Hello,
I am currently using NPS for authentication and authorization for my Cisco AnyConnect VPN users. NPS is either granting or denying access, and if access is granted it sends a Class attribute back to the ASA with the grant reply that tells the ASA what policy to apply to the user. We are doing this to dynamically assign users to specific VLANs based on AD group membership.
I am currently working on switching the authentication piece to Okta SAML. That is working, but I now need to make a second call to the NPS server for the Class attribute (authorization) so the ASA can assign the user to the correct VLAN.
I know that the process of making the separate authorization call to a RADIUS server is possible and is fairly common practice. What I am not seeing is how to write the Network Policy for just the Authorization piece. You have to select a Grant or Deny option.
From my research, since the authentication is happening elsewhere, the ASA does not have a user password to send to the NPS server. All it has to send is the username it receives from the authentication server (Okta). Am I able to configure it to ignore the password somehow?
Thanks
Jeremy