06-27-2012 01:03 PM - edited 03-10-2019 07:15 PM
Dears
I configured the ASA to authenticate any ftp, tftp, telnet traffic passing through to the outside server and router, but I want to authorize a specific user to access TELNET on the outside router and another to access the SMTP server. How do I do this via TACACS? I tried to configure the ACS users as below:
USER1, USER2:
Per-user command authorization: checked
Unmatched Cisco IOS commands: deny
Command: checked
TCP/25
Unlisted argument: permit
and the ASA as below:
access-list AP extended permit tcp any any eq smtp
access-list AP extended permit tcp any any eq telnet
access-list AUTH extended permit tcp any any eq telnet
access-list AUTH extended permit udp any any eq tftp
access-list AUTH extended permit tcp any any eq ftp
aaa authentication match AUTH inside TAC
aaa authorization match AP inside TAC
virtual http 10.22.22.5
virtual telnet 10.22.22.5
But when I use authorization with these ACS settings for USER1 and USER2 and telnet to the virtual telnet address to authenticate, I get "AUTHORIZATION DENIED", while show uauth on the ASA shows the following:
Rack1ASA1(config)# sh uauth
                     Current   Most Seen
Authenticated Users     1         1
Authen In Progress      0         2
user 'user1' at 11.11.11.200, authenticated
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
The overall result is that TELNET and SMTP are not authorized.
When I set Unmatched Cisco IOS commands: permit, it authorizes everything, even what is not permitted on the ACS, as below:
Rack1ASA1(config)# sh uauth
                     Current   Most Seen
Authenticated Users     1         1
Authen In Progress      0         2
user 'user2' at 11.11.11.200, authorized to:
port 10.22.22.5/telnet 10.0.0.100/tcp/25 10.0.0.100/http
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
Thank you for your cooperation.
06-27-2012 03:35 PM
This configuration will not work the way you want it to. If you want to restrict access to telnet, then you can try to use a downloadable ACL, where port 23 is blocked for the user.
Here is the configuration for the ASA to support this (this section also shows how to enter the dACL):
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html
You can also create an ACL on the ASA that blocks traffic to port 23, and in the user or group RADIUS configuration you can send back the IETF attribute "Filter-Id", which will be equal to the ACL you configured locally on the ASA.
Thanks
Tarik Admani
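An added example (not from the thread, nor Cisco's own) of the second suggestion above: two locally defined ASA ACLs, one per user, that the ACS returns by name through Filter-Id. The RADIUS server address, shared key and ACL names are placeholders, and the ACS side (IETF attribute 11 set to the ACL name in each user's or group's RADIUS settings) is assumed to be configured separately.

```cisco
! Added example, not the original poster's config. Filter-Id is a RADIUS
! attribute, so the ASA needs a RADIUS server group; the TACACS+ group "TAC"
! from the thread cannot carry it.
!
! Per-user ACL for the user who may reach SMTP but must not telnet anywhere:
access-list NO-TELNET-USER extended deny tcp any any eq telnet
access-list NO-TELNET-USER extended permit ip any any
!
! Per-user ACL for the user who may telnet but must not reach the SMTP server:
access-list NO-SMTP-USER extended deny tcp any any eq smtp
access-list NO-SMTP-USER extended permit ip any any
!
! RADIUS server group (address and key are placeholders)
aaa-server RAD protocol radius
aaa-server RAD (inside) host 10.0.0.50
 key RADIUS-SHARED-KEY-PLACEHOLDER
!
! Same cut-through authentication as the original post, now against RADIUS.
! No "aaa authorization match" line is needed: the ACL named in Filter-Id is
! bound to the user's uauth entry as part of the authentication reply.
access-list AUTH extended permit tcp any any eq telnet
access-list AUTH extended permit udp any any eq tftp
access-list AUTH extended permit tcp any any eq ftp
aaa authentication match AUTH inside RAD
!
! Keep virtual telnet so users can authenticate before starting SMTP traffic,
! which has no login prompt of its own.
virtual telnet 10.22.22.5
!
! Check: after a user authenticates, "show uauth" lists the bound ACL, and
! "show access-list NO-TELNET-USER" shows hit counts on the deny line when
! that user tries telnet.
```

The Filter-Id value the ACS sends must match the ACL name on the ASA exactly, or the user is denied rather than falling back to the interface ACL.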