ASA: cli, ssh asdm login and VPN login with the same freeRADIUS

Sep 22nd, 2009

Hi all!


I have a problem: we are using a FreeRADIUS server to authenticate the VPN users. It works fine.

Now I want to authenticate the SSH and ASDM users with the same RADIUS server.

The only problem is that the ASA doesn't send different attributes to the RADIUS server, so on the RADIUS side I can't sort the requests (VPN or SSH).


How can I set the ASA to send the Service-Type attribute, or something else that could be useful?

Every time it sends just these attributes:

User-Name = xxx
User-Password = xxx
NAS-IP-Address = xxx
NAS-Port = xxx
NAS-Port-Type = Virtual
Cisco-AVPair = "ip:source-ip=xxx"
Calling-Station-Id = "ip:source-ip=xxx"


Have you got any idea?

ty


Gabor


jagadeeshan.s Tue, 09/22/2009 - 02:56


Hi,


An alternative idea: use "aaa authentication" for the SSH and HTTPS services with your RADIUS server.


-Jags.


Jatin Katyal Tue, 09/22/2009 - 04:29
Cisco Employee

Hi,


Per my knowledge, it is not possible to configure the ASA to send Service-Type in the RADIUS Access-Request.


Question: why do we need the Service-Type attribute? The user will be authenticated without it.


NOTE: the ASA does not understand the cisco-avpair = "shell:priv-lvl=15" attribute.


Just configure your ASA with the following commands:

aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
username <name> password <password> privilege 15

LOCAL: this will let you log into the ASA when FreeRADIUS is not available.


HTH


Regards,

JK

hegegabor Tue, 09/22/2009 - 04:54

Hi,

OK, I know how to authenticate the SSH users with RADIUS.


The only problem is that I don't want to allow VPN users to access SSH. But if the RADIUS server can't separate the requests, it doesn't know which type of user wants to log in.


(Not just Service-Type is good for me; anything that differs between the two auth types.)




hegegabor Tue, 09/22/2009 - 04:36

Hmm, yes, exactly, this is what I want.

I want authentication and authorization for SSH. I still have authentication (AAA of the VPN users), but the Access-Request is the same; this is the problem.

I can't separate these different types of authentication.


For example: in Cisco IOS I can send vendor-specific attributes to RADIUS ("vsa send"), and there the attribute values are different.



Jatin Katyal Tue, 09/22/2009 - 05:07
Cisco Employee

Hi,


You got it.


There is no command available on the ASA to send a vendor-specific attribute.


I think you are looking for an attribute that differentiates the Access-Request in the two cases. Also, the Service-Type attribute is a good catch, but this will always come in the RADIUS Access-Accept, so you need to configure it on the FreeRADIUS server.


Service-type:


http://freeradius.org/rfc/rfc2865.html#Service-Type


HTH


Regards,

JK
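
An added illustration of the Access-Accept approach (not configuration from this thread; user names, passwords and the RADIUS host are placeholders, and it assumes an ASA release that supports "aaa authorization exec authentication-server"): FreeRADIUS returns Service-Type = Administrative-User only for management users, and the ASA is told to require that attribute for CLI/ASDM logins, so VPN-only accounts authenticate for VPN but are refused management access.

```text
# --- FreeRADIUS "users" file (constructed example) ---
# Management user: Access-Accept carries Service-Type Administrative-User.
asa-admin   Cleartext-Password := "PLACEHOLDER-ADMIN-PW"
            Service-Type = Administrative-User

# VPN-only user: Access-Accept without Service-Type Administrative-User,
# so the ASA will reject SSH/ASDM login for this account.
vpn-user    Cleartext-Password := "PLACEHOLDER-VPN-PW"

# --- ASA side (constructed example; host and key are placeholders) ---
aaa-server FREERADIUS protocol radius
aaa-server FREERADIUS (inside) host 192.0.2.10 key PLACEHOLDER-SECRET
aaa authentication ssh console FREERADIUS LOCAL
aaa authentication http console FREERADIUS LOCAL
# Require the Service-Type attribute from the RADIUS reply for management access.
aaa authorization exec authentication-server
```

Keep the LOCAL fallback and a local privilege-15 account so you are not locked out when the RADIUS server is unreachable.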


hegegabor Tue, 09/22/2009 - 05:33
User Badges:

hi.


Okay, I see there is no way to send specific attributes to RADIUS or modify them on the ASA. That is what I wanted to know.


Thank you all.


BR,

Gabor
