PatrickB-0656 asked

Network Policy Server (NPS) with Custom Cisco-AV-Pair as an Integer

We have Cisco ASA firewalls that we want to do automatic-enable when the user logs in with valid administrative credentials. We have this working with Cisco ISE, which we are decommissioning. The short version is that as part of the RADIUS response, the RADIUS server needs to return back the "Service-type = 6" as an INTEGER value.

In NPS, when I go to RADIUS Attributes > Vendor Specific > Click Add > Select Cisco as the Vendor and then Cisco-AV-Pair as the attribute, the Attribute format is String, which will not work.

If I select Custom, instead of Cisco, in the drop down then select Vendor-Specific, the attribute format is OctetString. I have seen in some debugs where the Octet value that is returned in a correctly formatted Service-Type=6 is (0x06). I am not sure if using this will work.

My first question is, is there a truly customizable VSA that I can configure where I can give it an attribute number and set the attribute format to Integer?

My second question is, has anyone tried using NPS with Cisco ASAs and got the auto-enable to work?


PatrickB-0656 answered

I did some more work on this and found I was selecting the wrong setting in NPS.

Go to <Network Policy Name> > Settings tab > choose Standard under RADIUS Attributes.

Click Add
Select Service-Type
Under Attribute Value: select Other
In that drop down select Administrative


As seen in that screenshot, Service-Type is an Enumerated Value, which is what Cisco ASAs need for the RADIUS response.

The debug on the ASA also confirms the correct value. For those having this same issue, this can be found by doing a "debug radius all" and searching for "Service Type". If your Service-Type response is not exactly like this, then auto-enable will not work.

Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6

Additionally, on the Cisco ASA, you will need the following command if it is not already configured.

aaa authorization exec authentication-server auto-enable
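To make the answer above concrete, here is an added example (not code from the original post or from Microsoft/Cisco) that encodes both attribute forms discussed in the thread, the standard Service-Type attribute (type 6, 4-byte integer, value 6 = Administrative per RFC 2865) and a Cisco-AV-Pair vendor-specific string, and then decodes an Access-Accept attribute list the way the ASA "debug radius all" output presents it. The attribute and vendor numbers are the public RADIUS/Cisco values; the sample attribute lists are constructed inline.

```python
import struct

# Public RADIUS numbers (RFC 2865) and the Cisco vendor/vendor-type used by NPS.
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6      # the enumerated value the ASA wants
VENDOR_CISCO = 9
CISCO_AV_PAIR = 1                    # vendor-type of the cisco-av-pair string


def encode_service_type(value: int) -> bytes:
    """Standard attribute: Type(1) Length(1) Value(4, big-endian integer)."""
    return struct.pack("!BBI", ATTR_SERVICE_TYPE, 6, value)


def encode_cisco_av_pair(text: str) -> bytes:
    """Vendor-Specific (26) carrying vendor 9, vendor-type 1 and a string payload.
    This is what NPS emits when Cisco > Cisco-AV-Pair (format String) is chosen."""
    payload = text.encode("ascii")
    inner = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(payload)) + payload
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), VENDOR_CISCO) + inner


def parse_attributes(data: bytes):
    """Return [(type, value_bytes), ...] for a RADIUS attribute list, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        t, length = data[pos], data[pos + 1]
        out.append((t, data[pos + 2:pos + length]))
        pos += length
    return out


def service_type_from_accept(data: bytes):
    """Enumerated Service-Type the ASA would see, or None when only a string
    av-pair (or nothing) was sent; a string av-pair is not attribute 6."""
    for t, v in parse_attributes(data):
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def debug_lines(data: bytes):
    """Render attributes in the style of the ASA 'debug radius all' lines above."""
    lines = []
    for t, v in parse_attributes(data):
        name = {6: "Service-Type", 26: "Vendor-Specific"}.get(t, "Unknown")
        lines.append("Radius: Type = %d (0x%02X) %s" % (t, t, name))
        lines.append("Radius: Length = %d (0x%02X)" % (len(v) + 2, len(v) + 2))
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            lines.append("Radius: Value (Hex) = 0x%X" % struct.unpack("!I", v)[0])
    return lines
```

Running `debug_lines(encode_service_type(SERVICE_TYPE_ADMINISTRATIVE))` reproduces the three debug lines quoted in the answer, while the string av-pair form never yields a Service-Type value.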

LimitlessTechnology-2700 answered

Hello @PatrickB-0656,

Thank you for your question.

For your questions, I recommend that you post on the Cisco forum, as this is a policy issue that exclusively involves Cisco services.

To find the Cisco forum, just type "Cisco Community" into Google; it will appear among the first links.

If the answer is helpful, please vote positively and accept as an answer.
