Solved

IAS Radius - Authenticating Cisco Admins and VPN Users on ASA 5510

Posted on 2008-10-30
3,887 Views
Last Modified: 2009-05-05
We have an ASA 5510 that we are configuring for RADIUS authentication.

We are trying to set up the authentication so that there are two separate groups on the ASA, both pointing to the same IAS server.

One group will be used to authenticate admin access to the ASA/routers (i.e. Telnet, SSH, console).
The second group will be used to authenticate the remote access VPN users.

I've tried setting it up, but because both groups on the ASA point to the same IAS server, the policies don't work well together.  The VPN users end up being able to log into the devices.

I tried using the shell:priv attributes, but then I read a topic on Cisco's site saying that the attribute is not supported on ASA devices.

There must be a way to do this without having to use two IAS servers.
Question by:BubbaJones82
4 Comments
 
LVL 1

Expert Comment

by:bml104
ID: 22851686
You can just point your ASA to authenticate via AD with LDAP.

http://6200networks.com/2007/10/02/asa-configure-ldap-authentication-for-users/

This is what I followed for my IAS authentication. I'm on 8.0.

http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/
 
LVL 1

Author Comment

by:BubbaJones82
ID: 22859628
The requirement is to use RADIUS to authenticate remote access VPN users as well as admin access to the ASA.
RADIUS also needs to return user attributes for static IP and privilege level.
 
LVL 2

Accepted Solution

by:
vivek283 earned 500 total points
ID: 22885693
Hi,

Solution 1
-----------

The ASA's RADIUS request packets for administrative login and VPN login will have the following differences (assuming your admins are connecting to the console/telnet/ssh from inside):

Called-Station-Id for VPN is the outside IP address of the ASA
Calling-Station-Id for VPN will be a public IP address

So you can create 2 policies on IAS and filter based on Called-Station-Id in addition to the Windows group.

Solution 2
------------

This one requires at least 8.0.3 interim 19 on the ASA.

You have created 2 aaa-server entries. I presume both will have a host entry such as:

aaa-server <name> host <ip>

For the server group used for VPN use:

aaa-server <name> (outside) host <ip>

In this code the ASA will use the outside IP address and a route lookup for the inside IP. Hence the source IP address of this request will be the outside IP address instead of the inside address. Now on IAS you need to match using the client address.
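To make the two layouts in the accepted answer concrete, here is an added example (not code from the thread or from IAS) that models how IAS evaluates remote access policies: top to bottom, first policy whose conditions all hold wins, and a request that matches no policy is rejected. It runs the questioner's group-only layout, Solution 1 (Called-Station-Id plus a public Calling-Station-Id check) and Solution 2 (match on the RADIUS client address) against three constructed login requests, including the failing case from the question: a VPN-only user trying to SSH to the ASA. The ASA and IAS addresses, Windows group names, policy names and returned attribute sets are all constructed for the example; that an admin login carries the ASA's inside address as Called-Station-Id is the answer's assumption, not something the thread verifies.

```python
"""Model of first-match policy evaluation for the two IAS layouts in the answer.

Added example, not from the thread. Addresses and group names are constructed;
203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
real public addresses.
"""
import ipaddress

ASA_OUTSIDE_IP = "203.0.113.10"   # constructed: public address of the ASA
ASA_INSIDE_IP = "10.0.0.1"        # constructed: inside address of the ASA

# "Public" here means "not RFC 1918", which is what the answer's
# Calling-Station-Id test relies on (the documentation ranges above are not
# RFC 1918, so they count as public for this purpose).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def called_station(ip):
    """Condition: RADIUS Called-Station-Id equals the given ASA interface address."""
    return lambda req: req.get("Called-Station-Id") == ip


def member_of(group):
    """Condition: the user is a member of the named Windows group."""
    return lambda req: group in req["groups"]


def calling_station_is_public(req):
    """Condition: Calling-Station-Id (where the user connects from) is not RFC 1918."""
    addr = ipaddress.ip_address(req["Calling-Station-Id"])
    return not any(addr in net for net in RFC1918)


def client_address(ip):
    """Condition: the RADIUS packet was sourced from this client address (Solution 2)."""
    return lambda req: req["client_ip"] == ip


def evaluate(policies, req):
    """First-match evaluation: return (policy name, returned attributes) for the
    first policy whose conditions all hold, or (None, {}) when nothing matches,
    which IAS turns into an Access-Reject."""
    for name, conditions, profile in policies:
        if all(cond(req) for cond in conditions):
            return name, profile
    return None, {}


ADMIN_PROFILE = {"Service-Type": "Administrative"}              # constructed
VPN_PROFILE = {"Service-Type": "Framed", "Framed-Protocol": "PPP"}  # constructed

# The questioner's original layout: one policy per Windows group and nothing else.
GROUP_ONLY_POLICIES = [
    ("Device admins", [member_of("Net-Admins")], ADMIN_PROFILE),
    ("VPN users", [member_of("VPN-Users")], VPN_PROFILE),
]

# Solution 1: add Called-Station-Id, and for VPN also require a public caller.
SOLUTION1_POLICIES = [
    ("Device admins", [member_of("Net-Admins"), called_station(ASA_INSIDE_IP)], ADMIN_PROFILE),
    ("VPN users", [member_of("VPN-Users"), called_station(ASA_OUTSIDE_IP),
                   calling_station_is_public], VPN_PROFILE),
]

# Solution 2: the VPN aaa-server group sources its requests from the outside
# interface, so IAS can tell the two apart by the RADIUS client address.
SOLUTION2_POLICIES = [
    ("Device admins", [member_of("Net-Admins"), client_address(ASA_INSIDE_IP)], ADMIN_PROFILE),
    ("VPN users", [member_of("VPN-Users"), client_address(ASA_OUTSIDE_IP)], VPN_PROFILE),
]

# Constructed requests as seen by IAS. client_ip reflects the Solution 2
# aaa-server layout; Solution 1's policies do not look at it.
VPN_LOGIN = {"User-Name": "alice", "groups": ["VPN-Users"],
             "Called-Station-Id": ASA_OUTSIDE_IP, "Calling-Station-Id": "198.51.100.7",
             "client_ip": ASA_OUTSIDE_IP}
ADMIN_SSH_LOGIN = {"User-Name": "bob", "groups": ["Net-Admins"],
                   "Called-Station-Id": ASA_INSIDE_IP, "Calling-Station-Id": "10.0.0.50",
                   "client_ip": ASA_INSIDE_IP}
# The failure the question describes: a VPN-only user trying SSH to the ASA.
VPN_USER_SSH_LOGIN = {"User-Name": "alice", "groups": ["VPN-Users"],
                      "Called-Station-Id": ASA_INSIDE_IP, "Calling-Station-Id": "10.0.0.51",
                      "client_ip": ASA_INSIDE_IP}


def outcomes(policies):
    """Name of the policy (or None for reject) that each sample login hits."""
    samples = [("vpn", VPN_LOGIN), ("admin_ssh", ADMIN_SSH_LOGIN),
               ("vpn_user_ssh", VPN_USER_SSH_LOGIN)]
    return {label: evaluate(policies, req)[0] for label, req in samples}


if __name__ == "__main__":
    for label, pols in [("group only", GROUP_ONLY_POLICIES),
                        ("solution 1", SOLUTION1_POLICIES),
                        ("solution 2", SOLUTION2_POLICIES)]:
        print(label, outcomes(pols))
```

Under the group-only layout the VPN user's SSH attempt lands in the "VPN users" policy and is accepted, which is exactly the symptom in the question; under either solution the same request matches no policy and is rejected. Two things to check on a real IAS box before relying on this: the order of the policies (a broad policy above a narrow one wins), and that a console login actually carries the attributes the conditions test for, since an absent Calling-Station-Id makes the public-address condition fail rather than pass.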
 
LVL 1

Author Comment

by:BubbaJones82
ID: 22888718
I tested Solution 1 quickly and it looks like it's working.  I'll fully test it when I get to work this morning.

Solution 1 seems to be ideal since it doesn't require a second aaa-server group to be configured on the ASA.

Have you had any experience with the privilege levels?  I posted a separate question you may want to check out for some additional points.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html

I'll let you know how this goes later today.

Thanks!
