1189 Views, 0 Helpful, 2 Replies

Cisco ASA VPN Radius Server Authentication

decot33 (Level 1)

Hello!

I am attempting to deploy a 5506-X ASA using a RADIUS server for VPN authentication. I will have two types of users with different access needs. Typically I would just have local AAA users and separate them into groups for the ACL management. I understand that the RADIUS server can be configured to attach a class name (attribute 25). From the research that I have done I have learned that when attempting to connect to the VPN, the ASA can assign the user to a group policy that has the same name as the RADIUS class name. What I am not sure about is how to configure the connection profile to allow for this to happen. Any guidance on this would be appreciated. Also, if I am leaving anything out, please let me know.

Thanks! 

2 Replies

GRANT3779 (Spotlight)

Hi Decot,


What are you using as your RADIUS back end? ACS, ISE, NPS on Windows? Will you be differentiating between your users based on an AD group?

At a high level you would have your various Group Policies configured on the ASA with the relevant access set for each.

ASA configured with the RADIUS server details and AnyConnect configured to use RADIUS for authentication.

The RADIUS server would be set up with the ASA as a RADIUS client, and you would have conditions set up on the RADIUS server, e.g. is decot33 in AD group ADMIN? If so, allow access and assign to group policy "Admin Policy". This is done by having the RADIUS server send attribute 25 with a value of the Group Policy name configured on the ASA.

Based on Windows / NPS there is a guide here:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/117641-config-asa-00.html
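The following ASA configuration fragment is an added illustration of the setup described in this reply; it is not from the original thread or the linked Cisco guide, and the names (RADIUS-SRV, ADMIN-POLICY, USER-POLICY, NOACCESS, ANYCONNECT-TG), the server address 10.0.0.10 and the ACL names are assumptions chosen for the example. The ASA matches the RADIUS Class attribute (25) when it is sent in the form OU=<group-policy-name>; so the RADIUS server would return OU=ADMIN-POLICY; for the admin condition and OU=USER-POLICY; for the other. The key defensive detail is the default-group-policy on the tunnel-group: it is set to a policy with vpn-simultaneous-logins 0, so a user who authenticates but for whom the RADIUS server returns no class (or a class that matches no local policy) gets no session rather than silently landing in a permissive default.

```cisco
! --- RADIUS server definition (address and key are placeholders) ---
aaa-server RADIUS-SRV protocol radius
aaa-server RADIUS-SRV (inside) host 10.0.0.10
 key <shared-secret-placeholder>

! --- Per-role group policies; each carries its own vpn-filter ACL ---
group-policy ADMIN-POLICY internal
group-policy ADMIN-POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ADMIN-ACL

group-policy USER-POLICY internal
group-policy USER-POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value USER-ACL

! --- Fallback policy: allows zero concurrent logins, so an authenticated
!     user with no matching Class attribute cannot bring up a tunnel ---
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! --- Connection profile: authenticate against RADIUS, default to NOACCESS ---
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group RADIUS-SRV
 default-group-policy NOACCESS
```

To confirm which policy a session actually received after a test login, `show vpn-sessiondb anyconnect` lists the Group Policy assigned to each connected user; a session showing NOACCESS (or no session at all) indicates the RADIUS server returned no usable Class value for that account.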


vsurresh (Level 1)
Looking at your requirements, I assume you might as well use Dynamic Access Policies. I have used them with LDAP, where users in different AD groups will get a different kind of access. I believe RADIUS can be used as well.