Establishing user-group Membership Awareness in IOS - Method 2
This is the second method to provide IOS with user-group membership visibility. This second technique uses a lot of indirect references, which brings more complexity.
Example 3 shows how to assign the tag-name attribute in CS-ACS Group Settings. In this particular scenario, the value of the attribute is not simply GROUP2 but GROUP2-TAG. This choice was made so that each match operation executed in Example 4 can be clearly identified.
The sequence of operations is the following: Auth-Proxy intercepts the Telnet traffic and receives authorization information from the RADIUS server, containing a value for the tag-name attribute. This value is matched by a control tag class-map, which in turn is used to select an Identity policy. The newly created Identity policy enables the specification of a local user-group and an associated ACL. The user-group can later be matched to decide which security policy is enforced.
Example 3. Assigning the tag-name AV Pair to a user-group in CS-ACS
ACS/Group Settings : GROUP2
[009\001] cisco-av-pair
priv-lvl=15
tag-name=GROUP2-TAG
Example 4. New Auth-Proxy Configuration Matching the tag-name AV-Pair
! Defining a local ACL that will be assigned by the Identity policy
ip access-list extended ACL2
 permit tcp any 172.16.0.0 0.0.255.255 eq telnet
!
! Defining a class-map that matches the tag-name AV-Pair (control tag)
class-map type control tag match-all GROUP2-CLASS
 match tag GROUP2-TAG
!
! The Identity policy receives tag-name and assigns local user-group and ACL
identity policy GROUP2-TAG
 access-group ACL2
 user-group GROUP2
!
! This control tag policy-map is invoked by the new Auth-Proxy (IP Admission) policy
policy-map type control tag TAG-NAME
 class type control tag GROUP2-CLASS
  identity policy GROUP2-TAG
!
! Defining the Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION2 proxy telnet service-policy type tag TAG-NAME
!
! Assigning the Auth-Proxy policy to the input interface
interface Vlan21
 ip address 172.21.21.1 255.255.255.0
 ip access-group 100 in
 ip admission ADMISSION2
Example 5 documents the delivery of the tag-name attribute to IOS, in the conventional RADIUS authorization fashion. After that, you can see how the Tag and Template process matches the received value inside the control tag policy-map. Example 6 details the user-group information just obtained. To establish a clear distinction between the two methods discussed, Example 6 also makes the dynamic opening, based on ACL2, immediately noticeable on access-list 100.
Example 5. CS-ACS Delivers the tag-name AV-Pair to the NAS
AUTH-PROXY creates info:
 cliaddr - 172.21.21.250, cliport - 4575
 seraddr - 172.16.201.2, serport - 23
 ip-srcaddr 172.21.21.250
 pak-srcaddr 0.0.0.0
AUTH-PROXY: Allocate Unique_id 18
RADIUS(00000018): Send Access-Request to 172.21.21.250:1812 id 1645/23, len 104
RADIUS: authenticator 0D 38 6E 4E DB 64 F8 EF - EB 55 0B BD E9 13 E8 B2
RADIUS: User-Name [1] 7 "user2"
[output suppressed]
RADIUS: Received from id 1645/23 172.21.21.250:1812, Access-Accept, len 89
RADIUS: authenticator 60 9A AB D3 40 F8 34 AC - B8 B9 84 FA 05 22 AE 97
RADIUS: Vendor, Cisco [26] 19
RADIUS: Cisco AVpair [1] 13 "priv-lvl=15"
RADIUS: Vendor, Cisco [26] 27
RADIUS: Cisco AVpair [1] 21 "tag-name=GROUP2-TAG"
[output suppressed]
!
! Tag and Template process matches the tag-name attribute
TT_EVE_DEB:Set the tag filter type value GROUP2-TAG
TT_EVE_DEB:Filter head 84775414 filter head new 8472C04C
TT_EVE_DEB:In function tt_client_tag_query
TT_EVE_DEB:Verifying the match parameters for policy-map TAG-NAME
TT_EVE_DEB:In function tt_is_match_valid
TT_EVE_DEB:Match tag filter
TT_EVE_DEB:Comparing tag : GROUP2-TAG to GROUP2-TAG
Example 6. Verifying User Group Membership on the NAS
DMZ# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user2, Client IP 172.21.21.250, Port 4575, timeout 60, Time Remaining 60, state INTERCEPT
!
! Information about the indirect model used (class-map and policy-map)
DMZ# show epm session ip 172.21.21.250
Admission feature : Authproxy
Tag Received : GROUP2-TAG
Policy map used : TAG-NAME
Class map matched : GROUP2-CLASS
!
DMZ# show user-group
Usergroup : GROUP2
-----------------------------------------------------------------------
Name            Type    Interface    Learn      Age (min)
-----------------------------------------------------------------------
172.21.21.250   IPv4    Vlan21       Dynamic    0
!
! A dynamic entry is created on ACL 100 using the definitions of ACL2
DMZ# show access-list
Extended IP access list 100
 permit tcp host 172.21.21.250 172.16.0.0 0.0.255.255 eq telnet (34 matches)
 10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (1 match)
 20 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1 (1 match)
 30 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
Extended IP access list ACL2
 10 permit tcp any 172.16.0.0 0.0.255.255 eq telnet
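The chain shown in Examples 4 through 6 (tag-name AV pair, control tag class-map, identity policy, user-group and dynamic ACE) can be traced offline. The following Python model is an added example, not IOS code or part of the original text; it parses a constructed copy of the Example 4 configuration and reproduces, for the AV pairs returned in Example 5, the user-group and the host-specific ACE that Example 6 shows on access-list 100.

```python
# Constructed configuration modelled on Example 4 (added example, not the page's own code).
IOS_CONFIG = """\
ip access-list extended ACL2
 permit tcp any 172.16.0.0 0.0.255.255 eq telnet
class-map type control tag match-all GROUP2-CLASS
 match tag GROUP2-TAG
identity policy GROUP2-TAG
 access-group ACL2
 user-group GROUP2
policy-map type control tag TAG-NAME
 class type control tag GROUP2-CLASS
  identity policy GROUP2-TAG
"""

def parse_config(text):
    """Index ACLs, control-tag class-maps, identity policies and policy-map bindings."""
    cfg = {"acl": {}, "class": {}, "identity": {}, "pmap": {}}
    for line in text.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():  # top-level statement; last word names the object
            kind = {"ip": "acl", "class-map": "class", "identity": "identity",
                    "policy-map": "pmap"}[w[0]]
            name = w[-1]
            cfg[kind][name] = [] if kind in ("acl", "class") else {}
        elif kind == "acl":
            cfg["acl"][name].append(line.strip())
        elif kind == "class" and w[:2] == ["match", "tag"]:
            cfg["class"][name].append(w[2])
        elif kind == "identity":
            cfg["identity"][name][w[0]] = w[1]  # access-group / user-group
        elif kind == "pmap" and w[0] == "class":
            cls = w[-1]
        elif kind == "pmap" and w[0] == "identity":
            cfg["pmap"][name][cls] = w[-1]
    return cfg

def resolve(cfg, pmap_name, av_pairs, client_ip):
    """Follow tag-name -> class-map -> identity policy -> user-group/ACL; None if no match."""
    tag = dict(p.split("=", 1) for p in av_pairs).get("tag-name")
    for cls, idpol in cfg["pmap"][pmap_name].items():
        if tag is None or any(t != tag for t in cfg["class"][cls]):  # match-all
            continue
        pol = cfg["identity"][idpol]
        # Auth-Proxy installs each ACE with the 'any' source pinned to the authenticated host
        aces = [ace.replace(" any ", f" host {client_ip} ", 1)
                for ace in cfg["acl"][pol["access-group"]]]
        return {"user-group": pol["user-group"], "class": cls, "dynamic_aces": aces}
    return None
```

A reply carrying a tag that no class-map in the policy-map matches, or no tag-name pair at all, resolves to None, which is the case to watch for when a user ends up without the expected dynamic opening.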