Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2847
Views
20
Helpful
7
Replies

Authorization problem between ASA - ACS 5.1 - AD (with Certificate)

Thomas Imboden
Level 1
Level 1

‎12-12-2010 10:37 AM - edited ‎03-10-2019 05:38 PM

Hi all

I have an authentication & authorization problem with certificates between ASA, ACS 5.1 and AD.

AAA requests are handled in the following way.

Cisco VPN client with certificate ---> ASA ---> ASA sends the appropriate certificate field with username for authorization to radius server (ACS 5.1) --> ACS 5.1 sends the username for identity and authorization to AD.

I configured the ACS with following Access Policy (Network Access):

Identity:

Protocol Radius & NDG:ASA --> Identity Source = AD

Authorization:

AD:ExternalGroup=match --> Authorization Profile with radius attribute "Class 25" back to ASA for applying Group Policy.

With this setup the ACS can't handle the authorization. I defined in the Identity under advanced option to continue if authentication failed (the ASA sends only the username without password from the certificate). But in that way the ACS can't retrieve the user attributes from the AD for the authorization. It can only retrieve the user attributes from AD, if it delivers a valid username AND password to the AD.

What makes me wonder is the fact, that the ACS gets all the user attributes under "Users and Identity Stores" - "External Identity Stores" - "Active Directory" when I do a manual user lookup vs. the AD with a valid username (without password)... but in the access policy the ACS doesn't get the user attributes from the AD when it must process an AAA request with the advanced option to continue if authentication fails.

Thanks in advance for any help - Thomas

Labels:
0 Helpful
7 Replies 7

Bastien Migette
Cisco Employee
Cisco Employee

‎12-13-2010 02:09 AM

When you see the attributes that are retrieved with a manual user lookup, did you checked the attributes that you want ACS to retrieve ? The fetched attributes are used to make a list of attributes that will be fetched on authentication and to make the process easier you can retrieve it from a sample user.

Thomas Imboden
Level 1
Level 1
In response to Bastien Migette

‎12-21-2010 10:38 AM

I opened a service request concerning the problem I had with the AAA design.

It's  not possible to do authentication over ASA to ACS with only a valid  username against AD. There must be a password for the username. Only with the correct user credentials (username & password) the  ACS is able to do a successful authentication against the AD.

Tarik Admani
VIP Alumni
VIP Alumni
In response to Thomas Imboden

‎12-21-2010 09:24 PM

Thanks for updating this thread, I am sure this will be helpful for many more in the future.

0 Helpful

constantin
Level 1
Level 1
In response to Thomas Imboden

‎01-05-2011 04:11 AM

Hi Thomas,

We have the same problem and the same scenario. Our Cisco CE told me to use the radius-common-password for this authorisation purpose.

Until now, for me it does'nt run, but may be you have more luck on this.

By the way, have you already got some information on this from TAC?

Ciao

Christian

0 Helpful

Patrick Tran
Level 1
Level 1
In response to constantin

‎02-25-2011 06:41 AM

Hello,

I have exactly the same issue.

About Common password:

"Common Password—Specifies  the common password for use with a RADIUS authorization server. The  password is case-sensitive. The box displays only asterisks. If you are  defining a RADIUS server to be used for authentication rather than  authorization, do not provide a common password.

A RADIUS authorization server requires a password and username for each  connecting user. You enter the password here. The RADIUS authorization  server administrator must configure the RADIUS server to associate this  password with each user authorizing to the server via this FWSM. Be sure  to provide this information to your RADIUS server administrator. Enter a  common password for all users who are accessing this RADIUS  authorization server through this FWSM.

If you leave this field blank, each user password will be his or her own  username. For example, a user with the username "jsmith" would enter  "jsmith". As a security precaution never use a RADIUS authorization  server for authentication. Use of a common password or usernames as  passwords is much less secure than strong passwords per user."

I tried it and it work when I specified my test user's password in common password... but I can't do this for everybody

I have ACS 5.2, is there a solution in this version?

Thanks,

Patrick

0 Helpful

Herbert Baerten
Cisco Employee
Cisco Employee
In response to Patrick Tran

‎02-28-2011 03:55 AM

Just adding a thought here in case it might help anyone: instead of doing Radius authorization towards ACS, you could configure the ASA to do LDAP authorization directly to AD. This would not require a password.

It would be similar to this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008060f261.shtml

except that you would use certificate authentication instead of Kerberos - so you wouldn't need the authentication-server-group, and instead add username-from-certificate but I suppose you already have that part covered if you're doing Cert+Radius.

hth

Herbert

Patrick Tran
Level 1
Level 1
In response to Herbert Baerten

‎02-28-2011 04:39 AM

Hi Herbert,

Thanks for your reply.

I tested LDAP authorization with group mapping before RADIUS.
It worked fine.

I tested ACS because I wanted to centralized company's authorizations on RADIUS.

I will stay on LDAP for the moment.

Regards,

Patrick

0 Helpful
Customers Also Viewed These Support Documents