Identity on Cisco Firewalls : IOS User-Level Control with Auth-Proxy (part 1)


The previous section presented a thorough analysis of the Cut-Through Proxy operation on the ASA family. In the current one a similar IOS mechanism called Auth-Proxy is covered in detail. Although the conception and purpose of the features are similar, they have some distinct operational behaviors. The differences that deserve special mention follow:

  • Although the dynamic permissions created by Cut-Through Proxy are natively stateful, IOS Auth-Proxy permissions are originally stateless. Nevertheless, after being combined with CBAC or Zone Policy Firewall, the Auth-Proxy permissions undergo stateful inspection and behave much like the ASA's.

  • In ASA, inbound interface ACLs initially have precedence over Cut-Through Proxy derived permissions. It is therefore necessary to explicitly allow the application protocol in this ACL before the interception can take place. If the per-user-override option is enabled and a DACL is downloaded, the dynamic permissions take precedence over the static ones.

  • In IOS, Auth-Proxy intercepts the application protocol that triggers authentication before it reaches the inbound interface ACL. You can see how this works through the analysis of some usage scenarios.

  • Although IOS uses the proxyacl RADIUS VSA to download individual ACEs to the NAS, ASA uses the ip:inacl VSA to accomplish this task.

  • The RADIUS server can send the IETF Filter-ID attribute pointing to an ASA locally defined ACL. The activation of such an ACL in IOS currently requires the usage of the tag-name VSA.
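To make the attribute differences above concrete, the following added example (not code from the book or from Cisco) encodes and decodes the RADIUS attributes involved: Cisco VSAs (attribute 26, vendor 9, cisco-avpair) carrying proxyacl#n (IOS) or ip:inacl#n (ASA) ACEs, and the IETF Filter-ID attribute. The Access-Accept attribute list is constructed, and the exact "tag-name=<ACL>" av-pair syntax is an assumption.

```python
import struct
# RADIUS attribute numbers and Cisco's vendor values (standard VSA layout)
ATTR_FILTER_ID, ATTR_VENDOR_SPECIFIC = 11, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # cisco-avpair: free-form "key=value" string

def encode_attr(atype, value):
    # Plain attribute: Type, Length (header included), Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def encode_cisco_avpair(avpair):
    # Attribute 26 body: Vendor-Id, then Vendor-Type/Vendor-Length/String
    inner = encode_attr(CISCO_AVPAIR, avpair.encode("ascii"))
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def decode_attrs(blob):
    """Walk an attribute list; return (type, vendor_id, vendor_type, text) tuples."""
    out, pos = [], 0
    while pos < len(blob):
        atype, alen = struct.unpack_from("!BB", blob, pos)
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = blob[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            vendor_id, vtype, vlen = struct.unpack_from("!IBB", value)
            out.append((atype, vendor_id, vtype, value[6:4 + vlen].decode("ascii")))
        else:
            out.append((atype, None, None, value.decode("ascii")))
        pos += alen
    return out

def classify_user_acl(attrs):
    """Sort decoded attributes into the per-user ACL mechanisms the text contrasts."""
    res = {"ios_proxyacl": [], "asa_inacl": [], "filter_id": None, "ios_tag_name": None}
    for atype, vid, vtype, text in attrs:
        if atype == ATTR_FILTER_ID:                 # ASA: name of a locally defined ACL
            res["filter_id"] = text
        elif (atype, vid, vtype) == (ATTR_VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR):
            key, _, val = text.partition("=")
            if key.startswith("proxyacl#"):         # IOS Auth-Proxy: one ACE per av-pair
                res["ios_proxyacl"].append(val)
            elif key.startswith("ip:inacl#"):       # ASA Cut-Through Proxy: one ACE per av-pair
                res["asa_inacl"].append(val)
            elif key == "tag-name":                 # IOS: assumed "tag-name=<ACL>" syntax
                res["ios_tag_name"] = val
    return res

# Constructed Access-Accept attribute list (not a capture from the book's lab)
SAMPLE = (encode_cisco_avpair("proxyacl#1=permit tcp any any eq 80")
          + encode_cisco_avpair("proxyacl#2=permit tcp any any eq 443")
          + encode_cisco_avpair("ip:inacl#1=permit tcp any any eq 80")
          + encode_attr(ATTR_FILTER_ID, b"USERS-ACL"))
```

Running classify_user_acl(decode_attrs(SAMPLE)) shows which entries an IOS NAS would turn into Auth-Proxy ACEs and which only an ASA would honor.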

After this brief introduction, you can now get back to a set of practical usage scenarios that serve to emphasize the potential of the Auth-Proxy feature.

For the following examples Telnet is chosen as the triggering protocol because its connections are long-lived compared to HTTP. This makes life easier when dealing with debug commands and viewing established sessions. After becoming familiar with Auth-Proxy concepts, you are greatly encouraged to proceed with an equivalent analysis using HTTP (or even better, HTTPS) as the triggering protocol.

Figure 1 shows the reference topology used for the Auth-Proxy scenarios that follow.

Figure 1. Network Topology for the Auth-Proxy Usage Scenarios

Example 1 shows the relevant AAA commands for the Auth-Proxy scenarios. Example 2 complements the previous one by including the necessary commands to enable Auth-Proxy for Telnet interception.

Example 1. Baseline AAA Configuration for Auth-Proxy Scenarios
aaa new-model
! Instructing the NAS to receive, send and process Vendor Specific Attributes (VSAs)
radius-server vsa send accounting
radius-server vsa send authentication
! Instructing the NAS to send the IETF "Service-Type" attribute to the RADIUS server
radius-server attribute 6 on-for-login-auth
! Defining the source interface for RADIUS packets
ip radius source-interface Vlan21
! Defining an AAA server group called "RADIUS1"
aaa group server radius RADIUS1
server auth-port 1812 acct-port 1813
server-private auth-port 1812 acct-port 1813 key 7 13061E010803557878
! This method list will be applied to the console and VTY lines
aaa authentication login CONSOLE none
! Auth-Proxy service uses the AAA server group "RADIUS1" previously defined
aaa authentication login default group RADIUS1
aaa authorization network default group RADIUS1
aaa authorization auth-proxy default group RADIUS1
aaa accounting auth-proxy default start-stop group RADIUS1
! Excluding console and VTY lines from the "default" login method (which uses RADIUS)
line con 0
login authentication CONSOLE
line vty 0 4
login authentication CONSOLE
transport input telnet ssh

Example 2. Baseline Auth-Proxy Configuration
! Defining an ACL to be applied to the same interface as Auth-Proxy
access-list 100 permit udp host eq 1812 host
access-list 100 permit udp host eq 1813 host
access-list 100 permit tcp any eq telnet
! Defining the Auth-Proxy policy to intercept Telnet traffic
ip admission name ADMISSION1 proxy telnet
! Applying the Auth-Proxy policy to interface Vlan21 (Auth-Proxy incoming interface)
interface Vlan21
description *** INSIDE interface ***
ip address
ip access-group 100 in
ip admission ADMISSION1
