Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 1)

2/21/2015 8:18:42 PM

The previous section presented a thorough analysis of the Cut-Through Proxy operation on the ASA family. In the current one, a similar IOS mechanism called Auth-Proxy is covered in detail. Although the concept and purpose of the two features are similar, they have some distinct operational behaviors. The differences that deserve special mention follow:

  • Although the dynamic permissions created by Cut-Through Proxy are natively stateful, IOS Auth-Proxy permissions are originally stateless. Nevertheless, after being combined with CBAC or Zone Policy Firewall, the Auth-Proxy permissions undergo stateful inspection and behave much like the ASA's.

  • In ASA, inbound interface ACLs initially have precedence over Cut-Through Proxy derived permissions. It is therefore necessary to explicitly allow the application protocol in this ACL before the interception can take place. If the per-user-override option is enabled and a DACL is downloaded, the dynamic permissions take precedence over the static ones.

  • In IOS, Auth-Proxy intercepts the application protocol that triggers authentication before it reaches the inbound interface ACL. You can see how this works through the analysis of some usage scenarios.

  • Whereas IOS uses the proxyacl RADIUS VSA to download individual ACEs to the NAS, ASA uses the ip:inacl VSA to accomplish this task.

  • The RADIUS server can send the IETF Filter-ID attribute pointing to an ASA locally defined ACL. The activation of such an ACL in IOS currently requires the usage of the tag-name VSA.

After this brief introduction, you can now get back to a set of practical usage scenarios that serve to emphasize the potential of the Auth-Proxy feature.

For the following examples Telnet is chosen as the triggering protocol because its connections are long-lived compared to HTTP. This makes life easier when dealing with debug commands and viewing established sessions. After becoming familiar with Auth-Proxy concepts, you are greatly encouraged to proceed to an equivalent analysis using HTTP (or even better, HTTPS) as the triggering protocol.

Figure 1 shows the reference topology used for the Auth-Proxy scenarios that follow.

Figure 1. Network Topology for the Auth-Proxy Usage Scenarios
Example 1 shows the relevant AAA commands for the Auth-Proxy scenarios. Example 2 complements the previous one, by including the necessary commands to enable Auth-Proxy for Telnet interception.

Example 1. Baseline AAA Configuration for Auth-Proxy Scenarios
aaa new-model
!
! Instructing the NAS to receive, send and process Vendor Specific Attributes (VSAs)
radius-server vsa send accounting
radius-server vsa send authentication
!
! Instructing the NAS to send the IETF "Service-Type" attribute (6) to the RADIUS server
radius-server attribute 6 on-for-login-auth
!
! Defining the source interface for RADIUS packets
ip radius source-interface Vlan21
!
! Defining an AAA server-group called "RADIUS1"
aaa group server radius RADIUS1
 server 172.21.21.250 auth-port 1812 acct-port 1813
 server-private 172.21.21.250 auth-port 1812 acct-port 1813 key 7 13061E010803557878
!
! This method list will be applied to the console and VTY lines
aaa authentication login CONSOLE none
!
! Auth-Proxy service uses the AAA server-group "RADIUS1" previously defined
aaa authentication login default group RADIUS1
aaa authorization network default group RADIUS1
aaa authorization auth-proxy default group RADIUS1
aaa accounting auth-proxy default start-stop group RADIUS1
!
! Excluding console and VTY lines from the "default" login method (that uses RADIUS)
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication CONSOLE
 transport input telnet ssh

Example 2. Baseline Auth-Proxy Configuration
! Defining an ACL to be applied to the same interface as Auth-Proxy
access-list 100 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1
access-list 100 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1
access-list 100 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
!
! Defining the Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION1 proxy telnet
!
! Applying the Auth-Proxy policy to interface Vlan21 (Auth-Proxy incoming interface)
interface Vlan21
 description *** INSIDE interface ***
 ip address 172.21.21.1 255.255.255.0
 ip access-group 100 in
 ip admission ADMISSION1
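As an added example (not code from the book or from Cisco), the following Python script audits a configuration like the one in Examples 1 and 2: it parses the RADIUS servers, numbered ACL entries, admission policies and interfaces, then checks that every interface running ip admission references a defined policy and carries an inbound ACL that permits the RADIUS replies (server port to NAS address) which that interface will see. SAMPLE_CONFIG is constructed from the two examples above, and the script assumes, as in Figure 1, that the RADIUS server sits behind the Auth-Proxy interface.

```python
import re
from collections import defaultdict

SAMPLE_CONFIG = """
aaa group server radius RADIUS1
 server 172.21.21.250 auth-port 1812 acct-port 1813
access-list 100 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1
access-list 100 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1
access-list 100 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
ip admission name ADMISSION1 proxy telnet
interface Vlan21
 ip address 172.21.21.1 255.255.255.0
 ip access-group 100 in
 ip admission ADMISSION1
"""   # constructed from the page's Example 1 and 2, trimmed to the lines the audit reads

def audit_auth_proxy(config):
    """Return one finding per problem on interfaces running ip admission ([] = consistent)."""
    servers, acls, policies, ifaces, cur = [], defaultdict(list), {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"server(?:-private)? (\S+) auth-port (\d+) acct-port (\d+)", line):
            servers.append((m[1], m[2], m[3]))
        elif m := re.match(r"access-list (\d+) (permit|deny) (.+)", line):
            acls[m[1]].append((m[2], m[3]))
        elif m := re.match(r"ip admission name (\S+) proxy (\S+)", line):
            policies[m[1]] = m[2]
        elif m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {})
        elif cur is not None and line.startswith("ip "):
            key, _, val = line[3:].partition(" ")   # "ip access-group 100 in" -> ("access-group", "100 in")
            cur[key] = val
        elif line.startswith("!"):
            cur = None                               # "!" separator closes the interface block
    findings = []
    for name, cfg in ifaces.items():
        if "admission" not in cfg:
            continue
        if cfg["admission"] not in policies:
            findings.append(f"{name}: admission policy {cfg['admission']} is not defined")
        if "access-group" not in cfg:
            findings.append(f"{name}: ip admission applied without an inbound ACL")
            continue
        aces = acls.get(cfg["access-group"].split()[0], [])
        # Assumes (as in Figure 1) the RADIUS server is behind this interface, so its replies hit the inbound ACL
        nas_ip = cfg.get("address", "").split(" ")[0]
        for ip, auth, acct in servers:
            for port in (auth, acct):
                if ("permit", f"udp host {ip} eq {port} host {nas_ip}") not in aces:
                    findings.append(f"{name}: ACL does not permit RADIUS reply from {ip} udp/{port}")
    return findings
```

Run it against a copy of the config with the accounting-port ACE deleted, or with the access-group removed from Vlan21, to see the corresponding finding reported.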
