Cisco Systems ASA5515K9, ASA 5500 Configuring the Security Appliance to Support RADIUS/SDI Messages

67-35

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter67 Configuring Connection Profiles, Group Policies, and Users

Configuring Connection Profiles

During authentication, the RADIUS server presents access challenge messages to the ASA. Within these

challenge messages are reply messages containing text from the SDI server. The message text is different

when the ASA is communicating directly with an SDI server than when communicating through the

RADIUS proxy. Therefore, in order to appear as a native SDI server to the AnyConnect client, the ASA

must interpret the messages from the RADIUS server.

Also, because the SDI messages are configurable on the SDI server, the message text on the ASA must

match (in whole or in part) the message text on the SDI server. Otherwise, the prompts displayed to the

remote client user may not be appropriate for the action required during authentication. The AnyConnect

client may fail to respond and authentication may fail.

The following section describes how to configure the ASA to ensure successful authentication between

the client and the SDI server:

Configuring the Security Appliance to Support RADIUS/SDI Messages

The following section describes the steps to configure the ASA to interpret SDI-specific RADIUS reply

messages and prompt the AnyConnect user for the appropriate action:

Step1 Configure a connection profile (tunnel group) to forward RADIUS reply messages in a manner that

simulates direct communication with an SDI server using the proxy-auth sdi command from

tunnel-group webvpn configuration mode. Users authenticating to the SDI server must connect over this

connection profile.

For example:

hostname(config)# tunnel-group sales webvpn attributes

hostname(tunnel-group-webvpn)# proxy-auth sdi

Step2 Configure the RADIUS reply message text on the ASA to match (in whole or in part) the message text

sent by the RADIUS server with the proxy-auth_map sdi command from tunnel-group webvpn

configuration mode.

The default message text used by the ASA is the default message text used by

Cisco Secure Access Control Server(ACS). If you are using Cisco Secure ACS, and it is using the

default message text, you do not need to configure the message text on the ASA. Otherwise, use the

proxy-auth_map sdi command to ensure the message text matches.

Table67-3 shows the message code, the default RADIUS reply message text, and the function of each

message. Because the security appliance searches for strings in the order that they appear in the table,

you must ensure that the string you use for the message text is not a subset of another string.

For example, “new PIN” is a subset of the default message text for both new-pin-sup and

next-ccode-and-reauth. If you configure new-pin-sup as “new PIN”, when the security appliance

receives “new PIN with the next card code” from the RADIUS server, it will match the text to the

new-pin-sup code instead of the next-ccode-and-reauth code.

Table67-3 SDI Op-codes, Default Message Text, and Message Function

Message Code

Default RADIUS Reply

Message Text Function

next-code Enter Next PASSCODE Indicates the user must enter the NEXT tokencode

without the PIN.

new-pin-sup Please remember your

new PIN

Indicates the new system PIN has been supplied and

displays that PIN for the user.