Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
374
Views
0
Helpful
4
Replies

Per user VPN envryption domain with TACACS - Possible?

smunzani
Level 1
Level 1

‎07-06-2007 08:53 PM

Hi,

I have very fluid environment where consultants need to VPN is to specific IP of the network for a few days. Doing this with static configuration means, maintaining 70+ client profiles with different ACLs associated to each profile.

Is there any way to store per user ACL in the TACACS and push that out to the ASA upon extended authentication?

Thanks,

Sam

Labels:
0 Helpful
4 Replies 4

Jon Marshall
Hall of Fame
Hall of Fame

‎07-06-2007 09:07 PM

Hi Sam

Do you have a Cisco Secure ACS server in your environment. If so yes, you can use downloadable ACL's on the ACS server and you can tie these ACL's to individual users or groups of users.

Let me know if you have an ACS and what version and i'll hunt out the relevant docs. I've also got this setup in our lab at work so i can send you a config example when i'm back in next week.

HTH

Jon

0 Helpful

smunzani
Level 1
Level 1
In response to Jon Marshall

‎07-07-2007 06:07 PM

Hi Jon,

Yes. I do have ACS server 4.0 version purchased which I already use for the VPN client authentication piece. I am just trying to figure out the authorization piece with downloadable ACLs.

If you have config examples, I would really appreciate it. I am not in rush so whenever time permits, please post or email to sam@munzani.com.

Thanks,

Sam

0 Helpful

ovt
Level 4
Level 4
In response to smunzani

‎07-08-2007 10:14 AM

Yes, this should be possible. I used it on VPN3k + RADIUS. On ACS try "Shared Profile Components". Write an ACL like "permit ip ". Apply this Component to the user or user's group.

This mechanism is non-standard. The standard one is cisco av-pair ip:inacl#1=, but the ACL should be created on the tunnel-endpoint device int this case.

For successful authorization other VPN3k attributes are needed. See VPN3k docs on CCO for details. ASA attrs are the same (I believe).

HTH

0 Helpful

Jon Marshall
Hall of Fame
Hall of Fame
In response to smunzani

‎07-08-2007 11:33 PM

Hi Sam

Okay, if you have authentication for users working on your ASA already then the only change you need to do on the ASA is if you have an access-list applied on the outside interface you need to apply it as such

access-group acl_outside in interface outside per-user-override.

The per-user-override is very important. What this does is add the per user downloadable acl to the existing access-list applied to the outside interface of your ASA. If you didn't have it then even if the ASA downloads a per user acl from the ACS server it would not work unless you are already permitting that users traffic on your outside access-list, but then that kind of defeats the purpose :)

On your ACS server

Shared Profile Components ->

Downloadable IP ACL's

Add in your per user acl's ( note that you can use per-group acl's if you want to apply the same acl to multiple users ).

example of acl would be

permit tcp any host 10.5.1.10 eq 23

permit tcp any host 10.5.1.10 eq www

deny ip any any

Make sure you click on submit in both windows ( you'll see what i mean ).

Then under

User Setup ->

Edit the user details ->

Scroll down to Downloadable ACLs box, select the correct acl from the drop down box and check the box.

Save it all and that should be it.

Let me know how you get on.

Jon

0 Helpful
Customers Also Viewed These Support Documents