Router ACL to match user against AD

Hi Experts

I am wondering if there is a way in which I can configure a Cisco router access list which will basically match the user against AD instead of the traditional way, IP and port.

I am up against a challenge on a remote site which needs to be tackled in the above way rather than just allowing access to certain stations inside the remote LAN side based on source IP and port.

1 Solution
Gareth Gudger Commented:
Not that I am aware of. What are you trying to accomplish? Maybe there is another solution that can accomplish your end goal.
lomaree (Author) Commented:
That's what I think too

Basically, the plan is that we have two subnets or VLANs on the remote site, one being the corporate data (VLAN 10) and the other being used for specific applications (VLAN 20).

Initially the request was that if certain important users from the HO access the specific application network (VLAN 20), then based on the ACL on the source host IP address I was able to control the access, i.e. who can come in and out. Easy enough.

Now they are asking: what if they want to provide access to VLAN 20 to certain contractors or outsiders as well, and if the HO office users change station (meaning a change in IP address), can I still control the access in and out?

Let me know if that makes sense... thanks
First off, these are just my thoughts based on what you've described so far, so I can't say for sure they'd work in your environment.

There are a few options I would research:

1) 802.1x approach.

I would create a PKI environment with Windows IAS (or some AAA system) that was certificate based.  I would then enable 802.1x on my switches and APs to put the ones that pass into VLAN 30 (create a new VLAN for them).  Then just put in the firewall that VLAN 30 can access VLAN 20 and VLAN 10.

The positive of this approach is that you can keep a group membership up to date in AAA, pretty easy to add/remove as needed.  However, setting up everything to support this option is difficult and most likely overkill.

2) VPN approach.

Make VLAN 20 accessible only via VPN and give credentials only to those that need access.

While this is easier to set up and maintain, it's not as transparent to the users and can be a pain sometimes.  Depending on what you have, you might be able to get the VPN to dynamically create itself if necessary, but then it's more complexity.

3) DHCP reservation based on MAC

Only allow certain IPs to access VLAN 20 and put in DHCP reservations for anyone that needs access.  However, to protect VLAN 20 a little more you'd need to put MAC-to-IP mappings in the ARP cache of the firewall as well so someone can't just statically assign an allowed IP to gain access.

This provides transparency to the user and a simple network implementation, but can be laborious to maintain.

4) Reverse Proxy (Load Balancer) approach

Set up a reverse proxy and only grant that server access to VLAN 20.  Push all users through that and configure it to authenticate users, and only those that pass can send requests through the proxy.

While this ensures authentication better than other methods and can provide reasonable security and user transparency, it again overcomplicates the network configuration, as now you still have to have a group membership to maintain and possibly an AAA system, as well as the proxy configuration so that requests get forwarded to the correct VLAN 20 systems.

5) App security approach

This really depends on what systems you have in VLAN 20.  You could just add user authentication to those systems and let that take care of it, but without knowing what is there it's hard to say if this is possible.

Like I said, these are just thoughts based on what you've mentioned so far.  It's hard to make a good recommendation, though, without knowing a couple of things:
1) What applications are in VLAN 20 that you are trying to secure
2) What application layer security features are available
Basically, do you really need to firewall based on IPs, or can you just allow anyone and then provide application layer authentication instead?
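An added example, not from the thread, of what option 1 above could look like on Cisco IOS: the access switch places users who pass 802.1X against Windows IAS into VLAN 30, and the router lets only VLAN 30 reach VLAN 20, so the decision follows the AD group rather than the station's IP address. The VLAN subnets, RADIUS server address, port range and shared secret are assumed placeholders.

```cisco
! Assumptions (not from the thread): VLAN 30 is 10.30.0.0/24, VLAN 20 is
! 10.20.0.0/24, the IAS/RADIUS server is 192.0.2.10, ports Gi0/1-24 face users.
!
! --- Access switch: 802.1X with RADIUS-assigned VLAN ---
aaa new-model
aaa authentication dot1x default group radius
! "authorization network" is what allows RADIUS to push a VLAN to the port
aaa authorization network default group radius
radius-server host 192.0.2.10 key EXAMPLE-SHARED-SECRET
dot1x system-auth-control
!
vlan 30
 name AUTHENTICATED-USERS
!
interface range GigabitEthernet0/1 - 24
 switchport mode access
 ! VLAN used when a user authenticates but RADIUS sends no VLAN attribute;
 ! a port that has not authenticated passes no user traffic at all
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
!
! On the IAS side, the policy for the allowed AD group returns
!   Tunnel-Type = VLAN, Tunnel-Medium-Type = 802, Tunnel-Private-Group-ID = 30
! so only members of that group land in VLAN 30; everyone else stays in
! VLAN 10 regardless of which station or IP address they sit at.
!
! --- Router/firewall: only VLAN 30 may reach VLAN 20 ---
ip access-list extended TO-VLAN20
 remark authenticated users (VLAN 30) only
 permit ip 10.30.0.0 0.0.0.255 10.20.0.0 0.0.0.255
 deny   ip any any log
!
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
 ! applied outbound toward VLAN 20, so the check does not depend on which
 ! source VLAN the traffic arrived from; note this ACL is stateless, so
 ! replies to sessions that VLAN 20 hosts themselves open would need permitting
 ip access-group TO-VLAN20 out
```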
Just for future reference.  If you're going to give a less than 'A' grade, it would be nice if you reply to the comments if you need further clarification.  Thanks