The previous section examined in detail the
operation of the IOS Auth-Proxy feature and how it may be integrated
with CBAC to create dynamic stateful permissions before allowing
traffic to cross the firewall.
The current section initially analyzes two
techniques that leverage Auth-Proxy to bring user-group membership
awareness in the IOS device. This concept of membership
means that after successful user authentication and authorization, IOS
will have local knowledge of the group to which the user belongs.
Later in the section zone-based policies that use as
an additional criterion the membership data previously obtained are
A question might arise at this point. “What is meant by this membership concept?” (In all the previous discussions, the users were always members of some user group.)
What has changed? Well, it is true that the
membership information was already in there, but it was on the CS-ACS
side only. There was no visibility on the NAS. This is the difference
that is explored next.
Establishing user-group Membership Awareness in IOS - Method 1
The method relies on a Cisco AV-Pair called supplicant-group, which directly corresponds to the user-group to which the user should be assigned. This is the simplest way to establish user-group membership visibility on the NAS side.
Example 1 displays the CS-ACS Group settings that enables the supplicant-group AV-Pair to be sent to IOS. Example 2
depicts the delivery of this information to the NAS, by means of the
authorization process that the reader has already gotten acquainted
Example 1. Assigning the supplicant-group AV Pair to a user-group in CS-ACS
ACS/Group Settings : GROUP1
Example 2. ACS Delivers supplicant-group Attribute to NAS After Auth-Proxy
AUTH-PROXY creates info:
cliaddr - 172.21.21.101, cliport - 1108
seraddr - 172.16.201.2, serport - 23
RADIUS(00000015): Send Access-Request to 172.21.21.250:1812 id 1645/21, len 104
RADIUS: authenticator 61 3B 1D 21 54 8A C5 3C - 14 6F C7 5E 73 E9 72 36
RADIUS: User-Name  7 "user1"
RADIUS: Received from id 1645/21 172.21.21.250:1812, Access-Accept, len 93
RADIUS: authenticator 43 A9 2F 23 EC 7F 7B 19 - B5 AF 6D 1B 40 81 85 25
RADIUS: Vendor, Cisco  19
RADIUS: Cisco AVpair  13 "priv-lvl=15"
RADIUS: Vendor, Cisco  31
RADIUS: Cisco AVpair  25 "supplicant-group=GROUP1"
! Visualizing user to group association in the NAS
DMZ# show ip auth-proxy cache
Authentication Proxy Cache
Client Name user1, Client IP 172.21.21.101, Port 1108, timeout 60, Time Remaining 60, state INTERCEPT
DMZ# show epm session ip 172.21.21.101
Admission feature : Authproxy
AAA Policies :
Supplicant-Group : GROUP1
DMZ# show user-group
Usergroup : GROUP1
User Name Type Interface Learn Age (min)
172.21.21.101 IPv4 Vlan21 Dynamic 0