ASA 8.2 with ACS 5.2 and TACACS+ for device admin and Internet access

r.spiandorello
Level 1

Hi, I'm migrating ACS 4.2 to ACS 5.2 for a customer and I'd like to find a service selection for TACACS+ protocol coming from an ASA.

I use TACACS+ for device administration but also for AAA of internal users internet access.

I also use RADIUS for vpn remote-access, without problems.

How to distinguish through the ACS service selection ?

thanks

24 Replies

Yudong Wu
Level 7

I am not very sure but I think you might be able to use one of the following as a condition in the service selection to differentiate admin login from Internet authentication.

  • End Station Filters <-- if you are able to differentiate them based on client's IP
  • Device Port Filters

  • Device Port Filter—Filters the physical port of the device that the end station is connected to. Filtering is based on the device's IP address, name, NDG it belongs to, and port.
  • The device port identifier is an attribute of type string:

    • In a RADIUS request, if Attribute 5 (NAS-Port) is present in the request, ACS obtains the value from Attribute 5; or, if Attribute 87 (NAS-Port-Id) is present in the request, ACS obtains the request from Attribute 87.
    • In a TACACS request, ACS obtains this identifier from the port field of the start request (of every phase).

    You might need to do a packet capture to see if there is any difference in the TACACS request between the two kinds of authentication request. In Wireshark, you can decode the packet with the shared key so that you can see the info in the TACACS request.

    But for internet access authentication/authorization, do you think it's better to move to radius ?

    Could it be easier to select for radius protocol between vpn client and internet access services ?

    thanks

    rs

    Yes, you can move it to Radius.

    But in order to differentiate them, you have to find a unique item which can be used by your ACS.

    You'd better capture the radius packets in both cases to see if there is a way to differentiate them by using those parameters which I listed in my first post.

    Yes sure, from a capture of radius request for vpn remote access, I've found the following:

    AVP:   l=6    t=NAS-Port(5):   24518656

                   NAS-Port 24518656

    In case of radius protocol and that NAS-Port, I could select remote-access service, otherwise internet access service (radius too).

    thanks

    rs

    But also I see the following:

    AVP: l=6 t=NAS-Port-Type(61): Virtual(5)

              Nas-Port-Type: Virtual (5)

    Could it be useful ?

    Please refer to my first post, we only check Radius attribute 5 (NAS-Port) or 87 (NAS-Port-Id).

    So you can use attribute 5 for sure.

    Please do the capture on Radius request for internet access as well.

    Hi, capturing RADIUS communication for http authentication, the first time I have found NAS-Port (attr 5) = 2, but during other captures I have found NAS-Port (attr 5) = 4: is there a range ?

    No attribute 87.

    For vpn remote access, I have found NAS-Port (attr 5) = 24514560 but also NAS-Port (attr 5) = 24518656, is there a range for remote access too ?

    No attribute 87.

    thanks

    rs

    Dear Valued Cisco Customer,

    I will be out of the office from 03/20/2010 until 04/04/2010. During

    this time, I will have no access to email or voicemail. If you require

    assistance during my absence, please contact Manivannan Srinivasan via

    phone at 469-255-4806 or via email at mansrini@cisco.com and this

    engineer will continue to work any immediate concerns you may have at

    this time. If this issue can wait until my return on 04/05/2010, I will

    be glad to continue working with you. If you require assistance outside

    of our business hours (10:00am - 7:00pm CST), please contact the TAC by

    calling 1800-553-2447 or email tac@cisco.com and request to have the

    service request re-assigned.

    Best Regards,

    Abhishek Neelakanata

    attribute 87 is optional. So it might or might not be in Radius request.

    I am not sure about range, but it looks like VPN access use a bigger port number. You might just configure it "greater than" certain number.

    By the way, I took a look at the ACS 5.2 GUI. I made a mistake. It can actually use a lot more conditions when you configure a service selection rule.

    For example, you can use "Compound Condition" to configure a lot of Radius attributes in the request to be used by the "service selection rule".

    As you mentioned before, if you find "NAS-Port-type" is different in the two kinds of Radius authentication requests, you can use it as well.

    In "Service selection Rules" page, click "Customize" button, you can find all the condition items which you can use.


    Ok thank you, I used the compound condition for IETF Radius selection, but where can I find the official NAS-Port values ?

    I'd like to use the correct ranges

    thanks

    rs

    Sorry, I did not find any document which mentions about the range of NAS-Port.

    If in your radius packet capture, NAS-PORT-TYPE is a fixed number and different between the two types of radius authentication, you might consider using it instead of nas-port.
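An added illustration of the selection logic discussed in this thread (not code from the thread, from ACS, or from Cisco): it decodes the attribute TLVs of a RADIUS Access-Request and applies the compound condition of "NAS-Port-Type Virtual(5), otherwise a 'greater than' rule on NAS-Port". The sample packets are constructed, and the 1,000,000 NAS-Port floor is an assumed threshold chosen only to separate the captured values (2 and 4 versus 24514560 and 24518656).

```python
import struct

# RADIUS attribute numbers that the thread relies on (RFC 2865 / RFC 2869).
USER_NAME = 1
NAS_PORT = 5
NAS_PORT_TYPE = 61
NAS_PORT_ID = 87
NAS_PORT_TYPE_VIRTUAL = 5   # "NAS-Port-Type(61): Virtual(5)" from the VPN capture


def build_access_request(nas_port, nas_port_type=None, ident=1):
    """Constructed sample Access-Request (code 1); the authenticator is a dummy."""
    attrs = bytes([USER_NAME, 6]) + b"user"
    attrs += bytes([NAS_PORT, 6]) + struct.pack(">I", nas_port)
    if nas_port_type is not None:
        attrs += bytes([NAS_PORT_TYPE, 6]) + struct.pack(">I", nas_port_type)
    header = struct.pack(">BBH", 1, ident, 20 + len(attrs)) + b"\x00" * 16
    return header + attrs


def parse_attributes(packet):
    """Walk the attribute TLVs (type, length, value) after the 20-byte header."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, off = {}, 20
    while off < length:
        if off + 2 > length:
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = packet[off], packet[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length at offset %d" % off)
        attrs[atype] = packet[off + 2:off + alen]
        off += alen
    return attrs


def select_service(attrs, vpn_port_floor=1_000_000):
    """ACS-style service selection on the parsed attributes (floor is an assumption)."""
    ptype = attrs.get(NAS_PORT_TYPE)
    if ptype is not None and struct.unpack(">I", ptype)[0] == NAS_PORT_TYPE_VIRTUAL:
        return "remote-access"          # VPN clients carried NAS-Port-Type Virtual(5)
    port = attrs.get(NAS_PORT)
    if port is not None and struct.unpack(">I", port)[0] >= vpn_port_floor:
        return "remote-access"          # fallback "greater than" rule on NAS-Port
    return "internet-access"            # small NAS-Port values (2, 4) seen for HTTP auth
```

Checking NAS-Port-Type first keeps the rule independent of the undocumented NAS-Port range, which is why the thread prefers it when the captures show it to be stable.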

