Per user VPN encryption domain with TACACS - Possible?

Hi,


I have a very fluid environment where consultants need to VPN in to a specific IP of the network for a few days. Doing this with static configuration means maintaining 70+ client profiles with different ACLs associated with each profile.


Is there any way to store a per-user ACL in the TACACS server and push it out to the ASA upon extended authentication?


Thanks,

Sam

Jon Marshall Fri, 07/06/2007 - 21:07

Hi Sam


Do you have a Cisco Secure ACS server in your environment? If so, yes, you can use downloadable ACLs on the ACS server, and you can tie these ACLs to individual users or groups of users.


Let me know if you have an ACS and what version and I'll hunt out the relevant docs. I've also got this set up in our lab at work, so I can send you a config example when I'm back in next week.


HTH


Jon

Yes, this should be possible. I used it on VPN3k + RADIUS. On ACS try "Shared Profile Components". Write an ACL like "permit ip ". Apply this Component to the user or user's group.


This mechanism is non-standard. The standard one is the cisco av-pair ip:inacl#1=, but the ACL should be created on the tunnel-endpoint device in this case.


For successful authorization other VPN3k attributes are needed. See VPN3k docs on CCO for details. ASA attrs are the same (I believe).


HTH


Jon Marshall Sun, 07/08/2007 - 23:33

Hi Sam


Okay, if you already have authentication for users working on your ASA, then the only change you need to make on the ASA is this: if you have an access-list applied on the outside interface, you need to apply it as follows:


access-group acl_outside in interface outside per-user-override.


The per-user-override is very important. What this does is add the per-user downloadable ACL to the existing access-list applied to the outside interface of your ASA. If you didn't have it, then even if the ASA downloads a per-user ACL from the ACS server, it would not work unless you are already permitting that user's traffic on your outside access-list, but then that kind of defeats the purpose :)


On your ACS server


Shared Profile Components ->

Downloadable IP ACLs


Add in your per-user ACLs (note that you can use per-group ACLs if you want to apply the same ACL to multiple users).


An example of an ACL would be:


permit tcp any host 10.5.1.10 eq 23

permit tcp any host 10.5.1.10 eq www

deny ip any any


Make sure you click on submit in both windows (you'll see what I mean).


Then under


User Setup ->


Edit the user details ->


Scroll down to the Downloadable ACLs box, select the correct ACL from the drop-down box and check the box.


Save it all and that should be it.


Let me know how you get on.


Jon
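The point Jon makes about per-user-override, and the two ACL formats mentioned earlier in the thread (ACS downloadable IP ACL lines and the cisco av-pair ip:inacl#N= form), can be checked in a small model. The script below is an added example and is not code from the thread, from Cisco, or from ACS; it models the behaviour as Jon describes it (with per-user-override the downloaded ACL decides for that user, without it the interface ACL must also permit the traffic), uses the per-user ACL from the post, and constructs an interface ACL, sample flows and a sample config line for illustration. The ASA command syntax, the ACL line grammar and the ip:inacl#N= av-pair format are taken from the thread; everything else is an assumption of this model.

```python
"""Added example: model of an ASA outside access-group with/without
per-user-override, plus parsers for the ACL line formats named in the thread.
Flows, the interface ACL and the config snippet are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names that may follow "eq" in an ACL line (the thread uses "www").
SERVICE_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "https": 443}


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    proto: str   # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None = any destination port


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{tok}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one downloadable-ACL line such as 'permit tcp any host 10.5.1.10 eq 23'."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src, i = _parse_addr(tokens, 2)
    dst, i = _parse_addr(tokens, i)
    dport = None
    if i < len(tokens) and tokens[i] == "eq":
        port = tokens[i + 1]
        dport = int(port) if port.isdigit() else SERVICE_NAMES[port]
    return Ace(action, proto, src, dst, dport)


def parse_av_pairs(av_pairs: List[str]) -> List[Ace]:
    """Turn 'ip:inacl#N=<ace>' av-pairs into an ACL ordered by N."""
    numbered = []
    for pair in av_pairs:
        m = re.fullmatch(r"ip:inacl#(\d+)=(.+)", pair.strip())
        if not m:
            raise ValueError(f"not an ip:inacl av-pair: {pair!r}")
        numbered.append((int(m.group(1)), parse_ace(m.group(2))))
    return [ace for _, ace in sorted(numbered, key=lambda x: x[0])]


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First-match evaluation with the implicit deny at the end."""
    for ace in acl:
        if ace.proto not in ("ip", flow.proto):
            continue
        if ipaddress.IPv4Address(flow.src) not in ace.src:
            continue
        if ipaddress.IPv4Address(flow.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action == "permit"
    return False


def outside_permits(flow: Flow, interface_acl: List[Ace],
                    user_acl: Optional[List[Ace]] = None,
                    per_user_override: bool = False) -> bool:
    """Model (assumption) of the behaviour the thread describes: with
    per-user-override the downloaded ACL decides for that user; without it the
    interface ACL must also permit, so a downloaded ACL alone changes nothing."""
    if user_acl is None:
        return acl_permits(interface_acl, flow)
    if per_user_override:
        return acl_permits(user_acl, flow)
    return acl_permits(interface_acl, flow) and acl_permits(user_acl, flow)


def has_per_user_override(config: str, interface: str = "outside") -> bool:
    """Audit check: does the config bind the interface ACL with per-user-override?"""
    pat = re.compile(r"^\s*access-group\s+\S+\s+in\s+interface\s+(\S+)(.*)$")
    for line in config.splitlines():
        m = pat.match(line)
        if m and m.group(1) == interface:
            return "per-user-override" in m.group(2).split()
    return False


# The per-user ACL from the thread; the interface ACL is constructed so that it
# does not already permit the consultant's traffic.
USER_ACL = [parse_ace(l) for l in ["permit tcp any host 10.5.1.10 eq 23",
                                    "permit tcp any host 10.5.1.10 eq www",
                                    "deny ip any any"]]
INTERFACE_ACL = [parse_ace("permit tcp any host 10.5.1.20 eq 443"),
                 parse_ace("deny ip any any")]
TELNET_FLOW = Flow("tcp", "203.0.113.5", "10.5.1.10", 23)  # constructed
SSH_FLOW = Flow("tcp", "203.0.113.5", "10.5.1.10", 22)     # constructed

if __name__ == "__main__":
    print("with override   :", outside_permits(TELNET_FLOW, INTERFACE_ACL, USER_ACL, True))
    print("without override:", outside_permits(TELNET_FLOW, INTERFACE_ACL, USER_ACL, False))
```

Running the script shows the consultant's telnet session being permitted only when per-user-override is set; the same downloaded ACL is useless without it, which is the failure mode Jon warns about. has_per_user_override is the kind of one-line audit a reviewer can run over an exported ASA config before rolling out per-user ACLs.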


