Cisco ASA supports authentication of administrative sessions using a local user database, a RADIUS server, or a TACACS+ server. An administrator can connect to the Cisco ASA via
If connecting via Telnet or SSH, the user can retry authentication three times in case of user error. After the third time, the authentication session and connection to the Cisco ASA are closed. Authentication sessions via the console prompt the user continuously until the correct username and password are entered.
Before you start the configuration, you must decide which user database you will use (local or external AAA server). If you are using an external AAA server, configure the AAA server group and host, as covered in the previous section. You can use the aaa authentication command to require authentication verification when accessing Cisco ASA for administration. This section teaches you how to configure authentication for each type of connection.
Authenticating Telnet Connections
You can enable Telnet access to the Cisco ASA on any internal interface; on the outside interface, Telnet sessions are accepted only when they arrive over an established IPSec connection. Keep in mind that Telnet carries the username and password in cleartext, which is why SSH is preferred for administrative access. Example 7-9 includes the commands necessary to configure Telnet access using a local username and password.
Example 7-9. Authenticating Telnet Connections
Chicago# configure terminal
Chicago(config)# username admin password cisco
Chicago(config)# aaa authentication telnet console LOCAL
Chicago(config)# telnet 192.168.10.0 255.255.255.0 inside
Chicago(config)# exit
In Example 7-9, a user called admin can authenticate successfully when connecting via Telnet to the inside interface, and only from the 192.168.10.0/24 network. The keyword LOCAL specifies that the local user database on the Cisco ASA is used. The same keyword, appended after a server-group name, enables fallback to the local database if the configured authentication server is unavailable.
Do not confuse the keyword console with the serial console on the Cisco ASA. In the aaa authentication command, console means that the authentication applies to administrative sessions; the preceding keyword (telnet, serial, http, or ssh) selects which access method the Cisco ASA will require AAA authentication for. Telnet is used in Example 7-9.
Authenticating SSH Connections
To enable SSH on the Cisco ASA, you configure a host name and domain name before generating the RSA key pair used by SSH, because the key pair is named after the fully qualified host name. Example 7-10 shows how to generate the RSA key pair and enable SSH version 2 connections from any system on the inside interface.
Example 7-10. Generating RSA Key Pair and Enabling SSH Version 2
Chicago# configure terminal
Chicago(config)# hostname ASA
Chicago(config)# domain-name cisco.com
Chicago(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: ASA.cisco.com
Keypair generation process begin.
Chicago(config)# ssh 0.0.0.0 0.0.0.0 inside
Chicago(config)# ssh version 2
After the RSA key pair has been generated and SSH has been enabled, complete your AAA server group and host configuration. In this example, a CiscoSecure ACS server (configured for TACACS+) is used for authentication. Enable SSH authentication as shown in Example 7-11.
Example 7-11. Configuring SSH Authentication to a TACACS+ Server
Chicago# configure terminal
Chicago(config)# aaa-server mygroup protocol tacacs+
Chicago(config-aaa-server)# max-failed-attempts 2
Chicago(config-aaa-server)# reactivation-mode timed
Chicago(config-aaa-server)# exit
Chicago(config)# aaa-server mygroup host 172.18.173.109
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# aaa authentication ssh console mygroup
Chicago(config)# exit
In Example 7-11, the AAA server group is labeled as mygroup. The TACACS+ server's IP address is 172.18.173.109 and is configured with a shared secret of cisco123.
Complete the following steps to add Cisco ASA as a NAS in the CiscoSecure ACS:
Log into the CiscoSecure ACS administration console.
Click the Network Configuration tab from the navigation bar.
Under AAA Clients, click Add Entry.
Enter the Cisco ASA information as shown in Figure 7-4.
Figure 7-4. Adding Cisco ASA as a NAS in ACS
The AAA Client Hostname is the name given to the AAA client. Under AAA Client IP Address, enter the address of the interface from which the Cisco ASA sources its TACACS+ packets (172.18.173.8 in this example), that is, the interface facing the ACS server. The Key is the shared secret that the Cisco ASA and CiscoSecure ACS use to protect their communication.
The shared key must be configured identically on both devices, and it is case sensitive.
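What the shared key actually does on the wire is worth seeing once. The following Python example is added here and is not code from the book or from Cisco; it implements the TACACS+ body obfuscation from RFC 8907 section 4.5 (an XOR with an MD5-derived keystream, not a real cipher) and builds the authentication START packet body that the ASA would send for an SSH login under Example 7-11. The session ID, the user name and the addresses are constructed for the example; the key cisco123 is the one from Example 7-11. The wrong-case key Cisco123 is included to show why the key must match exactly.

```python
import hashlib
import struct

# Constructed example values (not from the page): the session ID is a random
# 32-bit value picked by the client; version 0xC0 is TACACS+ major 12, minor 0.
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0
SHARED_KEY = b"cisco123"   # the key from Example 7-11


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int,
                      seq_no: int, length: int) -> bytes:
    """MD5 keystream from RFC 8907 section 4.5.

    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    The pad is the concatenation of the digests, truncated to the body length.
    """
    pad = b""
    prev = b""
    while len(pad) < length:
        h = hashlib.md5()
        h.update(struct.pack("!I", session_id))
        h.update(key)
        h.update(bytes([version, seq_no]))
        h.update(prev)
        prev = h.digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, key: bytes, seq_no: int,
              session_id: int = SESSION_ID, version: int = VERSION) -> bytes:
    """XOR the packet body with the keystream.  Applying the same call to the
    result with the same key restores the plaintext, so this de-obfuscates too.
    (A packet with the TAC_PLUS_UNENCRYPTED_FLAG set skips this entirely.)"""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes = b"ssh",
                       rem_addr: bytes = b"192.168.10.5") -> bytes:
    """Authentication START body (RFC 8907 section 5.1), the first packet the
    ASA sends when 'aaa authentication ssh console mygroup' is in effect.
    action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), authen_service=LOGIN(1),
    followed by the four length bytes and the variable-length fields."""
    fixed = struct.pack("!8B", 1, 1, 1, 1,
                        len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def parse_authen_start(body: bytes) -> dict:
    """Pull the variable-length fields back out of a START body."""
    (action, priv_lvl, authen_type, service,
     user_len, port_len, rem_len, _data_len) = struct.unpack("!8B", body[:8])
    off = 8
    user = body[off:off + user_len]
    off += user_len
    port = body[off:off + port_len]
    off += port_len
    rem_addr = body[off:off + rem_len]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr}


def demo() -> dict:
    body = build_authen_start(b"admin")
    wire = obfuscate(body, SHARED_KEY, seq_no=1)       # what the ASA puts on TCP/49
    good = obfuscate(wire, SHARED_KEY, seq_no=1)       # ACS configured with cisco123
    bad = obfuscate(wire, b"Cisco123", seq_no=1)       # ACS configured with wrong case
    return {
        "user_with_right_key": parse_authen_start(good)["user"],
        "right_key_roundtrip": good == body,
        "wrong_key_roundtrip": bad == body,
        "wire_differs_from_body": wire != body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical points follow from the code: the keystream depends only on the session ID, the key, the version and the sequence number, so a weak or guessable key lets anyone capturing TCP/49 traffic recover credentials, and a key mismatch (including a case difference) produces garbage rather than an error at this layer, which is why a mistyped key shows up as authentication failures rather than as an obvious configuration error.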
Authenticating Serial Console Connections
To configure authentication of serial console connections, use the aaa authentication serial console command. Be aware that a misconfiguration here can easily lock you out of the Cisco ASA. Example 7-12 demonstrates how to configure serial console authentication using the AAA server group previously configured.
Example 7-12. Configuring Serial Console Authentication
Chicago(config)# aaa authentication serial console mygroup
Establishing two separate sessions to the Cisco ASA is always recommended when configuring AAA authentication, so that a mistake does not lock you out of the CLI. Open one session over Telnet or SSH and a second one on the serial console of the Cisco ASA, make the change in one of them, and verify that you can still log in through the other. One of the sessions can be disconnected once the configuration is verified and tested.
If the administrator is locked out of the security appliance, follow the password recovery procedure discussed in Chapter 4, "Initial Setup and System Maintenance."
Authenticating Cisco ASDM Connections
The aaa authentication http console command can be configured to require authentication for Cisco ASDM users. Example 7-13 demonstrates how to configure ASDM authentication using the AAA server group previously configured.
Example 7-13. Configuring HTTP Authentication for ASDM Users
Chicago(config)# aaa authentication http console mygroup
If this command is not configured, Cisco ASDM users can gain access to the ASA by entering only the enable password, and no username, at the authentication prompt.
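The checks that this section spells out (which access methods require AAA authentication, whether LOCAL fallback exists, where Telnet is permitted, and whether ASDM is still protected by the enable password alone) are easy to miss on a long running-config. The following Python script is an added example, not code from the book or from Cisco: it audits a constructed running-config excerpt modelled on Examples 7-9 through 7-11, with a deliberately weak second telnet line and the serial and http lines left out, and compares it with a hardened variant. The finding codes and messages are the example's own.

```python
import re
from typing import List, Set, Tuple

# Constructed running-config excerpt (not a real device's configuration).
# The outside telnet line and the missing serial/http lines are deliberate.
SAMPLE_CONFIG = """\
hostname Chicago
username admin password cisco
aaa-server mygroup protocol tacacs+
 max-failed-attempts 2
 reactivation-mode timed
aaa-server mygroup host 172.18.173.109
 key cisco123
aaa authentication telnet console LOCAL
aaa authentication ssh console mygroup
telnet 192.168.10.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh version 2
"""

# The same device after applying the section's advice: no Telnet, every
# access method authenticated against the server group with LOCAL fallback.
HARDENED_CONFIG = """\
aaa-server mygroup protocol tacacs+
aaa-server mygroup host 172.18.173.109
 key cisco123
aaa authentication ssh console mygroup LOCAL
aaa authentication serial console mygroup LOCAL
aaa authentication http console mygroup LOCAL
ssh 192.168.10.0 255.255.255.0 inside
ssh version 2
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
AUTHN_RE = re.compile(r"aaa authentication (telnet|ssh|serial|http) console (\S+)(?: (LOCAL))?$")
ACL_RE = re.compile(rf"(telnet|ssh) ({IP}) ({IP}) (\S+)$")

Finding = Tuple[str, str]   # (short code, human-readable message)


def audit_admin_access(config: str) -> List[Finding]:
    authn = {}                              # access type -> [primary, optional LOCAL]
    allowed = {"telnet": [], "ssh": []}     # (source, mask, interface) per protocol
    ssh_v1 = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := AUTHN_RE.match(line):
            authn[m[1]] = [m[2]] + ([m[3]] if m[3] else [])
        elif m := ACL_RE.match(line):
            allowed[m[1]].append((m[2], m[3], m[4]))
        elif line == "ssh version 1":
            ssh_v1 = True

    findings: List[Finding] = []
    for proto, entries in allowed.items():
        if entries and proto not in authn:
            findings.append((f"no-authn-{proto}",
                             f"{proto} is reachable but no 'aaa authentication {proto} console' line exists"))
        for src, mask, iface in entries:
            if proto == "telnet":
                findings.append(("telnet-enabled",
                                 f"Telnet (cleartext credentials) permitted from {src} {mask} on {iface}; prefer SSH"))
                if iface == "outside":
                    findings.append(("telnet-outside",
                                     "Telnet permitted on the outside interface (only usable over IPSec); remove it"))
            if (src, mask) == ("0.0.0.0", "0.0.0.0"):
                findings.append((f"{proto}-any-source-{iface}",
                                 f"{proto} permitted from any source on {iface}; restrict to management networks"))
    if "serial" not in authn:
        findings.append(("no-authn-serial",
                         "serial console has no AAA authentication ('aaa authentication serial console' missing)"))
    if "http" not in authn:
        findings.append(("no-authn-http",
                         "ASDM users authenticate with the enable password only ('aaa authentication http console' missing)"))
    for access_type, methods in authn.items():
        if methods[0] != "LOCAL" and "LOCAL" not in methods:
            findings.append((f"no-local-fallback-{access_type}",
                             f"{access_type} authenticates only against {methods[0]}; a server outage locks you out"))
    if ssh_v1:
        findings.append(("ssh-v1", "SSH version 1 is enabled; use 'ssh version 2'"))
    return findings


def finding_codes(config: str) -> Set[str]:
    return {code for code, _ in audit_admin_access(config)}


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for code, msg in audit_admin_access(cfg):
            print(f"[{code}] {msg}")
```

Run against the sample excerpt the script reports the missing serial and http authentication lines, the absence of LOCAL fallback on the SSH server group, the two Telnet entries (one of them on the outside interface) and the any-source SSH rule; the hardened excerpt produces no findings. Point it at the output of show running-config on a real ASA to apply the same checks there.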