AAA with RADIUS of ASA

Hey everybody,

I'm with RADIUS AAA configuration on our Firewall remote ASA. It's pretty simple, but I have some firewall that does not work on. I upgraded the IOS image on the ASA 5510 to ASA804-K8. BIN on each of them. The weird part is some of them work and some of them do not work.

I was wondering if anyone else has encountered this before and what information do you need to give me a reference to help.

Thanks in advance,

Kimberly

Hi Kimberly,

just curious: why 8.0.4 and not 8.0.5?

What you use radius for? What is the radius server? You have configured all the ASAs of the radius servers? Did you use the right shared secret?

Is there something different between the ASAs working and does lack those? Configuration, location in the network, etc.?

If the above does not help, please post the config of ASA failure (or at least the relevant items and be sure to remove all sensitive data) and the output of:

Debug RADIUS

Debug aaa authentic

Debug aaa 254 Commons

You can test only the part of RADIUS with the command «test aaa-server authentication cli...» »

HTH

Herbert

Tags: Cisco Security

Similar Questions

Integration of AAA with RADIUS NPS Microsoft Active Directory

Hi all...

We are looking to centralize administrative authentication of our switches and routers using domain AD groups. The oldest switches being 3560 s. There are a lot of great guides online on how to do it using MS NPS, but they all seem to require NPS to the use of the PAP and SPAP for authentication methods between the RADIUS (switches) clients and NPS-clear text protocols. It is the only option to make this work? Of course, the main concern would be the high-level AD user passwords transmitted through the wire. Am I right in thinking that the AD passwords are indeed involved in the process and NOT only verification of the Shared Secret between the NPS RADIUS clients... and then membership in one group AD? Also, what would be a safe alternative where AD passwords would not be sent in clear text. Any clarification would be great...

Thank you... Dennis

Hello Dennis.

The password is not sent in clear text. Instead, it is encrypted by the n (in your case the switch) until this draft is forwarded to the Radius server. The 'shared secret' is used in the encryption process, that's why the secret is not sent over the network. In addition, this is why the shared secret should be complex. For more information, see the links below:

http://www.Cisco.com/c/en/us/support/docs/security-VPN/Remote-Authentication-Dial-user-service-RADIUS/12433-32.html

http://TechNet.Microsoft.com/en-us/library/cc771660%28V=WS.10%29.aspx

I hope this helps!

Thank you for evaluating useful messages!

WiFi WPA2 Enterprise with RADIUS - connection problem

Hello

I have here a new ISA 570w with the latest firmware (1.2.17).

Anyway, I can't get wifi to work in mode WPA2 Enterprise with RADIUS authentication.

Mode WPA2 PSK are not a problem.

I have configured the BEAM properly and I can connect directly to him via NTRadPing without any problem. Also the test in the web interface works without any problem (see Figure 2, 3).

The RADIUS server is a server Synology RADIUS on a Synology NAS, which is a FreeRADIUS server under the hood.

In the settings of the ISA wireless, I put this RADIUS server for authentication (see screenshot 1, 4).

However, I can not connect to connect to the network:

On the iPhone (iOS 6.1.3) I get a prompt for a user name and password, but when I click on connect, it says 'connect to 'cisco3'... ". "and stays there.

In ISA 570w newspaper, he said:

Information

Wireless

MSG = add MAC station in the list of the ATU. VID = 5; MAC = 5 C: 59:48:02:78:3E;

Information

Wireless

MSG = Wireless mode is a 802.11 mixed b_g_n

When I cancel the connection attempt, he said:

Information

Wireless

MSG = the Client has dissociated;

On my Thinkpad with Windows 7 Professional I have everything configured as usual (see screenshots 5,6,7,8) but when I try to connect I do not get a command prompt where I wonder username and password, and finally the connection cannot be established (see Figure 9). Also tried with the same configuration on an another Windows 7 Pro installed costs for laptop with the same problem.

I can't see any attempt of 570w ISA to authenticate anything in the logs of the RADIUS.

