ISE EAP-FAST over AnyConnect SSL VPN

05-30-2013 07:44 PM - edited 03-10-2019 08:29 PM
I'm trying to apply the EAP-FAST policy I created using the NAM profile editor to the AnyConnect SSL VPN connection, but it doesn't look like you can do this. Am I going about this the wrong way? My VPN connection auth always shows up as PAP. If I turn on password management I get MS-CHAPv2 authentication to work, but not the host EAP-FAST auth.
Labels: AAA

05-31-2013 03:19 AM
EAP-FAST cannot be used as an authentication method for VPN authentication. EAP-FAST is an IEEE 802.1X authentication type.
Authentication Methods
The ASA supports the following authentication methods with RADIUS:
- PAP: for all connection types.
- CHAP: for L2TP-over-IPsec.
- MS-CHAPv1: for L2TP-over-IPsec.
- MS-CHAPv2: for L2TP-over-IPsec, and for regular IPsec remote access connections when the password-management feature is enabled. You can also use MS-CHAPv2 with clientless connections.
- Authentication Proxy modes: including RADIUS to Active Directory, RADIUS to RSA/SDI, RADIUS to Token-server, and RSA/SDI to RADIUS.
Yes, by default a VPN session uses PAP as the authentication method. However, if you would like to use MS-CHAPv2 for the RADIUS communication, we need to turn on password-management under the appropriate tunnel-group.
To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel-group general-attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.
source:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_aaa.html#wp1058400
Jatin Katyal
- Do rate helpful posts -

05-31-2013 03:46 AM
Thanks Jatin. My goal is to verify that the end user is connecting using a corporate device using MAR. So from a brief reading it looks like I will have to set up the ASA with LDAP authorization, or point it at the ISE for authorization based on the endpoint being a member of the domain.

05-31-2013 04:25 AM
Well, when you say MAR, that again is Machine Access Restriction and is meant for wireless authentication, where you can configure RADIUS to ensure that the end client is able to authenticate both machine and user. We can set up a condition to check that the machine is memberOf Domain Computers and the user is memberOf Domain Users.
Since you're using VPN, I would suggest two things (further to what you proposed):
You may integrate the ASA directly with LDAP and use an LDAP attribute map.
PIX/ASA 8.0: Use LDAP Authentication to Assign a Group Policy at Login
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
With ISE we can create an authorization rule using an external group (AD group) and the RADIUS IETF Class attribute with a specific group-policy.
Hope it helps.
Jatin Katyal
- Do rate helpful posts -

06-01-2013 03:29 PM
I hope it helps you understand why we use EAP-FAST and MAR. In case you still have any doubt, let's discuss.
Jatin Katyal
- Do rate helpful posts -

06-02-2013 06:57 PM
Thanks for the explanation, I appreciate it. I will configure the LDAP map on the ASA and the ISE authorization policy, if I can find those conditions you mentioned, and see if that works.

06-02-2013 09:48 PM
Sure. Give it a shot and let me know if you have any questions.
Jatin Katyal
- Do rate helpful posts -

06-04-2013 12:59 AM
If you've configured ISE between the ASA and LDAP as a RADIUS server, then you don't need to configure LDAP on the ASA.
We can choose either one:
1.] Integrate the ASA with LDAP, bypassing ISE.
2.] Integrate the ASA with ISE and configure LDAP as a backend database for ISE.
You're working with the 2nd option. On ISE, if you have created a condition to check the user's memberOf attribute and apply results based on the group membership returned, I think that is what you need.
Posting the same reply on forum as well so that it helps other reading out there.
Jatin Katyal
- Do rate helpful posts -

06-11-2013 08:32 PM
Jatin, looking into this again, can you please explain a little further how to configure the "RADIUS IETF Class attribute with a specific group-policy" in the ISE settings? I don't see a RADIUS-IETF option in ISE. The user authorization domain group is simple enough, and I have that working.
