Sunday, June 22, 2014

Auth proxy - ASA

I studied some methods of auth proxy on ASA and ACS. Below you can find few examples:

1) Method no 1

We can match traffic passing through the firewall:
 
access-list TELNET-TRAFFIC extended permit tcp any any eq telnet
aaa authentication match TELNET-TRAFFIC inside TACACS

Once we initiate traffic we will be asked for authentication:
 
[hzw@zeus ~]$ telnet 7.7.7.7
Trying 7.7.7.7...
Connected to 7.7.7.7.
Escape character is '^]'.

Username: user1

Password:



User Access Verification

Password:
R3>

As we see above, first we were asked for ASA proxy authentication and then for telnet password set up on R3.

Let’s check the uauth table:
 
ciscoasa(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'test1' at 192.168.157.130, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ciscoasa(config)# 

The main problem with this method is very limited list of supported protocols/applications: http, https and telnet. If we need to authenticate applications not listed here or applications mentioned earlier but with non default ports we have to use the method no 2.

2) Method no 2

In this example we allow on icmp traffic through the firewall only after authentication:
 
access-list ICMP-TRAFFIC extended permit icmp any any
access-list ICMP-TRAFFIC extended permit tcp any host 192.168.157.135 eq telnet
aaa authentication match ICMP-TRAFFIC inside TACACS

virtual telnet 192.168.157.135

As we see below the ping is not allowed until we telnet on ASA (virtual telnet) and authenticate:
 
[hzw@zeus ~]$ ping 7.7.7.7
PING 7.7.7.7 (7.7.7.7) 56(84) bytes of data.
^C
--- 7.7.7.7 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5441ms

[hzw@zeus ~]$ telnet 192.168.157.135
Trying 192.168.157.135...
Connected to 192.168.157.135.

Escape character is '^]'.

LOGIN Authentication

Username: test1

Password:


Authentication Successful


Connection closed by foreign host.
[hzw@zeus ~]$ ping 7.7.7.7
PING 7.7.7.7 (7.7.7.7) 56(84) bytes of data.
64 bytes from 7.7.7.7: icmp_seq=1 ttl=255 time=29.4 ms
64 bytes from 7.7.7.7: icmp_seq=2 ttl=255 time=28.7 ms
64 bytes from 7.7.7.7: icmp_seq=3 ttl=255 time=37.9 ms
^C
--- 7.7.7.7 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2838ms
rtt min/avg/max/mdev = 28.708/32.023/37.915/4.181 ms
[hzw@zeus ~]$

Let’s check the uauth table:
 
ciscoasa# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'test1' at 192.168.157.130, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ciscoasa# 

3) Method no 3

The next method works as the previous one but it is based on HTTP:
 
access-list HTTP-TRAFFIC permit tcp any any eq 80
aaa authentication match HTTP-TRAFFIC inside TACACS

Once we initiate http traffic to R3 we have to first authenticate against proxy before we see prompt for username and password from R3.

4) Method no 4

We can also enable listener using any port on the firewall interface:
 
aaa authentication listener http inside port 1234

access-list ICMP-TRAFFIC extended permit icmp any any
access-list ICMP-TRAFFIC extended permit tcp any host 192.168.157.134 eq 1234
aaa authentication match ICMP-TRAFFIC inside TACACS

5) Method no 5

In above examples we defined the ACL on ASA. With ACS, the ACL can be downloaded from ACS after authentication.
 
virtual telnet 192.168.157.135

access-list INS permit tcp any host 192.168.157.135 eq telnet
access-group INS in interface inside per-user-override

access-list PROXY permit tcp any host 192.168.157.135 eq telnet

aaa authentication match PROXY inside RADIUS

Now I will add user ‘test1’ and then I have to add ‘Downloadable ACL’: Policy Elements->Authorization and Permissions->Named Permission Objects->Downloadable ACLs. Then the ACL should be attached to ‘Authorization Profiles’: Policy Elements->Authorization and Permissions->Network Access->Authorization Profiles, tab ‘Common Tasks’.

Let’s test it:
 
[hzw@zeus ~]$ telnet 7.7.7.7
Trying 7.7.7.7...
telnet: connect to address 7.7.7.7: Connection refused
[hzw@zeus ~]$

As we see the connection is refused.
 
%ASA-4-106023: Deny tcp src inside:192.168.157.130/34776 dst outside:7.7.7.7/23 by access-group "INS" [0x0, 0x0]

Now, I’m going to telnet on the virtual telnet server:
 
[hzw@zeus ~]$ telnet 192.168.157.135
Trying 192.168.157.135...
Connected to 192.168.157.135.
Escape character is '^]'.

LOGIN Authentication

Username: test1

Password:



Error:  acl authorization denied

Connection closed by foreign host.
[hzw@zeus ~]$

The above error message is caused by lack of ACE for telnet session for virtual telnet IP, but it doesn’t have any impact.