Also the capture of network traffic on the LAN to the Synology NAS port does not show the RADIUS datagrams.

I already disabled COP because I read that it can cause problems, but it did not help.

Can you please suggest something else I can try?

Thanks in advance!

Kind regards

Dominik

I saw these screenshots, but that screen settings just select the button set up next to the authentication method in the section user authentication, under users. In each of your screenshots, the RADIUS server identification number is 1, so I would also ensure that I configured the server ID RADIUS 1 that can be configured by going to users-> RADIUS servers.

All that said, I have seen that your tests have passed and I also do not understand the point of having the RADIUS settings on other screens and then to have info ID RADIUS. My thought is that you'd be able to pre-set RADIUS users of-> screen RADIUS servers and then select the RADIUS server ID in all other screens without having to enter the RADIUS news over and over again. He also thinks that you could ignore the users-> screen RADIUS server and enter RADIUS information over and over again and it should work... as you set up initially. However, based on the past experience of programming errors, I recommend configuring the ID from RADIUS server 1 under user-> RADIUS servers if you have not already... just in case where.

Shawn Eftink
CCNA/CCDA

Please note all useful messages and mark the correct answers to help others looking for solutions in the community.

Color of 3D text drawn with RADIUS Excursion

3D using drawn with RADIUS, I can extrude text to make it 3D. How to change the color of the excursion on the text. I don't know how on a form, but not on the thanks text.

Go to animate - side - colors - RGB

AAA ACS RADIUS ASA administrative access

We have an ASA 8.2 we'd like to AAA to configure ssh access using a 5.5 running ACS RADIUS.

Can get users authenticate, but ASA retains user record in user EXEC instead level privileged EXEC.

Installation on the ASA:

RADIUS protocol Server AAA rad-group1
AAA-server host of rad-Group1 (inside_pd) rad-server-1
key *.
AAA-server host of rad-Group1 (inside_pd) rad-Server-2
key *.
authentication AAA ssh console LOCAL rad-group1
AAA authentication telnet console LOCAL rad-group1
HTTP authentication AAA console LOCAL rad-group1
AAA authorization exec-authentication server

Have you tried pushing various combinations of these attributes of the ACS:

Value CVPN3000/ASA/PIX7.x-Priviledge-Level = 15
Value of RADIUS-IETF Service-Type = administrative (6)
Cisco-av-pair value = "" shell: priv-lvl = 15 ""

Hi Phil,

You are able to manage the privilege level is assigned to a user with Ganymede, however, you are not able to go to privilege level without enable authentication, unless you go to 9.1 (5) code.

Assign privileges on ASA with RADIUS

Hello. I use ASA 5510 8.2, ACS 4.2 for windows and RADIUS for auth.

I would attribute private user to logon level. Docs says that I must send Cisco VAS CVPN3000-privilege-level (id is 220), but I don't see this option in the configuration of the Interfaces.

How to set this attribute to the ACS? Maybe somehow I can specify manually GO?

Thank you.

You can control the level of privilege maximum with this pair of AV, but you cannot assign a privilege level during its connection as you can do with authorization exec on IOS.

SE2 RADIUS AAA with 3750E Version 12.2 (53)

Hi guys,.

I'm fighting with NPS AA configuration for our 3750 array... authentication and authorization

I tried almost every config I could find online, but the more I got out it is a simple authentication. What I need is quite simple:

We have several ad groups

1 - Admin

2 - Readonly with few privileges for ping, traceroute and show, telnet

I need my switches to recognize groups and assign the correct private. But it doesn't seem to be the case. Can someone show a clean config for the switch and NPS?

Thank you

P.S. I created and deleted most of my configs so if someone has something to clean and detail I would very much apreciate it.

Hello

This is the configuration I have on my IOS switch:

AAA authentication login default local radius group

AAA authentication enable default group enable RADIUS

RADIUS group AAA authorization exec default authenticated if

RADIUS-server host x.x.250.20 auth-port 1645 acct-port 1646 key xxxxxxx

I created two policies on the IAS (yours would be NPS). Both have Windows groups such as designating a ReadOnly condition and the other in the FullAccess group.

