topic Re: ASA TACACS+ webvpn authentication in Network Access Control

ASA TACACS+ webvpn authentication

brilong — Fri, 02 Sep 2016 17:08:43 GMT

I run a ASA 5555-X in my lab with code 9.4(3)8. I recently followed How To: ISE TACACS+ Configuration for ASA Network Devices to configure TACACS+ and it wasn't until I was done that I realized I cannot use TACACS+ for webvpn authentication. It appears to only allow LOCAL, RADIUS or LDAP. I'm no ASA expert so I had no idea about this limitation. Why would I use TACACS+ authentication for ASDM and SSH authentication if I cannot use it for my Anyconnect clients? Do I need to configure RADIUS or LDAP in parallel to TACACS+ in order for my end users to be authenticated by ISE? How about my legacy IPSEC clients?

Thank you.

Re: ASA TACACS+ webvpn authentication

howon — Fri, 02 Sep 2016 17:21:05 GMT

Brian, TACACS+ is typically used for administrative access control and it provides unique benefit compared to RADIUS or LDAP. It provides ability to control command authorization that is defined on the central server so you can configure multiple admin groups with granular control in terms of managing devices. It also provides detailed accounting, banner messages, and enable password support that is not possible with RADIUS or LDAP.

RADIUS /LDAP is typically used for endusers to gain access behind the network device such as webvpn, SSL vpn, or IPSEC clients.

Re: ASA TACACS+ webvpn authentication

brilong — Fri, 02 Sep 2016 20:04:46 GMT

Follow-up: is there a document showing how AAA should be configured such that TACACS+ is used as per the above-referenced document and RADIUS (ISE) is used for SSL VPN and IPSEC clients? I'm not interested in the Posture feature, so I followed an older guide here: ASA 8.0: Configure RADIUS Authentication for WebVPN Users - Cisco

When I run the test aaa-server command, it is successful, but when I VPN into my ASA, I get rejected and ISE says I was rejected as well. The ISE live log says 24020: User authentication against the LDAP Server failed. I have been able to authenticate on my Cat 3750X switches with ISE using the same username and password so I'm wondering what I may be missing on the ASA configuration.

When I set my tunnel-group general-attributes to authorization-server-group ISE-RADIUS, it fails. When I go back to LOCAL, it works fine. Any tips would be appreciated.

Re: ASA TACACS+ webvpn authentication

howon — Fri, 02 Sep 2016 20:19:14 GMT

I would suggest looking into why the user auth against LDAP failed on the ISE first. Do you see different backend identity source being used when you run test aaa-server command vs. when you login as VPN user?

Re: ASA TACACS+ webvpn authentication

brilong — Fri, 02 Sep 2016 20:44:46 GMT

I have the successful login here:

