03-11-2011 08:13 AM - edited 03-10-2019 05:54 PM
Hi, I'm migrating ACS 4.2 to ACS 5.2 for a customer and I'd like to find a service selection rule for the TACACS+ protocol coming from an ASA.
I use TACACS+ for device administration but also for AAA of internal users' internet access.
I also use RADIUS for VPN remote access, without problems.
How do I distinguish them through the ACS service selection?
thanks
03-11-2011 09:51 AM
I am not very sure, but I think you might be able to use one of the following as a condition in the service selection rule to differentiate admin login from Internet authentication.
The device port identifier is an attribute of type string:
03-15-2011 11:38 AM
But for internet access authentication/authorization, do you think it's better to move to RADIUS?
Could it be easier to select between the VPN client and internet access services for the RADIUS protocol?
thanks
rs
03-15-2011 12:10 PM
Yes, you can move it to RADIUS.
But in order to differentiate them, you have to find a unique item which can be used by your ACS.
You'd better capture the RADIUS packets in both cases to see if there is a way to differentiate them using those parameters which I listed in my first post.
03-16-2011 02:18 AM
Yes, sure. From a capture of the RADIUS request for VPN remote access, I've found the following:
AVP: l=6 t=NAS-Port(5): 24518656
NAS-Port 24518656
In the case of the RADIUS protocol with that NAS-Port, I could select the remote-access service, otherwise the internet access service (RADIUS too).
thanks
rs
03-16-2011 02:45 AM
But I also see the following:
AVP: l=6 t=NAS-Port-Type(61): Virtual(5)
Nas-Port-Type: Virtual (5)
Could it be useful?
03-16-2011 08:57 AM
Please refer to my first post; we only check RADIUS attribute 5 (NAS-Port) or 87 (NAS-Port-Id).
So you can use attribute 5 for sure.
Please do the capture of the RADIUS request for internet access as well.
03-18-2011 02:48 AM
Hi, capturing the RADIUS communication for HTTP authentication, the first time I found NAS-Port (attr 5) = 2, but during other captures I found NAS-Port (attr 5) = 4: is there a range?
No attribute 87.
For VPN remote access, I found NAS-Port (attr 5) = 24514560 but also NAS-Port (attr 5) = 24518656; is there a range for remote access too?
No attribute 87.
thanks
rs
03-18-2011 02:49 AM
Dear Valued Cisco Customer,
I will be out of the office from 03/20/2010 until 04/04/2010. During
this time, I will have no access to email or voicemail. If you require
assistance during my absence, please contact Manivannan Srinivasan via
phone at 469-255-4806 or via email at mansrini@cisco.com and this
engineer will continue to work any immediate concerns you may have at
this time. If this issue can wait until my return on 04/05/2010, I will
be glad to continue working with you. If you require assistance outside
of our business hours (10:00am - 7:00pm CST), please contact the TAC by
calling 1800-553-2447 or email tac@cisco.com and request to have the
service request re-assigned.
Best Regards,
Abhishek Neelakanata
03-18-2011 08:56 AM
Attribute 87 is optional, so it might or might not be in the RADIUS request.
I am not sure about the range, but it looks like VPN access uses a bigger port number. You might just configure it as "greater than" a certain number.
By the way, I took a look at the ACS 5.2 GUI. I made a mistake: it can actually use a lot more conditions when you configure a service selection rule.
For example, you can use "Compound Condition" to configure many RADIUS attributes in the request to be used by the "service selection rule".
As you mentioned before, if you find "NAS-Port-Type" is different in the two kinds of RADIUS authentication requests, you can use it as well.
In the "Service Selection Rules" page, click the "Customize" button; there you can find all the condition items which you can use.
03-18-2011 09:02 AM
OK, thank you. I used the compound condition for IETF RADIUS selection, but where can I find the official NAS-Port values?
I'd like to use the correct ranges.
thanks
rs
03-18-2011 09:34 AM
Sorry, I did not find any document which mentions the range of NAS-Port.
If in your RADIUS packet capture NAS-Port-Type is a fixed number and differs between the two types of RADIUS authentication, you might consider using it instead of NAS-Port.
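To make the advice in the two posts above concrete (compound conditions on NAS-Port-Type, with the "greater than" NAS-Port test as a fallback), here is an added example that is not part of this thread and not Cisco ACS code. It builds two RADIUS Access-Request packets carrying the attribute values quoted in the thread (constructed samples, not real ASA captures), parses the AVPs with the length checks a parser facing untrusted UDP needs, and applies an ordered, first-match rule table in the style of ACS service selection rules. The service names, the 1,000,000 threshold and the NAS IP address are assumptions made for the illustration.

```python
"""Parse RADIUS Access-Request AVPs and apply ACS-style service selection rules."""
import struct
from ipaddress import IPv4Address

# IETF RADIUS attribute types (RFC 2865, RFC 2869) and the value seen in the thread
ACCESS_REQUEST = 1
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5
NAS_PORT_TYPE = 61
NAS_PORT_ID = 87
NAS_PORT_TYPE_VIRTUAL = 5           # NAS-Port-Type = Virtual(5), as captured for the VPN request

# Hypothetical service names standing in for the ACS access services
SERVICE_VPN = "VPN Remote Access"
SERVICE_INTERNET = "Internet Access"
NAS_PORT_VPN_THRESHOLD = 1_000_000  # assumption for the "greater than" fallback; no documented range


def build_access_request(ident: int, attrs) -> bytes:
    """Serialize a minimal Access-Request (constructed sample, not a real ASA packet).

    Integers become 4-byte big-endian values, str/bytes are sent as octets,
    IPv4Address as 4 raw bytes. The 16-byte authenticator is zeroed for the sample."""
    body = b""
    for attr_type, value in attrs:
        if isinstance(value, IPv4Address):
            raw = value.packed
        elif isinstance(value, int):
            raw = struct.pack("!I", value)
        elif isinstance(value, str):
            raw = value.encode()
        else:
            raw = bytes(value)
        if len(raw) > 253:
            raise ValueError("AVP value too long")
        body += struct.pack("!BB", attr_type, len(raw) + 2) + raw
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body))
    return header + b"\x00" * 16 + body


def parse_avps(packet: bytes) -> dict:
    """Return {attribute_type: [raw_value, ...]}, rejecting any inconsistent length
    field so a malformed datagram cannot make the parser read past the buffer."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    avps = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated AVP header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad AVP length")
        avps.setdefault(attr_type, []).append(packet[pos + 2:pos + attr_len])
        pos += attr_len
    return avps


def get_integer(avps: dict, attr_type: int):
    """First instance of a 4-byte integer attribute, or None if absent or malformed."""
    values = avps.get(attr_type)
    if not values or len(values[0]) != 4:
        return None
    return struct.unpack("!I", values[0])[0]


# Ordered rules, first match wins, mirroring ACS service selection with compound
# conditions. Each entry: (rule name, predicate over the parsed AVPs, service).
SERVICE_SELECTION_RULES = [
    ("vpn-by-nas-port-type",
     lambda a: get_integer(a, NAS_PORT_TYPE) == NAS_PORT_TYPE_VIRTUAL,
     SERVICE_VPN),
    ("vpn-by-nas-port-greater-than",   # the thread's fallback heuristic on attribute 5
     lambda a: (get_integer(a, NAS_PORT) or 0) > NAS_PORT_VPN_THRESHOLD,
     SERVICE_VPN),
]


def select_service(packet: bytes) -> tuple:
    """Return (matched rule name, service); the default rule catches everything else."""
    avps = parse_avps(packet)
    for name, predicate, service in SERVICE_SELECTION_RULES:
        if predicate(avps):
            return name, service
    return "default", SERVICE_INTERNET


# Constructed samples using the attribute values quoted in the thread
VPN_REQUEST = build_access_request(1, [
    (USER_NAME, "rs"),
    (NAS_IP_ADDRESS, IPv4Address("192.0.2.1")),   # assumed ASA address
    (NAS_PORT, 24518656),
    (NAS_PORT_TYPE, NAS_PORT_TYPE_VIRTUAL),
])
HTTP_REQUEST = build_access_request(2, [
    (USER_NAME, "rs"),
    (NAS_IP_ADDRESS, IPv4Address("192.0.2.1")),
    (NAS_PORT, 4),                                # no NAS-Port-Type, no NAS-Port-Id
])

if __name__ == "__main__":
    for label, pkt in (("vpn", VPN_REQUEST), ("http", HTTP_REQUEST)):
        print(label, select_service(pkt))
```

The rule order matters: the NAS-Port-Type condition is listed first because it is a fixed enumeration from the NAS, while NAS-Port is assigned by the ASA with no documented range (the two captured values, 24514560 and 24518656, are 0x1761000 and 0x1762000, so they differ only in the bits above the low 12). A "greater than" rule on attribute 5 is therefore kept only as a fallback for requests that carry no attribute 61, and anything that matches neither falls through to the internet access service rather than to the more privileged VPN one.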