Network Policy Server (NPS) with Custom Cisco-AV-Pair as an Integer

PatrickB 96 Reputation points
2021-09-23T12:45:49.14+00:00

We have Cisco ASA firewalls that we want to do automatic-enable when the user logs in with valid administrative credentials. We have this working with Cisco ISE, which we are decommissioning. The short version is that as part of the RADIUS response, the RADIUS server needs to return back the "Service-type = 6" as an INTEGER value.

In NPS, when I go to RADIUS Attributes > Vendor Specific > Click Add > Select Cisco as the Vendor and then Cisco-AV-Pair as the attribute, the Attribute format is String, which will not work.

If I select Custom, instead of Cisco, in the drop down then select Vendor-Specific, the attribute format is OctetString. I have seen in some debugs where the Octet value that is returned in a correctly formatted Service-Type=6 is (0x06). I am not sure if using this will work.

My first question is, is there a truly customizable VSA that I can configure where I can give it an attribute number and set the attribute format to Integer?

My second question is, has anyone tried using NPS with Cisco ASAs and got the auto-enable to work?

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,188 questions
Windows Network
Windows Network
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Network: A group of devices that communicate either wirelessly or via a physical connection.
657 questions
0 comments
Accepted answer
  1. PatrickB 96 Reputation points
    2021-09-24T13:44:04.123+00:00

    I did some more work on this and found I was selecting the wrong setting in NPS.

    When going to <Network Policy Name> > Settings tab > chose Standard under RADIUS Attributes.

    Click Add
    Select Service-Type
    Under Attribute Value: select Other
    In that drop down select Administrative

    135075-image.png

    As seen in that screen shot, Service-Type is an Enumerated Value, which is what Cisco ASAs need for the RADIUS response.

    The debug on the ASA also confirms the correct value. For those having this same issue, this can be found by doing a "debug radius all" and searching for "Service Type". If your Service-Type response is not exactly like this, then auto-enable will not work.

    Radius: Type = 6 (0x06) Service-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x6

    Additionally, on the Cisco ASA, you will need the following command if it is not already configured.

    aaa authorization exec authentication-server auto-enable

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 39,386 Reputation points
    2021-09-24T09:13:16.627+00:00

    Hello anonymous user-0656,

    Thank you for your question.

    In your doubts I recommend that you post on the Cisco forum, as this is a policy issue that exclusively involves cisco services.

    To find the Cisco forum, just type in Google: Cisco Community which will appear among the first links.

    ----------------------------------------------------------------------------------------------------------

    If the answer is helpful, please vote positively and accept as an answer.

    0 comments