topic Hi, If you use per in Network Security

User Authentication with Downloadable ACLs

owalter — Tue, 12 Mar 2019 04:33:05 GMT

I have config on ASA 9.1.3 with User Authentication via RADIUS ACS 5.5.

On one ASA interface i have 5 permits inbound

permit ip dest A

permit ip dest B

permit ip dest C

permit ip dest D

permit ip dest E

On the ACS i have two downloadable ACEs for a user :

permit ip dest F

permit ip dest G

In case i do not use per-user override option in access-group syntax, a packet needs to be

matched on interface AND on downloadable ACL.

In my case dest A to G will not work.

In case i do use per -user override option in access-group syntax, a packet needs to be

matched only on downloadable ACL.

In my case dest F and G will work.

I did not find a way to merge both interface and downloadable ACL.

Requirement would be that without User Auth, A to E works.

In case User authenticates F and G work in ADDITION to A and E.

Hello, How they work is :

Julio Carvajal — Wed, 30 Jul 2014 23:57:08 GMT

Hello,

How they work is :

-Without the user-override option:

Both ACLs (Configured on the FW and the ACS) will need to permit the traffic.

-With the user-override option:

Only the ACS downloable ACL is check.

Jcarvaja

CCIE 42930, 2xCCNP, JNCIS-SEC

For inmediate support http://iNetworks.cr

Hello Jcarvaja,i did

owalter — Thu, 31 Jul 2014 10:37:41 GMT

Hello Jcarvaja,

i did understand what the per user override means and how it works.

Unfortunately it does not give me a solution for my requirement in both options.

My intention was to ask about if there is a possibility to cover my requirement :

I did not find a way to merge both interface and downloadable ACL.

Requirement would be that without User Auth, A to E works.

In case User authenticates F and G work in ADDITION to A and E.

Hi, If you use per

nkarthikeyan — Thu, 31 Jul 2014 10:57:34 GMT

Hi,

If you use per-useroverride option, then you have to define everything on the auto/dynamic acl attributes you set in ACS/Radius server.....

If you do not use the per-user-override option then you need to have both interface ACL and Downloadable ACL as same... say it has to have all the 7 permit statements..... on ACL & ACS.

Regards

Karthik

Hello

Julio Carvajal — Thu, 31 Jul 2014 12:24:26 GMT

Hello Well thats what I am telling you. You only have those options You would have to construct the acl on the acá as you require

Hello Karthik,thanks for your

owalter — Thu, 31 Jul 2014 12:45:13 GMT

Hello Karthik,

thanks for your reply.

"If you use per-useroverride option, then you have to define everything on the auto/dynamic acl attributes you set in ACS/Radius server….."

Yes, but in case I have 500 ACEs on an interface already and need 5 additional per user authentication

i have to hold 505 on the ACS system. This looks very inefficient and is obviously either an ASA
or RADIUS limitation.

"If you do not use the per-user-override option then you need to have both interface ACL and Downloadable ACL as same... say it has to have all the 7 permit statements..... on ACL & ACS."

This does not really make sense to me.

In case i have all the 7 permits already on my interface, why should I bother with

User Authentication to download exactly the same 7 permits to this interface ?

Best regards

Oliver

Hello jcarvaja,Yes, but in

owalter — Thu, 31 Jul 2014 12:47:39 GMT

Hello jcarvaja,

Yes, but in case I have 500 ACEs on an ASA interface already and need 5 additional per user authentication

i have to hold 505 on the ACS system. This looks very inefficient and is obviously either an ASA
or RADIUS limitation.

Best regards

Oliver

Hi, Yes. I agree with you for

nkarthikeyan — Thu, 31 Jul 2014 13:14:48 GMT

Hi,

Yes. I agree with you for my second suggestion it was supposed to be or not &.... having the same on both doesn't make sense...... But i see those are the limited options.... else you can have the access-restriction on the auth server itself restricted to the 5 hosts NDG/User group... something like that....

Regards

Karthik

Regards

Karthik