User Group Firewall is a mechanism that authenticates each user and grants access privileges according to the group that user belongs to. Authentication is performed by a RADIUS server. Initially the user has limited or no access to the protected network; once the user is authenticated, access privileges are applied to the IP address the user is connecting from, and which privileges apply depends on the user group the RADIUS server reports for that user.

The instructor's configuration example, step by step:

**********************Lab objective***************************

user1-----usergroup1-----filter the URL "http://202.100.1.1/level/15/exec/-/sh/run/CR"
user2-----usergroup2-----filter the URL "http://202.100.1.1/level/15/exec/-/sh/ip/inter/brie/CR"

**********************Basic configuration***************************

enable
config ter
hostname FW
interface FastEthernet0/0
ip address 202.100.1.10 255.255.255.0
no shut
interface FastEthernet1/0
ip address 10.1.1.10 255.255.255.0
no shut

**********************************************************
%%%%%%%%%%%%%%Basic AAA%%%%%%%%%%%%%%%%%%%%%%%%%
enable
config ter
aaa new
aaa authentication login noacs line none
line con 0
login authentication noacs
line aux 0
login authentication noacs
line vty 0 15
login authentication noacs
radius-server host 202.100.1.100 key cisco
radius-server vsa send
Note: test
%%%%%%%%%%%%%auth-proxy section%%%%%%%%%%%%%%%%%%%%%
-------------------Match the user group------------------------
identity policy usergroup-policy1
user-group usergroup1
identity policy usergroup-policy2
user-group usergroup2
-------------------Match the tag returned by ACS------------------
class-map type control tag match-all class-usergroup2
match tag tag-usergroup2
class-map type control tag match-all class-usergroup1
match tag tag-usergroup1
-------------------Map the tag to a user group-----------------
policy-map type control tag tag.policy
class type control tag class-usergroup1
identity policy usergroup-policy1
class type control tag class-usergroup2
identity policy usergroup-policy2
--------------------Enable auth-proxy-------------------
aaa authentication login default group radius
aaa authorization auth-proxy default group radius
ip admission name auth proxy http service-policy type tag tag.policy
--------------------Apply auth-proxy to the interface-------------------
interface FastEthernet1/0
ip admission auth
--------------------Enable the HTTP server---------------------
ip http server
ip http authentication aaa
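
The page relies on the ACS returning a Cisco vendor-specific attribute (hence "radius-server vsa send" and "key cisco" above) that the tag class-maps then match, but it does not show the exchange on the wire. The following is an added example, not the instructor's configuration or ACS output: it builds an Access-Request, answers it with an Access-Accept carrying a cisco-avpair VSA, and performs the check a NAS does before it trusts that answer, namely recomputing the Response Authenticator with the shared secret. The attribute text "tag=tag-usergroup1" and the username are assumptions for illustration; the exact attribute the ACS returns for the tag is not shown on the page.

```python
import hashlib
import hmac
import os
import struct

# Shared secret from "radius-server host 202.100.1.100 key cisco" on the page.
SHARED_SECRET = b"cisco"

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9          # IANA enterprise number for Cisco
CISCO_AVPAIR = 1             # vendor-type of the cisco-avpair VSA


def attribute(attr_type, value):
    """Encode one RADIUS TLV: type (1 byte), length incl. header (1 byte), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def cisco_avpair(text):
    """Wrap "name=value" text in a Cisco vendor-specific attribute (RFC 2865 s5.26)."""
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text
    return attribute(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv)


def build_access_request(ident, username, authenticator=None):
    """Minimal Access-Request; the 16-byte Request Authenticator is random."""
    authenticator = authenticator or os.urandom(16)
    body = attribute(ATTR_USER_NAME, username)
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(body))
    return header + authenticator + body, authenticator


def build_access_accept(ident, request_authenticator, attrs, secret=SHARED_SECRET):
    """Access-Accept whose Response Authenticator binds the request and the secret."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(body))
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def verify_response(packet, request_authenticator, secret=SHARED_SECRET):
    """NAS-side check: recompute MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Yield (type, value) pairs; refuse lengths that run past the packet."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        yield attr_type, packet[pos + 2:pos + length]
        pos += length


def cisco_avpairs(packet):
    """Return the cisco-avpair strings carried in the packet's Cisco VSAs."""
    pairs = []
    for attr_type, value in parse_attributes(packet):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        pos = 4
        while pos + 2 <= len(value):
            vendor_type, length = value[pos], value[pos + 1]
            if length < 2 or pos + length > len(value):
                break
            if vendor_type == CISCO_AVPAIR:
                pairs.append(value[pos + 2:pos + length].decode("ascii"))
            pos += length
    return pairs


def exchange(username, tag_text, server_secret=SHARED_SECRET):
    """Simulate NAS -> ACS -> NAS and return what the NAS would act on."""
    request, request_auth = build_access_request(7, username)
    accept = build_access_accept(7, request_auth, [cisco_avpair(tag_text)], server_secret)
    trusted = verify_response(accept, request_auth)
    return {"authenticated": trusted, "avpairs": cisco_avpairs(accept) if trusted else []}


if __name__ == "__main__":
    # "tag=tag-usergroup1" is an assumed value; the page does not show the ACS attribute.
    print(exchange(b"user1", b"tag=tag-usergroup1"))
    print(exchange(b"user1", b"tag=tag-usergroup1", server_secret=b"wrong"))
```

The second call shows the failure mode a mismatched "key" produces: the Access-Accept is well formed and carries the tag, but the Response Authenticator does not verify, so the NAS must discard it and the user stays unauthenticated. A NAS that skipped that check would accept any spoofed Access-Accept sent to its RADIUS port.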

%%%%%%%%%%%%%%%%%%%%Configure ZBFW%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------Match the regular expressions---------------------------------
parameter-map type regex user1.regex
pattern sh/run
parameter-map type regex user2.regex
pattern sh/ip/inter/brie

--------------------Match the URI with class-map type inspect http-----------------
class-map type inspect http match-any user1.class
match request uri regex user1.regex
class-map type inspect http match-any user2.class
match request uri regex user2.regex

--------------------Reset the matching URIs with policy-map type inspect http-------------
policy-map type inspect http user2.http
class type inspect http user2.class
reset
policy-map type inspect http user1.http
class type inspect http user1.class
reset

-------------------Match usergroup1's HTTP traffic with class-map type inspect--------
class-map type inspect match-all usergroup1-inspect
match user-group usergroup1
match protocol http

-------------------Match usergroup2's HTTP traffic with class-map type inspect--------
class-map type inspect match-all usergroup2-inspect
match user-group usergroup2
match protocol http

-------------------Configure the zone-pair policy with policy-map type inspect------------
policy-map type inspect in-to-out
class type inspect usergroup1-inspect
inspect
service-policy http user1.http
class type inspect usergroup2-inspect
inspect
service-policy http user2.http

-------------------Configure the zones and zone-pair---------------------------------------------------
zone security out
zone security in

interface FastEthernet0/0
zone-member security out

interface FastEthernet1/0
zone-member security in

zone-pair security in-to-out source in destination out
service-policy type inspect in-to-out
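
The ZBFW policy above is a three-level decision: the zone-pair class picks the user group, the nested HTTP policy applies that group's "match-any" URI class, and a hit resets the connection while everything else is inspected. As an added example (not part of the instructor's configuration), the evaluator below models that decision for constructed HTTP requests using the page's two regex patterns and the lab's target URLs. Two behaviours are worth noticing: the patterns are unanchored substrings, so "sh/run" matches any request-target containing it, and a percent-encoded slash ("sh%2Frun") does not match the raw request-target. Whether IOS decodes the URI before applying a "match request uri regex" is not stated on the page, so decoding is exposed as an option here rather than assumed; the "drop" result for an unknown group reflects the zone-pair's class-default.

```python
import re
from urllib.parse import unquote

# Mirrors the two "parameter-map type regex" entries and the
# "match user-group" classes on the page (constructed for this example).
GROUP_URI_REGEX = {
    "usergroup1": [re.compile(r"sh/run")],
    "usergroup2": [re.compile(r"sh/ip/inter/brie")],
}


def request_uri(raw_request):
    """Pull the request-target out of the HTTP request line (method SP target SP version)."""
    request_line = raw_request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("not an HTTP request line: %r" % request_line)
    return parts[1].decode("ascii", errors="replace")


def evaluate(user_group, raw_request, decode_percent=False):
    """Return the action the in-to-out policy would take on this request.

    - no zone-pair class matches the user group -> class-default (drop)
    - the group's "match-any" http class matches the URI -> reset
    - otherwise the HTTP inspect action applies -> inspect (pass through)
    """
    patterns = GROUP_URI_REGEX.get(user_group)
    if patterns is None:
        return "drop"
    uri = request_uri(raw_request)
    if decode_percent:
        uri = unquote(uri)
    if any(p.search(uri) for p in patterns):
        return "reset"
    return "inspect"


# Constructed sample requests; the first two paths are the lab's target URLs.
REQ_SHOW_RUN = b"GET /level/15/exec/-/sh/run/CR HTTP/1.1\r\nHost: 202.100.1.1\r\n\r\n"
REQ_SHOW_BRIEF = b"GET /level/15/exec/-/sh/ip/inter/brie/CR HTTP/1.1\r\nHost: 202.100.1.1\r\n\r\n"
# Same command with the slash percent-encoded: the unanchored regex "sh/run" no longer
# matches the raw request-target unless the evaluator decodes it first.
REQ_SHOW_RUN_ENCODED = b"GET /level/15/exec/-/sh%2Frun/CR HTTP/1.1\r\nHost: 202.100.1.1\r\n\r\n"


def matrix(decode_percent=False):
    """Action for every (group, request) pair, as the lab objective describes."""
    cases = {"show run": REQ_SHOW_RUN, "show ip int brief": REQ_SHOW_BRIEF,
             "show run (encoded)": REQ_SHOW_RUN_ENCODED}
    return {group: {name: evaluate(group, req, decode_percent) for name, req in cases.items()}
            for group in ("usergroup1", "usergroup2", "nogroup")}


if __name__ == "__main__":
    for group, actions in matrix().items():
        print(group, actions)
```

Running it reproduces the objective: user1 (usergroup1) is reset only on the "sh/run" URL and user2 (usergroup2) only on the "sh/ip/inter/brie" URL, and each can still reach the other's URL. The encoded variant is the check to make on the real box before relying on a substring regex as an access control.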

******************************ACS configuration**************************************

Traditional method:

RAC configuration method: