Cisco ASA 8 Privilege-Level Radius Attribute for IAS

Posted on 2008-11-02
Last Modified: 2012-06-27
Has anyone successfully configured Microsoft IAS to send the Cisco Radius Privilege-Level 220 attribute to an ASA with firmware 8.0?

When a user telnets into the ASA they should be put into priv exec mode (#) instead of needing to type enable and entering another password.

According to the ASA 8.0 configuration guide, at the bottom of the Radius section, it lists the Privilege-Level attribute with an attribute number of 220.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1661512

I've tried to enter this into IAS as a vendor-specific attribute but I've had no luck.

I've added the radius debugging info for a telnet login.

Under "parsed packet data" it appears to be accepting the attribute as it recognizes 220 as Privilege Level.

Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)


Thanks in advance!


radius mkreq: 0xe
alloc_rip 0xd5137894
    new request 0xe --> 12 (0xd5137894)
got user ''
got password
add_req 0xd5137894 session 0xe id 12
RADIUS_REQUEST
radius.c: rad_mkpkt
 
RADIUS packet decode (authentication request)
 
--------------------------------------
Raw packet data (length = 131).....
01 0c 00 83 2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d    |  ......\e:.H.....
92 63 60 19 01 0f 73 74 65 76 65 6e 2e 6d 69 6c    |  .c`...user.name
6c 65 72 02 12 fa 19 80 01 8e 41 21 e5 3f fd b1    |  .......A!.?..
12 a4 37 93 05 04 06 0a f9 01 f6 05 06 00 00 00    |  ..7.............
0b 3d 06 00 00 00 05 1a 21 00 00 00 09 01 1b 69    |  .=......!......i
70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 32    |  p:source-ip=10.2
34 39 2e 35 35 2e 33 33 1f 1b 69 70 3a 73 6f 75    |  49.55.33..ip:sou
72 63 65 2d 69 70 3d 31 30 2e 32 34 39 2e 35 35    |  rce-ip=10.249.55
2e 33 33                                           |  .33
 
Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 12 (0x0C)
Radius: Length = 131 (0x0083)
Radius: Vector: 2ECF5C653AEB48E106C7F41D92636019
Radius: Type = 1 (0x01) User-Name
Radius: Length = 15 (0x0F)
Radius: Value (String) =
73 74 65 76 65 6e 2e 6d 69 6c 6c 65 72             |  user.name
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
fa 19 80 01 8e 41 21 e5 3f fd b1 12 a4 37 93 05    |  .....A!.?....7..
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.249.1.246 (0x0AF901F6)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 33 (0x21)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 27 (0x1B)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
32 34 39 2e 35 35 2e 33 33                         |  249.55.33
send pkt 10.249.24.32/1645
rip 0xd5137894 state 7 id 12
rad_vrfy() : response message verified
rip 0xd513a280
 : chall_state ''
 : state 0x7
 : timer 0x0
 : reqauth:
     2e cf 5c 65 3a eb 48 e1 06 c7 f4 1d 92 63 60 19
 : info 0xe
     session_id 0xe
     request_id 0xc
     user 'user.name'
     response '***'
     app 0
     reason 0
     skey 'RadiusKey'
     sip 10.249.24.32
     type 1
 
RADIUS packet decode (response)
 
--------------------------------------
Raw packet data (length = 88).....
02 0c 00 58 12 c2 06 68 77 7a 52 c9 79 a9 50 a6    |  ...X...hwzR.y.P.
d8 4c b0 6c 1a 0c 00 00 0c 04 dc 06 00 00 00 0f    |  .L.l............
19 20 40 49 04 6e 00 00 01 37 00 01 0a f9 18 20    |  . @I.n...7.....
01 c9 3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14    |  ..:H.)..........
1a 0c 00 00 01 37 07 06 00 00 00 01 1a 0c 00 00    |  .....7..........
01 37 08 06 00 00 00 00                            |  .7......
 
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 12 (0x0C)
Radius: Length = 88 (0x0058)
Radius: Vector: 12C20668777A52C979A950A6D84CB06C
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 15 (0x000F)
Radius: Type = 25 (0x19) Class
Radius: Length = 32 (0x20)
Radius: Value (String) =
40 49 04 6e 00 00 01 37 00 01 0a f9 18 20 01 c9    |  @I.n...7..... ..
3a 48 9b 29 c2 12 00 00 00 00 00 00 01 14          |  :H.)..........
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 7 (0x07) Unknown
Radius: Length = 6 (0x06)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 311 (0x00000137)
Radius: Type = 8 (0x08) Unknown
Radius: Length = 6 (0x06)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xd5137894 session 0xe id 12
free_rip 0xd5137894
radius: send queue empty

Question by:BubbaJones82
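The "Parsed packet data" section of the debug output above is what the ASA's RADIUS decoder produces from the raw bytes; the following is an added example (not code from the original post, from Cisco or from Microsoft IAS) that performs the same decode in Python on the 88-byte Access-Accept shown above, pulls out the vendor 3076 / type 220 Privilege-Level value, lists any Cisco-AV-pair (vendor 9, type 1) strings, and reproduces the Response Authenticator check that the ASA logs as "rad_vrfy() : response message verified". The shared secret and the 16-byte request authenticator used for the verification part are constructed test values, not the ones from the exchange above; the vendor and attribute numbers are the standard RFC 2865 and Cisco values already named on this page.

```python
"""Decode a RADIUS Access-Accept and extract the Cisco Privilege-Level VSA.

Added example, not from the original post or from Cisco/Microsoft code. It
parses the 88-byte response shown in the 'debug radius' output above and
reproduces the ASA's rad_vrfy() step (RFC 2865 section 3) for a constructed
packet whose shared secret is known.
"""
import hashlib
import hmac
import struct

VENDOR_CISCO = 9          # IANA enterprise number; Cisco-AV-pair is vendor type 1
VENDOR_CISCO_ASA = 3076   # ASA/VPN 3000 vendor id; Privilege-Level is vendor type 220
TYPE_VENDOR_SPECIFIC = 26
CISCO_AV_PAIR = 1
PRIVILEGE_LEVEL = 220

# Constructed input: the Access-Accept bytes copied from the debug output above.
ACCESS_ACCEPT = bytes.fromhex(
    "020c005812c20668777a52c979a950a6"
    "d84cb06c1a0c00000c04dc060000000f"
    "19204049046e0000013700010af91820"
    "01c93a489b29c2120000000000000114"
    "1a0c000001370706000000011a0c0000"
    "0137080600000000"
)

def parse_attributes(data):
    """Return [(type, value), ...] from a RADIUS attribute list (RFC 2865 section 5)."""
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, vendor_data)."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad vendor length %d" % vlen)
    return vendor_id, vtype, value[6:4 + vlen]

def parse_packet(packet):
    """Parse header and attributes; reject length fields that disagree with the bytes."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field %d inconsistent with %d bytes" % (length, len(packet)))
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:20],
            "attributes": parse_attributes(packet[20:length])}

def vendor_attributes(parsed):
    """All Vendor-Specific attributes as (vendor_id, vendor_type, vendor_data) tuples."""
    return [parse_vsa(v) for t, v in parsed["attributes"] if t == TYPE_VENDOR_SPECIFIC]

def privilege_level(parsed):
    """Integer Privilege-Level (vendor 3076, type 220), or None if the server sent none."""
    for vendor_id, vtype, vdata in vendor_attributes(parsed):
        if vendor_id == VENDOR_CISCO_ASA and vtype == PRIVILEGE_LEVEL and len(vdata) == 4:
            return struct.unpack("!I", vdata)[0]
    return None

def cisco_av_pairs(parsed):
    """Cisco-AV-pair strings (vendor 9, type 1), e.g. 'ip:source-ip=...' in the request above."""
    return [vdata.decode("ascii", "replace")
            for vendor_id, vtype, vdata in vendor_attributes(parsed)
            if vendor_id == VENDOR_CISCO and vtype == CISCO_AV_PAIR]

def encode_privilege_level(level):
    """Vendor-Specific value a RADIUS server sends for Privilege-Level (vendor 3076, type 220)."""
    if not 0 <= level <= 15:
        raise ValueError("Privilege-Level must be an integer between 0 and 15")
    return struct.pack("!IBBI", VENDOR_CISCO_ASA, PRIVILEGE_LEVEL, 6, level)

def build_access_accept(ident, request_authenticator, secret, attributes):
    """Constructed Access-Accept with a valid Response Authenticator (RFC 2865 section 3)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + auth + body

def verify_response_authenticator(response, request_authenticator, secret):
    """The check the ASA logs as 'rad_vrfy() : response message verified'."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_authenticator
                           + response[20:length] + secret).digest()
    # Constant-time compare so a forged response cannot be probed byte by byte.
    return hmac.compare_digest(expected, response[4:20])
```

Running `privilege_level(parse_packet(ACCESS_ACCEPT))` on the bytes from the debug output returns 15, which confirms what the parsed dump already shows: IAS is sending the attribute correctly, so the remaining question is only what the ASA does with it. The authenticator check is included because the Access-Accept is what grants the privilege level; an Access-Accept whose Response Authenticator does not match the request authenticator and shared secret should be treated as a failed authentication, and the `verify_response_authenticator` function returns False for exactly that case.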

Expert Comment

by:vivek283
ID: 22891719
Hi,

ASA/PIX cannot put a user into priv exec mode directly. This feature is yet to be added into ASA/PIX.

BTW RADIUS privilege levels are sent using 26/09/001 Cisco-av-pair. The value is set to "priv:lvl=<lvl>". This might be useful for ASDM

HTH

Author Comment

by:BubbaJones82
ID: 22891806
I did read at the link below that it's not supported, but it only mentions versions 7.x. I was hoping this was implemented in version 8.x.

http://supportwiki.cisco.com/ViewWiki/index.php/The_AAA_Exec_Authorization_with_RADIUS_or_TACACS_fails_to_work_on_the_ASA
The version 8 documentation does mention a privilege-level which seems to indicate that version 8 supports it.

Attribute Name: Privilege-Level
ASA: Y
PIX: Y
Attr. #: 220
Syntax/Type: Integer
Single or Multi-Valued: Single
Description or Value: An integer between 0 and 15

 

Accepted Solution

by: vivek283 (earned 500 total points)
ID: 22891893
8.x supports it for level mapping to be used for command authorization, especially in ASDM.

It still cannot use it for dropping a user directly into priv exec mode.