Cisco ASA Radius Authentication

Morning everyone.

I am currently in the process of setting up some Cisco ASA firewalls, for which I want to use Radius authentication on the VPN clients & SSH / ASDM management.

For Radius authentication, I am using NPS on Windows Server 2012, and the ASA is 5515-x running v8.6.

To do this the way I would like it to work, I created two separate NPS policies, one for the VPN with the relevant groups, and a separate policy for the SSH / ASDM management, with the correct management AD group attached.  I can see that I can create the two policies within the ASA, and assign these different policies to different functions, but the problem I have is that our radius server can not distinguish between the two.

Is there a way that I can push through some unique information in the request, so that the radius server can make this distinction?  I am finding that although the authentication may fail on the first policy for the ASDM, it is being allowed by the second policy for the VPN, which is obviously no good.

I am willing to use LDAP authentication as a last resort for the SSH / ASDM, but I would rather use Radius due to its more "granular" approach and better integration with the AD.

Thanks in advance,
rauenpc commented:
The way I've used a single NPS server to perform both functions was just through the use of AD groups and certain radius settings.

The higher priority radius policies should include the AD group, NAS IPv4 address, NAS port type, and Called Station ID. The Called station ID is the IP address the VPN client used to connect in. This would likely be the public IP address of the ASA.
The lower priority radius policies includes the same properties except the Called Station ID.

This way, when users VPN in they will only hit the VPN policy because of the Called Station ID attribute, and any attempts at SSH/ASDM will fall to the lower policy which would require a different AD Group to authenticate. The only oddity to this would be if you are able to directly SSH/ASDM to the public interface of the firewall - I can't remember if the Called Station ID is part of the attributes sent when connecting to the firewall this way.
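The policy layout described in the answer, as an added example that is not part of the original thread: a small model of NPS first-match evaluation over the RADIUS attributes the ASA sends (NAS-IP-Address, NAS-Port-Type, Called-Station-Id, User-Name, encoded and parsed as RFC 2865 TLVs). It runs the questioner's original two-policy setup and the answer's corrected one against the same constructed requests, so the fallthrough into the VPN policy, and why the Called-Station-Id condition stops it, can be seen directly. The ASA addresses, group names, users, and the NAS-Port-Type value "Virtual" for all three login types are assumptions; the last request models the open question in the answer about an SSH session to the public interface that does carry Called-Station-Id.

```python
"""Model of NPS first-match policy evaluation over the RADIUS attributes an ASA
sends.  Constructed example; addresses, users, groups and port type are assumed."""
import struct
from ipaddress import IPv4Address

# RFC 2865 attribute type codes referenced by the policies.
USER_NAME, NAS_IP_ADDRESS, CALLED_STATION_ID, NAS_PORT_TYPE = 1, 4, 30, 61
VIRTUAL = 5  # NAS-Port-Type "Virtual"; assumed for VPN and SSH/ASDM logins alike


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type, total length, value."""
    out = bytearray()
    for t, v in attrs:
        if t == NAS_IP_ADDRESS:
            data = IPv4Address(v).packed
        elif t == NAS_PORT_TYPE:
            data = struct.pack("!I", v)
        else:
            data = str(v).encode()
        if len(data) > 253:
            raise ValueError("attribute value too long")
        out += bytes([t, len(data) + 2]) + data
    return bytes(out)


def decode_attrs(blob):
    """Parse TLVs into {type: value}, the view the server matches conditions on."""
    attrs, i = {}, 0
    while i < len(blob):
        t, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        data = blob[i + 2:i + length]
        if t == NAS_IP_ADDRESS:
            attrs[t] = str(IPv4Address(data))
        elif t == NAS_PORT_TYPE:
            attrs[t] = struct.unpack("!I", data)[0]
        else:
            attrs[t] = data.decode()
        i += length
    return attrs


# Constructed AD group membership (stands in for NPS's "Windows Groups" condition).
GROUPS = {"alice": {"VPN-Users"}, "bob": {"VPN-Users", "FW-Admins"}}

ASA_INSIDE = "10.0.0.1"       # assumed source of the RADIUS requests (NAS IPv4 Address)
ASA_OUTSIDE = "203.0.113.10"  # assumed address VPN clients connect to (Called-Station-Id)

# The questioner's setup: both policies keyed only on group and NAS address, so a
# request that fails the management policy's group check falls to the VPN policy.
ORIGINAL = [
    {"name": "ASA Management", "group": "FW-Admins", "conditions": {NAS_IP_ADDRESS: ASA_INSIDE}},
    {"name": "ASA VPN", "group": "VPN-Users", "conditions": {NAS_IP_ADDRESS: ASA_INSIDE}},
]

# The answer's layout: the higher-priority VPN policy also requires Called-Station-Id,
# which only VPN logins carry, so SSH/ASDM requests reach the lower management policy.
FIXED = [
    {"name": "ASA VPN", "group": "VPN-Users",
     "conditions": {NAS_IP_ADDRESS: ASA_INSIDE, NAS_PORT_TYPE: VIRTUAL,
                    CALLED_STATION_ID: ASA_OUTSIDE}},
    {"name": "ASA Management", "group": "FW-Admins",
     "conditions": {NAS_IP_ADDRESS: ASA_INSIDE, NAS_PORT_TYPE: VIRTUAL}},
]


def evaluate(policies, request):
    """First-match evaluation: a policy applies only if every RADIUS condition and
    the group condition hold; a request matching no policy is rejected (None)."""
    attrs = decode_attrs(request)
    user = attrs.get(USER_NAME, "")
    for p in policies:
        if all(attrs.get(t) == v for t, v in p["conditions"].items()) \
                and p["group"] in GROUPS.get(user, set()):
            return p["name"]  # Access-Accept granted by this policy
    return None               # Access-Reject: no policy matched


def vpn_request(user):
    """Constructed Access-Request attributes for a VPN client login."""
    return encode_attrs([(USER_NAME, user), (NAS_IP_ADDRESS, ASA_INSIDE),
                         (NAS_PORT_TYPE, VIRTUAL), (CALLED_STATION_ID, ASA_OUTSIDE)])


def ssh_request(user, called_station=None):
    """Constructed SSH/ASDM login; called_station models the answer's open question
    of a session to the public interface that does include Called-Station-Id."""
    attrs = [(USER_NAME, user), (NAS_IP_ADDRESS, ASA_INSIDE), (NAS_PORT_TYPE, VIRTUAL)]
    if called_station:
        attrs.append((CALLED_STATION_ID, called_station))
    return encode_attrs(attrs)


if __name__ == "__main__":
    cases = [("alice VPN", vpn_request("alice")), ("alice SSH", ssh_request("alice")),
             ("bob SSH", ssh_request("bob")), ("alice SSH to outside", ssh_request("alice", ASA_OUTSIDE))]
    for label, req in cases:
        print(f"{label}: original={evaluate(ORIGINAL, req)} fixed={evaluate(FIXED, req)}")
```

Under the original layout alice's SSH login is accepted by the VPN policy, which is the behaviour the question describes; under the fixed layout it matches no policy and is rejected, while bob's SSH login lands on the management policy. The last case shows the caveat the answer raises: if a management login to the public interface does carry Called-Station-Id, it satisfies the VPN policy's conditions, so that is worth checking against a real request before relying on the layout.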
KevinSeddon81 (author) commented:
Of course. Thanks for that Rauenpc.

Often, the most annoying problems have the simplest answers!

I fought the same battle many times... and I used to always go the Radius and LDAP route to get around the issue. This was my method for a number of years. It wasn't until I saw someone else's configuration that I learned how and why to use the called station ID.