programming4us
programming4us
ENTERPRISE

Identity on Cisco Firewalls : User-Based Zone Policy Firewall (part 2) - Establishing user-group Membership Awareness in IOS - Method 2

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

Establishing user-group Membership Awareness in IOS - Method 2

This is the second method to provide IOS with user-group membership visibility. This second technique uses a lot of indirect references, which brings more complexity.

Example 3 shows how to assign the tag-name attribute in CS-ACS Group Settings. In this particular scenario, the value for the attribute was not simply GROUP2 but GROUP2-TAG instead. The reason for this choice is to clearly define each match operation executed in Example 4.

 The summary of operations is basically the following:

  • Auth-Proxy intercepts the Telnet traffic and receives authorization information from the RADIUS server, containing a value for the tag-name attribute. This value is matched by a control tag class-map, which is used to define an Identity policy.

  • The Identity policy just born enables the specification of a local user-group and an associated ACL.

  • The user-group can be later matched to decide which security policy is enforced. 

Example 3. Assigning the tag-name AV Pair to a user-group in CS-ACS
ACS/Group Settings : GROUP2
 [009\001] cisco-av-pair
  priv-lvl=15
  tag-name=GROUP2-TAG

Example 4. New Auth-Proxy Configuration Matching the tag-name AV-Pair
! Defining a local ACL that will be assigned by the Identity policy
ip access-list extended ACL2
 permit tcp any 172.16.0.0 0.0.255.255 eq telnet
!
! Defining a class-map that matches the tag-name AV-Pair (control tag)

class-map type control tag match-all GROUP2-CLASS
 match tag GROUP2-TAG
!
! The Identity policy receives tag-name and assigns local user-group and ACL

identity policy GROUP2-TAG
 access-group ACL2
 user-group GROUP2
!
! This control tag policy-map is evoked by the new Auth-Proxy (IP Admission) policy
policy-map type control tag TAG-NAME
 class type control tag GROUP2-CLASS
  identity policy GROUP2-TAG
!
! Defining the Auth-Proxy policy to intercept Telnet traffic

ip admission name ADMISSION2 proxy telnet service-policy type tag TAG-NAME
!
! Assigning the Auth-Proxy policy to the input interface

interface Vlan21
ip address 172.21.21.1 255.255.255.0
 ip access-group 100 in
 ip admission ADMISSION2

Example 5 documents the delivery of the tag-name attribute to IOS, in the conventional RADIUS authorization fashion. After that, you can see how the Tag and Template process matches the received value inside the control tag policy-map.

Example 6 details the user-group information just obtained. To establish a clear distinction between the two methods just discussed. Example 6 also makes the dynamic opening, based on ACL2, immediately noticeable on access-list 100.

Example 5. CS-ACS Delivers the tag-name AV-Pair to the NAS
AUTH-PROXY creates info:
         cliaddr - 172.21.21.250, cliport - 4575
         seraddr - 172.16.201.2, serport - 23
                 ip-srcaddr 172.21.21.250
                 pak-srcaddr 0.0.0.0
AUTH-PROXY: Allocate Unique_id 18

RADIUS(00000018): Send Access-Request to 172.21.21.250:1812 id 1645/23, len 104
RADIUS:  authenticator 0D 38 6E 4E DB 64 F8 EF - EB 55 0B BD E9 13 E8 B2
RADIUS:  User-Name           [1]   7   "user2"
[output suppressed]
RADIUS: Received from id 1645/23 172.21.21.250:1812, Access-Accept, len 89
RADIUS:  authenticator 60 9A AB D3 40 F8 34 AC - B8 B9 84 FA 05 22 AE 97
RADIUS:  Vendor, Cisco       [26]  19
RADIUS:   Cisco AVpair       [1]   13  "priv-lvl=15"
RADIUS:  Vendor, Cisco       [26]  27
RADIUS:   Cisco AVpair       [1]   21  "tag-name=GROUP2-TAG"
[output suppressed]
!
! Tag and Template process matches the tag-name attribute

TT_EVE_DEB:Set the tag filter type value GROUP2-TAG
TT_EVE_DEB:Filter head 84775414 filter head new 8472C04C
TT_EVE_DEB:In function tt_client_tag_query
TT_EVE_DEB:Verifying the match parameters for policy-map TAG-NAME
TT_EVE_DEB:In function tt_is_match_valid
TT_EVE_DEB:Match tag filter
TT_EVE_DEB:Comparing tag : GROUP2-TAG to GROUP2-TAG

Example 6. Verifying User Group Membership on the NAS
DMZ# show ip auth-proxy cache
Authentication Proxy Cache
 Client Name user2, Client IP 172.21.21.250, Port 4575, timeout 60, Time Remaining 60, state INTERCEPT
!
! Information about the indirect model used (class-map and policy-map)

DMZ# show epm session ip 172.21.21.250
Admission feature       : Authproxy
Tag Received            : GROUP2-TAG
Policy map used         : TAG-NAME
Class map matched       : GROUP2-CLASS
!
DMZ# show user-group
Usergroup : GROUP2
-----------------------------------------------------------------------
 Name       Type     Interface              Learn         Age (min)
-----------------------------------------------------------------------
172.21.21.250   IPv4     Vlan21                 Dynamic         0
!
! A dynamic entry is created on ACL 100 using the definitions of ACL2

DMZ# show access-list
Extended IP access list 100
     permit tcp host 172.21.21.250 172.16.0.0 0.0.255.255 eq telnet (34 matches)
    10 permit udp host 172.21.21.250 eq 1812 host 172.21.21.1 (1 match)
    20 permit udp host 172.21.21.250 eq 1813 host 172.21.21.1 (1 match)
    30 permit tcp any 172.16.201.0 0.0.0.255 eq telnet
Extended IP access list ACL2
    10 permit tcp any 172.16.0.0 0.0.255.255 eq telnet

Other  
  •  Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 4) - Combining Classic IP Inspection (CBAC) and Auth-Proxy
    •
  •  Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 3) - IOS Auth-Proxy with Downloadable ACLs
    •
  •  Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 2) - IOS Auth-Proxy with Downloadable Access Control Entries
    •
  •  Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 1)
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 6) - HTTP Listener
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 5) - Cut-Through Proxy with Downloadable ACLs
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 4) - Cut-Through Proxy with Locally Defined ACL
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 3) - Cut-Through Proxy with Downloadable ACEs
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 2) - Simple Cut-Through Proxy
    •
  •  Identity on Cisco Firewalls : ASA User-Level Control with Cut-Through Proxy (part 1)
    •
     
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us
    programming4us
     
    		 
    		programming4us