Cisco ISE ACL Converter

Update 02/11/2015: an update was released (version 1.0.2).
It improves the WLC FlexConnect ACL generation.
 
Update 26/10/2014: an update was released (version 1.0.1).
A bug was detected in the WLC ACL generator: the protocol emitted for "IP" lines is wrong.
config acl rule protocol ACL_CaptivePortal_REDIRECT 6 0
Becomes:
config acl rule protocol ACL_CaptivePortal_REDIRECT 6 any
 

 
If you don't speak French, an English translation is available below!

French version

Hello everyone,

It has been a while since I last wrote a post on this blog! I have been rather busy lately (buying an apartment that needs a complete renovation, work, etc.). Anyway!

For some time now I have been deploying the Cisco ISE solution for several clients. It is a very advanced NAC solution, so the content of this post is aimed specifically at security engineers who use it.

ISE relies heavily on ACLs for its various mechanisms (captive portal, BYOD, posture assessment, ...). However, ACLs are not written the same way on a WLC controller and on a Catalyst switch. What is more, on a WLC the ACLs have to be built in the GUI, which quickly becomes unmanageable!

So I developed a tool to work around this. It is called "ACL_Converter" and converts a flow matrix in CSV format into a set of commands that can be copied and pasted onto a WLC controller or a Catalyst switch.

It supports:

  • Writing ACLs in Catalyst format
  • Writing ACLs in WLC format
  • Writing ACLs in WLC FlexConnect format

It also has a few extra functions:

  • "redirect", which writes the ACLs in "redirect ACL" form
  • "lazy" mode, which writes the commands that delete the ACLs before creating them. Handy when testing!

Below is the help output:

Usage: acl_converter_1.0.0.exe -in <file.csv> -format <xxx> [-aclname <ACL name>
] [-out <file.txt>] [-redirect] [-lazy]
       acl_converter_1.0.0.exe -generatecsv <file>
       acl_converter_1.0.0.exe -checkupdate

 -in <file.csv>         Input file, in CSV (Excel format, with ";" as a column
                        separator).
 -format                Select the ACL format. Supported formats are "wlc",
                        "wlcflex" and "switch".
 -aclname <ACL name>    Define the name of the ACL. If ommited, the name of the
                        input file will be used.
 -out <file.txt>        Output file, in text format. If ommited, the standard
                        output will be used (and also can be used with standard
                        output redirect).
 -redirect              Consider that the flow matrix will be used for web
                        redirection (captive portal). In the flow matrix,
                        permit means "traffic not redirected". Deny means
                        "traffic redirected". The generated ACL will be written
                        according to Catalyst Switches or WLC specifications.
 -lazy                  Prepend the ACL creation with a messy deletion process.
 -generatecsv <file>    Generate an empty CSV template (Excel Format).
 -checkupdate           Check if an update is available.

Example

Here is the CSV "ACL_CaptivePortal_REDIRECT.csv" (it is an ACL that redirects users to the ISE captive portal). I deliberately added a rule permitting traffic destined for 10.0.0.0/8.

src_ip src_mask dst_ip dst_mask proto dst_port_start dst_port_end action
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 udp 53 53 Permit
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 udp 67 67 Permit
0.0.0.0 0.0.0.0 172.20.42.11 255.255.255.255 tcp 8443 8443 Permit
0.0.0.0 0.0.0.0 172.20.42.12 255.255.255.255 tcp 8443 8443 Permit
0.0.0.0 0.0.0.0 10.0.0.0 255.0.0.0 ip 0 65535 Permit
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ip 0 65535 Deny

Once converted with the command acl_converter_1.0.0.exe -in ACL_CaptivePortal_REDIRECT.csv -out ACL_CaptivePortal_REDIRECT.txt -format switch -redirect, we get:

ip access-list extended ACL_CaptivePortal_REDIRECT
 deny udp any any eq 53
 deny udp any any eq 67
 deny tcp any host 172.20.42.11 eq 8443
 deny tcp any host 172.20.42.12 eq 8443
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
As a reminder, in a Catalyst redirect ACL, deny = do not redirect and permit = redirect.

In WLC format, we get:

config acl create ACL_CaptivePortal_REDIRECT
config acl rule add ACL_CaptivePortal_REDIRECT 1
config acl rule direction ACL_CaptivePortal_REDIRECT 1 Out
config acl rule protocol ACL_CaptivePortal_REDIRECT 1 any
config acl rule source address ACL_CaptivePortal_REDIRECT 1 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 1 0.0.0.0 0.0.0.0
config acl rule action ACL_CaptivePortal_REDIRECT 1 permit
config acl rule add ACL_CaptivePortal_REDIRECT 2
config acl rule direction ACL_CaptivePortal_REDIRECT 2 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 2 17
config acl rule source address ACL_CaptivePortal_REDIRECT 2 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 2 0.0.0.0 0.0.0.0
config acl rule source port range ACL_CaptivePortal_REDIRECT 2 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 2 53 53
config acl rule action ACL_CaptivePortal_REDIRECT 2 permit
config acl rule add ACL_CaptivePortal_REDIRECT 3
config acl rule direction ACL_CaptivePortal_REDIRECT 3 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 3 17
config acl rule source address ACL_CaptivePortal_REDIRECT 3 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 3 0.0.0.0 0.0.0.0
config acl rule source port range ACL_CaptivePortal_REDIRECT 3 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 3 67 67
config acl rule action ACL_CaptivePortal_REDIRECT 3 permit
config acl rule add ACL_CaptivePortal_REDIRECT 4
config acl rule direction ACL_CaptivePortal_REDIRECT 4 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 4 6
config acl rule source address ACL_CaptivePortal_REDIRECT 4 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 4 172.20.42.11 255.255.255.255
config acl rule source port range ACL_CaptivePortal_REDIRECT 4 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 4 8443 8443
config acl rule action ACL_CaptivePortal_REDIRECT 4 permit
config acl rule add ACL_CaptivePortal_REDIRECT 5
config acl rule direction ACL_CaptivePortal_REDIRECT 5 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 5 6
config acl rule source address ACL_CaptivePortal_REDIRECT 5 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 5 172.20.42.12 255.255.255.255
config acl rule source port range ACL_CaptivePortal_REDIRECT 5 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 5 8443 8443
config acl rule action ACL_CaptivePortal_REDIRECT 5 permit
config acl rule add ACL_CaptivePortal_REDIRECT 6
config acl rule direction ACL_CaptivePortal_REDIRECT 6 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 6 0
config acl rule source address ACL_CaptivePortal_REDIRECT 6 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 6 10.0.0.0 255.0.0.0
config acl rule action ACL_CaptivePortal_REDIRECT 6 permit
config acl rule add ACL_CaptivePortal_REDIRECT 7
config acl rule direction ACL_CaptivePortal_REDIRECT 7 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 7 0
config acl rule source address ACL_CaptivePortal_REDIRECT 7 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 7 0.0.0.0 0.0.0.0
config acl rule action ACL_CaptivePortal_REDIRECT 7 deny
config acl apply ACL_CaptivePortal_REDIRECT

Download

If you are interested in this tool, you can download it here! (version 1.0.2 – 02/11/2015)

English version:

Hello everyone,

I have been deploying the Cisco ISE solution for several clients for a while now. It is a very advanced NAC solution, so the content of this post is aimed specifically at security engineers who use it.

ISE relies heavily on ACLs for its various mechanisms (captive portal, BYOD, posture assessment, ...). However, ACLs are not written the same way on a WLC controller and on a Catalyst switch. Moreover, on a WLC the ACLs have to be built in the GUI, which quickly becomes unmanageable!

So I developed a tool to overcome this. It is called "ACL_Converter" and converts a CSV flow matrix into a set of commands that can be copied and pasted onto a WLC controller or a Catalyst switch.

It supports:

  • Writing ACLs in Catalyst format
  • Writing ACLs in WLC format
  • Writing ACLs in WLC FlexConnect format

It also has a few extra features:

  • "redirect", which writes the ACLs in "redirect ACL" form
  • "lazy" mode, which writes the commands that delete the ACLs before creating them. Handy when testing!

The help output is shown below:

Usage: acl_converter_1.0.0.exe -in <file.csv> -format <xxx> [-aclname <ACL name>
] [-out <file.txt>] [-redirect] [-lazy]
       acl_converter_1.0.0.exe -generatecsv <file>
       acl_converter_1.0.0.exe -checkupdate

 -in <file.csv>         Input file, in CSV (Excel format, with ";" as a column
                        separator).
 -format                Select the ACL format. Supported formats are "wlc",
                        "wlcflex" and "switch".
 -aclname <ACL name>    Define the name of the ACL. If ommited, the name of the
                        input file will be used.
 -out <file.txt>        Output file, in text format. If ommited, the standard
                        output will be used (and also can be used with standard
                        output redirect).
 -redirect              Consider that the flow matrix will be used for web
                        redirection (captive portal). In the flow matrix,
                        permit means "traffic not redirected". Deny means
                        "traffic redirected". The generated ACL will be written
                        according to Catalyst Switches or WLC specifications.
 -lazy                  Prepend the ACL creation with a messy deletion process.
 -generatecsv <file>    Generate an empty CSV template (Excel Format).
 -checkupdate           Check if an update is available.

Example

Here is the CSV "ACL_CaptivePortal_REDIRECT.csv" (it is a redirect ACL for the captive portal). For the example, I added a line that does not redirect traffic destined for the 10.0.0.0/8 subnet.

src_ip src_mask dst_ip dst_mask proto dst_port_start dst_port_end action
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 udp 53 53 Permit
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 udp 67 67 Permit
0.0.0.0 0.0.0.0 172.20.42.11 255.255.255.255 tcp 8443 8443 Permit
0.0.0.0 0.0.0.0 172.20.42.12 255.255.255.255 tcp 8443 8443 Permit
0.0.0.0 0.0.0.0 10.0.0.0 255.0.0.0 ip 0 65535 Permit
0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 ip 0 65535 Deny

After the conversion, with the command acl_converter_1.0.0.exe -in ACL_CaptivePortal_REDIRECT.csv -out ACL_CaptivePortal_REDIRECT.txt -format switch -redirect, we obtain:

ip access-list extended ACL_CaptivePortal_REDIRECT
 deny udp any any eq 53
 deny udp any any eq 67
 deny tcp any host 172.20.42.11 eq 8443
 deny tcp any host 172.20.42.12 eq 8443
 deny ip any 10.0.0.0 0.255.255.255
 permit ip any any
Remember, in a redirect ACL on Catalyst, deny = do not redirect and permit = redirect.

In WLC format, we obtain:

config acl create ACL_CaptivePortal_REDIRECT
config acl rule add ACL_CaptivePortal_REDIRECT 1
config acl rule direction ACL_CaptivePortal_REDIRECT 1 Out
config acl rule protocol ACL_CaptivePortal_REDIRECT 1 any
config acl rule source address ACL_CaptivePortal_REDIRECT 1 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 1 0.0.0.0 0.0.0.0
config acl rule action ACL_CaptivePortal_REDIRECT 1 permit
config acl rule add ACL_CaptivePortal_REDIRECT 2
config acl rule direction ACL_CaptivePortal_REDIRECT 2 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 2 17
config acl rule source address ACL_CaptivePortal_REDIRECT 2 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 2 0.0.0.0 0.0.0.0
config acl rule source port range ACL_CaptivePortal_REDIRECT 2 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 2 53 53
config acl rule action ACL_CaptivePortal_REDIRECT 2 permit
config acl rule add ACL_CaptivePortal_REDIRECT 3
config acl rule direction ACL_CaptivePortal_REDIRECT 3 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 3 17
config acl rule source address ACL_CaptivePortal_REDIRECT 3 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 3 0.0.0.0 0.0.0.0
config acl rule source port range ACL_CaptivePortal_REDIRECT 3 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 3 67 67
config acl rule action ACL_CaptivePortal_REDIRECT 3 permit
config acl rule add ACL_CaptivePortal_REDIRECT 4
config acl rule direction ACL_CaptivePortal_REDIRECT 4 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 4 6
config acl rule source address ACL_CaptivePortal_REDIRECT 4 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 4 172.20.42.11 255.255.255.255
config acl rule source port range ACL_CaptivePortal_REDIRECT 4 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 4 8443 8443
config acl rule action ACL_CaptivePortal_REDIRECT 4 permit
config acl rule add ACL_CaptivePortal_REDIRECT 5
config acl rule direction ACL_CaptivePortal_REDIRECT 5 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 5 6
config acl rule source address ACL_CaptivePortal_REDIRECT 5 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 5 172.20.42.12 255.255.255.255
config acl rule source port range ACL_CaptivePortal_REDIRECT 5 0 65535
config acl rule destination port range ACL_CaptivePortal_REDIRECT 5 8443 8443
config acl rule action ACL_CaptivePortal_REDIRECT 5 permit
config acl rule add ACL_CaptivePortal_REDIRECT 6
config acl rule direction ACL_CaptivePortal_REDIRECT 6 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 6 0
config acl rule source address ACL_CaptivePortal_REDIRECT 6 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 6 10.0.0.0 255.0.0.0
config acl rule action ACL_CaptivePortal_REDIRECT 6 permit
config acl rule add ACL_CaptivePortal_REDIRECT 7
config acl rule direction ACL_CaptivePortal_REDIRECT 7 In
config acl rule protocol ACL_CaptivePortal_REDIRECT 7 0
config acl rule source address ACL_CaptivePortal_REDIRECT 7 0.0.0.0 0.0.0.0
config acl rule destination address ACL_CaptivePortal_REDIRECT 7 0.0.0.0 0.0.0.0
config acl rule action ACL_CaptivePortal_REDIRECT 7 deny
config acl apply ACL_CaptivePortal_REDIRECT
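The conversion shown in both the French and the English example above, as an added example that is not part of the original tool or post: a small Python re-implementation of the CSV-to-ACL logic, run over a constructed flow matrix. It assumes the ";"-separated column layout from the help output, inverts permit/deny for Catalyst redirect ACLs as the post explains, emits the WLC rule set with the initial outbound permit-all rule, and maps "ip" to protocol "any" rather than "0" (the 1.0.1 fix); the `range` keyword for non-identical port bounds is my own generalisation, not something the page shows.

```python
import csv, io, ipaddress

# Constructed sample flow matrix in the tool's CSV layout (";" as column separator).
SAMPLE_CSV = """src_ip;src_mask;dst_ip;dst_mask;proto;dst_port_start;dst_port_end;action
0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;udp;53;53;Permit
0.0.0.0;0.0.0.0;172.20.42.11;255.255.255.255;tcp;8443;8443;Permit
0.0.0.0;0.0.0.0;10.0.0.0;255.0.0.0;ip;0;65535;Permit
0.0.0.0;0.0.0.0;0.0.0.0;0.0.0.0;ip;0;65535;Deny
"""
# WLC rules take IP protocol numbers; plain "ip" must become "any", not "0" (the 1.0.1 fix)
PROTO_NUM = {"tcp": "6", "udp": "17", "ip": "any"}
def parse_matrix(text):
    return list(csv.DictReader(io.StringIO(text), delimiter=";"))
def ios_addr(ip, mask):
    """Catalyst address syntax: any / host x.x.x.x / network wildcard-mask."""
    if mask == "0.0.0.0":
        return "any"
    if mask == "255.255.255.255":
        return f"host {ip}"
    return f"{ip} {ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF)}"
def to_switch(rows, name, redirect=False):
    lines = [f"ip access-list extended {name}"]
    for r in rows:
        action = r["action"].lower()
        if redirect:  # Catalyst redirect ACL: deny = do not redirect, permit = redirect
            action = "deny" if action == "permit" else "permit"
        line = f" {action} {r['proto']} {ios_addr(r['src_ip'], r['src_mask'])} {ios_addr(r['dst_ip'], r['dst_mask'])}"
        if r["proto"] != "ip":  # ports only for tcp/udp; a real range uses "range" (my generalisation)
            lo, hi = r["dst_port_start"], r["dst_port_end"]
            line += f" eq {lo}" if lo == hi else f" range {lo} {hi}"
        lines.append(line)
    return lines
def to_wlc(rows, name):
    out = [f"config acl create {name}"]
    # rule 1 is an outbound permit-all, as in the page's output; CSV rows follow as inbound rules
    specs = [("Out", "any", "0.0.0.0 0.0.0.0", "0.0.0.0 0.0.0.0", None, "permit")]
    for r in rows:
        ports = None if r["proto"] == "ip" else (r["dst_port_start"], r["dst_port_end"])
        specs.append(("In", PROTO_NUM[r["proto"]], f"{r['src_ip']} {r['src_mask']}",
                      f"{r['dst_ip']} {r['dst_mask']}", ports, r["action"].lower()))
    for n, (direction, proto, src, dst, ports, action) in enumerate(specs, start=1):
        fields = [("add", ""), ("direction", direction), ("protocol", proto),
                  ("source address", src), ("destination address", dst)]
        if ports:  # tcp/udp only: any source port, destination port range from the matrix
            fields += [("source port range", "0 65535"), ("destination port range", f"{ports[0]} {ports[1]}")]
        fields.append(("action", action))
        out += [f"config acl rule {kw} {name} {n} {val}".rstrip() for kw, val in fields]
    out.append(f"config acl apply {name}")
    return out
```

Running `to_switch(parse_matrix(SAMPLE_CSV), "ACL_CaptivePortal_REDIRECT", redirect=True)` reproduces the inverted Catalyst lines above, while `to_wlc` keeps the matrix actions unchanged, which is exactly the asymmetry the `-redirect` option has to handle.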

Download

If you are interested in this tool, you can download it here! (version 1.0.2 – 02/11/2015)

2 comments:

  1. Thanks Federico 🙂 FYI, I published a small update, 1.0.1, which fixes a bug detected in the WLC ACL generation.
