ASA Server Group Asking For Realm-id for RADIUS

Hello all, 

 

I have an ASA 5512x running firmware 9.9(1). I am trying to add a RADIUS server group for authentication and I am being asked for a Realm-id. I have been using an older ASA 5510 for testing and I have never been prompted for this and I have not seen it on any of the documentation I have viewed. There is a configured LDAP server group already and the realm ID is set to 0. I just want to make sure I know what the realm ID does before I go any further.  Any help is appreciated! 

 

[Attached screenshot: Capture.PNG]

7 Replies

Marcel70
Level 1

Hi there, I just tried the 0 value for the Realm-id. Looks like this works. Starting an SSH session with only RADIUS as authentication option works fine.

 

Cheers

Marcel

 

 

briancarson
Level 1

I've been looking for information about this field since it's not documented. In a post on the Japanese forum, it was explained that it was supported, but not being used. You cannot leave it blank. However, putting 0 does work and appears to be the only option when adding an AAA server.

Here's the post, from June of 2017. It was required for my copy of ASA 9.9(1)/ASDM 7.9(1)151.

https://supportforums.cisco.com/t5/tkb/articleprintpage/tkb-id/5041-docs-security/article-id/625

-I realize this is old, but thought I'd add to it for people searching for documentation like myself.

 

Hi briancarson,

actually that was my thought :). It's good to share so others can find it and
do not have to search very long. Thx for sharing.

Cheers

Marvin Rhoads
Hall of Fame

Interesting. I had only associated realms with Firepower previously. The ASA release notes, configuration guide and command reference are silent on this option. I do see it from the cli on an ASA running 9.9(1).

 

ccielab-asa(config-aaa-server-group)# aaa-server test1 protocol ldap    
ccielab-asa(config-aaa-server-group)# ?

AAA server configuration commands:
  exit                 Exit from aaa-server group configuration mode
  help                 Help for AAA server configuration commands
  max-failed-attempts  Specify the maximum number of failures that will be
                       allowed for any server in the group before that server
                       is deactivated
  no                   Remove an item from aaa-server group configuration
  reactivation-mode    Specify the method by which failed servers are
                       reactivated
  realm-id             Enter this keyword to specify the internal realm id
ccielab-asa(config-aaa-server-group)# realm-id ?

aaa-server-group mode commands/options:
  <0-65535>  Internal realm id
ccielab-asa(config-aaa-server-group)# end      
ccielab-asa# sh ver | i bin
System image file is "disk0:/asa991-smp-k8.bin"
ccielab-asa#

On further exploring, one additional item to note. There is no mention/record of the parameter in the 'show running' in either CLI or ASDM.

I am unsure if this is the first version (ASDM) it has appeared. The realm-id field is numeric, 0-65535. You cannot save without a number in this field and you can add multiple server groups with the identical value.

I suppose this could be implemented in a future version expanding cross-realm authentication for Radius servers? Not something I'll need to worry about for the foreseeable future.

 edit: I stand corrected. I checked 'show start' and it is there. Right under the aaa-server protocol entry.
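The observation above (a parameter present in 'show start' but absent from 'show running') is the kind of running-vs-startup drift an auditor would want to catch automatically. The following Python is an added example, not code from this thread or from Cisco: it parses the `aaa-server <name> protocol <proto>` blocks from two constructed ASA-style configuration excerpts and lists every per-group parameter that differs between them. The sample configs, the group names and the placement of the `realm-id` line directly under the protocol entry are assumptions based only on the description in this thread.

```python
import re

# Constructed sample excerpts (not captured from a real device): what the
# aaa-server section of 'show running-config' and 'show startup-config' might
# look like on an ASA 9.9(1) where the startup copy carries a realm-id line.
RUNNING_CONFIG = """\
aaa-server LDAP-GROUP protocol ldap
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server LDAP-GROUP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
aaa-server RADIUS-GROUP protocol radius
 max-failed-attempts 3
aaa-server RADIUS-GROUP (inside) host 192.0.2.20
 key *****
"""

STARTUP_CONFIG = """\
aaa-server LDAP-GROUP protocol ldap
 realm-id 0
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server LDAP-GROUP (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
aaa-server RADIUS-GROUP protocol radius
 realm-id 0
 max-failed-attempts 3
aaa-server RADIUS-GROUP (inside) host 192.0.2.20
 key *****
"""

# Matches only the group-level entry, not the per-host 'aaa-server X (if) host' lines.
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")


def parse_aaa_groups(config_text):
    """Return {group_name: {"protocol": str, "params": {keyword: value}}}.

    Indented lines directly below an 'aaa-server <name> protocol <proto>' line
    are that group's parameters: first word is the keyword, the rest (possibly
    empty) is its value. Indented lines under any other top-level command
    (for example a host entry) are ignored.
    """
    groups = {}
    current = None
    for line in config_text.splitlines():
        if not line.startswith(" "):
            match = GROUP_RE.match(line)
            if match:
                current = {"protocol": match.group(2), "params": {}}
                groups[match.group(1)] = current
            else:
                current = None
            continue
        if current is None:
            continue
        parts = line.strip().split(None, 1)
        current["params"][parts[0]] = parts[1] if len(parts) > 1 else ""
    return groups


def diff_aaa_groups(running_text, startup_text):
    """List (group, keyword, running_value, startup_value) for each parameter
    whose value differs between the two configs; None means it is absent."""
    running = parse_aaa_groups(running_text)
    startup = parse_aaa_groups(startup_text)
    findings = []
    for group in sorted(set(running) | set(startup)):
        r_params = running.get(group, {"params": {}})["params"]
        s_params = startup.get(group, {"params": {}})["params"]
        for keyword in sorted(set(r_params) | set(s_params)):
            if r_params.get(keyword) != s_params.get(keyword):
                findings.append((group, keyword, r_params.get(keyword), s_params.get(keyword)))
    return findings


if __name__ == "__main__":
    for group, keyword, r_val, s_val in diff_aaa_groups(RUNNING_CONFIG, STARTUP_CONFIG):
        print(f"{group}: {keyword!r} running={r_val!r} startup={s_val!r}")
```

Run against the two constructed excerpts, the check reports `realm-id` as present only in the startup copy for both groups; feeding it real `show running-config` and `show startup-config` output would surface any parameter that one view displays and the other hides, which is exactly how the discrepancy in this thread was noticed.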

 

Just a quick update in case anyone finds this. I upgraded ASDM/ASA yesterday. Now on 7.9(2) ASDM and 9.9(2). The realm-id has been removed from config and the "Edit AAA Server Group" GUI.

@briancarson,

 

Thanks for the update. I see the same on my lab system as well.

 

Interestingly Cisco didn't mention fixing this problem in the release notes.