Ho un pix 515E in 6.3(4).
Ho configurato un acceso remoto tramite certificati digitali con in più l'autenticazione radius fatta tramite Microsoft IAS. Mi interessava infatti poter stabilire regole d'accesso diverse a seconda dell'utente che effettuta il collegamento. Dalla documentazione del pix sembra che sia possibile configurare i server radius affinchè rispondano riportando, per ogni utente diverso autenticato, una stringa del tipo acl=acl_ID.
In questo modo vengono applicate, per quella connessione, le acl identificate da acl_ID presenti nella configurazione del Pix.
Le informazioni su come effettuare la configurazione del server radius sono riferite a prodotti diversi da IAS e forse a causa di ciò non sono riuscito a far funzionare la cosa. L'autenticazione riesce, ma le acl addizionali che vorrei non vengono applicate. Qualcuno ha risolto problemi simili con Pix e IAS ?
Grazie
Filippo
Radius server per stabilire le acl
Moderatore: Federico.Lagni
-
setecastronomy
- n00b
- Messaggi: 7
- Iscritto il: gio 20 mar , 2008 12:13 pm
Endless internet searches gave no result.
Then I noticed that the user was authenticated by a default Remote Access Policy and not the one I created which had a modified profile to include the acl. So I removed all the Remote Access Policies from IAS except the one I needed and changed what was wrong with it.
My Pix already had some acl named '100' which were not associated to an access-group and were there to be applied only to vpn users.
I tried again writing the acl ID as stated in the PIX documentation, 'acl=100' but I got no results. Fortunately from the syslog I learnt that the PIX coud not find acl 'acl=100', so I changed the attribute filter-id from 'acl=100' to '100'. The error from syslog disappeared but still no result. Finally, reading again the pix documentation I found 'per-user-override' magic word to add to the access-group and finally it worked fine.
So, here are my advices:
-remove every Remote Access Policy which is not needed by IAS
-in the Remote Access Policy you configure on IAS write the acl ID directly in the filter-id attribute and forget what the Pix documentation says
- don't forget to add the 'per-user-override' magic word if you use access-group.
Enjoy !
Bye
Filippo
Then I noticed that the user was authenticated by a default Remote Access Policy and not the one I created which had a modified profile to include the acl. So I removed all the Remote Access Policies from IAS except the one I needed and changed what was wrong with it.
My Pix already had some acl named '100' which were not associated to an access-group and were there to be applied only to vpn users.
I tried again writing the acl ID as stated in the PIX documentation, 'acl=100' but I got no results. Fortunately from the syslog I learnt that the PIX coud not find acl 'acl=100', so I changed the attribute filter-id from 'acl=100' to '100'. The error from syslog disappeared but still no result. Finally, reading again the pix documentation I found 'per-user-override' magic word to add to the access-group and finally it worked fine.
So, here are my advices:
-remove every Remote Access Policy which is not needed by IAS
-in the Remote Access Policy you configure on IAS write the acl ID directly in the filter-id attribute and forget what the Pix documentation says
- don't forget to add the 'per-user-override' magic word if you use access-group.
Enjoy !
Bye
Filippo
