Solved: Privilege level assignment via RADIUS

Claudio Truttmann · ‎05-22-2013

Hi all,

I'm looking forward to use RADIUS Authentication for all user connecting to my ASA Firewall Version 8.6(4) and for a second customer Version 9.1(1)

Now i would like to set some privilege level for those users connecting to the ASA. Because one group should have Priv 15 rights and the other one should have Priv 1 (only read-access). But when i'm testing with the same RADIUS AV-pair as for Cisco IOS switches it doesn't assign any priviliege level. So the user always gets priv 15 level. Is it possible to set any privilege level via RADIUS. I'm using MS NPS 2008 for RADIUS and is working fine with the switches and routers. But still not for the ASA firewall.

We don't have command authorization applied yet on the firewall.

Thanks a lot for feedback.

Jatin Katyal · ‎05-30-2013

No, you don't need to configure command authorization because it only works with TACACS. Since you're using radius,you can assign the privilege levels on RADIUS server by using Service-Type attribute.

You need the below listed command on the ASA.

hostname(config)# aaa authorization exec authentication-server

–Service-Type 6 (Administrative)—Allows full access to any services specified by the aaa authentication console commands.

–Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.

–Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote access (IPSec and SSL) users can still authenticate and terminate their remote access sessions.

Limiting User CLI and ASDM Access with Management Authorization

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html

This command also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization.

Configuring local command authorization

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1072168

Let me know if you have any issues.

Jatin Katyal
- Do rate helpful posts -

~Jatin

View solution in original post

Favaloro. · ‎05-29-2013

Yes, you can do privilege level assignment using A/V pairs.

But you still have to manually set the privilege level for the ASA commands.

Claudio Truttmann · ‎05-30-2013

Thanks for your answer.

That means i had to activate the command authorization for proper working ?

Will exactly the same A/V pairs working as for switches and routers or is there any difference ?

Jatin Katyal · ‎05-30-2013

No, you don't need to configure command authorization because it only works with TACACS. Since you're using radius,you can assign the privilege levels on RADIUS server by using Service-Type attribute.

You need the below listed command on the ASA.

hostname(config)# aaa authorization exec authentication-server

–Service-Type 6 (Administrative)—Allows full access to any services specified by the aaa authentication console commands.

–Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.

–Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote access (IPSec and SSL) users can still authenticate and terminate their remote access sessions.

Limiting User CLI and ASDM Access with Management Authorization

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html

This command also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization.

Configuring local command authorization

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1072168

Let me know if you have any issues.

Jatin Katyal
- Do rate helpful posts -

~Jatin

stephensites · ‎11-15-2016

I know this is an old discussion, but it matches my issue perfectly and I'm desparate. I am on ASA 9.4(2) and using NPS for RADIUS. I am sending shell:priv-lvl=2 for a particular user group. This part is working according to radius debug output. But as you can see below, the priv level is not set.

RADIUS debug:

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 96).....
02 0a 00 60 2b 6f 13 93 24 10 07 da e4 ec 53 e5 | ...`+o..$.....S.
8b e0 97 5e 06 06 00 00 00 06 19 2e 59 f6 06 95 | ...^........Y...
00 00 01 37 00 01 02 00 0a 64 64 13 00 00 00 00 | ...7.....dd.....
00 00 00 00 00 00 00 00 01 d1 ff 4d a2 dc 01 88 | ...........M....
00 00 00 00 00 00 bc 93 1a 18 00 00 00 09 01 12 | ................
73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 32 | shell:priv-lvl=2

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 10 (0x0A)
Radius: Length = 96 (0x0060)
Radius: Vector: 2B6F1393241007DAE4EC53E58BE0975E
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 25 (0x19) Class
Radius: Length = 46 (0x2E)
Radius: Value (String) =
59 f6 06 95 00 00 01 37 00 01 02 00 0a 64 64 13 | Y......7.....dd.
00 00 00 00 00 00 00 00 00 00 00 00 01 d1 ff 4d | ...............M
a2 dc 01 88 00 00 00 00 00 00 bc 93 | ............
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 24 (0x18)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 18 (0x12)
Radius: Value (String) =
73 68 65 6c 6c 3a 70 72 69 76 2d 6c 76 6c 3d 32 | shell:priv-lvl=2
rad_procpkt: ACCEPT
Got AV-Pair with value shell:priv-lvl=2
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0x00007fffd5ec38d8 session 0x28f09 id 10
free_rip 0x00007fffd5ec38d8
radius: send queue empty

asa> sh curpriv
Username : domain_user
Current privilege level : 1
Current Mode/s : P_UNPR

Here is my sanitized AAA config. There are some other configurations for ldap that are being used for other things.

aaa-server COMPANY protocol radius
max-failed-attempts 5
aaa-server COMPANY (company) host 10.10.10.11
key *****
aaa-server COMPANY (company) host 10.10.10.10
key *****
aaa-server COMPANY_LDAP protocol ldap
aaa-server COMPANY_LDAP (company) host 10.10.10.11
server-port 636
ldap-base-dn OU=COMPANY,DC=company,DC=local
ldap-group-base-dn CN=VPN,OU=Groups,OU=COMPANY,DC=company,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=ldap,OU=Service Accounts,OU=COMPANY,DC=company,DC=local
ldap-over-ssl enable
server-type microsoft
user-identity default-domain LOCAL
aaa authentication http console COMPANY LOCAL
aaa authentication ssh console COMPANY LOCAL
aaa authorization exec authentication-server auto-enable

I must be missing something here. Care to take a look?

Thanks

dsanchez81 · ‎05-31-2018

I get it, old post...but was getting very frustrated with the Cisco-AVpair command not working with my ASA(as for whatever reason it works on the switch w/RADIUS), and following your post and using the Service-Type 6 instead fixed it. Thank you!!

BrianPersaud · ‎06-28-2019

If it worked with service-type 6, where do you specify the privilege level for the user?

dsanchez81 · ‎07-01-2019

So, this goes on the Cisco box:

aaa authorization exec authentication-server

Then this goes on your RADIUS Server:

User-Name = CoolUserGuy

Service-Type = 6

Not sure your radius server, and your ASA versions but that's what finally worked for me.

BrianPersaud · ‎07-08-2019

If you are using ISE as radius here are the results parameters to set:

Cisco-VPN3000:CVPN3000/ASA/PIX7x-Privilege-Level = 5

Radius:Service-Type = Administrative

Here are the commands used on the ASA:

aaa-server xxx protocol radius
aaa-server xxx (Inside) host xxx
aaa authentication http console xxx LOCAL
aaa authentication enable console xxx LOCAL
aaa authentication ssh console xxx LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server auto-enable
aaa authorization http console xxx
aaa authentication login-history