Re: OT:ASA Cut-Through Proxy

From: karim jamali <karim.jamali_at_gmail.com>
Date: Mon, 10 May 2010 00:55:55 +0300

Thank You:)

On Mon, May 10, 2010 at 12:19 AM, Tolulope Ogunsina <togunsina_at_gmail.com> wrote:

> Hi,
>
> Answers Inline
>
> On 5/9/10, karim jamali <karim.jamali_at_gmail.com> wrote:
> Dear Experts,
>
> If you don't feel like reading the whole thing these are my questions:
>
> 1)What is the radius-common-pw command doing?
> From the command reference:
> To specify a common password to be used for all users who are
> accessing this RADIUS authorization server through this security
> appliance, use the radius-common-pw command in AAA-server host mode.
>
> > The configuration I have looks like:
> > aaa-server XYZ protocol radius
> > aaa-server XYZ (management) host 1.1.1.1
> > key 1234
> > radius-common-pw <>
> > max-failed-attempts and the 2 modes for re-activation (timed/depletion
> > mode). I am not getting this. Suppose that one user tries to authenticate
> > and exceed the number of failed attempts/
> > does this mean that the server will be deactivated??
>
> No, The user would be locked out
>
> > 2)Is Cut-through Proxy Authorization only possible by Downloadable ACL?
>
> Cut-Through Proxy Authorization can be implemented using Radius(using
> downloadable access-lists) or Tacacs+ (using command Authorization
> sets). Details below
>
> With Radius, Downloadable access-lists are used, you can either;
> 1. Define a downloadable ACL on the ACS (under shared profile
> components or on the cisco-av-pair) or
> 2. Reference an access-list on the ASA by placing the name on either
> the cisco-av-pair attribute or the filter-id attribute.
>
> I posted some information about this on my blog sometime ago:
>
>
> http://amplebrain.blogspot.com/2009/12/asa-cut-through-proxy-part-2-radius.html
>
> With Tacacs+, you perform cut-through authorizations using the command
> authorization set. Its just like performing command authorization on
> the IOS. The command authorization set is configured under shared
> profile components.
>
>
> > I am going through AAA and its various uses on an ASA. Let me summarize
> my
> > findings as it will help me re-cap and will help you answer my questions.
> >
> > Authentication is used to check who is allowed to Access
> > (Administration/Management of the ASA).
> > Authorization: has to do with the privileges
> > Accounting: Reporting
> >
> > The different "consoles" to access the ASA are:
> > 1)Serial
> > 2)Telnet/SSH (Note that Telnet is not allowed from the outside unless it
> > comes through IPSec Tunnel)
> > 3)ASDM/HTTP
> >
> > Authentication can be made either using the local database or an external
> > one. For an external one,
> > 1) We have to define the AAA Server Group and associate servers with it.
> In
> > this configuration, what is the radius-common-pw command doing?
> > The configuration I have looks like:
> > aaa-server XYZ protocol radius
> > aaa-server XYZ (management) host 1.1.1.1
> > key 1234
> > radius-common-pw <>
> > max-failed-attempts and the 2 modes for re-activation (timed/depletion
> > mode). I am not getting this. Suppose that one user tries to authenticate
> > and exceed the number of failed attempts/
> > does this mean that the server will be de-activated??
> >
> > Cut-Through Proxy:is just a means by which the ASA authenticates your
> > session before allowing it through (It just reminds me of Dynamic ACLs
> > (Lock/Key)Principle
>
> Cut-through proxy is a step ahead of Lock and key, more like
> Auth-proxy on the IOS
>
> > So I have a user and he tries to access a web server for instance through
> > the ASA, which in turn intercepts the communication and asks the user for
> > authentication. If he has got the right credentials then he is allowed to
> go
> > through/if not sorry you just have to stay there and you are grounded!
> > But can someone explain to me what does Cut-through Proxy Authorization
> > mean? How will a user be authorized?Is it based on the Downloadable ACLs
> you
> > get from the RADIUS server?
> > .
>
> Yes, the user is authorized using downloadable access-lists on the
> radius server.
>
> This link might be of help
>
>
> http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1056570
>
> > Thank You for Sharing Your Knowledge!
> >
> > --
> > KJ
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
> --
> Best Regards,
>
> Tolulope.
>

-- 
KJ
Blogs and organic groups at http://www.ccie.net
Received on Mon May 10 2010 - 00:55:55 ART
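As an added example that is not part of the thread or either poster's configuration, the ASA 8.x fragment below ties together the pieces discussed above: a RADIUS server group with max-failed-attempts and a reactivation mode, the radius-common-pw setting, a cut-through proxy authentication rule, the two ways the RADIUS server can hand the ASA a per-user ACL (a downloadable ACL in cisco-av-pair, or Filter-Id naming an ACL that already exists on the ASA), and the TACACS+ variant that needs an explicit authorization rule. Interface names, addresses, ACL names, shared secrets and the common password are placeholders chosen for this illustration. Per the ASA command reference, max-failed-attempts counts failed connection attempts from the ASA to a server (no RADIUS reply at all) before that server is marked inactive; an Access-Reject for a bad password is a successful connection and is not counted by it.

```cisco
! Added example: ASA cut-through proxy with RADIUS downloadable ACLs.
! Every name, address and secret below is a placeholder for this illustration.

! --- AAA server group -------------------------------------------------------
aaa-server RADIUS-CTP protocol radius
 ! Failed connections to a server (no reply) before the ASA marks that host
 ! inactive and moves to the next one in the group (range 1-5, default 3).
 max-failed-attempts 3
 ! depletion: an inactive server stays inactive until every server in the
 ! group is inactive; then all are reactivated after the deadtime (minutes).
 ! The alternative, "reactivation-mode timed", brings a failed server back
 ! after 30 seconds regardless of the other servers.
 reactivation-mode depletion deadtime 10
aaa-server RADIUS-CTP (inside) host 192.0.2.10
 key RadiusSharedSecret123
 authentication-port 1812
 accounting-port 1813
 ! Password the ASA sends as User-Password for every user when it issues
 ! authorization-only requests to this server (the user never typed one,
 ! e.g. certificate-authenticated VPN sessions). Not used for the
 ! username/password prompt of the cut-through proxy below.
 radius-common-pw CommonPw123
aaa-server RADIUS-CTP (inside) host 192.0.2.11
 key RadiusSharedSecret123

! --- Which connections get intercepted --------------------------------------
! Only HTTP from the user LAN to the protected web server triggers a login
! prompt; everything else passes without authentication.
access-list CTP-AUTH extended permit tcp 10.1.1.0 255.255.255.0 host 198.51.100.20 eq www
aaa authentication match CTP-AUTH inside RADIUS-CTP
! With RADIUS no "aaa authorization match" line is needed: the per-user ACL
! arrives in the Access-Accept and is bound to that user's uauth entry.

! Let the per-user ACL returned by RADIUS override the interface ACL instead
! of being evaluated in addition to it.
access-list INSIDE-IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE-IN in interface inside per-user-override

! --- Option A: ACL lives on the ASA, RADIUS only names it -------------------
! The server returns Filter-Id (attribute 11) = "CTP-WEB-ONLY".
access-list CTP-WEB-ONLY extended permit tcp any host 198.51.100.20 eq www
access-list CTP-WEB-ONLY extended deny ip any any

! --- Option B: ACL defined on the RADIUS server (downloadable ACL) ----------
! Nothing to configure on the ASA. The Access-Accept carries vendor-specific
! attribute 26/9/1 (cisco-av-pair), one entry per line, for example:
!   cisco-av-pair = "ip:inacl#1=permit tcp any host 198.51.100.20 eq 80"
!   cisco-av-pair = "ip:inacl#2=deny ip any any"
! On ACS the same ACL is built under Shared Profile Components >
! Downloadable IP ACLs and attached to the user or group.

! --- TACACS+ variant --------------------------------------------------------
! TACACS+ separates authentication from authorization, so the ASA sends an
! authorization request per connection and needs an explicit rule; the
! server answers from the user's command authorization set.
aaa-server TACACS-CTP protocol tacacs+
aaa-server TACACS-CTP (inside) host 192.0.2.20
 key TacacsSharedSecret123
! aaa authentication match CTP-AUTH inside TACACS-CTP
! aaa authorization match CTP-AUTH inside TACACS-CTP
```

To check the result, authenticate a session from 10.1.1.0/24 to the web server and run `show uauth`: the entry for that user should list the ACL that came back from RADIUS (the Filter-Id name for Option A, or a dynamically named downloaded ACL for Option B). `show aaa-server RADIUS-CTP` shows each host's ACTIVE/FAILED state, which is what max-failed-attempts and reactivation-mode act on.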

This archive was generated by hypermail 2.2.0 : Tue Jun 01 2010 - 07:09:52 ART