ASA Cut-Through Proxy TACACS Authorization

Hi,
I’m trying to configure cut-through proxy with TACACS authorization and I can’t find a reason why I don’t receive a permit for ICMP traffic from ACS: “136.1.37.3/icmp/8”

-correct output from WB
ASA3# show uauth
                    Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'cut-through' at 136.1.17.9, authorized to
   port 136.1.37.3/telnet       136.1.37.3/icmp/8
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

-my output (missing 136.1.37.3/icmp/8)
ASA3(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          2
user 'user' at 136.1.17.9, authorized to:
   port 136.1.37.3/telnet 
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00


My config (taken from WB):

aaa-server TACACS protocol tacacs+
aaa-server TACACS (VLAN17) host 172.16.1.100
 key cisco

access-list AUTHENTICATION extended permit tcp any any eq telnet

access-list AUTHORIZATION extended permit tcp any host 136.1.37.3 eq telnet
access-list AUTHORIZATION extended permit icmp any host 136.1.37.3

aaa authentication match AUTHENTICATION VLAN17 TACACS

aaa authorization match AUTHORIZATION VLAN17 TACACS


On ACS I configured: user, command sets (permit: ping 136.1.37.3, telnet 136.1.37.3), authorization policy (device administration).

On ACS I see the error message:

“13025 Command failed to match a Permit rule”

Did I miss something?

Thanks
Hubert

Comments

  • How did you configure the command set?
    If you used the phrase ping with attribute 136.1.37.3, then that won't work.
    Check out the screenshot from the workbook:
    That 1/8 isn't a mistake, that's exactly what you need to put in there.

    1 stands for protocol ICMP
    and 8 stands for echo.
    So when you put 1/8 in the command and 136.1.37.3 into the attribute area, you are saying allow icmp echo to 136.1.37.3.
    -Dan


    On Sep 27, 2013, at 10:19 PM, HubertW <[email protected]> wrote:


    INE - The Industry Leader in CCIE Preparation
    http://www.INE.com

    Subscription information may be found at:
    http://www.ieoc.com/forums/ForumSubscriptions.aspx
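To make Dan's point concrete, the following is an added example written for this thread; it is not code from the original posts, the workbook, Cisco, or ACS. It models how the proxy's authorization request is matched against an ACS command set using only what the thread shows: telnet is requested as the command "telnet" with the destination host as the argument, and ICMP echo is requested as "1/8" (protocol 1, type 8) with the host as the argument, which is why a rule written as "ping 136.1.37.3" never matches and ACS logs "13025 Command failed to match a Permit rule". The numeric fallback for other TCP ports and the handling of non-TCP, non-ICMP protocols are my assumptions, not behaviour shown on the page; the flows and rule sets are constructed from the addresses in Hubert's post.

```python
"""Model of cut-through proxy authorization against an ACS command set.

Added example for this thread, not ASA or ACS code. It reproduces only what
the posts show: TCP telnet -> command "telnet", ICMP echo -> command "1/8",
destination host as the argument. Everything else is labelled as an assumption.
"""

from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers.
ICMP, TCP, UDP = 1, 6, 17

# Service names the ASA displays for TCP ports; only telnet appears in the thread.
TCP_SERVICE_NAMES = {23: "telnet"}

# Failure message Hubert saw on ACS.
ACS_NO_MATCH = "13025 Command failed to match a Permit rule"


@dataclass(frozen=True)
class Flow:
    proto: int
    dst_host: str
    dst_port: Optional[int] = None   # TCP/UDP destination port
    icmp_type: Optional[int] = None  # ICMP type (8 = echo request)


def authorization_command(flow: Flow) -> tuple[str, str]:
    """Return the (command, argument) pair the proxy asks TACACS+ to authorize."""
    if flow.proto == ICMP:
        # "1/8" = protocol ICMP, type echo, as Dan's reply explains.
        return f"{ICMP}/{flow.icmp_type}", flow.dst_host
    if flow.proto == TCP:
        # Named well-known port (telnet in the thread); numeric fallback is an assumption.
        return TCP_SERVICE_NAMES.get(flow.dst_port, str(flow.dst_port)), flow.dst_host
    # Other protocols as a bare protocol number: assumption, not shown in the thread.
    return str(flow.proto), flow.dst_host


def uauth_entry(flow: Flow) -> str:
    """Render the flow the way 'show uauth' lists an authorized port."""
    if flow.proto == ICMP:
        return f"{flow.dst_host}/icmp/{flow.icmp_type}"
    if flow.proto == TCP:
        return f"{flow.dst_host}/{TCP_SERVICE_NAMES.get(flow.dst_port, flow.dst_port)}"
    return f"{flow.dst_host}/{flow.proto}"


def authorize(flow: Flow, permit_rules: set[tuple[str, str]]) -> tuple[bool, str]:
    """Match the request against (command, argument) permit rules of a command set.

    Returns (permitted, detail): the uauth entry on a match, the ACS message otherwise.
    """
    cmd, arg = authorization_command(flow)
    if (cmd, arg) in permit_rules:
        return True, uauth_entry(flow)
    return False, ACS_NO_MATCH


# Constructed flows matching the thread: telnet and ping from 136.1.17.9 to 136.1.37.3.
TELNET_FLOW = Flow(proto=TCP, dst_host="136.1.37.3", dst_port=23)
PING_FLOW = Flow(proto=ICMP, dst_host="136.1.37.3", icmp_type=8)

# Hubert's command set: "ping" is a human word, not what the proxy sends.
HUBERT_RULES = {("ping", "136.1.37.3"), ("telnet", "136.1.37.3")}
# Workbook command set: protocol/type in the command field, host in the argument field.
WORKBOOK_RULES = {("1/8", "136.1.37.3"), ("telnet", "136.1.37.3")}


if __name__ == "__main__":
    for label, rules in (("Hubert", HUBERT_RULES), ("Workbook", WORKBOOK_RULES)):
        for flow in (TELNET_FLOW, PING_FLOW):
            ok, detail = authorize(flow, rules)
            verdict = "permit" if ok else "deny"
            print(f"{label:8} {authorization_command(flow)} -> {verdict}: {detail}")
```

Running it prints a permit for telnet under both rule sets, a deny with the 13025 message for ping under Hubert's rules, and a permit rendered as 136.1.37.3/icmp/8 under the workbook rules, which is exactly the entry missing from Hubert's `show uauth` output.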

  • By the way, sorry my replies aren't coming in faster, for some reason every time I reply I still have to get my post approved by a moderator.
    -Dan

  • Your command set on ACS is not correct from a syntax perspective; check the workbook solution.
    Regards,
    Cristian.

    Sent from my iPhone
  • Reply from email, not from web; there should be no authorization required.
    Regards,
    Cristian.

    Sent from my iPhone

    On Sep 27, 2013, at 17:28, artagel <[email protected]> wrote:

  • I always reply from email, and I always require moderator approval.


    On Sep 27, 2013, at 11:48 PM, cristian.matei <[email protected]> wrote:

  • My laptop screen is not too big and that section is totally illegible; I assumed there was 'ping' there. I wonder for what kinds of commands/protocols I have to know protocol numbers. Is there any list of these exceptions? I can't find any information in the User Guide for ACS.

    thanks

    Hubert

  • You can zoom in the browser.
    Cristian.

    Sent from my iPhone

    On Sep 27, 2013, at 18:12, HubertW <[email protected]> wrote:

  • I can't see the screenshots clearly either, but you can right-click on one, open it in a new tab, and then zoom in on the screenshot.
    They are actually large images scaled down, so you should be able to view them in full resolution.

    For protocol numbers, the best place to find them is in the doc-cd under the ASA references.
    I believe it's security->firewall->ASA 5500-x->Configuration Guides->ASA 5500 version 8.4 & 8.6.
    Go to References at the bottom, then click on Address, Protocols, and Ports. There's a bunch of good stuff in there, including protocol numbers and port numbers.
    -Dan

    On Sep 28, 2013, at 12:13 AM, HubertW <[email protected]> wrote:
