05-28-2012 03:46 AM
Hi,
I want to consolidate all AAA functionality we have today in various RADIUS servers into an ISE installation.
I'm now wondering how to differentiate an administrative device login (SSH/ASDM) from a VPN user login if the RADIUS requests go to the same server.
As far as I can see there is nothing in the ASA RADIUS request attributes that differs for those use cases. Any advice?
Best regards
/Mattias
Solved! Go to Solution.
05-31-2012 07:45 AM
Hi Mattias,
as of ASA 8.4.3 the Radius Access-Request contains 2 new attributes, Tunnel Group Name and Client Type, when a VPN user connects. Not sure if a request for admin access will contain Client Type = 0 or if it does not include this attribute.
But you probably don't even need those, as you can just push the IETF service-type attribute, cfr:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1136429
hth
Herbert
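As an added example (not from this thread or from Cisco), the following Python script decodes a RADIUS Access-Request the way an AAA server would and sorts it into a VPN login or a management login by checking for the two ASA attributes Herbert mentions. The vendor ID (3076, Cisco VPN3000), the sub-attribute numbers (146 for Tunnel-Group-Name, 150 for Client-Type), the Client-Type value names and the sample packets are assumptions constructed for the example; verify the numbers against the ASA RADIUS attribute table for your release before building an ISE policy on them. Since Herbert is unsure whether an admin request carries Client-Type = 0 or omits the attribute, the classifier treats both cases as non-VPN, and it rejects packets whose length fields do not add up rather than reading past the end of a malformed request.

```python
import struct

# RADIUS constants from RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26

# Assumed: ASA-specific VSAs under the Cisco VPN3000 enterprise number.
# Check these against the ASA attribute table for your release.
VENDOR_CISCO_VPN3000 = 3076
VSA_TUNNEL_GROUP_NAME = 146   # string, e.g. the connection profile name
VSA_CLIENT_TYPE = 150         # integer, see CLIENT_TYPE_NAMES (assumed values)

CLIENT_TYPE_NAMES = {
    1: "Cisco VPN Client (IKEv1)",
    2: "AnyConnect SSL VPN",
    3: "Clientless SSL VPN",
    4: "Cut-Through-Proxy",
    5: "L2TP/IPsec",
    6: "AnyConnect IPsec (IKEv2)",
}


def avp(attr_type, value):
    """Encode one RADIUS Type-Length-Value attribute (length covers the header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Encode a Vendor-Specific (26) attribute carrying one vendor sub-attribute."""
    if isinstance(value, int):
        value = struct.pack("!I", value)        # RADIUS integers are 4 bytes, big-endian
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def access_request(identifier, attrs, authenticator=bytes(16)):
    """Build a complete Access-Request: code, id, length, 16-byte authenticator, attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_attributes(packet):
    """Walk the attribute list; returns (ietf, vendor) dicts keyed by type and (vendor, type)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    ietf, vendor = {}, {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            (vid,) = struct.unpack("!I", value[:4])
            vpos = 4
            while vpos < len(value):          # a VSA may carry several sub-attributes
                vtype, vlen = value[vpos], value[vpos + 1]
                if vlen < 2 or vpos + vlen > len(value):
                    raise ValueError("malformed VSA sub-attribute at offset %d" % (pos + 2 + vpos))
                vendor.setdefault((vid, vtype), []).append(value[vpos + 2:vpos + vlen])
                vpos += vlen
        else:
            ietf.setdefault(atype, []).append(value)
        pos += alen
    return ietf, vendor


def classify_request(packet):
    """Return how an AAA policy should see this request: 'vpn' or 'management'."""
    ietf, vendor = parse_attributes(packet)
    tg = vendor.get((VENDOR_CISCO_VPN3000, VSA_TUNNEL_GROUP_NAME))
    ct = vendor.get((VENDOR_CISCO_VPN3000, VSA_CLIENT_TYPE))
    client_type = struct.unpack("!I", ct[0])[0] if ct and len(ct[0]) == 4 else 0
    user = ietf.get(ATTR_USER_NAME, [b""])[0].decode("utf-8", "replace")
    if tg or client_type:   # absent and 0 both mean "not a VPN session"
        return {
            "kind": "vpn",
            "user": user,
            "tunnel_group": tg[0].decode("utf-8", "replace") if tg else None,
            "client_type": CLIENT_TYPE_NAMES.get(client_type, "unknown(%d)" % client_type) if client_type else None,
        }
    return {"kind": "management", "user": user, "tunnel_group": None, "client_type": None}


# Constructed sample requests (not captured traffic).
SAMPLE_VPN_REQUEST = access_request(1, [
    avp(ATTR_USER_NAME, b"mattias"),
    vsa(VENDOR_CISCO_VPN3000, VSA_TUNNEL_GROUP_NAME, b"RA-Employees"),
    vsa(VENDOR_CISCO_VPN3000, VSA_CLIENT_TYPE, 2),
])
SAMPLE_SSH_REQUEST = access_request(2, [avp(ATTR_USER_NAME, b"mattias")])
SAMPLE_SSH_REQUEST_CT0 = access_request(3, [
    avp(ATTR_USER_NAME, b"mattias"),
    vsa(VENDOR_CISCO_VPN3000, VSA_CLIENT_TYPE, 0),
])

if __name__ == "__main__":
    for pkt in (SAMPLE_VPN_REQUEST, SAMPLE_SSH_REQUEST, SAMPLE_SSH_REQUEST_CT0):
        print(classify_request(pkt))
```

The point of keying on the VSAs rather than on User-Name or NAS-IP-Address is that the same ASA and the same account can legitimately do both kinds of login; only the attributes that exist solely for VPN sessions separate the two. The response side (returning an IETF Service-Type to control management access) is what the ASA document Herbert links to describes and is not shown here.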
06-01-2012 01:24 AM
Thank you Herbert,
That was exactly the answer I was hoping for.
Now comes the question of how to set that up in ISE, but that is a totally different story and thread.
Best regards,
/Mattias