Task 5.2 - authorization through tacacs of telnet traffic

Hello,

I am having trouble replicating this task. According to the answer book, you should create a command authorization permission in ACS to restrict the authentication to just the loopback of R4 and R5; however, this solution doesn't work. This is traffic authorization, not command usage authorization. Can anyone explain this to me? Is the answer incorrect?

Thanks

Comments

  • I don't have the security WB so I don't know the exact lab. However, if the task says to restrict what devices we can telnet to, then yes, we can do that via TACACS authorization. We can specify what parameters are allowed after the telnet command. So telnet 150.1.1.1 is allowed but not 150.1.3.3, etc.

    I'm not sure what would happen if we type 150.1.1.1 at the exec prompt; would this bypass TACACS authorization? :) I guess we would need transport preferred none under the VTY then.

  • I know the answer now. I wish there was an explanation in the book. For TACACS, the ASA device needs to authorize each traffic flow individually; the command authorization set is used for that authorization. For example, when the ASA wants to authorize a user Telnet session to destination 192.168.1.1, it sends the following request:

    service=shell
    cmd=telnet 192.168.1.1

    Here, telnet is the command and the destination IP address is the argument. The command authorization set applied to the user should permit the command and the argument.

    When the ASA needs to authorize well-known protocols such as Telnet, HTTP, and so on, it sends the name of the protocol. If it has to authorize any other protocol, the request is sent as cmd=protocol/port destination-address.

    If you want to restrict the match to only the given address, use the dollar sign ($) at the end. Otherwise, 192.168.1.1 could also allow 192.168.1.10.
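The matching behaviour described in the comment above, as an added illustration that is not part of the original thread and not Cisco ACS or ASA code: a small evaluator for a command authorization set that takes the `service=shell` / `cmd=telnet <address>` request and matches the argument as a regular expression anchored only at the start, which is the assumption under which a trailing `$` is what stops `192.168.1.1` from also permitting `192.168.1.10`. Rule names, rule ordering and the sample addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

PERMIT, DENY = "permit", "deny"


@dataclass(frozen=True)
class Rule:
    """One line of a constructed command authorization set.

    command:     the shell command the device sends, e.g. "telnet"
    arg_pattern: regular expression applied to the argument string;
                 matched from the start only, so "$" is needed to pin the end
    action:      "permit" or "deny"
    """
    command: str
    arg_pattern: str
    action: str


def parse_request(avpairs):
    """Split the TACACS-style attribute lines into (service, command, argument).

    Input is a list of 'name=value' strings as quoted in the comment, e.g.
    ['service=shell', 'cmd=telnet 192.168.1.1'].  The first word of 'cmd'
    is the command and the remainder is the argument string.
    """
    attrs = {}
    for pair in avpairs:
        name, _, value = pair.partition("=")
        attrs[name.strip()] = value.strip()
    parts = attrs.get("cmd", "").split(maxsplit=1)
    command = parts[0] if parts else ""
    argument = parts[1] if len(parts) > 1 else ""
    return attrs.get("service"), command, argument


def authorize(rules, avpairs, unmatched=DENY):
    """Return 'permit' or 'deny' for a request against an ordered rule list.

    Only service=shell requests are evaluated; the first rule whose command
    matches and whose argument pattern matches from the start wins, and a
    request that matches nothing gets the `unmatched` default (deny here).
    """
    service, command, argument = parse_request(avpairs)
    if service != "shell":
        return DENY
    for rule in rules:
        if rule.command != command:
            continue
        # re.match anchors at the start of the argument but not at the end,
        # which is exactly why the comment recommends a trailing "$".
        if re.match(rule.arg_pattern, argument):
            return rule.action
    return unmatched


# Constructed rule sets (dots escaped so "." cannot match any character).
# Both are meant to allow telnet only to 192.168.1.1.
UNANCHORED = [Rule("telnet", r"192\.168\.1\.1", PERMIT)]
ANCHORED = [Rule("telnet", r"192\.168\.1\.1$", PERMIT)]

TELNET_TO_TARGET = ["service=shell", "cmd=telnet 192.168.1.1"]
TELNET_TO_NEIGHBOUR = ["service=shell", "cmd=telnet 192.168.1.10"]
TELNET_TO_OTHER = ["service=shell", "cmd=telnet 150.1.3.3"]


if __name__ == "__main__":
    for label, rules in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        for req in (TELNET_TO_TARGET, TELNET_TO_NEIGHBOUR, TELNET_TO_OTHER):
            print(f"{label:10} {req[1]:30} -> {authorize(rules, req)}")
```

Running the block shows the unanchored set permitting the `192.168.1.10` request that the author of the comment warns about, while the `$`-terminated set permits only the intended address; the `150.1.3.3` request is denied by both because nothing in the set matches it and the default is deny.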
