RADIUS Attributes & PIX 6.3(5)

I have a PIX 501 running the latest software - 6.3(5). I have VPDN enabled and I am connecting VPN clients using the Native L2TP client in Windows 2000/XP. This is working fine but I am using Microsoft IAS to authenticate users using RADIUS. The PIX doesn't send the RADIUS Attribute NAS-Port-Type and I would like to use this as one of the Policy Conditions when users attempt to Authenticate the VPN connection (L2TP). I also use IAS to authenticate Telnet/SSH/HTTPS access to the PIX for administration and I would prefer to have separate IAS Policies for VPN & Administration. Currently this isn't possible since the PIX doesn't send the RADIUS Attribute NAS-Port-Type to the IAS Server for Telnet, SSH, HTTPS or VPN connections. Is there a way to enable this or is this a feature in PIX 7.x?

Thanks

Andy


thomas.chen
Level 6

For authentication, you can use NT authentication on the ASA or you can enable the MS IAS Radius, also in 7.1.2 you can use LDAP.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00800b6099.shtml.

Thanks for the reply Thomas but I think you missed the point. I have Authentication working, the problem is the PIX - running 6.3(5) doesn't send any attributes to the RADIUS server as part of the Authentication request that I can use as part of the IAS Policy.

I authenticate Terminal (telnet/SSH) and HTTPS (PDM) users via RADIUS as well as VPN Users. I have a policy with conditions of the NAS-IP-Address matches the PIX and the Windows Group matches my Cisco Admin group. In this profile I originally only had the Authentication type set to PAP since this is what is sent when Administration Terminal (Telnet/SSH/HTTPS) users access the PIX. When a VPN user accesses the PIX it doesn't send any additional attributes to the RADIUS server indicating this is a VPN connection (such as NAS-Port-Type = VPN....) so I have had to add MSCHAP as an authentication type to the policy. The problem with this is I can't separate VPN & Admin users into two separate policies.

Does PIX 7.x send NAS-Port-Type in the Authentication request to the RADIUS Server?

Thanks

Andy
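Whether a NAS includes NAS-Port-Type (attribute 61) in its Access-Request is something you can verify directly from a packet capture on the IAS server rather than from documentation. The script below is an added example, not code from this thread, Cisco, or Microsoft: it parses the RADIUS attribute TLVs of an Access-Request, reports which policy-usable attributes are present (NAS-IP-Address, NAS-Port-Type, and the authentication method inferred from User-Password, CHAP-Password, or a Microsoft vendor-specific attribute), and applies the same split the two posts above want, admin versus VPN. Both sample packets, the NAS IP 192.0.2.1, the user name, and the zeroed authenticator and password fields are constructed for the example; a real capture would be fed in as the `packet` bytes instead.

```python
import struct
from typing import Dict, List, Tuple

# RADIUS attribute types from RFC 2865 (only the ones relevant to this policy question)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2      # present for PAP
ATTR_CHAP_PASSWORD = 3      # present for CHAP
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_PORT_TYPE = 61
ACCESS_REQUEST = 1
MICROSOFT_VENDOR_ID = b"\x00\x00\x01\x37"   # 311, carries MS-CHAP-Challenge/Response

# NAS-Port-Type values from RFC 2865; value 5 "Virtual" is what IAS shows as "Virtual (VPN)"
NAS_PORT_TYPE_NAMES = {0: "Async", 1: "Sync", 2: "ISDN Sync", 5: "Virtual", 15: "Ethernet"}


def parse_access_request(packet: bytes) -> Tuple[int, List[Tuple[int, bytes]]]:
    """Return (code, [(attribute_type, value), ...]) for one RADIUS packet.

    Header is Code(1) Identifier(1) Length(2) Authenticator(16); each attribute is
    Type(1) Length(1, counting itself and the type byte) Value.  Malformed input
    raises ValueError rather than being silently truncated.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs: List[Tuple[int, bytes]] = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, attrs


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_access_request(packet)
        return True
    except ValueError:
        return False


def classify_request(packet: bytes) -> Dict[str, object]:
    """Summarise the attributes an IAS policy condition could match on."""
    code, attrs = parse_access_request(packet)
    present = {t for t, _ in attrs}
    info: Dict[str, object] = {"code": code, "has_nas_port_type": ATTR_NAS_PORT_TYPE in present}
    for t, v in attrs:
        if t == ATTR_NAS_IP_ADDRESS and len(v) == 4:
            info["nas_ip"] = ".".join(str(b) for b in v)
        elif t == ATTR_USER_NAME:
            info["user"] = v.decode("utf-8", "replace")
        elif t == ATTR_NAS_PORT_TYPE and len(v) == 4:
            val = struct.unpack("!I", v)[0]
            info["nas_port_type"] = NAS_PORT_TYPE_NAMES.get(val, str(val))
    # Authentication method inferred from which credential attribute is carried.
    if ATTR_USER_PASSWORD in present:
        info["auth_type"] = "PAP"
    elif ATTR_CHAP_PASSWORD in present:
        info["auth_type"] = "CHAP"
    elif any(t == ATTR_VENDOR_SPECIFIC and v[:4] == MICROSOFT_VENDOR_ID for t, v in attrs):
        info["auth_type"] = "MS-CHAP"
    else:
        info["auth_type"] = "unknown"
    # The split the thread asks for: only possible when NAS-Port-Type is actually sent.
    if info["has_nas_port_type"]:
        info["policy"] = "vpn" if info.get("nas_port_type") == "Virtual" else "admin"
    else:
        info["policy"] = "indistinguishable without NAS-Port-Type"
    return info


def build_packet(code: int, ident: int, attrs: List[Tuple[int, bytes]]) -> bytes:
    """Assemble a packet for testing; a real NAS uses a random authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


NAS_IP = bytes([192, 0, 2, 1])   # constructed, documentation range
# Constructed admin-style request: PAP, no NAS-Port-Type (the behaviour described above)
ADMIN_REQUEST = build_packet(ACCESS_REQUEST, 1, [
    (ATTR_USER_NAME, b"andy"), (ATTR_USER_PASSWORD, bytes(16)), (ATTR_NAS_IP_ADDRESS, NAS_IP)])
# Constructed VPN-style request: MS-CHAP challenge VSA plus NAS-Port-Type = Virtual
MSCHAP_CHALLENGE_VSA = MICROSOFT_VENDOR_ID + bytes([11, 18]) + bytes(16)
VPN_REQUEST = build_packet(ACCESS_REQUEST, 2, [
    (ATTR_USER_NAME, b"andy"), (ATTR_VENDOR_SPECIFIC, MSCHAP_CHALLENGE_VSA),
    (ATTR_NAS_IP_ADDRESS, NAS_IP), (ATTR_NAS_PORT_TYPE, struct.pack("!I", 5))])

if __name__ == "__main__":
    for name, pkt in (("admin", ADMIN_REQUEST), ("vpn", VPN_REQUEST)):
        print(name, classify_request(pkt))
```

Point it at the raw UDP payload of an Access-Request taken from a capture on the IAS host (UDP/1812 or the legacy 1645): if `has_nas_port_type` comes back False for every request type, the policy condition cannot be built on that attribute, and the only remaining differentiators the NAS supplies are the ones this script lists.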