cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
378
Views
0
Helpful
4
Replies
jerry.bonner
Beginner

ASA5500 web vpn radius attributes

Hi,

I'm working on getting ssl vpn users authenticated via radius. Whenver a user authenticates I get the following attributes passed from the ASA :


        User-Name = "user"
        User-Password = "***"
        NAS-Port = 266403840
        Calling-Station-Id = "1.1.1.1"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 2.2.2.2
        cisco-avpair = "ip:source-ip=1.1.1.1<30><149>"

 

Pretty standard stuff, but from the documentation ASA's support many more attributes. Why aren't these being passed in the authentication request? Is there something I need to do to enable these? Basically I have differnet tunnel groups with overlapping usernames, and the ASA isn't providing me any info on what group or url the user landed on, so I don't know how to authenticate these users. Realms aren't an option for me.

 

1 ACCEPTED SOLUTION

Accepted Solutions
Karsten Iwen
VIP Mentor

Is that really all that is sent? The RADIUS-request should include the tunnel-group-name like the following which is from a "debug radius" on an ASA 8.4(5):

Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
56 50 4e 2d 44 45                                  |  VPN-DE

 

View solution in original post

4 REPLIES 4
Karsten Iwen
VIP Mentor

Is that really all that is sent? The RADIUS-request should include the tunnel-group-name like the following which is from a "debug radius" on an ASA 8.4(5):

Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
56 50 4e 2d 44 45                                  |  VPN-DE

 

View solution in original post

Yeah thats all I get. Are you seeing that in an authentication request or an authorization?

 

I'm running 8.0(3)12, maybe thats the problem?

ok, so it looks those attributes were added 8.4(3), from the release notes

 

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html

 

 

I'm running 8.0(3)12, maybe thats the problem?

Ok, I didn't expect a such old version ...

Version 8.0 is already "End of Software Maintainance".

If you are planning the migration to 8.4, keep in mind that the Memory-requirements are higher then for older releases.

Content for Community-Ad