Table Of Contents

User-Based Firewall Support

Contents

Prerequisites for User-Based Firewall Support

Hardware Requirements

Software Requirements

Restrictions for User-Based Firewall Support

Information About User-Based Firewall Support

Feature Design of User-Based Firewall Support

Firewall Support

Authentication Proxy

Zone-Based Policy Firewall

Tag and Template

Access Control List Overview

How to Configure User-Based Firewall Support

Configuring Access Control Lists

Configuring the Identity Policy for Tag and Template

Configuring Control Type Tag Class-Maps or Policy-Maps for Tag and Template

Configuring Supplicant-Group Attribute on the ACS

Configuring Firewall Class-Maps and Policy-Maps

Configuring Firewall Zone Security and Zone-Pair

Configuring ACLs for Authentication Proxy

Configuring Authentication Proxy

Configuring AAA and RADIUS

Troubleshooting Tips

Examples

Configuration Examples for User-Based Firewall Support

Cisco IOS Authentication Proxy Mapping: Example

Additional References

Related Documents

Standards

MIBs

RFCs

Technical Assistance

Command Reference

Feature Information for User-Based Firewall Support

User-Based Firewall Support

---

First Published: July 11, 2008

Last Updated: July 11, 2008

Firewalls traditionally apply rules based on source and destination IP addresses. In the new, highly dynamic mobile world, IP addresses of end systems constantly change. Therefore it becomes increasingly difficult to have a particular user group function assigned to a particular block of IP addresses. It is also difficult to apply firewall policies for a user group that is the source of the traffic. This feature allows source IP addresses to be associated with user groups. Network administrators can apply firewall policies based on user-groups, and the infrastructure can seamlessly apply these security policies.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for User-Based Firewall Support" section.

Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

•Prerequisites for User-Based Firewall Support

•Restrictions for User-Based Firewall Support

•Information About User-Based Firewall Support

•How to Configure User-Based Firewall Support

•Configuration Examples for User-Based Firewall Support

•Additional References

•Command Reference

•Feature Information for User-Based Firewall Support

Prerequisites for User-Based Firewall Support

The following prerequisites apply to the configuration of User-Based Firewall Support.

Hardware Requirements

•Access Control Server

•Cisco Network Access Device, which can be any of the following:

–Cisco 7200 router

–Cisco 1800 router

–Cisco 2800 router

–Cisco 3800 router

Software Requirements

•Cisco IOS Release 12.4(20)T or a later release

•An Ingress Security feature that uses the Identity Policy infrastructure for policy application

Restrictions for User-Based Firewall Support

User-group mapping is based on the end-host's source IPv4 address. The "user-group" match criterion is supported for inspect class-maps.

Authentication Proxy and IP Admission

Authentication Proxy and IP Admission is an input only feature that should be configured on all the interfaces of the source zone. The Authentication Proxy and IP Admission feature is not virtual routing and forwarding (VRF) aware; therefore, user-group Zone Policy Firewall policies cannot be applied on a per VRF basis.

Information About User-Based Firewall Support

To configure the User-Based Firewall Support feature, you should understand the following concepts:

•Feature Design of User-Based Firewall Support

•Firewall Support

•Authentication Proxy

•Zone-Based Policy Firewall

•Tag and Template

•Access Control List Overview

Feature Design of User-Based Firewall Support

The User-Based Firewall Support feature was designed to provide identity or user-group based security that provides differentiated access for different classes of users. Classification can be provided on the basis of user identity, device type (for example, IP phones), location (for example, building) and role (for example, engineer). Because of the dynamic nature of end-host access, where every user is different and the resource he or she accesses is different, it is important to associate end-user's identity, role, or location with security policies. This association prevents the need for administrators to constantly update policy filters, a cumbersome task. The end-user identity can be derived through a variety of different mechanisms. Once a user's identity is established, security policies will be aware of the user's identity, not just the source address. Individual policies can be enforced allowing for greater control.

Cisco IOS supports several features that offer dynamic, per-user authentication and authorization of network access connections. These features include 802.1X, IKE, Authentication Proxy, Network Admission Control (NAC), and so on. These features allow network administrators to enforce security policies on per-user basis. By integrating authentication features with Cisco Policy Language based features such as Zone Based Firewall, Quality of Service (QoS), and so on, the combination can provide a transparent, reliable, ease to manage and deploy security solution to dynamically authenticate and enforce polices on a per user basis.

Cisco IOS User-Based Firewall Support leverages existing authentication and validation methods to associate each source IP address to a user-group. User-group association can be achieved using two methods. The first method (Tag and Template) uses locally defined policies to achieve the association, while the second method obtains the user-group information from the access control server (ACS) and requires no further configuration on the network access device (NAD).

The User-Based Firewall Support feature leverages the Tag and Template concept where the authenticating server returns a tag-name on validating the user credentials. This tag received on the authentication device is mapped to a template. The template is a control plane policy map that refers to an identity policy configured on the device. The identity policy contains the access policies that are to be applied for the corresponding tag-name. The identity policy defines one or more user-groups to which the source IP would be associated. This mapping provides administrators with flexibility to associate the end-host with multiple user-group memberships. The scope of the user-group defined in the identity policy is local to the device. Once the end-host's user-group membership has been established, other Cisco IOS policy language based features can enforce security policies on a per user-group basis.

