09-02-2016 10:08 AM
I run an ASA 5555-X in my lab with code 9.4(3)8. I recently followed How To: ISE TACACS+ Configuration for ASA Network Devices to configure TACACS+ and it wasn't until I was done that I realized I cannot use TACACS+ for webvpn authentication. It appears to only allow LOCAL, RADIUS or LDAP. I'm no ASA expert so I had no idea about this limitation. Why would I use TACACS+ authentication for ASDM and SSH authentication if I cannot use it for my AnyConnect clients? Do I need to configure RADIUS or LDAP in parallel to TACACS+ in order for my end users to be authenticated by ISE? How about my legacy IPsec clients?
Thank you.
09-02-2016 10:21 AM
Brian, TACACS+ is typically used for administrative access control and it provides unique benefits compared to RADIUS or LDAP. It provides the ability to control command authorization that is defined on the central server, so you can configure multiple admin groups with granular control in terms of managing devices. It also provides detailed accounting, banner messages, and enable password support that are not possible with RADIUS or LDAP.
RADIUS/LDAP is typically used for end users to gain access behind the network device, such as webvpn, SSL VPN, or IPsec clients.
09-02-2016 01:04 PM
Follow-up: is there a document showing how AAA should be configured such that TACACS+ is used as per the above-referenced document and RADIUS (ISE) is used for SSL VPN and IPsec clients? I'm not interested in the Posture feature, so I followed an older guide here: ASA 8.0: Configure RADIUS Authentication for WebVPN Users - Cisco
When I run the test aaa-server command, it is successful, but when I VPN into my ASA, I get rejected and ISE says I was rejected as well. The ISE live log says 24020: User authentication against the LDAP Server failed. I have been able to authenticate on my Cat 3750X switches with ISE using the same username and password so I'm wondering what I may be missing on the ASA configuration.
When I set my tunnel-group general-attributes to authorization-server-group ISE-RADIUS, it fails. When I go back to LOCAL, it works fine. Any tips would be appreciated.
09-02-2016 01:19 PM
I would suggest looking into why the user auth against LDAP failed on the ISE first. Do you see a different backend identity source being used when you run the test aaa-server command vs. when you log in as a VPN user?
09-02-2016 01:44 PM
I have the successful login here:
Overview
Event 5200 Authentication succeeded
Username brilong
Endpoint Id
Endpoint Profile
Authentication Policy Default >> Default >> Default
Authorization Policy Default >> Basic_Authenticated_Access
Authorization Result PermitAccess
Authentication Details
Source Timestamp 2016-09-02 16:28:28.652
Received Timestamp 2016-09-02 16:28:28.653
Policy Server ise1
Event 5200 Authentication succeeded
Username brilong
Authentication Identity Store Cisco_IdM
Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII
Network Device asa-rtp
Device Type All Device Types#Security Devices#Firewalls
Location All Locations#LabDaddy
NAS IPv4 Address 172.16.1.1
NAS Port Type Virtual
Authorization Profile PermitAccess
Response Time 51
Other Attributes
ConfigVersionId 135
DestinationPort 1645
Protocol Radius
NAS-Port 2
NetworkDeviceProfileName Cisco
NetworkDeviceProfileId 8ade1f15-aef1-4a9a-8158-d02e835179db
IsThirdPartyDeviceFlow false
AcsSessionID ise1/260143792/1562655
SelectedAuthenticationIdentityStores Internal Users
SelectedAuthenticationIdentityStores Cisco_IdM
SelectedAuthenticationIdentityStores Guest Users
AuthorizationPolicyMatchedRule Basic_Authenticated_Access
CPMSessionID ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g
ISEPolicySetName Default
AllowedProtocolMatchedRule Default
IdentitySelectionMatchedRule Default
Network Device Profile Cisco
Location Location#All Locations#LabDaddy
Device Type Device Type#All Device Types#Security Devices#Firewalls
IdentityDn uid=brilong,cn=users,cn=accounts,dc=cisco
RADIUS Username brilong
Device IP Address 172.16.1.1
CiscoAVPair coa-push=true
Result
State ReauthSession:ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g
Class CACS:ac10016bIBR0dSkYMwuTKsUJME3937762/G3wHa/hv/IvEo6W/g:ise1/260143792/1562655
LicenseTypes Base license consumed
And the failed login as follows, but I'm not sure what I'm seeing as a problem.
Overview
Event 5400 Authentication failed
Username brilong
Endpoint Id 64.102.x.y
Endpoint Profile
Authentication Policy Default >> Default >> Default
Authorization Result
Authentication Details
Source Timestamp 2016-09-02 15:13:05.07
Received Timestamp 2016-09-02 15:13:05.101
Policy Server ise1
Event 5400 Authentication failed
Failure Reason 24020 User authentication against the LDAP Server failed
Resolution If the user record is disabled, enable it. If the user record is expired, reset the credentials. Otherwise the failure is probably due to an invalid password.
Root cause User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired
Username brilong
Endpoint Id 64.102.x.y
Calling Station Id 64.102.x.y
Authentication Identity Store Cisco_IdM
Audit Session Id ac1001010001700057c9cf3a
Authentication Method PAP_ASCII
Authentication Protocol PAP_ASCII
Service Type Framed
Network Device asa-rtp
Device Type All Device Types#Security Devices#Firewalls
Location All Locations#LabDaddy
NAS IPv4 Address 172.16.1.1
NAS Port Type Virtual
Response Time 98
Other Attributes
ConfigVersionId 135
Device Port 47192
DestinationPort 1645
RadiusPacketType AccessRequest
Protocol Radius
NAS-Port 94208
Framed-Protocol PPP
Tunnel-Client-Endpoint (tag=0) 64.102.x.y
CVPN3000/ASA/PIX7x-Tunnel-Group-Name TG
OriginalUserName brilong
NetworkDeviceProfileName Cisco
NetworkDeviceProfileId 8ade1f15-aef1-4a9a-8158-d02e835179db
IsThirdPartyDeviceFlow false
SSID 172.18.151.x
CVPN3000/ASA/PIX7x-Client-Type 1
AcsSessionID ise1/260143792/1558619
SelectedAuthenticationIdentityStores Internal Users
SelectedAuthenticationIdentityStores Cisco_IdM
SelectedAuthenticationIdentityStores Guest Users
CPMSessionID ac1001010001700057c9cf3a
ISEPolicySetName Default
AllowedProtocolMatchedRule Default
IdentitySelectionMatchedRule Default
Network Device Profile Cisco
Location Location#All Locations#LabDaddy
Device Type Device Type#All Device Types#Security Devices#Firewalls
IdentityDn uid=brilong,cn=users,cn=accounts,dc=cisco
RADIUS Username brilong
Device IP Address 172.16.1.1
Called-Station-ID 172.18.151.x
CiscoAVPair audit-session-id=ac1001010001700057c9cf3a,
ip:source-ip=64.102.x.y,
coa-push=true
Result
RadiusPacketType AccessReject
AuthenticationResult Failed
Session Events
2016-09-02 15:13:05.101 Authentication failed
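A quick way to compare the two live-log records above, as an added example that is not part of the thread: it parses ISE's flattened "Key Value" detail view (the key list and the trimmed sample records are constructed from the posts) and lists the attributes that differ between the succeeded test aaa-server request and the failed VPN request.

```python
# Added example, not from the thread: diff two ISE live-log detail views to
# see which RADIUS attributes differ between the succeeded test aaa-server
# request and the failed VPN request for the same user. ISE renders each
# line as "<Key> <Value>" with no separator, so keys come from a known list.
KNOWN_KEYS = [
    "Event", "Failure Reason", "Username", "Authentication Identity Store",
    "Authentication Method", "Authentication Protocol", "Service Type",
    "NAS Port Type", "NAS-Port", "Framed-Protocol", "RadiusPacketType",
    "CVPN3000/ASA/PIX7x-Tunnel-Group-Name",
]
# Constructed samples: trimmed copies of the two records posted above.
SUCCEEDED = """\
Event 5200 Authentication succeeded
Username brilong
Authentication Identity Store Cisco_IdM
Authentication Method PAP_ASCII
NAS Port Type Virtual
NAS-Port 2
"""
FAILED = """\
Event 5400 Authentication failed
Failure Reason 24020 User authentication against the LDAP Server failed
Username brilong
Authentication Identity Store Cisco_IdM
Authentication Method PAP_ASCII
Service Type Framed
NAS Port Type Virtual
NAS-Port 94208
Framed-Protocol PPP
CVPN3000/ASA/PIX7x-Tunnel-Group-Name TG
RadiusPacketType AccessReject
"""

def parse_record(text):
    # Map known attribute names to values; first occurrence wins (the Overview
    # and Authentication Details sections repeat some keys).
    rec = {}
    for line in text.splitlines():
        line = line.strip()
        for key in KNOWN_KEYS:
            if line == key or line.startswith(key + " "):
                rec.setdefault(key, line[len(key):].strip())
                break
    return rec

def diff_records(ok, bad):
    # {key: (ok_value, bad_value)} for attributes that differ; None = absent.
    return {k: (ok.get(k), bad.get(k)) for k in sorted(set(ok) | set(bad))
            if ok.get(k) != bad.get(k)}
```

Both requests hit the same identity store (Cisco_IdM) with PAP, so the difference lies in what the VPN request carries (Service-Type Framed, Framed-Protocol PPP, the tunnel-group name) rather than in which store ISE selects. One check worth making on the ASA side: a server group used for RADIUS authorization rather than authentication sends the username (or the configured radius-common-pw) as the password, which an LDAP-backed identity store reports as a bad password.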
09-02-2016 02:26 PM
ISE is complaining that the password is incorrect. Since you are using the correct password, I suspect it could be the ASA setting that is causing this. I suggest going through the ASA guide to ensure that it is correctly configured. Here is an example of ASA + ACS. Setup of ACS should be similar to ISE: