08-14-2012 01:23 PM - edited 03-10-2019 07:25 PM
I have this working with Microsoft RADIUS server however I only want to restrict access to one server sitting in the DMZ using this method and once users authenticate they can RDP to the server. When I apply all the settings I lose all access other than just to this server. Can this be done for one particular server in DMZ and rest of the traffic to the Internet stays the way it is?
08-14-2012 01:27 PM
Mohammad,
What acl are you handing down to the client from the radius server? After the user authenticates can you paste the show access-lists?
Thanks,
Tarik Admani
*Please rate helpful posts*
08-14-2012 01:37 PM
This is what I created on the ASA:
access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"
access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet
Then on the RADIUS server I have it like this:
ip:inacl#1=permit tcp any eq 3389 host 10.1.150.22 gt 1023
ip:inacl#2=permit tcp any gt 1023 host 10.1.150.22 eq 3389
ip:inacl#3=permit tcp any host 10.1.200.150 eq www
ip:inacl#4=permit tcp any host 10.1.200.150 eq telnet
Now once I signed in using cut through proxy all I was able to do was RDP to that IP and lost my access to the internet etc. I am trying for rest of the traffic to keep going out the way it is now but this ACL I only want to kick in when some one is trying to access the server in the DMZ.
08-14-2012 01:42 PM
With Cut through proxy the per user acl should have taken place, can you paste the show access-lists | inc
Either you can hand down the ACL or you can assign the RDPAuth acl you created using the radius ietf filter attribute. However once you assign this ACL that is all you will have network access too.
Also on your interface access-lists do you have the per-user-override statement configured?
thanks.
Tarik Admani
*Please rate helpful posts*
08-14-2012 02:17 PM
Hi Tarik, those dynamic ACLs did get applied; I just removed them so that I can access other resources. That whole part is working fine and it is doing what it needs to do and only giving me access to that one server.
But I want this limitation to be applied to the traffic going to the DMZ only not to the internet.
No I do not have the "per-user-override statement configured", what is the purpose of this command?
08-14-2012 02:22 PM
Mohammad,
Can you please clarify what you are requesting, you still want access to the DMZ and the internet after you authenticate? Then add another attribute:
ip:inacl#5=permit ip any any
Tarik Admani
*Please rate helpful posts*
08-14-2012 03:37 PM
I only want to use the cut through proxy for access to the DMZ servers, however it seems like that is not possible; if I use that then it will also apply to the Internet and access to the other resources as well?
08-14-2012 03:45 PM
If you want to use cut through proxy then you have to create the authentication match statement in order to match the traffic that you want to block that will trigger cut-through proxy. When you authenticate then the ACL that you hand down to the client is what will determine where they have access to.
Can you please share your configuration, i am curious to see how you have this configured.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-15-2012 08:59 AM
I understand that and I am doing exactly that, but like I said it is blocking my access to the internet, so it looks like I need to configure it so there is an "ip any any" statement in there too for the rest of the access. What I was hoping to accomplish was to only restrict access to the DMZ host, not the rest of the network.
access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"
access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet
08-15-2012 09:06 AM
Please post your entire configuration.
Thanks,
Tarik Admani
*Please rate helpful posts*
08-15-2012 10:46 AM
access-list RDPAuth remark "This ACL is for RDP access to the servers in the DMZ"
access-list RDPAuth extended permit tcp any eq 3389 host 10.1.150.22 gt 1023
access-list RDPAuth extended permit tcp any gt 1023 host 10.1.150.22 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.5.236
key *****
!
virtual http 10.1.200.150
!
aaa authentication match RDPAuth inside RADIUS
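The following is an added example (not Mohammad's configuration and not Tarik's) showing how the pieces discussed in this thread fit together so that only DMZ-bound flows trigger cut-through proxy and everything else keeps flowing after authentication. It assumes an interface ACL named INSIDE_IN, a placeholder RADIUS shared secret, and a placeholder unused address for virtual http; the DMZ host addresses, RADIUS server address and service ports are the ones from the thread.

```text
! --- ASA side (added example, not the poster's configuration) ---
!
! 1. The authentication-match ACL lists only flows to the DMZ hosts, so only
!    those flows trigger cut-through proxy; Internet traffic never prompts.
!    The ASA is stateful, so the reverse "eq 3389 ... gt 1023" entries from
!    the thread are not needed here.
access-list RDPAuth remark "Flows that must authenticate before reaching the DMZ"
access-list RDPAuth extended permit tcp any host 10.1.150.22 eq 3389
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq www
access-list RDPAuth extended permit tcp any host 10.1.200.150 eq telnet
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.5.236
 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
! 2. Virtual HTTP address: an otherwise unused address routed to the ASA
!    (placeholder below), not the web server's own address.
virtual http 10.1.200.250
!
! 3. Cut-through proxy trigger on the inside interface.
aaa authentication match RDPAuth inside RADIUS
!
! 4. Interface ACL (the name INSIDE_IN is an assumption). per-user-override
!    lets the ACL downloaded from RADIUS replace this ACL for the
!    authenticated host; without it a flow must be permitted by both ACLs.
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside per-user-override

! --- RADIUS side: Cisco-AV-Pair values (vendor 9, attribute 1) returned ---
! --- for the user. The downloaded ACL is bound to the user's source IP  ---
! --- and is evaluated for ALL of that host's traffic, so the final      ---
! --- entry is what keeps Internet and other access working.             ---
ip:inacl#1=permit tcp any host 10.1.150.22 eq 3389
ip:inacl#2=permit tcp any host 10.1.200.150 eq www
ip:inacl#3=permit tcp any host 10.1.200.150 eq telnet
ip:inacl#4=permit ip any any
```

Two points worth checking in a real deployment. First, the interface ACL above permits everything for illustration; unauthenticated hosts are bounded by that ACL, not by RDPAuth, so restrict it to the DMZ services you intend to expose (the DMZ subnet is not given in the thread, so it is not shown). Second, because the downloaded ACL ends in permit ip any any, the three explicit permit entries before it are only documentation; if other DMZ ports should stay blocked for authenticated users, add deny entries for the DMZ subnet ahead of that final permit.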
08-15-2012 10:55 AM
Mohammad,
I do not see any cut through proxy configuration present in this configuration. Here is the configuration guide on how to create cut-through proxy:
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_fwaaa.html#wp1150203
Thanks,
Tarik Admani
*Please rate helpful posts*
08-16-2012 08:58 AM
It is there you wanted the full config so I pasted it. I updated it with just the config related to cut through proxy. And I already have seen that guide. Like I said it is working but it is being applied to all the traffic I just need to know if there is a way to apply it to the traffic to DMZ ONLY.
08-16-2012 09:02 AM
Really?
I didn't see any of the authentication match statements in the configuration you posted.
Usually when you add the authentication match statement (that forces authentication for the traffic configured in the ACL).
thanks,
Tarik Admani
*Please rate helpful posts*
08-16-2012 09:24 AM
You are telling me you still don't see it? And previously Authentication match statement was in "bold".