I agree with the latter, but what about the former, i.e. ASA CTP with TACACS? Why would you need to authorize telnet to 1.1.1.1 with a command set if you don't run this command on the ASA? Here is my reasoning. You enable CTP on the ASA with a CTP ACL that has to contain at least one of the protocols that would trigger CTP.

E.g. (I want to authenticate the user with HTTP and then allow access to the host behind the ASA via SSH):

access-list CTP-ACL extended permit tcp any host 136.1.125.5 eq www
access-list CTP-ACL extended permit tcp any host 136.1.125.5 eq ssh

What's the use of the command authorization set? E.g. if I want to allow telnet traffic to my host behind the ASA via "telnet permit 136.1.125.5", then it will never be useful, because telnet is not on CTP-ACL and it will always work provided it is allowed by the interface ACL. Simply speaking, telnet traffic will always bypass CTP.

Eugene

From: Alexei Monastyrnyi [mailto:[email protected]]
Sent: Sunday, July 22, 2012 3:52 PM
To: Eugene Pefti
Cc: Marta Sokolowska; GuardGrid; ccie_security
Subject: Re: [OSL | CCIE_Security] Radius VSA

I don't think so. I reckon for ASA auth-proxy and TACACS it is recommended to use command authorization sets; say, for Telnet it would be

command telnet
arg permit 1.1.1.1

For ASA and RADIUS it is recommended to use downloadable ACLs in ASA format.

Cheers,
A.

On 7/23/2012 3:29 AM, Eugene Pefti wrote:

Auth-proxy examples:
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_auth/configuration/12-4/sec-cfg-authen-prxy.html#GUID-06899095-B258-4A9C-85F1-5832D29E754C

A question/comment on the ASA EZVPN and SSL VPN related guide. There's table D-4 in the guide, "Table D-4 Examples of Cisco AV Pairs and their Permitting or Denying Action", and it shows the ACL like this:

ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log

Will ASA understand the wildcard notation?

Eugene

From: Alexei Monastyrnyi <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Sunday, July 22, 2012 4:24 AM
To: Eugene Pefti <[email protected]>
Cc: Marta Sokolowska <[email protected]>, GuardGrid <[email protected]>, ccie_security <[email protected]>
Subject: Re: [OSL | CCIE_Security] Radius VSA

Hi guys,

here are some links covering RADIUS attributes. For the purpose of quick navigation during the lab, I reckon it is better to refer to some documents where those attributes are within a context, not just a bare list.

IOS EZ VPN related
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-4t/sec-easy-vpn-srvr.html#GUID-D0BC5B4D-7BDB-44B6-B49F-EBBD79F1D185

IOS SSL VPN related
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_sslvpn/configuration/12-4t/sec-conn-sslvpn-ssl-vpn.html#GUID-F005501D-8992-48A9-8D4A-7650D7554A3F

ASA EZ VPN and SSL VPN related
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1661512

ACS RADIUS attributes reference list
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RADAtr.html

ACS TACACS attributes list
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/User_Guide/A_TACAtr.html

CAR RADIUS attributes list
http://www.cisco.com/en/US/docs/net_mgmt/access_registrar/5.1/user/guide/a_attrib.html

HTH
A.

On 7/22/2012 12:10 PM, Eugene Pefti wrote:

Good point, Marta,

I wish there were consolidated documentation showing how to properly form those attributes with the required service for different scenarios: auth-proxy, shell access, VPN and so on. I.e. we do auth-proxy via RADIUS and it's not enough to know the attribute name, Name=proxyacl. The syntax is

auth-proxy:proxyacl#1=permit ip any any

And so on for other situations and scenarios.

Eugene

From: [email protected] [mailto:[email protected]] On Behalf Of Marta Sokolowska
Sent: Saturday, July 21, 2012 4:35 PM
To: GuardGrid
Cc: ccie_security
Subject: Re: [OSL | CCIE_Security] Radius VSA

Type the following command on the router's CLI:

show aaa attributes

--
Marta Sokolowska.

2012/7/22 GuardGrid <[email protected]>

Guys,

Where in the documentation do we get the complete listing of all attributes like below, for RADIUS and TACACS for that matter?

ipsec:tunnel-type=ESP
ipsec:key-exchange=IKE
ipsec:tunnel-password=ipexpert
ipsec:inacl=SPLIT
ipsec:save-password=1

I found some in examples for configuring EZVPN but not a separate section of just these VSAs, not IETF's. Let me know.

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
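An added Python helper, not part of the thread, prompted by the Table D-4 question raised above: it tells IOS wildcard masks from ASA netmasks inside `ip:inacl#N=` AV pairs and rewrites wildcard entries into netmask form, refusing masks such as 0.0.0.0 that are valid in both notations with opposite meanings. The sample AV pairs are constructed, and the premise that ASA-format ACLs take netmasks is the editor's assumption, not something the thread establishes.

```python
"""Normalise Cisco AV-pair ACL entries (ip:inacl#N=...) to ASA netmask form.
Editor's assumption: ASA-format ACLs take netmasks (255.255.255.0), not IOS wildcards."""
import ipaddress
import re

QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
ALL_ONES = 0xFFFFFFFF

# Constructed sample AV pairs; #1 mirrors the Table D-4 style entry quoted in the thread.
SAMPLE_AVPAIRS = [
    "ip:inacl#1=deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log",
    "ip:inacl#2=permit tcp any host 136.1.125.5 eq 22",
    "ip:inacl#3=permit ip 10.0.0.0 255.0.0.0 any",
]

def mask_kind(mask: str) -> str:
    """'netmask' (ones from the left), 'wildcard' (ones from the right), 'ambiguous'
    for 0.0.0.0 / 255.255.255.255 (valid in both notations, opposite meanings), else 'invalid'."""
    m = int(ipaddress.IPv4Address(mask))
    if m in (0, ALL_ONES):
        return "ambiguous"
    inv = m ^ ALL_ONES
    if (inv + 1) & inv == 0:   # ~m is a power of two -> m looks like 1..10..0
        return "netmask"
    if (m + 1) & m == 0:       # m+1 is a power of two -> m looks like 0..01..1
        return "wildcard"
    return "invalid"

def to_netmask(mask: str) -> str:
    """Return the mask in netmask form; raise so a human reviews undecidable entries."""
    kind = mask_kind(mask)
    if kind == "netmask":
        return mask
    if kind == "wildcard":
        return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ ALL_ONES))
    raise ValueError(f"{kind} mask {mask}: cannot decide netmask vs wildcard")

def to_asa_avpair(avpair: str) -> str:
    """Rewrite 'ip:inacl#N=<ace>' so each address/mask pair uses a netmask.
    'host A.B.C.D' and 'any' carry no mask and pass through unchanged."""
    prefix, ace = avpair.split("=", 1)
    toks, out, i = ace.split(), [], 0
    while i < len(toks):
        if toks[i] == "host":
            out.extend(toks[i:i + 2]); i += 2
        elif QUAD.match(toks[i]) and i + 1 < len(toks) and QUAD.match(toks[i + 1]):
            out.extend([toks[i], to_netmask(toks[i + 1])]); i += 2
        else:
            out.append(toks[i]); i += 1
    return f"{prefix}={' '.join(out)}"
```

Run `to_asa_avpair` over each entry of `SAMPLE_AVPAIRS`: the wildcard entry comes back with 255.255.255.0 masks, the `host`/`any` and netmask entries come back unchanged.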
