RE: downloadable ACLs

From: Luan Nguyen <luan_at_netcraftsmen.net>
Date: Tue, 7 Apr 2009 12:54:43 -0400

Without the per-user-override, you could look at it like the old IOS double
ACL check with crypto-map.

Usually, logging console debugging and logging on should be enough to see
what goes wrong.
Issue a show uauth. It is the most useful tool when troubleshooting
cut-through proxy. It shows the current authenticated users along with any
authorization completed for the users.

To do a capture:
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_/_ASA_packet_capture_feature
If in a lab, just do a capture lab int inside/outside, then send some
traffic and show capture lab.

Can you show your configuration?
Here's a sample configuration I have for dynamips using https authentication
and radius downloadable ACL authorization.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 192.168.137.8 255.255.255.0
!
interface Ethernet1
 no nameif
 no security-level
 no ip address
!
interface Ethernet1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 10.100.100.8 255.255.255.0
!
access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius-acct host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1812 host 192.168.137.8
access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1813 host 192.168.137.8
!
access-list AUTH extended permit tcp any any eq www
access-list AUTH extended permit tcp any any eq HTTPS
access-list AUTH extended permit tcp any any eq Telnet
!
static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
!
access-group OUTSIDE in interface outside per-user-override
!
aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host 192.168.137.10
 key cisco
aaa authentication match AUTH outside RADIUS
aaa accounting match AUTH outside RADIUS
aaa authentication listener HTTPS outside port HTTPS redirect
!
auth-prompt prompt Enter Lab Authentication
auth-prompt accept You're In
auth-prompt reject You're Out

-Luan
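
The two processing orders described in this thread, as an added Python model that is not part of any message here: without per-user-override the downloaded ACL and the interface ACL must both permit a flow (the IOS-style double check), with per-user-override the downloaded ACL alone decides for that user's traffic, which is what the access-group keyword is documented to do. The addresses come from the sample configuration above; the inside-interface ACL, the downloaded ACL contents and the packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    dport: Optional[int] = None  # None = any destination port

    def matches(self, pkt: dict) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

def acl_permits(acl: list, pkt: dict) -> bool:
    """First matching ACE wins; an ASA access-list ends with an implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False

def asa_forwards(pkt: dict, interface_acl: list, user_acl: Optional[list] = None,
                 per_user_override: bool = False) -> bool:
    """Inbound decision for a host. user_acl is the ACL downloaded from RADIUS into
    the host's uauth entry (None = the host has not authenticated yet)."""
    if user_acl is None:
        return acl_permits(interface_acl, pkt)
    if per_user_override:
        return acl_permits(user_acl, pkt)        # downloaded ACL replaces the interface ACL
    # Default: the "double check", downloaded ACL and interface ACL must both permit.
    return acl_permits(user_acl, pkt) and acl_permits(interface_acl, pkt)

# Constructed scenario: inside host 10.100.100.2 talks to outside host 192.168.137.10.
# The inside interface ACL permits everything; the downloaded ACL grants only HTTP.
INSIDE_ACL = [Ace("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")]
DACL = [Ace("permit", "tcp", "10.100.100.2/32", "192.168.137.10/32", 80)]
PING = {"proto": "icmp", "src": "10.100.100.2", "dst": "192.168.137.10"}
HTTP = {"proto": "tcp", "src": "10.100.100.2", "dst": "192.168.137.10", "dport": 80}

def jason_scenario() -> dict:
    """Before auth the ping passes; after auth only what the dACL also permits passes."""
    return {
        "ping_before_auth": asa_forwards(PING, INSIDE_ACL),
        "ping_after_auth": asa_forwards(PING, INSIDE_ACL, DACL),
        "http_after_auth": asa_forwards(HTTP, INSIDE_ACL, DACL),
    }
```

jason_scenario() reproduces the symptom reported below: the ping that the interface ACL permits is forwarded before authentication and dropped once the user's uauth entry carries a downloaded ACL that does not cover ICMP.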

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Jason Morris
Sent: Tuesday, April 07, 2009 12:10 PM
To: Luan Nguyen
Cc: ccielab_at_groupstudy.com
Subject: Re: downloadable ACLs

After looking a little closer at the ASA it appears that my pings, after
authentication, aren't making it to the outside interface. The interface
counters aren't incrementing. But it does match on the inside ACL on a
permit line. So it looks like there is another reason that it's stopping the
traffic after I authenticate.

Luan, that's my understanding as well, if I correctly understand what you're
saying.

Without the 'per-user-override' command I should be allowed to pass traffic
that is permitted in the interface ACL, right?

Like I said, I'm matching on a permit line on the inbound ACL, but the
traffic isn't leaving the ASA on the outside interface.

I've poked around and tried to run some debugs but I'm not familiar enough
with ASAs. I've run a debug icmp trace and I get no output. Am I missing
something on the whole debugging thing with the ASA, does it not work the
same way?

Thanks
Jason

On Tue, Apr 7, 2009 at 11:40 AM, Luan Nguyen <luan_at_netcraftsmen.net> wrote:

> The downloadable ACL defines what the user is authorized to access after
> successful authentication. There are 2 ways:
> First, requires that the same access provided through the downloadable ACL
> also exists in the interface ACL.
> 1) authentication and authorization ACLs are checked
> 2) Interface ACL is checked.
> After successful authorization, the traffic is then checked by the
> interface ACL.
> Second, is the "per-user-override"
>
> There's a really good document on troubleshooting ASA that we did for the
> Mid Atlantic Cisco User Group here:
>
> http://www.netcraftsmen.net/cmug/20090115-CMUG-Troubleshooting_Firewalls.pdf
>
> Regards,
>
>
> ------------------------------------------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> http://www.netcraftsmen.net
> ------------------------------------------------------------------------
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Jason Morris
> Sent: Tuesday, April 07, 2009 9:45 AM
> To: ccielab_at_groupstudy.com
> Subject: downloadable ACLs
>
> I'm having some issues with a downloadable ACL on an ASA and ACS4.2.
>
> I have the authentication on the ASA configured and the ACL gets pushed down
> just fine. I want the ASA to process the downloaded ACL for the user and
> then process the ACL on the incoming interface. Seems simple enough, as I
> understand it that's the default operation.
>
> This is what I'm currently seeing. I have a host on the inside of the ASA
> which, before authenticating, can ping a host on the outside of the ASA. I
> see counters on the interface ACL increment when he pings, I get a response,
> everything is peachy. Once that user authenticates I can pass all the
> traffic permitted in the downloadable ACL and I still see the counters in
> the interface ACL increment but I don't get a response from the traffic that
> passes on the interface ACL.
>
> Anyone familiar with this?
>
> Thanks
> Jason
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Tue Apr 07 2009 - 12:54:43 ART