Trying to use RADIUS to control VPN and SSH access to ASA

corey · ‎02-17-2010

We're trying to implement RSA SecurID for our VPN user as well as access to our routers/switches/firewalls. RSA supports RADIUS, but not TACACS.

So RSA support has shown me how to setup a radius profile in their software that sends a class attribute, such as class=ou=admin to the ASA that they say will let me differentiate my admin users from VPN users. But I can't seem to figure out where this matches up with something on the ASA. I've been able to get myself logged in via VPN and SSH, but I obviously don't most VPN users to be able to SSH into the device.

Any tips as to how to differnetiate admin users from VPN users via RADIUS?

Jagdeep Gambhir · ‎02-17-2010

Corey,

In this case the only way possible is using RSA and LDAP. You can perform authentication with RSA in native mode and group mapping by
using the LDAP group mapping configuration. Authorization is controlled based on the user's LDAP group membership. When RSA native mode
authentication succeeds, group mapping is performed with LDAP. The user's group is applied based on the group mapping configuration.

RSA Authentication with LDAP Group Mapping,
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp574139




Regards,
~JG


Do rate helpful posts

corey · ‎02-18-2010

Thanks, I checked out that link. The document outlines what to do in ACS, but I'm not clear if or how that translates to doing the same type of thing on the ASA. We don't have an ACS server. RSA support did talk about groups, but I am just not seeing where this goes on the ASA.

20vek · ‎02-18-2010

Are you using ASA local AAA server or external one? If it's external then what is it? Freeradius and LDAP or MS one with Active Directory?

Ivan Martinon · ‎02-18-2010

In order to differenciate Admin users with VPN users you can use the service type attribue on the radius server to pass along Admin (service type 6) service type for ssh connections and Outbound (Service type 5) to allow vpn connections, to do so you need to configure authorization exc on the asa as the following link says:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1543122

HTH

Ivan

corey · ‎02-19-2010

Thanks Ivan, I think we're close now. By configuring those attributes on my radius server I can login with user or admin credentials to my routers now. But when I login to my ASA (I'm testing with telnet) it still does not give me level 15 access at the CLI. Even with the "aaa authorization exec authentication-server" command. Any other thoughts?

Ivan Martinon · ‎02-19-2010

Corey, Authorization exec works very diferent on ASAs as how it does on IOS, for instance on IOS you are placed immediately int exec level according to the privilege level defined on your AAA server. On the ASA authorization exec is only used to allow the user to create administrative connections to the box or not, it will never place you no matter what commands you add (this is by design) into exec mode. So with the "service type" you will only allow use to access first admin console and then enable mode.

corey · ‎02-22-2010

So I will still have to type "enable" to get into privileged mode? That's workable. At that point, which password is the enable password (assuming I'm still using RADIUS) - is it the real enable password, is it my RSA password or is it the default radius user (something like #r@d15 - it's excaping me right now)?

jedubois · ‎02-26-2010

Corey,

Typing enable is currently required to get into enable mode on the ASAs yes.

What enable password you use depends on the ASA configuration.

"aaa authentication enable console ..." is the line in the config to look at.

If it is set to radius then you will use the raidus password.

If it is set to local you would use the locally configured enable password.

--Jesse