Cisco ASA Radius Authentication

Morning everyone.

I am currently in the process of setting up some Cisco ASA firewalls, for which I want to use Radius authentication on the VPN clients & SSH / ASDM management.

For Radius authentication, I am using NPS on Windows Server 2012, and the ASA is a 5515-X running v8.6.

To do this the way I would like it to work, I created two separate NPS policies, one for the VPN with the relevant groups, and a separate policy for the SSH / ASDM management, with the correct management AD group attached. I can see that I can create the two policies within the ASA, and assign these different policies to different functions, but the problem I have is that our radius server cannot distinguish between the two.

Is there a way that I can push through some unique information in the request, so that the radius server can make this distinction? I am finding that although the authentication may fail on the first policy for the ASDM, it is being allowed by the second policy for the VPN, which is obviously no good.

I am willing to use LDAP authentication as a last resort for the SSH / ASDM, but I would rather use Radius due to its more "granular" approach and better integration with the AD.

Thanks in advance,
Kevin
KevinSeddon81 asked:
rauenpc commented:
The way I've used a single NPS server to perform both functions was just through the use of AD groups and certain radius settings.

The higher priority radius policies should include the AD group, NAS IPv4 address, NAS port type, and Called Station ID. The Called station ID is the IP address the VPN client used to connect in. This would likely be the public IP address of the ASA.
The lower priority radius policies include the same properties except the Called Station ID.

This way, when users VPN in they will only hit the VPN policy because of the Called Station ID attribute, and any attempts at SSH/ASDM will fall to the lower policy which would require a different AD Group to authenticate. The only oddity to this would be if you are able to directly SSH/ASDM to the public interface of the firewall - I can't remember if the Called Station ID is part of the attributes sent when connecting to the firewall this way.
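To make the policy-ordering argument in the answer above concrete, here is an added example (written for this page, not code from the thread or from Microsoft/Cisco): a small Python model of how NPS walks its network policies in processing order, applies the first policy whose conditions all match, and rejects the request when none does. The IP addresses, group names, policy names and the `NAS-Port-Type` value are constructed assumptions; the one fact the model relies on is the answer's own point that the VPN client's Access-Request carries `Called-Station-Id` = the ASA's public IP while an SSH/ASDM login does not.

```python
"""Model of NPS network-policy selection (added example, not from the thread).

Rules modelled (standard NPS behaviour):
  * policies are evaluated in processing order;
  * a policy applies only if EVERY condition matches (the Windows Groups
    condition plus any RADIUS attribute conditions);
  * the first applicable policy decides; if none applies, NPS rejects.
All IPs, group names and policy names are constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed values (RFC 5737 documentation ranges).
ASA_PUBLIC_IP = "203.0.113.10"   # outside interface the VPN clients connect to
ASA_NAS_IP = "192.0.2.1"         # NAS-IPv4-Address the ASA reports to NPS


@dataclass
class Policy:
    name: str
    windows_groups: frozenset                       # user must be in one of these
    attributes: dict = field(default_factory=dict)  # RADIUS attr -> required value

    def applies(self, user_groups, request):
        if not (self.windows_groups & user_groups):
            return False
        # A required attribute that is absent from the request does not match.
        return all(request.get(k) == v for k, v in self.attributes.items())


def evaluate(policies, user_groups, request):
    """Return ('Access-Accept', policy_name) for the first applicable policy,
    or ('Access-Reject', None) when no policy applies."""
    for policy in policies:
        if policy.applies(user_groups, request):
            return "Access-Accept", policy.name
    return "Access-Reject", None


# Constructed Access-Request attribute sets. Both logins come from the same
# NAS; the difference the answer relies on is that only the VPN request
# carries Called-Station-Id = the public IP the client connected to.
VPN_REQUEST = {"NAS-IP-Address": ASA_NAS_IP, "NAS-Port-Type": "Virtual",
               "Called-Station-Id": ASA_PUBLIC_IP}
SSH_REQUEST = {"NAS-IP-Address": ASA_NAS_IP, "NAS-Port-Type": "Virtual"}

# Constructed AD memberships.
VPN_ONLY_USER = frozenset({"VPN-Users"})
FW_ADMIN = frozenset({"VPN-Users", "FW-Admins"})

# The asker's layout: two policies that differ only by AD group.
ORIGINAL_POLICIES = [
    Policy("ASA management", frozenset({"FW-Admins"}),
           {"NAS-IP-Address": ASA_NAS_IP, "NAS-Port-Type": "Virtual"}),
    Policy("ASA VPN", frozenset({"VPN-Users"}),
           {"NAS-IP-Address": ASA_NAS_IP, "NAS-Port-Type": "Virtual"}),
]

# The answer's layout: VPN policy first, pinned to Called-Station-Id; the
# management policy below it omits that condition but needs the admin group.
FIXED_POLICIES = [
    Policy("ASA VPN", frozenset({"VPN-Users"}),
           {"NAS-IP-Address": ASA_NAS_IP, "NAS-Port-Type": "Virtual",
            "Called-Station-Id": ASA_PUBLIC_IP}),
    Policy("ASA management", frozenset({"FW-Admins"}),
           {"NAS-IP-Address": ASA_NAS_IP, "NAS-Port-Type": "Virtual"}),
]


def scenarios():
    """Outcome of each (policy set, user, request) combination."""
    return {
        # The problem in the question: SSH by a VPN-only user slips past the
        # management policy and is accepted by the VPN policy.
        "original/vpn-user/ssh": evaluate(ORIGINAL_POLICIES, VPN_ONLY_USER, SSH_REQUEST),
        # With the Called-Station-Id condition the VPN policy no longer applies
        # to SSH, and no remaining policy matches a non-admin: reject.
        "fixed/vpn-user/ssh": evaluate(FIXED_POLICIES, VPN_ONLY_USER, SSH_REQUEST),
        "fixed/vpn-user/vpn": evaluate(FIXED_POLICIES, VPN_ONLY_USER, VPN_REQUEST),
        "fixed/admin/ssh": evaluate(FIXED_POLICIES, FW_ADMIN, SSH_REQUEST),
        # The oddity the answer flags: if an SSH login to the public interface
        # did carry Called-Station-Id, NPS would treat it like VPN traffic.
        "fixed/vpn-user/ssh-public": evaluate(
            FIXED_POLICIES, VPN_ONLY_USER,
            {**SSH_REQUEST, "Called-Station-Id": ASA_PUBLIC_IP}),
    }


if __name__ == "__main__":
    for case, (decision, policy) in scenarios().items():
        print(f"{case:28} -> {decision} ({policy})")
```

Two consequences of the ordering are worth checking against a real NPS event log rather than taking from the model: the lower management policy has no `Called-Station-Id` condition, so an admin who is not in the VPN group would still be accepted for a VPN login by that policy; and the last scenario shows why the answer's caveat about SSH/ASDM to the public interface matters, since a request that carries the public IP as `Called-Station-Id` is indistinguishable from a VPN login under this scheme.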

KevinSeddon81 (author) commented:
Of course. Thanks for that Rauenpc.

Often, the most annoying problems have the simplest answers!

Kevin
rauenpc commented:
I fought the same battle many times... and I used to always go the Radius and LDAP route to get around the issue. This was my method for a number of years. It wasn't until I saw someone else's configuration that I learned how and why to use the called station ID.