We have seen,
in my last article, the
Cisco ASA identity firewall in action, and its fundamental capabilities. We were
able to successfully deploy the AD agent, and have the ASA integrated with both
Active Directory (for user group download), and AD agent (for user-to-IP
mapping). At the end of the lab, I was still uncertain on how well it will
perform in a production environment and whether there might be more
caveats in a deployment, at least in the current version of code 8.4(2). In an
effort to answer these questions, I went back to the ASA configuration guide and
came up with a few more lab
scenarios.
This
article is a continuation of Cisco ASA Identify Firewall (Part
1: Introduction). We will be exploring some of the more
advanced features, evaluating, and trying to identify any caveats during our
labs. The lab setup is based on our previous lab with slight modifications (see
lab diagram below). The following are lab scenarios.
1. Combined user/user group and subnet in
ACL
2. Loss of
connectivity to AD
agent
3. VPN user
authentication
Prerequisites:
- Please refer to Cisco
ASA Identify Firewall (Part 1: Introduction)
Lab
Diagram:
Lab
Parameters:
Domain: CISCOLAB.COM
AD User1: user1
AD User2: neteng
AD User Group: Network Admin (member =
neteng)
Domain Test
PC: TESTPC1
(Inside)
TESTPC2
(Inside)
TESTPC3
(Outside)
**************************************************************
Scenario 1 - Combined user and subnet in
ACL
**************************************************************
In this lab scenario, we will attempt to restrict network access using both user
identity and location (ie. source
IP).
Requirements:
- User under Admin group can only telnet to the DMZ host from TESTPC1
(192.168.32.10)
- User1 can only ping the DMZ host from TESTPC2
(192.168.32.11)
ACL Configurations:
!
object-group user USER
user
CISCOLAB\user1
object-group user ADMIN
user-group
"CISCOLAB\\Network Admin"
!
name 192.168.32.10 TESTPC1
name
192.168.32.11 TESTPC2
!
access-list FROM_INSIDE permit tcp
object-group-user ADMIN host 192.168.32.10 any eq 23
access-list
FROM_INSIDE permit icmp object-group-user USER host 192.168.32.11
any
access-list FROM_INSIDE deny ip any any log
!
access-group
FROM_INSIDE in inter
INSIDE
!
Test
Results:
1. neteng on TESTPC1 ping to
192.168.30.4
Result =
Failed
2. neteng on TESTPC1 telnet to
192.168.30.4
Result =
Succeeded
3. neteng on TESTPC2 telnet to
192.168.30.4
Result =
Failed
4. user1 on TESTPC2 ping to
192.168.30.4
Result =
Succeeded
5. user1 on TESTPC1 ping to
192.168.30.4
Result = Failed
LAB-INET-FW# sh access-l
FROM_INSIDE
access-list FROM_INSIDE; 3 elements; name hash: 0xc8b16e9e
access-list
FROM_INSIDE line 1 extended permit tcp object-group-user ADMIN host
192.168.32.10 any eq telnet (hitcnt=1) 0xdf2c337c
access-list FROM_INSIDE
line 2 extended permit icmp object-group-user USER host 192.168.32.11 any
(hitcnt=4) 0x8aff6ad7
access-list FROM_INSIDE line 3 extended deny ip any
any log informational interval 300 (hitcnt=28) 0xbfc4303a
!
******************************************************************
Scenario
2 – Loss of Connectivity to AD
Agent
******************************************************************
In this lab scenario, we will shutdown the AD agent service to emulate loss of
connectivity and observe the change in ACL
enforcement.
LAB-INET-FW# sh
user-identity ad-ag
Primary AD Agent:
Status
down
Mode:
full-download
IP
address:
192.168.32.100
Authentication port:
udp/1645
Accounting
port:
udp/1646
ASA listening port:
udp/3799
Interface:
INSIDE
Up
time:
N/A
Average
RTT:
0 msec
Test
Results:
An active user with command “user-identity action ad-agent-down
disable-user-identity-rule” will bypass all of the identity ACL rules and
evaluated against only the traditional ACL rules, which in this case is
deny-all.
!
1. neteng on TESTPC1 telnet to
192.168.30.4
Result = Failed
An
active user with command “no user-identity action ad-agent-down
disable-user-identity-rule” will continued to be evaluated by the identity ACL
rules.
!
1. neteng on TESTPC1 telnet to
192.168.30.4
Result = Succeeded
An
inactive user, regardless of the command “user-identity action ad-agent-down
disable-user-identity-rule” and the state of the AD agent, will only be
evaluated by the traditional ACL
rules.
!
1. neteng on TESTPC1 telnet to
192.168.30.4
Result =
Failed
!
*********************************************
Scenario
3 - VPN User
Authentication
*********************************************
In this lab scenario, we will attempt to implement identity rule under
group-profile tunnel ACL using SSL VPN.
