Configuring ASA5520 for User Authenticated Downloadable acl's

swharvey · ‎02-01-2007

I have an ASA5520 that I have created a Tunnel-Group and Group-policy to authenticate our remote Cisco VPN software clients via RADIUS. In addition, I have the ACS server setup to assign DHCP ip addresses to the users, as well as integrated AD authentication working for these users.

All this is working beautifully.

The last piece I can't seem to get working is pushing Downloadable ACL's to the users based on the user group the users are in on the ACS server. I have been able to configure a Downloadable ACL, and associated it to the user group on the ACS, but the acl is not applying on the ASA or to the user once the user connects and authenticates to the ASA.

What configurations need to be defined on the ASA to allow the Tunnel-Group and Group-Policy for the remote users to use the Downloadable acl from the ACS server

(e.g vpn-filter or other acl reference)?

Thanks,

-Scott

bthibode · ‎02-03-2007

Scott,

The aaa authorization match command ties the ACLs on your ACS server to when users are authenticated and authorized to your network. Here's a link that describes how to set this up on your ASA:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063734d.html#wp1064936

I hope this helps.

swharvey · ‎02-04-2007

Thanks for the response. After my posting I found this link on Cisco's site and have been reviewing it. We have one complication that I'm not sure is feasable, and I don't won't to attempt it on our production ASA:

We currently run an ACS 3.3 for our tacacs_ server, and this server handles all AAA admin functions for the ASA and other network devices. In addition, we are running a separate ACS 4.0 server for radius, which is authenticating remote vpn users to the ASA via Windows AD authentication.

My concern/question is: Can I configure the ASA to simulataneously use the ACS 3.3 for admin AAA tacacs services of the ASA, but use the ACS 4.0 AAA radius services for radius authentication and downloadable acl's for the remote users?

Thanks,

-Scott

bthibode · ‎02-04-2007

Sure, this is not a problem. All you have to do is create 2 different aaa server groups and then reference the respective groups in the function that you want to use them. For example: aaa server-group Admin and aaa server-goup Remote_Access.

Hope this helps!

swharvey · ‎02-05-2007

Thank you that helps very much. One last question please. How do I associate the aaa server-group x to the remote access users? Is that done within the Group-policy or Tunnel-group for that I have setup for the remote users?

bthibode · ‎02-05-2007

This is done in your tunnel group.

swharvey · ‎02-05-2007

This is a production firewall so I need to make sure my syntax is correct. Below is an example of our current tacacs admin aaa group, and the radius aaa definition that auth's remote users against AD. Beneath that are the proposed commands I'm defining to push the downloadable acl's from the radius server. Can you review and let me know if this is correct?

Current AAA tacacs for authen/author of Admin's of the ASA:

aaa authentication http console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authentication serial console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ host 1.1.1.1

Current AAA radius for remote user authen:

aaa-server COL-RADIUS protocol radius

aaa-server COL-RADIUS host 1.1.1.2

Current tunnel-group for remote users access:

tunnel-group TEST-attributes

authentication-server-group COL-RADIUS

default-group-policy TEST

Proposed command additions to allow downloadable ACL's from RADIUS server:

tunnel-group TEST-attributes (existing)

authorization-server-group COL-RADIUS (new)

Any other commands on the ASA needed to be able to push acl's from the RADIUS ACS server?

Thanks,

-Scott