ASA5505 - Identity Firewall, Problem z User Identity w ACL

Security problems (VPN, firewall, IDS/IPS etc.)

dawid.mitura
wannabe
Posts: 266
Joined: 03 Mar 2008, 12:10

ASA5505 - Identity Firewall, Problem z User Identity w ACL


#1 Post by dawid.mitura »

If this has come up before, please merge the thread.

I got a new task. I have an ASA (I don't know the model yet, I get access this afternoon) + AD (I don't know which domain or which Windows, I also get access this afternoon). They are asking me whether the ASA can be integrated with AD so that, depending on the AD group, a user gets access in the interface ACL to certain network resources (another network, the internet, etc.). Can this be done? If so, which topic exactly should I look into?

Thanks for the reply!

UPDATE:
I changed the subject, since I now have a concrete configuration and errors in the logs.
Last edited by dawid.mitura on 24 Sep 2015, 15:34, edited 1 time in total.

doxer
member
Posts: 31
Joined: 25 Feb 2009, 07:09


#2 Post by doxer »

I think what you're after is ASA IDFW (Identity Firewall).

mihu
wannabe
Posts: 762
Joined: 10 Apr 2006, 10:37
Location: Kraina Deszczowcow


#3 Post by mihu »

doxer wrote: I think what you're after is ASA IDFW (Identity Firewall).
Correct, here is a good step-by-step. You will have to install an agent on the Windows side; just check the limitations of what the ASA can do and what the requirements are for Windows.
ML
-------------------------------------------------------------------------------------
"Minds are like parachutes, they work best when they are open"

borostfor
wannabe
Posts: 99
Joined: 01 Aug 2009, 23:20
Location: Festung Breslau


#4 Post by borostfor »

Or DAP in the case of VPN.

/b

eljot
wannabe
Posts: 67
Joined: 27 Jan 2012, 12:37


#5 Post by eljot »

The agent is passé. You have to install CDA.

dorvin
CCIE
Posts: 1688
Joined: 21 Jan 2008, 13:21
Location: Wrocław


#6 Post by dorvin »

Wouldn't it be better to suggest 802.1X to them? That is exactly what it was invented for. You can do it on the firewall, but filtering is limited to traffic passing through the firewall, so it is somewhat less flexible.

dawid.mitura
wannabe
Posts: 266
Joined: 03 Mar 2008, 12:10


#7 Post by dawid.mitura »

Great, thanks for the info, I'll look into both topics.

dawid.mitura
wannabe
Posts: 266
Joined: 03 Mar 2008, 12:10


#8 Post by dawid.mitura »

I configured it according to the instructions from https://supportforums.cisco.com/documen ... figuration
I got stuck at step 5: https://supportforums.cisco.com/documen ... on_the_ASA._
------
------
My ASA config:

Code:

ASA5505(config)# sh run aaa-server 
aaa-server MIX-VSRV-001 protocol ldap
aaa-server MIX-VSRV-001 (INTERNAL) host 10.1.169.1
 server-port 389
 ldap-base-dn DC=dm,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn CN=Service LDAP,CN=Users,DC=dm,DC=local
 server-type microsoft
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (INTERNAL) host 10.1.169.1
 key *****

Code:

ASA5505(config)# test aaa-server ad-agent AD-AGENT
Server IP Address or name: 10.1.169.1
INFO: Attempting Ad-agent test to IP address <10.1.169.1> (timeout: 12 seconds)
INFO: Ad-agent Successful

Code:

ASA5505(config)# test aaa-server authentication MIX-VSRV-001 ho
ASA5505(config)# test aaa-server authentication MIX-VSRV-001 host 10.1.169.1
Username: user1
Password: ********
INFO: Attempting Authentication test to IP address <10.1.169.1> (timeout: 12 seconds)
INFO: Authentication Successful
and further:

Code:

user-identity domain DM aaa-server MIX-VSRV-001
user-identity default-domain DM
user-identity ad-agent aaa-server AD-AGENT

Code:

ASA5505(config)# sh running-config access-group 
access-group IACL-INTERNAL-IN in interface INTERNAL
access-group IACL-EXTERNAL-IN in interface EXTERNAL

Code:

access-list IACL-INTERNAL-IN extended permit ip user DM\user1 any host 1.1.1.2
My Windows is 2012 R2.
- adacfg dc list shows me domain DM with status UP
- adacfg client list shows me my ASA
- adacfg client status shows nothing
- adactrl show running shows me radiusServer.bat and adObserver.bat running

------
------

And now the problem. It doesn't work. When I activate the IACL on the ASA, as user1 from Win7 (domain member) I cannot, for example, ping 1.1.1.2. If I disable the ACL, it works, of course.

LOG from adObserver:

Code:

Thu Sep 24 15:09:20 2015: ~~~~  Logger Started! 	 Logging Level: LOG_DEBUG  ~~~~
Thu Sep 24 15:09:20 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:09:20 2015: INFO: NOTE: Using real IPs (did not find ADO_RANDOM_IP in environment)
Thu Sep 24 15:09:20 2015: DEBUG: Initializing Winsock
Thu Sep 24 15:09:20 2015: DEBUG: Winsock Initialized
Thu Sep 24 15:09:20 2015: DEBUG: Found local machine FQDN: MIX-VSRV-001.dm.local
Thu Sep 24 15:09:21 2015: ERROR: ADOBserver::Starting: could not send adoStarted syslog to runtime server 127.0.0.1/pip. returned error: Couldn't connect to server
Thu Sep 24 15:09:21 2015: INFO: Connecting to configuration server
Thu Sep 24 15:09:22 2015: EXCEPTION OCCURED: .\ADObserverConfig.cpp:85	loadOptions: could not connect to configuration server: 127.0.0.1/pip. returned error: Couldn't connect to server
Thu Sep 24 15:09:22 2015: WARN: Error loading configuration from server.  Retry in 20 seconds....
Thu Sep 24 15:09:42 2015: INFO: Configuration loaded successfully from server
Thu Sep 24 15:09:42 2015: DEBUG: EventCallback and DcStatusCallback initialized successfully
Thu Sep 24 15:09:43 2015: DEBUG: Notifier Thread: thread message queue initiated successfully
Thu Sep 24 15:09:43 2015: DEBUG: Notifier thread started successfully
Thu Sep 24 15:09:43 2015: INFO: adding dc: MIX-VSRV-001 with guid: 1443093549-1-142669888
Thu Sep 24 15:09:43 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:09:43 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:09:43 2015: INFO: New DC : MIX-VSRV-001 added successfully (from configuration server)...
Thu Sep 24 15:09:43 2015: INFO: History Thread: NEW_DC: getting messages from DC: MIX-VSRV-001
Thu Sep 24 15:09:43 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:09:45 2015: INFO: NEW_DC in EventSink Thread: DC added successfully to EventSink: MIX-VSRV-001
Thu Sep 24 15:09:53 2015: INFO: History Thread: NEW_DC: done with previous messages from DC: MIX-VSRV-001
Thu Sep 24 15:10:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:10:47 2015: ~~~~  Logger Started! 	 Logging Level: LOG_DEBUG  ~~~~
Thu Sep 24 15:10:47 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:10:47 2015: INFO: NOTE: Using real IPs (did not find ADO_RANDOM_IP in environment)
Thu Sep 24 15:10:47 2015: DEBUG: Initializing Winsock
Thu Sep 24 15:10:47 2015: DEBUG: Winsock Initialized
Thu Sep 24 15:10:47 2015: DEBUG: Found local machine FQDN: MIX-VSRV-001.dm.local
Thu Sep 24 15:10:47 2015: INFO: Connecting to configuration server
Thu Sep 24 15:10:47 2015: INFO: Configuration loaded successfully from server
Thu Sep 24 15:10:47 2015: DEBUG: EventCallback and DcStatusCallback initialized successfully
Thu Sep 24 15:10:47 2015: DEBUG: Notifier Thread: thread message queue initiated successfully
Thu Sep 24 15:10:47 2015: DEBUG: Notifier thread started successfully
Thu Sep 24 15:10:47 2015: INFO: adding dc: MIX-VSRV-001 with guid: 1443093549-1-142669888
Thu Sep 24 15:10:48 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:10:49 2015: INFO: New DC : MIX-VSRV-001 added successfully (from configuration server)...
Thu Sep 24 15:10:49 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:10:49 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:10:49 2015: INFO: History Thread: NEW_DC: getting messages from DC: MIX-VSRV-001
Thu Sep 24 15:10:49 2015: INFO: NEW_DC in EventSink Thread: DC added successfully to EventSink: MIX-VSRV-001
Thu Sep 24 15:11:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:11:44 2015: ~~~~  Logger Started! 	 Logging Level: LOG_DEBUG  ~~~~
Thu Sep 24 15:11:44 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:11:44 2015: INFO: NOTE: Using real IPs (did not find ADO_RANDOM_IP in environment)
Thu Sep 24 15:11:44 2015: DEBUG: Initializing Winsock
Thu Sep 24 15:11:44 2015: DEBUG: Winsock Initialized
Thu Sep 24 15:11:44 2015: DEBUG: Found local machine FQDN: MIX-VSRV-001.dm.local
Thu Sep 24 15:11:44 2015: INFO: Connecting to configuration server
Thu Sep 24 15:11:44 2015: INFO: Configuration loaded successfully from server
Thu Sep 24 15:11:44 2015: DEBUG: EventCallback and DcStatusCallback initialized successfully
Thu Sep 24 15:11:44 2015: DEBUG: Notifier Thread: thread message queue initiated successfully
Thu Sep 24 15:11:44 2015: DEBUG: Notifier thread started successfully
Thu Sep 24 15:11:44 2015: INFO: adding dc: MIX-VSRV-001 with guid: 1443093549-1-142669888
Thu Sep 24 15:11:44 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:11:44 2015: INFO: New DC : MIX-VSRV-001 added successfully (from configuration server)...
Thu Sep 24 15:11:44 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:11:44 2015: INFO: History Thread: NEW_DC: getting messages from DC: MIX-VSRV-001
Thu Sep 24 15:11:44 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:11:44 2015: INFO: NEW_DC in EventSink Thread: DC added successfully to EventSink: MIX-VSRV-001
Thu Sep 24 15:12:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:13:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:14:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:15:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:16:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:17:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:18:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:19:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:20:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:21:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:22:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:23:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:24:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:25:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:26:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:27:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
LOG from ASA:

Code:

idfw_proc[0]: request radius exec spent 0 msec
idfw_proc[0]: radius pending
idfw_proc[0]: processing radius query: 0x085d8860
idfw_proc[0]: [ADAGENT] send DEREGISTER to 10.1.169.1
idfw_proc[0]: request radius exec spent 0 msec
idfw_proc[0]: radius pending
idfw_proc[0]: processing radius2 query: 0x085d8860
idfw_proc[0]: [ADAGENT] send QUERY(0.0.0.0/1) to 10.1.169.1
idfw_proc[0]: request radius2 exec spent 0 msec
idfw_proc[0]: radius2 pending
radius_rcv_auth[0]: [ADAGENT] DM status 00000002/00:00:00 UTC Thu Jan 1 1970
idfw_proc[0]: request 1436 released
idfw_proc[0]: radius query result OK(0), notify caller
idfw_proc[0]: [ADAGENT] radius request STATUS succeeded
idfw_proc[0]: request radius notify spent 0 msec
idfw_proc[0]: request 1437 released
idfw_proc[0]: radius query result OK(0), notify caller
idfw_proc[0]: [ADAGENT] radius request DEREGISTER succeeded
idfw_proc[0]: [ADAGENT] deregistered from 10.1.169.1
idfw_proc[0]: request radius notify spent 0 msec
radius_rcv_auth[0]: [ADAGENT] CMD 6 response -1, 1, 0
idfw_proc[0]: request 1438 released
idfw_proc[0]: radius2 query result RADIUS_REJECT(22), notify caller
idfw_proc[0]: [ADAGENT] radius request QUERY failed: RADIUS_REJECT(22)
idfw_proc[0]: request radius2 notify spent 0 msec
idfw_adagent[0]: [ADAGENT] ondemand query notification
idfw_proc[0]: processing radius2 query: 0x085d8860
idfw_proc[0]: [ADAGENT] send QUERY(10.1.169.11/1) to 10.1.169.1
idfw_proc[0]: request radius2 exec spent 0 msec
idfw_proc[0]: radius2 pending
radius_rcv_auth[0]: [ADAGENT] CMD 6 response -1, 1, 0
idfw_proc[0]: request 1439 released
idfw_proc[0]: radius2 query result RADIUS_REJECT(22), notify caller
idfw_proc[0]: [ADAGENT] radius request QUERY failed: RADIUS_REJECT(22)
idfw_proc[0]: [ADAGENT] query 10.1.169.11 failed: RADIUS_REJECT (22)
idfw_proc[0]: request radius2 notify spent 0 msec
idfw_adagent[0]: [ADAGENT] ondemand query periodic work
idfw_service[0]: executing AD-Agent monitor service callback
I'm about to start googling and have a look at the 9.4.2 documentation. Where could the problem lie? Why do I get [ADAGENT] query 10.1.169.11 failed: RADIUS_REJECT (22)?
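A small triage script for the two logs in the post above, as an added example (it is not from the original post and not Cisco's tooling). The sample inputs are constructed from the ASA debug lines and the adObserver lines quoted in the post; the script only reports what those lines literally say: which AD Agent the ASA queried and which lookups were rejected, the domain status record with its timestamp, how often the adObserver process restarted, and the non-INFO messages it logged. The function and variable names are my own, and the script deliberately stops short of naming a root cause.

```python
"""Triage for the ASA IDFW debug output and the AD Agent adObserver log.
Added example, not from the forum post or from Cisco: the sample logs are
constructed from the excerpts quoted above, and the parsers only report
what those lines literally say; they do not decide the root cause."""

import re
from datetime import datetime

# Constructed sample: the [ADAGENT] lines from the ASA debug output in the post.
ASA_DEBUG = """\
idfw_proc[0]: [ADAGENT] send DEREGISTER to 10.1.169.1
idfw_proc[0]: [ADAGENT] send QUERY(0.0.0.0/1) to 10.1.169.1
radius_rcv_auth[0]: [ADAGENT] DM status 00000002/00:00:00 UTC Thu Jan 1 1970
idfw_proc[0]: [ADAGENT] radius request STATUS succeeded
idfw_proc[0]: [ADAGENT] radius request DEREGISTER succeeded
idfw_proc[0]: [ADAGENT] radius request QUERY failed: RADIUS_REJECT(22)
idfw_proc[0]: [ADAGENT] send QUERY(10.1.169.11/1) to 10.1.169.1
idfw_proc[0]: [ADAGENT] radius request QUERY failed: RADIUS_REJECT(22)
idfw_proc[0]: [ADAGENT] query 10.1.169.11 failed: RADIUS_REJECT (22)
"""

# Constructed sample: start, error and status lines from the adObserver log in the post.
ADOBSERVER_LOG = """\
Thu Sep 24 15:09:20 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:09:21 2015: ERROR: ADOBserver::Starting: could not send adoStarted syslog to runtime server 127.0.0.1/pip. returned error: Couldn't connect to server
Thu Sep 24 15:09:22 2015: EXCEPTION OCCURED: .\\ADObserverConfig.cpp:85 loadOptions: could not connect to configuration server: 127.0.0.1/pip. returned error: Couldn't connect to server
Thu Sep 24 15:09:22 2015: WARN: Error loading configuration from server.  Retry in 20 seconds....
Thu Sep 24 15:10:47 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:11:44 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:12:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
"""

SEND_RE = re.compile(r"\[ADAGENT\] send (\w+)(?:\(([^)]*)\))? to (\S+)")
RESULT_RE = re.compile(r"\[ADAGENT\] radius request (\w+) (succeeded|failed)(?::\s*(\S+))?")
HOSTFAIL_RE = re.compile(r"\[ADAGENT\] query (\S+) failed: (.+)$")
DOMAIN_RE = re.compile(r"\[ADAGENT\] (\S+) status ([0-9A-Fa-f]+)/(.+)$")
ADO_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): ([A-Z ]+?): (.*)$")
DCSTAT_RE = re.compile(r"sending DC status to server for DC:(\S+) current status: (\w+)")


def parse_asa_debug(text):
    """What the ASA sent to the AD Agent and what came back."""
    out = {"agents": set(), "sent": [], "results": [], "failed_hosts": {}, "domains": {}}
    for line in text.splitlines():
        if m := SEND_RE.search(line):          # outgoing DEREGISTER/QUERY and its target
            out["sent"].append((m.group(1), m.group(2)))
            out["agents"].add(m.group(3))
        elif m := RESULT_RE.search(line):      # per-request outcome, with reject reason if any
            out["results"].append((m.group(1), m.group(2), m.group(3)))
        elif m := HOSTFAIL_RE.search(line):    # client IP whose user mapping could not be fetched
            out["failed_hosts"][m.group(1)] = m.group(2)
        elif m := DOMAIN_RE.search(line):      # domain status record and its timestamp
            out["domains"][m.group(1)] = {"code": m.group(2), "time": m.group(3)}
    return out


def parse_adobserver(text):
    """Process (re)starts, non-routine messages and DC status from the agent log."""
    out = {"starts": [], "problems": [], "dc_status": {}}
    for line in text.splitlines():
        m = ADO_RE.match(line)
        if not m:
            continue  # banner lines ("~~~~ Logger Started!") carry no level field
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        level, msg = m.group(2), m.group(3)
        if "adObserver (version" in msg and " started " in msg:
            out["starts"].append(ts)
        if level not in ("INFO", "DEBUG"):
            out["problems"].append((ts, level, msg))
        if d := DCSTAT_RE.search(msg):
            out["dc_status"][d.group(1)] = {"status": d.group(2), "seen": ts}
    s = out["starts"]
    out["restart_gaps"] = [int((b - a).total_seconds()) for a, b in zip(s, s[1:])]
    return out


def triage(asa_text, ado_text):
    """Human-readable findings: bookkeeping for the engineer, not a verdict."""
    asa, ado = parse_asa_debug(asa_text), parse_adobserver(ado_text)
    failed = sum(1 for r in asa["results"] if r[1] == "failed")
    findings = ["ASA sent %d request(s) to AD Agent %s; %d of %d responses failed"
                % (len(asa["sent"]), ", ".join(sorted(asa["agents"])), failed, len(asa["results"]))]
    for host, reason in asa["failed_hosts"].items():
        findings.append("identity lookup for %s failed: %s" % (host, reason))
    for name, d in asa["domains"].items():
        findings.append("domain %s status code %s, timestamp %s" % (name, d["code"], d["time"]))
    if len(ado["starts"]) > 1:
        findings.append("adObserver started %d times, gaps %s s"
                        % (len(ado["starts"]), "/".join(map(str, ado["restart_gaps"]))))
    for ts, level, msg in ado["problems"]:
        findings.append("adObserver %s %s: %s" % (ts.strftime("%H:%M:%S"), level, msg[:70]))
    for dc, d in ado["dc_status"].items():
        findings.append("DC %s last reported %s" % (dc, d["status"]))
    return findings


if __name__ == "__main__":
    for finding in triage(ASA_DEBUG, ADOBSERVER_LOG):
        print("-", finding)
```

Run it as-is to get the summary for the excerpts above; to use it on a live box, paste the full ASA debug output and the complete adObserver log into the two strings (or read them from files). The point of keeping the ASA side and the agent side in separate parsers is that the RADIUS_REJECT comes from the agent, so the two views have to be lined up by time before anything can be concluded.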
