AAA .. Control Access To Devices

Hello..

Our VPN users use VPN clients to connect to our network (ASA) and Windows IAS to allow the user access beyond that point.

I have a question .. Is there a way to control what network addresses/ranges can be accessed by the users by way of administration through the ASA? Or is this something that can't be done?

The goal is to prevent users from trying to telnet, ssh, etc to other routers/devices in the network once inside..

any recommendations are appreciated..

GNY


"GNY" wrote in message news: snipped-for-privacy@57g2000hsv.googlegroups.com...

Hi,

Since you're using RADIUS you can also use the "radius downloaded ACL" ( at least on cisco routers ).

Regards, Gabriele


What's that about?

GNY


What exactly will this provide for me?

Thanks..

GNY

Hi,

Have a look at this for a brief explanation:

formatting link
Regards, Gabriele


Gabriele,

Thanks again.

This isn't exactly what I would like to do. :-)

I would like to restrict, grant and control access to devices on the network using Radius for remote VPN users when they connect.

Not using ACL or using groups on the router locally, but using IAS or Active Directory.

Has anyone ever heard of such a scenario?

Thanks..

GNY


Basically this is what I'm trying to do.

formatting link
But is it possible to control network access via this AD group also .. Might be an MS list question.

But before heading there. Has anyone done this?

GNY


This sounds more like the "Configuring Authentication for Network Access" & "Configuring Authorization for Network Access" sections of the page mentioned above:

formatting link
I haven't tried it myself, but it sounds like you should be able to get your users to authenticate once, and then use the authorization with ACLs against IAS RADIUS to define what network resources are available to them....

Al


Al thanks ..

But isn't it fair to say that regardless of any of these configurations you can determine what users have access to by ACL even without IAS?

So I'm trying to understand even how using IAS can prevent network access. IAS/AD/Windows doesn't care about networks. It cares about users/groups/domains/computers. Cisco devices aren't added to AD, so how can one use AD permissions to prevent access to certain portions of the router?

My belief is that regardless, you must use ACLs to control network access, not IAS. IAS is used to handle user permissions within the domain.

Please correct me if I'm wrong.

GNY


GNY

  1. you have to configure IAS/radius to return "Filter-ID" attribute with ACL restricting access for the regular user and diff. value of the ACL for the network admin
  2. you have to configure ACLs on the devices they (users) are coming from

Roman Nakhmanson


@Roman ..

Now We're getting somewhere :)

  1. So the Windows IAS needs to be configured to return the filter-id to the Cisco device?
  2. This is so the ACL is downloaded by the IAS?

So in short the ACL has to be created for each access-level type. IAS/ radius will download this ACL and only allow network access based on these ACL attributes?

Thanks..

GNY


yes

you have two choices here:

  1. ACL exists on RADIUS only - and you push it to the Cisco box during the authentication (more complex, and you need to rely on compatibility between IAS and Cisco IOS)
  2. ACL exists on EACH network access Cisco box - and you just "tell" Cisco which ACL to use by sending Filter-Id (more copy/paste, but always works)

Roman Nakhmanson


Roman, thank you very much for your help. Have any links for such a setup? Examples?

GNY


GNY

check

formatting link

radius needs to return these attributes based on the user/group: Service-Type = Framed, Framed-Protocol = PPP, Filter-Id = "myfilter"

where "myfilter" is the name of ACL in cisco device

in case of VPN you need to configure radius to return "OU=name_of_the_ipsec_group" as well

Roman Nakhmanson

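A small Python model of Roman's second method (the ACL is defined on each Cisco box and IAS only selects it by returning Service-Type, Framed-Protocol and Filter-Id), added here as an example and not code from the thread or from any vendor: the group names, ACL names and addresses are constructed, and the rule evaluator is a simplification of how the device matches an ACL. It also shows the failure mode of that method: a Filter-Id naming an ACL that is missing on a box falls through to the implicit deny.

```python
import ipaddress

# Constructed mapping: Windows IAS group -> RADIUS reply attributes (attribute names as
# quoted in the thread). The ACL itself lives on the Cisco box; RADIUS only names it
# through Filter-Id. The admin group is checked first so a user in both gets admin access.
GROUP_PRIORITY = ["Net-Admins", "VPN-Users"]
GROUP_ATTRIBUTES = {
    "Net-Admins": {"Service-Type": "Framed", "Framed-Protocol": "PPP", "Filter-Id": "vpn-admin-acl"},
    "VPN-Users": {"Service-Type": "Framed", "Framed-Protocol": "PPP", "Filter-Id": "vpn-user-acl"},
}

# Constructed named ACLs as they would be defined on the device: first match wins and an
# implicit deny sits at the end. Tuple: (action, protocol, destination network, destination port)
ACLS = {
    "vpn-user-acl": [
        ("deny", "tcp", "10.0.0.0/24", 22),    # no SSH to the device management range
        ("deny", "tcp", "10.0.0.0/24", 23),    # no telnet to the device management range
        ("permit", "ip", "10.0.0.0/8", None),  # the rest of the internal network is allowed
    ],
    "vpn-admin-acl": [
        ("permit", "ip", "10.0.0.0/8", None),
    ],
}


def radius_reply(user_groups):
    """Attributes IAS returns for a user's group membership; None models an Access-Reject."""
    for group in GROUP_PRIORITY:
        if group in user_groups:
            return dict(GROUP_ATTRIBUTES[group])
    return None


def acl_permits(acl_name, proto, dst_ip, dst_port):
    """Evaluate one flow against the named ACL the way the device would (implicit deny)."""
    ip = ipaddress.ip_address(dst_ip)
    for action, acl_proto, net, port in ACLS.get(acl_name, []):
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if ip not in ipaddress.ip_network(net):
            continue
        if port is not None and port != dst_port:
            continue
        return action == "permit"
    return False  # no rule matched, or the ACL is not defined on this box


def vpn_flow_allowed(user_groups, proto, dst_ip, dst_port):
    """RADIUS picks the Filter-Id for the user; the device then applies that local ACL."""
    reply = radius_reply(user_groups)
    if reply is None:
        return False
    return acl_permits(reply["Filter-Id"], proto, dst_ip, dst_port)
```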

Roman,

Thanks for the help

GNY


Here goes some support which helped me along the way .. The latter of the 2 methods is what worked for me.

What I am having problems with is access based per group/user. I can't seem to set any configurations to actually deny a user/group from accessing via VPN without disabling their remote dial-in access in AD. I also cannot separate which user/group is connecting.

Other issues, but ultimately the original idea can be done if you have just 1 group and want to manage their network access via MS RADIUS..

GNY
