This document describes how to configure Cisco Identity Services Engine
(ISE) to utilize the Client-Type RADIUS Vendor-Specific Attribute (VSA) in
order to differentiate multiple types of authentication used on the Cisco
Adaptive Security Appliance (ASA). Organizations often require policy decisions
based on the way the user is authenticated to the ASA. The attribute also allows
you to apply policy to management connections received on the ASA, so that RADIUS
can be used in place of TACACS+ when prudent.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and
The Client-Type attribute was added in ASA Release 8.4.3. It allows the ASA
to tell ISE which type of client is authenticating, in Access-Request (and
Accounting-Request) packets, so that ISE can make policy decisions based on
that attribute. The attribute requires no configuration on the ASA and is
sent automatically.
The Client-Type attribute is currently defined with these integer
Cisco VPN Client (Internet Key Exchange Version
AnyConnect Client SSL VPN
Clientless SSL VPN
L2TP/IPsec SSL VPN
AnyConnect Client IPsec VPN (IKEv2)
In this section, you are provided the information you need in order to
configure ISE to utilize the Client-Type attribute described in this
To add the Client-Type attribute values to ISE, create the attribute
and populate its values as a custom dictionary.
On ISE, navigate to Policy > Policy
Elements > Dictionaries >
Within the System dictionaries, navigate to
RADIUS > RADIUS Vendors
The Vendor ID on the screen should be 3076. Click on the
Dictionary Attributes tab.
Click Add (See Figure 1).
Figure 1: Dictionary Attributes
Populate the fields in the custom RADIUS Vendor Attribute form as
seen in Figure 2.
Figure 2: RADIUS Vendor Attribute
Click the Save button at the bottom of the
In order to utilize the new attribute for policy decisions, add the
attribute to an authorization rule in the conditions section.
In ISE, navigate to Policy >
Create a new rule or modify an existing policy.
In the conditions section of the rule, expand the conditions pane and
select either Create a New Condition (for a new rule) or
Add Attribute/Value (for a pre-existing
In the Select Attribute field, navigate to
Choose the appropriate operator (Equals or
Not Equals) for your environment.
Choose the Authentication type you wish to
Assign an Authorization Result appropriate to your
After the rule is created, the Authorization Condition should look
similar to the example in Figure 3.
Figure 3: Authorization Condition Example
In order to verify the Client-Type attribute is in use, examine the
authentications from the ASA in ISE.
Navigate to Operations >
Click the Details button for the authentication from
Scroll down to Other Attributes and look for
CVPN3000/ASA/PIX7x-Client-Type= (See Figure 4)
Figure 4: Other Attributes Details
The Other Attributes field should indicate the
received value for the authentication. The rule should match the policy defined
in step 2 of the configuration section.
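
To confirm outside the ISE GUI that the ASA really sends the attribute, the following added example (not part of the Cisco document) walks the attributes of a raw RADIUS Access-Request and extracts the Client-Type value from the Vendor-Specific attribute for vendor ID 3076. The vendor attribute number 150 is an assumption, since this page does not state it; the function names and the sample packet are constructed for illustration.

```python
import struct

VENDOR_ID = 3076        # vendor ID shown on the ISE dictionary screen
CLIENT_TYPE_ATTR = 150  # assumption: vendor attribute number, not stated on this page
VENDOR_SPECIFIC = 26    # RADIUS Vendor-Specific attribute type (RFC 2865)

def vendor_attributes(packet: bytes, vendor_id: int) -> dict:
    """Return {vendor_type: value_bytes} for one vendor's VSAs in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        pos += a_len
        # Skip anything that is not a VSA belonging to the requested vendor.
        if a_type != VENDOR_SPECIFIC or len(value) < 4 or struct.unpack("!I", value[:4])[0] != vendor_id:
            continue
        sub = value[4:]  # one or more vendor sub-attributes: type, length, data
        while len(sub) >= 2:
            v_len = sub[1]
            if v_len < 2 or v_len > len(sub):
                raise ValueError("bad vendor sub-attribute length")
            found[sub[0]] = sub[2:v_len]
            sub = sub[v_len:]
    return found

def client_type(packet: bytes):
    """Integer Client-Type value, or None when the packet does not carry it."""
    raw = vendor_attributes(packet, VENDOR_ID).get(CLIENT_TYPE_ATTR)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("Client-Type is not a 4-byte integer")
    return struct.unpack("!I", raw)[0]

def sample_access_request(value=None) -> bytes:
    """Constructed Access-Request: User-Name, plus the Client-Type VSA if value is given."""
    attrs = bytes([1, 7]) + b"alice"
    if value is not None:
        sub = bytes([CLIENT_TYPE_ATTR, 6]) + struct.pack("!I", value)
        attrs += bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", VENDOR_ID) + sub
    return struct.pack("!BBH", 1, 1, 20 + len(attrs)) + bytes(16) + attrs
```

A return value of None for a request from an ASA that should support the attribute means an authorization rule that matches on Client-Type cannot match that session.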