Let’s check the ASA:

%ASA-7-609001: Built local-host outside:192.168.157.135
%ASA-6-302013: Built outbound TCP connection 85 for outside:192.168.157.135/23 (192.168.157.135/23) to inside:192.168.157.130/59034 (192.168.157.130/59034)
%ASA-6-109001: Auth start for user '???' from 192.168.157.130/59034 to 192.168.157.135/23
%ASA-6-113004: AAA user authentication Successful : server =  192.168.157.100 : user = user1
%ASA-6-113008: AAA transaction status ACCEPT : user = user1
%ASA-7-734003: DAP: User user1, Addr 192.168.157.130: Session Attribute aaa.radius["1"]["1"] = user1
%ASA-7-734003: DAP: User user1, Addr 192.168.157.130: Session Attribute aaa.radius["25"]["1"] = CACS:acs54/192082462/478
%ASA-7-734003: DAP: User user1, Addr 192.168.157.130: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
%ASA-7-734003: DAP: User user1, Addr 192.168.157.130: Session Attribute aaa.cisco.username = user1
%ASA-7-734003: DAP: User user1, Addr 192.168.157.130: Session Attribute aaa.cisco.username1 = user1
%ASA-7-734003: DAP: User user1, Addr 192.168.157.130: Session Attribute aaa.cisco.username2 =
%ASA-6-734001: DAP: User user1, Addr 192.168.157.130, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy
 %ASA-7-746012: user-identity: Add IP-User mapping 192.168.157.130 - LOCAL\user1 Succeeded - Cut-through-proxy user
%ASA-2-109011: Authen Session Start: user 'user1', sid 6
%ASA-6-109005: Authentication succeeded for user 'user1' from 192.168.157.130/59034 to 192.168.157.135/23 on interface inside
%ASA-6-302014: Teardown TCP connection 85 for outside:192.168.157.135/23 to inside:192.168.157.130/59034(LOCAL\user1) duration 0:00:04 bytes 132 TCP FINs (user1)
%ASA-7-609002: Teardown local-host outside:192.168.157.135 duration 0:00:04

As we see the user is authenticated now and he should be able to telnet on R3:
 
ciscoasa# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'user1' at 192.168.157.130, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ciscoasa# 

[hzw@zeus ~]$ telnet 7.7.7.7
Trying 7.7.7.7...
Connected to 7.7.7.7.
Escape character is '^]'.


User Access Verification

Password:
R3>

We can also verify if the ACLs are downloaded on ASA:
 
access-list #ACSACL#-IP-test1-539c81be; 1 elements; name hash: 0x721aca2c (dynamic)
access-list #ACSACL#-IP-test1-539c81be line 1 extended permit tcp any host 7.7.7.7 (hitcnt=1) 0x1234415f

6) Method no 6

This way is very similar to above one with one difference. Instead of downloading the ACL from ACS we can call it by name set up in ‘Authorization Profile’. Sometimes it is much easier to manage ACLs on device.
On the ASA I add below ACE:
 
access-list test1-option6 extended permit tcp any host 7.7.7.7 eq telnet

and on ACS, ‘Authorization Profile’, ‘Common Tasks’ tab, I set above ACL: ‘Filter-ID ACL’ - value = ‘test1-option6’

Let’s test the proxy:
 
[hzw@zeus ~]$ telnet 192.168.157.135
Trying 192.168.157.135...
Connected to 192.168.157.135.
Escape character is '^]'.

LOGIN Authentication

Username: test1

Password:



Error:  acl authorization denied

Connection closed by foreign host.
[hzw@zeus ~]$

On ASA we can see:
 
%ASA-7-609001: Built local-host outside:192.168.157.135
%ASA-6-302013: Built outbound TCP connection 127 for outside:192.168.157.135/23 (192.168.157.135/23) to inside:192.168.157.130/59051 (192.168.157.130/59051)
%ASA-6-109001: Auth start for user '???' from 192.168.157.130/59051 to 192.168.157.135/23
%ASA-6-113004: AAA user authentication Successful : server =  192.168.157.100 : user = test1
%ASA-6-113008: AAA transaction status ACCEPT : user = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.radius["1"]["1"] = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.radius["6"]["1"] = 6
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.radius["11"]["1"] = test1-option6
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.radius["25"]["1"] = CACS:acs54/192082462/518
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.radius["4316"]["1"] = 15
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.username = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.username1 = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.username2 =
%ASA-6-734001: DAP: User test1, Addr 192.168.157.130, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy
 %ASA-7-746012: user-identity: Add IP-User mapping 192.168.157.130 - LOCAL\test1 Succeeded - Cut-through-proxy user
%ASA-2-109011: Authen Session Start: user 'test1', sid 10
%ASA-6-109005: Authentication succeeded for user 'test1' from 192.168.157.130/59051 to 192.168.157.135/23 on interface inside
%ASA-6-109025: Authorization denied (acl=test1-option6) for user 'test1' from 192.168.157.130/59051 to 192.168.157.135/23 on interface inside using tcp
%ASA-6-302014: Teardown TCP connection 127 for outside:192.168.157.135/23 to inside:192.168.157.130/59051(LOCAL\test1) duration 0:00:04 bytes 139 TCP FINs (test1)
%ASA-7-609002: Teardown local-host outside:192.168.157.135 duration 0:00:04

[hzw@zeus ~]$ telnet 7.7.7.7
Trying 7.7.7.7...
Connected to 7.7.7.7.
Escape character is '^]'.


