Got it, I didn't realize at first sight that you use RADIUS indeed.
I remember doing a similar task and it worked for me.
Will try to lab it again later today. That's very strange that you don't have 
the interface ACL counter incrementing for HTTPS traffic.

Eugene

From: Karthik sagar [mailto:[email protected]]
Sent: Monday, August 13, 2012 12:30 PM
To: Mike Rojas; Eugene Pefti
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Issue with ASA - CTP with downloadable ACLs

Eugene,

No, the interface ACLoutside counter did not increase. I did not have aaa 
authorization as I was using RADIUS. RADIUS authorization is not supported as 
RADIUS combines authentication and authorization.

ASA(config)# aaa authorization match ACLctp outside RADIUS
Authorization is not supported in RADIUS
Usage: [no] aaa mac-exempt match <mac-list-id>
        [no] aaa authentication secure-http-client
        [no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
        [no] aaa authentication|authorization|accounting include|exclude <svc>
                <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>

Mike,

Yes, I had the per-user-override keyword.


My earlier suspicion was true. With "per-user-override", the interface ACL is 
ignored. Without the keyword, traffic should be allowed by both ACLs, not just 
the user-specific one.

Here is a note from the Cisco doc:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_fwaaa.html#wp1043588

Note    If you have used the access-group command to apply access lists to 
interfaces, be aware of the following effects of the per-user-override keyword 
on authorization by user-specific access lists:
* Without the per-user-override keyword, traffic for a user session must be 
permitted by both the interface access list and the user-specific access list.
* With the per-user-override keyword, the user-specific access list determines 
what is permitted.


Thank you all :-)
Karthik
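The two evaluation rules in the Cisco note above, modelled as an added example (this is not code from the thread or from Cisco). It uses a simplified ACL syntax standing in for ASA extended ACLs, hypothetical ACL names (outside_in, user_dacl), constructed flows, and assumes that without per-user-override the interface ACL is checked first and a deny there stops processing before the user ACL is consulted. Per-ACE hit counters are tracked so the interface ACL counter behaviour discussed in the thread can be observed: with per-user-override the interface ACL is never evaluated, so its counters stay at zero.

```python
"""Model of ASA interface ACL + downloadable per-user ACL evaluation,
with and without the per-user-override keyword. Added example, not from
the mailing-list thread or from Cisco; ACL syntax is simplified."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" / "udp"
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches any protocol
    src: str                   # CIDR; "0.0.0.0/0" stands for "any"
    dst: str                   # CIDR; "/32" stands for "host"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if ip_address(flow.src) not in ip_network(self.src):
            return False
        if ip_address(flow.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == flow.dport


@dataclass
class Acl:
    name: str
    aces: List[Ace]
    hits: Dict[int, int] = field(default_factory=dict)  # ACE index -> hit count

    def evaluate(self, flow: Flow) -> bool:
        """First matching ACE decides; no match is an implicit deny.
        The matching ACE's hit counter is incremented, like the counters
        shown by 'show access-list'."""
        for i, ace in enumerate(self.aces):
            if ace.matches(flow):
                self.hits[i] = self.hits.get(i, 0) + 1
                return ace.action == "permit"
        return False


def session_permitted(interface_acl: Acl, user_acl: Acl,
                      flow: Flow, per_user_override: bool) -> bool:
    """Cisco note: without per-user-override both ACLs must permit;
    with it, only the user-specific ACL decides."""
    if per_user_override:
        return user_acl.evaluate(flow)
    # Assumption: interface ACL is checked first and a deny short-circuits,
    # so the user ACL is only consulted for traffic the interface ACL permits.
    return interface_acl.evaluate(flow) and user_acl.evaluate(flow)


def run_scenario(per_user_override: bool, dport: int) -> Tuple[bool, int, int]:
    """Returns (permitted, interface ACL total hits, user ACL total hits)
    for one constructed inbound TCP flow to 10.1.1.10 on the given port."""
    outside = Acl("outside_in", [          # hypothetical interface ACL: only HTTP in
        Ace("permit", "tcp", "0.0.0.0/0", "10.1.1.0/24", 80),
    ])
    user = Acl("user_dacl", [              # hypothetical downloadable per-user ACL
        Ace("permit", "tcp", "0.0.0.0/0", "10.1.1.10/32", 443),
        Ace("permit", "tcp", "0.0.0.0/0", "10.1.1.0/24", 80),
    ])
    flow = Flow("tcp", "198.51.100.7", "10.1.1.10", dport)  # constructed sample flow
    ok = session_permitted(outside, user, flow, per_user_override)
    return ok, sum(outside.hits.values()), sum(user.hits.values())


if __name__ == "__main__":
    for override in (False, True):
        for port in (443, 80):
            ok, if_hits, user_hits = run_scenario(override, port)
            print(f"per-user-override={override!s:5} dport={port:3} "
                  f"permitted={ok!s:5} interface_hits={if_hits} user_hits={user_hits}")
```

Running it reproduces the thread's observation: HTTPS is dropped by the interface ACL alone unless per-user-override is set, and when it is set the interface ACL never registers a hit, which is why its counter would not increment for the HTTPS session.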