ASA as a RADIUS client in ACS
Hi all
I added the ASA (version 8.0) as a RADIUS client to the ACS server (version 4.2). When I run "test aaa-server authentication" on the ASA with 'debug radius' enabled, I get this error message:
aaa authentication ACS host 10.1.2.25 test test passwo username $
INFO: Attempting authentication test to IP address <10.1.2.25> (timeout: 12 seconds)
radius mkreq: 0x6cb
alloc_rip 0x29f79044
    new request 0x6cb --> 221 (0x29f79044)
got user 'test'
got password
add_req 0x29f79044 session 0x6cb id 221
RADIUS_REQUEST
radius.c: rad_mkpkt
RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 62).....
01 dd 00 3e 11 76 77 e4 4d 02 13 50 49 4e 6f 7c    |  ...>.vw.M..PINo|
05 5a 8b 68 01 06 74 65 73 74 02 12 11 ca 28 65    |  .Z.h..test....(e
a4 49 ee 8a 76 46 29 10 3e f9 3f 1f 04 06 ac 1b    |  .I..vF).>.?.....
fb 02 05 06 00 00 00 28 3d 06 00 00 00 05          |  .......(=.....
Parsed packet data.....
RADIUS: Code = 1 (0x01)
RADIUS: Identifier = 221 (0xDD)
RADIUS: Length = 62 (0x003E)
RADIUS: Vector: 117677E44D021350494E6F7C055A8B68
RADIUS: Type = 1 (0x01) User-Name
RADIUS: Length = 6 (0x06)
RADIUS: Value (String) =
74 65 73 74                                        |  test
RADIUS: Type = 2 (0x02) User-Password
RADIUS: Length = 18 (0x12)
RADIUS: Value (String) =
11 ca 28 65 a4 49 ee 8a 76 46 29 10 3e f9 3f 1f    |  ..(e.I..vF).>.?.
RADIUS: Type = 4 (0x04) NAS-IP-Address
RADIUS: Length = 6 (0x06)
RADIUS: Value (IP Address) = 172.27.251.2 (0xAC1BFB02)
RADIUS: Type = 5 (0x05) NAS-Port
RADIUS: Length = 6 (0x06)
RADIUS: Value (Hex) = 0x28
RADIUS: Type = 61 (0x3D) NAS-Port-Type
RADIUS: Length = 6 (0x06)
RADIUS: Value (Hex) = 0x5
send pkt 10.1.2.25/1645
rip 0x29f79044 state 7 id 221
rad_vrfy() : bad auth req
rad_procpkt: radvrfy failed
RADIUS_DELETE
remove_req 0x29f79044 session 0x6cb id 221
free_rip 0x29f79044
radius: send queue empty
ERROR: Authentication Server not responding: AAA decode failure... server secret mismatch
and I do not know whether the shared secret is a match between the ASA and the ACS. Any suggestions would be much appreciated.
Thank you
Alex
Hi Alex,
Is the ASA defined in any NDG on the ACS?
If so, please remove the shared secret from the NDG and try the authentication test once again.
Let me know how it goes.
Kind regards
Anisha
PS: Please mark this thread as solved if you think your query is answered.
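An added example, my own code and not from this thread or from Cisco, that encodes and decodes a RADIUS Access-Request as laid out in RFC 2865 and then checks a reply's Response Authenticator the way the ASA's rad_vrfy() step does. It shows why a shared-secret mismatch between client and server surfaces as a verification failure (the reply is discarded) rather than as a server that is actually down. PAGE_PACKET is re-assembled from the parsed fields in the debug above; the two secrets, the password "Pa55word" and the user "bob" in the test are constructed. username_sent_as_password() is a hypothetical server-side check for the authorization-request shape Herbert describes further down this page (the ASA sending the username as the password).

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types used in the debug above (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, NAS_PORT_TYPE = 1, 2, 4, 5, 61

# The Access-Request from the debug above, re-assembled from its parsed fields.
PAGE_PACKET = bytes.fromhex(
    "01dd003e"                              # Code=1, Identifier=221, Length=62
    "117677e44d021350494e6f7c055a8b68"      # Request Authenticator ("Vector")
    "010674657374"                          # User-Name "test"
    "021211ca2865a449ee8a764629103ef93f1f"  # User-Password (hidden, 16 bytes)
    "0406ac1bfb02"                          # NAS-IP-Address 172.27.251.2
    "050600000028"                          # NAS-Port 0x28
    "3d0600000005"                          # NAS-Port-Type 5
)

def _xor_blocks(data, secret, authenticator, hide):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    the chain runs over ciphertext blocks in both directions."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        result = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        out += result
        prev = result if hide else block
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, authenticator, hide=True)

def reveal_password(hidden, secret, authenticator):
    return _xor_blocks(hidden, secret, authenticator, hide=False).rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_access_request(identifier, secret, username, password, nas_ip,
                         nas_port, nas_port_type=5, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # must be fresh per request
    attrs = [
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        (NAS_PORT, struct.pack("!I", nas_port)),
        (NAS_PORT_TYPE, struct.pack("!I", nas_port_type)),
    ]
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    """Decode header and TLV attributes, rejecting inconsistent lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": pkt[4:20], "attrs": attrs}

def build_response(code, request, secret, attrs=()):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request["id"], 20 + len(body))
    return header + hashlib.md5(header + request["authenticator"] + body + secret).digest() + body

def verify_response(response, request, secret):
    """Client side (the ASA's rad_vrfy): a reply whose authenticator does not
    verify under our copy of the secret is discarded as 'bad auth req'."""
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request["authenticator"] + body + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def username_sent_as_password(request, secret):
    """Hypothetical server-side check: does User-Password decrypt to the User-Name?
    That is the shape of an ASA RADIUS authorization request (see Herbert's reply below)."""
    attrs = dict(request["attrs"])
    return reveal_password(attrs[USER_PASSWORD], secret, request["authenticator"]) == attrs[USER_NAME]

def demo():
    asa_secret, acs_secret = b"s3cret-on-asa", b"s3cret-on-acs"  # constructed; deliberately different
    request = parse_packet(build_access_request(221, asa_secret, "test", "Pa55word", "172.27.251.2", 0x28))
    accept = build_response(ACCESS_ACCEPT, request, acs_secret)
    return {
        "page_user": dict(parse_packet(PAGE_PACKET)["attrs"])[USER_NAME],
        "verified_with_matching_secret": verify_response(accept, request, acs_secret),
        "verified_with_mismatched_secret": verify_response(accept, request, asa_secret),
    }
```

demo() builds a request under one secret and an Access-Accept under another; the accept verifies only with the server's secret, which is exactly the situation behind "rad_vrfy(): bad auth req" above. The User-Password hiding uses MD5 because RFC 2865 mandates it; it is an obfuscation, not an integrity mechanism, which is why the Response Authenticator check matters.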
Tags: Cisco Security
Similar Questions
-
Change the custom RADIUS attributes sent by a switch
I recently started using NPS to authenticate logins to my Cisco devices and I have the basics working. However, I need to add an additional constraint to my NPS network policies.
Right now I use the RADIUS client friendly name and/or IP address, but I can't find the syntax template for these NPS constraints that would do what I need without my creating literally dozens of policies. I need to somehow add an attribute to a certain group of switches so that I can "filter" which Windows AD group can connect to them, using a policy that matches that custom attribute.
In the NPS constraint list, I see I have a few options like 'Called Station ID', 'NAS ID' and 'Client Vendor ID', etc. Is there a way to change these attributes on the switch and send them to NPS so that I could achieve what I want? For example, I could set the 'Client Vendor ID' of my special switches to custom data that I could then use to match an NPS deny policy.
Any ideas?
TIA
Hello again Diego :)
I checked with a friend who has used NPS more than I have, and he was not aware of a way to create "location groups" in NPS or anything similar where you can distinguish two different NADs.
However, he offered an interesting solution. He suggested using a regular expression in the NAS Identifier field in NPS. The regular expression would be for the IP subnet of that particular site. For example, assume you have two sites:
1. Site A: with local subnet 192.168.30.x /24
2. Site B: with local subnet 10.10.1.x /24
In NPS, you can build rules like this:
If NAS Identifier is 10\.10\.1\.* and AD Group is Site_B_Admins Then Full access
And for Site A:
If NAS Identifier is 192\.168\.30\.* and AD Group is Site_A_Admins Then Full access
Of course, to do this, each site must have a single subnet that does not overlap with the other sites.
Hope that gives you some kind of a solution.
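An added example, my own code rather than anything from the reply above or from Microsoft, that evaluates the two NAS Identifier rules the way a first-match policy list would and makes the non-overlap condition checkable. It assumes, as the reply does, that the NAS Identifier carries the switch's IP address, and that a pattern without ^ and $ is matched anywhere in the value (Python's re.search stands in for the NPS matcher). It also shows why the patterns as posted are looser than the /24 they are meant to express: `10\.10\.1\.*` means "10.10.1 followed by zero or more dots", so it also matches a switch at 10.10.100.7 or 10.10.10.5; the anchored forms in POLICIES_ANCHORED do not.

```python
import re

# Constructed policies mirroring the two rules in the reply above: a NAS Identifier
# pattern plus the AD group the user must hold. Evaluation is first match wins.
POLICIES_AS_POSTED = [
    {"name": "Site B", "nas_id": r"10\.10\.1\.*", "group": "Site_B_Admins", "result": "Full access"},
    {"name": "Site A", "nas_id": r"192\.168\.30\.*", "group": "Site_A_Admins", "result": "Full access"},
]

# Same intent, but anchored and requiring a real fourth octet, so each pattern
# only matches hosts inside that site's /24.
POLICIES_ANCHORED = [
    {"name": "Site B", "nas_id": r"^10\.10\.1\.\d{1,3}$", "group": "Site_B_Admins", "result": "Full access"},
    {"name": "Site A", "nas_id": r"^192\.168\.30\.\d{1,3}$", "group": "Site_A_Admins", "result": "Full access"},
]


def matches(pattern, value):
    """Assumption: a pattern without ^/$ matches anywhere in the value (unanchored search)."""
    return re.search(pattern, value) is not None


def evaluate(policies, nas_identifier, user_groups):
    """Return the result of the first policy whose NAS Identifier pattern matches
    and whose AD group the user holds; otherwise deny because no policy matched."""
    groups = set(user_groups)
    for p in policies:
        if matches(p["nas_id"], nas_identifier) and p["group"] in groups:
            return f'{p["name"]}: {p["result"]}'
    return "Deny: no policy matched"


def overlap_report(policies, nas_identifiers):
    """For each NAS Identifier, the list of site patterns that match it. An entry
    with more than one name, or with the wrong site, violates the non-overlap
    condition the reply states."""
    return {v: [p["name"] for p in policies if matches(p["nas_id"], v)] for v in nas_identifiers}
```

Run overlap_report() over the NAS Identifier values of every switch before rolling the policies out; with the posted patterns a third site on 10.10.10.0/24 would silently fall under the Site B rule.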
-
ASA privilege level via RADIUS (Cisco ISE)
Dear,
I have tried to authenticate management access to the ASA against ISE and it works fine, but when I try to push privilege level 15 to it, I still end up at privilege level 1.
I am using the Cisco-AV-pair attribute; my ASA version is 9.0.
Thank you
Even if you push the cisco-av-pair attribute shell:priv-lvl=15 to the ASA, it won't let you land directly in privileged exec mode. You have to supply the enable password until you get to # mode.
https://supportforums.Cisco.com/thread/2201512
Let me know if you have any other requirement.
~ BR
Jatin kone
*Do rate all helpful posts*
-
ASA disconnects the client due to XAUTH failure even though XAUTH is disabled
Dear friends,
I am setting up an IPsec tunnel between a ZyXEL ZyWALL P1 hardware firewall and an ASA 5510, OS version 8.0(2). The two parties should authenticate using X.509 PKI certificates only, without any XAUTH authentication.
The current ASA configuration allows Cisco VPN software clients to connect without any problems. However, when I try to connect the ZyWALL, the ASA complains "peer is not authenticated by xauth - drop connection" and drops the connection. This puzzles me, as both the ZyWALL hardware and the software clients are handled by the same tunnel group, in which XAUTH is disabled with the command "isakmp ikev1-user-authentication none". My goal, obviously, is to configure the ASA so that it is possible to build an IPsec tunnel between the ASA and the ZyWALL authenticated using certificates only, without XAUTH.
The ZyWALL does not seem to support MODE CONFIG. I don't know if this is a notable fact, but I mention it for completeness.
I am attaching the relevant extracts from the configuration and the output of the command debug crypto isakmp 127. A short explanation of the different addresses in the debug output:
- 158.193.139.0/24 is the public segment in the lab where the ZyWALL device is being tested
- 192.168.167.0/24 is the private segment behind the ZyWALL device (its "LAN" interface)
- 172.27.137.0/24 is the private segment behind the ASA for clients accessing via IPsec
I am very grateful for any advice you can give me!
Best regards
Peter
Peter,
Well, I needed to read a large part of your e-mail.
I understand you basically want your ZyXEL firewall to act as an EzVPN client (note that it doesn't send the Unity vendor ID in MM1) and not as an L2L tunnel.
Group = TG-RAIS, Username = Peter Paluch VPN, IP = 158.193.139.173, processing hash payload
Is this username configured anywhere on the ZyXEL firewall?
Marcin
-
ASA 5505 as Easy VPN client, AM_ACTIVE status
Hi Experts,
We have an ASA5505 which is configured to operate as an Easy VPN client. The output of show isakmp sa indicates the state of the tunnels as AM_ACTIVE.
But we are not able to establish connectivity to one of the inside nodes.
What does AM_ACTIVE mean? My understanding is that all Easy VPN clients, hardware or software, use Aggressive Mode and that the tunnel is set up and works. The Easy VPN server configuration is not under our management; it is most likely a router, and we believe that the problem is the configuration at the server end.
In addition, there is virtually nothing to do on an Easy VPN client other than specifying the authentication and tunnel group information in the client, and it should connect. All other configuration is pushed from the Easy VPN server end, right?
In the output of show ipsec sa, I noted the following:
dynamic allocated peer ip: 0.0.0.0 ---> does this mean that my ASA5505 isn't assigned any IP by the Easy VPN server?
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0 ---> no decryption, which probably means that there is no response from the remote end, right?
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
In the output of show vpnclient detail I saw a lot of ISAKMP policies being created.
-------------------------------------------
crypto isakmp policy 65001
 authentication xauth-pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65002
 authentication xauth-pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65003
 authentication xauth-pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65004
 authentication xauth-pre-share
 encryption aes-192
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65005
 authentication xauth-pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65006
 authentication xauth-pre-share
 encryption aes
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65007
 authentication xauth-pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65008
 authentication xauth-pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65009
 authentication xauth-pre-share
 encryption des
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65010
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65011
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65012
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65013
 authentication pre-share
 encryption aes-192
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65014
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65015
 authentication pre-share
 encryption aes
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65016
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 2147483647
crypto isakmp policy 65017
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 2147483647
crypto isakmp policy 65018
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 2147483647
--------------------
Could this possibly be due to a bad server-end configuration, and be the cause of not being able to establish connectivity to the server-end nodes?
Help, please! Sorry for the mess, but we just want to make sure that it isn't something wrong with the configuration on our side!
Kind regards
ANUP sisi
There are 2 phases of IPsec: IKE (Phase 1), where the AM_ACTIVE status means Phase 1 is up, and IPsec (Phase 2); if you have both encaps and decaps incrementing, that means the tunnel is passing traffic.
Based on the output, the VPN tunnel is up and sends traffic to the network/VPN server; however, there is no response in return.
You should check the VPN server end to see if there are any configuration issues. Check the NAT exemption and ensure that it is configured on the headend. How have you set it up? PAT/Client mode or NEM?
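An added example, mine and not from the thread, that applies the reasoning in the reply above to the counters from the show ipsec sa output quoted in the question: parse the #pkts lines and classify Phase 2 as bidirectional, one-way or idle. SAMPLE_SA is constructed from the counters the poster quoted, with the inline comments removed; the counter names follow the ASA output format.

```python
import re

# Constructed sample: the counter lines from the ASA5505 'show ipsec sa'
# output quoted in the question above (comments removed).
SAMPLE_SA = """\
      dynamic allocated peer ip: 0.0.0.0
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
"""

# "#name: value" pairs; names run up to the colon and may contain spaces and hyphens.
COUNTER_RE = re.compile(r"#([A-Za-z][^:,#]*?):\s*(\d+)")
PEER_IP_RE = re.compile(r"dynamic allocated peer ip:\s*(\S+)")


def parse_sa(text):
    """Return {counter name: int} plus 'peer_ip' when the SA output carries one."""
    sa = {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}
    m = PEER_IP_RE.search(text)
    if m:
        sa["peer_ip"] = m.group(1)
    return sa


def diagnose(sa):
    """Phase 2 health from the counters, following the reply: traffic is only
    confirmed both ways when encaps and decaps both increment."""
    enc, dec = sa.get("pkts encaps", 0), sa.get("pkts decaps", 0)
    if sa.get("send errors", 0) or sa.get("recv errors", 0):
        return "errors: inspect #send/#recv errors before reading the other counters"
    if enc and dec:
        return "bidirectional: tunnel is passing traffic both ways"
    if enc and not dec:
        return "one-way: local side encrypts but nothing comes back (check headend NAT exemption/routing)"
    if dec and not enc:
        return "one-way: remote traffic arrives but nothing is sent"
    return "idle: no interesting traffic has hit the SA"
```

Take two snapshots a few seconds apart and diagnose the difference rather than a single reading; a counter that was non-zero an hour ago but is not moving now is the same symptom as a zero.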
-
IPsec VPN authentication problem against AD via RADIUS/ISA
As background, I have an IPsec VPN authenticating against the local database up and running, with access to my internal network and zero issues.
Now I would like to move away from local database authentication and bounce it against my AD. I am running Server 2003, so I configured ISA Server RADIUS and think I have it properly configured. It is registered in AD, I added my ASA as a RADIUS client, and I customized the remote access and connection request policies.
The authentication test in ASDM succeeds with all the users who need it.
When testing through my VPN client on a remote computer, I get "connection terminated by peer, no reason given".
The event logs on the domain controller say:
- user domain\%username% was granted access.
directly after this, there is an entry
- VPN-RADIUS-GP was denied access
where VPN-RADIUS-GP is the name of the tunnel group policy in my ASA.
I've been through a lot of literature and a few forums and have not yet found any explanation as to why this would show up as a username trying to authenticate to the ISA.
Anyone have any ideas?
Thank you
Mac
group-policy VPN-Radius-GP external server-group VPN_Radius_Auth password aaaaaaaaaaaaaaaaaaaaaa
It is an external group policy, which by definition means it is defined on the AAA server, so the ASA sends a RADIUS access-request to retrieve the group policy attributes.
See for example http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/vpngrp.html#wp1133706
If this isn't what you want, then just remove that group policy and use an internal one (like the "q101 VPN GP" you have).
HTH
Herbert
-
Spurious RADIUS requests from Cisco ASA 5510 for VPN clients
Hello world
I use the Cisco VPN client 5.0.7 and a Cisco ASA 5510 (7.4 and 8.4.2) as a VPN RAS solution. Clients are authenticated using certificates and RADIUS AAA (ACS 3.3) with AD.
Each time a client connects, the ASA issues 2 RADIUS requests: the first, correct one, which is successfully authenticated by ACS, and immediately afterwards a second one that always fails. I couldn't find information related to this strange behaviour. The "Double Authentication" feature (the most likely candidate by its name) is only available to AnyConnect clients, which we do not use. When I authenticate using a group password, there is only one RADIUS query.
What is the source of such behaviour?
The negative impact is that my logs are filled with spurious failed authentication attempts and the users' failed-attempt counters in AD keep incrementing.
Debugging of ASA:
-First request-
RDS 2011-10-24 16:16:01 0232 14884 Request from host 172.16.8.1:1645 code=1, id=22, length=145 on port 1025
RDS 2011-10-24 16:16:01 I 2519 14884 [001] User-Name value: User1
RDS 2011-10-24 16:16:01 I 2519 14884 [002] User-Password value: 2D A9 B2 D0 15 5F 1E B8 BB DB 3A 38 F5 24 72 B5
RDS 2011-10-24 16:16:01 I 2538 14884 [005] NAS-Port value: -1072693248
RDS 2011-10-24 16:16:01 I 2538 14884 [006] Service-Type value: 2
RDS 2011-10-24 16:16:01 I 2538 14884 [007] Framed-Protocol value: 1
RDS 2011-10-24 16:16:01 I 2519 14884 [030] Called-Station-Id value: 172.16.8.1
RDS 2011-10-24 16:16:01 I 2519 14884 [031] Calling-Station-Id value: 10.4.14.14
RDS 2011-10-24 16:16:01 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 2011-10-24 16:16:01 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 2011-10-24 16:16:01 I 2556 14884 [004] NAS-IP-Address value: 172.16.8.1
RDS 2011-10-24 16:16:01 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:01 I 2596 14884 [001] cisco-av-pair value: ip:source-ip=10.4.14.14
RDS 2011-10-24 16:16:01 I 0282 14884 ExtensionPoint: Initiating scan of configured extension points...
RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for provider [Cisco Generic EAP]
RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [GenericEAP] Missing EAP-Message, ignoring...
RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:01 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for provider [Cisco Downloadable ACLs]
RDS 2011-10-24 16:16:01 I 0763 14884 ExtensionPoint: [DnldACLs] Not an ACL download request, ignoring...
RDS 2011-10-24 16:16:01 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 I 0475 14884 AuthorExtensionPoint: Initiating scan of configured extension points...
RDS 2011-10-24 16:16:02 I 0507 14884 AuthorExtensionPoint: Calling [AuthorisationExtension] for provider [Cisco Downloadable ACLs]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] Looking for ACL for [user1]
RDS 2011-10-24 16:16:02 I 0512 14884 AuthorExtensionPoint: [DnldACLs.dll->AuthorisationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 3360 14884 Sending response code 2, id 22 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:addr-pool=vpnpool
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:wins-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:dns-servers=10.2.9.12 10.3.9.10 10.4.2.202
RDS 2011-10-24 16:16:02 I 2538 14884 [006] Service-Type value: 2
RDS 2011-10-24 16:16:02 I 2538 14884 [007] Framed-Protocol value: 1
RDS 2011-10-24 16:16:02 I 2538 14884 [013] Framed-Compression value: 1
RDS 2011-10-24 16:16:02 I 2556 14884 [008] Framed-IP-Address value: 255.255.255.254
RDS 2011-10-24 16:16:02 I 2519 14884 [025] Class value: CISCOACS:002cb2a9/ac100801/3222274048
-Second request-
RDS 2011-10-24 16:16:02 0232 14884 Request from host 172.16.8.1:1645 code=1, id=23, length=145 on port 1025
RDS 2011-10-24 16:16:02 I 2519 14884 [001] User-Name value: User1
RDS 2011-10-24 16:16:02 I 2519 14884 [002] User-Password value: 06 EA 08 AB C7 8F 75 D0 A5 E5 AE B7 A8 1B 48 96
RDS 2011-10-24 16:16:02 I 2538 14884 [005] NAS-Port value: -1072693248
RDS 2011-10-24 16:16:02 I 2538 14884 [006] Service-Type value: 2
RDS 2011-10-24 16:16:02 I 2538 14884 [007] Framed-Protocol value: 1
RDS 2011-10-24 16:16:02 I 2519 14884 [030] Called-Station-Id value: 172.16.8.1
RDS 2011-10-24 16:16:02 I 2519 14884 [031] Calling-Station-Id value: 10.4.14.14
RDS 2011-10-24 16:16:02 I 2538 14884 [061] NAS-Port-Type value: 5
RDS 2011-10-24 16:16:02 I 2533 14884 [066] Tunnel-Client-Endpoint value: [T1] 10.4.14.14
RDS 2011-10-24 16:16:02 I 2556 14884 [004] NAS-IP-Address value: 172.16.8.1
RDS 2011-10-24 16:16:02 I 2561 14884 [026] Vendor-Specific vsa id: 9
RDS 2011-10-24 16:16:02 I 2596 14884 [001] cisco-av-pair value: ip:source-ip=10.4.14.14
RDS 2011-10-24 16:16:02 I 0282 14884 ExtensionPoint: Initiating scan of configured extension points...
RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for provider [Cisco Generic EAP]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [GenericEAP] Missing EAP-Message, ignoring...
RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [GenericEAP.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 I 0314 14884 ExtensionPoint: Calling [AuthenticationExtension] for provider [Cisco Downloadable ACLs]
RDS 2011-10-24 16:16:02 I 0763 14884 ExtensionPoint: [DnldACLs] Not an ACL download request, ignoring...
RDS 2011-10-24 16:16:02 I 0319 14884 ExtensionPoint: [DnldACLs.dll->AuthenticationExtension] returned [1 - ignored]
RDS 2011-10-24 16:16:02 P 2237 14884 User: User1 - Windows user unknown or invalid password
RDS 2011-10-24 16:16:02 3360 14884 Sending response code 3, id 23 to 172.16.8.1 on port 1025
RDS 2011-10-24 16:16:02 I 2519 14884 [018] Reply-Message value: Rejected...
RDS 2011-10-24 16:16:03 0232 14884 Request from host 10.2.47.200:1812 code=1, id=254, length=227 on port 32769
RDS 2011-10-24 16:16:03 2788 14884 (Unknown Vendor ID 14179 VSA)
ACS debug:
-First request-
AUTH 24/10/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user01]
AUTH 24/10/2011 16:16:01 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication SUCCESSFUL (by DCCORPMSK04)
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Getting RAS information for user user1 from DCCORPMSK04
-Second request-
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Starting authentication for user [user1]
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 24/10/2011 16:16:02 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Retrying authentication against domain CORP
AUTH 24/10/2011 16:16:02 I 0365 13060 External DB [NTAuthenDLL.dll]: Attempting Windows authentication for user user1
AUTH 24/10/2011 16:16:02 0365 13060 External DB [NTAuthenDLL.dll]: Windows authentication FAILED (error 1326L)
The ASA config:
crypto ikev1 enable outside
crypto ikev1 enable inside
crypto ikev1 ipsec-over-tcp port 10000
 lifetime 86400
crypto ikev1 policy 65535
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 86400
!
group-policy Cert_auth internal
group-policy Cert_auth attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value aclVPN2
 address-pools value vpnpool
 client-access-rule none
!
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) vpnpool
 address-pool vpnpool
 authentication-server-group RADIUS01
 authorization-server-group RADIUS01
 authorization-server-group (inside) RADIUS01
 default-group-policy Cert_auth
!
aaa-server RADIUS01 protocol radius
aaa-server RADIUS01 (inside) host 10.2.9.224
 key *****
 radius-common-pw *****
aaa-server RADIUS01 (inside) host 10.4.2.223
 key *****
Hello
This is a "classic" error and has nothing to do with double authentication, but rather with the fact that you do both RADIUS authentication and RADIUS authorization.
If you remove this line:
authorization-server-group RADIUS01
you will see that it starts to work properly.
In short: when the ASA does RADIUS authorization, it sends a RADIUS access-request with the username as the password; that's why you see the second request fail every time.
This is because RADIUS authorization is intended to be used when authentication happens using certificates (only), so there is no password.
Also note that within the RADIUS protocol, authentication and authorization are not separate things; both occur in a single step. So if the ASA does RADIUS authentication, it already gets the user attributes in the authentication step and it makes no sense to also do a separate authorization step (except in a few very rare scenarios where you have 2 RADIUS servers, one for authentication and another for authorization).
HTH
Herbert
-
Question about SDI authentication on AnyConnect and ASA
Hi all
I would like to know about the communication flow for AnyConnect client authentication with the ASA 5520 and SDI.
My client wants to use the RSA SecurID On-Demand authenticator (RSA SecurID On-Demand token) between the ASA 5520 for SSL VPN and the AnyConnect client.
I understand that the ASA provides two modes for SDI authentication:
Native SDI - the ASA communicates directly with the SDI server to handle SDI authentication.
RADIUS SDI - the ASA communicates with a RADIUS SDI proxy (such as Cisco ACS) and the RADIUS SDI proxy communicates with the SDI server; this means that the ASA does not communicate directly with the SDI server.
I think that, in general (not considering the ASA), the client (remote user) needs to access a web page on the SDI server to get an SDI authentication token when it starts the SSL VPN connection setup. However, I do not clearly understand how SDI authentication works if I use the ASA as the secure gateway and configure the ASA for SDI authentication.
So my question is how SDI authentication works on the ASA when I use the ASA as the secure gateway and configure it for SDI authentication (in both modes).
The customer does not want the AnyConnect client to communicate with the SDI server directly, but only with the ASA, because of their security concerns. I don't know why the customer says so...
I found the following information on CEC.
==========
When a remote user using RADIUS SDI authentication connects to the ASA with AnyConnect and attempts to authenticate using an RSA SecurID token, the ASA communicates with the RADIUS server, which in turn communicates with the SDI server for validation.
==========
Does this mean that the AnyConnect client does not communicate with the SDI server directly for SDI authentication when it starts the SSL VPN connection setup, and that the AnyConnect client only has to communicate with the ASA, because the ASA communicates with the SDI server (instead of the AnyConnect client) as a proxy?
Your information would be appreciated.
Best regards
Shinichi
Shinichi,
I had a quick glance at the data sheet
http://www.RSA.com/node.aspx?ID=3481
All I could find was SMS authentication as the "on demand" code, i.e. RSA will somehow communicate with the cellular network provider to deliver an SMS with the user's part of the token. (The phone number should uniquely identify a user.)
Please note that it is a little suspicious if the device you authenticate to is the one that provides you with the authentication credentials :-)
Unless you mean a scenario where users connect through the ASA to request a token (be it via NAT or perhaps via the SSL portal?); anyway, the ASA is usually unaware of this because the user gets their authentication from the two parties.
Let me know if you meant something different about the token request. I'm curious to see what RSA has in store for us.
Marcin
-
ASA VPN with ISE and different WBS backends for authentication
Hello
I have an AAA problem that I hope to get some help with.
The problem ultimately is: how can the ASA, via ISE, send RADIUS Access-Requests to different OTP backends, depending on which tunnel group a connection comes in on.
BACKGROUND:
I'll try to give you a brief picture of the scenario; this is what I currently have.
A VPN system (ASA 8.4(4)) where I let my users choose among 3 different authentication methods:
(1) certificate (on a smart card)
(2) token - OTP token (One Time Password delivered via a smartphone application, using Pledge with a Nordic Edge OTP server)
(3) SMS - OTP token (Nordic Edge OTP server, SMS OTP)
The choice corresponds to different connection profiles/tunnel groups.
Today, all authentication requests go directly to the OTP server and authorization goes directly to AD via LDAP.
THE PROBLEM:
The problem occurs when I try to put ISE into the mix.
What I obviously (?) would like to do is have all network authentication/authorization go through my ISE platform to take advantage of centralized administration, monitoring, etc.
I would still need to use different backend databases such as AD and the Nordic Edge OTP server, but then proxied by ISE.
For ISE to be able to know which backend AAA system to proxy to, it somehow has to be able to distinguish the incoming RADIUS Access-Requests.
WHAT WE KNOW:
As of ASA 8.4.3, the RADIUS access request contains 2 new attributes, Tunnel Group Name and Client Type, when a VPN user connects.
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/ref_extserver.html#wp1802187
QUESTION:
It seems that, in theory, I can achieve what I want by looking at the RADIUS access request attribute "Tunnel Group Name" and forwarding my request to different OTP backends for the authentication part. But how do I actually go ahead and set that up in ISE?
I don't see this attribute when I look at the RADIUS authentication details for an AAA authentication from the ASA in ISE.
Best regards
/ Mattias
I think you may be hitting the following bug:
CSCtz49846: ISE does not match condition with VPN Tunnel-Group-Name attribute 146
This issue is not specific to this attribute, as shown by the workaround in the accompanying note:
Workaround
Ensure that the attribute name does not include a "." character. This also applies to some of the existing attributes in the Cisco-VPN3000 dictionary. Attribute names should be changed so that they do not include a "." character.
-
Hello
I want to consolidate all the AAA features we have today on different RADIUS servers into one ISE installation.
I now wonder how to differentiate a connection for administrative access (SSH/ASDM) from a VPN user connection, when the RADIUS requests go to the same server.
I don't see anything in the ASA RADIUS request attributes that differs depending on the use case. Any advice?
Best regards
/ Mattias
Hi Mattias,
As of ASA 8.4.3, the RADIUS access request contains 2 new attributes, Tunnel Group Name and Client Type, when a VPN user connects. I don't know whether an admin access request would contain Client Type = 0 or simply not include this attribute.
But without doubt you have more options than that, as you can simply key on the IETF Service-Type attribute, cf.:
http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_aaa.html#wp1136429
HTH
Herbert
-
ACS 5.2 NAC Guest Sponsor RADIUS Authentication
For some reason, I can't get the "sponsors" portal to authenticate on the NAC Guest Server (2.0.2) using ACS 5.2 via RADIUS.
I managed to find a way to get NAC Guest RADIUS authentication for "Administrator" to work by adding the custom RADIUS IETF-6 value under...
- Elements of strategy
- Authorization & permissions
- Access to the network
- Authorization profiles
I added a policy and, under the RADIUS attributes tab, I manually entered an attribute that looks like the following:
- Dictionary type: = RADIUS IETF
- RADIUS attribute: = Service-Type
- Attribute type: = enumeration
- Attribute value: = static
- Value = "Administrative".
Then I created an access policy... I matched on a specific AD group - result = "name of the custom policy above"...
All this works fine... the NAC Guest docs say the RADIUS server must return an IETF-6 value...
When it gets to the sponsor section, it does not tell you what value your RADIUS server must return... so just for a laugh, instead of "name of the custom policy above", I tried "Permit Access"... I tried the "name of the custom policy above"... Don't know what else to try to get this working... Anyone have any ideas?
This is similar to the document I'm following:
http://www.Cisco.com/en/us/docs/security/NAC/guestserver/configuration_guide/20/nacguestsrvr.PDF
Page 68 refers to "Sponsor authentication configuration" for RADIUS... it just tells you to change the authentication order and add the RADIUS server...
Use NAS Prompt (7) instead of Administrative (6) for sponsor users.
-Jesse
-
Connecting Cisco VPN client v5 to ASA 5505
I have remote VPN configuration issues between an ASA5505 and Cisco VPN client v5. I can successfully establish a connection between the VPN client and the ASA and receive an IP address from the ASA. The Windows VPN client statistics show that packets are sent and encrypted, but none of the packets are received/decrypted.
Cannot ping the ASA 5505.
Any ideas on what I missed?
Try adding...
crypto isakmp nat-traversal
In addition, you cannot ping the inside interface of the ASA over the VPN without this command...
management-access inside
Please rate helpful posts.
-
I'm trying to get my ASA to authenticate AnyConnect users with PhoneFactor authentication. Has anyone successfully done this before?
Hi Jason,
For that to work, you must configure the ASA to send a RADIUS request to PhoneFactor, and you must set the RADIUS timeout there so that the ASA does not time out while waiting for a response from PhoneFactor. Thus, both the ASA and the AnyConnect client must have a long enough timeout for the call to take place and get an answer.
By default, AnyConnect waits up to 12 seconds for ASA authentication before terminating the connection attempt. You can change this value in the XML profile as follows:
To set the authentication timeout to 90 seconds:
90
You can see the release notes that describe the "Authentication Timeout Control" at:
Authentication Timeout Control
The rest of the configuration is a fairly common AnyConnect client authentication with a RADIUS server.
Let me know if you have any questions.
Portu.
Please rate all helpful posts.
-
I wonder if anyone has experience with this error.
I have a Cisco ASA firewall, and I configured AAA authentication against my Active Directory server. On my Active Directory server, I set up my ASA firewall as a RADIUS client.
For VPN user authentication, I set up my VPN users to authenticate through the Active Directory server.
In my Active Directory server, I have several groups. Some users are in ABC GROUP; most of the users are in GROUP-XYZ.
Users who are members of ABC GROUP can connect successfully.
Users who are members of GROUP-XYZ cannot connect; the Cisco VPN client keeps prompting the user to authenticate.
The ASA firewall gives the error: error processing payload: payload ID: 14
When I add the user as a member of ABC GROUP, the user is able to connect successfully.
On the Cisco ASA firewall, I don't see any configuration that refers to Active Directory group names.
Hello
Check the output of debug aaa / debug radius on the ASA for clues.
I guess you are using Microsoft NPS; search all of its logs.
My assumption (a wild guess): check your Active Directory group policies, check the 'grant dial-in' setting and, next to it, another similar setting (I forgot the details, it's been more than a year since I last saw it), compare with the NPS documentation and compare the two groups (pass/fail).
Also check your network policies on the Network Policy Server if you have more than one.
Hope that helps,
MiKa
-
Cisco ASA webvpn - recording of the ACL
Hello
I'm trying to configure my Cisco ASA 5520 so that clientless WebVPN connections get logged. My ACEs are getting hit, but no log entry is created:
access-list SSLVPN_Personal; 2 elements
access-list SSLVPN_Personal line 1 webtype permit url https://*.XYZ.ABC.de log alerts interval 1 (hitcnt=41)
How can I check what the WebVPN users do?
Look at syslogs 716003 and 716004 http://www.cisco.com/en/US/partner/docs/security/asa/asa83/system/message/logmsgs.html#wp4776945
716003
Error Message %ASA-6-716003: Group group User user IP ip WebVPN access "GRANTED: url"
Explanation: The WebVPN user in this group at the specified IP address has accessed that URL. User access to different sites can be controlled using WebVPN-specific ACLs.
Recommended Action: None required.
716004
Error Message %ASA-6-716004: Group group User user WebVPN access DENIED to specified location: url
Explanation: The WebVPN user in this group has been denied access to this URL. User access to different WebVPN sites can be controlled using WebVPN-specific ACLs. In this case, a particular entry is denying access to this URL.
Recommended Action: None required.
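Once those messages appear in syslog, the question becomes how to read them. The following is an added example (not from the thread or from Cisco) that parses 716003/716004 lines, tolerating the angle-bracketed fields a real ASA emits and an absent IP field, and summarises per user which URLs were granted or denied; the log lines are constructed.

```python
# Added example (not from the thread): parse ASA syslog 716003/716004 lines,
# which the WebVPN ACL "log" keyword produces, and summarise which user was
# granted or denied which URL. The sample syslog below is constructed.
import re
from collections import defaultdict

WEBVPN_RE = re.compile(
    r"%ASA-6-(?P<msgid>71600[34]): "
    r"Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>?"
    r"(?: IP <?(?P<ip>[^>\s]+)>?)? WebVPN access "
    r"(?P<verdict>GRANTED|DENIED)(?: to specified location)?: (?P<url>\S+)"
)

# Constructed sample: two granted accesses, one denied, one unrelated message.
SAMPLE_SYSLOG = """\
Jan 10 10:01:02 fw1 %ASA-6-716003: Group <SSLVPN_Personal> User <alice> IP <198.51.100.7> WebVPN access GRANTED: https://portal.XYZ.ABC.de/
Jan 10 10:01:05 fw1 %ASA-6-716004: Group <SSLVPN_Personal> User <bob> IP <198.51.100.9> WebVPN access DENIED to specified location: https://files.example.net/
Jan 10 10:01:09 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.4/443
Jan 10 10:01:11 fw1 %ASA-6-716003: Group <SSLVPN_Personal> User <alice> IP <198.51.100.7> WebVPN access GRANTED: https://mail.XYZ.ABC.de/owa
"""


def parse_webvpn_line(line: str):
    """Return a dict of fields for a 716003/716004 line, None for anything else."""
    m = WEBVPN_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text: str) -> dict:
    """Per-user counts of granted/denied URLs plus the list of denied URLs."""
    report = defaultdict(lambda: {"granted": 0, "denied": 0, "denied_urls": []})
    for line in log_text.splitlines():
        ev = parse_webvpn_line(line)
        if ev is None:
            continue            # not a WebVPN ACL event (e.g. 302013)
        entry = report[ev["user"]]
        if ev["verdict"] == "GRANTED":
            entry["granted"] += 1
        else:
            entry["denied"] += 1
            entry["denied_urls"].append(ev["url"])
    return dict(report)


if __name__ == "__main__":
    for user, stats in summarize(SAMPLE_SYSLOG).items():
        print(user, stats)
```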