cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4576
Views
4
Helpful
24
Replies

ASA 8.2 with ACS 5.2 and TACACS+ for device admin and Internet access

r.spiandorello
Level 1
Level 1

Hi, I'm migrating ACS 4.2 to ACS 5.2 for a customer and I'd like to find a service selection for TACACS+ protocol coming from an ASA.

I use TACACS+ for device administration but also for AAA of internal users internet access.

I also use RADIUS for vpn remote-access, without problems.

How to distinguish through the ACS service selection ?

thanks

24 Replies 24

mansrini
Cisco Employee
Cisco Employee

Yudong,

Here is what you can do.. Hit customize on 'service selection rules' and include 'compound condition'.. Now lets begin first for TACACS+ admin users.. Chose 'TACACS+' in the dictionary and the attribute 'service'. Now match the service to 'login' OR 'enable' ( I mean 'OR' the values and include both ) and point to to the appropriate access service for admin users..

Now that all admin authentications are going to match this first rule, you can let the 2nd rule match for 'cut through proxy' users irrespective of what service type it comes with and point it to the appropriate access policy.. I think you can also match with 'service' equals 'FW Proxy' but I am not sure..

Hope this helps..

Thanks,

Mani

Yes, compound condition could give us more option to differentiate the admin login and cut-through authen.

Ok, thank you, it helps me in case of TACACS+ for cut through proxy, but now I'm more oriented on RADIUS for http authentication because RADIUS is more oriented to service.

Now I need to distinguish  between remote access vpn and http authenticiation.

thanks

rs

Please attach radius packet captures, one for http auth and one for vpn remote access and I will be able to tell you how to differentiate.. The same concept of tacacs+ that I said should apply here also.. Select radius IETF from the dictionary and chose the 'service-type' attribute.. The http auth and remote access should come with different values for service-type I would think and packet captures will help to find the difference

Hi, followibg the RADIUS and vpn ipsec client capture:

following the RADIUS and anyconnect client capture:

following the RADIUS and http cut-through proxy capture:

If I repeat the capture for the same type of authentication, NAS-Port has a diffent value but near the captured.

thank you in advance

greatings

rs

Hi, do you have updates about the radius analysis ?

thanks

rs

Did you listed all radius attributes which you captured?

If yes, I don't see any other way to differentiate between cut-through and VPN besides using NAS Port.

If all your cut-through clients are from your internal network and their IP is within certain network range, you might consider of using "Calling-Station-ID 31".

Hi, I'm sorry but the firewall could receive a vpn request from inside, so Calling-Station-ID is not useful.

I think we need the NAS-Port ranges used by ASA 8.2(x).

thank you

renato

Sorry, I don't know this Nas-port range.

One more look at your last capture, it looks like Cut-through did not include "Called-Station-ID" attribute. If it is ture, you might use it.

Yes, I confirm you there is no "Called-Station-ID" in cut-through, but why is so hard to find NAS-Port ranges ?

thanks

rs