programming4us
programming4us
ENTERPRISE

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 3) - Cut-Through Proxy with Downloadable ACEs

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
2/20/2015 1:12:11 AM
Scenario 2: Cut-Through Proxy with Downloadable ACEs

Example 3 introduces the usage of the per-user-override option when defining an access-group. This instructs the ASA to prefer any kind of dynamic authorization attributes (individual ACEs, local ACL, and Downloadable ACL) over an existent static ACL.

Example 4 summarizes the relevant user group parameters that need to be configured in CS-ACS so that individual ACEs can be downloaded after authentication.

Example 3. Instructing the ASA to Prefer Dynamic ACEs
!Instructing ASA to prefer downloaded Access Control Entries over static ones.
access-group DMZ in interface dmz per-user-override


Example 4. Defining Individual ACEs on CS-ACS for Cut-Through Proxy
ACS/Group Settings : GROUP1
[009\001] cisco-av-pair
ip:inacl#1=permit tcp any any eq 80
ip:inacl#2=permit tcp any any eq 23

Example 5 illustrates how CS-ACS partners with ASA to deliver and enforce individual ACEs after the Cut-Through Proxy feature comes into play. Notice the Cisco-AV-pairs (ip:inacl) in the RADIUS Response message. Example 6 shows how to verify the downloaded attributes.

Example 5. RADIUS Server Downloads Individual ACEs to ASA
! ASA receives individual ACEs from the RADIUS server

RADIUS packet decode (response)
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 31 3d 70 65 72 6d 69 | ip:inacl#1=permi
74 20 74 63 70 20 61 6e 79 20 61 6e 79 20 65 71 | t tcp any any eq
20 38 30 | 80
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 32 3d 70 65 72 6d 69 | ip:inacl#2=permi
74 20 74 63 70 20 61 6e 79 20 61 6e 79 20 65 71 | t tcp any any eq
20 32 33 | 23

Example 6. Verifying Downloaded ACEs for an Authorized User
! Displaying the downloaded access-list for user1

ASA1# show uauth user1
user 'user1' at 172.21.21.101, authenticated
access-list AAA-user-user1-E3040000 (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
!
! Displaying the details of the downloaded access-list

ASA1# show access-list AAA-user-user1-E3040000
access-list AAA-user-user1-E3040000; 2 elements; name hash: 0x3dbead96 (dynamic)
access-list AAA-user-user1-E3040000 line 1 extended permit tcp any any eq www (hitcnt=2) 0xf104c9e5
access-list AAA-user-user1-E3040000 line 2 extended permit tcp any any eq telnet (hitcnt=0) 0x6d5c94fc


Example 7 characterizes the precedence of dynamic permissions over the static ones, as a consequence of the per-user-override option (Example 3). Refer to Example 6 to verify that the dynamic ACEs just downloaded do not permit HTTPS, as opposed to the DMZ static access-list configured in Example 1. Telnet is now allowed through, despite not being part of the original interface ACL.

Example 7. Authorization ACL Takes Precedence over Interface ACL
! HTTPS, not allowed on donwloaded ACEs, gets blocked

%ASA-6-109025: Authorization denied (acl=AAA-user-user1-E3040000) for user 'user1' from
172.21.21.101/1229 to 172.16.200.200/443 on interface dmz using TCP

! Telnet, not originally allowed on static ACL, gets through the ASA

%ASA-6-302013: Built outbound TCP connection 86 for outside:172.16.200.200/23 (172.16.200.200/23)
 to dmz:172.21.21.101/1230 (172.21.21.101/1230) (user1)

Other  
  •  Identity on Cisco Firewalls : Selecting the Authentication Protocol
  •  Commercial Backup Utilities : Ease of Recovery, Robustness, Automation, Volume Verification
  •  Commercial Backup Utilities : Ease of Administration, Security
  •  Commercial Backup Utilities : Support of a Standard or Custom Backup Format
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 4)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 4)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 3)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 2)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 1)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Limiting discovery with filters
  •  
    Top 10
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
    - Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
    - Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
    REVIEW
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    programming4us programming4us
    programming4us
     
     
    programming4us