Wouldn’t it be nice to be able to control and audit access to your VPN tunnels using usernames and per-user security policies? Putting the typical tunnel access-list protection in place is great and all, but per-user control is really where it’s at! To that end, Cisco has a nice feature that lets you authenticate, authorize, and account for any user who tries to cross a site-to-site VPN tunnel. Most site-to-site VPNs rely on an access list that determines which IPs and ports can be used across the tunnel. This feature, authentication proxy, lets you additionally limit and audit tunnel access by username and password. One-time password (OTP) tokens are supported too. And yes, you can make authentication exceptions for devices that can't log in, such as printers and servers.
Here’s the nuts and bolts of how it works:
A) A user comes onto the network at a remote VPN site. They bring up a web browser and point it at any web resource reached through the VPN tunnel.
B) The local VPN spoke router intercepts the HTTP request and, instead of forwarding it, presents a VPN tunnel login page. This page is served by the Cisco IOS router itself.
C) The user enters their username and password (or OTP) and clicks OK. The spoke router then verifies the credentials against an AAA server such as Cisco ACS, over RADIUS (TACACS+ is also supported).
D) If the credentials are valid, the user’s authorization profile is retrieved from the AAA server. The profile can be a group profile, a per-user profile, or a combination of the two. It contains access control entries (ACEs) that the router dynamically inserts ahead of the existing inbound ACL on the interface. These ACEs control what this particular user is authorized to do across the tunnel.
E) The source address in each downloaded ACE must be written as "any"; the router replaces it with the authenticating user’s source IP (as seen by the authenticating router) when it installs the entries. This is what makes the rules specific to a particular user at a particular location, and it is why two users behind the same address cannot be told apart by this feature.
F) When the user’s idle timeout (the auth-cache-time) expires, the router automatically removes the dynamic ACEs for that user, and the next HTTP request triggers a fresh login.
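The following Python model, added here as an illustration and not part of the original post or of Cisco's code, walks through steps D, E and F from the router's point of view: it takes the constructed RADIUS Access-Accept for a sample user, checks that each proxyacl entry has a source of "any", rewrites that source to the authenticated host, evaluates the combined dynamic-plus-static ACL, and expires the session after the cache time. The attribute names (auth-proxy:priv-lvl and auth-proxy:proxyacl#n) are the Cisco auth-proxy vendor-specific attribute format; the usernames, addresses and the static ACL contents are assumptions for the example.

```python
"""Model of IOS auth-proxy dynamic ACE handling (added example, not Cisco code)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed RADIUS reply for user "jdoe"; addresses are made up for the example.
SAMPLE_RADIUS_REPLY = [
    "auth-proxy:priv-lvl=15",
    "auth-proxy:proxyacl#1=permit tcp any host 10.10.20.5 eq 80",
    "auth-proxy:proxyacl#2=permit tcp any host 10.10.20.5 eq 443",
    "auth-proxy:proxyacl#3=permit udp any host 10.10.20.9 eq 161",
]

# Static inbound ACL on the spoke's inside interface: DNS only, everything else denied.
STATIC_ACL = ["permit tcp any any eq 53", "permit udp any any eq 53", "deny ip any any"]

# A downloadable ACE must use 'any' as its source (step E); the router fills the host in.
ACE_RE = re.compile(r"^(?P<action>permit|deny)\s+(?P<proto>\w+)\s+any\s+(?P<rest>.+)$")


@dataclass
class Session:
    user: str
    host: ipaddress.IPv4Address
    aces: list          # dynamic entries installed for this host
    idle: int = 0       # minutes since the last packet from the host


def parse_proxy_acl(avpairs):
    """Return the proxyacl entries in numeric order, rejecting malformed profiles."""
    if "auth-proxy:priv-lvl=15" not in avpairs:
        raise ValueError("auth-proxy profile must carry priv-lvl=15")
    entries = []
    for pair in avpairs:
        m = re.match(r"^auth-proxy:proxyacl#(\d+)=(.+)$", pair)
        if not m:
            continue
        idx, ace = int(m.group(1)), m.group(2).strip()
        if not ACE_RE.match(ace):
            raise ValueError(f"proxyacl#{idx} source must be 'any': {ace}")
        entries.append((idx, ace))
    return [ace for _, ace in sorted(entries)]


def install_session(user, host, avpairs):
    """Step D/E: rewrite each downloaded ACE to the authenticated host's address."""
    host = ipaddress.IPv4Address(host)
    aces = []
    for ace in parse_proxy_acl(avpairs):
        m = ACE_RE.match(ace)
        aces.append(f"{m['action']} {m['proto']} host {host} {m['rest']}")
    return Session(user, host, aces)


def interface_acl(static_aces, sessions):
    """Dynamic ACEs are evaluated ahead of the static interface ACL."""
    return [ace for s in sessions for ace in s.aces] + list(static_aces)


def _addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the token list; None means any."""
    if tokens[0] == "any":
        return tokens[1:], None
    if tokens[0] == "host":
        return tokens[2:], ipaddress.IPv4Address(tokens[1])
    raise ValueError(f"unsupported address form: {tokens[0]}")


def ace_matches(ace, proto, src, dst, port):
    """Return True/False for a matching permit/deny, None if the ACE does not match."""
    tok = ace.split()
    action, aproto, tok = tok[0], tok[1], tok[2:]
    tok, asrc = _addr(tok)
    tok, adst = _addr(tok)
    aport = int(tok[1]) if tok[:1] == ["eq"] else None
    if aproto not in ("ip", proto):
        return None
    if asrc is not None and asrc != ipaddress.IPv4Address(src):
        return None
    if adst is not None and adst != ipaddress.IPv4Address(dst):
        return None
    if aport is not None and aport != port:
        return None
    return action == "permit"


def permitted(acl, proto, src, dst, port):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        verdict = ace_matches(ace, proto, src, dst, port)
        if verdict is not None:
            return verdict
    return False


def age_sessions(sessions, minutes, cache_time):
    """Step F: advance idle timers and drop sessions that reached auth-cache-time."""
    for s in sessions:
        s.idle += minutes
    return [s for s in sessions if s.idle < cache_time]


if __name__ == "__main__":
    live = [install_session("jdoe", "192.168.10.25", SAMPLE_RADIUS_REPLY)]
    acl = interface_acl(STATIC_ACL, live)
    print("\n".join(acl))
    print(permitted(acl, "tcp", "192.168.10.25", "10.10.20.5", 80))   # jdoe's host
    print(permitted(acl, "tcp", "192.168.10.26", "10.10.20.5", 80))   # unauthenticated host
    live = age_sessions(live, 3, cache_time=3)                         # idle timeout hit
    print(interface_acl(STATIC_ACL, live) == STATIC_ACL)
```

The `parse_proxy_acl` check mirrors what the router enforces: a profile without `auth-proxy:priv-lvl=15`, or with a proxyacl entry whose source is not "any", is not usable, which is the first thing to look at when `debug ip auth-proxy detailed` shows a successful authentication but no dynamic entries appearing.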
Authentication proxy has been in IOS since 12.2, and the same idea is available on the PIX and ASA platforms as well (there it is called cut-through proxy). I show it here protecting a VPN tunnel, but it can also be used to authenticate anyone who wants to pass through a firewall, whether that is an IOS firewall on a router or a PIX or ASA box.
Users can also authenticate to the router with HTTPS, Telnet or FTP instead of plain HTTP. It works about the same way as outlined above, except that the user runs a Telnet or FTP client instead of a web browser, and the router must be configured with a matching auth-proxy rule for that protocol.
Here are the steps to configure it:
1) First configure AAA on the router:
aaa new-model
! Enable the AAA new model; authentication proxy requires it.
aaa authentication login default group radius
! Authenticate users against the RADIUS server group.
aaa authorization auth-proxy default group radius
! Pull the per-user auth-proxy profile (the dynamic ACEs) from RADIUS.
aaa accounting auth-proxy default start-stop group radius
! Send start/stop accounting records for every auth-proxy session.
radius-server host 192.168.1.110
radius-server key cisco123
! Define the RADIUS server and its shared secret (use a strong secret in production).
2) Next configure HTTP and HTTPS on the router:
ip http server
ip http authentication aaa
! Authenticate HTTP users through AAA rather than the local enable password.
ip http secure-trustpoint netCA
! Points to the trustpoint holding the router certificate issued by your CA.
ip http secure-server
! Turns on HTTPS so credentials are not sent in the clear.
access-list 50 deny any
! ACL 50 denies every host.
ip http access-class 50
! Apply ACL 50 to the HTTP server. This blocks the router's management web pages for everyone; the auth-proxy login page is still served, so the HTTP server is used only for authentication.
3) Now configure auth-proxy globally:
ip auth-proxy auth-proxy-banner
! Show the router banner on the login page.
ip auth-proxy auth-cache-time 3
! Idle timeout in minutes; after 3 idle minutes the user's dynamic ACEs are removed.
ip auth-proxy name authme http
! Define an auth-proxy rule called "authme" that intercepts HTTP.
4) Configure the ACL for the inside interface: allow necessary traffic and deny everything else. This ACL blocks user traffic until they authenticate, so permit only what is absolutely necessary (here DNS, so the browser can resolve the name before the HTTP request is intercepted) and rely on the per-user ACEs downloaded from the AAA server for the rest. Then apply both the ACL and the auth-proxy rule to the interface; without the ip auth-proxy line nothing gets intercepted.
access-list 105 permit tcp any any eq 53
access-list 105 permit udp any any eq 53
access-list 105 deny ip any any
interface ethernet0/0
ip access-group 105 in
ip auth-proxy authme
You’re done! Here are a few show commands to use for monitoring:
show ip auth-proxy cache (shows who is online)
show ip auth-proxy config (shows the auth-proxy configuration settings)
debug ip auth-proxy detailed (turns on debugging)
For additional information see here:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008017b2a4.shtml or just search Cisco.com for auth-proxy and you’ll see several hits.
The opinions and information presented here are my personal views and not those of my employer.
Jamey Heary, CCIE No. 7680, is a security consulting systems engineer at Cisco. He leads its Western Security Asset team and is a field advisor for Cisco's global security virtual team. Jamey is the author of the recently published Cisco NAC Appliance: Enforcing Host Security with Clean Access. His areas of expertise include network and host security design and implementation, security regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and Microsoft MCSE. He is also a Certified HIPAA Security Professional. Jamey has been working in the IT field for 14 years and in IT security for 9 years.