RADIUS Servers for AAA
This chapter describes how to configure RADIUS servers for AAA and includes the following sections:
Information About RADIUS Servers
The ASA supports the following RFC-compliant RADIUS servers for AAA:
- Cisco Secure ACS 3.2, 4.0, 4.1, 4.2, and 5.x
- Cisco Identity Services Engine (ISE)
- RSA RADIUS in RSA Authentication Manager 5.2, 6.1, and 7.x
- Microsoft
This section includes the following topics:
- Supported Authentication Methods
- User Authorization of VPN Connections
- Supported Sets of RADIUS Attributes
- Supported RADIUS Authorization Attributes
- Supported IETF RADIUS Authorization Attributes
- RADIUS Accounting Disconnect Reason Codes
Supported Authentication Methods
The ASA supports the following authentication methods with RADIUS servers:
- PAP—For all connection types.
- CHAP and MS-CHAPv1—For L2TP-over-IPsec connections.
- MS-CHAPv2—For L2TP-over-IPsec connections, and for regular IPsec remote access connections when the password management feature is enabled. You can also use MS-CHAPv2 with clientless connections.
- Authentication Proxy modes—For RADIUS-to Active-Directory, RADIUS-to-RSA/SDI, RADIUS- to-Token server, and RSA/SDI-to-RADIUS connections,
Note
To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.
If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.
User Authorization of VPN Connections
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic ACLs or ACL names per user. To implement dynamic ACLs, you must configure the RADIUS server to support them. When the user authenticates, the RADIUS server sends a downloadable ACL or ACL name to the ASA. Access to a given service is either permitted or denied by the ACL. The ASA deletes the ACL when the authentication session expires.
In addition to ACLs, the ASA supports many other attributes for authorization and setting of permissions for VPN remote access and firewall cut-through proxy sessions.
Supported Sets of RADIUS Attributes
The ASA supports the following sets of RADIUS attributes:
- Authentication attributes defined in RFC 2138.
- Accounting attributes defined in RFC 2139.
- RADIUS attributes for tunneled protocol support, defined in RFC 2868.
- Cisco IOS Vendor-Specific Attributes (VSAs), identified by RADIUS vendor ID 9.
- Cisco VPN-related VSAs, identified by RADIUS vendor ID 3076.
- Microsoft VSAs, defined in RFC 2548.
- Cisco VSA (Cisco-Priv-Level), which provides a standard 0-15 numeric ranking of privileges, with 1 being the lowest level and 15 being the highest level. A zero level indicates no privileges. The first level (login) allows privileged EXEC access for the commands available at this level. The second level (enable) allows CLI configuration privileges.
Supported RADIUS Authorization Attributes
Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as an authentication server enforces permissions or attributes if they are configured. These attributes have vendor ID 3076.
Table 35-1 lists the supported RADIUS attributes that can be used for user authorization.
Note RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The ASAs enforce the RADIUS attributes based on attribute numeric ID, not attribute name.
All attributes listed in Table 35-1 are downstream attributes that are sent from the RADIUS server to the ASA except for the following attribute numbers: 146, 150, 151, and 152. These attribute numbers are upstream attributes that are sent from the ASA to the RADIUS server. RADIUS attributes 146 and 150 are sent from the ASA to the RADIUS server for authentication and authorization requests. All four previously listed attributes are sent from the ASA to the RADIUS server for accounting start, interim-update, and stop requests. Upstream RADIUS attributes 146, 150, 151, and 152 were introduced in Version 8.4(3).