Configurations (Partial):
!
object-group network VPN_NET
network-object
192.168.253.0 255.255.255.0
!
ip local pool VPN_POOL
192.168.253.32-192.168.253.224 mask 255.255.255.0
!
object-group
user ADMIN
user LOCAL\neteng
!
access-list
FROM_VPN_SSL permit tcp object-group-user
ADMIN any any eq 23
access-list FROM_VPN_SSL
deny ip any any
!
access-list ADMIN_ST stand permit 192.168.32.0
255.255.255.0
!
tunnel-group ADMIN type
remote-access
tunnel-group ADMIN
general-attributes
address-pool
VPN_POOL
authentication-server-group
RADIUS
default-group-policy ADMIN
!
group-policy ADMIN
internal
group-policy ADMIN attributes
dns-server value
192.168.32.100
vpn-filter value
FROM_VPN_SSL
vpn-tunnel-protocol ssl-client
ssl-clientless
split-tunnel-policy
tunnelspecified
split-tunnel-network-list value
ADMIN_ST
default-domain value
CISCOLAB.COM
!
Test Results:
After connecting to
SSL VPN from
TESTPC3
1. neteng on TESTPC3 ping to
192.168.30.4
Result =
Failed
2. neteng on TESTPC3 telnet to
192.168.30.4
Result = Succeeded
! VPN user shows up as in LOCAL
group
LAB-INET-FW# sh user-identity user all li
Total users:
6 Total IP addresses: 2
<omitted>
LOCAL\neteng: 0 active conns; idle 0 mins
LAB-INET-FW# sh user-identity ip-of-user
LOCAL\neteng
LOCAL\192.168.253.32
(Login)
LAB-INET-FW#sh access-l
FROM_VPN_SSL
access-list FROM_VPN_SSL; 1 elements; name hash: 0xac479031
access-list
FROM_VPN_SSL line 1 extended permit tcp object-group-user ADMIN any any eq
telnet (hitcnt=1) 0x6709158e
Observations and
Caveats:
- Inactive and stale user IP mapping entries seem to remain on the ASA
unless being cleared
manually
- Once a user becomes inactive (ie. idle timer expired), he will not be
evaluated by any identity ACL rules, during which time he may be denied by
subsequent ACL rules, until his next domain re-login, or a manual user-to-IP
mapping table update is
performed.
- User-to-IP mapping table on the ASA is not automatically updated after
the connection to AD agent is recovered. The ASA is not informed of any
user logging into the domain during the down time. Manual update by command
“user-identity update active-user-database” is
required.
- VPN users will always appear as members of LOCAL group. There seems to be
no way to make VPN users be members of different
groups.
Conclusion:
Based on our observations, deploying identity firewall requires careful design
of ACL and extensive testing to make sure an AD agent outage will not neither
cause user traffic to be blocked nor accidently allow an unauthorized access.
Idle timer may also need to be adjusted to prevent deny-access due to users
prematurely becoming inactive while they are still logged in to the domain. In
addition, there is a chance that the ASA user-to-IP mapping table becomes
out-of-sync from the AD agent. Although we can manually force update, this
certainly is not practical.
This concludes my review on the ASA identity
firewall. I hope both of my articles will help you decide whether deploying
identity firewall is the right choice in your production environment.
Additional
Resources:
Cisco
ASA 5500 Series Configuration Guide using the
CLI
Author: Metha Chiewanichakorn , CCIE#23585
(R&S/Security/Service Provider)
Inactive
Why is necessary the option inactive user? A lot of problems with this, i don't know why, ASA doesn't get the new status of user after logon, my users away stay inactive.
And the logLevel INFO is it important? I put WARN and reduced the size of the log files folder.
A quick question
Hi guys, I have a problem ...
Let's say user1 logs on from 192.168.1.10.
securitybox(config)# sh user-identity ip-of-user homelab\user1
homelab\192.168.1.10 (Login)
If I log out, the state remains to (Login). It doesn't become Inactive. Is it normal ? Should it change immediately or I'm supposed to configure the "user-identity logout-probe netbios local-system" command ?
Thanks in advance.
Once the user logged out from
Once the user logged out from the domain, the AD agent should inform the firewall to remove the username/IP mapping from the table. A user will only become inactive when the firewall do not see traffic from that user within the idle timeout period, for instance, after a user suddenly disconnect from the network.
Hope this helps.
More than one DC?
If the AD agent looks in the DC's event log to read user logon/off activity, how does it register users logging into another DC?
On the same domain, it should
On the same domain, it should not matter which DC server the user is logged into, the AD agent should still have visibility to the login information. Beside, when you configure the AD agent, you can only specify the domain name and not any particular DC server.
Metha
Metha - thanks for these,
Metha - thanks for these, can't wait to try it out.
Thanks for reading. Feel free
Thanks for reading. Feel free to share your experience when you try it.
Cisco ASA Identity Firewall (Part 2: Advance)
Methachiew, am I understanding you correctly with this new IDENTITY feature there is no need for Cisco ACS server to connect and Authenticate to windows AD?
How about if your VPN/RAS user are in a separate ASA entirely; how you try that scenario?
Authentication and
Authentication and username-to-IP mapping are totally two different processes. When building an ACL for normal traffic, there is no network authentication so ACS server is not involved. The ASA just utilizes the user-to-IP mapping information provided by AD to enforce the traffic policy.
VPN, on the other hand, is kind of a reverse process. An ACS server is still required to authenticate user, but instead of relying on the AD user-to-IP mapping, the ASA creates its own mapping based on the VPN username and the IP it hands out, and update the AD agent with that information.
To answer your second question, I have not tried it but per Cisco documentation, an AD agent uses the user-to-IP mapping reported by one ASA and distributes them to other ASA so should a VPN user traffic needs to traverse another ASA, that ASA should have full knowledge of the username, hence IP, and enforce policy accordingly.