Cisco Community
English
Register
Community will be in Read-only Mode from April 11 at 11:00 PM PT to Monday April 12 at 9:00 PM PT - READ DETAILS HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
375
Views
0
Helpful
4
Replies
jerry.bonner
Beginner
Beginner
‎08-13-2014 01:40 PM
‎08-13-2014 01:40 PM

ASA5500 web vpn radius attributes

Hi,

I'm working on getting ssl vpn users authenticated via radius. Whenver a user authenticates I get the following attributes passed from the ASA :


        User-Name = "user"
        User-Password = "***"
        NAS-Port = 266403840
        Calling-Station-Id = "1.1.1.1"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 2.2.2.2
        cisco-avpair = "ip:source-ip=1.1.1.1<30><149>"

 

Pretty standard stuff, but from the documentation ASA's support many more attributes. Why aren't these being passed in the authentication request? Is there something I need to do to enable these? Basically I have differnet tunnel groups with overlapping usernames, and the ASA isn't providing me any info on what group or url the user landed on, so I don't know how to authenticate these users. Realms aren't an option for me.

 

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
‎08-13-2014 02:19 PM
‎08-13-2014 02:19 PM

Is that really all that is sent? The RADIUS-request should include the tunnel-group-name like the following which is from a "debug radius" on an ASA 8.4(5):

Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
56 50 4e 2d 44 45                                  |  VPN-DE

 


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.

View solution in original post

0 Helpful
4 REPLIES 4
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
‎08-13-2014 02:19 PM
‎08-13-2014 02:19 PM

Is that really all that is sent? The RADIUS-request should include the tunnel-group-name like the following which is from a "debug radius" on an ASA 8.4(5):

Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
56 50 4e 2d 44 45                                  |  VPN-DE

 


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.

View solution in original post

0 Helpful
jerry.bonner
Beginner
Beginner
In response to Karsten Iwen
‎08-14-2014 06:04 AM
‎08-14-2014 06:04 AM

Yeah thats all I get. Are you seeing that in an authentication request or an authorization?

 

I'm running 8.0(3)12, maybe thats the problem?

0 Helpful
jerry.bonner
Beginner
Beginner
In response to jerry.bonner
‎08-14-2014 06:08 AM
‎08-14-2014 06:08 AM

ok, so it looks those attributes were added 8.4(3), from the release notes

 

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html

 

 

0 Helpful
Karsten Iwen
VIP Mentor VIP Mentor
VIP Mentor
In response to jerry.bonner
‎08-14-2014 06:35 AM
‎08-14-2014 06:35 AM

I'm running 8.0(3)12, maybe thats the problem?

Ok, I didn't expect a such old version ...

Version 8.0 is already "End of Software Maintainance".

If you are planning the migration to 8.4, keep in mind that the Memory-requirements are higher then for older releases.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor
or share a meal with a hungry child.
0 Helpful
Latest Contents
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
0
0
0
0
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
FMT 2.3.4 adding ASA migrations of S2S VPN in public beta
Created by William_Hansch on 03-22-2021 08:00 AM
0
10
0
10
The latest iteration (v2.3.4) of the Cisco Secure Firewall Migration Tool adds public beta support for S2S VPN migrations from ASA: Policy-based (crypto map) Pre-Shared key authentication type VPN configuration to Firepower Management Center VP... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 03-22-2021 04:40 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
ISE Data limiting best practices
Created by Jonathan Casillas on 03-18-2021 04:34 PM
0
5
0
5
Intro This document presents the ISE data limiting best practices that can dramatically improve the system performance on ISE. Symptoms Your deployment may be impacted if the alarms tab on ISE shows High load average, high CPU or high memoy usage alarm... view more
Content for Community-Ad