05-23-2019 04:23 PM - edited 02-21-2020 09:09 AM
Hello!
I am attempting to deploy a 5506-X ASA using a RADIUS server for VPN authentication. I will have two types of users with different access needs. Typically I would just have local AAA users and separate them into groups for the ACL management. I understand that the RADIUS server can be configured to attach a class name (attribute 25). From the research that I have done, I have learned that when attempting to connect to the VPN, the ASA can assign the user to a group policy that has the same name as the RADIUS class name. What I am not sure about is how to configure the connection profile to allow for this to happen. Any guidance on this would be appreciated. Also, if I am leaving anything out, please let me know.
Thanks!
05-27-2019 02:11 AM
Hi Decot,
What are you using as your RADIUS back end: ACS, ISE, or NPS on Windows? Will you be differentiating between your users based on an AD group?
At a high level, you would have your various Group Policies configured on the ASA with the relevant access set for each.
The ASA is configured with the RADIUS server details, and AnyConnect is configured to use RADIUS for authentication.
The RADIUS server would be set up with the ASA as a RADIUS client, and you would have conditions set up on the RADIUS server, e.g. is decto33 in AD group ADMIN? If so, allow access and assign to group policy "Admin Policy". This is done by having the RADIUS server send attribute 25 with a value of the Group Policy name configured on the ASA.
Based on Windows / NPS there is a guide here -
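As an added example, not taken from the thread or from Cisco's documentation, the following ASA configuration sketch shows the pieces the reply describes: two group policies with their own VPN filters, a fail-closed default policy, the RADIUS server definition, and a connection profile that authenticates against it. All names, addresses, pools, ACLs and the shared-secret placeholder are assumed; the RADIUS server is expected to return Class (attribute 25) in the form "OU=ADMIN_POLICY;" or "OU=USER_POLICY;" to steer the user into the matching policy.

```cisco
! Added example (not from the original thread); names, addresses and ACLs are assumed.
! Assumes "webvpn" with "enable outside" and "anyconnect enable" is already configured.

! Address pools, one per user type
ip local pool ADMIN_POOL 10.10.30.1-10.10.30.50 mask 255.255.255.0
ip local pool USER_POOL 10.10.31.1-10.10.31.200 mask 255.255.255.0

! VPN filter ACLs (client -> inside): admins reach the whole 10.0.0.0/8,
! standard users reach only one subnet and are otherwise denied
access-list ADMIN_VPN_FILTER extended permit ip any 10.0.0.0 255.0.0.0
access-list USER_VPN_FILTER extended permit ip any 10.10.20.0 255.255.255.0
access-list USER_VPN_FILTER extended deny ip any any

! Group policy selected when RADIUS returns Class = "OU=ADMIN_POLICY;"
group-policy ADMIN_POLICY internal
group-policy ADMIN_POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value ADMIN_VPN_FILTER
 address-pools value ADMIN_POOL

! Group policy selected when RADIUS returns Class = "OU=USER_POLICY;"
group-policy USER_POLICY internal
group-policy USER_POLICY attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value USER_VPN_FILTER
 address-pools value USER_POOL

! Default policy for users whose RADIUS reply carries no (or an unknown) Class
! value: zero simultaneous logins, so a misconfigured RADIUS rule fails closed
group-policy NOACCESS_POLICY internal
group-policy NOACCESS_POLICY attributes
 vpn-simultaneous-logins 0

! RADIUS server definition (assumed address; replace the key placeholder)
aaa-server RADIUS_SRV protocol radius
aaa-server RADIUS_SRV (inside) host 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
 authentication-port 1812
 accounting-port 1813

! Connection profile: authenticate via RADIUS; the Class attribute in the
! Access-Accept overrides default-group-policy with the named group policy
tunnel-group ANYCONNECT_RADIUS type remote-access
tunnel-group ANYCONNECT_RADIUS general-attributes
 authentication-server-group RADIUS_SRV
 default-group-policy NOACCESS_POLICY
tunnel-group ANYCONNECT_RADIUS webvpn-attributes
 group-alias vpn enable
```

After a test login, "show vpn-sessiondb anyconnect" lists the group policy actually applied, which is the quickest way to confirm the Class value from the RADIUS server was honoured rather than the default.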
06-04-2019 08:14 AM