09-22-2009 02:48 AM - edited 03-10-2019 04:41 PM
Hi all!
I have a problem, we are using freeradius server to authenticate the VPN users. It works fine.
Now I want to authenticate the SSH and ASDM users with the same RADIUS server.
The only problem is that the ASA doesn't send different attributes to the RADIUS server, and in RADIUS I can't sort the requests (VPN or SSH).
How can I set the ASA to send the Service-Type attribute, or something else that could be useful?
Every time it sends just these attributes:
User-Name = xxx
User-Password = xxx
NAS-IP-Address = xxx
NAS-Port = xxx
NAS-Port-Type = Virtual
Cisco-AVPair = "ip:source-ip=xxx"
Calling-Station-Id = "ip:source-ip=xxx"
Have you got any idea?
Thanks,
Gabor
09-22-2009 02:56 AM
Hi,
An alternative idea is to use "aaa authentication" for the SSH and HTTPS services with your RADIUS server.
-Jags.
09-22-2009 04:29 AM
Hi,
To my knowledge, it is not possible to configure the ASA to send Service-Type in the RADIUS Access-Request.
Question: why do we need the Service-Type attribute? The user will be authenticated without it.
NOTE: The ASA does not understand the cisco-avpair "shell:priv-lvl=15" attribute.
Just configure your ASA with following commands:
aaa authentication http console
aaa authentication ssh console
username
LOCAL: This will let you log into the ASA when FreeRADIUS is not available.
HTH
Regards,
JK
09-22-2009 04:54 AM
Hi,
OK, I know how to authenticate the SSH users with RADIUS.
The only problem is that I don't want to allow VPN users to access SSH. But if RADIUS can't separate the requests, it doesn't know which type of user wants to log in.
(Not only Service-Type would be good for me; anything that differs between the two auth types.)
09-22-2009 04:36 AM
Hmm, yes, this is exactly what I want.
I want authentication and authorization for SSH. I still have authentication (AAA for the VPN users), but the Access-Request is the same; this is the problem.
I can't separate these different types of authentication.
For example:
In Cisco IOS I can send vendor-specific attributes to RADIUS ("vsa send"), and there the attribute values are different.
09-22-2009 05:07 AM
Hi,
You got it.
There is no command available on the ASA to send vendor-specific attributes.
I think you are looking for an attribute that differentiates the Access-Request for the two cases. Also, the Service-Type attribute is a good catch, but this will always come in the RADIUS Access-Accept, so you need to configure it on the FreeRADIUS server.
Service-type:
http://freeradius.org/rfc/rfc2865.html#Service-Type
HTH
Regards,
JK
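To make the discussion above concrete, here is an added example (not code from the thread, the ASA, or FreeRADIUS) that encodes an Access-Request carrying exactly the attribute list Gabor posted, including the Cisco AVPair as an RFC 2865 Vendor-Specific attribute, then parses it the way a server would and looks for anything a policy could branch on. It also implements the RFC 2865 section 5.2 User-Password hiding, since that is what actually protects the password on the wire, and an optional Service-Type so you can see the contrast with a request that does carry it. The username, addresses and the shared secret "testing123" are constructed placeholders.

```python
import hashlib
import os
import socket
import struct

# RFC 2865 attribute type codes and the Cisco vendor ID (IANA enterprise 9).
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
VENDOR_SPECIFIC, CALLING_STATION_ID, NAS_PORT_TYPE = 26, 31, 61
NAS_PORT_TYPE_VIRTUAL = 5
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ACCESS_REQUEST = 1


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator.
    This is keyed obfuscation, not authenticated encryption, which is why
    RADIUS traffic should be tunnelled (IPsec/RadSec) in practice."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as the server does it; NUL padding stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    """Type-Length-Value attribute; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """Vendor-Specific (26): 4-byte vendor ID followed by an inner TLV."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def build_access_request(username, password, secret, nas_ip, nas_port,
                         client_ip, ident=1, service_type=None):
    """Access-Request with the attribute list the thread shows the ASA sending.
    service_type is an extra the ASA does not send; it is here only to show
    what a server policy would key on if it were present (assumption)."""
    authenticator = os.urandom(16)
    tag = f"ip:source-ip={client_ip}".encode()
    body = [
        attr(USER_NAME, username.encode()),
        attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
        attr(NAS_PORT, struct.pack("!I", nas_port)),
        attr(NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_VIRTUAL)),
        cisco_avpair(tag),
        attr(CALLING_STATION_ID, tag),
    ]
    if service_type is not None:
        body.append(attr(SERVICE_TYPE, struct.pack("!I", service_type)))
    payload = b"".join(body)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(payload))
    return header + authenticator + payload


def parse_attributes(packet):
    """Walk the TLVs after the 20-byte header. Yields (type, vendor, vtype,
    value); vendor/vtype are None for standard attributes. Truncated or
    zero-length TLVs raise instead of looping forever."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            attrs.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            attrs.append((atype, None, None, value))
        pos += alen
    return attrs


def service_type_of(packet):
    """The Service-Type a server policy could branch on, or None when the
    request carries nothing that separates VPN from SSH/ASDM logins."""
    for atype, _, _, value in parse_attributes(packet):
        if atype == SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None


if __name__ == "__main__":
    pkt = build_access_request("gabor", "s3cret", b"testing123",
                               "192.0.2.1", 7, "198.51.100.5")
    for a in parse_attributes(pkt):
        print(a)
    print("Service-Type:", service_type_of(pkt))
```

Run it and the parsed attribute list is the same seven entries Gabor listed, with `service_type_of` returning None: the server sees the identical NAS-IP-Address, NAS-Port-Type=Virtual and source-ip AVPair whether the login came from a VPN client or an SSH session, so there is nothing in the request itself for an unlang policy to match on. The parser's length checks matter because a RADIUS server listens on a UDP port and must not trust the Length byte of any TLV.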
09-22-2009 05:33 AM
Hi,
OK, I see there is no way to send specific attributes to RADIUS, or to modify them on the ASA. That is what I wanted to know.
Thank you all.
BR,
Gabor