
Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 1)

2/21/2015 8:18:42 PM

The previous section presented a thorough analysis of Cut-Through Proxy operation on the ASA family. This one covers a similar IOS mechanism, called Auth-Proxy, at the same level of detail. Although the two features share a conception and a purpose, they differ in a few operational behaviors that deserve special mention:

  • Although the dynamic permissions created by Cut-Through Proxy are natively stateful, IOS Auth-Proxy permissions are stateless on their own. Once combined with CBAC or the Zone-Based Policy Firewall, however, the traffic allowed by Auth-Proxy permissions undergoes stateful inspection and behaves much like it does on the ASA.

  • In ASA, inbound interface ACLs initially take precedence over the permissions derived from Cut-Through Proxy. It is therefore necessary to explicitly allow the application protocol in this ACL before interception can take place. If the per-user-override option is enabled and a DACL is downloaded, the dynamic permissions take precedence over the static ones.

  • In IOS, Auth-Proxy intercepts the application protocol that triggers authentication before the packet is evaluated by the inbound interface ACL. The usage scenarios analyzed later show how this works in practice.

  • Whereas IOS uses the proxyacl RADIUS VSA to download individual ACEs to the NAS, ASA uses the ip:inacl VSA for this task.

  • The RADIUS server can send the IETF Filter-ID attribute to point the ASA to a locally defined ACL. Activating a locally defined ACL in IOS currently requires the tag-name VSA instead.
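To make the proxyacl versus ip:inacl distinction from the list above concrete, the following Python code is an added example (not part of the original text and not Cisco's code). It encodes per-user ACEs as cisco-avpair Vendor-Specific attributes the way a RADIUS server places them in an Access-Accept, and parses them back the way a NAS must before installing anything. The attribute layout follows RFC 2865 (attribute type 26, vendor ID 9 for Cisco, vendor-type 1 for cisco-avpair); the IOS "auth-proxy:proxyacl#N=" form is the one documented for IOS Auth-Proxy, and the ACEs, host addresses and Filter-Id value are constructed for the example.

```python
import struct

VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor-type of the cisco-avpair string

IOS_PROXYACL_PREFIX = "auth-proxy:proxyacl#"   # IOS Auth-Proxy per-user ACEs
ASA_INACL_PREFIX = "ip:inacl#"                 # ASA Cut-Through Proxy per-user ACEs


def encode_attribute(attr_type: int, data: bytes) -> bytes:
    """Wrap raw data as one RADIUS attribute: type, length (header included), value."""
    if len(data) > 253:
        raise ValueError("a RADIUS attribute value is limited to 253 bytes")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_cisco_avpair(avpair: str) -> bytes:
    """Encode a cisco-avpair string as a Vendor-Specific attribute (type 26).
    Value layout: vendor-id(4) | vendor-type(1) | vendor-length(1) | string."""
    text = avpair.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)


def proxyacl_avpairs(aces):
    """IOS syntax: auth-proxy:proxyacl#N=<ace>, with N counting from 1."""
    return [f"{IOS_PROXYACL_PREFIX}{n}={ace}" for n, ace in enumerate(aces, 1)]


def inacl_avpairs(aces):
    """ASA syntax for the same ACEs: ip:inacl#N=<ace>."""
    return [f"{ASA_INACL_PREFIX}{n}={ace}" for n, ace in enumerate(aces, 1)]


def decode_attributes(blob: bytes):
    """Walk a run of RADIUS attributes (the part of a packet after the 20-byte
    header) and return a list of (name, value): Cisco VSAs are unwrapped to
    ("cisco-avpair", str); anything else is returned as (type_number, raw_bytes).
    Length fields are checked so a truncated or padded packet is rejected."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        value = blob[i + 2:i + length]
        if (attr_type == VENDOR_SPECIFIC and len(value) >= 6
                and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype != CISCO_AVPAIR or vlen != len(value) - 4:
                raise ValueError("malformed Cisco VSA")
            out.append(("cisco-avpair", value[6:].decode("ascii")))
        else:
            out.append((attr_type, value))
        i += length
    return out


def ios_proxyacl_entries(attrs):
    """ACEs an IOS NAS would install from an Access-Accept, in proxyacl# order.
    ip:inacl# pairs (ASA syntax) are ignored: IOS Auth-Proxy does not act on them."""
    numbered = {}
    for name, value in attrs:
        if name == "cisco-avpair" and value.startswith(IOS_PROXYACL_PREFIX):
            num, ace = value[len(IOS_PROXYACL_PREFIX):].split("=", 1)
            numbered[int(num)] = ace
    return [numbered[n] for n in sorted(numbered)]


if __name__ == "__main__":
    # Constructed sample: a user allowed to reach two inside hosts.
    aces = ["permit tcp any host 172.16.201.10 eq telnet",
            "permit tcp any host 172.16.201.20 eq www"]
    blob = b"".join(encode_cisco_avpair(p) for p in proxyacl_avpairs(aces))
    for entry in decode_attributes(blob):
        print(entry)
    print(ios_proxyacl_entries(decode_attributes(blob)))
```

Two points worth noticing when running it: the same ACE list produces different avpair strings for the two platforms, so a server profile written for ASA (ip:inacl) yields no permissions at all on an IOS NAS, and a NAS that installs ACEs must validate every length field before trusting the string, since the Access-Accept body is only as trustworthy as the RADIUS shared secret that authenticates it.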

With this introduction done, the following set of practical usage scenarios emphasizes the potential of the Auth-Proxy feature.

For the following examples Telnet is chosen as the triggering protocol because its connections are long lived compared to HTTP. This makes life easier when dealing with debug commands and viewing established sessions. After becoming familiar with the Auth-Proxy concepts, you are greatly encouraged to carry out an equivalent analysis using HTTP (or, better, HTTPS) as the triggering protocol.

Figure 1 shows the reference topology used for the Auth-Proxy scenarios that follow.

Figure 1. Network Topology for the Auth-Proxy Usage Scenarios

Example 1 shows the relevant AAA commands for the Auth-Proxy scenarios. Example 2 complements it by including the commands needed to enable Auth-Proxy for Telnet interception.

Example 1. Baseline AAA Configuration for Auth-Proxy Scenarios
aaa new-model
!
! Instructing the NAS to receive, send and process Vendor Specific Attributes (VSAs)
radius-server vsa send accounting
radius-server vsa send authentication
!
! Instructing the NAS to send the IETF "Service-Type" attribute to the RADIUS server
radius-server attribute 6 on-for-login-auth
!
! Defining the source interface for RADIUS packets
ip radius source-interface Vlan21
!
! Defining an AAA server group called "RADIUS1"
aaa group server radius RADIUS1
 server 172.21.21.250 auth-port 1812 acct-port 1813
 server-private 172.21.21.250 auth-port 1812 acct-port 1813 key 7 13061E010803557878
!
! This method list will be applied to the console and VTY lines
aaa authentication login CONSOLE none
!
! Auth-Proxy uses the AAA server group "RADIUS1" defined above
aaa authentication login default group RADIUS1
aaa authorization network default group RADIUS1
aaa authorization auth-proxy default group RADIUS1
aaa accounting auth-proxy default start-stop group RADIUS1
!
! Excluding console and VTY lines from the "default" login method (which uses RADIUS)
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication CONSOLE
 transport input telnet ssh
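A caveat a practitioner should attach to Example 1: the "key 7" string is not encryption, only Cisco's reversible type-7 obfuscation, so anyone who can read the configuration (backup archives, TFTP copies, a "show running-config" pasted into a ticket) recovers the RADIUS shared secret, and with it the ability to forge Access-Accepts that carry arbitrary proxyacl entries. The following Python code is an added example, not part of the original text and not a Cisco tool: it reverses the type-7 algorithm and scans configuration text for such keys. The configuration it scans is constructed here around the server-private line from Example 1; the key in that line decodes to cisco123.

```python
import re

# Cisco's fixed XOR keystream. The two leading decimal digits of a type-7 string
# are a seed that selects where in this stream the XOR starts.
TYPE7_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Lines such as "key 7 13061E..." or "password 7 0822..." in an IOS configuration.
TYPE7_RE = re.compile(r"\b(?:key|password)\s+7\s+([0-9A-Fa-f]{4,})", re.IGNORECASE)


def decode_type7(encoded: str) -> str:
    """Reverse a type-7 string: 2 seed digits, then hex byte pairs, each byte
    XORed with the keystream byte at (seed + position)."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type-7 string is two seed digits plus hex byte pairs")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)]
                  for i, b in enumerate(data))
    return plain.decode("ascii")


def encode_type7(plain: str, seed: int = 13) -> str:
    """Forward direction, useful to confirm the decoder against a known key.
    IOS itself picks seeds in the range 0-15."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0-15")
    data = plain.encode("ascii")
    enc = bytes(b ^ TYPE7_XLAT[(seed + i) % len(TYPE7_XLAT)]
                for i, b in enumerate(data))
    return f"{seed:02d}{enc.hex().upper()}"


def find_type7_secrets(config: str):
    """Scan configuration text and return (line, plaintext) for every type-7 value."""
    found = []
    for line in config.splitlines():
        match = TYPE7_RE.search(line)
        if match:
            found.append((line.strip(), decode_type7(match.group(1))))
    return found


# Constructed sample configuration; the server-private line is the one from Example 1,
# the VTY password line is added to show that any type-7 value is recovered the same way.
SAMPLE_CONFIG = """aaa group server radius RADIUS1
 server-private 172.21.21.250 auth-port 1812 acct-port 1813 key 7 13061E010803557878
line vty 0 4
 password 7 13061E010803557878
"""

if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print(f"{secret!r:14} <- {line}")
```

The check belongs in any configuration review: treat a type-7 RADIUS key as already disclosed once the configuration has left the device. On IOS releases that support it, "key config-key password-encryption" together with "password encryption aes" stores such keys as type 6 (AES) instead, and the shared secret should be long and random rather than a dictionary word like the one above.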


Example 2. Baseline Auth-Proxy Configuration
! Defining an ACL to be applied to the same interface as Auth-Proxy
access-list 100 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1
access-list 100 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1
access-list 100 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
!
! Defining the Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION1 proxy telnet
!
! Applying the Auth-Proxy policy to interface Vlan21 (Auth-Proxy incoming interface)
interface Vlan21
 description *** INSIDE interface ***
 ip address 172.21.21.1 255.255.255.0
 ip access-group 100 in
 ip admission ADMISSION1
