Ubuntu 14.04 (Linux 3.13.0-48), freeradius 2.1.12, ASA 9.4.2 (which runs Lua 5.0.2), AnyConnect 4.2

Setting up communications between an ASA and a RADIUS server can be tricky, because it's hard to know which attributes the RADIUS server is sending back and which of them are actually being applied to a user session. One method is to use Wireshark to capture the traffic between the ASA and the RADIUS server. Another is to enable debugging on the ASA with debug dap trace. An easier way is to have the attributes printed out on the end-user device when the user logs in.

The dynamic access policy (DAP) feature of the ASA lets you enter Lua functions to get this information. Open ASDM and go to

  • Configuration
  • Remote Access VPN
  • Network (Client) Access
  • Dynamic Access Policies
  • Click Add
  • Policy Name: debug
  • Priority: 1 (or whatever works in your environment)
  • In the Selection Criteria area, click Advanced
  • Make sure AND is selected. In the Logical Expressions box, enter:
    assert(function()
    
      -- Walk a (possibly nested) table and show each leaf value to the user.
      -- CheckAndMsg(true, msg, "") is the DAP helper that displays msg when
      -- its first argument is true.
      function print_table(tbl, prefix)
         if (type(tbl) == "table") then
           for k,v in pairs(tbl) do
             if (type(v) == "table") then
               print_table(v, prefix .. "." .. tostring(k))
             else
               -- tostring() keeps the concatenation from failing on
               -- non-string values such as booleans
               CheckAndMsg(true, prefix .. "." .. tostring(k) .. "=\"" .. tostring(v) .. "\"", "")
             end
           end
         end
      end
    
      CheckAndMsg(true, "============", "")
      CheckAndMsg(true, "DEBUG", "")
      print_table(aaa, "aaa")            -- attributes returned by the AAA/RADIUS server
      print_table(endpoint, "endpoint")  -- endpoint (posture) attributes reported by the client
    
      -- returning true means this DAP always matches
      return true
    
    end)()
    
  • Click OK to close the Add Dynamic Access Policy window, then click Apply

Now, if you log in to AnyConnect on a device, you'll notice that a dropdown message box appears and shows you the values of the AV pairs.

You might want to be able to toggle the display of the debug message from a FreeRADIUS server. That will allow you to turn it on when a user calls in to report problems and you need to know which settings are being applied to their account.

  • On the FreeRADIUS server, change the user's record and add Reply-Message = "debug_print". Note that you could use any attribute you want, but I know that Reply-Message does work.
    test            Cleartext-Password := "test123"
                    Class = "OU=Test_VPN;",
                    Reply-Message = "debug_print"
    
  • Back in ASDM, go to the debug policy you created earlier and change it so that it only fires when Reply-Message = "debug_print".
  • Click OK, then Apply.
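A version of the DAP expression that only dumps the attributes when the RADIUS Reply-Message is "debug_print", written here as an added example rather than the author's own policy. It assumes the ASA exposes Reply-Message (standard RADIUS attribute 18) as aaa.radius["18"]["1"] and guards against the attribute being absent, so users without the flag see nothing and the expression never errors on a missing table.

```lua
assert(function()
  -- Added example, not from the original page. Assumes the ASA exposes
  -- RADIUS attribute 18 (Reply-Message) as aaa.radius["18"]["1"].
  local function reply_message()
    local radius = aaa and aaa.radius
    local attr = radius and radius["18"]
    if attr then return attr["1"] end
    return nil
  end

  -- Recursively show every leaf value of a table to the user via CheckAndMsg.
  local function print_table(tbl, prefix)
    if type(tbl) ~= "table" then return end
    for k, v in pairs(tbl) do
      if type(v) == "table" then
        print_table(v, prefix .. "." .. tostring(k))
      else
        CheckAndMsg(true, prefix .. "." .. tostring(k) .. "=\"" .. tostring(v) .. "\"", "")
      end
    end
  end

  -- Only fire (and only show the dump) when the RADIUS server set the flag.
  if reply_message() ~= "debug_print" then
    return false
  end

  CheckAndMsg(true, "============", "")
  CheckAndMsg(true, "DEBUG", "")
  print_table(aaa, "aaa")
  print_table(endpoint, "endpoint")
  return true
end)()
```

Returning false makes the DAP not match, so removing Reply-Message = "debug_print" from the user's FreeRADIUS record switches the dump off again without touching the ASA.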