Solved

Cisco ASA 8 Privilege-Level Radius Attribute for IAS

Posted on 2008-11-02
Last Modified: 2012-06-27
Has anyone successfully configured Microsoft IAS to send the Cisco Radius Privilege-Level 220 attribute to an ASA with firmware 8.0?

When a user telnets into the ASA they should be put into priv exec mode (#) instead of needing to type enable and entering another password.

According to the ASA 8.0 configuration guide, at the bottom of the Radius section, it lists the Privilege-Level attribute with an attribute number of 220.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1661512

I've tried to enter this into IAS as a vendor-specific attribute but I've had no luck.

I've added the radius debugging info for a telnet login.  

Under "parsed packet data" it appears to be accepting the attribute as it recognizes 220 as Privilege Level.

Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)


Thanks in advance!


radius mkreq: 0xe
alloc_rip 0xd5137894
    new request 0xe --> 12 (0xd5137894)
got user ''
got password
add_req 0xd5137894 session 0xe id 12
RADIUS_REQUEST
radius.c: rad_mkpkt
 
RADIUS packet decode (authentication request)
 
--------------------------------------
Raw packet data (length = 131).....
01 0c 00 83 2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d    |  ......\e:.H.....
92 63 60 19 01 0f 73 74 65 76 65 6e 2e 6d 69 6c    |  .c`...user.name
6c 65 72 02 12 fa 19 80 01 8e 41 21 e5 3f fd b1    |  .......A!.?..
12 a4 37 93 05 04 06 0a f9 01 f6 05 06 00 00 00    |  ..7.............
0b 3d 06 00 00 00 05 1a 21 00 00 00 09 01 1b 69    |  .=......!......i
70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 32    |  p:source-ip=10.2
34 39 2e 35 35 2e 33 33 1f 1b 69 70 3a 73 6f 75    |  49.55.33..ip:sou
72 63 65 2d 69 70 3d 31 30 2e 32 34 39 2e 35 35    |  rce-ip=10.249.55
2e 33 33                                           |  .33
 
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 12 (0x0C)
Radius: Length = 131 (0x0083)
Radius: Vector: 2ECF5C653AEB48E106C7F41D92636019
Radius: Type = 1 (0x01) User-Name
Radius: Length = 15 (0x0F)
Radius: Value (String) =
73 74 65 76 65 6e 2e 6d 69 6c 6c 65 72             |  user.name
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
fa 19 80 01 8e 41 21 e5 3f fd b1 12 a4 37 93 05    |  .....A!.?....7..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.249.1.246 (0x0AF901F6)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
send pkt 10.249.24.32/1645
rip 0xd5137894 state 7 id 12
rad_vrfy() : response message verified
rip 0xd513a280
 : chall_state ''
 : state 0x7
 : timer 0x0
 : reqauth:
     2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d 92 63 60 19
 : info 0xe
     session_id 0xe
     request_id 0xc
     user 'user.name'
     response '***'
     app 0
     reason 0
     skey 'RadiusKey'
     sip 10.249.24.32
     type 1
 
RADIUS packet decode (response)
 
--------------------------------------
Raw packet data (length = 88).....
02 0c 00 58 12 c2 06 68 77 7a 52 c9 79 a9 50 a6    |  ...X...hwzR.y.P.
d8 4c b0 6c 1a 0c 00 00 0c 04 dc 06 00 00 00 0f    |  .L.l............
19 20 40 49 04 6e 00 00 01 37 00 01 0a f9 18 20    |  . @I.n...7.....
01 c9 3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14    |  ..:H.)..........
1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00    |  .....7..........
01 37 08 06 00 00 00 00                            |  .7......
 
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 12 (0x0C)
Radius: Length = 88 (0x0058)
Radius: Vector: 12C20668777A52C979A950A6D84CB06C
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)
Radius: Type = 25 (0x19) Class
Radius: Length = 32 (0x20)
Radius: Value (String) =
40 49 04 6e 00 00 01 37 00 01 0a f9 18 20 01 c9    |  @I.n...7..... ..
3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14          |  :H.)..........
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 7 (0x07) Unknown
Radius: Length = 6 (0x06)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 8 (0x08) Unknown
Radius: Length = 6 (0x06)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xd5137894 session 0xe id 12
free_rip 0xd5137894
radius: send queue empty

Question by:BubbaJones82
3 Comments
 
LVL 2

Expert Comment

by:vivek283
ID: 22891719
Hi,

ASA/PIX cannot put a user into priv exec mode directly. This feature is yet to be added into ASA/PIX.

BTW RADIUS privilege levels are sent using 26/09/001 Cisco-av-pair. The value is set to "priv:lvl=<lvl>". This might be useful for ASDM.

HTH
0
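Added example, not from the original post, from Cisco or from Microsoft: a small Python decoder that parses the Access-Accept hex dump in the question above and pulls out the vendor-specific attributes, so a capture can be checked for the 3076/220 Privilege-Level value and, for the 26/9/1 Cisco-av-pair form mentioned in the reply, for the AV-pair strings. The function and constant names are my own; the packet bytes are the ones printed in the ASA debug.

```python
import struct

# Constructed from the "Raw packet data (length = 88)" response dump in the
# question above, with the spaces removed so bytes.fromhex() accepts it.
ACCESS_ACCEPT = bytes.fromhex(
    "020c005812c20668777a52c979a950a6" "d84cb06c1a0c00000c04dc060000000f"
    "19204049046e0000013700010af91820" "01c93a489b29c2120000000000000114"
    "1a0c000001370706000000011a0c0000" "0137080600000000"
)
VENDOR_CISCO, VENDOR_ASA = 9, 3076   # vendor IDs seen in the debug output
ATTR_VSA = 26                        # Vendor-Specific (RFC 2865 section 5.26)

def parse_radius(packet):
    """Return (code, identifier, authenticator, attrs); attrs are (type, vendor, vtype, value)
    tuples, with each Vendor-Specific attribute expanded into its vendor sub-attributes."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError(f"declared length {length} does not match {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:
        # RFC 2865: every attribute carries Length >= 2 and must fit in the packet
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor, vpos = struct.unpack("!I", value[:4])[0], 4
            while vpos < len(value):
                vlen = value[vpos + 1] if vpos + 1 < len(value) else 0
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError(f"malformed vendor sub-attribute at offset {pos + vpos}")
                attrs.append((atype, vendor, value[vpos], value[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return code, ident, packet[4:20], attrs

def asa_privilege_level(attrs):
    """Value of the ASA Privilege-Level VSA (vendor 3076, attribute 220), or None."""
    for _, vendor, vtype, value in attrs:
        if vendor == VENDOR_ASA and vtype == 220 and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def cisco_av_pairs(attrs):
    """All Cisco-AV-pair strings (vendor 9, attribute 1) carried in the packet."""
    return [v.decode("ascii", "replace") for _, vendor, vtype, v in attrs
            if vendor == VENDOR_CISCO and vtype == 1]
```

Run against the dump above it returns code 2 (Access-Accept), identifier 12 and a privilege level of 15, which confirms the attribute is leaving IAS correctly; the two vendor 311 entries the ASA prints as Unknown are Microsoft attributes 7 and 8 from RFC 2548 (MS-MPPE-Encryption-Policy and MS-MPPE-Encryption-Types) and have nothing to do with privilege level.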
 
LVL 1

Author Comment

by:BubbaJones82
ID: 22891806
I did read at the link below that it's not supported, but it only mentions versions 7.x. I was hoping this was implemented in version 8.x.

http://supportwiki.cisco.com/ViewWiki/index.php/The_AAA_Exec_Authorization_with_RADIUS_or_TACACS_fails_to_work_on_the_ASA
The version 8 documentation does mention a privilege-level which seems to indicate that version 8 supports it.

Attribute Name: Privilege-Level
ASA: Y
PIX: Y
Attr. #: 220
Syntax/Type: Integer
Single or Multi-Valued: Single
Description or Value: An integer between 0 and 15

 
0
 
LVL 2

Accepted Solution

by: vivek283 earned 500 total points
ID: 22891893
8.x supports it for level mapping to be used for command authorization - especially in ASDM.

It still cannot use it for dropping a user directly into priv exec mode.
0
