Scenario 2: Cut-Through Proxy with Downloadable ACEs
Example 3 introduces the usage of the per-user-override option when defining an access-group. This instructs the ASA to prefer any kind of dynamic authorization attributes (individual ACEs, local ACL, and Downloadable ACL) over an existing static ACL. Example 4 summarizes the relevant user group parameters that need to be configured in CS-ACS so that individual ACEs can be downloaded after authentication.
Example 3. Instructing the ASA to Prefer Dynamic ACEs
! Instructing ASA to prefer downloaded Access Control Entries over static ones.
access-group DMZ in interface dmz per-user-override
Example 4. Defining Individual ACEs on CS-ACS for Cut-Through Proxy
ACS/Group Settings : GROUP1
[009\001] cisco-av-pair
ip:inacl#1=permit tcp any any eq 80
ip:inacl#2=permit tcp any any eq 23
Example 5 illustrates how CS-ACS partners with ASA to deliver and enforce individual ACEs after the Cut-Through Proxy feature comes into play. Notice the Cisco-AV-pairs (ip:inacl) in the RADIUS Response message. Example 6 shows how to verify the downloaded attributes.
Example 5. RADIUS Server Downloads Individual ACEs to ASA
! ASA receives individual ACEs from the RADIUS server
RADIUS packet decode (response)
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 31 3d 70 65 72 6d 69  |  ip:inacl#1=permi
74 20 74 63 70 20 61 6e 79 20 61 6e 79 20 65 71  |  t tcp any any eq
20 38 30                                         |  80
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 32 3d 70 65 72 6d 69  |  ip:inacl#2=permi
74 20 74 63 70 20 61 6e 79 20 61 6e 79 20 65 71  |  t tcp any any eq
20 32 33                                         |  23
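The attribute layout visible in Example 5 (type 26 Vendor-Specific, Vendor ID 9, sub-type 1 Cisco-AV-pair, then the ip:inacl string) can be checked with a small encoder/decoder. The following is an added example written for this page, not ASA or CS-ACS code: it builds the two Vendor-Specific attributes carrying the page's AV pairs, walks them back as a RADIUS attribute list with length checks, and returns the ACEs in ip:inacl# sequence order; the function names and the constructed sample are my own.

```python
import struct

ATTR_VENDOR_SPECIFIC = 26   # RADIUS attribute type 26 (0x1A)
VENDOR_CISCO = 9            # Vendor ID 9 (0x00000009)
CISCO_AV_PAIR = 1           # Cisco vendor sub-attribute 1 (Cisco-AV-pair)

def build_vsa(avpair: str) -> bytes:
    """Encode one Cisco-AV-pair as a RADIUS Vendor-Specific attribute (constructed sample)."""
    value = avpair.encode("ascii")
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value   # sub-type, sub-length, string
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(sub), VENDOR_CISCO) + sub

def cisco_av_pairs(attrs: bytes) -> list:
    """Walk a RADIUS attribute list and return every Cisco-AV-pair string it carries."""
    pairs, off = [], 0
    while off < len(attrs):
        if off + 2 > len(attrs):
            raise ValueError("truncated attribute header at offset %d" % off)
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        body = attrs[off + 2:off + alen]
        off += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != VENDOR_CISCO:
            continue
        soff, sub = 0, body[4:]                      # one VSA may hold several sub-attributes
        while soff < len(sub):
            if soff + 2 > len(sub):
                raise ValueError("truncated sub-attribute at offset %d" % soff)
            stype, slen = sub[soff], sub[soff + 1]
            if slen < 2 or soff + slen > len(sub):
                raise ValueError("bad sub-attribute length %d at offset %d" % (slen, soff))
            if stype == CISCO_AV_PAIR:
                pairs.append(sub[soff + 2:soff + slen].decode("ascii"))
            soff += slen
    return pairs

def inacl_entries(pairs: list) -> list:
    """Keep the ip:inacl#N=<ace> pairs and return the ACEs ordered by N (the line order of Example 6)."""
    entries = []
    for p in pairs:
        if p.startswith("ip:inacl#"):
            idx, _, ace = p[len("ip:inacl#"):].partition("=")
            entries.append((int(idx), ace))
    return [ace for _, ace in sorted(entries)]

# Constructed sample: the two AV pairs from Example 5, deliberately sent in reverse order
SAMPLE = build_vsa("ip:inacl#2=permit tcp any any eq 23") + build_vsa("ip:inacl#1=permit tcp any any eq 80")

if __name__ == "__main__":
    for ace in inacl_entries(cisco_av_pairs(SAMPLE)):
        print(ace)
```

The first eight bytes of each encoded attribute match the decode in Example 5 (1a 2b 00 00 00 09 01 25), and a response truncated mid-attribute is rejected instead of being silently accepted.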
Example 6. Verifying Downloaded ACEs for an Authorized User
! Displaying the downloaded access-list for user1
ASA1# show uauth user1
user 'user1' at 172.21.21.101, authenticated
access-list AAA-user-user1-E3040000 (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
!
! Displaying the details of the downloaded access-list
ASA1# show access-list AAA-user-user1-E3040000
access-list AAA-user-user1-E3040000; 2 elements; name hash: 0x3dbead96 (dynamic)
access-list AAA-user-user1-E3040000 line 1 extended permit tcp any any eq www (hitcnt=2) 0xf104c9e5
access-list AAA-user-user1-E3040000 line 2 extended permit tcp any any eq telnet (hitcnt=0) 0x6d5c94fc
Example 7 characterizes the precedence of dynamic permissions over the static ones, as a consequence of the per-user-override option (Example 3). Refer to Example 6 to verify that the dynamic ACEs just downloaded do not permit HTTPS, as opposed to the DMZ static access-list configured in Example 1. Telnet is now allowed through, despite not being part of the original interface ACL.
Example 7. Authorization ACL Takes Precedence over Interface ACL
! HTTPS, not allowed by the downloaded ACEs, gets blocked
%ASA-6-109025: Authorization denied (acl=AAA-user-user1-E3040000) for user 'user1' from
172.21.21.101/1229 to 172.16.200.200/443 on interface dmz using TCP
! Telnet, not originally allowed on static ACL, gets through the ASA
%ASA-6-302013: Built outbound TCP connection 86 for outside:172.16.200.200/23 (172.16.200.200/23)
to dmz:172.21.21.101/1230 (172.21.21.101/1230) (user1)