Match Criterion

The match user-group criterion in the inspect type class map configuration can be used to enforce security policies on a per user-group basis. The match criterion filters the traffic stream based on the client's source IP address in the specified user-group, making it independent of the authentication method that established the group membership. The match criterion in the inspect type class map enables inspection for any ingress traffic and for any protocol, thereby enabling inspection for all traffic.

Firewall Support

Cisco IOS Firewall includes multiple security features. Cisco IOS Firewall stateful packet inspection provides true firewall capabilities to protect networks against unauthorized traffic and control legitimate business-critical data. Authentication proxy controls access to hosts or networks based on user credentials stored in an authentication, authorization, and accounting (AAA) server. Multi-VRF firewall offers firewall services on virtual routers with VRF, accommodating overlapping address space to provide multiple isolated private route spaces with a full range of security services. Transparent firewall adds stateful inspection without time-consuming, disruptive IP addressing modifications. Application inspection controls application activity to provide granular policy enforcement of application usage, protecting legitimate application protocols from rogue applications and malicious activity. For more information on firewall support see the Cisco IOS Firewall Design Guide.

Authentication Proxy

The Cisco IOS Firewall Authentication Proxy feature provides dynamic, per-user authentication and authorization, authenticating users against industry standard TACACS+ and RADIUS authentication protocols. Authenticating and authorizing connections by users provides more robust protection against network attacks. See the Authentication Proxy document for more information about this feature.

Zone-Based Policy Firewall

Cisco IOS Zone-Based Policy Firewall can be used to deploy security policies by assigning interfaces to different zones and configuring a policy to inspect the traffic moving between these zones. The policy specifies a set of actions to be applied on the defined traffic class. For more information see the document Zone-Based Firewall.

Tag and Template

The Tag and Template feature allows network administrators to define enforcement policies on a local device and have a RADIUS server specify the policy selector to be enforced. This feature can be applied to a NAC architecture. See the Tag and Template feature guide for more information about this feature.

Network Admission Control

In a typical Network Admission Control deployment, an ACS or a RADIUS server is used for validating the user posture information and for applying the policies on the NAD. A centralized ACS can be used to support multiple NADs. This solution has inherent problems associated with it, namely:

•Version control of policies. Typically, a specific NAD that is running a Cisco IOS image may support some access control lists (ACLs), and another NAD may support a different version. Managing different versions can be a problem.

•Users connect on different interfaces to the NAD, and on the basis of the interface type, the policies that can be applied to the user can change, and the NAD can determine the policies to be applied. In the current architecture, the ACS sends the same set of policies to all the NADs when a profile is matched, which does not give enough control to the administrator to configure the polices on the basis of the NAD configuration.

Configuring the Tag and Template feature allows the ACS to map users to specific groups and associate a tag with them. For example, the Usergroup1 user group may have a tag with the name "usergroup1." When the NAD queries the ACS for the policies, the ACS can return the tag that is associated with the user group. When this tag is received at the NAD, the NAD can map the tag to a specific template that can have a set of policies that are associated with the user group. This mapping provides administrators with the flexibility to configure the template on a NAD basis, and the policies can change from NAD to NAD even though the tag is the same.

In summary, a template must be configured on the NAD, and the template must be associated with a tag. When the ACS sends the policies back to the NAD, the template that matches the tag that was received from the ACS is used.

Access Control List Overview

Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router. You can configure access lists at your router to control access to a network. Access lists can prevent certain traffic from entering or exiting a network.

How to Configure User-Based Firewall Support

Perform the following tasks to configure User-Based Firewall Support:

•Configuring Access Control Lists

•Configuring the Identity Policy for Tag and Template

•Configuring Control Type Tag Class-Maps or Policy-Maps for Tag and Template

•Configuring Supplicant-Group Attribute on the ACS

•Configuring Firewall Class-Maps and Policy-Maps

•Configuring Firewall Zone Security and Zone-Pair

•Configuring ACLs for Authentication Proxy

•Configuring Authentication Proxy

•Configuring AAA and RADIUS

Configuring Access Control Lists

To configure ACLs, perform the steps in this section. Policy specific ACLs are defined under the identity policy.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip access-list extended access-list-name

4. permit protocol any host ip-address

5. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip access-list extended access-list-name Example: Router(config)# ip access-list extended auth_proxy_acl	Defines an IP access list and enters extended named access list configuration mode.
Step 4	permit protocol any host ip-address Example: Router(config-ext-nacl)# permit tcp any host 192.168.104.136	Sets the permission for an access list using TCP.
Step 5	end Example: Router(config-ext-nacl)# end	Exits extended named access list configuration mode.

Configuring the Identity Policy for Tag and Template

To configure the identity policy for Tag and Template, perform the steps in this section. Usergroup support is achieved by configuring the usergroup that is to be associated with the IP address on the NAD itself using a locally defined identity policy. A tag is received from the ACS that matches a template (identity policy) on the NAD. The user-group associated with the IP address is obtained from the NAD.

