The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure RADIUS servers for AAA and includes the following sections:
The ASA supports the following RFC-compliant RADIUS servers for AAA:
This section includes the following topics:
The ASA supports the following authentication methods with RADIUS servers:
Note To enable MS-CHAPv2 as the protocol used between the ASA and the RADIUS server for a VPN connection, password management must be enabled in the tunnel group general attributes. Enabling password management generates an MS-CHAPv2 authentication request from the ASA to the RADIUS server. See the description of the password-management command for details.
If you use double authentication and enable password management in the tunnel group, then the primary and secondary authentication requests include MS-CHAPv2 request attributes. If a RADIUS server does not support MS-CHAPv2, then you can configure that server to send a non-MS-CHAPv2 authentication request by using the no mschapv2-capable command.
The ASA can use RADIUS servers for user authorization of VPN remote access and firewall cut-through-proxy sessions using dynamic ACLs or ACL names per user. To implement dynamic ACLs, you must configure the RADIUS server to support them. When the user authenticates, the RADIUS server sends a downloadable ACL or ACL name to the ASA. Access to a given service is either permitted or denied by the ACL. The ASA deletes the ACL when the authentication session expires.
In addition to ACLs, the ASA supports many other attributes for authorization and setting of permissions for VPN remote access and firewall cut-through proxy sessions.
The ASA supports the following sets of RADIUS attributes:
Authorization refers to the process of enforcing permissions or attributes. A RADIUS server defined as an authentication server enforces permissions or attributes if they are configured. These attributes have vendor ID 3076.
Table 36-1 lists the supported RADIUS attributes that can be used for user authorization.
Note RADIUS attribute names do not contain the cVPN3000 prefix. Cisco Secure ACS 4.x supports this new nomenclature, but attribute names in pre-4.0 ACS releases still include the cVPN3000 prefix. The ASAs enforce the RADIUS attributes based on attribute numeric ID, not attribute name.
All attributes listed in Table 36-1 are downstream attributes that are sent from the RADIUS server to the ASA except for the following attribute numbers: 146, 150, 151, and 152. These attribute numbers are upstream attributes that are sent from the ASA to the RADIUS server. RADIUS attributes 146 and 150 are sent from the ASA to the RADIUS server for authentication and authorization requests. All four previously listed attributes are sent from the ASA to the RADIUS server for accounting start, interim-update, and stop requests. Upstream RADIUS attributes 146, 150, 151, and 152 were introduced in Version 8.4(3).
Cisco ACS 5.x and Cisco ISE do not support IPv6 framed IP addresses for IP address assignment using RADIUS authentication in Version 9.0(1).
|
|
|
|
Valued |
|
---|---|---|---|---|---|
Possible values: UID, OU, O, CN, L, SP, C, EA, T, N, GN, SN, I, GENQ, DNQ, SER, use-entire-name |
|||||
Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL |
|||||
Banner string to display for Cisco VPN remote access sessions: IPsec IKEv1, AnyConnect SSL-TLS/DTLS/IKEv2, and Clientless SSL. The Banner2 string is concatenated to the Banner1 string, if configured. |
|||||
1 = Cisco VPN Client (IKEv1) |
|||||
Sets the group policy for the remote access VPN session. For Versions 8.2.x and later, use this attribute instead of IETF-Radius-Class. You can use one of the following formats: |
|||||
1 = No Modify |
|||||
0 = None |
|||||
1 = Use Client-Configured list |
|||||
Specifies the name of the filter to be pushed to the client as firewall policy |
|||||
Specifies the single default domain name to send to the client (1-255 characters). |
|||||
1 = Required |
|||||
0 = None |
|||||
Specifies the list of secondary domain names to send to the client (1-255 characters). |
|||||
0 = No split tunneling |
|||||
Specifies the name of the network or ACL that describes the split tunnel inclusion list. |
|||||
Bitmap: |
|||||
Comma-delimited string, for example: Engineering, Sales
An administrative attribute that can be used in dynamic access policies. It does not set a group policy. |
|||||
Bitmap: |
|||||
1 = Cisco Systems (with Cisco Integrated Client) |
|||||
1 = Cisco Intrusion Prevention Security Agent or Cisco Integrated Client (CIC) Zone Labs Products: NetworkICE Product: Sygate Products: |
|||||
0 = None Session Subtype applies only when the Session Type (151) attribute has the following values: 1, 2, 3, and 4. |
|||||
0 = None |
|||||
Name of a Smart Tunnel Auto Signon list appended by the domain name |
|||||
0 = Disabled |
|||||
1 = PPTP |
|||||
1 = Java ActiveX |
|||||
Comma-separated DNS/IP with an optional wildcard (*) (for example *.cisco.com, 192.168.1.*, wwwin.cisco.com) |
|||||
Enabled if clientless home page is to be rendered through Smart Tunnel. |
|||||
Comma-separated DNS/IP:port, with http= or https= prefix (for example http=10.10.10.10:80, https=11.11.11.11:443) |
|||||
Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html |
|||||
Unbounded. For examples, see the SSL VPN Deployment Guide at the following URL: http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html |
|||||
String name (example, “Corporate-Apps”). This text replaces the default string, “Application Access,” on the clientless portal home page. |
|||||
Name of a Smart Tunnel auto sign-on list appended by the domain name |
|||||
One of “e networkname,” “i networkname,” or “a,” where networkname is the name of a Smart Tunnel network list, e indicates the tunnel excluded, i indicates the tunnel specified, and a indicates all tunnels. |
|||||
Table 36-2 lists the supported IETF RADIUS attributes.
|
|
|
|
Valued |
|
For Versions 8.2.x and later, we recommend that you use the Group-Policy attribute (VSA 3076, #25) as described in Table 36-1 : |
|||||
ACL name that is defined on the ASA, which applies only to full tunnel IPsec and SSL VPN clients. |
|||||
These codes are returned if the ASA encounters a disconnect when sending packets:
|
---|
|
|
---|---|
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
This section includes the following topics:
Step 1 Load the ASA attributes into the RADIUS server. The method that you use to load the attributes depends on which type of RADIUS server that you are using:
Step 2 Add a RADIUS server group. See Configuring RADIUS Server Groups.
Step 3 For a server group, add a server to the group. See Adding a RADIUS Server to a Group.
If you want to use an external RADIUS server for authentication, authorization, or accounting, you must first create at least one RADIUS server group per AAA protocol and add one or more servers to each group. You identify AAA server groups by name.
The following example shows how to add one RADIUS group with a single server:
The following example shows how to configure an ISE server object for authorization-only, dynamic authorization (CoA) updates, and hourly periodic accounting:
The following example shows how to configure a tunnel group for password authentication with ISE:
The following example shows how to configure a tunnel group for local certificate validation and authorization with ISE:
To add a RADIUS server to a group, perform the following steps:
The following example shows how to add a RADIUS server to an existing RADIUS server group:
To monitor RADIUS servers,enter one of the following commands:
For additional information related to implementing AAA through RADIUS servers, see RFCs.
|
|
---|---|
Table 36-3 lists each feature change and the platform release in which it was implemented.