Cisco ASA 5510 Time of Day Based Policing

ciscocisco-asaqos

I have a Cisco ASA 5510 setup at a boarding school. I determined that many (most?) of the students were downloading files, watching movies, etc, during the day and this was causing the academic side of our network to suffer. The students should not even be in their rooms during the day, so I configured the ASA to police their network segment and limit their outbound bandwidth. This resolved all of our academic issues, and everyone was happy. Except the resident students.

I have been asked to change/remove the policing policy at the end of the day, to allow the residents access to the unused bandwidth at night. There's no reason to let bandwidth sit unused at night just because it would be abused during the day.

Is there a way to setup Time of Day based Policies on the ASA? Ideally I'd like to be able to open up the network at night and all day during weekends.

If I can't set Time based policies, is is possible to schedule the ASA to load a set of commands at a specific time?

I suppose I could just setup a scheduled task on one of our servers to log in and make the changes with a simple script, but this seems like a hack, and I'm hoping there is a better or more standard way to accomplish this.

Thanks.

Edit: If there is a totally different solution that would accomplish a similar goal, I'd be interested in that as well. Free/Cheap would be ideal, but if a separate internet connection is my only other option, it might be worth fighting for money for hardware or software to do this better or more efficiently.

Best Answer

The PIXOS feature you are looking for is called Time Based Access List. It is a two step approach

Create the time-range object
Attach the time-range object to a specific rule

The ASA will then only apply the targeted rule during that time-range. You should be able to get what you want with something like this

hostname(config)#time-range OffHours
hostname(config-time-range)#periodic weekdays 17:00 to 07:00
hostname(config)#access-list Residence line 1 extended permit ip any any time-range OffHours
hostname(config)#access-group Residence in interface inside

Full write-up at Cisco Command Reference

Related Solutions

Cisco ASA 5510 multiple time-range commands

It took some trial and error, but I found out how to make this work. I had to create a new class-map for the new access-lists, but once I did that, everything seemed to work fine.

Here's the relevant portions of the final config, for reference:

time-range Night_Weekend
 periodic weekdays 0:00 to 6:59
 periodic weekend 0:00 to 23:59
 periodic weekdays 19:00 to 23:59
!
time-range SchoolDay
 periodic weekdays 7:00 to 18:59

access-list Wireless-AL extended permit ip object-group Wireless any time-range SchoolDay
access-list Wireless-AL extended permit ip any object-group Wireless time-range SchoolDay

access-list WirelessNight-AL extended permit ip object-group Wireless any time-range Night_Weekend
access-list WirelessNight-AL extended permit ip any object-group Wireless time-range Night_Weekend

class-map Wireless-AL
 description Student's wireless network traffic
 match access-list GPREP-Wireless
class-map WirelessNight-AL
 description Student's wireless network traffic for Nights_Weekends
 match access-list WirelessNight-AL

policy-map WirelessLimit
 class Wireless-AL
  police input 1000000 187500
  police output 1000000 187500
 class WirelessNight-AL
  police input 3000000 562500
  police output 3000000 562500

Configuring Cisco Switch and ASA/VPN devices to authenticate with W2008R2 NPS RADIUS

You're going to want to stick with creating/ordering Network Policies to do what you're trying to do. Just use the one default Connection Request Policy that is wide open, and then secure via the NPs.

You can "divide the two" as you say, by limiting each Network Policy you've created with sufficient conditions, such that in combination, multiple conditions together achieve your objectives. It looks like you've specified only one condition on each policy - network group membership. As you've discovered, this won't work. When your RADIUS-enabled device asks your RADIUS server to authenticate your user, the RADIUS server forwards the users' credentials to AD, which successfully matches the credentials (cause they're vague at this point), and returns a positive to the RADIUS server, which in turn tells the device to allow the authentication. I'm forgetting all the proper RADIUS lingo here - but basically that's what's happening.

So, stack another condition (or more) onto your policy to get what you want. Sounds like you want the switch policy to work with users in the Domain\NetworkGroup, and only on your switches (these requests should never come from your ASA's IP, or some printer or user workstation or whatever). Under conditions, look under the RADIUS client section - ClientFriendlyName, or ClientIPv4Address, for example. If the conditions include that the request is coming only from one of your predefined switch IPs or names, it won't "authenticate" requests coming from your ASA IP.

Do the same for your vpn policy too. You should be good from there. You may want to start with clean Network Policies though. I don't think you're going to be able to use the settings to update non-compliant clients without some more work (and whole other policy type too).

Also, you can look at your RADIUS logs if you want more info on what its actually doing. I believe they're under system32\logfiles. You may have to enable it on your NPS server, if its not already. You can google for tools to help you read the log files, as they're not really user friendly. In a pinch, MS has an article that lists all the fields, in order. Look for the tools though (IASlogviewer? or something like that?).

Best Answer

Related Solutions

Cisco ASA 5510 multiple time-range commands

Configuring Cisco Switch and ASA/VPN devices to authenticate with W2008R2 NPS RADIUS

Related Topic