Solved

checking ldap user and radius attribute on NAC Authentication

  • 11 January 2021

Hi,

I’m currently on a migration process from Microsoft NPS to Extreme Control.

We have a Cisco ASA as VPN-Gateway.

I will authenticate VPN-Users and Mgmt-Logins.

In the past we separated this with different “called-station-id” values.

Can I realize this with NAC? AFAIK I can’t check/match LDAP-Criteria (LDAP-User-Group) and Radius-Attribute (Radius-User-Group) at the same time.

Or is there a way to realize this?

Best answer by Tomasz 12 January 2021, 15:47

8 replies

PeterK,

Here is a screenshot of how I manage Mgmt logins on Control for ERS/VSP switches.

For the VPN users, you can validate them on the location (originated on the VPN concentrator and User-Groups).

Regards

Mig

Hi Mig,

thanks for your answer, but this does not really help.

Mgmt-Login for XOS Switches is no problem.

I will authenticate users for vpn-login and mgmt-login from the Cisco ASA.

So, the source IP is the same, and I need something to select on. In the ASA we have different values which are sent in the RADIUS request as called-station-id to the NAC.

Hi Peter,

Something is still unclear.

You want to

  1. Authenticate VPN users with authentication requests coming from the ASA
  2. Authenticate admin users logging into the ASA?

If 2 is correct, the authentication request will be different in terms of inbound radius attributes and should be treated as such by Control.

Here is an excerpt of the Control event log for a login on the switches:

This is an administrative request because Calling-Station-Id is not present.

What attributes and values are you checking on your existing system?

Mig

Hi Mig,

thanks for your answer.

I will have both 1 and 2 (not at the same time).

On the current NPS I check:

  • NAS-IP (in both cases the same)
  • the ldap-user-group (different groups, but a user can be a member of both groups)
  • called-station-id (in case of VPN the value is the WAN-IP; in case of mgmt it is the LAN-IP)

But in general, can I check/match/validate LDAP and Radius Information from Radius-Request at the same time?
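As an added illustration (not part of the thread, and not Extreme Control or NPS code), the three NPS conditions listed above evaluated together against a RADIUS Access-Request: NAS-IP, LDAP group membership, and Called-Station-Id. The directory contents, the ASA address and both Called-Station-Id values are constructed placeholders; the example also covers the case Mig mentions, an absent Called-Station-Id treated as management access, and shows why the group alone is not enough when a user is a member of both groups.

```python
"""Combined RADIUS-attribute and LDAP-group policy check (constructed example)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample directory: "peter" is a member of both groups.
LDAP_GROUPS = {
    "peter": {"VPN-Users", "Network-Admins"},
    "alice": {"VPN-Users"},
}

# Constructed placeholder addresses for the ASA and the two called-station-id values.
ASA_NAS_IP = "192.0.2.10"
VPN_CALLED_STATION = "198.51.100.5"   # WAN-side address presented on VPN logins
MGMT_CALLED_STATION = "192.0.2.10"    # LAN-side address presented on management logins


@dataclass(frozen=True)
class Rule:
    name: str
    nas_ip: str
    ldap_group: str
    called_station_id: Optional[str]  # None means the attribute must be absent


# Rules are evaluated in order; the first full match wins, no match means reject.
RULES = [
    Rule("VPN access", ASA_NAS_IP, "VPN-Users", VPN_CALLED_STATION),
    Rule("Management access", ASA_NAS_IP, "Network-Admins", MGMT_CALLED_STATION),
    Rule("Management access", ASA_NAS_IP, "Network-Admins", None),
]


def matching_rule(request: Dict[str, str]) -> Optional[str]:
    """Return the name of the first rule whose RADIUS and LDAP conditions all hold."""
    groups = LDAP_GROUPS.get(request.get("User-Name", ""), set())
    for rule in RULES:
        if request.get("NAS-IP-Address") != rule.nas_ip:
            continue                       # wrong NAS, not this rule
        if rule.ldap_group not in groups:
            continue                       # LDAP condition fails
        if request.get("Called-Station-Id") != rule.called_station_id:
            continue                       # RADIUS attribute condition fails
        return rule.name
    return None


if __name__ == "__main__":
    req = {"User-Name": "peter", "NAS-IP-Address": ASA_NAS_IP,
           "Called-Station-Id": MGMT_CALLED_STATION}
    print(matching_rule(req))  # Management access
```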

Hi Peter,

I don’t think you can match both at the same time because they are both “User-Group” type.

Can you set an empty called-station-id instead of LAN-IP?

If so, Control will treat this as management access.

Mig

Hi Mig, Peter,

just thinking out loud, I suspect it would be possible to use a User Group with LDAP/RADIUS lookups and an End-System Group with LDAP lookups configured in a way that a user is still looked up…?

Hope that helps,

Tomasz

Hi Tomasz,

thanks for that idea.

That would be a very dirty workaround, but it should work.

I will test this. I’m curious how that will look in the End-System View.

Hi Peter,

This idea came to my mind because in the past there were some issues with an LDAP Configuration having both user and computer lookup settings: for computer authentication a separate LDAP Configuration had to be made, with computer-specific attributes and object type in the user lookup fields. I don’t remember why it was so, but if that worked, the opposite should also work. Labels are just labels. ;)

Cheers,

Tomasz
