Ask the Expert: Configuring and troubleshooting AAA on ASA for use with VPN

ciscomoderator
Community Manager

With Herbert Baerten

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about the use of AAA (Authentication, Authorization, Accounting) for Remote Access VPN on the Cisco Adaptive Security Appliance (ASA) with Cisco expert Herbert Baerten, who will answer questions on this topic. He can also answer questions on the use of various AAA protocols such as TACACS, RADIUS, LDAP and PKI (certificates), as well as the usage of the local AAA database, including Dynamic Access Policies (DAP). Herbert Baerten is a customer support engineer at the Cisco Technical Assistance Center in Brussels, Belgium, where he has been part of the Security team since joining Cisco six years ago. His area of expertise is in security, including VPN, IPSec VPN, and SSL VPN on the Cisco IOS and Cisco ASA platforms.

Remember to use the rating system to let Herbert know if you have received an adequate response. 

Herbert might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security sub-community Other Security Subjects discussion forum shortly after the event. This event lasts through December 22nd, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


dianewalker
Level 1

Herbert,

There is a company that uses a NAS client (wireless controllers) in the cloud. We want to use their NAS client to authenticate with our RADIUS server. In order to authenticate their NAS client with our RADIUS server, our RADIUS server needs to be accessible from the internet. Is there a security risk if we make our RADIUS server accessible from the internet?

Thanks.

Diane

Hi Diane,

There is a company that uses a NAS client (wireless controllers) in the cloud. We want to use their NAS client to authenticate with our RADIUS server. In order to authenticate their NAS client with our RADIUS server, our RADIUS server needs to be accessible from the internet. Is there a security risk if we make our RADIUS server accessible from the internet?

I'm far from an expert on risk assessment, so please take the following for what it is, just one person's opinion - you may want to consult an expert.

Having said that, exposing a server to the Internet is always a risk so you need to outweigh the benefits/value versus the risk and potential impact.

In the case of an AAA server I would say there is quite a high risk of a Denial of Service attack, especially in the case of Radius because it uses UDP (which is easy to spoof), which may or may not have a moderate to high impact, depending on how important the availability of the Radius server is to your organization.

In addition there is the risk of the server getting compromised; vulnerabilities in AAA servers are rare, but one can never be sure there are none, and the potential impact of an AAA server being compromised is probably huge.

There are a few other elements to consider, e.g. if this NAS client has a static IP address then of course you can allow access to the Radius server from this address only which reduces the risk but does not eliminate it. Applying rate-limiting on the traffic to the server can reduce the impact of a DoS attack. Deploying an IPS in front of the server can reduce the risk of it getting compromised.

All in all, personally I would advise against it and propose to this external company to establish a VPN tunnel with them and carry the RADIUS traffic over this tunnel.

I hope this helps.

Herbert
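The three mitigations Herbert lists (permit only the NAS client's static address, rate-limit traffic to the server, and put inspection in front of it) can be expressed as ASA configuration. The snippet below is an added example and is not from the thread, from Herbert or from Cisco documentation; the IP addresses, interface names, object names and rate values are all constructed placeholders, and the ASA is assumed to run 8.3 or later (object NAT, real addresses in ACLs).

```cisco
! Added example (not part of the thread): restrict Internet access to an internal
! RADIUS server to one NAS client and police the traffic. All addresses, names and
! rates below are constructed placeholders.

! The cloud NAS client (wireless controller) has a single static public address.
object network NAS_CLOUD_WLC
 host 203.0.113.10

! Internal RADIUS server, published on the outside interface with a static NAT.
! Post-8.3 ACLs reference the real (inside) address, not the translated one.
object network RADIUS_SERVER
 host 10.10.10.25
 nat (inside,outside) static 198.51.100.25

! RADIUS authentication/accounting ports. 1812/1813 are the IANA-assigned pair;
! 1645/1646 are the legacy pair. Only open the pair the NAS client actually uses.
object-group service RADIUS_UDP udp
 port-object eq 1812
 port-object eq 1813

! Inbound ACL on the outside interface: RADIUS from the NAS client's static IP only.
! The explicit deny logs everything else hitting the interface (useful for detecting
! scans or spoofed floods aimed at the published address).
access-list OUTSIDE_IN extended permit udp object NAS_CLOUD_WLC object RADIUS_SERVER object-group RADIUS_UDP
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Police the RADIUS flow so a UDP flood (spoofed or not) cannot saturate the server
! or the link. Rate and burst are illustrative: 256 kbit/s, 16000-byte burst.
access-list RADIUS_FROM_NAS extended permit udp object NAS_CLOUD_WLC object RADIUS_SERVER object-group RADIUS_UDP
class-map RADIUS_TRAFFIC
 match access-list RADIUS_FROM_NAS
policy-map OUTSIDE_POLICY
 class RADIUS_TRAFFIC
  police input 256000 16000
service-policy OUTSIDE_POLICY interface outside
```

Note what this does not do: the source check is on the IP header only, so a spoofed packet claiming the NAS client's address still passes the ACL and only the policer limits its effect, which is exactly why the preferred design in the answer is a site-to-site VPN between the two organisations with the RADIUS traffic carried inside the tunnel, so the server is never reachable from arbitrary Internet sources at all. An IPS module or inline sensor in front of the server would be a separate element and is not shown here.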

dianewalker
Level 1

Herbert,

The RADIUS server listens on ports 1645 and 1646 (accounting), and on ports 1812 and 1813 (accounting). Does it matter which ports you choose? We set up 1645 and 1646 for some NAS clients. We also set up 1812 and 1813 for some NAS clients. I am not sure why the NAS clients were set up using different ports. Would you recommend that we set up all NAS clients to use 1812 and 1813?

Thanks.

Diane

Hi Diane,

The RADIUS server listens on ports 1645 and 1646 (accounting), and on ports 1812 and 1813 (accounting). Does it matter which ports you choose? We set up 1645 and 1646 for some NAS clients. We also set up 1812 and 1813 for some NAS clients. I am not sure why the NAS clients were set up using different ports. Would you recommend that we set up all NAS clients to use 1812 and 1813?

It does not matter at all which ports you choose to use. There was a time (long ago) when only 1645/1646 were used, and then 1812/1813 became the official ports to use - but for backward compatibility most RADIUS servers will continue to listen on 1645/1646 as well as 1812/1813.

Functionality is exactly the same though on both port pairs, so it's just a matter of personal preference (and maybe the firewall admin's preference if there is a firewall between the NAS clients and the server).

Regards,

Herbert

iabhianand
Level 1

Hello sir,

With regard to the firewall ASA5520, I'm using it in my network; all the configuration is properly configured and working, but with the use of a proxy address in Internet Explorer (e.g. 206.53.155.129/3128) all the blocked content is easily accessible; it simply bypasses the whole network through the firewall. So will you guide me on how to block the proxy servers? If you want the configuration then let me know, but please provide me the solution for it as soon as possible.

Hello Abhi,

Since this question is not related to the topic of this Ask-The-Expert event, I kindly ask that you open a new thread in the forum. Click the link, then click "Start a discussion" on the right hand side of the screen. I'm sure the Firewall experts in this forum will be able to help.

Regards,

Herbert