Certain network configurations are best kept on the network devices. Many agree, however, that from the network management standpoint, it is extremely beneficial to place as much configuration as possible in a central location. This reduces the time taken to manage equipment and simplifies disaster recovery procedures. In this section, we look at two more aspects of ACS configuration that can both be maintained on ACS.

Address Assignment

Address assignment is a very simple configuration that allows you, the administrator, to control the IP assignment of the users in this group. Beginning with the first option in the IP assignment section of the Group Setup, you can opt to not assign IP addresses. You might also want to allow the dial-in client to specify the IP assignment. In either case, the configuration on your part is minimal. Note that if you choose to assign an IP address from a pool that is configured on the AAA client, ensure that you have configured that pool on the AAA client and reference the name of that pool in ACS. The format for creating this type of pool on a Cisco PIX Firewall is demonstrated in Example 8-1.

Example 8-1. Configuring an IP Pool on a Cisco PIX Firewall

ip local pool bigpool 192.168.1.1-192.168.1.254

In the configuration of ACS, the pool named bigpool would be referenced. This pool can be seen in Figure 8-10. Notice that the name referenced matches the name defined in the pool in Example 8-1.

Figure 8-10. Assignment of IP from AAA Client Pool

While this configuration works well, you must keep in mind that it is not as easy to manage the range of the pool or the pool configuration, because it is actually configured on another device. You must also select Submit + Restart for your changes to take effect. For ease of management, you have the ability to configure the pool value on the ACS itself. For this configuration, you must follow these steps:
Now that the pool has been configured on the ACS server, return to the group configuration to apply this pool to the group. The following steps detail the configuration process in the Group Setup page:
Now, you are all set to assign IP addresses from ACS.

Downloadable IP ACLs

The downloadable IP ACL is a fairly new configuration option in the ACS device. It was specifically designed to work with the PIX Firewalls; however, in ACS 3.2, it works with VPN 3000 series concentrators. In ACS 3.1, you see it in the interface as downloadable PIX ACLs, and in version 3.2, it has been renamed to downloadable IP ACLs. To use the downloadable PIX ACL, you must use the RADIUS protocol in communication between the PIX and ACS and have authorization configured. This allows an ACL to be downloaded to any PIX Firewall in the network. This is more efficient from a network management standpoint. In this manner, you do not need to configure ACLs within the command line of each PIX Firewall. When a user makes an outbound connection attempt and is authenticated and authorized, the ACL is downloaded. You still need to configure an ACL on outside interfaces to allow inbound connectivity through your firewalls. It is sometimes easier to understand if you see it step by step. Figure 8-12 shows a PIX Firewall and downloadable ACLs. This process is broken out into the following steps:
Figure 8-12. Downloadable IP ACLs

Next, explore the actual configuration of an ACL using the network displayed in Figure 8-13.

Figure 8-13. Downloadable IP ACL Examples

Assume that the user at 10.0.7.11 wants to access the HTTP server at 192.168.100.1. If you were to configure an access list on the PIX Firewall itself, it would look something like the following:

access-list inside_out permit tcp host 10.0.7.11 host 192.168.100.1 eq www

You can further enhance this configuration with object grouping; however, object groups cannot be used when defining PIX ACLs in ACS. Therefore, you configure the ACL just as you would in the aforementioned example; however, you don't include the access-list portion of the command, nor does the access list include a name in the configuration. An example of the access list configuration in shared profile components would be as follows:

permit tcp host 10.0.7.11 host 192.168.100.1 eq 80
deny ip any any

This ACL configuration can be seen in Figure 8-14.

Figure 8-14. Configuring the Downloadable IP ACL

This takes care of the configuration on the ACS device. You can see the ACL being selected in the FirstUsers group configuration page in Figure 8-15.

Figure 8-15. Selecting the ACL for a Group

The final step of the configuration is to configure AAA authentication on the PIX Firewall. To configure the PIX Firewall for AAA, perform the following tasks:
A sample configuration of AAA for use with downloadable ACLs is seen in Example 8-2.

Example 8-2. Sample Configuration

pixfirewall(config)#sh aaa
aaa authentication match DOWNLIST inside MYRADIUS
pixfirewall(config)#sh aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server MYRADIUS protocol radius
aaa-server MYRADIUS (inside) host 172.16.1.100 secretkey timeout 10
pixfirewall(config)#sh access-list
pixfirewall(config)#access-list DOWNLIST permit ip any any

Keep in mind here that you do not need to configure authorization for the downloadable PIX ACL. It occurs during the AAA authentication in RADIUS.
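The downloadable ACL entry format described above differs from the PIX command-line syntax only in the dropped access-list keyword and ACL name, the numeric port in place of a service name, and the lack of object-group support. The following Python script, added here as an example and not part of the chapter or of ACS, rewrites a PIX access-list into that entry form and flags lines ACS would not accept; the PIX_ACL sample and the PORT_NAMES table are assumptions.

```python
import re

# Constructed sample input: a PIX access-list as it appears in the PIX
# configuration (the first line is the chapter's inside_out example).
PIX_ACL = """\
access-list inside_out permit tcp host 10.0.7.11 host 192.168.100.1 eq www
access-list inside_out permit tcp host 10.0.7.11 host 192.168.100.1 eq https
access-list inside_out permit tcp host 10.0.7.11 object-group WEBSERVERS eq www
access-list inside_out deny ip any any
"""

# Assumed: standard PIX service-name to port-number mappings, so that the
# entries use numeric ports as in the chapter's ACS example ("eq 80").
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ftp": "21",
              "ssh": "22", "telnet": "23", "smtp": "25", "domain": "53"}

ACE_RE = re.compile(r"access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")


def to_downloadable_acl(pix_acl):
    """Rewrite PIX 'access-list <name> ...' lines into the entry form used in
    an ACS downloadable IP ACL (no 'access-list' keyword, no ACL name, numeric
    ports).  Lines that use object groups, or that are not permit/deny
    entries, are returned in a second list because ACS does not accept them."""
    entries, rejected = [], []
    for raw in pix_acl.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m is None or "object-group" in m.group(3):
            rejected.append(line)
            continue
        body = re.sub(r"\beq\s+([a-z0-9-]+)",
                      lambda pm: "eq " + PORT_NAMES.get(pm.group(1), pm.group(1)),
                      m.group(3))
        entries.append(m.group(2) + " " + body)
    return entries, rejected


if __name__ == "__main__":
    entries, rejected = to_downloadable_acl(PIX_ACL)
    print("Entries for the ACS shared profile component:")
    for e in entries:
        print("  " + e)
    for r in rejected:
        print("Not supported in a downloadable ACL: " + r)
```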