1960 Views, 0 Helpful, 3 Replies

network authorization to ppp dialup client using tacacs+ ACS

davbarby
Level 1

I'm using ACS 3.0 with a 3640 NAS with analog modems and a channelized serial interface. I'm configuring authorization for PPP dialup users to specify which resources they can see and which they cannot see.

Is it possible to perform this kind of authorization, not only by specifying the access-list that has to be applied when a user logs in (this way is not very scalable), but also by specifying the allowed or denied resources on the ACS server, as one can do with the PIX firewall?

Thank you.

3 Replies

4brown
Level 1

If I understand you correctly, you want to deny access to ports on the NAS for specific users. Then use the port filtering option. You can permit or deny access through authorization on a per-port basis with port filtering. For example, the AAA profile would look like this:

    service=ppp {
        allow "" "^tty1[5-9]$" ""
        refuse "" "^tty1[0-4]$" ""
        protocol=ip {
            set addr-pool=default
        }
    }

Where 10.0.0.1 is the NAS. This allows access to tty ports 15-19 and denies access to ports 10-14. I never did this in CSNT, if that is what you are using, but you should be able to apply this attribute as an advanced TACACS+ AVP, or there should be another option to deny the ports. Hope this helps.

4brown
Level 1

Left the NAS out, sorry:

    service=ppp {
        allow "10.1.1.1" "^tty1[5-9]$" ""
        refuse "10.1.1.1" "^tty1[0-4]$" ""
        protocol=ip {
            set addr-pool=default
        }
    }
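The allow/refuse port-filter rules from the two posts above, evaluated over a range of tty port names so you can see which ports each rule actually covers before pushing the profile. This is an added Python example, not 4brown's config or a TACACS+ daemon; it assumes the rules are checked in order with the first full match winning, that an empty field matches anything, and that a port matching no rule is reported as "unmatched" rather than decided here.

```python
import re

# Port-filter rules as posted in the thread (the follow-up post supplies the NAS).
# Each rule is (action, nas_pattern, port_pattern, rem_addr_pattern).
PROFILE_RULES = [
    ("allow", "10.1.1.1", "^tty1[5-9]$", ""),
    ("refuse", "10.1.1.1", "^tty1[0-4]$", ""),
]

# Constructed contrast case: an unanchored port pattern. "tty1" is a substring of
# tty10..tty19 as well as tty1, so it refuses far more than it looks like it does.
LOOSE_RULES = [("refuse", "10.1.1.1", "tty1", "")]


def _matches(pattern, value):
    # Assumption: an empty pattern matches everything; otherwise an unanchored
    # regex search, so the ^...$ anchors in the rule decide how strict it is.
    # Note the NAS field is also a regex: an unescaped "." matches any character.
    return pattern == "" or re.search(pattern, value) is not None


def evaluate(rules, nas, port, rem_addr=""):
    """Return 'allow', 'refuse' or 'unmatched' for one authorization request.

    Assumed semantics: rules are checked in order, first full match wins.
    """
    for action, nas_pat, port_pat, rem_pat in rules:
        if (_matches(nas_pat, nas) and _matches(port_pat, port)
                and _matches(rem_pat, rem_addr)):
            return action
    return "unmatched"


def coverage(rules, nas, ports):
    """Map every port name to its decision so gaps in a filter set are visible."""
    return {port: evaluate(rules, nas, port) for port in ports}


if __name__ == "__main__":
    ports = [f"tty{n}" for n in range(32)]
    for port, decision in coverage(PROFILE_RULES, "10.1.1.1", ports).items():
        print(f"{port:6s} {decision}")
    # Expected: tty10-tty14 refuse, tty15-tty19 allow, every other port unmatched.
    print("loose rule on tty15:", evaluate(LOOSE_RULES, "10.1.1.1", "tty15"))
```

Ports outside tty10-tty19 fall through both rules, so the NAS default decides them; check that column before assuming the profile denies everything it does not list.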

davbarby
Level 1

Unfortunately no.

I would like to filter the IP or TCP traffic, as access-lists do, but without using the access lists: by specifying the allowed or denied sites on the Cisco ACS. I know this can be done with the PIX firewall, and I don't know why a similar authorization cannot be done with IOS access servers. Or, if it's possible, I haven't found the way.

Thank you.