The previous section examined in detail the operation of the IOS Auth-Proxy feature and how it can be integrated with CBAC to create dynamic stateful permissions before traffic is allowed to cross the firewall.

This section first analyzes two techniques that leverage Auth-Proxy to bring user-group membership awareness to the IOS device. Membership awareness means that, after successful user authentication and authorization, IOS holds local knowledge of the group to which the user belongs. Later in the section, zone-based policies are created that use the membership data obtained this way as an additional match criterion.
Note
A question might arise at this point: "What is meant by this membership concept?" (In all the previous discussions, the users were always members of some user group.)
What has changed? It is true that the membership information was already there, but it existed only on the CS-ACS side; the NAS had no visibility of it. That is the difference explored next.
Establishing User-Group Membership Awareness in IOS: Method 1
This method relies on a Cisco AV-pair called supplicant-group, whose value directly corresponds to the user group to which the user should be assigned. It is the simplest way to establish user-group membership visibility on the NAS side.
Example 1 displays the CS-ACS group settings that enable the supplicant-group AV-pair to be sent to IOS. Example 2 shows the delivery of this information to the NAS by means of the authorization process with which the reader is already acquainted.
Example 1. Assigning the supplicant-group AV Pair to a user-group in CS-ACS
ACS/Group Settings : GROUP1
[009\001] cisco-av-pair
priv-lvl=15
supplicant-group=GROUP1
Example 2. ACS Delivers supplicant-group Attribute to NAS After Auth-Proxy
AUTH-PROXY creates info:
    cliaddr - 172.21.21.101, cliport - 1108
    seraddr - 172.16.201.2, serport - 23
    ip-srcaddr 172.21.21.101
    pak-srcaddr 0.0.0.0
RADIUS(00000015): Send Access-Request to 172.21.21.250:1812 id 1645/21, len 104
RADIUS:  authenticator 61 3B 1D 21 54 8A C5 3C - 14 6F C7 5E 73 E9 72 36
RADIUS:  User-Name           [1]   7   "user1"
[output suppressed]
RADIUS: Received from id 1645/21 172.21.21.250:1812, Access-Accept, len 93
RADIUS:  authenticator 43 A9 2F 23 EC 7F 7B 19 - B5 AF 6D 1B 40 81 85 25
RADIUS:  Vendor, Cisco       [26]  19
RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:  Vendor, Cisco       [26]  31
RADIUS:   Cisco AVpair       [1]   25  "supplicant-group=GROUP1"
! Visualizing user to group association in the NAS
DMZ# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user1, Client IP 172.21.21.101, Port 1108, timeout 60, Time Remaining 60, state INTERCEPT
!
DMZ# show epm session ip 172.21.21.101
Admission feature : Authproxy
AAA Policies :
Supplicant-Group : GROUP1
!
DMZ# show user-group
Usergroup : GROUP1
————————————————————————————————————
User Name        Type   Interface   Learn     Age (min)
————————————————————————————————————
172.21.21.101    IPv4   Vlan21      Dynamic   0
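The Access-Accept in Example 2 carries the group as a cisco-av-pair inside a RADIUS Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor sub-type 1), which is why the debug shows "[26] 19" wrapping "[1] 13". The following Python is an added example, not code from the book, IOS or CS-ACS: it encodes and decodes that attribute and checks the lengths against the debug output, using constructed packet bytes rather than a real capture.

```python
# Added example (not from the book or Cisco IOS): encode and decode the
# cisco-av-pair Vendor-Specific attributes seen in the Auth-Proxy debug above.
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865 section 5.26)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # vendor sub-type for cisco-av-pair

def build_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-av-pair string in a Vendor-Specific attribute."""
    data = value.encode("ascii")
    body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def iter_attributes(attrs: bytes):
    """Yield (type, value) pairs from a RADIUS TLV list, rejecting bad lengths."""
    pos = 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        yield atype, attrs[pos + 2:pos + alen]
        pos += alen

def cisco_avpairs(attrs: bytes) -> dict:
    """Return {key: value} for every cisco-av-pair in an Access-Accept attribute list."""
    pairs = {}
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes; walk them as TLVs too.
        for vtype, vvalue in iter_attributes(value[4:]):
            if vtype == CISCO_AVPAIR and b"=" in vvalue:
                key, val = vvalue.decode("ascii").split("=", 1)
                pairs[key] = val
    return pairs

def supplicant_group(attrs: bytes):
    """The group IOS would record for the session, or None if ACS sent none."""
    return cisco_avpairs(attrs).get("supplicant-group")

# Constructed attribute list mirroring the debug: "[26] 19 ... priv-lvl=15"
# and "[26] 31 ... supplicant-group=GROUP1" (the other attributes are omitted).
ACCEPT_ATTRS = build_cisco_avpair("priv-lvl=15") + build_cisco_avpair("supplicant-group=GROUP1")
```

A session whose Access-Accept lacks the pair yields None, which is the case to watch for when a zone-based policy is expected to match on group membership.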