67-35
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter67 Configuring Connection Profiles, Group Policies, and Users
Configuring Connection Profiles
During authentication, the RADIUS server presents access challenge messages to the ASA. Within these
challenge messages are reply messages containing text from the SDI server. The message text is different
when the ASA is communicating directly with an SDI server than when communicating through the
RADIUS proxy. Therefore, in order to appear as a native SDI server to the AnyConnect client, the ASA
must interpret the messages from the RADIUS server.
Also, because the SDI messages are configurable on the SDI server, the message text on the ASA must
match (in whole or in part) the message text on the SDI server. Otherwise, the prompts displayed to the
remote client user may not be appropriate for the action required during authentication. The AnyConnect
client may fail to respond and authentication may fail.
The following section describes how to configure the ASA to ensure successful authentication between
the client and the SDI server:
Configuring the Security Appliance to Support RADIUS/SDI Messages
The following section describes the steps to configure the ASA to interpret SDI-specific RADIUS reply
messages and prompt the AnyConnect user for the appropriate action:
Step1 Configure a connection profile (tunnel group) to forward RADIUS reply messages in a manner that
simulates direct communication with an SDI server using the proxy-auth sdi command from
tunnel-group webvpn configuration mode. Users authenticating to the SDI server must connect over this
connection profile.
For example:
hostname(config)# tunnel-group sales webvpn attributes
hostname(tunnel-group-webvpn)# proxy-auth sdi
Step2 Configure the RADIUS reply message text on the ASA to match (in whole or in part) the message text
sent by the RADIUS server with the proxy-auth_map sdi command from tunnel-group webvpn
configuration mode.
The default message text used by the ASA is the default message text used by
Cisco Secure Access Control Server(ACS). If you are using Cisco Secure ACS, and it is using the
default message text, you do not need to configure the message text on the ASA. Otherwise, use the
proxy-auth_map sdi command to ensure the message text matches.
Table67-3 shows the message code, the default RADIUS reply message text, and the function of each
message. Because the security appliance searches for strings in the order that they appear in the table,
you must ensure that the string you use for the message text is not a subset of another string.
For example, “new PIN” is a subset of the default message text for both new-pin-sup and
next-ccode-and-reauth. If you configure new-pin-sup as “new PIN”, when the security appliance
receives “new PIN with the next card code” from the RADIUS server, it will match the text to the
new-pin-sup code instead of the next-ccode-and-reauth code.
Table67-3 SDI Op-codes, Default Message Text, and Message Function
Message Code
Default RADIUS Reply
Message Text Function
next-code Enter Next PASSCODE Indicates the user must enter the NEXT tokencode
without the PIN.
new-pin-sup Please remember your
new PIN
Indicates the new system PIN has been supplied and
displays that PIN for the user.