Control User Permissions and Attributes Using RADIUS and Group Policies

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

This article provides information on applying attributes to RA VPN connections from an external RADIUS server or a group policy.

You can apply user authorization attributes (also called user entitlements or permissions) to RA VPN connections from an external RADIUS server or from a group policy defined on the FTD device. If the FTD device receives attributes from the external AAA server that conflict with those configured on the group policy, then attributes from the AAA server always take precedence.

The FTD device applies attributes in the following order:

User attributes defined on the external AAA server—The server returns these attributes after successful user authentication or authorization.
Group policy configured on the FTD device—If a RADIUS server returns the value of the RADIUS CLASS attribute IETF-Class-25 (OU= group-policy) for the user, the FTD device places the user in the group policy of the same name and enforces any attributes in the group policy that are not returned by the server.
Group policy assigned by the connection profile—The connection profile has the preliminary settings for the connection and includes a default group policy applied to the user before authentication. All users connecting to the FTD device initially belong to this group, which provides any attributes that are missing from the user attributes returned by the AAA server, or the group policy assigned to the user.

FTD devices support RADIUS attributes with vendor ID 3076. If the RADIUS server you use does not have these attributes defined, you must manually define them. To define an attribute, use the attribute name or number, type, value, and vendor code (3076).

The following topics explain the supported attributes based on whether the values are defined in the RADIUS server, or whether they are values the system sends to the RADIUS server.

Attributes Sent to the RADIUS Server

RADIUS attributes 146 and 150 are sent from the FTD device to the RADIUS server for authentication and authorization requests. All the following attributes are sent from the FTD device to the RADIUS server for accounting start, interim-update, and stop requests.

Attributes FTD Sends to RADIUS
Attribute	Attribute	Syntax, Type	Single or Multi-valued	Description or Value
Client Type	150	Integer	Single	The type of client this is connecting to the VPN: 2= AnyConnect Client SSL VPN
Session Type	151	Integer	Single	The type of connection: 1 = AnyConnect Client SSL VPN
Tunnel Group Name	146	String	Single	The name of the connection profile that was used for establishing the session, as defined on the FTD device. The name can be 1 - 253 characters.

Attributes Received from the RADIUS Server

The following user authorization attributes are sent to the FTD device from the RADIUS server.

Attribute	Attribute Number	Syntax, Type	Single or Multi-valued	Description or Value
Access-List-Inbound	86	String	Single	Both Access-List attributes take the name of an ACL that is configured on the FTD device. Create these ACLs in FDM using the Smart CLI Extended Access List object type (Log in to FDM and select Device > Advanced Configuration > Smart CLI > Objects). These ACLs control traffic flow in the inbound (traffic entering the FTD device) or outbound (traffic leaving the FTD device) direction.
Access-List-Outbound	87	String	Single
Address-Pools	217	String	Single	The name of a network object defined on the FTD device that identifies a subnet, which will be used as the address pool for clients connecting to the RA VPN. Define the network object on the Objects page.
Banner1	15	String	Single	The banner to display when the user logs in.
Banner2	36	String	Single	The second part of the banner to display when the user logs in. Banner2 is appended to Banner1.
Group-Policy	25	String	Single	The group policy to use in the connection. You must create the group policy on the RA VPN Group Policy page. You can use one of the following formats: group policy name OU=group policy name OU=group policy name;
Simultaneous-Logins	2	Integer	Single	The number of separate simultaneous connections the user can establish, 0 - 2147483647.
VLAN	140	Integer	Single	The VLAN on which to confine the user's connection, 0 - 4094. You must also configure this VLAN on a subinterface on the FTD device.