MATCHING CISCO ASA IP/CONNECTION TO CISCO ISE USERNAME USING REST API

At CDA we love automation. It is an efficient way to perform. Especially those we can incorporate into a DevOps CI/CD pipeline. Many of our customers have deployed both Cisco ASA and Cisco ISE appliances in production. If you are not familiar with these technologies, that’s OK. This approach works with most firewalls and other network access control devices from other vendors if they have a REST API available with their appliances. If they do not, “get rid of them” just kidding! We work with many customers with the following business challenges:

  • Legacy opposed to “Next Generation” Firewall: Tend to neglect the need to identify the user accessing the internet and consuming bandwidth. There is no username to IP connection mapping.

  • Network Access Control (NAC): Many customers have implemented industry standard network access control solutions that do provide visibility into the devices and users connected to the network. I will discuss how we integrate the two solutions (Legacy Firewall and NAC) to provide visibility into the user’s identity.

  • Which user/users are hogging up my bandwidth? With the number of years I have been working in this industry, I am still puzzled how long it takes to figure out who or what is consuming all the corporate internet bandwidth. I will not be focusing on this challenge however; I will provide you with the framework to answer this question with some basic modifications to the script.

  • Who in my organization is connected to which external IP address? Is it a known malicious site? It is not uncommon to have the enterprise security team identify suspicious traffic or web traffic via threat intelligence feeds. However, it is not always easy to figure out who or which systems are accessing the suspicious sites. With the solution I am presenting, you could use the output to enrich the threat hunting process, especially when coupled with other services including your SIEM.

  • Enriched Incident Response Data: There is often a need to enrich incident response data and rarely an easy way to correlate the traffic without the proper integration and tooling. I will present a solution to help enrich the data when necessary.

QUICK BACKGROUND

Chances are, if you are reading this, you know what ASA and ISE acronyms mean. If not, you can research the basics here.

  • Cisco ASA: What is Cisco Adaptive Security Appliance (ASA)? It’s one of the most widely deployed Layer 4 firewalls in corporate America. It is considered legacy and not the best/first choice with the advent of “Next Generation” firewalls like Cisco Firepower. Read more on the value here:

- Cisco Product Information: https://www.cisco.com/c/en/us/products/security/adaptive-security-appliance-asa-software/index.html

  • Cisco ISE: What is Cisco Identity Services Engine (ISE)? This is an enterprise class security solution that provides network access control and identity at the switch port level. ISE does a lot more than this, for more information, visit the Cisco website:

- Cisco Product Information: https://www.cisco.com/c/en/us/products/security/identity-services-engine/index.html

USE CASE

The game plan for building this solution is based on this simple use case. The solution must allow for automated mapping between username and IP address. This information can be used for other use cases. For example, we could use this data to refine remediation during a malicious attack or for security incident response processes. This should be relatively simple since we know the data we need exist on Cisco ISE and Cisco ASA systems in our “production” environment.


To prove the concept requested in the use case, I want to verify the data I need is where I think it should be on the ASA and the ISE appliances. When a user is connected to the outside world via the Cisco ASA firewall, I can see the following information when typing the “show conn” command:


Verify Cisco ASA data exists via the command line.

ASA-Temp# show conn
2 in use, 2 most used
UDP outside  8.8.8.8:53 inside  10.0.100.101:61422, idle 0:00:00, bytes 44, flags - 
TCP outside  198.148.79.55:443 inside  10.0.100.200:50460, idle 0:00:00, bytes 0, flags saA

Table 1 Output from “show conn” command on Cisco ASA

The use case calls for automation, so I need to make sure I can get the same output from the Cisco ASA REST API. The image below represents the necessary information from the “/doc/” site on the Cisco ASA. The “/doc/” site is the REST API client and documentation. If the REST API is not setup in your environment, you can find steps to automate the deployment using Ansible here: https://www.criticaldesign.net/post/automating-the-deployment-of-the-cisco-asa-rest-api

The screenshot below shows one of the examples from the “/doc/” site. It appears that I can use the “/api/monitoring/connections” endpoint for our HTTP requests. This will return the following values for each connection in JSON format. I will use the “sourceIP” value to match on the ISE output to find the user for each connection:

  • Protocol

  • Source IP

  • Source Port

  • Destination Security Tag

  • Destination IP

  • Destination Port

  • Duration

  • Bytes Sent

Validate Cisco ASA REST API data is available.

