The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure RADIUS servers for AAA and includes the following sections:
The ASA supports the following RFC-compliant RADIUS servers for AAA:
This section includes the following topics:
The ASA supports the following authentication methods with RADIUS servers:
Note To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.
If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic ACLs or ACL names per user. To implement dynamic ACLs, you must configure the RADIUS server to support them. When the user authenticates, the RADIUS server sends a downloadable ACL or ACL name to the ASA. Access to a given service is either permitted or denied by the ACL. The ASA deletes the ACL when the authentication session expires.
In addition to ACLs, the ASA supports many other attributes for authorization and setting of permissions for VPN remote access and firewall cut-through proxy sessions.
The ASA supports the following sets of RADIUS attributes:
Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as an authentication server enforces permissions or attributes if they are configured. These attributes have vendor ID 3076.
Table 35-1 lists the supported RADIUS attributes that can be used for user authorization.
Note RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The ASAs enforce the RADIUS attributes based on attribute numeric ID, not attribute name.
All attributes listed in Table 35-1 are downstream attributes that are sent from the RADIUS server to the ASA except for the following attribute numbers: 146, 150, 151, and 152. These attribute numbers are upstream attributes that are sent from the ASA to the RADIUS server. RADIUS attributes 146 and 150 are sent from the ASA to the RADIUS server for authentication and authorization requests. All four previously listed attributes are sent from the ASA to the RADIUS server for accounting start, interim-update, and stop requests. Upstream RADIUS attributes 146, 150, 151, and 152 were introduced in Version 8.4(3).
Cisco ACS 5.x and Cisco ISE do not support IPv6 framed IP addresses for IP address assignment using RADIUS authentication in Version 9.0(1).
|
|
|
|
Valued |
|
---|---|---|---|---|---|
Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name |
|||||
Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL |
|||||
Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string, if configured. |
|||||
1 = Cisco VPN Client (IKEv1) |
|||||
Sets the group policy for the remote access VPN session. For Versions 8.2.x and later, use this attribute instead of IETF-Radius-Class. You can use one of the following formats: |
|||||
1 = No Modify |
|||||
0 = None |
|||||
1 = Use Client-Configured list |
|||||
Specifies the name of the filter to be pushed to the client as firewall policy |
|||||
Specifies the single default domain name to send to the client (1-255 characters). |
|||||
1 = Required |
|||||
0 = None |
|||||
Specifies the list of secondary domain names to send to the client (1-255 characters). |
|||||
0 = No split tunneling |
|||||
Specifies the name of the network or ACL that describes the split tunnel inclusion list. |
|||||
Bitmap: |
|||||
Comma-delimited string, for example: Engineering, Sales
An administrative attribute that can be used in dynamic access policies. It does not set a group policy. |
|||||
Bitmap: |
|||||
1 = Cisco Systems (with Cisco Integrated Client) |
|||||
1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC) Zone Labs Products: NetworkICE Product: Sygate Products: |
|||||
0 = None Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4. |
|||||
0 = None |
|||||
Name of a Smart Tunnel Auto Signon list appended by the domain name |
|||||
0 = Disabled |
|||||
1 = PPTP |
|||||
1 = Java ActiveX |
|||||
Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com) |
|||||
Enabled if clientless home page is to be rendered through Smart Tunnel. |
|||||
Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443) |
|||||
Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html |
|||||
Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html |
|||||
String name (example, “Corporate-Apps”). This text replaces the default string, “Application Access,” on the clientless portal home page. |
|||||
Name of a Smart Tunnel auto sign-on list appended by the domain name |
|||||
One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels. |
|||||
Table 35-2 lists the supported IETF RADIUS attributes.
|
|
|
|
Valued |
|
For Versions 8.2.x and later, we recommend that you use the Group-Policy attribute (VSA 3076, #25) as described in Table 35-1 : |
|||||
ACL name that is defined on the ASA, which applies only to full tunnel IPsec and SSL VPN clients. |
|||||
These codes are returned if the ASA encounters a disconnect when sending packets:
|
---|
|
|
---|---|
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
This section includes the following topics:
Step 1 Load the ASA attributes into the RADIUS server. The method that you use to load the attributes depends on which type of RADIUS server that you are using:
Step 2 Add a RADIUS server group. See Configuring RADIUS Server Groups.
Step 3 For a server group, add a server to the group. See Adding a RADIUS Server to a Group.
Step 4 (Optional) Specify text to display to the user during the AAA authentication challenge process. See Adding an Authentication Prompt.
If you want to use an external RADIUS server for authentication, authorization, or accounting, you must first create at least one RADIUS server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name.
Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups.
Step 2 In the AAA Server Groups area, click Add.
The Add AAA Server Group dialog box appears.
Step 3 In the Server Group field, enter a name for the group.
Step 4 From the Protocol drop-down list, choose the RADIUS server type.
Step 5 In the Accounting Mode field, click Simultaneous or Single.
In Single mode, the ASA sends accounting data to only one server.
In Simultaneous mode, the ASA sends accounting data to all servers in the group.
Step 6 In the Reactivation Mode field, click Depletion or Timed.
In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive.
In Timed mode, failed servers are reactivated after 30 seconds of down time.
Step 7 If you chose the Depletion reactivation mode, enter a time interval in the Dead Time field.
The Dead Time is the duration of time, in minutes, that elapses between the disabling of the last server in a group and the subsequent re-enabling of all servers.
Step 8 In the Max Failed Attempts field, add the number of failed attempts allowed.
This option sets the number of failed connection attempts allowed before declaring a nonresponsive server to be inactive.
