topic ASA Identity Firewall in Network Access Control

ASA Identity Firewall

ashley_dew — Mon, 11 Mar 2019 02:28:17 GMT

Hi,

I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.

I have installed the ADAgent on a domain member Win2008 and configured as follows:

aaa-server ADAGENT_SERVER protocol radius

ad-agent-mode

aaa-server ADAGENT_SERVER (VPN) host 172.17.v.x key *****

I have configured the LDAP connection to the DC as follows:

aaa-server DOMAIN_SERVER protocol ldap

aaa-server DOMAIN_SERVER (VPN) host 172.17.v.z

ldap-base-dn DC=YYY,DC=local

ldap-scope subtree

ldap-login-password *****

ldap-login-dn vvvvv

server-type microsoft

The identity config is as follows:

user-identity domain YYY aaa-server DOMAIN_SERVER

user-identity default-domain YYY

user-identity action netbios-response-fail remove-user-ip

user-identity logout-probe netbios local-system

user-identity ad-agent aaa-server ADAGENT_SERVER

user-identity user-not-found enable

access-list 122 extended permit ip user YYY\ashdew any any

where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.

The ADagent has been properly tested and ASA can register to it.

The ASA can connect to AD DC controller and query user database.

I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.

The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity

Do I need to add extra rules in the access-list 122 to permit trafic to DC?

Can I check on the AD Agent if it can retrieve the user to ip mapping ?

Thanks

Ashley

ASA Identity Firewall

Karsten Iwen — Tue, 28 Aug 2012 06:33:31 GMT

The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity

When the Domain-Controller doesn't see the authentication of the user, the ASA can never know that the user has a particular IP to allow the traffic. The Identity Firewall needs that Domain-Login-information to work,

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA Identity Firewall

ashley_dew — Tue, 28 Aug 2012 06:42:39 GMT

Hi Karsten,

Thanks for the advise,

So do I need to allow flows from the laptop to the DC,DNS for authentication ?

So, my access-list should include at least where 172.17.x.y is the DC.

access-list 122 extended permit ip user YYY\ashdew any any

access-list 122 extended permit ip 172.17.137.0 255.255.255.0 172.17.x.y

Is the sequencing ok? Or do I need to allow traffic to the DC first?

Thanks,

Ashley

ASA Identity Firewall

ashley_dew — Tue, 28 Aug 2012 07:03:26 GMT

Hi,

Please note that our user ADAgent User IP mapping cache remains 0 but the AD agent DC list status is up on the ASA.

Thanks

Ashley

ASA Identity Firewall

Karsten Iwen — Tue, 28 Aug 2012 07:14:29 GMT

To use the identity-firewall the user needs to authenticate to the domain. So the user needs the right to reach a domain-controller. This has to be configured with the IP-addresses in the ACL. After the user authenticates, the AD-Agent can see the successfull login on the DC-log and add the IP of the user to the mapping cache.

Depending on the systems you have on your DMZ it could be the wrong way to do that. If a system in the DMZ gets compromized, it can attack your domain-controller, so your DMZ not really is one.

In that solution the usage of the old and unloved cut-through-proxy could be the better way to achieve your goal.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

ASA Identity Firewall

ashley_dew — Tue, 28 Aug 2012 07:32:28 GMT

Thanks Karsten,

Great its clear now. I know the DMZ seems a bit odd. Actually, the DMZ is only accessible through the any-connect VPN.

In the DMZ, we will have a citrix farm to access internal resources through identity management.

We are testing with a laptop in the first place.

Now, we have allowed in the acl to access AD, the laptop authenticates in the domain but then all connections are refused since the AD Agent is not retrieving the mapping.

Is there a way to check if the ADAgent is properly retrieved the mapping. We suspect the problem is here.

We did a capture on the ASA and we have found that the ASA contact the ADAgent when the user authenticates but then ADAgent does not return any ip mapping. The ASA sees the user as ip as user-not -found .

Thanks again for your help,

Ashley

ASA Identity Firewall

eshabat — Tue, 28 Aug 2012 08:43:13 GMT

Hi Ashley,

You need to make sure the domain controller is configured appropriately, please follow the instructions mentioned here:

http://www.cisco.com/en/US/docs/security/ibf/setup_guide/ibf10_install.html#wp1058066 (Configuring AD Agent to Obtain Information from AD Domain Controllers)

I suggest to first verify login events are generated in the security event log of the domain controller. In Windows 2008 you will need to see event with ID number 4768. If they are not, you will need to change the audit policy as described in the link above.