Skip to main content

 

 

Cisco Defense Orchestrator

Control User Permissions and Attributes Using RADIUS and Group Policies

This article provides information on applying attributes to RA VPN connections from an external RADIUS server or a group policy.

You can apply user authorization attributes (also called user entitlements or permissions) to RA VPN connections from an external RADIUS server or from a group policy defined on the FTD device. If the FTD device receives attributes from the external AAA server that conflict with those configured on the group policy, then attributes from the AAA server always take precedence.

The FTD device applies attributes in the following order:

  1. User attributes defined on the external AAA server—The server returns these attributes after successful user authentication or authorization.
  2. Group policy configured on the FTD device—If a RADIUS server returns the value of the RADIUS CLASS attribute IETF-Class-25 (OU= group-policy) for the user, the FTD device places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.
  3. Group policy assigned by the connection profile—The connection profile has the preliminary settings for the connection and includes a default group policy applied to the user before authentication. All users connecting to the FTD device initially belong to this group, which provides any attributes that are missing from the user attributes returned by the AAA server, or the group policy assigned to the user.

FTD devices support RADIUS attributes with vendor ID 3076. If the RADIUS server you use does not have these attributes defined, you must manually define them. To define an attribute, use the attribute name or number, type, value, and vendor code (3076).

The following topics explain the supported attributes based on whether the values are defined in the RADIUS server, or whether they are values the system sends to the RADIUS server.

Attributes Sent to the RADIUS Server

RADIUS attributes 146 and 150 are sent from the FTD device to the RADIUS server for authentication and authorization requests. All the following attributes are sent from the FTD device to the RADIUS server for accounting start, interim-update, and stop requests.

Attributes FTD Sends to RADIUS
Attribute Attribute Syntax, Type Single or Multi-valued Description or Value
Client Type 150 Integer Single

The type of client this is connecting to the VPN:

2= AnyConnect Client SSL VPN

Session Type 151 Integer Single

The type of connection:

1 = AnyConnect Client SSL VPN

Tunnel Group Name 146 String Single The name of the connection profile that was used for establishing the session, as defined on the FTD device. The name can be 1 - 253 characters.

Attributes Received from the RADIUS Server

The following user authorization attributes are sent to the FTD device from the RADIUS server.

Attribute Attribute Number Syntax, Type Single or Multi-valued  Description or Value
Access-List-Inbound 86 String Single 

Both Access-List attributes take the name of an ACL that is configured on the FTD device. Create these ACLs in FDM using the Smart CLI Extended Access List object type (Log in to FDM and select Device > Advanced Configuration > Smart CLI > Objects). 

These ACLs control traffic flow in the inbound (traffic entering the FTD device) or outbound (traffic leaving the FTD device) direction.
Access-List-Outbound 87 String Single
Address-Pools 217 String Single The name of a network object defined on the FTD device that identifies a subnet, which will be used as the address pool for clients connecting to the RA VPN. Define the network object on the Objects page.
Banner1 15 String Single The banner to display when the user logs in.
Banner2 36 String Single  The second part of the banner to display when the user logs in. Banner2 is appended to Banner1.
Group-Policy 25 String Single

The group policy to use in the connection. You must create the group policy on the RA VPN Group Policy page. You can use one of the following formats:

  • group policy name
  • OU=group policy name
  • OU=group policy name
Simultaneous-Logins 2 Integer Single The number of separate simultaneous connections the user can establish, 0 - 2147483647.
VLAN 140 Integer Single The VLAN on which to confine the user's connection, 0 - 4094. You must also configure this VLAN on a subinterface on the FTD device.

 

  • Was this article helpful?