Cisco ACS 5.x Use Case: Downloadable Access Control Lists With AnyConnect

In this ACS lab we extend our series to Downloadable Access Control Lists, or DACLs, with the ASA and AnyConnect. Let us recall our topology:

[Image ucase6-1: lab topology]

This is the scenario: two groups of users connect to the ASA with the AnyConnect VPN client. They are authenticated against Active Directory (AD). After a successful login, each user receives a downloadable access control list defined on the ACS server, depending on group membership. Junior admins are forbidden to ping the domain controller; senior admins have no restrictions, but are still assigned a DACL so that restrictions can be added later.

We saw in previous blog posts how to configure Identity Store Sequences, authenticate users against AD, and perform the other basic tasks we rely on here.

Let’s create our DACLs. For juniors:

[Image ucase6-2: DACL for juniors]

For seniors:

[Image ucase6-3: DACL for seniors]

Again, this list is not mandatory for seniors, because they are allowed to do anything. It is only there so that we can deny something in the future.

Now let’s check our Authorization Profiles. We should have two of them, one for juniors and one for seniors; these profiles are referenced from our Access Services. The authorization profile for juniors:

[Image ucase6-4: authorization profile for juniors]

For seniors:

[Image ucase6-5: authorization profile for seniors]

Now we verify our access service for network access – Default Network Access. For identity:

[Image ucase6-6: Default Network Access, identity policy]

And for authorization:

[Image ucase6-7: Default Network Access, authorization policy]

Here we can see that if a user is a member of Junior Admins they will be assigned the JUNIOR_AUTHOR authorization profile and hence the JUNIORS_ACL access control list. The same goes for the Senior Admins group. Our users are created locally on the ACS:

[Image ucase6-8: local users on the ACS]

but they are actually authenticated against Active Directory, as per our identity store sequence.

Before we test this scenario, let’s check on our ASA configuration:

!
hostname ASA1
domain-name popravak.local
enable password OQqIVoru9GknndSk encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0
nameif outside
security-level 0
ip address 11.11.11.10 255.255.255.0
!
interface GigabitEthernet1
nameif inside
security-level 100
ip address 192.168.168.10 255.255.255.0
!
interface GigabitEthernet2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet5
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name popravak.local
access-list OUTSIDE_IN extended permit tcp 11.11.11.0 255.255.255.0 host 192.168.168.12 eq https
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool ANYPOOL1 192.168.169.1-192.168.169.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ACS_RAD protocol radius
aaa-server ACS_RAD (inside) host 192.168.168.12
 key spop123
aaa-server ACS_TAC protocol tacacs+
aaa-server ACS_TAC (inside) host 192.168.168.12
 key spop123
user-identity default-domain LOCAL
aaa authentication telnet console ACS_TAC
aaa authentication ssh console ACS_TAC
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet 0.0.0.0 0.0.0.0 outside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes256-sha1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1.04059-k9.pkg 1
 anyconnect enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
username spop password oTVh.WsU/kcpagMM encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ANYPOOL1
 authentication-server-group ACS_RAD
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
crashinfo save disable

Now, let’s connect with a junior account and verify on the ASA:

ASA1#
ASA1# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : slavisa                Index        : 1
Assigned IP  : 192.168.169.1          Public IP    : 11.11.11.2
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AES256                 Hashing      : none SHA1
Bytes Tx     : 9858                   Bytes Rx     : 12286
Pkts Tx      : 8                      Pkts Rx      : 105
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 12:46:02 UTC Sun Jan 19 2014
Duration     : 0h:00m:38s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID    : 1.1
Public IP    : 11.11.11.2
Encryption   : none                   TCP Src Port : 49214
TCP Dst Port : 443                    Auth Mode    : userPassword
Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
Client Type  : AnyConnect
Client Ver   : 3.1.04059
Bytes Tx     : 4929                   Bytes Rx     : 766
Pkts Tx      : 4                      Pkts Rx      : 1
Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID    : 1.2
Assigned IP  : 192.168.169.1          Public IP    : 11.11.11.2
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: TLSv1.0                TCP Src Port : 49217
TCP Dst Port : 443                    Auth Mode    : userPassword
Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
Client Type  : SSL VPN Client
Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.04059
Bytes Tx     : 4929                   Bytes Rx     : 11692
Pkts Tx      : 4                      Pkts Rx      : 106
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Filter Name  : #ACSACL#-IP-JUNIORS_ACL-52da5aad

NAC:
Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
SQ Int (T)   : 0 Seconds              EoU Age(T)   : 39 Seconds
Hold Left (T): 0 Seconds              Posture Token:
Redirect URL :

ASA1#

And the ACS logs:

[Image ucase6-9: ACS log for the junior user]

We can see that the user is authenticated and assigned the DACL:

#ACSACL#-IP-JUNIORS_ACL-52da5aad

Now let’s see the ASA one more time:

ASA1#
ASA1# show access-l | i JUNIORS
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad; 2 elements; name hash: 0xcc9fe64b (dynamic)
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad line 1 extended deny icmp 192.168.169.0 255.255.255.0 host 192.168.168.11 echo (hitcnt=0) 0xc4f17435
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad line 2 extended permit ip any any (hitcnt=15) 0x4df9433f
ASA1#

We can see that this DACL has no hit counts yet for pinging the domain controller. Let’s change that. From the Windows 7 test PC:

[Image ucase6-10: ping results from the test PC as the junior user]

We can see that pinging the DC fails but pinging the ACS succeeds. Now let’s check the DACL on the ASA:

ASA1#
ASA1# show access-l | i JUNIORS
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad; 2 elements; name hash: 0xcc9fe64b (dynamic)
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad line 1 extended deny icmp 192.168.169.0 255.255.255.0 host 192.168.168.11 echo (hitcnt=1) 0xc4f17435
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad line 2 extended permit ip any any (hitcnt=16) 0x4df9433f
ASA1#
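To make the first-match evaluation of that list concrete, here is an added Python example (not code from the original post or from Cisco) that parses the "show access-list" lines above and evaluates the two pings from the test PC against them; the sample text is constructed from the output shown, and the implicit deny at the end of a DACL is modelled as well.

```python
import ipaddress
import re

# Constructed sample: the JUNIORS_ACL lines as ASA1 prints them in "show access-list".
SHOW_ACCESS_LIST = """\
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad; 2 elements; name hash: 0xcc9fe64b (dynamic)
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad line 1 extended deny icmp 192.168.169.0 255.255.255.0 host 192.168.168.11 echo (hitcnt=1) 0xc4f17435
access-list #ACSACL#-IP-JUNIORS_ACL-52da5aad line 2 extended permit ip any any (hitcnt=16) 0x4df9433f
"""
ACE_RE = re.compile(r"access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*) \(hitcnt=(\d+)\)")

def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_show_access_list(text):
    """Return the access control entries (ACEs) of a 'show access-list' dump, in order."""
    rules = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:  # the summary line ('2 elements; ...') carries no ACE
            continue
        name, num, action, proto, rest, hits = m.groups()
        tokens = rest.split()
        src, dst = _take_addr(tokens), _take_addr(tokens)
        rules.append({"acl": name, "line": int(num), "action": action, "proto": proto,
                      "src": src, "dst": dst, "icmp_type": tokens[0] if tokens else None,
                      "hits": int(hits)})
    return rules

def evaluate(rules, proto, src_ip, dst_ip, icmp_type=None):
    """First matching ACE wins, as on the ASA; a DACL ends with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("ip", proto) or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["icmp_type"] and r["icmp_type"] != icmp_type:
            continue
        return r["action"], r["line"]
    return "deny", None  # nothing matched: implicit deny

if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACCESS_LIST)
    print(evaluate(acl, "icmp", "192.168.169.1", "192.168.168.11", "echo"))  # ('deny', 1)
    print(evaluate(acl, "icmp", "192.168.169.1", "192.168.168.12", "echo"))  # ('permit', 2)
```

The same parser can be run over the SENIORS_ACL output to confirm that the senior list has no deny entry before the permit.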

So our ping is blocked by the DACL. Now let’s test the senior user. First the ASA:

ASA1#
ASA1# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username     : sasa                   Index        : 2
Assigned IP  : 192.168.169.1          Public IP    : 11.11.11.2
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AES256                 Hashing      : none SHA1
Bytes Tx     : 1586720                Bytes Rx     : 183003
Pkts Tx      : 1262                   Pkts Rx      : 901
Pkts Tx Drop : 27                     Pkts Rx Drop : 0
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 13:00:53 UTC Sun Jan 19 2014
Duration     : 0h:00m:30s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID    : 2.1
Public IP    : 11.11.11.2
Encryption   : none                   TCP Src Port : 49236
TCP Dst Port : 443                    Auth Mode    : userPassword
Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
Client Type  : AnyConnect
Client Ver   : 3.1.04059
Bytes Tx     : 4929                   Bytes Rx     : 766
Pkts Tx      : 4                      Pkts Rx      : 1
Pkts Tx Drop : 0                      Pkts Rx Drop : 0

SSL-Tunnel:
Tunnel ID    : 2.2
Assigned IP  : 192.168.169.1          Public IP    : 11.11.11.2
Encryption   : AES256                 Hashing      : SHA1
Encapsulation: TLSv1.0                TCP Src Port : 49239
TCP Dst Port : 443                    Auth Mode    : userPassword
Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
Client Type  : SSL VPN Client
Client Ver   : Cisco AnyConnect VPN Agent for Windows 3.1.04059
Bytes Tx     : 1581791                Bytes Rx     : 182591
Pkts Tx      : 1258                   Pkts Rx      : 904
Pkts Tx Drop : 27                     Pkts Rx Drop : 0
Filter Name  : #ACSACL#-IP-SENIORS_ACL-52da5aa0

NAC:
Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
SQ Int (T)   : 0 Seconds              EoU Age(T)   : 31 Seconds
Hold Left (T): 0 Seconds              Posture Token:
Redirect URL :

ASA1#

On the ACS:

[Image ucase6-11: ACS log for the senior user]

We can see that a different DACL is applied. Let’s try our ping again:

[Image ucase6-12: ping results from the test PC as the senior user]

So, our scenario works 🙂

Thanks for reading!

This entry was posted in AAA, ACS 5.x, ACS/RADIUS/TACACS, ASA, Cisco, Security, WebVPN.