Re: Cisco anyconnect User authentication and authorization with

rahulpratheek · ‎01-18-2012

Hi,

I would like to configure RADIUS authentication and authorization in ASA 8.2 (ADSM 6.2) by configuring Cisco anyconnect VPN client connection profile.

So the end result would be user enters his username, password and a token in any connect client, then the RADIUS server validates this information and sends the user attributes to ASA upon successful authentication.

I would be grateful if i can get the step by step procedure to achieve this:

The below is what iam trying to do:

1) Create an AAA server group.

2) Add the AAA server to this group (here its RADIUS).

3) create an LDAP-cisco ASA group mapping (for authorization)

3) Add a group policy and create IP pool. (We can add two types of group policies, one is internal and external. Not sure which one to select here).

4) create a any connect vpn client connection profile. Here we specify the created server group name, IP pool and group policy.

(While creating a connection profile, it asks us to select an interface. As of now i have only one interface which is "inside". Not sure what the interface "outside" means).

Any replies on this would be really helpful.

andrew.prince · ‎01-18-2012

Go to the below URL - it has all the information you will need

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

rahulpratheek · ‎01-19-2012

Hi Andrew,

Thanks a lot for the reply.Those examples were helpful to me.

I was a bit confused about the NAT rules. Just wanted to know whether its required to create a NAT exempt rule.

Most of the docs say if "If enable traffic through firewall without address translation" is enabled (Configuration -> Firewall -> NAT rules), then we dont have to specify any NAT rules.

Actually, im looking at some thing specific to RADIUS configuration in ASA 5520/ASDM 6.2 and using Any Connect VPN client to perform AAA.

andrew.prince · ‎01-19-2012

As a basic rule - I always have a NAT exempt rule, but that is just me. When I am troubleshooting I do not have to think about NAT.

The URL I sent has lots of config examples, I can see 5 that have AAA/Radius and 8 that have AnyConnect config examples - just mix and match.....JigSaw time!!!!

rahulpratheek · ‎01-19-2012

Andrew,

Thanks for the confirmation. Ya, its really a JigSaw time now.

rahulpratheek · ‎01-23-2012

Andrew,

We are trying to set up RADIUS authentication and authorization through ayconnect client using Cisco ASA.

We are stuck at the authorization part. Below is what i have done.

1) Created a server group (Configuration -> Remote access VPN -> AAA/local users -> AAA Server groups )

2) I have added a RADIUS Server into this AAA server group.

3) Verified the authentication through RADIUS using the "Test" button.

4) Authentication was successful.(got an information message).

5) To verify the authorization part for this AAA Server, we will have to setup the LDAP to RADIUS group mapping.

6) So, in LDAP-RADIUS mapping, i have added an attribute name as "Member Of" in "Customer name" field and mapped it to "IETF-RADIUS-Class" attibute in "Cisco name" field and entered the mapping value for the attribute "Member Of" in the "customer value" field and in the "Cisco value' field i entered the Group policy that i created.(internal group policy).

7) After applying these LDAP-RADIUS mapping, i tried to verify the authorization part.

8) Selected the AAA RADIUS Server and clicked on "Test" and i have enabled the "Authorization" button in the Test settings.But when i test the authorization part, iam geting an error message saying "Authorization failed.AAA Server rejected".

The question here is how do i ensure that the LDAP-RADIUS mapping that i have created is applicable to the AAA Server that i have created.

Could you please provide me a solution for this ( i will send you the screen shots if required).

Thanks.

Cisco anyconnect User authentication and authorization with Cisco ASA using RADIUS server group