Control User Permissions and Attributes Using RADIUS and Group Policies
You can apply user authorization attributes (also called user entitlements or permissions) to RA VPN connections from an external RADIUS server or from a group policy defined on the FTD device. If the FTD device receives attributes from the external AAA server that conflict with those configured on the group policy, then attributes from the AAA server always take precedence.
The FTD device applies attributes in the following order:
- User attributes defined on the external AAA server—The server returns these attributes after successful user authentication or authorization.
- Group policy configured on the FTD device—If the RADIUS server returns the standard RADIUS Class attribute (IETF attribute 25) with the value OU=group-policy for the user, the FTD device places the user in the group policy of that name and enforces any attributes in that group policy that the server did not return.
- Group policy assigned by the connection profile—The connection profile has the preliminary settings for the connection and includes a default group policy applied to the user before authentication. All users connecting to the FTD device initially belong to this group, which provides any attributes that are missing from the user attributes returned by the AAA server, or the group policy assigned to the user.
FTD devices support RADIUS attributes with vendor ID 3076. If the RADIUS server you use does not have these attributes defined, you must manually define them. To define an attribute, use the attribute name or number, type, value, and vendor code (3076).
The following topics explain the supported attributes based on whether the values are defined in the RADIUS server, or whether they are values the system sends to the RADIUS server.
Attributes Sent to the RADIUS Server
RADIUS attributes 146 and 150 are sent from the FTD device to the RADIUS server for authentication and authorization requests. All the following attributes are sent from the FTD device to the RADIUS server for accounting start, interim-update, and stop requests.
Attribute | Attribute Number | Syntax, Type | Single or Multi-valued | Description or Value
---|---|---|---|---
Client Type | 150 | Integer | Single | The type of client that is connecting to the VPN: 2 = AnyConnect Client SSL VPN
Session Type | 151 | Integer | Single | The type of connection: 1 = AnyConnect Client SSL VPN
Tunnel Group Name | 146 | String | Single | The name of the connection profile that was used to establish the session, as defined on the FTD device. The name can be 1 - 253 characters.
Attributes Received from the RADIUS Server
The following user authorization attributes are sent to the FTD device from the RADIUS server.
Attribute | Attribute Number | Syntax, Type | Single or Multi-valued | Description or Value
---|---|---|---|---
Access-List-Inbound | 86 | String | Single | The name of an ACL that is configured on the FTD device. Create the ACL in FDM using the Smart CLI Extended Access List object type (log in to FDM and select Device > Advanced Configuration > Smart CLI > Objects). This ACL controls traffic in the inbound direction (traffic entering the FTD device).
Access-List-Outbound | 87 | String | Single | As for Access-List-Inbound, but the named ACL controls traffic in the outbound direction (traffic leaving the FTD device).
Address-Pools | 217 | String | Single | The name of a network object defined on the FTD device that identifies a subnet, which is used as the address pool for clients connecting to the RA VPN. Define the network object on the Objects page.
Banner1 | 15 | String | Single | The banner to display when the user logs in.
Banner2 | 36 | String | Single | The second part of the banner to display when the user logs in. Banner2 is appended to Banner1.
Group-Policy | 25 | String | Single | The group policy to use for the connection. You must create the group policy on the RA VPN Group Policy page. You can use one of the following formats:
Simultaneous-Logins | 2 | Integer | Single | The number of separate simultaneous connections the user can establish, 0 - 2147483647.
VLAN | 140 | Integer | Single | The VLAN on which to confine the user's connection, 0 - 4094. You must also configure this VLAN on a subinterface on the FTD device.
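The following Python module is an added example, not Cisco code or anything from the FTD or FDM software. It ties together the precedence rules listed at the top of this page and the vendor 3076 attribute tables above: it emits a FreeRADIUS dictionary fragment for a server that does not yet define these attributes, encodes and decodes the attributes as RADIUS Vendor-Specific (type 26) TLVs per RFC 2865, and then resolves a decoded Access-Accept against sample group policies in the documented order (server attributes, then the group policy named by Group-Policy or by Class OU=, then the connection profile's default group policy). Note that the standard Class attribute is IETF attribute number 25 while Group-Policy is sub-attribute 25 under vendor 3076; the two live in different namespaces and the decoder keeps them apart. The vendor label Cisco-ASA, the prefixed attribute names in the dictionary, the group-policy names, ACL names and banner text are sample values chosen for this example; the page does not specify them.

```python
"""Added example (not Cisco's code): vendor-3076 RADIUS attributes for FTD RA VPN.
Sample names (Cisco-ASA prefix, DfltGrpPolicy, Engineers, ENG-IN, ...) are assumptions."""
import struct

VENDOR_ID = 3076      # vendor code from the page
VSA_TYPE = 26         # RFC 2865 Vendor-Specific attribute
IETF_CLASS = 25       # standard Class attribute; distinct from vendor sub-attribute 25

# Vendor sub-attributes from the page's two tables: name -> (number, type)
VSA = {
    "Simultaneous-Logins": (2, "integer"), "Banner1": (15, "string"),
    "Group-Policy": (25, "string"), "Banner2": (36, "string"),
    "Access-List-Inbound": (86, "string"), "Access-List-Outbound": (87, "string"),
    "VLAN": (140, "integer"), "Tunnel-Group-Name": (146, "string"),
    "Client-Type": (150, "integer"), "Session-Type": (151, "integer"),
    "Address-Pools": (217, "string"),
}
BY_NUMBER = {num: (name, typ) for name, (num, typ) in VSA.items()}


def freeradius_dictionary(vendor="Cisco-ASA"):
    """FreeRADIUS 'dictionary' syntax for a server lacking these attributes.
    The vendor label and prefixed attribute names are this example's choice."""
    lines = [f"VENDOR\t{vendor}\t{VENDOR_ID}", f"BEGIN-VENDOR\t{vendor}"]
    for num, (name, typ) in sorted(BY_NUMBER.items()):
        lines.append(f"ATTRIBUTE\t{vendor}-{name}\t{num}\t{typ}")
    lines.append(f"END-VENDOR\t{vendor}")
    return "\n".join(lines) + "\n"


def _tlv(type_, data):
    """RADIUS attribute framing: type, total length (incl. header), value."""
    if len(data) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("BB", type_, 2 + len(data)) + data


def encode_vsa(name, value):
    """One Vendor-Specific attribute carrying one vendor-3076 sub-attribute."""
    num, typ = VSA[name]
    data = struct.pack(">I", value) if typ == "integer" else value.encode()
    return _tlv(VSA_TYPE, struct.pack(">I", VENDOR_ID) + _tlv(num, data))


def encode_class(value):
    """IETF Class (25), e.g. 'OU=Engineers;' to select a group policy."""
    return _tlv(IETF_CLASS, value.encode())


def _walk_tlvs(buf):
    """Yield (type, value) pairs; reject truncated or zero-length attributes."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]


def decode_attrs(buf):
    """Parse an Access-Accept attribute list into {name: value}.
    Other vendors' VSAs and unknown sub-attribute numbers are ignored."""
    out = {}
    for type_, val in _walk_tlvs(buf):
        if type_ == IETF_CLASS:
            out["Class"] = val.decode()
        elif type_ == VSA_TYPE and len(val) >= 4 and struct.unpack(">I", val[:4])[0] == VENDOR_ID:
            for num, sub in _walk_tlvs(val[4:]):
                if num in BY_NUMBER:
                    name, typ = BY_NUMBER[num]
                    out[name] = struct.unpack(">I", sub)[0] if typ == "integer" else sub.decode()
    return out


def group_policy_from_class(cls):
    """'OU=<name>' names a group policy; a trailing ';' is tolerated (assumption)."""
    return cls[3:].rstrip(";") if cls and cls.startswith("OU=") else None


def resolve(server_attrs, group_policies, profile_default):
    """Page order: server attributes win; the group policy named by Group-Policy
    or Class fills gaps; the connection profile's default policy fills the rest."""
    name = server_attrs.get("Group-Policy") or group_policy_from_class(server_attrs.get("Class"))
    effective = dict(group_policies[profile_default])
    if name is not None:
        if name not in group_policies:   # treating an unknown policy as fatal is an assumption
            raise KeyError(f"RADIUS named group policy {name!r}, which is not defined on the device")
        effective.update(group_policies[name])
    effective.update((k, v) for k, v in server_attrs.items() if k in VSA)
    return effective


def demo():
    """Constructed Access-Accept: Class selects 'Engineers'; two attributes override it."""
    accept = b"".join([
        encode_class("OU=Engineers;"),
        encode_vsa("Access-List-Inbound", "ENG-IN"),
        encode_vsa("Simultaneous-Logins", 3),
        encode_vsa("VLAN", 100),
    ])
    group_policies = {   # sample policies as if defined on the FTD device
        "DfltGrpPolicy": {"Banner1": "Authorized use only", "Simultaneous-Logins": 1,
                          "Address-Pools": "VPN-Pool"},
        "Engineers": {"Access-List-Outbound": "ENG-OUT", "Simultaneous-Logins": 2},
    }
    return resolve(decode_attrs(accept), group_policies, "DfltGrpPolicy")
```

In `demo()`, Simultaneous-Logins ends up as 3 even though both group policies set it, because the server's value always wins; Access-List-Outbound comes from the Engineers policy selected by Class, and Banner1 and Address-Pools fall through to the default policy. The decoder validates every TLV length before indexing, which is the check you want in any code that parses attributes from a network peer.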