Identity on Cisco Firewalls : User-Based Zone Policy Firewall (part 2) - Establishing user-group Membership Awareness in IOS - Method 2

2/21/2015 8:27:45 PM

Establishing user-group Membership Awareness in IOS - Method 2

This is the second method of giving IOS visibility into user-group membership. It works through a chain of indirect references (a control tag class-map, a control tag policy-map and an Identity policy), which adds complexity compared with the first method.

Example 3 shows how to assign the tag-name attribute in the CS-ACS Group Settings. In this scenario the attribute value is GROUP2-TAG rather than simply GROUP2, so that each match operation performed in Example 4 is clearly distinguishable from the user-group name itself.

The sequence of operations is as follows:

  • Auth-Proxy intercepts the Telnet traffic and receives the authorization information from the RADIUS server, including a value for the tag-name attribute. A control tag class-map matches this value and selects an Identity policy.

  • The selected Identity policy specifies a local user-group and an associated ACL.

  • The user-group can later be matched to decide which security policy is enforced.

Example 3. Assigning the tag-name AV Pair to a user-group in CS-ACS
ACS/Group Settings : GROUP2
[009\001] cisco-av-pair
priv-lvl=15
tag-name=GROUP2-TAG

Example 4. New Auth-Proxy Configuration Matching the tag-name AV-Pair
! Defining a local ACL that will be assigned by the Identity policy
ip access-list extended ACL2
 permit tcp any 172.16.0.0 0.0.255.255 eq telnet
!
! Defining a class-map that matches the tag-name AV-Pair (control tag)
class-map type control tag match-all GROUP2-CLASS
 match tag GROUP2-TAG
!
! The Identity policy selected by the tag assigns a local user-group and ACL
identity policy GROUP2-TAG
 access-group ACL2
 user-group GROUP2
!
! This control tag policy-map is invoked by the new Auth-Proxy (IP Admission) policy
policy-map type control tag TAG-NAME
 class type control tag GROUP2-CLASS
  identity policy GROUP2-TAG
!
! Defining the Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION2 proxy telnet service-policy type tag TAG-NAME
!
! Assigning the Auth-Proxy policy to the input interface; access-list 100 is the
! interface ACL that will receive the dynamic entries derived from ACL2
interface Vlan21
 ip address 172.21.21.1 255.255.255.0
 ip access-group 100 in
 ip admission ADMISSION2
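
To make the chain of indirect references concrete, the following Python model (an example added here, not IOS code and not code from the book) walks a received tag-name through the policy-map, class-map and Identity policy of Example 4, learns the host into the user-group and derives the host-specific entry that access-list 100 acquires in Example 6. The dataclasses, the function names and the handling of a tag that matches no class-map are assumptions of this example; the object names, ACL entries and addresses are the page's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class IdentityPolicy:
    name: str
    user_group: str    # 'user-group' statement
    access_group: str  # 'access-group' statement: local ACL applied per host


@dataclass
class IosState:
    """The parts of the running config that the tag lookup walks through."""
    class_maps: dict[str, str]                   # class-map -> 'match tag' value
    policy_map: dict[str, str]                   # class-map -> identity policy (policy-map TAG-NAME)
    identity_policies: dict[str, IdentityPolicy]
    acls: dict[str, list[str]]                   # ACL name -> ACE strings
    user_groups: dict[str, dict[str, str]] = field(default_factory=dict)  # group -> {ip: interface}


def resolve_tag(state: IosState, tag: str) -> IdentityPolicy | None:
    """policy-map -> class-map -> identity policy, for one received tag-name.

    Returns None when no class-map in the policy-map matches, which is the
    case if ACS sends a tag value the NAS was never configured for: the
    session then gets neither a user-group nor a dynamic ACL entry.
    """
    for class_name, policy_name in state.policy_map.items():
        if state.class_maps.get(class_name) == tag:
            return state.identity_policies[policy_name]
    return None


def host_specific_ace(ace: str, client_ip: str) -> str:
    """Turn an ACE of the local ACL into the per-host entry seen in Example 6.

    'permit tcp any 172.16.0.0 0.0.255.255 eq telnet' from ACL2 shows up on
    access-list 100 as 'permit tcp host 172.21.21.250 172.16.0.0 ...'.
    Only a source of 'any' is rewritten here; other source forms are passed
    through unchanged (a simplification made by this example).
    """
    action, proto, source, *rest = ace.split()
    if source == "any":
        return " ".join([action, proto, "host", client_ip, *rest])
    return ace


def apply_session(state: IosState, client_ip: str, interface: str,
                  tag: str, interface_acl: str) -> list[str]:
    """Process one authorized Auth-Proxy session; returns the dynamic ACEs.

    On a match the host is learned into the user-group and the entries of
    the Identity policy's access-group are placed on the interface ACL ahead
    of its static entries, as 'show access-list' shows in Example 6.
    """
    policy = resolve_tag(state, tag)
    if policy is None:
        return []
    state.user_groups.setdefault(policy.user_group, {})[client_ip] = interface
    dynamic = [host_specific_ace(a, client_ip) for a in state.acls[policy.access_group]]
    state.acls[interface_acl] = dynamic + state.acls[interface_acl]
    return dynamic


def example_state() -> IosState:
    """Example 4 plus the static entries of access-list 100 from Example 6."""
    return IosState(
        class_maps={"GROUP2-CLASS": "GROUP2-TAG"},
        policy_map={"GROUP2-CLASS": "GROUP2-TAG"},
        identity_policies={"GROUP2-TAG": IdentityPolicy("GROUP2-TAG", "GROUP2", "ACL2")},
        acls={
            "ACL2": ["permit tcp any 172.16.0.0 0.0.255.255 eq telnet"],
            "100": [
                "permit udp host 172.21.21.250 eq 1812 host 172.21.21.1",
                "permit udp host 172.21.21.250 eq 1813 host 172.21.21.1",
                "permit tcp any 172.16.201.0 0.0.0.255 eq telnet",
            ],
        },
    )


if __name__ == "__main__":
    st = example_state()
    print(apply_session(st, "172.21.21.250", "Vlan21", "GROUP2-TAG", "100"))
    print(st.user_groups)             # {'GROUP2': {'172.21.21.250': 'Vlan21'}}
    print("\n".join(st.acls["100"]))  # dynamic entry first, then the static ones
```

Running it with the tag from Example 5 reproduces the user-group entry and the first line of access-list 100 in Example 6; running it with any other tag leaves the user-group empty and the interface ACL untouched, which is the behaviour to expect when ACS and the NAS disagree on the tag value.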


Example 5 documents the delivery of the tag-name attribute to IOS as a Cisco AV-pair inside the Access-Accept, in the conventional RADIUS authorization fashion. After that, the debug output shows the Tag and Template process comparing the received value with the tag configured in the class-map that the control tag policy-map references. (In this lab the RADIUS server and the Telnet client share the address 172.21.21.250, which is why the same host appears as the intercepted client and as the RADIUS peer.)

Example 6 details the user-group information just obtained and, to establish a clear distinction from the first method, also shows in the show epm session output the indirect model that was used: the tag received, the policy-map and the class-map matched. Example 6 also makes the dynamic opening derived from ACL2 immediately noticeable on access-list 100, where it appears ahead of the static entries with the source narrowed to the authenticated host.

Example 5. CS-ACS Delivers the tag-name AV-Pair to the NAS
AUTH-PROXY creates info:
cliaddr - 172.21.21.250, cliport - 4575
seraddr - 172.16.201.2, serport - 23
ip-srcaddr 172.21.21.250
pak-srcaddr 0.0.0.0
AUTH-PROXY: Allocate Unique_id 18

RADIUS(00000018): Send Access-Request to 172.21.21.250:1812 id 1645/23, len 104
RADIUS: authenticator 0D 38 6E 4E DB 64 F8 EF - EB 55 0B BD E9 13 E8 B2
RADIUS: User-Name [1] 7 "user2"
[output suppressed]
RADIUS: Received from id 1645/23 172.21.21.250:1812, Access-Accept, len 89
RADIUS: authenticator 60 9A AB D3 40 F8 34 AC - B8 B9 84 FA 05 22 AE 97
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 27
RADIUS: Cisco AVpair [1] 21 "tag-name=GROUP2-TAG"
[output suppressed]
!
! Tag and Template process matches the tag-name attribute
TT_EVE_DEB:Set the tag filter type value GROUP2-TAG
TT_EVE_DEB:Filter head 84775414 filter head new 8472C04C
TT_EVE_DEB:In function tt_client_tag_query
TT_EVE_DEB:Verifying the match parameters for policy-map TAG-NAME
TT_EVE_DEB:In function tt_is_match_valid
TT_EVE_DEB:Match tag filter
TT_EVE_DEB:Comparing tag : GROUP2-TAG to GROUP2-TAG
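
Example 5 shows the tag arriving inside a Cisco Vendor-Specific attribute. The following decoder (an example added here, not code from the page, from Cisco or from CS-ACS) parses the RFC 2865 attribute layout and the vendor-9 sub-attribute format to pull out the AV-pairs the NAS acts on. The attribute bytes are constructed in the block to reproduce the two AVpairs and the lengths (19 and 27) printed in the debug; they are not a capture from the page, and the rest of the Access-Accept, which the page suppresses, is left out. Function names and the treatment of a repeated key are this example's own.

```python
from __future__ import annotations

import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor sub-attribute carrying 'key=value' text


def parse_attributes(data: bytes) -> list[tuple[int, bytes]]:
    """Split a RADIUS attribute area into (type, value) pairs.

    Per attribute: type (1 byte), length (1 byte, counting the two header
    bytes), value. A length below 2 or one that overruns the buffer raises
    instead of being silently truncated.
    """
    attrs: list[tuple[int, bytes]] = []
    off = 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[off], data[off + 1]
        if alen < 2 or off + alen > len(data):
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        attrs.append((atype, data[off + 2:off + alen]))
        off += alen
    return attrs


def cisco_avpairs(data: bytes) -> dict[str, str]:
    """Collect the Cisco AV-pairs of an attribute area as a key -> value dict.

    A Vendor-Specific value is vendor-id (4 bytes, big-endian) followed by
    one or more vendor-type/vendor-length/value sub-attributes in the same
    TLV shape. VSAs of other vendors and sub-attributes other than AVpair are
    skipped; a repeated key keeps the last value (an assumption of this example).
    """
    pairs: dict[str, str] = {}
    for atype, value in parse_attributes(data):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != CISCO_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype != CISCO_AVPAIR:
                continue
            key, sep, val = vvalue.decode("ascii", "replace").partition("=")
            if sep:
                pairs[key.strip()] = val.strip()
    return pairs


def cisco_avpair_attr(text: str) -> bytes:
    """Encode one Cisco AVpair as a complete Vendor-Specific attribute."""
    if len(text) > 247:  # 255 max attribute length minus 2 + 4 + 2 header bytes
        raise ValueError("AVpair too long for a single attribute")
    sub = bytes([CISCO_AVPAIR, 2 + len(text)]) + text.encode("ascii")
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body


# Constructed attribute area for the Access-Accept of Example 5: the two Cisco
# VSAs the page prints (outer lengths 19 and 27). The other attributes of that
# packet are suppressed on the page and are not reconstructed here.
ACCESS_ACCEPT_ATTRS = (
    cisco_avpair_attr("priv-lvl=15")
    + cisco_avpair_attr("tag-name=GROUP2-TAG")
)


def received_tag(data: bytes) -> str | None:
    """The value the Tag and Template process compares against 'match tag'."""
    return cisco_avpairs(data).get("tag-name")


if __name__ == "__main__":
    print(cisco_avpairs(ACCESS_ACCEPT_ATTRS))  # {'priv-lvl': '15', 'tag-name': 'GROUP2-TAG'}
    print(received_tag(ACCESS_ACCEPT_ATTRS))   # GROUP2-TAG
```

The decoder only reads attributes; it does not check the Response Authenticator, because that requires the RADIUS shared secret, which is not part of this example. That is also the practical point: the NAS acts on whatever tag-name a valid Access-Accept carries, so the shared secret, the path to the server and the ACS group configuration are what actually decide user-group membership on the router.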


Example 6. Verifying User Group Membership on the NAS
DMZ# show ip auth-proxy cache
Authentication Proxy Cache
Client Name user2, Client IP 172.21.21.250, Port 4575, timeout 60, Time Remaining 60, state INTERCEPT
!
! Information about the indirect model used (class-map and policy-map)
DMZ# show epm session ip 172.21.21.250
Admission feature : Authproxy
Tag Received : GROUP2-TAG
Policy map used : TAG-NAME
Class map matched : GROUP2-CLASS
!
DMZ# show user-group
Usergroup : GROUP2
-----------------------------------------------------------------------
Name Type Interface Learn Age (min)
-----------------------------------------------------------------------
172.21.21.250 IPv4 Vlan21 Dynamic 0
!
! A dynamic entry is created on ACL 100 using the definitions of ACL2
DMZ# show access-list
Extended IP access list 100
permit tcp host 172.21.21.250 172.16.0.0 0.0.255.255 eq telnet (34 matches)
10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (1 match)
20 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1 (1 match)
30 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
Extended IP access list ACL2
10 permit tcp any 172.16.0.0 0.0.255.255 eq telnet
