Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Anyconnect user authorization in ASA through RADIUS

Status
Not open for further replies.

rahulprat

Technical User
Jan 31, 2012
6
US
Hi all,

My requirement is to setup RADIUS authentication and authorization using Any connect client in ASA 6.2 (ASDM 8.0, 5200).

I have successfully setup the user authentication through anyconnect VPN client. This user resides in AD,and the validation of username,password and OTP(security code) happens in RADIUS server.(This RADIUS server is configured to use AD as user store).Here is how i have done it:
IN ASA,
1) Created a server group and added RADIUS as the server in it.Configured the RADIUS settings.
2) Created an IP pool.
3) Created a group policy.
4) Created an any connect connection profile by providing the AAA server, IP pool, group policy details.
As of now, when i launch any connect client and provide the username,password (here its a combination of password + OTP) and select the group(connection profile),authentication is successful and an IP from the pool gets assigned to the client. I can see the ACCESS GRANTED logs in the RADIUS Server.
But my question here is how do i perform the user authorization in ASA 5520 after a successful user authentication through any connect client.I would like to do it in this way:
A user who belongs to a certain group should only be allowed to login by selecting the group(connection profile). Any other user who belongs to a different group shouldn't be allowed to login by selecting the same connection profile.As of now any user in AD can login using any connect by selecting the group and entering the right credentials.Basically i would like to know, how do i perform a LDAP-RADIUS group mapping in ASA.
Any help on this would be really grateful to me.

Thanks.
 
Hi Andy,

Thanks for the reply, but i have already gone through these links, but its specific to LDAP attribute mapping with Cisco attributes.

After a successful LDAP to Cisco attribute map, you can add it in the LDAP attribute map field in LDAP AAA server.
The same doesn't work if we add a RADIUS AAA server as there isn't any option to provide the attribute map to a RADIUS server.

I have already provided an LDAP to RADIUS attribute map in the RADIUS Server. In the RADIUS Server, i provided LDAP mapping attribute as "MemberOf" and RADIUS attribute as "Class" (25).
But how do i do this LDAP to RADIUS mapping in ASA (OR) how does ASA recognize this mapping, such that a user from a specific group can only login and access his resources. Any other user in a different group shouldn't login using the same connection profile.

If required i can provide you with specific screen shots of my configuration.

Thanks,
Rahul.
 
Hi, Authentication and Authorisation can be separate. This is what I am doing. Authentication is via RADIUS, however Authorisation is via LDAP. In the connection profile advanced settings you can specify an Authorisation Server Group and a checkbox to force authorisation.

Andy
 
Hi,

I completely agree with you. But what im doing here is, we already have a RADIUS Server which is configured with an user store AD/LDAP.
In the RADIUS Server, we specify the LDAP details like user DN, base DN, port, IP.Once user store has been configured in RADIUS Server, we create a validation server (RADIUS)by providing details like shared secret,Local IP and while creating this we do a LDAP attribute to RADIUS attribute mapping. If its successfully mapped it would return the value present in the LDAP attribute.
EG: If we map RADIUS attribute "CLASS" to LDAP attribute "Department", and if the mapping is successful, it would return a value something as "Employee" which is present in the Department field.

So, we dont have to add an LDAP AAA Server into ASA and specify it in the connection profile -> Advanced -> Authorization field, as RADIUS server internally talks to the LDAP Server for validating 'username + password' which is considered as the first factor.
The second factor validation i.e, username + OTP is done by the RADIUS Server.
As far as the authorization is considered it depends on what attributes the RADIUS Server fetches for that user from LDAP, based on the mapping.
So, i think we will have to extend the LDAP scheme by creating an LDIF file which would contain the Cisco VPN concentrator class attributes by importing this LDIF into LDAP Server.
Not sure whether im rite or whether this would work.

 
Hi,

Figured out a way to achieve authorization through RADIUS in ASA.
Under configuration -> Dynamic access policy, you can add a policy which would map a RADIUS attribute to LDAP attribute.

For EG: In DAP, create an attribute mapping by mapping RADIUS class attribute i.e, 25 (here it accepts only attribute values) with LDAP attribute value HR/Finance (this is the value present in the LDAP attribute Department). As we have already mapped RADIUS - LDAP (class - Department) map in the RADIUS server, in DAP we will have to use the same attribute map.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top