ASA5505 - Identity Firewall, Problem with User Identity in ACL

Posted by dawid.mitura (wannabe) | Posts: 266 | Registered: 03 Mar 2008, 12:10
If this has been covered before, please merge the thread.
I've been given a new task. I have an ASA (I don't know the model yet; I'll get access this afternoon) + AD (I don't know which domain or which Windows either; I'll also get access this afternoon). They're asking me whether the ASA can be integrated with AD so that, depending on the AD group, a user gets access in the interface ACL to certain network resources (another network, the internet, etc.). Is this doable? If so, what topic exactly should I look into?
Thanks for any replies!
UPDATE:
I changed the subject, since I now have a concrete configuration and errors in the logs.
Last edited 24 Sep 2015, 15:34 by dawid.mitura, edited 1 time in total.
doxer wrote: I think what you mean is ASA IDFW (Identity Firewall)

Right, there is a good step-by-step here. You'll have to install an agent on the Windows side; just check the limitations of what the ASA can do and what the Windows requirements are.
ML
-------------------------------------------------------------------------------------
"Minds are like parachutes, they work best when they are open"
-------------------------------------------------------------------------------------
I configured it following the instructions at https://supportforums.cisco.com/documen ... figuration
I got stuck at step 5: https://supportforums.cisco.com/documen ... on_the_ASA._
------
My ASA config:
Code:
ASA5505(config)# sh run aaa-server
aaa-server MIX-VSRV-001 protocol ldap
aaa-server MIX-VSRV-001 (INTERNAL) host 10.1.169.1
server-port 389
ldap-base-dn DC=dm,DC=local
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn CN=Service LDAP,CN=Users,DC=dm,DC=local
server-type microsoft
aaa-server AD-AGENT protocol radius
ad-agent-mode
aaa-server AD-AGENT (INTERNAL) host 10.1.169.1
key *****
Code:
ASA5505(config)# test aaa-server ad-agent AD-AGENT
Server IP Address or name: 10.1.169.1
INFO: Attempting Ad-agent test to IP address <10.1.169.1> (timeout: 12 seconds)
INFO: Ad-agent Successful
Code:
ASA5505(config)# test aaa-server authentication MIX-VSRV-001 ho
ASA5505(config)# test aaa-server authentication MIX-VSRV-001 host 10.1.169.1
Username: user1
Password: ********
INFO: Attempting Authentication test to IP address <10.1.169.1> (timeout: 12 seconds)
INFO: Authentication Successful
Code:
user-identity domain DM aaa-server MIX-VSRV-001
user-identity default-domain DM
user-identity ad-agent aaa-server AD-AGENT
Code:
ASA5505(config)# sh running-config access-group
access-group IACL-INTERNAL-IN in interface INTERNAL
access-group IACL-EXTERNAL-IN in interface EXTERNAL
Code:
access-list IACL-INTERNAL-IN extended permit ip user DM\user1 any host 1.1.1.2
My Windows is 2012 R2.
- adacfg dc list shows me domain DM with status UP
- adacfg client list shows me my ASA
- adacfg client status shows nothing
- adactrl show running shows me radiusServer.bat and adObserver.bat running
------
And now the problem: it doesn't work. When I activate the IACL on the ASA, as user1 on Win7 (domain member) I can't, for example, ping 1.1.1.2. If I disable the ACL, it works, of course.
adObserver log:
Code:
Thu Sep 24 15:09:20 2015: ~~~~ Logger Started! Logging Level: LOG_DEBUG ~~~~
Thu Sep 24 15:09:20 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:09:20 2015: INFO: NOTE: Using real IPs (did not find ADO_RANDOM_IP in environment)
Thu Sep 24 15:09:20 2015: DEBUG: Initializing Winsock
Thu Sep 24 15:09:20 2015: DEBUG: Winsock Initialized
Thu Sep 24 15:09:20 2015: DEBUG: Found local machine FQDN: MIX-VSRV-001.dm.local
Thu Sep 24 15:09:21 2015: ERROR: ADOBserver::Starting: could not send adoStarted syslog to runtime server 127.0.0.1/pip. returned error: Couldn't connect to server
Thu Sep 24 15:09:21 2015: INFO: Connecting to configuration server
Thu Sep 24 15:09:22 2015: EXCEPTION OCCURED: .\ADObserverConfig.cpp:85 loadOptions: could not connect to configuration server: 127.0.0.1/pip. returned error: Couldn't connect to server
Thu Sep 24 15:09:22 2015: WARN: Error loading configuration from server. Retry in 20 seconds....
Thu Sep 24 15:09:42 2015: INFO: Configuration loaded successfully from server
Thu Sep 24 15:09:42 2015: DEBUG: EventCallback and DcStatusCallback initialized successfully
Thu Sep 24 15:09:43 2015: DEBUG: Notifier Thread: thread message queue initiated successfully
Thu Sep 24 15:09:43 2015: DEBUG: Notifier thread started successfully
Thu Sep 24 15:09:43 2015: INFO: adding dc: MIX-VSRV-001 with guid: 1443093549-1-142669888
Thu Sep 24 15:09:43 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:09:43 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:09:43 2015: INFO: New DC : MIX-VSRV-001 added successfully (from configuration server)...
Thu Sep 24 15:09:43 2015: INFO: History Thread: NEW_DC: getting messages from DC: MIX-VSRV-001
Thu Sep 24 15:09:43 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:09:45 2015: INFO: NEW_DC in EventSink Thread: DC added successfully to EventSink: MIX-VSRV-001
Thu Sep 24 15:09:53 2015: INFO: History Thread: NEW_DC: done with previous messages from DC: MIX-VSRV-001
Thu Sep 24 15:10:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:10:47 2015: ~~~~ Logger Started! Logging Level: LOG_DEBUG ~~~~
Thu Sep 24 15:10:47 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:10:47 2015: INFO: NOTE: Using real IPs (did not find ADO_RANDOM_IP in environment)
Thu Sep 24 15:10:47 2015: DEBUG: Initializing Winsock
Thu Sep 24 15:10:47 2015: DEBUG: Winsock Initialized
Thu Sep 24 15:10:47 2015: DEBUG: Found local machine FQDN: MIX-VSRV-001.dm.local
Thu Sep 24 15:10:47 2015: INFO: Connecting to configuration server
Thu Sep 24 15:10:47 2015: INFO: Configuration loaded successfully from server
Thu Sep 24 15:10:47 2015: DEBUG: EventCallback and DcStatusCallback initialized successfully
Thu Sep 24 15:10:47 2015: DEBUG: Notifier Thread: thread message queue initiated successfully
Thu Sep 24 15:10:47 2015: DEBUG: Notifier thread started successfully
Thu Sep 24 15:10:47 2015: INFO: adding dc: MIX-VSRV-001 with guid: 1443093549-1-142669888
Thu Sep 24 15:10:48 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:10:49 2015: INFO: New DC : MIX-VSRV-001 added successfully (from configuration server)...
Thu Sep 24 15:10:49 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:10:49 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:10:49 2015: INFO: History Thread: NEW_DC: getting messages from DC: MIX-VSRV-001
Thu Sep 24 15:10:49 2015: INFO: NEW_DC in EventSink Thread: DC added successfully to EventSink: MIX-VSRV-001
Thu Sep 24 15:11:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:11:44 2015: ~~~~ Logger Started! Logging Level: LOG_DEBUG ~~~~
Thu Sep 24 15:11:44 2015: INFO: ------------ IBF PIP++ adObserver (version 1.0.0.32.1, build 598) started ------------
Thu Sep 24 15:11:44 2015: INFO: NOTE: Using real IPs (did not find ADO_RANDOM_IP in environment)
Thu Sep 24 15:11:44 2015: DEBUG: Initializing Winsock
Thu Sep 24 15:11:44 2015: DEBUG: Winsock Initialized
Thu Sep 24 15:11:44 2015: DEBUG: Found local machine FQDN: MIX-VSRV-001.dm.local
Thu Sep 24 15:11:44 2015: INFO: Connecting to configuration server
Thu Sep 24 15:11:44 2015: INFO: Configuration loaded successfully from server
Thu Sep 24 15:11:44 2015: DEBUG: EventCallback and DcStatusCallback initialized successfully
Thu Sep 24 15:11:44 2015: DEBUG: Notifier Thread: thread message queue initiated successfully
Thu Sep 24 15:11:44 2015: DEBUG: Notifier thread started successfully
Thu Sep 24 15:11:44 2015: INFO: adding dc: MIX-VSRV-001 with guid: 1443093549-1-142669888
Thu Sep 24 15:11:44 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:11:44 2015: INFO: New DC : MIX-VSRV-001 added successfully (from configuration server)...
Thu Sep 24 15:11:44 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:11:44 2015: INFO: History Thread: NEW_DC: getting messages from DC: MIX-VSRV-001
Thu Sep 24 15:11:44 2015: ~~~~~ LOCAL CONNECTION TO DC ~~~~~
Thu Sep 24 15:11:44 2015: INFO: NEW_DC in EventSink Thread: DC added successfully to EventSink: MIX-VSRV-001
Thu Sep 24 15:12:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:13:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:14:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:15:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:16:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:17:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:18:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:19:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:20:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:21:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:22:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:23:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:24:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:25:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:26:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
Thu Sep 24 15:27:43 2015: INFO: EventSink thread: sending DC status to server for DC:MIX-VSRV-001 current status: up
ASA log:
Code:
idfw_proc[0]: request radius exec spent 0 msec
idfw_proc[0]: radius pending
idfw_proc[0]: processing radius query: 0x085d8860
idfw_proc[0]: [ADAGENT] send DEREGISTER to 10.1.169.1
idfw_proc[0]: request radius exec spent 0 msec
idfw_proc[0]: radius pending
idfw_proc[0]: processing radius2 query: 0x085d8860
idfw_proc[0]: [ADAGENT] send QUERY(0.0.0.0/1) to 10.1.169.1
idfw_proc[0]: request radius2 exec spent 0 msec
idfw_proc[0]: radius2 pending
radius_rcv_auth[0]: [ADAGENT] DM status 00000002/00:00:00 UTC Thu Jan 1 1970
idfw_proc[0]: request 1436 released
idfw_proc[0]: radius query result OK(0), notify caller
idfw_proc[0]: [ADAGENT] radius request STATUS succeeded
idfw_proc[0]: request radius notify spent 0 msec
idfw_proc[0]: request 1437 released
idfw_proc[0]: radius query result OK(0), notify caller
idfw_proc[0]: [ADAGENT] radius request DEREGISTER succeeded
idfw_proc[0]: [ADAGENT] deregistered from 10.1.169.1
idfw_proc[0]: request radius notify spent 0 msec
radius_rcv_auth[0]: [ADAGENT] CMD 6 response -1, 1, 0
idfw_proc[0]: request 1438 released
idfw_proc[0]: radius2 query result RADIUS_REJECT(22), notify caller
idfw_proc[0]: [ADAGENT] radius request QUERY failed: RADIUS_REJECT(22)
idfw_proc[0]: request radius2 notify spent 0 msec
idfw_adagent[0]: [ADAGENT] ondemand query notification
idfw_proc[0]: processing radius2 query: 0x085d8860
idfw_proc[0]: [ADAGENT] send QUERY(10.1.169.11/1) to 10.1.169.1
idfw_proc[0]: request radius2 exec spent 0 msec
idfw_proc[0]: radius2 pending
radius_rcv_auth[0]: [ADAGENT] CMD 6 response -1, 1, 0
idfw_proc[0]: request 1439 released
idfw_proc[0]: radius2 query result RADIUS_REJECT(22), notify caller
idfw_proc[0]: [ADAGENT] radius request QUERY failed: RADIUS_REJECT(22)
idfw_proc[0]: [ADAGENT] query 10.1.169.11 failed: RADIUS_REJECT (22)
idfw_proc[0]: request radius2 notify spent 0 msec
idfw_adagent[0]: [ADAGENT] ondemand query periodic work
idfw_service[0]: executing AD-Agent monitor service callback

I'm about to start googling and will have a look at the 9.4.2 documentation. Where could the problem be? Why do I get [ADAGENT] query 10.1.169.11 failed: RADIUS_REJECT (22)?
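The ACL in the post matches a single user, while the first post asked for access by AD group. The configuration below is an added example, not from the thread or from Cisco's guide: it keeps the poster's server names, domain DM, interface INTERNAL and host 1.1.1.2, and adds group-based rules plus the show commands to verify what the ASA has actually learned. The group names DM\Sales and DM\Admins, the object-group name IDFW-SALES and the <password>/<shared-secret> placeholders are assumptions. It does not explain the RADIUS_REJECT(22) above, which the thread leaves open.

```cisco
! Added example (not from the thread). DM\Sales, DM\Admins and IDFW-SALES are assumed
! names; server names, domain DM, interface INTERNAL and 1.1.1.2 come from the post.
!
! 1. Identity sources: LDAP for user/group lookups, AD Agent for IP-to-user mappings
aaa-server MIX-VSRV-001 protocol ldap
aaa-server MIX-VSRV-001 (INTERNAL) host 10.1.169.1
 server-port 389
 ldap-base-dn DC=dm,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=Service LDAP,CN=Users,DC=dm,DC=local
 ldap-login-password <password>
 server-type microsoft
aaa-server AD-AGENT protocol radius
 ad-agent-mode
aaa-server AD-AGENT (INTERNAL) host 10.1.169.1
 key <shared-secret>
!
user-identity domain DM aaa-server MIX-VSRV-001
user-identity default-domain DM
user-identity ad-agent aaa-server AD-AGENT
user-identity enable
!
! 2. A user object-group can mix AD groups and single users.
!    user-group takes a double backslash, user a single one.
object-group user IDFW-SALES
 user-group DM\\Sales
 user DM\user1
!
! 3. Identity-aware rules. Anything not matched hits the implicit deny, so a host
!    whose IP has no user mapping (or a user outside these groups) is dropped.
access-list IACL-INTERNAL-IN extended permit ip object-group-user IDFW-SALES any host 1.1.1.2
access-list IACL-INTERNAL-IN extended permit ip user-group DM\\Admins any any
! No user clause here: clients must reach the DC to log on before any mapping exists.
access-list IACL-INTERNAL-IN extended permit ip any host 10.1.169.1
access-list IACL-INTERNAL-IN extended deny ip any any log
access-group IACL-INTERNAL-IN in interface INTERNAL
!
! 4. Verification before blaming the ACL
show user-identity ad-agent
show user-identity user all
show user-identity ip-of-user DM\user1
show user-identity group
show access-list IACL-INTERNAL-IN
```

The rule for 10.1.169.1 without a user clause matters: a workstation has to reach the DC to log on before the AD Agent can report an IP-to-user mapping, and an identity-only ACL ending in the implicit deny would block that logon. When a user-based entry does not match, check show user-identity ip-of-user first: if the ASA has no IP for the user, the entry cannot match and the packet falls through to the deny. A successful test aaa-server ad-agent only shows that the ASA can talk to the agent; it says nothing about whether the agent holds a mapping for the client.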