SUMMARY STEPS

1. enable

2. configure terminal

3. identity policy policy-name

4. user-group group-name

5. access-group group-name

6. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	identity policy policy-name Example: Router(config)# identity policy auth_proxy_ip	Creates an identity policy and enters identity policy configuration mode.
Step 4	user-group group-name Example: Router(config-identity-policy)# user-group auth_proxy_ug	Establishes a user-group.
Step 5	access-group group-name Example: Router(config-identity-policy)# access-group auth_proxy_acl	Specifies the access-group to be applied to the identity policy.
Step 6	end Example: Router(config-identity-policy)# end	Exits identity policy configuration mode.

Configuring Control Type Tag Class-Maps or Policy-Maps for Tag and Template

To configure control type tag class-maps or policy-maps for Tag and Template, perform the steps in this section. Tag names are received from the AAA server as authorization data and are matched with their respective class-maps. The security policies that are associated with the identity policies are applied to the host. In this way host IP addresses gain membership of user-groups.

SUMMARY STEPS

1. enable

2. configure terminal

3. policy-map type control tag policy-map-name

4. class type control tag control-class-name

5. identity policy policy-name

6. exit

7. configure terminal

8. class-map type control tag match-all class-map-name

9. match tag tag-name

10. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	policy-map type control tag policy-map-name Example: Router(config)# policy-map type control tag all_tag_cm_pm	Creates a control policy map and enters policy-map configuration mode.
Step 4	class type control tag control-class-name Example: Router(config-pmap)# class type control tag auth_proxy_tag_cm	Creates a control class and enters policy-map-class configuration mode.
Step 5	identity policy policy-name Example: Router(config-pmap-c)# identity policy auth_proxy_ip	Creates an identity policy.
Step 6	exit Example: Router(config-pmap-c)# exit	Exits policy-map-class configuration mode.
Step 7	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 8	class-map type control tag match-all class-map-name Example: Router(config)# class-map type control tag match-all auth_proxy_tag_cm	Creates a control class map and enters class-map configuration mode.
Step 9	match tag tag-name Example: Router(config-cmap)# match tag auth_proxy_tag	Specifies the tag to be matched for a tag type of class map.
Step 10	end Example: Router(config-cmap)# end	Exits class-map configuration mode.

Configuring Supplicant-Group Attribute on the ACS

The supplicant group attribute needs to be configured as a Cisco attribute value (AV) Pair on the ACS for user based firewall support. To configure the supplicant-group attribute on the ACS, perform the steps in this section. The supplicant-group attribute is defined in the RADIUS authorization group attributes from where all authorization data pertaining to the client resides. The user-group information is obtained from the ACS and no further user-group specific configuration is required on the NAD.

SUMMARY STEPS

1. Cisco:Avpair=supplicant-group=group-name

DETAILED STEPS

Step 1 Cisco:Avpair=supplicant-group=eng

Defines the supplicant-group attribute.

---

Configuring Firewall Class-Maps and Policy-Maps

To configure firewall class-maps and policy-maps, perform the steps in this section. User-groups are configured and attached to policy-maps by using the inspect command with each class-map.

SUMMARY STEPS

1. enable

2. configure terminal

3. class-map type inspect match-all class-map-name

4. match protocol protocol-name

5. match user-group group-name

6. exit

7. configure terminal

8. policy-map type inspect policy-map-name

9. class type inspect class-map-name

10. inspect

11. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	class-map type inspect match-all class-map-name Example: Router(config)# class-map type inspect match-all auth_proxy_ins_cm	Creates an inspect type class map and enters class-map configuration mode.
Step 4	match protocol protocol-name Example: Router(config-cmap)# match protocol telnet	Configures the match criterion for the class map on the basis of the specified protocol.
Step 5	match user-group group-name Example: Router(config-cmap)# match user-group auth_proxy_ug	Configures the match criterion for the class map on the basis of the specified user-group.
Step 6	exit Example: Router(config-cmap)# exit	Exits class-map configuration mode.
Step 7	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 8	policy-map type inspect policy-map-name Example: Router(config)# policy-map type inspect all_ins_cm_pm	Creates an inspect type policy map and enters policy-map configuration mode.
Step 9	class type inspect class-map-name Example: Router(config-pmap)# class type inspect auth_proxy_ins_cm	Specifies the traffic (class) on which an action is to be performed.
Step 10	inspect Example: Router(config-pmap)# inspect	Enables Cisco IOS stateful packet inspection.
Step 11	end Example: Router(config-pmap)# end	Exits policy-map configuration mode.

Configuring Firewall Zone Security and Zone-Pair

To configure firewall zone security and zone -pair, perform the steps in this section. Security zones are configured for untrustworthy (outside) and trustworthy (inside) networks or interfaces. Zone-pairs are configured where the source zone is untrustworthy and the destination zone is trustworthy.

