Good call Luan, I didn't completely understand what you were saying before
about the 'double ACL check'...
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1043588
If you have used the access-group command to apply access lists to
interfaces, be aware of the following effects of the per-user-override
keyword on authorization by user-specific access lists:
Without the per-user-override keyword, traffic for a user session must be
permitted by both the interface access list and the user-specific access
list.
With the per-user-override keyword, the user-specific access list
determines what is permitted.
Please let me know if you have any queries.
On Tue, Apr 7, 2009 at 12:54 PM, Luan Nguyen <luan_at_netcraftsmen.net> wrote:
> Without the per-user-override, you could look at it like the old IOS double
> ACL check with crypto-map.
>
> Usually, logging console debugging and logging on should be enough to see
> what goes wrong.
> Issue a show uauth. It is the most useful tool when troubleshooting
> cut-through proxy. It shows the current authenticated users along with any
> authorization completed for the users.
>
> To do a capture:
>
>
> http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_/_ASA_packet_capture_feature
> If in a lab, just do a capture lab int inside/outside, then send some
> traffic and show capture lab.
>
> Can you show your configuration?
> Here's a sample configuration I have for dynamips using https authentication
> and radius downloadable ACL authorization.
> interface Ethernet0
> nameif outside
> security-level 0
> ip address 192.168.137.8 255.255.255.0
> !
> interface Ethernet1
> no nameif
> no security-level
> no ip address
> !
> interface Ethernet1.1
> vlan 1
> nameif inside
> security-level 100
> ip address 10.100.100.8 255.255.255.0
> !
> access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius host 192.168.137.8
> access-list OUTSIDE extended permit udp host 192.168.137.10 eq radius-acct host 192.168.137.8
> access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1812 host 192.168.137.8
> access-list OUTSIDE extended permit udp host 192.168.137.10 eq 1813 host 192.168.137.8
> !
> access-list AUTH extended permit tcp any any eq www
> access-list AUTH extended permit tcp any any eq HTTPS
> access-list AUTH extended permit tcp any any eq Telnet
> !
> static (inside,outside) 192.168.137.2 10.100.100.2 netmask 255.255.255.255
> !
> access-group OUTSIDE in interface outside per-user-override
> !
> aaa-server RADIUS protocol radius
> aaa-server RADIUS (outside) host 192.168.137.10
> key cisco
> aaa authentication match AUTH outside RADIUS
> aaa accounting match AUTH outside RADIUS
> aaa authentication listener HTTPS outside port HTTPS redirect
> !
> auth-prompt prompt Enter Lab Authentication
> auth-prompt accept You're In
> auth-prompt reject You're Out
>
>
> -Luan
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Jason Morris
> Sent: Tuesday, April 07, 2009 12:10 PM
> To: Luan Nguyen
> Cc: ccielab_at_groupstudy.com
> Subject: Re: downloadable ACLs
>
> After looking a little closer at the ASA it appears that my pings, after
> authentication, aren't making it to the outside interface. The interface
> counters aren't incrementing. But it does match on the inside ACL on a
> permit line. So it looks like there is another reason that it's stopping the
> traffic after I authenticate.
>
> Luan, that's my understanding as well, if I correctly understand what you're
> saying.
>
> Without the 'per-user-override' command I should be allowed to pass traffic
> that is permitted in the interface ACL, right?
>
> Like I said, I'm matching on a permit line on the inbound ACL, but the
> traffic isn't leaving the ASA on the outside interface.
>
> I've poked around and tried to run some debugs but I'm not familiar enough
> with ASAs. I've run a debug icmp trace and I get no output. Am I missing
> something on the whole debugging thing with the ASA, does it not work the
> same way?
>
> Thanks
> Jason
>
>
>
> On Tue, Apr 7, 2009 at 11:40 AM, Luan Nguyen <luan_at_netcraftsmen.net>
> wrote:
>
> > The downloadable ACL defines what the user is authorized to access after
> > successful authentication. There are 2 ways:
> > The first requires that the same access provided through the downloadable ACL
> > also exists in the interface ACL.
> > 1) authentication and authorization ACLs are checked
> > 2) Interface ACL is checked.
> > After successful authorization, the traffic is then checked by the
> > interface ACL.
> > The second is the "per-user-override"
> >
> > There's a really good document on troubleshooting ASA that we did for the
> > Mid Atlantic Cisco User Group here:
> > http://www.netcraftsmen.net/cmug/20090115-CMUG-Troubleshooting_Firewalls.pdf
> >
> > Regards,
> >
> >
> >
> > ------------------------------------------------------------------------
> > Luan Nguyen
> > Chesapeake NetCraftsmen, LLC.
> > http://www.netcraftsmen.net
> > ------------------------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Jason Morris
> > Sent: Tuesday, April 07, 2009 9:45 AM
> > To: ccielab_at_groupstudy.com
> > Subject: downloadable ACLs
> >
> > I'm having some issues with a downloadable ACL on an ASA and ACS 4.2.
> >
> > I have the authentication on the ASA configured and the ACL gets pushed down
> > just fine. I want the ASA to process the downloaded ACL for the user and
> > then process the ACL on the incoming interface. Seems simple enough, as I
> > understand it that's the default operation.
> >
> > This is what I'm currently seeing. I have a host on the inside of the ASA
> > which, before authenticating, can ping a host on the outside of the ASA. I
> > see counters on the interface ACL increment when he pings, I get a
> > response, everything is peachy. Once that user authenticates I can pass all
> > the traffic permitted in the downloadable ACL and I still see the counters
> > in the interface ACL increment but I don't get a response from the traffic
> > that passes on the interface ACL.
> >
> > Anyone familiar with this?
> >
> > Thanks
> > Jason
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
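The two ACL-combination modes described in the Cisco passage at the top of this message and in Luan's earlier explanation (interface ACL and downloadable ACL both checked, versus per-user-override letting the downloadable ACL alone decide), as an added Python model that is not part of the original thread and not Cisco code. The ACL parser handles a constructed subset of ASA syntax (any / host operands, optional eq port, a small port-name table) and the sample INSIDE and USER ACLs are constructed, not taken from the poster's config.

```python
import ipaddress
from collections import namedtuple
# Added example, not Cisco code or the poster's config. Constructed subset of ASA ACL syntax:
# 'access-list NAME extended permit|deny PROTO SRC [eq PORT] DST [eq PORT]', SRC/DST = any | host A.B.C.D
PORT_NAMES = {"www": 80, "https": 443, "telnet": 23, "radius": 1645, "radius-acct": 1646}
ANY = ipaddress.ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))  # ports 0 = n/a (icmp)
def _operand(t, i):
    """Consume 'any' or 'host A.B.C.D' plus an optional 'eq PORT'; return (net, port, next index)."""
    if t[i] == "any":
        net, i = ANY, i + 1
    else:
        net, i = ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    port = None
    if i < len(t) and t[i] == "eq":                      # port name or number
        port, i = PORT_NAMES.get(t[i + 1].lower()) or int(t[i + 1]), i + 2
    return net, port, i
def parse_acl(text):
    """Turn 'access-list ...' lines into ACEs: (permit, proto, src, sport, dst, dport)."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()                                  # t[1]=name, t[3]=action, t[4]=protocol
        src, sport, i = _operand(t, 5)
        dst, dport, _ = _operand(t, i)
        aces.append((t[3] == "permit", t[4], src, sport, dst, dport))
    return aces

def acl_permits(aces, pkt):
    """First matching ACE decides; every ACL ends in an implicit deny."""
    for permit, proto, src, sport, dst, dport in aces:
        if (proto in ("ip", pkt.proto) and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst
                and sport in (None, pkt.sport) and dport in (None, pkt.dport)):
            return permit
    return False

def session_allows(pkt, interface_acl, user_acl, per_user_override):
    """user_acl is None until the user authenticates; afterwards the keyword picks the rule."""
    if user_acl is None:
        return acl_permits(interface_acl, pkt)
    if per_user_override:
        return acl_permits(user_acl, pkt)                 # downloadable ACL alone decides
    return acl_permits(interface_acl, pkt) and acl_permits(user_acl, pkt)  # both must permit

# Constructed sample: the inside interface ACL and the ACL that ACS pushes down for the user.
INSIDE = parse_acl("access-list INSIDE extended permit icmp any any\naccess-list INSIDE extended permit tcp any any eq www")
USER = parse_acl("access-list USER extended permit tcp any host 192.168.137.10 eq www\naccess-list USER extended permit tcp any host 192.168.137.10 eq telnet")
PING = Packet("icmp", "10.100.100.2", "192.168.137.10")              # permitted by INSIDE only
TELNET = Packet("tcp", "10.100.100.2", "192.168.137.10", 40000, 23)  # permitted by USER only
```

Running PING through session_allows shows the symptom in the thread: it passes the interface ACL before authentication, but once a downloadable ACL without an icmp entry is attached it is dropped whether or not per-user-override is set.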
Received on Wed Apr 08 2009 - 11:38:55 ART