Cisco ACS 5.x and Cisco ISE do not support IPv6 framed IP addresses for IP address assignment using RADIUS authentication in Version 9.0(1).
|
|
|
|
|
Valued |
|
|---|---|---|---|---|---|
Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name |
|||||
Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL |
|||||
Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string, if configured. |
|||||
1 = Cisco VPN Client (IKEv1) |
|||||
Sets the group policy for the remote access VPN session. For Versions 8.2.x and later, use this attribute instead of IETF-Radius-Class. You can use one of the following formats: |
|||||
1 = No Modify |
|||||
0 = None |
|||||
1 = Use Client-Configured list |
|||||
Specifies the name of the filter to be pushed to the client as firewall policy |
|||||
Specifies the single default domain name to send to the client (1-255 characters). |
|||||
1 = Required |
|||||
0 = None |
|||||
Specifies the list of secondary domain names to send to the client (1-255 characters). |
|||||
0 = No split tunneling |
|||||
Specifies the name of the network or ACL that describes the split tunnel inclusion list. |
|||||
Bitmap: |
|||||
Comma-delimited string, for example: Engineering, Sales
An administrative attribute that can be used in dynamic access policies. It does not set a group policy. |
|||||
Bitmap: |
|||||
1 = Cisco Systems (with Cisco Integrated Client) |
|||||
| 1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC) Zone Labs Products: NetworkICE Product: Sygate Products: |
|||||
0 = None Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4. |
|||||
0 = None |
|||||
Name of a Smart Tunnel Auto Signon list appended by the domain name |
|||||
0 = Disabled |
|||||
1 = PPTP |
|||||
1 = Java ActiveX |
|||||
Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com) |
|||||
Enabled if clientless home page is to be rendered through Smart Tunnel. |
|||||
Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443) |
|||||
Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html |
|||||
Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html |
|||||
String name (example, “Corporate-Apps”). This text replaces the default string, “Application Access,” on the clientless portal home page. |
|||||
Name of a Smart Tunnel auto sign-on list appended by the domain name |
|||||
One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels. |
|||||
Supported IETF RADIUS Authorization Attributes
Table 35-2 lists the supported IETF RADIUS attributes.
|
|
|
|
|
Valued |
|
For Versions 8.2.x and later, we recommend that you use the Group-Policy attribute (VSA 3076, #25) as described in Table 35-1 : |
|||||
ACL name that is defined on the ASA, which applies only to full tunnel IPsec and SSL VPN clients. |
|||||
RADIUS Accounting Disconnect Reason Codes
These codes are returned if the ASA encounters a disconnect when sending packets:
|
|
|---|
Licensing Requirements for RADIUS Servers
|
|
|
|---|---|
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
- You can have up to 100 server groups in single mode or 4 server groups per context in multiple mode.
- Each group can have up to 16 servers in single mode or 4 servers in multiple mode.
- If you need to configure fallback support using the local database, see Fallback Support and the How Fallback Works with Multiple Servers in a Group.
- To prevent lockout from the ASA when using RADIUS authentication, see Recovering from a Lockout.
Configuring RADIUS Servers
This section includes the following topics:
- Task Flow for Configuring RADIUS Servers
- Configuring RADIUS Server Groups
- Adding a RADIUS Server to a Group
- Adding an Authentication Prompt
Task Flow for Configuring RADIUS Servers
Step 1 Load the ASA attributes into the RADIUS server. The method that you use to load the attributes depends on which type of RADIUS server that you are using:
- If you are using Cisco ACS: the server already has these attributes integrated. You can skip this step.
- For RADIUS servers from other vendors (for example, Microsoft Internet Authentication Service): you must manually define each ASA attribute. To define an attribute, use the attribute name or number, type, value, and vendor code (3076).
Step 2 Add a RADIUS server group. See Configuring RADIUS Server Groups.
Step 3 For a server group, add a server to the group. See Adding a RADIUS Server to a Group.
Step 4 (Optional) Specify text to display to the user during the AAA authentication challenge process. See Adding an Authentication Prompt.
Configuring RADIUS Server Groups
If you want to use an external RADIUS server for authentication, authorization, or accounting, you must first create at least one RADIUS server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name.
Detailed Steps
Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups.
Step 2 In the AAA Server Groups area, click Add.
The Add AAA Server Group dialog box appears.
Step 3 In the Server Group field, enter a name for the group.
