Solved

Router ACL to match user against AD

Posted on 2014-01-08
Last Modified: 2014-01-29
Hi Experts

I am wondering if there is a way in which I can configure Cisco router access lists which will basically match users against AD instead of the traditional way, IP and port.

I am up against a challenge on a remote site which needs to be tackled in the above way rather than just allowing access to certain stations on the remote LAN side based on source IP and port.

Thanks
Question by:lomaree
Expert Comment

by:Gareth Gudger
ID: 39766907
Not that I am aware of. What are you trying to accomplish? Maybe there is another solution that can accomplish your end goal.
Author Comment

by:lomaree
ID: 39768687
That's what I think too.

Basically the plan is that we have two subnets or VLANs on the remote site, one being the corporate data (VLAN 10) and the other being used for specific applications (VLAN 20).

Initially the request was that if certain important users from the HO access the specific application network (VLAN 20), then based on the ACL on the source host IP address I was able to control the access, i.e. who can come in and out. Easy enough.

Now they are asking: what if they want to provide access to VLAN 20 to certain contractors or outsiders as well, and if the HO office users change stations, meaning a change in IP address, can I still control the access in and out?

Let me know if that makes sense... thanks
Accepted Solution

by: Cyclops3590 (earned 500 total points)
ID: 39768872
First off, these are just my thoughts based on what you've described so far, so I can't say for sure they'd work in your environment.

There are a few options I would research:

1) 802.1x approach.

I would create a PKI environment with Windows IAS (or some AAA system) that was certificate based. I would then enable 802.1x on my switches and APs to put the ones that pass into VLAN 30 (create a new VLAN for them). Then just put in the firewall that VLAN 30 can access VLAN 20 and VLAN 10.

The positive of this approach is that you can keep group membership up to date in AAA pretty easily, adding/removing as needed. However, setting up everything to support this option is difficult and most likely overkill.

2) VPN approach.

Make VLAN 20 accessible only via VPN and give credentials only to those that need access.

While this is easier to set up and maintain, it's not as transparent to the users and can be a pain sometimes. Depending on what you have, you might be able to get the VPN to dynamically create itself if necessary, but then it's more complexity.

3) DHCP reservation based on MAC

Only allow certain IPs to access VLAN 20 and put in DHCP reservations for anyone that needs access. However, to protect VLAN 20 a little more you'd need to put MAC-to-IP mappings in the ARP cache of the firewall as well, so someone can't just statically assign an allowed IP to gain access.

This provides transparency to the user and a simple network implementation, but can be laborious to maintain.

4) Reverse Proxy (Load Balancer) approach

Set up a reverse proxy and only grant that server access to VLAN 20. Push all users through that and configure it to authenticate users, and only those that pass can send requests through the proxy.

While this ensures authentication better than the other methods and can provide reasonable security and user transparency, it again overcomplicates the network configuration, as now you still have to maintain group membership and possibly an AAA system, as well as the proxy configuration so that requests get forwarded to the correct VLAN 20 systems.

5) App security approach

This really depends on what systems you have in VLAN 20. You could just add user authentication to those systems and let that take care of it, but without knowing what is there it's hard to say if this is possible.


Like I said, these are just thoughts based on what you've mentioned so far. It's hard to make a good recommendation though without knowing a couple of things:
1) what applications are in VLAN 20 that you are trying to secure
2) what application layer security features are available

Basically, do you really need to firewall based on IPs, or can you just allow anyone and then provide application layer authentication instead?
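Options 1 and 3 above are the two that live in switch and router configuration, so here is what they look like in Cisco IOS. This is an added example written for this page; it is not the answerer's configuration and not something the thread contains. Everything concrete in it is assumed: VLAN 10 = 10.1.10.0/24 (corporate data), VLAN 20 = 10.1.20.0/24 (applications), VLAN 30 = 10.1.30.0/24 (the new VLAN for users who pass 802.1x), a RADIUS/IAS server at 10.1.0.5, an AD group called VLAN20-Access, the interface names, and the MAC address in the option 3 part.

```cisco
! ===== Option 1: 802.1x with RADIUS-assigned VLAN (switch side) =====
! Assumed: IAS/NPS at 10.1.0.5 authenticates the user's certificate and,
! for members of the AD group "VLAN20-Access", returns the standard
! RADIUS tunnel attributes that move the port into VLAN 30:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = "30"
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server IAS
 address ipv4 10.1.0.5 auth-port 1812 acct-port 1813
 key <shared-secret>
dot1x system-auth-control
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! ===== Router / firewall side: only VLAN 30 may reach VLAN 20 =====
! Applied outbound on the VLAN 20 SVI, so it filters everything the router
! forwards INTO VLAN 20 regardless of which VLAN it came from.
ip access-list extended PROTECT-VLAN20
 permit ip 10.1.30.0 0.0.0.255 10.1.20.0 0.0.0.255
 deny   ip 10.1.10.0 0.0.0.255 10.1.20.0 0.0.0.255 log
 deny   ip any any
!
interface Vlan20
 description application VLAN (assumed 10.1.20.0/24)
 ip address 10.1.20.1 255.255.255.0
 ip access-group PROTECT-VLAN20 out
!
! ===== Option 3 variant: DHCP reservation plus a pinned ARP entry =====
! Assumed: 10.1.10.50 is reserved in DHCP for MAC 0011.2233.4455 and is
! one of the "allowed" source IPs in the ACL. Pinning the mapping on the
! router means a host that statically takes 10.1.10.50 with another MAC
! never receives the return traffic.
arp 10.1.10.50 0011.2233.4455 arpa
```

To check that a port really landed in VLAN 30, use `show authentication sessions interface GigabitEthernet1/0/1` (or `show dot1x interface GigabitEthernet1/0/1`) on the switch, and `show ip access-lists PROTECT-VLAN20` on the router to watch the hit counters on the permit and deny lines. The `aaa authorization network` line is what lets the switch honour the VLAN returned by RADIUS; without it the port stays in VLAN 10 even after a successful authentication. Note the limit of the option 3 ARP pin: it only controls where the router sends replies, so a spoofer with the allowed IP can still send packets into VLAN 20, it just cannot complete a TCP handshake or read responses.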
Expert Comment

by:Cyclops3590
ID: 39817549
Just for future reference: if you're going to give a less than 'A' grade, it would be nice if you replied to the comments first, if you needed further clarification. Thanks.