Cisco ASA - Group-policy assignment based on OU


The purpose of this document is to explain the configuration required to assign a group-policy to a user based on their OU group.


The Cisco ASA firewall includes the ability to assign a user to a group-policy based on their OU group. This is achieved using IETF RADIUS Attribute 25.
This attribute contains the user's OU and is sent by the RADIUS server to the ASA during the RADIUS authentication and authorization process.

Note: IETF RADIUS Attribute 25 is defined within the Network Working Group RFC 2865.

Configuration Example

In this example we will use this feature to assign different bookmarks to the user based on which OU group they are in.
We will use 2 OU groups: Sales and Finance.

For the correct group-policy to be assigned, the OU returned by the RADIUS server must match the name of the corresponding group-policy. The OU returned must also end with a semicolon (;). An example is shown below:

4f 55 3d 54 65 73 74 55 73 65 72 3b                |  OU=TestOU;


Prior to configuring the firewall, each user/group on the RADIUS server must be assigned RADIUS Attribute 25.

Cisco ASA

In essence the ASA configuration is fairly simple. A group-policy is created for each OU (and named accordingly), along with a single tunnel-group and a AAA server.

aaa-server RADServer protocol radius
aaa-server RADServer (dmz) host
 retry-interval 3
 timeout 25
 key ******
 radius-common-pw ******

group-policy Sales internal
group-policy Sales attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value bookmark1
  customization value DfltCustomization

group-policy Finance internal
group-policy Finance attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list value bookmark2
  customization value DfltCustomization

tunnel-group WebVPN type remote-access
tunnel-group WebVPN general-attributes
 address-pool ippool
 authentication-server-group RADServer
tunnel-group WebVPN webvpn-attributes
 group-alias WEBVPN-EXAMPLE enable


When debugging, there are 2 main commands on the ASA:

debug radius all - shows the response and attributes returned by the RADIUS server.
sh vpn-sessiondb webvpn - shows the group-policy and tunnel-group assigned to the user.

debug radius all

cisco-asa# debug radius all

RADIUS packet decode (response)

Raw packet data (length = 34).....
02 3a 00 22 e6 28 3c 24 8a d4 87 c1 71 16 ce de    |  .:.".(<$....q...
74 1d 46 81 19 0e 4f 55 3d 54 65 73 74 55 73 65    |  t.F...OU=TestOU; |

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 58 (0x3A)
Radius: Length = 34 (0x0022)
Radius: Vector: E6283C241AD487C17016CBDE741D4681
Radius: Type = 25 (0x19) Class
Radius: Length = 14 (0x0E)
Radius: Value (String) =
4f 55 3d 54 65 73 74 55 73 65 72 3b                |  OU=TestOU;
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
remove_req 0xab9dfcec session 0x413e id 58
free_rip 0xab9dfcec
radius: send queue empty
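
The same decode can be done offline against a captured reply to confirm which group-policy a given Class value would select. The script below is an added example, not part of the original article or Cisco tooling; the function names, the constructed sample packets and the exact, case-sensitive name comparison are assumptions.

```python
import struct

ACCESS_ACCEPT = 2   # RADIUS code for Access-Accept
ATTR_CLASS = 25     # IETF Class attribute, RFC 2865

def parse_radius(packet: bytes):
    """Return (code, [(attr_type, value), ...]) for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not fit the captured bytes")
    attrs, pos = [], 20          # skip code, id, length, 16-byte authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs

def ou_from_class(value: bytes):
    """Return NAME from 'OU=NAME;', or None when the form is not met."""
    text = value.decode("ascii", errors="replace")
    if not text.startswith("OU=") or ";" not in text:
        return None              # the article requires the trailing semicolon
    return text[3:text.index(";")] or None

def policy_for_reply(packet: bytes, group_policies):
    """Group-policy name selected by an Access-Accept, else None."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        return None
    for a_type, value in attrs:
        name = ou_from_class(value) if a_type == ATTR_CLASS else None
        if name in group_policies:   # assumption: exact, case-sensitive match
            return name
    return None

def sample_accept(class_value: bytes) -> bytes:
    """Constructed Access-Accept (all-zero authenticator) with one Class attribute."""
    attr = bytes([ATTR_CLASS, len(class_value) + 2]) + class_value
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attr)) + bytes(16) + attr

if __name__ == "__main__":
    policies = {"Sales", "Finance"}   # group-policy names from the configuration
    for cls in (b"OU=Sales;", b"OU=Sales", b"OU=Marketing;"):
        print(cls, "->", policy_for_reply(sample_accept(cls), policies))
```

A result of None for a reply that should have matched points at the Class string on the RADIUS server (missing semicolon, or a name with no matching group-policy) rather than at the ASA configuration.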

show vpn-sessiondb webvpn

cisco-asa# sh vpn-sessiondb webvpn

Session Type: WebVPN

Username     : Test                  Index        : 2395
Public IP    :
Protocol     : Clientless
License      : SSL VPN
Encryption   : RC4                    Hashing      : SHA1
Bytes Tx     : 52548                  Bytes Rx     : 21453
Group Policy : TestOU               Tunnel Group : WebVPN
Login Time   : 09:27:03 cdt Wed May 2 2012
Duration     : 0h:11m:55s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none


The main caveat with this configuration method arises when the same AAA server is used for different tunnel-groups. If the same authentication-server-group (RADIUS server) is assigned, then when RADIUS Attribute 25 is returned the user will be assigned to the relevant group-policy based on their OU, regardless of which tunnel-group they arrived on.

As you can imagine, this can cause a number of complications, especially when a user arrives via an IPsec tunnel-group only to then be assigned to a WebVPN group-policy. The result for the client is a "Reason 433: Reason Not Specified by Peer" error.

The workaround is to assign different users or authentication-server-groups to each tunnel-group.

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001