ACS 5.2 - add DACL to 2 devices

jasonrpell20
Level 1

I have an ASA 5510 on the outside with a Remote Access VPN.  The user will need to get from the 5510, then go through an ASA 5540, then out to the subnet where they will be doing their work.  I have a Cisco ACS version 5.2 that sits on a separate VLAN off of the 5540.  I can authenticate users with RADIUS on the 5510 VPN and use DACLs from the ACS with no problems.  However, the DACL only gets downloaded to the 5510 (as expected) and I need it to also download to the 5540.  Is there a way to do this?  I understand this could mean multiple authentications needed somehow.

Right now when I authenticate, the DACL shows up fine in the 5510, but I get blocked from the devices I need to get to because it of course is not getting added to the 5540 as well.  Any help is appreciated.  Thanks,

Here's the basic topology I have:

remote client
   |
   |
(outside--internet--VPN)
5510
(vlan X)
   |
   |
(vlan X)
5540-------------(vlan Y)ACS
(vlan Z)
   |
   |
devices being accessed

5 Replies

Tarik Admani
VIP Alumni

Jason,

You can have your clients authenticate to the 5510 through the VPN connection that you specified; for the dACL to work on the second ASA you will have to set up cut-through proxy. You can set up an ACL that matches any interesting traffic and they will be presented with a second authentication window where they can log in and receive another dACL to let them through.

This is the guide you are looking for the second ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_fwaaa.html#wp1150203

Thanks,

Tarik Admani

Thanks for the reply.

So if I understand correctly, I'll first set up a second RADIUS server definition between my 5540 and the ACS.  Second, I'll set up an AAA rule that says if an address from the specific VPN pool on the 5510 hits the selected interface on the 5540, then the 5540 will provide a prompt for them to authenticate a second time, and if it is successful, the DACL will download to the 5540 as well?

It makes sense to work this way.  Do I understand correctly?

What you will have to do on the second ASA is set up an ACL that inspects the "interesting" traffic. In your case that will be the devices; keep in mind that if they are not using http, ftp, telnet or https, and you are blocking other ports, then you will have to have the users authenticate directly to the ASA.

So yes, after the clients VPN into the network, the second ASA will also have to hit a RADIUS server to get another dACL.

Let me know if that clears it up for you.

Tarik Admani

The remote clients will of course use the Cisco VPN client to connect, and that works fine with ACS.  After that, they'll be trying to get to the devices over a proprietary port, not http, ftp, telnet, or https.  So are you saying the authentication will have to be directly from the ASA or can it still work with the ACS?  Sorry if I'm missing something here.  Thanks.

If this is a proprietary port you will have to authenticate directly to the ASA, and here is an example of how to configure this.

1. Start with an ACL to match the authentication traffic to the ASA (access-list permit tcp any host eq

2. Configure authentication to the ASA - aaa authentication match radius

3. configure authorization for DACL - aaa authorization match radius

4. configure your listener - aaa authentication listener http port xxxx

5. configure your dACL and RADIUS server configuration on the ASA: IP of the RADIUS server, shared secret, etc.

Then have your clients, after they authenticate via VPN, hit the following URL:

http://asaip:xxxx/connstatus/netaccess.html

Once you get there you will see the authentication page; log in, and the dACL from the RADIUS server should come down.

Then have your clients connect to the proprietary ports.

Thanks,

Tarik Admani
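The steps above, written out as an ASA configuration for the second firewall (the 5540). This is an added example, not configuration from the thread or from Cisco documentation; the interface names (nameif "vpnside" toward the 5510, "acs" for the ACS VLAN), the ACS address 192.0.2.10, the VPN pool 10.10.10.0/24, the proprietary port 5555 and the listener port 8080 are all constructed placeholders.

```cisco
! RADIUS server group pointing at ACS 5.2 on VLAN Y (addresses constructed).
! ACS must also list this ASA as a network device with the same shared secret,
! and the dACL is returned by the ACS authorization profile, not defined here.
aaa-server ACS protocol radius
aaa-server ACS (acs) host 192.0.2.10
 key <shared-secret-placeholder>
!
! Step 1: only traffic from the 5510's VPN pool to the proprietary port
! (5555, placeholder) on the protected subnet triggers cut-through proxy.
! Scoping to the pool keeps other VLAN X hosts from being prompted.
access-list CUT_THROUGH extended permit tcp 10.10.10.0 255.255.255.0 any eq 5555
!
! Steps 2 and 3: authenticate the matching flows against ACS and request
! per-user authorization so the dACL is downloaded to this ASA as well.
aaa authentication match CUT_THROUGH vpnside ACS
aaa authorization match CUT_THROUGH vpnside ACS
!
! Step 4: because 5555 is not http/ftp/telnet/https, the ASA cannot intercept
! the login, so users first browse to http://<asa-ip>:8080/connstatus/netaccess.html
aaa authentication listener http vpnside port 8080
!
! Bound the authenticated session so the downloaded dACL does not outlive
! the user's work session (30 minutes idle, constructed value).
timeout uauth 0:30:00 inactivity
```

Verify a user's session and the dACL actually applied with `show uauth` and `show access-list` on the 5540 after they log in through the listener; if no entry appears, check the RADIUS shared secret and the network-device entry in ACS before changing the ACLs.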