AnyConnect and ACS5.1

alex.dersch
Level 4

Hello Team,

I'm having a problem with the following setup: Cisco ASA 5520 with ACS 5.1. I'd like to have multiple SSL VPN Client Connection Profiles, which is already working fine. Each profile should use an individual Service Selection Rule in the ACS.

I tried to use the following attribute, "CVPN3000/ASA/PIX7.x-SVC-Profile-Name", in the Service Selection Policy to define an individual service. But it's not working.

How can I make sure that this attribute is sent from the ASA to the ACS?

Thanks for your feedback

alex

8 Replies

Jay Young
Cisco Employee

Alex,

You can try "debug radius all" when you are doing the test and you should see a dump of the access-accept response and all the attributes that are sent back.

From there you can determine whether the ACS or the ASA is mis-behaving.

-Jay

Jay thanks for your reply,

I collected the debug on the firewall; it seems to me that the ASA sends the attributes but the ACS doesn't understand them.

Any idea how to teach the ACS to understand the parameters?

RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=172.24.7.11

RADIUS packet decode (authentication request)

--------------------------------------
Feb 02 2011 04:32:36: %ASA-6-113004: AAA user authentication Successful : server =  10.0.128.3 : user = dersa
Feb 02 2011 04:32:36: %ASA-6-113009: AAA retrieved default group policy (FroxWebPolicy) for user = dersa
Feb 02 2011 04:32:36: %ASA-6-113008: AAA transaction status ACCEPT : user = dersa
Feb 02 2011 04:32:36: %ASA-7-734003: DAP: User dersa, Addr 172.24.7.11: Session Attribute aaa.radius["1"]["1"] = dersa
Feb 02 2011 04:32:36: %ASA-7-734003: DAP: User dersa, Addr 172.24.7.11: Session Attribute aaa.radius["25"]["1"] = CACS:bsacs01/85987645/26
Feb 02 2011 04:32:36: %ASA-7-734003: DAP: User dersa, Addr 172.24.7.11: Session Attribute aaa.cisco.grouppolicy = FroxWebPolicy
Feb 02 2011 04:32:36: %ASA-7-734003: DAP: User dersa, Addr 172.24.7.11: Session Attribute aaa.cisco.username = dersa
Feb 02 2011 04:32:36: %ASA-7-734003: DAP: User dersa, Addr 172.24.7.11: Session Attribute aaa.cisco.tunnelgroup = FROX_SSLVPN
Feb 02 2011 04:32:36: %ASA-6-734001: DAP: User dersa, Addr 172.24.7.11, Connection Clientless: The following DAP records were selected for this connection: DfltAccessPolicy
Feb 02 2011 04:32:36: %ASA-6-716001: Group User IP <172.24.7.11> WebVPN session started.
Feb 02 2011 04:32:36: %ASA-6-716038: Group User IP <172.24.7.11> Authentication: successful, Session Type: WebVPN.
Raw packet data (length = 134).....
01 24 00 86 dc e5 ba 6b c8 61 86 47 74 9d 12 e3    |  .$.....k.a.Gt...
e0 99 5e 3f 01 07 64 65 72 73 61 02 12 96 1b c9    |  ..^?..dersa.....
05 0c 75 86 97 05 46 f2 9a ed f3 08 7a 05 06 00    |  ..u...F.....z...
01 90 00 1e 0d 31 37 32 2e 31 36 2e 32 2e 32 35    |  .....172.16.2.25
1f 0d 31 37 32 2e 32 34 2e 37 2e 31 31 3d 06 00    |  ..172.24.7.11=..
00 00 05 42 0d 31 37 32 2e 32 34 2e 37 2e 31 31    |  ...B.172.24.7.11
04 06 0a 00 80 02 1a 20 00 00 00 09 01 1a 69 70    |  ....... ......ip
3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32 2e 32    |  :source-ip=172.2
34 2e 37 2e 31 31                                  |  4.7.11

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 36 (0x24)
Radius: Length = 134 (0x0086)
Radius: Vector: DCE5BA6BC8618647749D12E3E0995E3F
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
64 65 72 73 61                                     |  dersa
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
96 1b c9 05 0c 75 86 97 05 46 f2 9a ed f3 08 7a    |  .....u...F.....z
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x19000
Radius: Type = 30 (0x1E) Called-Station-Id
Radius: Length = 13 (0x0D)
Radius: Value (String) =
31 37 32 2e 31 36 2e 32 2e 32 35                   |  172.16.2.25
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 13 (0x0D)
Radius: Value (String) =
31 37 32 2e 32 34 2e 37 2e 31 31                   |  172.24.7.11
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 66 (0x42) Tunnel-Client-Endpoint
Radius: Length = 13 (0x0D)
Radius: Value (String) =
31 37 32 2e 32 34 2e 37 2e 31 31                   |  172.24.7.11
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.0.128.2 (0x0A008002)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 32 (0x20)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 26 (0x1A)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 37 32    |  ip:source-ip=172
2e 32 34 2e 37 2e 31 31                            |  .24.7.11
send pkt 10.0.128.3/1645
rip 0x739f97d8 state 7 id 36
rad_vrfy() : response message verified
rip 0x739fed28
: chall_state ''
: state 0x7
: timer 0x0
: reqauth:
     dc e5 ba 6b c8 61 86 47 74 9d 12 e3 e0 99 5e 3f
: info 0x44
     session_id 0x44
     request_id 0x24
     user 'dersa'
     response '***'
     app 0
     reason 0
     skey 'B3048*a1'
     sip 10.0.128.3
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 53).....
02 24 00 35 c2 9e 8f 3e 6c 0b 86 38 2d 43 01 e2    |  .$.5...>l..8-C..
15 1c 51 c2 01 07 64 65 72 73 61 19 1a 43 41 43    |  ..Q...dersa..CAC
53 3a 62 73 61 63 73 30 31 2f 38 35 39 38 37 36    |  S:bsacs01/859876
34 35 2f 32 36                                     |  45/26

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 36 (0x24)
Radius: Length = 53 (0x0035)
Radius: Vector: C29E8F3E6C0B86382D4301E2151C51C2
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
64 65 72 73 61                                     |  dersa
Radius: Type = 25 (0x19) Class
Radius: Length = 26 (0x1A)
Radius: Value (String) =
43 41 43 53 3a 62 73 61 63 73 30 31 2f 38 35 39    |  CACS:bsacs01/859
38 37 36 34 35 2f 32 36                            |  87645/26
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x739f97d8 session 0x44 id 36
free_rip 0x739f97d8
radius: send queue empty

Alex,

You may want to move this thread over to AAA region in the security section to see if anyone else has an idea to configure the ACS device (sorry not my speciality).

-Jay

I moved it, thanks for your efforts. I checked the ACS logs; there are no VSAs reaching the ACS.

Can you paste the link where you moved it to?

Ooh Micheal,

This was a year ago; I believe I didn't move it. But I got it to run as needed. Do you have a particular question? Maybe I can help.

regards

alex

Hi Alex, I'm struggling with a situation like this. Would you please suggest which RADIUS attribute I have to use in the service selection rule to distinguish which WebVPN profile the user is using, or how did you accomplish this?

Thanks in advance

Oscar.

Oscar,

Not sure if this will help, but it seems the RADIUS attribute is

"CVPN3000/ASA/PIX7.x-SVC-Profile-Name" or "SVC-Profiles"

which translates to RADIUS attribute number 128 and vendor ID 3076.

See:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1802187

-Jay
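The debug dump earlier in the thread and the attribute numbers in the last reply can be checked against each other mechanically. The following Python is an added example for this thread, not Cisco's code or any poster's: it parses the two RADIUS packets whose hex dumps appear above, unpacks the Vendor-Specific attributes, and tests whether the Access-Request carries vendor 3076 / type 128 (the SVC-Profile-Name mapping given in the last reply). On the posted request it finds only the Cisco-AV-pair (vendor 9, type 1, `ip:source-ip=...`), which matches the observation that no profile-name VSA reached the ACS. The helper names, `ATTR_NAMES`, and the value `ExampleProfile` are constructed for the example; the attribute names come from RFC 2865.

```python
"""Walk the RADIUS packets from the 'debug radius all' dump posted in this
thread and check which vendor-specific attributes (VSAs) each one carries.

Added example for this thread; it is not Cisco's code or a poster's.  The
packet bytes are copied from the two hex dumps above.  Attribute names follow
RFC 2865; the mapping of CVPN3000/ASA/PIX7.x-SVC-Profile-Name to vendor 3076 /
type 128 is the one given in the last reply.  EXAMPLE_PROFILE is a constructed
value used only to show what the attribute would look like on the wire.
"""
import struct

ATTR_NAMES = {  # RFC 2865 types that occur in the dump
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    25: "Class", 26: "Vendor-Specific", 30: "Called-Station-Id",
    31: "Calling-Station-Id", 61: "NAS-Port-Type", 66: "Tunnel-Client-Endpoint",
}
CISCO_VENDOR_ID = 9                  # carries Cisco-AV-pair as sub-type 1
CISCO_VPN3000_VENDOR_ID = 3076       # carries the CVPN3000/ASA/PIX7.x attributes
SVC_PROFILE_NAME = 128               # ...-SVC-Profile-Name, per the last reply
EXAMPLE_PROFILE = b"ExampleProfile"  # constructed, not from the thread

# Access-Request (134 bytes) and Access-Accept (53 bytes) copied from the dumps.
ACCESS_REQUEST = bytes.fromhex(
    "01240086dce5ba6bc8618647749d12e3e0995e3f010764657273610212961bc9"
    "050c7586970546f29aedf3087a0506000190001e0d3137322e31362e322e3235"
    "1f0d3137322e32342e372e31313d0600000005420d3137322e32342e372e3131"
    "04060a0080021a2000000009011a69703a736f757263652d69703d3137322e32"
    "342e372e3131")
ACCESS_ACCEPT = bytes.fromhex(
    "02240035c29e8f3e6c0b86382d4301e2151c51c201076465727361191a434143"
    "533a627361637330312f38353938373634352f3236")


def parse_radius(data):
    """Return header fields plus flat lists of attributes and VSA sub-attributes.

    Attributes are (type, name, value) tuples; type-26 attributes are further
    unpacked into (vendor_id, vendor_type, value) using the RFC 2865 layout
    that both Cisco vendor IDs use.
    """
    if len(data) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"length field {length} inconsistent with {len(data)} bytes")
    pkt = {"code": code, "identifier": identifier, "length": length,
           "authenticator": data[4:20], "attributes": [], "vsas": []}
    pos = 20
    while pos < length:  # octets beyond 'length' are padding and ignored
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = data[pos + 2:pos + alen]
        pkt["attributes"].append((atype, ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        if atype == 26 and len(value) >= 6:
            vendor_id = struct.unpack("!I", value[:4])[0]
            vpos = 4  # one VSA may hold several sub-attributes back to back
            while vpos + 2 <= len(value):
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                pkt["vsas"].append((vendor_id, vtype, value[vpos + 2:vpos + vlen]))
                vpos += vlen
        pos += alen
    return pkt


def find_attr(pkt, attr_type):
    """First value of a standard attribute, or None."""
    return next((v for t, _, v in pkt["attributes"] if t == attr_type), None)


def find_vsa(pkt, vendor_id, vendor_type):
    """First value of a vendor-specific sub-attribute, or None."""
    return next((v for vid, vt, v in pkt["vsas"]
                 if vid == vendor_id and vt == vendor_type), None)


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute (type 26) in RFC 2865 layout."""
    sub = bytes([vendor_type, len(value) + 2]) + value
    body = struct.pack("!I", vendor_id) + sub
    return bytes([26, len(body) + 2]) + body


def append_attribute(packet, attr):
    """Copy of packet with attr appended and the Length field fixed up.

    The Request Authenticator is left untouched: this is for inspecting the
    attribute layout, not for producing a packet a server would accept.
    """
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    return struct.pack("!BBH", code, identifier, length + len(attr)) + packet[4:length] + attr


def profile_name_sent(packet_bytes):
    """The question the thread asks: did the NAS send SVC-Profile-Name?"""
    pkt = parse_radius(packet_bytes)
    return find_vsa(pkt, CISCO_VPN3000_VENDOR_ID, SVC_PROFILE_NAME) is not None


if __name__ == "__main__":
    for label, raw in (("Access-Request", ACCESS_REQUEST), ("Access-Accept", ACCESS_ACCEPT)):
        pkt = parse_radius(raw)
        print(f"{label}: code={pkt['code']} id={pkt['identifier']} len={pkt['length']}")
        for _, name, value in pkt["attributes"]:
            print(f"  {name}: {value!r}")
        for vid, vtype, value in pkt["vsas"]:
            print(f"  VSA vendor={vid} type={vtype}: {value!r}")
    print("SVC-Profile-Name in posted request:", profile_name_sent(ACCESS_REQUEST))
    patched = append_attribute(
        ACCESS_REQUEST, encode_vsa(CISCO_VPN3000_VENDOR_ID, SVC_PROFILE_NAME, EXAMPLE_PROFILE))
    print("...after appending a constructed one:", profile_name_sent(patched))
```

Run it as a script to see both packets decoded the same way the ASA debug prints them, followed by the yes/no answer for the profile-name attribute; `encode_vsa` shows the byte layout (type 26, vendor ID 3076, sub-type 128) that would have to appear in the request for an ACS Service Selection Rule keyed on that attribute to match.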