SUMMARY STEPS

1. enable

2. configure terminal

3. zone security zone-name

4. end

5. configure terminal

6. zone-pair security zone-pair-name source source-zone-name destination destination-zone-name

7. service-policy type inspect policy-map-name

8. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	zone security zone-name Example: Router(config)# zone security out_sec_zone	Creates a security zone, and enters security zone configuration mode.
Step 4	end Example: Router(config-sec-zone)# end	Exits security zone configuration mode.
Step 5	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 6	zone-pair security zone-pair-name source source-zone-name destination destination-zone-name Example: Router(config)# zone-pair security out_in source out_sec_zone destination in_sec_zone	Creates a zone-pair and enters security zone-pair configuration mode.
Step 7	service-policy type inspect policy-map-name Example: Router(config-sec-zone-pair)# service-policy type inspect all_ins_cm_pm	Attaches a firewall policy map to the zone-pair.
Step 8	end Example: Router(config-sec-zone-pair)# end	Exits security zone-pair configuration mode.

Configuring ACLs for Authentication Proxy

To configure ACLs for authentication proxy, perform the steps in this section.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip access-list extended access-list-name

4. permit protocol any source-ip-address destination-ip-address

5. permit protocol any host destination-ip-address

6. permit protocol any any eq bootps

7. permit protocol any any eq domain

8. end

9. configure terminal

10. ip access-list extended access-list-name

11. permit protocol any host destination-ip-address

12. permit protocol any host destination-ip-address eq domain

13. permit protocol any host destination-ip-address eq www

14. permit protocol any host destination-ip-address eq port

15. end

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip access-list extended access-list-name Example: Router(config)# ip access-list extended 102	Defines an IP access list and enters extended named access list configuration mode.
Step 4	permit protocol any source-ip-address destination-ip-address Example: Router(config-ext-nacl)# permit ip any 192.168.100.0 10.0.0.255	Sets the permission for an access list using IP.
Step 5	permit protocol any host destination-ip-address Example: Router(config-ext-nacl)# permit ip any host 192.168.104.136	Sets the permission for an access list using IP.
Step 6	permit protocol any any eq bootps Example: Router(config-ext-nacl)# permit ip any any eq bootps	Sets the permission for an access list using IP.
Step 7	permit protocol any any eq domain Example: Router(config-ext-nacl)# permit ip any any eq domain	Sets the permission for an access list using IP.
Step 8	end Example: Router(config-ext-nacl)# end	Exits extended named access list configuration mode.
Step 9	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 10	ip access-list extended access-list-name Example: Router(config)# ip access-list extended 103	Defines an IP access list and enters extended named access list configuration mode.
Step 11	permit protocol any host destination-ip-address Example: Router(config-ext-nacl)# permit ip any host 192.168.104.136	Sets the permission for an access list using IP.
Step 12	permit protocol any host destination-ip-address eq domain Example: Router(config-ext-nacl)# permit udp any host 192.168.104.136 eq domain	Sets the permission for an access list using user datagram protocol (UDP).
Step 13	permit protocol any host destination-ip-address eq www Example: Router(config-ext-nacl)# permit tcp any host 192.168.104.136 eq www	Sets the permission for an access list using TCP.
Step 14	permit protocol any host destination-ip-address eq port Example: Router(config-ext-nacl)# permit udp any host 192.168.104.136 eq 443	Sets the permission for an access list using UDP.
Step 15	end Example: Router(config-ext-nacl)# end	Exits extended named access list configuration mode.

Configuring Authentication Proxy

To configure authentication proxy default IP admissions, perform the steps in this section.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip admission auth-proxy-banner http c Auth-Proxy-Banner-Text c

4. ip admission watch-list expiry-time expiry-minutes

5. ip admission max-login-attempts attempt-number

6. ip admission inactivity-timer timeout-minutes

7. ip admission absolute-timer timeout-minutes

8. ip admission init-state-timer timeout-minutes

9. ip admission auth-proxy-audit

10. ip admission watch-list enable

11. ip admission ratelimit limit

12. ip admission name admission-name proxy http list acl

13. ip admission name admission-name proxy telnet list acl

14. ip admission name admission-name proxy http list acl service-policy type tag service-policy-name

15. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	ip admission auth-proxy-banner http c Auth-Proxy-Banner-Text c Example: Router(config)# ip admission auth-proxy-banner http c Auth-Proxy-Banner-Text c	Creates a network admission control rule with an authentication proxy banner to be applied to the interface.
Step 4	ip admission watch-list expiry-time expiry-minutes Example: Router(config)# ip admission watch-list expiry-time 50	Creates a network admission control rule with a watch-list to be applied to the interface.
Step 5	ip admission max-login-attempts attempt-number Example: Router(config)# ip admission max-login-attempts 10	Creates a network admission control rule with a specified maximum login attempts per user number to be applied to the interface.
Step 6	ip admission inactivity-timer timeout-minutes Example: Router(config)# ip admission inactivity-timer 205	Creates a network admission control rule with a specified inactivity timeout to be applied to the interface.
Step 7	ip admission absolute-timer timeout-minutes Example: Router(config)# ip admission absolute-timer 305	Creates a network admission control rule with a specified absolute timeout to be applied to the interface.
Step 8	ip admission init-state-timer timeout-minutes Example: Router(config)# ip admission init-state-timer 15	Creates a network admission control rule with a specified init-state timeout to be applied to the interface.
Step 9	ip admission auth-proxy-audit Example: Router(config)# ip admission auth-proxy-audit	Creates a network admission control rule with authentication proxy auditing to be applied to the interface.
Step 10	ip admission watch-list enable Example: Router(config)# ip admission watch-list enable	Creates a network admission control rule with a watch-list to be applied to the interface.
Step 11	ip admission ratelimit limit Example: Router(config)# ip admission ratelimit 100	Creates a network admission control rule with a specified session rate limit to be applied to the interface.
Step 12	ip admission name admission-name proxy http list acl Example: Router(config)# ip admission name auth_rule proxy http list 103	Creates an IP network admission control rule. •Telnet, HTTP, or both can be configured.
Step 13	ip admission name admission-name proxy telnet list acl Example: Router(config)# ip admission name auth_rule proxy telnet list 103	Creates an IP network admission control rule. •Telnet, HTTP, or both can be configured.
Step 14	ip admission name admission-name proxy http list acl service-policy type tag service-policy-name Example: Router(config)# ip admission name auth_rule proxy http list 103 service-policy type tag all_tag_cm_pm	(Optional) Creates an IP network admission control rule. •Configures a control plane service policy when the Tag & Template method of user-group association is used. •Control plane tag service policy that is configured using the policy-map type control tag {policy name} command, keyword, and argument. This policy map is used to apply the actions on the host when a tag is received.
Step 15	exit Example: Router(config)# exit	Exits global configuration mode.

