So far we have discussed both the Zone-based Policy Firewall (ZFW) and user-based access control (as powered by the IOS Auth-proxy functionality). It is now time to combine these two technologies, rendering auth-proxy stateful and producing the so-called User-based ZFW behavior.
Figure 1 summarizes the relevant settings to build such a scenario:
- A Zone-based firewall policy is constructed using the classic ZFW building blocks. One noteworthy difference here is that the class-maps are also matching on the “user-group” parameter.
- This user information is obtained after the router receives the “supplicant-group” Vendor Specific Attribute (VSA) from the RADIUS server. (The router learned the user credentials using Auth-proxy, pretty much in the same way as already examined in previous posts).
Figure 2 shows the details of Auth-proxy and RADIUS for this environment:
- Instead of an ACE (or a DACL), the router now receives the supplicant-group attribute.
- The router now has local knowledge of the user-to-group mappings.
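The following IOS configuration is an added example that ties the pieces above together; it is not the configuration from the author's figures. The zone names, group names (ENGINEERS, GUESTS), addresses, interface names and the RADIUS key are constructed placeholders, and the Auth-proxy rule uses the `ip admission` form of the CLI. The RADIUS server is assumed to return the Cisco AV-pair `supplicant-group=<group>` for each authenticated user, which is what the `match user-group` lines in the class-maps act on.

```cisco
! Added example, not the author's configuration. All names/addresses are placeholders.
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius-server host 192.0.2.10 key EXAMPLE-KEY
!
! Auth-proxy intercepts HTTP from inside hosts and authenticates the user against RADIUS.
! The Access-Accept is assumed to carry cisco-av-pair "supplicant-group=ENGINEERS"
! (or "supplicant-group=GUESTS") instead of an ACE or a downloadable ACL.
ip admission name AUTHPROXY proxy http
!
zone security INSIDE
zone security OUTSIDE
!
! User-based class-maps: the learned user-group is matched alongside the protocol.
class-map type inspect match-all ENG-WEB
 match user-group ENGINEERS
 match protocol http
class-map type inspect match-all GUEST-WEB
 match user-group GUESTS
 match protocol http
!
policy-map type inspect IN-TO-OUT
 class type inspect ENG-WEB
  inspect
 class type inspect GUEST-WEB
  inspect
  ! per-class rate limit for the guest group (bps / burst bytes are placeholders)
  police rate 256000 burst 8000
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip admission AUTHPROXY
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 zone-member security OUTSIDE
```

Until a host has authenticated, it has no user-group and only hits `class-default`, so its traffic is dropped and logged; once the supplicant-group attribute arrives, the user-based class-maps start matching. The learned user-to-group mappings can be listed with `show user-group`, and the authenticated sessions with `show ip admission cache`.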
** Topics for Study:
- Contrast the pure auth-proxy diagrams of previous articles with the current post: can you spot the differences? (What about the similarities?)
- Compare the RADIUS interactions between router (AAA client) and CS-ACS (AAA Server).
- Notice that one of the class-maps now includes a “police” action. What does that mean?
** Related Posts:
- Zone Firewall Series: https://alexandremspmoraes.wordpress.com/tag/zone-firewall/
- Identity Series: https://alexandremspmoraes.wordpress.com/tag/identity/
- The following article describes the evolution of Identity capabilities on Firewalls: http://wp.me/p1loe7-l2