ASDM Book 1: Cisco ASA Series General Operations ASDM Configuration Guide, 7.1
Configuring RADIUS Servers for AAA
Downloads: This chapterpdf (PDF - 372.0KB) The complete bookPDF (PDF - 20.37MB) | The complete bookePub (ePub - 6.37MB) | The complete bookMobi (Mobi - 8.32MB) | Feedback

Table of Contents

Configuring RADIUS Servers for AAA

Information About RADIUS Servers

Supported Authentication Methods

User Authorization of VPN Connections

Supported Sets of RADIUS Attributes

Supported RADIUS Authorization Attributes

Supported IETF RADIUS Authorization Attributes

RADIUS Accounting Disconnect Reason Codes

Licensing Requirements for RADIUS Servers

Guidelines and Limitations

Configuring RADIUS Servers

Task Flow for Configuring RADIUS Servers

Configuring RADIUS Server Groups

Adding a RADIUS Server to a Group

Adding an Authentication Prompt

Testing RADIUS Server Authentication and Authorization

Monitoring RADIUS Servers

Additional References

RFCs

Feature History for RADIUS Servers

Information About RADIUS Servers

The ASA supports the following RFC-compliant RADIUS servers for AAA:

  • Cisco Secure ACS 3.2, 4.0, 4.1, 4.2, and 5.x
  • Cisco Identity Services Engine (ISE)
  • RSA RADIUS in RSA Authentication Manager 5.2, 6.1, and 7.x
  • Microsoft

This section includes the following topics:

Supported Authentication Methods

The ASA supports the following authentication methods with RADIUS servers:

  • PAP—For all connection types.
  • CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.
  • MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.
  • Authentication Proxy modes—For RADIUS-to Active-Directory, RADIUS-to-RSA/SDI, RADIUS- to-Token server, and RSA/SDI-to-RADIUS connections,

NoteTo enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of thepassword-management command for details.

If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.


User Authorization of VPN Connections

The ASA can use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic ACLs or ACL names per user. To implement dynamic ACLs, you must configure the RADIUS server to support them. When the user authenticates, the RADIUS server sends a downloadable ACL or ACL name to the ASA. Access to a given service is either permitted or denied by the ACL. The ASA deletes the ACL when the authentication session expires.

In addition to ACLs, the ASA supports many other attributes for authorization and setting of permissions for VPN remote access and firewall cut-through proxy sessions.

Supported Sets of RADIUS Attributes

The ASA supports the following sets of RADIUS attributes:

  • Authentication attributes defined in RFC 2138.
  • Accounting attributes defined in RFC 2139.
  • RADIUS attributes for tunneled protocol support, defined in RFC 2868.
  • Cisco IOS Vendor-Specific Attributes (VSAs), identified by RADIUS vendor ID 9.
  • Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
  • Microsoft VSAs, defined in RFC 2548.
  • Cisco VSA (Cisco-Priv-Level), which provides a standard 0-15 numeric ranking of privileges, with 1 being the lowest level and 15 being the highest level. A zero level indicates no privileges. The first level (login) allows privileged EXEC access for the commands available at this level. The second level (enable) allows CLI configuration privileges.

Supported RADIUS Authorization Attributes

Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as an authentication server enforces permissions or attributes if they are configured. These attributes have vendor ID 3076.

Table 34-1 lists the supported RADIUS attributes that can be used for user authorization.


NoteRADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The ASAs enforce the RADIUS attributes based on attribute numeric ID, not attribute name.

All attributes listed in Table 34-1 are downstream attributes that are sent from the RADIUS server to the ASA except for the following attribute numbers: 146, 150, 151, and 152. These attribute numbers are upstream attributes that are sent from the ASA to the RADIUS server. RADIUS attributes 146 and 150 are sent from the ASA to the RADIUS server for authentication and authorization requests. All four previously listed attributes are sent from the ASA to the RADIUS server for accounting start, interim-update, and stop requests. Upstream RADIUS attributes 146, 150, 151, and 152 were introduced in Version 8.4(3).

