Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1257
Views
0
Helpful
1
Replies

ASA - authentication proxy and authorization via Tacacs

eng.malak
Level 1
Level 1

‎06-27-2012 01:03 PM - edited ‎03-10-2019 07:15 PM


Dears

I configures ASA to authenticated any ftp , tftp , telnet traffic passing through to outside server and router but i want to authorize specific  user to access TELNET to outside router and another to access SMTP server , how to do  so this via tacacs , i tried to configure the  ACS user as below

USER1

USER2

peruser command authorization :checked

Unmatched Cisco IOS commands : deny

command:checked

TCP/25

unlisted atgument : permit

and the ASA as below

access-list AP extended permit tcp any any eq smtp

access-list AP extended permit tcp any any eq telnet

access-list AUTH extended permit tcp any any eq telnet

access-list AUTH extended permit udp any any eq tftp

access-list AUTH extended permit tcp any any eq ftp

aaa authentication match AUTH inside TAC

aaa authorization match AP inside TAC

virtual http 10.22.22.5

virtual telnet 10.22.22.5

but since i used authorization with these ACS settings for USER1 and USER2 and when i telnet to the virtual telnet to authenticate i get "AUTHORIZATION DENIED" but the asa show uauath as below

Rack1ASA1(config)# sh uauth  

                        Current    Most Seen

Authenticated Users       1          1

Authen In Progress        0          2

user 'user1' at 11.11.11.200, authenticated

   absolute   timeout: 0:05:00

   inactivity timeout: 0:00:00

the overall result the  TELNET and SMTP are not authorized

when i set Unmatched Cisco IOS commands :permit it authorize everything  even if its not permitted on the ACS as below

Rack1ASA1(config)# sh uauth

                        Current    Most Seen

Authenticated Users       1          1

Authen In Progress        0          2

user 'user2' at 11.11.11.200, authorized to:

   port 10.22.22.5/telnet       10.0.0.100/tcp/25       10.0.0.100/http 

   absolute   timeout: 0:05:00

   inactivity timeout: 0:00:00

thank you for your cooperation

Labels:
0 Helpful
1 Reply 1

Tarik Admani
VIP Alumni
VIP Alumni

‎06-27-2012 03:35 PM

This configuration will not work the way you want it to, if you want to restrict access to telnet then you can try to use a downloadable acl, where port 23 is blocked for the user.

Here are is the configuration for the ASA to support this: (this section also shows how to enter the dACL

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html

You can also create an ACL on the asa that blocks traffic to port 23, and in the user or group radius configuration you can send back the ietf attribute "Filter-Id" and that will be equal to the ACL you configured locally on the ASA.

Thanks

Tarik Admani

0 Helpful
Customers Also Viewed These Support Documents