ACS 3.3, downloadable ACLs

Unanswered Question
Jul 8th, 2009

I am trying to configure downloadable ACLs for the users and groups that will be accessing our network via RA VPN on an ASA5510.

Currently everything is working with the exception of the downloadable ACL component restricting the traffic.

The RA config has been in place for a while, using the Cisco client through the ASA.

I have the ACL configured per the syntax shown, and the ACL is applied to a test user, but I can still get to everything beyond what the ACL is restricting.

The tunnel groups are configured to use TACACS and not RADIUS for authentication.

I read that one of the requirements was that the authentication had to be RADIUS to use the downloadable ACL with the ACS.

Would it be easier to restrict the groups directly in the ASA appliance in the RA tunnel config?

wilson_1234_2 Wed, 07/08/2009 - 12:23

Thanks for the reply,

Is there any benefit to using TACACS over RADIUS?

Also, is there any way to log the RA VPN connections with the ASA?

Like accounting for example?

I would like to be able to look at the time and duration of a RA VPN tunnel via a log file.

We are doing Accounting and Administration of our network devices.

We had 3005 VPN Concentrators and you could peruse log files that showed connection times and the duration of the connection.

It seems you can only see the successful log in via TACACS for the RA VPN users.

srue Fri, 07/10/2009 - 11:52

Here are the ASA/PIX syslog IDs of the relevant start/stop messages for remote IPsec VPN sessions:

713120

713050

113019

I'm not sure offhand what kind of accounting can be done through typical AAA.
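Added example (not from the thread): a small parser that pulls the three message IDs listed above out of ASA syslog and turns the 113019 records, which carry a Duration field, into the per-session start/end report the thread is asking for. It assumes `logging timestamp` is enabled on the ASA so each line carries the default "Mon DD YYYY HH:MM:SS host : %ASA-n-nnnnnn:" prefix; the sample lines, hostnames, usernames and addresses are constructed for illustration.

```python
"""Extract remote-access VPN session start/stop records from ASA syslog."""
import re
from datetime import datetime, timedelta

# The message IDs named in the thread. Only 113019 carries the session Duration.
SESSION_MSGIDS = {
    "713120": "IKE phase 2 complete (tunnel up)",
    "713050": "IKE connection terminated",
    "113019": "session disconnected (carries Duration, byte counts and reason)",
}

# Assumes 'logging timestamp' is on and the default ASA syslog prefix.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ : "
    r"%ASA-\d-(?P<msgid>\d{6}): (?P<body>.*)$"
)
PEER_RE = re.compile(r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[^,]+)")
DURATION_RE = re.compile(r"Duration: (?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s")
REASON_RE = re.compile(r"Reason: (?P<reason>.+?)\s*$")

# Constructed sample log (hostname, users, groups and addresses are made up).
# The 302013 line is noise that the parser must ignore.
SAMPLE_LOG = """\
Jul 08 2009 12:01:03 asa5510 : %ASA-6-713120: Group = RA-GROUP, Username = jdoe, IP = 203.0.113.10, PHASE 2 COMPLETED (msgid=0a1b2c3d)
Jul 08 2009 12:43:20 asa5510 : %ASA-5-713050: Group = RA-GROUP, Username = jdoe, IP = 203.0.113.10, Connection terminated for peer jdoe.  Reason: Peer Terminate  Remote Proxy 192.168.50.10, Local Proxy 0.0.0.0
Jul 08 2009 12:43:20 asa5510 : %ASA-6-113019: Group = RA-GROUP, Username = jdoe, IP = 203.0.113.10, Session disconnected. Session Type: IPsec, Duration: 0h:42m:17s, Bytes xmt: 1523341, Bytes rcv: 8834412, Reason: User Requested
Jul 08 2009 13:05:44 asa5510 : %ASA-6-713120: Group = RA-GROUP, Username = asmith, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=1f2e3d4c)
Jul 08 2009 13:05:50 asa5510 : %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/52000 (198.51.100.7/52000) to inside:10.1.1.5/443 (10.1.1.5/443)
Jul 09 2009 01:12:09 asa5510 : %ASA-6-113019: Group = RA-GROUP, Username = asmith, IP = 198.51.100.7, Session disconnected. Session Type: IPsec, Duration: 12h:06m:25s, Bytes xmt: 20011, Bytes rcv: 40022, Reason: Idle Timeout
"""


def parse_line(line):
    """Return a dict for a VPN session event, or None for any other message."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m or m.group("msgid") not in SESSION_MSGIDS:
        return None
    peer = PEER_RE.search(m.group("body"))
    if not peer:
        return None
    event = {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "msgid": m.group("msgid"),
        "meaning": SESSION_MSGIDS[m.group("msgid")],
        "group": peer.group("group"),
        "user": peer.group("user"),
        "ip": peer.group("ip"),
    }
    if event["msgid"] == "113019":
        d = DURATION_RE.search(m.group("body"))
        r = REASON_RE.search(m.group("body"))
        event["duration_seconds"] = (
            int(d["h"]) * 3600 + int(d["m"]) * 60 + int(d["s"]) if d else None
        )
        event["reason"] = r["reason"] if r else None
    return event


def parse_log(text):
    """All VPN session events in the log, in file order."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def session_report(text):
    """One record per completed session; start is derived as end minus Duration."""
    sessions = []
    for e in parse_log(text):
        if e["msgid"] != "113019" or e["duration_seconds"] is None:
            continue
        end = e["ts"]
        sessions.append({
            "user": e["user"], "group": e["group"], "ip": e["ip"],
            "start": end - timedelta(seconds=e["duration_seconds"]),
            "end": end,
            "duration_seconds": e["duration_seconds"],
            "reason": e["reason"],
        })
    return sorted(sessions, key=lambda s: s["start"])


def format_report(sessions):
    """Human-readable lines: user, peer IP, start -> end, duration, reason."""
    return [
        f"{s['user']:<10} {s['ip']:<16} {s['start']:%Y-%m-%d %H:%M:%S} -> "
        f"{s['end']:%Y-%m-%d %H:%M:%S}  {s['duration_seconds']:>6}s  {s['reason']}"
        for s in sessions
    ]


if __name__ == "__main__":
    for row in format_report(session_report(SAMPLE_LOG)):
        print(row)
```

Feed it the output of `logging host` sent to a syslog server (or `show logging` saved to a file); the derived start time can be cross-checked against the preceding 713120 for the same user and IP, as the sample does. The format details of 713050 and 113019 vary slightly between ASA releases, so check the regexes against a real line from your own box before trusting the report.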
