User Group Firewall is a mechanism to authenticate each user and provide access privileges based on the type of user being authenticated. The authentication is done by a RADIUS server. The user initially has limited or no access to the protected network. When the user is authenticated, access privileges are established for the IP address from which the user is accessing the network. The access privileges depend on which user group the user belongs to on the RADIUS server.
Configuration example from 教主:

********************** Task objective ***************************

user1 ----- usergroup1 ----- filter URL ""
user2 ----- usergroup2 ----- filter URL ""

********************** Basic configuration ***************************

enable
config ter
hostname FW
interface FastEthernet0/0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface FastEthernet1/0
 ip address 10.1.1.10 255.255.255.0
 no shut

**********************************************************

%%%%%%%%%%%%%% Basic AAA %%%%%%%%%%%%%%%%%%%%%%%%%

enable
config ter
aaa new-model
aaa authentication login noacs line none
line con 0
 login authentication noacs
line aux 0
 login authentication noacs
line vty 0 15
 login authentication noacs
radius-server host 202.100.1.100 key cisco
radius-server vsa send

Note: test

%%%%%%%%%%%%% auth-proxy section %%%%%%%%%%%%%%%%%%%%%

------------------- Match the user groups ------------------------

identity policy usergroup-policy1
 user-group usergroup1
identity policy usergroup-policy2
 user-group usergroup2

------------------- Match the tag returned by ACS ------------------

class-map type control tag match-all class-usergroup2
 match tag tag-usergroup2
class-map type control tag match-all class-usergroup1
 match tag tag-usergroup1

------------------- Map the tag to the user group -----------------

policy-map type control tag tag.policy
 class type control tag class-usergroup1
  identity policy usergroup-policy1
 class type control tag class-usergroup2
  identity policy usergroup-policy2

-------------------- Enable auth-proxy -------------------

aaa authentication login default group radius
aaa authorization auth-proxy default group radius
ip admission name auth proxy http service-policy type tag tag.policy

-------------------- Apply auth-proxy -------------------

interface FastEthernet1/0
 ip admission auth

-------------------- Enable the HTTP server ---------------------

ip http server
ip http authentication aaa

%%%%%%%%%%%%%%%%%%%% Configure ZBFW %%%%%%%%%%%%%%%%%%%%%%%%%

-------------------- Match regular expressions ---------------------------------

parameter-map type regex user1.regex
 pattern sh/run
parameter-map type regex user2.regex
 pattern sh/ip/inter/brie

-------------------- Match the URI with class-map type http -----------------

class-map type inspect http match-any user1.class
 match request uri regex user1.regex
class-map type inspect http match-any user2.class
 match request uri regex user2.regex

-------------------- Drop the matching URI with policy-map type http -------------

policy-map type inspect http user2.http
 class type inspect http user2.class
  reset
policy-map type inspect http user1.http
 class type inspect http user1.class
  reset

------------------- Match usergroup1 HTTP traffic with class-map type inspect --------

class-map type inspect match-all usergroup1-inspect
 match user-group usergroup1
 match protocol http

------------------- Match usergroup2 HTTP traffic with class-map type inspect --------

class-map type inspect match-all usergroup2-inspect
 match user-group usergroup2
 match protocol http

------------------- Configure the zone-pair policy with policy-map type inspect ------------

policy-map type inspect in-to-out
 class type inspect usergroup1-inspect
  inspect
  service-policy http user1.http
 class type inspect usergroup2-inspect
  inspect
  service-policy http user2.http

------------------- Configure ZBFW ---------------------------------------------------

zone security out
zone security in
interface FastEthernet0/0
 zone-member security out
interface FastEthernet1/0
 zone-member security in
zone-pair security in-to-out source in destination out
 service-policy type inspect in-to-out

****************************** ACS configuration **************************************
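To make the decision chain above concrete, here is an added Python model (not part of the original post and not Cisco code) of how the configuration classifies a flow: source IP to the ACS tag, tag to user-group, then the per-group HTTP policy decides reset or inspect. The host-to-tag table is constructed sample data, since the page does not show the ACS side; everything else mirrors the names in the configuration.

```python
import re

# Constructed sample data: the tag ACS returned for each source IP that
# passed auth-proxy. Placeholder values; the page does not show the ACS side.
AUTHENTICATED_HOSTS = {
    "10.1.1.1": "tag-usergroup1",
    "10.1.1.2": "tag-usergroup2",
}

# policy-map type control tag tag.policy: tag -> identity policy -> user-group
TAG_TO_USERGROUP = {"tag-usergroup1": "usergroup1", "tag-usergroup2": "usergroup2"}

# parameter-map type regex: IOS regexes are unanchored, so re.search is the analogue
URI_REGEX = {
    "user1.regex": re.compile(r"sh/run"),
    "user2.regex": re.compile(r"sh/ip/inter/brie"),
}

# policy-map type inspect in-to-out: user-group -> regexes whose URI match is reset
HTTP_RESET_POLICY = {"usergroup1": ["user1.regex"], "usergroup2": ["user2.regex"]}


def user_group_for(src_ip):
    """Identity lookup: an IP authenticated by auth-proxy carries its tag's user-group."""
    return TAG_TO_USERGROUP.get(AUTHENTICATED_HOSTS.get(src_ip))


def in_to_out_action(src_ip, protocol, uri=""):
    """Verdict for a flow entering on FastEthernet1/0 (zone in) toward zone out."""
    group = user_group_for(src_ip)
    if group is None and protocol == "http":
        # ip admission auth: HTTP from an unauthenticated host is intercepted for login
        return "auth-proxy"
    if group is None or protocol != "http":
        # no usergroupN-inspect class matches -> class-default of the policy, which drops
        return "drop"
    for regex_name in HTTP_RESET_POLICY[group]:
        if URI_REGEX[regex_name].search(uri):
            return "reset"
    return "inspect"


if __name__ == "__main__":
    for flow in [("10.1.1.1", "http", "/level/15/exec/-/sh/run"),
                 ("10.1.1.2", "http", "/level/15/exec/-/sh/run"),
                 ("10.1.1.3", "http", "/index.html"),
                 ("10.1.1.1", "ssh")]:
        print(flow, "->", in_to_out_action(*flow))
```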
Traditional method:
RAC configuration method: