topic Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi in Network Access Control

Authorization problem between ASA - ACS 5.1 - AD (with Certificate)

Thomas Imboden — Mon, 11 Mar 2019 00:38:58 GMT

Hi all

I have an authentication & authorization problem with certificates between ASA, ACS 5.1 and AD.

AAA requests are handled in the following way.

Cisco VPN client with certificate ---> ASA ---> ASA sends the appropriate certificate field with username for authorization to radius server (ACS 5.1) --> ACS 5.1 sends the username for identity and authorization to AD.

I configured the ACS with following Access Policy (Network Access):

Identity:

Protocol Radius & NDG:ASA --> Identity Source = AD

Authorization:

AD:ExternalGroup=match --> Authorization Profile with radius attribute "Class 25" back to ASA for applying Group Policy.

With this setup the ACS can't handle the authorization. I defined in the Identity under advanced option to continue if authentication failed (the ASA sends only the username without password from the certificate). But in that way the ACS can't retrieve the user attributes from the AD for the authorization. It can only retrieve the user attributes from AD, if it delivers a valid username AND password to the AD.

What makes me wonder is the fact, that the ACS gets all the user attributes under "Users and Identity Stores" - "External Identity Stores" - "Active Directory" when I do a manual user lookup vs. the AD with a valid username (without password)... but in the access policy the ACS doesn't get the user attributes from the AD when it must process an AAA request with the advanced option to continue if authentication fails.

Thanks in advance for any help - Thomas

Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi

Bastien Migette — Mon, 13 Dec 2010 10:09:42 GMT

When you see the attributes that are retrieved with a manual user lookup, did you checked the attributes that you want ACS to retrieve ? The fetched attributes are used to make a list of attributes that will be fetched on authentication and to make the process easier you can retrieve it from a sample user.

Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi

Thomas Imboden — Tue, 21 Dec 2010 18:38:04 GMT

I opened a service request concerning the problem I had with the AAA design.

It's not possible to do authentication over ASA to ACS with only a valid username against AD. There must be a password for the username. Only with the correct user credentials (username & password) the ACS is able to do a successful authentication against the AD.

Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi

Tarik Admani — Wed, 22 Dec 2010 05:24:51 GMT

Thanks for updating this thread, I am sure this will be helpful for many more in the future.

Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi

constantin — Wed, 05 Jan 2011 12:11:42 GMT

Hi Thomas,

We have the same problem and the same scenario. Our Cisco CE told me to use the radius-common-password for this authorisation purpose.

Until now, for me it does'nt run, but may be you have more luck on this.

By the way, have you already got some information on this from TAC?

Ciao

Christian

Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi

Patrick Tran — Fri, 25 Feb 2011 14:41:24 GMT

Hello,

I have exactly the same issue.

About Common password:

"Common Password—Specifies the common password for use with a RADIUS authorization server. The password is case-sensitive. The box displays only asterisks. If you are defining a RADIUS server to be used for authentication rather than authorization, do not provide a common password.

A RADIUS authorization server requires a password and username for each connecting user. You enter the password here. The RADIUS authorization server administrator must configure the RADIUS server to associate this password with each user authorizing to the server via this FWSM. Be sure to provide this information to your RADIUS server administrator. Enter a common password for all users who are accessing this RADIUS authorization server through this FWSM.

If you leave this field blank, each user password will be his or her own username. For example, a user with the username "jsmith" would enter "jsmith". As a security precaution never use a RADIUS authorization server for authentication. Use of a common password or usernames as passwords is much less secure than strong passwords per user."

I tried it and it work when I specified my test user's password in common password... but I can't do this for everybody

I have ACS 5.2, is there a solution in this version?

Thanks,

Patrick

Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi

Herbert Baerten — Mon, 28 Feb 2011 11:55:18 GMT

Just adding a thought here in case it might help anyone: instead of doing Radius authorization towards ACS, you could configure the ASA to do LDAP authorization directly to AD. This would not require a password.

It would be similar to this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

except that you would use certificate authentication instead of Kerberos - so you wouldn't need the authentication-server-group, and instead add username-from-certificate but I suppose you already have that part covered if you're doing Cert+Radius.

hth

Herbert

Re: Authorization problem between ASA - ACS 5.1 - AD (with Certi

Patrick Tran — Mon, 28 Feb 2011 12:39:24 GMT

Hi Herbert,

Thanks for your reply.

I tested LDAP authorization with group mapping before RADIUS.
It worked fine.

I tested ACS because I wanted to centralized company's authorizations on RADIUS.

I will stay on LDAP for the moment.

Regards,

Patrick