Tag Archives: radius

The Evolution of Identity Services on Firewalls

The IP address is a basic attribute of any computer system that relies on the TCP/IP protocol stack to establish network connectivity. As a result, the vast majority of access control rules deployed on stateful firewalls are based on parameters found, for instance, in the IP, TCP, UDP and HTTP headers. Although this protocol-based approach has proven powerful, the need for networks flexible enough to accommodate multiple classes of users (employees, contractors, guests), together with the growing demand for network mobility, has motivated the search for alternative ways of implementing access control.

This article briefly examines the creation of firewall rules that include some sort of Identity-based information for the users initiating connection requests. As we will see later, in some scenarios identity information may also be associated with the servers.

The first generation is centered on the captive portal paradigm, relying mainly on downloadable ACLs to differentiate among users connecting through the firewall. The second, normally referred to as the ID Firewall, allows the creation of permissions based on MS AD user/group domain information. The third generation, known as the SGT Firewall, represents a true evolution because it provides integration not only between the firewall and the edge devices (such as wireless APs and LAN switches), which are the main source of user information, but also between the firewall and the switches that reside on the server side (as shown in the figure below).

To read the complete article, follow the link to the Cisco Support Community.


** Additional Reading

  1. A more detailed description of the first generation (https://alexandremspmoraes.wordpress.com/2012/01/27/cisco-firewalls-and-user-based-access-control/)
  2. Illustrating the use of RADIUS Authorization Profiles on Cisco IOS  (https://alexandremspmoraes.wordpress.com/2012/02/02/cisco-ios-authentication-proxy-and-radius-authorization-profiles/)



Filed under English, Firewalls, Identity, Security

User-based Access Control with the Cisco IOS Zone-based Policy Firewall

So far we have had some discussions about both the Zone-based Policy Firewall (ZFW) and user-based access control (as powered by IOS Auth-proxy functionality). It is now time to mix these two technologies to render auth-proxy stateful and produce the so-called User-based ZFW behavior.

Figure 1 summarizes the relevant settings to build such a scenario:

  • A Zone-based firewall policy is constructed using the classic ZFW building blocks. One noteworthy difference here is that the class-maps are also matching on the “user-group” parameter.
  • This user information is obtained after the router receives the “supplicant-group” Vendor Specific Attribute (VSA) from the RADIUS server. (The router learned the user credentials using Auth-proxy, pretty much in the same way as already examined in previous posts).

Figure 1: Combining the Cisco IOS Zone-based Policy Firewall with Auth-proxy

Figure 2 shows the details of Auth-proxy and RADIUS for this environment:
  • Instead of an ACE (or a DACL), the router now receives the supplicant-group attribute.
  • The router now has local knowledge of the user-to-group mappings.

Figure 2: Auth-proxy and RADIUS information in the user-based ZFW scenario
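As an added illustration (not configuration from the original post or its figures), the Cisco IOS snippet below shows how the pieces described above fit together: auth-proxy collecting credentials, RADIUS returning the supplicant-group VSA, and ZFW class-maps matching on user-group. Interface names, zone names, group names, the server address and the shared-secret placeholder are assumptions.

```cisco
! --- AAA: RADIUS server (assumed address) that returns the supplicant-group VSA,
! --- e.g. cisco-av-pair "supplicant-group=ENG" in the authorization profile
aaa new-model
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
radius server LAB-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET-PLACEHOLDER
!
! --- Auth-proxy: the HTTP server must be on so the router can intercept web requests
ip http server
ip admission name WEB-AUTH proxy http
!
! --- Zones: users on INSIDE, servers on OUTSIDE; auth-proxy applied on the user side
zone security INSIDE
zone security OUTSIDE
interface GigabitEthernet0/0
 description INSIDE (users)
 zone-member security INSIDE
 ip admission WEB-AUTH
interface GigabitEthernet0/1
 description OUTSIDE (servers)
 zone-member security OUTSIDE
!
! --- Class-maps: protocol match combined with the user-group learned from RADIUS
class-map type inspect match-any WEB-TRAFFIC
 match protocol http
 match protocol https
class-map type inspect match-all ENG-WEB
 match class-map WEB-TRAFFIC
 match user-group ENG
class-map type inspect match-all GUEST-WEB
 match class-map WEB-TRAFFIC
 match user-group GUEST
!
! --- Policy: both groups are inspected statefully; guests are also rate-limited
! --- (police rate in bps, burst in bytes); unauthenticated or unknown traffic is dropped
policy-map type inspect IN-TO-OUT
 class type inspect ENG-WEB
  inspect
 class type inspect GUEST-WEB
  inspect
  police rate 256000 burst 16000
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
```

Because class-default drops, a user whose RADIUS profile returns no supplicant-group (or a group not named in any class-map) gets no web access through the zone-pair, which is the fail-closed behavior a user-based firewall should exhibit.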

** Topics for Study:

  • Contrast the pure auth-proxy diagrams of previous articles with the current post: can you spot the differences? (What about the similarities?)
  • Compare the RADIUS interactions between the router (AAA client) and CS-ACS (AAA server).
  • Notice that one of the class-maps now includes a “police” action. What does that mean?

Filed under English, Firewalls, Identity, Security