What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?


I am trying to add a Cisco ASA to the NAC appliance for RADIUS Management Access. I started by enabling SNMP between the ASA and NetSight Console. But in order to add the ASA to the NAC appliance, I need to specify a RADIUS attribute to send. What do I need to put?

10 replies

Userlevel 5
Hello Pierre,

as the RADIUS attribute you only need the Service-Type, like:

Service-Type=%CUSTOM2%

Correspondingly, I set the Accept Policy to 6 in Custom 2. Please be aware of the setting in the Management Attributes field. You need these settings to get access via GUI and SSH to your ASA.

As far as I found out you can not distinguish the privilege level!

Best regards
Stephan

Userlevel 7
I could be wrong but after reading this...

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

...I wonder whether you could use the RADIUS attribute "cisco-avpair= "shell:priv-lvl=%CUSTOM2%"" and then make more than one rule with different custom#2 values to represent the privilege levels?!

-Ron
Userlevel 7
Ron wrote:

I could be wrong but after reading this...

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

...I wonder whether you could use the RADIUS attribute "cisco-avpair= "shell:priv-lvl=%CUSTOM2%"" and then make more than one rule with different custom#2 values to represent the privilege levels?!

-Ron

Thanks, I'll see if that can work. I'll report back.
Userlevel 5
Ron wrote:

I could be wrong but after reading this...

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

...I wonder whether you could use the RADIUS attribute "cisco-avpair= "shell:priv-lvl=%CUSTOM2%"" and then make more than one rule with different custom#2 values to represent the privilege levels?!

-Ron

Hmm Ronald,

these granular settings you mentioned work with Cisco Prime, and I can switch between different user groups and views, but not with Cisco ASA. Maybe I made a mistake, but the setting I mentioned works for me and my customer, so I did no further investigation 😉.
Userlevel 7
Ron wrote:

I could be wrong but after reading this...

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

...I wonder whether you could use the RADIUS attribute "cisco-avpair= "shell:priv-lvl=%CUSTOM2%"" and then make more than one rule with different custom#2 values to represent the privilege levels?!

-Ron

I was just thinking out loud but never tried it with any C device.

I'm looking in the drop-down box for the 'RADIUS Attribute to Send' in the NAC. How do I set it to the Service Type you mentioned?
Userlevel 5
Hello Pierre,

you have to configure the RADIUS attribute to send in the Switch context, and you can create a new attribute group there.

Hello all, thanks for the assistance. I'm still having issues getting it to work.

I configured a new attribute group and set it with Service-Type=%CUSTOM2%. I then did 2 things: I created a new rule specific for the ASA access management. Then I created a new profile with a new policy mapping to include the instructions that SH provided above. I did this because I had an existing rule and policy mapping that was set for Enterasys and EXOS access management. I didn't want to break those.

The issue may lie with the SNMP configuration. It loses connectivity with the ASA intermittently. The ASA SNMP User/Group configuration is confusing.

So we got this to work by using the following:

Service-Type=%CUSTOM2% for the custom RADIUS attribute.

The Policy mapping is as follows:

Most of the config work has to be done on the ASA side. I did it using the ASDM. This method allows RADIUS auth to both the ASDM and SSH. Priv exec mode also works. These settings were configured through the ASDM.
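As an added example (not code from the thread or from Extreme/Cisco), the snippet below shows what the NAC's Access-Accept looks like on the wire with Stephan's setting (Service-Type with Custom 2 = 6, which is the RFC 2865 value Administrative) and, for comparison, Ron's cisco-avpair proposal carried as a Cisco Vendor-Specific attribute. It also parses such a packet back, which is handy for checking a capture when management access to the ASA does not work as expected; the packet bytes and the zeroed authenticator are constructed for the example.

```python
import struct

SERVICE_TYPE, VENDOR_SPECIFIC = 6, 26      # RFC 2865 attribute types
ADMINISTRATIVE = 6                          # Service-Type value = Administrative (Custom 2 = 6)
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1        # Cisco VSA: vendor 9, vendor-type 1 = cisco-avpair
ACCESS_ACCEPT = 2

def attr(attr_type, value):
    """Encode one RADIUS attribute: type, length (incl. header), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def cisco_avpair(text):
    """Encode cisco-avpair as a Vendor-Specific attribute (vendor-id, vendor-type, vendor-len, string)."""
    payload = text.encode()
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(payload)) + payload)

def build_accept(ident, authenticator, attrs):
    """Assemble an Access-Accept; a real server puts an MD5 response authenticator here."""
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + authenticator + body

def parse_attrs(packet):
    """Return [(name_or_type, value)] with Service-Type and Cisco VSAs decoded."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    pos, out = 20, []
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + l]
        if t == SERVICE_TYPE:
            out.append(("Service-Type", struct.unpack("!I", value)[0]))
        elif t == VENDOR_SPECIFIC and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            vt, vl = value[4], value[5]
            name = "cisco-avpair" if vt == CISCO_AVPAIR else f"cisco-vsa-{vt}"
            out.append((name, value[6:4 + vl].decode(errors="replace")))
        else:
            out.append((t, value))
        pos += l
    return out

def grants_admin_access(packet):
    """True when the Accept carries Service-Type = Administrative, which the ASA needs for SSH/ASDM."""
    return ("Service-Type", ADMINISTRATIVE) in parse_attrs(packet)

# Constructed sample: Service-Type=6 (Stephan's setting) plus Ron's priv-lvl idea; authenticator is a placeholder.
SAMPLE = build_accept(0x2A, b"\x00" * 16,
                      [attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE)), cisco_avpair("shell:priv-lvl=15")])
```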