cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3628
Views
1
Helpful
5
Replies

ASA TACACS+ webvpn authentication

brilong
Cisco Employee
Cisco Employee

I run a ASA 5555-X in my lab with code 9.4(3)8.  I recently followed How To: ISE TACACS+ Configuration for ASA Network Devices to configure TACACS+ and it wasn't until I was done that I realized I cannot use TACACS+ for webvpn authentication.  It appears to only allow LOCAL, RADIUS or LDAP.  I'm no ASA expert so I had no idea about this limitation.  Why would I use TACACS+ authentication for ASDM and SSH authentication if I cannot use it for my Anyconnect clients?  Do I need to configure RADIUS or LDAP in parallel to TACACS+ in order for my end users to be authenticated by ISE?  How about my legacy IPSEC clients?

Thank you.

5 Replies 5

howon
Cisco Employee
Cisco Employee

Brian, TACACS+ is typically used for administrative access control and it provides unique benefit compared to RADIUS or LDAP. It provides ability to control command authorization that is defined on the central server so you can configure multiple admin groups with granular control in terms of managing devices. It also provides detailed accounting, banner messages, and enable password support that is not possible with RADIUS or LDAP.

RADIUS /LDAP is typically used for endusers to gain access behind the network device such as webvpn, SSL vpn, or IPSEC clients.

brilong
Cisco Employee
Cisco Employee

Follow-up: is there a document showing how AAA should be configured such that TACACS+ is used as per the above-referenced document and RADIUS (ISE) is used for SSL VPN and IPSEC clients?  I'm not interested in the Posture feature, so I followed an older guide here:  ASA 8.0: Configure RADIUS Authentication for WebVPN Users - Cisco

When I run the test aaa-server command, it is successful, but when I VPN into my ASA, I get rejected and ISE says I was rejected as well.  The ISE live log says 24020: User authentication against the LDAP Server failed.  I have been able to authenticate on my Cat 3750X switches with ISE using the same username and password so I'm wondering what I may be missing on the ASA configuration.

When I set my tunnel-group general-attributes to authorization-server-group ISE-RADIUS, it fails.  When I go back to LOCAL, it works fine.  Any tips would be appreciated.

howon
Cisco Employee
Cisco Employee

I would suggest looking into why the user auth against LDAP failed on the ISE first. Do you see different backend identity source being used when you run test aaa-server command vs. when you login as VPN user?

brilong
Cisco Employee
Cisco Employee

I have the successful login here:

Overview

Event   5200 Authentication succeeded

Username       brilong

Endpoint Id

Endpoint Profile

Authentication Policy   Default >> Default >> Default

Authorization Policy   Default >> Basic_Authenticated_Access

Authorization Result   PermitAccess

Authentication Details

Source Timestamp       2016-09-02 16:28:28.652

Received Timestamp     2016-09-02 16:28:28.653

Policy Server   ise1

Event   5200 Authentication succeeded

Username       brilong

Authentication Identity Store   Cisco_IdM

Authentication Method   PAP_ASCII

Authentication Protocol         PAP_ASCII

Network Device asa-rtp

Device Type     All Device Types#Security Devices#Firewalls

Location       All Locations#LabDaddy

NAS IPv4 Address       172.16.1.1

NAS Port Type   Virtual

Authorization Profile   PermitAccess

Response Time   51

Other Attributes

ConfigVersionId         135

DestinationPort         1645

Protocol       Radius

NAS-Port       2

NetworkDeviceProfileName       Cisco

NetworkDeviceProfileId 8ade1f15-aef1-4a9a-8158-d02e835179db

IsThirdPartyDeviceFlow false

AcsSessionID   ise1/260143792/1562655

SelectedAuthenticationIdentityStores   Internal Users

SelectedAuthenticationIdentityStores   Cisco_IdM

SelectedAuthenticationIdentityStores   Guest Users

AuthorizationPolicyMatchedRule Basic_Authenticated_Access

CPMSessionID   ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g

ISEPolicySetName       Default

AllowedProtocolMatchedRule     Default

IdentitySelectionMatchedRule   Default

Network Device Profile Cisco

Location       Location#All Locations#LabDaddy

Device Type     Device Type#All Device Types#Security Devices#Firewalls

IdentityDn     uid=brilong,cn=users,cn=accounts,dc=cisco

RADIUS Username         brilong

Device IP Address       172.16.1.1

CiscoAVPair     coa-push=true

Result

State   ReauthSession:ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g

Class   CACS:ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g:ise1/260143792/1562655