ReadOnly results return Service-Type NAS-Prompt

FullAccess results return Type of Administrative Service

When a user of ReadOnly access, I get:

User access audit

Username: priv1

Password:

Switch > en

Password:

% Authentication failure.

Switch >

Thus, the user is limited to the unpriviledged (>) mode controls.

When a user of FullAccess accessing:

User access audit

Username: priv15

Password:

Switch #.

I get directly affected to activate the Mode (#) due to the Administrative value of the attribute Type of service.

According to the role based there is a document on the Forum that refers to GANYMEDE + as well

https://supportforums.Cisco.com/docs/doc-15765

Kind regards.

802. 1 x authentication with Radius and win7 Mab

Good afternoon!

I have a question about 802.1 x I've set up a laboratory in which I have configured authentication mab with 802. 1 x, but I have a weird behavior of my network controller. On the switch (4948e), I see that the user is authenticated and authorized, and I can see my switch these outputs:

21 April 15:13:30.263: % AUTHMGR-5-START: start "mab" for the customer (a01d.48ac.b7f
(5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
* Apr 21 15:13:30.267: % MAB-5-SUCCESS: authentication successful for the client (a01d
. 48AC.B7F5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
* April 21 15:13:30.267: % AUTHMGR-7-RESULT: authentication result 'success' of me
ab' for the client (a01d.48ac.b7f5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C00000
02E002F3DAC
* Apr 21 15:13:31.299: % AUTHMGR-5-SUCCESS: authorization succeeds in for the customer (a0
1d.48AC.B7F5) on the Interface item in gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC

If I type "see the authentication session", the corresponding output.

Switch #show authentication sessions

Interface MAC address method ID of Session of field status
Item in gi1/11 a01d.48ac.b7f5 mab DATA Authz success C0A8DF9C0000002E002F3DAC

The thing is that when I check my network controller, it said "authentication failure". That's what I've done so far:

1. I restarted my pc, the same behavior.

2. I disabled and enabled my network controller, the same behavior.

3. I rebooted the switch and re-configured. Same behavior.

4. I tried with another PC configuration. Same behavior.

5. I changed the configuration of "user authentication" using dot1x EAP authenticator and it worked.

This is the configuration I have on my switch:

AAA new-model
Group AAA dot1x default authentication RADIUS
Group AAA authorization network default RADIUS
start-stop radius group AAA accounting dot1x default
AAA - the id of the joint session

!

control-dot1x system-auth

!

Switch #show run gigabitEthernet int 1/11
Building configuration...

Current configuration: 128 bytes
!
interface GigabitEthernet1/11

Cx-to-Host description
switchport access vlan 223
switchport mode access
Auto control of the port of authentication
MAB
end

This is the first time I'll put up a configuration 802. 1 x. I'm doing something wrong?

I really hope that I am not the only one with this kind of behavior!

Thank you for any assistance you can give me!

Status: Authz success

This means that the port is open. Is this permanent? Keep looking at the output of the show a few minutes see if it tries to dot1x too. Can you ping from the PC?

As authentication of 802. 1 X is enabled in the properties of the map NETWORK PC that you can expect dot1x method runs on the switch and eventually respond to the computer with auth fail. Authentication in the PC box is not necessary for MAB.

What type of RADIUS server you use and there 802.1 policy X in addition to MAB policy?

IP address: unknown

This means that the switch did not recognize the IP address of the host, probably due to the lack of

analysis of IP device

command. But it is not necessary for the plain MAB or dot1x.

Permission of AAA with ACS Shell-games

Hi all

I use a router cisco 871 running that version 12.4 (11) T advanced IP Services.

I have difficulty getting permission to AAA to work properly with ACS.

I am able to configure ACS fine users and assign them shell and private level 7.

