AAA group session policies are not applying based on priority
Article ID: CTX289931
Description
When AAA groups are used to apply session policies and a user is a member of multiple AAA groups, the policy with the lower priority is not applied; the higher priority policy is applied instead.
Resolution
When using AAA groups with advanced authentication, if a user will receive session policies from multiple AAA groups, add weights to the groups to establish priority.
The weights cannot currently be set in the GUI and must be set in the CLI with the "add aaa group <name> -weight #" command.
Problem Cause
When advanced session policies are used, AAA group processing of session policies is slightly different.
With classic policies, all AAA group based session policies are lumped together and evaluated based on priority.
With advanced policies, each AAA group is evaluated separately, so a policy's priority only applies relative to other policies in the same group. If a user is a member of multiple AAA groups where the same type of policy is applied, precedence between the groups is decided by group weight first. The group with the lower weight takes priority; individual policy priorities are evaluated afterwards and apply only to other policies in the same group.
In the CLI, "show aaa group" shows that each group has a weight of 0 by default. In this situation all AAA groups have equal priority, and the policy that takes priority is the one from whichever AAA group was created first in the config.
To have further control over which group will have priority, adjust the weights of the AAA groups; the lower weight has the highest priority.
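The ordering described above can be modelled offline to audit a configuration. The following is an added example, not Citrix code: the config lines, group names and policy names are constructed, and it assumes that a lower priority number is evaluated first and that bindings appear as "bind aaa group <name> -policy <policy> -priority <n>" lines.

```python
import re

# Constructed sample config (not from the article); all names are hypothetical.
SAMPLE_CONFIG = """\
add aaa group Contractors
add aaa group Staff
add aaa group Admins -weight 10
bind aaa group Contractors -policy sess_restricted -priority 100
bind aaa group Staff -policy sess_standard -priority 10
bind aaa group Staff -policy sess_fallback -priority 50
bind aaa group Admins -policy sess_admin -priority 200
"""

ADD_RE = re.compile(r"^add aaa group (\S+)(?:.*?-weight (\d+))?", re.I)
BIND_RE = re.compile(r"^bind aaa group (\S+) .*?-policy (\S+) .*?-priority (\d+)", re.I)

def parse(config):
    """Return {group: (weight, creation_index)} and bindings; weight defaults to 0."""
    groups, binds = {}, []
    for line in map(str.strip, config.splitlines()):
        if m := ADD_RE.match(line):
            groups.setdefault(m.group(1), (int(m.group(2) or 0), len(groups)))
        elif m := BIND_RE.match(line):
            binds.append((m.group(1), m.group(2), int(m.group(3))))
    return groups, binds

def classic_order(config, user_groups):
    """Classic model: all group bindings pooled and ordered by priority alone."""
    _, binds = parse(config)
    rows = [(prio, pol) for g, pol, prio in binds if g in user_groups]
    return [pol for _, pol in sorted(rows)]

def advanced_order(config, user_groups):
    """Advanced model: group weight, then creation order, then priority in group."""
    groups, binds = parse(config)
    rows = [(*groups[g], prio, pol) for g, pol, prio in binds
            if g in user_groups and g in groups]
    return [pol for *_, pol in sorted(rows)]

def weight_ties(config, user_groups):
    """Weights shared by several of the user's groups (creation order decides)."""
    groups, _ = parse(config)
    by_weight = {}
    for g in sorted((g for g in user_groups if g in groups), key=lambda g: groups[g][1]):
        by_weight.setdefault(groups[g][0], []).append(g)
    return {w: gs for w, gs in by_weight.items() if len(gs) > 1}

if __name__ == "__main__":
    print(advanced_order(SAMPLE_CONFIG, {"Contractors", "Staff", "Admins"}))
```

In the sample, sess_restricted is evaluated ahead of sess_standard even though its priority number is higher, because both groups have weight 0 and Contractors was created first; weight_ties reports such groups so explicit weights can be assigned.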