Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 2) - IOS Auth-Proxy with Downloadable Access Control Entries

2/21/2015 8:20:21 PM

Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries

This is completely analogous to what was done for ASA in Scenario 2 of the “ASA User-Level Control with Cut-Through Proxy” section.

Example 3 shows the individual ACEs defined on CS-ACS for the group GROUP1, Example 4 illustrates Auth-Proxy performing the interception and interacting with the RADIUS server, and Example 5 shows the authentication and authorization results.

Example 3. Defining Individual ACEs on CS-ACS for IOS Auth-Proxy
ACS/Group Settings : GROUP1
[009\001] cisco-av-pair
priv-lvl=15
proxyacl#1=permit tcp any any eq 22
proxyacl#2=permit tcp any any eq 23

Example 4. Telnet Session Intercepted by Auth-Proxy
! Telnet Session is intercepted by Auth-Proxy process (before reaching interface ACL)
AUTH-PROXY creates info:
cliaddr - 172.21.21.101, cliport - 1562
seraddr - 172.16.201.2, serport - 23
ip-srcaddr 172.21.21.101
pak-srcaddr 0.0.0.0

! NAS sends request to CS-ACS and receives individual ACEs (proxyacl)

RADIUS(0000000C): Send Access-Request to 172.21.21.250:1812 id 1645/12, len 104
RADIUS: authenticator 73 DC D7 7B 91 B4 61 38 - 4E 65 CB A5 B3 4F AD 9D
RADIUS: User-Name [1] 7 "user1"
[output suppressed]
RADIUS: Received from id 1645/12 172.21.21.250:1812, Access-Accept, len 148
RADIUS: authenticator ED 65 FB F6 64 B9 33 6D - A3 5E B8 5F 14 36 D4 21
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "proxyacl#1=permit tcp any any eq 22"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "proxyacl#2=permit tcp any any eq 23"
[output suppressed]


Example 5. Verifying Authenticated Users and Downloaded ACEs
DMZ# show ip auth-proxy cache
Authentication Proxy Cache
Client Name user1, Client IP 172.21.21.101, Port 1562, timeout 60, Time Remaining 60, state INTERCEPT
!
! Details about the current Auth-Proxy session

DMZ# show epm session ip 172.21.21.101
Admission feature : Authproxy
AAA Policies :
Proxy ACL : permit tcp any any eq 22
Proxy ACL : permit tcp any any eq 23

!
! Viewing Dynamic Entries (for host 172.21.21.101) added to the interface ACL

DMZ# show access-list
Extended IP access list 100
permit tcp host 172.21.21.101 any eq 22 (18 matches)
permit tcp host 172.21.21.101 any eq telnet (70 matches)
10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (1 match)
20 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1 (1 match)
30 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
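The Access-Accept in Example 4 carries the ACEs as cisco-av-pair attributes (proxyacl#n), and Example 5 shows IOS installing each one as a dynamic entry bound to the authenticated client address. The following Python script, an added example that is not part of the original article, parses the RADIUS debug lines for those attributes and reproduces that rewrite (the "any" source becomes "host <client-ip>"); it also rejects entries whose source is not "any", which is the form IOS expects for proxyacl entries. The sample debug text is constructed from the lines in Example 4.

```python
import re

# Constructed sample, copied from the Access-Accept portion of Example 4
SAMPLE_DEBUG = """
RADIUS: Received from id 1645/12 172.21.21.250:1812, Access-Accept, len 148
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "proxyacl#1=permit tcp any any eq 22"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "proxyacl#2=permit tcp any any eq 23"
"""

# One quoted cisco-av-pair value per "Cisco AVpair" debug line
AVPAIR_RE = re.compile(r'Cisco AVpair\s+\[1\]\s+\d+\s+"([^"]+)"')
# proxyacl#<n>=<ace> as seen in the CS-ACS group settings (Example 3)
PROXYACL_RE = re.compile(r'^proxyacl#(\d+)=(.+)$')


def parse_avpairs(debug_text):
    """Return every cisco-av-pair value carried in the RADIUS debug output."""
    return AVPAIR_RE.findall(debug_text)


def extract_proxyacls(avpairs):
    """Keep only the proxyacl#n pairs, ordered by n, as (n, ace) tuples."""
    found = []
    for value in avpairs:
        m = PROXYACL_RE.match(value)
        if m:
            found.append((int(m.group(1)), m.group(2).strip()))
    return sorted(found)


def bind_to_host(ace, client_ip):
    """Rewrite a downloaded proxyacl ACE into the dynamic ACE IOS installs for
    the authenticated client: the mandatory 'any' source becomes 'host <ip>'.
    Anything that is not a permit with source 'any' is rejected (the deny
    rejection is this example's own choice, not an IOS rule)."""
    parts = ace.split()
    if len(parts) < 4 or parts[0] != "permit" or parts[2] != "any":
        raise ValueError(f"unsupported proxyacl entry: {ace!r}")
    parts[2:3] = ["host", client_ip]
    return " ".join(parts)


def dynamic_aces(debug_text, client_ip):
    """Full pipeline: debug text -> per-host ACEs, in proxyacl#n order."""
    pairs = extract_proxyacls(parse_avpairs(debug_text))
    return [bind_to_host(ace, client_ip) for _, ace in pairs]
```

The script keeps the numeric port, whereas show access-list in Example 5 prints the well-known name ("eq telnet" for port 23); the match semantics are the same.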