Cisco ACS 5.x and Cisco ISE do not support IPv6 framed IP addresses for IP address assignment using RADIUS authentication in Version 9.0(1).


 

Table 34-1 Supported RADIUS Authorization Attributes

Attribute Name
ASA
Attr. No.
Syntax/Type
Single or Multi-
Valued
Description or Value

Access-Hours

Y

1

String

Single

Name of the time range, for example, Business-hours

Access-List-Inbound

Y

86

String

Single

ACL ID

Access-List-Outbound

Y

87

String

Single

ACL ID

Address-Pools

Y

217

String

Single

Name of IP local pool

Allow-Network-Extension-Mode

Y

64

Boolean

Single

0 = Disabled
1 = Enabled

Authenticated-User-Idle-Timeout

Y

50

Integer

Single

1-35791394 minutes

Authorization-DN-Field

Y

67

String

Single

Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name

Authorization-Required

 

66

Integer

Single

0 = No
1 = Yes

Authorization-Type

Y

65

Integer

Single

0 = None
1 = RADIUS
2 = LDAP

Banner1

Y

15

String

Single

Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL

Banner2

Y

36

String

Single

Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string , if configured.

Cisco-IP-Phone-Bypass

Y

51

Integer

Single

0 = Disabled
1 = Enabled

Cisco-LEAP-Bypass

Y

75

Integer

Single

0 = Disabled
1 = Enabled

Client Type

Y

150

Integer

Single

1 = Cisco VPN Client (IKEv1)
2 = AnyConnect Client SSL VPN
3 = Clientless SSL VPN
4 = Cut-Through-Proxy
5 = L2TP/IPsec SSL VPN
6 = AnyConnect Client IPsec VPN (IKEv2)

Client-Type-Version-Limiting

Y

77

String

Single

IPsec VPN version number string

DHCP-Network-Scope

Y

61

String

Single

IP Address

Extended-Authentication-On-Rekey

Y

122

Integer

Single

0 = Disabled
1 = Enabled

Group-Policy

Y

25

String

Single

Sets the group policy for the remote access VPN session. For Versions 8.2.x and later, use this attribute instead of IETF-Radius-Class. You can use one of the following formats:

  • group policy name
  • OU= group policy name
  • OU= group policy name ;

IE-Proxy-Bypass-Local

 

83

Integer

Single

0 = None
1 = Local

IE-Proxy-Exception-List

 

82

String

Single

New line (\n) separated list of DNS domains

IE-Proxy-PAC-URL

Y

133

String

Single

PAC address string

IE-Proxy-Server

 

80

String

Single

IP address

IE-Proxy-Server-Policy

 

81

Integer

Single

1 = No Modify
2 = No Proxy
3 = Auto detect
4 = Use Concentrator Setting

IKE-KeepAlive-Confidence-Interval

Y

68

Integer

Single

10-300 seconds

IKE-Keepalive-Retry-Interval

Y

84

Integer

Single

2-10 seconds

IKE-Keep-Alives

Y

41

Boolean

Single

0 = Disabled
1 = Enabled

Intercept-DHCP-Configure-Msg

Y

62

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Allow-Passwd-Store

Y

16

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Authentication

 

13

Integer

Single

0 = None
1 = RADIUS
2 = LDAP (authorization only)
3 = NT Domain
4 = SDI
5 = Internal
6 = RADIUS with Expiry
7 = Kerberos/Active Directory

IPsec-Auth-On-Rekey

Y

42

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Backup-Server-List

Y

60

String

Single

Server Addresses (space delimited)

IPsec-Backup-Servers

Y

59

String

Single

1 = Use Client-Configured list
2 = Disable and clear client list
3 = Use Backup Server list

IPsec-Client-Firewall-Filter-Name

 

57

String

Single

Specifies the name of the filter to be pushed to the client as firewall policy

IPsec-Client-Firewall-Filter-Optional

Y

58

Integer

Single

0 = Required
1 = Optional

IPsec-Default-Domain

Y

28

String

Single

Specifies the single default domain name to send to the client (1-255 characters).