I then install a set of Shell Auth and enter the issuance of orders and configure.

When I log in as a user, I get an exec with a level of 7 priv no problem, but I never seem to be able to

to access global configuration mode by typing in conf (or set up) terminal or t.

If I type con? It is the only command connect, configure is never an option...

The only way I can get this to work is by entering the command:

privilege exec level 7 Configure terminal

I thought the whole purpose of the ACS Shell Set to provide this information to the router?

It's frustrating

The ACS server is set up with the Shell Set named Level_7 order authorization

It is attributed to the relevant groups and I have the 'Unmatched orders' option selected in the 'license '.

The "unmatched Args allowed" is also selected.

See an extract of my IOS config below:

AAA new-model

!

!

AAA group Ganymede Server + ACS

Server 10.90.0.11

!

AAA authentication login default group local ACS

AAA authorization exec default group ACS

AAA authorization commands 7 by default local ACS group

!

Cisco radius-server host 10.90.0.11 keys

!

!

privilege exec level 7 Configure terminal

privilege exec level 7 set up

privilege exec level 7 show running-config

privileges exec level 7 show

!

Hope you can help me with this one...

PS I tried with orders of privilege on the router and remove the router and just keep getting the same results!

Hello

So now,

You're actually using two different options and trying to couple then together. What I would say is you either use authorization Command Shell function or play with level privileges. Not mixed together both.

Above scenario might work, if you move orders to focus on level 6 and give the 7 user privilege level. He couldn't be sure. Try it and share the results.

That's what I suggest that orders back to a normal level.

Provided below are the steps to set up the shell command authorization:

-------------------------------------------

Follow these steps on the router:

-------------------------------------------

! - is the desired username

! - is the password

! create - us a local user name and password

! - in case we are not able to get authenticated via

! - our Ganymede server +. To provide a backdoor.

password username 15 privilege

! - To apply the aaa on the router model

AAA new-model

! - Following command is to specify our ACS

! - location of the server, where is the

! - ip address of the ACS server. And

! - is the key which must be the same during the FAC and the router.

radius-server host key

! - To get the authentication of users through ACS, when they try to log - in

! - If our router is unable to join the ACS, we will use

! - our local user name & the password that we created above. This

! - we prevent locking.

AAA authentication login default group Ganymede + local

AAA authorization exec default group Ganymede + local

AAA authorization config-commands

AAA authorization commands 0 default group Ganymede + local

AAA authorization commands 1 default group Ganymede + local

AAA authorization commands 15 default group Ganymede + local

! - Sequence of commands are for posting to the activity of the user.

! - When the user connects to the device.

AAA accounting exec default start-stop Ganymede group.

AAA accounting system default start-stop Ganymede group.

orders accounting AAA 0 arrhythmic default group Ganymede +.

orders accounting AAA 1 by default start-stop Ganymede group.

orders accounting AAA 15 by default start-stop Ganymede group.

--------------------

ACS configuration

--------------------

[1] Goto 'Profile components shared' a-> 'Shell command authorization sets'-> 'Add '.

Provide any name at all.

provide sufficient description (if necessary)

(a) for full administrative access set.

In the unmatched controls, select 'allow '.

(b) for all access limited.

In the unmatched controls, select "decline."

And in the field above 'Add a command' box, type in the box below and the main command "permit unmatched Args" Order under allow.

For example: If we want the user to only have access to the following commads:

opening of session

Logout

output

Enable

Disable

Show

Then, the configuration should be:

-----------------------------------------------

-Allowed unparalleled Args.

-----------------------------------------------

connection permit

permit disconnection

exit permits

Select the permit

disable the permit

license terminal configuration

ethernet interface license

permits 0

to see the running-config

------------------------------------------------

in example above, user will be allowed to run only from commands. If the user tries to run the interface ethernet 1', the user will get "failed command authorization.

[2] press 'submit '.

[3] Goto Group on which we want to apply these command authorization set. Select 'change settings '.

(more...)

