Group based Radius return Attributes

  • Question

  • Is it possible to return a radius class attribute (id 25) to a radius client based on a user's group membership?

    We need this returning class attribute to assign different VPN profiles to our Cisco Anyconnect VPN users. The Cisco ASA firewalls are currently using a legacy RSA server to do this now, but we need to get rid of RSA.

    The current MFA server I installed (6.1) on-premise only seems to be able to return a RADIUS attribute in general, not based on groups? Anyone able to answer this?

    Monday, March 10, 2014 9:02 AM

Answers

  • The MFA Server is not able to return group membership via RADIUS. There are a few potential options:

    1. Use the MFA Server as a RADIUS proxy to another RADIUS server that can return an attribute based on group membership. I believe NPS has that capability, although it requires a different policy to be set up for each group.

    2. Use LDAP instead of RADIUS. When the MFA Server acts as an LDAP proxy, group membership information returned by AD will be proxied back to the ASA.

    3. I'm not sure about the Cisco ASA, but it may be possible to set up authentication and authorization separately. If it is, you can use RADIUS to the MFA Server for authentication, but then use LDAP/AD directly to AD for authorization.

    Monday, March 10, 2014 9:02 PM

All replies

  • Have there been any updates to this process? Is there a feature in 6.1.1.1 that allows for the AD groups to be returned with RADIUS authentication?

    Friday, November 6, 2015 7:10 PM
  • Have there been any updates to this process? Is there a feature in 6.1.1.1 that allows for the AD groups to be returned with RADIUS authentication?

    We are also interested in doing this, can anyone provide an update on its feasibility?


    Dean MCTS-SQL 2005 Business Intelligence, MCITP SharePoint 2010, MCSA Office 365

    Monday, March 20, 2017 3:33 PM
  • Same here. 

    We tested with MFA cloud as well, using the Azure NPS extension

    With the RegKey REQUIRE_USER_MATCH in the registry path HKLM\Software\Microsoft\AzureMFA set to FALSE, we are able to let users bypass MFA (if they are not MFA-enabled in Azure) and connect to the VPN. 

    In this scenario, the Class (25) attribute is passed to the RADIUS client.

    When this same user is enabled in MFA, the attribute is not passed during the 2nd-step authentication.

    This is a blocker for us going forward with Azure, so any help/workarounds here are much appreciated. 

    Thursday, November 2, 2017 12:32 PM
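A way to verify, on the RADIUS client side, whether an Access-Accept really carries the Class (25) attribute that the thread is about, as an added example that is not code from this thread, from Microsoft or from Cisco: it parses the RFC 2865 attribute TLVs and checks the Response Authenticator against the shared secret before trusting any attribute, so a missing or tampered Class value in the second authentication step shows up as an empty list or a rejected packet. The shared secret, request authenticator and packets below are constructed placeholders, and build_access_accept only exists to produce sample input.

```python
import hashlib
import struct

# RADIUS packet code and attribute types used here (RFC 2865).
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_CLASS = 25  # the "class attribute (id 25)" discussed in the thread

def parse_radius(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]) for one packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:  # attributes are Type(1) Length(1) Value(Length-2) TLVs
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def response_authenticator_ok(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:length] + secret).digest()
    return expected == packet[4:20]

def class_values(packet: bytes, request_auth: bytes, secret: bytes):
    """Class(25) values of an authenticated Access-Accept; None if the packet is
    not an Access-Accept or its Response Authenticator does not verify."""
    code, _, _, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT or not response_authenticator_ok(packet, request_auth, secret):
        return None
    return [value for atype, value in attrs if atype == ATTR_CLASS]

def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs) -> bytes:
    """Constructed sample only: assemble an Access-Accept the way a server would."""
    body = b"".join(bytes([atype, 2 + len(value)]) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body

# Constructed placeholders: not a real secret, not a captured packet.
SECRET = b"constructed-shared-secret"
REQ_AUTH = bytes(range(16))
WITH_CLASS = build_access_accept(7, REQ_AUTH, SECRET,
                                 [(ATTR_USER_NAME, b"alice"), (ATTR_CLASS, b"OU=VPN-Admins")])
WITHOUT_CLASS = build_access_accept(8, REQ_AUTH, SECRET, [(ATTR_USER_NAME, b"alice")])
```

Running class_values over the Access-Accept captured from each authentication step tells you whether the Class attribute was dropped by the proxy, which is the symptom described above.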