Friday, October 1, 2010

ASA – CTP (Cut-Through Proxy) with AAA


In some circumstances, using an ACL to control access is not enough:

For example, you have two user groups – Finance and HR – and two server groups – Finance and HR. You want the Finance group to reach the Finance servers but not the HR servers, and vice versa: HR users may reach only the HR servers, not the Finance servers. If the users get their addresses from DHCP, how can you enforce that restriction with address-based ACLs alone?

The solution is CTP with AAA. Think of it as an extra lock on the servers whose key is a username/password. After a connection passes the interface ACL, the ASA prompts the user to authenticate if CTP is enabled for that traffic.

CTP - Authentication

  • CTP supports the FTP, Telnet, HTTP and HTTPS protocols.
  • CTP supports multiple concurrent proxy connections; the number can be limited with the ‘aaa proxy-limit’ command.
  • The authentication prompt can be customized with the ‘auth-prompt {accept | reject | prompt} prompt_string’ command.
  • Authentication timeouts are controlled with the ‘timeout uauth hh:mm:ss [absolute | inactivity]’ command.
  • CTP authentication for the HTTP protocol
    1. Basic Auth (HTTP/HTTPS): ideal if the destination web server also requests Basic Auth and the credentials are identical, because the user only has to enter them once.
    2. Internal Web (HTTP/HTTPS):
  • Two ways to configure CTP authentication
    1. aaa authentication {include | exclude}
    2. aaa authentication match (preferred method)
  • To control access for applications CTP cannot prompt on
    1. virtual telnet
    2. virtual http


CTP – Authorization

There are two main problems with CTP authentication:

  • Users need to access multiple internal devices, but with CTP authentication alone the user has to authenticate to each individual device.
  • CTP authentication is global: once a user authenticates, he can access every requested service; in other words, you cannot control who accesses which service.


CTP authorization options

  • Classic method
    • Only supports TACACS+ with ACS.
    • Disadvantage: each connection the authenticated user opens incurs an initial delay while the policy lookup occurs.
    • Advantage: a policy change on the AAA server takes effect immediately.
  • Downloadable ACLs (newer and preferred)
    • AAA authenticates the user; if authentication succeeds, ACS sends the name of the ACL to the appliance.
    • The appliance checks whether that ACL has already been downloaded and either reuses it or downloads it from ACS.
    • The downloaded ACL determines what the user can access; the interface ACL is ignored for that user's traffic.
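The following ASA configuration ties the authentication and authorization pieces above to the Finance/HR scenario from the introduction. It is an added example, not configuration from the post or the book it cites; the addresses, object and server-group names, shared secret and the virtual telnet address are assumed.

```text
! Added example for the Finance/HR scenario; not from the post or its book.
! Addresses, object names, server tags and the virtual address are assumed.
aaa-server ACS-TAC protocol tacacs+
aaa-server ACS-TAC (inside) host 10.1.1.10
 key <shared-secret-placeholder>
!
! Users and servers of both groups; CTP can only prompt on these protocols
object-group network USER-SUBNETS
 network-object 10.10.0.0 255.255.0.0
 network-object 10.20.0.0 255.255.0.0
object-group network SERVER-SUBNETS
 network-object 10.100.1.0 255.255.255.0
 network-object 10.100.2.0 255.255.255.0
object-group service CTP-PORTS tcp
 port-object eq telnet
 port-object eq ftp
 port-object eq www
 port-object eq https
access-list CTP-AUTH extended permit tcp object-group USER-SUBNETS object-group SERVER-SUBNETS object-group CTP-PORTS
!
! Authentication (preferred "match" form): prompt on matching connections
! entering the inside interface; the interface ACL is still checked first
aaa authentication match CTP-AUTH inside ACS-TAC
aaa proxy-limit 16
timeout uauth 0:30:00 inactivity
auth-prompt prompt Finance/HR server access - please log in
auth-prompt accept Access granted
auth-prompt reject Access denied
!
! For applications CTP cannot prompt on: the user first telnets to this
! unused address, authenticates, and only then opens the real connection
virtual telnet 10.1.1.254
!
! Authorization, classic method (TACACS+ only): every new connection is
! checked against the ACS policy, so each one pays a lookup delay
aaa authorization match CTP-AUTH inside ACS-TAC
!
! Alternative, downloadable ACL: ACS returns a named ACL for the user at
! login (delivered over RADIUS, so the aaa-server group would then be a
! RADIUS group); per-user-override makes it replace the interface ACL for
! that user's traffic. Use this instead of the classic line above.
access-list INSIDE-IN extended permit ip any any
access-group INSIDE-IN in interface inside per-user-override
```

With this in place, a Finance user authenticating from a DHCP-assigned address is still confined to the Finance servers, because the policy follows the username rather than the source IP.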


Reference:

http://www.amazon.com/Cisco-Configuration-Networking-Professionals-Library/dp/0071622691/ref=sr_1_2?ie=UTF8&s=books&qid=1285924140&sr=8-2-spell
