Cisco ASA Identity Firewall

I am currently testing identity firewalling with a Cisco ASA for a new office network infrastructure.

From the configuration side everything is straightforward and easy to set up:

1. Configure AAA LDAP Server

aaa-server addomain.net protocol ldap
aaa-server addomain.net (INSIDE) host 10.1.0.1
    ldap-base-dn DC=addomain,DC=net
    ldap-group-base-dn DC=addomain,DC=net
    ldap-scope subtree
    server-type microsoft
    server-port 389
    ldap-login-dn *username*
    ldap-login-password *password*
    exit

If you use LDAP over SSL you need to enable it and change the server port!

2. Configure Windows Cisco AD Agent

Install the Cisco AD Agent on one of your Windows Servers, but not on the Domain Controller if you also want to use NPS!

adacfg client create -name ASA5515 -ip 10.1.0.250/32 -secret secretpresharedkey
adacfg dc create -name DC01 -host DC01.addomain.net -domain addomain.net -user Administrator -password *password*

2.1 Check Windows AD Agent Configuration

C:\IBF\CLI\adactrl.exe show running
C:\IBF\CLI\adacfg.exe client list
C:\IBF\CLI\adacfg.exe dc list

3. Configure AD Agent on the ASA

aaa-server adagent protocol radius
    ad-agent-mode

aaa-server adagent (INSIDE) host 10.1.0.2
    key secretpresharedkey

user-identity ad-agent aaa-server adagent

4. Configure Identity options on the ASA

user-identity domain ADDOMAIN aaa-server addomain.net
user-identity default-domain ADDOMAIN

5. Example Object and Access List Configuration

object-group user USERNAME
    user ADDOMAIN\user1
    exit

object-group user GROUPNAME
    user-group ADDOMAIN\\IT-ADMINs
    exit

access-list INSIDE-IN extended permit ip user ADDOMAIN\user1 any host 10.1.1.1
access-list INSIDE-IN extended permit ip user-group ADDOMAIN\\ADMINs any host 10.1.1.1
access-list INSIDE-IN extended permit ip object-group-user GROUPNAME any host 20.1.1.1

You can find more information about configuring identity firewalling here: Configuring the Identity Firewall

Cisco Catalyst static CAM table entries

That's maybe not interesting for everybody, but when you use Windows Network Load Balancing in your network you should definitely configure static CAM table entries, otherwise your VLAN will be flooded with multicast traffic. You can create separate VLANs for your Windows NLB instances to isolate the traffic, but that is more of a workaround; static CAM entries are the cleaner design.

The static CAM table entries restrict the multicast traffic to the specific switch ports where your servers are located and keep the rest of the network free of it.

On your router you will have an entry like this:

arp 10.0.0.100 0300.5e11.1111 arpa

A static ARP entry with a multicast MAC address.

Now, to restrict the multicast traffic, you use the following command:

mac-address-table static 0300.5e11.1111 vlan 100 interface gi0/10 gi0/11

This means that the multicast traffic for VLAN 100 will be flooded only out of interfaces Gi0/10 and Gi0/11; all other interfaces will not see it. It is a bit of administrative overhead and you have to plan a little before implementing it, but it gives you a clean traffic flow within your network.
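
Added here as a worked example (it is not part of the original post): a Python check that reads the router ARP entry and the switch static CAM entry from above, confirms they name the same group MAC on the same cluster IP, and also derives the cluster MAC Windows NLB uses for a given cluster IP, which goes a step beyond the post. The 0300.5e11.1111 address, VLAN 100 and ports Gi0/10 and Gi0/11 are the post's values; the NLB MAC scheme (03-BF followed by the four IP octets in multicast mode, 01-00-5E-7F followed by the last two IP octets in IGMP mode) is an assumption of this example taken from NLB's documented behaviour.

```python
import re
from ipaddress import IPv4Address

# Constructed lines mirroring the router and switch entries in the post.
ROUTER_ARP = "arp 10.0.0.100 0300.5e11.1111 arpa"
SWITCH_CAM = "mac-address-table static 0300.5e11.1111 vlan 100 interface gi0/10 gi0/11"

ARP_RE = re.compile(r"^arp\s+(\S+)\s+(\S+)(\s+arpa)?\s*$", re.I)
CAM_RE = re.compile(r"^mac[- ]address-table\s+static\s+(\S+)\s+vlan\s+(\d+)"
                    r"\s+interface\s+(.+?)\s*$", re.I)

def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (0300.5e11.1111), colon or dash notation."""
    digits = re.sub(r"[.:-]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC: {mac}")
    return bytes.fromhex(digits)

def cisco_mac(mac: bytes) -> str:
    return ".".join(mac.hex()[i:i + 4] for i in (0, 4, 8))

def nlb_cluster_mac(cluster_ip: str, mode: str) -> str:
    """Cluster MAC Windows NLB derives from the cluster IP (assumed scheme, see lead-in)."""
    ip = IPv4Address(cluster_ip).packed
    if mode == "multicast":      # 03-BF- followed by the four IP octets
        return cisco_mac(b"\x03\xbf" + ip)
    if mode == "igmp":           # 01-00-5E-7F- followed by the last two IP octets
        return cisco_mac(b"\x01\x00\x5e\x7f" + ip[2:])
    raise ValueError("mode must be 'multicast' or 'igmp'")

def check_nlb_entries(arp_line: str, cam_line: str) -> dict:
    """Cross-check the router ARP entry against the switch static CAM entry."""
    arp, cam = ARP_RE.match(arp_line.strip()), CAM_RE.match(cam_line.strip())
    if not arp or not cam:
        raise ValueError("unrecognised arp / mac-address-table line")
    ip, arp_mac, encap = arp.group(1), parse_mac(arp.group(2)), arp.group(3)
    cam_mac, vlan, ports = parse_mac(cam.group(1)), int(cam.group(2)), cam.group(3).split()
    problems = []
    if arp_mac != cam_mac:
        problems.append("ARP and CAM entries name different MACs")
    if not arp_mac[0] & 0x01:   # group bit clear: this is a unicast MAC
        problems.append("MAC is unicast; a static flood list only makes sense for a group MAC")
    if encap is None:
        problems.append("IOS static arp needs the encapsulation type 'arpa'")
    return {"cluster_ip": ip, "mac": cisco_mac(arp_mac), "vlan": vlan,
            "flood_ports": ports, "problems": problems}

if __name__ == "__main__":
    print(check_nlb_entries(ROUTER_ARP, SWITCH_CAM))
```

An empty `problems` list means the two commands describe the same group MAC and the flood is limited to the listed ports; compare `nlb_cluster_mac` against what the NLB cluster actually reports before copying a MAC into either command.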

If you want to read more about it, have a look here: Catalyst Switches for Microsoft Network Load Balancing Configuration Example