Configuring AAA and RADIUS

To configure AAA and RADIUS servers, perform the steps in this section.

SUMMARY STEPSs

1. enable

2. configure terminal

3. aaa new-model

4. aaa authentication login default group radius

5. aaa authentication login list-name none

6. aaa authentication eou default enable group radius

7. aaa authorization network default group radius local

8. aaa authorization list-name default group radius

9. aaa accounting auth-proxy default start-stop group group-name

10. aaa accounting system default start-stop group group-name

11. aaa session-id common

12. radius-server attribute 6 on-for-login-auth

13. radius-server attribute 8 include-in-access-req

14. radius-server attribute 25 access-request include

15. radius-server configure-nas

16. radius-server host ip-address auth-port port-number acct-port port-number key string

17. radius-server host ip-address auth-port port-number acct-port port-number key string

18. radius-server source-ports extended

19. radius-server vsa send authentication

20. exit

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. •Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	aaa new-model Example: Router(config)# aaa new-model	Enables the AAA access control model.
Step 4	aaa authentication login default group radius Example: Router(config)# aaa authentication login default group radius	Sets AAA authentication at login using the group radius method.
Step 5	aaa authentication login list-name none Example: Router(config)# aaa authentication login noAAA none	Sets AAA authentication at login and ensures that the authentication succeeds even if all methods of authentication return an error.
Step 6	aaa authentication eou default enable group radius Example: Router(config)# aaa authentication eou default enable group radius	Sets authentication lists for Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP).
Step 7	aaa authorization network default group radius local Example: Router(config)# aaa authorization network default group radius local	Sets parameters that restrict user access to a network using the group radius and local methods. •The group radius method uses the list of all RADIUS servers for authentication. •The local method uses the local database for authorization.
Step 8	aaa authorization list-name default group radius Example: Router(config)# aaa authorization auth-proxy default group radius	Sets parameters that restrict user access to a network using the group radius method.
Step 9	aaa accounting auth-proxy default start-stop group group-name Example: Router(config)# aaa accounting auth-proxy default start-stop group radius	Creates a method list to provide information about all authenticated-proxy user events. •Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process.
Step 10	aaa accounting system default start-stop group group-name Example: Router(config)# aaa accounting system default start-stop group radius	Creates a method list to provide accounting for all system-level events not associated with users. •Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process.
Step 11	aaa session-id common Example: Router(config)# aaa session-id common	Specifies that the same ID will be assigned for each AAA accounting service type within a call.
Step 12	radius-server attribute 6 on-for-login-auth Example: Router(config)# radius-server attribute 6 on-for-login-auth	Sends the Service-Type attribute in the authentication packets.
Step 13	radius-server attribute 8 include-in-access-req Example: Router(config)# radius-server attribute 8 include-in-access-req	Sends the IP address of a user to the RADIUS server in the access request.
Step 14	radius-server attribute 25 access-request include Example: Router(config)# radius-server attribute 25 access-request include	Sends an arbitrary value that the network access server includes in all accounting packets for the user if supplied by the RADIUS server.
Step 15	radius-server configure-nas Example: Router(config)# radius-server configure-nas	Configures the Cisco router or access server to query the vendor-proprietary RADIUS server for the static routes and IP pool definitions used throughout its domain when the device starts up.
Step 16	radius-server host ip-address auth-port port-number acct-port port-number key string Example: Router(config)# radius-server host 192.168.104.131 auth-port 1645 acct-port 1646 key string1	Specifies a RADIUS server host. •Specifies the UDP destination port for authentication requests. •Specifies the UDP destination port for accounting requests.
Step 17	radius-server host ip-address auth-port port-number acct-port port-number key string Example: Router(config)# radius-server host 192.168.104.132 auth-port 1645 acct-port 1646 key string2	Specifies a RADIUS server host. •Specifies the UDP destination port for authentication requests. •Specifies the UDP destination port for accounting requests.
Step 18	radius-server source-ports extended Example: Router(config)# radius-server source-ports extended	Enables 200 ports in the range from 21645 to 21844 to be used as the source ports for sending out RADIUS requests. •Ports 1645 and 1646 are used as the source ports for RADIUS requests.
Step 19	radius-server vsa send authentication Example: Router(config)# radius-server vsa send authentication	Configures the network access server (NAS) to recognize and use vendor-specific attributes (VSAs).
Step 20	exit Example: Router(config)# exit	Exits global configuration mode.

