How to return Group Attribute back to Cisco ASA for Access Policies

If you are using Active Directory / LDAP as your First Factor source, you can configure the LoginTC RADIUS Appliance to return a single RADIUS attribute containing the name of the group the user belongs to back to Cisco ASA. The attribute is returned only upon successful authentication of the user.


Here are the steps for configuring this:


1. On the LoginTC RADIUS Connector, navigate to the web-based UI and click Configurations > Your Configuration


2. Scroll down to First Factor and click Edit


3. Scroll down to Group Attribute (Advanced) and select Specify a Group Attribute


4. Set RADIUS Group Attribute to the name of the RADIUS attribute in which Cisco ASA expects the Active Directory group to appear in the response.


5. Set AD Groups to a comma-delimited list of the AD groups that can be returned, for example "Administrators,Sales,Engineers". The list is in priority order: only the first listed group the user is a member of is returned as the RADIUS attribute, so a user who belongs to several of the listed groups gets the one that appears earliest. If the user is a member of none of the listed groups, the RADIUS Group Attribute does not appear in the response.


Upon a successful authentication, if the user is a member of one of the groups specified in Step 5, the "/var/log/logintc/authenticate.log" log file will show:


2017-05-25 14:51:06,163 - DEBUG - Setting RADIUS attribute: Class = Administrators


The name of the RADIUS attribute (in this case "Class") is what was configured in Step 4. You can verify the setup by using Test Configuration and checking the logs to make sure the correct RADIUS attribute name and value are being set for a particular user.
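To make the priority rule from Step 5 and the log check above concrete, here is an added Python example (not LoginTC's own code) that models the single-attribute selection and parses the authenticate.log line shown above to confirm the attribute the appliance set matches what the rule predicts. It assumes group names are compared case-insensitively, which the article does not state; the group list and log lines are constructed samples.

```python
from __future__ import annotations
import re
from typing import Iterable, Optional

# Constructed sample settings: the attribute name from Step 4 (the article's
# example uses "Class") and the priority-ordered AD Groups list from Step 5.
RADIUS_GROUP_ATTRIBUTE = "Class"
AD_GROUPS_SETTING = "Administrators, Sales,Engineers"


def parse_ad_groups(setting: str) -> list[str]:
    """Split the comma-delimited AD Groups setting, keeping priority order
    and dropping surrounding whitespace and empty entries."""
    return [g.strip() for g in setting.split(",") if g.strip()]


def select_group_attribute(user_groups: Iterable[str], priority_list: list[str],
                           attribute_name: str) -> Optional[tuple[str, str]]:
    """Model of the behaviour described in Step 5: return (attribute, value) for
    the FIRST configured group the user belongs to, or None when the user is in
    none of them (the attribute is then absent from the response).
    Assumption: membership is compared case-insensitively."""
    membership = {g.casefold() for g in user_groups}
    for group in priority_list:
        if group.casefold() in membership:
            return (attribute_name, group)
    return None


# Matches the DEBUG entry format shown above in authenticate.log.
LOG_LINE = re.compile(r"Setting RADIUS attribute: (?P<attr>[^=]+?)\s*=\s*(?P<value>.+?)\s*$")


def attribute_from_log(line: str) -> Optional[tuple[str, str]]:
    """Extract (attribute, value) from an authenticate.log line; None for
    lines that are not attribute-setting entries."""
    m = LOG_LINE.search(line)
    return (m.group("attr"), m.group("value")) if m else None


def check_against_log(user_groups: Iterable[str], log_lines: Iterable[str]) -> bool:
    """Test Configuration check: the attribute reported in the log must equal
    exactly what the priority rule predicts for this user (and be absent when
    the user is in none of the listed groups)."""
    expected = select_group_attribute(user_groups, parse_ad_groups(AD_GROUPS_SETTING),
                                      RADIUS_GROUP_ATTRIBUTE)
    observed = [a for a in map(attribute_from_log, log_lines) if a is not None]
    return observed == ([] if expected is None else [expected])


# Constructed log line modelled on the entry shown in the article.
SAMPLE_LOG = ["2017-05-25 14:51:06,163 - DEBUG - Setting RADIUS attribute: Class = Administrators"]
```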