Step 4 From the Protocol drop-down list, choose the RADIUS server type.
Step 5 In the Accounting Mode field, click Simultaneous or Single.
In Single mode, the ASA sends accounting data to only one server.
In Simultaneous mode, the ASA sends accounting data to all servers in the group.
Step 6 In the Reactivation Mode field, click Depletion or Timed.
In Depletion mode, failed servers are reactivated only after all of the servers in the group are inactive.
In Timed mode, failed servers are reactivated after 30 seconds of down time.
Step 7 If you chose the Depletion reactivation mode, enter a time interval in the Dead Time field.
The Dead Time is the duration of time, in minutes, that elapses between the disabling of the last server in a group and the subsequent re-enabling of all servers.
Step 8 In the Max Failed Attempts field, add the number of failed attempts allowed.
This option sets the number of failed connection attempts allowed before declaring a nonresponsive server to be inactive.
Step 9 (Optional) If you are adding a RADIUS server type, perform the following steps:
a. Check the Enable interim accounting update check box if you want to enable multi-session accounting for clientless SSL and AnyConnect sessions.
b. Check the Enable Active Directory Agent Mode check box to specify the shared secret between the ASA and the AD agent and indicate that a RADIUS server group includes AD agents that are not full-function RADIUS servers. Only a RADIUS server group that has been configured using this option can be associated with user identity.
c. Check the Enable dynamic authorization check box to enable ISE to send Change of Authorization (CoA) RADIUS packets. This enables policy changes made on the ISE to be enforced during the lifetime of the VPN connection.
d. Enter the Dynamic Authorization Port. This is the listening port for RADIUS CoA requests. Typically it is 1700. The valid range is 1 to 65535.
e. Check the Use authorize only mode check box to enable authorize-only mode for the RADIUS server group. When this check box is selected, the common password configured for individual AAA servers is not required and does not need to be configured.
f. Click the VPN3K Compatibility Option down arrow to expand the list, and click one of the following options to specify whether or not a downloadable ACL received from a RADIUS packet should be merged with a Cisco AV pair ACL:
– Place the downloadable ACL after Cisco AV-pair ACL
– Place the downloadable ACL before Cisco AV-pair ACL
The Add AAA Server Group dialog box closes, and the new server group is added to the AAA Server Groups table.
Step 11 In the AAA Server Groups dialog box, click Apply to save the changes to the running configuration.
Adding a RADIUS Server to a Group
To add a RADIUS server to a group, perform the following steps:
Detailed Steps
Step 1 Choose Configuration > Device Management > Users/AAA > AAA Server Groups, and in the AAA Server Groups area, click the server group to which you want to add a server.
The row is highlighted in the table.
Step 2 In the Servers in the Selected Group area (lower pane), click Add.
The Add AAA Server Group dialog box appears for the server group.
Step 3 From the Interface Name drop-down list, choose the interface name on which the authentication server resides.
Step 4 In the Server Name or IP Address field, add either a server name or IP address for the server that you are adding to the group.
Step 5 In the Timeout field, either add a timeout value or keep the default. The timeout is the length of time, in seconds, that the ASA waits for a response from the primary server before sending the request to the backup server.
Step 6 In the ACL Netmask Convert field, specify how you want the ASA to handle netmasks received in downloadable ACLs. Choose from the following options:
- Detect automatically—The ASA attempts to determine the type of netmask expression used. If the ASA detects a wildcard netmask expression, the ASA converts it to a standard netmask expression.
Note Because some wildcard expressions are difficult to detect clearly, this setting may misinterpret a wildcard netmask expression as a standard netmask expression.
- Standard—The ASA assumes downloadable ACLs received from the RADIUS server contain only standard netmask expressions. No translation from wildcard netmask expressions is performed.
- Wildcard—The ASA assumes downloadable ACLs received from the RADIUS server contain only wildcard netmask expressions, and it converts them all to standard netmask expressions when the ACLs are downloaded.
