Cisco ASA with NAC Appliance

Feb 10th, 2010

I will be building a new RAS solution for a customer. Users will authenticate using RSA SecurID to the ASA. I will be using LDAP to map these users into group policies on the ASA. Behind the ASA I will have a CAS in Virtual Gateway mode. Once the users are authenticated against the ASA I will use VPN SSO to automatically authenticate the user against the NAC infrastructure.

My question is this. Is it possible to map users to NAC roles based on the group-policy assigned by the ASA to a NAC role using accounting packets from the ASA? I cannot find specific examples on how to do this with just the ASA and the NAC appliance without introducing ACS.

For example:

User A authenticates to the ASA using SecurID and is mapped to the group policy "employees" by LDAP - I would like them to be dynamically mapped to a NAC role called employees by the accounting packets from the ASA. If it's possible, which attribute would hold the group policy info?

I am open to other ideas as well.

jpecarski Thu, 02/11/2010 - 04:54

Thanks Kevin for the response.

With this scenario I would be using AD authentication, either with LDAP or Kerberos, and then authorize the user with LDAP to provide them with a role mapping.

The scenario I'm looking at is using the accounting packets from the ASA to map the user into a NAC role. The user will already be authorized by LDAP when logging into the ASA; I'm trying to save a step by avoiding a second authorization to LDAP. My Auth provider in this scenario would be VPN SSO.


Yudong Wu Thu, 02/11/2010 - 20:03

Yes, ASA can send radius accounting info to NAC for mapping to the role.

The group info should be included in radius class 25.

jpecarski Thu, 02/25/2010 - 07:25

Thanks for the response. Radius class 25 will contain the tunnel-group name associated to the user?

Yudong Wu Thu, 02/25/2010 - 09:37

It's not tunnel-group name.

Check the link below.

Basically, you need to configure an "ldap attribute-map" on the ASA to map the group attribute, which is sent to the ASA by the LDAP server, to the Radius class attribute. The value of that "group attribute" would become the value of Radius class 25. It's not related to the tunnel-group name.

jpecarski Thu, 02/25/2010 - 12:39

Hi Kevin,

If a user called userA is a member of group groupA in LDAP, I can map the "memberOf" attribute to radius "class" using an LDAP map on the ASA, and this class will be forwarded in a radius accounting packet to the NAC so I can make a role mapping?

My customer plans on having about 12 - 14 tunnel groups, all but one using VPN SSO. The other will be using Windows AD SSO with Kerberos. The plan is to have the ASA perform all the authentication and authorization and send the radius accounting packet to the NAC for SSO where I can also perform the role mapping.


Yudong Wu Thu, 02/25/2010 - 13:31

Yes, you are correct.

Say the LDAP server returns the group info of "UserA" in the memberof attribute, and its value is "groupA".

You configure the ASA to map the "memberof" attribute value "groupA" to the Radius class attribute value "group-policyA", where "group-policyA" is a group-policy name configured on the ASA. The ASA will send a Radius accounting packet including the Radius class attribute with value "group-policyA" to the NAC. You can use it to do role mapping. HTH.
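The following ASA configuration fragment is an added example of the mapping described in this answer; it is not taken from the thread or from Cisco documentation. Server names, IP addresses, the LDAP DNs, the group-policy names, the tunnel-group name and the bracketed secrets are all placeholders chosen for illustration.

```cisco
! Added example (not from this thread): LDAP group -> RADIUS Class -> NAC role mapping on an ASA.
! Every IP address, DN, name and secret below is a placeholder.

! 1. LDAP attribute map: translate the AD "memberOf" value into the RADIUS Class
!    attribute (IETF-Radius-Class). The mapped value must equal an ASA group-policy name.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf "CN=groupA,OU=Groups,DC=example,DC=com" group-policyA
 map-value memberOf "CN=groupB,OU=Groups,DC=example,DC=com" group-policyB

! 2. RSA SecurID server group used for authentication only
aaa-server RSA-SECURID protocol sdi
aaa-server RSA-SECURID (inside) host 10.0.0.30

! 3. LDAP server group used for authorization, with the attribute map attached
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 4. RADIUS server group pointing at the CAS; the ASA only sends accounting to it
aaa-server NAC-ACCT protocol radius
aaa-server NAC-ACCT (inside) host 10.0.0.20
 key <shared-secret>
 accounting-port 1813

! 5. Group policies whose names appear as the Class (attribute 25) value
group-policy group-policyA internal
group-policy group-policyB internal

! 6. Tunnel group: SecurID authenticates, LDAP authorizes, accounting goes to the CAS
tunnel-group EMPLOYEES type remote-access
tunnel-group EMPLOYEES general-attributes
 authentication-server-group RSA-SECURID
 authorization-server-group AD-LDAP
 accounting-server-group NAC-ACCT
```

With this in place the accounting-start record the ASA sends to the CAS carries Class = "group-policyA" for a member of groupA, which is the value the CAS-side role mapping keys on. A user whose memberOf value matches no map-value line falls back to the tunnel group's default group-policy, so it is worth confirming that the default policy does not map to a more privileged NAC role than intended.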

jpecarski Tue, 03/02/2010 - 10:38

Thanks for your help Kevin.

I'm working with some folks on cabling the NAC appliance. As I have already mentioned this will be used in conjunction with a Cisco ASA to perform posture against the VPN users. I plan to deploy this in VGW mode with L3 support. Do you see any issues with cabling the ASA directly to the untrusted interface on the CAS? Available switch ports are the main reason for this discussion.

How would the VLAN mapping work in this instance? Would I need a trunk interface on the ASA to pass the necessary VLAN tags?

Yudong Wu Wed, 03/03/2010 - 12:39

If you connect ASA to CAS directly, I think you have to use subinterface on ASA with related VLAN assigned. In this way, ASA can send the packet with the correct vlan tag.
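As an added illustration of the subinterface approach suggested here (example configuration, not from the thread or from Cisco documentation), this fragment shows one ASA physical port carrying an 802.1Q-tagged subinterface toward the CAS untrusted side. The interface name, VLAN ID, nameif, security level and addressing are placeholders; the VLAN numbering the CAS expects in Virtual Gateway mode is not specified in the thread and must come from the NAC design.

```cisco
! Added example (not from this thread): ASA subinterface with a VLAN tag facing the CAS.
! Interface names, VLAN IDs, security levels and addresses are placeholders.

! Physical port: carries tagged frames only, so it gets no nameif or IP of its own
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown

! One subinterface per VLAN the CAS must receive with its tag intact
interface GigabitEthernet0/2.110
 vlan 110
 nameif nac-untrusted
 security-level 50
 ip address 10.110.0.1 255.255.255.0
```

Each additional VLAN the CAS needs to see gets its own subinterface with its own "vlan" line; traffic leaving a subinterface is tagged with that VLAN ID, which is what lets a directly cabled CAS see the tags it would otherwise receive from a switch trunk.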