Troubleshooting Tips

The following commands can be used to troubleshoot User-Based Firewall Support:

•clear ip admission cache

•debug user-group

•show debugging

•show epm session ip

•show ip access-lists

•show ip admission

•show logging

•show policy-map type inspect zone-pair

•show user-group

Examples

show epm session ip

The following example shows sample output of the show epm session command when the summary keyword is used.

Router# show epm session ip summary

EPM Session Information

------------------------------

Total sessions seen so far: 8

Total Active sessions: 1

Session IP Address:

------------------------------

192.168.101.131

The following example shows sample output of the show epm session command when the ip-address argument is specified. The output below is displayed if a locally defined user-group association (Tag and Template method) is used.

Router# show epm session ip 192.168.101.131

Admission feature: Authproxy

Tag Received: eng_group_tag

Policy map used: all_tag_cm_pm

Class map matched: eng_tag_cm

The following example shows sample output of the show epm session command when the ip-address argument is specified. The output below is displayed if ACS defined (supplicant-group attribute configured on the ACS) user-group association is used.

Router# show epm session ip 192.168.101.131

Admission feature: Authproxy

AAA policies:

ACS ACL: xACSACLx-IP-TEST_ACL-47dfc392

Supplicant-Group: eng

Supplicant-Group: mgr

Proxy ACl: permit udp any any

Router#

show ip access-lists

The following example shows sample output of the show ip access-lists command.

Router# show ip access-lists

Extended IP access list 102

	permit icmp host 192.168.101.131 host 192.168.104.136	Auth-Proxy ACE downloaded from 
AAA

	permit udp host 192.168.101.131 host 192.168.104.136	Auth-Proxy ACE downloaded from AAA

	permit tcp host 192.168.101.131 host 192.168.104.136	Auth-Proxy ACE downloaded from AAA

10 permit ip any 192.168.100.0 10.0.0.255 (956 matches)

	20 permit ip any 192.168.101.0 10.0.0.255 (9 matches)

	30 permit ip any host 192.168.104.136 (20 matches)

	40 permit udp any any eq bootps

	50 permit udp any any eq domain

Extended IP access list 103

	10 permit ip any host 192.168.104.136 (3 matches)

	20 permit udp any host 192.168.104.136 eq domain

	30 permit tcp any host 192.168.104.136 eq www

	40 permit udp any host 192.168.104.136 eq 443

	50 permit tcp any host 192.168.104.136 eq 443

Extended IP access list vendor_group_acl

	10 permit ip any host 192.168.104.136

Extended IP access list auth_proxy_acl

	10 permit tcp any host 192.168.104.136

	20 permit udp any host 192.168.104.136

	30 permit icmp any host 192.168.104.136

Extended IP access list sales_group_acl

	10 permit ip any host 192.168.104.131

Extended IP access list eng_group_acl

	10 permit ip any host 192.168.100.132

Extended IP access list manager_group_acl

	10 permit ip any host 192.168.104.128

Router#

show ip admission

The following example shows sample output of the show ip admission command when the configuration keyword is used.

Router# show ip admission configuration

Authentication Proxy Banner

	HTTP Protocol Banner: Auth-Proxy-Banner-Text

Authentication global cache time is 205 minutes

Authentication global absolute time is 305 minutes

Authentication global init state time is 15 minutes

Authentication Proxy Session ratelimit is 100

Authentication Proxy Session Watch-list is enabled

Watch-list expiry timeout is 50 minutes

Authentication Proxy Auditing is enabled

Max Login attempts per user is 10

Authentication Proxy Rule Configuration

Auth-proxy name auth_rule

 http list 103 inactivity-timer 205 minutes

Router#

The following example shows sample output of the show ip admission command when the cache keyword is used. After a successful Telnet/HTTP-proxy session, from a Cisco Trust Agent (CTA) client to an Audit Server, is established, logs are displayed.

Router# show ip admission cache

Authentication Proxy Cache

Client Name aaatestuser, Client IP 192.168.101.131, Port 1870, timeout 205, Time Remaining 
205, state ESTAB

show logging

The following example shows sample output of the show logging command.

Router# show logging

Log Buffer (65000 bytes):

*Jul 3 05:33:13:935: %SYS-5-CONFIG_I: Configured from console by console

*Jul 3 05:33:18.471: USRGRP-API: [Type=IPv4 Val=192.168.101.131 Group-h_ug]: Usergroup 
opcode entry deletion.

