Re: AAA .. Control Access To Devices



On Jul 26, 3:46 pm, GNY <geekfro...@xxxxxxxxx> wrote:
On Jul 26, 10:08 am, nakhman...@xxxxxxxxx wrote:





On Jul 25, 7:39 pm, GNY <geekfro...@xxxxxxxxx> wrote:

On Jul 25, 5:22 pm, nakhman...@xxxxxxxxx wrote:

On Jul 25, 4:56 pm, GNY <geekfro...@xxxxxxxxx> wrote:

On Jul 25, 4:27 pm, Al <ajsbu...@xxxxxxxxx> wrote:

On Jul 24, 4:08 pm, GNY <geekfro...@xxxxxxxxx> wrote:

On Jul 23, 12:08 pm, GNY <geekfro...@xxxxxxxxx> wrote:

On Jul 12, 4:40 am, "Gabriele Beltrame" <bel...@xxxxxxxxxxxxx> wrote:

"GNY" <geekfro...@xxxxxxxxx> wrote in message news:1184187414.346797.41010@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

On Jul 11, 11:11 am, GNY <geekfro...@xxxxxxxxx> wrote:
On Jul 11, 11:03 am, "Gabriele Beltrame" <bel...@xxxxxxxxxxxxx> wrote:

"GNY" <geekfro...@xxxxxxxxx> wrote in message
news:1184164831.680294.53100@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hello..

Our VPN users use VPN clients to connect to our network (ASA) and
Windows IAS to allow the user access beyond that point.

I have a question .. Is there a way to control what network addresses/
ranges can be accessed by the users by way of administration through
the ASA? Or is this something that can't be done?

The goal is to prevent users from trying to telnet, ssh, etc to other
routers/devices in the network once inside..

any recommendations are appreciated..

GNY

Hi,

Since you're using RADIUS you can also use the "radius downloaded ACL"
( at
least on cisco routers ).

Regards,
Gabriele

What's that about?

What exactly will this provide for me?

Thanks..

Hi,

Have a look at this for a brief explanation:http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guid...

Regards,
Gabriele

Gabriel,

Thanks again.

This isn't exactly what I would like to do. :-)

I would like to restrict, grant and control access to devices on the
network using Radius for remote VPN users when they connect.

Not using ACL or using groups on the router locally, but using IAS or
Active Directory.

Has anyone ever heard of such a scenario?

Thanks..

GNY

Basically this is what I'm trying to do.

http://www.tech-recipes.com/rx/1479/how_to_use_microsoft_ias_cisco_vp...

But is it possible to control network access via this AD group also ..
Might be an MS list question.

But before heading there. Has anyone done this?

GNY

This sounds more like the "Configuring Authentication for Network
Access" & "Configuring Authorization for Network Access" sections of
the page mentioned above:http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guid...

I haven't tried it myself, but it sounds like you should be able to
get your users to authenticate once, and then use the authorization
with ACLs against IAS RADIUS to define what network resources are
available to them....

Al thanks ..

But isn't it fair to say, regardless of any of these configurations, you
can determine what users have access to by ACL even without IAS?

So I'm trying to understand even how using IAS can prevent network
access. IAS/AD/Windows doesn't care about networks. It cares about
users/groups/domains/computers. Cisco devices aren't added to AD, so how
can one use AD permissions to prevent access to certain portions of
the router?

My belief is that regardless, you must use ACLs to control network
access, not IAS. IAS is used to handle user permissions within the
domain.

Please correct me if I'm wrong.

GNY

GNY

1. you have to configure IAS/radius to return "Filter-ID" attribute
with ACL restricting access for the regular user and diff. value of
the ACL for the network admin
2. you have to configure ACLs on the devices they (users) are coming
from

Roman Nakhmanson

@Roman ..

Now We're getting somewhere :)

1. So the Windows IAS needs to be configured to return the filter-id
to the Cisco device?

yes

2. This is so the ACL is downloaded by the IAS?

So in short the ACL has to be created for each access-level type. IAS/
radius will download this ACL and only allow network access based on
these ACL attributes?

you have two choices here:
1. ACL exists on radius only - and you push it to the cisco box during
the authentication (more complex and you need to rely on compatibility
between IAS and Cisco IOS)
2. ACL exists on EACH network access Cisco box - and you just
"tell" cisco which ACL to use by sending Filter-Id (more copy/paste,
but always works)

Roman Nakhmanson

Roman, Thank you very much for your help. Have any links for such a
setup? Examples?

GNY

check
http://www.cisco.com/en/US/docs/ios/12_0/security/configuration/guide/scrad.html
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hsec_c/part10/ch05/hacldir.htm#wp1015437

radius needs to return these attributes based on the user/group:
Service-Type = Framed,
Framed-Protocol = PPP,
Filter-Id = "myfilter"

where "myfilter" is the name of the ACL on the Cisco device

in case of VPN you need to configure radius to return
"OU=name_of_the_ipsec_group" as well


Roman Nakhmanson
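Added example (not code from the thread or from Cisco/Microsoft): a small Python model of the flow Roman describes in his last two posts, his "option 2" where the ACL lives on each Cisco box and IAS only names it through Filter-Id, and the reply attributes Service-Type = Framed, Framed-Protocol = PPP, Filter-Id = "myfilter". It contains a toy IAS policy table keyed on AD group, a parser for a subset of IOS extended ACL syntax, and a NAS-side decision function that resolves the returned Filter-Id against the ACLs it holds locally and filters a VPN user's packet. The group names, the "myfilter-admin" ACL name, the addresses and the ACL contents are all constructed; only "myfilter" and the three attributes come from the thread. The "OU=ipsec_group" attribute Roman mentions for VPN group lock is not modelled.

```python
"""Toy model of the RADIUS Filter-Id authorisation flow from the thread.

Two parts: an "IAS" that maps the user's AD groups to RADIUS reply
attributes, and a Cisco-style NAS that resolves the returned Filter-Id
to an ACL configured locally on that box and evaluates the VPN user's
traffic against it. Group names, addresses and ACL bodies are constructed;
"myfilter" is the ACL name used in the thread, "myfilter-admin" is made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# --- RADIUS server side (an IAS remote-access policy, constructed) -----------
# Policies are tried in order; the first whose group the user belongs to wins,
# so an admin who is also in VPN-Users gets the admin ACL name.
RADIUS_POLICIES = [
    ("Network-Admins", {"Service-Type": "Framed", "Framed-Protocol": "PPP",
                        "Filter-Id": "myfilter-admin"}),
    ("VPN-Users",      {"Service-Type": "Framed", "Framed-Protocol": "PPP",
                        "Filter-Id": "myfilter"}),
]


def radius_authorize(groups):
    """Reply attributes for the first matching policy, or None (Access-Reject)."""
    for group, attrs in RADIUS_POLICIES:
        if group in groups:
            return dict(attrs)
    return None


# --- NAS side: ACLs defined on each box, the thread's "option 2" -------------
PORT_NAMES = {"ssh": 22, "telnet": 23}


@dataclass
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None means any destination port


def _parse_addr(tok, i):
    """Parse IOS 'any' | 'host A' | 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a wildcard (host) mask in place of a prefix length
    return ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_acl(text):
    """Parse a subset of IOS extended ACL syntax into AclEntry objects."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        entries.append(AclEntry(action, proto, src, dst, dport))
    return entries


# Constructed ACL bodies as they would be configured on each VPN concentrator.
LOCAL_ACLS = {
    "myfilter": parse_acl("""
        remark block ssh/telnet to the constructed management subnet
        deny   tcp any 10.0.0.0 0.0.0.255 eq ssh
        deny   tcp any 10.0.0.0 0.0.0.255 eq telnet
        permit ip  any 10.10.0.0 0.0.255.255
    """),
    "myfilter-admin": parse_acl("permit ip any any"),
}


def acl_permits(entries, proto, src, dst, dport):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action == "permit"
    return False


def nas_decide(groups, proto, src, dst, dport, local_acls=LOCAL_ACLS):
    """Access-Request -> reply -> local ACL lookup -> packet filter.

    Returns 'reject' (no policy matched), 'no-acl' (Filter-Id names an ACL
    this box does not have, the copy/paste pitfall of option 2), 'permit'
    or 'deny'.
    """
    reply = radius_authorize(groups)
    if reply is None:
        return "reject"
    entries = local_acls.get(reply["Filter-Id"])
    if entries is None:
        return "no-acl"
    ok = acl_permits(entries, proto, ip_address(src), ip_address(dst), dport)
    return "permit" if ok else "deny"


if __name__ == "__main__":
    pool_host = "192.168.50.7"  # constructed VPN pool address
    print(nas_decide(["VPN-Users"], "tcp", pool_host, "10.0.0.1", 22))
    print(nas_decide(["VPN-Users"], "tcp", pool_host, "10.10.3.4", 443))
    print(nas_decide(["Network-Admins", "VPN-Users"], "tcp", pool_host, "10.0.0.1", 22))
    print(nas_decide(["Guests"], "tcp", pool_host, "10.10.3.4", 443))
```

The "no-acl" branch is the point of Roman's caveat about option 2: because the ACL body is not carried in the RADIUS reply, every VPN-terminating device must have an ACL with exactly the name IAS returns, and a box that lacks it ends up either failing the session or, depending on platform behaviour, applying no filter at all. Checking that each concentrator's named ACLs match the Filter-Id values in the IAS policies is the audit step that keeps the design honest.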



