ASA - authentication proxy via TACACS

Dears,

I configured the ASA to authenticate any FTP, TFTP or Telnet traffic passing through to the outside server and router, but I want to authorize a specific user to access Telnet on the outside router and another to access the SMTP server. How can I do this via TACACS? I tried to configure the ACS users as below:

USER1
per-user command authorization: checked
Unmatched Cisco IOS commands: deny
command: checked
TCP/23
unlisted argument: permit

USER2
per-user command authorization: checked
Unmatched Cisco IOS commands: deny
command: checked
TCP/25
unlisted argument: permit

and the ASA as below:


access-list AP extended permit tcp any any eq smtp
access-list AP extended permit tcp any any eq telnet

access-list AUTH extended permit tcp any any eq telnet
access-list AUTH extended permit udp any any eq tftp
access-list AUTH extended permit tcp any any eq ftp

aaa authentication match AUTH inside TAC
aaa authorization match AP inside TAC

virtual http 10.22.22.5
virtual telnet 10.22.22.5

But since I use authorization with these ACS settings for USER1 and USER2, when I telnet to the virtual telnet to authenticate I get "AUTHORIZATION DENIED", but the ASA show uauth shows as below:


Rack1ASA1(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'user1' at 11.11.11.200, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

The overall result: TELNET and SMTP are not authorized.

When I set Unmatched Cisco IOS commands: permit, it authorizes everything, even if it is not permitted on the ACS, as below:


Rack1ASA1(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'user2' at 11.11.11.200, authorized to:
   port 10.22.22.5/telnet       10.0.0.100/tcp/25       10.0.0.100/http
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

Thank you for your cooperation.
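Added example (this is not code from the original post, from the commenters or from Cisco): a small Python script that parses the "show uauth" output quoted above and checks each user's authorized ports against the intended per-user policy, so that an "Unmatched Cisco IOS commands: permit" setting that silently authorizes everything shows up as excess entries instead of going unnoticed. The sample output below is constructed by stitching the two captures from the post together; the expected policy (user1 gets only TCP/23, user2 only TCP/25) and the exclusion of the virtual telnet/http address 10.22.22.5 are assumptions taken from the configuration in the post.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample (assumption): the two 'show uauth' captures from the post,
# pasted one after the other as an operator would collect them over time.
SAMPLE_UAUTH = """\
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'user1' at 11.11.11.200, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
user 'user2' at 11.11.11.200, authorized to:
   port 10.22.22.5/telnet       10.0.0.100/tcp/25       10.0.0.100/http
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
"""

# Service keywords the ASA prints instead of numeric ports (the ones relevant here).
SERVICE_PORTS = {
    "telnet": ("tcp", 23), "smtp": ("tcp", 25), "http": ("tcp", 80),
    "ftp": ("tcp", 21), "tftp": ("udp", 69),
}

USER_RE = re.compile(r"^user '(?P<user>[^']+)' at (?P<ip>\S+), (?P<state>authenticated|authorized to:)")
PORT_RE = re.compile(r"^\s*port\s+(?P<entries>.+)$")

Entry = Tuple[str, str, int]  # (host, protocol, port)


def _parse_entry(token: str) -> Entry:
    """Turn '10.0.0.100/tcp/25' or '10.0.0.100/http' into (host, proto, port)."""
    parts = token.split("/")
    if len(parts) == 3:                       # host/proto/port form
        return parts[0], parts[1].lower(), int(parts[2])
    if len(parts) == 2:                       # host/service-name form
        proto, port = SERVICE_PORTS[parts[1].lower()]
        return parts[0], proto, port
    raise ValueError(f"unrecognised uauth entry: {token!r}")


def parse_uauth(text: str) -> Dict[str, dict]:
    """Return {user: {'ip': str, 'authorized': bool, 'entries': [Entry, ...]}}."""
    users: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m:
            current = m.group("user")
            users[current] = {
                "ip": m.group("ip"),
                "authorized": m.group("state").startswith("authorized"),
                "entries": [],
            }
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            users[current]["entries"].extend(_parse_entry(t) for t in m.group("entries").split())
    return users


def audit(users: Dict[str, dict],
          policy: Dict[str, Set[Tuple[str, int]]],
          virtual_hosts: Set[str]) -> Dict[str, List[Entry]]:
    """Return {user: [entries the policy does not allow]}.

    Entries towards the ASA's own virtual telnet/http address are the
    authentication step itself and are ignored; a user missing from the
    policy has every other entry flagged (deny by default).
    """
    excess: Dict[str, List[Entry]] = {}
    for user, info in users.items():
        allowed = policy.get(user, set())
        bad = [e for e in info["entries"]
               if e[0] not in virtual_hosts and (e[1], e[2]) not in allowed]
        if bad:
            excess[user] = bad
    return excess


# Assumed intended policy, taken from the post: user1 -> Telnet only, user2 -> SMTP only.
POLICY = {"user1": {("tcp", 23)}, "user2": {("tcp", 25)}}
VIRTUAL_HOSTS = {"10.22.22.5"}   # 'virtual telnet' / 'virtual http' address from the post

if __name__ == "__main__":
    parsed = parse_uauth(SAMPLE_UAUTH)
    for user, extra in audit(parsed, POLICY, VIRTUAL_HOSTS).items():
        for host, proto, port in extra:
            print(f"{user}: authorized to {host} {proto}/{port} beyond policy")
```

Run against the sample, the script reports that user2 is authorized to 10.0.0.100 tcp/80 beyond policy, which is exactly the symptom the post describes after switching unmatched commands to permit; user1, who is authenticated but not authorized to anything, produces no finding. Feeding it periodic captures of "show uauth" from a real ASA gives a cheap least-privilege check that the ACS command sets actually constrain what the cut-through proxy opens.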
Comments

  • Instead of TCP/23, use telnet

    With regards
    Kings

  • You are right Kings, thank you.

    What about if I want to log in directly just once to the outside router with the same credentials? It worked for me when I removed the virtual http and tried to access an outside web site, but when I removed the virtual telnet it didn't work, as it asks me twice for the credentials: once for the ACS and another for the destination router. Any idea?