Step 7 In the Common Password field, specify a case-sensitive password that is common among users who access this RADIUS authorization server through this ASA. Be sure to provide this information to your RADIUS server administrator.
Note For an authentication RADIUS server (rather than authorization), do not configure a common password.
If you leave this field blank, the username is the password for accessing this RADIUS authorization server.
Never use a RADIUS authorization server for authentication. Common passwords or usernames as passwords are less secure than assigning unique user passwords.
Although the password is required by the RADIUS protocol and the RADIUS server, users do not need to know it.
Step 8 If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by unchecking this check box.
Step 9 In the Retry Interval field, specify the length of time, from 1 to 10 seconds, that the ASA waits between attempts to contact the server.
Note The interval between subsequent retries will be always 50ms or 100ms, regardless of the retry-interval settings you have entered. This is the intended behavior.
Step 10 In the Accounting Mode field, click Simultaneous or Single.
In Single mode, the ASA sends accounting data to only one server.
In Simultaneous mode, the ASA sends accounting data to all servers in the group.
Step 11 In the Server Accounting Port field, specify the server port to be used for accounting of users. The default port is 1646.
Step 12 In the Server Authentication Port field, specify the server port to be used for authentication of users. The default port is 1645.
Step 13 In the Server Secret Key field, specify the shared secret key used to authenticate the RADIUS server to the ASA. The server secret that you configure should match the one configured on the RADIUS server. If you do not know the server secret, ask the RADIUS server administrator. The maximum field length is 64 characters.
The Add AAA Server Group dialog box closes, and the AAA server is added to the AAA server group.
Step 15 In the AAA Server Groups pane, click Apply to save the changes to the running configuration.
Adding an Authentication Prompt
You can specify the AAA challenge text for HTTP, FTP, and Telnet access through the ASA when requiring user authentication from RADIUS servers. This text is primarily for cosmetic purposes and appears above the username and password prompts that users see when they log in. If you do not specify an authentication prompt, users see the following when authenticating with a RADIUS server:
|
|
|
|---|---|
To add an authentication prompt, perform the following steps:
Step 1 From the Configuration > Device Management > Users/AAA > Authentication Prompt pane, enter text in the Prompt field to add as a message to appear above the username and password prompts that users see when they log in.
The following table shows the allowed character limits for authentication prompts:
|
|
|
|---|---|
Step 2 In the Messages area, add messages in the User accepted message and User rejected message fields.
If the user authentication occurs from Telnet, you can use the User accepted message and User rejected message options to display different status prompts to indicate that the authentication attempt is either accepted or rejected by the RADIUS server.
If the RADIUS server authenticates the user, the ASA displays the User accepted message text, if specified, to the user; otherwise, the ASA displays the User rejected message text, if specified. Authentication of HTTP and FTP sessions displays only the challenge text at the prompt. The User accepted message and User rejected message text are not displayed.
Step 3 Click Apply to save the changes to the running configuration.
Testing RADIUS Server Authentication and Authorization
To determine whether the ASA can contact a RADIUS server and authenticate or authorize a user, perform the following steps:
Step 1 From the Configuration > Device Management > Users/AAA > AAA Server Groups > AAA Server Groups table, click the server group in which the server resides.
The row is highlighted in the table.
Step 2 From the Servers in the Selected Group table, click the server that you want to test.
The row is highlighted in the table.
The Test AAA Server dialog box appears for the selected server.
Step 4 Click the type of test that you want to perform— Authentication or Authorization.
Step 5 In the Username field, enter a username.
Step 6 If you are testing authentication, in the Password field, enter the password for the username.
The ASA sends an authentication or authorization test message to the server. If the test fails, ASDM displays an error message.
Monitoring RADIUS Servers
To monitor RADIUS servers, see the following panes:
|
|
|
Additional References
For additional information related to implementing AAA through RADIUS servers, see RFCs.
RFCs
|
|
|
|---|---|
Feature History for RADIUS Servers
Table 35-3 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.
Feedback