Configuring Authorization
Cisco ASA supports authorization services over TACACS+ for firewall cut-through proxy sessions. It also supports authorization services over TACACS+ and its internal user database for administrative sessions. RADIUS-downloadable ACLs are also supported by Cisco ASA.
Note
Command access is authorized by privilege level only when authorization is done against the local database.
Additionally, authorization over RADIUS, LDAP, and internal user databases is available for VPN user connections. This is used for mode-config attributes for remote-access VPN clients. Information about mode-config and its attributes is provided in Chapter 16.
The aaa authorization command enables authorization for firewall cut-through proxy and administrative sessions. The following is the syntax for this command to enable authorization for firewall cut-through proxy sessions:
aaa authorization include | exclude svc if_name l_ip l_mask [f_ip f_mask]server_tag
Table 7-7 lists its options.
|
Option |
Description |
|---|---|
|
include |
Use this option to include authorization services for a specific host or network. |
|
exclude |
Use this option to exclude authorization services for a specific host or network. |
|
svc |
Specifies the protocol and/or service used: telnet, ftp, http, https, tcp/port, and tcp/0. |
|
if_name |
Name of the interface on which authorized connections are originated. |
|
l_ip |
The address of the local host or network that requires authorization. |
|
l_mask |
The network mask of the local host or network that requires authorization. |
|
f_ip |
The address of the foreign host or network whose connections require authorization. |
|
f_mask |
The network mask of the foreign host or network whose connections require authorization. |
|
server_tag |
The name of the AAA server tag. For cut-through and command authorization, the server tag LOCAL can also be used. Only TACACS+ is supported for cut-through authorization. |
You can also use the aaa authorization match command to define a firewall cut-through proxy session:
aaa authorization match access_list_name if_name server_tag
The access_list_name option specifies the ACL name used to categorize which traffic requires authorization. Example 7-16 demonstrates how to use this command.
Example 7-16. Enabling Authorization Using an ACL to Define Interesting Traffic
access-list 100 extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 aaa-server mygroup protocol tacacs+ aaa-server mygroup host 10.10.10.100 key cisco123 aaa authorization match 100 inside mygroup
In Example 7-16, access list 100 defines that all IP traffic sourced from the 10.10.10.0/24 network destined to 192.168.1.0/24 requires authorization. This ACL is associated to the aaa authorization match command.
Command Authorization
To configure command authorization on the Cisco ASA, the following command is used:
aaa authorization command {LOCAL | tacacs_server_tag [LOCAL]}
The server tag LOCAL defines local command authorization. It can also be used as a fallback method in case the TACACS+ server is unreachable.
Tip
Establishing two separate sessions to the Cisco ASA is always recommended when configuring AAA authorization. The purpose of this procedure is to avoid getting locked out of the CLI. Open one session using a Telnet or SSH connection and connect to the serial console of the Cisco ASA. One of the sessions can be disconnected once the configuration is verified and tested.
When using authorization, the following attributes are passed to the TACACS+ server in the attribute payload of the authorization request message:
- cmd The command string to be authorized (used for authorization for administrative sessions only)
- cmd-arg The command arguments to be sent (used for authorization for administrative sessions only)
- service The type of service for which authorization is requested
The following attributes may be received from a TACACS+ server in an authorization response message:
- idletime Idle timeout value for firewall cut-through proxy sessions
- timeout Absolute timeout value for firewall cut-through proxy sessions
- acl The identifier of an ACL to be applied to a specific user
Configuring Downloadable ACLs
Cisco ASA provides support for a per-user ACL authorization by downloading an ACL from a RADIUS or TACACS+ server. This feature allows you to push an ACL to the Cisco ASA from a CiscoSecure ACS server. The downloadable ACL will work in combination with the ACLs configured in the ASA. The user traffic needs to be permitted by both ACLs in order for it to flow through the ASA. However, the per-user-override option can be configured at the end of the access-group command to bypass this requirement. The following is an example of applying the per-user-override option on an access-group command applied to the inside interface:
access-group 100 in interface inside per-user-override
All downloadable ACLs are applied to the interface from which the user is authenticated.
Figure 7-7 illustrates an example of how downloadable ACLs work.
Figure 7-7. Downloadable ACL Example
The following are the steps listed in Figure 7-7:
- A user initiates a web connection to Cisco.com.
- The Cisco ASA is configured to perform authentication (cut-through proxy) and prompts the user for authentication credentials.
- The user replies with his credentials.
- The Cisco ASA sends the RADIUS authentication request (Access-Accept) to the CiscoSecure ACS server.
- The CiscoSecure ACS server authenticates the user and sends a RADIUS response (Access-Accept) including an ACL name associated with the user.
- The Cisco ASA verifies whether it has an ACL named the same as the one downloaded from the CiscoSecure ACS server. There is no need to download a new ACL if there is an ACL identified with the same name.
You can configure downloadable ACLs in CiscoSecure ACS in a few different ways:
- Configure a Shared Profile Component (SPC), including both the ACL name and the actual ACL. This allows you to apply the ACL to any number of users within CiscoSecure ACS.
- Configure each ACL entry within a specific user profile.
- Configure the ACLs to be applied to a specific group.
These options are supported with Cisco ASA to better fit your security policies.
