ASA with ACS4.2

Krasnoperov
Level 1

Hi, I have a simple network config

AnyconnectClient(with certificate)------>ASA(with SSL VPN enabled)---------->ACSserver

The client authenticates on the ASA via certificate, and after successful authentication I want to authorize my clients on ACS with a DACL association per client. The ASA gets the username from the CN field in the certificate and sends it to ACS; ACS responds to the ASA with authentication failed, password incorrect, and no DACL assignment happens. How can I define in ACS that it should be only an authorization process without any password, just the username from the certificate?

1 Reply

Herbert Baerten
Cisco Employee

Hi

In RADIUS there is no possibility to retrieve user attributes without providing a password.

So the only way the ASA can do authorization is to do a "fake" authentication request with a dummy password.

By default, this dummy password is the same as the username.

So, if you configure the user on ACS to have a password equal to his username, this should work.

Alternatively you can configure the ASA to always send the same password (for all users). So obviously in that case you need to configure all users on ACS to have the same password.

e.g.

aaa-server MyRadius (inside) host x.x.x.x
 radius-common-pw MyPass123

If this is not possible, you can:

- use LDAP authorization (my ACS knowledge is a bit outdated but I don't think it can act as an LDAP server though)

or

- configure the ASA to do cert + password authentication (and optionally, pre-fill the username from the cert)

or

- ask in the AAA forum to see if the ACS experts have any other ideas

hth

Herbert
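To make the mechanism in the reply above concrete, here is an added example (not code from the thread or from Cisco) that builds the RADIUS Access-Request the ASA effectively sends for its "fake" authentication, with User-Name taken from the certificate CN and User-Password hidden per RFC 2865 and set to either the username (the ASA default) or the radius-common-pw value, and then shows the check ACS has to pass before it will return a DACL. The shared secret, usernames and the user table are constructed values.

```python
import hashlib
import os
import struct

# Added illustration, not the thread's or Cisco's code. All values are constructed.
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2


def _xor_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block); block 1 uses the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res   # chain on the ciphertext in both directions
    return out


def build_access_request(username: str, secret: bytes, common_pw: str = "", ident: int = 1) -> bytes:
    """The ASA's authorization-only request: User-Password is the username itself
    unless radius-common-pw is configured (common_pw)."""
    authenticator = os.urandom(16)
    pw = (common_pw or username).encode()
    pw += b"\x00" * (-len(pw) % 16)        # pad to a multiple of 16 before hiding
    attrs = struct.pack("!BB", USER_NAME, 2 + len(username)) + username.encode()
    hidden = _xor_blocks(pw, secret, authenticator, decrypt=False)
    attrs += struct.pack("!BB", USER_PASSWORD, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_accepts(packet: bytes, secret: bytes, user_db: dict) -> bool:
    """What ACS effectively does before handing back a DACL: recover the
    password and compare it with the one stored for that user."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator, pos, fields = packet[4:20], 20, {}
    while pos < length:                      # walk the type/length/value attributes
        atype, alen = packet[pos], packet[pos + 1]
        fields[atype] = packet[pos + 2:pos + alen]
        pos += alen
    name = fields.get(USER_NAME, b"").decode()
    if USER_PASSWORD not in fields or name not in user_db:
        return False
    recovered = _xor_blocks(fields[USER_PASSWORD], secret, authenticator, decrypt=True)
    return recovered.rstrip(b"\x00") == user_db[name].encode()
```

Because the password is the username or a value shared by every user, the ACS account itself protects nothing; the controls that matter are certificate validation on the ASA and ACS accepting requests only from the ASA as a RADIUS client with its own shared secret.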
