topic Question on ASA & AAA using ACS 5.3 in Network Access Control

Question on ASA & AAA using ACS 5.3

newciscostudent — Mon, 11 Mar 2019 02:09:44 GMT

Hi guys,

I am testing a scenario in acs 5.3 with asa 8.4.3.

I have 3 set of users.

Group1 - admins with full cmd access

Group2 - admins with limited cmd access

Group3 - remote access vpn users access

Device Admins will connect via tacacs & I want to do authentication, authorization n accounting using ACS.

RA vpn users will use radius to get access to asa.

On acs, here's what I have done till now.

1. created network device groups - device type - MyGRP1

2. Added asa as aaa client

3. added test users mapped to their identity groups, for example

test1 -> full access group

test2 -> limited access group

test3 -> vpn access group

4. In Policy elements, I have created 2 command sets for users in full access and limited access.

question1: Do I create a new shell profile also for these user groups?

question2: what should I do here for vpn users?

5. In access policies, I have duplicated the default device admin and network access services.

question3: what should I do now in access policies?

I know I need to do some more configuration. But I am confused now so if anyone can guide me on this, it will be really helpful.

Thanks.

Question on ASA & AAA using ACS 5.3.

Jatin Katyal — Sun, 03 Jun 2012 12:10:27 GMT

No, We don't need to create new shell-profile unless we are sending different attribute.

For VPN users, you need to go inside access-policies > default network access > Authorization policy > create new > as a consition you can use the "Identity group" and protocol as "Radius" and in the authorization you can use "Permit"

Don't forget to set default rule to "Deny".

Rememeber

For device administration, you need to configure "Deafult device admin"

For network access/connection, you need to configure "Default network acess"

Regds,

Jatin

Do rate helpful posts-

Question on ASA & AAA using ACS 5.3

newciscostudent — Sun, 03 Jun 2012 16:39:25 GMT

Thanx Jatin but it is still not clear. Sorry.

Is that all to be done? Do I not need to create an authorization policy and identity policy for each and map it to the NDG?

What do I need to do for the VPN users command set / authorization profile?

Question on ASA & AAA using ACS 5.3

Jatin Katyal — Sun, 03 Jun 2012 20:55:14 GMT

Command authorization feature only works for device administration purpose and that too with TACACS. This can not be used for VPN authentication.

In the identity tab you need to select the database against which you want your user to be queried/checked.

If you would like to select the NDG then that would be additional configuration or we can say more conditions. However What I suggested you in the last post was the bare minimum configuration on ACS to have vpn authentication to work.

Again, As I said for vpn authentication, you make changes under

Default Network Access—Used for RADIUS-based access to network connectivity

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/access_policies.html#wp1064991

Hope that helps.

Question on ASA & AAA using ACS 5.3

newciscostudent — Sun, 03 Jun 2012 21:20:46 GMT

Okay Jatin.

I think I completed the ACS configuration. This is what I have in the end:

1. Network Device Groups

Device Type

-> 1. Internal Network

-> 2. VPN Guys

Network Devices and AAA Clients

-> Added my ASA vpn head end details

2. Users and Identity Stores

Identity Groups

-> Created 3 groups

--> a. Full cmd access

--> b. Restricted cmd access

--> c. VPN user access

Internal Identity Stores

-> Users -> added 3 users

--> 1. userA - Identity group - Full cmd access

--> 2. userB - Identity group - Restricted cmd access

--> 3. userC - Identity group - VPN user access

3. Policy Elements

Network Access - Authorization Profiles -> No change. Just keeping 'Permit Access'

Device Administration

-> Shell Profiles - no change

-> Command sets - created 2 command sets

--> Set1 - for Full cmd access users

--> Set2 - for Restricted cmd access users

4. Access Policies

Service Selection Rules

-> duplicated the default services - 'Default Device Admin' and 'Default Network Access'

-> New ones are - 'New Device Admin' and 'New Network Access'

A. 'New Device Admin'

-> Identity

--> default - Reject, Reject, Drop

-> Authorization

--> created 2 authorization policies

---> a. Full cmd access policy - identity group 'Full cmd access' (created before), NDG: Device type = 'Internal Network' (created before), Shell Profile = 'Permit Access' (default), Command Sets = Set1 (created before)

---> b. Restricted access policy - identity group 'Restricted cmd access' (created before), NDG: Device type = 'Internal Network' (created before), Shell Profile = 'Permit Access' (default), Command Sets = Set2 (created before)

B. 'New Network Access'

-> Identity

--> default - Reject, Reject, Drop

-> Authorization

--> created 1 authorization policy

---> VPN authorization policy - identity group 'VPN user access' (created before), NDG: Device type = 'VPN Guys' (created before), Protocol = match Radius, Authorization Profiles = 'Permit Access' (default)

..........

Now, does this look this correct or do I need to configure something else as well.

Thanks.