

Router ACL to match user against AD

Posted on 2014-01-08
Medium Priority
Last Modified: 2014-01-29
Hi Experts

I am wondering if there is a way in which I can configure Cisco router access lists which will basically match users against AD instead of the traditional way of IP and port.

I am up against a challenge on a remote site which needs to be tackled in the above way rather than just allowing access to certain stations inside the remote LAN side based on source IP and port.

Question by:lomaree
LVL 31

Expert Comment

by:Gareth Gudger
ID: 39766907
Not that I am aware of. What are you trying to accomplish? Maybe there is another solution that can accomplish your end goal.

Author Comment

ID: 39768687
That's what I think too.

Basically, the plan is that we have two subnets or vlans on the remote site, one being the corporate data (vlan 10) and the other being used for specific applications (vlan 20).

Initially the request was that if certain important users from the HO access the specific application network (vlan 20), then based on the ACL on the source host IP address I was able to control the access, i.e. who can come in and out. Easy enough.

Now they are asking: what if they want to provide access to vlan 20 to certain contractors or outsiders as well, and if the HO office users change stations (meaning a change in IP address), can I still control the access in and out?

Let me know if that makes sense ... thanks.
LVL 25

Accepted Solution

Cyclops3590 earned 1000 total points
ID: 39768872
First off, these are just my thoughts based on what you've described so far, so I can't say for sure they'd work in your environment.

There are a few options I would research:

1) 802.1x approach.

I would create a PKI environment with Windows IAS (or some AAA system) that was certificate based. I would then enable 802.1x on my switches and APs to put the ones that pass into vlan 30 (create a new vlan for them). Then just put in the firewall that vlan 30 can access vlan 20 and vlan 10.

The positive of this approach is that you can keep a group membership up to date in AAA pretty easily, adding/removing as needed. However, setting up everything to support this option is difficult and most likely overkill.

2) vpn approach.

Make vlan 20 accessible only via VPN and give credentials only to those that need access.

While this is easier to set up and maintain, it's not as transparent to the users and can be a pain sometimes. Depending on what you have you might be able to get the VPN to dynamically create itself if necessary, but then it's more complexity.

3) dhcp reservation based on mac

Only allow certain IPs to access vlan 20 and put in DHCP reservations for anyone that needs access. However, to protect vlan 20 a little more you'd need to put MAC-to-IP mappings in the ARP cache of the firewall as well, so someone can't just statically assign an allowed IP to gain access.

This provides transparency to the user and a simple network implementation, but can be laborious to maintain.

4) Reverse Proxy (Load Balancer) approach

Set up a reverse proxy and only grant that server access to vlan 20. Push all users through that and configure it to authenticate users, and only those that pass can send requests through the proxy.

While this ensures authentication better than the other methods and can provide reasonable security and user transparency, it again overcomplicates the network configuration, as now you still have to have a group membership to maintain and possibly an AAA system, as well as the proxy configuration so that requests get forwarded to the correct vlan 20 systems.

5) app security approach

This really depends on what systems you have in vlan 20. But you could just add user authentication to those systems and let that take care of it; without knowing what is there it's hard to say if this is possible.

Like I said, these are just thoughts based on what you've mentioned so far. It's hard to make a good recommendation though without knowing a couple of things:
1) what applications are in vlan 20 that you are trying to secure
2) what application layer security features are available
Basically, do you really need to firewall based on IPs, or can you just allow anyone and then provide application layer authentication instead?
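Options 1 and 3 from the answer above, sketched as Cisco IOS configuration. This is an added example, not configuration from the original answer or from any product the thread names: the vlan 30 number is the one the answer proposes, while the addresses, interface names, RADIUS server address, shared secret, host address and MAC address are constructed placeholders. The 802.1x part runs on the access switch; the ACL and ARP entry run on the router/firewall that routes between the vlans.

```cisco
! ---- Option 1: 802.1x with dynamic VLAN assignment (access switch) ----
! The AAA server (Windows IAS or another RADIUS server doing EAP-TLS against
! the PKI) authenticates the user's certificate and returns the VLAN it should
! land in. Members of the "vlan20-access" group get vlan 30; everyone else
! stays in the corporate data vlan 10.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server AAA-EXAMPLE
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key SHARED-SECRET-PLACEHOLDER
dot1x system-auth-control
!
vlan 30
 name AUTHENTICATED-ACCESS
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ! hosts that fail or cannot do 802.1x stay in the corporate data vlan
 authentication event fail action authorize vlan 10
!
! The AAA server's policy for the "vlan20-access" group returns the RFC 3580
! VLAN attributes:
!   Tunnel-Type = VLAN (13)
!   Tunnel-Medium-Type = IEEE-802 (6)
!   Tunnel-Private-Group-ID = 30
!
! ---- Router/firewall ACL used by both options (outbound on the vlan 20 SVI) ----
! Only the listed sources are routed into vlan 20; everything else is dropped
! and logged. Applying it outbound on Vlan20 means it filters traffic entering
! the protected network regardless of which vlan it came from.
ip access-list extended VLAN20-IN
 remark option 1: the whole authenticated vlan 30 may reach vlan 20
 permit ip 10.0.30.0 0.0.0.255 10.0.20.0 0.0.0.255
 remark option 3: one DHCP-reserved host address may reach vlan 20
 permit ip host 10.0.10.50 10.0.20.0 0.0.0.255
 deny   ip any 10.0.20.0 0.0.0.255 log
!
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
 ip access-group VLAN20-IN out
!
! ---- Option 3: pin the reserved address to its MAC on the router ----
! The DHCP server reserves 10.0.10.50 for MAC 0011.2233.4455 (placeholder).
! The static ARP entry makes the router send replies for that address only to
! that MAC, so a host that simply self-assigns 10.0.10.50 does not get a
! working session into vlan 20.
arp 10.0.10.50 0011.2233.4455 ARPA
```

The static ARP entry only controls where the router sends its replies for 10.0.10.50; it is not a port-level binding and does nothing about traffic that never needs a reply, which is why the answer calls this option weaker and more laborious than option 1. With option 1 the per-user decision lives entirely in the AAA group, so adding or removing a contractor never touches the switch or the ACL.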
LVL 25

Expert Comment

ID: 39817549
Just for future reference. If you're going to give a less than 'A' grade, it would be nice if you replied to the comments if you needed further clarification. Thanks
