Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 3) - IOS Auth-Proxy with Downloadable ACLs

2/21/2015 8:22:21 PM

Scenario 2: IOS Auth-Proxy with Downloadable ACLs

This is completely analogous to what was done for ASA in Scenario 4 of the Cut-Through Proxy analysis. 

Example 6. Assigning a Downloadable ACL to a User Group on CS-ACS
ACS/Group Settings : GROUP1
Downloadable ACLs – Assign IP ACL: DACL1
permit tcp any any eq 80
permit icmp any any echo
[009\001] cisco-av-pair

Example 7 details the delivery of the DACL to IOS. There are two Access-Request (Authentication Request) messages and two RADIUS Access-Accept (Response) messages. The first Request-Accept pair shows the ACS:CiscoSecure-Defined-ACL Cisco AV-Pair, which contains the name of the DACL to be assigned. The second Access-Request uses the DACL name as username and a “NULL” value for the password. IOS also sends another Cisco-AV-Pair (aaa:event=acl-download) and receives as response the individual components of the DACL (ip:inacl attributes).

Before sending the Cisco AV-Pair aaa:event=acl-download, ASA sends the Cisco AV-Pair aaa:service=vpn. IOS, in contrast, sends the AV-Pair aaa:service=ip_admission before the AV-Pair aaa:event=acl-download.

Example 8 displays the details of the user session created in Example 7. IOS clearly identifies the DACL as a “per-user” ACL and inserts its entries in the static interface ACL (before the original ACEs). Figure 2 shows a sample Passed Authentications log on CS-ACS, including the DACL assigned to the user.

Figure 2. Example of “Passed Authentications” Including DACL Assignment in CS-ACS

Example 7. CS-ACS Delivers Downloadable ACL to IOS
AUTH-PROXY creates info:
cliaddr -, cliport - 1085
seraddr -, serport - 23
! NAS sends Access Request to CS-ACS and receives name of the DACL to be applied

RADIUS(00000006): Send Access-Request to id 1645/4, len 104
RADIUS: authenticator 67 06 F7 BB F1 81 BE 96 - 29 2D C9 24 89 00 2B 31
RADIUS: User-Name [1] 7 "user1"
[output suppressed]
RADIUS: Received from id 1645/4, Access-Accept, len 124
RADIUS: authenticator 6D 19 94 84 EF C0 28 C3 - EF AB 8E FE 1F E9 7B 28
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 62
RADIUS: Cisco AVpair [1] 56 "ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DACL1-4aac618d"
[output suppressed]
! NAS sends second Access Request using DACL name as username (null password)

RADIUS(00000000): Send Access-Request to id 1645/5, len 134
RADIUS: authenticator 94 3C 9D F1 C1 93 25 2A - F3 9E DA C9 B0 15 FC B2
RADIUS: NAS-IP-Address [4] 6
RADIUS: User-Name [1] 28 "#ACSACL#-IP-DACL1-4aac618d"
RADIUS: Vendor, Cisco [26] 32
RADIUS: Cisco AVpair [1] 26 "aaa:service=ip_admission"
RADIUS: Vendor, Cisco [26] 30
RADIUS: Cisco AVpair [1] 24 "aaa:event=acl-download"
! ACS sends second Response detailing the DACL contents (as individual ACEs)

RADIUS: Received from id 1645/5, Access-Accept, len 179
RADIUS: authenticator 69 A2 A7 BB 15 AF 3C EB - A3 D7 12 F0 F5 04 54 F2
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "ip:inacl#1=permit tcp any any eq 80"
RADIUS: Vendor, Cisco [26] 43
RADIUS: Cisco AVpair [1] 37 "ip:inacl#2=permit icmp any any echo"
[output suppressed]

Example 8. Verifying the Downloadable ACL Details
DMZ#show ip auth-proxy cache
Authentication Proxy Cache
Client Name user1, Client IP, Port 1085, timeout 60, Time Remaining 60, state INTERCEPT
DMZ# show epm session ip
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-DACL1-4aac618d
! After Auth-Proxy "user1" pings and opens the page
DMZ# show access-list
Extended IP access list 100
permit tcp host any eq www (12 matches)
permit icmp host any echo (4 matches)
10 permit udp host eq 1812 host (2 matches)
20 permit udp host eq 1813 host (2 matches)
30 permit tcp any eq telnet (31 matches)
Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
10 permit tcp any any eq www
20 permit icmp any any echo

  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 6) - HTTP Listener
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 5) - Cut-Through Proxy with Downloadable ACLs
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 4) - Cut-Through Proxy with Locally Defined ACL
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 3) - Cut-Through Proxy with Downloadable ACEs
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 2) - Simple Cut-Through Proxy
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 1)
  •  Identity on Cisco Firewalls : Selecting the Authentication Protocol
  •  Commercial Backup Utilities : Ease of Recovery, Robustness, Automation, Volume Verification
  •  Commercial Backup Utilities : Ease of Administration, Security
  •  Commercial Backup Utilities : Support of a Standard or Custom Backup Format
    Most View
    Microsoft SharePoint 2010 Web Applications : Presentation Layer Overview - Ribbon (part 1)
    The Cyber-athletic Revolution – E-sports’ Era (Part 1)
    Windows Server 2003 : Implementing Software Restriction Policies (part 4) - Implementing Software Restriction Policies - Creating a Path Rule, Designating File Types
    Sql Server 2012 : Hierarchical Data and the Relational Database - Populating the Hierarchy (part 1)
    Two Is Better Than One - WD My Cloud Mirror
    Programming ASP.NET 3.5 : Data Source-Based Data Binding (part 3) - List Controls
    Windows 8 : Configuring networking (part 5) - Managing network settings - Understanding the dual TCP/IP stack in Windows 8, Configuring name resolution
    Nikon Coolpix A – An Appealing Camera For Sharp Images (Part 2)
    Canon PowerShot SX240 HS - A Powerful Perfection
    LG Intuition Review - Skirts The Line Between Smartphone And Tablet (Part 2)
    Popular Tags
    Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
    Top 10
    Review : Acer Aspire R13
    Review : Microsoft Lumia 535
    Review : Olympus OM-D E-M5 Mark II
    TomTom Runner + MultiSport Cardio
    Timex Ironman Run Trainer 2.0
    Suunto Ambit3 Peak Sapphire HR
    Polar M400
    Garmin Forerunner 920XT
    Sharepoint 2013 : Content Model and Managed Metadata - Publishing, Un-publishing, and Republishing
    Sharepoint 2013 : Content Model and Managed Metadata - Content Type Hubs