IPsec-IKE-Peer-ID-Check

Y

40

Integer

Single

1 = Required
2 = If supported by peer certificate
3 = Do not check

IPsec-IP-Compression

Y

39

Integer

Single

0 = Disabled
1 = Enabled

IPsec-Mode-Config

Y

31

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP

Y

34

Boolean

Single

0 = Disabled
1 = Enabled

IPsec-Over-UDP-Port

Y

35

Integer

Single

4001- 49151. The default is 10000.

IPsec-Required-Client-Firewall-Capability

Y

56

Integer

Single

0 = None
1 = Policy defined by remote FW Are-You-There (AYT)
2 = Policy pushed CPP
4 = Policy from server

IPsec-Sec-Association

 

12

String

Single

Name of the security association

IPsec-Split-DNS-Names

Y

29

String

Single

Specifies the list of secondary domain names to send to the client (1-255 characters).

IPsec-Split-Tunneling-Policy

Y

55

Integer

Single

0 = No split tunneling
1 = Split tunneling
2 = Local LAN permitted

IPsec-Split-Tunnel-List

Y

27

String

Single

Specifies the name of the network or ACL that describes the split tunnel inclusion list.

IPsec-Tunnel-Type

Y

30

Integer

Single

1 = LAN-to-LAN
2 = Remote access

IPsec-User-Group-Lock

 

33

Boolean

Single

0 = Disabled
1 = Enabled

IPv6-Address-Pools

Y

218

String

Single

Name of IP local pool-IPv6

IPv6-VPN-Filter

Y

219

String

Single

ACL value

L2TP-Encryption

 

21

Integer

Single

Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Req
15= 40/128-Encr/Stateless-Req

L2TP-MPPC-Compression

 

38

Integer

Single

0 = Disabled
1 = Enabled

Member-Of

Y

145

String

Single

Comma-delimited string, for example:

Engineering, Sales
 

An administrative attribute that can be used in dynamic access policies. It does not set a group policy.

MS-Client-Subnet-Mask

Y

63

Boolean

Single

An IP address

NAC-Default-ACL

 

92

String

 

ACL

NAC-Enable

 

89

Integer

Single

0 = No
1 = Yes

NAC-Revalidation-Timer

 

91

Integer

Single

300-86400 seconds

NAC-Settings

Y

141

String

Single

Name of the NAC policy

NAC-Status-Query-Timer

 

90

Integer

Single

30-1800 seconds

Perfect-Forward-Secrecy-Enable

Y

88

Boolean

Single

0 = No
1 = Yes

PPTP-Encryption

 

20

Integer

Single

Bitmap:
1 = Encryption required
2 = 40 bits
4 = 128 bits
8 = Stateless-Required
15= 40/128-Encr/Stateless-Req

PPTP-MPPC-Compression

 

37

Integer

Single

0 = Disabled
1 = Enabled

Primary-DNS

Y

5

String

Single

An IP address

Primary-WINS

Y

7

String

Single

An IP address

Privilege-Level

Y

220

Integer

Single

An integer between 0 and 15.

Required-Client- Firewall-Vendor-Code

Y

45

Integer

Single

1 = Cisco Systems (with Cisco Integrated Client)
2 = Zone Labs
3 = NetworkICE
4 = Sygate
5 = Cisco Systems (with Cisco Intrusion Prevention Security Agent)

Required-Client-Firewall-Description

Y

47

String

Single

String

Required-Client-Firewall-Product-Code

Y

46

Integer

Single

Cisco Systems Products:

1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC)

Zone Labs Products:
1 = Zone Alarm
2 = Zone AlarmPro
3 = Zone Labs Integrity

NetworkICE Product:
1 = BlackIce Defender/Agent

Sygate Products:
1 = Personal Firewall
2 = Personal Firewall Pro
3 = Security Agent

Required-Individual-User-Auth

Y

49

Integer

Single

0 = Disabled
1 = Enabled

Require-HW-Client-Auth

Y

48

Boolean

Single

0 = Disabled
1 = Enabled

Secondary-DNS

Y

6

String

Single

An IP address

Secondary-WINS

Y

8

String

Single

An IP address

SEP-Card-Assignment

 

9

Integer

Single

Not used

Session Subtype

Y

152

Integer

Single

0 = None
1 = Clientless
2 = Client
3 = Client Only

Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4.

