SEC0404 – Firepower 7.0 AnyConnect VPN RADIUS Attributes (Part 1)
RADIUS Attributes
In this video we will see what else we can do with RADIUS attributes.
RADIUS was designed for this and already has these capabilities.
The following are some of the RADIUS attributes that Firepower supports.
In this video we will see how group policy attributes can be returned entirely from RADIUS, without relying on the group policy at all.


This document does not show an exhaustive list; because AnyConnect on Firepower is inherited from ASA, there are more attributes.
Even though this page says Cisco attributes for LDAP authorization, these are the same attributes we use in RADIUS.


We will remove the attributes that we did not configure, and remove the lines that say none and disable.




We will look for the first attribute, “banner value xxxx”.





RADIUS attributes with “IETF” at the beginning are RADIUS standard attributes; the ones without IETF are Cisco proprietary.




Alert interval is not present in this list, but the list is outdated, so we can also look in ISE, where these attributes are available.


We will skip the split-tunneling policy for now and come back to it.













It seems those attributes are available, as we can see in ISE.




By default ISE does not have the full list of protocols, but in our case we need two values: IKEv2 and SVC (ssl-client).





So from that list we will add the values SVC 32 + IPSec (IKEv2) 64 = 96.




In this authorization profile we need to use Advanced Attribute Settings because these are not common RADIUS attributes.








Here we will set the time in seconds, 3600, instead of 60 minutes.



Here too we will set the 12-hour time as 43200 seconds instead of minutes (720 mins).

Attributes with “Radius” in front are IETF attributes, spelled simply as Idle-Timeout and Session-Timeout; similarly, attributes with Cisco-VPN3000 in front are vendor-specific attributes.
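The conversions walked through above (the protocol bits summed to 96, and timeouts entered in seconds instead of minutes) can be checked with a short script before typing the values into the authorization profile. This is an added example, not configuration or code from the video; the keys Tunneling-Protocols and Banner1 are shortened labels used here as an assumption, the sample lines are constructed, and the bit values other than 32 and 64 are taken from Cisco's ASA attribute table.

```python
# Added example: map ASA-style group-policy lines to RADIUS attribute values.
# Bit values for Tunneling-Protocols. 32 (SVC) and 64 (IKEv2) are the two used
# on this page; the other bits are from Cisco's ASA attribute table.
PROTOCOL_BITS = {
    "ikev1": 4,
    "l2tp-ipsec": 8,
    "ssl-clientless": 16,  # WebVPN
    "ssl-client": 32,      # SVC
    "ikev2": 64,           # IPsec (IKEv2)
}

def tunneling_protocols(keywords):
    """OR together the bit for each vpn-tunnel-protocol keyword."""
    value = 0
    for kw in keywords:
        if kw not in PROTOCOL_BITS:
            raise ValueError(f"unknown tunnel protocol keyword: {kw}")
        value |= PROTOCOL_BITS[kw]
    return value

def decode_tunneling_protocols(value):
    """Reverse check: list the keywords an integer from the profile enables."""
    if value & ~sum(PROTOCOL_BITS.values()):
        raise ValueError(f"bits without a keyword in this table: {value}")
    return sorted(kw for kw, bit in PROTOCOL_BITS.items() if value & bit)

def group_policy_to_radius(lines):
    """Return (attrs, unmapped). Timeouts go in as minutes, come out as seconds."""
    attrs, unmapped = {}, []
    for line in lines:
        words = line.split()
        if not words or (len(words) == 2 and words[1] in ("none", "disable")):
            continue  # unset lines are dropped, as in the walkthrough
        if words[0] == "vpn-tunnel-protocol":
            attrs["Tunneling-Protocols"] = tunneling_protocols(words[1:])
        elif words[0] == "vpn-idle-timeout":
            attrs["Idle-Timeout"] = int(words[1]) * 60
        elif words[0] == "vpn-session-timeout":
            attrs["Session-Timeout"] = int(words[1]) * 60
        elif words[:2] == ["banner", "value"]:
            attrs["Banner1"] = line.split("value", 1)[1].strip()
        else:
            unmapped.append(line.strip())  # needs a manual attribute lookup
    return attrs, unmapped

# Constructed sample lines, not the configuration shown in the video.
SAMPLE = ["banner value Authorized users only", "vpn-idle-timeout 60",
          "vpn-session-timeout 720", "vpn-tunnel-protocol ikev2 ssl-client",
          "vpn-filter none", "split-tunnel-policy tunnelspecified"]

if __name__ == "__main__":
    print(group_policy_to_radius(SAMPLE))
```

Anything returned in the unmapped list, such as the split-tunneling line, still has to be looked up in the attribute list or in ISE by hand.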













Pretty much everything is now being returned from RADIUS, so this default group policy will not be of much use.

