What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Management Access?

I am trying to add a Cisco ASA to the NAC appliance for RADIUS Management Access. I started by enabling SNMP between the ASA and NetSight Console. But in order to add the ASA to the NAC appliance, I need to specify a RADIUS attribute to send. What do I need to put?
Pierre Demassey
Posted 4 months ago

SH
Hello Pierre,

As RADIUS attribute you need only the Service-Type, like:

Service-Type=%CUSTOM2%

Correspondingly, I set the Accept Policy to 6 in Custom 2. Please be aware of the setting in the Management Attributes field. You need these settings to get access via GUI and SSH to your ASA.


As far as I found out, you cannot distinguish the privilege level!

Best regards
Stephan

Ronald Dvorak, Ambassador
I could be wrong but after reading this...

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

...I wonder whether you could use the RADIUS attribute cisco-avpair="shell:priv-lvl=%CUSTOM2%" and then make more than one rule with different Custom 2 values to represent the privilege levels?!

-Ron
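
The two suggestions above (SH's Service-Type=%CUSTOM2% with the Custom 2 field set to 6, and Ron's cisco-avpair "shell:priv-lvl=…" idea) are both just RADIUS attributes in the Access-Accept that the NAC sends back to the ASA. The following Python is an added example, not code from the thread, from Extreme, or from Cisco: it encodes an Access-Accept carrying both attributes exactly as RFC 2865 frames them (Service-Type is attribute 6, and the value 6 is the standard "Administrative-User"; cisco-avpair is Vendor-Specific attribute 26 with Cisco's vendor ID 9 and vendor-type 1), then verifies the Response Authenticator and decodes the attributes the way the NAS side has to before trusting them. The shared secret, the Request Authenticator, the identifier 42 and all function names are constructed for the example. Note that the thread does not confirm the ASA honours priv-lvl (SH reports it did not work for him); the example only shows what the attribute looks like on the wire.

```python
"""Encode, verify and decode a RADIUS Access-Accept that carries the
management-access attributes discussed in the thread.  Standard library only."""
import hashlib
import hmac
import struct

# RFC 2865 packet code and attribute numbers
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6               # RFC 2865 section 5.6
ATTR_VENDOR_SPECIFIC = 26           # RFC 2865 section 5.26
SERVICE_TYPE_ADMINISTRATIVE_USER = 6  # the "6" placed in Custom 2 in the thread
SERVICE_TYPE_NAS_PROMPT_USER = 7
CISCO_VENDOR_ID = 9                 # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                    # Cisco vendor-type 1 = cisco-avpair


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RFC 2865 TLV: type, length (counting these two bytes), value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single TLV")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def service_type(value: int) -> bytes:
    return attribute(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def cisco_avpair(text: str) -> bytes:
    """Vendor-Specific (26) wrapping a Cisco (9) sub-attribute of vendor-type 1."""
    data = text.encode("ascii")
    vsa = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(data)) + data
    return attribute(ATTR_VENDOR_SPECIFIC, vsa)


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attrs: list) -> bytes:
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_auth + body


def verify_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check a NAS performs before acting on any attribute in the reply."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes):
    """Yield (type, value) pairs; reject malformed lengths instead of guessing."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("bad attribute length")
        yield attr_type, packet[pos + 2:pos + length]
        pos += length


def management_access(packet: bytes):
    """Return (service_type, priv_lvl) carried in an Access-Accept; None where absent."""
    svc = None
    priv = None
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_SERVICE_TYPE and len(value) == 4:
            svc = struct.unpack("!I", value)[0]
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR and vlen >= 2:
                text = value[6:4 + vlen].decode("ascii", errors="replace")
                if text.startswith("shell:priv-lvl="):
                    priv = int(text.split("=", 1)[1])
    return svc, priv


# Constructed sample values (not from the thread) so the example is deterministic.
SAMPLE_REQUEST_AUTH = bytes(range(16))
SAMPLE_SECRET = b"example-shared-secret"


def sample_accept(with_priv_lvl: bool) -> bytes:
    """Service-Type=Administrative-User, optionally plus Ron's cisco-avpair."""
    attrs = [service_type(SERVICE_TYPE_ADMINISTRATIVE_USER)]
    if with_priv_lvl:
        attrs.append(cisco_avpair("shell:priv-lvl=15"))
    return build_access_accept(42, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET, attrs)


if __name__ == "__main__":
    pkt = sample_accept(with_priv_lvl=True)
    print(pkt.hex())
    print("authenticator ok:", verify_access_accept(pkt, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
    print("service-type, priv-lvl:", management_access(pkt))
```

The point of keeping the verification step in the example: the Access-Accept is only as trustworthy as the MD5 Response Authenticator keyed with the shared secret, so a weak or shared-everywhere RADIUS secret on the NAC-to-ASA path is what protects the "6" that grants administrative access.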
Pierre Demassey
Thanks, I'll see if that can work.  I'll report back.
SH
Hmm Ronald,

these granular settings you mentioned work with Cisco Prime, and I can switch different user groups and views, but not with Cisco ASA. Maybe I made a mistake, but my mentioned setting works for me and my customer, and so I did no more investigation ;-).
Ronald Dvorak, Ambassador
I was just thinking out loud but never tried it with any C device.
Pierre Demassey
I'm looking in the drop-down box for the 'RADIUS Attribute to Send' in the NAC. How do I set it to the Service-Type you mentioned?
SH
Hello Pierre,

You have to configure the RADIUS attribute to send in the Switch context, and you can create a new attribute group.

Pierre Demassey
Hello all, thanks for the assistance. I'm still having issues getting it to work.

I configured a new attribute group and set it with Service-Type=%CUSTOM2%. I then did 2 things: I created a new rule specific for the ASA access management. Then I created a new profile with a new policy mapping to include the instructions that SH provided above. I did this because I had an existing rule and policy mapping that was set for Enterasys and EXOS access management. I didn't want to break those.

The issue may lie with the SNMP configuration. It loses connectivity with the ASA intermittently. The ASA SNMP User/Group configuration is confusing.
Pierre Demassey
So we got this to work by using the following:

Service-Type=%CUSTOM2% for the custom RADIUS attribute. 

The Policy mapping is as follows:

[policy mapping screenshot not reproduced]

Most of the config work has to be done on the ASA side. I did it using the ASDM. This method allows for RADIUS auth to both the ASDM and SSH. Priv exec mode also works. These settings were configured through the ASDM.