10-25-2023 10:46 AM
ASA 5506-X with 9.16(4)42 and latest iOS AnyConnect client.
I am moving from LDAP Username/Password authentication against our local AD to SAML and was wanting to have a second end-user prompt for specifying which Group Policy they should be put into for a small group of admins using Radius Challenge.
I can use secondary authentication if I use AAA with LDAP or Local, but if I change over to SAML then the SAML authentication works fine but there is never a Radius request for the secondary authentication.
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_POOL
secondary-authentication-server-group RADIUS use-primary-username
default-group-policy GroupPolicy_SSL_VPN
password-management
authentication-attr-from-server secondary
authenticated-session-username secondary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
authentication saml
saml identity-provider https://..
If I try using Radius Challenge during the Authorization, that fails as well, using AAA or SAML authentication, when the Radius server returns the Access-Challenge.
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool VPN_POOL
authorization-server-group RADIUS
default-group-policy GroupPolicy_SSL_VPN
password-management
authentication-attr-from-server secondary
authenticated-session-username secondary
And from FreeRadius:
(0) Sent Access-Challenge Id 44 from 192.168.42.68:2000 to 192.168.42.3:29912 length 0
(0) Reply-Message := "Please enter your Group\n\nEither GROUP1 or GROUP2"
(0) State = 0xd132c740d78ad36cca03c85518e4d58a
Is there a way to have an additional prompt for the end user after a successful SAML authentication for a small number of users?
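The Access-Challenge round trip that the FreeRADIUS lines above describe, played out at packet level, as an added example that is not part of the original post and not Cisco or FreeRADIUS code. It models both sides in one process (no UDP), uses a constructed shared secret and constructed usernames, and implements the RFC 2865 pieces that matter here: the Reply-Message and State attributes in the challenge, the NAS echoing State back in its second Access-Request, the User-Password hiding used to carry the answer, and the Response Authenticator check the NAS must perform before trusting a reply. The Class attribute returned on Accept is a placeholder for whatever group-selection attribute a real server would send.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used by the challenge flow
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, STATE, CLASS = 1, 2, 18, 24, 25
SECRET = b"constructed-shared-secret"     # constructed for the example only
ALLOWED_GROUPS = {b"GROUP1", b"GROUP2"}   # the two answers the thread's Reply-Message offers
PROMPT = b"Please enter your Group\n\nEither GROUP1 or GROUP2"

def encode_attrs(attrs):
    # Each attribute is a TLV: type (1 byte), length incl. header (1 byte), value
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def pap_transform(data, secret, req_auth, reveal=False):
    """RFC 2865 section 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + prev block)."""
    if not reveal:
        data += b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], key))
        out += block
        prev = data[i:i + 16] if reveal else block  # always chain on the ciphertext block
    return out.rstrip(b"\x00") if reveal else out

def build_request(ident, req_auth, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def build_response(code, ident, req_auth, attrs, secret):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def parse(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_is_authentic(resp, req_auth, secret):
    # The NAS must check this before acting on an Accept or Challenge
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

class ChallengeServer:
    """No State attribute -> Access-Challenge; State present -> Accept or Reject."""
    def __init__(self, secret):
        self.secret = secret
        self.pending = {}  # State value -> username that still owes a group answer

    def handle(self, pkt):
        _, ident, req_auth, attrs = parse(pkt)
        a = dict(attrs)
        user = a.get(USER_NAME, b"")
        if STATE not in a:
            state = os.urandom(16)
            self.pending[state] = user
            return build_response(ACCESS_CHALLENGE, ident, req_auth,
                                  [(REPLY_MESSAGE, PROMPT), (STATE, state)], self.secret)
        owner = self.pending.pop(a[STATE], None)  # State is single-use
        answer = pap_transform(a.get(USER_PASSWORD, b""), self.secret, req_auth, reveal=True)
        if owner != user or answer not in ALLOWED_GROUPS:
            return build_response(ACCESS_REJECT, ident, req_auth, [], self.secret)
        return build_response(ACCESS_ACCEPT, ident, req_auth, [(CLASS, b"OU=" + answer)], self.secret)

def run_exchange(username, group_answer):
    """Play the NAS side: first request, receive the challenge, second request echoing State."""
    server = ChallengeServer(SECRET)
    auth1 = os.urandom(16)
    req1 = build_request(1, auth1, [(USER_NAME, username),
                                    (USER_PASSWORD, pap_transform(b"first-factor", SECRET, auth1))])
    chal = server.handle(req1)
    code, _, _, attrs = parse(chal)
    if not response_is_authentic(chal, auth1, SECRET) or code != ACCESS_CHALLENGE:
        return None
    auth2 = os.urandom(16)
    req2 = build_request(2, auth2, [(USER_NAME, username),
                                    (USER_PASSWORD, pap_transform(group_answer, SECRET, auth2)),
                                    (STATE, dict(attrs)[STATE])])  # echo State to bind the answer
    final = server.handle(req2)
    return parse(final)[0] if response_is_authentic(final, auth2, SECRET) else None
```

`run_exchange(b"alice", b"GROUP1")` returns 2 (Access-Accept) and an answer outside the allowed set returns 3 (Access-Reject). The point of the State attribute is visible in `handle`: the second Access-Request is only meaningful because the NAS sends State back, which is exactly the step a NAS that never issues the secondary request (the situation described in the question) cannot take.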
10-27-2023 04:40 AM
In ASA 9.16 SAML authentication cannot be used with any other authentication method:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/vpn/asa-916-vpn-config/webvpn-configure-users.html#reference_55BA48B37D6443BEA5D2F42EC21075B5
"This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."
Starting with ASA 9.18 it's possible to use SAML with certificates:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa918/release/notes/asarn918.html#reference_epy_jcy_35b
When using RADIUS for authorization with SAML authentication you would need to use the "authorize-only" option:
aaa-server RADIUSSRV protocol radius
authorize-only
If you want to override the group policy for specific users, the SAML IdP can send the cisco_group_policy attribute with a group policy name:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html
"The SAML Identity Provider can be configured to send authorization attributes in addition to the authentication assertions. The SAML Service Provider component in threat defense device interprets the SAML assertions and makes authorization or group policy selections based on the received assertions. The assertion attributes are processed using DAP rules configured in the management center.
The Group Policy attribute must use the attribute name cisco_group_policy. This attribute is not dependent on DAP being configured. However, if a DAP is configured, it can be used as part of the DAP policy.
If an attribute with the name cisco_group_policy is received, the corresponding value is used to select the connection group-policy."
If the above does not meet your requirements, I guess you will need to add another tunnel group and users will select a tunnel group instead of a group policy. I'm not aware of any other way to trigger a user prompt with SAML AAA.
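The group-policy selection the quoted documentation describes, as an added example that is not part of the original answer and not Cisco code. It parses a constructed SAML assertion, pulls the cisco_group_policy attribute out of the AttributeStatement and resolves it against a hypothetical set of configured group policies (the names other than GroupPolicy_SSL_VPN are invented). Two points are assumptions of this example rather than documented ASA behaviour: that a missing or ambiguous attribute falls back to the tunnel group's default-group-policy, and that a value naming a policy that does not exist on the firewall does the same. A real SP verifies the IdP's XML signature before reading any attribute; that step is outside this snippet.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical group policies; only GroupPolicy_SSL_VPN comes from the thread's config
CONFIGURED_GROUP_POLICIES = {"GroupPolicy_SSL_VPN", "GP_ADMIN_GROUP1", "GP_ADMIN_GROUP2"}
DEFAULT_GROUP_POLICY = "GroupPolicy_SSL_VPN"   # the tunnel group's default-group-policy

# Constructed assertion fragment; a real one is signed and carries Conditions/AuthnStatement
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2023-10-25T10:46:00Z">
  <saml:Issuer>https://idp.example.test/constructed</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="cisco_group_policy">
      <saml:AttributeValue>GP_ADMIN_GROUP1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=VPN-Admins,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def select_group_policy(attrs, configured=CONFIGURED_GROUP_POLICIES, default=DEFAULT_GROUP_POLICY):
    """Pick the connection group policy; returns (policy name, reason) for logging."""
    values = attrs.get("cisco_group_policy", [])
    if len(values) != 1:
        # Assumption: absent or multi-valued attribute falls back to the tunnel-group default
        return default, "default"
    name = values[0]
    if name not in configured:
        # Assumption: an IdP value naming a policy the firewall lacks is ignored, not trusted
        return default, "unknown-policy-fallback"
    return name, "idp-attribute"

if __name__ == "__main__":
    print(select_group_policy(assertion_attributes(SAMPLE_ASSERTION)))
```

Because the value is supplied by the IdP, the set of group policies it is allowed to name is effectively controlled by whoever administers the IdP's attribute mapping; keeping that mapping limited to the policies intended for SAML users, and logging the "reason" returned here, is what makes the override reviewable.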