Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Cisco ASA : Group-Policy allocation from radius class ?


I've got a problem, I currently have an AnyConnect profile/tunnel-group which works as follows (this part is not the problem) :

  • The user authenticates over a Radius server (freeradius)
  • The Radius server connects to a LDAP database, and verify the user credentials
  • Then, after the LDAP response (OK / NOK), the Radius Server reply to the ASA, and specify the value of the radius class attribute IETF-Class-25 to the ASA (OU=<group-policy>)
  • Then, the ASA checks if such a group-policy exists (the name as to be the same that the one from the radius), and if so, the ASA "places"  the user in the group-policy

Well, above were just some explanations. It works perfectly with Cisco AnyConnect client or any Cisco SSL-VPN compliant client (openconnect under linux for instance).

The problem is, this doesn't work with IPsec clients, and i don't know exactly why. On the ASA, the connection profile is allright for AnyConnect and for IPsec/IKEv1. The difference is the configuration, with IPsec/IKEv1, as we use it, you need to enter a pre-shared key, and the configuration for the client is not the same (need to enter a tunnel-group, and the pre-shared key as the one on the IPsec/IKEv1 connection profile). But the system of "group-policy attribution from a radius attribute" doesn't work with such IPsec clients.

Logs say something like : "not possible to attribute an IP address ...", as it doesn't place the user in the right group-policy.

Resolved : it was a Radius issue ! With IPsec protocol it seems that it didn't return the group from the LDAP database, but

a default attribute from the users file. That's now fixed.



New Member

Cisco ASA : Group-Policy allocation from radius class ?


New Member

Cisco ASA : Group-Policy allocation from radius class ?

Hi Marc,

Where di you find the AV pairs for Group-Policy selection.

Im trying to set-up a NPS server, that should return the value of Group Policy selection, but cannot find anything about how the AV pair should look like..

Can U help me out here?



CreatePlease to create content