IP Assignment and Downloadable ACLs


Certain network configurations are best kept on the network devices. Many agree, however, that from the network management standpoint, it is extremely beneficial to place as much configuration as possible in a central location. This reduces the time taken to manage equipment and simplifies disaster recovery procedures. In this section, we look at two more aspects of group configuration that can both be maintained centrally on ACS: IP address assignment and downloadable IP ACLs.

Address Assignment

Address assignment is a very simple configuration that allows you, the administrator, to control the IP assignment of the users of this group. Beginning with the first option in the IP assignment section of the Group Setup, you can opt to not assign IP addresses. You might also want to allow the dial-in client to specify the IP assignment. In either case, the configuration on your part is minimal.

Note that if you choose to assign an IP address from a pool that is configured on the AAA client, ensure that you have configured that pool on the AAA client and reference the name of that pool in ACS. The format for creating this type of pool on a Cisco PIX Firewall is demonstrated in Example 8-1.

Example 8-1. Configuring an IP Pool on a Cisco PIX Firewall
 ip local pool bigpool 192.168.1.1-192.168.1.254 

In the configuration of ACS, the pool named bigpool would be referenced. This pool can be seen in Figure 8-10. Notice that the name referenced matches the name defined in the pool in Example 8-1.

Figure 8-10. Assignment of IP from AAA Client Pool


While this configuration works well, you must keep in mind that it is not as easy to manage the range of the pool or pool configuration because it is actually configured on another device. You must also select Submit + Restart for your changes to take effect.

For ease of management, you have the ability to configure the pool value on the ACS itself. For this configuration, you must follow these steps:

Step 1.

Select the System Configuration button in the left frame menu.

Step 2.

In the System Configuration select screen, choose the IP Pools Server link.

NOTE

If this option does not appear in your ACS interface, you need to enable IP Pools in Interface Configuration.

Step 3.

Select the Add Entry button.

Step 4.

In the New Pool screen, enter the information pertaining to your pool. A sample of this configuration is seen in Figure 8-11.

Figure 8-11. Configuring an IP Pool in ACS


Step 5.

Select Submit.

Now that the pool has been configured on the ACS server, return to the group configuration to apply this pool to the group. The following steps detail the configuration process in the Group Setup page:

Step 1.

Select IP Address Assignment in the Jump To at the top of the Group Setup frame.

Step 2.

Select the radio button labeled Assigned from AAA server pool.

Step 3.

From the Available Pools list, select the bigger_pool and choose the right arrow button.

NOTE

This places the bigger_pool in the Selected Pools list on the right. You do have the ability to assign multiple pools, in which case the pool at the top of the list would be the first pool of addresses served to users. You cannot change the order that the pools are used in; it is always top to bottom. However, you can change the order of the pools in the list with the up and down buttons.

Step 4.

Select Submit + Restart for your changes to take effect.

Now, you are all set to assign IP addresses from ACS.
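The ordering rule in the note above (the pool at the top of the Selected Pools list is served first, and a later pool is only used once the earlier ones are exhausted) is easy to get wrong when sizing pools, so here is a small model of it. This Python is an added example, not code from the book or from ACS itself: the pool names bigger_pool and bigpool are the ones used in this section, the small_pool range and the usernames are made up for the demonstration, and the PoolServer class is a stand-in for the ACS allocator, whose internals the book does not describe.

```python
import ipaddress


def parse_range(spec):
    """Expand the 'start-end' form used by the PIX "ip local pool" command
    and by the ACS New Pool screen into a list of dotted-quad strings."""
    start_s, end_s = (p.strip() for p in spec.split("-"))
    start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    if end < start:
        raise ValueError(f"pool end {end} precedes start {start}")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]


class PoolServer:
    """Stand-in for the ACS IP Pools Server: pools are tried in the order
    of the Selected Pools list, top to bottom, and a user keeps the address
    already leased to them."""

    def __init__(self, pools_in_order):
        # pools_in_order: list of (pool name, "start-end") in Selected Pools order
        self.pools = [(name, parse_range(spec)) for name, spec in pools_in_order]
        self.leases = {}  # username -> (pool name, address)

    def assign(self, user):
        """Return (pool name, address) for the user, or None if every pool is full."""
        if user in self.leases:
            return self.leases[user]
        in_use = {addr for _, addr in self.leases.values()}
        for name, addrs in self.pools:          # top of the list first
            for addr in addrs:
                if addr not in in_use:
                    self.leases[user] = (name, addr)
                    return self.leases[user]
        return None

    def release(self, user):
        """Free the user's address so the next assignment can reuse it."""
        self.leases.pop(user, None)


def demo():
    """Constructed run with a deliberately tiny first pool so the spill-over
    into the second pool is visible."""
    srv = PoolServer([
        ("bigger_pool", "192.168.1.1-192.168.1.3"),   # constructed, shortened range
        ("small_pool", "192.168.2.1-192.168.2.2"),    # constructed pool
    ])
    return [(u, srv.assign(u)) for u in ("user1", "user2", "user3", "user4", "user5")]
```

Run demo() and the first three users land in bigger_pool; user4 and user5 are the first to receive addresses from small_pool, which is exactly the behaviour the note describes for multiple selected pools.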

Downloadable IP ACLs

The downloadable IP ACL is a fairly new configuration option in ACS. It was specifically designed to work with the PIX Firewalls; however, in ACS 3.2, it also works with VPN 3000 series concentrators. In ACS 3.1, you see it in the interface as downloadable PIX ACLs, and in version 3.2, it has been renamed to downloadable IP ACLs.

To use the downloadable PIX ACL, you must use the RADIUS protocol in communication between the PIX and ACS and have authorization configured. This allows an ACL to be downloaded to any PIX Firewall in the network, which is more efficient from a network management standpoint because you do not need to configure ACLs within the command line of each PIX Firewall. When a user makes an outbound connection attempt and is authenticated and authorized, the ACL is downloaded. You still need to configure an ACL on outside interfaces to allow inbound connectivity through your firewalls. It is sometimes easier to understand if you see it step by step. Figure 8-12 shows a PIX Firewall and downloadable ACLs. This process is broken out into the following steps:

Step 1.

A request to the Internet server from the AAA user is intercepted by the PIX Firewall.

Step 2.

An authentication request is sent to the AAA server.

Step 3.

An authentication response containing the ACL name and time and date stamp from AAA server is sent back to the PIX Firewall.

Step 4.

The PIX Firewall checks to see if the AAA user's ACL is already present in its configuration and looks at the time and date stamp to ensure the ACL, if already present, is current.

Step 5.

If the PIX Firewall does not find the ACL present, it requests the ACL from the AAA server.

Step 6.

The AAA server sends the ACL to the PIX Firewall.

Step 7.

The request from the AAA user to the Internet server matches a permit in the ACL, and the request is forwarded to the Internet server.

Figure 8-12. Downloadable IP ACLs
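The part of this exchange that is easy to overlook is step 4: the Access-Accept carries only the ACL name and its time and date stamp, and the PIX fetches the full ACL only when it has no copy or its copy is stale. The following Python is an added simulation of steps 2 through 6, not code from the book, from ACS or from the PIX: the two classes are stand-ins for the two devices, the message dictionaries approximate the RADIUS attributes and are not the real wire format, and the username, password, ACL name and time stamps are constructed for the demonstration. The packet match in step 7 is not modelled.

```python
class AaaServer:
    """ACS side: user records pointing at their group's ACL, plus the ACL
    bodies, each stored with the time/date stamp of its last change."""

    def __init__(self):
        self.users = {}          # username -> (password, acl name)
        self.acls = {}           # acl name -> (stamp, list of entries)
        self.acl_downloads = 0   # how many times a full ACL body was sent

    def define_acl(self, name, stamp, entries):
        self.acls[name] = (stamp, list(entries))

    def add_user(self, user, password, acl_name):
        self.users[user] = (password, acl_name)

    def authenticate(self, user, password):
        # Step 3: the accept carries the ACL name and stamp, not the body.
        rec = self.users.get(user)
        if rec is None or rec[0] != password:
            return {"code": "Access-Reject"}
        acl_name = rec[1]
        return {"code": "Access-Accept", "acl_name": acl_name,
                "acl_stamp": self.acls[acl_name][0]}

    def fetch_acl(self, name):
        # Step 6: the body is sent only when the PIX asks for it.
        self.acl_downloads += 1
        return self.acls[name]


class PixFirewall:
    """PIX side: keeps downloaded ACLs by name together with their stamp."""

    def __init__(self, aaa):
        self.aaa = aaa
        self.acl_cache = {}  # acl name -> (stamp, entries)

    def outbound_request(self, user, password):
        """Return (what happened to the ACL, entries now in force for the user)."""
        resp = self.aaa.authenticate(user, password)        # step 2
        if resp["code"] != "Access-Accept":
            return ("rejected", [])
        name, stamp = resp["acl_name"], resp["acl_stamp"]
        cached = self.acl_cache.get(name)                   # step 4
        if cached is None:
            status = "downloaded"                           # step 5: not present
        elif cached[0] != stamp:
            status = "refreshed"                            # step 5: present but stale
        else:
            return ("cached", cached[1])                    # current copy reused
        self.acl_cache[name] = self.aaa.fetch_acl(name)     # step 6
        return (status, self.acl_cache[name][1])


def demo():
    """Constructed run: first request downloads, second reuses the copy,
    an edit on ACS (new stamp) forces a refresh on the third."""
    acs = AaaServer()
    acs.define_acl("FirstUsers_acl", "2004-01-01 10:00",       # constructed name/stamp
                   ["permit tcp host 10.0.7.11 host 192.168.100.1 eq 80",
                    "deny ip any any"])
    acs.add_user("user1", "pw-constructed", "FirstUsers_acl")
    pix = PixFirewall(acs)
    first = pix.outbound_request("user1", "pw-constructed")[0]
    second = pix.outbound_request("user1", "pw-constructed")[0]
    acs.define_acl("FirstUsers_acl", "2004-01-02 09:30", ["deny ip any any"])
    third = pix.outbound_request("user1", "pw-constructed")[0]
    return first, second, third, acs.acl_downloads
```

demo() returns ("downloaded", "cached", "refreshed", 2): two ACL bodies crossed the network for three authentications, and the stale copy was replaced without any change on the PIX, which is the management benefit the section describes.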


Next, explore the actual configuration of an ACL using the network displayed in Figure 8-13.

Figure 8-13. Downloadable IP ACL Examples


Assume that the user at 10.0.7.11 wants to access the HTTP server at 192.168.100.1. If you were to configure an access list on the PIX Firewall itself, it would look something like the following:

 access-list inside_out permit tcp host 10.0.7.11 host 192.168.100.1 eq www 

You can further enhance this configuration with object grouping; however, object groups cannot be used when defining PIX ACLs in ACS. Therefore, you configure the ACL just as you would in the aforementioned example, except that you omit the access-list keyword and the ACL name: each line begins directly with permit or deny. An example of the access list configuration in shared profile components would be as follows:

permit tcp host 10.0.7.11 host 192.168.100.1 eq 80
deny ip any any

This ACL configuration can be seen in Figure 8-14.

Figure 8-14. Configuring the Downloadable IP ACL
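Because the ACS format is the PIX format with the access-list keyword and name stripped, an existing PIX ACL can be converted mechanically, and the conversion is a good place to enforce the two constraints above (no object groups, and the explicit trailing deny that the example includes). The following Python is an added example, not code from the book or from ACS; the pix_to_acs_acl function is hypothetical, and its normalisation of eq www to eq 80 simply mirrors the two forms used in this section.

```python
import re


def pix_to_acs_acl(pix_lines, ensure_final_deny=True):
    """Turn PIX 'access-list NAME permit|deny ...' lines into the entry
    format used in the ACS downloadable IP ACL shared profile component:
    drop the access-list keyword and ACL name, reject object-group
    references, normalise 'eq www' to 'eq 80', and make sure the list
    ends with an explicit 'deny ip any any'."""
    acs_lines = []
    names = set()
    for raw in pix_lines:
        line = " ".join(raw.split())          # collapse stray whitespace
        if not line:
            continue
        m = re.match(r"access-list (\S+) (permit|deny) (.*)$", line)
        if not m:
            raise ValueError(f"not an access-list entry: {raw!r}")
        name, action, rest = m.groups()
        names.add(name)
        if "object-group" in rest.split():
            raise ValueError(f"object groups are not supported in ACS ACLs: {raw!r}")
        rest = re.sub(r"\beq www\b", "eq 80", rest)
        acs_lines.append(f"{action} {rest}")
    if len(names) > 1:
        raise ValueError(f"entries from more than one ACL: {sorted(names)}")
    if ensure_final_deny and (not acs_lines or acs_lines[-1] != "deny ip any any"):
        acs_lines.append("deny ip any any")
    return acs_lines


def demo():
    """Constructed input: the section's own inside_out entry."""
    return pix_to_acs_acl([
        "access-list inside_out permit tcp host 10.0.7.11 host 192.168.100.1 eq www",
    ])
```

demo() returns the two lines shown in the shared profile component above. Feeding the function an entry that references an object group raises ValueError rather than silently producing an ACL that ACS would not accept.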


This takes care of the configuration on the ACS device. You can see the ACL being selected in the FirstUsers group configuration page in Figure 8-15.

Figure 8-15. Selecting the ACL for a Group


The final step of the configuration is to configure AAA authentication on the PIX Firewall. To configure the PIX Firewall for AAA, perform the following tasks:

Step 1.

Define the AAA server group and protocol.

NOTE

You must use RADIUS for downloadable ACLs.

Step 2.

Define the AAA server IP address and secret key.

Step 3.

Configure AAA authentication outbound.

A sample configuration of AAA for use with downloadable ACLs is seen in Example 8-2.

Example 8-2. Sample Configuration
pixfirewall(config)#sh aaa
aaa authentication match DOWNLIST inside MYRADIUS
pixfirewall(config)#sh aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (inside) host 172.16.1.100 secretkey timeout 10
pixfirewall(config)#sh access-list
pixfirewall(config)#access-list DOWNLIST permit ip any any

Keep in mind here that you do not need to configure authorization for the Downloadable PIX ACL. It occurs during the AAA authentication in RADIUS.
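The three tasks above map onto three kinds of lines in Example 8-2, and the mistake that silently breaks downloadable ACLs is pointing aaa authentication match at a server group that is not RADIUS. The following Python is an added check over a running-config excerpt, not code from the book or from Cisco: SAMPLE_CONFIG is a constructed copy of Example 8-2 with the prompts and show commands removed, and check_downloadable_acl_prereqs is a hypothetical function that reports the prerequisites this section names (RADIUS server group, a host in that group, and a defined match ACL).

```python
import re

# Constructed from Example 8-2: the lines as they would appear in a running
# configuration, with the pixfirewall(config)# prompts and "sh" commands removed.
SAMPLE_CONFIG = """
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (inside) host 172.16.1.100 secretkey timeout 10
access-list DOWNLIST permit ip any any
aaa authentication match DOWNLIST inside MYRADIUS
"""


def check_downloadable_acl_prereqs(config_text):
    """Return a list of findings (empty when everything checks out) for the
    conditions downloadable ACLs depend on: every 'aaa authentication match'
    statement must reference a defined ACL and a server group that uses the
    RADIUS protocol and has at least one host."""
    protocols, hosts, acls, matches = {}, {}, set(), []
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            protocols[m.group(1)] = m.group(2)                      # task 1
        elif m := re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)", line):
            hosts.setdefault(m.group(1), []).append(m.group(3))     # task 2
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m.group(1))
        elif m := re.match(r"aaa authentication match (\S+) (\S+) (\S+)$", line):
            matches.append(m.groups())                              # task 3
    findings = []
    if not matches:
        findings.append("no 'aaa authentication match' statement found")
    for acl, iface, group in matches:
        if acl not in acls:
            findings.append(f"match ACL {acl} on {iface} is not defined")
        proto = protocols.get(group)
        if proto is None:
            findings.append(f"server group {group} is not defined")
        elif proto != "radius":
            findings.append(f"server group {group} uses {proto}; downloadable ACLs require RADIUS")
        if not hosts.get(group):
            findings.append(f"server group {group} has no host configured")
    return findings


def demo():
    """Constructed comparison: the page's configuration versus the same
    configuration with the match statement pointed at the TACACS+ group."""
    broken = SAMPLE_CONFIG.replace("inside MYRADIUS", "inside TACACS+")
    return check_downloadable_acl_prereqs(SAMPLE_CONFIG), check_downloadable_acl_prereqs(broken)
```

demo() returns an empty list for Example 8-2 and two findings for the variant: the TACACS+ group uses the wrong protocol and has no host, either of which means the ACL named in the Access-Accept will never be downloaded.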


Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173