NPAS: How do I use Cisco ASA RADIUS attribute 146?

We have a Cisco ASA 5520 running firmware 8.4.5 and are using it for AnyConnect SSL VPN.  We are using Microsoft Network Policy and Access Services (NPAS) as a RADIUS server to handle authentication requests coming from the ASA.
We have three tunnel groups configured on the ASA, and have three Active Directory security groups that correspond with each one.  At this time, we are using Cisco's vendor-specific RADIUS attribute 85 (tunnel-group-lock) to send back to the ASA a string
that corresponds to a policy rule in NPAS based on the matched group membership.  This works in the sense that each user can only be a member of one of the three AD security groups used for VPN, and if they pick a tunnel group in the AnyConnect client
that doesn't correspond to them, the ASA doesn't set up the session for them.
Well, Cisco added vendor-specific RADIUS attribute 146 (tunnel-group-name) in firmware 8.4.3.  This is an *upstream* attribute, and is one that is sent by the ASA to the RADIUS server.  We would like to use this attribute in our policies in NPAS
to help with policy matching.  By doing this, we could allow people to be in more than one VPN group and select more than one of the tunnel groups in the AnyConnect client, each of which may provide different network access.
The question becomes, how can I use this upstream RADIUS attribute in my policy conditions?  I tried putting it in the policy in the Vendor-Specific section under Policies (the same place where we had attribute 85 defined), but this doesn't work. 
These are just downstream attributes that the NPAS server sends back to the RADIUS client (the ASA).  The ASA seems to ignore attribute 146 if it is sent back in this manner and the result is that the first rule that contains a group the user is a member
of is matched and authentication is successful.  This is undesirable, because it means the person could potentially select a tunnel group and successfully authenticate even though that isn't what we desire.
Here is Cisco's documentation that describes these attributes: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/ref_extserver.html

Philippe:
Thank you for the response, but I am already aware how to use Cisco's group-lock or tunnel-group-lock with RADIUS and, in fact, we are already using tunnel-group-lock (attribute 85).
Using tunnel-group-lock works in the sense that you have three RADIUS policies and three AD security groups (one per tunnel group configured on the ASA).  Each AD group basically is designed to map to a specific tunnel group.  Each RADIUS policy
contains vendor-specific attribute 85 with the name of the tunnel group.  So when you connect and attempt authentication through NPAS, it goes down the RADIUS policies until the conditions match (in this case the conditions are the source RADIUS client
- the ASA - and membership in a particular AD security group), it determines if your authentication attempt is successful, and if so it sends the tunnel group name back to the ASA.  If the tunnel group name matches the one associated to the user group
you selected from the list in the AnyConnect client, a VPN tunnel is established.  Otherwise, the ASA rejects the connection attempt.
Frankly, tunnel-group-lock works fine so long as it is only necessary for a given individual to need to connect to only a single tunnel group.  If there is a need for an individual to be able to use two out of the three or all three tunnel groups in
order to gain different access, using tunnel-group-lock or group-lock won't work.  This is because the behavior will be when the RADIUS server processes the policies, the first one in the list that has the AD security group that the user is a member of
will be matched and the tunnel group name associated with that policy will be sent back to the ASA every time.  If that name doesn't match the one they picked, the tunnel will not be established.  This will happen every time if the tunnel group is
associated with the second or third AD group they are a member of in terms of order in the NPAS policy list.
Group-lock (attribute 25) works similarly.  In such a case, the result won't be a failure to connect if the user group chosen is associated with the second or third AD group in the policy list; rather, it will just always send the ASA the first group
name and the ASA will establish the session but always apply the same policy to the client rather than the desired one.
We upgraded to firmware 8.4.5 on our ASA 5520 specifically so that we could make use of attribute 146 (tunnel-group-name).  Since this is an upstream attribute sent by the ASA to the RADIUS server (rather than something sent by the RADIUS server
to the ASA as part of the authentication response), we were hoping to be able to use it as an additional condition in the NPAS policies.  In this way, people could be members of more than one of the AD security groups related to VPN at a time.  The
problem is, I just do not know how to leverage it in the NPAS policy conditions or if it is even possible.
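The two matching behaviours described in the question and the follow-up (first-match with tunnel-group-lock versus matching on the tunnel group the ASA reports upstream), as an added example that is not part of the original thread and not Cisco or Microsoft code. It assumes Cisco's RADIUS vendor ID 9 and the vendor-type/vendor-length VSA layout from RFC 2865; the user, AD group and tunnel-group names are constructed.

```python
import struct

# RADIUS attribute types (RFC 2865) and the Cisco VSA sub-types discussed on the page.
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9           # assumption: Cisco's IANA private enterprise number
VSA_TUNNEL_GROUP_LOCK = 85    # downstream: RADIUS server -> ASA
VSA_TUNNEL_GROUP_NAME = 146   # upstream: ASA -> RADIUS server


def plain_attr(attr_type, value):
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_vsa(subtype, value):
    """Encode one Cisco VSA using the vendor-type/vendor-length layout of RFC 2865 5.26."""
    inner = struct.pack("!BB", subtype, 2 + len(value)) + value
    return plain_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def parse_attributes(payload):
    """Walk the attribute TLVs of an Access-Request; collect User-Name and vendor sub-attributes."""
    found = {"user_name": None, "vsa": {}}
    pos = 0
    while pos + 2 <= len(payload):
        attr_type, length = payload[pos], payload[pos + 1]
        if length < 2 or pos + length > len(payload):
            raise ValueError("malformed RADIUS attribute length")
        value = payload[pos + 2:pos + length]
        if attr_type == ATTR_USER_NAME:
            found["user_name"] = value.decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            sub = value[4:]
            while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
                found["vsa"][(vendor, sub[0])] = sub[2:sub[1]].decode()
                sub = sub[sub[1]:]
        pos += length
    return found


# Ordered NPAS policy list: (AD security group, tunnel group). Constructed names.
POLICIES = [("VPN-Sales", "Sales-TG"), ("VPN-Eng", "Eng-TG"), ("VPN-Admin", "Admin-TG")]


def decide_tunnel_group_lock(user_groups, selected_tg):
    """Attribute-85 flow: the first policy whose AD group matches wins and its tunnel
    group goes back in the Access-Accept; the ASA compares it with what the user
    picked in AnyConnect and drops the session on a mismatch."""
    for ad_group, tg in POLICIES:
        if ad_group in user_groups:
            return tg == selected_tg      # ASA-side lock check
    return False


def decide_with_tunnel_group_name(user_groups, payload):
    """Attribute-146 flow the poster wants: the tunnel group the ASA reports upstream
    is an extra policy condition, so a member of several VPN groups hits the right policy."""
    attrs = parse_attributes(payload)
    reported_tg = attrs["vsa"].get((CISCO_VENDOR_ID, VSA_TUNNEL_GROUP_NAME))
    for ad_group, tg in POLICIES:
        if ad_group in user_groups and tg == reported_tg:
            return True
    return False


# Constructed Access-Request attribute payload from an ASA for a user who chose Eng-TG.
SAMPLE_REQUEST = plain_attr(ATTR_USER_NAME, b"jdoe") + cisco_vsa(VSA_TUNNEL_GROUP_NAME, b"Eng-TG")
MULTI_GROUP_USER = {"VPN-Sales", "VPN-Eng"}
```

With the sample request, the tunnel-group-lock flow rejects jdoe's choice of Eng-TG (the first-listed VPN-Sales policy wins), while matching on the reported tunnel-group-name accepts it.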

Similar Messages

  • Firewalling vlans on Catalyst 6500 by using Cisco ASA Firewalls

    Hello,
    How to secure vlans on Catalyst 6500 by using Cisco ASA Firewalls?
    There are no free modules on Catalyst 6500 to install a FWSM module.
    What is the best configuration to secure vlans (~80 vlans) by using Cisco ASA firewalls (context, hairpinning...)?
    Thanks

    Hi Bro
    Just to understand your question once again, you don't have any more available slots in your present Cat6K, but you want to know how to secure your VLANs or SVIs that have been configured in your Cat6K?
    If you were to ask me, I would not apply a bunch of ACLs in the Cat6K, for starters. You might wanna look into COPP (Control Plane Policing) instead. Furthermore you could also refer to this Cisco document http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00801b49a4.shtml
    However, if you do have Cisco ASA FW appliance (not module, I presume from your question), you could enable ACLs, threat-detection feature, IP Audit features, reverse-path policing, capping of the embryonic values etc.
    P/S: If you think this comment is useful, please do rate them nicely :-)

  • Dear All, I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me. Thanks Vijay

    Dear All,
    I'm using Cisco ASA 5505 Firewall and I want the email alert from my Firewall if the CPU increase more than 70 %. Is it possible, Please help me.
    Thanks
    Vijay

    Hi Vijay,
    It can be done, but you need some network management software. I personally don't think you can ask your ASA to send mails. The ASA can trigger an alert to an SNMP-configured server which will in turn send mail to you.
    HTH,

  • How to determine the IPS throughput using Cisco ASA 5500 IPS Solution?

    Hello there!
    I've been designing a solution to protect the Server Farm and I intend to use the ASA 5500 series with AIP-SSM module. Is there any tool to determine the real throughput that I need? I mean, how to determine the performance (Firewall + IPS throughput), what main points should I consider?

    If the server farm is running production levels of traffic today you can get statistics off a variety of networking devices passing the existing traffic. Switches, routers and firewalls all count every byte of traffic they pass. There are plenty of tools that can gather this traffic into tables via SNMP too, such as MRTG.
    Do not average your traffic over too great a time period, or you will miss busy hour peaks. At most, use 5 min averages.
    - Bob

  • How do I use Cisco Registered Email Service with 10.7?

    I received an email via someone using Cisco Registered Email/Envelope Service.  The authentication process required the latest version of JAVA for 10.7, which I downloaded and installed.  When I try to logon, the screen hangs with the message "Loading Envelope Tools."  If I press "open" again it states "Inactive tools."  The alternate method is to open the mail via a secure Web site, which I can open, but I am unable to download attachments.  To download attachments, I am directed to a page that begins with "x-msg:" and I get a message that says: "Safari can't open the address ... because Mac OS X doesn't recognize Internet Addresses starting with "x-msg:""

    Thanks for the info Roger, this indeed did work for me (at least the part about signing in on apple.com, haven't tried the rest). Since Apple does not allow for the merging of Apple IDs, my plan is to use the old me.com address (from the free trial) with iCloud but then forward all the messages from the old me.com to my current Apple ID. Problem is all my devices are already associated with iCloud. So... if I want to activate iCloud using the old me.com, how do I do it?
    I have two ideas: 1) as you suggest, signing out and signing back in through the iCloud preference pane (either on Mac OS or iOS); but I'm worried this will have consequences - will I be able to sign back in to my main Apple ID account after doing this?
    2) create a new user on my Mac and then sign in to iCloud with the old me.com address there, then delete the account.
    Thanks for any help with this.

  • How do I use Cisco MARS to monitor two ASA (active/stby) with IPS modules?

    Hi
    The two ASAs with IPS modules are in active/standby mode. When I try to add both IPs (active/standby) into MARS, MARS complains about duplicated hostnames.
    How to setup MARS to monitor ASA with IPS with active standby topology?
    Thanks!

    Hi,
    The fundamental problem with this scenario is that you have non-failover capable modules in a failover chassis - think of the ASA failover pair as one device and the IPS modules as two completely separate devices.
    Then, as already mentioned, add only the primary ASA. (The secondary will never be passing traffic in standby mode so it's not actually needed in MARS) Then, with the first IPS module you can add it as a module of the ASA or as a standalone device (MARS doesn't care). With the second IPS module the only option is to add it as a separate device anyway.
    In a failover scenario the ASAs swap IPs but the IPSes don't, so whereas you'll only ever get messages from the active ASA, you'll get messages from both IPS IPs depending on which one happens to be in the active ASA at the time.
    Don't forget that you have to manually replicate all IPS configuration every time you make a change.
    HTH
    Andrew.

  • How to identify used AP in RADIUS Accounting

    We are using 5508 WLC with 3602 APs.
    Looks like in RADIUS Authentication Called-Station-Id is the MAC address of the AP,
    but in RADIUS Accounting Called-Station-Id is the MAC address of the WLC.
    How can we change that behaviour so that Called-Station-Id will always be the MAC address of the AP?
    Or is there some other way to identify the actual AP to which the user is connected?
    Regards
    Timo

    Hmm, I did some trial and error and solved the problem.
    On the WLC, go to Security > AAA > RADIUS > Authentication and set the Call Station ID Type to "AP MAC Address:SSID". Even though that seems to be for RADIUS Authentication, it changes the Called-Station-Id also for RADIUS Accounting.
    Thx anyway
    Timo

  • How to easily bring Cisco ASA back into failover.

    We had two ASAs that were never upgraded so I decided to upgrade them.  However the failover was never turned off.  If I copy the config off the one ASA to the other and bring both back online will this take care of the issue or will I need to re-do the config on both the primary unit and the secondary unit?

    Hello,
    1) First thing is to keep up to date with the Cisco vulnerabilities announcements to check whether your box is not compliant, etc.
    Use Scanning tools like NMAP,ZEN-MAP, Veracode, etc.
    Use Dictionary attacks to determine whether you can hack into the Device.
    Etc,etc.
    2) To audit the ASA well
    Check the ACLs (make sure they are as specific as possible) Show run access-list
    Make sure a failover cluster is in place (show failover)
    Make sure traffic not desired is denied (packet-tracer tool)
    Make sure you are sending logs to a syslog server for further audit stuff.( show run logging)
    Check the Authentication ,Authorization and Accounting variables (show run aaa)
    Etc
    3) Change the ACLs to satisfy your needs. Being more specific is always more secure.
    access-list outside_inside permit tcp any host 4.2.2.2
    to
    access-list outside_inside permit tcp any host 4.2.2.2 eq 80 (In the case of a HTTP server)
    4) Always check release-notes and Cisco vulnerabilities announcements
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • How do I use Cisco Anyconnect?

    I'm not sure if this is the right place for this.
    My work has provided Cisco Anyconnect to access their network. I'm able to download and install successfully but once I establish the connection, then what? I'm connected but nothing seems to happen. How do I actually access my work's network? Do I need to connect to a server (Using Go/Connect to a server...)?
    Thanks

    All Anyconnect does is connect you to your work's network. Once you've established a connection, you should have access to work resources (servers, desktops, printers) by connecting to them as you would if you were at your office.
    If there are any special connection requirements to use your work resources, you would need to contact the I/T people at your workplace.

  • How do I use Cisco MARS to monitor two FWSMs in two Cat6500 in failover ?

    Hello,
    I understand that I can add both Catalysts to MARS and that I can add the primary FWSM as a module to the primary Catalyst as well. But how can I add the secondary FWSM?
    Any ideas appreciated
    Thanks

    If you have already configured the primary, you don't have to configure the secondary. It is not recommended to do so; in case of a failover the secondary firewall will automatically take over the active configuration (e.g. IP address) of the primary, so the source of the syslogs will remain the same.

  • How can we use the fields "Product Attribute" -sales org2 in material master

    give me any simple scenario/ example where you can use the above field
    Thanks in advance
    Jaya Ho
    regds

    Hi Sunitha,
    This prevents customers from buying products that they are not allowed or do not want.
    For Example,
    Say Product Attribute 1 = FAT content above 30%.
    And Material 100001 has Fat content above 30%... So you mark Prod Attribute 1 in material master.
    Now you need to mark "Prod Attribute 1" in the customer master (Ship to Party) who does not want to buy materials which have Fat content above 30%.....
    Say you marked Prod Attribute 1 for Customer XXXXX.... and trying to create Sales order for this customer with material 100001... You will get the message as per Sales Doc Type settings.
    So now the system will give you an Error/ Warning/No message as per setting done in Sales Doc Type - Product Attribute message field in VOV8.
    Hope this will be helpful to you...
    Muthu
    Edited by: Muthupandiyan C on Mar 4, 2009 8:09 PM

  • Web Filtering Cisco ASA 5510

    Hello !
    I'm a network administrator, and I have been looking at how to set up web filtering in a network. We are using a Cisco ASA 5510 as a firewall and I have been looking for a way to block URLs such as Facebook and streaming web sites, since users are allowed to access any website and they have been downloading stuff lately and I can't control the bandwidth!!
    What do you guys recommend!
    Thanks

    Hi Neji,
    Here you have all the content security options available on the ASA. I think only the CX doesn't apply to your HW but the other options are available.
    Block URLs using Regular Expressions (Regex)
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
    CSC module:
    http://www.cisco.com/en/US/products/ps6823/index.html
    How to enable the CSC module:
    http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/ssm.html
    ASA CX module (ASA 5512,5525,5545,5545,5555)
    http://www.cisco.com/en/US/docs/security/asa/quick_start/cx/cx_qsg.html
    Scansafe:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/scansafe.html
    Configuration Cisco Cloud Web Security
    http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/protect_cloud_web_security.html#wp1559223
    Ironport:
    http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/ironport.html
    How to integrate the ASA with Ironport (WCCP):
    https://supportforums.cisco.com/docs/DOC-12623
    HTH
    Luis Silva
    "If you need PDI (Planning, Design, Implement) assistance feel free to reach"
    http://www.cisco.com/web/partners/tools/pdihd.html

  • Unable to find out asdm image file cisco asa

    Hello,
    I am using Cisco ASA in the GNS3 simulator and am unable to find the ASDM image or .bin file in ASA flash. If it is not there, how can I upload the ASDM image onto the ASA flash?
    Please help me out

    Follow this:
    http://www.xerunetworks.com/2012/03/asa-84-asdm-on-gns3-step-by-step-guide/
    For Networking Posts check my blog at http://laguiadelnetworking.com/
    Cheers,
    Julio Carvajal Segura

  • Cisco ASA 5505 as VPN client

    Hello all thanks for looking,
    I need to know how to set up my Cisco ASA 5505 as a VPN client to services like HMA or privateinternet and other paid VPN services. If someone else has already written a guide to this then that would be great. What I want to do is route all my secure traffic through the ASA and have it go across the internet as encrypted VPN stuff and have my other stuff that does not need to be encrypted just go through to my other router.
    Thanks in advance,

    If your remote end of the services in question support IPsec IKEv1 as the VPN type then, yes - the 5505 can be a client for that service. At that point it looks like a regular LAN-LAN VPN which is documented in many Cisco and 3rd party how-to documents.

  • Azure multiple site-to-site VPNs (dynamic gateway) with Cisco ASA devices

    Hello
    I've been experimenting with moving certain on-premise servers to Azure however they would need a site-to-site VPN link to our many branch sites e.g. monitoring of nodes.
    The documentation says I need to configure a dynamic gateway to have multiple site-to-site VPNs. This is not a problem for our typical Cisco ISRs. However three of our key sites use Cisco ASA devices which are listed as 'Not Compatible' with dynamic routing.
    So I am stuck...
    What options are available to me? Is there any sort of tweak-configuration to make a Cisco ASA work with Azure and dynamic routing?
    I was hoping Azure's VPN solution would be very flexible.
    Thanks

    Hello RTF_Admin,
    1. Which is the Series of CISCO ASA device you are using?
    Thank you for your interest in Windows Azure. The Dynamic routing is not supported for the Cisco ASA family of devices.
    Unfortunately, a dynamic routing VPN gateway is required for Multi-Site VPN, VNet to VNet, and Point-to-Site.
    However, you should be able to set up a site-to-site VPN with a Cisco ASA 5505 series security appliance as demonstrated in this blog:
    Step-By-Step: Create a Site-to-Site VPN between your network and Azure
    http://blogs.technet.com/b/canitpro/archive/2013/10/09/step-by-step-create-a-site-to-site-vpn-between-your-network-and-azure.aspx
    You can refer to this article for Cisco ASA templates for Static routing:
    http://msdn.microsoft.com/en-us/library/azure/dn133793.aspx
    If your requirement is only for Multi-Site VPN then there is no option but to upgrade the device, as Multi-Site VPN requires dynamic routing and unfortunately there is no tweak or workaround due to the hardware compatibility issue.
    I hope that this information is helpful
    Thanks,
    Syed Irfan Hussain