Session Type

Y

151

Integer

Single

0 = None
1 = AnyConnect Client SSL VPN
2 = AnyConnect Client IPSec VPN (IKEv2)
3 = Clientless SSL VPN
4 = Clientless Email Proxy
5 = Cisco VPN Client (IKEv1)
6 = IKEv1 LAN-LAN
7 = IKEv2 LAN-LAN
8 = VPN Load Balancing

Simultaneous-Logins

Y

2

Integer

Single

0-2147483647

Smart-Tunnel

Y

136

String

Single

Name of a Smart Tunnel

Smart-Tunnel-Auto

Y

138

Integer

Single

0 = Disabled
1 = Enabled
2 = AutoStart

Smart-Tunnel-Auto-Signon-Enable

Y

139

String

Single

Name of a Smart Tunnel Auto Signon list appended by the domain name

Strip-Realm

Y

135

Boolean

Single

0 = Disabled
1 = Enabled

SVC-Ask

Y

131

String

Single

0 = Disabled
1 = Enabled
3 = Enable default service
5 = Enable default clientless
(2 and 4 not used)

SVC-Ask-Timeout

Y

132

Integer

Single

5-120 seconds

SVC-DPD-Interval-Client

Y

108

Integer

Single

0 = Off
5-3600 seconds

SVC-DPD-Interval-Gateway

Y

109

Integer

Single

0 = Off)
5-3600 seconds

SVC-DTLS

Y

123

Integer

Single

0 = False
1 = True

SVC-Keepalive

Y

107

Integer

Single

0 = Off
15-600 seconds

SVC-Modules

Y

127

String

Single

String (name of a module)

SVC-MTU

Y

125

Integer

Single

MTU value
256-1406 in bytes

SVC-Profiles

Y

128

String

Single

String (name of a profile)

SVC-Rekey-Time

Y

110

Integer

Single

0 = Disabled
1-10080 minutes

Tunnel Group Name

Y

146

String

Single

1-253 characters

Tunnel-Group-Lock

Y

85

String

Single

Name of the tunnel group or “none”

Tunneling-Protocols

Y

11

Integer

Single

1 = PPTP
2 = L2TP
4 = IPSec (IKEv1)
8 = L2TP/IPSec
16 = WebVPN
32 = SVC
64 = IPsec (IKEv2)
8 and 4 are mutually exclusive.
0 - 11, 16 - 27, 32 - 43, 48 - 59 are legal values.

Use-Client-Address

 

17

Boolean

Single

0 = Disabled
1 = Enabled

VLAN

Y

140

Integer

Single

0-4094

WebVPN-Access-List

Y

73

String

Single

Access-List name

WebVPN ACL

Y

73

String

Single

Name of a WebVPN ACL on the device

WebVPN-ActiveX-Relay

Y

137

Integer

Single

0 = Disabled
Otherwise = Enabled

WebVPN-Apply-ACL

Y

102

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Auto-HTTP-Signon

Y

124

String

Single

Reserved

WebVPN-Citrix-Metaframe-Enable

Y

101

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Content-Filter-Parameters

Y

69

Integer

Single

1 = Java ActiveX
2 = Java Script
4 = Image
8 = Cookies in images

WebVPN-Customization

Y

113

String

Single

Name of the customization

WebVPN-Default-Homepage

Y

76

String

Single

A URL such as http://example-example.com

WebVPN-Deny-Message

Y

116

String

Single

Valid string (up to 500 characters)

WebVPN-Download_Max-Size

Y

157

Integer

Single

0x7fffffff

WebVPN-File-Access-Enable

Y

94

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Browsing-Enable

Y

96

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-File-Server-Entry-Enable

Y

95

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Group-based-HTTP/HTTPS-Proxy-Exception-List

Y

78

String

Single

Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com)

WebVPN-Hidden-Shares

Y

126

Integer

Single

0 = None
1 = Visible

WebVPN-Home-Page-Use-Smart-Tunnel

Y

228

Boolean

Single

Enabled if clientless home page is to be rendered through Smart Tunnel.