LicenseTypes   Base license consumed

And the failed login as follows, but I'm not sure what I'm seeing as a problem.

Overview

Event   5400 Authentication failed

Username       brilong

Endpoint Id     64.102.x.y

Endpoint Profile

Authentication Policy   Default >> Default >> Default

Authorization Result

Authentication Details

Source Timestamp       2016-09-02 15:13:05.07

Received Timestamp     2016-09-02 15:13:05.101

Policy Server   ise1

Event   5400 Authentication failed

Failure Reason 24020 User authentication against the LDAP Server failed

Resolution     If the user record is disabled, enable it. If the user record is expired, reset the credentials. Otherwise the failure is probably due to an invalid password.

Root cause     User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired

Username       brilong

Endpoint Id     64.102.x.y

Calling Station Id     64.102.x.y

Authentication Identity Store   Cisco_IdM

Audit Session Id       ac1001010001700057c9cf3a

Authentication Method   PAP_ASCII

Authentication Protocol         PAP_ASCII

Service Type   Framed

Network Device asa-rtp

Device Type     All Device Types#Security Devices#Firewalls

Location       All Locations#LabDaddy

NAS IPv4 Address       172.16.1.1

NAS Port Type   Virtual

Response Time   98

Other Attributes

ConfigVersionId         135

Device Port     47192

DestinationPort         1645

RadiusPacketType       AccessRequest

Protocol       Radius

NAS-Port       94208

Framed-Protocol         PPP

Tunnel-Client-Endpoint (tag=0) 64.102.x.y

CVPN3000/ASA/PIX7x-Tunnel-Group-Name   TG

OriginalUserName       brilong

NetworkDeviceProfileName       Cisco

NetworkDeviceProfileId 8ade1f15-aef1-4a9a-8158-d02e835179db

IsThirdPartyDeviceFlow false

SSID   172.18.151.x

CVPN3000/ASA/PIX7x-Client-Type 1

AcsSessionID   ise1/260143792/1558619

SelectedAuthenticationIdentityStores   Internal Users

SelectedAuthenticationIdentityStores   Cisco_IdM

SelectedAuthenticationIdentityStores   Guest Users

CPMSessionID   ac1001010001700057c9cf3a

ISEPolicySetName       Default

AllowedProtocolMatchedRule     Default

IdentitySelectionMatchedRule   Default

Network Device Profile Cisco

Location       Location#All Locations#LabDaddy

Device Type     Device Type#All Device Types#Security Devices#Firewalls

IdentityDn     uid=brilong,cn=users,cn=accounts,dc=cisco

RADIUS Username         brilong

Device IP Address       172.16.1.1

Called-Station-ID       172.18.151.x

CiscoAVPair     audit-session-id=ac1001010001700057c9cf3a,

ip:source-ip=64.102.x.y,

coa-push=true

Result

RadiusPacketType       AccessReject

AuthenticationResult   Failed

Session Events

2016-09-02 15:13:05.101         Authentication failed

howon
Cisco Employee
Cisco Employee

ISE is complaining that the password is incorrect. Since you are using correct password, I suspect it could be the ASA setting that is causing this. I suggest going through the ASA guide to ensure that it is correctly configured. Here is example of ASA + ACS. Setup of ACS should be similar to ISE:

ASA 8.3 and Later: Radius Authorization (ACS 5.x) for VPN Access Using Downloadable ACL with CLI and ASDM Configuration …

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers