Cisco ASA and Multiple Radius groups
adavidm 2005-10-28, 4:54 pm
We are evaluating using cisco ASA and MS IAS radius on some of our firewalls.
We have an IAS server set up to allow access to the VPN, based on AD group
membership. This works fine.
The same firewall has a web server behind it that we would like to
authenticate access to using a different IAS policy.
I have two AAA groups on the Cisco, pointing at the same IAS server, and the
cisco happily submits requests to IAS through the different radius groups for
VPN and Web server access.
The problem is that there appears to be no way of telling IAS that the two
types of requests should be treated differently. I have tried setting up two
radius clients on IAS, both pointing to the same firewall, but the radius
replies always come back from the first client entry in the list (with an
incorrect secret, if they are different).
I thought of telling the cisco to use different ports for the two different
policies, but there is no way of differentiating the requests by port number
on IAS.
Any ideas? My apologies if this post is confusing, it's one of those
problems that's easy to understand but difficult to explain properly.
Regards
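An added illustration of the behaviour described above (not code from the thread or from IAS): a RADIUS server that selects its client entry by source IP alone always signs replies with the first matching entry's secret, so a second aaa-server group on the same firewall with a different secret fails the Response Authenticator check. Addresses, secrets and group names are constructed.

```python
import hashlib
import hmac
import ipaddress

# Constructed client table in the shape the thread describes: two entries for
# the same firewall address with different shared secrets (hypothetical values).
RADIUS_CLIENTS = [
    {"name": "asa-vpn", "address": "192.0.2.10", "secret": b"vpn-secret"},
    {"name": "asa-web", "address": "192.0.2.10", "secret": b"web-secret"},
]

# Secret each aaa-server group on the Cisco side is configured with (constructed).
ASA_GROUPS = {"vpn": b"vpn-secret", "web": b"web-secret"}


def lookup_client(src_ip: str) -> dict:
    """Server-side selection: the first entry whose address matches the datagram's
    source IP wins. Nothing else in the packet (port, attributes) is consulted."""
    for client in RADIUS_CLIENTS:
        if ipaddress.ip_address(client["address"]) == ipaddress.ip_address(src_ip):
            return client
    raise LookupError(f"no RADIUS client entry for {src_ip}")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(src_ip: str, ident: int, request_auth: bytes, attrs: bytes = b"") -> bytes:
    """Build the authenticator of an Access-Accept (code 2), signed with whatever
    secret belongs to the client entry matched by source IP."""
    client = lookup_client(src_ip)
    return response_authenticator(2, ident, attrs, request_auth, client["secret"])


def asa_accepts_reply(group: str, ident: int, request_auth: bytes,
                      reply_auth: bytes, attrs: bytes = b"") -> bool:
    """Client-side check: recompute with the group's own secret and compare."""
    expected = response_authenticator(2, ident, attrs, request_auth, ASA_GROUPS[group])
    return hmac.compare_digest(expected, reply_auth)


def simulate(group: str, src_ip: str = "192.0.2.10", ident: int = 7) -> bool:
    """One request/reply round trip for the named aaa-server group."""
    request_auth = hashlib.md5(f"constructed-{group}".encode()).digest()  # 16 random-ish bytes
    reply_auth = server_reply(src_ip, ident, request_auth)
    return asa_accepts_reply(group, ident, request_auth, reply_auth)
```

The "vpn" group validates because its secret matches the first entry; the "web" group's reply is signed with the wrong secret and is discarded, which is the failure the firewall logs as a bad authenticator.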
Denton B 2005-11-10, 6:03 pm
Did you ever get a working solution for this? I am fighting the same
issue.
adavidm wrote:
> We are evaluating using cisco ASA and MS IAS radius on some of our firewalls.
>
> We have an IAS server set up to allow access to the VPN, based on AD group
> membership. This works fine.
>
> The same firewall has a web server behind it that we would like to
> authenticate access to using a different IAS policy.
>
> I have two AAA groups on the Cisco, pointing at the same IAS server, and the
> cisco happily submits requests to IAS through the different radius groups for
> VPN and Web server access.
>
> The problem is that there appears to be no way of telling IAS that the two
> types of requests should be treated differently. I have tried setting up two
> radius clients on IAS, both pointing to the same firewall, but the radius
> replies always come back from the first client entry in the list (with an
> incorrect secret, if they are different).
>
> I thought of telling the cisco to use different ports for the two different
> policies, but there is no way of differentiating the requests by port number
> on IAS.
>
> Any ideas? My apologies if this post is confusing, it's one of those
> problems that's easy to understand but difficult to explain properly.
>
> Regards
adavidm 2005-11-11, 2:54 am
No,
The best we could come up with was using a different Radius server for the
HTTP authentication. This is fine for now, but very wasteful, and if we ever
need more services authenticated, it will mean more radius servers, which is
ridiculous.
Let me know if you turn anything up, I will reply to the thread here if I
see anything useful.
Cheers
"Denton B" wrote:
> Did you ever get a working solution for this? I am fighting the same
> issue.
>
> adavidm wrote:
>
>