WebVPN-HTML-Filter

Y

69

Bitmap

Single

1 = Java ActiveX
2 = Scripts
4 = Image
8 = Cookies

WebVPN-HTTP-Compression

Y

120

Integer

Single

0 = Off
1 = Deflate Compression

WebVPN-HTTP-Proxy-IP-Address

Y

74

String

Single

Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443)

WebVPN-Idle-Timeout-Alert-Interval

Y

148

Integer

Single

0-30. 0 = Disabled.

WebVPN-Keepalive-Ignore

Y

121

Integer

Single

0-900

WebVPN-Macro-Substitution

Y

223

String

Single

Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html

WebVPN-Macro-Substitution

Y

224

String

Single

Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html

WebVPN-Port-Forwarding-Enable

Y

97

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-Exchange-Proxy-Enable

Y

98

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-HTTP-Proxy

Y

99

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-Port-Forwarding-List

Y

72

String

Single

Port forwarding list name

WebVPN-Port-Forwarding-Name

Y

79

String

Single

String name (example, “Corporate-Apps”).

This text replaces the default string, “Application Access,” on the clientless portal home page.

WebVPN-Post-Max-Size

Y

159

Integer

Single

0x7fffffff

WebVPN-Session-Timeout-Alert-Interval

Y

149

Integer

Single

0-30. 0 = Disabled.

WebVPN Smart-Card-Removal-Disconnect

Y

225

Boolean

Single

0 = Disabled
1 = Enabled

WebVPN-Smart-Tunnel

Y

136

String

Single

Name of a Smart Tunnel

WebVPN-Smart-Tunnel-Auto-Sign-On

Y

139

String

Single

Name of a Smart Tunnel auto sign-on list appended by the domain name

WebVPN-Smart-Tunnel-Auto-Start

Y

138

Integer

Single

0 = Disabled
1 = Enabled
2 = Auto Start

WebVPN-Smart-Tunnel-Tunnel-Policy

Y

227

String

Single

One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels.

WebVPN-SSL-VPN-Client-Enable

Y

103

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSL-VPN-Client-Keep- Installation

Y

105

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSL-VPN-Client-Required

Y

104

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SSO-Server-Name

Y

114

String

Single

Valid string

WebVPN-Storage-Key

Y

162

String

Single

 

WebVPN-Storage-Objects

Y

161

String

Single

 

WebVPN-SVC-Keepalive-Frequency

Y

107

Integer

Single

15-600 seconds, 0=Off

WebVPN-SVC-Client-DPD-Frequency

Y

108

Integer

Single

5-3600 seconds, 0=Off

WebVPN-SVC-DTLS-Enable

Y

123

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-SVC-DTLS-MTU

Y

125

Integer

Single

MTU value is from 256-1406 bytes.

WebVPN-SVC-Gateway-DPD-Frequency

Y

109

Integer

Single

5-3600 seconds, 0=Off

WebVPN-SVC-Rekey-Time

Y

110

Integer

Single

4-10080 minutes, 0=Off

WebVPN-SVC-Rekey-Method

Y

111

Integer

Single

0 (Off), 1 (SSL), 2 (New Tunnel)

WebVPN-SVC-Compression

Y

112

Integer

Single

0 (Off), 1 (Deflate Compression)

WebVPN-UNIX-Group-ID (GID)

Y

222

Integer

Single

Valid UNIX group IDs

WebVPN-UNIX-User-ID (UIDs)

Y

221

Integer

Single

Valid UNIX user IDs

WebVPN-Upload-Max-Size

Y

158

Integer

Single

0x7fffffff

WebVPN-URL-Entry-Enable

Y

93

Integer

Single

0 = Disabled
1 = Enabled

WebVPN-URL-List

Y

71

String

Single

URL list name

WebVPN-User-Storage

Y

160

String

Single

 

WebVPN-VDI

Y

163

String

Single

List of settings

Supported IETF RADIUS Authorization Attributes

Table 34-2 lists the supported IETF RADIUS attributes.

 

Table 34-2 Supported IETF RADIUS Attributes

Attribute Name
ASA
Attr. No.
Syntax/Type
Single or Multi-
Valued
Description or Value

IETF-Radius-Class

Y

25

 

Single

For Versions 8.2.x and later, we recommend that you use the Group-Policy attribute (VSA 3076, #25) as described in Table 34-1 :

  • group policy name
  • OU= group policy name
  • OU= group policy name

IETF-Radius-Filter-Id

Y

11

String

Single

ACL name that is defined on the ASA, which applies only to full tunnel IPsec and SSL VPN clients.

IETF-Radius-Framed-IP-Address

Y

n/a

String

Single

An IP address

IETF-Radius-Framed-IP-Netmask

Y

n/a

String

Single

An IP address mask

IETF-Radius-Idle-Timeout

Y

28

Integer

Single

Seconds

IETF-Radius-Service-Type

Y

6

Integer

Single

Seconds. Possible Service Type values:

  • .Administrative—User is allowed access to the configure prompt.
  • .NAS-Prompt—User is allowed access to the exec prompt.
  • .remote-access—User is allowed network access

IETF-Radius-Session-Timeout

Y

27

Integer

Single

Seconds

RADIUS Accounting Disconnect Reason Codes

These codes are returned if the ASA encounters a disconnect when sending packets:

 

Disconnect Reason Code

ACCT_DISC_USER_REQ = 1

ACCT_DISC_LOST_CARRIER = 2

ACCT_DISC_LOST_SERVICE = 3

ACCT_DISC_IDLE_TIMEOUT = 4

ACCT_DISC_SESS_TIMEOUT = 5

ACCT_DISC_ADMIN_RESET = 6

ACCT_DISC_ADMIN_REBOOT = 7

ACCT_DISC_PORT_ERROR = 8

ACCT_DISC_NAS_ERROR = 9

ACCT_DISC_NAS_REQUEST = 10

ACCT_DISC_NAS_REBOOT = 11

ACCT_DISC_PORT_UNNEEDED = 12

ACCT_DISC_PORT_PREEMPTED = 13

ACCT_DISC_PORT_SUSPENDED = 14

ACCT_DISC_SERV_UNAVAIL = 15

ACCT_DISC_CALLBACK = 16

ACCT_DISC_USER_ERROR = 17

ACCT_DISC_HOST_REQUEST = 18

ACCT_DISC_ADMIN_SHUTDOWN = 19

ACCT_DISC_SA_EXPIRED = 21

ACCT_DISC_MAX_REASONS = 22

Licensing Requirements for RADIUS Servers

 

Model
License Requirement

All models

Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines

Configuring RADIUS Servers

This section includes the following topics:

Task Flow for Configuring RADIUS Servers


Step 1 Load the ASA attributes into the RADIUS server. The method that you use to load the attributes depends on which type of RADIUS server that you are using:

    • If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
    • For RADIUS servers from other vendors (for example, Microsoft Internet Authentication Service): you must manually define each ASA attribute. To define an attribute, use the attribute name or number, type, value, and vendor code (3076).

Step 2 Add a RADIUS server group. See the “Configuring RADIUS Server Groups” section.

Step 3 For a server group, add a server to the group. See the “Adding a RADIUS Server to a Group” section.

Step 4 (Optional) Specify text to display to the user during the AAA authentication challenge process. See the “Adding an Authentication Prompt” section.


 

Configuring RADIUS Server Groups

If you want to use an external RADIUS server for authentication, authorization, or accounting, you must first create at least one RADIUS server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name.

To add a RADIUS server group, perform the following steps:

Detailed Steps


Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups .

Step 2 In the AAA Server Groups area, click Add .

The Add AAA Server Group dialog box appears.

Step 3 In the Server Group field, enter a name for the group.

Step 4 From the Protocol drop-down list, choose the RADIUS server type.

