DAP Policy not honoring RADIUS flag 25 for Dynamic Group Placement

jrahul

I am attempting to get dynamic group placement working with SDI and RADIUS authentication. Problem is, SDI MUST be the primary authentication type, and when RADIUS is set up as the secondary authentication type, DAP appears to ignore the option 25 being passed from the RADIUS server for dynamic group placement.

My config is as follows:

group-policy Grp-Pol-1 internal
group-policy Grp-Pol-1 attributes
address-pools value Grp-Pol-1

group-policy Grp-Pol-2 internal
group-policy Grp-Pol-2 attributes
address-pools value Grp-Pol-2

group-policy Grp-Pol-3 internal
group-policy Grp-Pol-3 attributes
address-pools value Grp-Pol-3
tunnel-group Tu-Grp type remote-access
tunnel-group Tu-Grp general-attributes
authentication-server-group RSA-SecureID
secondary-authentication-server-group RADIUS use-primary-username
default-group-policy Grp-Pol-3
strip-realm
tunnel-group Tu-Grp webvpn-attributes
radius-reject-message
group-alias Tu-Grp enable
!

The log output during dynamic group placement is as follows (NOT WORKING LOG):

%ASA-6-113004: AAA user authentication Successful : server =  10.0.0.1 : user = My-User-ID
%ASA-6-113004: AAA user authentication Successful : server =  10.1.0.1 : user = My-User-ID
%ASA-6-113003: AAA group policy for user My-User-ID is being set to Grp-Pol-1
%ASA-6-113011: AAA retrieved user specific group policy (Grp-Pol-1) for user = My-User-ID
%ASA-6-113009: AAA retrieved default group policy (Grp-Pol-3) for user = My-User-ID
%ASA-6-113008: AAA transaction status ACCEPT : user = My-User-ID
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.grouppolicy = Grp-Pol-3
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.username = My-User-ID
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.tunnelgroup = Tu-Grp
%ASA-6-734001: DAP: User My-User-ID, Addr 172.16.25.1, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

When RADIUS is configured as the primary auth method the log output is as follows (WORKING LOG):

%ASA-6-113004: AAA user authentication Successful : server =  10.1.0.1 : user = My-User-ID
%ASA-6-113003: AAA group policy for user My-User-ID is being set to Grp-Pol-1
%ASA-6-113011: AAA retrieved user specific group policy (Grp-Pol-1) for user = My-User-ID
%ASA-6-113009: AAA retrieved default group policy (Grp-Pol-3) for user = My-User-ID
%ASA-6-113008: AAA transaction status ACCEPT : user = My-User-ID
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.radius["25"]["1"] = ou=Grp-Pol-1;
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.radius["25"]["2"] = CACS:0/1eb5d7/a32fb81/My-User-ID
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.grouppolicy = Grp-Pol-1
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.class = Grp-Pol-1
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.username = My-User-ID
%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.tunnelgroup = Tu-Grp
%ASA-6-734001: DAP: User My-User-ID, Addr 172.16.25.1, Connection AnyConnect: The following DAP records were selected for this connection: DfltAccessPolicy

If I set up Secure-ID authentication via a RADIUS proxy, dynamic group placement works as it should; however, this will require me to deploy new ACS servers to proxy the SDI authentication, which I would rather not do.

Any community assistance would be appreciated.

Thanks

Issue was resolved.

Found a command that would allow the tunnel group to utilize the auth attributes from the secondary auth server:

tunnel-group Tu-Grp general-attributes
  authentication-attr-from-server secondary

Issue resolved :-)
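As an added example (not part of the original thread, and not Cisco tooling), the following Python checker reads the two ASA syslog excerpts quoted above and reports whether the RADIUS Class attribute (attribute 25, which ASA reads as "OU=<group-policy>;") actually reached DAP, and whether the group policy DAP evaluated matches the one AAA said it was setting. The sample log lines are copied from the thread; the message formats assumed are exactly those shown there. Running it over the NOT WORKING log flags both the missing aaa.radius["25"] attribute and the fall-back to the tunnel-group default; the WORKING log produces no findings.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Syslog patterns taken from the ASA messages quoted in the thread.
SESSION_ATTR_RE = re.compile(
    r"%ASA-7-734003: DAP: User (?P<user>\S+), Addr (?P<addr>\S+): "
    r"Session Attribute (?P<key>\S+) = (?P<val>.*)$"
)
AAA_SET_RE = re.compile(
    r"%ASA-6-113003: AAA group policy for user (?P<user>\S+) is being set to (?P<gp>\S+)"
)
DEFAULT_GP_RE = re.compile(
    r"%ASA-6-113009: AAA retrieved default group policy \((?P<gp>\S+)\) for user = (?P<user>\S+)"
)
# ASA derives group-policy placement from RADIUS attribute 25 (Class) in the form "OU=<name>;".
CLASS_OU_RE = re.compile(r"^ou=(?P<gp>[^;]+);?$", re.IGNORECASE)


@dataclass
class DapSession:
    user: Optional[str] = None
    aaa_group_policy: Optional[str] = None      # what AAA reported setting (113003)
    default_group_policy: Optional[str] = None  # tunnel-group default (113009)
    attrs: Dict[str, str] = field(default_factory=dict)  # DAP session attributes (734003)


def parse_dap_log(lines: List[str]) -> DapSession:
    """Collect the AAA/DAP facts for one connection from a list of syslog lines."""
    s = DapSession()
    for line in lines:
        if m := AAA_SET_RE.search(line):
            s.user, s.aaa_group_policy = m["user"], m["gp"]
        elif m := DEFAULT_GP_RE.search(line):
            s.default_group_policy = m["gp"]
        elif m := SESSION_ATTR_RE.search(line):
            s.user = s.user or m["user"]
            s.attrs[m["key"]] = m["val"].strip()
    return s


def class_group_policies(s: DapSession) -> List[str]:
    """Group policies carried in the RADIUS Class (attribute 25) values DAP saw."""
    out = []
    for key, val in s.attrs.items():
        if key.startswith('aaa.radius["25"]'):
            if m := CLASS_OU_RE.match(val):
                out.append(m["gp"])
    return out


def check_group_placement(s: DapSession) -> List[str]:
    """Return human-readable findings; an empty list means placement looks consistent."""
    findings = []
    applied = s.attrs.get("aaa.cisco.grouppolicy")
    if not class_group_policies(s):
        findings.append("no RADIUS Class (25) OU= value reached DAP; "
                        "attributes from the RADIUS server were not applied")
    if s.aaa_group_policy and applied != s.aaa_group_policy:
        note = " (tunnel-group default)" if applied == s.default_group_policy else ""
        findings.append(f"AAA set {s.aaa_group_policy} but DAP evaluated with {applied}{note}")
    return findings


# Constructed sample input: the two log excerpts quoted in the thread.
NOT_WORKING_LOG = [
    "%ASA-6-113004: AAA user authentication Successful : server =  10.0.0.1 : user = My-User-ID",
    "%ASA-6-113004: AAA user authentication Successful : server =  10.1.0.1 : user = My-User-ID",
    "%ASA-6-113003: AAA group policy for user My-User-ID is being set to Grp-Pol-1",
    "%ASA-6-113009: AAA retrieved default group policy (Grp-Pol-3) for user = My-User-ID",
    "%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.grouppolicy = Grp-Pol-3",
    "%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.tunnelgroup = Tu-Grp",
]
WORKING_LOG = [
    "%ASA-6-113004: AAA user authentication Successful : server =  10.1.0.1 : user = My-User-ID",
    "%ASA-6-113003: AAA group policy for user My-User-ID is being set to Grp-Pol-1",
    "%ASA-6-113009: AAA retrieved default group policy (Grp-Pol-3) for user = My-User-ID",
    '%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.radius["25"]["1"] = ou=Grp-Pol-1;',
    '%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.radius["25"]["2"] = CACS:0/1eb5d7/a32fb81/My-User-ID',
    "%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.grouppolicy = Grp-Pol-1",
    "%ASA-7-734003: DAP: User My-User-ID, Addr 172.16.25.1: Session Attribute aaa.cisco.class = Grp-Pol-1",
]

if __name__ == "__main__":
    for name, log in (("NOT WORKING", NOT_WORKING_LOG), ("WORKING", WORKING_LOG)):
        session = parse_dap_log(log)
        print(name, session.user, class_group_policies(session), check_group_placement(session))
```

The check is deliberately split in two: the absence of any aaa.radius["25"] attribute tells you the RADIUS reply never reached DAP (the symptom when the attribute-bearing server is secondary without authentication-attr-from-server secondary), while the grouppolicy mismatch tells you the user actually landed in the tunnel-group default, which is the access-control consequence worth alerting on.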
