Section 5-4. Configuring AAA to Manage Administrative Users


You can use external AAA servers to manage users who connect to the firewall for administrative purposes. Usernames and passwords are created or deleted on one or more centralized AAA servers. The firewall can query the servers when users connect and need to be authenticated. Firewall command authorization can also be used when various users must be limited to specific privilege levels and sets of commands. A firewall can also generate user accounting information that is collected by the external servers.

You can use the configuration steps covered in the following sections to set up AAA for administrative user management.

Enabling AAA User Authentication

Follow these steps to configure administrative user authentication with AAA servers:

1. Authenticate with a AAA server group:

    Firewall(config)# aaa authentication {serial | telnet | ssh | http} console server_tag [LOCAL]

The AAA server group named server_tag is used to handle authentication requests. The server group must be configured as a separate step, as described in section 5-3, "Defining AAA Servers for User Management." Each server defined in the group is tried in succession in case some are unreachable or unavailable.

If all the servers in the group are down or the firewall can't reach any of them because of networking issues, the user authentication fails. This means that you can effectively be locked out of the firewall, unable to make any configuration changes or execute any commands.

As a fallback measure, you can add the LOCAL keyword to make the firewall use local authentication after trying the AAA server group. Even if the network is down, the local user database always is available as a way to authenticate with and connect to the firewall. You should define some administrative users on the firewall with the username command. You don't need to duplicate the entire set of users defined on the AAA servers. Just define enough usernames to allow you and your staff to connect.

2. (Optional) Authenticate users for enable mode:

    Firewall(config)# aaa authentication enable console server_tag [LOCAL]

By default, privilege level 15 is defined with the enable password configuration command. Any user who can successfully authenticate with the firewall can also use the enable command to move to level 15, regardless of the privilege level set for the username. As well, all users share the same password for privilege level 15.

You can configure enable authentication so that each user must enter an independent enable password to reach a higher privilege level. With a AAA server group, you can define a unique enable password for each user.

After a user is authenticated with his or her enable password, the privilege level is changed to the level configured for the username. In other words, the privileged EXEC level is set on a per-user basis; not every user automatically arrives at level 15.

TIP

Enable authentication is fully functional with TACACS+ servers, because they support per-user enable passwords and enable privilege level settings. You can also use RADIUS servers for this, but each user's enable password is always identical to his or her RADIUS password. As well, RADIUS doesn't directly support enable privilege levels for users.

Figure 5-1 shows an example of the User Setup configuration for a user in CiscoACS. Under Advanced TACACS+ Settings, the user's maximum privilege level is set to 15 for any AAA client accessible to the user. The per-user enable password has also been configured in the TACACS+ Enable Password section as a separate password maintained in the CiscoACS database.

Figure 5-1. Enabling Authentication Configuration on a CiscoACS Server


With CiscoACS, make sure the enable authentication options are made available in the user or group setup screens. In the Interface Configuration, go to Advanced Options and make sure the Per-User TACACS+/RADIUS Attributes option is checked. You should also go to Interface Configuration and select TACACS+(Cisco IOS); make sure the Advanced TACACS+ Features option is checked.

For example, suppose a firewall needs to be configured to use a farm of five RADIUS servers for administrative user authentication. The servers have IP addresses 192.168.100.10 through 192.168.100.14, all located on the inside firewall interface. These servers authenticate users connecting to the console port, Telnet, SSH, and web-based management applications. As a fallback, local authentication is used to support a single user ID, admin, in case none of the RADIUS servers can be reached.

The following configuration commands can be used to complete the scenario:

    Firewall(config)# aaa-server RADIUS_FARM protocol radius
    Firewall(config)# aaa-server RADIUS_FARM (inside) host 192.168.100.10 key Server1Key
    Firewall(config)# aaa-server RADIUS_FARM (inside) host 192.168.100.11 key Server2Key
    Firewall(config)# aaa-server RADIUS_FARM (inside) host 192.168.100.12 key Server3Key
    Firewall(config)# aaa-server RADIUS_FARM (inside) host 192.168.100.13 key Server4Key
    Firewall(config)# aaa-server RADIUS_FARM (inside) host 192.168.100.14 key Server5Key
    Firewall(config)# aaa authentication serial console RADIUS_FARM LOCAL
    Firewall(config)# aaa authentication telnet console RADIUS_FARM LOCAL
    Firewall(config)# aaa authentication ssh console RADIUS_FARM LOCAL
    Firewall(config)# aaa authentication http console RADIUS_FARM LOCAL
    Firewall(config)# aaa authentication enable console RADIUS_FARM LOCAL
    Firewall(config)# username admin password AdminPW privilege 15

Enabling AAA Command Authorization

If you are using external TACACS+ servers, you can configure command authorization with the following configuration command:

    Firewall(config)# aaa authorization command server_tag [LOCAL]

Beginning with PIX 7.x, you can add the LOCAL keyword to allow a fallback method of local command authorization in case none of the TACACS+ servers can be reached.

On a CiscoACS server, you can follow these steps to configure command authorization:

1. In Interface Configuration, go to TACACS+(Cisco IOS). Under TACACS+ Services, check the Shell(exec) boxes for User or Group. This displays command authorization options in the user and/or group configuration pages.

2. Select User Setup or Group Setup, depending on whether command authorization will be configured per user or per group. Select the appropriate user or group from the list.

3. Under TACACS+ Settings, look for the Shell Command Authorization Set section. Select Per User (or Per Group) Command Authorization. You can configure specific commands to permit or deny for the user or group. For all other "unmatched" or unspecified Cisco IOS commands, choose whether the CiscoACS server will Permit or Deny them.

4. To authorize a specific command, check the Command box and enter the first command keyword in the text box. You can also specify command arguments or keywords in the Arguments box. Under Unlisted arguments (arguments or keywords that you don't explicitly list for the command), select whether to Permit or Deny them.

The ACS page can display space for more than one command to be configured. You can enter an additional command in each section that begins with a "Command" checkbox. Click the Submit button at the bottom of the page when all the command arguments have been entered. You can add more commands to the list by selecting the user or group again. Each time you configure a command, it is appended to the list of commands and arguments on the configuration page.

Figure 5-2 shows an example of how a CiscoACS group has been configured so that enable and exit are permitted commands. All other commands are denied for the group.

Figure 5-2. CiscoACS TACACS+ Command Authorization


5. You can also define lists of permitted firewall commands, which can be applied to users or groups in CiscoACS.

a. Go to Shared Profile Components, and select Shell Command Authorization Set.

Enter one command (only the first keyword) at a time in the text box, and click Add Command. If you need to specify keywords that can appear after the command keyword, enter those in the rightmost text box. Be sure to begin each line with permit or deny, followed by the command arguments and keywords.

Choose whether unmatched (unlisted) commands will be permitted or denied. Then click Submit.

In Figure 5-3, a shell command authorization set has been configured to allow a subset of users to display various firewall resources. With the show command, only specific keywords are permitted. Any other command that isn't listed is denied.

Figure 5-3. CiscoACS Command Authorization Set Configuration


b. After a command authorization set is configured, you can apply it in User Setup or Group Setup. Under the Shell Command Authorization Set section, you can select the set in the drop-down list. Figure 5-4 shows how the read-only-users command authorization set can be applied to any network device that CiscoACS makes available to a group.

Figure 5-4. Applying a CiscoACS Command Authorization Set
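To make the permit/deny semantics of a shell command authorization set concrete, here is an added Python model (not the book's code and not how CiscoACS is implemented) that evaluates firewall CLI lines against a hypothetical read-only-users set in the spirit of Figure 5-3. It assumes argument lines are matched by prefix in the order listed, that a bare command keyword present in the set is permitted, and that the Unlisted arguments and Unmatched commands settings are both Deny.

```python
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    """One 'Command' entry: first keyword plus (permit|deny, argument) lines."""
    command: str
    args: list = field(default_factory=list)   # [("permit", "interface"), ...]
    unlisted_args: str = "deny"                 # policy for arguments not listed

@dataclass
class AuthorizationSet:
    """A shell command authorization set, as applied to a user or group."""
    name: str
    rules: dict                                 # first keyword -> CommandRule
    unmatched: str = "deny"                     # policy for commands with no entry

    def decide(self, line: str) -> str:
        words = line.split()
        if not words:
            return "deny"
        rule = self.rules.get(words[0])
        if rule is None:                        # command not in the set at all
            return self.unmatched
        rest = " ".join(words[1:])
        if not rest:                            # bare keyword: assumed permitted
            return "permit"
        for action, pattern in rule.args:       # first matching line wins
            if rest == pattern or rest.startswith(pattern + " "):
                return action
        return rule.unlisted_args

# Hypothetical read-only set modelled on Figure 5-3: a few show keywords are
# allowed; running-config and every configuration command are denied.
READ_ONLY_USERS = AuthorizationSet(
    name="read-only-users",
    rules={
        "show": CommandRule("show", args=[("deny", "running-config"),
                                          ("permit", "interface"),
                                          ("permit", "conn"),
                                          ("permit", "version")]),
        "enable": CommandRule("enable"),
        "exit": CommandRule("exit"),
    },
)

def authorize(aset: AuthorizationSet, lines):
    """Return (command, decision) pairs, useful for reviewing a set before applying it."""
    return [(line, aset.decide(line)) for line in lines]
```

Running a proposed set through a list of commands this way is a cheap check that the fallback administrator described in the TIP below is never locked out of configuration commands by a deny-by-default set.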


TIP

If you decide to enable command authorization, you should make sure you define an administrative user who can always access all firewall commands. In other words, disable command authorization for at least one administrative user so that you have a fallback plan. Otherwise, it is possible to misconfigure command authorization for users or groups such that you are effectively prevented from making configuration changes on the firewall.


Enabling AAA Command Accounting

In releases before PIX 7.x, AAA command accounting can be performed only through the logging function. You should make sure the following Syslog message IDs are enabled to use them as an audit trail of user activity. The default severity levels are shown in parentheses:

  • 611101 (6) Successful user authentication

  • 611102 (6) Failed user authentication

  • 502103 (5) User changed privilege levels

  • 111008 (5) User executed the command text

  • 111009 (7) User executed the command show text

  • 611103 (5) User logged out
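As an added example (not from the book), the following Python script turns those six message IDs into an audit trail: it filters a syslog feed down to the administrative events, extracts the username, flags repeated authentication failures, and reports the logging level needed to capture all six IDs. The sample lines are constructed for this example and only model the message text; the header format %PIX-severity-id: is the standard PIX/ASA syslog prefix.

```python
import re
from collections import Counter

# Message IDs and default severities from the list above (the book's values).
AUDIT_IDS = {
    "611101": ("login-success", 6),
    "611102": ("login-failure", 6),
    "502103": ("privilege-change", 5),
    "111008": ("command", 5),
    "111009": ("show-command", 7),
    "611103": ("logout", 5),
}

# PIX/ASA syslog header: %PIX-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"%(?:PIX|ASA)-(\d)-(\d{6}):\s*(.*)")
# Usernames appear as "Uname: admin" or "User 'admin'" in the sample text.
USER_RE = re.compile(r"(?:Uname:\s*|User\s+')([^\s']+)")

def parse(line):
    """Return an audit event dict, or None if the line is not one of the IDs."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    sev, msg_id, text = m.groups()
    if msg_id not in AUDIT_IDS:
        return None
    user = USER_RE.search(text)
    return {"id": msg_id, "severity": int(sev), "kind": AUDIT_IDS[msg_id][0],
            "user": user.group(1) if user else None, "text": text}

def audit_trail(lines):
    return [e for e in map(parse, lines) if e is not None]

def failed_logins(events, threshold=3):
    """Users with at least `threshold` failed authentications (611102)."""
    c = Counter(e["user"] for e in events if e["kind"] == "login-failure")
    return {u: n for u, n in c.items() if n >= threshold}

def required_logging_level():
    """Lowest severity the logging level must include to capture all six IDs."""
    return max(sev for _, sev in AUDIT_IDS.values())

SAMPLE = [  # constructed sample lines modelled on the message IDs above
    "%PIX-6-611101: User authentication succeeded: Uname: admin",
    "%PIX-5-502103: User priv level changed: Uname: admin From: 1 To: 15",
    "%PIX-5-111008: User 'admin' executed the 'configure terminal' command.",
    "%PIX-7-111009: User 'admin' executed cmd:show running-config",
    "%PIX-6-611102: User authentication failed: Uname: guest",
    "%PIX-6-611102: User authentication failed: Uname: guest",
    "%PIX-6-611102: User authentication failed: Uname: guest",
    "%PIX-6-302013: Built outbound TCP connection 12 ...",  # not an audit ID
    "%PIX-5-611103: User logged out: Uname: admin",
]
```

Because 111009 defaults to severity 7 (debugging), a logging level of 7 is needed on the relevant logging destination before show commands appear in the trail at all.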

Beginning with PIX 7.x, accounting records can be generated each time an administrative user executes a firewall command. These accounting records can be sent to one or more AAA RADIUS or TACACS+ accounting servers.

To enable command accounting, you can use the following configuration command:

    Firewall(config)# aaa accounting command [privilege level] server_tag

Accounting records are generated only when users execute commands at or above the privilege level given by level (0 to 15; the default is 0). The accounting records are sent to the current active server in the server group configured as server_tag.

With CiscoACS, you can view accounting records by clicking the Reports and Activity button. Then click TACACS+ Accounting or RADIUS Accounting. All accounting reports are in comma-separated value (CSV) format and can be displayed in a web browser.

    Cisco ASA and PIX Firewall Handbook
    ISBN: 1587051583
    Year: 2003
    Pages: 120
    Authors: David Hucaby