AAA .. Control Access To Devices


Hello..

Our VPN users use VPN clients to connect to our network (ASA) and
Windows IAS to allow the user access beyond that point.

I have a question .. Is there a way to control what network addresses/
ranges can be accessed by the users by way of administration through
the ASA? Or is this something that can't be done?

The goal is to prevent users from trying to telnet, ssh, etc to other
routers/devices in the network once inside..

Any recommendations are appreciated..

GNY


Re: AAA .. Control Access To Devices

Hi,

Since you're using RADIUS you can also use the "radius downloaded ACL" ( at
least on cisco routers ).

Regards,
Gabriele



Re: AAA .. Control Access To Devices


What's that about?


Re: AAA .. Control Access To Devices

What exactly will this provide for me?

Thanks..


Re: AAA .. Control Access To Devices


Hi,

Have a look at this for a brief explanation:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043620

Regards,
Gabriele




Re: AAA .. Control Access To Devices

Gabriel,

Thanks again.

This isn't exactly what I would like to do. :-)

I would like to restrict, grant and control access to devices on the
network using Radius for remote VPN users when they connect.

Not using ACL or using groups on the router locally, but using IAS or
Active Directory.

Has anyone ever heard of such a scenario?

Thanks..

GNY


Re: AAA .. Control Access To Devices

Basically this is what I'm trying to do.

http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vpn_concentrator_asa_pix

But is it possible to control network access via this AD group also ..
Might be an MS list question.

But before heading there. Has anyone done this?

GNY


Re: AAA .. Control Access To Devices

This sounds more like the "Configuring Authentication for Network
Access" & "Configuring Authorization for Network Access" sections of
the page mentioned above:
http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1046750

I haven't tried it myself, but it sounds like you should be able to
get your users to authenticate once, and then use the authorization
with ACLs against IAS RADIUS to define what network resources are
available to them....


Re: AAA .. Control Access To Devices

Al thanks ..

But isn't it fair to say that, regardless of any of these configurations, you
can determine what users have access to by ACL even without IAS?

So I'm trying to understand even how using IAS can prevent network
access. IAS/AD/Windows doesn't care about networks. It cares about
users/groups/domains/computers. Cisco devices aren't added to AD, so how
can one use AD permissions to prevent access to certain portions of
the router?

My belief is that, regardless, you must use ACLs to control network
access, not IAS. IAS is used to handle user permissions within the
domain.

Please correct me if I'm wrong.

GNY


Re: AAA .. Control Access To Devices

GNY

1. you have to configure IAS/radius to return "Filter-ID" attribute
with ACL restricting access for the regular user and diff. value of
the ACL for the network admin
2. you have to configure ACLs on the devices they (users) are coming
from

Roman Nakhmanson


Re: AAA .. Control Access To Devices
On Jul 25, 5:22 pm, nakhman...@gmail.com wrote:

@Roman ..

Now we're getting somewhere :)

1. So the Windows IAS needs to be configured to return the filter-id
to the Cisco device?

2. This is so the ACL is downloaded by the IAS?

So in short the ACL has to be created for each access-level type. IAS/
radius will download this ACL and only allow network access based on
these ACL attributes?

Thanks..

GNY


Re: AAA .. Control Access To Devices

yes


you have two choices here:
1. ACL exists on radius only - and you push it to the cisco box during
the authentication (more complex and you need to rely on compatibility
between IAS and Cisco IOS)
2. ACL exists on EACH network access Cisco box - and you just
"tell" Cisco which ACL to use by sending Filter-Id (more copy/paste,
but always works)

Roman Nakhmanson


Re: AAA .. Control Access To Devices
On Jul 26, 10:08 am, nakhman...@gmail.com wrote:

Roman, thank you very much for your help. Have any links for such a
setup? Examples?


Re: AAA .. Control Access To Devices

GNY

check
http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/scrad.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part10/ch05/hacldir.htm#wp1015437

radius needs to return these attributes based on the user/group:
Service-Type = Framed,
Framed-Protocol = PPP,
Filter-Id = "myfilter"

where "myfilter" is the name of ACL in cisco device

in case of VPN you need to configure radius to return
"OU=name_of_the_ipsec_group" as well


Roman Nakhmanson
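Roman's second method (the ACL lives on each Cisco box and RADIUS only names it via Filter-Id) together with the attribute list above, as an added example that is not from the thread: a Python sketch of the RADIUS server building the Access-Accept with Service-Type=Framed, Framed-Protocol=PPP, Filter-Id and Class="OU=...", and the device-side check that verifies the reply against the shared secret before mapping Filter-Id to a locally configured ACL. Packet code and attribute numbers are from RFC 2865; the ACL names, group name, shared secret and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                       # RFC 2865 packet code; attribute numbers below are RFC 2865 too
SERVICE_TYPE, FRAMED_PROTOCOL, FILTER_ID, CLASS = 6, 7, 11, 25
SERVICE_FRAMED, PROTO_PPP = 2, 1        # Service-Type = Framed, Framed-Protocol = PPP

def encode_attrs(attrs):
    out = b""
    for typ, value in attrs:            # each attribute is Type(1) Length(1) Value
        if len(value) > 253:
            raise ValueError("RADIUS attribute value too long")
        out += struct.pack("!BB", typ, len(value) + 2) + value
    return out

def build_access_accept(ident, request_auth, secret, acl_name, vpn_group):
    """Server side: the Access-Accept returned for a user whose AD group maps to acl_name."""
    attrs = encode_attrs([
        (SERVICE_TYPE, struct.pack("!I", SERVICE_FRAMED)),
        (FRAMED_PROTOCOL, struct.pack("!I", PROTO_PPP)),
        (FILTER_ID, acl_name.encode()),              # name of the ACL already on the Cisco box
        (CLASS, ("OU=" + vpn_group).encode()),       # IPsec group for the VPN case
    ])
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs

def parse_attrs(blob):
    attrs, pos = {}, 0
    while pos < len(blob):
        typ, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[typ] = blob[pos + 2:pos + length]
        pos += length
    return attrs

def select_acl(packet, request_auth, secret, local_acls):
    """NAS side: verify the authenticator, then map Filter-Id to an ACL configured locally."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                     # wrong secret or altered reply: apply no filter, fail closed
    name = parse_attrs(packet[20:]).get(FILTER_ID, b"").decode()
    return name if name in local_acls else None   # the ACL must be pre-configured on every box
```

A Filter-Id that names an ACL the box does not have yields None, which is the copy/paste cost Roman mentions: every access device must carry the same ACL definitions.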


Re: AAA .. Control Access To Devices

Here goes some support which helped me along the way .. The latter of
the 2 methods is what worked for me.

What I am having problems with is access based per group/user. I can't
seem to set any configurations to actually deny a user/group from
accessing via VPN without disabling their remote dial-in access in AD.
I also cannot separate which user/group is connecting.

Other issues, but ultimately the original idea can be done if you have
just 1 group and want to manage their network access VIA MS Radius..

GNY

