validate-attribute

To validate RADIUS attributes when using RADIUS accounting, use the validate-attribute command in radius-accounting parameter configuration mode, which is accessed by using the inspect radius-accounting command.

The argument is the RADIUS attribute to be validated with RADIUS accounting. Vendor Specific Attributes are not supported.

The following table shows the modes in which you can enter the command:

Radius-accounting parameter configuration

When this command is configured, the security appliance will also do a match on these attributes in addition to the Framed

Multiple instances of this command are allowed. You can find a list of RADIUS attribute types here:

The following example shows how to enable RADIUS accounting for the user name RADIUS attribute:

ciscoasa(config)# policy-map type inspect radius-accounting ra
ciscoasa(config-pmap-p)# validate-attribute 1

Related Commands

Sets parameters for an inspection policy map.

validate-kdc

To enable the authentication of the Kerberos Key Distribution Center (KDC) using an uploaded keytab file, use the validate-kdc command in aaa-server group mode. To disable KDC authentication, use the no form of this command.

You can configure a Kerberos AAA server group to authenticate the servers in the group using the validate-kdc command. To accomplish the authentication, you must also import a keytab file that you exported from the Kerberos Key Distribution Center (KDC). By validating the KDC, you can prevent an attack where the attacker spoofs the KDC so that user credentials are authenticated against the attacker's Kerberos server.

When you enable KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, the system also requests a service ticket on behalf of the user for host/ASA_hostname. The system then validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file that you generated from the KDC and then uploaded to the ASA. If KDC authentication fails, the server is considered untrusted.

To accomplish KDC authentication, you must do the following:

1. (On the KDC.) Create a user account in the Microsoft Active Directory for the ASA (go to Start > Programs > Administrative Tools > Active Directory Users and Computers). For example, if the fully-qualified domain name (FQDN) of the ASA is, create a user named asahost.

2. (On the KDC.) Create a host service principal name (SPN) for the ASA using the FQDN and user account:

C:> setspn -A HOST/ asahost

3. (On the KDC.) Create a keytab file for the ASA (line feeds added for clarity):

C:\Users\Administrator> ktpass /out new.keytab +rndPass /princ /mapuser /ptype KRB5_NT_SRV_HST /mapop set

4. (On the ASA.) Import the keytab (in this example, new.keytab) to the ASA using the aaa kerberos import-keytab command.

5. (On the ASA.) Add the validate-kdc command to the Kerberos AAA server group configuration. The keytab file is used only by server groups that contain this command.

You cannot use KDC validation in conjunction with Kerberos Constrained Delegation (KCD). The validate-kdc command will be ignored if the server group is used for KCD.

The following example shows how to import a keytab named new.keytab that resides on an FTP server, and enable KDC validation:

ciscoasa(config)# aaa kerberos import-keytab
ciscoasa(config)# aaa-server svrgrp1 protocol kerberos
ciscoasa(config-aaa-server-group)# validate-kdc

Related Commands

aaa kerberos import-keytab: Imports a Kerberos keytab file that was exported from a Kerberos Key Distribution Center (KDC).
clear aaa kerberos keytab: Clears the imported Kerberos keytab file.
show aaa kerberos keytab: Shows information about the Kerberos keytab file.

validate-key

To specify the pre-shared key for LISP messages, use the validate-key command in parameters configuration mode. You can access the parameters configuration mode by first entering the policy-map type inspect lisp command. To remove the key, use the no form of this command.

The argument specifies the pre-shared key for LISP messages.

Specify the LISP pre-shared key so the ASA can read LISP message contents.

About LISP Inspection for Cluster Flow Mobility

The ASA inspects LISP traffic for location changes and then uses this information for seamless clustering operation. With LISP integration, the ASA cluster members can inspect LISP traffic passing between the first hop router and the ETR or ITR, and can then change the flow owner to be at the new site. Cluster flow mobility includes several inter-related configurations:
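As an added example (not Cisco's code and not part of the original reference), a small Python audit that walks an ASA running-config and reports Kerberos AAA server groups without validate-kdc, radius-accounting inspect maps without validate-attribute, and LISP inspect maps without validate-key; the config text, group names and addresses are constructed.

```python
import re

# Constructed sample ASA running-config (not from the page): one Kerberos group with
# validate-kdc and one without, an accounting map with validate-attribute, a LISP map without validate-key.
SAMPLE_CONFIG = """\
aaa-server KERB-OK protocol kerberos
 validate-kdc
aaa-server KERB-OK (inside) host 10.0.0.5
aaa-server KERB-WEAK protocol kerberos
aaa-server KERB-WEAK (inside) host 10.0.0.6
policy-map type inspect radius-accounting ra
 parameters
  validate-attribute 1
policy-map type inspect lisp lisp-map
 parameters
"""

KERB_GROUP = re.compile(r"^aaa-server (\S+) protocol kerberos$")
INSPECT_MAP = re.compile(r"^policy-map type inspect (radius-accounting|lisp) (\S+)$")

# Validation command each block type should carry, and the risk when it is absent.
REQUIRED = {
    "kerberos": ("validate-kdc", "KDC not validated; a spoofed KDC could authenticate users"),
    "radius-accounting": ("validate-attribute", "accounting not matched on additional attributes"),
    "lisp": ("validate-key", "no LISP pre-shared key; LISP message contents cannot be read"),
}

def parse_blocks(config):
    """Split config into (header, sub-commands); indented lines belong to the block above."""
    blocks = []
    for raw in filter(str.strip, config.splitlines()):
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks

def audit(config):
    """Return (kind, name, risk) for each audited block missing its validation command."""
    findings = []
    for header, body in parse_blocks(config):
        m = KERB_GROUP.match(header) or INSPECT_MAP.match(header)
        if not m:
            continue
        kind, name = ("kerberos", m.group(1)) if m.re is KERB_GROUP else m.groups()
        cmd, risk = REQUIRED[kind]
        if not any(line.split()[0] == cmd for line in body):
            findings.append((kind, name, risk))
    return findings
```

Run `audit()` over the output of `show running-config` saved to a file; blocks whose host lines carry no validation command are ignored, only the group and policy-map definitions are checked.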