
Identity on Cisco Firewalls : Administrative Access Control on ASA

2/22/2015 8:51:19 PM

The previous section presented in great detail the theory of operation of a flexible and scalable access control architecture that leverages some characteristics of the TACACS+ protocol design and the maturity of the Cisco Secure ACS product.

The concepts previously discussed for IOS are still valid for ASA, but some configuration and implementation details are different. The examples analyzed in this section point out the relevant distinctions.

Example 1 reminds you that individual command authorization is not supported by RADIUS.

Example 1. Individual Command Authorization Is Not Supported by RADIUS
! Verifying the available arguments for the command "aaa authorization command"

ASA1(config)# aaa authorization command ?
configure mode commands/options:
LOCAL Predefined server tag for AAA protocol 'local'
WORD Specify the name of a TACACS+ aaa-server group to be used for command authorization


Example 2 shows the baseline configuration for enabling command authorization and accounting on ASA.

Example 2. Basic Configuration for ASA Command Authorization and Accounting
! Defining an AAA server-group called TACACS1

aaa-server TACACS1 protocol tacacs+
aaa-server TACACS1 (dmz) host 172.21.21.250
key cisco123
!
! Defining the LOGIN authentication method for the console line

aaa authentication serial console LOCAL
!
! Defining TACACS+ as the method for Telnet Authentication

aaa authentication telnet console TACACS1
!
! Defining TACACS+ as the method for Enable Authentication

aaa authentication enable console TACACS1
!
! Defining EXEC session authorization (does not include console line)

aaa authorization exec authentication-server
!
! Accounting, for all the configured forms of access, uses TACACS+

aaa accounting telnet console TACACS1
aaa accounting serial console TACACS1
!
! Defining TACACS+ as the method for command authorization

aaa authorization command TACACS1
!
! Defining TACACS+ as the method for command accounting

aaa accounting command TACACS1


Note

In IOS, you can assign a value of “15” to the user privilege level (priv-lvl=15) during EXEC authorization. This approach makes it possible for IOS to eliminate the enable authentication process and rely on shell command authorization sets for authorizing commands of any level. ASA does not allow the priv-lvl to be assigned directly and does require the aaa authentication enable console command.
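The baseline in Example 2 and the Note above together give three things worth checking in any ASA configuration before trusting its command authorization: the server group behind aaa authorization command is TACACS+ (RADIUS cannot do it, as Example 1 shows), aaa authentication enable console is present (ASA cannot take priv-lvl from EXEC authorization), and command accounting is enabled so executed commands are recorded. The following script is an added example, not code from the book or from Cisco; it assumes the running configuration has been saved to text and checks it for those three points. The sample configuration embedded in it is the Example 2 baseline, reproduced as constructed input.

```python
import re

# Constructed sample: the Example 2 baseline, as captured from "show running-config".
SAMPLE_CONFIG = """\
aaa-server TACACS1 protocol tacacs+
aaa-server TACACS1 (dmz) host 172.21.21.250
 key cisco123
aaa authentication serial console LOCAL
aaa authentication telnet console TACACS1
aaa authentication enable console TACACS1
aaa authorization exec authentication-server
aaa accounting telnet console TACACS1
aaa accounting serial console TACACS1
aaa authorization command TACACS1
aaa accounting command TACACS1
"""


def parse_server_groups(config: str) -> dict:
    """Return {group_name: protocol} for every 'aaa-server <name> protocol <proto>' line."""
    groups = {}
    for m in re.finditer(r"^\s*aaa-server (\S+) protocol (\S+)\s*$", config, re.M):
        groups[m.group(1)] = m.group(2).lower()
    return groups


def check_command_authorization(config: str) -> list:
    """Return a list of findings; an empty list means the baseline looks sound."""
    findings = []
    groups = parse_server_groups(config)
    lines = [ln.strip() for ln in config.splitlines()]

    # 1. Per-command authorization must use LOCAL or a TACACS+ server group.
    authz_lines = [ln for ln in lines if ln.startswith("aaa authorization command ")]
    if not authz_lines:
        findings.append("no 'aaa authorization command' line: commands are not authorized")
    for ln in authz_lines:
        # Everything after "aaa authorization command" is a server tag, optionally
        # followed by LOCAL as a fallback method.
        for tag in ln.split()[3:]:
            if tag == "LOCAL":
                continue
            proto = groups.get(tag)
            if proto is None:
                findings.append(f"authorization references undefined server group {tag}")
            elif proto != "tacacs+":
                findings.append(
                    f"authorization group {tag} uses {proto}; "
                    "per-command authorization needs TACACS+"
                )

    # 2. ASA cannot receive priv-lvl from EXEC authorization, so enable
    #    authentication is required for the privileged commands to be reachable.
    if not any(ln.startswith("aaa authentication enable console ") for ln in lines):
        findings.append(
            "missing 'aaa authentication enable console': ASA requires enable authentication"
        )

    # 3. Command accounting should accompany command authorization so that the
    #    administrator's actions leave a record on the AAA server.
    if not any(ln.startswith("aaa accounting command ") for ln in lines):
        findings.append("missing 'aaa accounting command': executed commands are not accounted")

    return findings


if __name__ == "__main__":
    for finding in check_command_authorization(SAMPLE_CONFIG) or ["baseline OK"]:
        print(finding)
```

Running it against the Example 2 baseline reports nothing; swapping the server group to RADIUS or deleting the enable authentication line produces one finding per problem, which makes the checker usable as a quick audit over many exported configurations.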


Example 3 depicts a command authorization failure for ASA. Authorization failures do not generate accounting records because accounting, strictly speaking, is associated with successful operations (authentication or authorization). Refer to Figure 1, which shows a sample log of Failed Attempts of command execution in CS-ACS (Reports and Activity section).

Figure 1. Sample ASA Command Authorization Failures in CS-ACS (“Failed Attempts”)

Example 3. User Issues Command not allowed by Shell Command Set
! Command "show route" not authorized

mk_pkt - type: 0x2, session_id: 417
mkpkt - authorize user: user2
cmd=show
cmd-arg=route
Tacacs packet sent
Sending TACACS Authorization message. Session id: 417, seq no:1
Received TACACS packet. Session id:1761304772 seq no:2
tacp_procpkt_author: FAIL
TACACS Session finished. Session id: 417, seq no: 1

Examples 4 and 5 contrast the ASA's command accounting behavior when a show command is issued. Although the show command is individually authorized, ASA does not send an accounting message registering it.

Figure 2 displays some examples of command accounting for the ASA. Notice the absence of show commands in the CS-ACS report.

Figure 2. Sample ASA Command Accounting in CS-ACS (“TACACS+ Administration”)

Example 4. User Issues an Authorized “show” Command

mk_pkt - type: 0x2, session_id: 421
mkpkt - authorize user: user2
cmd=show
cmd-arg=uauth
Tacacs packet sent
Sending TACACS Authorization message. Session id: 421, seq no:1
Received TACACS packet. Session id:1409549404 seq no:2
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
TACACS Session finished. Session id: 421, seq no: 1


Example 5. User Issues Authorized Command (not a “show” command)
! User issues "ping 172.21.21.1" (successful authorization and accounting)

mk_pkt - type: 0x2, session_id: 419
mkpkt - authorize user: user2
cmd=ping
cmd-arg=172.21.21.1
Tacacs packet sent
Sending TACACS Authorization message. Session id: 419, seq no:1
Received TACACS packet. Session id:998474355 seq no:2
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
TACACS Session finished. Session id: 419, seq no: 1
!
mk_pkt - type: 0x3, session_id: 420
mkpkt - accounting username: user2
remote ip : 172.21.21.101 task_id=40
Tacacs packet sent
Sending TACACS Accounting message. Session id: 420, seq no:1
Received TACACS packet. Session id:15914798 seq no:2
TACACS Session finished. Session id: 420, seq no: 1
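The debug output in Examples 3, 4 and 5 carries everything needed to reconstruct what the ASA asked the TACACS+ server and what came back: a type 0x2 packet opens an authorization session (user, cmd, cmd-arg, then FAIL or PASS_ADD/PASS_REPL), and a type 0x3 packet opens an accounting session. The following parser is an added example, not code from the book or from Cisco; it reads that output, flags denied commands (Example 3) and lists authorized commands for which no accounting record followed (the show uauth case of Example 4). The accounting packet does not name the command, so the script assumes, as a heuristic, that an accounting session immediately following an authorization session for the same user belongs to that command. The sample text is constructed from the three examples on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the "debug tacacs" output of Examples 3, 5 and 4, in that order.
SAMPLE_DEBUG = """\
mk_pkt - type: 0x2, session_id: 417
mkpkt - authorize user: user2
cmd=show
cmd-arg=route
Tacacs packet sent
tacp_procpkt_author: FAIL
TACACS Session finished. Session id: 417, seq no: 1
mk_pkt - type: 0x2, session_id: 419
mkpkt - authorize user: user2
cmd=ping
cmd-arg=172.21.21.1
Tacacs packet sent
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
TACACS Session finished. Session id: 419, seq no: 1
mk_pkt - type: 0x3, session_id: 420
mkpkt - accounting username: user2
remote ip : 172.21.21.101 task_id=40
Tacacs packet sent
TACACS Session finished. Session id: 420, seq no: 1
mk_pkt - type: 0x2, session_id: 421
mkpkt - authorize user: user2
cmd=show
cmd-arg=uauth
Tacacs packet sent
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
TACACS Session finished. Session id: 421, seq no: 1
"""

PKT_TYPES = {"0x2": "authorization", "0x3": "accounting"}


@dataclass
class Session:
    session_id: int
    kind: str                      # "authorization" or "accounting"
    user: Optional[str] = None
    cmd: Optional[str] = None
    args: List[str] = field(default_factory=list)
    result: Optional[str] = None   # last tacp_procpkt_author verdict seen
    accounted: bool = False        # set by correlate() for authorized commands

    def command(self) -> str:
        return " ".join([self.cmd or ""] + self.args).strip()


def parse_debug(text: str) -> List[Session]:
    """Split debug output into sessions, keyed on the mk_pkt line that opens each one."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"mk_pkt - type: (0x[0-9a-f]+), session_id: (\d+)", line)
        if m:
            cur = Session(int(m.group(2)), PKT_TYPES.get(m.group(1), m.group(1)))
            sessions.append(cur)
        elif cur is None:
            continue
        elif (m := re.match(r"mkpkt - (?:authorize user|accounting username): (\S+)", line)):
            cur.user = m.group(1)
        elif line.startswith("cmd="):
            cur.cmd = line[len("cmd="):]
        elif line.startswith("cmd-arg="):
            cur.args.append(line[len("cmd-arg="):])
        elif (m := re.match(r"tacp_procpkt_author: (\S+)", line)):
            cur.result = m.group(1)   # PASS_REPL follows PASS_ADD; keep the last one
    return sessions


def correlate(sessions: List[Session]) -> List[Session]:
    """Heuristic (assumption): an accounting session right after an authorized
    command, for the same user, is the accounting record for that command."""
    for i, s in enumerate(sessions):
        if s.kind == "authorization" and s.result and s.result.startswith("PASS"):
            nxt = sessions[i + 1] if i + 1 < len(sessions) else None
            if nxt and nxt.kind == "accounting" and nxt.user == s.user:
                s.accounted = True
    return sessions


def denied_commands(sessions: List[Session]) -> list:
    """(user, command) for every authorization the server rejected."""
    return [(s.user, s.command()) for s in sessions
            if s.kind == "authorization" and s.result == "FAIL"]


def unaccounted_commands(sessions: List[Session]) -> list:
    """(user, command) for authorized commands with no accounting record behind them."""
    return [(s.user, s.command()) for s in sessions
            if s.kind == "authorization" and s.result and s.result.startswith("PASS")
            and not s.accounted]


if __name__ == "__main__":
    sessions = correlate(parse_debug(SAMPLE_DEBUG))
    print("denied:", denied_commands(sessions))
    print("authorized but not accounted:", unaccounted_commands(sessions))
```

On the sample the denied list holds show route, the ping is matched to accounting session 420, and show uauth is reported as authorized but unaccounted, which is exactly the gap Figure 2 shows in the CS-ACS report: a review of that report alone would miss show commands, so the authorization log (or the CS-ACS Passed Authentications report) is the place to look for them.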