WLC with RADIUS question

Hello

I have the following strange behavior:

My WLCs connects to the RADIUS server by using the IP address of a dynamic interface instead of using the IP address of the management interface.

Dynamic interface Tha is on the same subnet / vlan from the RADIUS server.

What is the best interface to use for RADIUS authentication?

And how do I decide which interface shuold be RADIUS-source IP interface to connect with my radius servers?

Thank you all

Johnny

If you have the Radius Server on a subnet in which you have any interface on the wlc on, you will see the wlc by using this ip address. The ip address of the client AAA you should use is the dynamic ip address. The only time where you will see the wlc use its management interface is your wired and wireless (dynamic interfaces) are on different subnets.

C2960 with RADIUS

Hello, everyone!

I have a problem with the dynamic assignment of VLANS. The Setup is actually the following:

RADIUS host - Switch - Server

I have no problem with authentication, messages without any problems.

The thing is that the switch does not seem to notice the extra info than the server RADIUS provides, for example the [64] Tunnel-Type, [65] Tunnel-Medium-Type and [81] Tunnel-private-Group-ID.

Here is my configuration sw and RADIUS configurations

Current configuration: 1795 bytes

!

version 12.2

no service button

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

Switch host name

!

boot-start-marker

boot-end-marker

!

!

AAA new-model

!

!

Group AAA dot1x default authentication RADIUS

!

!

!

AAA - the id of the joint session

mtu 1500 routing system

IP subnet zero

!

!

!

!

!

!

control-dot1x system-auth

!

!

!

pvst spanning-tree mode

spanning tree extend id-system

!

internal allocation policy of VLAN ascendant

!

!

!

interface GigabitEthernet0/2

switchport mode access

dot1x EAP authenticator

self control-port dot1x

protect the dot1x violation-mode

!

interface GigabitEthernet0/3

switchport mode access

dot1x EAP authenticator

self control-port dot1x

protect the dot1x violation-mode

!

interface Vlan1

10.2.1.4 IP address 255.255.255.0

no ip route cache

!

IP http server

IP http secure server

RADIUS-server host 10.2.1.2 auth-port 1812 acct-port 1813

RADIUS testing123 key server

!

control plan

!

!

!

end

The VLAN are:

Ports of status for the name of VLAN

---- -------------------------------- --------- -------------------------------

1 default active Gi0/1, Gi0/2, Gi0/3, Gi0/4

Gi0/5, Gi0/6, Gi0/7, Gi0/8

Gi0/9, Gi0/10, Gi0/11, Gi0/12

Gi0/13, Gi0/14, Gi0/15, Gi0/16

Gi0/17, Gi0/18, Gi0/19, Gi0/20

Gi0/21, Gi0/22, Gi0/23, Gi0/24

2. the active MAN

3 active GRE

4 active BLU

13 COMMENTS active

99 active NATVIE

1002 fddi-default law/unsup

1003 token-ring-default law/unsup

1004 default fddinet law/unsup

1005 trnet default law/unsup

The RADIUS user is:

UserC Cleartext-Password: = "pass3".

Service-Type = Framed - User,

Tunnel-Medium-Type = "802,"

Tunnel-Type = "VLANS."

Tunnel-private-Group-Id = 'free WILL '.

Version of IOS 12.2 (44) SE6

As you can see, it's a pretty standard configuration, and although authentication works, dynamic assignment of VLANS is not.

Any ideas on what might solve the problem?

Add the following code to your configuration and test again:

Group AAA authorization network default RADIUS

With LDAP in ASA 5510 VPN

I have problem in LDAP ASA, I want to create LDAP authentication in remote access VPN before I try, I want to try local LDAP and the problem

debugging ldap 255

ldap authentication, aaa-server test

Name or IP address of the server: 10.40.5.2

Username: rian

Password: *.

