03-22-2018 07:34 AM - edited 03-12-2019 05:08 AM
Hi all,
I'm setting up an AnyConnect VPN lab for certificate-based authentication + authorization. Per all the documentation, the ASA should authenticate the cert and send an authorize-only RADIUS message to ISE, which will respond with an authorization response. In order to do this I have to configure the RADIUS server group on the ASA to be 'authorize-only'. That command should be present according to all the documentation: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/aaa-radius.html.
(config-aaa-server-group)# authorize-only
Problem is that command is missing from my ASA:
ciscoasa(config)# aaa-server ISE-PSNs protocol radius
ciscoasa(config-aaa-server-group)# ?
AAA server configuration commands:
accounting-mode Enter this keyword to specify accounting mode
ad-agent-mode Enter this keyword to specify ad-agent mode
exit Exit from aaa-server group configuration mode
help Help for AAA server configuration commands
interim-accounting-update Enter this keyword to enable Interim accounting
update
max-failed-attempts Specify the maximum number of failures that will
be allowed for any server in the group before that
server is deactivated
merge-dacl Specify whether a downloadable ACL received from
RADIUS should be combined with a Cisco AV-Pair ACL
no Remove an item from aaa-server group configuration
reactivation-mode Specify the method by which failed servers are
reactivated
ciscoasa(config-aaa-server-group)#
Any ideas?
thanks all!
03-22-2018 07:37 AM
... and just to add, not configuring authorize-only means that rather than sending an authorize-only RADIUS request, the ASA is trying to authenticate against ISE using the CN name in the cert (an AD user), which is obviously failing, as ISE is expecting a password.
cheers
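For reference, the configuration the poster is describing looks like the following on an ASA where the authorize-only keyword is available. This is an added example, not configuration from the poster or from Cisco's documentation: the server-group name ISE-PSNs is taken from the thread, while the tunnel-group name CERT-AUTH, the group-policy name, the interface name, the ISE address 192.0.2.10 and the shared secret are placeholders. Whether authorize-only is offered at all depends on the platform and software release, which is exactly what the thread is asking about.

```cisco
! RADIUS server group used only for authorization (no password check).
! 'authorize-only' is the keyword missing from the poster's ASA.
aaa-server ISE-PSNs protocol radius
 authorize-only
aaa-server ISE-PSNs (inside) host 192.0.2.10
 key <placeholder-shared-secret>
 authentication-port 1812
 accounting-port 1813

! Group policy for the AnyConnect session (placeholder name).
group-policy GP-CERT internal
group-policy GP-CERT attributes
 vpn-tunnel-protocol ssl-client

! Remote-access tunnel group: the ASA validates the client certificate,
! derives the username from the certificate CN, and sends an
! authorize-only request to ISE instead of a password authentication.
tunnel-group CERT-AUTH type remote-access
tunnel-group CERT-AUTH general-attributes
 default-group-policy GP-CERT
 authorization-server-group ISE-PSNs
 authorization-required
 username-from-certificate CN
tunnel-group CERT-AUTH webvpn-attributes
 authentication certificate
```

Without authorize-only on the server group, the same authorization-server-group line causes the ASA to issue a normal Access-Request carrying the certificate CN as User-Name, which is the password-expecting failure the poster observes in ISE. Checking the output of "show run aaa-server" for the authorize-only line is the quickest way to confirm which mode a given server group is in.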