ASA: cli, ssh asdm login and VPN login with the same freeRADIUS

hegegabor
Level 1

Hi all!

I have a problem. We are using a freeradius server to authenticate the VPN users. It works fine.

Now I want to authenticate the ssh and asdm users with the same radius.

The only problem is that the ASA doesn't send different attributes to the radius, and in the radius I can't sort the requests (VPN or SSH).

How can I set the ASA to send the Service-Type attribute or something else that could be useful?

Every time it sends just these attributes:

User-Name = xxx
User-Password = xxx
NAS-IP-Address = xxx
NAS-Port = xxx
NAS-Port-Type = Virtual
Cisco-AVPair = "ip:source-ip=xxx"
Calling-Station-Id = "ip:source-ip=xxx"

Have you got any idea?

ty

Gabor
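As an added illustration (not code from this thread, from Cisco or from FreeRADIUS), the following small Python policy shows why a RADIUS server that only sees the attribute set listed above cannot tell an SSH/ASDM login from a VPN login, and what a request that also carries Service-Type would let it do. The user names, passwords, addresses and the Service-Type-to-role mapping are constructed assumptions for the example.

```python
# RFC 2865 Service-Type values (the RFC link appears later in the thread).
SERVICE_TYPE_FRAMED = 2          # Framed-User
SERVICE_TYPE_ADMINISTRATIVE = 6  # Administrative-User
SERVICE_TYPE_NAS_PROMPT = 7      # NAS-Prompt-User

# Constructed user database (assumption): who may use which service.
USERS = {
    "vpnuser": {"password": "vpn-pass", "roles": {"vpn"}},
    "admin1": {"password": "adm-pass", "roles": {"vpn", "admin"}},
}


def asa_request(user, password):
    """Access-Request carrying only the attributes the thread lists for the
    ASA (values constructed). An SSH/ASDM login and a VPN login produce the
    same set, so this function has no 'which service' parameter at all."""
    return {
        "User-Name": user,
        "User-Password": password,
        "NAS-IP-Address": "192.0.2.1",
        "NAS-Port": 1,
        "NAS-Port-Type": "Virtual",
        "Cisco-AVPair": "ip:source-ip=198.51.100.7",
        "Calling-Station-Id": "ip:source-ip=198.51.100.7",
    }


def request_with_service_type(user, password, service_type):
    """The same request plus Service-Type, the kind of differentiating
    attribute the thread says IOS (not the ASA) can send (constructed)."""
    attrs = asa_request(user, password)
    attrs["Service-Type"] = service_type
    return attrs


def classify(attrs):
    """Map the request to the service asking for it. The value-to-role
    mapping is an assumption for this example, not documented ASA behaviour."""
    service_type = attrs.get("Service-Type")
    if service_type in (SERVICE_TYPE_ADMINISTRATIVE, SERVICE_TYPE_NAS_PROMPT):
        return "admin"
    if service_type == SERVICE_TYPE_FRAMED:
        return "vpn"
    return "ambiguous"


def authorize(attrs):
    """Return (reply code, reason). With an ambiguous request the server can
    only answer 'credentials are valid'; the NAS then applies that answer to
    whichever service asked, which is exactly the problem in the thread."""
    user = USERS.get(attrs.get("User-Name"))
    if user is None or user["password"] != attrs.get("User-Password"):
        return ("Access-Reject", "bad credentials")
    kind = classify(attrs)
    if kind == "ambiguous":
        return ("Access-Accept", "ambiguous: same answer for SSH and VPN")
    if kind in user["roles"]:
        return ("Access-Accept", kind)
    return ("Access-Reject", "user not permitted for " + kind)


if __name__ == "__main__":
    # The VPN-only user gets the same verdict whether SSH or VPN asked.
    print(authorize(asa_request("vpnuser", "vpn-pass")))
    # With Service-Type present the server can refuse the management login.
    print(authorize(request_with_service_type("vpnuser", "vpn-pass",
                                              SERVICE_TYPE_ADMINISTRATIVE)))
    print(authorize(request_with_service_type("vpnuser", "vpn-pass",
                                              SERVICE_TYPE_FRAMED)))
```

The point of the two request builders is that `asa_request` has no way to express which service is asking, so `authorize` returns the identical verdict for a VPN user's VPN login and that same user's SSH attempt; only the request that carries Service-Type lets the server reject the management login while still accepting the VPN one.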

6 Replies

jagadeeshan.s
Level 1

Hi,

An alternative idea is to use "aaa authentication" for the ssh & https services with your radius server.

-Jags.

Hi,

Per my knowledge, it is not possible to configure the ASA to send service-type in the radius access-request.

Ques: why do we need the service-type attribute? The user will be authenticated without it.

NOTE: ASA does not understand the cisco-avpair = "shell:priv-lvl=15" attribute.

Just configure your ASA with following commands:

aaa authentication http console LOCAL

aaa authentication ssh console LOCAL

username password priv 15

LOCAL: This will help you log into the ASA when freeradius is not available.

HTH

Regards,

JK

~Jatin

Hi,

ok, I know how to authenticate the ssh users with radius.

The only problem is that I don't want to allow VPN users to access ssh. But if the Radius can't separate the requests, it doesn't know which type of user wants to log in.

(Not just service-type is good for me; anything that differs between the two auth types.)

hmm, yes, exactly this is what I want.

I want authentication and authorization for ssh. I still have authentication (aaa of the VPN users), but the access-request is the same; this is the problem.

I can't separate these different types of authentication.

For example:

In Cisco IOS I can send vendor-specific attributes to radius ("vsa send"), and there the attribute values are different.

Hi,

You got it.

There is no command available on the ASA to send vendor-specific attributes.

I think you are looking for an attribute that differentiates the access-request for both cases. Also, the service-type attribute is a good catch, but this will always come in the radius accept, so you need to configure this on the free radius server.

Service-type:

http://freeradius.org/rfc/rfc2865.html#Service-Type

HTH

Regards,

JK

~Jatin

Hi.

Okay, I see there is no way to send specific attributes to radius, or to modify them in the ASA. That is what I wanted to know.

Thank you all.

BR,

Gabor