Assign Group Membership attribute to DAP for Radius logins via SSL VPN

Basically I want to query RADIUS for AD group membership and apply a set of Bookmarks based on that group. I would use LDAP, but we have two domains and I need both to be available for login, so I am using ACS 5.3 as a proxy. Any help or suggestions? I saw that attribute 4242 is used for DAP group membership, but what is the group syntax? I am stuck and need help.

Thanks,

Dino

1 REPLY
Cisco Employee

Hi Dino,

When using RADIUS, the value of the IETF Class attribute (IETF #25) is interpreted by the ASA as the name of a group-policy.

See e.g.

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

In the example in that document, the syntax used is OU=Grouppolicyname, but the "OU=" is optional; you can just as well enter the name by itself.

If you need help mapping the AD group(s) to the radius Class attribute in ACS, I'm afraid I can't help you with that but you can ask in the forum.

Alternatively, you could have all users share the same group-policy, but have ACS push the name of the bookmark list to use. I don't know the attribute name by heart, but if you scroll through the list of ASA attributes on ACS it should be fairly obvious (let me know if not).

BTW - there is an alternative to using a Radius "proxy" to solve the multi-domain issue. If you configure a GCS (Global Catalog Server) in your AD forest, the ASA can authenticate users in all the domains the GCS knows about. Downside to this is that the GCS does not support password change.

hth

Herbert

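Added example, not code from this thread, Cisco or ACS: a small Python parser that pulls the IETF Class attribute (#25) out of a constructed RADIUS Access-Accept attribute list and applies the rule Herbert describes, an optional "OU=" prefix followed by the group-policy name. The allow-list check against the group-policies actually configured, with a fall back to a default policy, is an assumption added so that a mistyped or unexpected Class value cannot select an arbitrary policy; it is not documented ASA behaviour here.

```python
import struct

CLASS_ATTR = 25  # IETF RADIUS Class attribute (type code 25)


def parse_avps(payload: bytes):
    """Parse RADIUS attribute TLVs (1-byte type, 1-byte length incl. header, value)."""
    avps = []
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated AVP header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad AVP length {alen} at offset {i}")
        avps.append((atype, payload[i + 2:i + alen]))
        i += alen
    return avps


def group_policy_from_class(avps, configured_policies, default_policy):
    """Apply the rule from the thread: the Class value names a group-policy,
    optionally prefixed with 'OU='. Only names that exist in the configured
    set are accepted; anything else falls back to the default (an assumption,
    not documented ASA behaviour)."""
    for atype, value in avps:
        if atype != CLASS_ATTR:
            continue
        name = value.decode("utf-8", errors="replace").strip()
        if name.upper().startswith("OU="):
            name = name[3:].strip()
        if name in configured_policies:
            return name
    return default_policy


def build_avp(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS AVP (used here only to construct sample input)."""
    return struct.pack("BB", atype, 2 + len(value)) + value


# Constructed sample Access-Accept attributes (not a real capture):
# User-Name (1) plus a Class attribute carrying the OU= form.
SAMPLE = build_avp(1, b"dino") + build_avp(CLASS_ATTR, b"OU=DomainA-Users")
CONFIGURED = {"DomainA-Users", "DomainB-Users", "DfltGrpPolicy"}

if __name__ == "__main__":
    print(group_policy_from_class(parse_avps(SAMPLE), CONFIGURED, "DfltGrpPolicy"))
```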