Thursday, March 20, 2014

Guest network with authentication on a Cisco ASA 5505

In case you need to set up an isolated network gut guest access on an ASA, here is a quick guide how to do that. The goal is to have HTTP authentication on the ASA itself before any network traffic is allowed and to isolate the guest-network from any other networks.

First we create a new VLAN. In this example it'll be vlan 42. The new guest-network will be, with the ASA being
interface Vlan 42
 description my guest network

 nameif guest-network
 security-level 0
 ip address
mtu guest-network 1500
 Add it to a trunk interface of your choosing. Let's assume Ethernet0/2.
interface Ethernet0/2
 switchport trunk allowed vlan x,y,z,42
 switchport trunk native vlan x
 switchport mode trunk
Let's configure a DHCP server, too.

dhcpd address guest-network
dhcpd dns interface guest-network
dhcpd enable guest-network

So much for the basic setup.
Of course we want to NAT traffic from the guest-network on the outside interface. On any standard setup you'll have a global pool in place already.
nat (guest-network) 1
To actually allow traffic across interfaces with the same security level you also have to specify this.
same-security-traffic permit inter-interface

Because the ASA injects its own authentication into HTTP(S) requests, we want the client to be able to use DNS without authentication. Then when HTTP is used the authentication form will pop up.
First, let's create a new local user on the ASA called guest-network.
username guest-network password 12345678 privilege 1
username guest-network attributes
 service-type remote-access
Of course you are not limited to local users. You could use any AAA mechanism that's supported. For simplicity's sake let's stick to a single local user account here.

Next let's set up the authentication rules.
aaa authentication match guest-network_authentication guest-network LOCAL

access-list guest-network_authentication extended deny udp any any eq domain
access-list guest-network_authentication extended permit ip any any

The ACL might seem backward, because it denies DNS and permits everything else. What it does is actually deny authentication for DNS, meaning access without authentication is granted.

The only thing left is to adjust the authentication timeout. The default timeout is 5 minutes. Unless you want whoever is on the guest-network tu re-authenticate every 5 minutes, adjust it like this:

tiemout uauth 3:00:00 absolute
The uauth timeout cannot be greater than the xlate timeout, which defaults to 3 hours. If that's not enough you have to increase the xlate timeout. Make sure you understand the implications of this parameter before changing!

Admittedly, firmware v8.2 is not current, but the steps should work on 9.1 just as well. Keep in mind that the ACL syntax has changed in 8.3.

No comments: