
ASA Server Group Asking For Realm-id for RADIUS

Hello all, 

 

I have an ASA 5512x running firmware 9.9(1). I am trying to add a RADIUS server group for authentication and I am being asked for a Realm-id. I have been using an older ASA 5510 for testing and I have never been prompted for this and I have not seen it on any of the documentation I have viewed. There is a configured LDAP server group already and the realm ID is set to 0. I just want to make sure I know what the realm ID does before I go any further.  Any help is appreciated! 

 

Beginner

Hi there, I just tried the 0 value for the Realm-id. Looks like this works. Starting an SSH session with only RADIUS as the authentication option works fine.

 

Cheers

Marcel

 

 

Beginner

I've been looking for information about this field since it's not documented. In a post on the Japanese forum, it was explained that it was supported, but not being used. You cannot leave it blank. However, putting 0 does work and appears to be the only option when adding an AAA server.

Here's the post, from June of 2017. It was required for my copy of ASA 9.9(1)/ASDM 7.9(1)151.

https://supportforums.cisco.com/t5/tkb/articleprintpage/tkb-id/5041-docs-security/article-id/625

-I realize this is old, but thought I'd add to it for people searching for documentation like myself.

 


Hi briancarson,

Actually, that was my thought :). It's good to share so others can find it and
do not have to search very long. Thx for sharing.

Cheers

Hall of Fame Guru

Interesting. I had only associated realms with Firepower previously. The ASA release notes, configuration guide and command reference are silent on this option. I do see it from the CLI on an ASA running 9.9(1).

 

ccielab-asa(config-aaa-server-group)# aaa-server test1 protocol ldap    
ccielab-asa(config-aaa-server-group)# ?

AAA server configuration commands:
  exit                 Exit from aaa-server group configuration mode
  help                 Help for AAA server configuration commands
  max-failed-attempts  Specify the maximum number of failures that will be
                       allowed for any server in the group before that server
                       is deactivated
  no                   Remove an item from aaa-server group configuration
  reactivation-mode    Specify the method by which failed servers are
                       reactivated
  realm-id             Enter this keyword to specify the internal realm id
ccielab-asa(config-aaa-server-group)# realm-id ?

aaa-server-group mode commands/options:
  <0-65535>  Internal realm id
ccielab-asa(config-aaa-server-group)# end      
ccielab-asa# sh ver | i bin
System image file is "disk0:/asa991-smp-k8.bin"
ccielab-asa#

On further exploring, one additional item to note. There is no mention/record of the parameter in the 'show running' in either CLI or ASDM.

I am unsure if this is the first version (ASDM) it has appeared. The realm-id field is numeric, 0-65535. You cannot save without a number in this field and you can add multiple server groups with the identical value.

I suppose this could be implemented in a future version expanding cross-realm authentication for Radius servers? Not something I'll need to worry about for the foreseeable future.

Edit: I stand corrected. I checked 'show start' and it is there. Right under the aaa-server protocol entry.
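
As an added example (not from this thread and not Cisco code), the following Python script parses the aaa-server group blocks out of saved 'show running-config' and 'show startup-config' output and reports group-level keywords present in one but not the other, which is exactly how the realm-id discrepancy described above would surface in a config audit. The two config texts are constructed samples; the group names and addresses are assumptions.

```python
"""Audit ASA aaa-server groups: compare running vs startup config text and
report group-mode parameters that appear in only one of them."""
import re

# Matches the group header line, e.g. "aaa-server test1 protocol ldap".
# Host lines ("aaa-server test1 (inside) host ...") do not match and are
# treated as ordinary top-level lines that end the group block.
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")


def parse_aaa_groups(config_text):
    """Return {group: {"protocol": proto, "params": {keyword: value}}}."""
    groups, current = {}, None
    for raw in config_text.splitlines():
        m = GROUP_RE.match(raw)
        if m:
            current = m.group(1)
            groups[current] = {"protocol": m.group(2), "params": {}}
            continue
        # ASA indents group-mode sub-commands (realm-id, max-failed-attempts,
        # reactivation-mode ...) by one space directly under the header.
        if current and raw.startswith(" ") and raw.strip():
            parts = raw.split(None, 1)
            groups[current]["params"][parts[0]] = parts[1] if len(parts) > 1 else ""
        elif raw and not raw.startswith(" "):
            current = None  # any other top-level line closes the group block
    return groups


def diff_group_params(running, startup):
    """Return sorted (group, keyword, running_value, startup_value) tuples
    for every group-level parameter whose value differs or is missing."""
    findings = []
    for name in sorted(set(running) | set(startup)):
        r = running.get(name, {}).get("params", {})
        s = startup.get(name, {}).get("params", {})
        for key in sorted(set(r) | set(s)):
            if r.get(key) != s.get(key):
                findings.append((name, key, r.get(key), s.get(key)))
    return findings


# Constructed sample output: realm-id is absent from 'show run' but is
# written to 'show start' right under the protocol line, as observed above.
RUNNING = """aaa-server test1 protocol ldap
 max-failed-attempts 3
aaa-server test1 (inside) host 192.0.2.10
 ldap-base-dn dc=example,dc=com
aaa-server RADIUS-SRV protocol radius
 reactivation-mode depletion deadtime 10
"""
STARTUP = RUNNING.replace("protocol ldap\n", "protocol ldap\n realm-id 0\n") \
                 .replace("protocol radius\n", "protocol radius\n realm-id 0\n")

if __name__ == "__main__":
    for group, key, run_val, start_val in diff_group_params(
            parse_aaa_groups(RUNNING), parse_aaa_groups(STARTUP)):
        print(f"{group}: {key} running={run_val!r} startup={start_val!r}")
```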

 


Just a quick update in case anyone finds this. I upgraded ASDM/ASA yesterday. Now on 7.9(2) ASDM and 9.9(2). The realm-id has been removed from the config and the "Edit AAA Server Group" GUI.

@briancarson,

 

Thanks for the update. I see the same on my lab system as well.

 

Interestingly Cisco didn't mention fixing this problem in the release notes.
