User-based Access Control with the Cisco IOS Zone-based Policy Firewall

So far we have had some discussions about both the Zone-based Policy Firewall (ZFW) and user-based access control (as powered by IOS Auth-proxy functionality). It is now time to mix these two technologies to render auth-proxy stateful and produce the so-called User-based ZFW behavior.

Figure 1 summarizes the relevant settings to build such a scenario:

  • A Zone-based firewall policy is constructed using the classic ZFW building blocks. One noteworthy difference here is that the class-maps are also matching on the “user-group” parameter.
  • This user information is obtained after the router receives the “supplicant-group” Vendor Specific Attribute (VSA) from the RADIUS server. (The router learned the user credentials using Auth-proxy, pretty much in the same way as already examined in previous posts).

Figure 1: Combining the Cisco IOS Zone-based Policy Firewall with Auth-proxy

Figure 2 shows the details of Auth-proxy and RADIUS for this environment:

  • Instead of an ACE (or a downloadable ACL), the router now receives the “supplicant-group” VSA.
  • The router now has local knowledge of the user-to-group mappings.

Figure 2: Auth-proxy and RADIUS information in the user-based ZFW scenario
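The configuration below is an added, constructed example (it is not taken from the original post or from the figures) showing how the pieces in Figures 1 and 2 fit together on the router: Auth-proxy (ip admission) intercepts the user's HTTP session, RADIUS returns the supplicant-group VSA, and the ZFW class-maps add "match user-group" to the usual protocol matches. Zone, interface, group and policy names, the RADIUS server address and the policing values are assumptions; the RADIUS key is a placeholder.

```text
! --- AAA and RADIUS (assumed server address, placeholder key) ---
aaa new-model
aaa authentication login default group radius local
aaa authorization auth-proxy default group radius
radius-server host 10.0.0.10 auth-port 1812 acct-port 1813 key <RADIUS-KEY-PLACEHOLDER>
!
! --- Auth-proxy: HTTP interception, credentials checked via AAA ---
ip http server
ip http authentication aaa
ip admission name WEBAUTH proxy http
!
! --- ZFW class-maps: same building blocks as before, plus the user-group match.
! The group name must equal the value carried in the RADIUS cisco-av-pair
! "supplicant-group=ENGINEERING" (assumed group name).
class-map type inspect match-all CM-ENG-WEB
 match user-group ENGINEERING
 match protocol http
!
class-map type inspect match-all CM-OTHER-WEB
 match protocol http
!
! --- Policy: engineers are inspected normally; everyone else is inspected
! and rate-limited with the police action (assumed rate/burst values).
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect CM-ENG-WEB
  inspect
 class type inspect CM-OTHER-WEB
  inspect
  police rate 256000 burst 8000
 class class-default
  drop
!
! --- Zones and zone-pair ---
zone security INSIDE
zone security OUTSIDE
zone-pair security INSIDE-TO-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
!
! --- Interfaces: auth-proxy is applied on the user-facing (INSIDE) interface ---
interface GigabitEthernet0/0
 description Users (assumed)
 zone-member security INSIDE
 ip admission WEBAUTH
!
interface GigabitEthernet0/1
 description Uplink (assumed)
 zone-member security OUTSIDE
```

On the RADIUS side the user (or the group the user belongs to) is returned a Cisco VSA of the form cisco-av-pair = "supplicant-group=ENGINEERING" instead of the proxyacl entries used in the pure auth-proxy scenario. Until a user has authenticated, no user-group is associated with the source address, so the first class-map cannot match and the session falls into CM-OTHER-WEB; after a successful Auth-proxy login the router's local user-to-group mapping makes the engineering policy apply to that host. Useful verification commands are show ip admission cache (who is authenticated and from where), show user-group (the learned user-to-group mappings), and show policy-map type inspect zone-pair (which class each session hit and whether the police action is dropping).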

** Topics for Study:

  • Contrast the pure auth-proxy diagrams of previous articles with the current post: can you spot the differences? (What about the similarities?)
  • Compare the RADIUS interactions between router (AAA client) and CS-ACS (AAA Server).
  • Notice that one of the class-maps now includes a “police” action. What does that mean?
