Router ACL to match user against AD

Hi Experts

I am wondering if there is a way in which I can configure Cisco Router access lists that will basically match the user against AD instead of the traditional way of IP and port.

I am up against a challenge on a remote site which needs to be tackled in the above way rather than just allowing access to certain stations inside the remote LAN side based on source IP and port.


Gareth Gudger, Solution Architect, commented:
Not that I am aware of. What are you trying to accomplish? Maybe there is another solution that can accomplish your end goal.
lomaree (Author) commented:
That's what I think too

Basically, the plan is that we have two subnets or VLANs on the remote site, one being the corporate data (VLAN 10) and the other being used for specific applications (VLAN 20).

Initially the request was that, if certain important users from the HO access the specific application network (VLAN 20), then based on the ACL on the source host IP address I was able to control the access, i.e. who can come in and out. Easy enough.

Now they are asking: what if they want to provide access to VLAN 20 to certain contractors or outsiders as well, and if the HO office users change station, meaning a change in IP address, can I still control the access in and out?

Let me know if that makes sense ... thanks
Cyclops3590, Sr Software Engineer, commented:
First off, these are just my thoughts based on what you've described so far, so I can't say for sure they'd work in your environment.

There are a few options I would research:

1) 802.1x approach.

I would create a PKI environment with Windows IAS (or some AAA system) that was certificate based. I would then enable 802.1x on my switches and APs to put the ones that pass into VLAN 30 (create a new VLAN for them). Then just put in the firewall that VLAN 30 can access VLAN 20 and VLAN 10.

The positive of this approach is that you can keep a group membership up to date in AAA pretty easily, adding/removing as needed. However, setting up everything to support this option is difficult and most likely overkill.

2) VPN approach.

Make VLAN 20 accessible only via VPN and give credentials only to those that need access.

While this is easier to set up and maintain, it's not as transparent to the users and can be a pain sometimes. Depending on what you have, you might be able to get the VPN to dynamically create itself if necessary, but then it's more complexity.

3) DHCP reservation based on MAC.

Only allow certain IPs to access VLAN 20 and put in DHCP reservations for anyone that needs access. However, to protect VLAN 20 a little more, you'd need to put MAC-to-IP mappings in the ARP cache of the firewall as well, so someone can't just statically assign an allowed IP to gain access.

This provides transparency to the user and a simple network implementation, but can be laborious to maintain.

4) Reverse Proxy (Load Balancer) approach

Set up a reverse proxy and only grant that server access to VLAN 20. Push all users through that and configure it to authenticate users; only those that pass can send requests through the proxy.

While this ensures authentication better than the other methods and can provide reasonable security and user transparency, it again overcomplicates the network configuration, as you still have a group membership to maintain and possibly an AAA system, as well as the proxy configuration so that requests get forwarded to the correct VLAN 20 systems.

5) App security approach.

This really depends on what systems you have in VLAN 20, but you could just add user authentication to those systems and let that take care of it. Without knowing what is there, it's hard to say if this is possible.

Like I said, these are just thoughts based on what you've mentioned so far. It's hard to make a good recommendation, though, without knowing a couple of things:
1) what applications are in VLAN 20 that you are trying to secure
2) what application layer security features are available
Basically, do you really need to firewall based on IPs, or can you just allow anyone and then provide application layer authentication instead?
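Added illustration of option 3 above (allow-listed source IPs, DHCP reservations and static ARP on the gateway) as Cisco IOS configuration; this is not from the thread or from any poster, and all addresses, MACs and names are constructed placeholders. It assumes the router is the gateway and DHCP server for VLAN 10 and VLAN 20.

```cisco
! Constructed example: VLAN 10 = corporate data, VLAN 20 = application network.
! Only hosts with a DHCP reservation are allowed into VLAN 20.

! Pool for ordinary VLAN 10 clients
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp pool VLAN10-CORP
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
!
! Manual binding: approved user's MAC always gets 10.10.10.11
! (client-identifier = 01 + MAC, the form DHCP clients send)
ip dhcp pool RESERVED-USER1
 host 10.10.10.11 255.255.255.0
 client-identifier 0100.1122.3344.55
 default-router 10.10.10.1
!
! Static ARP on the gateway: a host that statically assigns 10.10.10.11
! with a different MAC never receives the return traffic
arp 10.10.10.11 0011.2233.4455 arpa
!
! Reserved hosts reach VLAN 20; any other source bound for VLAN 20 is
! dropped and logged; all remaining VLAN 10 traffic is unaffected
ip access-list extended VLAN20-ALLOWED
 permit ip host 10.10.10.11 10.10.20.0 0.0.0.255
 deny   ip any 10.10.20.0 0.0.0.255 log
 permit ip any any
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN20-ALLOWED in
!
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
```

The static ARP entry defeats a plain IP squat but not a cloned MAC, so on the access switch DHCP snooping with IP Source Guard is the stronger enforcement point; the `log` keyword on the deny line gives the syslog trail to spot attempts.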

Cyclops3590, Sr Software Engineer, commented:
Just for future reference: if you're going to give a less than 'A' grade, it would be nice if you replied to the comments if you need further clarification. Thanks