Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 5) - Cut-Through Proxy with Downloadable ACLs
2/20/2015 1:15:03 AM
Scenario 4: Cut-Through Proxy with Downloadable ACLs

Scenario 4 differs from Scenarios 2 and 3 because it uses another form of authorization ACL, the Downloadable ACL (DACL). A DACL is defined once as a Shared Profile Component in CS-ACS and can later be assigned to one or more user groups. This is a flexible and scalable option for controlling authorization: the ACL contents are maintained in a single place on the AAA server, nothing has to be configured on the ASA itself, and the same definition can be reused across several CS-ACS User Groups.

Example 12 summarizes the creation and assignment of a DACL in CS-ACS.

Example 12. Defining (and Assigning) a Downloadable ACL on CS-ACS
! Defining the contents of a Downloadable IP ACL

ACS/Shared Profile Components/Downloadable IP ACLs
Name : DACL1
ACL Contents : ACL1
permit tcp any any eq 80
permit icmp any any echo
!
! Assigning the DACL named "DACL1" to User Group "GROUP1"

ACS/Group Settings : GROUP1
Downloadable ACLs – Assign IP ACL: DACL1

Example 13 illustrates how CS-ACS delivers a DACL to ASA. There are two Authentication Request messages and two corresponding RADIUS Response messages. The first Request-Response pair is similar to what has been studied so far, with the distinction that only the name of the DACL is passed to the NAS, in the form of a Cisco-AV-Pair (ACS:CiscoSecure-Defined-ACL). Note that the name returned by ACS (#ACSACL#-IP-DACL1-4aac618d) is the DACL name configured in Example 12 plus a hexadecimal version suffix; the suffix changes whenever the ACL contents are edited on ACS, which is what allows ASA to tell a cached copy of the DACL from a stale one. After receiving the name of the DACL to be applied, ASA sends a second Authentication Request using the DACL name as the username and a NULL value for the password. This second request also carries the Cisco-AV-Pairs aaa:service=vpn and aaa:event=acl-download, and the response to it contains the individual components of the DACL as ip:inacl#N attributes, one ACE per attribute, numbered in the order in which they were defined.

Example 13. CS-ACS Delivers a Downloadable ACL to ASA
! ASA sends regular Authentication Request for user "user1" to RADIUS Server

RADIUS packet decode (authentication request)
[output suppressed]
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31 | user1
[output suppressed]
!
! ASA receives first RADIUS response containing the name of the DACL to be downloaded
RADIUS packet decode (response)
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 62 (0x3E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 56 (0x38)
Radius: Value (String) =
41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d | ACS:CiscoSecure-
44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 | Defined-ACL=#ACS
41 43 4c 23 2d 49 50 2d 44 41 43 4c 31 2d 34 61 | ACL#-IP-DACL1-4a
61 63 36 31 38 64 | ac618d
[output suppressed]
!
! ASA sends new Authentication Request using the DACL name as username (null password)
RADIUS packet decode (authentication request)
[output suppressed]
Radius: Type = 1 (0x01) User-Name
Radius: Length = 28 (0x1C)
Radius: Value (String) =
23 41 43 53 41 43 4c 23 2d 49 50 2d 44 41 43 4c | #ACSACL#-IP-DACL
31 2d 34 61 61 63 36 31 38 64 | 1-4aac618d
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 23 (0x17)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 17 (0x11)
Radius: Value (String) =
61 61 61 3a 73 65 72 76 69 63 65 3d 76 70 6e | aaa:service=vpn
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 30 (0x1E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 24 (0x18)
Radius: Value (String) =
61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f | aaa:event=acl-do
77 6e 6c 6f 61 64 | wnload
[output suppressed]
!
! ACS sends a second Response detailing the DACL contents (as individual ACEs)

RADIUS packet decode (response)
[output suppressed]
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 31 3d 70 65 72 6d 69 | ip:inacl#1=permi
74 20 74 63 70 20 61 6e 79 20 61 6e 79 20 65 71 | t tcp any any eq
20 38 30 | 80
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 43 (0x2B)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 37 (0x25)
Radius: Value (String) =
69 70 3a 69 6e 61 63 6c 23 32 3d 70 65 72 6d 69 | ip:inacl#2=permi
74 20 69 63 6d 70 20 61 6e 79 20 61 6e 79 20 65 | t icmp any any e
63 68 6f | cho
[output suppressed]
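The two-round exchange decoded above, as an added example that is not code from the book or from Cisco: it encodes and parses the Cisco-AV-pair Vendor-Specific attributes exactly as they appear in Example 13 (vendor 9, sub-type 1), with a stand-in ACS (the functions acs_access_request, DACL_STORE and USER_DACL are constructed here) that answers with the values shown on the page. The RADIUS packet header, authenticators, User-Password obfuscation and shared secret are deliberately left out, so only the attribute layer is exercised. The ASA side validates the DACL name before reusing it as a username, orders the ACEs by their #N index rather than by arrival, and skips the second round when it already holds an ACL of that versioned name.

```python
"""Two-round Cisco Downloadable ACL (DACL) exchange as decoded in Example 13.
Added example, not code from the book or from Cisco: CS-ACS is a stand-in that
answers with the attribute values shown on the page; the RADIUS header,
authenticators and shared secret are omitted (attribute layer only)."""
import re
import struct

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
VENDOR_CISCO = 9
CISCO_AV_PAIR = 1  # vendor sub-type of Cisco-AV-pair
DACL_REF = "ACS:CiscoSecure-Defined-ACL="
DACL_NAME_RE = re.compile(r"^#ACSACL#-IP-[\w-]+-[0-9a-f]{8}$")
INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")

def encode_attr(attr_type, value):
    """RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def encode_avpair(text):
    """Cisco-AV-pair inside a Vendor-Specific attribute (RFC 2865 s5.26):
    Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String."""
    body = text.encode()
    vsa = struct.pack("!IBB", VENDOR_CISCO, CISCO_AV_PAIR, len(body) + 2) + body
    return encode_attr(ATTR_VENDOR_SPECIFIC, vsa)

def parse_attrs(blob):
    """Walk an attribute list, yielding (type, value); reject bad lengths."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack_from("!BB", blob, pos)
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(blob):
    """Cisco-AV-pair strings in wire order; other vendors' VSAs are ignored."""
    pairs = []
    for atype, val in parse_attrs(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(val) < 6:
            continue
        vendor, vtype, vlen = struct.unpack_from("!IBB", val, 0)
        if vendor == VENDOR_CISCO and vtype == CISCO_AV_PAIR and vlen == len(val) - 4:
            pairs.append(val[6:].decode())
    return pairs

# Constructed stand-in for CS-ACS: user1 is in GROUP1, which carries DACL1
# (Example 12); the version suffix 4aac618d is the one seen in Example 13.
DACL_STORE = {"#ACSACL#-IP-DACL1-4aac618d": ["permit tcp any any eq 80",
                                             "permit icmp any any echo"]}
USER_DACL = {"user1": "#ACSACL#-IP-DACL1-4aac618d"}

def acs_access_request(req):
    """Return the attributes of an Access-Accept, or None for an Access-Reject."""
    username = next(v.decode() for t, v in parse_attrs(req) if t == ATTR_USER_NAME)
    if "aaa:event=acl-download" in cisco_avpairs(req):
        aces = DACL_STORE.get(username)
        if aces is None:
            return None
        return b"".join(encode_avpair("ip:inacl#%d=%s" % (i, ace))
                        for i, ace in enumerate(aces, 1))
    name = USER_DACL.get(username)
    return None if name is None else encode_avpair(DACL_REF + name)

def asa_authorize(username, acs, cache):
    """Round 1: authenticate the user and learn the DACL name.  Round 2 (only
    when that versioned name is not cached yet): fetch the ACEs with the DACL
    name as User-Name, a NULL password (User-Password omitted here) and the
    aaa:service=vpn / aaa:event=acl-download pairs.  Returns (name, ACEs)."""
    reply = acs(encode_attr(ATTR_USER_NAME, username.encode()))
    if reply is None:
        raise PermissionError("user %s rejected" % username)
    names = [p[len(DACL_REF):] for p in cisco_avpairs(reply) if p.startswith(DACL_REF)]
    if len(names) != 1 or not DACL_NAME_RE.match(names[0]):
        raise ValueError("unexpected DACL reference: %r" % names)
    name = names[0]
    if name not in cache:
        req = (encode_attr(ATTR_USER_NAME, name.encode())
               + encode_avpair("aaa:service=vpn") + encode_avpair("aaa:event=acl-download"))
        reply = acs(req)
        if reply is None:
            raise PermissionError("DACL %s not delivered" % name)
        aces = {}
        for pair in cisco_avpairs(reply):
            m = INACL_RE.match(pair)
            if m:
                aces[int(m.group(1))] = m.group(2)
        cache[name] = [aces[i] for i in sorted(aces)]  # order by #N, not by arrival
    return name, cache[name]

if __name__ == "__main__":
    name, aces = asa_authorize("user1", acs_access_request, {})
    print(name)
    for i, ace in enumerate(aces, 1):
        print("  line %d extended %s" % (i, ace))
```

Running the block prints the versioned DACL name followed by the two ACEs in the same order as the show access-list output in Example 14. The length checks in parse_attrs matter in practice: a RADIUS attribute whose Length field overruns the packet is the classic malformed input for a NAS-side decoder, and the Cisco-AV-pair string is only accepted when the Vendor-Length agrees with the enclosing attribute.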


Example 14 displays the Downloadable ACL and illustrates the creation of an ICMP connection after authorization. It is interesting to observe ASA’s identity awareness in the Built Connection message.

Example 14. Verifying the Downloadable ACL Details
! Displaying the DACL assigned to user1

ASA1# show uauth user1
user 'user1' at 172.21.21.101, authenticated
access-list #ACSACL#-IP-DACL1-4aac618d (*)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00
!
! User "user1" pings the address 172.16.200.200 (notice the identity-awareness)

%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.200.200/0 gaddr 172.21.21.101/512 laddr 172.21.21.101/512 (user1)
!
! Verifying the DACL details (notice the hitcount in the ICMP entry)

ASA1# show access-list #ACSACL#-IP-DACL1-4aac618d
access-list #ACSACL#-IP-DACL1-4aac618d; 2 elements; name hash: 0x7df6ced9 (dynamic)
access-list #ACSACL#-IP-DACL1-4aac618d line 1 extended permit tcp any any eq www (hitcnt=2) 0x3bb3ba32
access-list #ACSACL#-IP-DACL1-4aac618d line 2 extended permit icmp any any echo (hitcnt=1) 0x003bbecc
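The identity tag in the Built Connection message is what makes these logs usable for per-user detection. As an added example (not from the book), the parser below extracts the fields of the %ASA-6-302020 message in the format shown in Example 14 and reports inside hosts whose connections carry no username. The two sample log lines are constructed here: the first is the message from Example 14, the second is the same message without the trailing "(user)" tag, standing for a host that was not authenticated through cut-through proxy.

```python
"""Parse %ASA-6-302020 messages and flag untagged (unauthenticated) sources.
Added example, not code from the book; SAMPLE_LOG is constructed here from
the message format shown in Example 14."""
import re

SAMPLE_LOG = """\
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.200.200/0 gaddr 172.21.21.101/512 laddr 172.21.21.101/512 (user1)
%ASA-6-302020: Built outbound ICMP connection for faddr 172.16.200.200/0 gaddr 172.21.21.102/512 laddr 172.21.21.102/512
"""

# The parenthesised user at the end is optional: it is only present when the
# ASA has a uauth entry for the local address.
BUILT_ICMP_RE = re.compile(
    r"%ASA-6-302020: Built (?P<dir>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<ftype>\d+) gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+(?: \((?P<user>[^)]+)\))?$")

def parse_built_icmp(line):
    """Return a dict of the message fields, or None if the line is not 302020."""
    m = BUILT_ICMP_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ftype"] = int(rec["ftype"])  # ICMP type on the foreign side (0 = echo reply)
    return rec

def unauthenticated_sources(log_text):
    """Sorted inside addresses that built ICMP connections without an identity tag."""
    recs = (parse_built_icmp(line) for line in log_text.splitlines())
    return sorted({r["laddr"] for r in recs if r and r["user"] is None})

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_built_icmp(line))
    print("untagged:", unauthenticated_sources(SAMPLE_LOG))
```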

