Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 2) - IOS Auth-Proxy with Downloadable Access Control Entries

Scenario 1: IOS Auth-Proxy with Downloadable Access Control Entries

This is completely analogous to what was done for ASA in Scenario 2 of the “ASA User-Level Control with Cut-Through Proxy” section.

Example 4 illustrates Auth-proxy performing the interception and interacting with the RADIUS server, whereas Example 5 shows the authentication and authorization results.

Example 3. Defining Individual ACEs on CS-ACS for IOS Auth-Proxy

ACS/Group Settings : GROUP1
[009\001] cisco-av-pair
  priv-lvl=15
  proxyacl#1=permit tcp any any eq 22
  proxyacl#2=permit tcp any any eq 23

Example 4. Telnet Session Intercepted by Auth-Proxy

! Telnet Session is intercepted by Auth-Proxy process (before reaching interface ACL)
AUTH-PROXY creates info:
         cliaddr - 172.21.21.101, cliport - 1562
         seraddr - 172.16.201.2, serport - 23
                 ip-srcaddr 172.21.21.101
                 pak-srcaddr 0.0.0.0

! NAS sends request to CS-ACS and receives individual ACEs (proxyacl)

RADIUS(0000000C): Send Access-Request to 172.21.21.250:1812 id 1645/12, len 104
RADIUS:  authenticator 73 DC D7 7B 91 B4 61 38 - 4E 65 CB A5 B3 4F AD 9D
RADIUS:  User-Name           [1]   7   "user1"
[output suppressed]
RADIUS: Received from id 1645/12 172.21.21.250:1812, Access-Accept, len 148
RADIUS:  authenticator ED 65 FB F6 64 B9 33 6D - A3 5E B8 5F 14 36 D4 21
RADIUS:  Vendor, Cisco       [26]  19
RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "proxyacl#1=permit tcp any any eq 22"
RADIUS:  Vendor, Cisco       [26]  43
RADIUS:   Cisco AVpair       [1]   37  "proxyacl#2=permit tcp any any eq 23"
[output suppressed]

Example 5. Verifying Authenticated Users and Downloaded ACEs

DMZ# show ip auth-proxy cache
Authentication Proxy Cache
Client Name user1, Client IP 172.21.21.101, Port 1562, timeout 60, Time Remaining 60, state INTERCEPT
!
! Details about the current Auth-Proxy session

DMZ# show epm session ip 172.21.21.101
Admission feature       : Authproxy
AAA Policies            :
Proxy ACL               : permit tcp any any eq 22
Proxy ACL               : permit tcp any any eq 23

!
! Viewing Dynamic Entries (for host 172.21.21.101) added to the interface ACL

DMZ# show access-list
Extended IP access list 100
     permit tcp host 172.21.21.101 any eq 22 (18 matches)
     permit tcp host 172.21.21.101 any eq telnet (70 matches)
    10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (1 match)
    20 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1 (1 match)
    30 permit tcp any 172.16.201.0 0.0.0.255 eq telnet

Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 4) - Combining Classic IP Inspection (CBAC) and Auth-Proxy

Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 3) - IOS Auth-Proxy with Downloadable ACLs

Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 1)

Other

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 6) - HTTP Listener

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 5) - Cut-Through Proxy with Downloadable ACLs

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 4) - Cut-Through Proxy with Locally Defined ACL

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 3) - Cut-Through Proxy with Downloadable ACEs

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 2) - Simple Cut-Through Proxy

Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 1)

Identity on Cisco Firewalls : Selecting the Authentication Protocol

Commercial Backup Utilities : Ease of Recovery, Robustness, Automation, Volume Verification

Commercial Backup Utilities : Ease of Administration, Security

Commercial Backup Utilities : Support of a Standard or Custom Backup Format