Section 5-3. Defining AAA Servers for User Management


A firewall can interface with external user management servers to offload any authentication, authorization, or accounting (AAA) functions. This provides a very scalable solution, because all user identities, privileges, and activity logs can be centralized.

You can use the following steps to configure AAA servers and server groups for all AAA-related firewall functions:

1. Define the AAA server group and protocol:

FWSM 2.x

Firewall(config)# aaa-server server_tag protocol {tacacs+ | radius}

PIX 6.x

Firewall(config)# aaa-server server_tag protocol {tacacs+ | radius}

PIX 7.x

Firewall(config)# aaa-server server_tag protocol {tacacs+ | radius | kerberos | ldap | nt | sdi}


A group of servers is named server_tag (an arbitrary string without white space) using a common AAA protocol. All firewall platforms support the tacacs+ or radius protocol. In fact, FWSM and PIX 6.x have the following three predefined server groups:

 aaa-server TACACS+ protocol tacacs+
 aaa-server RADIUS protocol radius
 aaa-server LOCAL protocol local

Beginning with PIX 7.x, only the LOCAL group is predefined. You can also use other AAA protocols if they exist in your network. Specific protocol parameters are configured on a per-server basis in Step 2.

TIP

You can define multiple AAA servers in a single group. Table 5-3 lists the maximum number of server groups and servers per group.

Table 5-3. AAA Server Limits by Security Platform

Platform                    Server Groups    Servers Per Group
FWSM 2.x                    14               14
PIX 6.x                     14               14
PIX 7.x single context      18               16
PIX 7.x multiple context    7                4

The firewall sends requests to the first server configured in the group. If that server doesn't answer within a configurable time, the other servers in the group are tried in succession.

  1. (Optional) Set the server failure threshold:

    FWSM 2.x

    Firewall(config)# aaa-server server_tag max-attempts number

    PIX 6.x

    Firewall(config)# aaa-server server_tag max-failed-attempts number

    PIX 7.x

    Firewall(config-aaa-server-group)# max-failed-attempts number


    If a AAA server is unreachable, the firewall retries its request. After number (1 to 5; the default is 3) failed attempts, the firewall declares that server dead and moves on to the next server in the group.

  2. (Optional) Define a server reactivation policy:

    FWSM 2.x

    Firewall(config)# aaa-server server_tag deadtime minutes

    PIX 6.x

    Firewall(config)# aaa-server server_tag deadtime minutes

    PIX 7.x

    Firewall(config-aaa-server-group)# reactivation-mode {depletion [deadtime minutes] | timed}


    By default, any server that is considered deactivated remains deactivated until no more usable servers remain in the group. This is called depletion mode.

    If only one server group is configured for a AAA function, all servers are immediately reactivated after depletion so that they can be tried again.

    If multiple server groups are configured for a AAA function, a depleted group is skipped so that the next server group can be used. The depleted group is declared dead for the duration of the deadtime timer, configured as minutes (1 to 1440; the default is 10 minutes). After that time, the failed servers are reactivated in the group, and that group is eligible for new AAA requests.

    Beginning in PIX 7.x, you can use an alternative policy called timed reactivation. Here, any failed or deactivated server is automatically reactivated after 30 seconds.

  3. (Optional) Define an accounting policy:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-group)# accounting-mode {single | simultaneous}


    If you are using AAA accounting, you can specify how the accounting information will be sent. With the single keyword, accounting messages are sent to only the active server. The firewall can also send the accounting messages to every server in the group if the simultaneous keyword is used.
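The failover and reactivation rules in the steps above (max-failed-attempts, depletion mode with its deadtime, and PIX 7.x timed reactivation) are easy to misread, so here is an added model of them in Python. It is not code from the book or from the firewall; server tags, addresses and the 30-second timed interval are taken from the text, the times are constructed.

```python
# Added example, not from the book: a model of the failover/reactivation rules above.
from dataclasses import dataclass

@dataclass
class Server:
    ip: str
    failures: int = 0
    dead_at: float = -1.0           # time declared dead; -1 means alive

@dataclass
class ServerGroup:
    tag: str
    servers: list
    max_failed_attempts: int = 3    # 1..5, default 3
    reactivation: str = "depletion" # "depletion" (default) or "timed" (PIX 7.x)
    deadtime: float = 600.0         # depletion deadtime in seconds, default 10 min
    depleted_at: float = -1.0       # time the whole group was declared dead

    def record_failure(self, srv: Server, now: float) -> None:
        # One unanswered request; after max-failed-attempts the server is dead.
        srv.failures += 1
        if srv.failures >= self.max_failed_attempts:
            srv.dead_at = now
            if all(s.dead_at >= 0 for s in self.servers):
                self.depleted_at = now

    def revive_all(self) -> None:
        for s in self.servers:
            s.failures, s.dead_at = 0, -1.0
        self.depleted_at = -1.0

    def first_usable(self, now: float, only_group: bool):
        # Servers are tried in configured order; return the first live one.
        if self.reactivation == "timed":
            for s in self.servers:          # timed mode: back after 30 seconds
                if s.dead_at >= 0 and now - s.dead_at >= 30:
                    s.failures, s.dead_at = 0, -1.0
        elif self.depleted_at >= 0:
            # depletion: a lone group revives at once; otherwise skip it for deadtime
            if only_group or now - self.depleted_at >= self.deadtime:
                self.revive_all()
        return next((s for s in self.servers if s.dead_at < 0), None)

def pick_server(groups: list, now: float):
    # Walk the groups in order and return (tag, ip) of the server to query,
    # or None when every group is depleted and still inside its deadtime.
    for g in groups:
        s = g.first_usable(now, only_group=len(groups) == 1)
        if s is not None:
            return g.tag, s.ip
    return None
```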

2. Add a server to the group.

  1. Identify the server:

    FWSM 2.x

    Firewall(config)# aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]

    PIX 6.x

    Firewall(config)# aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]

    PIX 7.x

    Firewall(config)# aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]


    The server located on the firewall interface named (if_name) (be sure to include the parentheses) at IP address server_ip is added to the server_tag group. If you do not specify the interface, the outside interface is assumed. The firewall can use the string key (a text string of up to 127 characters without spaces) for all exchanges with the server. Therefore, you must configure the same key on the server and the firewall.

    If a response is not received from the server within a timeout period of seconds (the default is 5 seconds), the firewall sends the same request to the next server in the group.

  2. (Optional) Set the server deactivation timer:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# timeout seconds


    The firewall continues to retry requests for a timeout period of seconds (1 to 60; the default is 10 seconds) before it declares the server dead. After that point, the next server in a server group is tried.

  3. (Optional) Use one common port for all server protocols:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# server-port port


    Each AAA protocol uses a different default port for its services. For example, TACACS uses port 49, Kerberos uses 88, Lightweight Directory Access Protocol (LDAP) uses 389, NT uses 139, and Security Dynamics Incorporated (SDI) uses 5500. You can configure the firewall to use one port (1 to 65535) for any protocol used on the server, as long as the server is also configured to use the same port.

    Although it isn't necessary, using one common port for any AAA protocol can simplify the types of traffic passing between the firewall and the server. This in turn might simplify any firewall or router access lists that need to permit the AAA traffic.

3. (Optional) Adjust RADIUS server parameters.

  1. (Optional) Adjust the RADIUS port numbers:

    FWSM 2.x

    Firewall(config)# aaa-server {radius-authport | radius-acctport} [port]

    PIX 6.x

    Firewall(config)# aaa-server {radius-authport | radius-acctport} [port]

    PIX 7.x

     Firewall(config-aaa-server-host)# authentication-port port
     Firewall(config-aaa-server-host)# accounting-port port


    By default, a firewall uses UDP/TCP port 1645 for RADIUS authentication and port 1646 for accounting.

    TIP

    You should confirm that your RADIUS server uses matching port numbers. If it doesn't, you can configure the authentication port (radius-authport) or the accounting port (radius-acctport) to port. Some RADIUS servers use legacy values of 1812 for authentication and 1813 for accounting.

  2. Set the RADIUS key:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# key key


    Beginning with PIX 7.x, the RADIUS key (a text string of up to 127 characters without spaces) should be configured as a host parameter. You must configure the same key on the firewall and the RADIUS server.

  3. (Optional) Set the retry interval:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# retry-interval seconds


    If the server doesn't answer a RADIUS request, the firewall retries it after seconds (1 to 10; the default is 10 seconds) has elapsed.

  4. (Optional) Use one common password for server requests:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# radius-common-pw string


    You can configure a common password that the firewall will use for all RADIUS authorization requests. The password is given as string (up to 127 characters).

4. (Optional) Adjust Kerberos server parameters.

  1. Define the Kerberos realm name:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# kerberos-realm string


    The Kerberos realm name defined on the server is string (up to 64 characters with no spaces).

  2. (Optional) Set the retry interval:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# retry-interval seconds


    If the server doesn't answer a Kerberos request, the firewall retries it after seconds (1 to 10; the default is 10 seconds) has elapsed.

5. (Optional) Adjust LDAP server parameters.

  1. Set the starting point in the LDAP hierarchy:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# ldap-base-dn string


    To process a AAA request, the LDAP server should begin its search at the distinguished name (DN) given by string (up to 128 characters). A DN has the form XX=xxxx,YY=yyyy,... where XX and YY are abbreviations for parameters within the hierarchy, and xxxx and yyyy are strings. For example, a DN string can be o=MyCompany.com or o=MyCompany.com,ou=Engineering.

  2. Limit the scope of an LDAP search:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# ldap-scope {onelevel | subtree}


    By default, the LDAP server is asked to search only one tree level (onelevel) below the base DN. If your LDAP hierarchy is structured such that there are many levels below the base, you can use the subtree keyword to force a search of the entire subtree.

  3. Define the relative DN attributes to search:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# ldap-naming-att string


    When a user is authenticated or authorized, the firewall can pass only the username and password to the LDAP server. The firewall must also inform the LDAP server which DN attributes are necessary to uniquely identify a user during a search. These are given as string (up to 128 characters).

    For example, if usernames are referenced in the Common Name attribute (the CN field of a DN), the following command would be used:

     Firewall(config-aaa-server-host)# ldap-naming-att cn 

  4. Authenticate the firewall:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

     Firewall(config-aaa-server-host)# ldap-login-dn string
     Firewall(config-aaa-server-host)# ldap-login-password string


    The firewall must authenticate itself with the LDAP server when AAA requests are sent. This is done with a DN and a password, which are strings of up to 128 and 64 characters, respectively.

    For example, a firewall might authenticate itself with the following DN and password commands:

     Firewall(config-aaa-server-host)# ldap-login-dn cn=firewall,o=mycompany.com,ou=networking
     Firewall(config-aaa-server-host)# ldap-login-password mysecretpassword

6. (Optional) Identify the NT domain controller:

FWSM 2.x

PIX 6.x

PIX 7.x

Firewall(config-aaa-server-host)# nt-auth-domain-controller string


The name of the Windows NT Primary Domain Controller (PDC) is defined as string (up to 16 characters).

7. (Optional) Adjust SDI SecurID server parameters.

  1. Define the SDI protocol version:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# sdi-version {sdi-pre-5 | sdi-5}


    The SDI version should be set to reflect the version used on the server: sdi-pre-5 (releases before 5.0) or sdi-5 (release 5.0 or later).

  2. (Optional) Set the retry interval:

    FWSM 2.x

    PIX 6.x

    PIX 7.x

    Firewall(config-aaa-server-host)# retry-interval seconds


    If the server doesn't answer an SDI request, the firewall retries it after seconds (1 to 10; the default is 10 seconds) has elapsed.

Cisco ASA and PIX Firewall Handbook
ISBN: 1587051583
Year: 2003
Pages: 120
Authors: David Hucaby