Cisco ASA VPN Configuration in 9.0
Hi, I'm trying to configure our ASA for VPN authentication but the docs
are a little bit vague considering this is a new concept
Steps I did:
* Added the asa in the switch group, configured PSK etc
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=<asa ip
address>
* I used an existing authentication source with LDAP role assignment
* Configured the PacketFence RADIUS server in the ASA and the VPN as in
the example provided
Now what?
I can connect via vpn and surf the Internet
In the audit log I see my authentication:
Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "******"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"
RADIUS Reply
But the reply is empty
In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC from
Called-Station-Id: 89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection
(pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] [apra-machine-auth-dc01]
No entries found (0) with filter (servicePrincipalName=c.mammoli) from
dc=apra,dc=it on 192.168.0.76:389
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection
(pf::LDAP::expire_if)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] [apra-user-auth-dc01]
Authentication successful for c.mammoli
(pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication successful
for c.mammoli in source apra-user-auth-dc01 (AD)
(pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value
$roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783.
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value
$roleName in concatenation (.) or string at
/usr/local/pf/lib/pf/Switch.pm line 786.
(pf::Switch::getRoleByName)
It looks like the connection profile isn't even matched, and all
authentication sources are tried even if I only specified one
BTW, what is the redirect ACL in the docs used for? It is not applied
anywhere and I can't see it in the ASA.pm code.
The docs say: "You can force VPN users to authenticate first on the
captive portal and based on the role of the device allow it and/or set
dynamic ACL."
Is the portal authentication a requirement? I would like to authenticate
users and assign a dynamic ACL without external portal authentication
Thanks
C.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
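The poster's diagnosis ("the connection profile isn't even matched") and the "Unable to extract MAC from Called-Station-Id" log line can both be checked offline from the audit-log attribute dump. The script below is an added example, not PacketFence's own code and not the logic in ASA.pm: it parses the `Name = value` block the audit log prints (the sample is the request from the post, embedded as constructed input), evaluates a `switch=<ip>` filter against the request, and reports whether Called-Station-Id carries a MAC at all. The mapping of `switch` to NAS-IP-Address (with FreeRADIUS-Client-IP-Address as fallback) and the `diagnose` helper are assumptions made for illustration, not PacketFence's real matching rules.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample input: the RADIUS Request attributes as printed in the
# PacketFence audit log (values taken from the post above).
SAMPLE_REQUEST = """\
User-Name = "c.mammoli"
User-Password = "******"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
"""

# Colon- or dash-separated 48-bit MAC, e.g. c4:86:e9:96:61:e1
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_radius_attributes(text: str) -> Dict[str, List[str]]:
    """Parse 'Name = value' lines into a dict of lists.

    RADIUS attributes such as Cisco-AVPair repeat, so every attribute maps to a
    list of values. Surrounding double quotes are stripped from string values.
    """
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or " = " not in line:
            continue
        name, value = line.split(" = ", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def looks_like_mac(value: str) -> bool:
    """True when the value is a MAC address (what the MAC extractor expects)."""
    return bool(MAC_RE.match(value.strip()))


def _same_ip(a: str, b: str) -> bool:
    """Compare two IP strings after normalisation; non-IPs never match."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return False


def matches_switch_filter(attrs: Dict[str, List[str]], filter_str: str) -> bool:
    """Evaluate a single 'key=value' filter such as 'switch=10.11.10.254'.

    Assumption (hypothetical, not PacketFence's real rule): 'switch' is compared
    against NAS-IP-Address, falling back to FreeRADIUS-Client-IP-Address; any
    other key is compared literally against the attribute of the same name.
    """
    key, _, expected = filter_str.partition("=")
    key, expected = key.strip(), expected.strip()
    if not expected:
        return False
    if key == "switch":
        candidates = attrs.get("NAS-IP-Address", []) + attrs.get("FreeRADIUS-Client-IP-Address", [])
        return any(_same_ip(c, expected) for c in candidates)
    return expected in attrs.get(key, [])


def diagnose(attrs: Dict[str, List[str]], filter_str: str) -> List[str]:
    """Return human-readable findings for a VPN request (illustrative helper)."""
    findings = []
    findings.append(
        "profile filter %s: %s" % (filter_str, "MATCH" if matches_switch_filter(attrs, filter_str) else "NO MATCH")
    )
    called = attrs.get("Called-Station-Id", [""])[0]
    if not looks_like_mac(called):
        # For an ASA VPN session the NAS sends its own address here, so the
        # 'Unable to extract MAC from Called-Station-Id' INFO line is expected.
        findings.append("Called-Station-Id %r carries no MAC; VPN sessions identify the NAS by IP" % called)
    if "Virtual" in attrs.get("NAS-Port-Type", []):
        findings.append("NAS-Port-Type Virtual: this is a VPN, not a switch port; client type %s" % attrs.get("ASA-ClientType", ["?"])[0])
    return findings


if __name__ == "__main__":
    parsed = parse_radius_attributes(SAMPLE_REQUEST)
    for line in diagnose(parsed, "switch=10.11.10.254"):
        print(line)
```

Run it against the attribute block copied from your own audit log; if the `switch=` line reports NO MATCH while the NAS-IP-Address is what you expect, the mismatch is in the filter value, not in the authentication sources.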