Overview

Event 5200 Authentication succeeded

Username brilong

Endpoint Id

Endpoint Profile

Authentication Policy Default >> Default >> Default

Authorization Policy Default >> Basic_Authenticated_Access

Authorization Result PermitAccess

Authentication Details

Source Timestamp 2016-09-02 16:28:28.652

Received Timestamp 2016-09-02 16:28:28.653

Policy Server ise1

Event 5200 Authentication succeeded

Username brilong

Authentication Identity Store Cisco_IdM

Authentication Method PAP_ASCII

Authentication Protocol PAP_ASCII

Network Device asa-rtp

Device Type All Device Types#Security Devices#Firewalls

Location All Locations#LabDaddy

NAS IPv4 Address 172.16.1.1

NAS Port Type Virtual

Authorization Profile PermitAccess

Response Time 51

Other Attributes

ConfigVersionId 135

DestinationPort 1645

Protocol Radius

NAS-Port 2

NetworkDeviceProfileName Cisco

NetworkDeviceProfileId 8ade1f15-aef1-4a9a-8158-d02e835179db

IsThirdPartyDeviceFlow false

AcsSessionID ise1/260143792/1562655

SelectedAuthenticationIdentityStores Internal Users

SelectedAuthenticationIdentityStores Cisco_IdM

SelectedAuthenticationIdentityStores Guest Users

AuthorizationPolicyMatchedRule Basic_Authenticated_Access

CPMSessionID ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g

ISEPolicySetName Default

AllowedProtocolMatchedRule Default

IdentitySelectionMatchedRule Default

Network Device Profile Cisco

Location Location#All Locations#LabDaddy

Device Type Device Type#All Device Types#Security Devices#Firewalls

IdentityDn uid=brilong,cn=users,cn=accounts,dc=cisco

RADIUS Username brilong

Device IP Address 172.16.1.1

CiscoAVPair coa-push=true

Result

State ReauthSession:ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g

Class CACS:ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g:ise1/260143792/1562655

LicenseTypes Base license consumed

And the failed login as follows, but I'm not sure what I'm seeing as a problem.

Overview

Event 5400 Authentication failed

Username brilong

Endpoint Id 64.102.x.y

Endpoint Profile

Authentication Policy Default >> Default >> Default

Authorization Result

Authentication Details

Source Timestamp 2016-09-02 15:13:05.07

Received Timestamp 2016-09-02 15:13:05.101

Policy Server ise1

Event 5400 Authentication failed

Failure Reason 24020 User authentication against the LDAP Server failed

Resolution If the user record is disabled, enable it. If the user record is expired, reset the credentials. Otherwise the failure is probably due to an invalid password.

Root cause User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired

Username brilong

Endpoint Id 64.102.x.y

Calling Station Id 64.102.x.y

Authentication Identity Store Cisco_IdM

Audit Session Id ac1001010001700057c9cf3a

Authentication Method PAP_ASCII

Authentication Protocol PAP_ASCII

Service Type Framed

Network Device asa-rtp

Device Type All Device Types#Security Devices#Firewalls

Location All Locations#LabDaddy

NAS IPv4 Address 172.16.1.1

NAS Port Type Virtual

Response Time 98

Other Attributes

ConfigVersionId 135

Device Port 47192

DestinationPort 1645

RadiusPacketType AccessRequest

Protocol Radius

NAS-Port 94208

Framed-Protocol PPP

Tunnel-Client-Endpoint (tag=0) 64.102.x.y

CVPN3000/ASA/PIX7x-Tunnel-Group-Name TG

OriginalUserName brilong

NetworkDeviceProfileName Cisco

NetworkDeviceProfileId 8ade1f15-aef1-4a9a-8158-d02e835179db

IsThirdPartyDeviceFlow false

SSID 172.18.151.x

CVPN3000/ASA/PIX7x-Client-Type 1

AcsSessionID ise1/260143792/1558619

SelectedAuthenticationIdentityStores Internal Users

SelectedAuthenticationIdentityStores Cisco_IdM

SelectedAuthenticationIdentityStores Guest Users

CPMSessionID ac1001010001700057c9cf3a

ISEPolicySetName Default

AllowedProtocolMatchedRule Default

IdentitySelectionMatchedRule Default

Network Device Profile Cisco

Location Location#All Locations#LabDaddy

Device Type Device Type#All Device Types#Security Devices#Firewalls

IdentityDn uid=brilong,cn=users,cn=accounts,dc=cisco

RADIUS Username brilong

Device IP Address 172.16.1.1

Called-Station-ID 172.18.151.x

CiscoAVPair audit-session-id=ac1001010001700057c9cf3a,

ip:source-ip=64.102.x.y,

coa-push=true

Result

RadiusPacketType AccessReject

AuthenticationResult Failed

Session Events

2016-09-02 15:13:05.101 Authentication failed

Re: ASA TACACS+ webvpn authentication

howon — Fri, 02 Sep 2016 21:26:58 GMT

ISE is complaining that the password is incorrect. Since you are using correct password, I suspect it could be the ASA setting that is causing this. I suggest going through the ASA guide to ensure that it is correctly configured. Here is example of ASA + ACS. Setup of ACS should be similar to ISE:

ASA 8.3 and Later: Radius Authorization (ACS 5.x) for VPN Access Using Downloadable ACL with CLI and ASDM Configuration …