Tuesday, June 30, 2020

Propagating session information between two firewalls to control access

Suppose I have a simple network like this:

Supplicant - FW1 - Server

Upon authenticating to the network, FW1 uses some magic to apply an ACL to the supplicant's IP, and access to Server is permitted and everything's good in the neighborhood.

Now suppose I need to throw in another firewall for whatever reason, so now we have:

Supplicant - FW1 - FW2 - Server

Provided everyone's talking Cisco and there's ISE or whatever, the authenticator can inject an SGT into the supplicant's frame and I think everything would Just Work.

However, suppose not everyone's talking Cisco. Is there some way to inject SGT tags into a frame (or something equivalent) with RADIUS? Some other vendor-agnostic way to pass session information around for this purpose?

(ORRRRR is this unnecessary and should we just control access using FW1, which is closest to the source of the traffic?)
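One vendor-agnostic option is to forward the NAS's RADIUS accounting to FW2 as well, so FW2 can keep its own IP-to-user (and policy group) table and enforce on it without any SGT in the frame. The block below is an added example, not code from the post: it builds and verifies RFC 2866 Accounting-Request packets and maintains the table FW2 would consult; the Filter-Id attribute is assumed here to stand in for the SGT-style policy group, and the shared secret, user names and addresses are constructed sample values.

```python
import hashlib
import hmac
import struct
ACCOUNTING_REQUEST = 4                     # RFC 2866 packet code
ATTR = {1: "User-Name", 8: "Framed-IP-Address", 11: "Filter-Id",
        40: "Acct-Status-Type", 44: "Acct-Session-Id"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}

def build_accounting_request(ident, user, ip, filter_id, status, session, secret):
    """Build an Accounting-Request with the RFC 2866 Request Authenticator."""
    attrs = [(1, user.encode()), (8, bytes(int(o) for o in ip.split("."))),
             (11, filter_id.encode()), (40, struct.pack("!I", status)),
             (44, session.encode())]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body

def parse_accounting_request(pkt, secret):
    """Verify the authenticator and decode attributes; None if the packet is bad."""
    if len(pkt) < 20 or pkt[0] != ACCOUNTING_REQUEST or len(pkt) != struct.unpack("!H", pkt[2:4])[0]:
        return None
    body = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        return None                        # wrong secret or tampered packet: drop it
    attrs, i = {}, 0
    while i + 2 <= len(body):
        t, l = body[i], body[i + 1]
        if l < 2 or i + l > len(body):
            return None                    # malformed attribute length
        v, name = body[i + 2:i + l], ATTR.get(t)
        if name == "Framed-IP-Address" and len(v) == 4:
            attrs[name] = ".".join(str(b) for b in v)
        elif name == "Acct-Status-Type" and len(v) == 4:
            attrs[name] = STATUS.get(struct.unpack("!I", v)[0], "Unknown")
        elif name:
            attrs[name] = v.decode("utf-8", "replace")
        i += l
    return attrs

def apply_accounting(table, attrs):
    """Update the IP -> (user, policy group) mapping FW2 would enforce on."""
    if not attrs or "Framed-IP-Address" not in attrs:
        return table                       # unverifiable or incomplete record: ignore
    ip, status = attrs["Framed-IP-Address"], attrs.get("Acct-Status-Type")
    if status == "Stop":
        table.pop(ip, None)                # session ended: revoke the mapping
    elif status in ("Start", "Interim-Update"):
        table[ip] = (attrs.get("User-Name"), attrs.get("Filter-Id"))
    return table
```

Accounting records are UDP and unencrypted, so FW2 must check the authenticator with the shared secret and should only accept records from the known NAS addresses; a Stop that never arrives leaves a stale mapping, which is why periodic Interim-Update and an idle timeout belong in any real deployment.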


