Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8605
Views
6
Helpful
8
Replies

ASA AnyConnect RADIUS Group Lock (with RSA Authentication Manager)

dexterism
Level 1
Level 1

‎09-30-2014 08:00 PM - edited ‎03-10-2019 10:04 PM

Hi,

I was wondering if anyone here has ever configured multiple AnyConnect VPN profiles, all authenticating to a back-end RSA Authentication Manager server without the use of SecureACS?

What I have here are 3 groups of users in different geographic locations - Americas, Europe, and Asia, and basically I need to assign them to the correct subnet based on their VPN group. The VPN profiles are successfully authenticated to the RSA Authentication Manager using RADIUS, however, the users are not being assigned *any* available group policy, and thus not being put in any of the available valid tunnels, and the connection attempt eventually fails.

The users are in the RSA authentication manager database (imported from AD), and for each user there is a custom RADIUS IETF-25 attribute defined in RSA AM with a value that matches each of our anyconnect tunnels.

Those with experience integrating multiple AnyConnect profiles with RSA SecurID, how did you successfully implement group lock in your environment without the use of SecureACS (we don't have one at our disposal)....

Thanks.

Labels:
0 Helpful
8 Replies 8

Javier Portuguez
Level 9
Level 9

‎10-01-2014 05:30 AM

Hi,

Are you connecting to the RSA server over sdi or Radius?

If Radius, you could run the "debug radius all" on the ASA to check whether the attribute 25 comes back from the RSA server.

HTH.

dexterism
Level 1
Level 1
In response to Javier Portuguez

‎10-03-2014 07:30 AM

Hi Javier,

Figured out the issue, what I had to do was to go into the RSA SecurID operations console and edit RADIUS.INI.

As the ASA is not defined as a recognized product in RSA Authnetication manager, it fell back to the standard radius profile. The problem occurs when RSA tries to send the standard class attribute to the ASA in which it does not recognize, thus failing the authorization process.

 

vendor-product       = - Standard Radius -

dictionary           = Radius

ignore-ports         = no

help-id              = 2000

send-class-attribute = no

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to dexterism

‎10-03-2014 08:17 AM

Awesome!

Glad to hear that.

Have a nice weekend. 

0 Helpful

jfernandez11
Level 1
Level 1

‎10-09-2014 07:00 PM

 I have a similar setup to dexterism which I can't quite get working yet.  I'm would like to use the RSA AM user database and built-in RADIUS server to pass back the group-lock attribute back to the RADIUS client (Cisco ASA 5510).  I've created my own custom Identity Attribute which contains the list of VPN groups and mapped the RADIUS Class (ID 25) attribute to it. 

 

On the Cisco, I've setup several DAP's to assign the correct ACL filters depending on what the radius.25 class value is.  The issue is that when I authenticate with the AnyConnect VPN client, it doesn't look like the RADIUS ID 25 value is being passed from the RADIUS server to the Cisco ASA RADIUS client.  It's always falling to the last DAP policy "DfltAccessPolicy".  I've also verified from the "debug radius all" that its not showing the RADIUS server's assigned value for that particular user. 

 

Any ideas are greatly appreciated!

0 Helpful

Javier Portuguez
Level 9
Level 9
In response to jfernandez11

‎10-10-2014 05:37 AM

Hello,

Well, if the RADIUS debug output does not list the attribute 25 then the server is not sending it. 

Did you follow the configuration steps indicated in the configuration guide of the RSA AM product?

Unfortunately, it sounds like a configuration issue on the server side. 

HTH.

0 Helpful

dexterism
Level 1
Level 1
In response to jfernandez11

‎10-10-2014 07:26 AM

Hi jfernandez11,

You don't need DAP as the ASA will automatically recognize IETF attribute 25 as the Group policy name. Make sure the values configured for your RADIUS attribute profiles on the RSA AM matches the Group Policy Name exactly on the cisco ASA.

Also you need to go into the user's profile on RSA AM, and under "authentication settings" - select the appropriate RADIUS profile to assign to the user.

Nothing is done on the ASA except to configure the RADIUS servers. 80% of the config is done on the back end while the ASA simply points to the RADIUS server.

Regards,

Dexter

0 Helpful

jfernandez11
Level 1
Level 1
In response to dexterism

‎10-13-2014 10:57 AM

Thank you both for the quick and helpful replies.  Yes, this is definitely a RSA server config issue.  I was unaware of the "authentication settings" for the individual users.  I am now able to pass RADIUS attributes back to the Cisco ASA RADIUS client.  Haven't quite got it working to my liking yet, but I think I'm well on my way now.  Thanks!

0 Helpful

jfernandez11
Level 1
Level 1
In response to jfernandez11

‎10-13-2014 06:24 PM

Finally got the RADIUS server (RSA AM 8.1) to pass the RADIUS.25 attribute back to the RADIUS client (Cisco ASA 5510).  Here's what I did in hope that this will help others who run into this issue.  On the RSA AM server;

  1. Create RADIUS profile -
    1. RADIUS -> RADIUS Profiles -> Add New 
      1. Profile Name: group1
      2. Return List Attributes:
        1. Attribute: Class
        2. Value - group-GP1
        3. Add -> Save 
      3. Profile Name: NoVPN
      4. Return List Attributes:
        1. Attribute: Class
        2. Value - NoVPN
        3. Add -> Save
           
  2. Create RADIUS Client -
    1. RADIUS -> RADIUS Clients -> Add New 
      1. RADIUS Client tab;
        1. Client Name: ciscoasa
        2. IP Address: Cisco ASA's IP address
        3. Make/Model: Standard Radius
        4. Shared Secret - your designated shared secret
      2. RSA Agent tab;
        1. RADIUS profile: NOVPN
           
  3. Associate user account to RADIUS profile;
    1. Identity -> Users -> Manage Existing
      1. Search for user -> click on user -> Authentication Settings;
        1. User RADIUS Profile: group-GP1

I created a "NOVPN" group-policy and set that as the default RADIUS profile for the RADIUS client as well as the default group-policy for the single tunnel group profile on the Cisco ASA.  Then I set the "vpn-simultaneous-logins" to 0 so that users who are not part of the "group-GP1" group policy will be unable to connect.  I got this idea from the Cisco Ask the Expert page - https://supportforums.cisco.com/discussion/11365251/ask-expert-configuring-and-troubleshooting-aaa-asa-use-vpn. 

 

Initially I tried creating a custom "Identity Attribute" and added my various defined group-policies into the "Predefined List Entries".   Then I mapped this attribute to the RADIUS standard user attribute (Class, attribute ID #25).  I was confident that this would work and would be the easiest method to assign group policies to users, but the RADIUS attribute was never sent to the Cisco ASA and I'm not sure why.  I also tried manually setting the "RADIUS User Attributes" through the "User Authentication Settings" on the RSA server, but that didn't work either.  The only method that was successful (thanks to dexterism's help) was creating a separate RADIUS profile for each group policy that I created on our Cisco ASA appliance and then associating the policy through the "User RADIUS Profile" in the "User Authentication Settings."

Customers Also Viewed These Support Documents