This section demonstrates how SecureMe Company deploys TACACS+ authentication, authorization, and accounting for administrative sessions connecting to its ASA. It also shows how cut-through proxy authentication is configured for all clients at a remote branch.
Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions
The security administrator for SecureMe configures the Chicago ASA to perform authentication, command authorization, and accounting for all administrative sessions using TACACS+. Figure 7-8 illustrates the Chicago network topology. A TACACS+ server (172.18.124.101) and a management workstation (172.18.124.159) are configured in the management subnet (172.18.124.0/24). The Cisco ASA management interface is 172.18.124.205.
Figure 7-8. Chicago Network Topology
The goal is to configure two users. The first user, User1, has the ability to configure anything on the Cisco ASA. The second user, User2, is only allowed to add routes to the Cisco ASA. Accounting is configured for audit and monitoring purposes. Example 7-19 shows the Chicago ASA configuration.
Example 7-19. AAA: Chicago ASA Configuration
!outside interface configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 220.127.116.11 255.255.255.0
!
!inside interface configuration
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
!management interface configuration
interface Management0/0
 nameif management
 security-level 50
 ip address 172.18.124.205 255.255.255.0
 management-only
!
!AAA server group configuration. A server group called mytacacs is configured. The
!172.18.124.101 TACACS+ server is added.
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (management) host 172.18.124.101 key cisco123
!TACACS authentication for telnet, ssh, secure-http-client, and serial console
aaa authentication telnet console mytacacs
aaa authentication serial mytacacs
aaa authentication ssh mytacacs
aaa authentication secure-http-client mytacacs
!TACACS authorization is configured
aaa authorization command mytacacs
!TACACS accounting is enabled
aaa accounting command mytacacs
Figure 7-9 illustrates how the Cisco ASA is added as a AAA client in the TACACS+ server (CiscoSecure ACS).
Figure 7-9. AAA Client Configuration in ACS
User1 belongs to Group 1 in the ACS server, and User2 belongs to Group 2. Group-level authorization is configured in the ACS server. Privilege level 15 is configured for Group 1 to allow User1 to freely modify the configuration of the Cisco ASA. Figure 7-10 illustrates how the CiscoSecure ACS group is configured.
Figure 7-10. Privilege Level 15 Group Configuration in ACS
Group 2 is configured for privilege level 8, allowing User2 only to configure route statements on the ASA. Figure 7-11 illustrates how the CiscoSecure ACS is configured.
Figure 7-11. Command Authorization
Deploying Cut-Through Proxy Authentication
A Cisco ASA at a branch office in Las Vegas, Nevada is configured to perform cut-through proxy. The ASA is configured to require authentication for network access to any protocol or service. Users can authenticate directly with HTTP(S), Telnet, or FTP only; they must first authenticate with one of these services before the Cisco ASA allows other traffic to pass through the appliance.
Figure 7-12 illustrates an internal user (client1) attempting a connection to a server (18.104.22.168) on the outside; the ASA prompts for authentication before the connection is allowed.
Figure 7-12. Las Vegas Network Topology
The Cisco ASA is configured to authenticate all internal users using its local database. Example 7-20 shows the Las Vegas ASA configuration.
Example 7-20. AAA: Las Vegas ASA Configuration
!outside interface configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 22.214.171.124 255.255.255.224
!
!inside interface configuration
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 126.96.36.199 1
!user client1 is added to the local database
username client1 password W.a6bMRKDh/sWvbI encrypted
!access-list and aaa authentication match command are configured to require all users in
!the inside to be authenticated.
access-list 100 extended permit ip any any
aaa authentication match 100 inside LOCAL
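Both configurations above (Example 7-19 for administrative AAA and Example 7-20 for cut-through proxy) can be checked mechanically once the running-config is pulled off the box. The following Python script is an added example, not part of the book or of Cisco's tooling: it parses the AAA statements of an ASA configuration and reports whether a keyed TACACS+ server host, authentication for each administrative access method, command authorization, command accounting, and a cut-through proxy rule are present. The set of administrative methods it requires (telnet, ssh, serial, secure-http-client) is an assumption taken from Example 7-19, and the two sample configurations are constructed from the book's examples. The Las Vegas sample deliberately contains only the cut-through proxy rule, so the audit lists the administrative methods as unconfigured for it.

```python
"""Audit the AAA-related lines of a Cisco ASA configuration (added example)."""
import re

# Administrative access methods authenticated in Example 7-19; assumed here to be
# the set an admin-AAA review should require.
ADMIN_METHODS = ("telnet", "ssh", "serial", "secure-http-client")


def parse_config(text):
    """Return the config as stripped lines, dropping blanks and '!' comments."""
    stripped = (ln.strip() for ln in text.splitlines())
    return [ln for ln in stripped if ln and not ln.startswith("!")]


def audit_aaa(text):
    """Parse AAA statements and return a findings dictionary with an 'issues' list."""
    groups = {}        # server group name -> {"protocol": str|None, "hosts": [...]}
    auth = {}          # access method -> server group
    authorization = accounting = None
    acls = set()
    match_rules = []   # cut-through proxy rules: (acl, interface, server group)

    for line in parse_config(text):
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["protocol"] = m[2]
        elif m := re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)(?: key (\S+))?$", line):
            g = groups.setdefault(m[1], {"protocol": None, "hosts": []})
            g["hosts"].append({"interface": m[2], "address": m[3], "keyed": m[4] is not None})
        elif m := re.match(r"aaa authentication match (\S+) (\S+) (\S+)$", line):
            match_rules.append((m[1], m[2], m[3]))
        elif m := re.match(r"aaa authentication (\S+)(?: console)? (\S+)$", line):
            auth[m[1]] = m[2]
        elif m := re.match(r"aaa authorization command (\S+)$", line):
            authorization = m[1]
        elif m := re.match(r"aaa accounting command (\S+)$", line):
            accounting = m[1]
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])

    def defined(group):
        # LOCAL is the built-in local user database; anything else must be a group.
        return group == "LOCAL" or group in groups

    issues = []
    for method in ADMIN_METHODS:
        if method not in auth:
            issues.append(f"no authentication configured for {method}")
        elif not defined(auth[method]):
            issues.append(f"{method} references undefined server group {auth[method]}")
    if authorization is None:
        issues.append("no command authorization")
    elif not defined(authorization):
        issues.append(f"authorization references undefined server group {authorization}")
    if accounting is None:
        issues.append("no command accounting")
    elif not defined(accounting):
        issues.append(f"accounting references undefined server group {accounting}")
    for name, g in groups.items():
        if not g["hosts"]:
            issues.append(f"server group {name} has no hosts")
        for h in g["hosts"]:
            if not h["keyed"]:
                issues.append(f"server group {name} host {h['address']} has no key")
    for acl, iface, group in match_rules:
        if acl not in acls:
            issues.append(f"cut-through proxy on {iface} references undefined access-list {acl}")
        if not defined(group):
            issues.append(f"cut-through proxy on {iface} references undefined server group {group}")

    return {"authentication": auth, "authorization": authorization,
            "accounting": accounting, "server_groups": groups,
            "cut_through_proxy": match_rules, "issues": issues}


# Constructed sample mirroring Example 7-19 (Chicago, admin AAA via TACACS+).
CHICAGO_CONFIG = """
interface Management0/0
 nameif management
 security-level 50
 ip address 172.18.124.205 255.255.255.0
 management-only
!
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (management) host 172.18.124.101 key cisco123
aaa authentication telnet console mytacacs
aaa authentication serial mytacacs
aaa authentication ssh mytacacs
aaa authentication secure-http-client mytacacs
aaa authorization command mytacacs
aaa accounting command mytacacs
"""

# Constructed sample mirroring Example 7-20 (Las Vegas, cut-through proxy, local DB).
LAS_VEGAS_CONFIG = """
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
!
access-list 100 extended permit ip any any
aaa authentication match 100 inside LOCAL
"""

if __name__ == "__main__":
    for name, cfg in (("Chicago", CHICAGO_CONFIG), ("Las Vegas", LAS_VEGAS_CONFIG)):
        print(name, "issues:", audit_aaa(cfg)["issues"] or "none")
```

Run against a saved `show running-config` and the Chicago sample comes back clean, while removing the server key or the accounting line is reported as a separate issue; the script only recognises the statement forms used in the two examples, so other AAA syntax would need additional patterns.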