My direct test to the “/api/monitoring/connections” endpoint via the browser yielded satisfactory results in JSON format as depicted in the image below.


As per the use case I want to verify the data we need to map the username and IP is readily available in the Cisco ISE console and REST API. To verify this information, I need to make sure the REST API is enabled on the Cisco ISE appliance.

This screenshot below represents the necessary and minimal configuration parameters for Cisco ISE to enable ERS (“External RESTful Services”).


Validate Cisco ISE ERS is enabled

Table 4 Output from "show conn" command on Cisco ASA


Then I need to verify the data exists in the ISE ERS (REST API). I can do this with the browser pointed to the “/admin/API/mnt/Session/ActiveList” endpoint for ERS. After I authenticate, I get the following response. For fun 😊 Cisco gave me a JSON response on the Cisco ASA and on Cisco ISE they gave me an XML response. We will need to account for the different response formats in the script we used to automate the use case. We will need to support HTTP requests, authentication to Cisco ISE, Cisco ASA, and be able to handle XML and JSON responses.


Table 5 Cisco ISE REST API test for connections data


I have verified all the necessary data via the API to match an IP address on the Cisco ASA to the username in the output from the Cisco ISE.


LAB INFRASTRUCTURE OVERVIEW

Next, I’ll give you a quick tour of the lab I used to build this solution. The environment is on VMWare ESXi with EVE-NG installed.


Special Note: Thank you, Kevin Rodgers and Christian Myers for setting up the lab environment to build this script.

My EVE-NG Lab

The image below and subsequent bullet points represent the lab:

The virtual lab consists of the following components in EVE-NG

  • Workstations: Two workstations represent user connections to both Cisco ISE for NAC and Cisco ASA for internet connectivity and perimeter security. (HQ-PC, Satellite-PC)

  • Access Switches: Two access layer switches were provisioned with 802.1x authentication to Cisco ISE. One switch is provided for each segment with one test workstation.

  • Core Switching: Core switching was provisioned to support connectivity between the remote locations, the pseudo data center, servers, and Internet connectivity.

  • Cisco ASA to Internet: The Cisco ASA is provisioned as the gateway to access all external connections.

  • Cisco ISE: The ISE appliance is hosted in the Servers segment as a separate virtual machine on VMWare ESXi.

DEVELOPMENT PROCESS OVERVIEW

To address this use case, I took the approach to build a solution that will allow for an automated and scheduled process to map Cisco ASA connections to the corresponding username. This gives us a better understanding of who is using the internet on the internal network. The steps are simple:

  • Understand Business/Use Case

  • Build Use Case/Pseudo Code

- Connect to Cisco ASA REST API

- Authenticate

- Connect to Cisco ISE REST API

- Authenticate

- Capture JSON and XML request/response data in variables.

- Parse the variables for interesting data and

match the IP to the corresponding user identity (username).

- Print the output

  • Design and setup the lab for testing

  • Explore Cisco ASA and ISE REST APIs

  • Test Cisco ASA and ISE REST API with browser

  • Build the script

  • Test the script

  • Document and post the script

The table below gives you a general idea of what the minimal configuration should be on each firewall. Each of the Cisco ASAv in my lab have the following configuration with some minor differences such as IP Address and Host Name.

Cisco ASA-V + Configuration (Base Example)

enable password $sha512$5000$... == pbkdf2
passwd Uzp6JyHt8i6QEG34 encrypted
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address <Your IP Here> 255.255.255.0

logging enable
logging timestamp
logging facility 23
logging device-id context-name
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 inside
http 172.16.0.0 255.255.0.0 inside
ssh scopy enable
ssh stricthostkeycheck
ssh 172.16.0.0 255.255.0.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
management-access inside
rest-api image disk0:/asa-restapi-7141-lfbff-k8.SPA
rest-api agent

SCRIPTED WORKFLOW OVERVIEW

Now that I have dissected and tested the REST API for my purposes, it’s time to build something useful to automate the process. The process is simple and documented in the table below:

  • Connect ASA

  • Authenticate

  • Connect ISE

  • Authenticate

  • Make REST API Request for Cisco ASA on endpoint “/”

  • Make REST API Request for Cisco ISE on endpoint “/”

  • Parse Cisco ASA response text for IP addresses

  • Parse Cisco ISE response for IP addresses found in Cisco ASA response and return the corresponding username for each IP connection.

