Authorization is the second step in AAA, and it is the natural progression from authentication. Authorization allows you to define what commands and processes the user is authorized to run and perform, giving you granular control over your network devices. For example, you can authorize certain users to be able to run commands in the user and privileged modes but prevent them from making any configuration changes, while granting other users full unrestricted access.
AAA authorization can be configured for the following methods (the keyword given for each is the one used with the aaa authorization command):

auth-proxy: Allows you to control what traffic can pass through the router by configuring the router to authenticate the user when she attempts to pass certain traffic.
commands: Allows you to authorize the commands that are associated with a given privilege level.
configuration: Can be used to download the configuration from the AAA server.
exec: Used to authorize the execution of an EXEC shell.
Before you can configure authorization, you must first enable AAA on the device, configure AAA authentication, and configure the RADIUS or TACACS+ server with the appropriate users or groups as previously detailed. Let's look at how to perform EXEC and command authorization.
EXEC authorization is the most common method of authorization. If you recall when you configured your RADIUS remote access policy and your TACACS+ group settings, you specified the privilege level. This is used during EXEC authorization to define the EXEC shell that the user is authorized to run. So if you have configured some users at privilege level 1 and others at privilege level 15, you can run the following commands to authorize their ability to start the appropriate EXEC:
local-rtr(config)#aaa authorization exec default group tacacs+ if-authenticated
local-rtr(config)#privilege exec level 2 enable
The first command specifies that EXEC authorization should occur, using the default method list, and names TACACS+ as the first method to try; if you wanted to use RADIUS, you would type radius instead of tacacs+. The trailing if-authenticated method is a fallback that is consulted only when none of the TACACS+ servers respond: it then authorizes any user who has already authenticated, so the router fails open rather than locking every administrator out. Decide deliberately whether that is the trade-off you want. The second command moves the enable command from its default privilege level 1 to level 2, so that a user who logs in at level 1 cannot run it at all. This is an important step, because without it a user who is authorized at privilege level 1 can run enable and attempt to guess or brute-force the enable secret, gaining privileged EXEC access that the AAA server never granted.
Command authorization allows you to be even more granular than EXEC authorization by configuring the router to ask the AAA server to authorize each command that is run at a specified privilege level. You define which commands belong to a privilege level with the privilege exec level <priv-lvl> <command> command. For example, if you wanted users whom the AAA server places at privilege level 7 to be able to run the show interface and show version commands, you would run the following commands at the CLI:
local-rtr(config)# privilege exec level 7 show interface
local-rtr(config)# privilege exec level 7 show version
Users at privilege level 7 will be able to run every command assigned to levels 1 through 7, including the two commands you just assigned; note that those two commands, which default to level 1, are no longer available to level-1 users. Assigning commands to privilege levels only controls what the router itself allows. To have the router consult the AAA server for each command at a given level, enable command authorization for that level; the following enables it for level 15 (run it again with 7 in place of 15 to cover the level 7 commands as well):
local-rtr(config)#aaa authorization commands 15 default group tacacs+ if-authenticated
Command authorization is a TACACS+ feature: TACACS+ sends a separate authorization request for each command, whereas RADIUS returns its authorization attributes together with the authentication reply and has no per-command exchange, so IOS cannot perform command authorization against a RADIUS server. Use TACACS+ if you want AAA command authorization. If RADIUS is all you have, aaa authorization commands 15 default if-authenticated is the most you can do: it requires that the user has authenticated, but it then permits every level-15 command to every authenticated user, so the only restriction that remains is the privilege level the user was given.
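The following is an added example, not code from the page or from Cisco. It models how IOS resolves the privilege level of a typed command, applies the three privilege commands shown above to a constructed, partial table of IOS default levels (the DEFAULTS table is an assumption of the model, not a dump from a router), and reports what a level-1 and a level-7 user can run before and after the change. It also models the IOS behaviour of lowering a parent keyword (such as configure) when a longer command under it is moved to a lower level.

```python
"""Model of how IOS resolves the privilege level of a typed command.

Added example; not code from the page or from Cisco. It models:
  1. a user may run a command only if the user's level >= the command's level;
  2. "privilege exec level N <keywords>" sets the level of that keyword
     sequence and lowers the level of each parent keyword to N if it was
     higher, so the command stays reachable (IOS does this automatically);
  3. lookup uses the longest prefix of the typed line that has a level.
DEFAULTS is a constructed, partial sample of IOS default levels.
"""
import shlex

DEFAULTS = {
    ("enable",): 1,
    ("show",): 1,
    ("show", "version"): 1,
    ("show", "interface"): 1,
    ("show", "running-config"): 15,
    ("configure",): 15,
    ("configure", "terminal"): 15,
}

# The three privilege commands from the page, as a constructed config fragment.
PAGE_CONFIG = """\
privilege exec level 2 enable
privilege exec level 7 show interface
privilege exec level 7 show version
"""


class PrivilegeTable:
    def __init__(self, defaults=DEFAULTS):
        self.levels = dict(defaults)

    def apply_config(self, config: str) -> None:
        """Apply every 'privilege exec level N <keywords>' line in config."""
        for line in config.splitlines():
            words = shlex.split(line)
            if words[:3] != ["privilege", "exec", "level"] or len(words) < 5:
                continue
            level, keywords = int(words[3]), tuple(words[4:])
            self.levels[keywords] = level
            # Lower each parent keyword so the command is reachable at 'level'.
            for n in range(1, len(keywords)):
                parent = keywords[:n]
                if self.levels.get(parent, 15) > level:
                    self.levels[parent] = level

    def level_of(self, command: str) -> int:
        """Level of the longest known prefix; unknown commands count as 15."""
        words = tuple(shlex.split(command))
        for n in range(len(words), 0, -1):
            if words[:n] in self.levels:
                return self.levels[words[:n]]
        return 15

    def can_run(self, user_level: int, command: str) -> bool:
        return user_level >= self.level_of(command)


def compare(user_level: int, command: str) -> tuple:
    """(before, after) decisions for one user level and one command line."""
    before, after = PrivilegeTable(), PrivilegeTable()
    after.apply_config(PAGE_CONFIG)
    return before.can_run(user_level, command), after.can_run(user_level, command)


if __name__ == "__main__":
    for level, cmd in [(1, "enable"), (1, "show version"), (7, "show version"),
                       (7, "show interface ethernet0"), (7, "show running-config"),
                       (7, "configure terminal"), (15, "configure terminal")]:
        before, after = compare(level, cmd)
        print(f"level {level:2}: {cmd!r:30} before={before} after={after}")
```

The run shows the two effects the text describes: after privilege exec level 2 enable, a level-1 user can no longer run enable at all, and after the two show commands are moved to level 7, a level-7 user can run them (with any trailing arguments, because the longest known prefix decides) while a level-1 user cannot.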
You can configure authorization on your PIX firewalls for the same reasons and benefits as configuring authorization on your IOS-based devices. One benefit to configuring authorization on the PIX is that it uses a much more robust command set. For example, you can view what privilege level all commands run at by running the following command:
firewall# show privilege all
Most of the commands are set to privilege level 15, though some are set at privilege level 0.
RADIUS authorization is not supported on PIX firewalls. Instead, you must use TACACS+ for authorization.
As with your IOS-based devices, the prerequisites for authorization on the PIX are that you must enable AAA on the device, configure AAA authentication, configure AAA enable authentication, and configure the TACACS+ server with the appropriate user or group settings as previously detailed.
Command authorization for the PIX is actually configured as a property of the user or group in the Cisco Secure ACS server. To configure command authorization, perform the following steps:

1. Verify that the Shell (exec) TACACS+ service has been enabled by clicking Interface Configuration in the navigation bar and then clicking TACACS+ (Cisco IOS). Verify that Shell (exec) is checked in the TACACS+ Services table, as shown here. When you are finished, click Submit.

If you are going to implement command authorization, make sure that at least one user or group is configured to permit unmatched Cisco IOS commands. Otherwise a mistake in a command set can lock every administrator out of the firewall; that account is your way back in.

2. Click Group Setup in the navigation bar. Select the group that you want to configure and click Edit Settings.

3. Scroll down to the Shell Command Authorization Set settings and select Per Group Command Authorization.

4. If you want this group to be able to run all commands, select Permit under Unmatched Cisco IOS Commands.

Two methods can be used for command authorization. The first is to select Permit in step 4 so that all commands are allowed, and then list the commands that you want to deny. The second is to deny all commands and then list only the commands that you want to permit. The second method is default-deny and therefore the more secure one; it is the method detailed next.

5. Under Unmatched Cisco IOS Commands, select Deny.

6. Check the Command box and enter the command that you want to permit. In the Arguments field, enter the command arguments that you want to permit (for example, running-config for the show command).

7. Under Unlisted Arguments, select Permit if the group may run the command with any argument you did not list. If you do not want to authorize unlisted arguments (for example, you want the group to be able to run show version and show interface but no other show commands), select Deny under Unlisted Arguments. The configuration shown here, which permits the group to run enable, show interface, show version, and exit (not shown) while denying every other command, consists of Deny under Unmatched Cisco IOS Commands, entries for enable and exit, and an entry for show whose permitted arguments are interface and version with Unlisted Arguments set to Deny.

8. To enter additional commands, click Submit and then return to this screen; check a new command entry and repeat steps 6 and 7. When you are finished with all of your configurations, click Submit + Restart.
The last step is to enable AAA command authorization on the PIX by running the following command, where TACACS+ is the aaa-server tag of the server group you configured earlier:
firewall(config)# aaa authorization command TACACS+
When you are finished, make sure that you save your configuration.
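The following is an added example, not code from the page, from Cisco or from ACS. It models the decision an ACS shell command authorization set makes for a typed command line, as the steps above describe it: an unlisted command falls to the Unmatched Cisco IOS Commands setting, a listed command tests its permit/deny argument entries in order, and an argument that matches none of them falls to that command's Unlisted Arguments setting. It builds both sets the text compares, the deny-by-default set from steps 5 to 7 and a permit-by-default alternative, and evaluates the same commands against each. Treating argument entries as regular expressions matched against the whole argument string is a simplification assumed for this model.

```python
"""Model of a Cisco Secure ACS shell command authorization set.

Added example; not code from the page, from Cisco or from ACS. Decision order:
  1. command not listed -> the set's "Unmatched Cisco IOS Commands" setting;
  2. command listed -> first argument entry whose pattern matches decides;
  3. no argument entry matches -> that command's "Unlisted Arguments" setting.
Argument patterns are regular expressions matched against the whole argument
string (a simplification of ACS matching, assumed here).
"""
import re
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    arguments: list = field(default_factory=list)  # ordered (action, regex)
    unlisted_arguments: str = "deny"               # "permit" or "deny"


@dataclass
class ShellCommandSet:
    unmatched_commands: str                        # "permit" or "deny"
    commands: dict = field(default_factory=dict)   # command -> CommandEntry

    def authorize(self, line: str) -> bool:
        words = line.split()
        if not words:
            return False
        entry = self.commands.get(words[0])
        if entry is None:
            return self.unmatched_commands == "permit"
        argument = " ".join(words[1:])
        for action, pattern in entry.arguments:
            if re.fullmatch(pattern, argument):
                return action == "permit"
        return entry.unlisted_arguments == "permit"


# The deny-by-default set the page builds: unmatched commands denied,
# enable and exit allowed, show limited to interface and version.
ALLOWLIST_SET = ShellCommandSet(
    unmatched_commands="deny",
    commands={
        "enable": CommandEntry(unlisted_arguments="permit"),
        "exit": CommandEntry(unlisted_arguments="permit"),
        "show": CommandEntry(
            arguments=[("permit", r"interface( \S+)?"), ("permit", r"version")],
            unlisted_arguments="deny",
        ),
    },
)

# The permit-by-default alternative: everything allowed except what is listed.
DENYLIST_SET = ShellCommandSet(
    unmatched_commands="permit",
    commands={
        "configure": CommandEntry(arguments=[("deny", r".*")]),
        "show": CommandEntry(
            arguments=[("deny", r"running-config"), ("deny", r"startup-config")],
            unlisted_arguments="permit",
        ),
    },
)


def decide(line: str) -> tuple:
    """(deny-by-default decision, permit-by-default decision) for one line."""
    return ALLOWLIST_SET.authorize(line), DENYLIST_SET.authorize(line)


if __name__ == "__main__":
    for cmd in ["enable", "show version", "show interface ethernet0",
                "show running-config", "configure terminal", "reload", "show"]:
        allowlist, denylist = decide(cmd)
        print(f"{cmd!r:30} deny-by-default={allowlist} permit-by-default={denylist}")
```

The reload line is the one to look at: both sets agree on every command the administrator thought about, but a command nobody listed is permitted by the permit-by-default set and refused by the deny-by-default set, which is why the text calls the latter the more secure choice.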
Authorization of user traffic, for example to control which web sites users may access, can also be configured. However, a browser opens several connections for a single page request, and a single web site may resolve to several IP addresses, so per-connection authorization maps poorly onto HTTP; content filtering, as discussed in Chapter 7, is usually the more practical solution. If you do want to authorize traffic (for example, HTTP from any inside host), the PIX must already be authenticating that traffic with a matching aaa authentication include statement; then run the following command:
firewall(config)# aaa authorization include HTTP inside 0 0 0 0 TACACS+