ACS-Auth-proxy Security misconfig

e-alvarez
Level 1

Hi,

I have an issue with ACS and authentication proxy. It turns out that I want users to have only one session at a given time, but the ACS is allowing more than one session per user.

Imagine the following sequence of events:

1) user A logs in ok

2) another user A tries to log in and is correctly blocked

3) user B logs in ok

4) another user B tries to log in and is correctly blocked

5) If at this point another user A tries to log in, it is not blocked, and I have the same user A account logged in twice.

At this point, I can log in another user B without problem, resulting in two accounts connected for user B, which is not what I want.

The router config is attached.

On the ACS Server, I have the User max session set to 1, and the auth-proxy priv-lvl is as follows:

priv-lvl=15

proxyacl#1=deny tcp any host 10.10.10.1 eq telnet ! this is to prevent users from telnetting into the rtr.

proxyacl#2=permit ip any any

proxyacl#3=permit icmp any any

Any help you can provide, will be greatly appreciated.

Regards,

Eduardo

3 Replies

darpotter
Level 5

I assume you have full session accounting on - max sessions won't work otherwise.

Also, how are you testing this? If ACS sees a second authentication on the same port it will assume the 1st session must have ended and clear it.

Look in the ACS accounting report and/or passed auths - do you see any "NAS Port re-used" messages?

Darran

Thanks for your reply, Darran.

Yes, I have lines for accounting for things that I do not even plan to use, just to be on the safe side:

aaa new-model
!
aaa group server tacacs+ Oasis
 server 10.10.10.5
!
! login/exec/command authorization: TACACS+ group Oasis, then "none" if the group does not answer
aaa authentication login default group Oasis none
aaa authorization exec default group Oasis none
aaa authorization commands 15 default group Oasis none
! auth-proxy authorization: group Oasis, then the local database
aaa authorization auth-proxy default group Oasis local
aaa accounting send stop-record authentication failure
! start/stop accounting for auth-proxy sessions goes to group Oasis
aaa accounting auth-proxy default start-stop group Oasis
aaa accounting commands 15 default start-stop group Oasis
aaa accounting network default start-stop group Oasis
aaa accounting system default start-stop group tacacs+ group Oasis
aaa accounting resource default start-stop group Oasis
aaa session-id common
ip dhcp relay information trust-all
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool Oasis_dhcp
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
 lease infinite
 update arp
ip auth-proxy auth-proxy-banner http
ip auth-proxy auth-proxy-audit
! auth-proxy rule "acceso": HTTP-triggered, 60 minute inactivity timer
ip auth-proxy name acceso http inactivity-time 60
ip admission auth-proxy-banner http
ip admission auth-proxy-audit
ip name-server xxx.xxx.xxx.xxx
interface Vlan1
 description Switch Ethernet 4Ptos 10-100
 ip dhcp relay information trusted
 ip dhcp client update dns
 ip address 10.10.10.1 255.255.255.0
 ip access-group 150 in
 ip auth-proxy acceso
 .
 .
 .
!
ip http server
ip http authentication aaa
no ip http secure-server
ip nat inside source list 20 interface Dialer1 overload
!

Also, on the ACS, I have the Max sessions set to 1, but in the ACS reports I do not see any port re-used message.

I have a lab with 4 PCs and the ACS server (Win2003, standard).

Again, thanks for your interest.

Eduardo

Another thing I have noticed is that when I go to see "Connected Users" in the ACS, the users "disappear" from the ACS after a while, although the same user is still connected in the router (as seen with "sh ip auth-proxy cache").

Thanks

Eduardo
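The two mechanisms discussed in this thread, a per-user session limit that is only as good as the accounting records feeding it (Darran's point) and a router auth-proxy cache that can drift away from the AAA server's "Connected Users" view (Eduardo's last observation), are modelled below. This is an added example written for this page; it is not code from the thread, from Cisco IOS or from ACS. The toy server counts sessions purely from START/STOP accounting records, clears a stale entry when a new authentication arrives on a NAS port that still has one (logged as "NAS port re-used"), and the reconciliation helper lists cache entries the server no longer knows about. All NAS ports, session ids and cache entries are constructed values.

```python
"""Toy AAA server driven by accounting records, plus a cache reconciliation helper.

Added example, not code from the thread, Cisco IOS or ACS. NAS ports,
accounting session ids and the router cache snapshot are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    nas_ip: str
    nas_port: str


@dataclass
class AaaServer:
    max_sessions: int = 1
    active: dict = field(default_factory=dict)   # session_id -> Session
    log: list = field(default_factory=list)

    def user_session_count(self, user: str) -> int:
        return sum(1 for s in self.active.values() if s.user == user)

    def authenticate(self, user: str, nas_ip: str, nas_port: str) -> bool:
        # A fresh authentication on a NAS port that still has an active session
        # is treated as proof that the earlier session ended without its STOP
        # record arriving; the stale entry is cleared and the event logged.
        for sid, s in list(self.active.items()):
            if (s.nas_ip, s.nas_port) == (nas_ip, nas_port):
                del self.active[sid]
                self.log.append(f"NAS port re-used: cleared {s.user}/{sid} on {nas_ip} port {nas_port}")
        if self.user_session_count(user) >= self.max_sessions:
            self.log.append(f"denied {user}: max sessions ({self.max_sessions}) reached")
            return False
        self.log.append(f"passed {user} on {nas_ip} port {nas_port}")
        return True

    def accounting(self, status: str, session_id: str, user: str, nas_ip: str, nas_port: str) -> None:
        # Without START records the server never learns a session exists, so
        # the limit has nothing to count against.
        if status == "START":
            self.active[session_id] = Session(user, nas_ip, nas_port)
        elif status == "STOP":
            self.active.pop(session_id, None)


def run_scenario(accounting_enabled: bool) -> list:
    """Replays the five login attempts from the thread and returns the verdicts."""
    srv = AaaServer(max_sessions=1)
    nas = "10.10.10.1"                       # router address from the thread
    attempts = [("A", "1", "s1"), ("A", "2", "s2"), ("B", "3", "s3"),
                ("B", "4", "s4"), ("A", "5", "s5")]   # (user, port, acct id), constructed
    verdicts = []
    for user, port, sid in attempts:
        ok = srv.authenticate(user, nas, port)
        verdicts.append(ok)
        if ok and accounting_enabled:
            srv.accounting("START", sid, user, nas, port)
    return verdicts


def port_reuse_demo() -> tuple:
    """User A's client vanishes without a STOP record; B then authenticates on the same port."""
    srv = AaaServer(max_sessions=1)
    nas = "10.10.10.1"
    srv.authenticate("A", nas, "7")
    srv.accounting("START", "s7", "A", nas, "7")
    ok = srv.authenticate("B", nas, "7")
    reused = any(line.startswith("NAS port re-used") for line in srv.log)
    return ok, srv.user_session_count("A"), reused


def stale_router_entries(router_cache: list, acs_connected: set) -> list:
    """Entries still in the router's auth-proxy cache whose user the AAA server no longer lists."""
    return [(ip, user) for ip, user in router_cache if user not in acs_connected]


if __name__ == "__main__":
    print("with accounting   :", run_scenario(True))     # [True, False, True, False, False]
    print("without accounting:", run_scenario(False))    # every attempt passes
    print("port re-use       :", port_reuse_demo())      # (True, 0, True)
    # constructed snapshot: router auth-proxy cache vs the server's "Connected Users"
    cache = [("10.10.10.21", "A"), ("10.10.10.22", "B")]
    print("stale on router   :", stale_router_entries(cache, {"B"}))
```

Running the same five attempts with and without START records makes Darran's first point concrete: the verdicts only differ because the server has sessions to count. The port re-use path shows why an unexpected second authentication on a port can silently release a user's slot, and the reconciliation helper is the check to run when the router's "sh ip auth-proxy cache" and the ACS connected-user list disagree.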