06-03-2012 04:53 AM - edited 03-10-2019 07:09 PM
Hi guys,
I am testing a scenario in ACS 5.3 with ASA 8.4.3.
I have 3 sets of users.
Group1 - admins with full cmd access
Group2 - admins with limited cmd access
Group3 - remote-access VPN user access
Device admins will connect via TACACS+, and I want to do authentication, authorization and accounting using ACS.
RA VPN users will use RADIUS to get access to the ASA.
On ACS, here's what I have done so far.
1. Created a network device group - device type - MyGRP1
2. Added the ASA as an AAA client
3. Added test users mapped to their identity groups, for example:
test1 -> full access group
test2 -> limited access group
test3 -> vpn access group
4. In Policy elements, I have created 2 command sets for users in full access and limited access.
Question 1: Do I also create a new shell profile for these user groups?
Question 2: What should I do here for VPN users?
5. In access policies, I have duplicated the default device admin and network access services.
Question 3: What should I do now in access policies?
I know I need to do some more configuration, but I am confused now, so if anyone can guide me on this it will be really helpful.
Thanks.
06-03-2012 05:10 AM
No, we don't need to create a new shell profile unless we are sending different attributes.
For VPN users, you need to go inside Access Policies > Default Network Access > Authorization Policy > Create New. As a condition you can use the "Identity Group" and the protocol as "RADIUS", and in the authorization you can use "Permit".
Don't forget to set the default rule to "Deny".
Remember:
For device administration, you need to configure "Default Device Admin".
For network access/connection, you need to configure "Default Network Access".
Regds,
Jatin
Do rate helpful posts.
06-03-2012 09:39 AM
Thanks Jatin, but it is still not clear. Sorry.
Is that all to be done? Do I not need to create an authorization policy and identity policy for each and map it to the NDG?
What do I need to do for the VPN users command set / authorization profile?
06-03-2012 01:55 PM
The command authorization feature only works for device administration purposes, and only with TACACS+. It cannot be used for VPN authentication.
In the Identity tab you need to select the database against which you want your users to be queried/checked.
If you would like to select the NDG, then that would be additional configuration, or we can say more conditions. However, what I suggested in the last post was the bare minimum configuration on ACS to get VPN authentication to work.
Again, as I said, for VPN authentication you make changes under
Default Network Access—Used for RADIUS-based access to network connectivity
Hope that helps.
06-03-2012 02:20 PM
Okay Jatin.
I think I completed the ACS configuration. This is what I have in the end:
1. Network Device Groups
Device Type
-> 1. Internal Network
-> 2. VPN Guys
Network Devices and AAA Clients
-> Added my ASA VPN head-end details
2. Users and Identity Stores
Identity Groups
-> Created 3 groups
--> a. Full cmd access
--> b. Restricted cmd access
--> c. VPN user access
Internal Identity Stores
-> Users -> added 3 users
--> 1. userA - Identity group - Full cmd access
--> 2. userB - Identity group - Restricted cmd access
--> 3. userC - Identity group - VPN user access
3. Policy Elements
Network Access - Authorization Profiles -> No change. Just keeping 'Permit Access'
Device Administration
-> Shell Profiles - no change
-> Command sets - created 2 command sets
--> Set1 - for Full cmd access users
--> Set2 - for Restricted cmd access users
4. Access Policies
Service Selection Rules
-> duplicated the default services - 'Default Device Admin' and 'Default Network Access'
-> New ones are - 'New Device Admin' and 'New Network Access'
A. 'New Device Admin'
-> Identity
--> default - Reject, Reject, Drop
-> Authorization
--> created 2 authorization policies
---> a. Full cmd access policy - identity group 'Full cmd access' (created before), NDG: Device type = 'Internal Network' (created before), Shell Profile = 'Permit Access' (default), Command Sets = Set1 (created before)
---> b. Restricted access policy - identity group 'Restricted cmd access' (created before), NDG: Device type = 'Internal Network' (created before), Shell Profile = 'Permit Access' (default), Command Sets = Set2 (created before)
B. 'New Network Access'
-> Identity
--> default - Reject, Reject, Drop
-> Authorization
--> created 1 authorization policy
---> VPN authorization policy - identity group 'VPN user access' (created before), NDG: Device type = 'VPN Guys' (created before), Protocol = match Radius, Authorization Profiles = 'Permit Access' (default)
Now, does this look correct, or do I need to configure something else as well?
Thanks.
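The posts above cover only the ACS side of the scenario. The ASA half that the first post describes (TACACS+ for device administration with authentication, command authorization and accounting, RADIUS for the remote-access VPN users) is shown below as an added example; it is not configuration from any of the posters. The ACS address (192.0.2.10), the interface name (inside), the server-group names ACS-TAC and ACS-RAD, the tunnel-group name RA-VPN and the placeholder secrets and passwords are all assumptions; the usernames userA and userC are the ones from the last post.

```cisco
! Added example, not from the thread. ACS address, interface, group and tunnel-group names are assumed.
!
! --- TACACS+ server group: device administration (Default/New Device Admin service on ACS) ---
aaa-server ACS-TAC protocol tacacs+
aaa-server ACS-TAC (inside) host 192.0.2.10
 key <tacacs-shared-secret>
!
! Authenticate SSH and enable against ACS; LOCAL is only consulted if ACS is unreachable,
! so the device-admin identity groups on ACS decide who gets in.
aaa authentication ssh console ACS-TAC LOCAL
aaa authentication enable console ACS-TAC LOCAL
!
! Per-command authorization: every command is checked against the command set
! (Set1 or Set2) returned by the ACS Device Admin authorization policy.
aaa authorization command ACS-TAC LOCAL
!
! Optional: honour a privilege level set in an ACS shell profile (not needed while
! the shell profile stays at the default 'Permit Access').
aaa authorization exec authentication-server
!
! Accounting: ACS keeps a record of each session and each command an admin ran.
aaa accounting ssh console ACS-TAC
aaa accounting command ACS-TAC
!
! --- RADIUS server group: remote-access VPN users (Default/New Network Access service on ACS) ---
aaa-server ACS-RAD protocol radius
aaa-server ACS-RAD (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! The VPN tunnel-group authenticates its users against the RADIUS group, so the
! request lands in the Network Access service on ACS, never in Device Admin.
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group ACS-RAD
!
! --- Verification from the ASA, one user per identity group, before relying on the policy ---
test aaa-server authentication ACS-TAC host 192.0.2.10 username userA password <password>
test aaa-server authentication ACS-RAD host 192.0.2.10 username userC password <password>
```

Two things to check when pairing this with the ACS configuration in the last post: the shared secrets must match the TACACS+ and RADIUS secrets entered on the ASA's AAA client entry under Network Devices and AAA Clients, and the ASA must sit in the NDG device type that the authorization policies match on (the Device Admin rules match 'Internal Network' while the VPN rule matches 'VPN Guys', so a single ASA can only satisfy one of them unless the NDG condition is relaxed or the device entry is adjusted). Keep the LOCAL fallback in place and run the `test aaa-server` commands from a session you already hold before closing your console access; with the default rule set to Deny as Jatin advised, a user whose request falls through every rule is rejected, which is the correct failure mode but also the one that locks you out if a condition is wrong.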