
Cisco ASA 8 Privilege-Level Radius Attribute for IAS

Posted on 2008-11-02
Last Modified: 2012-06-27
Has anyone successfully configured Microsoft IAS to send the Cisco Radius Privilege-Level 220 attribute to an ASA with firmware 8.0?

When a user telnets into the ASA they should be put into priv exec mode (#) instead of needing to type enable and entering another password.

According to the ASA 8.0 configuration guide, at the bottom of the Radius section, it lists the Privilege-Level attribute with an attribute number of 220.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1661512

I've tried to enter this into IAS as a vendor-specific attribute but I've had no luck.

I've added the radius debugging info for a telnet login.

Under "parsed packet data" it appears to be accepting the attribute as it recognizes 220 as Privilege Level.

Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)


Thanks in advance!


radius mkreq: 0xe
alloc_rip 0xd5137894
    new request 0xe --> 12 (0xd5137894)
got user ''
got password
add_req 0xd5137894 session 0xe id 12
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 131).....
01 0c 00 83 2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d    |  ......\e:.H.....
92 63 60 19 01 0f 73 74 65 76 65 6e 2e 6d 69 6c    |  .c`...user.name
6c 65 72 02 12 fa 19 80 01 8e 41 21 e5 3f fd b1    |  .......A!.?..
12 a4 37 93 05 04 06 0a f9 01 f6 05 06 00 00 00    |  ..7.............
0b 3d 06 00 00 00 05 1a 21 00 00 00 09 01 1b 69    |  .=......!......i
70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 32    |  p:source-ip=10.2
34 39 2e 35 35 2e 33 33 1f 1b 69 70 3a 73 6f 75    |  49.55.33..ip:sou
72 63 65 2d 69 70 3d 31 30 2e 32 34 39 2e 35 35    |  rce-ip=10.249.55
2e 33 33                                           |  .33

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 12 (0x0C)
Radius: Length = 131 (0x0083)
Radius: Vector: 2ECF5C653AEB48E106C7F41D92636019
Radius: Type = 1 (0x01) User-Name
Radius: Length = 15 (0x0F)
Radius: Value (String) =
73 74 65 76 65 6e 2e 6d 69 6c 6c 65 72             |  user.name
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
fa 19 80 01 8e 41 21 e5 3f fd b1 12 a4 37 93 05    |  .....A!.?....7..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.249.1.246 (0x0AF901F6)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
send pkt 10.249.24.32/1645
rip 0xd5137894 state 7 id 12
rad_vrfy() : response message verified
rip 0xd513a280
 : chall_state ''
 : state 0x7
 : timer 0x0
 : reqauth:
     2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d 92 63 60 19
 : info 0xe
     session_id 0xe
     request_id 0xc
     user 'user.name'
     response '***'
     app 0
     reason 0
     skey 'RadiusKey'
     sip 10.249.24.32
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 88).....
02 0c 00 58 12 c2 06 68 77 7a 52 c9 79 a9 50 a6    |  ...X...hwzR.y.P.
d8 4c b0 6c 1a 0c 00 00 0c 04 dc 06 00 00 00 0f    |  .L.l............
19 20 40 49 04 6e 00 00 01 37 00 01 0a f9 18 20    |  . @I.n...7.....
01 c9 3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14    |  ..:H.)..........
1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00    |  .....7..........
01 37 08 06 00 00 00 00                            |  .7......

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 12 (0x0C)
Radius: Length = 88 (0x0058)
Radius: Vector: 12C20668777A52C979A950A6D84CB06C
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)
Radius: Type = 25 (0x19) Class
Radius: Length = 32 (0x20)
Radius: Value (String) =
40 49 04 6e 00 00 01 37 00 01 0a f9 18 20 01 c9    |  @I.n...7..... ..
3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14          |  :H.)..........
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 7 (0x07) Unknown
Radius: Length = 6 (0x06)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 8 (0x08) Unknown
Radius: Length = 6 (0x06)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xd5137894 session 0xe id 12
free_rip 0xd5137894
radius: send queue empty

Question by:BubbaJones82
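As an added example (not code from the question or from any of the replies), here is a small Python decoder for the Access-Accept whose raw bytes appear in the debug output above: it walks the RFC 2865 attribute list, expands the Vendor-Specific (type 26) attributes, pulls out the vendor 3076 / type 220 Privilege-Level integer, and recomputes the Response Authenticator from the Request Authenticator and shared secret, which is the check that tells you the value the ASA logs is really what IAS signed and sent. The names given to the two Microsoft VSAs the ASA prints as "Unknown" (taken from RFC 2548) and the use of the literal 'RadiusKey' from the log as the shared secret are assumptions.

```python
import hashlib
import struct

# Access-Accept bytes copied from the "RADIUS packet decode (response)" raw dump in the debug log.
ACCESS_ACCEPT = bytes.fromhex(
    "02 0c 00 58 12 c2 06 68 77 7a 52 c9 79 a9 50 a6 d8 4c b0 6c"   # code, id, length, authenticator
    "1a 0c 00 00 0c 04 dc 06 00 00 00 0f"                           # VSA vendor 3076 / type 220 = 15
    "19 20 40 49 04 6e 00 00 01 37 00 01 0a f9 18 20 01 c9 3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14"
    "1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00 01 37 08 06 00 00 00 00")  # two Microsoft VSAs
# Request Authenticator from the "reqauth:" line of the same exchange.
REQUEST_AUTH = bytes.fromhex("2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d 92 63 60 19")
ATTR_NAMES = {1: "User-Name", 25: "Class", 26: "Vendor-Specific"}
# Names the ASA log prints, plus the two vendor-311 attributes it showed as "Unknown" (RFC 2548, assumed).
VSA_NAMES = {(3076, 220): "Privilege-Level", (9, 1): "Cisco-AV-Pair",
             (311, 7): "MS-MPPE-Encryption-Policy", (311, 8): "MS-MPPE-Encryption-Types"}

def parse_attributes(payload):
    """Walk the RFC 2865 TLV list; expand type 26 into (26, vendor, vendor_type, name, value)."""
    attrs, pos = [], 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = payload[pos + 2:pos + alen]
        if atype == 26 and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            attrs.append((26, vendor, vtype, VSA_NAMES.get((vendor, vtype), "Unknown"), value[6:4 + vlen]))
        else:
            attrs.append((atype, None, None, ATTR_NAMES.get(atype, "Unknown"), value))
        pos += alen
    return attrs

def parse_radius(packet):
    """Split the header (code, id, length, authenticator) from the attribute list."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("length field %d does not match %d bytes" % (length, len(packet)))
    return {"code": code, "id": ident, "auth": packet[4:20], "attrs": parse_attributes(packet[20:])}

def privilege_level(packet):
    """Integer carried in vendor 3076 / type 220, or None when the server did not send it."""
    for atype, vendor, vtype, _name, value in parse_radius(packet)["attrs"]:
        if atype == 26 and (vendor, vtype) == (3076, 220) and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def response_authenticator_ok(packet, request_auth, secret):
    """RFC 2865 section 3: reply authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    digest = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return digest == packet[4:20]
```

`privilege_level(ACCESS_ACCEPT)` returns 15, confirming that IAS does emit the attribute, and `response_authenticator_ok(ACCESS_ACCEPT, REQUEST_AUTH, b"RadiusKey")` reproduces the ASA's "response message verified" step only if 'RadiusKey' is the real shared secret rather than a sanitised one.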
3 Comments
 
Expert Comment

by:vivek283
ID: 22891719
Hi,

ASA/PIX cannot put a user into priv exec mode directly. This feature is yet to be added into ASA/PIX.

BTW RADIUS privilege levels are sent using 26/09/001 Cisco-av-pair. The value is set to "priv:lvl=<lvl>". This might be useful for ASDM.

HTH
 
Author Comment

by:BubbaJones82
ID: 22891806
I did read at the link below that it's not supported, but it only mentions versions 7.x. I was hoping this was implemented in version 8.x.

http://supportwiki.cisco.com/ViewWiki/index.php/The_AAA_Exec_Authorization_with_RADIUS_or_TACACS_fails_to_work_on_the_ASA
The version 8 documentation does mention a privilege-level which seems to indicate that version 8 supports it.

Attribute Name: Privilege-Level
ASA: Y
PIX: Y
Attr. #: 220
Syntax/Type: Integer
Single or Multi-Valued: Single
Description or Value: An integer between 0 and 15

 
Accepted Solution

by: vivek283 (earned 500 total points)
ID: 22891893
8.x supports it for level mapping to be used for command authorization - especially in ASDM.

It still cannot use it for dropping a user directly into priv exec mode.