User Access Verification

Password:
R3>

as we see the above telnet session was allowed by the new ACL:
 
access-list test1-option6; 1 elements; name hash: 0x57e96d62
access-list test1-option6 line 1 extended permit tcp any host 7.7.7.7 eq telnet (hitcnt=1) 0x615278b5
 
7) Method no 7

The next method will use cisco-av-pair attribute.
 
ip:inacl#=permit tcp any host 7.7.7.7
6ip:inacl#=permit tcp any host 192.166.157.135

[hzw@zeus ~]$ telnet 192.168.157.135
Trying 192.168.157.135...
Connected to 192.168.157.135.
Escape character is '^]'.

LOGIN Authentication

Username: test1

Password:



Authentication Successful

Connection closed by foreign host.
[hzw@zeus ~]$
 
ciscoasa(config)# %ASA-7-609001: Built local-host inside:192.168.157.130
%ASA-7-609001: Built local-host outside:192.168.157.135
%ASA-6-302013: Built outbound TCP connection 131 for outside:192.168.157.135/23 (192.168.157.135/23) to inside:192.168.157.130/59062 (192.168.157.130/59062)
%ASA-6-109001: Auth start for user '???' from 192.168.157.130/59062 to 192.168.157.135/23
%ASA-7-609001: Built local-host identity:192.168.157.134
%ASA-7-609001: Built local-host inside:192.168.157.100
%ASA-6-302015: Built outbound UDP connection 132 for inside:192.168.157.100/1645 (192.168.157.100/1645) to identity:192.168.157.134/1025 (192.168.157.134/1025)
%ASA-6-113004: AAA user authentication Successful : server =  192.168.157.100 : user = test1
%ASA-6-113008: AAA transaction status ACCEPT : user = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.radius["1"]["1"] = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.radius["25"]["1"] = CACS:acs54/192082462/521
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.grouppolicy = DfltGrpPolicy
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.username = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.username1 = test1
%ASA-7-734003: DAP: User test1, Addr 192.168.157.130: Session Attribute aaa.cisco.username2 =
%ASA-6-734001: DAP: User test1, Addr 192.168.157.130, Connection Cut-Through-Proxy: The following DAP records were selected for this connection: DfltAccessPolicy
 %ASA-7-746012: user-identity: Add IP-User mapping 192.168.157.130 - LOCAL\test1 Succeeded - Cut-through-proxy user
%ASA-2-109011: Authen Session Start: user 'test1', sid 11
%ASA-6-109005: Authentication succeeded for user 'test1' from 192.168.157.130/59062 to 192.168.157.135/23 on interface inside
%ASA-6-302014: Teardown TCP connection 131 for outside:192.168.157.135/23 to inside:192.168.157.130/59062(LOCAL\test1) duration 0:00:04 bytes 139 TCP FINs (test1)
%ASA-7-609002: Teardown local-host outside:192.168.157.135 duration 0:00:04

once we telnet on R3 we see the ACL is working fine:
 
ciscoasa(config)# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'test1' at 192.168.157.130, authenticated
   access-list AAA-user-test1-65C10808 (*)
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ciscoasa(config)#



access-list AAA-user-test1-65C10808; 2 elements; name hash: 0x8f7332c0 (dynamic)
access-list AAA-user-test1-65C10808 line 1 extended permit tcp any host 7.7.7.7 (hitcnt=1) 0x5c1a96f3
access-list AAA-user-test1-65C10808 line 2 extended permit tcp any host 192.168.157.135 (hitcnt=1) 0xc9600de4

You can also notice that the ACLs, which are downloaded from ACS, have different names depending on the method.

8) Method no 8

The last presented method uses TACACS protocol and user will be authenticated transparently.
 
access-list PROXY-AUTHE extended permit tcp any host 7.7.7.7 eq telnet
access-list PROXY-AUTHO extended permit tcp any host 7.7.7.7 eq telnet

aaa authentication match PROXY-AUTHE inside TACACS
aaa authorization match PROXY-AUTHO inside TACACS

On ACS we need user with ‘command set’ = ‘pemit telnet 7.7.7.7’ and shell profiles ‘permit access’ (default one).

Let’s test it:
I start telnet to R3 (7.7.7.7) and before I get R3 prompt I have to authorize on ASA:
 
[hzw@zeus ~]$
[hzw@zeus ~]$ telnet 7.7.7.7
Trying 7.7.7.7...
Connected to 7.7.7.7.
Escape character is '^]'.

Username: test1

Password:


User Access Verification

Password:
R5>

Let’s check ASA:
 
ciscoasa# sh uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'test1' at 192.168.157.130, authorized to:
   port 7.7.7.7/telnet
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00
ciscoasa#

As you see, there are plenty of different methods how to implement proxy on ASA. You should also remember that ASA is not a real proxy server. If you need more functionality you should try WSA (IronPort).

No comments:

Post a Comment