Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 4) - Cut-Through Proxy with Locally Defined ACL

2/20/2015 1:13:46 AM
Scenario 3: Cut-Through Proxy with Locally Defined ACL

This scenario illustrates how CS-ACS can instruct the firewall (the NAS) to assign a locally defined ACL as part of the authorization process. This is useful when the administrator does not want to download long ACLs from the server, at the cost that the per-user ACLs then have to be maintained on each NAS.

Example 8 defines a local ACL called GROUP2 referenced by the value of the IETF Filter-ID attribute, as shown in Example 9.

Example 8. Defining a Local ACL That Might Be Referenced by CS-ACS
access-list GROUP2 extended permit tcp any any eq www
access-list GROUP2 extended permit tcp any any eq ssh

Example 9. Assigning the “Filter-ID” Attribute to a User Group on CS-ACS
ACS/Group Settings : GROUP2
IETF RADIUS Attributes
[011] Filter-Id
GROUP2

Example 10 illustrates the delivery of the Filter-ID attribute in the RADIUS Response message, whereas Example 11 demonstrates how to verify the association of the local ACL (GROUP2) with the authenticated user user2 (a member of GROUP2). To better differentiate what is going on in each scenario, it is worth comparing the user-related information in Examples 11 and 6.

Example 10. ASA Receives “Filter-ID” from the RADIUS Server
RADIUS packet decode (response)
[output suppressed]
Radius: Type = 11 (0x0B) Filter-Id
Radius: Length = 8 (0x08)
Radius: Value (String) =
47 52 4f 55 50 32 | GROUP2
[output suppressed]

Example 11. Verifying the Dynamic ACL Assigned via “Filter-ID” Attribute
! Displaying the dynamic ACL assigned to user2

ASA1# show uauth user2
user 'user2' at 172.21.21.101, authenticated
access-list GROUP2 (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
!
! Displaying the details of the dynamic access-list

ASA1# show access-list GROUP2
access-list GROUP2; 2 elements; name hash: 0xd5211e1e
access-list GROUP2 line 1 extended permit tcp any any eq www (hitcnt=2) 0x64e09b05
access-list GROUP2 line 2 extended permit tcp any any eq ssh (hitcnt=1) 0x37d057b3
!

! dynamic ACL takes precedence over static interface ACL

%ASA-6-109025: Authorization denied (acl=GROUP2) for user 'user2' from
172.21.21.101/1236 to 172.16.200.200/23 on interface dmz using TCP
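The following is an added example, not code from the book or from Cisco, that models the two steps Examples 10 and 11 show: decoding the Filter-Id attribute (Type 11, Length 8, Value "GROUP2") from the RADIUS response bytes, then evaluating a flow against the local ACL of that name with the implicit deny that produced the 109025 syslog. The attribute bytes, the ACL table and the fail-closed handling of an unknown ACL name are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed bytes matching the decode in Example 10: Type 11 (Filter-Id),
# Length 8, Value "GROUP2" (47 52 4f 55 50 32).
FILTER_ID_ATTR = bytes([11, 8]) + b"GROUP2"

# Local ACL table as defined on the ASA in Example 8 (key is the Filter-Id value).
# Rule tuple: (action, protocol, source, destination, destination port).
LOCAL_ACLS = {
    "GROUP2": [
        ("permit", "tcp", "any", "any", 80),  # eq www
        ("permit", "tcp", "any", "any", 22),  # eq ssh
    ],
}

def parse_radius_attrs(data: bytes) -> dict:
    """Decode RFC 2865 attribute TLVs (Type, Length, Value) into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("invalid attribute length %d" % alen)
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs

def filter_id(attrs: dict):
    """Return the Filter-Id (type 11) string, or None if the server sent none."""
    raw = attrs.get(11)
    return raw.decode("ascii") if raw is not None else None

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def acl_permits(acl_name: str, proto: str, src: str, dst: str, dport: int) -> bool:
    """First-match evaluation of the named local ACL, implicit deny at the end."""
    rules = LOCAL_ACLS.get(acl_name)
    if rules is None:
        return False  # assumption: a Filter-Id naming no local ACL is treated as deny
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto == proto and _addr_match(rsrc, src) and _addr_match(rdst, dst) and rport == dport:
            return action == "permit"
    return False  # implicit deny, the case behind syslog 109025 in Example 11

def authorize(attr_bytes: bytes, proto: str, src: str, dst: str, dport: int) -> bool:
    """RADIUS response attributes -> ACL name -> per-flow verdict for the user."""
    name = filter_id(parse_radius_attrs(attr_bytes))
    return name is not None and acl_permits(name, proto, src, dst, dport)
```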
