ASA: cli, ssh asdm login and VPN login with the same freeRADIUS

Sep 22nd, 2009
Hi all!

I have a problem: we are using a FreeRADIUS server to authenticate the VPN users. It works fine.

Now I want to authenticate the SSH and ASDM users with the same RADIUS server.

The only problem is that the ASA doesn't send different attributes to the RADIUS server, so in RADIUS I can't sort the requests (VPN or SSH).

How can I set the ASA to send the Service-Type attribute, or something else that could be useful?

Every time it sends just these attributes:

User-Name = xxx
User-Password = xxx
NAS-IP-Address = xxx
NAS-Port = xxx
NAS-Port-Type = Virtual
Cisco-AVPair = "ip:source-ip=xxx"
Calling-Station-Id = "ip:source-ip=xxx"

Have you got any idea?

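As an added example (not from this thread or from Cisco), the decoder below parses a RADIUS Access-Request carrying exactly the attribute list quoted above, showing how Cisco-AVPair arrives inside a Vendor-Specific (26) attribute and that, without Service-Type, nothing in the request tells a RADIUS policy whether the login is VPN or SSH. The user name, addresses and authenticator are constructed sample values.

```python
import struct

# RFC 2865 attribute types that appear in the ASA request quoted above, plus Service-Type (6)
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 26: "Vendor-Specific", 31: "Calling-Station-Id",
              61: "NAS-Port-Type"}            # NAS-Port-Type value 5 means "Virtual"
CISCO_VENDOR_ID, ACCESS_REQUEST = 9, 1       # Cisco-AVPair is VSA vendor 9, sub-type 1

def encode_attr(atype: int, value: bytes) -> bytes:
    """One attribute TLV: type, total length (value at most 253 bytes), value."""
    return bytes([atype, 2 + len(value)]) + value

def encode_cisco_avpair(text: str) -> bytes:  # vendor id + sub-type 1 + sub-length + string
    return encode_attr(26, struct.pack("!I", CISCO_VENDOR_ID) + bytes([1, 2 + len(text)]) + text.encode())

def build_access_request(attrs: bytes, ident: int = 7) -> bytes:
    """20-byte header: code, identifier, length, 16-byte authenticator (constructed zeros here)."""
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + bytes(16) + attrs

def parse_access_request(pkt: bytes) -> list:
    """Return [(attribute name, decoded value)]; reject packets whose length fields do not add up."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    out, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("malformed attribute length")
        atype, alen = pkt[i], pkt[i + 1]
        value, name = pkt[i + 2:i + alen], ATTR_NAMES.get(atype, f"Attr-{atype}")
        if atype == 26:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == 1:
                name = "Cisco-AVPair"
            out.append((name, value[6:4 + vlen].decode()))
        elif atype == 4:                       # IPv4 address
            out.append((name, ".".join(str(b) for b in value)))
        elif atype in (5, 6, 61):              # 32-bit integers
            out.append((name, struct.unpack("!I", value)[0]))
        elif atype == 2:                       # PAP password is obfuscated with the shared secret
            out.append((name, "<encrypted>"))
        else:
            out.append((name, value.decode()))
        i += alen
    return out

# Constructed sample mirroring the attribute list in the question (documentation address ranges)
SAMPLE = build_access_request(
    encode_attr(1, b"alice") + encode_attr(2, bytes(16)) + encode_attr(4, bytes([192, 0, 2, 1]))
    + encode_attr(5, struct.pack("!I", 3)) + encode_attr(61, struct.pack("!I", 5))
    + encode_cisco_avpair("ip:source-ip=198.51.100.7") + encode_attr(31, b"ip:source-ip=198.51.100.7"))
```

Feeding a VPN and an SSH request through `parse_access_request` yields the same attribute names, which is why a FreeRADIUS policy cannot key on them.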
jagadeeshan.s Tue, 09/22/2009 - 02:56
An alternate idea is to use "aaa authentication" for the SSH & HTTPS services using your RADIUS server.


Jatin Katyal Tue, 09/22/2009 - 04:29
Cisco Employee


To my knowledge, it is not possible to configure the ASA to send Service-Type in the RADIUS Access-Request.

Question: why do we need the Service-Type attribute? The user will be authenticated without it.

NOTE: the ASA does not understand the cisco-avpair = "shell:priv-lvl=15" attribute.

Just configure your ASA with the following commands:

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
username password priv 15

LOCAL: this will let you log in to the ASA when FreeRADIUS is not available.




hegegabor Tue, 09/22/2009 - 04:54
OK, I know how to authenticate the SSH users with RADIUS.

The only problem is that I don't want to allow VPN users to access SSH. But if the RADIUS server can't separate the requests, it doesn't know which type of user wants to log in.

(Not just Service-Type would be good for me; anything that differs between the two authentication types.)

hegegabor Tue, 09/22/2009 - 04:36
Hmm, yes, this is exactly what I want.

I want authentication and authorization for SSH. I still have an authentication (AAA of the VPN users), but the Access-Request is the same; this is the problem.

I can't separate these different types of authentication.

For example: in Cisco IOS I can send vendor-specific attributes to RADIUS ("vsa send"), and there the attribute values are different.

Jatin Katyal Tue, 09/22/2009 - 05:07
Cisco Employee

You got it.

There is no command available on the ASA to send vendor-specific attributes.

I think you are looking for an attribute that differentiates the Access-Request for both cases. Also, the Service-Type attribute is a good catch, but it will always come in the RADIUS Accept, so you need to configure this on the FreeRADIUS server.





hegegabor Tue, 09/22/2009 - 05:33
Okay, I see there is no way to send specific attributes to RADIUS or to modify them on the ASA. That is what I wanted to know.

Thank you all.