https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3357044#M550360 Just a quick update in case anyone finds this. I upgraded ASDM/ASA yesterday. Now on 7.9(2) ASDM and 9.9(2). The realm-id has been removed from config and the "Edit AAA Server Group" gui. Wed, 28 Mar 2018 20:24:46 GMT briancarson 2018-03-28T20:24:46Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3325449#M550354 <P>Hello all,&nbsp;</P> <P>&nbsp;</P> <P>I have an ASA 5512x running firmware 9.9(1). I am trying to add a RADIUS server group for authentication and I am being asked for a Realm-id. I have been using an older ASA 5510 for testing and I have never been prompted for this and I have not seen it on any of the documentation I have viewed. There is a configured LDAP server group already and the realm ID is set to 0. I just want to make sure I know what the realm ID does before I go any further.&nbsp; Any help is appreciated!&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Capture.PNG" style="width: 409px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/7222i657B80FD44B5DE66/image-size/large?v=v2&amp;px=999" role="button" title="Capture.PNG" alt="Capture.PNG" /></span></P> Fri, 21 Feb 2020 18:44:57 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3325449#M550354 brandonbittinger 2020-02-21T18:44:57Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3333044#M550355 <P>Hi there, I just tried the 0 value for the Realm-id. Looks like this works. Starting aan SSH session with only Radius as authentication option works fine</P> <P>&nbsp;</P> <P>Cheers</P> <P>Marcel</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 17 Feb 2018 22:41:00 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3333044#M550355 Marcel70 2018-02-17T22:41:00Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350015#M550356 <P>I've been looking for information about this field since it's not documented. In a post on the Japanese forum, it was explained that it was supported, but not being used. You cannot leave it blank. However, putting 0 does work and appears to be the only option when adding an AAA server.</P> <P>Here's the post, from June of 2017. It was required for my copy of ASA 9.9(1)/ASDM 7.9(1)151.</P> <P><A href="https://supportforums.cisco.com/t5/tkb/articleprintpage/tkb-id/5041-docs-security/article-id/625" target="_blank">https://supportforums.cisco.com/t5/tkb/articleprintpage/tkb-id/5041-docs-security/article-id/625</A></P> <P>-I realize this is old, but thought I'd add to it for people searching for documentation like myself.</P> <P>&nbsp;</P> Fri, 16 Mar 2018 17:05:00 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350015#M550356 briancarson 2018-03-16T17:05:00Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350217#M550357 <P>Interesting. I had only associated realms with Firepower previously. The ASA release notes, configuration guide and command reference are silent on this option. I do see it from the cli on an ASA running 9.9(1).</P> <P>&nbsp;</P> <PRE>ccielab-asa(config-aaa-server-group)# aaa-server test1 protocol ldap ccielab-asa(config-aaa-server-group)# ? AAA server configuration commands: exit Exit from aaa-server group configuration mode help Help for AAA server configuration commands max-failed-attempts Specify the maximum number of failures that will be allowed for any server in the group before that server is deactivated no Remove an item from aaa-server group configuration reactivation-mode Specify the method by which failed servers are reactivated realm-id Enter this keyword to specify the internal realm id ccielab-asa(config-aaa-server-group)# realm-id ? aaa-server-group mode commands/options: &lt;0-65535&gt; Internal realm id ccielab-asa(config-aaa-server-group)# end ccielab-asa# sh ver | i bin System image file is "disk0:/asa991-smp-k8.bin" ccielab-asa#</PRE> Sat, 17 Mar 2018 13:05:04 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350217#M550357 Marvin Rhoads 2018-03-17T13:05:04Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350253#M550358 Hi briancarson,<BR /><BR />actually that was my though :). It good to share so other can find it and<BR />do not have to search very long. Thx for sharing.<BR /><BR />Cheers<BR /><BR /> Sat, 17 Mar 2018 16:18:33 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350253#M550358 Marcel70 2018-03-17T16:18:33Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350965#M550359 <P>On further exploring, one additional item to note. There is no mention/record of the parameter in the 'show running' in either CLI or ASDM.</P> <P>I am unsure if this is the first version (ASDM) it has appeared. The realm-id field is numeric, 0-<SPAN class="cwcot">65535. You cannot save without a number in this field and you can add multiple server groups with the identical value.</SPAN></P> <P><SPAN class="cwcot">I suppose this could be implemented in a future version expanding cross-realm authentication for Radius servers? Not something I'll need to worry about for the foreseeable future.</SPAN></P> <P>&nbsp;edit: I stand corrected. I checked 'show start' and it is there. Right under the aaa-server protocol entry.</P> <P>&nbsp;</P> Mon, 19 Mar 2018 16:04:13 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3350965#M550359 briancarson 2018-03-19T16:04:13Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3357044#M550360 Just a quick update in case anyone finds this. I upgraded ASDM/ASA yesterday. Now on 7.9(2) ASDM and 9.9(2). The realm-id has been removed from config and the "Edit AAA Server Group" gui. Wed, 28 Mar 2018 20:24:46 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3357044#M550360 briancarson 2018-03-28T20:24:46Z https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3357439#M550361 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/457643">@briancarson</a>,</P> <P>&nbsp;</P> <P>Thanks for the update. I see the same on my lab system as well.</P> <P>&nbsp;</P> <P>Interestingly Cisco didn't mention fixing this problem in the release notes.</P> Thu, 29 Mar 2018 12:22:17 GMT https://community.cisco.com/t5/network-access-control/asa-server-group-asking-for-realm-id-for-radius/m-p/3357439#M550361 Marvin Rhoads 2018-03-29T12:22:17Z