I don't think so. I reckon for ASA auth-proxy and TACACS+ it is
recommended to use command authorization sets; say, for Telnet it would
be: command telnet, arg permit 1.1.1.1
For ASA and RADIUS it is recommended to use downloadable ACLs in ASA format.
Cheers,
A.
On 7/23/2012 3:29 AM, Eugene Pefti wrote:
Auth-proxy examples:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_auth/configuration/12-4/sec-cfg-authen-prxy.html#GUID-06899095-B258-4A9C-85F1-5832D29E754C
A question/comment on ASA EZVPN and SSL VPN related guide. There's
table D4 in the guide "Table D-4 Examples of Cisco AV Pairs and their
Permitting or Denying Action"
And it shows the ACL like this:
ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log
Will ASA understand the wildcard notation?
Eugene
From: Alexei Monastyrnyi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Sunday, July 22, 2012 4:24 AM
To: Eugene Pefti <[email protected]>
Cc: Marta Sokolowska <[email protected]>, GuardGrid <[email protected]>, ccie_security <[email protected]>
Subject: Re: [OSL | CCIE_Security] Radius VSA
Hi guys,
here are some links covering RADIUS attributes.
For the purpose of quick navigation during the lab, I reckon it is
better to refer to some documents where those attributes are within a
context, not just a bare list.
IOS EZ VPN related
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-4t/sec-easy-vpn-srvr.html#GUID-D0BC5B4D-7BDB-44B6-B49F-EBBD79F1D185
IOS SSL VPN related
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/12-4t/sec-conn-sslvpn-ssl-vpn.html#GUID-F005501D-8992-48A9-8D4A-7650D7554A3F
ASA EZ VPN and SSL VPN related
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1661512
ACS RADIUS attributes reference list
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html
ACS TACACS attributes list
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/A_TACAtr.html
CAR RADIUS attributes list
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/5.1/user/guide/a_attrib.html
HTH
A.
On 7/22/2012 12:10 PM, Eugene Pefti wrote:
Good point, Marta,
I wish there were consolidated documentation showing how to properly
form those attributes with the required service for different
scenarios: auth-proxy, shell access, VPN and so on.
E.g., we do auth-proxy via RADIUS and it's not enough to know the
attribute name (Name=proxyacl).
The syntax is auth-proxy:proxyacl#1=permit ip any any
And so on for other situations and scenarios.
Eugene
From: [email protected] [mailto:[email protected]] On Behalf Of Marta Sokolowska
Sent: Saturday, July 21, 2012 4:35 PM
To: GuardGrid
Cc: ccie_security
Subject: Re: [OSL | CCIE_Security] Radius VSA
Type the following command on the router's CLI:
show aaa attributes
--
Marta Sokolowska.
2012/7/22 GuardGrid <[email protected]>
Guys,
Where in the documentation do we get the complete listing of all
attributes like below for RADIUS and TACACS for that matter,
ipsec:tunnel-type=ESP
ipsec:key-exchange=IKE
ipsec:tunnel-password=ipexpert
ipsec:inacl=SPLIT
ipsec:save-password=1
I found some in examples for configuring EZVPN but not a separate
section of just these VSAs, not the IETF ones.
Let me know.
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
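The thread asks where the attribute syntax is shown in context rather than as a bare list. Below is an added worked configuration (not taken from any of the posts or from Cisco's documentation) that puts the two cases discussed together: IOS auth-proxy authorized over RADIUS with the auth-proxy:proxyacl VSA, and an ASA receiving a downloadable ACL through ip:inacl. Addresses, names and the RADIUS key are constructed for illustration; the ACS lines are the cisco-av-pair values (Vendor-Specific attribute 26, vendor ID 9, sub-attribute 1) that would be entered on the user or group profile. The point of the ASA part is the mask format: the ASA side is written with a subnet mask, the IOS side with a wildcard, matching what each box parses in its own ACL syntax.

```cisco
! ===== IOS router: auth-proxy authorized via RADIUS =====
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 10.0.0.10 key cisco123      ! constructed server/key
!
! auth-proxy intercepts HTTP, so the router's HTTP server must authenticate via AAA
ip http server
ip http authentication aaa
ip auth-proxy name WEBAUTH http inactivity-time 60
!
! Interface ACL blocks everything except reaching the proxy itself;
! the proxyacl entries downloaded from RADIUS are inserted dynamically
! in front of this ACL once the user authenticates.
access-list 101 permit tcp any host 10.1.1.1 eq www
access-list 101 deny ip any any log
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip auth-proxy WEBAUTH
!
! --- ACS user profile (cisco-av-pair) for the IOS auth-proxy case ---
! Source is always "any": IOS replaces it with the authenticated host's IP.
! cisco-av-pair = "auth-proxy:priv-lvl=15"
! cisco-av-pair = "auth-proxy:proxyacl#1=permit tcp any host 10.159.2.25 eq 443"
! cisco-av-pair = "auth-proxy:proxyacl#2=permit ip any 10.159.2.0 0.0.0.255"
!
! Check on the router after a user logs in:
! show ip auth-proxy cache
! show ip access-lists 101      (dynamic entries appear above the static ones)
!
! ===== ASA: downloadable ACL via ip:inacl in ASA syntax =====
aaa-server RAD protocol radius
aaa-server RAD (inside) host 10.0.0.10
 key cisco123                                  ! constructed key
!
! --- ACS user profile (cisco-av-pair) for the ASA case ---
! Same attribute, but the ACE is written the way the ASA CLI expects it:
! subnet mask, not wildcard mask.
! cisco-av-pair = "ip:inacl#1=deny ip 10.155.10.0 255.255.255.0 10.159.2.0 255.255.255.0 log"
! cisco-av-pair = "ip:inacl#2=permit ip 10.155.10.0 255.255.255.0 any"
!
! Check on the ASA after the session comes up:
! show access-list                (downloaded ACL shows up as a per-user ACL)
! show vpn-sessiondb detail       (lists the ACL name applied to the session)
! debug radius                    (shows the raw attribute as received from ACS)
```

The interface ACL on the IOS side is what makes auth-proxy meaningful: without the deny at the end, unauthenticated hosts are never forced through the proxy. On the ASA side, verify with debug radius before assuming a downloaded ACL was silently ignored; a malformed ACE in the attribute shows up in the debug as the ASA rejects it, and the user then gets whatever the group-policy or interface ACL allows rather than the intended per-user restriction.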