Mapping Reply-Message radius attribute to ACL rule stored on ASA

Peter
Level 1

Hi everybody,

I'm trying to figure out how to 'activate' an ACL rule on the ASA FW based on the Reply-Message (or other supported) RADIUS attribute we receive from our RADIUS server.

The ideal working scenario is:

We have a number of employees assigned to different groups (MANAGEMENT, FINANCE, SUPPORT) in Active Directory.

Employees authenticate themselves via direct authentication webpage on ASA -> https://interface_ip/netaccess/connstatus.html

If authentication is successful, the RADIUS server responds back to the ASA with a RADIUS_ACCESS_ACCEPT message and with Reply-Message attributes indicating what group(s) the particular employee is a member of.

To this point, it all works (as you can see below).

RADIUS packet decode (response)

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 39 (0x27)
Radius: Length = 93 (0x005D)
Radius: Vector: 6FD33743D4331EA2FE7CD64E8D42AC28
Radius: Type = 18 (0x12) Reply-Message
Radius: Length = 7 (0x07)
Radius: Value (String) =
52 45 4d 49 54                                     |  MANAGEMENT
Radius: Type = 18 (0x12) Reply-Message
Radius: Length = 6 (0x06)
Radius: Value (String) =
43 4f 4f 50                                        |  FINANCE
Radius: Type = 18 (0x12) Reply-Message
Radius: Length = 7 (0x07)
Radius: Value (String) =
43 5a 4c 41 42                                     |  SUPPORT
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
63 ea 07 a7 00 00 01 37 00 01 02 00 0a 1c 00 fe    |  c......7........
00 00 00 00 00 00 00 00 00 00 00 00 01 d1 fb 51    |  ...............Q
78 b7 66 d5 00 00 00 00 00 02 f9 c4                |  x.f.........
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xaea0e8f4 session 0x39 id 39
free_rip 0xaea0e8f4
radius: send queue empty

What we struggle with is the final 'mapping' of the Reply-Message attribute to anything on the ASA so that it can be used in an ACL that allows/denies access for the particular GROUPS (Reply-Message values). I've got a gut feeling that there is a way to achieve this, maybe by mapping the RADIUS Reply-Message attribute to 'user objects' which can later be linked to a particular ACL? Or maybe use the RADIUS group-policy attribute and then map this somehow to an ACL on the ASA? We would like to keep all our ACLs on the ASA - this disqualifies the Cisco AV-Pair solution.

We have this working on our Checkpoint FW and would like to migrate to ASA, but this is a very important feature that could possibly stop us from moving over. Any suggestions and hints are very welcome and appreciated.

Thank you.
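
An added example, not part of the original post or of any Cisco code: a small Python parser for an Access-Accept laid out like the decode above (header, Response Authenticator, then type/length/value attributes), which verifies the Response Authenticator per RFC 2865 before it trusts any Reply-Message value. The shared secret, Request Authenticator and packet bytes are constructed here; real ASA debug output does not include the secret.

```python
import hashlib
import hmac
import struct

REPLY_MESSAGE = 18  # RFC 2865 attribute types seen in the decode above
CLASS = 25
ACCESS_ACCEPT = 2

def _pack_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: 1-byte type, 1-byte length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_accept(identifier, request_auth, attrs, secret):
    """Build an Access-Accept the way a RADIUS server would (used here only to make test input)."""
    body = _pack_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body

def parse_access_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return (code, identifier, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    body = packet[20:length]  # RFC 2865: octets beyond Length are padding and are ignored
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong secret or tampered packet")
    attrs, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body) or body[pos + 1] < 2 or pos + body[pos + 1] > len(body):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((body[pos], body[pos + 2:pos + body[pos + 1]]))
        pos += body[pos + 1]
    return code, identifier, attrs

def reply_message_groups(packet, request_auth, secret):
    """Return every Reply-Message string carried in a verified Access-Accept."""
    code, _, attrs = parse_access_accept(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("utf-8", "replace") for t, v in attrs if t == REPLY_MESSAGE]

# Constructed sample input: same attribute layout as the decode above, made-up secret/authenticator.
SECRET, REQUEST_AUTH = b"constructed-shared-secret", bytes(range(16))
SAMPLE = build_access_accept(39, REQUEST_AUTH, [(REPLY_MESSAGE, b"MANAGEMENT"),
    (REPLY_MESSAGE, b"FINANCE"), (REPLY_MESSAGE, b"SUPPORT"), (CLASS, b"\x63\xea\x07\xa7")], SECRET)
```

Note that RFC 2865 defines Reply-Message as text that may be displayed to the user, while Filter-Id (attribute 11) is the attribute defined to name a filter list for the user; the ASA documentation lists which IETF attributes it honours.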
