Radius Challenge prompt after SAML login?

PeteL
Level 1

ASA 5506-X with 9.16(4)42 and latest iOS AnyConnect client.

I am moving from LDAP Username/Password authentication against our local AD to SAML and was wanting to have a second end-user prompt for specifying which Group Policy they should be put into for a small group of admins using Radius Challenge.

I can use secondary authentication if I use AAA with LDAP or Local, but if I change over to SAML then the SAML authentication works fine but there is never a Radius request for the secondary authentication.

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_POOL
 secondary-authentication-server-group RADIUS use-primary-username
 default-group-policy GroupPolicy_SSL_VPN
 password-management
 authentication-attr-from-server secondary
 authenticated-session-username secondary
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 authentication saml
 saml identity-provider https://..

If I try using Radius Challenge during the Authorization, that fails as well, using AAA or SAML authentication, when the Radius server returns the Access-Challenge.

tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_POOL
 authorization-server-group RADIUS
 default-group-policy GroupPolicy_SSL_VPN
 password-management
 authentication-attr-from-server secondary
 authenticated-session-username secondary

And from FreeRadius:

(0) Sent Access-Challenge Id 44 from 192.168.42.68:2000 to 192.168.42.3:29912 length 0
(0)   Reply-Message := "Please enter your Group\n\nEither GROUP1 or GROUP2"
(0)   State = 0xd132c740d78ad36cca03c85518e4d58a

Is there a way to have an additional prompt for the end user after a successful SAML authentication for a small number of users?

1 Reply

gajownik
Cisco Employee

In ASA 9.16 SAML authentication cannot be used with any other authentication method:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa916/configuration/vpn/asa-916-vpn-config/webvpn-configure-users.html#reference_55BA48B37D6443BEA5D2F42EC21075B5

"This SAML SSO SP feature is a mutual exclusion authentication method. It cannot be used with AAA and certificate together."

Starting with ASA 9.18 it's possible to use SAML with certificates:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa918/release/notes/asarn918.html#reference_epy_jcy_35b

When using RADIUS for authorization with SAML authentication you would need to use "authorize-only" option:

aaa-server RADIUSSRV protocol radius
authorize-only

If you want to override the group policy for specific users, the SAML IdP can send a cisco_group_policy attribute with a group policy name:
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html

"The SAML Identity Provider can be configured to send authorization attributes in addition to the authentication assertions. The SAML Service Provider component in threat defense device interprets the SAML assertions and makes authorization or group policy selections based on the received assertions. The assertion attributes are processed using DAP rules configured in the management center.
The Group Policy attribute must use the attribute name cisco_group_policy. This attribute is not dependent on DAP being configured. However, if a DAP is configured, it can be used as part of the DAP policy.
If an attribute with the name cisco_group_policy is received, the corresponding value is used to select the connection group-policy."

If the above does not meet your requirements, I guess you will need to add another tunnel group and users will select the tunnel group instead of the group policy. I'm not aware of any other way to trigger a user prompt with SAML AAA.
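To make the cisco_group_policy mechanism from the quoted Cisco documentation concrete, here is an added example (not code from this thread, Cisco, or the ASA) that parses a constructed SAML assertion the way a service provider would after signature verification, pulls the attribute out of the AttributeStatement, and chooses a group policy from it. The fallback behaviour for a missing or unrecognised value, the policy names, the IdP URL and the sample assertion are all assumptions made for the example; the ASA's own handling of an unknown value is not described on this page.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace (standard URN, not specific to any vendor)
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for the example. A real IdP response would be
# signed; this example assumes the signature has already been verified and
# the assertion is trusted before any attribute is read from it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Subject><saml:NameID>pete@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="cisco_group_policy">
      <saml:AttributeValue>GROUP1</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=VPN-Admins,OU=Groups,DC=example,DC=test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Group policies assumed to exist on the ASA (GroupPolicy_SSL_VPN is the
# tunnel-group default from the original post; GROUP1/GROUP2 are the names
# the asker offered in the RADIUS Reply-Message).
CONFIGURED_GROUP_POLICIES = {"GroupPolicy_SSL_VPN", "GROUP1", "GROUP2"}
DEFAULT_GROUP_POLICY = "GroupPolicy_SSL_VPN"


def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [
            v.text.strip()
            for v in attr.iterfind("saml:AttributeValue", SAML_NS)
            if v.text and v.text.strip()
        ]
        attrs[name] = values
    return attrs


def select_group_policy(attrs: dict,
                        configured=CONFIGURED_GROUP_POLICIES,
                        default=DEFAULT_GROUP_POLICY):
    """Pick the connection group policy from cisco_group_policy.

    Returns (policy_name, reason). The fallback rules below are this
    example's own choice: exactly one value is accepted, and it must name
    a policy that is actually configured, otherwise the tunnel-group
    default is used so an IdP misconfiguration cannot grant an
    unexpected policy.
    """
    values = attrs.get("cisco_group_policy", [])
    if len(values) != 1:
        return default, "no single cisco_group_policy value; using tunnel-group default"
    candidate = values[0]
    if candidate not in configured:
        return default, f"cisco_group_policy {candidate!r} is not a configured policy; using default"
    return candidate, "selected from cisco_group_policy assertion attribute"


if __name__ == "__main__":
    parsed = extract_attributes(SAMPLE_ASSERTION)
    policy, why = select_group_policy(parsed)
    print(f"group-policy: {policy} ({why})")
```

The point of the allow-list check is the same one a DAP rule would enforce: the IdP is trusted to assert an attribute, but the firewall side decides which attribute values map to which policy, and anything else lands in the default.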