Scenario 4: Cut-Through Proxy with Downloadable ACLs
Scenario 4 differs from Scenarios 2 and 3 because it uses another form of authorization ACL called Downloadable ACL (DACL).
These are ACLs defined as Shared Profile Components in CS-ACS and can
be later assigned to user groups. This is a flexible and scalable
option for controlling authorization because changes can be centralized
in one place and ACL definitions can be reused on several CS-ACS User
Groups.
Example 12 summarizes the creation and assignment of a DACL in CS-ACS.
Example 12. Defining (and Assigning) a Downloadable ACL on CS-ACS
! Defining the contents of a Downloadable IP ACL
ACS/Shared Profile Components/Downloadable IP ACLs
Name : DACL1
ACL Contents : ACL1
permit tcp any any eq 80
permit icmp any any echo
!
! Assigning the DACL named "DACL1" to User Group "GROUP1"
ACS/Group Settings : GROUP1
Downloadable ACLs – Assign IP ACL: DACL1
Example 13 illustrates how CS-ACS delivers a DACL to ASA. There are two Authentication Request messages and two corresponding RADIUS Response
messages. The first Request-Response pair is similar to what has been
studied so far, with the distinction that only the name of the DACL is
passed to the NAS in the form of a Cisco-AV-Pair (ACS:CiscoSecure-Defined-ACL). After receiving the name of the DACL to be applied, ASA sends a second Authentication-Request using the DACL name as username and a “NULL” value for the password. ASA also sends another Cisco-AV-Pair (aaa:event=acl-download) and receives as response the individual components of the DACL (ip:inacl attributes).
Example 13. CS-ACS Delivers a Downloadable ACL to ASA
! ASA sends regular Authentication Request for user "user1" to RADIUS Server
RADIUS packet decode (authentication request)
[output suppressed]
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                   | user1
[output suppressed]
!
! ASA receives first RADIUS response containing the name of the DACL to be downloaded
RADIUS packet decode (response)
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 62 (0x3E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 56 (0x38)
Radius: Value (String) =
41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d  | ACS:CiscoSecure-
44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53  | Defined-ACL=#ACS
41 43 4c 23 2d 49 50 2d 44 41 43 4c 31 2d 34 61  | ACL#-IP-DACL1-4a
61 63 36 31 38 64                                | ac618d
[output suppressed]
!
! ASA sends new Authentication Request using the DACL name as username (null password)
RADIUS packet decode (authentication request)
[output suppressed]
Radius: Type = 1 (0x01) User-Name
Radius: Length = 28 (0x1C)
Radius: Value (String) =
23 41 43 53 41 43 4c 23 2d 49 50 2d 44 41 43 4c  | #ACSACL#-IP-DACL
31 2d 34 61 61 63 36 31 38 64                    | 1-4aac618d
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 23 (0x17)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 17 (0x11)
Radius: Value (String) =
61 61 61 3a 73 65 72 76 69 63 65 3d 76 70 6e     | aaa:service=vpn
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 30 (0x1E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 24 (0x18)
Radius: Value (String) =
61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f  | aaa:event=acl-do
77 6e 6c 6f 61 64                                | wnload
[output suppressed]
!
! ACS sends a second Response detailing the DACL contents (as individual ACEs)
RADIUS packet decode (response)
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 31 3d 70 65 72 6d 69  | ip:inacl#1=permi
74 20 74 63 70 20 61 6e 79 20 61 6e 79 20 65 71  | t tcp any any eq
20 38 30                                         | 80
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 32 3d 70 65 72 6d 69  | ip:inacl#2=permi
74 20 69 63 6d 70 20 61 6e 79 20 61 6e 79 20 65  | t icmp any any e
63 68 6f                                         | cho
[output suppressed]
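The two-step exchange in Example 13 modelled in Python, as an added example that is not the book's or Cisco's code: it encodes and parses the Cisco-AV-pair Vendor-Specific attributes, extracts the DACL name from the first response, builds the second Access-Request (DACL name as User-Name plus aaa:event=acl-download) and orders the ip:inacl entries returned in the second response. The function names and the byte-level samples are constructed for illustration; the RADIUS packet header, authenticator and shared-secret handling are left out, and the length checks show where a malformed attribute list would be rejected rather than silently applied.

```python
import struct
VENDOR_CISCO, ATTR_USER_NAME, ATTR_VSA, CISCO_AVPAIR = 9, 1, 26, 1
DACL_PREFIX = "ACS:CiscoSecure-Defined-ACL="

def cisco_avpair(value: str) -> bytes:
    """One Cisco-AV-pair (vendor 9, vendor-type 1) wrapped in a Vendor-Specific (type 26) attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value.encode()
    body = struct.pack("!I", VENDOR_CISCO) + inner
    return struct.pack("!BB", ATTR_VSA, 2 + len(body)) + body

def parse_attributes(data: bytes) -> list:
    """Walk the attribute list; return ('user-name', s) and ('avpair', s) tuples, rejecting bad lengths."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed RADIUS attribute length")
        value = data[i + 2:i + alen]
        if atype == ATTR_USER_NAME:
            out.append(("user-name", value.decode()))
        elif atype == ATTR_VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR and vlen == len(value) - 4:  # drop truncated or overlong VSAs
                out.append(("avpair", value[6:4 + vlen].decode()))
        i += alen
    return out

def dacl_name_from_first_response(attrs: bytes) -> str:
    """Step 1: the first response only names the DACL that ASA must fetch."""
    for kind, v in parse_attributes(attrs):
        if kind == "avpair" and v.startswith(DACL_PREFIX):
            return v[len(DACL_PREFIX):]
    raise ValueError("no CiscoSecure-Defined-ACL attribute in response")

def build_acl_download_request(dacl_name: str) -> bytes:
    """Step 2: ASA's second Access-Request uses the DACL name as User-Name (null password)."""
    uname = struct.pack("!BB", ATTR_USER_NAME, 2 + len(dacl_name)) + dacl_name.encode()
    return uname + cisco_avpair("aaa:service=vpn") + cisco_avpair("aaa:event=acl-download")

def aces_from_second_response(attrs: bytes) -> list:
    """Step 3: collect ip:inacl#N=<ace> pairs and return the ACEs ordered by N."""
    aces = {}
    for kind, v in parse_attributes(attrs):
        if kind == "avpair" and v.startswith("ip:inacl#"):
            idx, ace = v[len("ip:inacl#"):].split("=", 1)
            aces[int(idx)] = ace
    return [aces[n] for n in sorted(aces)]

# Constructed sample responses carrying the same AV-pairs as Example 13 (not captured traffic)
FIRST_RESPONSE = cisco_avpair(DACL_PREFIX + "#ACSACL#-IP-DACL1-4aac618d")
SECOND_RESPONSE = cisco_avpair("ip:inacl#1=permit tcp any any eq 80") + cisco_avpair("ip:inacl#2=permit icmp any any echo")
```

The attribute lengths the encoder produces (62/56 for the DACL name, 28 for the second User-Name, 43/37 for each ip:inacl entry) match the values in the decode above, which is a quick way to confirm the VSA layout.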
Example 14 displays the Downloadable ACL
and illustrates the creation of an ICMP connection after authorization.
It is interesting to observe ASA’s identity awareness in the Built Connection message.
Example 14. Verifying the Downloadable ACL Details
! Displaying the DACL assigned to user1
ASA1# show uauth user1
user 'user1' at 172.21.21.101, authenticated
access-list #ACSACL#-IP-DACL1-4aac618d (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
!
! User "user1" pings the address 172.16.200.200 (notice the identity-awareness)
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.200.200/0 gaddr 172.21.21.101/512 laddr 172.21.21.101/512 (user1)
!
! Verifying the DACL details (notice the hitcount in the ICMP entry)
ASA1# show access-list #ACSACL#-IP-DACL1-4aac618d
access-list #ACSACL#-IP-DACL1-4aac618d; 2 elements; name hash: 0x7df6ced9 (dynamic)
access-list #ACSACL#-IP-DACL1-4aac618d line 1 extended permit tcp any any eq www (hitcnt=2) 0x3bb3ba32
access-list #ACSACL#-IP-DACL1-4aac618d line 2 extended permit icmp any any echo (hitcnt=1) 0x003bbecc