© 2003, Cisco Systems, Inc. All rights reserved. CSPFA
Chapter 12: Authentication, Authorization, and Accounting
Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
– Define authentication, authorization, and accounting.
– Describe the differences between authentication, authorization, and accounting.
– Describe how users authenticate to the PIX Firewall.
– Describe how cut-through proxy technology works.
– Name the AAA protocols supported by the PIX Firewall.
– Install and configure CSACS for Windows NT.
– Define and configure downloadable ACLs.
– Configure AAA on the PIX Firewall.
Introduction
Authentication, Authorization, and Accounting

Authentication
– Who you are
– Can exist without authorization
Authorization
– What you can do
– Requires authentication
Accounting
– What you did
PIX Firewall: What the User Sees

[Figure: the username and password prompts the PIX Firewall presents to a user whose Telnet, FTP, or HTTP session it intercepts. Sample credentials shown in the figure: Username: smith / Password: 2bon2b (Telnet), Username: alex / Password: v1v10k4 (FTP), and an empty Username: / Password: prompt (HTTP).]
Cut-Through Proxy Operation

[Figure: Internet, PIX Firewall, CSACS, and a web server on the intranet]
1. The user makes a request to access the web server.
2. The user is prompted by the PIX Firewall.
3. The PIX Firewall queries CSACS for the remote username and password.
4. If CSACS authenticates, the user is cut through the PIX Firewall, and the local username and password are passed to the web server to authenticate.
Supported AAA Servers

TACACS+: CSACS-NT, CSACS-UNIX, TACACS+ Freeware
RADIUS: CSACS-NT, CSACS-UNIX, Livingston, Merit
Installation of CSACS for Windows NT

Installation Wizard
Basic Configuration

Authenticate users using
– TACACS+ (Cisco)
– RADIUS (Cisco)
Access server name
– Enter the PIX Firewall name
Access server IP address
– Enter the PIX Firewall IP address
Windows NT server IP address
– Enter the AAA server IP address
TACACS+ or RADIUS key
– Enter a secret key
– Must be the same in the PIX Firewall
Authentication Configuration
Specify AAA Servers

pixfirewall(config)# aaa-server group_tag protocol auth_protocol
– Assigns a TACACS+ or RADIUS protocol to a group tag.

pixfirewall(config)# aaa-server group_tag (if_name) host server_ip key timeout seconds
– Identifies the AAA server for a given group tag.

pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host secretkey timeout 10
Enable Authentication

pixfirewall(config)# aaa authentication include|exclude authen_service inbound|outbound|if_name local_ip local_mask foreign_ip foreign_mask group_tag
– Defines traffic to be authenticated
– authen_service = any, ftp, http, or telnet
– any = all TCP traffic

pixfirewall(config)# aaa authentication include any inbound MYTACACS
pixfirewall(config)# aaa authentication include telnet outbound MYTACACS
pixfirewall(config)# aaa authentication include ftp dmz MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound MYTACACS
aaa authentication Example

[Figure: inside /24 network with the AAA server and the PIX Firewall]
pixfirewall(config)# nat (inside)
pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound MYTACACS
How to Add Users to CSACS-NT
Authentication of Non-Telnet, FTP, or HTTP Traffic

Option 1: Authenticate first by accessing a Telnet, FTP, or HTTP server before accessing other services.
Option 2: Authenticate to the PIX Firewall virtual Telnet service before accessing other services.
Virtual Telnet Example

[Figure: Internet, PIX Firewall, AAA server, and a backbone, web, FTP, and TFTP server ("Superserver") on the inside /24 network]

pixfirewall(config)# virtual telnet
pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host secretkey
pixfirewall(config)# aaa authentication include any outbound MYTACACS

1. C:\> telnet
   LOGIN Authentication
   Username: aaauser
   Password: aaapass
   Authentication Successful
2. The PIX Firewall passes the username and password to the AAA server at for authentication.
3. If the AAA server verifies that the username and password are correct, the PIX Firewall caches the user's authentication credentials for the duration of the uauth timeout.
4. The user is able to connect to Superserver on port 139 using the run command (\\Superserver) without being required to re-authenticate.
Configuration of Virtual Telnet Authentication

pixfirewall(config)# virtual telnet ip_address
– Enables access to the PIX Firewall's virtual server.
– The IP address must be an unused global address.
– If the connection is started on either the outside or a perimeter interface, a static and access-list command pair must be configured for the fictitious address.

pixfirewall(config)# virtual telnet
Virtual HTTP

Virtual HTTP solves the problem of HTTP requests failing when web servers require credentials that differ from those required by the PIX Firewall's AAA server. When virtual HTTP is enabled, it redirects the browser to authenticate first to a virtual web server on the PIX Firewall. After authentication, the PIX Firewall forwards the web request to the intended web server. Virtual HTTP is transparent to the user.
Configuration of Virtual HTTP Authentication

pixfirewall(config)# virtual http ip_address [warn]
– Enables access to the PIX Firewall's virtual server.
– For inbound clients, the IP address must be an unused global address.
– If the connection is started on either the outside or a perimeter interface, a static and access-list command pair must be configured for the fictitious address.

pixfirewall(config)# virtual http
Authentication of Console Access

pixfirewall(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag
– Defines a console access method that requires authentication.

pixfirewall(config)# aaa authentication serial console MYTACACS
pixfirewall(config)# aaa authentication enable console MYTACACS
pixfirewall(config)# aaa authentication telnet console MYTACACS
pixfirewall(config)# aaa authentication ssh console MYTACACS
pixfirewall(config)# aaa authentication http console MYTACACS
How to Change the Authentication Timeouts

pixfirewall(config)# timeout uauth hh:mm:ss [absolute|inactivity]
– Sets the time interval before users will be required to reauthenticate
– Absolute: time interval starts at user login
– Inactivity: time interval for inactive sessions (no traffic)

pixfirewall(config)# timeout uauth 3:00:00 absolute
pixfirewall(config)# timeout uauth 0:30:00 inactivity
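The two uauth timers above, and the credential caching that step 3 of the Virtual Telnet example relies on, as an added Python model written for this page (not Cisco code and not how the PIX implements the cache): an entry is keyed by source address and records login time and last traffic time; the absolute timer counts from login and is never refreshed, the inactivity timer restarts on every permitted connection, and whichever expires first drops the entry so the next connection is prompted again. The hosts 10.0.0.11 and 10.0.0.12, the traffic pattern and the use of simulated seconds instead of wall-clock time are constructed; the first-expiry rule is this model's assumption.

```python
from dataclasses import dataclass, field


def parse_hms(text: str) -> int:
    """Convert the hh:mm:ss form used by 'timeout uauth' to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class UauthCache:
    """Cached authentications keyed by source IP: (login time, last traffic time).
    Defaults are the slide's example values; time is simulated seconds."""
    absolute: int = parse_hms("3:00:00")
    inactivity: int = parse_hms("0:30:00")
    entries: dict = field(default_factory=dict)

    def configure(self, line: str) -> None:
        """Apply a 'timeout uauth hh:mm:ss absolute|inactivity' statement."""
        t = line.split()
        if len(t) != 4 or t[:2] != ["timeout", "uauth"] or t[3] not in ("absolute", "inactivity"):
            raise ValueError(f"unsupported statement: {line!r}")
        setattr(self, t[3], parse_hms(t[2]))

    def login(self, ip: str, now: int) -> None:
        """Record a successful AAA authentication for `ip` at time `now`."""
        self.entries[ip] = (now, now)

    def permitted(self, ip: str, now: int) -> bool:
        """True when a new connection from `ip` at `now` rides on the cached
        authentication. The absolute timer counts from login and is never
        refreshed; the inactivity timer restarts on every permitted connection.
        An expired entry is dropped, so the next connection is prompted again
        (assumed behaviour for this model)."""
        entry = self.entries.get(ip)
        if entry is None:
            return False
        login_at, last_seen = entry
        if now - login_at >= self.absolute or now - last_seen >= self.inactivity:
            del self.entries[ip]
            return False
        self.entries[ip] = (login_at, now)
        return True


def simulate() -> dict:
    """Two constructed users under the slide's timers (3:00:00 absolute, 0:30:00 inactivity)."""
    cache = UauthCache()
    cache.configure("timeout uauth 3:00:00 absolute")
    cache.configure("timeout uauth 0:30:00 inactivity")
    a, b = "10.0.0.11", "10.0.0.12"   # constructed inside hosts
    # A opens a connection every 10 minutes: inactivity never fires, absolute does at 3 h.
    cache.login(a, 0)
    kept_alive = all(cache.permitted(a, t) for t in range(600, 10800, 600))
    at_absolute = cache.permitted(a, 10800)
    # B goes quiet for 30 minutes: inactivity fires long before the absolute limit.
    cache.login(b, 0)
    before_idle = cache.permitted(b, 1000)
    after_idle = cache.permitted(b, 2800)      # 1800 s since last traffic
    cache.login(b, 2800)                       # user is prompted again and re-authenticates
    after_relogin = cache.permitted(b, 2900)
    return {"a_kept_alive": kept_alive, "a_at_absolute": at_absolute,
            "b_before_idle": before_idle, "b_after_idle": after_idle,
            "b_after_relogin": after_relogin}
```

simulate() shows why the two values are normally set together: a long absolute timeout alone lets an abandoned session ride on cached credentials for hours, while the inactivity timer closes that window without forcing active users to log in again.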
How to Change the Authentication Prompts

pixfirewall(config)# auth-prompt [accept | reject | prompt] string
– Defines the prompt users see when authenticating
– Defines the message users get when they successfully or unsuccessfully authenticate
– By default, only the username and password prompts are seen

pixfirewall(config)# auth-prompt prompt Please Authenticate to the Firewall
pixfirewall(config)# auth-prompt reject Authentication Failed, Try Again
pixfirewall(config)# auth-prompt accept You've been Authenticated
Authorization Configuration
Enable Authorization

pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
– Defines traffic that requires AAA server authorization
– author_service = any, ftp, http, or telnet
– any = all TCP traffic

pixfirewall(config)# aaa authorization include ftp outbound MYTACACS
pixfirewall(config)# aaa authorization exclude ftp outbound MYTACACS
Authorization Rules Allowing Specific Services

[Figure: CSACS-NT group setup screen]
1. Select Per Group Command Authorization.
2. Select Deny.
3. Select Command.
4. Enter the allowable service.
5. Leave this blank.
6. Select Permit.
7. Click Submit to add more rules.
8. Click Submit + Restart when finished.
Authorization Rules Allowing Services Only to Specific Hosts

[Figure: CSACS-NT group setup screen]
1. Select Per Group Command Authorization.
2. Select Deny.
3. Select Command.
4. Enter the allowable service.
5. Enter the allowable destination hosts.
6. Select Deny.
7. Click Submit to add more rules.
8. Click Submit + Restart when finished.
Authorization of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
– author_service = protocol or port
– protocol: tcp (6), udp (17), icmp (1), or others (protocol #)
– port: single port (e.g., 53), port range (e.g., ), or port 0 (all ports); for ICMP, the message type (8 = echo request, 0 = echo reply)
– port is not used for protocols other than TCP, UDP, or ICMP

pixfirewall(config)# aaa authorization include udp/0 inbound MYTACACS
pixfirewall(config)# aaa authorization include tcp/ outbound MYTACACS
pixfirewall(config)# aaa authorization include icmp/8 outbound MYTACACS
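The include/exclude matching behind the Enable Authentication and Enable Authorization syntax, and the protocol/port service form introduced just above, as an added Python model written for this page (not Cisco code and not the PIX implementation). It parses aaa statements, treats any as all TCP traffic and nothing else, expands tcp/udp/icmp services with single ports, ranges, port 0 and ICMP message types, and decides for a flow which group tag (if any) handles it. The sample configuration, the addresses (10.0.0.0/24 and 192.0.2.0/24) and the flows are constructed, and the precedence rule that an exclude statement overrides an include statement matching the same traffic is this model's assumption.

```python
import ipaddress
from dataclasses import dataclass

# Keyword services map to one TCP port each; 'any' is handled separately.
KEYWORD_SERVICES = {"telnet": ("tcp", 23, 23), "ftp": ("tcp", 21, 21), "http": ("tcp", 80, 80)}
PROTO_BY_NUMBER = {"6": "tcp", "17": "udp", "1": "icmp"}

@dataclass
class Flow:
    direction: str   # "inbound", "outbound" or an interface name such as "dmz"
    proto: str       # "tcp", "udp", "icmp" or another protocol number as a string
    port: int        # destination port, or the ICMP message type for icmp
    local_ip: str
    foreign_ip: str

@dataclass
class Rule:
    function: str    # authentication, authorization or accounting
    action: str      # include or exclude
    proto: str
    port_lo: int
    port_hi: int
    direction: str
    local_net: ipaddress.IPv4Network
    foreign_net: ipaddress.IPv4Network
    group_tag: str

    def matches(self, flow: Flow) -> bool:
        return (self.direction == flow.direction and self.proto == flow.proto
                and self.port_lo <= flow.port <= self.port_hi
                and ipaddress.IPv4Address(flow.local_ip) in self.local_net
                and ipaddress.IPv4Address(flow.foreign_ip) in self.foreign_net)

def parse_service(svc: str):
    """Map a service token to (proto, lowest port, highest port)."""
    if svc == "any":                        # 'any' covers all TCP traffic, nothing else
        return ("tcp", 0, 65535)
    if svc in KEYWORD_SERVICES:
        return KEYWORD_SERVICES[svc]
    proto, _, port = svc.partition("/")     # udp/53, tcp/2000-2050, tcp/0, icmp/8, 47
    proto = PROTO_BY_NUMBER.get(proto, proto.lower())
    if proto not in ("tcp", "udp", "icmp") or port in ("", "0"):
        return (proto, 0, 65535)            # port 0, or a protocol without ports: everything
    lo, _, hi = port.partition("-")
    return (proto, int(lo), int(hi or lo))

def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Network from PIX address and netmask tokens; '0' abbreviates 0.0.0.0."""
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.IPv4Network((ip, mask), strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one 'aaa <function> include|exclude <service> <direction> ...' line."""
    t = line.split()
    if len(t) != 10 or t[0] != "aaa" or t[2] not in ("include", "exclude"):
        raise ValueError(f"unsupported aaa statement: {line!r}")
    proto, lo, hi = parse_service(t[3])
    return Rule(t[1], t[2], proto, lo, hi, t[4], _net(t[5], t[6]), _net(t[7], t[8]), t[9])

def aaa_group_for(rules, function: str, flow: Flow):
    """Group tag of the server that handles `flow` for one AAA function, or None
    when no include rule matches or an exclude exception matches (assumed
    precedence: exclude wins over include for the same traffic)."""
    hits = [r for r in rules if r.function == function and r.matches(flow)]
    if any(r.action == "exclude" for r in hits):
        return None
    return next((r.group_tag for r in hits if r.action == "include"), None)

# Constructed sample configuration; addresses are documentation ranges, not the slides'.
SAMPLE_CONFIG = """
aaa authentication include any outbound 0 0 0 0 MYTACACS
aaa authentication exclude http outbound 10.0.0.0 255.255.255.0 0 0 MYTACACS
aaa authorization include udp/53 inbound 0 0 0 0 MYTACACS
aaa authorization include tcp/2000-2050 outbound 0 0 0 0 MYTACACS
aaa authorization include icmp/8 outbound 0 0 0 0 MYTACACS
"""
RULES = [parse_rule(line) for line in SAMPLE_CONFIG.strip().splitlines()]

def evaluate_samples() -> dict:
    """Decide constructed flows against SAMPLE_CONFIG; None means 'no AAA'."""
    def flow(direction, proto, port, local="10.0.0.5", foreign="192.0.2.10"):
        return Flow(direction, proto, port, local, foreign)
    def authn(f):
        return aaa_group_for(RULES, "authentication", f)
    def authz(f):
        return aaa_group_for(RULES, "authorization", f)
    return {
        "telnet_out": authn(flow("outbound", "tcp", 23)),          # 'any' includes it
        "http_out_10.0.0.5": authn(flow("outbound", "tcp", 80)),   # exclude exception
        "http_out_10.0.1.5": authn(flow("outbound", "tcp", 80, local="10.0.1.5")),
        "dns_out": authn(flow("outbound", "udp", 53)),             # 'any' is TCP only
        "dns_in_authz": authz(flow("inbound", "udp", 53)),
        "echo_request_authz": authz(flow("outbound", "icmp", 8)),
        "echo_reply_authz": authz(flow("outbound", "icmp", 0)),
        "tcp2025_authz": authz(flow("outbound", "tcp", 2025)),     # inside 2000-2050
        "tcp3000_authz": authz(flow("outbound", "tcp", 3000)),
    }
```

The dns_out case is the one that catches people: an `include any` statement sends every outbound TCP connection to the AAA server but leaves UDP and ICMP untouched, so non-TCP services have to be named with the protocol/port form before the firewall authorizes or accounts for them.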
Authorization of Non-Telnet, FTP, or HTTP Traffic on CSACS-NT

[Figure: CSACS-NT group setup screen]
1. Select Per Group Command Authorization.
2. Select Deny.
3. Select Command.
4. Enter the allowable service.
5. Leave this blank.
6. Select Permit.
7. Click Submit to add more rules.
8. Click Submit + Restart when finished.
Downloadable ACLs
Downloadable ACLs

[Figure: Student PC, PIX Firewall, AAA server, and a web/FTP server]
1. The HTTP request to is intercepted by the PIX Firewall.
2. Authentication request to AAA server.
3. Authentication response containing ACL name from AAA server.
4. The PIX Firewall checks to see if the user's ACL is already present.
5. Request from the PIX Firewall to the AAA server for the user's ACL.
6. The ACL is sent to the PIX Firewall.
7. The HTTP request is forwarded to
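The seven-step exchange above as an added Python example written for this page: an abstract model of the two parties' messages, not Cisco's code and not the RADIUS/TACACS+ attribute encoding the real servers use. The AAA server stand-in, the user aaauser/aaapass, the ACL name acl-web-only, its entries and the 192.0.2.0/24 addresses are all constructed. The model assumes that the authentication response carries only the ACL name, that the PIX keeps downloaded ACLs in a cache keyed by that name and fetches a body only on a cache miss (step 4), and that entries are evaluated first match wins with an implicit deny at the end.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AclEntry:
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "ip" (any protocol)
    dest: ipaddress.IPv4Network
    port: Optional[int] = None     # None = any port


class AaaServer:
    """Constructed stand-in for CSACS: a user database and named ACLs."""

    def __init__(self):
        self.users = {"aaauser": ("aaapass", "acl-web-only")}   # constructed sample user
        self.acls = {
            "acl-web-only": [
                AclEntry("permit", "tcp", ipaddress.IPv4Network("192.0.2.0/24"), 80),
                AclEntry("deny", "ip", ipaddress.IPv4Network("0.0.0.0/0")),
            ]
        }
        self.acl_fetches = 0

    def authenticate(self, user: str, password: str) -> dict:
        """Steps 2-3: the response names the user's ACL but does not carry its body."""
        record = self.users.get(user)
        if record is None or record[0] != password:
            return {"result": "reject"}
        return {"result": "accept", "acl_name": record[1]}

    def fetch_acl(self, name: str) -> list:
        """Steps 5-6: deliver the ACL body when the firewall asks for it."""
        self.acl_fetches += 1
        return list(self.acls[name])


class PixFirewall:
    """Model of the firewall side: intercept, authenticate, fetch or reuse the ACL, decide."""

    def __init__(self, server: AaaServer):
        self.server = server
        self.acl_cache = {}     # acl name -> entries already downloaded
        self.trace = []         # one line per step of the exchange

    @staticmethod
    def _acl_permits(entries, proto, dest_ip, port) -> bool:
        """First matching entry decides; no match means deny (assumed semantics)."""
        for e in entries:
            if (e.proto in ("ip", proto) and ipaddress.IPv4Address(dest_ip) in e.dest
                    and (e.port is None or e.port == port)):
                return e.action == "permit"
        return False

    def handle(self, user, password, dest_ip, port, proto="tcp") -> str:
        self.trace.append(f"1 intercepted {proto}/{port} to {dest_ip} from {user}")
        resp = self.server.authenticate(user, password)
        self.trace.append(f"2-3 auth response: {resp}")
        if resp["result"] != "accept":
            return "auth-failed"
        name = resp["acl_name"]
        if name in self.acl_cache:
            self.trace.append(f"4 ACL {name} already present")
        else:
            self.trace.append(f"4-6 ACL {name} not present, downloading")
            self.acl_cache[name] = self.server.fetch_acl(name)
        if self._acl_permits(self.acl_cache[name], proto, dest_ip, port):
            self.trace.append(f"7 forwarded to {dest_ip}")
            return "forwarded"
        self.trace.append(f"denied by {name}")
        return "denied"


def run_exchange() -> dict:
    """Three constructed requests from the same user against one firewall."""
    server = AaaServer()
    pix = PixFirewall(server)
    results = {
        "web": pix.handle("aaauser", "aaapass", "192.0.2.10", 80),
        "ftp": pix.handle("aaauser", "aaapass", "192.0.2.10", 21),   # ACL already cached
        "bad_password": pix.handle("aaauser", "wrong", "192.0.2.10", 80),
    }
    results["acl_downloads"] = server.acl_fetches   # fetched once, reused afterwards
    results["trace"] = pix.trace
    return results
```

run_exchange()["trace"] lists the steps as they happen; the second request by the same user shows step 4 answering from the cache, so acl_downloads stays at 1, and the FTP request is refused by the downloaded ACL rather than by a rule typed on the firewall itself.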
Configuring Downloadable ACLs in ACS

Assigning the ACL to the User

Accounting Configuration
Enable Accounting

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
– Defines traffic that requires AAA server accounting
– acctg_service = any, ftp, http, or telnet
– any = all TCP traffic

pixfirewall(config)# aaa accounting include any outbound MYTACACS
pixfirewall(config)# aaa accounting exclude any outbound MYTACACS
aaa match acl_name Option

pixfirewall(config)# aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag
– Enables TACACS+ or RADIUS user authentication, authorization, and accounting of traffic specified in an access list.

pixfirewall(config)# access-list mylist permit tcp
pixfirewall(config)# aaa authentication match mylist outbound MYTACACS
– All TCP traffic from to is permitted, but users must be authenticated.
How to View Accounting Information in CSACS-NT
Accounting of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
– acctg_service = protocol or port
– protocol: tcp (6), udp (17), or others (protocol #)
– port: single port (e.g., 53), port range (e.g., 2000–2050), or port 0 (all ports); port is not used for protocols other than TCP or UDP

pixfirewall(config)# aaa accounting include udp/53 inbound MYTACACS
pixfirewall(config)# aaa accounting include udp/ outbound MYTACACS
Troubleshooting the AAA Configuration
show Commands

pixfirewall(config)# show aaa [authentication | authorization | accounting]
pixfirewall(config)# show aaa-server

pixfirewall(config)# show aaa
aaa authentication any outbound MYTACACS
aaa authentication telnet console MYTACACS
aaa authorization telnet outbound MYTACACS
aaa accounting any outbound MYTACACS
pixfirewall(config)# show aaa-server
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host secretkey timeout 5
show Commands (cont.)

pixfirewall(config)# show auth-prompt [prompt | accept | reject]
pixfirewall(config)# show timeout uauth
pixfirewall(config)# show virtual [http | telnet]

pixfirewall(config)# show auth-prompt
auth-prompt prompt prompt Authenticate to the Firewall
auth-prompt prompt accept You've been Authenticated
auth-prompt prompt reject Authentication Failed
pixfirewall(config)# show timeout uauth
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity
pixfirewall(config)# show virtual
virtual http
virtual telnet
Summary

– Authentication is who you are, authorization is what you can do, and accounting is what you did.
– The PIX Firewall supports the following AAA protocols: TACACS+ and RADIUS.
– Users are authenticated with Telnet, FTP, or HTTP by the PIX Firewall.
– Cut-through proxy technology allows users through the PIX Firewall after authenticating.
– Two steps must be taken to enable AAA:
  – Configure AAA on the PIX Firewall.
  – Install and configure CSACS on a server.
– Downloadable ACLs enable you to enter an ACL once, in CSACS, and then load that ACL to any number of PIX Firewalls during user authentication.
Lab Exercise

Lab Visual Objective
[Figure: lab topology. Each pod's Student PC sits behind its PIX Firewall together with a bastion host (Web/FTP) and CSACS; Pods 1–5 and Pods 6– connect through RTS (.100) and RBB (.2) to the remote Web/FTP server. Addressing uses the pod numbers P and Q: Remote 10.1.P.11 / Local 10.0.P.11 and Remote 10.1.Q.11 / Local 10.0.Q, with the PIX Firewall at .1 and the Student PC at .2 on the inside network.]