New Member

ASA5500 web vpn radius attributes

Hi,

I'm working on getting SSL VPN users authenticated via RADIUS. Whenever a user authenticates I get the following attributes passed from the ASA:


        User-Name = "user"
        User-Password = "***"
        NAS-Port = 266403840
        Calling-Station-Id = "1.1.1.1"
        NAS-Port-Type = Virtual
        NAS-IP-Address = 2.2.2.2
        cisco-avpair = "ip:source-ip=1.1.1.1<30><149>"

 

Pretty standard stuff, but from the documentation ASAs support many more attributes. Why aren't these being passed in the authentication request? Is there something I need to do to enable these? Basically I have different tunnel groups with overlapping usernames, and the ASA isn't providing me any info on what group or URL the user landed on, so I don't know how to authenticate these users. Realms aren't an option for me.

 

  • VPN
Accepted Solution
VIP Purple

Is that really all that is sent? The RADIUS request should include the tunnel-group name, like the following, which is from a "debug radius" on an ASA 8.4(5):

Radius: Type = 146 (0x92) Tunnel-Group-Name
Radius: Length = 8 (0x08)
Radius: Value (String) =
56 50 4e 2d 44 45                                  |  VPN-DE

 

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
4 REPLIES
New Member

Yeah, that's all I get. Are you seeing that in an authentication request or an authorization?

 

I'm running 8.0(3)12, maybe that's the problem?

New Member

OK, so it looks like those attributes were added in 8.4(3), from the release notes:

 

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.

 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html
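The debug output in the accepted answer and the release-note excerpt above both describe the Tunnel-Group-Name VSA (Cisco vendor ID 9, vendor type 146) that newer ASAs add to the Access-Request. The following Python is an added example, not code from this thread or from Cisco: it builds a constructed Access-Request in that shape, decodes the standard attributes and the Cisco VSAs (cisco-avpair is vendor type 1), and shows how a RADIUS server-side hook could key overlapping usernames by tunnel group, failing closed when an older ASA sends no attribute 146. The user store, the packet values, and the function names are assumptions made for the example; the wire format follows RFC 2865.

```python
"""Decode Cisco VSAs in a RADIUS Access-Request and pick the user record by
(username, Tunnel-Group-Name), as a server-side authentication hook would."""
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                # cisco-avpair, vendor type 1
CISCO_TUNNEL_GROUP_NAME = 146   # Tunnel-Group-Name, sent by ASA 8.4(3) and later


def avp(attr_type, value):
    """One RADIUS attribute: type (1 byte), length incl. header (1 byte), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(vendor_type, value):
    """A Cisco sub-attribute wrapped in a Vendor-Specific (26) attribute.
    The sub-attribute uses the same TLV layout, so 'VPN-DE' gives length 8."""
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(vendor_type, value))


def build_access_request(identifier, attrs, authenticator=bytes(16)):
    """Header (code, id, length, 16-byte authenticator) followed by the AVPs.
    A real client uses a random Request Authenticator; zeros are fine offline."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(body))
    return header + authenticator + body


def parse_packet(data):
    """Return (code, identifier, standard, cisco): standard maps attribute type
    to a list of raw values, cisco maps Cisco vendor type to a list of raw values."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("RADIUS length field does not match packet size")
    standard, cisco = {}, {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + attr_len]
        pos += attr_len
        is_cisco = (attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6
                    and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID)
        if not is_cisco:   # standard attribute, or some other vendor's VSA
            standard.setdefault(attr_type, []).append(value)
            continue
        sub, spos = value[4:], 0   # one or more vendor-type/length/value triples
        while spos + 2 <= len(sub):
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("malformed Cisco VSA")
            cisco.setdefault(vtype, []).append(sub[spos + 2:spos + vlen])
            spos += vlen
    return code, identifier, standard, cisco


# Constructed user store (assumption): the same username exists in two tunnel
# groups, which is the overlap the question describes.
USER_STORE = {
    "VPN-DE": {"user": {"department": "de-ops"}},
    "VPN-US": {"user": {"department": "us-ops"}},
}


def resolve_user(data, store=USER_STORE):
    """Return (group, record) for an Access-Request, or (None, reason) when the
    request cannot be attributed to exactly one tunnel group and must be rejected."""
    code, _, standard, cisco = parse_packet(data)
    if code != RADIUS_ACCESS_REQUEST:
        return None, "not an Access-Request"
    names = standard.get(ATTR_USER_NAME, [])
    groups = cisco.get(CISCO_TUNNEL_GROUP_NAME, [])
    if len(names) != 1:
        return None, "expected exactly one User-Name"
    if len(groups) != 1:
        # An ASA older than 8.4(3) sends no Tunnel-Group-Name; with overlapping
        # usernames the request is ambiguous, so fail closed rather than guess.
        return None, "no Tunnel-Group-Name (146) in request; user is ambiguous"
    user, group = names[0].decode(), groups[0].decode()
    record = store.get(group, {}).get(user)
    if record is None:
        return None, "user %r not defined in tunnel group %r" % (user, group)
    return group, record


# Constructed request modelled on the attribute dump and debug output in the thread.
NEW_ASA_REQUEST = build_access_request(7, [
    avp(ATTR_USER_NAME, b"user"),
    avp(ATTR_NAS_IP_ADDRESS, bytes([2, 2, 2, 2])),
    avp(ATTR_NAS_PORT, struct.pack("!I", 266403840)),
    cisco_vsa(CISCO_AVPAIR, b"ip:source-ip=1.1.1.1"),
    cisco_vsa(CISCO_TUNNEL_GROUP_NAME, b"VPN-DE"),
])
# The same request as an 8.0-era ASA sends it: no Tunnel-Group-Name at all.
OLD_ASA_REQUEST = build_access_request(8, [
    avp(ATTR_USER_NAME, b"user"),
    avp(ATTR_NAS_IP_ADDRESS, bytes([2, 2, 2, 2])),
    cisco_vsa(CISCO_AVPAIR, b"ip:source-ip=1.1.1.1"),
])

if __name__ == "__main__":
    print(resolve_user(NEW_ASA_REQUEST))   # ('VPN-DE', {'department': 'de-ops'})
    print(resolve_user(OLD_ASA_REQUEST))   # (None, 'no Tunnel-Group-Name (146) ...')
```

The point of `resolve_user` is the second branch: without attribute 146 there is no safe way to tell which group's "user" is logging in, so the server should reject rather than pick one, which is why upgrading to a release that sends Tunnel-Group-Name is the real fix rather than any server-side heuristic on NAS-Port or source address.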

 

 

VIP Purple

> I'm running 8.0(3)12, maybe that's the problem?

OK, I didn't expect such an old version ...

Version 8.0 is already "End of Software Maintenance".

If you are planning the migration to 8.4, keep in mind that the memory requirements are higher than for older releases.

-- Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni