07-06-2007 08:53 PM
Hi,
I have a very fluid environment where consultants need to VPN in to a specific IP on the network for a few days. Doing this with static configuration means maintaining 70+ client profiles with different ACLs associated with each profile.
Is there any way to store a per-user ACL in TACACS and push that out to the ASA upon extended authentication?
Thanks,
Sam
07-06-2007 09:07 PM
Hi Sam
Do you have a Cisco Secure ACS server in your environment? If so, yes, you can use downloadable ACLs on the ACS server and tie these ACLs to individual users or groups of users.
Let me know if you have an ACS and what version, and I'll hunt out the relevant docs. I've also got this set up in our lab at work, so I can send you a config example when I'm back in next week.
HTH
Jon
07-07-2007 06:07 PM
Hi Jon,
Yes, I do have ACS server version 4.0 purchased, which I already use for the VPN client authentication piece. I am just trying to figure out the authorization piece with downloadable ACLs.
If you have config examples, I would really appreciate it. I am not in a rush, so whenever time permits, please post or email them to sam@munzani.com.
Thanks,
Sam
07-08-2007 10:14 AM
Yes, this should be possible. I used it on VPN3k + RADIUS. On ACS try "Shared Profile Components". Write an ACL like "permit ip
This mechanism is non-standard. The standard one is cisco av-pair ip:inacl#1=
For successful authorization other VPN3k attributes are needed. See VPN3k docs on CCO for details. ASA attrs are the same (I believe).
HTH
07-08-2007 11:33 PM
Hi Sam
Okay, if you already have authentication for users working on your ASA, then the only change you need to make on the ASA is, if you have an access-list applied on the outside interface, to apply it like this:
access-group acl_outside in interface outside per-user-override
The per-user-override is very important. What this does is add the per-user downloadable ACL to the existing access-list applied to the outside interface of your ASA. If you didn't have it, then even if the ASA downloads a per-user ACL from the ACS server, it would not work unless you are already permitting that user's traffic on your outside access-list, but that kind of defeats the purpose :)
On your ACS server
Shared Profile Components ->
Downloadable IP ACLs
Add in your per-user ACLs (note that you can use per-group ACLs if you want to apply the same ACL to multiple users).
An example of an ACL would be:
permit tcp any host 10.5.1.10 eq 23
permit tcp any host 10.5.1.10 eq www
deny ip any any
Make sure you click on Submit in both windows (you'll see what I mean).
Then under
User Setup ->
Edit the user details ->
Scroll down to the Downloadable ACLs box, select the correct ACL from the drop-down box and check the box.
Save it all and that should be it.
Let me know how you get on.
Jon
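The effect of the per-user-override keyword is the part of this that is easy to get wrong, so here is a small model of it, added to this thread as an illustration and not code from Jon, Sam or Cisco. It parses a subset of ASA ACL syntax (permit/deny, protocol, any / host A.B.C.D / address mask, optional eq port), applies first-match semantics with the implicit deny, and then combines an interface ACL with a downloaded per-user ACL two ways: with per-user-override, the user's ACL replaces the interface ACL for that user's traffic; without it, the traffic has to be permitted by both. That combining rule is my reading of the access-group command and is the assumption the example rests on; the interface ACL, the consultant's ACL (taken from the post above) and the packets are all constructed for the demo.

```python
"""Model of ASA interface ACL + downloadable per-user ACL combination.

Added example, not from the original thread or from Cisco. The combining
rule in interface_decision() is an assumption: with per-user-override the
downloaded ACL overrides the interface ACL for that user's traffic; without
it the traffic must be permitted by both ACLs.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Only the port keywords this demo needs are resolved (assumption: subset).
PORT_NAMES = {"www": 80, "telnet": 23, "ssh": 22, "https": 443}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port


def _addr_term(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one ASA address term (any | host A | A mask) from tokens."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if t == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    # "address netmask" form, e.g. 10.5.1.0 255.255.255.0 (ASA uses netmasks)
    return ipaddress.IPv4Network(f"{t}/{tokens.pop(0)}")


def parse_ace(line: str) -> Ace:
    """Parse one ACL entry such as 'permit tcp any host 10.5.1.10 eq www'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")
    src = _addr_term(rest)
    dst = _addr_term(rest)
    dport = None
    if rest[:1] == ["eq"]:
        p = rest[1]
        dport = int(p) if p.isdigit() else PORT_NAMES.get(p)
        if dport is None:
            raise ValueError(f"unknown port name in ACE: {line!r}")
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def acl_permits(acl: List[Ace], pkt: Packet) -> bool:
    """First matching entry decides; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action == "permit"
    return False


def interface_decision(interface_acl: List[Ace], user_acl: Optional[List[Ace]],
                       pkt: Packet, per_user_override: bool) -> bool:
    """Combine interface and per-user ACLs (assumed access-group semantics)."""
    if user_acl is None:                 # no downloaded ACL for this user
        return acl_permits(interface_acl, pkt)
    if per_user_override:                # user ACL replaces the interface ACL
        return acl_permits(user_acl, pkt)
    return acl_permits(interface_acl, pkt) and acl_permits(user_acl, pkt)


# Constructed sample data: the interface ACL only allows HTTPS to one server,
# the consultant's downloadable ACL is the one from the post above.
ACL_OUTSIDE = parse_acl("permit tcp any host 10.5.1.20 eq https")
ACL_CONSULTANT = parse_acl("""
permit tcp any host 10.5.1.10 eq 23
permit tcp any host 10.5.1.10 eq www
deny ip any any
""")
TELNET_TO_HOST = Packet("tcp", "172.16.0.5", "10.5.1.10", 23)


def consultant_telnet(per_user_override: bool) -> bool:
    return interface_decision(ACL_OUTSIDE, ACL_CONSULTANT, TELNET_TO_HOST,
                              per_user_override)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"per-user-override={flag}: telnet permitted ="
              f" {consultant_telnet(flag)}")
```

Run it and the consultant's telnet session is permitted only with per-user-override set; without it the outside ACL, which never mentions 10.5.1.10, denies the packet before the downloaded ACL gets a say. The model also shows the converse: with the override in place, a user who downloads an ACL is confined to that ACL, so the trailing deny ip any any in each downloadable ACL matters.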