  • Print output to the screen. This could go to syslog, log file, or any other output facility you like

NOTE: In the script below you will notice that I have staged some JSON and XML responses for demo purposes. Cisco ASA and ISE REST API Match Firewall IP to Username

import random
import sys
import string
import requests
import urllib3
from pprint import pprint
import json
import getpass
import xml.etree.ElementTree as ET
from ipwhois import IPWhois
from ipwhois.utils import get_countries
from ipwhois import __version__

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

asa_headers = {'Content-Type': 'application/json', 'User-Agent':'REST API Agent'}
ise_headers = {'Content-Type': 'application/xml', 'User-Agent':'REST API Agent'}
asa_uri = "/api/monitoring/connections"
ise_uri = "/admin/API/mnt/Session/ActiveList"
asa_host="172.16.122.10"
ise_host="172.16.122.250"
asaurl="https://"+asa_host+asa_uri
print(asaurl)
iseurl="https://"+ise_host+ise_uri
print(iseurl)
asa_user=input("ASA Username: ")
ise_user=input("ISE Username: ")

try:
    asa_pwd=getpass.getpass(prompt='ASA Password: ', stream=None)
    ise_pwd=getpass.getpass(prompt='ISE Password: ', stream=None)
except Exception as error:
    print ('ERROR',error)

asareq=requests.get(asaurl,auth=(asa_user, asa_pwd),headers=asa_headers,verify=False)
print(asareq)
print("==================")
print(asareq.text)
print("==================")
isereq=requests.get(iseurl,auth=(ise_user, ise_pwd),headers=ise_headers,verify=False)
print(isereq)
print("==================")
print(isereq.text)
print("==================")


#Sample JSON from ASA Rest API for testing
asa_json=r"""{
  "kind": "collection#ConnectionDetails",
  "selfLink": "https://192.168.0.102/api/monitoring/connections",
  "rangeInfo": {
    "offset": 0,
    "limit": 1,
    "total": 3
  },
  "items": [
    {
      "protocol": "TCP",
      "sourceSecurityTag": "",
      "sourceIp": "192.168.0.60",
      "sourcePort": "9338",
      "destinationSecurityTag": "",
      "destinationIp": "192.168.0.102",
      "destinationPort": "443",
      "duration": "0:00:00",
      "bytesSent": "0 KB"
    },
    {
      "protocol": "TCP",
      "sourceSecurityTag": "",
      "sourceIp": "192.168.0.61",
      "sourcePort": "9438",
      "destinationSecurityTag": "",
      "destinationIp": "192.168.0.102",
      "destinationPort": "443",
      "duration": "0:00:00",
      "bytesSent": "0 KB"
    },
    {
      "protocol": "TCP",
      "sourceSecurityTag": "",
      "sourceIp": "192.168.0.62",
      "sourcePort": "9538",
      "destinationSecurityTag": "",
      "destinationIp": "192.168.0.102",
      "destinationPort": "443",
      "duration": "0:00:00",
      "bytesSent": "0 KB"
    }
  ]
}"""

#Sample JSON from ISE Rest API for testing
ise_xml="""
<activeList noOfActiveSession="3">
	<activeSession>
		<user_name>test_user1</user_name>
		<calling_station_id>50:00:00:01:00:00</calling_station_id>
		<nas_ip_address>192.168.0.60</nas_ip_address>
		<acct_session_id>00000001</acct_session_id>
		<audit_session_id>0A00640100000011000DE3E9</audit_session_id>
		<server>ISE</server>
		<framed_ip_address>10.0.10.20</framed_ip_address>
		<</