Cisco ASA Identity Firewall (Part 1: Introduction)

          Last week, I had an opportunity to sit in a security presentation given by Cisco at PBM. There was a mention of the recent release of the 8.4(2) code, and one of the features that caught my attention was Identity Firewall. This is something that other firewall vendors like Palo Alto have already been doing, so I was curious to see how it works on the Cisco ASA.
          This article demonstrates, through a lab setup, the basic concept of the identity-based Access Control List (ACL) introduced in Cisco ASA 8.4(2). In addition to the traditional method of using the source IP address to restrict network access, an identity-based ACL allows security policy to be enforced based on Active Directory domain username and user group. A new type of object-group (object-group user) is also introduced as part of this feature.

Prerequisites:
          - ASA 8.4(2)
          - Active Directory on Windows 2003 (non-R2), 2008, and 2008 R2 server
          - AD agent installed on Windows 2003 (non-R2), 2008, and 2008 R2 server

Lab Diagram:
          (lab topology diagram not reproduced in this text version)

Lab Parameters:
          Domain: CISCOLAB.COM
          AD User1: user1 (allowed ping only)
          AD User2: neteng (allowed telnet only)
          AD User Group: Network Admin (member = neteng)
          Domain Test PC: TESTPC1

Configuration Steps:
           1. Create AD user for ASA and AD Agent
           2. Create desired AD User/Group
           3. Install/Configure AD Agent
           4. Configure AD Domain on ASA
           5. Configure AD Agent on ASA
           6. Configure Identity Options
           7. Configure Identity-Based ACL
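
          The configuration steps above are listed but not shown in the article. The following is an added example of what steps 4 to 6 look like on the ASA CLI; it is not configuration taken from the original article. The server group names AD_PRIMARY and ADAGENT, the agent address 192.168.32.100, the INSIDE interface and the ASALDAP account are taken from the show outputs later in this article; the domain controller address 192.168.32.10, the passwords and the probe timers are assumptions. The identity-option commands at the end are included because they limit how long a stale username-to-IP mapping is trusted.

```cisco
! Added example for steps 4 to 6 (not from the original article).
! Assumed values: domain controller address 192.168.32.10, the LDAP login
! password and the RADIUS shared secret are placeholders. AD_PRIMARY, ADAGENT,
! 192.168.32.100, INSIDE and the ASALDAP account come from this article.
!
! Step 4 - AD domain: LDAP server group the ASA uses to import users and groups
aaa-server AD_PRIMARY protocol ldap
aaa-server AD_PRIMARY (INSIDE) host 192.168.32.10
 ldap-base-dn DC=CISCOLAB,DC=COM
 ldap-group-base-dn DC=CISCOLAB,DC=COM
 ldap-scope subtree
 ldap-login-dn CN=ASALDAP,OU=CISCOLAB,DC=CISCOLAB,DC=COM
 ldap-login-password <ASALDAP-password-placeholder>
 server-type microsoft
!
user-identity domain CISCOLAB aaa-server AD_PRIMARY
user-identity default-domain CISCOLAB
!
! Step 5 - AD agent: RADIUS server group in ad-agent-mode; the ASA learns the
! username-to-IP mappings from the agent at 192.168.32.100 (udp/1645, 1646)
aaa-server ADAGENT protocol radius
 ad-agent-mode
aaa-server ADAGENT (INSIDE) host 192.168.32.100
 key <shared-secret-placeholder>
 user-identity
!
user-identity ad-agent aaa-server ADAGENT
!
! Step 6 - identity options
! If the domain controller is unreachable, disable the identity rules for that
! domain instead of matching on cached data; with the trailing "deny ip any
! any" in this article's ACL, affected users lose access rather than gain it
user-identity action domain-controller-down CISCOLAB disable-user-identity-rule
! Probe mapped hosts over NetBIOS and drop a mapping whose host no longer
! answers at the recorded address, so a stale username-to-IP entry is aged out
user-identity logout-probe netbios local-system probe-time minutes 10 retry-interval seconds 10 retry-count 2 user-not-needed
user-identity action netbios-response-fail remove-user-ip
user-identity inactive-user-timer minutes 60
user-identity enable
```

          After applying this, the "sh user-identity ad-agent" and "sh user-identity ad-users CISCOLAB" commands shown later in this article confirm that the agent has registered and that the user list was imported before the ACL from step 7 is attached.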
 
ACL Configurations:

!
object-group user USER
 user CISCOLAB\user1
object-group user ADMIN
 user-group "CISCOLAB\\Network Admin"
!
access-list FROM_INSIDE permit tcp object-group-user ADMIN any any eq 23
access-list FROM_INSIDE permit icmp object-group-user USER any any
access-list FROM_INSIDE deny ip any any log
!
access-group FROM_INSIDE in interface INSIDE
!

Test Results:

          Test#1 - user1 ping 192.168.30.4
                    Result = Succeeded
          Test#2 - user1 telnet to 192.168.30.4
                    Result = Failed
          Test#3 - neteng ping 192.168.30.4
                    Result = Failed
          Test#4 - neteng telnet to 192.168.30.4
                    Result = Succeeded

LAB-INET-FW# sh access-l FROM_INSIDE
access-list FROM_INSIDE; 3 elements; name hash: 0xc8b16e9e
access-list FROM_INSIDE line 1 extended permit tcp object-group-user ADMIN any any eq telnet (hitcnt=1) 0x81ac885d
access-list FROM_INSIDE line 2 extended permit icmp object-group-user USER any any (hitcnt=88) 0x577e075f
access-list FROM_INSIDE line 3 extended deny ip any any log informational interval 300 (hitcnt=223) 0xbfc4303a
!

Show Command Outputs:

! List of AD users
LAB-INET-FW# sh user-identity ad-users CISCOLAB

Domain:CISCOLAB AAA Server Group: AD_PRIMARY
User list retrieved successfully
Number of Active Directory Users: 8
dn: CN=Administrator,CN=Users,DC=CISCOLAB,DC=COM
sAMAccountName: Administrator
dn: CN=Guest,CN=Users,DC=CISCOLAB,DC=COM
sAMAccountName: Guest
dn: CN=krbtgt,CN=Users,DC=CISCOLAB,DC=COM
sAMAccountName: krbtgt
dn: CN=ASALDAP,OU=CISCOLAB,DC=CISCOLAB,DC=COM
sAMAccountName: ASALDAP
dn: CN=neteng,OU=CISCOLAB,DC=CISCOLAB,DC=COM
sAMAccountName: neteng
dn: CN=IBF_SERVICE_USER,CN=Users,DC=CISCOLAB,DC=COM
sAMAccountName: IBF_SERVICE_USER
dn: CN=ADAGENT,OU=CISCOLAB,DC=CISCOLAB,DC=COM
sAMAccountName: ADAGENT
dn: CN=user1,OU=CISCOLAB,DC=CISCOLAB,DC=COM
sAMAccountName: user1

! Status of AD Agent
LAB-INET-FW# sh user-identity ad-agent
Primary AD Agent:
 Status                    up (registered)
 Mode:                     full-download
 IP address:               192.168.32.100
 Authentication port:      udp/1645
 Accounting port:          udp/1646
 ASA listening port:       udp/3799
 Interface:                INSIDE
 Up time:                  44 mins 11 secs
 Average RTT:              0 msec

AD Domain Status:
 Domain CISCOLAB:          up

! List of member users of an AD group
LAB-INET-FW# sh user-identity ad-group-members "CISCOLAB\\Network Admin"
Domain:CISCOLAB AAA Server Group: AD_PRIMARY
Group Member List Retrieved Successfully
Number of Members in AD Group Network Admin     1
dn: CN=neteng,OU=CISCOLAB,DC=CISCOLAB,DC=COM

! AD Username-to-IP mapping
LAB-INET-FW# sh user-identity ip-of-user CISCOLAB\neteng
CISCOLAB\192.168.32.34 (Login)
LAB-INET-FW# sh user-identity ip-of-user CISCOLAB\user1 
CISCOLAB\192.168.32.33 (Login)

! Status of cached AD users
LAB-INET-FW# sh user-identity user all list
Total users: 4  Total IP addresses: 2
  CISCOLAB\Administrator: 0 active conns
  CISCOLAB\ADAGENT: 0 active conns; idle 0 mins
  CISCOLAB\user1: 0 active conns
  CISCOLAB\neteng: 0 active conns; idle 0 mins
!

Conclusion:
          We were able to restrict user access to the lab telnet server based on both the AD username and the AD user group. The ASA correctly obtained the username-to-IP mapping information from the AD agent and used it when evaluating the ACL.

Caveat:  The username-to-IP mapping does not get updated when the IP address of a user's computer changes while the user is logged in to the domain. This causes the user IP information on the ASA to become inaccurate, and potentially results in the wrong ACL entries being applied to that user's traffic. The reason is that the AD agent builds the username-to-IP mapping table by monitoring user logon/logoff activity, so it is not informed of an IP change that happens after the user has already logged in.


Additional Resources:
            Cisco ASA 5500 Series Configuration Guide using the CLI

Author: Metha Chiewanichakorn, CCIE#23585 (R&S/Security/Service Provider)