Integrating Auth-Proxy and the ZFW
The previous sections detailed two methods of associating users with local user groups in IOS. The acquired user-to-group mapping information will now be applied to create distinct ZFW policies.
Example 7 summarizes ACS settings for GROUP1 and GROUP2, which respectively include user1 and user2. Notice that the group definitions use method 1.
Example 7. CS-ACS Settings for Scenario 3
! Members of GROUP1 are assigned a DACL after authentication
ACS/Group Settings : GROUP1
Downloadable ACLs - Assign IP ACL: DACL1
  permit tcp any any eq 80
  permit icmp any any echo
[009\001] cisco-av-pair
  priv-lvl=15
  supplicant-group=GROUP1
!
! Members of GROUP2 are assigned an individual ACE after authentication
ACS/Group Settings : GROUP2
[009\001] cisco-av-pair
  priv-lvl=15
  supplicant-group=GROUP2
  proxyacl#1=permit tcp any any eq 22
Example 8 shows the set of commands used to create a zone-pair security policy that takes the local user-group associations into account.
Example 8. Baseline Configuration for ZFW and Auth-Proxy Integration
! Defining inspect class-maps that match local user-group information
! Defining inspect class-maps that match local user-group information
class-map type inspect match-all CLASS11
 match user-group GROUP1
 match protocol tcp
class-map type inspect match-all CLASS12
 match user-group GROUP1
 match protocol icmp
class-map type inspect match-all CLASS21
 match user-group GROUP2
 match protocol tcp
!
! Defining a policy-map for inspection
policy-map type inspect IN-OUT
 class type inspect CLASS11
  inspect
 class type inspect CLASS12
  inspect
  police rate 16000 burst 3000
 class type inspect CLASS21
  inspect
 class class-default
  drop log
!
! Defining zones and zone-pairs
zone security INSIDE
zone security OUTSIDE
zone-pair security OUTBOUND source INSIDE destination OUTSIDE
 service-policy type inspect IN-OUT
!
! Defining an Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION proxy telnet inactivity-time 60
!
! Assigning interfaces to zones and applying the Auth-Proxy policy to VLAN21
interface Vlan21
 ip admission ADMISSION
 zone-member security INSIDE
!
interface FastEthernet4.201
 zone-member security OUTSIDE
Example 9 displays the following processes for user2, a member of GROUP2:
Auth-Proxy intercepting Telnet traffic
Supplicant-group=GROUP2 AV-Pair being assigned to IOS
The original Telnet session being created by the ZFW
A new SSH session controlled only by ZFW.
Example 9. Auth-Proxy and Zone Firewall in Action
AUTH-PROXY creates info:
    cliaddr - 172.21.21.250, cliport - 1496
    seraddr - 172.16.201.2, serport - 23
    ip-srcaddr 172.21.21.250
    pak-srcaddr 172.21.21.101
AUTH-PROXY: Allocate Unique_id 1E
RADIUS(0000001E): Send Access-Request to 172.21.21.250:1812 id 1645/27, len 104
RADIUS:  authenticator BD B2 75 D4 36 9A FE CF - D4 D5 D4 ED 43 A8 4A 34
RADIUS:  User-Name           [1]   7   "user2"
[ output suppressed]
RADIUS: Received from id 1645/27 172.21.21.250:1812, Access-Accept, len 136
RADIUS:  authenticator F3 CD C1 47 F2 76 FB 1B - D5 4C 58 44 07 19 15 DD
RADIUS:  Vendor, Cisco       [26]  19
RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:  Vendor, Cisco       [26]  31
RADIUS:   Cisco AVpair       [1]   25  "supplicant-group=GROUP2"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "proxyacl#1=permit tcp any any eq 22"
[ output suppressed]
FIREWALL sis 84668480: Session Created
FIREWALL sis 84668480: Pak 84184CC4 init_addr (172.21.21.250:1496) resp_addr (172.16.201.2:23) init_alt_addr (172.21.21.250:1496) resp_alt_addr (172.16.201.2:23)
!
! User "user2" starts SSH session after Auth-Proxy (ZFW inspection comes into play)
FIREWALL* sis 84668680: Session Created
FIREWALL* sis 84668680: Pak 83D1D13C init_addr (172.21.21.250:1500) resp_addr (172.16.200.200:22) init_alt_addr (172.21.21.250:1500) resp_alt_addr (172.16.200.200:22)
!
! Displaying ZFW sessions
DMZ# show policy-map type inspect zone-pair sessions | include Session
 Number of Established Sessions = 2
 Established Sessions
  Session 84668480 (172.21.21.250:1496)=>(172.16.201.2:23) tcp SIS_OPEN
  Session 84668680 (172.21.21.250:1500)=>(172.16.200.200:22) tcp SIS_OPEN
Example 10 summarizes user-group information for GROUP1 and GROUP2.
Example 10. Displaying User Group Information
! 02 users connected with 02 different authorization parameters (DACL and AV-Pair)
DMZ# show user-group
Usergroup : GROUP1
---------------------------------------------------------------------------
User Name Type Interface Learn Age (min)
---------------------------------------------------------------------------
172.21.21.101 IPv4 Vlan21 Dynamic 8
Usergroup : GROUP2
---------------------------------------------------------------------------
User Name Type Interface Learn Age (min)
---------------------------------------------------------------------------
172.21.21.250 IPv4 Vlan21 Dynamic 10
!
DMZ# show epm session ip 172.21.21.250
Admission feature : Authproxy
AAA Policies :
Supplicant-Group : GROUP2
Proxy ACL : permit tcp any any eq 22
!
DMZ# show epm session ip 172.21.21.101
Admission feature : Authproxy
AAA Policies :
ACS ACL : xACSACLx-IP-DACL1-4aac618d
Supplicant-Group : GROUP1
!
DMZ# show access-list xACSACLx-IP-DACL1-4aac618d
Extended IP access list xACSACLx-IP-DACL1-4aac618d (per-user)
10 permit tcp any any eq www
20 permit icmp any any echo
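To make the interplay between Examples 8 and 10 concrete, the following Python model (added here; it is not IOS output or the book's code) rebuilds the IP-to-group table from the show user-group rows and walks a packet through policy-map IN-OUT in order with match-all semantics. It models only the ZFW class-map selection, not the per-user ACL that Auth-Proxy installs, and reduces match protocol to a protocol name string.

```python
import re

# Constructed from Example 10 (DMZ# show user-group), rows as the router prints them.
SHOW_USER_GROUP = """\
Usergroup : GROUP1
---------------------------------------------------------------------------
User Name            Type   Interface   Learn    Age (min)
---------------------------------------------------------------------------
172.21.21.101        IPv4   Vlan21      Dynamic  8
Usergroup : GROUP2
---------------------------------------------------------------------------
User Name            Type   Interface   Learn    Age (min)
---------------------------------------------------------------------------
172.21.21.250        IPv4   Vlan21      Dynamic  10
"""

# Example 8 transcribed: match-all class-maps (group, protocol), then IN-OUT in order.
CLASS_MAPS = {
    "CLASS11": ("GROUP1", "tcp"),
    "CLASS12": ("GROUP1", "icmp"),
    "CLASS21": ("GROUP2", "tcp"),
}
POLICY_IN_OUT = [("CLASS11", "inspect"),
                 ("CLASS12", "inspect, police rate 16000 burst 3000"),
                 ("CLASS21", "inspect")]
CLASS_DEFAULT = ("class-default", "drop log")

def parse_user_groups(text):
    """Map each IPv4 'User Name' row to the Usergroup header above it."""
    groups, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Usergroup\s*:\s*(\S+)", line)
        if header:
            current = header.group(1)
        elif current and (row := re.match(r"(\d+\.\d+\.\d+\.\d+)\s+IPv4\s", line)):
            groups[row.group(1)] = current
    return groups

def classify(src_ip, protocol, user_groups):
    """First class-map whose group AND protocol both hold wins (match-all);
    a host with no user-group entry can only fall into class-default."""
    group = user_groups.get(src_ip)  # None for a host that never authenticated
    for name, action in POLICY_IN_OUT:
        if CLASS_MAPS[name] == (group, protocol):
            return name, action
    return CLASS_DEFAULT

if __name__ == "__main__":
    ug = parse_user_groups(SHOW_USER_GROUP)
    print(classify("172.21.21.250", "tcp", ug), classify("172.21.21.250", "icmp", ug))
```

Note that user2's SSH (tcp) lands in CLASS21 and is inspected, whereas the same host sending ICMP, or any host absent from the user-group table, falls through to class-default and is dropped and logged.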