Section 5-2. Managing Users with a Local Database


You can configure a firewall to control user access by defining users in its local database. This approach assigns usernames and passwords to each end user, allowing access rights and accounting trails to be granular and specific.

Each user must use a unique username when accessing or passing through the firewall. For administrative users, privilege levels can be defined to authorize their ability to access firewall commands. User activity can also be tracked and identified by the unique usernames.

You can define usernames locally on the firewall if external user management servers (RADIUS, TACACS+, and so on) are unavailable or impractical. However, local user management does have some limitations. For example, each user's password must be configured and updated on the firewall. Usernames must be added or deleted as users come and go from the enterprise. If a consistent user management framework must be used across the network, each user's credentials and access rights must be maintained at every location.

Without a central point of management, local user databases don't scale very well and can become difficult to administer. Best practice is to use external user management servers first and then fall back on a local user database as a last resort.

Authenticating with Local Usernames

You can use the following configuration steps to define usernames locally on the firewall.

1. Define each firewall user:

 Firewall(config)# username username [{nopassword | password password} [encrypted]] privilege level

The user identified as username (a text string of up to 15 characters) can have a password configured with the password keyword. After password is entered, it is encrypted automatically so that the cleartext string is never displayed in the configuration. If this command is copied and pasted from one firewall to another, the encrypted keyword specifies that the password string is already encrypted before the command is executed.

If you choose to configure the user with no password, using the nopassword option, the blank password is still displayed as an encrypted string. However, you should carefully consider this, because anyone will be able to log in to the firewall (and potentially make configuration changes) by knowing only the username.

A privilege level must be given as level (1 to 15), where 15 is the highest level the user is allowed to reach. This limit applies only when enable authentication is configured. (See Step 3.)

Privilege level 1 is the lowest and offers the user the least capability. At level 15, the user can access and use any command on the firewall platform. All users begin at level 1 when they successfully authenticate. To move to a higher privilege level, users must issue the enable command.

2. Enable local user authentication:

 Firewall(config)# aaa authentication {serial | telnet | ssh | http} console LOCAL 

You can enable user authentication locally on the firewall for any of the following access methods:

- serial (console connection)

- telnet (Telnet)

- ssh (SSH sessions)

- http (Web-based management with PDM or ASDM)

You can repeat this command to define local authentication for more than one connection type.

You must always use the console keyword, indicating that firewall management sessions are being authenticated. The LOCAL keyword causes the firewall's local username database to be used for authentication.

TIP

It might seem odd to use the aaa command here, even though external AAA servers are not used for the local user database. The firewall processes all user management functions involving usernames as AAA functions. A predefined AAA server group called LOCAL uses the LOCAL "protocol," as if the following command were used:

 Firewall(config)# aaa-server LOCAL protocol local 

Requests that would go out to an external AAA server are intercepted and handled internally according to the local username database.

3. (Optional) Authenticate users for enable mode:

 Firewall(config)# aaa authentication enable console LOCAL 

By default, privilege level 15 is defined with the enable password configuration command. Any user who can successfully authenticate with the firewall can also use the enable command to move to level 15, regardless of the privilege level set for the username. As well, all users share the same password for privilege level 15.

You can configure enable authentication so that each user must enter an independent enable password to reach a higher privilege level. With local authentication, the enable password is the same as the username password for each user.

After a user is authenticated with his or her enable password, the privilege level is changed to the level configured for the username. In other words, the privileged EXEC level is set on a per-user basis; not every user automatically arrives at level 15.

For example, suppose the username userjoe is created with a privilege level limit of 15. A second user, userbob, has a privilege level limit of 5. Local authentication is used for SSH sessions. Enable authentication is configured locally so that each user can enter his or her password to move into the respective privilege level, as demonstrated with the following commands:

 Firewall(config)# username userjoe password joespasswd privilege 15
 Firewall(config)# username userbob password bobspasswd privilege 5
 Firewall(config)# aaa authentication ssh console LOCAL
 Firewall(config)# aaa authentication enable console LOCAL

User userjoe logs in to the firewall and moves into his privileged EXEC level (15). Each time, userjoe's username password is used for authentication. The show curpriv command verifies the user's current identity and privilege level, as shown in the following output:

 login as: userjoe
 userjoe@192.168.77.14's password:
 Type help or '?' for a list of available commands.
 Firewall> show curpriv
 Username : userjoe
 Current privilege level : 1
 Current Mode/s : P_UNPR
 Firewall> enable
 Password: ********
 Firewall# show curpriv
 Username : userjoe
 Current privilege level : 15
 Current Mode/s : P_PRIV
 Firewall#

Authorizing Users to Access Firewall Commands

Users are authorized to execute firewall commands based on a comparison of their current privilege level and each command's privilege level. If the user's level is greater than or equal to the command's level, the user is allowed to use the command. If not, an error is returned.

By default, only a simple authorization test is used. Users at privilege level 1 can use only commands that are set at level 1. If a user can move to any level greater than 1, he or she can access any other command, even commands set for level 15.

You can use local command authorization to achieve more granularity. When it is enabled, strict privilege level comparisons are done for each command that is entered. Users who have privilege levels lower than the commands they try to use are rejected.

Each firewall command has a privilege level associated with it. Some command keywords can be used in several different modes, such as show (as in show pager), clear (as in clear pager), and configure (as in pager 24 in configuration mode). Each of these is considered a separate command, having a unique privilege level. Therefore, the privilege levels are assigned according to the command keyword and the mode in which it is used. EXEC mode commands that can be run without the show or clear keywords are referenced in configure mode. An example is the help command.

By default, the commands shown in Table 5-1 are accessed with privilege level 0; all other commands default to level 15.

Table 5-1. Commands Accessed with Privilege Level 0

  Command                                    PIX 6.x   PIX 7.x
  -----------------------------------------  --------  --------
  Firewall> enable                           Yes       Yes
  Firewall> exit                             Yes       Yes
  Firewall> quit                             Yes       Yes
  Firewall> help                             Yes       Yes[*]
  Firewall> login                            Yes       Yes
  Firewall> logout                           Yes       Yes
  Firewall> pager, clear pager, show pager   Yes       No
  Firewall> ping                             No        Yes
  Firewall> show checksum                    Yes       Yes[*]
  Firewall> show curpriv                     Yes       Yes[*]
  Firewall> show history                     Yes       Yes[*]
  Firewall> show version                     Yes       Yes[*]
  Firewall> show flash:                      No        Yes
  Firewall> show debug                       No        Yes[*]

[*] Beginning with PIX 7.x, these commands have a default privilege level of 1. Users at the lowest privilege level (1) can still access and use these commands.

Local user authorization is configured using the following steps:

1. (Optional) Display the current privilege levels for commands:

  FWSM 2.x   Firewall# show privilege {all | command command | level level}
  PIX 6.x    Firewall# show privilege {all | command command | level level}
  PIX 7.x    Firewall# show run all privilege {all | command command | level level}


You can see the current privilege level configured for all possible firewall commands, or for only a single command command (only the first keyword). You can also see all the commands available to a user at a given privilege level level (0 to 15). (The default privilege levels are not shown in the configuration file. Beginning with PIX 7.x, you can see default settings for any command with the show run all command.)

2. Set a command's privilege level:

  FWSM 2.x   Firewall(config)# privilege {show | clear | configure} level level [mode {enable | configure}] command command
  PIX 6.x    Firewall(config)# privilege {show | clear | configure} level level [mode {enable | configure}] command command
  PIX 7.x    Firewall(config)# privilege [show | clear | cmd] level level [mode mode] command command


For the mode (show, clear, or configure) of the command keyword command, a new privilege level (0 to 15) is assigned. Beginning with PIX 7.x, the configure mode is known only as cmd mode.

Some commands can also be used in several submodes within a single mode. In PIX 6.3, for example, the clear logging command can be run from enable mode or configure mode. In either case, the contents of the logging buffer are cleared, but you might want to restrict that command when a user is in one mode versus another.

Beginning with PIX 7.x, you can set command privilege levels with a greater granularity. You can use the mode keyword to identify a specific mode or submode where the command keyword is used. The mode parameter can be given as any one of the keywords shown in Table 5-2, usually shown in the firewall configuration mode prompt.

Table 5-2. PIX 7.x Privileged Command Mode Values

  mode Keyword             Mode Description
  -----------------------  ------------------------------------------------
  aaa-server-group         AAA server group configuration mode
  aaa-server-host          AAA server host configuration mode
  config-group-webvpn      group-policy webvpn configuration mode
  config-username-webvpn   username webvpn configuration mode
  configure                Global configuration mode
  context                  Context configuration mode
  crypto-ca-cert-chain     Crypto certificate entry mode
  crypto-ca-cert-map       Certificate map entry mode
  crypto-ca-crl            Certificate authority trustpoint CRL entry mode
  crypto-ca-trustpoint     Certificate authority trustpoint entry mode
  crypto-pubkey            Crypto subsystem public key entry mode
  enable                   EXEC mode (the keyword is converted to exec)
  exec                     EXEC mode
  fover_group              Failover user group configuration mode
  ftp-map                  ftp-map configuration mode
  group-policy             group-policy attribute configuration mode
  gtpmap                   GTP class map configuration mode
  http-map                 http-map configuration mode
  icmp-object-group        ICMP-type object group configuration mode
  imaps                    imap4s configuration mode
  interface                Interface configuration mode
  mgcp-map                 mgcp-map configuration mode
  network-object-group     Network object group configuration mode
  pop3s                    pop3s configuration mode
  priority-queue           priority-queue configuration mode
  protocol-object-group    Protocol object group configuration mode
  qosclassmap              QoS class map configuration mode
  qospolicymap             QoS policy map configuration mode
  qospolicymapclass        QoS policy map class configuration mode
  route-map                Route map configuration mode
  router                   Router configuration mode
  routing                  Routing configuration mode
  service-object-group     Service object group configuration mode
  smtps                    smtps configuration mode
  snmp-map                 snmp-map configuration mode
  subinterface             Subinterface configuration mode
  tcp-map                  tcp-map configuration mode
  trange                   time-range configuration mode
  tunnel-group-general     tunnel-group general attribute configuration mode
  tunnel-group-ipsec       tunnel-group IPSec attribute configuration mode
  tunnel-group-ppp         tunnel-group PPP attribute configuration mode
  username                 username attribute configuration mode
  vpn-load-balancing       Configure VPN load balancing
  webvpn                   WebVPN configuration mode


For example, users at or above level 8 can be allowed to show the connection table entries:

 Firewall(config)# privilege show level 8 command conn 

PIX 7.x can also accept this command as

 Firewall(config)# privilege show level 8 mode exec command conn 

3. Enable local command authorization:

 Firewall(config)# aaa authorization command LOCAL 

Each time a user attempts to use a firewall command, the firewall authorizes the user based on the local privilege configuration commands.

Accounting of Local User Activity

With local user authentication and authorization, user accounting can be performed only through the logging function. You should make sure that the following Syslog message IDs are enabled to use them as an audit trail of user activity. The default severity levels are shown in parentheses:

  • 611101 (6) Successful user authentication

  • 611102 (6) Failed user authentication

  • 502103 (5) User changed privilege levels

  • 111008 (5) User executed the command text

  • 111009 (7) User executed the command show text

  • 611103 (5) User logged out

For example, suppose someone managed to log in to a firewall, clear its configuration, and reload it. If Syslog were configured on the firewall, you might be able to find an audit trail with clues as to who took those actions. In the following output, a user named userjane has authenticated, used the enable command to move into privilege level 15, cleared the configuration, and reloaded the firewall:

 %ASA-6-109005: Authentication succeeded for user 'userjane' from 172.28.4.41/0 to 10.1.1.10/24 on interface outside
 %ASA-6-611101: User authentication succeeded: Uname: userjane
 %ASA-5-502103: User priv level changed: Uname: userjane From: 1 To: 15
 %ASA-5-111008: User 'userjane' executed the 'enable' command.
 %ASA-7-111009: User 'userjane' executed cmd: show clock
 %ASA-5-111008: User 'userjane' executed the 'write erase' command.
 %ASA-5-111008: User 'userjane' executed the 'reload' command.
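Because local accounting is only as good as the Syslog messages you collect, a small parser that turns the message IDs listed above into a per-user audit trail is useful. The following Python is an added example, not from the book; it assumes the message formats shown in the output above, and the DESTRUCTIVE set is an assumed starting list.

```python
import re
from collections import defaultdict

# Sample log reproduced from the audit trail shown above (109005 line omitted).
SAMPLE_LOG = """\
%ASA-6-611101: User authentication succeeded: Uname: userjane
%ASA-5-502103: User priv level changed: Uname: userjane From: 1 To: 15
%ASA-5-111008: User 'userjane' executed the 'enable' command.
%ASA-7-111009: User 'userjane' executed cmd: show clock
%ASA-5-111008: User 'userjane' executed the 'write erase' command.
%ASA-5-111008: User 'userjane' executed the 'reload' command.
"""

MSG = re.compile(r"%(?:ASA|PIX|FWSM)-\d-(\d{6}): (.*)")
# Message ID -> (event kind, regex: group 1 = username, group 2 = detail or "()")
PATTERNS = {
    "611101": ("login", re.compile(r"Uname: (\S+)()")),
    "611102": ("login-failed", re.compile(r"Uname: (\S+)()")),
    "611103": ("logout", re.compile(r"Uname: (\S+)()")),
    "502103": ("priv", re.compile(r"Uname: (\S+) From: \d+ To: (\d+)")),
    "111008": ("cmd", re.compile(r"User '([^']+)' executed the '([^']+)'")),
    "111009": ("show", re.compile(r"User '([^']+)' executed cmd: (.+)")),
}
DESTRUCTIVE = {"write erase", "reload"}  # assumed starting list; extend as needed

def audit_trail(log_text):
    """Per-user (kind, detail) events in logged order; other messages are skipped."""
    trail = defaultdict(list)
    for line in log_text.splitlines():
        m = MSG.match(line.strip())
        if not m or m.group(1) not in PATTERNS:
            continue
        kind, pattern = PATTERNS[m.group(1)]
        f = pattern.search(m.group(2))
        if f:
            trail[f.group(1)].append((kind, f.group(2)))
    return dict(trail)

def destructive_actions(trail):
    """(user, command, privilege level at the time) for each destructive command."""
    hits = []
    for user, events in trail.items():
        level = 1  # every user starts at level 1 after authenticating
        for kind, detail in events:
            if kind == "priv":
                level = int(detail)
            elif kind == "cmd" and detail in DESTRUCTIVE:
                hits.append((user, detail, level))
    return hits
```

Running destructive_actions(audit_trail(SAMPLE_LOG)) attributes both the write erase and the reload to userjane at privilege level 15, which is the question an incident responder would ask of this trail.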

    Cisco ASA and PIX Firewall Handbook
    Authors: David Hucaby