Deployment Scenarios

This section demonstrates how SecureMe Company deploys TACACS+ authentication, authorization, and accounting for administrative sessions connecting to its ASA. It also shows how cut-through proxy authentication is configured for all clients at a remote branch.

Deploying Authentication, Command Authorization, and Accounting for Administrative Sessions

The security administrator for SecureMe configures the Chicago ASA to perform authentication, command authorization, and accounting for all administrative sessions using TACACS+. Figure 7-8 illustrates the Chicago network topology. A TACACS+ server (172.18.124.101) and a management workstation (172.18.124.159) are configured in the management subnet (172.18.124.0/24). The Cisco ASA management interface is 172.18.124.205.

Figure 7-8. Chicago Network Topology

The goal is to configure two users. The first user, User1, has the ability to configure anything on the Cisco ASA. The second user, User2, is only allowed to add routes to the Cisco ASA. Accounting is configured for audit and monitoring purposes. Example 7-19 shows the Chicago ASA configuration.

Example 7-19. AAA: Chicago ASA Configuration

!outside interface configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.200.225 255.255.255.0
!
!inside interface configuration
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
!management interface configuration
interface Management0/0
 nameif management
 security-level 50
 ip address 172.18.124.205 255.255.255.0
 management-only
!
!AAA server group configuration. A server group called mytacacs is configured.
!The 172.18.124.101 TACACS+ server is added.
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (management) host 172.18.124.101
 key cisco123
!TACACS authentication for telnet, ssh, secure-http-client, and serial console
aaa authentication telnet console mytacacs
aaa authentication serial console mytacacs
aaa authentication ssh console mytacacs
aaa authentication secure-http-client mytacacs
!TACACS authorization is configured
aaa authorization command mytacacs
!TACACS accounting is enabled
aaa accounting command mytacacs
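
The following check is an added example, not part of the book's configuration. It parses AAA lines like those in Example 7-19 and reports which administrative access methods are authenticated, whether command authorization and accounting are enabled, and where no LOCAL fallback exists if the TACACS+ server is unreachable. The function name audit_aaa and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample modelled on the AAA portion of Example 7-19.
SAMPLE = """\
aaa-server mytacacs protocol tacacs+
aaa-server mytacacs (management) host 172.18.124.101
 key cisco123
aaa authentication telnet console mytacacs
aaa authentication serial console mytacacs
aaa authentication ssh console mytacacs
aaa authorization command mytacacs
aaa accounting command mytacacs
"""

def audit_aaa(config):
    """Summarise AAA coverage for administrative sessions and list gaps."""
    groups, authn = set(), {}
    authz = acct = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa-server (\S+) protocol \S+$", line):
            groups.add(m[1])
        elif m := re.match(r"aaa authentication (\S+) console (\S+)( LOCAL)?$", line):
            authn[m[1]] = (m[2], bool(m[3]))
        elif m := re.match(r"aaa authorization command (\S+)( LOCAL)?$", line):
            authz = (m[1], bool(m[2]))
        elif m := re.match(r"aaa accounting command (?:privilege \d+ )?(\S+)$", line):
            acct = m[1]
    findings = []
    for method, (group, fallback) in sorted(authn.items()):
        if group != "LOCAL" and group not in groups:
            findings.append(f"{method}: server group {group} is not defined")
        if group != "LOCAL" and not fallback:
            findings.append(f"{method}: no LOCAL fallback if {group} is unreachable")
    if "telnet" in authn:
        findings.append("telnet: credentials cross the network in cleartext")
    if authz is None:
        findings.append("command authorization is not enabled")
    elif authz[0] != "LOCAL" and not authz[1]:
        findings.append(f"authorization: no LOCAL fallback if {authz[0]} is unreachable")
    if acct is None:
        findings.append("command accounting is not enabled")
    return {"authentication": {k: v[0] for k, v in authn.items()},
            "authorization": authz and authz[0], "accounting": acct,
            "findings": findings}

if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE)["findings"]:
        print(finding)
```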

Figure 7-9 illustrates how the Cisco ASA is added as a AAA client in the TACACS+ server (CiscoSecure ACS).

Figure 7-9. AAA Client Configuration in ACS

User1 belongs to Group 1 in the ACS server. User2 belongs to Group 2. Group-level authorization is configured in the ACS server. Privilege level 15 is configured in Group 1 to allow User1 to freely modify the configuration of the Cisco ASA. Figure 7-10 illustrates how the CiscoSecure ACS group is configured.

Figure 7-10. Privilege Level 15 Group Configuration in ACS

Group 2 is configured for privilege level 8, allowing User2 only to configure route statements on the ASA. Figure 7-11 illustrates how the CiscoSecure ACS is configured.

Figure 7-11. Command Authorization

 

Deploying Cut-Through Proxy Authentication

A Cisco ASA at a branch office in Las Vegas, Nevada, is configured to perform cut-through proxy authentication. The ASA requires authentication for network access to any protocol or service. Users can authenticate directly with HTTP(S), Telnet, or FTP only; they must first authenticate with one of these services before the Cisco ASA allows other traffic to pass through the appliance.

Figure 7-12 illustrates how an internal user (client1) attempts a connection to a server (209.165.201.2) on the outside. The ASA prompts for authentication before it allows the connection.

Figure 7-12. Las Vegas Network Topology

The Cisco ASA is configured to authenticate all internal users using its local database. Example 7-20 shows the Las Vegas ASA configuration.

Example 7-20. AAA: Las Vegas ASA Configuration

!outside interface configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 209.165.201.1 255.255.255.224
!
!inside interface configuration
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.100.100.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 209.165.201.2 1
!user client1 is added to the local database
username client1 password W.a6bMRKDh/sWvbI encrypted
!access-list and aaa authentication match command are configured to require all
!users in the inside to be authenticated.
access-list 100 extended permit ip any any
aaa authentication match 100 inside LOCAL
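
The gating behavior described for the Las Vegas ASA can be modelled in a few lines. This is an added example, not code from the book or from the ASA: the class CutThroughProxy, the 300-second cache lifetime, the per-source-address cache, and the credentials and host address are assumptions made for illustration.

```python
import hmac

# Services on which a user can authenticate directly (HTTP(S), Telnet, FTP).
PROMPT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 443: "https"}

class CutThroughProxy:
    """Toy model of the gate created by 'aaa authentication match 100 inside LOCAL'."""

    def __init__(self, local_db, cache_seconds=300):
        self.local_db = local_db            # username -> password (constructed stand-in)
        self.cache_seconds = cache_seconds  # assumed lifetime of a cached authentication
        self.cache = {}                     # source IP -> time of last successful login

    def handle(self, src_ip, dst_port, now, credentials=None):
        """Return 'permit', 'prompt' or 'deny' for a new inside-to-outside connection."""
        seen = self.cache.get(src_ip)
        if seen is not None and now - seen < self.cache_seconds:
            return "permit"                 # already authenticated: any protocol passes
        self.cache.pop(src_ip, None)        # expired or never authenticated
        if dst_port not in PROMPT_PORTS:
            return "deny"                   # no way to prompt on this protocol
        if credentials is None:
            return "prompt"
        user, password = credentials
        expected = self.local_db.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            self.cache[src_ip] = now
            return "permit"
        return "deny"

def demo():
    asa = CutThroughProxy({"client1": "constructed-pass"})   # constructed credentials
    c1 = "10.100.100.10"                                     # constructed inside host
    return [
        asa.handle(c1, 25, now=0),                            # SMTP before login
        asa.handle(c1, 80, now=1),                            # HTTP triggers the prompt
        asa.handle(c1, 80, now=2, credentials=("client1", "wrong")),
        asa.handle(c1, 80, now=3, credentials=("client1", "constructed-pass")),
        asa.handle(c1, 25, now=4),                            # SMTP after login
        asa.handle(c1, 25, now=400),                          # cache entry has expired
    ]

if __name__ == "__main__":
    print(demo())
```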


Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231
