IAS Radius - Authenticating Cisco Admins and VPN Users on ASA 5510

We have an ASA 5510 that we are configuring for RADIUS authentication.

We are trying to setup the authentication so that there are two seperate groups on the ASA both pointing to the same IAS server.  

One group will be used to authenticate admin access to the ASA/Routers. (ie. Telnet, SSH, Console)
The second group will be used to authenticate the remote access VPN users.

I've tried setting it up but what happens is because both groups on the ASA point to the same IAS server the policies dont work well together.  The VPN users end up being able to log into the devices.

I tried using the shell:priv attributes but then I read a topic on cisco's site that the attribute is not supported on ASA devices.

There must be a way to do this without having to use two IAS servers.
LVL 1
BubbaJones82Asked:
Who is Participating?
 
vivek283Connect With a Mentor Commented:
Hi,

Solution 1
-----------

ASA's radius request packet for Administrative login and VPN login will have the following differences (assuming your admins are connecting to the console/telnet/ssh from inside):

Called-Station-Id for VPN is the outside IP address of the ASA
Calling-Station-Id for VPN will be a public IP address

So you can create 2 policies on IAS and filter based on called-station-id in addition to the Windows Group.

Solution 2
------------

This one requires 8.0.3 interim 19 atleast on ASA

You have created 2 aaa-server entries. I presume both will have a host entry such as :

aaa-server <name> host <ip>

For the server group used for VPN use :

aaa-server <name> host (outside) <ip>

In this code ASA will use the outside ip address and route lookup for the inside ip. Hence the source ip address of this request will be the outside IP Address instead of the inside address. Now on IAS you need to match using the client address.
0
 
bml104Commented:
You can just point your ASA to authenticate VIA AD with LDAP.

http://6200networks.com/2007/10/02/asa-configure-ldap-authentication-for-users/

This is what I followed for my IAS authentication. Im on 8.0

http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/
0
 
BubbaJones82Author Commented:
The requirement is to use Radius to authenticate remote access vpn users as well as admin access to the ASA.
Radius also needs to return user attributes for static ip and privilege level.
0
 
BubbaJones82Author Commented:
I tested Solution 1 quickly and it looks like its working.  I'll fully test it when I get to work this morning.  

Solution 1 seems to be ideal since It doesn't require a second aaa-server group to be configured on the ASA.

Have you had any experience with the privilege levels?  I posted a separate question you may want to check out for some additional points.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html

I'll let you know how this goes later today.

Thanks!

0
All Courses

From novice to tech pro — start learning today.