Solved

IAS Radius - Authenticating Cisco Admins and VPN Users on ASA 5510

Posted on 2008-10-30
Last Modified: 2009-05-05
We have an ASA 5510 that we are configuring for RADIUS authentication.

We are trying to set up the authentication so that there are two separate groups on the ASA, both pointing to the same IAS server.

One group will be used to authenticate admin access to the ASA/routers (i.e. Telnet, SSH, console).
The second group will be used to authenticate the remote access VPN users.

I've tried setting it up, but what happens is that because both groups on the ASA point to the same IAS server, the policies don't work well together. The VPN users end up being able to log into the devices.

I tried using the shell:priv attributes, but then I read a topic on Cisco's site that the attribute is not supported on ASA devices.

There must be a way to do this without having to use two IAS servers.
Question by: BubbaJones82

Expert Comment by: bml104 (ID: 22851686)
You can just point your ASA to authenticate via AD with LDAP.

http://6200networks.com/2007/10/02/asa-configure-ldap-authentication-for-users/

This is what I followed for my IAS authentication. I'm on 8.0.

http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/

Author Comment by: BubbaJones82 (ID: 22859628)
The requirement is to use RADIUS to authenticate remote access VPN users as well as admin access to the ASA.
RADIUS also needs to return user attributes for static IP and privilege level.

Accepted Solution by: vivek283 (earned 500 total points; ID: 22885693)
Hi,

Solution 1
----------

The ASA's RADIUS request packets for administrative login and VPN login will have the following differences (assuming your admins are connecting to the console/Telnet/SSH from inside):

Called-Station-Id for VPN is the outside IP address of the ASA.
Calling-Station-Id for VPN will be a public IP address.

So you can create two policies on IAS and filter based on Called-Station-Id in addition to the Windows group.

Solution 2
----------

This one requires at least 8.0.3 interim 19 on the ASA.

You have created two aaa-server entries. I presume both will have a host entry such as:

aaa-server <name> host <ip>

For the server group used for VPN, use:

aaa-server <name> host (outside) <ip>

In this code the ASA will use the outside IP address and a route lookup for the inside IP. Hence the source IP address of this request will be the outside IP address instead of the inside address. Now on IAS you need to match using the client address.

Author Comment by: BubbaJones82 (ID: 22888718)
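The two policy conditions described in the accepted solution, as an added example that is not part of this thread and not IAS code: a small Python model of first-match policy evaluation over RADIUS request attributes, with constructed addresses, group names and requests, showing why group-only policies grant a VPN user's SSH login and how a Called-Station-Id condition (Solution 1) or a RADIUS client address condition (Solution 2) rejects it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed addresses for the example: ASA outside (RFC 5737 range) and inside interfaces.
ASA_OUTSIDE_IP = "203.0.113.10"
ASA_INSIDE_IP = "10.0.0.1"

@dataclass
class Policy:
    """One IAS remote access policy: a Windows group plus optional request conditions."""
    name: str
    group: str                               # Windows group the user must belong to
    called_station_id: Optional[str] = None  # Solution 1: ASA address the user connected to
    client_ip: Optional[str] = None          # Solution 2: source address of the RADIUS client

    def matches(self, req: Dict[str, str], groups: Set[str]) -> bool:
        if self.group not in groups:
            return False
        if self.called_station_id and req["Called-Station-Id"] != self.called_station_id:
            return False
        if self.client_ip and req["client_src_ip"] != self.client_ip:
            return False
        return True

def evaluate(req: Dict[str, str], groups: Set[str], policies: List[Policy]) -> Optional[str]:
    """First-match evaluation: returns the granting policy's name, or None for Access-Reject."""
    for policy in policies:
        if policy.matches(req, groups):
            return policy.name
    return None

# Constructed Access-Requests. "client_src_ip" is the UDP source of the RADIUS client; with
# "aaa-server <name> host (outside) <ip>" the VPN server group sends from the outside address.
# Management logins are assumed to carry the inside interface address as Called-Station-Id.
VPN_LOGIN = {"Called-Station-Id": ASA_OUTSIDE_IP, "Calling-Station-Id": "198.51.100.7",
             "client_src_ip": ASA_OUTSIDE_IP}
SSH_LOGIN = {"Called-Station-Id": ASA_INSIDE_IP, "Calling-Station-Id": "10.0.5.20",
             "client_src_ip": ASA_INSIDE_IP}
VPN_USER, ADMIN_USER = {"VPN-Users"}, {"ASA-Admins"}

# Group-only policies reproduce the problem in the question: a VPN user's SSH login is
# granted by the "VPN users" policy because nothing separates the two request types.
GROUP_ONLY = [Policy("VPN users", "VPN-Users"), Policy("ASA admins", "ASA-Admins")]
SOLUTION_1 = [Policy("VPN users", "VPN-Users", called_station_id=ASA_OUTSIDE_IP),
              Policy("ASA admins", "ASA-Admins", called_station_id=ASA_INSIDE_IP)]
SOLUTION_2 = [Policy("VPN users", "VPN-Users", client_ip=ASA_OUTSIDE_IP),
              Policy("ASA admins", "ASA-Admins", client_ip=ASA_INSIDE_IP)]

if __name__ == "__main__":
    for label, rules in (("group only", GROUP_ONLY), ("solution 1", SOLUTION_1), ("solution 2", SOLUTION_2)):
        print(f"{label}: VPN user over SSH -> {evaluate(SSH_LOGIN, VPN_USER, rules)}")
```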
I tested Solution 1 quickly and it looks like it's working. I'll fully test it when I get to work this morning.

Solution 1 seems to be ideal since it doesn't require a second aaa-server group to be configured on the ASA.

Have you had any experience with the privilege levels? I posted a separate question you may want to check out for some additional points.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html

I'll let you know how this goes later today.

Thanks!
