Cisco ASA Series Cli Configuration Manual page 1669

Chapter 1 Configuring Connection Profiles, Group Policies, and Users
During authentication, the RADIUS server presents access challenge messages to the ASA. Within these
challenge messages are reply messages containing text from the SDI server. The message text is different
when the ASA is communicating directly with an SDI server than when communicating through the
RADIUS proxy. Therefore, in order to appear as a native SDI server to the AnyConnect client, the ASA
must interpret the messages from the RADIUS server.
Also, because the SDI messages are configurable on the SDI server, the message text on the ASA must
match (in whole or in part) the message text on the SDI server. Otherwise, the prompts displayed to the
remote client user may not be appropriate for the action required during authentication. The AnyConnect
client may fail to respond and authentication may fail.
"Configuring the Security Appliance to Support RADIUS/SDI Messages" section on page 70-35
describes how to configure the ASA to ensure successful authentication between the client and the SDI
server.
Configuring the Security Appliance to Support RADIUS/SDI Messages
To configure the ASA to interpret SDI-specific RADIUS reply messages and prompt the AnyConnect
user for the appropriate action, perform the following steps:
Step 1
Configure a connection profile (tunnel group) to forward RADIUS reply messages in a manner that
simulates direct communication with an SDI server using the proxy-auth sdi command from
tunnel-group webvpn configuration mode. Users authenticating to the SDI server must connect over this
connection profile.
For example:
hostname(config)# tunnel-group sales webvpn attributes
hostname(tunnel-group-webvpn)# proxy-auth sdi
Step 2
Configure the RADIUS reply message text on the ASA to match (in whole or in part) the message text
sent by the RADIUS server with the proxy-auth_map sdi command from tunnel-group webvpn
configuration mode.
The default message text used by the ASA is the default message text used by
Cisco Secure Access Control Server (ACS). If you are using Cisco Secure ACS, and it is using the
default message text, you do not need to configure the message text on the ASA. Otherwise, use the
proxy-auth_map sdi command to ensure the message text matches.
Table 70-3
message. Because the security appliance searches for strings in the order that they appear in the table,
you must ensure that the string you use for the message text is not a subset of another string.
For example, "new PIN" is a subset of the default message text for both new-pin-sup and
next-ccode-and-reauth. If you configure new-pin-sup as "new PIN", when the security appliance
receives "new PIN with the next card code" from the RADIUS server, it will match the text to the
new-pin-sup code instead of the next-ccode-and-reauth code.
Message Code
next-code
new-pin-sup
shows the message code, the default RADIUS reply message text, and the function of each
Table 1-3
Default RADIUS Reply
Message Text
Enter Next PASSCODE
Please remember your
new PIN
SDI Op-codes, Default Message Text, and Message Function
Function
Indicates the user must enter the NEXT tokencode
without the PIN.
Indicates the new system PIN has been supplied and
displays that PIN for the user.
Cisco ASA Series CLI Configuration Guide
Configuring Connection Profiles
1-35