Hi Kings,
It is working here without any problems.
aaa authentication match aaa Inside tac
aaa authorization match aaa Inside tac
aaa accounting match aaa Inside tac
access-list aaa line 1 extended permit tcp any any (hitcnt=119) 0xfb2783bb
access-list aaa line 2 extended permit icmp any any (hitcnt=246) 0xe893359d
In the ACS server,
Unmatched Cisco IOS commands is "deny"
command "telnet" arguments "permit 150.1.4.4"
command "1/8" arguments "permit 150.1.5.5"
command "http" arguments "permit 150.1.2.2"
Unlisted arguments is "deny" for all commands
-----------------------
SW2#telnet 150.1.4.4
Trying 150.1.4.4 ... Open
Username: cisco
Password:
Error: Authorization Denied
[Connection to 150.1.4.4 closed by foreign host]
SW2#telnet 150.1.4.4
Trying 150.1.4.4 ...
% Connection timed out; remote host not responding
SW2#telnet 150.1.5.5
Trying 150.1.5.5 ... Open
User Access Verification
Password:
SW2#telnet 150.1.2.2 80
Trying 150.1.2.2, 80 ... Open
HTTP/1.1 400 Bad Request
Date: Thu, 08 Oct 2009 07:47:58 GMT
Server: cisco-IOS
Accept-Ranges: none
400 Bad Request
[Connection to 150.1.2.2 closed by foreign host]
SW2#telnet 150.1.5.5 80
Trying 150.1.5.5, 80 ...
% Connection timed out; remote host not responding
SW2#ping 150.1.4.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/59/64 ms
SW2#ping 150.1.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
ASA1(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'cisco' at 12.1.235.8, authorized to:
   port 150.1.5.5/telnet 150.1.2.2/http 150.1.4.4/icmp/8
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ASA1(config)#
Regards,
Mohammed Gazzaz
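[Editor's note: the following is an added, complete ASA-side example of the cut-through proxy setup the thread discusses; it is not configuration posted by either Mohammed or Kings. The TACACS+ server address, key, interface name, ACL name and virtual telnet address are assumptions. The ACS command/argument convention (telnet or http as the command, "1/8" for ICMP protocol 1 type 8, and "permit <destination>" as the argument) is taken from the working configuration above.]

```cisco
! --- Added example, not from the thread. Addresses, key and object names are assumed. ---

! TACACS+ server group that the "aaa ... match" statements hand authentication,
! authorization and accounting to (ACS in this thread).
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 10.1.1.100
 key S3cretKey

! Traffic that has to be authenticated and authorized before the ASA forwards it.
! ICMP must be matched here; if it is not in the ACL, ping is never sent to ACS
! for authorization at all.
access-list AAA extended permit tcp any any
access-list AAA extended permit icmp any any

aaa authentication match AAA inside TAC
aaa authorization  match AAA inside TAC
aaa accounting     match AAA inside TAC

! ICMP carries no credentials, so the source host first has to create a uauth
! entry with a telnet, ftp, http or https session (the thread uses a plain telnet
! to a router behind the ASA). A virtual telnet address gives users somewhere to
! authenticate without needing a real host; it must be routed through the ASA.
! (assumed address)
virtual telnet 10.1.1.250

! Lifetime of the uauth entry, and therefore of the ICMP authorization tied to it.
timeout uauth 0:05:00 absolute

! ACS side, per-user command authorization (User Setup > Shell Command Authorization):
!   Unmatched Cisco IOS commands : Deny
!   command "telnet"  arguments : permit 150.1.4.4
!   command "1/8"     arguments : permit 150.1.5.5   (IP protocol 1 = ICMP, type 8 = echo)
!   command "http"    arguments : permit 150.1.2.2
!   Unlisted arguments : Deny (for every command)
! The ASA presents the service name (telnet, http) or protocol/port as the command
! and the destination address as the argument, which is what "show uauth" then lists
! as e.g. 150.1.4.4/icmp/8.
```

To verify, authenticate once from the client (telnet to the virtual telnet address or to a permitted host), then check `show uauth` on the ASA: the user entry should list each destination/service pair that ACS returned, and pings to any destination not in that list should fail while the entry exists.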
Date: Thu, 8 Oct 2009 18:02:58 +0530
From: [email protected]
To: [email protected]
Subject: [OSL | CCIE_Security] ASA cut-through proxy authorization for icmp
Hi all
I am trying to configure cut-through proxy for any traffic (authentication and authorization).
access-list mine permit ip any any
aaa authentication match mine inside mine
aaa authorization match mine inside mine
Under "shell authorization > Per user command authorization" of User setup in ACS, I have permitted the command "1/8".
1 is the ICMP protocol number and 8 is the type.
Unmatched Cisco IOS commands is "deny"
Unlisted arguments is "permit"
This should allow ping from inside to outside.
The ping fails, and the reason in the reports and activities mentions that command "1/8" is denied.
First, I used a telnet session to ensure that there is "uauth" for the device from where I am going to ping, because ping can't be authenticated.
Has anyone tried this?
With regards
Kings
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com