Step 5 In the Accounting Mode field, click Simultaneous or Single .

In Single mode, the ASA sends accounting data to only one server.

In Simultaneous mode, the ASA sends accounting data to all servers in the group.

Step 6 In the Reactivation Mode field, click Depletion or Timed .

In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive.

In Timed mode, failed servers are reactivated after 30 seconds of down time.

Step 7 If you chose the Depletion reactivation mode, enter a time interval in the Dead Time field.

The Dead Time is the duration of time, in minutes, that elapses between the disabling of the last server in a group and the subsequent re-enabling of all servers.

Step 8 In the Max Failed Attempts field, add the number of failed attempts allowed.

This option sets the number of failed connection attempts allowed before declaring a nonresponsive server to be inactive.

Step 9 (Optional) If you are adding a RADIUS server type, perform the following steps:

a. Check the Enable interim accounting update check box if you want to enable multi-session accounting for clientless SSL and AnyConnect sessions.

b. Check the Enable Active Directory Agent Mode check box to specify the shared secret between the ASA and the AD agent and indicate that a RADIUS server group includes AD agents that are not full-function RADIUS servers. Only a RADIUS server group that has been configured using this option can be associated with user identity.

c. Click the VPN3K Compatibility Option down arrow to expand the list, and click one of the following options to specify whether or not a downloadable ACL received from a RADIUS packet should be merged with a Cisco AV pair ACL:

Do not merge

Place the downloadable ACL after Cisco AV-pair ACL

Place the downloadable ACL before Cisco AV-pair ACL

Step 10 Click OK .

The Add AAA Server Group dialog box closes, and the new server group is added to the AAA Server Groups table.

Step 11 In the AAA Server Groups dialog box, click Apply to save the changes to the running configuration.


 

Adding a RADIUS Server to a Group

To add a RADIUS server to a group, perform the following steps:

Detailed Steps


Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups , and in the AAA Server Groups area, click the server group to which you want to add a server.

The row is highlighted in the table.

Step 2 In the Servers in the Selected Group area (lower pane), click Add .

The Add AAA Server Group dialog box appears for the server group.

Step 3 From the Interface Name drop-down list, choose the interface name on which the authentication server resides.

Step 4 In the Server Name or IP Address field, add either a server name or IP address for the server that you are adding to the group.

Step 5 In the Timeout field, either add a timeout value or keep the default. The timeout is the length of time, in seconds, that the ASA waits for a response from the primary server before sending the request to the backup server.

Step 6 In the ACL Netmask Convert field, specify how you want the ASA to handle netmasks received in downloadable ACLs. Choose from the following options:

  • Detect automatically—The ASA attempts to determine the type of netmask expression used. If the ASA detects a wildcard netmask expression, the ASA converts it to a standard netmask expression.

Note Because some wildcard expressions are difficult to detect clearly, this setting may misinterpret a wildcard netmask expression as a standard netmask expression.


  • Standard—The ASA assumes downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed.
  • Wildcard—The ASA assumes downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions, and it converts them all to standard netmask expressions when the ACLs are downloaded.

Step 7 In the Common Password field, specify a case-sensitive password that is common among users who access this RADIUS authorization server through this ASA. Be sure to provide this information to your RADIUS server administrator.


Note For an authentication RADIUS server (rather than authorization), do not configure a common password.

If you leave this field blank, the username is the password for accessing this RADIUS authorization server.

Never use a RADIUS authorization server for authentication. Common passwords or usernames as passwords are less secure than assigning unique user passwords.

Although the password is required by the RADIUS protocol and the RADIUS server, users do not need to know it.


Step 8 If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by unchecking this check box.

Step 9 In the Retry Interval field, specify the length of time, from 1 to 10 seconds, that the ASA waits between attempts to contact the server.

Step 10 In the Accounting Mode field, click Simultaneous or Single .

In Single mode, the ASA sends accounting data to only one server.

In Simultaneous mode, the ASA sends accounting data to all servers in the group.

Step 11 In the Server Accounting Port field, specify the server port to be used for accounting of users. The default port is 1646.

