Wireless (General)


What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

  • 1.  What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 17:37
    I am trying to add a Cisco ASA to the NAC appliance for RADIUS Management Access. I started by enabling SNMP between the ASA and NetSight Console. But in order to add the ASA to the NAC appliance, I need to specify a RADIUS attribute to send. What do I need to put?


  • 2.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:10
    Hello Pierre,

    As RADIUS attribute you need only the Service-Type, like:

    Service-Type=%CUSTOM2%

    Correspondingly, I set the Accept Policy to 6 in Custom 2. Please be aware of the setting in the Management Attributes field. You need these settings to get access via GUI and SSH to your ASA.

    As far as I found out, you cannot distinguish the privilege level!

    Best regards
    Stephan





  • 3.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:28
    I could be wrong but after reading this...

    https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

    ...I wonder whether you could use the RADIUS attribute cisco-avpair="shell:priv-lvl=%CUSTOM2%" and then make more than one rule with different Custom 2 values to represent the privilege levels?!

    -Ron


  • 4.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:46
    I'm looking in the drop-down box for the 'RADIUS Attribute to Send' in the NAC. How do I set it to the Service-Type you mentioned?


  • 5.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:55
    Hello Pierre,

    You have to configure the RADIUS attribute to send in the Switch context, and you can create a new attribute group there.



  • 6.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-19-2018 15:36
    Hello all, thanks for the assistance. I'm still having issues getting it to work.

    I configured a new attribute group and set it with Service-Type=%CUSTOM2%. I then did two things: I created a new rule specific for the ASA management access. Then I created a new profile with a new policy mapping to include the instructions that SH provided above. I did this because I had an existing rule and policy mapping that was set for Enterasys and EXOS management access, and I didn't want to break those.

    The issue may lie with the SNMP configuration. It loses connectivity with the ASA intermittently. The ASA SNMP User/Group configuration is confusing.



  • 7.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-25-2018 14:18
    So we got this to work by using the following:

    Service-Type=%CUSTOM2% for the custom RADIUS attribute.

    The Policy mapping is as follows:



    Most of the config work has to be done on the ASA side. I did it using the ASDM. This method allows RADIUS auth to both the ASDM and SSH. Privileged EXEC mode also works. These settings were configured through the ASDM.

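For readers who would rather do the ASA side from the CLI than from ASDM, the following is an added configuration example, not taken from this thread or from any of the posters. It enables RADIUS authentication for SSH, ASDM (HTTP) and enable, and turns on management authorization so that the ASA honors the Service-Type value the appliance returns (6 = Administrative gives full access; other values are restricted or rejected per Cisco's management-authorization documentation). The server-group name NAC-RADIUS, the appliance address 192.0.2.10, the management subnet 10.10.0.0/24 and the user/password placeholders are assumptions; replace them with your own. The LOCAL fallback and the break-glass account are there so that an unreachable NAC appliance does not lock you out of the firewall.

```cisco
! Added example (not the thread's own config). Names, addresses and
! placeholders in angle brackets are hypothetical; substitute your own.

! RADIUS server group pointing at the NAC appliance. Dead-time handling keeps
! a failed server out of rotation instead of stalling every login attempt.
aaa-server NAC-RADIUS protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server NAC-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813

! Management-plane authentication: RADIUS first, LOCAL only if the server
! group is unreachable (LOCAL is not consulted on an Access-Reject).
aaa authentication ssh console NAC-RADIUS LOCAL
aaa authentication http console NAC-RADIUS LOCAL
aaa authentication enable console NAC-RADIUS LOCAL

! Management authorization: make the ASA act on the Service-Type attribute
! returned by the server (6 = Administrative = full access via SSH and ASDM).
! Without this line the returned attribute is ignored.
aaa authorization exec authentication-server

! Break-glass account for the LOCAL fallback. Use a strong password and
! keep the account monitored; it is the one path that bypasses the NAC.
username breakglass password <strong-password> privilege 15

! Restrict where management sessions may come from.
ssh 10.10.0.0 255.255.255.0 inside
http server enable
http 10.10.0.0 255.255.255.0 inside

! Verification from the ASA CLI before relying on it from a fresh session:
!   show aaa-server NAC-RADIUS
!   test aaa-server authentication NAC-RADIUS host 192.0.2.10 username <user> password <pw>
```

The `test aaa-server authentication` command shows whether the appliance returned Access-Accept and which attributes it sent, which is the quickest way to confirm that the Service-Type=6 rule on the NAC side is actually being hit for the ASA rather than for the Enterasys/EXOS rule mentioned earlier in the thread. This example does not assign per-user privilege levels; the thread leaves open whether the NAC can drive those on the ASA via a Cisco AV pair, so test that separately on a lab unit before relying on it.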

  • 8.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:28




  • 9.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:28
    Thanks, I'll see if that can work. I'll report back.


  • 10.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:28
    Hmm Ronald,

    These granular settings you mentioned work with Cisco Prime, where I can switch between different user groups and views, but not with Cisco ASA. Maybe I made a mistake, but the setting I mentioned works for me and my customer, so I did no further investigation 😉.



  • 11.  RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

    Posted 01-17-2018 19:28
    I was just thinking out loud; I never tried it with any Cisco device.