Cisco ACS 5.x Use Case: Local Custom Attributes

This ACS is fun ūüôā

We saw many cool features of the ACS so far. Now let’s talk about custom attributes. What they are and what are we going to use them for. The topology is almost the same. The difference is that instead of the router, we will be using the ASA firewall. And the scenario is as follows: we will create three custom attributes:

  • ANYCONNECT is of type boolean (true/false)
  • DEVICEADMIN is also of type boolean
  • IP_ADDRESS is of type IPaddress

What we will do with these is this: if a user has the ANYCONNECT attribute set to true, he/she is allowed to make an Anyconnect VPN session. If a user has the DEVICEADMIN attribute set to true, he/she is allowed to access a network device for management purposes. Finally, if the IP_ADDRESS is set for a user, he/she will have that address assigned when connecting via VPN, otherwise, a user will receive an IP address from a pool.

First, let’s create our attributes. Under System Administration->Configuration->Dictionaries->Identity->Internal Users, we click Create and fill in the form. For the ANYCONNECT attribute:


The same way we create the DEVICEADMIN attribute:


And for the IP_ADDRESS:


Now we create a user with desired options selected:


Now we need to create rules for both access services, the ANYCONNECT access service and the DEVICELOGIN access service. These are our access services:


And our Services Selection Rules look like this:


Finally, let’s review each access services authorization rules. For the ANYCONNECT access service:




Before we take quick tests, let’s review the ASA configuration:

aaa-server ACS_RAD protocol radius
aaa-server ACS_RAD (VMWARE) host
key spop123
aaa-server ACS_TAC protocol tacacs+
aaa-server ACS_TAC (VMWARE) host
key spop123

aaa authentication ssh console ACS_TAC LOCAL

ip local pool POOL1 mask

enable outside
anyconnect image disk0:/anyconnect-win-3.1.04059-k9.pkg 11
anyconnect enable

tunnel-group DefaultWEBVPNGroup general-attributes
address-pool POOL1
authentication-server-group ACS_RAD
accounting-server-group ACS_RAD

group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ssl-client

Ok, let’s give it a try… First we try the VPN. We make an Anyconnect session¬†and verify it on the ASA:

atest1/pri/act# show vpn-sessiondb anyconnect

Session Type: AnyConnect

Username     : aleksandar.vidovic     Index        : 73
Assigned IP  :        Public IP    :
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)AES256  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)SHA1  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 2479                   Bytes Rx     : 507
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 23:00:32 UTC Mon Mar 24 2003
Duration     : 0h:00m:14s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


And on the ACS server:


And as we saw from the ASA output, we received a custom specified static IP address:

root@pop-deb:/home/sasa# ifconfig vpn0
vpn0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:  P-t-P:  Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)


Now let’s try access this firewall using SSH connection:

sasa@pop-deb:~$ ssh -l aleksandar.vidovic
aleksandar.vidovic@’s password:
Permission denied, please try again.
aleksandar.vidovic@’s password:


And logs on the ACS server say:


So, that was the story about custom local attributes.

Thanks for reading!

This entry was posted in AAA, ACS 5.x, ACS/RADIUS/TACACS, ASA, Cisco, Security and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s