Cisco ASA - RADIUS Configuration with Cloud Authentication Service - RSA Ready Implementation Guide

This article describes how to integrate Cisco ASA with RSA Cloud Authentication Service using RADIUS.  
    

Configure RSA Cloud Authentication Service

Perform these steps to register the ASA as a RADIUS client in RSA Cloud Authentication Service.
Procedure

  1. Sign in to the RSA Cloud Administration Console and browse to Authentication Clients > RADIUS.
  2. Click Add RADIUS Client and Profiles and enter:
    1. Name - A name for the client.
    2. IP Address - The IP address of the RADIUS client, that is, the ASA firewall. Use the address of the ASA interface that sources the RADIUS request: the identity router matches an incoming request to a client by the packet's source IP address, so if a NAT device sits between the ASA and the identity router, enter the translated address it sees.
    3. Shared Secret - The secret that will also be configured on the ASA; it must match on both sides.
  3. Click Save and Next Step, then click Publish Changes.

  

Notes

The IP address of the ASA's interface can be determined using:

  • The show ip or show interface command on the ASA CLI.
  • The web UI of Cisco Defense Orchestrator (CDO), the cloud management platform used for the ASA in this guide.

Enable the Message authenticator attribute option on the RADIUS client you configured. This is the mitigation for Blast-RADIUS (CVE-2024-3596), a protocol-level forgery of RADIUS responses that relies on the MD5-based Response Authenticator; requiring the HMAC-MD5 Message-Authenticator attribute (RFC 2869) on the exchange defeats it. Steps:

  1. Sign in to the Cloud Administration Console and navigate to Authentication Clients > RADIUS.
  2. Edit the RADIUS client and enable Message authenticator attribute.

If the option also requires the attribute on incoming Access-Requests, an ASA software build that does not include it will have its requests dropped and will see only timeouts, so test a VPN login immediately after enabling it.

The identity router configured for this test had two IP addresses (management and portal); the ASA is pointed at the management address, as described under Configure Cisco ASA below.
This guide was prepared with the ASA configured with an internal (inside) network and an external (outside) interface. The outside interface was configured as a VPN server, and the Cisco AnyConnect VPN client was used to connect to it and authenticate through the RSA identity solution.

  

Configure Cisco ASA

Perform these steps to configure Cisco ASA.
Procedure

  1. Sign in to Cisco Defense Orchestrator (CDO) and browse to Objects.
  2. Click Create Object in the upper-right corner.
  3. Select Identity Source to create the RADIUS Server Group.
  4. Enter the Object Name, select ASA as the Device Type, choose RADIUS Server Group, and click Continue to add a server to the group.
  5. Click + to create a RADIUS AAA server.
  6. Click Create New RADIUS Server.
  7. Provide the following details:
    1. Device Type: Select ASA.
    2. Server Name or IP Address: Enter the RADIUS server name or the management IP address of your RSA Identity Router.
    3. Timeout (seconds): Leave at the default of 10 seconds.
    4. Authentication Port: Set to 1812.
    5. Server Secret Key: Enter the RADIUS shared secret. It must match the secret entered in the RSA Cloud Administration Console. A request whose Message-Authenticator fails verification is silently discarded by the server (RFC 2869), so a mismatched secret surfaces on the ASA as a timeout rather than an explicit reject.
  8. Click Save.
  9. Select the newly created RADIUS server and click Select.
  10. In CDO, browse to VPN > ASA/FDM Remote Access VPN Configuration > AnyConnect Connection Profiles and edit your profile.
  11. For RADIUS, select AAA Only in the Authentication Type drop-down list and select your AAA server group in the Primary Identity Source for User Authentication drop-down list.
  12. Click Continue.
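The two procedures above set the parameters of a single RADIUS exchange on UDP/1812: the ASA (client) sends an Access-Request sourced from the interface registered in the Cloud Administration Console, protected with the shared secret entered on both sides, and the Identity Router (server) answers with an Access-Accept or Access-Reject. The following script is an added example, not RSA or Cisco code; it models both sides of that exchange per RFC 2865/2869 and shows what the Message authenticator attribute option described in the Notes changes: a request without a valid HMAC is dropped (the timeout the ASA sees on a secret mismatch), every reply carries a Message-Authenticator, and a reply that passes only the MD5 Response Authenticator (the forgery Blast-RADIUS produces) is refused. The shared secret, NAS IP address and user entry are constructed; treating the RSA option as "require the attribute on requests, include it on replies" is an assumption about that option.

```python
"""RADIUS exchange between the ASA (client) and the Identity Router (server), RFC 2865/2869.
Added example, not RSA or Cisco code. SHARED_SECRET, ASA_NAS_IP and USERS are constructed;
modelling the "Message authenticator attribute" option as "require the attribute on
Access-Requests, include it on replies" is an assumption about that option."""
import hashlib
import hmac
import os
import struct

SHARED_SECRET = b"example-shared-secret"   # assumption: value entered in both consoles
ASA_NAS_IP = "192.0.2.10"                   # assumption: ASA interface sourcing RADIUS
USERS = {"alice": "correct horse"}          # constructed stand-in for the RSA user store
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 2, 4, 80
HEADER = struct.Struct("!BBH16s")           # Code, Identifier, Length, Authenticator

def encode(code, ident, authenticator, attrs):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return HEADER.pack(code, ident, HEADER.size + len(body), authenticator) + body

def decode(packet):
    code, ident, length, authenticator = HEADER.unpack_from(packet)
    attrs, i = [], HEADER.size
    while i < length:                        # each attribute is Type, Length, Value
        attrs.append((packet[i], packet[i + 2:i + packet[i + 1]]))
        i += packet[i + 1]
    return code, ident, length, authenticator, attrs

def hide_password(data, secret, request_auth, decrypt=False):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block, mask = data[i:i + 16], hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block if decrypt else out[-16:]
    return out

def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 5.14: HMAC-MD5 over the packet with the attribute zeroed. Replies are keyed
    to the request's authenticator, which binds each reply to the request it answers."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, encode(code, ident, request_auth, zeroed), hashlib.md5).digest()

def sign(code, ident, request_auth, attrs, secret):
    """Append Message-Authenticator; replies also get the MD5 Response Authenticator."""
    attrs = attrs + [(MESSAGE_AUTHENTICATOR, b"\x00" * 16)]
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(code, ident, request_auth, attrs, secret))
    if code == ACCESS_REQUEST:
        return encode(code, ident, request_auth, attrs)
    response_auth = hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()
    return encode(code, ident, response_auth, attrs)

def asa_access_request(ident, username, password, secret=SHARED_SECRET):
    """What the ASA sends to UDP/1812 for an AnyConnect login."""
    request_auth = os.urandom(16)
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(padded, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in ASA_NAS_IP.split(".")))]
    return sign(ACCESS_REQUEST, ident, request_auth, attrs, secret)

def identity_router(request, secret=SHARED_SECRET):
    """Server side. None means the request is silently discarded (the ASA sees a timeout)."""
    code, ident, _, request_auth, attrs = decode(request)
    got = dict(attrs)
    if code != ACCESS_REQUEST or MESSAGE_AUTHENTICATOR not in got:
        return None                          # option on: request lacks the attribute
    expected = message_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(got[MESSAGE_AUTHENTICATOR], expected):
        return None                          # wrong shared secret or tampered request
    password = hide_password(got[USER_PASSWORD], secret, request_auth, decrypt=True)
    ok = USERS.get(got[USER_NAME].decode()) == password.rstrip(b"\x00").decode(errors="replace")
    return sign(ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, request_auth, [], secret)

def asa_verify_reply(request, reply, secret=SHARED_SECRET):
    """Client side: return the reply code only if both integrity checks pass, else None.
    Blast-RADIUS forges the MD5 Response Authenticator; the HMAC Message-Authenticator
    is the check the CVE-2024-3596 mitigation depends on, so a reply without it fails."""
    _, req_ident, _, request_auth, _ = decode(request)
    code, ident, length, response_auth, attrs = decode(reply)
    ma = dict(attrs).get(MESSAGE_AUTHENTICATOR)
    if ident != req_ident or length != len(reply) or ma is None:
        return None
    expected_ra = hashlib.md5(encode(code, ident, request_auth, attrs) + secret).digest()
    expected_ma = message_authenticator(code, ident, request_auth, attrs, secret)
    if not (hmac.compare_digest(response_auth, expected_ra) and hmac.compare_digest(ma, expected_ma)):
        return None
    return code

def forged_accept(request, secret=SHARED_SECRET):
    """Stand-in for a Blast-RADIUS forgery: an Access-Accept whose Response Authenticator
    passes (the attack gets there by MD5 collision; the secret is a shortcut here) but
    which carries no Message-Authenticator, because the attacker cannot compute one."""
    _, ident, _, request_auth, _ = decode(request)
    response_auth = hashlib.md5(encode(ACCESS_ACCEPT, ident, request_auth, []) + secret).digest()
    return encode(ACCESS_ACCEPT, ident, response_auth, [])

if __name__ == "__main__":
    req = asa_access_request(7, "alice", "correct horse")
    print("good login      ->", asa_verify_reply(req, identity_router(req)))   # 2 (Access-Accept)
    print("secret mismatch ->", identity_router(req, secret=b"other"))         # None (dropped)
    print("forged accept   ->", asa_verify_reply(req, forged_accept(req)))     # None (rejected)
```

The client-side check is the part worth carrying over to any RADIUS code you write: a reply is trusted only when its Message-Authenticator verifies under the shared secret and the Identifier matches an outstanding request, never on the Response Authenticator alone.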

Note:
This guide covers only the RADIUS component needed to authenticate the VPN user. For AnyConnect VPN configuration, refer to the Cisco documentation:
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html

 

The configuration is complete.

Return to Cisco Adaptive Security Appliance (ASA) - RSA Ready Implementation Guide.