programming4us
programming4us
ENTERPRISE

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 4) - Cut-Through Proxy with Locally Defined ACL

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire
2/20/2015 1:13:46 AM
Scenario 3: Cut-Through Proxy with Locally Defined ACL

This scenario illustrates how CS-ACS can instruct the firewall (NAS) to assign a locally defined ACL as part of the authorization process. This may be interesting if the administrator does not want to download long ACLs but has the inconvenience that per-user ACLs need to be maintained in each NAS.

Example 8 defines a local ACL called GROUP2 referenced by the value of the IETF Filter-ID attribute, as shown in Example 9.

Example 8. Defining a Local ACL That Might Be Referenced by CS-ACS
access-list GROUP2 extended permit tcp any any eq www
access-list GROUP2 extended permit tcp any any eq ssh

Example 9. Assigning the “Filter-ID” Attribute to a User Group on CS-ACS
ACS/Group Settings : GROUP2
IETF RADIUS Attributes
[011] Filter-Id
GROUP2

Example 10 illustrates the delivery of the Filter-ID attribute on the RADIUS Response message, whereas Example 11 demonstrates how to verify the association of the local ACL (GROUP2) to the authenticated user user2(a member of GROUP2). To better differentiate what is going on in each scenario, it is interesting to compare the user-related information in Examples 11 and 6.

Example 10. ASA Receives “Filter-ID” from the RADIUS Server
RADIUS packet decode (response)
[output suppressed]
Radius: Type = 11 (0x0B) Filter-Id
Radius: Length = 8 (0x08)
Radius: Value (String) =
47 52 4f 55 50 32 | GROUP2
[output suppressed]

Example 11. Verifying the Dynamic ACL Assigned via “Filter-ID” Attribute
! Displaying the dynamic ACL assigned to user2

ASA1# show uauth user2
user 'user2' at 172.21.21.101, authenticated
access-list GROUP2 (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
!
! Displaying the details of the dynamic access-list

ASA1# show access-list GROUP2
access-list GROUP2; 2 elements; name hash: 0xd5211e1e
access-list GROUP2 line 1 extended permit tcp any any eq www (hitcnt=2) 0x64e09b05
access-list GROUP2 line 2 extended permit tcp any any eq ssh (hitcnt=1) 0x37d057b3
!

! dynamic ACL takes precedence over static interface ACL

%ASA-6-109025: Authorization denied (acl=GROUP2) for user 'user2' from
172.21.21.101/1236 to 172.16.200.200/23 on interface dmz using TCP


Other  
  •  Identity on Cisco Firewalls : Selecting the Authentication Protocol
  •  Commercial Backup Utilities : Ease of Recovery, Robustness, Automation, Volume Verification
  •  Commercial Backup Utilities : Ease of Administration, Security
  •  Commercial Backup Utilities : Support of a Standard or Custom Backup Format
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 4)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 4)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 3)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 2)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Examining discovery results (part 1)
  •  HP Network Node Manager 9 : Discovering and Monitoring Your Network - Limiting discovery with filters
  •  
    Top 10
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
    - Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
    - Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
    REVIEW
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    programming4us programming4us
    programming4us
     
     
    programming4us