Solved

IAS Radius - Authenticating Cisco Admins and VPN Users on ASA 5510

Posted on 2008-10-30
3,942 Views
Last Modified: 2009-05-05
We have an ASA 5510 that we are configuring for RADIUS authentication.

We are trying to set up the authentication so that there are two separate groups on the ASA, both pointing to the same IAS server.

One group will be used to authenticate admin access to the ASA/Routers. (ie. Telnet, SSH, Console)
The second group will be used to authenticate the remote access VPN users.

I've tried setting it up, but because both groups on the ASA point to the same IAS server, the policies don't work well together.  The VPN users end up being able to log into the devices.

I tried using the shell:priv attributes, but then I read a topic on Cisco's site that the attribute is not supported on ASA devices.

There must be a way to do this without having to use two IAS servers.
Question by:BubbaJones82
4 Comments
 
LVL 1

Expert Comment

by:bml104
ID: 22851686
You can just point your ASA to authenticate VIA AD with LDAP.

http://6200networks.com/2007/10/02/asa-configure-ldap-authentication-for-users/

This is what I followed for my IAS authentication. I'm on 8.0

http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix/
 
LVL 1

Author Comment

by:BubbaJones82
ID: 22859628
The requirement is to use Radius to authenticate remote access vpn users as well as admin access to the ASA.
Radius also needs to return user attributes for static ip and privilege level.
 
LVL 2

Accepted Solution

by:vivek283 (earned 2000 total points)
ID: 22885693
Hi,

Solution 1
-----------

ASA's radius request packet for Administrative login and VPN login will have the following differences (assuming your admins are connecting to the console/telnet/ssh from inside):

Called-Station-Id for VPN is the outside IP address of the ASA
Calling-Station-Id for VPN will be a public IP address

So you can create 2 policies on IAS and filter based on called-station-id in addition to the Windows Group.

Solution 2
------------

This one requires at least 8.0.3 interim 19 on the ASA.

You have created 2 aaa-server entries. I presume both will have a host entry such as :

aaa-server <name> host <ip>

For the server group used for VPN use :

aaa-server <name> host (outside) <ip>

In this code, the ASA will use the outside IP address and a route lookup for the inside IP. Hence the source IP address of this request will be the outside IP address instead of the inside address. Now on IAS you need to match using the client address.
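As an added illustration of Solution 1 (example code written for this page, not from the thread, Cisco or Microsoft): a small Python model of how IAS walks its remote access policies in order, showing why group-only conditions let a VPN user's SSH login to the ASA through, and how adding the Called-Station-Id / Calling-Station-Id conditions separates the two cases. The interface addresses, group names and sample Access-Requests are constructed.

```python
import ipaddress

# Constructed values for this example; substitute your own addresses.
ASA_OUTSIDE_IP = "203.0.113.10"   # ASA outside interface (what VPN clients hit)
ASA_INSIDE_IP = "10.0.0.1"        # ASA inside/management interface
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def is_vpn_request(req):
    """Solution 1: a VPN Access-Request is addressed to the outside interface
    (Called-Station-Id) and comes from a public client (Calling-Station-Id)."""
    return (req.get("Called-Station-Id") == ASA_OUTSIDE_IP
            and not is_rfc1918(req["Calling-Station-Id"]))

def in_group(req, group):
    return group in req["groups"]

# Weak policy set: group membership is the only condition, so a VPN user's
# SSH login to the ASA still matches the first policy and is granted.
WEAK_POLICIES = [
    ("VPN users", lambda r: in_group(r, "VPN-Users")),
    ("ASA admins", lambda r: in_group(r, "Firewall-Admins")),
]

# Hardened policy set: each policy also matches on the station attributes.
HARDENED_POLICIES = [
    ("VPN users", lambda r: in_group(r, "VPN-Users") and is_vpn_request(r)),
    ("ASA admins", lambda r: in_group(r, "Firewall-Admins")
                             and not is_vpn_request(r)),
]

def evaluate(req, policies):
    """IAS walks the policies in order; the first match decides, else reject."""
    for name, cond in policies:
        if cond(req):
            return ("grant", name)
    return ("reject", None)

# Constructed sample Access-Requests (only the attributes used here).
VPN_USER_SSH = {"User-Name": "jdoe", "groups": ["VPN-Users"],
                "Called-Station-Id": ASA_INSIDE_IP, "Calling-Station-Id": "10.0.0.55"}
VPN_USER_TUNNEL = {"User-Name": "jdoe", "groups": ["VPN-Users"],
                   "Called-Station-Id": ASA_OUTSIDE_IP, "Calling-Station-Id": "198.51.100.7"}
ADMIN_SSH = {"User-Name": "ops", "groups": ["Firewall-Admins"],
             "Called-Station-Id": ASA_INSIDE_IP, "Calling-Station-Id": "10.0.0.55"}
```

Running `evaluate(VPN_USER_SSH, WEAK_POLICIES)` reproduces the questioner's problem (the SSH login is granted by the VPN policy), while the same request against `HARDENED_POLICIES` is rejected.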
 
LVL 1

Author Comment

by:BubbaJones82
ID: 22888718
I tested Solution 1 quickly and it looks like it's working.  I'll fully test it when I get to work this morning.

Solution 1 seems to be ideal since it doesn't require a second aaa-server group to be configured on the ASA.

Have you had any experience with the privilege levels?  I posted a separate question you may want to check out for some additional points.

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html

I'll let you know how this goes later today.

Thanks!
