I have an ASA 5512-X running firmware 9.9(1). I am trying to add a RADIUS server group for authentication and I am being asked for a Realm-id. I have been using an older ASA 5510 for testing and have never been prompted for this, nor have I seen it in any of the documentation I have viewed. There is a configured LDAP server group already and its realm ID is set to 0. I just want to make sure I know what the realm ID does before I go any further. Any help is appreciated!
Hi there, I just tried the 0 value for the Realm-id. Looks like this works. Starting an SSH session with only RADIUS as the authentication option works fine.
I've been looking for information about this field since it's not documented. In a post on the Japanese forum, it was explained that it was supported, but not being used. You cannot leave it blank. However, putting 0 does work and appears to be the only option when adding an AAA server.
Here's the post, from June of 2017. It was required for my copy of ASA 9.9(1)/ASDM 7.9(1)151.
I realize this is old, but thought I'd add to it for people searching for documentation like myself.
Interesting. I had only associated realms with Firepower previously. The ASA release notes, configuration guide and command reference are silent on this option. I do see it from the cli on an ASA running 9.9(1).
ccielab-asa(config-aaa-server-group)# aaa-server test1 protocol ldap
ccielab-asa(config-aaa-server-group)# ?

AAA server configuration commands:
  exit                 Exit from aaa-server group configuration mode
  help                 Help for AAA server configuration commands
  max-failed-attempts  Specify the maximum number of failures that will be allowed for any server in the group before that server is deactivated
  no                   Remove an item from aaa-server group configuration
  reactivation-mode    Specify the method by which failed servers are reactivated
  realm-id             Enter this keyword to specify the internal realm id

ccielab-asa(config-aaa-server-group)# realm-id ?

aaa-server-group mode commands/options:
  <0-65535>  Internal realm id

ccielab-asa(config-aaa-server-group)# end
ccielab-asa# sh ver | i bin
System image file is "disk0:/asa991-smp-k8.bin"
ccielab-asa#
On further exploring, one additional item to note. There is no mention/record of the parameter in the 'show running' in either CLI or ASDM.
I am unsure if this is the first version (ASDM) in which it has appeared. The realm-id field is numeric, 0-65535. You cannot save without a number in this field, and you can add multiple server groups with the identical value.
I suppose this could be implemented in a future version expanding cross-realm authentication for Radius servers? Not something I'll need to worry about for the foreseeable future.
edit: I stand corrected. I checked 'show start' and it is there. Right under the aaa-server protocol entry.
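Pulling the thread's findings together into one example configuration (added here as an illustration; it is not from any poster in this thread and not from Cisco documentation): a RADIUS server group created with realm-id 0 as the posters did, a LOCAL fallback so a RADIUS outage cannot lock an administrator out of SSH, and the show commands used above to check where the keyword is actually recorded. The group name RADIUS-ADMIN, the interface, the server address 192.0.2.10 and the shared secret are placeholders.

```cisco
! Added example, not from any poster in this thread. RADIUS-ADMIN, the
! interface name, 192.0.2.10 and the secret are placeholders.
!
! RADIUS server group as created in the thread: the ASDM wizard on 9.9(1)
! refuses to save without a realm-id, and 0 is the value the posters used.
aaa-server RADIUS-ADMIN protocol radius
 realm-id 0
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server RADIUS-ADMIN (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Keep LOCAL as the fallback method so an unreachable RADIUS group does not
! lock you out of SSH. The fallback is consulted only when no server in the
! group responds, not when a server rejects the credentials.
aaa authentication ssh console RADIUS-ADMIN LOCAL
!
! Check where realm-id is recorded. The thread found it absent from the
! running config but present in the startup config, so compare both after
! a write memory.
write memory
show running-config aaa-server
show startup-config | include realm-id
!
! Confirm the group authenticates before relying on it for admin access.
test aaa-server authentication RADIUS-ADMIN host 192.0.2.10 username admin password <password>
```

The LOCAL keyword at the end of the aaa authentication line is the part worth not skipping: with only the RADIUS group listed, a server outage leaves the console as the only way back in.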
Thanks for the update. I see the same on my lab system as well.
Interestingly Cisco didn't mention fixing this problem in the release notes.