Cisco ASA VPN Configuration in 9.0

Hi, I'm trying to configure our ASA for VPN authentication, but the docs are a little bit vague, considering this is a new concept.

Steps I did:

* Added the ASA in the switch group, configured PSK, etc.
* Configured access list in "Role by Access List"
* Added a connection profile with the following filter: switch=<asa ip address>
* I used an existing authentication source with LDAP role assignment
* Configured the PacketFence RADIUS server in the ASA and the VPN as in the example provided

Now what?

I can connect via VPN and surf the Internet.
In the audit log I see my authentication:

Request Time
0
RADIUS Request
User-Name = "c.mammoli"
User-Password = "******"
NAS-IP-Address = 10.11.10.254
NAS-Port = 186806272
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Event-Timestamp = "May 17 2019 18:27:47 CEST"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "ip:source-ip=5.90.220.187"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
ASA-ClientType = AnyConnect-Client-SSL-VPN
Stripped-User-Name = "c.mammoli"
Realm = "null"
FreeRADIUS-Client-IP-Address = 10.11.10.254
SQL-User-Name = "c.mammoli"

RADIUS Reply

But the reply is empty.

In the logs:
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Unable to extract MAC from Called-Station-Id: 89.97.236.20 (pf::radius::extractApMacFromRadiusRequest)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection (pf::LDAP::expire_if)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] [apra-machine-auth-dc01] No entries found (0) with filter (servicePrincipalName=c.mammoli) from dc=apra,dc=it on 192.168.0.76:389 (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] LDAP testing connection (pf::LDAP::expire_if)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] [apra-user-auth-dc01] Authentication successful for c.mammoli (pf::Authentication::Source::LDAPSource::authenticate)
httpd.aaa(6766) INFO: [mac:c4:86:e9:96:61:e1] Authentication successful for c.mammoli in source apra-user-auth-dc01 (AD) (pf::authentication::authenticate)
httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value $roleName in hash element at /usr/local/pf/lib/pf/Switch.pm line 783.

httpd.aaa(6766) WARN: [mac:c4:86:e9:96:61:e1] Use of uninitialized value $roleName in concatenation (.) or string at /usr/local/pf/lib/pf/Switch.pm line 786. (pf::Switch::getRoleByName)

It looks like the connection profile isn't even matched, and all authentication sources are tried even if I only specified one.

BTW, what is the redirect ACL in the docs used for? It is not applied anywhere, and I can't see it in the ASA.pm code.

The docs say: "You can force VPN users to authenticate first on the captive portal and based on the role of the device allow it and/or set dynamic ACL." Is the portal authentication a requirement? I would like to authenticate users and assign a dynamic ACL without external portal authentication.

Thanks

C.
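As an added triage aid (not part of the post, and not PacketFence's own code), the script below parses the kind of RADIUS request dump and httpd.aaa log lines quoted above and flags the three symptoms the post describes: a connection-profile filter that does not match, a Called-Station-Id that carries no MAC, and an unresolved role name. The sample input is constructed from the post, and the assumption that a `switch=<ip>` filter is compared against NAS-IP-Address is mine, not something the post confirms.

```python
import re

# Constructed sample input, taken from the request dump and log lines in the post.
AUDIT_REQUEST = """\
User-Name = "c.mammoli"
NAS-IP-Address = 10.11.10.254
Called-Station-Id = "X.X.X.X"
Calling-Station-Id = "5.90.220.187"
NAS-Port-Type = Virtual
Tunnel-Client-Endpoint:0 = "5.90.220.187"
Cisco-AVPair = "audit-session-id=0a0b0afe0b2270005cdee105"
Cisco-AVPair = "coa-push=true"
ASA-TunnelGroupName = "VPN"
FreeRADIUS-Client-IP-Address = 10.11.10.254
"""
LOG_LINES = [
    "httpd.aaa(6766) INFO: Unable to extract MAC from Called-Station-Id: 89.97.236.20",
    "httpd.aaa(6766) WARN: Use of uninitialized value $roleName in hash element",
]

MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)
# Attribute name, optional ':<tag>' suffix (Tunnel-Client-Endpoint:0), optional quotes.
ATTR_RE = re.compile(r'^\s*([\w-]+)(?::\d+)?\s*=\s*"?([^"]*)"?\s*$')


def parse_request(text):
    """Parse 'Attr = value' lines into a dict of lists; Cisco-AVPair repeats."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs.setdefault(m.group(1), []).append(m.group(2))
    return attrs


def profile_matches(attrs, filters):
    """Evaluate 'key=value' filters. Only 'switch' is handled, and it is ASSUMED
    to compare against NAS-IP-Address; any other filter key is treated as a match."""
    for f in filters:
        key, _, value = f.partition("=")
        if key == "switch" and value not in attrs.get("NAS-IP-Address", []):
            return False
    return True


def triage(attrs, filters, log_lines):
    """Return the list of symptom tags found in the request and the logs."""
    findings = []
    if not profile_matches(attrs, filters):
        findings.append("profile-filter-mismatch")
    if not MAC_RE.match(attrs.get("Called-Station-Id", [""])[0]):
        findings.append("called-station-id-not-mac")   # ASA sends an IP, not an AP MAC
    if any("uninitialized value $roleName" in line for line in log_lines):
        findings.append("role-unresolved")             # getRoleByName got no role name
    return findings
```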

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users