Name

ooba-acs — uses the Cisco ACS log to update the out-of-band authentication user list

Synopsis

ooba-acs [-v] [-p pidfile] [-s] [-a ca] [-c cert] [-k key] host:port

Description

Script ooba-acs provides communication between the Cisco ACS log and a http-proxy(8) acting as an out of band (OOB) authentication server. The script reads and parses the log of Cisco ACS (expected on standard input) and passes the information about the logged users to the http-proxy. This way, users declared to be authenticated in the Cisco ACS log are seen as authenticated by proxies that use OOB authentication.

For each Accounting log message, the appropriate update request is sent to the http-proxy. At most one user can be bound to a given IP address at a time; the newer record replaces the older one.

The following accounting messages are recognized:

Acct-Status-Type=Start, Acct-Status-Type=Interim-Update

The user is bound to the IP address.

Acct-Status-Type=Stop

The user is unbound from the IP address.

The IP address is taken from the Framed-IP-Address field.

The user name is taken from the User-Name field. The following special forms of user name are expected:

ANY\\USERNAME, ANY\USERNAME, ANY/USERNAME

The USERNAME is used as User Name. The ANY part is ignored.

USERNAME@DOMAIN

The USERNAME is used as User Name. The DOMAIN part is ignored.

UNRESPONSIVE

A special user name that is ignored completely. No update is sent to the http-proxy in this case.

USERNAME

If none of the preceding forms matches, the user name is used as is.
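The following is an added example, not code from ooba-acs or from Kernun Firewall. It parses constructed Cisco ACS accounting records the way the rules above describe (Start/Interim-Update binds, Stop unbinds, Framed-IP-Address supplies the address, User-Name is normalized, UNRESPONSIVE is skipped) and maintains the per-IP binding table that would be pushed to the OOB authentication server. The semicolon-separated "Attribute=Value" line format and the sample log are assumptions made for the example; real ACS export formats vary. One behaviour the man page does not specify is also an assumption: a Stop record only unbinds the address if the stopped user is the one currently bound, so a late Stop for a user who has already been replaced does not evict the newer user.

```python
"""Added example: ACS accounting log -> IP/user binding table (not ooba-acs code)."""

import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of accounting records in an assumed "Key=Value;Key=Value" layout.
SAMPLE_ACS_LOG = [
    "Acct-Status-Type=Start;User-Name=CORP\\alice;Framed-IP-Address=10.0.0.5",
    "Acct-Status-Type=Start;User-Name=bob@corp.example;Framed-IP-Address=10.0.0.6",
    # Interim-Update for a different user on alice's address: newer record wins.
    "Acct-Status-Type=Interim-Update;User-Name=carol;Framed-IP-Address=10.0.0.5",
    # UNRESPONSIVE is a special name that must produce no update at all.
    "Acct-Status-Type=Start;User-Name=UNRESPONSIVE;Framed-IP-Address=10.0.0.7",
    "Acct-Status-Type=Stop;User-Name=bob@corp.example;Framed-IP-Address=10.0.0.6",
    # Late Stop for alice, whose address is now bound to carol (see assumption).
    "Acct-Status-Type=Stop;User-Name=CORP\\alice;Framed-IP-Address=10.0.0.5",
]

# Matches ANY\\USERNAME, ANY\USERNAME and ANY/USERNAME; group 1 is USERNAME.
_PREFIXED_NAME = re.compile(r'^[^\\/]+(?:\\\\|\\|/)(.+)$')


def normalize_user_name(raw: str) -> Optional[str]:
    """Reduce a User-Name value to the bare user name, or None if it must be ignored."""
    name = raw.strip()
    if name == "UNRESPONSIVE":
        return None                      # special name: no update is sent
    m = _PREFIXED_NAME.match(name)
    if m:
        return m.group(1)                # ANY\USERNAME etc.: drop the ANY part
    if "@" in name:
        return name.split("@", 1)[0]     # USERNAME@DOMAIN: drop the DOMAIN part
    return name                          # plain USERNAME: used as is


def parse_attributes(line: str) -> Dict[str, str]:
    """Split one record into an attribute dict (assumed ';' separated Key=Value pairs)."""
    attrs: Dict[str, str] = {}
    for field in line.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def process_log(lines) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Return the final IP -> user table and the list of updates that would be sent."""
    bindings: Dict[str, str] = {}
    events: List[Tuple[str, str, str]] = []  # ("bind"|"unbind", ip, user)
    for line in lines:
        attrs = parse_attributes(line)
        status = attrs.get("Acct-Status-Type")
        ip = attrs.get("Framed-IP-Address")
        raw_name = attrs.get("User-Name")
        if status is None or ip is None or raw_name is None:
            continue                     # not a usable accounting record
        user = normalize_user_name(raw_name)
        if user is None:
            continue                     # UNRESPONSIVE: nothing is sent
        if status in ("Start", "Interim-Update"):
            bindings[ip] = user          # at most one user per IP; newer record remains
            events.append(("bind", ip, user))
        elif status == "Stop":
            # Assumption (not in the man page): only unbind if this user still owns the IP.
            if bindings.get(ip) == user:
                del bindings[ip]
                events.append(("unbind", ip, user))
    return bindings, events


if __name__ == "__main__":
    table, updates = process_log(SAMPLE_ACS_LOG)
    for action, ip, user in updates:
        print(f"{action:6} {ip:<12} {user}")
    print("final bindings:", table)
```

Running the block shows four updates (alice and bob bound, carol replacing alice on 10.0.0.5, bob unbound) and a final table containing only carol; the UNRESPONSIVE record and the stale Stop for alice produce nothing.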

Options

-v

Increases the verbosity level. Logs a message about every event sent to the http-proxy.

-p pidfile

Writes the process id into pidfile.

-s

Use a secure connection (SSL/TLS) for communication with the OOB authentication server.

-a ca

A file containing the certificate of a trusted certification authority used to verify the certificate of the OOB authentication server.

-c cert

A file containing the client certificate used for communication with the OOB authentication server.

-k key

A file containing the private key for the certificate cert.

host

Address of the OOB authentication server

port

Port of the OOB authentication server

Configuration of http-proxy

The http-proxy must be configured as an OOB authentication server using the ext-mod method of authentication:

  • A section aproxy must exist, contain item oob-auth, and be referenced by a session-acl.

  • The section http-proxy must contain item oob-auth-srv that references a section oob-auth with method ext-mod.

  • If oob-auth.method.ldap is set, http-proxy looks for group membership information in an LDAP database.

  • If oob-auth.method.even-no-group is set, the user is treated as being authenticated even though the LDAP check for the user failed.

  • It is recommended to use SSL/TLS (options -s, -a, -c and -k) for communication between ooba-acs and the OOB authentication server, so that the binding updates cannot be read or forged in transit.

See Also

http-proxy(8), http-proxy(5), http-proxy.cfg(5), auth(7)


Authors

This man page is a part of Kernun Firewall.
Copyright © 2000–2023 Trusted Network Solutions, a. s.
All rights reserved.