How to separate authentication requests in ACS 4.2

Answered Question
Oct 28th, 2009

Hi,

I have an ACS 4.2 for AAA. Right now I'm using this server to authenticate users that log in to all my Cisco devices (routers, switches, ASAs, APs), and also to authenticate users for Remote Access VPN on the ASA.

The problem I have is that the VPN users, who are in a different group in ACS, are able to authenticate to log in to and administer the network devices, and this is a security issue. I need the VPN users to only be able to authenticate to the VPN and not be able to authenticate to log in to the network devices.

Any ideas? Is it possible to separate the RADIUS access-requests from VPN and from login?

ROBERTO GIANA Wed, 10/28/2009 - 15:41

Hi

I had the same issue. My solution was to configure the ASA twice in the ACS. Once as a TACACS device and once as a RADIUS device. Only the name has to be unique.

Therefore I use TACACS-based authentication with command accounting for the management access authentication, authorization and accounting, while for the VPN access I use RADIUS authentication. Only firewall administrators get privilege level 15 when they authenticate by TACACS on the firewall, while all users (including FW admins) don't get admin rights at all when they authenticate their VPN connection by RADIUS on the firewall.

For that you also have to configure the ACS twice on the ASA: once as a TACACS server group member and once as a RADIUS server group member. In the VPN profile you just change the authentication and also the accounting server to the new RADIUS-ACS group.

Hope this helps.

fernandoaguirre Wed, 10/28/2009 - 16:30

Hi rgiana,

Thanks for your quick response. Actually, I just tried to make the config you described, using TACACS+ for management access and RADIUS for VPN access. I have this on ACS:

Name           IP address   Authenticate using
vpn01          172.28.4.2   RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)
vpn01-tacacs   172.28.4.2   TACACS+ (Cisco IOS)

On ASA I have this:

aaa-server TACACS protocol tacacs+
 reactivation-mode depletion deadtime 5
aaa-server TACACS (inside) host 172.28.2.27
 key ******
aaa-server TACACS (inside) host 172.28.2.49
 key ******
aaa-server TACACS (inside) host 172.29.1.12
 key ******
aaa-server RADIUS protocol radius
 reactivation-mode depletion deadtime 5
aaa-server RADIUS (inside) host 172.28.2.27
 key ******
aaa-server RADIUS (inside) host 172.28.2.49
 key ******
aaa-server RADIUS (inside) host 172.29.1.12
 key ******
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
tunnel-group SERCOMGROUP general-attributes
 authentication-server-group RADIUS

The problem I have now is that I don't have management access. I think TACACS+ is not working with this ASA.

Please help!!

ROBERTO GIANA Wed, 10/28/2009 - 16:47

Hi Fernando

Your configuration seems to be correct.

I see that you are using 3 ACS servers. Please keep in mind that the replication between the master ACS and the other two ACS servers has to be done first, after your changes! Check your replication settings for that.

Which ACS is your ASA using currently? Have you checked with "show aaa-server" that your ASA sees all of them as active?

And finally: what is your ASA trying to tell you in its logs? Have you checked them?

What is written in the logs of the ACS? Especially in the failed attempts log?

And last but not least: What software release are you running on your ASA?

Correct Answer
Jatin Katyal Thu, 10/29/2009 - 05:03

Hi Fernando,

Yes, this is possible: you can restrict your VPN users to the VPN-ASA device only. If you want that they should not have telnet/ssh/http access to other devices in the network, then you may go for NAR (Network Access Restriction).

The only thing you need to know is what we are getting in calling-station-id. I believe it is an IP address. You may check this under Reports and Activity > Passed Authentications for a VPN user.

Here are the steps:

On ACS > go to the VPN group > Edit > look for NAR > under IP-based NAR > set the action to "DENIED" > select the devices (routers/switches) you want to deny access to > put * for the port and address fields > hit Submit + Restart.

Doing that, users will be able to connect via VPN and unable to do SSH and Telnet.

I've attached a screenshot of the same (I did this for a 6509 switch).

HTH

JK

Plz rate helpful posts-

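As an added illustration (not code from any post in this thread), the check below models the IP-based NAR from the answer above (deny the VPN group on selected router/switch NAS devices, with * for port and calling-station address) and runs it over a constructed sample in the shape of an ACS 4.2 Passed Authentications export, flagging rows where a VPN-group user was passed on a management device the NAR should have denied. The CSV column names, the group name and every NAS address other than the ASA's 172.28.4.2 are assumptions; compare them against your own report header before use.

```python
import csv
import io

# Constructed NAR matching the answer: deny group "VPN-Users" on the listed
# router/switch NAS addresses, any port ("*"), any calling-station-id ("*").
# The ASA itself (172.28.4.2, from the thread) is deliberately NOT in the deny list.
NAR_DENY = {
    "group": "VPN-Users",
    "nas_ips": {"172.28.1.1", "172.28.1.2"},   # assumed router/switch addresses
    "port": "*",
    "calling_station": "*",
}


def nar_denies(group, nas_ip, nas_port, calling_station_id, nar=NAR_DENY):
    """True if the IP-based NAR rejects this request; '*' matches any value."""
    if group != nar["group"] or nas_ip not in nar["nas_ips"]:
        return False
    port_ok = nar["port"] == "*" or nar["port"] == nas_port
    addr_ok = nar["calling_station"] == "*" or nar["calling_station"] == calling_station_id
    return port_ok and addr_ok


# Constructed sample; column names are assumed, not copied from a real export.
SAMPLE_REPORT = """\
Date,Time,User-Name,Group-Name,Caller-ID,NAS-Port,NAS-IP-Address
10/29/2009,09:01:12,jdoe,VPN-Users,203.0.113.7,5,172.28.4.2
10/29/2009,09:05:40,jdoe,VPN-Users,172.28.9.15,tty1,172.28.1.1
10/29/2009,09:07:03,admin1,NetAdmins,172.28.9.20,tty2,172.28.1.2
"""


def find_violations(report_text, nar=NAR_DENY):
    """Rows that passed authentication although the NAR should have denied them.

    An empty result means the restriction is being enforced for the sampled rows."""
    rows = csv.DictReader(io.StringIO(report_text))
    return [
        r for r in rows
        if nar_denies(r["Group-Name"], r["NAS-IP-Address"], r["NAS-Port"], r["Caller-ID"], nar)
    ]


if __name__ == "__main__":
    for row in find_violations(SAMPLE_REPORT):
        print("NAR not enforced:", row["User-Name"], "passed on", row["NAS-IP-Address"])
```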
fernandoaguirre Thu, 10/29/2009 - 15:29

Thank you all for your help, it was very helpful. I have my configuration working!

Regards,

Fernando Aguirre
