ACS 5.0版本以上进行ACL下发的配置.pdf-资料库

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第1页.png

第1页 / 共52页

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第2页.png

第2页 / 共52页

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第3页.png

第3页 / 共52页

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第4页.png

第4页 / 共52页

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第5页.png

第5页 / 共52页

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第6页.png

第6页 / 共52页

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第7页.png

第7页 / 共52页

6e9293a7-fe46-4c5b-8b4d-67f38adb845f.pdf-第8页.png

第8页 / 共52页

ASA 8.3 and Later: Radius Authorization (ACS 5.x) for VPN Access Using Downloadable ACL with CLI and ASDM Configuration Example Document ID: 113449 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information Configure Network Diagram Configure Remote Access VPN (IPsec) Configure the ASA with CLI Configure ACS for Downloadable ACL for Individual User Configure ACS for Downloadable ACL for Group Configure ACS for Downloadable ACL for a Network Device Group Configure IETF RADIUS Settings for a User Group Cisco VPN Client Configuration Verify Show Crypto Commands Downloadable ACL for User/Group Filter−Id ACL Troubleshoot Clear Security Associations Troubleshooting Commands Related Information Introduction This document describes how to configure the security appliance to authenticate users for network access. Since you can implicitly enable RADIUS authorizations, this document contains no information about the configuration of RADIUS authorization on the security appliance. It does provide information about how the security appliance handles access list information received from RADIUS servers. You can configure a RADIUS server to download an access list to the security appliance or an access list name at the time of authentication. The user is authorized to do only what is permitted in the user−specific access list. Downloadable access lists are the most scalable means when you use Cisco Secure Access Control Server (ACS) to provide the appropriate access lists for each user. For more information on Downloadable Access List Features and the Cisco Secure ACS, refer to Configuring a RADIUS Server to Send Downloadable Access Control Lists and Downloadable IP ACLs.

Refer to ASA/PIX 8.x: Radius Authorization (ACS) for Network Access using Downloadable ACL with CLI and ASDM Configuration Example for the identical configuration on Cisco ASA with versions 8.2 and earlier. Prerequisites Requirements This document assumes that the Adaptive Security Appliance (ASA) is fully operational and configured to allow the Cisco Adaptive Security Device Manager (ASDM) or CLI to make configuration changes. Note: Refer to Allowing HTTPS Access for ASDM in order to allow the device to be remotely configured by the ASDM or Secure Shell (SSH). Components Used The information in this document is based on these software and hardware versions: • • • • Cisco ASA Software version 8.3 and later Cisco ASDM version 6.3 and later Cisco VPN Client version 5.x and later Cisco Secure ACS 5.x The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Conventions Refer to Cisco Technical Tips Conventions for more information on document conventions. Background Information You can use downloadable IP ACLs in order to create sets of ACL definitions that you can apply to many users or user groups. These sets of ACL definitions are called ACL contents. Downloadable IP ACLs operate this way: 1. 2. 3. When ACS grants a user access to the network, ACS determines whether a downloadable IP ACL is assigned to the Authorization Profile in the result section. If ACS locates a downloadable IP ACL that is assigned to the Authorization Profile, ACS sends an attribute (as part of the user session, in the RADIUS access−accept packet) that specifies the named ACL, and the version of the named ACL. If the AAA client responds that it does not have the current version of the ACL in its cache (that is, the ACL is new or has changed), ACS sends the ACL (new or updated) to the device. Downloadable IP ACLs are an alternative to the configuration of ACLs in the RADIUS Cisco cisco−av−pair attribute [26/9/1] of each user or user group. You can create a downloadable IP ACL once, give it a name, and then assign the downloadable IP ACL to any Authorization Profile if you reference its name. This method is more efficient than if you configure the RADIUS Cisco cisco−av−pair attribute for Authorization Profile.

When you enter the ACL definitions in the ACS web interface, do not use keyword or name entries; in all other respects, use standard ACL command syntax and semantics for the AAA client on which you intend to apply the downloadable IP ACL. The ACL definitions that you enter into ACS comprise one or more ACL commands. Each ACL command must be on a separate line. In ACS, you can define multiple Downloadable IP ACLs and use them in different Authorization Profiles. Based on the conditions in the Access Service Authorization rules, you can send different Authorization Profiles containing downloadable IP ACLs to different AAA clients. Further, you can change the order of the ACL contents in a downloadable IP ACL. ACS examines ACL contents, starting from the top of the table, and downloads the first ACL content that it finds. When you set the order, you can ensure system efficiency if you position the most widely applicable ACL contents higher on the list. In order to use a downloadable IP ACL on a particular AAA client, the AAA client must adhere to these rules: • • Use RADIUS for authentication Support downloadable IP ACLs These are examples of Cisco devices that support downloadable IP ACLs: • • ASA Cisco devices that run IOS version 12.3(8)T and later This is an example of the format that you must use in order to enter ASA ACLs in the ACL Definitions box: permit ip 10.153.0.0 0.0.255.255 host 10.158.9.1 permit ip 10.154.0.0 0.0.255.255 10.158.10.0 0.0.0.255 permit 0 any host 10.159.1.22 deny ip 10.155.10.0 0.0.0.255 10.159.2.0 0.0.0.255 log permit TCP any host 10.160.0.1 eq 80 log permit TCP any host 10.160.0.2 eq 23 log permit TCP any host 10.160.0.3 range 20 30 permit 6 any host HOSTNAME1 permit UDP any host HOSTNAME2 neq 53 deny 17 any host HOSTNAME3 lt 137 log deny 17 any host HOSTNAME4 gt 138 deny ICMP any 10.161.0.0 0.0.255.255 log permit TCP any host HOSTNAME5 neq 80 Configure In this section, you are presented with the information to configure the features described in this document. Network Diagram This document uses this network setup:

Note: The IP addressing schemes used in this configuration are not legally routable on the Internet. They are RFC 1918 addresses which were used in a lab environment. Configure Remote Access VPN (IPsec) ASDM Procedure Complete these steps in order to configure the remote access VPN: 1. Select Wizards > VPN Wizards > IPsec(IKEv1) Remote Access VPN Wizard from the Home window. 2. Select the VPN Tunnel Interface as required (Outside, in this example), and also make sure that the checkbox next to Enable inbound IPsec sessions to bypass interface access lists is checked.

3. Choose the VPN Client Type as Cisco VPN Client, Release 3.x or higher. Click Next. 4. Choose the Authentication Method and provide the Authentication information. The Authentication method used here is Pre−Shared Key. Also, provide a Tunnel Group name in the space provided. The Pre−shared Key used here is cisco123 and the Tunnel Group Name used here is Cisco−Tunnel. Click Next.

5. Choose whether you want remote users to be authenticated to the local user database or to an external AAA server group. Here, we choose Authenticate using an AAA server group. Click New next to the AAA Server Group Name field in order to create a new AAA Server Group Name. 6. Provide the Server Group Name, Authentication Protocol, Server IP Address, Interface name, and the Server Secret Key in the respective spaces provided, and click OK.

7. Click Next. 8. Define a pool of local addresses to be dynamically assigned to remote VPN Clients when they connect. Click New in order to create a new Pool of local address.

9. In the Add IP Pool window, provide the pool Name, Starting IP Address, Ending IP Address, and the Subnet Mask. Click OK. 10. Select the Pool Name from the drop−down list, and click Next. The Pool Name for this example is Sample−Pool which was created in Step 9.

资料库

ACS 5.0版本以上进行ACL下发的配置.pdf

相关推荐

安全技术

热门标签

最新资料