*Jul 3 05:33:18.471: %UG-6-MEMBERSHIP: IP=192.168.101.131| INTERFACE=Vlan| 
USERGROUP=eng_group_ug| STATUS-REMOVED

*Jul 3 05:33:18.471: USRGRP-ENTRY: [Type=IPv4 Val=192.168.101.131 :: Group=eng_group_ug 
Count=0]:Usergroup entry deleted

*Jul 3 05:33:18.471: USRGRP-ENTRY: [Type=IPv4 Val=192.168.101.131 :: Group=eng_group_ug 
Count=0]:Usergroup entry clean up and free

*Jul 3 05:33:18.471: USRGRP-DB: Group=h_ug Count=0: Usergroup is empty. Destroy Group.

*Jul 3 05:33:18.471: USRGRP-DB: Group=h_ug Count=0: Clean up and free usergroup db.

*Jul 3 05:33:22.383: USRGRP-API: [Type=IPv4 Val=192.168.101.131 Group=eng_group_ug]: 
Usergroup opcode entry addition.

*Jul 3 05:33:22.383: USRGRP-DB: Group=h_ug Count=0 New usergroup db created.

*Jul 3 05:33:22.383: %UG-6-MEMBERSHIP: IP=192.168.101.131| INTERFACE=Vlan333| 
USERGROUP=eng_group_ug| STATUS=ESTABLISHED

*Jul 3 05:33:22.383: USRGRP-ENTRY: [Type=IPv4 Val=192.168.101.131 :: Group=eng_group_ug 
Count=1]: Usergroup entry added

*Jul 3 05:33:41.239: USRGRP-API: [Type=IPv4 Val=192.168.101.131 Group=eng_group_ug]: 
Usergroup opcode entry deletion.

*Jul 3 05:33:41.239: %UG-6-MEMBERSHIP: IP=192.168.101.131| INTERFACE=Vlan333| 
USERGROUP=eng_group_ug| STATUS=REMOVED

*Jul 3 05:33:41.239: USRGRP-ENTRY: [Type=IPv4 Val=192.168.101.131 :: Group=eng_group_ug 
Count=0]: Usergroup entry deleted

*Jul 3 05:33:41.239: USRGRP-ENTRY: [Type=IPv4 Val=192.168.101.131 :: Group=eng_group_ug 
Count=0]: Usergroup entry clean up and free

*Jul 3 05:33:41.239: USRGRP-DB: Group=eng_group_ug Count=0: Usergroup is empty. Destroy 
group.

*Jul 3 05:33:41.239: USRGRP-DB: Group=eng_group_ug Count=0: Clean up and free usergroup 
db.

*Jul 3 05:33:50.687: USRGRP-API: {Type=IPv4 Val=192.168.101.131 Group=eng_group_ug]: 
Usergroup opcode entry addition.

*Jul 3 05:33:50.687: USRGRP-DB: Group=eng_group_ug Count=0: New usergroup db created.

*Jul 3 05:33:50.687: %UG-6-MEMBERSHIP: IP=192.168.101.131| INTERFACE=Vlan333| 
USERGROUP=eng_group_ug| STATUS=ESTABLISHED

*Jul 3 05:33:50.687: USRGRP-ENTRY: [Type=IPv4 Val=192.168.101.131 :: Group=eng_group_ug 
Count=1]: Usergroup entry added

show policy-map type inspect zone-pair

The following example shows sample output of the show policy-map type inspect zone-pair command when the sessions keyword is used.

Router# show policy-map type inspect zone-pair sessions

policy exists on zp out_in

 Zone-pair: out_in

  Service-policy inspect: all_ins_cm_pm

   Class-map: vendor_group_ins_cm (match-all)

    Match: user-group vendor_group_ug

   Class-map: manager_group_ins_cm (match-all)

    Match: protocol telnet

    Match: user-group manager_group_ug

   Class-map: auth_proxy_ins_cm (match-all)

    Match: user-group auth_proxy_ug

    Match: protocol telnet

    Number of Established Sessions = 1

    Established Sessions

     Session 49D12BE0 (192.168.101.131:1872)=>(192.168.104.136:23) telnet:tcp SIS_OPEN

      Created 00:00:15, Last heard 00:00:09

      Bytes sent (initiator:responder) [171:249]

   Class-map: eng_group_ins_cm (match-all)

    Match: user-group eng_group_ug

    Match: protocol ftp

    Number of Established Sessions = 1

    Established Sessions

     Session 49D12E20 (192.168.101.131:1874)=>(192.168.104.136:21) ftp:tcp SIS_OPEN

      Created 00:00:12, Last heard 00:00:06

      Bytes sent (initiator:responder) [45:137]

   Class-map: sales_group_ins_cm (match-all)

    Match: protocol ftp

    Match: user-group sales_group_ug

   Class-map: class-default (match-any)

    Match: any

show user-group

The following example shows sample output of the show user-group command when the configuration keyword is used.

Router# show user-group

Usergroup: auth_proxy_ug

----------------------------------------------------------

User Name				Type		Interface			Learn		Age (min)

----------------------------------------------------------

192.168.101.131	IPv4					Vlan333			Dynamic		0

Usergroup: eng_group_ug

----------------------------------------------------------

User Name				Type		Interface			Learn		Age (min)

----------------------------------------------------------

192.168.101.131	IPv4					Vlan333			Dynamic		0

The following example shows sample output of the show user-group command when the group-name argument is used.

