Solved

Cisco ASA 8 Privilege-Level Radius Attribute for IAS

Posted on 2008-11-02
Last Modified: 2012-06-27
Has anyone successfully configured Microsoft IAS to send the Cisco Radius Privilege-Level 220 attribute to an ASA with firmware 8.0?

When a user telnets into the ASA they should be put into priv exec mode (#) instead of needing to type enable and enter another password.

According to the ASA 8.0 configuration guide, at the bottom of the Radius section, it lists the Privilege-Level attribute with an attribute number of 220.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1661512

I've tried to enter this into IAS as a vendor-specific attribute but I've had no luck.

I've added the radius debugging info for a telnet login.

Under "parsed packet data" it appears to be accepting the attribute as it recognizes 220 as Privilege Level.

Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)


Thanks in advance!


radius mkreq: 0xe
alloc_rip 0xd5137894
    new request 0xe --> 12 (0xd5137894)
got user ''
got password
add_req 0xd5137894 session 0xe id 12
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 131).....
01 0c 00 83 2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d    |  ......\e:.H.....
92 63 60 19 01 0f 73 74 65 76 65 6e 2e 6d 69 6c    |  .c`...user.name
6c 65 72 02 12 fa 19 80 01 8e 41 21 e5 3f fd b1    |  .......A!.?..
12 a4 37 93 05 04 06 0a f9 01 f6 05 06 00 00 00    |  ..7.............
0b 3d 06 00 00 00 05 1a 21 00 00 00 09 01 1b 69    |  .=......!......i
70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 32    |  p:source-ip=10.2
34 39 2e 35 35 2e 33 33 1f 1b 69 70 3a 73 6f 75    |  49.55.33..ip:sou
72 63 65 2d 69 70 3d 31 30 2e 32 34 39 2e 35 35    |  rce-ip=10.249.55
2e 33 33                                           |  .33

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 12 (0x0C)
Radius: Length = 131 (0x0083)
Radius: Vector: 2ECF5C653AEB48E106C7F41D92636019
Radius: Type = 1 (0x01) User-Name
Radius: Length = 15 (0x0F)
Radius: Value (String) =
73 74 65 76 65 6e 2e 6d 69 6c 6c 65 72             |  user.name
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
fa 19 80 01 8e 41 21 e5 3f fd b1 12 a4 37 93 05    |  .....A!.?....7..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.249.1.246 (0x0AF901F6)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
send pkt 10.249.24.32/1645
rip 0xd5137894 state 7 id 12
rad_vrfy() : response message verified
rip 0xd513a280
 : chall_state ''
 : state 0x7
 : timer 0x0
 : reqauth:
     2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d 92 63 60 19
 : info 0xe
     session_id 0xe
     request_id 0xc
     user 'user.name'
     response '***'
     app 0
     reason 0
     skey 'RadiusKey'
     sip 10.249.24.32
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 88).....
02 0c 00 58 12 c2 06 68 77 7a 52 c9 79 a9 50 a6    |  ...X...hwzR.y.P.
d8 4c b0 6c 1a 0c 00 00 0c 04 dc 06 00 00 00 0f    |  .L.l............
19 20 40 49 04 6e 00 00 01 37 00 01 0a f9 18 20    |  . @I.n...7.....
01 c9 3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14    |  ..:H.)..........
1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00    |  .....7..........
01 37 08 06 00 00 00 00                            |  .7......

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 12 (0x0C)
Radius: Length = 88 (0x0058)
Radius: Vector: 12C20668777A52C979A950A6D84CB06C
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)
Radius: Type = 25 (0x19) Class
Radius: Length = 32 (0x20)
Radius: Value (String) =
40 49 04 6e 00 00 01 37 00 01 0a f9 18 20 01 c9    |  @I.n...7..... ..
3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14          |  :H.)..........
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 7 (0x07) Unknown
Radius: Length = 6 (0x06)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 8 (0x08) Unknown
Radius: Length = 6 (0x06)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xd5137894 session 0xe id 12
free_rip 0xd5137894
radius: send queue empty


Question by:BubbaJones82
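The 88-byte Access-Accept from the debug output above, decoded by a small parser (an added example, not code from the original post or from Cisco): it checks the RADIUS Length field and every attribute length before trusting them, flattens the Vendor-Specific (26) attributes, and pulls out the 26/3076/220 Privilege-Level, which for this packet is 15. The packet bytes are transcribed from the raw dump in the question; the vendor IDs 3076, 311 and 9 are the ones the log shows.

```python
import struct

VSA, ACCESS_ACCEPT = 26, 2
VENDOR_CISCO, VENDOR_CISCO_VPN3000 = 9, 3076  # Cisco-AV-pair is 26/9/1; Privilege-Level is 26/3076/220

# Constructed sample: the 88-byte Access-Accept transcribed from the question's debug output.
SAMPLE_ACCEPT = bytes.fromhex(
    "02 0c 00 58 12 c2 06 68 77 7a 52 c9 79 a9 50 a6"
    "d8 4c b0 6c 1a 0c 00 00 0c 04 dc 06 00 00 00 0f"
    "19 20 40 49 04 6e 00 00 01 37 00 01 0a f9 18 20"
    "01 c9 3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14"
    "1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00"
    "01 37 08 06 00 00 00 00"
)

def _tlvs(buf, off):
    """Walk type/length/value triples, refusing any length that runs past the buffer."""
    out = []
    while off < len(buf):
        if off + 2 > len(buf) or buf[off + 1] < 2 or off + buf[off + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % off)
        out.append((buf[off], buf[off + 2:off + buf[off + 1]]))
        off += buf[off + 1]
    return out

def parse_radius(packet):
    """Return (code, identifier, [(type, value), ...]) after checking the Length field."""
    code, ident, length = struct.unpack_from("!BBH", packet, 0)
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    return code, ident, _tlvs(packet, 20)  # skip 4-byte header + 16-byte authenticator

def vendor_attributes(packet):
    """Flatten every Vendor-Specific (26) attribute into [(vendor_id, vendor_type, value)]."""
    found = []
    for atype, value in parse_radius(packet)[2]:
        if atype == VSA and len(value) >= 6:
            vendor = struct.unpack_from("!I", value, 0)[0]
            found += [(vendor, vtype, data) for vtype, data in _tlvs(value, 4)]
    return found

def privilege_level(packet):
    """Privilege-Level (26/3076/220) carried by an Access-Accept, or None if absent or invalid."""
    code = parse_radius(packet)[0]
    for vendor, vtype, data in vendor_attributes(packet):
        if code == ACCESS_ACCEPT and vendor == VENDOR_CISCO_VPN3000 and vtype == 220 and len(data) == 4:
            level = struct.unpack("!I", data)[0]
            return level if 0 <= level <= 15 else None
    return None
```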

Expert Comment

by:vivek283
ID: 22891719
Hi,

ASA/PIX cannot put a user into priv exec mode directly. This feature is yet to be added into ASA/PIX.

BTW RADIUS privilege levels are sent using 26/09/001 Cisco-av-pair. The value is set to "priv:lvl=<lvl>". This might be useful for ASDM.

HTH

Author Comment

by:BubbaJones82
ID: 22891806
I did read at the link below that it's not supported, but it only mentions versions 7.x. I was hoping this was implemented in version 8.x.

http://supportwiki.cisco.com/ViewWiki/index.php/The_AAA_Exec_Authorization_with_RADIUS_or_TACACS_fails_to_work_on_the_ASA
The version 8 documentation does mention a privilege-level which seems to indicate that version 8 supports it.

Attribute Name   ASA  PIX  Attr. #  Syntax/Type  Single or Multi-Valued  Description or Value
Privilege-Level  Y    Y    220      Integer      Single                  An integer between 0 and 15

Accepted Solution

by:vivek283 (earned 500 total points)
ID: 22891893
8.x supports it for level mapping to be used for command authorization, especially in ASDM.

It still cannot use it for dropping a user directly into priv exec mode.