Howdy. This is a follow-up / addition to a previous post re: Cisco gear & RADIUS & Server 2008 NPS.
I have finally finished getting all of my Cisco routers, switches, firewalls and also Dell switches into our overall RADIUS / AAA infrastructure. I thought I'd take time to wrap up a couple loose ends on the Cisco side.
Managing Cisco ASAs Using RADIUS for AAA
Similar to my Cisco IOS-fu #7 post mentioned above, I wanted to drop a note re: how we we handle AAA for our Cisco ASA 5520 cluster and also our remote campus DualISP ASA 5505 gear (which we're looking to rollout at all campuses this year).
The Windows Server 2008 NPS config is identical to the Cisco IOS-fu #7 post. No changes need made. We just need to add a new client – for the ASAs to be added – and then the NPS setup is done.
On the Cisco ASA, here's what the config changes look like:
First of all, we need a local username so we can still access the gear if RADIUS goes down
#username lctvcisco password iPSVSC0nQNhXDlWu encrypted privilege 15
Next we will add the actual RADIUS group and set the radius host
#aaa-server <group name> protocol radius
#aaa-server <group name> (inside) host <ip address>
key 013B072C5A26070B2475411C350A18192218313A6A671F1A1B
Finally we make sure that RADIUS is used for our access
#(config)aaa authentication ssh console <group name> LOCAL
That's it. Really. Enjoy!