Router# show user-group auth_proxy_ug

Usergroup: auth_proxy_ug

----------------------------------------------------------

User Name				Type		Interface			Learn		Age (min)

----------------------------------------------------------

192.168.101.131	IPv4					Vlan333			Dynamic		0

The following example shows sample output of the show user-group command when the count keyword is used.

Router# show user-group count

Total Usergroup: 2

----------------------------------------------------------

User Group				Members

----------------------------------------------------------

auth_proxy_ug				1

eng_proxy_ug				1

Configuration Examples for User-Based Firewall Support

This section contains the following example:

•Cisco IOS Authentication Proxy Mapping: Example

Cisco IOS Authentication Proxy Mapping: Example

The following example shows how to configure User-Based Firewall Support. The Cisco IOS Authentication Proxy maps two users to different user-groups. Zone Policy Firewall policies are configured on a per user-group basis.

!IP Admission configuration

Configure the rule for HTTP based proxy authentication and associate the control plane tag 
service policy.

!

configure terminal

ip admission name auth-http proxy http service-policy type tag global-policy

ip http server

ip http secure-server

!AAA configuration

!

aaa new-model

!

aaa authentication login default group radius

aaa authentication login noAAA none

aaa authentication eou default group radius

aaa authorization network default group radius local

aaa authorization auth-proxy default group radius

aaa accounting auth-proxy default start-stop group radius

aaa accounting system default start-stop group radius

aaa session-id common

!

radius-server attribute 6 on-for-login-auth

radius-server attribute 8 include-in-access-req

radius-server attribute 25 access-request include

radius-server configure-nas

radius-server host 192.168.104.131 auth-port 1645 acct-port 1646 key cisco

radius-server host 192.168.104.132 auth-port 1645 acct-port 1646 key cisco

radius-server source-ports extended 

radius-server vsa send authentication

!

!Tag and Template configuration.

Configuration policy attributes for the engineer.

!

identity policy engineer-policy

 access-group engineer-acl

 user-group group-engineer

identity policy manager-policy

 access-group manager-acl

 user-group group-manager

!Define type control tag class-maps

! 

class-map type control tag match-all auth_proxy_tag_cm 

match tag auth_proxy_tag 

class-map type control tag match-all eng_tag_cm 

match tag eng_group_tag 

class-map type control tag match-all manager_tag_cm 

match tag manager_group_tag 

! 

!Define the control plane tag policy map.

!

policy-map type tag control tag global-policy

 class engineer-class

  identity policy engineer-policy

 class manager-class

  identity policy manager-policy

!Define per-user group traffic classification based on membership of the source IP address 
in the specified user-group.

!

class-map type inspect match-all engineer-insp-cmap

 match user-group group-engineer

 match protocol tcp

 match protocol udp

class-map type inspect match-all manager-insp-cmap

 match user-group group-manager

 match protocol http

!Zone Policy Firewall configuration.

Configure zones z1 and z2.

!

zone security z1

zone security z2

!Configure the policy map to inspect traffic between z1 and z2.

!

policy-map type inspect z1-z2-policy

 class type inspect engineer-insp-cmap

  inspect

 class type inspect manager-insp-cmap

  inspect

!Configure interfaces to their respective zones and apply the ip admission rule on the 
source zone member(s).

!

interface e0

 ip admission auth-http

 zone-member security z1

interface e1

 zone-member security z2

!Configure the zone-pair and apply the appropriate policy-map.

!

zone-pair security z1-z2 source z1 destination z2

 service-policy type inspect z1-z2-policy

Additional References

The following sections provide references related to the User-Based Firewall Support feature.

Related Documents

Related Topic	Document Title
Cisco IOS Firewall Design	The Cisco IOS Firewall Design Guide
Cisco IOS firewall commands	Cisco IOS Security Command Reference
Cisco IOS Tag and Template Feature	"Tag and Template"
Cisco IOS Zone-Based Policy Firewall Feature	"Zone-Based Policy Firewall"
Cisco IOS Authentication Proxy Feature	"Authentication Proxy"

Standards

Standard	Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.	—

MIBs

MIB	MIBs Link
None	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

RFCs

RFC	Title
None	—

Technical Assistance

Description

Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport

Command Reference

The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or the Cisco IOS Master Command List, All Releases, at http://www.cisco.com/en/US/docs/ios/mcl/allreleasemcl/all_book.html.

•debug user-group

•match user-group

•show debugging

•show user-group

•user-group

•user-group logging

Feature Information for User-Based Firewall Support

Table 1 lists the release history for this feature.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

---

Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

---

Table 1 Feature Information for User-Based Firewall Support

Feature Name	Releases	Feature Information
User-Based Firewall Support	12.4(20)T	This feature provides the option for configuring a security solution to dynamically authenticate and enforce policies on a per user basis in Cisco IOS software for Release 12.4(20)T and later releases. In Release 12.4(20)T, this feature was introduced on the Cisco 7200, Cisco 1800, Cisco 2800, and Cisco 3800 routers. The following commands were introduced or modified: debug user-group, match user-group, show debugging, show user-group, user-group, user-group logging.

CCDE, CCENT, Cisco Eos, Cisco HealthPresence, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0812R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2008 Cisco Systems, Inc. All rights reserved.