Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started.

New Member

Cisco ACS5.3; differentiating between WebVPN and IPSEC Radius Authentications from a ASA

I am using Cisco ACS5.3 to authenticate users (using radius) for a cisco ASA firewall for both WebVPN and IPSEC client connections.  I have been able to do this successfully.  However I need to be able to deply Cisco vendor specific attributes (VSA) for both IPSEC and WebVPN sessions using authorisation profiles.   Ideally I don't want to have to combine the attributes required for both services in the same authorisation profile, as I will have to produce alot of different profiles for the different combinations.

The only way I can see that you could possibilly do this is by having service selection rules that can differentiate between WebVPN and IPSEC Radius authentication requests.  I have experimented inbound VSA's without success.  Is this possible?

  • AAA Identity and NAC
Everyone's tags (4)

Cisco ACS5.3; differentiating between WebVPN and IPSEC Radius Au


Are you clients coming in through different tunnel groups? If so, you can create a compound condition where you can map the radius attribute: CVPN3000/ASA/PIX7.x-DAP-Tunnel-Group-Name in the authorization policy. If it equals the TG for webvpn send back the av-pair accordingly.


Tarik Admani
*Please rate helpful posts*

Tarik Admani *Please rate helpful posts*