Step 12 In the Server Authentication Port field, specify the server port to be used for authentication of users. The default port is 1645.

Step 13 In the Server Secret Key field, specify the shared secret key used to authenticate the RADIUS server to the ASA. The server secret that you configure should match the one configured on the RADIUS server. If you do not know the server secret, ask the RADIUS server administrator. The maximum field length is 64 characters.

Step 14 Click OK .

The Add AAA Server Group dialog box closes, and the AAA server is added to the AAA server group.

Step 15 In the AAA Server Groups pane, click Apply to save the changes to the running configuration.


 

 

Adding an Authentication Prompt

You can specify the AAA challenge text for HTTP, FTP, and Telnet access through the ASA when requiring user authentication from RADIUS servers. This text is primarily for cosmetic purposes and appears above the username and password prompts that users see when they log in. If you do not specify an authentication prompt, users see the following when authenticating with a RADIUS server:

 

Connection Type
Default Prompt

FTP

FTP authentication

HTTP

HTTP authentication

Telnet

None

To add an authentication prompt, perform the following steps:


Step 1 From the Configuration > Device Management > Users/AAA > Authentication Prompt pane, enter text in the Prompt field to add as a message to appear above the username and password prompts that users see when they log in.

The following table shows the allowed character limits for authentication prompts:

 

Application
Character Limit

Microsoft Internet Explorer

37

Telnet

235

FTP

235

Step 2 In the Messages area, add messages in the User accepted message and User rejected message fields.

If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is either accepted or rejected by the RADIUS server.

If the RADIUS server authenticates the user, the ASA displays the User accepted message text, if specified, to the user; otherwise, the ASA displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.

Step 3 Click Apply to save the changes to the running configuration.


 

Testing RADIUS Server Authentication and Authorization

To determine whether the ASA can contact a RADIUS server and authenticate or authorize a user, perform the following steps:


Step 1 From the Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups table, click the server group in which the server resides.

The row is highlighted in the table.

Step 2 From the Servers in the Selected Group table, click the server that you want to test.

The row is highlighted in the table.

Step 3 Click Test .

The Test AAA Server dialog box appears for the selected server.

Step 4 Click the type of test that you want to perform— Authentication or Authorization .

Step 5 In the Username field, enter a username.

Step 6 If you are testing authentication, in the Password field, enter the password for the username.

Step 7 Click OK .

The ASA sends an authentication or authorization test message to the server. If the test fails, ASDM displays an error message.


 

Monitoring RADIUS Servers

To monitor RADIUS servers, see the following panes:

 

Path
Purpose

Monitoring > Properties > AAA Servers

Shows the configured RADIUS server statistics.

Monitoring > Properties > AAA Servers

Shows the RADIUS server running configuration.

Additional References

For additional information related to implementing AAA through RADIUS servers, see the “RFCs” section.

RFCs

RFC
Title

2138

Remote Authentication Dial In User Service (RADIUS)

2139

RADIUS Accounting

2548

Microsoft Vendor-specific RADIUS Attributes

2868

RADIUS Attributes for Tunnel Protocol Support

Feature History for RADIUS Servers

Table 34-3 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

,

Table 34-3 Feature History for RADIUS Servers

Feature Name
Platform Releases
Feature Information

RADIUS Servers for AAA

7.0(1)

Describes how to configure RADIUS servers for AAA.

We introduced the following screens:

Configuration > Device Management > Users/AAA > AAA Server Groups
Configuration > Device Management > Users/AAA > Authentication Prompt.

Key vendor-specific attributes (VSAs) sent in RADIUS access request and accounting request packets from the ASA

8.4(3)

Four New VSAs—Tunnel Group Name (146) and Client Type (150) are sent in RADIUS access request packets from the ASA. Session Type (151) and Session Subtype (152) are sent in RADIUS accounting request packets from the ASA. All four attributes are sent for all accounting request packet types: Start, Interim-Update, and Stop. The RADIUS server (for example, ACS and ISE) can then enforce authorization and policy attributes or use them for accounting and billing purposes.