
Understanding External Easy VPN Authorization
Posted by Petr Lapukhov, 4xCCIE/CCDE in VPN, May 18, 2009
8 Comments

In this blog post we are going to review and compare the ways in which IOS and ASA Easy VPN servers perform ezVPN attribute authorization via RADIUS. The information on these procedures is scattered among the documentation and technology examples, so I thought it would be helpful to put the things together.

To begin with, let's establish some sort of equivalence between the IOS and ASA terminology. Even though ASA inherited most of its VPN configuration concepts from the VPN 3000 platform, it is still possible to find similarities between the IOS and the ASA configurations. Recall that IOS ezVPN configuration defines the local ezVPN group policy by means of the crypto isakmp client configuration group command. This could be viewed as a rough equivalent to the ASA's group-policy type internal command, though the ASA's command scope is much broader. IOS ISAKMP profiles could be viewed as an equivalent to the ASA's tunnel-group command defining a connection profile.

Landing an Incoming Connection

Both IOS and ASA platforms attempt to match an incoming IPSec connection against the ISAKMP profiles/tunnel-groups defined in the system (we do not consider the legacy IOS scenarios without ISAKMP profiles defined). You may find the description of the procedure used by the ASA firewalls here: Understanding how ASA Firewall Matches tunnel-group Names. IOS routers use a similar procedure, which is somewhat simplified when using just ezVPN clients. As you know, a typical ezVPN client will either

a) Use IKE Aggressive Mode with the ID_KEY_ID identity type, which specifies the ezVPN group name
b) Or use IKE Main Mode with digital certificates and the ID_DER_ASN1_DN identity type, which specifies the user's Distinguished Name.

In the first case, the IOS router will match the group name against the match identity statements of the ISAKMP profiles configured in the system and associate the connection with the configuration group specified by client configuration group. In the second case, either the group name is derived from the OU field of the subject's DN or certificate maps are used to map the names in the certificate to an ISAKMP profile. Additionally, you may use certificate maps associated with ISAKMP profiles by means of the command match certificate to map the incoming identity to an ISAKMP profile.
Enabling External Authorization

In IOS, you define the ISAKMP authorization type by assigning an appropriate AAA authorization list to the group using the command isakmp authorization list. In the ASA, if you want the group to be authorized externally, you need to define the group-policy as external, associating it with an AAA server group and assigning a password, e.g. group-policy EZVPN_GROUP external server-group RADIUS password CISCO. The IOS routers allow you to pull the group pre-shared key from the RADIUS server when the client uses PSK authentication. This is not possible with the ASA firewall, as the key is statically defined under the respective tunnel-group. In addition to external group authorization, both IOS and ASA firewall may enable external Xauth authentication/authorization. In the IOS router, this is done by using the ISAKMP profile command client authentication list referencing the AAA list that points to an AAA server. In the ASA firewall you enable external Xauth authentication by means of the tunnel-group ipsec-attributes command authentication-server-group referencing the AAA server group linked to an external server. It is important to notice that both group authorization and Xauth authentication may pull down groups of RADIUS attributes from the AAA server. The attributes are then merged and conflicts resolved to form the final authorization set.

RADIUS Authorization with IOS

Here is a step-by-step description of the RADIUS authorization process in the IOS routers. First of all, notice that the group profile stored in the RADIUS server is a regular user with the name matching the ezVPN group name and the password value of cisco. All the policy attributes are stored as Cisco AV-pairs associated with the user.

Step 1:

This step is needed for pre-shared key authentication. The router extracts the group name from the IKE message.
This could be simply a group name (ID_KEY_ID) or the OU field value from a digital certificate. Using this name and the password value of cisco, the router authenticates with the RADIUS server and pulls down a number of attributes. The most important attribute is the pre-shared key used by the router to authenticate the remote peer. Naturally, the digital signatures authentication process does not use this value. The profile stored in the RADIUS server should define at the very least the following IETF RADIUS attributes:

Service-Type=Outbound to define the type of service.
Tunnel-Type=IP ESP to define the IPSec tunnel.
Tunnel-Password= defines the pre-shared key for the group, if PSK authentication is used. You don't need this attribute for digital signatures authentication.

In addition to the above IETF RADIUS attributes, the following two Cisco AV-Pairs must be defined for the group:

ipsec:tunnel-type=ESP
ipsec:key-exchange=IKE

All other optional ezVPN attributes are defined by means of Cisco AV-Pairs using the syntax ipsec:, for example ipsec:addr-pool=ADDRESS_POOL, ipsec:default-domain=INE.com and so on. This is in contrast with the ASA firewall, which uses specific RADIUS attributes (Altiga set).

Step 2:

If the respective option is configured under the ISAKMP profile, the router starts Xauth for the remote user. If the user should be authenticated against the RADIUS server, the router will use the name and password provided for authentication. As a result, the RADIUS server will return a number of attributes associated with the user. At this step the router compares the av-pair ipsec:user-vpn-group attribute value (if present) with the IKE group name and aborts the connection if they don't match. This is the newer implementation of the well-known Group Lock feature.
Step 3:

The router once again authenticates with the RADIUS server using the group name and the password value of cisco. This is needed as the attributes learned on Step 1 may have been lost during the previous steps, and we need them now to authorize ISAKMP configuration mode requests. The router combines all attributes learned from the RADIUS server in the following order of preference:

a) User attributes
b) Group attributes

That is, any attribute missing from the User attributes is filled in with the Group attributes, and the user attributes override the group attributes.

To summarize: the IOS router downloads the group policy from the AAA server using the group name and the password of cisco. The profile is retrieved to perform the group authentication process as well as to perform group authorization. All policy settings are stored using Cisco AV-Pairs ipsec:*.

Debugging Output for IOS RADIUS Policy Download

The following is the output of the command debug crypto isakmp for the remote ezVPN client connecting to an IOS router configured for RADIUS authorization. The process starts with the remote client (IP 136.1.100.200) starting the IKE AM exchange with the server.


```
ISAKMP (0:0): received packet from 136.1.100.200 dport 500 sport 1419 Global (N) NEW SA
ISAKMP: Created a peer struct for 136.1.100.200, peer port 1419
ISAKMP: New peer created peer = 0x83F035D4 peer_handle = 0x8000000B
ISAKMP: Locking peer struct 0x83F035D4, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 1419
insert sa successfully sa = 82F100E8
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing ID payload. message ID = 0
ISAKMP (0:0): ID payload
        next-payload : 13
        type         : 11
        group id     : EZVPN
        protocol     : 17
        port         : 500
        length       : 13
```

The peer advertises the group name EZVPN as its ID. The router finds a matching ezVPN profile for this connection.

```
ISAKMP:(0):: peer matches EZVPN profile
ISAKMP:(0):Setting client config settings 83C36734
ISAKMP:(0):(Re)Setting client xauth list
ISAKMP/xauth: initializing AAA request
AAA/BIND(00000015): Bind i/f
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 215 mismatch
ISAKMP:(0): vendor ID is XAUTH
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is DPD
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): processing IKE frag vendor id payload
ISAKMP:(0): Support for IKE Fragmentation not enabled
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID is Unity
ISAKMP:(0): Authentication by xauth preshared
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 256
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
...
ISAKMP:(0):Checking ISAKMP transform 10 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP:      auth XAUTHInitPreShared
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x20 0xC4 0x9B
ISAKMP:(0):atts are acceptable. Next payload is 3
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:2147483
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
```

The SA policy has been selected, and the router performs the DH key exchange now. At this moment the router attempts to pull down the group attributes in order to perform peer authentication, using the pre-shared key stored in the RADIUS database. Notice the username used for authentication: it matches the group name.

```
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0): vendor ID is NAT-T v2
AAA/AUTHOR (0x15): Pick method list 'AUTHOR_RADIUS'
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH
ISAKMP:(0):Old State = IKE_READY  New State = IKE_R_AM_AAA_AWAIT

RADIUS/ENCODE(0000002F):Orig. component type = VPN_IPSEC
RADIUS:  AAA Unsupported Attr: interface         [174] 11
RADIUS:   31 33 36 2E 31 2E 31 30 30              [136.1.100]
RADIUS(0000002F): Config NAS IP: 150.1.3.3
RADIUS/ENCODE(0000002F): acct_session_id: 45
RADIUS(0000002F): sending
RADIUS(0000002F): Send Access-Request to 10.0.0.100:1645 id 1645/50, len 97
RADIUS:  authenticator 58 56 FD AE 5B DF 91 24 9D C5 51 CC 7B F0 60 05
RADIUS:  User-Name           [1]   7   "EZVPN"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Calling-Station-Id  [31]  15  "136.1.100.200"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   0
RADIUS:  NAS-Port-Id         [87]  13  "136.1.100.3"
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   150.1.3.3
```

The server returns an ACCESS-ACCEPT message along with the authorization attributes. Notice the AV pair values.

```
RADIUS: Received from id 1645/50 10.0.0.100:1645, Access-Accept, len 145
RADIUS:  authenticator 29 27 57 5D AF 05 4A C2 B4 DE F0 05 4A 78 52 51
RADIUS:  Vendor, Cisco       [26]  29
RADIUS:   Cisco AVpair       [1]   23  "ipsec:addr-pool=EZVPN"
RADIUS:  Vendor, Cisco       [26]  32
RADIUS:   Cisco AVpair       [1]   26  "ipsec:inacl=SPLIT_TUNNEL"
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
RADIUS:  Tunnel-Password     [69]  21  01:*
RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
RADIUS:  Class               [25]  25
RADIUS:   43 41 43 53 3A 30 2F 31 38 37 35 65 2F 39 36 30  [CACS:0/1875e/960]
RADIUS:   31 30 33 30 33 2F 30                              [10303/0]
RADIUS(0000002F): Received from id 1645/50
ISAKMP:(1023): constructed NAT-T vendor-02 ID
```

The server finally authenticates the group and sends a response packet.

```
ISAKMP:(1023):SA is doing pre-shared key authentication plus XAUTH using id type ID_IPV4_ADDR
ISAKMP (0:1023): ID payload
        next-payload : 10
        type         : 1
        address      : 136.1.100.3
        protocol     : 0
        port         : 0
        length       : 12
ISAKMP:(1023):Total payload length: 12
ISAKMP:(1023): sending packet to 136.1.100.200 my_port 500 peer_port 1604 (R) AG_INIT_EXCH
ISAKMP:(1023):Sending an IKE IPv4 Packet.
ISAKMP:(1023):Input = IKE_MESG_FROM_AAA, PRESHARED_KEY_REPLY
ISAKMP:(1023):Old State = IKE_R_AM_AAA_AWAIT  New State = IKE_R_AM2
```

Now the server requests Xauth credentials from the remote peer.

```
ISAKMP:(1023):Need XAUTH
ISAKMP: set new node 1195294443 to CONF_XAUTH
ISAKMP/xauth: request attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: request attribute XAUTH_USER_PASSWORD_V2
ISAKMP:(1023): initiating peer config to 136.1.100.200. ID = 1195294443
ISAKMP:(1023): sending packet to 136.1.100.200 my_port 500 peer_port 1604 (R) CONF_XAUTH
ISAKMP:(1023):Sending an IKE IPv4 Packet.
ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_XAUTH_REQ_SENT

ISAKMP (0:1023): received packet from 136.1.100.200 dport 500 sport 1604 Global (R) CONF_XAUTH
ISAKMP:(1023):processing transaction payload from 136.1.100.200. message ID = 1195294443
ISAKMP: Config payload REPLY
ISAKMP/xauth: reply attribute XAUTH_USER_NAME_V2
ISAKMP/xauth: reply attribute XAUTH_USER_PASSWORD_V2
```

The credentials are sent to the RADIUS server for authentication.

```
AAA/AUTHEN/LOGIN (00000030): Pick method list 'AUTH_RADIUS'
ISAKMP:(1023):deleting node 1195294443 error FALSE reason "Done with xauth request/reply exchange"
ISAKMP:(1023):Input = IKE_MESG_FROM_PEER, IKE_CFG_REPLY
ISAKMP:(1023):Old State = IKE_XAUTH_REQ_SENT  New State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT

RADIUS/ENCODE(00000030):Orig. component type = VPN_IPSEC
RADIUS:  AAA Unsupported Attr: interface         [174] 11
RADIUS:   31 33 36 2E 31 2E 31 30 30              [136.1.100]
RADIUS/ENCODE(00000030): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
RADIUS(00000030): Config NAS IP: 150.1.3.3
RADIUS/ENCODE(00000030): acct_session_id: 46
RADIUS(00000030): sending
RADIUS(00000030): Send Access-Request to 10.0.0.100:1645 id 1645/51, len 91
RADIUS:  authenticator 45 51 AD B1 9F 57 60 0E 6D 75 24 37 CD 23 DC 9D
RADIUS:  User-Name           [1]   7   "CISCO"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Calling-Station-Id  [31]  15  "136.1.100.200"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   0
RADIUS:  NAS-Port-Id         [87]  13  "136.1.100.3"
RADIUS:  NAS-IP-Address      [4]   6   150.1.3.3
```

The response contains the user-vpn-group attribute with the value of EZVPN.

```
RADIUS: Received from id 1645/51 10.0.0.100:1645, Access-Accept, len 85
RADIUS:  authenticator 48 5E 75 29 58 1D DC 53 42 FB 1F 5C 35 12 24 22
RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
RADIUS:  Vendor, Cisco       [26]  34
RADIUS:   Cisco AVpair       [1]   28  "ipsec:user-vpn-group=EZVPN"
RADIUS:  Class               [25]  25
RADIUS:   43 41 43 53 3A 30 2F 31 38 37 35 66 2F 39 36 30  [CACS:0/1875f/960]
RADIUS:   31 30 33 30 33 2F 30                              [10303/0]
RADIUS(00000030): Received from id 1645/51
ISAKMP: set new node 1673765102 to CONF_XAUTH
ISAKMP:(1023): initiating peer config to 136.1.100.200. ID = 1673765102
ISAKMP:(1023): sending packet to 136.1.100.200 my_port 500 peer_port 1604 (R) CONF_XAUTH
ISAKMP:(1023):Sending an IKE IPv4 Packet.
ISAKMP:(1023):Input = IKE_MESG_FROM_AAA, IKE_AAA_CONT_LOGIN
ISAKMP:(1023):Old State = IKE_XAUTH_AAA_CONT_LOGIN_AWAIT  New State = IKE_XAUTH_SET_SENT
```

The client now requests configuration attributes, and configuration mode proceeds as usual.

```
ISAKMP: Config payload REQUEST
ISAKMP:(1023):checking request:
ISAKMP:    IP4_ADDRESS
ISAKMP:    IP4_NETMASK
ISAKMP:    IP4_DNS
ISAKMP:    IP4_NBNS
ISAKMP:    ADDRESS_EXPIRY
ISAKMP:    MODECFG_BANNER
ISAKMP:    MODECFG_SAVEPWD
ISAKMP:    DEFAULT_DOMAIN
ISAKMP:    SPLIT_INCLUDE
ISAKMP:    SPLIT_DNS
ISAKMP:    PFS
ISAKMP:    MODECFG_BROWSER_PROXY
ISAKMP:    BACKUP_SERVER
ISAKMP:    APPLICATION_VERSION
ISAKMP:    FW_RECORD
ISAKMP:    MODECFG_HOSTNAME
ISAKMP:    CONFIG_MODE_UNKNOWN Unknown Attr: 0x7005

AAA/AUTHOR (0x30): Pick method list 'AUTHOR_RADIUS'
ISAKMP/author: Author request for group EZVPNsuccessfully sent to AAA
ISAKMP:(1023):Input = IKE_MESG_FROM_PEER, IKE_CFG_REQUEST
ISAKMP:(1023):Old State = IKE_P1_COMPLETE  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT

RADIUS/ENCODE(00000030):Orig. component type = VPN_IPSEC
RADIUS:  AAA Unsupported Attr: interface         [174] 11
RADIUS:   31 33 36 2E 31 2E 31 30 30              [136.1.100]
RADIUS(00000030): Config NAS IP: 150.1.3.3
RADIUS/ENCODE(00000030): acct_session_id: 46
RADIUS(00000030): sending
ISAKMP:(1023):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1023):Old State = IKE_CONFIG_AUTHOR_AAA_AWAIT  New State = IKE_CONFIG_AUTHOR_AAA_AWAIT
```

The router once again authenticates the group name with the RADIUS server. This time, it looks for the authorization attributes to prepare a response to the client.

```
RADIUS(00000030): Send Access-Request to 10.0.0.100:1645 id 1645/52, len 103
RADIUS:  authenticator D5 03 85 B5 36 F4 30 D5 1A 12 E3 DE DA A5 5E 10
RADIUS:  User-Name           [1]   7   "EZVPN"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Calling-Station-Id  [31]  15  "136.1.100.200"
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  NAS-Port            [5]   6   0
RADIUS:  NAS-Port-Id         [87]  13  "136.1.100.3"
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   150.1.3.3

RADIUS: Received from id 1645/52 10.0.0.100:1645, Access-Accept, len 145
RADIUS:  authenticator 0B 8B BA 22 EB DF BF 31 56 5A 30 EB C0 7B 77 FA
RADIUS:  Vendor, Cisco       [26]  29
RADIUS:   Cisco AVpair       [1]   23  "ipsec:addr-pool=EZVPN"
RADIUS:  Vendor, Cisco       [26]  32
RADIUS:   Cisco AVpair       [1]   26  "ipsec:inacl=SPLIT_TUNNEL"
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  Tunnel-Type         [64]  6   01:ESP                    [9]
RADIUS:  Tunnel-Password     [69]  21  01:*
RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
RADIUS:  Class               [25]  25
RADIUS:   43 41 43 53 3A 30 2F 31 38 37 36 30 2F 39 36 30  [CACS:0/18760/960]
RADIUS:   31 30 33 30 33 2F 30                              [10303/0]
RADIUS(00000030): Received from id 1645/52
ISAKMP:(1023):attributes sent in message:
        Address: 0.2.0.0
```

After this, the negotiations proceed as usual, finishing with the establishment of the IPSec SA.

RADIUS Authorization with ASA

The steps below are shown in the logical sequence, and we'll discuss the actual flow of RADIUS requests after the outline. Unlike the IOS router, the firewall stores the group profile using a custom password. You specify this password when configuring the group-policy as external. The policy attributes are specified using a special set of Altiga RADIUS attributes. The ASA firewall extended this set by adding new names and deprecating some older configuration options.

Step 1:

The firewall accepts the incoming connection and maps it to a local tunnel-group. Once the tunnel-group is found, the group-policy name associated with this tunnel-group is extracted. If the policy is locally configured, the firewall already has all authorization attributes on hand. If the policy is external, the firewall uses the policy name and the policy authentication password to contact the remote server, i.e. the RADIUS host. If the authentication was successful, the server returns the authorization attributes and the firewall stores them locally.

Step 2:

If the tunnel-group requires user authentication, it prompts the user for Xauth credentials. Once the user enters them, the firewall authenticates the user using the configured server group (local or remote).

2.1) If user authentication is performed locally, the firewall obtains the authorization attributes from the user settings (username attributes). Additionally, there could be a group-policy associated with the user (user-specific group-policy). If the policy is local, the attributes are immediately available. If the policy is external, the firewall again authenticates with the remote AAA server, using the policy name and the configured password. In case of successful authentication, the remote server will return the authorization attributes.

2.2) If user authentication is performed externally, the firewall queries the remote AAA server. If the authentication was successful, a number of authorization attributes is returned. Among them, there could be the IETF RADIUS attribute number 25 named Class. This attribute value must be in the format OU=Policy_Name; (OU in upper case, string terminated by a semicolon). The firewall parses this RADIUS attribute value (if any) and uses the Policy_Name to find a group-policy. This group-policy is user-specific, and in turn may be either local or external. If the policy is external, it is in turn downloaded from the remote server.

Step 3:

Now the firewall combines all attributes learned at Step 1 and Step 2. User-specific attributes (values associated with the user locally or in the AAA server) take preference over the user group-policy (the group-policy associated with the user either locally or via the RADIUS Class attribute). The user-specific group-policy settings take precedence over the group-policy associated with the tunnel-group. Lastly, the attributes defined in the default system group-policy (DfltGrpPolicy) are used to fill in the gaps.

As usual, the group profiles stored in the RADIUS server are regular users. However, unlike the IOS case, you may set any password you want for these users, and specify the same password in the ASA configuration. Keep in mind that the ASA firewall uses the same set of RADIUS attributes as the VPN 3000 appliance did (there are some incompatibilities though). You may find the full listing of the attributes in the ASA firewall VPN configuration guide appendix here: Configuring an External Server for Security Appliance User Authorization.

Now, the actual order used by the firewall to authorize the settings is a bit different. First, the RADIUS server is not queried until the client returns the Xauth credentials. At this point, the firewall authenticates the Xauth user, possibly querying the external server. If the user attributes contain the Class attribute among them, the firewall may query the AAA server for the group-policy attributes (if the policy is not local). Only after this, the appliance will ultimately authorize the group-policy defined in the tunnel-group with the RADIUS server. This sequence is different from the one used in IOS routers, because IOS may need RADIUS attributes for ISAKMP authentication, i.e. to download the group pre-shared key. This is why IOS queries the AAA server in the very beginning of the IKE exchange.

A few words about the Group Lock feature in the ASA firewall. The ASA firewall uses a special Altiga RADIUS attribute called Tunnel-Group-Lock. This attribute specifies the name of the tunnel group that the user is allowed to log into. The attribute is similar to the User-VPN-Group attribute used in IOS routers. Notice that this differs from the Group Lock feature used previously in VPN 3000 appliances.

Debugging Output for ASA RADIUS Policy Download

Now let's have a look at the RADIUS debugging output for the remote user connecting to the ASA firewall configured as an ezVPN server. The following output is the result of two debugging commands: debug radius all and debug crypto isakmp 10. The first packet from the client starts the IKE AM exchange as usual. The connection lands on the tunnel-group EZVPN and the firewall finds a matching policy entry. Everything else proceeds as usual, until the moment of Phase 1.5.

```
[IKEv1]: IP = 136.1.100.200, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + KE (4) + NONCE (10) + ID (5) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 849
[IKEv1 DEBUG]: IP = 136.1.100.200, processing SA payload
[IKEv1 DEBUG]: IP = 136.1.100.200, processing ke payload
[IKEv1 DEBUG]: IP = 136.1.100.200, processing ISA_KE payload
[IKEv1 DEBUG]: IP = 136.1.100.200, processing nonce payload
[IKEv1 DEBUG]: IP = 136.1.100.200, processing ID payload
[IKEv1 DEBUG]: IP = 136.1.100.200, processing VID payload
[IKEv1 DEBUG]: IP = 136.1.100.200, Received xauth V6 VID
[IKEv1 DEBUG]: IP = 136.1.100.200, processing VID payload
[IKEv1 DEBUG]: IP = 136.1.100.200, Received DPD VID
[IKEv1 DEBUG]: IP = 136.1.100.200, processing VID payload
[IKEv1 DEBUG]: IP = 136.1.100.200, Received Fragmentation VID
[IKEv1 DEBUG]: IP = 136.1.100.200, IKE Peer included IKE fragmentation capability flags:  Main Mode:        True  Aggressive Mode:  False
[IKEv1 DEBUG]: IP = 136.1.100.200, processing VID payload
[IKEv1 DEBUG]: IP = 136.1.100.200, Received NAT-Traversal ver 02 VID
[IKEv1 DEBUG]: IP = 136.1.100.200, processing VID payload
[IKEv1 DEBUG]: IP = 136.1.100.200, Received Cisco Unity client VID
[IKEv1]: IP = 136.1.100.200, Connection landed on tunnel_group EZVPN
[IKEv1 DEBUG]: Group = EZVPN, IP = 136.1.100.200, processing IKE SA payload
[IKEv1 DEBUG]: Group = EZVPN, IP = 136.1.100.200, IKE SA Proposal # 1, Transform # 10 acceptable  Matches global IKE entry # 1
```

Now the firewall starts the Xauth transactions. The client responds with credentials, and the firewall attempts authentication with the RADIUS server. The firewall sends the name XAUTH_USER along with the password of CISCO.

```
[IKEv1]: IP = 136.1.100.200, IKE_DECODE SENDING Message (msgid=cdc0c17f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 68
[IKEv1]: IP = 136.1.100.200, IKE_DECODE RECEIVED Message (msgid=cdc0c17f) with payloads : HDR + HASH (8) + ATTR (14) + NONE (0) total length : 87

RADIUS packet decode (authentication request)

Raw packet data (length = 160).....
01 00 00 a0 df 2c f5 8a fb 18 71 56 d7 c4 ad e2    |  .....,....qV....
73 30 a9 2e 01 0c 58 41 55 54 48 5f 55 53 45 52    |  s0....XAUTH_USER
02 12 a7 99 79 db cb 12 41 fb bc 53 30 b2 60 b7    |  ....y...A..S0.`.
ae bb 05 06 00 00 f0 00 06 06 00 00 00 02 07 06    |  ................
00 00 00 01 1e 0e 31 33 36 2e 31 2e 31 32 33 2e    |  ......136.1.123.
31 32 1f 0f 31 33 36 2e 31 2e 31 30 30 2e 32 30    |  12..136.1.100.20
30 3d 06 00 00 00 05 42 0f 31 33 36 2e 31 2e 31    |  0=.....B.136.1.1
30 30 2e 32 30 30 04 06 88 01 7b 0c 1a 24 00 00    |  00.200....{..$..
00 09 01 1e 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  ....ip:source-ip
3d 31 33 36 2e 31 2e 31 30 30 2e 32 30 30 0d a2    |  =136.1.100.200..
```

The server responds, and you can see the RADIUS Class attribute in the response. Notice that the response also contains the IP address 20.0.0.100 to be assigned to the client.

```
RADIUS packet decode (response)

Raw packet data (length = 71).....
02 00 00 47 2e 49 12 20 d5 49 31 ca 26 b5 a8 68    |  ...G.I. .I1.&..h
8a f6 c7 2e 08 06 14 00 00 64 19 10 4f 55 3d 45    |  .........d..OU=E
5a 56 50 4e 5f 55 53 45 52 3b 19 1d 43 41 43 53    |  ZVPN_USER;..CACS
3a 30 2f 31 38 63 37 36 2f 38 38 30 31 37 62 30    |  :0/18c76/88017b0
63 2f 36 31 34 34 30                               |  c/61440

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 0 (0x00)
Radius: Length = 71 (0x0047)
Radius: Vector: 2E491220D54931CA26B5A8688AF6C72E
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 20.0.0.100 (0x14000064)
Radius: Type = 25 (0x19) Class
Radius: Length = 16 (0x10)
Radius: Value (String) =
4f 55 3d 45 5a 56 50 4e 5f 55 53 45 52 3b          |  OU=EZVPN_USER;
Radius: Type = 25 (0x19) Class
Radius: Length = 29 (0x1D)
Radius: Value (String) =
43 41 43 53 3a 30 2f 31 38 63 37 36 2f 38 38 30    |  CACS:0/18c76/880
31 37 62 30 63 2f 36 31 34 34 30                   |  17b0c/61440
rad_procpkt: ACCEPT
```

Now the firewall parses the Class attribute and extracts the group-policy name EZVPN_USER. Since this policy is defined as external, another request is made to the AAA server. The server responds with the attributes corresponding to this group-policy.

```
RADIUS packet decode (authentication request)

Raw packet data (length = 160).....
01 01 00 a0 cf 5c 65 3a eb 48 e1 06 c7 f4 1d 92    |  .....\e:.H......
63 60 19 de 01 0c 45 5a 56 50 4e 5f 55 53 45 52    |  c`....EZVPN_USER
02 12 31 26 3f 4c 0c 58 cb 9b 20 ab 48 76 d8 70    |  ..1&?L.X.. .Hv.p
a3 03 05 06 00 00 00 00 06 06 00 00 00 02 07 06    |  ................
00 00 00 01 1e 0e 31 33 36 2e 31 2e 31 32 33 2e    |  ......136.1.123.
31 32 1f 0f 31 33 36 2e 31 2e 31 30 30 2e 32 30    |  12..136.1.100.20
30 3d 06 00 00 00 05 42 0f 31 33 36 2e 31 2e 31    |  0=.....B.136.1.1
30 30 2e 32 30 30 04 06 88 01 7b 0c 1a 24 00 00    |  00.200....{..$..
00 09 01 1e 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  ....ip:source-ip
3d 31 33 36 2e 31 2e 31 30 30 2e 32 30 30 a7 a0    |  =136.1.100.200..

RADIUS packet decode (response)

Raw packet data (length = 101).....
02 01 00 65 b7 d9 60 2d 8f a5 a4 cd 1c bb 76 1e    |  ...e..`-......v.
d3 44 00 ba 1a 19 00 00 0c 04 1b 13 53 50 4c 49    |  .D..........SPLI
54 5f 54 55 4e 4e 45 4c 5f 55 53 45 52 1a 0c 00    |  T_TUNNEL_USER...
00 0c 04 37 06 00 00 00 01 1a 0d 00 00 0c 04 55    |  ...7...........U
07 45 5a 56 50 4e 08 06 ff ff ff ff 19 19 43 41    |  .EZVPN........CA
43 53 3a 30 2f 31 38 63 37 37 2f 38 38 30 31 37    |  CS:0/18c77/88017
62 30 63 2f 30                                     |  b0c/0
```

The attributes contain the split-tunnel policy definition and the Tunnel-Group-Lock attribute with the value of EZVPN.

```
Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 1 (0x01)
Radius: Length = 101 (0x0065)
Radius: Vector: B7D9602D8FA5A4CD1CBB761ED34400BA
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 25 (0x19)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 27 (0x1B) Split-Tunnel-Inclusion-List
Radius: Length = 19 (0x13)
Radius: Value (String) =
53 50 4c 49 54 5f 54 55 4e 4e 45 4c 5f 55 53 45    |  SPLIT_TUNNEL_USE
52                                                 |  R
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 55 (0x37) Split-Tunneling-Policy
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 1 (0x0001)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 13 (0x0D)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 85 (0x55) The tunnel group that tunnel must be associated with
Radius: Length = 7 (0x07)
Radius: Value (String) =
45 5a 56 50 4e                                     |  EZVPN
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 255.255.255.255 (0xFFFFFFFF)
Radius: Type = 25 (0x19) Class
Radius: Length = 25 (0x19)
Radius: Value (String) =
43 41 43 53 3a 30 2f 31 38 63 37 37 2f 38 38 30    |  CACS:0/18c77/880
31 37 62 30 63 2f 30                               |  17b0c/0
rad_procpkt: ACCEPT
```
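As an added example (not part of the original post and not Cisco code), the following Python decoder parses the two Access-Accept packets shown above, the 71-byte user response and the 101-byte group-policy response, straight from their raw bytes: it walks the type/length/value attributes, unpacks the Cisco/Altiga vendor-specific attributes (vendor id 3076) under the names the firewall prints for them, and extracts the group-policy name from a Class value of the form OU=Name;. The Response Authenticator is not verified because the shared secret is not on the page.

```python
import struct
from ipaddress import IPv4Address

CISCO_VENDOR_ID = 3076  # Altiga/Cisco VPN 3000 vendor id, 0x0C04 in the dumps above

# Attribute names as the firewall labels them (only the ones that occur in this post)
IETF_NAMES = {8: "Framed-IP-Address", 25: "Class", 26: "Vendor-Specific"}
CISCO_NAMES = {27: "Split-Tunnel-Inclusion-List", 55: "Split-Tunneling-Policy",
               85: "Tunnel-Group-Lock"}   # 85 is what the post calls Tunnel-Group-Lock
INTEGER_VSAS = {55}                       # decoded as integers; the rest as strings

# Both constants are copied from the "Raw packet data" dumps above
USER_RESPONSE_HEX = (
    "02 00 00 47 2e 49 12 20 d5 49 31 ca 26 b5 a8 68 8a f6 c7 2e 08 06 14 00 00 64 "
    "19 10 4f 55 3d 45 5a 56 50 4e 5f 55 53 45 52 3b 19 1d 43 41 43 53 3a 30 2f 31 "
    "38 63 37 36 2f 38 38 30 31 37 62 30 63 2f 36 31 34 34 30"
)
POLICY_RESPONSE_HEX = (
    "02 01 00 65 b7 d9 60 2d 8f a5 a4 cd 1c bb 76 1e d3 44 00 ba 1a 19 00 00 0c 04 "
    "1b 13 53 50 4c 49 54 5f 54 55 4e 4e 45 4c 5f 55 53 45 52 1a 0c 00 00 0c 04 37 "
    "06 00 00 00 01 1a 0d 00 00 0c 04 55 07 45 5a 56 50 4e 08 06 ff ff ff ff 19 19 "
    "43 41 43 53 3a 30 2f 31 38 63 37 37 2f 38 38 30 31 37 62 30 63 2f 30"
)


def decode_vsa(value: bytes) -> list:
    """Decode an RFC 2865 Vendor-Specific payload: 4-byte vendor id, then vendor TLVs."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific attribute shorter than the vendor id")
    vendor = struct.unpack("!I", value[:4])[0]
    out, pos = [], 4
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated vendor attribute header")
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError(f"malformed vendor attribute at offset {pos}")
        vval = value[pos + 2:pos + vlen]
        if vendor == CISCO_VENDOR_ID:
            name = CISCO_NAMES.get(vtype, f"Cisco-VSA-{vtype}")
            decoded = (struct.unpack("!I", vval)[0] if vtype in INTEGER_VSAS
                       else vval.decode("ascii", "replace"))
        else:
            name, decoded = f"Vendor-{vendor}-{vtype}", vval.hex()
        out.append((name, decoded))
        pos += vlen
    return out


def decode_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and a list of (name, value) attribute pairs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} does not match {len(packet)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        value = packet[pos + 2:pos + alen]
        if atype == 26:
            attrs.extend(decode_vsa(value))
        elif atype == 8:
            attrs.append((IETF_NAMES[8], str(IPv4Address(value))))
        else:
            attrs.append((IETF_NAMES.get(atype, f"Attr-{atype}"), value.decode("ascii", "replace")))
        pos += alen
    # Bytes 4..19 are the Response Authenticator; checking it needs the shared secret.
    return {"code": code, "id": ident, "authenticator": packet[4:20].hex(), "attrs": attrs}


def policy_from_class(attrs: list):
    """Return the group-policy named by a Class value of the exact form OU=Name; else None.
    Only upper-case OU with a terminating semicolon counts, as the post describes."""
    for name, value in attrs:
        if name == "Class" and value.startswith("OU=") and value.endswith(";"):
            return value[3:-1]
    return None


if __name__ == "__main__":
    for label, blob in (("user", USER_RESPONSE_HEX), ("policy", POLICY_RESPONSE_HEX)):
        pkt = decode_radius(bytes.fromhex(blob))
        print(label, pkt["code"], pkt["id"], pkt["attrs"], "->", policy_from_class(pkt["attrs"]))
```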

Now the firewall requests the AAA attributes associated with the tunnel-group's group-policy. This group-policy is defined as external in the firewall, and thus the appliance sends the respective name to the AAA server.

```
RADIUS packet decode (authentication request)

Raw packet data (length = 161).....
01 02 00 a1 bf 8c d5 ea db 78 51 b6 b7 24 8d 42    |  .........xQ..$.B
53 90 89 8e 01 0d 45 5a 56 50 4e 5f 47 52 4f 55    |  S.....EZVPN_GROU
50 02 12 59 a6 eb 66 f7 79 8b 26 16 cb 0e cd ab    |  P..Y..f.y.&.....
23 9b b7 05 06 00 00 00 00 06 06 00 00 00 02 07    |  #...............
06 00 00 00 01 1e 0e 31 33 36 2e 31 2e 31 32 33    |  .......136.1.123
2e 31 32 1f 0f 31 33 36 2e 31 2e 31 30 30 2e 32    |  .12..136.1.100.2
30 30 3d 06 00 00 00 05 42 0f 31 33 36 2e 31 2e    |  00=.....B.136.1.
31 30 30 2e 32 30 30 04 06 88 01 7b 0c 1a 24 00    |  100.200....{..$.
00 00 09 01 1e 69 70 3a 73 6f 75 72 63 65 2d 69    |  .....ip:source-i
70 3d 31 33 36 2e 31 2e 31 30 30 2e 32 30 30 da    |  p=136.1.100.200.
a1                                                 |  .
```

The server responds with the tunnel-group policy attributes. The attributes are decoded in the output below. You can see the split-tunnel access-list, which is overridden by the user group-policy settings though.

```
RADIUS packet decode (response)

Raw packet data (length = 131).....
02 02 00 83 b8 c5 22 ec c6 29 37 c0 6d c1 cd ae    |  ......"..)7.m...
23 4f 36 bc 1a 0c 00 00 0c 04 0b 06 00 00 00 04    |  #O6.............
1a 0c 00 00 0c 04 0d 06 00 00 00 01 1a 14 00 00    |  ................
0c 04 1b 0e 53 50 4c 49 54 5f 54 55 4e 4e 45 4c    |  ....SPLIT_TUNNEL
1a 0c 00 00 0c 04 05 06 0a 00 00 64 1a 0c 00 00    |  ...........d....
0c 04 37 06 00 00 00 01 1a 0c 00 00 0c 04 3d 06    |  ..7...........=.
14 00 00 0c 08 06 ff ff ff ff 19 19 43 41 43 53    |  ............CACS
3a 30 2f 31 38 63 37 38 2f 38 38 30 31 37 62 30    |  :0/18c78/88017b0
63 2f 30                                           |  c/0

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 2 (0x02)
Radius: Length = 131 (0x0083)
Radius: Vector: B8C522ECC62937C06DC1CDAE234F36BC
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 11 (0x0B) Tunnelling-Protocol
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 4 (0x0004)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 13 (0x0D) IPSec-Authentication
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 1 (0x0001)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 20 (0x14)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 27 (0x1B) Split-Tunnel-Inclusion-List
Radius: Length = 14 (0x0E)
Radius: Value (String) =
53 50 4c 49 54 5f 54 55 4e 4e 45 4c                |  SPLIT_TUNNEL
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 5 (0x05) Primary-DNS
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.0.0.100 (0x0A000064)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 55 (0x37) Split-Tunneling-Policy
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 1 (0x0001)
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 61 (0x3D) Group-giaddr
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 20.0.0.12 (0x1400000C)
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 255.255.255.255 (0xFFFFFFFF)
Radius: Type = 25 (0x19) Class
Radius: Length = 25 (0x19)
Radius: Value (String) =
43 41 43 53 3a 30 2f 31 38 63 37 38 2f 38 38 30    |  CACS:0/18c78/880
31 37 62 30 63 2f 30                               |  17b0c/0
rad_procpkt: ACCEPT
```
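To tie the two procedures together, here is an added example (not Cisco's code and not from the original post) that simulates the merge rules of the IOS Step 3 and the ASA Step 3 above together with both Group Lock checks, ipsec:user-vpn-group on IOS and Tunnel-Group-Lock on the ASA, plus a check that an IOS group profile carries the attributes Step 1 requires. The profile and policy contents are constructed after the debug output above, the dicts stand in for what the RADIUS server returns, and enforcing Tunnel-Group-Lock on the merged effective policy is an assumption of this simulation.

```python
# Attributes the IOS Step 1 group profile must carry (IETF attributes and Cisco AV-pairs)
REQUIRED_IOS_IETF = {"Service-Type": "Outbound", "Tunnel-Type": "ESP"}
REQUIRED_IOS_AVPAIRS = {"tunnel-type": "ESP", "key-exchange": "IKE"}


def parse_avpairs(avpairs):
    """Split Cisco AV-pairs written as ipsec:name=value (the IOS ezVPN syntax) into a dict."""
    out = {}
    for pair in avpairs:
        prefix, _, rest = pair.partition(":")
        key, eq, value = rest.partition("=")
        if prefix != "ipsec" or not eq:
            raise ValueError(f"not an ipsec: av-pair: {pair!r}")
        out[key] = value
    return out


def ios_group_profile_problems(ietf_attrs, avpairs, psk_auth=True):
    """List what an IOS group profile is missing for Step 1; an empty list means it is complete."""
    problems = []
    for name, want in REQUIRED_IOS_IETF.items():
        if ietf_attrs.get(name) != want:
            problems.append(f"{name} must be {want}")
    if psk_auth and not ietf_attrs.get("Tunnel-Password"):
        problems.append("Tunnel-Password (group pre-shared key) missing")
    pairs = parse_avpairs(avpairs)
    for key, want in REQUIRED_IOS_AVPAIRS.items():
        if pairs.get(key) != want:
            problems.append(f"ipsec:{key}={want} missing")
    return problems


def ios_authorize(ike_group, group_avpairs, user_avpairs):
    """IOS Steps 2-3: Group Lock via ipsec:user-vpn-group, then user attributes override group ones."""
    group_attrs = parse_avpairs(group_avpairs)
    user_attrs = parse_avpairs(user_avpairs)
    lock = user_attrs.get("user-vpn-group")
    if lock is not None and lock != ike_group:
        raise PermissionError(f"Group Lock: user bound to {lock!r}, IKE group is {ike_group!r}")
    return {**group_attrs, **user_attrs}   # group fills the gaps, user wins on conflict


def asa_policy_from_class(class_values):
    """ASA Step 2.2: a Class value of the exact form OU=Policy_Name; names the user group-policy."""
    for value in class_values:
        if value.startswith("OU=") and value.endswith(";"):
            return value[3:-1]
    return None


def asa_authorize(tunnel_group, user_attrs, tunnel_group_policy, policies, default="DfltGrpPolicy"):
    """ASA Step 3 precedence: user attrs > user group-policy (via Class) > tunnel-group policy > DfltGrpPolicy.
    `policies` stands in for both local group-policies and the ones downloaded from RADIUS."""
    layers = [policies[default], policies[tunnel_group_policy]]
    user_policy = asa_policy_from_class(user_attrs.get("Class", []))
    if user_policy is not None:
        layers.append(policies[user_policy])
    layers.append({k: v for k, v in user_attrs.items() if k != "Class"})
    effective = {}
    for layer in layers:              # later layers win, earlier ones only fill gaps
        effective.update(layer)
    lock = effective.get("Tunnel-Group-Lock")   # assumption: enforced on the effective policy
    if lock is not None and lock != tunnel_group:
        raise PermissionError(f"Tunnel-Group-Lock: allowed {lock!r}, landed on {tunnel_group!r}")
    return effective


def rejected(func, *args):
    """True when the simulated platform refuses the connection (used by the checks)."""
    try:
        func(*args)
    except PermissionError:
        return True
    return False


# Constructed data modelled on the debug output above (not real server responses)
IOS_GROUP_IETF = {"Service-Type": "Outbound", "Tunnel-Type": "ESP", "Tunnel-Password": "psk-placeholder"}
IOS_GROUP_AVPAIRS = ["ipsec:tunnel-type=ESP", "ipsec:key-exchange=IKE",
                     "ipsec:addr-pool=EZVPN", "ipsec:inacl=SPLIT_TUNNEL"]
IOS_USER_AVPAIRS = ["ipsec:user-vpn-group=EZVPN"]
ASA_USER_ATTRS = {"Framed-IP-Address": "20.0.0.100", "Class": ["OU=EZVPN_USER;"]}
ASA_POLICIES = {
    "DfltGrpPolicy": {"Split-Tunneling-Policy": 0},
    "EZVPN_GROUP": {"Split-Tunneling-Policy": 1, "Split-Tunnel-Inclusion-List": "SPLIT_TUNNEL",
                    "Primary-DNS": "10.0.0.100"},
    "EZVPN_USER": {"Split-Tunneling-Policy": 1, "Split-Tunnel-Inclusion-List": "SPLIT_TUNNEL_USER",
                   "Tunnel-Group-Lock": "EZVPN"},
}

if __name__ == "__main__":
    print("IOS profile problems:", ios_group_profile_problems(IOS_GROUP_IETF, IOS_GROUP_AVPAIRS))
    print("IOS effective:", ios_authorize("EZVPN", IOS_GROUP_AVPAIRS, IOS_USER_AVPAIRS))
    print("ASA effective:", asa_authorize("EZVPN", ASA_USER_ATTRS, "EZVPN_GROUP", ASA_POLICIES))
```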

Tags: aaa, asa, authorization, ezvpn, ios, radius

About Petr Lapukhov, 4xCCIE/CCDE:
Petr Lapukhov's career in IT began in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.

8 Responses to Understanding External Easy VPN Authorization

May 18, 2009 at 1:01 pm
SickMonkey
Petr, do you have any updates on the v3 release schedule?

May 18, 2009 at 1:03 pm
Petr Lapukhov, CCIE #16379
Yeah, I've just uploaded more VPN labs (about 15) and am planning to post another VOL2 lab soon. I think of changing the updates strategy a little bit, focusing on the hottest topics first, and then catching up on the remaining ones. Also the OEQ simulator product is coming this week as well.

May 18, 2009 at 1:11 pm
SickMonkey
Thanks for the update, I appreciate that. As a v2 multiple failed attempt candidate, I would love to see the "focusing on the hottest topics first" portions. My particular hot topics would include the new technologies like GETVPN and Zone Based Fw.

May 18, 2009 at 2:00 pm
Premdeep Banga
Petr, good resource to understand group authorization. Regards, Prem

May 18, 2009 at 2:25 pm
Yanchong
Petr: Do you plan to release the Security volume I/volume II a little later? Could you give an approximate time then, will that be later than the middle of July?

July 11, 2009 at 2:39 pm
peter
Good read. Well done Petr, detailed as usual.

December 22, 2009 at 11:30 pm
Tacack
Great job Petr!

May 29, 2010 at 9:38 am
A Quiet Saturday | TacAck | My security journey!
[...] http://blog.ine.com/2009/05/18/understanding-external-easy-vpn-authorization/ -> How do the ASA and IOS perform easy-vpn external group authentication. [...]


2010 Internetwork Expert, Inc., All Rights Reserved
