10-28-2009 03:07 PM - edited 03-10-2019 04:46 PM
Hi,
I have an ACS 4.2 for AAA. Right now i'm using this server to authenticate users that login to all my cisco devices (routers, switches, ASAs, APs), and also to authenticate users for Remote Access VPN in ASA.
The problem I have is that the VPN users that are on a different group in ACS are able to authenticate to login to administer the network devices and this is a security issue. I need the vpn users to only be able to authenticate to the vpn and not be able to authenticate to login to the network devices.
Any ideas? Is it possible to separate the RADIUS access-requests for VPN from those for login?
10-29-2009 05:03 AM
Hi Fernando,
Yes, this is possible: restrict your VPN users to the VPN ASA device only. If you want them not to have telnet/ssh/http access to other devices in the network, then you may go for NAR (Network Access Restriction).
The only thing you need to know is what we are getting in calling-station-id. I believe it is an IP address. You may check this in Reports and Activity > Passed Authentications for the VPN user.
Here are the steps:
On ACS > go to the VPN group > Edit > look for NAR > under IP-based NAR > set the action to "DENIED" > select the devices (routers/switches) you want to deny access to > put * in the port and address fields > hit Submit + Restart.
Doing that, users will be able to connect via VPN and unable to do ssh and telnet.
I've attached a screenshot of the same (I did this for a 6509 switch).
HTH
JK
Plz rate helpful posts-
10-28-2009 03:41 PM
Hi
I had the same issue. My solution was to configure the ASA twice in the ACS: once as a TACACS device and once as a RADIUS device. Only the name has to be unique.
Therefore I use TACACS-based authentication with command accounting for the management access authentication, authorization and accounting, while for the VPN access I use RADIUS authentication. Only firewall administrators get privilege level 15 when they authenticate by TACACS on the firewall, while all users (including FW admins) don't get admin rights at all when they authenticate their VPN connection by RADIUS on the firewall.
For that you also have to configure the ACS twice on the ASA: once as a TACACS server group member and once as a RADIUS server group member. On the VPN profile you just change the authentication and also the accounting server to the new RADIUS ACS group.
Hope this helps.
10-28-2009 04:30 PM
Hi rgiana,
Thanks for your quick response. Actually, I just tried to make the config you described, using TACACS+ for management access and RADIUS for VPN access. I have this on ACS:
vpn01
172.28.4.2
RADIUS (Cisco VPN 3000/ASA/PIX 7.x+)
vpn01-tacacs
172.28.4.2
TACACS+ (Cisco IOS)
On ASA I have this:
aaa-server TACACS protocol tacacs+
reactivation-mode depletion deadtime 5
aaa-server TACACS (inside) host 172.28.2.27
key ******
aaa-server TACACS (inside) host 172.28.2.49
key ******
aaa-server TACACS (inside) host 172.29.1.12
key ******
aaa-server RADIUS protocol radius
reactivation-mode depletion deadtime 5
aaa-server RADIUS (inside) host 172.28.2.27
key ******
aaa-server RADIUS (inside) host 172.28.2.49
key ******
aaa-server RADIUS (inside) host 172.29.1.12
key ******
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
tunnel-group SERCOMGROUP general-attributes
authentication-server-group RADIUS
The problem I have now is that I don't have management access. I think TACACS+ is not working with this ASA.
Please help!!
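As an added check (example code, not from the thread or from Cisco) for the split rgiana describes and the config posted above: parse the ASA's aaa configuration and flag any tunnel-group whose authentication goes to the same server group, or even just the same protocol, as ssh/http management access. The config fragments are constructed to mirror the one posted.

```python
import re

# Constructed ASA fragments modelled on the thread's config: GOOD sends ssh/http
# management to TACACS and the VPN tunnel-group to RADIUS; WEAK uses TACACS for both.
GOOD_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 172.28.2.27
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 172.28.2.27
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
tunnel-group SERCOMGROUP general-attributes
 authentication-server-group RADIUS
"""
WEAK_CONFIG = GOOD_CONFIG.replace("server-group RADIUS", "server-group TACACS")

SERVER_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)")
MGMT_AUTH_RE = re.compile(r"^aaa authentication (ssh|http|telnet) console (\S+)")
TUNNEL_GROUP_RE = re.compile(r"^tunnel-group (\S+) general-attributes")
AUTH_GROUP_RE = re.compile(r"^\s*authentication-server-group (\S+)")

def parse_asa_aaa(config):
    """Return (server-group -> protocol, mgmt service -> group, tunnel-group -> group)."""
    groups, mgmt, vpn, current_tg = {}, {}, {}, None
    for line in config.splitlines():
        if m := SERVER_GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := MGMT_AUTH_RE.match(line):
            mgmt[m.group(1)] = m.group(2)
        elif m := TUNNEL_GROUP_RE.match(line):
            current_tg = m.group(1)   # following sub-commands belong to this tunnel-group
        elif current_tg and (m := AUTH_GROUP_RE.match(line)):
            vpn[current_tg] = m.group(1)
        elif line and not line.startswith(" "):
            current_tg = None         # any other top-level command ends the block
    return groups, mgmt, vpn

def audit_separation(config):
    """Findings where VPN and management authentication are not kept apart."""
    groups, mgmt, vpn = parse_asa_aaa(config)
    mgmt_groups = set(mgmt.values())
    mgmt_protocols = {groups.get(g) for g in mgmt_groups}
    findings = []
    for tg, grp in vpn.items():
        if grp in mgmt_groups:
            findings.append(f"tunnel-group {tg}: VPN shares server group {grp} with management")
        elif groups.get(grp) in mgmt_protocols:
            findings.append(f"tunnel-group {tg}: VPN group {grp} and management both use "
                            f"{groups.get(grp)}, so ACS cannot tell the requests apart")
    return findings
```

Run it over `show running-config` output; an empty list means the VPN and management paths reach ACS as different protocols, which is what lets the two device entries in ACS apply different group policies.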
10-28-2009 04:47 PM
Hi Fernando
Your configuration seems to be correct.
I see that you are using 3 ACS servers. Please keep in mind that the replication between the master ACS and the other two ACS servers has to be done first, after your changes! Check your replication settings for that.
Which ACS is your ASA using currently? Have you checked with "show aaa-server" that your ASA sees all of them as active?
And finally: what is your ASA trying to tell you in its logs? Have you checked them?
What is written in the logs of the ACS? Especially in the failed attempts log?
And last but not least: What software release are you running on your ASA?
10-29-2009 05:33 AM
You may also refer to the NAR white paper:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801a8fd0.shtml
HTH
JK
Plz rate helpful posts-
10-29-2009 03:29 PM
Thank you all for your help, it was very helpful. I have my configuration working!
Regards,
Fernando Aguirre