Part I: Product Overview
Introduction to Network Security
- Introduction to Network Security
- Firewall Technologies
- Intrusion Detection and Prevention Technologies
- Network-Based Attacks
- Virtual Private Networks
- Summary
Product History
- Product History
- Cisco Firewall Products
- Cisco IDS Products
- Cisco VPN Products
- Cisco ASA All-in-One Solution
- Summary
Hardware Overview
Part II: Firewall Solution
Initial Setup and System Maintenance
- Initial Setup and System Maintenance
- Accessing the Cisco ASA Appliances
- Managing Licenses
- Initial Setup
- IP Version 6
- Setting Up the System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Network Access Control
- Network Access Control
- Packet Filtering
- Advanced ACL Features
- Content and URL Filtering
- Deployment Scenarios Using ACLs
- Monitoring Network Access Control
- Understanding Address Translation
- DNS Doctoring
- Monitoring Address Translations
- Summary
IP Routing
Authentication, Authorization, and Accounting (AAA)
- Authentication, Authorization, and Accounting (AAA)
- AAA Protocols and Services Supported by Cisco ASA
- Defining an Authentication Server
- Configuring Authentication of Administrative Sessions
- Authenticating Firewall Sessions (Cut-Through Proxy Feature)
- Configuring Authorization
- Configuring Accounting
- Deployment Scenarios
- Troubleshooting AAA
- Summary
Application Inspection
- Application Inspection
- Enabling Application Inspection Using the Modular Policy Framework
- Selective Inspection
- Computer Telephony Interface Quick Buffer Encoding Inspection
- Domain Name System
- Extended Simple Mail Transfer Protocol
- File Transfer Protocol
- General Packet Radio Service Tunneling Protocol
- H.323
- HTTP
- ICMP
- ILS
- MGCP
- NetBIOS
- PPTP
- Sun RPC
- RSH
- RTSP
- SIP
- Skinny
- SNMP
- SQL*Net
- TFTP
- XDMCP
- Deployment Scenarios
- Summary
Security Contexts
- Security Contexts
- Architectural Overview
- Configuration of Security Contexts
- Deployment Scenarios
- Monitoring and Troubleshooting the Security Contexts
- Summary
Transparent Firewalls
- Transparent Firewalls
- Architectural Overview
- Transparent Firewalls and VPNs
- Configuration of Transparent Firewall
- Deployment Scenarios
- Monitoring and Troubleshooting the Transparent Firewall
- Summary
Failover and Redundancy
- Failover and Redundancy
- Architectural Overview
- Failover Configuration
- Deployment Scenarios
- Monitoring and Troubleshooting Failovers
- Summary
Quality of Service
- Quality of Service
- Architectural Overview
- Configuring Quality of Service
- QoS Deployment Scenarios
- Monitoring QoS
- Summary
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
- Intrusion Prevention System Integration
- Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
- Directing Traffic to the AIP-SSM
- AIP-SSM Module Software Recovery
- Additional IPS Features
- Summary
Configuring and Troubleshooting Cisco IPS Software via CLI
- Configuring and Troubleshooting Cisco IPS Software via CLI
- Cisco IPS Software Architecture
- Introduction to the CIPS 5.x Command-Line Interface
- User Administration
- AIP-SSM Maintenance
- Advanced Features and Configuration
- Summary
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
- Site-to-Site IPSec VPNs
- Preconfiguration Checklist
- Configuration Steps
- Advanced Features
- Optional Commands
- Deployment Scenarios
- Monitoring and Troubleshooting Site-to-Site IPSec VPNs
- Summary
Remote Access VPN
- Remote Access VPN
- Cisco IPSec Remote Access VPN Solution
- Advanced Cisco IPSec VPN Features
- Deployment Scenarios of Cisco IPSec VPN
- Monitoring and Troubleshooting Cisco Remote Access VPN
- Cisco WebVPN Solution
- Advanced WebVPN Features
- Deployment Scenarios of WebVPN
- Monitoring and Troubleshooting WebVPN
- Summary
Public Key Infrastructure (PKI)
- Public Key Infrastructure (PKI)
- Introduction to PKI
- Enrolling the Cisco ASA to a CA Using SCEP
- Manual (Cut-and-Paste) Enrollment
- Configuring CRL Options
- Configuring IPSec Site-to-Site Tunnels Using Certificates
- Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
- Troubleshooting PKI
- Summary
Part V: Adaptive Security Device Manager
Introduction to ASDM
- Introduction to ASDM
- Setting Up ASDM
- Initial Setup
- Functional Screens
- Interface Management
- System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Firewall Management Using ASDM
- Firewall Management Using ASDM
- Access Control Lists
- Address Translation
- Routing Protocols
- AAA
- Application Inspection
- Security Contexts
- Transparent Firewalls
- Failover
- QoS
- Summary
IPS Management Using ASDM
- IPS Management Using ASDM
- Accessing the IPS Device Management Console from ASDM
- Configuring Basic AIP-SSM Settings
- Advanced IPS Configuration and Monitoring Using ASDM
- Summary
VPN Management Using ASDM
- VPN Management Using ASDM
- Site-to-Site VPN Setup Using Preshared Keys
- Site-to-Site VPN Setup Using PKI
- Cisco Remote-Access IPSec VPN Setup
- WebVPN
- VPN Monitoring
- Summary
Case Studies
EAN: 2147483647
Pages: 231
