ASA AAA

Hi,

I want to consolidate all AAA functionality we have today in various RADIUS servers to an ISE installation.

I'm now wondering how to differentiate an administrative device login (SSH/ASDM) from a VPN user login if the RADIUS requests go to the same server.

As far as I can see there is nothing in the ASA Radius-Request-Attributes that differs for those use cases. Any advice?

Best regards

/Mattias

Accepted Solutions

Herbert Baerten
Cisco Employee

Hi Mattias,

As of ASA 8.4.3 the RADIUS Access-Request contains 2 new attributes, Tunnel Group Name and Client Type, when a VPN user connects. Not sure if a request for admin access will contain Client Type = 0 or if it does not include this attribute.

But you probably don't even need those, as you can just push the IETF service-type attribute, cfr:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_aaa.html#wp1136429

hth

Herbert
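
The two options from the answer above, sketched as RADIUS server-side logic (an added example, not code from the thread, Cisco or ISE): it classifies a request by the ASA's Tunnel Group Name and Client Type attributes, treating a missing Client Type and Client Type = 0 alike, and picks the Service-Type to push. The attribute numbers, the sample requests and the policy itself (Administrative only for admins on non-VPN logins, Outbound otherwise) are assumptions made for illustration.

```python
import struct

# Assumed numbering (not stated in the thread): Service-Type values per RFC 2865;
# Tunnel-Group-Name / Client-Type taken to be VSAs 146 / 150 under vendor ID 3076.
VENDOR_SPECIFIC, ASA_VENDOR_ID = 26, 3076
TUNNEL_GROUP_NAME, CLIENT_TYPE = 146, 150
OUTBOUND, ADMINISTRATIVE = 5, 6

def parse_attributes(data):
    """Walk a RADIUS type/length/value attribute list, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def asa_vsas(attrs):
    """Return {vendor_type: value} for VSAs that carry the ASA vendor ID."""
    found = {}
    for atype, value in attrs:
        if atype == VENDOR_SPECIFIC and len(value) > 4 \
                and struct.unpack("!I", value[:4])[0] == ASA_VENDOR_ID:
            found.update(parse_attributes(value[4:]))
    return found

def is_vpn_request(attrs):
    """VPN login: Tunnel-Group-Name present or Client-Type non-zero (absent = 0)."""
    vsas = asa_vsas(attrs)
    client_type = int.from_bytes(vsas.get(CLIENT_TYPE, b""), "big")
    return TUNNEL_GROUP_NAME in vsas or client_type != 0

def service_type_for(attrs, user_is_admin):
    """Administrative only for an admin on a non-VPN login, otherwise Outbound."""
    if user_is_admin and not is_vpn_request(attrs):
        return ADMINISTRATIVE
    return OUTBOUND

def tlv(atype, value):
    return bytes([atype, len(value) + 2]) + value
def vsa(vtype, value):
    return tlv(VENDOR_SPECIFIC, struct.pack("!I", ASA_VENDOR_ID) + tlv(vtype, value))

# Constructed sample attribute lists: User-Name (type 1) plus optional ASA VSAs.
SSH_LOGIN = tlv(1, b"alice")
SSH_LOGIN_TYPE0 = SSH_LOGIN + vsa(CLIENT_TYPE, b"\x00\x00\x00\x00")
VPN_LOGIN = SSH_LOGIN + vsa(TUNNEL_GROUP_NAME, b"RA-VPN") + vsa(CLIENT_TYPE, b"\x00\x00\x00\x02")
```
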

Thank you Herbert,

That was exactly the answer I was hoping for.

Now comes the question how to set that up in ISE, but that is a totally different story and thread.

Best regards,

/Mattias