Step 9 (Optional) If you are adding a RADIUS server type, perform the following steps:
a. Check the Enable interim accounting update check box if you want to enable multi-session accounting for clientless SSL and AnyConnect sessions.
b. Check the Enable Active Directory Agent Mode check box to specify the shared secret between the ASA and the AD agent and indicate that a RADIUS server group includes AD agents that are not full-function RADIUS servers. Only a RADIUS server group that has been configured using this option can be associated with user identity.
c. Check the Enable dynamic authorization check box to enable ISE to send Change of Authorization (CoA) RADIUS packets. This enables policy changes made on the ISE to be enforced during the lifetime of the VPN connection.
d. Enter the Dynamic Authorization Port. This is the listening port for RADIUS CoA requests. Typically it is 1700. The valid range is 1 to 65535.
e. Check the Use authorize only mode check box to enable authorize-only mode for the RADIUS server group. When this check box is selected, the common password configured for individual AAA servers is not required and does not need to be configured.
f. Click the VPN3K Compatibility Option down arrow to expand the list, and click one of the following options to specify whether or not a downloadable ACL received from a RADIUS packet should be merged with a Cisco AV pair ACL:
– Place the downloadable ACL after Cisco AV-pair ACL
– Place the downloadable ACL before Cisco AV-pair ACL
The Add AAA Server Group dialog box closes, and the new server group is added to the AAA Server Groups table.
Step 11 In the AAA Server Groups dialog box, click Apply to save the changes to the running configuration.
To add a RADIUS server to a group, perform the following steps:
Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups, and in the AAA Server Groups area, click the server group to which you want to add a server.
The row is highlighted in the table.
Step 2 In the Servers in the Selected Group area (lower pane), click Add.
The Add AAA Server Group dialog box appears for the server group.
Step 3 From the Interface Name drop-down list, choose the interface name on which the authentication server resides.
Step 4 In the Server Name or IP Address field, add either a server name or IP address for the server that you are adding to the group.
Step 5 In the Timeout field, either add a timeout value or keep the default. The timeout is the length of time, in seconds, that the ASA waits for a response from the primary server before sending the request to the backup server.
Step 6 In the ACL Netmask Convert field, specify how you want the ASA to handle netmasks received in downloadable ACLs. Choose from the following options:
Note Because some wildcard expressions are difficult to detect clearly, this setting may misinterpret a wildcard netmask expression as a standard netmask expression.
Step 7 In the Common Password field, specify a case-sensitive password that is common among users who access this RADIUS authorization server through this ASA. Be sure to provide this information to your RADIUS server administrator.
Note For an authentication RADIUS server (rather than authorization), do not configure a common password.
If you leave this field blank, the username is the password for accessing this RADIUS authorization server.
Never use a RADIUS authorization server for authentication. Common passwords or usernames as passwords are less secure than assigning unique user passwords.
Although the password is required by the RADIUS protocol and the RADIUS server, users do not need to know it.
Step 8 If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by unchecking this check box.
Step 9 In the Retry Interval field, specify the length of time, from 1 to 10 seconds, that the ASA waits between attempts to contact the server.
Note The interval between subsequent retries will be always 50ms or 100ms, regardless of the retry-interval settings you have entered. This is the intended behavior.
Step 10 In the Accounting Mode field, click Simultaneous or Single.
In Single mode, the ASA sends accounting data to only one server.
In Simultaneous mode, the ASA sends accounting data to all servers in the group.
Step 11 In the Server Accounting Port field, specify the server port to be used for accounting of users. The default port is 1646.
Step 12 In the Server Authentication Port field, specify the server port to be used for authentication of users. The default port is 1645.
Step 13 In the Server Secret Key field, specify the shared secret key used to authenticate the RADIUS server to the ASA. The server secret that you configure should match the one configured on the RADIUS server. If you do not know the server secret, ask the RADIUS server administrator. The maximum field length is 64 characters.
The Add AAA Server Group dialog box closes, and the AAA server is added to the AAA server group.
Step 15 In the AAA Server Groups pane, click Apply to save the changes to the running configuration.
You can specify the AAA challenge text for HTTP, FTP, and Telnet access through the ASA when requiring user authentication from RADIUS servers. This text is primarily for cosmetic purposes and appears above the username and password prompts that users see when they log in. If you do not specify an authentication prompt, users see the following when authenticating with a RADIUS server:
|
|
---|---|
To add an authentication prompt, perform the following steps:
Step 1 From the Configuration > Device Management > Users/AAA > Authentication Prompt pane, enter text in the Prompt field to add as a message to appear above the username and password prompts that users see when they log in.
The following table shows the allowed character limits for authentication prompts:
|
|
---|---|
Step 2 In the Messages area, add messages in the User accepted message and User rejected message fields.
If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is either accepted or rejected by the RADIUS server.
If the RADIUS server authenticates the user, the ASA displays the User accepted message text, if specified, to the user; otherwise, the ASA displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.
Step 3 Click Apply to save the changes to the running configuration.
To determine whether the ASA can contact a RADIUS server and authenticate or authorize a user, perform the following steps:
Step 1 From the Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups table, click the server group in which the server resides.
The row is highlighted in the table.
Step 2 From the Servers in the Selected Group table, click the server that you want to test.
The row is highlighted in the table.
The Test AAA Server dialog box appears for the selected server.
Step 4 Click the type of test that you want to perform— Authentication or Authorization.
Step 5 In the Username field, enter a username.
Step 6 If you are testing authentication, in the Password field, enter the password for the username.
The ASA sends an authentication or authorization test message to the server. If the test fails, ASDM displays an error message.
To monitor RADIUS servers, see the following panes:
|
|
For additional information related to implementing AAA through RADIUS servers, see RFCs.
|
|
---|---|
Table 35-3 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.