[2] starting a session

[2] new query Session, context 0x41d1a04

starItedr

[2] create LDAP context with uri = ldap://10.40.5.2:389

NFO: Attempt to <10.40.5.2>IP address authentication test (timeout: 12 seconds)

[2] to connect to the LDAP server: ldap://10.40.5.2:389, status = success

[2] failed to bind as returned administrator code of invalid credentials (49)

[2] output fiber Tx = 37 bytes Rx = 109 bytes, status =-2

[2] end of session

ERROR: Authentication server fails: invalid password

What is the problem?

If I connect to the server with the username and password for ldap, I can connect. more information I have 2 domain first id.seapro.ad.crs.org second ID (ID of the domain user). I have the first field of use Plug and second not too.

Please help me, what is the problem?

Right answers. 'administrator' is not a valid dn connection in an ldap infrastructure. Follow what srue said and that will lead you in the right direction.

(6 points in this conversation).

Unable to set authentication of IPSec with RADIUS clients

Hello

I configured the VPN IPSec server for remote clients on Cisco 2811 with XAuth (see attached cisco vpn configuration). Initially, I configured clients extended authentication (Xauth) using a local database of IOS users and it worked fine, but then I tried to configure the authentication of clients through FreeRADIUS and got authentication errors (see part of freeradius log attached): in fact, instead of username/password name customer shipped Xauth Cisco sends a VPN-group/pre-shared key combination to FreeRADIUS. Obviously FreeRADIUS does not name of user and password in its database and answers with an error. Is it possible somehow to reconfigure Cisco such that it would be sent insead of name of user and password to VPN-group/pre-shared key or reconfigure FreeRADIUS so that he would interpret the VPN-group/pre-shared key parameters?

xauth to the radius server must be not sending the group name and the password to the RADIUS. xauth should send the user name and password when the user authenticates.

(1) you can try to authenticate to the server radius of the router itself, using the command 'test aaa'--> check if authentication works.

(2) when you connect with the vpn client, you get prompted for the user name and password, and what do you have?

Using CHAP with RADIUS authentication

Hello

I configured a Cisco 877 router to send the RADIUS requests when a user connects to the console (Console line) or VTY Line using the following configuration:

AAA new-model

Group AAA authentication login default RADIUS

Group AAA authentication ppp default of RADIUS

RADIUS-server host 10.0.0.1 auth-port 1812 acct-port 1812 mysharedkey key

When I connect the RADIUS packets I see the Cisco router sends the initial AccessRequest using PAP.

How can I configure my router to send it's original AccessRequest package with CHAP?

My apologies if this has already been discussed, I searched high and low for an answer.

Thanks in advance.

John

Hi John,.

PPP connection supported by CHAP because a configuration command to activate the CHAP protocol as Protocol of stimulus / response. However, the Console VTY connections and to THE will always go on PAP when using RADIUS authentication. There is no command to activate the CHAP protocol for these types of connections.

Best regards.

listener authentication AAA with the custom login page

Hello

is it possible to customize the page of connection on an ASA 5520 8.2 (1) that appears when you use the "listener authentication aaa" by adding images? I know that there is the command 'auth-guest' but it only allows to add text. Is there a form any HTML that allows the inclusion of the gif, bmp or jpg?

Any hint is appreciated.

Carpet
Hi Matthias,

officially, this is not possible. There is an improvement for this request:

CSCsh02789 Improvement: Ability to customize the page of connection through proxy cut

So you can open a TAC case and ask to link to the application (to add a little more weight) or contact your account team and ask them to talk to the business unit (to add more weight).

That said, there is a possible hack you might want to try:

for example, I have configured:

AUTH-guest guest Please loghttp://myserver/image.gif' > '.

and it shows the picture below to the command prompt. So it is a hack of course not supported, so it can break in future versions. And of course, it's pretty limited in what you can do.

Now, if you disable the listener, for HTTP, it will use basic browser (no login form) authentication, but for HTTPS, it will use always a form, but a much more basic, so you can always use the same hack with a little more flexibility.

HTH

Herbert

AAA with RADIUS of ASA

Similar Questions

Maybe you are looking for