topic RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access? in ExtremeWireless (General)

What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Pierre_Demassey — Thu, 18 Jan 2018 01:37:00 GMT

I am trying to add a Cisco ASA to the NAC appliance for RADIUS Management Access. I started by enabling SNMP between the ASA and NetSight Console. But in order to add the ASA to the NAC appliance, I need to specify a RADIUS attribute to send. What do I need to put?

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

StephanH — Thu, 18 Jan 2018 03:10:00 GMT

Hello Pierre,

as Radius attribute you need only the Service-Type like:

Service-Type=%CUSTOM2%

Corresponding I set the Accept Policy to 6 in Custom 2. Please be aware of the setting in the Management Attributes field. You need this settings to get access via GUI and SSH to your ASA.

As far as I found out you can not distinguish the privilege level!

Best regards
Stephan

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Ronald_Dvorak — Thu, 18 Jan 2018 03:28:00 GMT

I could be wrong but after reading this...

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur_c/scfrdat1.html

...I wonder whether you could use RADIUS attribute "cisco-avpair= "shell:priv-lvl=%CUSTOM2%"" and then make more then one rule with different custom#2 values to represent the privilege levels ?!

-Ron

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Ronald_Dvorak — Thu, 18 Jan 2018 03:28:00 GMT

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Pierre_Demassey — Thu, 18 Jan 2018 03:28:00 GMT

Thanks, I'll see if that can work. I'll report back.

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

StephanH — Thu, 18 Jan 2018 03:28:00 GMT

Hmm Ronald,

this granular settings you mentioned works with Cisco Prime and I can switch different user groups and view, but not with Cisco ASA. Maybe I did a mistake but my mentioned setting work for me and my customer and so I did no more investigations .

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Ronald_Dvorak — Thu, 18 Jan 2018 03:28:00 GMT

I was just thinking out loud but never tried it with any C device.

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Pierre_Demassey — Thu, 18 Jan 2018 03:46:00 GMT

I'm looking in the drop-down box for the 'RADIUS Attribute to Send' in the NAC. How do set it to Service Type you mentioned?

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

StephanH — Thu, 18 Jan 2018 03:55:00 GMT

Hello Pierre,

you have to configure the radius attribute to sind in the Switch context and you can create a new attribute group.

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Pierre_Demassey — Fri, 19 Jan 2018 23:36:00 GMT

Hello all, thanks for the assistance. I'm still having issues getting it to work.

I configured a new attribute group and set it with Service-Type=%CUSTOM2%. I then did 2 things: I created a new rule specific for the ASA access management. Then I created a new profile with a new policy mapping to include the instructions that SH provided above. I did this because I had an existing rule and policy mapping that was set for Enterasys and EXOS access management. I didn't want to break those.

The issue may lie with the SNMP configuration. It loses connectivity with the ASA intermittently. The ASA SNMP User/Group configuration is confusing.

RE: What RADIUS attribute to send is needed when adding a Cisco ASA to the NAC appliance for AAA Mangement Access?

Pierre_Demassey — Thu, 25 Jan 2018 22:18:00 GMT

So we got this to work by using the following:

Service-Type=%CUSTOM2% for the custom RADIUS attribute.

The Policy mapping is as follows:

Most of the config work has to be done on the ASA side. I did it using the ASDM. This method allows for RADIUS auth to both the ASMD and SSH. Priv exec mode also works as well. These settings were configured through the ASDM.