
ASA5500 web vpn radius attributes

jerry.bonner
Level 1

Hi,

I'm working on getting SSL VPN users authenticated via RADIUS. Whenever a user authenticates I get the following attributes passed from the ASA:


        User-Name = "user"
        User-Password = "***"
        NAS-Port = 266403840
        Calling-Station-Id = "1.1.1.1"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 2.2.2.2
        cisco-avpair = "ip:source-ip=1.1.1.1<30><149>"

 

Pretty standard stuff, but from the documentation ASAs support many more attributes. Why aren't these being passed in the authentication request? Is there something I need to do to enable these? Basically I have different tunnel groups with overlapping usernames, and the ASA isn't providing me any info on what group or URL the user landed on, so I don't know how to authenticate these users. Realms aren't an option for me.

 

Accepted Solution

Is that really all that is sent? The RADIUS request should include the tunnel-group name like the following, which is from a "debug radius" on an ASA 8.4(5):

Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
56 50 4e 2d 44 45                                  |  VPN-DE

 

4 Replies

 

Yeah, that's all I get. Are you seeing that in an authentication request or an authorization?

 

I'm running 8.0(3)12, maybe that's the problem?

OK, so it looks like those attributes were added in 8.4(3), from the release notes:

 

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html
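The release notes quoted above say which Cisco VSAs the ASA puts in the Access-Request from 8.4(3) on, and the accepted answer shows Tunnel-Group-Name (146) in "debug radius" output. The following is an added example, not code from this thread, from Cisco, or from any RADIUS server: a small Python parser for a RADIUS Access-Request that pulls out the standard attributes in the original post and the Cisco vendor-specific ones (vendor id 9), plus a select_store helper that picks a per-tunnel-group user table, which is what the original question needed for overlapping usernames. The packets, the USER_STORES table and its passwords are constructed; the User-Password attribute (which is obfuscated with the shared secret on the wire) is left out; and select_store returns None when Tunnel-Group-Name is absent, which is what an ASA older than 8.4(3) sends, so the server can reject instead of guessing.

```python
import struct

# Standard RADIUS attribute numbers (RFC 2865) that appear in the poster's dump.
USER_NAME, NAS_IP_ADDRESS, NAS_PORT = 1, 4, 5
VENDOR_SPECIFIC, CALLING_STATION_ID, NAS_PORT_TYPE = 26, 31, 61
NAS_PORT_TYPE_VIRTUAL = 5                  # RFC 2865 value for "Virtual"
CISCO_VENDOR_ID = 9                        # IANA enterprise number for Cisco
CISCO_AVPAIR, TUNNEL_GROUP_NAME = 1, 146   # Cisco sub-attributes named in the thread


def attr(t, value):
    """Encode one attribute: Type(1) Length(1, counts this 2-byte header) Value."""
    return struct.pack("!BB", t, 2 + len(value)) + value


def cisco_vsa(sub_type, value):
    """Vendor-Specific (26) carrying one Cisco sub-attribute, which uses the same T/L/V layout."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(sub_type, value))


def access_request(*attrs):
    """Code=1 (Access-Request), Identifier, Length, 16-byte Request Authenticator (constructed zeros)."""
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 1, 20 + len(body)) + bytes(16) + body


def parse_access_request(packet):
    """Return (std, cisco): each maps attribute number -> list of raw values in wire order.
    Every length field is checked against the packet, so truncated or padded input is rejected."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    std, cisco = {}, {}
    pos = 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("attribute overruns packet at offset %d" % pos)
        t, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        pos += alen
        if t != VENDOR_SPECIFIC:
            std.setdefault(t, []).append(value)
            continue
        if len(value) < 4 or struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                               # another vendor's VSA: ignored here
        sub, spos = value[4:], 0
        while spos < len(sub):
            if spos + 2 > len(sub) or sub[spos + 1] < 2 or spos + sub[spos + 1] > len(sub):
                raise ValueError("Cisco sub-attribute overruns its VSA")
            st, slen = sub[spos], sub[spos + 1]
            cisco.setdefault(st, []).append(sub[spos + 2:spos + slen])
            spos += slen
    return std, cisco


def select_store(cisco):
    """Name of the per-tunnel-group user store, taken from Tunnel-Group-Name (146).
    Returns None when the ASA did not send it (the pre-8.4(3) case in the thread), so the
    caller can reject the request instead of guessing which "user" is logging in."""
    groups = cisco.get(TUNNEL_GROUP_NAME)
    if not groups:
        return None
    return groups[0].decode("ascii", "replace")


def debug_radius_hex(value):
    """Render bytes the way the ASA "debug radius" output in the thread shows them."""
    return " ".join("%02x" % b for b in value)


# Constructed user table: the same login name exists in two tunnel groups with different passwords.
USER_STORES = {"VPN-DE": {"user": "pw-for-de"}, "VPN-US": {"user": "pw-for-us"}}

# Constructed packets mirroring the attributes in the original post, with and without the VSA.
COMMON = (
    attr(USER_NAME, b"user"),
    attr(NAS_PORT, struct.pack("!I", 266403840)),
    attr(CALLING_STATION_ID, b"1.1.1.1"),
    attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
    attr(NAS_IP_ADDRESS, bytes([2, 2, 2, 2])),
    cisco_vsa(CISCO_AVPAIR, b"ip:source-ip=1.1.1.1"),
)
REQ_WITH_GROUP = access_request(*COMMON, cisco_vsa(TUNNEL_GROUP_NAME, b"VPN-DE"))
REQ_WITHOUT_GROUP = access_request(*COMMON)

if __name__ == "__main__":
    std, cisco = parse_access_request(REQ_WITH_GROUP)
    group = select_store(cisco)
    print("user:", std[USER_NAME][0].decode(), "tunnel group:", group,
          "hex:", debug_radius_hex(cisco[TUNNEL_GROUP_NAME][0]))
    print("store lookup:", USER_STORES[group])
    print("without VSA:", select_store(parse_access_request(REQ_WITHOUT_GROUP)[1]))
```

Running it prints the tunnel group as "VPN-DE" and its hex as "56 50 4e 2d 44 45", matching the accepted answer's debug line; the Length = 8 shown there is the 2-byte sub-attribute header plus the 6-byte value, which is exactly what cisco_vsa produces. For the packet without the VSA, select_store returns None, which is the situation the poster's 8.0(3)12 ASA puts a RADIUS server in.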

 

 

I'm running 8.0(3)12, maybe that's the problem?

OK, I didn't expect such an old version ...

Version 8.0 is already "End of Software Maintenance".

If you are planning the migration to 8.4, keep in mind that the memory requirements are higher than for older releases.