Scenario 2: IOS Auth-Proxy with Downloadable ACLs
This
is completely analogous to what was done for ASA in Scenario 4 of the
Cut-Through Proxy analysis.
Example 6. Assigning a Downloadable ACL to a User Group on CS-ACS
ACS/Group Settings : GROUP1
Downloadable ACLs – Assign IP ACL: DACL1
permit tcp any any eq 80
permit icmp any any echo
[009\001] cisco-av-pair
priv-lvl=15
|
Example 7 details the delivery of the DACL to IOS. There are two Access-Request (Authentication Request) messages and two RADIUS Access-Accept (Response) messages. The first Request-Accept pair shows the ACS:CiscoSecure-Defined-ACL
Cisco AV-Pair, which contains the name of the DACL to be assigned. The
second Access-Request uses the DACL name as username and a “NULL” value
for the password. IOS also sends another Cisco-AV-Pair (aaa:event=acl-download) and receives as response the individual components of the DACL (ip:inacl attributes).
Before sending the Cisco AV-Pair aaa:event=acl-download, ASA sends the Cisco AV-Pair aaa:service=vpn. IOS, in contrast, sends the AV-Pair aaa:service=ip_admission before the AV-Pair aaa:event=acl-download.
Example 8 displays the details of the user session created in Example 7.
IOS clearly identifies the DACL as a “per-user” ACL and inserts its
entries in the static interface ACL (before the original ACEs). Figure 2 shows a sample Passed Authentications log on CS-ACS, including the DACL assigned to the user.
Example 7. CS-ACS Delivers Downloadable ACL to IOS
AUTH-PROXY creates info:
cliaddr - 172.21.21.101, cliport - 1085
seraddr - 172.16.201.2, serport - 23
ip-srcaddr 172.21.21.101
pak-srcaddr 0.0.0.0
!
! NAS sends Access Request to CS-ACS and receives name of the DACL to be applied
RADIUS(00000006): Send Access-Request to 172.21.21.250:1812 id 1645/4, len 104
RADIUS: authenticator 67 06 F7 BB F1 81 BE 96 - 29 2D C9 24 89 00 2B 31
RADIUS: User-Name [1] 7 "user1"
!
[output suppressed]
RADIUS: Received from id 1645/4 172.21.21.250:1812, Access-Accept, len 124
RADIUS: authenticator 6D 19 94 84 EF C0 28 C3 - EF AB 8E FE 1F E9 7B 28
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 62
RADIUS: Cisco AVpair [1] 56 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DACL1-4aac618d"
[output suppressed]
!
! NAS sends second Access Request using DACL name as username (null password)
RADIUS(00000000): Send Access-Request to 172.21.21.250:1812 id 1645/5, len 134
RADIUS: authenticator 94 3C 9D F1 C1 93 25 2A - F3 9E DA C9 B0 15 FC B2
RADIUS: NAS-IP-Address [4] 6 172.21.21.1
RADIUS: User-Name [1] 28 "#ACSACL#-IP-DACL1-4aac618d"
RADIUS: Vendor, Cisco [26] 32
RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
RADIUS: Vendor, Cisco [26] 30
RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
!
! ACS sends second Response detailing the DACL contents (as individual ACEs)
RADIUS: Received from id 1645/5 172.21.21.250:1812, Access-Accept, len 179
RADIUS: authenticator 69 A2 A7 BB 15 AF 3C EB - A3 D7 12 F0 F5 04 54 F2
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "ip:inacl#2=permit icmp any any echo"
[output suppressed]
|
Example 8. Verifying the Downloadable ACL Details
DMZ#show ip auth-proxy cache
Authentication Proxy Cache
Client Name user1, Client IP 172.21.21.101, Port 1085, timeout 60, Time Remaining 60, state INTERCEPT
!
DMZ# show epm session ip 172.21.21.101
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-DACL1-4aac618d
!
! After Auth-Proxy "user1" pings 172.16.201.2 and opens the page http://172.16.200.200
DMZ# show access-list
Extended IP access list 100
permit tcp host 172.21.21.101 any eq www (12 matches)
permit icmp host 172.21.21.101 any echo (4 matches)
10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (2 matches)
20 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1 (2 matches)
30 permit tcp any 172.16.201.0 0.0.0.255 eq telnet (31 matches)
Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
10 permit tcp any any eq www
20 permit icmp any any echo
|
