- Also covered in CCIE R&S, so I consider this a refresher
- You can map a global port to a specific host with an access-list
- ip port-map http port 21 list 99
- CBAC works for any protocol
- Only supported mode is watch as opposed to tcp intercept
- Limited by two basic line-rating features
- Total half-open session
- one-minute half-open session rate
- High and low limits for both
- TCP has additional parameters
- Connection establishment/inactivity/teardown timers
- per-host limits and block time
- You can specify UDP sessions timeout and DNS timeout separately
- CBAC typically used to protect servers
- CBAC Tuning
- Try to make the hashtable size the same as the number of average concurrent connections
- By default, CBAC generates alerts when it finds inconsistencies in protocol tracking. You should disable alerts globally or per protocol to improve performance.
- Session audit can also be enabled globally or per protocol.
Authentication proxy
- Download per-user ACLs and merge with interface access-group
- To authenticate, a HTTP session is intercepted and authentication is performed by the router
- You have to enable user-level RADIUS/TACACS attributes, then you need to set what attributes are available through the interface configuration in ACS
- Always remember that if you have to create an ACL, it may not always be as specific as it needs to be. For example, if your ACS is on that interface, you need to enable RADIUS/TACACS traffic in that ACL.
- Be sure that your av-pair definition is correct. Debugs only kind of helped here, but I defined auth-proxy:prive-lvl=15 instead of the correct auth-proxy:priv-lvl=15. I was given the error Auth Fail! and the debug were not real clear.
- Is there a list of Cisco AV Pairs on the Cisco site? Namely the cisco-av-pair valid attributes? If anyone knows, I would love the URL!
- The priv-lvl=15 is necessary for all users
- More Information - Authentication Proxy Configuration
No comments:
Post a Comment