Solved

IAS Radius - Authenticating Cisco Admins and VPN Users on ASA 5510

Posted on 2008-10-30
4
3,888 Views
Last Modified: 2009-05-05
We have an ASA 5510 that we are configuring for RADIUS authentication.

We are trying to setup the authentication so that there are two seperate groups on the ASA both pointing to the same IAS server.  

One group will be used to authenticate admin access to the ASA/Routers. (ie. Telnet, SSH, Console)
The second group will be used to authenticate the remote access VPN users.

I've tried setting it up but what happens is because both groups on the ASA point to the same IAS server the policies dont work well together.  The VPN users end up being able to log into the devices.

I tried using the shell:priv attributes but then I read a topic on cisco's site that the attribute is not supported on ASA devices.

There must be a way to do this without having to use two IAS servers.
0
Comment
Question by:BubbaJones82
  • 2
4 Comments
 
LVL 1

Expert Comment

by:bml104
ID: 22851686
You can just point your ASA to authenticate VIA AD with LDAP.

http://6200networks.com/2007/10/02/asa-configure-ldap-authentication-for-users/

This is what I followed for my IAS authentication. Im on 8.0

http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/
0
 
LVL 1

Author Comment

by:BubbaJones82
ID: 22859628
The requirement is to use Radius to authenticate remote access vpn users as well as admin access to the ASA.
Radius also needs to return user attributes for static ip and privilege level.
0
 
LVL 2

Accepted Solution

by:
vivek283 earned 500 total points
ID: 22885693
Hi,

Solution 1
-----------

ASA's radius request packet for Administrative login and VPN login will have the following differences (assuming your admins are connecting to the console/telnet/ssh from inside):

Called-Station-Id for VPN is the outside IP address of the ASA
Calling-Station-Id for VPN will be a public IP address

So you can create 2 policies on IAS and filter based on called-station-id in addition to the Windows Group.

Solution 2
------------

This one requires 8.0.3 interim 19 atleast on ASA

You have created 2 aaa-server entries. I presume both will have a host entry such as :

aaa-server <name> host <ip>

For the server group used for VPN use :

aaa-server <name> host (outside) <ip>

In this code ASA will use the outside ip address and route lookup for the inside ip. Hence the source ip address of this request will be the outside IP Address instead of the inside address. Now on IAS you need to match using the client address.
0
 
LVL 1

Author Comment

by:BubbaJones82
ID: 22888718
I tested Solution 1 quickly and it looks like its working.  I'll fully test it when I get to work this morning.  

Solution 1 seems to be ideal since It doesn't require a second aaa-server group to be configured on the ASA.

Have you had any experience with the privilege levels?  I posted a separate question you may want to check out for some additional points.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html

I'll let you know how this goes later today.

Thanks!

0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now