AAA with RADIUS on ASA
Hey everybody,
I'm working on a RADIUS AAA configuration for our remote ASA firewalls. It's pretty simple, but I have some firewalls that it does not work on. I upgraded the IOS image on the ASA 5510s to asa804-k8.bin on each of them. The weird part is that some of them work and some of them do not.
I was wondering if anyone else has encountered this before, and what information you need me to give you so you can point me to a reference that would help.
Thanks in advance,
Kimberly
Hi Kimberly,
just curious: why 8.0.4 and not 8.0.5?
What do you use RADIUS for? What is the RADIUS server? Have you configured all the ASAs on the RADIUS server? Did you use the right shared secret?
Is there anything different between the ASAs that work and those that don't? Configuration, location in the network, etc.?
If the above does not help, please post the config of a failing ASA (or at least the relevant items, and be sure to remove all sensitive data) and the output of:
debug radius
debug aaa authentication
debug aaa common 254
You can test just the RADIUS part with the command "test aaa-server authentication cli...".
HTH
Herbert
Tags: Cisco Security
Similar Questions
-
Integration of AAA with RADIUS NPS Microsoft Active Directory
Hi all...
We are looking to centralize administrative authentication of our switches and routers using AD domain groups. The oldest switches are 3560s. There are a lot of great guides online on how to do it using MS NPS, but they all seem to require NPS to use PAP and SPAP as the authentication methods between the RADIUS clients (the switches) and NPS, which are clear-text protocols. Is this the only option to make this work? Of course, the main concern would be high-level AD user passwords being transmitted over the wire. Am I right in thinking that the AD passwords are indeed involved in the process, and NOT only verification of the shared secret between the RADIUS clients and NPS... and then membership in an AD group? Also, what would be a safe alternative where AD passwords would not be sent in clear text? Any clarification would be great...
Thank you... Dennis
Hello Dennis.
The password is not sent in clear text. Instead, it is encrypted by the NAS (in your case the switch) before the request is forwarded to the RADIUS server. The shared secret is used in the encryption process, which is why the secret itself is not sent over the network. That is also why the shared secret should be complex. For more information, see the link below:
http://TechNet.Microsoft.com/en-us/library/cc771660%28V=WS.10%29.aspx
I hope this helps!
Thank you for rating helpful posts!
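The answer above describes how the NAS hides the password with the shared secret. As an added example, not code from the thread or from Microsoft's documentation, here is the RFC 2865 section 5.2 User-Password construction in Python, together with what a passive observer who has captured the Access-Request can do when the shared secret is guessable. The secret "testing123" (the FreeRADIUS default that also appears on this page), the password "S3cret!" and the three-word "wordlist" are constructed sample values.

```python
import hashlib
import os

# RFC 2865 section 5.2: User-Password (attribute 2) is never sent in clear text.
# The NAS pads the password to a multiple of 16 bytes and XORs each block with
# MD5(shared_secret + previous_ciphertext_block); the first block is keyed with
# the 16-byte Request Authenticator, which travels unencrypted in the packet header.


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Return the hidden User-Password value the NAS puts in the Access-Request."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(block, key))
        out += cipher
        prev = cipher  # chaining: the next block's key depends on this ciphertext block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; this is what the RADIUS server does.
    Trailing NUL padding is stripped (RFC 2865 gives no way to tell it from a
    password that ends in NUL)."""
    padded = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        padded += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(padded).rstrip(b"\x00")


def recover_with_wordlist(hidden: bytes, request_authenticator: bytes, candidates):
    """What a passive observer can do with a captured Access-Request: the
    Request Authenticator is visible, so the shared secret is the only unknown.
    Each candidate secret is tried; a wrong secret yields random bytes, so
    'decodes to printable ASCII' is a good enough oracle. Returns (secret, password)
    for the first hit, or None."""
    for secret in candidates:
        guess = reveal_user_password(hidden, secret, request_authenticator)
        if guess and all(0x20 <= b < 0x7F for b in guess):
            return secret, guess
    return None


if __name__ == "__main__":
    # Constructed sample values, not taken from the original thread.
    authenticator = os.urandom(16)
    hidden = hide_user_password(b"S3cret!", b"testing123", authenticator)
    print("on the wire :", hidden.hex())
    print("server side :", reveal_user_password(hidden, b"testing123", authenticator))
    # A default or dictionary secret hands the password to anyone holding the capture;
    # that is the practical reason the answer insists on a complex shared secret.
    print("observer    :", recover_with_wordlist(hidden, authenticator, [b"cisco", b"radius", b"testing123"]))
```

The hiding is an XOR stream keyed by MD5 of the secret, not an authenticated cipher, so on a shared LAN the protection of an AD password reduces entirely to the entropy of the shared secret; a RADIUS transport the attacker cannot see (a dedicated management VLAN, IPsec or RadSec) is the usual mitigation.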
-
WiFi WPA2 Enterprise with RADIUS - connection problem
Hello
I have here a new ISA 570w with the latest firmware (1.2.17).
Anyway, I can't get WiFi to work in WPA2 Enterprise mode with RADIUS authentication.
WPA2 PSK mode is not a problem.
I have configured the RADIUS server properly and I can connect to it directly via NTRadPing without any problem. The test in the web interface also works without any problem (see screenshots 2, 3).
The RADIUS server is a Synology RADIUS Server on a Synology NAS, which is a FreeRADIUS server under the hood.
In the wireless settings of the ISA, I set this RADIUS server for authentication (see screenshots 1, 4).
However, I cannot connect to the network:
On the iPhone (iOS 6.1.3) I get a prompt for a username and password, but when I tap connect, it says "connecting to 'cisco3'..." and stays there.
In the ISA 570w log, it says:
Information
Wireless
MSG=Add station MAC to ATU list. VID=5; MAC=5C:59:48:02:78:3E;
Information
Wireless
MSG=Wireless mode is 802.11 b_g_n mixed
When I cancel the connection attempt, it says:
Information
Wireless
MSG=Client has disassociated;
On my ThinkPad with Windows 7 Professional I have everything configured as usual (see screenshots 5, 6, 7, 8), but when I try to connect I do not get a prompt asking for username and password, and in the end the connection cannot be established (see screenshot 9). I also tried the same configuration on another freshly installed Windows 7 Pro laptop, with the same problem.
I can't see any attempt by the ISA 570w to authenticate anything in the RADIUS logs.
Also, a capture of the network traffic on the LAN port to the Synology NAS does not show any RADIUS datagrams.
I already disabled COP because I read that it can cause problems, but it did not help.
Can you please suggest something else I can try?
Thanks in advance!
Kind regards
Dominik
I saw those screenshots, but that screen's settings just select the Configure button next to the authentication method in the User Authentication section, under Users. In each of your screenshots the RADIUS server ID is 1, so I would also make sure that RADIUS server ID 1 is configured, which can be done by going to Users -> RADIUS Servers.
That said, I have seen that your tests passed, and I also do not understand the point of having the RADIUS settings on other screens and then having a RADIUS ID field. My thought is that you should be able to pre-set RADIUS servers on the Users -> RADIUS Servers screen and then select the RADIUS server ID on all other screens without having to enter the RADIUS info over and over again. I also think that you could ignore the Users -> RADIUS Servers screen and enter the RADIUS information over and over again and it should work... as you set it up initially. However, based on past experience with programming errors, I recommend configuring RADIUS server ID 1 under Users -> RADIUS Servers if you have not already... just in case.
Shawn Eftink
CCNA/CCDA
Please rate all helpful posts and mark the correct answers to help others looking for solutions in the community.
-
Color of the 3D extrusion on text
Using 3D extrusion, I can extrude text to make it 3D. How do I change the color of the extrusion on the text? I know how to do it on a shape, but not on text. Thanks.
Go to animate - side - colors - RGB
-
AAA ACS RADIUS ASA administrative access
We have an ASA 8.2 on which we'd like to configure AAA for SSH access using ACS 5.5 running RADIUS.
We can get users to authenticate, but the ASA keeps the user in user EXEC instead of privileged EXEC level.
Setup on the ASA:
aaa-server rad-group1 protocol radius
aaa-server rad-group1 (inside_pd) host rad-server-1
 key *
aaa-server rad-group1 (inside_pd) host rad-server-2
 key *
aaa authentication ssh console rad-group1 LOCAL
aaa authentication telnet console rad-group1 LOCAL
aaa authentication http console rad-group1 LOCAL
aaa authorization exec authentication-server
I have tried pushing various combinations of these attributes from the ACS:
CVPN3000/ASA/PIX7.x-Privilege-Level = 15
RADIUS-IETF Service-Type = Administrative (6)
cisco-av-pair = "shell:priv-lvl=15"
Hi Phil,
You are able to manage the privilege level assigned to a user with TACACS+; however, you are not able to go to that privilege level without enable authentication, unless you go to 9.1(5) code.
-
Assign privileges on ASA with RADIUS
Hello. I use an ASA 5510 8.2, ACS 4.2 for Windows and RADIUS for auth.
I would like to assign the user's privilege level at logon. The docs say that I must send the Cisco VSA CVPN3000-Privilege-Level (ID 220), but I don't see this option in Interface Configuration.
How do I set this attribute on the ACS? Maybe I can specify it manually somehow?
Thank you.
You can control the maximum privilege level with this AV pair, but you cannot assign a privilege level at login as you can with exec authorization on IOS.
-
AAA RADIUS with 3750E version 12.2(53)SE2
Hi guys,
I'm fighting with the NPS AAA configuration for our 3750 stack... authentication and authorization.
I tried almost every config I could find online, but the most I got out of it is simple authentication. What I need is quite simple:
We have several AD groups:
1 - Admin
2 - Readonly with a few privileges for ping, traceroute, show and telnet
I need my switches to recognize the groups and assign the correct privilege level. But that doesn't seem to be the case. Can someone show a clean config for the switch and NPS?
Thank you
P.S. I created and deleted most of my configs, so if someone has something clean and detailed I would very much appreciate it.
Hello,
This is the configuration I have on my IOS switch:
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius if-authenticated
radius-server host x.x.250.20 auth-port 1645 acct-port 1646 key xxxxxxx
I created two policies on IAS (yours would be NPS). Both have a Windows Groups condition, one designating the ReadOnly group and the other the FullAccess group.
ReadOnly returns Service-Type = NAS-Prompt
FullAccess returns Service-Type = Administrative
When a ReadOnly user logs in, I get:
User Access Verification
Username: priv1
Password:
Switch>en
Password:
% Authentication failure.
Switch>
Thus, the user is limited to the unprivileged (>) mode commands.
When a FullAccess user logs in:
User Access Verification
Username: priv15
Password:
Switch#
I get put directly into enable mode (#) due to the Administrative value of the Service-Type attribute.
Regarding role-based access, there is a document on the forum that refers to TACACS+ as well:
https://supportforums.Cisco.com/docs/doc-15765
Kind regards.
-
802.1X authentication with RADIUS and MAB, Win7
Good afternoon!
I have a question about 802.1X. I've set up a lab in which I have configured MAB authentication with 802.1X, but I get weird behaviour from my network adapter. On the switch (4948E) I see that the user is authenticated and authorized, and I can see these outputs on my switch:
*Apr 21 15:13:30.263: %AUTHMGR-5-START: Starting 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %MAB-5-SUCCESS: Authentication successful for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:30.267: %AUTHMGR-7-RESULT: Authentication result 'success' from 'mab' for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
*Apr 21 15:13:31.299: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (a01d.48ac.b7f5) on Interface Gi1/11 AuditSessionID C0A8DF9C0000002E002F3DAC
If I type "show authentication sessions", this is the corresponding output:
Switch#show authentication sessions
Interface  MAC Address     Method  Domain  Status         Session ID
Gi1/11     a01d.48ac.b7f5  mab     DATA    Authz Success  C0A8DF9C0000002E002F3DAC
The thing is that when I check my network adapter, it says "authentication failure". This is what I've done so far:
1. I restarted my PC: same behaviour.
2. I disabled and re-enabled my network adapter: same behaviour.
3. I rebooted the switch and reconfigured it. Same behaviour.
4. I tried with another PC configuration. Same behaviour.
5. I changed the "user authentication" configuration to use dot1x pae authenticator, and it worked.
This is the configuration I have on my switch:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa session-id common
!
dot1x system-auth-control
!
Switch#show run int gigabitEthernet 1/11
Building configuration...
Current configuration : 128 bytes
!
interface GigabitEthernet1/11
 description Cx-to-Host
 switchport access vlan 223
 switchport mode access
 authentication port-control auto
 mab
end
This is the first time I'm setting up an 802.1X configuration. Am I doing something wrong?
I really hope that I am not the only one with this kind of behaviour!
Thank you for any assistance you can give me!
Status: Authz Success
This means that the port is open. Is this permanent? Keep looking at the show output for a few minutes to see if it tries dot1x too. Can you ping from the PC?
As 802.1X authentication is enabled in the properties of the PC's network card, you can expect the dot1x method to run on the switch and eventually respond to the computer with an auth fail. The authentication checkbox on the PC is not necessary for MAB.
What type of RADIUS server do you use, and is there an 802.1X policy in addition to the MAB policy?
IP Address: Unknown
This means that the switch did not learn the IP address of the host, probably due to the lack of the
ip device tracking
command. But it is not necessary for plain MAB or dot1x.
-
AAA authorization with ACS shell command sets
Hi all
I use a Cisco 871 router running version 12.4(11)T Advanced IP Services.
I have difficulty getting AAA authorization to work properly with ACS.
I am able to configure users in ACS fine and assign them shell and privilege level 7.
I then set up a shell authorization set and enter the commands, including configure.
When I log in as a user, I get an exec with privilege level 7, no problem, but I never seem to be able to
access global configuration mode by typing conf t (or configure terminal).
If I type con? the only command is connect; configure is never an option...
The only way I can get this to work is by entering the command:
privilege exec level 7 configure terminal
I thought the whole purpose of the ACS shell set was to provide this information to the router?
It's frustrating.
The ACS server is set up with the shell command authorization set named Level_7.
It is assigned to the relevant groups and I have the 'Unmatched Commands' option set to 'Permit'.
'Permit Unmatched Args' is also selected.
See an extract of my IOS config below:
aaa new-model
!
aaa group server tacacs+ ACS
 server 10.90.0.11
!
aaa authentication login default group ACS local
aaa authorization exec default group ACS
aaa authorization commands 7 default group ACS local
!
tacacs-server host 10.90.0.11 key cisco
!
privilege exec level 7 configure terminal
privilege exec level 7 configure
privilege exec level 7 show running-config
privilege exec level 7 show
!
Hope you can help me with this one...
PS I tried with the privilege commands on the router and with them removed from the router, and I just keep getting the same results!
Hello,
You're actually using two different options and trying to couple them together. What I would say is that you either use the shell command authorization function or play with privilege levels. Don't mix the two together.
The above scenario might work if you move the commands to level 6 and give the user privilege level 7. I can't be sure. Try it and share the results.
What I suggest is to set the commands back to their normal level.
Below are the steps to set up shell command authorization:
-------------------------------------------
Follow these steps on the router:
-------------------------------------------
! - <username> is the desired username
! - <password> is the password
! - Create a local username and password
! - in case we are not able to get authenticated via
! - our TACACS+ server. This provides a backdoor.
username <username> privilege 15 password <password>
! - To apply the aaa model on the router
aaa new-model
! - The following command specifies our ACS
! - server location, where <ip> is the
! - IP address of the ACS server, and
! - <key> is the key, which must be the same on the ACS and the router.
tacacs-server host <ip> key <key>
! - To get users authenticated through ACS when they try to log in.
! - If our router is unable to reach the ACS, we will use
! - the local username and password that we created above. This
! - will prevent a lockout.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! - The following commands log the user's activity
! - while the user is connected to the device.
aaa accounting exec default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
--------------------
ACS configuration
--------------------
[1] Go to 'Shared Profile Components' -> 'Shell Command Authorization Sets' -> 'Add'.
Provide any name.
Provide a description (if necessary).
(a) For a full administrative access set:
Under Unmatched Commands, select 'Permit'.
(b) For a limited access set:
Under Unmatched Commands, select 'Deny'.
Then type the main command in the box above the 'Add Command' button, and in the box below it list the permitted arguments, with 'Permit Unmatched Args' checked.
For example, if we want the user to have access only to the following commands:
login
logout
exit
enable
disable
show
Then the configuration should be:
-----------------------------------------------
Permit Unmatched Args: checked
-----------------------------------------------
permit login
permit logout
permit exit
permit enable
permit disable
permit configure terminal
permit interface ethernet 0
permit show running-config
------------------------------------------------
In the example above, the user will be allowed to run only those commands. If the user tries to run 'interface ethernet 1', the user will get "command authorization failed".
[2] Press 'Submit'.
[3] Go to the Group to which we want to apply this command authorization set. Select 'Edit Settings'.
(more...)
-
Hello
I have the following strange behavior:
My WLC connects to the RADIUS server using the IP address of a dynamic interface instead of the IP address of the management interface.
That dynamic interface is on the same subnet/VLAN as the RADIUS server.
What is the best interface to use for RADIUS authentication?
And how do I decide which interface should be the RADIUS source IP interface for connecting to my RADIUS servers?
Thank you all
Johnny
If you have the RADIUS server on a subnet on which the WLC has an interface, you will see the WLC use that IP address. The AAA client IP address you should use is the dynamic interface's IP address. The only time you will see the WLC use its management interface is when your wired and wireless (dynamic) interfaces are on different subnets.
-
Hello, everyone!
I have a problem with dynamic VLAN assignment. The setup is actually the following:
RADIUS server - Switch - Host
I have no problem with authentication; it works without any problems.
The thing is that the switch does not seem to notice the extra info that the RADIUS server provides, for example [64] Tunnel-Type, [65] Tunnel-Medium-Type and [81] Tunnel-Private-Group-ID.
Here is my switch config and the RADIUS configuration:
Current configuration : 1795 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication dot1x default group radius
!
aaa session-id common
system mtu routing 1500
ip subnet-zero
!
dot1x system-auth-control
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/2
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
!
interface GigabitEthernet0/3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
!
interface Vlan1
 ip address 10.2.1.4 255.255.255.0
 no ip route-cache
!
ip http server
ip http secure-server
radius-server host 10.2.1.2 auth-port 1812 acct-port 1813
radius-server key testing123
!
control-plane
!
end
The VLANs are:
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23, Gi0/24
2    MAN                              active
3    GRE                              active
4    BLU                              active
13   COMMENTS                         active
99   NATVIE                           active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
The RADIUS user is:
UserC Cleartext-Password := "pass3"
        Service-Type = Framed-User,
        Tunnel-Medium-Type = "802",
        Tunnel-Type = "VLAN",
        Tunnel-Private-Group-Id = "free WILL"
IOS version 12.2(44)SE6
As you can see, it's a pretty standard configuration, and although authentication works, dynamic VLAN assignment does not. Any ideas on what might solve the problem?
Add the following to your configuration and test again:
aaa authorization network default group radius
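The ACS/ASA privilege-level thread, the IAS/NPS Service-Type thread for the 3750 and this dynamic-VLAN thread all come down to what the Access-Accept carries and how the NAS decodes it. As an added example, not code from any of the posts or from Cisco, this Python script encodes those attributes the way they appear on the wire (IETF Service-Type, the Cisco vendor-specific cisco-avpair "shell:priv-lvl=15", and the three RFC 2868 tunnel attributes with their tag byte) and decodes them back. The sample Access-Accept bodies and the VLAN name "BLU" are constructed; the privilege-level mapping follows the IOS switch behaviour described in the 3750 thread (Service-Type Administrative gives enable mode, NAS-Prompt does not), not the ASA's, which the ASA threads say ignores this at login.

```python
import struct

# RFC 2865 / RFC 2868 attribute types used by the threads above
SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
FRAMED_USER, ADMINISTRATIVE_USER, NAS_PROMPT_USER = 2, 6, 7  # Service-Type values
TUNNEL_TYPE_VLAN = 13          # RFC 3580 value for Tunnel-Type
TUNNEL_MEDIUM_IEEE_802 = 6     # RFC 2868 value for Tunnel-Medium-Type
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1  # Vendor-Specific: vendor 9, sub-attribute 1 = cisco-avpair


def attr(atype: int, value: bytes) -> bytes:
    """One attribute TLV: Type(1) Length(1) Value; Length includes the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def service_type(code: int) -> bytes:
    return attr(SERVICE_TYPE, struct.pack("!I", code))


def tagged_int(atype: int, tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: tag byte (0x01..0x1F, 0x00 = untagged) + 3-byte value."""
    return attr(atype, bytes([tag]) + value.to_bytes(3, "big"))


def tagged_string(atype: int, tag: int, text: str) -> bytes:
    return attr(atype, bytes([tag]) + text.encode())


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific(26) = Vendor-Id(4 bytes) + nested sub-attribute TLVs."""
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))


def decode_attributes(data: bytes) -> dict:
    """Walk the attribute list of an Access-Accept the way a NAS does; unknown
    attributes are skipped, malformed lengths are rejected rather than guessed."""
    out = {"cisco_avpairs": []}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype == SERVICE_TYPE and len(value) == 4:
            out["service_type"] = struct.unpack("!I", value)[0]
        elif atype == TUNNEL_TYPE and len(value) == 4:
            out["tunnel_type"] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            out["tunnel_medium_type"] = (value[0], int.from_bytes(value[1:], "big"))
        elif atype == TUNNEL_PRIVATE_GROUP_ID and value:
            # The tag is optional on this string attribute: a first byte > 0x1F is data, not a tag.
            if value[0] <= 0x1F:
                out["tunnel_private_group_id"] = (value[0], value[1:].decode())
            else:
                out["tunnel_private_group_id"] = (0, value.decode())
        elif atype == VENDOR_SPECIFIC and len(value) >= 4:
            if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
                continue
            sub, spos = value[4:], 0
            while spos + 2 <= len(sub):
                stype, slen = sub[spos], sub[spos + 1]
                if slen < 2 or spos + slen > len(sub):
                    raise ValueError("malformed vendor sub-attribute")
                if stype == CISCO_AVPAIR:
                    out["cisco_avpairs"].append(sub[spos + 2:spos + slen].decode())
                spos += slen
    return out


def exec_privilege(attrs: dict):
    """Privilege level an IOS switch lands in, per the 3750 thread: an explicit
    shell:priv-lvl=N wins; otherwise Service-Type Administrative-User gives 15 and
    NAS-Prompt-User gives 1. None means the server sent nothing usable."""
    for avp in attrs["cisco_avpairs"]:
        if avp.startswith("shell:priv-lvl="):
            return int(avp.split("=", 1)[1])
    return {ADMINISTRATIVE_USER: 15, NAS_PROMPT_USER: 1}.get(attrs.get("service_type"))


def vlan_assignment(attrs: dict):
    """VLAN a switch would assign: all three tunnel attributes present, carrying the
    same tag, Tunnel-Type = VLAN and Tunnel-Medium-Type = IEEE-802; otherwise none."""
    tt, tm, pg = (attrs.get(k) for k in ("tunnel_type", "tunnel_medium_type", "tunnel_private_group_id"))
    if tt is None or tm is None or pg is None:
        return None
    if not (tt[0] == tm[0] == pg[0]) or tt[1] != TUNNEL_TYPE_VLAN or tm[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    return pg[1]


# Constructed sample Access-Accept attribute lists (no packet header); "BLU" is a VLAN name.
ADMIN_ACCEPT = service_type(ADMINISTRATIVE_USER) + cisco_avpair("shell:priv-lvl=15")
READONLY_ACCEPT = service_type(NAS_PROMPT_USER)
VLAN_ACCEPT = (service_type(FRAMED_USER)
               + tagged_int(TUNNEL_TYPE, 1, TUNNEL_TYPE_VLAN)
               + tagged_int(TUNNEL_MEDIUM_TYPE, 1, TUNNEL_MEDIUM_IEEE_802)
               + tagged_string(TUNNEL_PRIVATE_GROUP_ID, 1, "BLU"))

if __name__ == "__main__":
    for name, body in (("admin", ADMIN_ACCEPT), ("readonly", READONLY_ACCEPT), ("vlan", VLAN_ACCEPT)):
        decoded = decode_attributes(body)
        print(f"{name:8s} {body.hex()}  priv={exec_privilege(decoded)} vlan={vlan_assignment(decoded)}")
```

Two practical checks fall out of the decoder: a Tunnel-Private-Group-ID whose tag does not match the other two tunnel attributes is silently ignored by the switch, and a Tunnel-Medium-Type other than IEEE-802 (6) never yields a VLAN, which is worth verifying with "debug radius" on the switch before suspecting the server. The decoder only reads attributes; without "aaa authorization network default group radius" the switch does not even look at them, which is the point of the answer above.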
-
I have a problem with LDAP on the ASA. I want to set up LDAP authentication for remote access VPN, but before I try that I want to test LDAP locally, and this is the problem:
debug ldap 255
test aaa-server authentication ldap
Server IP Address or name: 10.40.5.2
Username: rian
Password: *
[2] Session Start
[2] New request Session, context 0x41d1a04
[2] Creating LDAP context with uri=ldap://10.40.5.2:389
INFO: Attempting Authentication test to IP address <10.40.5.2> (timeout: 12 seconds)
[2] Connect to LDAP server: ldap://10.40.5.2:389, status = Successful
[2] Failed to bind as administrator returned code (49) Invalid credentials
[2] Fiber exit Tx=37 bytes Rx=109 bytes, status=-2
[2] Session End
ERROR: Authentication Server fails: Invalid password
What is the problem?
If I connect to the server with the LDAP username and password, I can connect. More information: I have 2 domains, the first id.seapro.ad.crs.org and the second ID (the user's domain ID). I use the first domain and not the second.
Please help me, what is the problem?
Correct answer: 'administrator' is not a valid bind DN in an LDAP infrastructure. Follow what srue said and that will lead you in the right direction.
-
Unable to set up IPsec client authentication with RADIUS
Hello
I configured an IPsec VPN server for remote clients on a Cisco 2811 with XAuth (see the attached Cisco VPN configuration). Initially I configured extended client authentication (XAuth) using the local IOS user database and it worked fine, but then I tried to configure client authentication through FreeRADIUS and got authentication errors (see the attached part of the FreeRADIUS log): in fact, instead of the username/password the client sends in XAuth, the Cisco sends the VPN-group/pre-shared key combination to FreeRADIUS. Obviously FreeRADIUS does not have that username and password in its database and answers with an error. Is it possible somehow to reconfigure the Cisco so that it sends the username and password instead of the VPN-group/pre-shared key, or to reconfigure FreeRADIUS so that it interprets the VPN-group/pre-shared key parameters?
XAuth to the RADIUS server should not be sending the group name and password to RADIUS. XAuth should send the username and password when the user authenticates.
(1) You can try to authenticate to the RADIUS server from the router itself, using the command 'test aaa' --> check if authentication works.
(2) When you connect with the VPN client, you get prompted for the username and password; what do you get?
-
Using CHAP with RADIUS authentication
Hello
I configured a Cisco 877 router to send RADIUS requests when a user connects to the console (console line) or a VTY line using the following configuration:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default group radius
radius-server host 10.0.0.1 auth-port 1812 acct-port 1812 key mysharedkey
When I capture the RADIUS packets, I see the Cisco router sends the initial Access-Request using PAP.
How can I configure my router to send its initial Access-Request packet with CHAP?
My apologies if this has already been discussed; I searched high and low for an answer.
Thanks in advance.
John
Hi John,
PPP connections support CHAP because there is a configuration command to enable CHAP as the challenge/response protocol. However, console, VTY and AUX connections will always use PAP when using RADIUS authentication. There is no command to enable CHAP for these types of connections.
Best regards.
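The answer says console and VTY logins always reach RADIUS as PAP and only PPP can use CHAP. As an added example, not from the thread and not Cisco code, here is what the CHAP alternative looks like on the RADIUS side in Python: the NAS sends CHAP-Password = Ident followed by MD5(Ident, password, challenge), with the challenge carried in CHAP-Challenge or, when that attribute is absent, taken from the Request Authenticator, and the server recomputes the digest from the clear-text password it stores. The ident, password and challenge below are constructed sample values.

```python
import hashlib
import hmac

CHAP_PASSWORD = 3     # RFC 2865 attribute: Ident(1 byte) + 16-byte CHAP response
CHAP_CHALLENGE = 60   # RFC 2865 attribute carrying the challenge, if it is not the authenticator


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1 as carried by RADIUS (RFC 2865 section 5.3):
    MD5(Identifier || password || challenge). The password never goes on the
    wire and, unlike the PAP User-Password hiding, the shared secret plays no part."""
    if not 0 <= ident <= 255:
        raise ValueError("CHAP ident is a single byte")
    return hashlib.md5(bytes([ident]) + password + challenge).digest()


def build_chap_password_attr(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Type/Length/Value encoding of CHAP-Password; the length is always 19."""
    value = bytes([ident]) + chap_response(ident, password, challenge)
    return bytes([CHAP_PASSWORD, len(value) + 2]) + value


def challenge_for_request(request_authenticator: bytes, chap_challenge=None) -> bytes:
    """RFC 2865 section 5.3: without a CHAP-Challenge attribute, the 16-byte
    Request Authenticator is the challenge."""
    return chap_challenge if chap_challenge is not None else request_authenticator


def server_verify_chap(attr_value: bytes, stored_password: bytes, challenge: bytes) -> bool:
    """The server recomputes the digest from the clear-text password it holds;
    a one-way password hash cannot verify CHAP, which is the operational cost of
    the method. The comparison is constant-time."""
    if len(attr_value) != 17:
        return False
    ident, response = attr_value[0], attr_value[1:]
    return hmac.compare_digest(response, chap_response(ident, stored_password, challenge))


if __name__ == "__main__":
    # Constructed sample exchange, not from the original thread.
    challenge = bytes(range(16))
    attribute = build_chap_password_attr(7, b"S3cret!", challenge)
    print("CHAP-Password attribute:", attribute.hex())
    print("server accepts correct password:", server_verify_chap(attribute[2:], b"S3cret!", challenge))
    print("server rejects wrong password  :", server_verify_chap(attribute[2:], b"S3cret?", challenge))
```

The trade-off the answer implies is visible here: CHAP keeps the password itself off the wire even against someone who knows the shared secret, but it forces the server to keep the clear-text (or reversibly encrypted) password, whereas PAP lets the server store a one-way hash at the cost of relying on the shared secret for confidentiality.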
-
aaa authentication listener with a custom login page
Hello
Is it possible to customize the login page on an ASA 5520 8.2(1) that appears when you use "aaa authentication listener", by adding images? I know that there is the 'auth-prompt' command, but it only allows adding text. Is there any form of HTML that allows the inclusion of a gif, bmp or jpg?
Any hint is appreciated.
Matthias
Hi Matthias,
Officially, this is not possible. There is an enhancement request for this:
CSCsh02789 Enhancement: Ability to customize the login page for cut-through proxy
So you can open a TAC case and ask to be linked to the request (to add a little more weight), or contact your account team and ask them to talk to the business unit (to add more weight).
That said, there is a possible hack you might want to try:
For example, I have configured:
auth-prompt prompt Please login <img src='http://myserver/image.gif'>
and it shows the picture below the prompt. It is a hack, of course not supported, so it can break in future versions. And of course, it's pretty limited in what you can do.
Now, if you disable the listener, for HTTP it will use basic browser authentication (no login form), but for HTTPS it will always use a form, though a much more basic one, so you can still use the same hack with a little more flexibility.
HTH
Herbert