07-29-2014 10:27 AM - edited 03-11-2019 09:33 PM
I have config on ASA 9.1.3 with User Authentication via RADIUS ACS 5.5.
On one ASA interface i have 5 permits inbound
permit ip dest A
permit ip dest B
permit ip dest C
permit ip dest D
permit ip dest E
On the ACS i have two downloadable ACEs for a user :
permit ip dest F
permit ip dest G
In case I do not use the per-user-override option in the access-group syntax, a packet needs to be
matched on the interface ACL AND on the downloadable ACL.
In my case dest A to G will not work.
In case I do use the per-user-override option in the access-group syntax, a packet needs to be
matched only on the downloadable ACL.
In my case dest F and G will work.
I did not find a way to merge both interface and downloadable ACL.
Requirement would be that without User Auth, A to E works.
In case the user authenticates, F and G work in ADDITION to A and E.
07-30-2014 04:57 PM
Hello,
How they work is:
- Without the per-user-override option:
Both ACLs (configured on the FW and on the ACS) will need to permit the traffic.
- With the per-user-override option:
Only the ACS downloadable ACL is checked.
Jcarvaja
CCIE 42930, 2xCCNP, JNCIS-SEC
For immediate support http://iNetworks.cr
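A small Python model of the two evaluation modes described above, added here as an illustration (it is not code from the thread or from Cisco): each ACL is evaluated first-match with the ASA's implicit deny at the end, and the `Ace`/`packet_allowed` names and single-letter destinations are assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Ace:
    """One access-control entry; dest 'any' matches every destination (constructed format)."""
    action: str  # "permit" or "deny"
    dest: str


def acl_permits(acl: List[Ace], dest: str) -> bool:
    """First matching ACE decides; no match hits the implicit deny at the end of the ACL."""
    for ace in acl:
        if ace.dest in ("any", dest):
            return ace.action == "permit"
    return False


def packet_allowed(interface_acl: List[Ace], dacl: Optional[List[Ace]],
                   dest: str, per_user_override: bool) -> bool:
    """Model of the ASA decision for one packet.

    dacl is None when no user is authenticated (no downloadable ACL applied).
    Without per-user-override both ACLs must permit; with it only the DACL is consulted.
    """
    if dacl is None:
        return acl_permits(interface_acl, dest)
    if per_user_override:
        return acl_permits(dacl, dest)
    return acl_permits(interface_acl, dest) and acl_permits(dacl, dest)


def allowed_destinations(interface_acl, dacl, per_user_override, candidates) -> Set[str]:
    """Which of the candidate destinations get through under the given mode."""
    return {d for d in candidates if packet_allowed(interface_acl, dacl, d, per_user_override)}


# Constructed sample matching the thread: A-E on the interface, F-G downloaded per user.
INTERFACE_ACL = [Ace("permit", d) for d in "ABCDE"]
USER_DACL = [Ace("permit", d) for d in "FG"]
# The only working "merge" is to duplicate the interface entries into the DACL and override.
MERGED_DACL = INTERFACE_ACL + USER_DACL
ALL_DESTS = set("ABCDEFG")

if __name__ == "__main__":
    print("no auth      :", sorted(allowed_destinations(INTERFACE_ACL, None, False, ALL_DESTS)))
    print("auth, AND    :", sorted(allowed_destinations(INTERFACE_ACL, USER_DACL, False, ALL_DESTS)))
    print("auth,override:", sorted(allowed_destinations(INTERFACE_ACL, USER_DACL, True, ALL_DESTS)))
    print("merged DACL  :", sorted(allowed_destinations(INTERFACE_ACL, MERGED_DACL, True, ALL_DESTS)))
```

Running it shows why the thread's requirement cannot be met with either mode as-is: the DACL's implicit deny strips A-E in AND mode, and override mode ignores the interface ACL entirely, so the extra destinations only survive if the interface entries are duplicated into the DACL.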
07-31-2014 03:37 AM
Hello Jcarvaja,
I did understand what the per-user override means and how it works.
Unfortunately it does not give me a solution for my requirement in either option.
My intention was to ask whether there is a possibility to cover my requirement:
I did not find a way to merge both interface and downloadable ACL.
Requirement would be that without User Auth, A to E works.
In case User authenticates F and G work in ADDITION to A and E.
07-31-2014 03:57 AM
Hi,
If you use the per-user-override option, then you have to define everything in the auto/dynamic ACL attributes you set on the ACS/RADIUS server...
If you do not use the per-user-override option, then you need to have both the interface ACL and the downloadable ACL the same... that is, it has to have all 7 permit statements on the ACL & ACS.
Regards
Karthik
07-31-2014 05:45 AM
Hello Karthik,
thanks for your reply.
"If you use the per-user-override option, then you have to define everything in the auto/dynamic ACL attributes you set on the ACS/RADIUS server..."
Yes, but in case I have 500 ACEs on an interface already and need 5 additional per user authentication,
I have to hold 505 on the ACS system. This looks very inefficient and is obviously either an ASA
or RADIUS limitation.
"If you do not use the per-user-override option, then you need to have both the interface ACL and the downloadable ACL the same... that is, it has to have all 7 permit statements on the ACL & ACS."
This does not really make sense to me.
In case I have all 7 permits already on my interface, why should I bother with
User Authentication to download exactly the same 7 permits to this interface?
Best regards
Oliver
07-31-2014 06:14 AM
Hi,
Yes, I agree with you. For my second suggestion it was supposed to be "or", not "&"... having the same on both doesn't make sense... But I see those are the limited options... else you can have the access restriction on the auth server itself, restricted to the 5 hosts via NDG/user group... something like that.
Regards
Karthik
07-31-2014 05:47 AM
Hello jcarvaja,
Yes, but in case I have 500 ACEs on an ASA interface already and need 5 additional per user authentication,
I have to hold 505 on the ACS system. This looks very inefficient and is obviously either an ASA
or RADIUS limitation.
Best regards
Oliver