© 2004, Cisco Systems, Inc. All rights reserved. CSPFA
Lesson 11: Authentication, Authorization, and Accounting
Objectives

Upon completion of this lesson, you will be able to perform the following tasks:
- Define authentication, authorization, and accounting.
- Describe the differences between authentication, authorization, and accounting.
- Describe how users authenticate to the PIX Firewall.
- Describe how cut-through proxy technology works.
- Name the AAA protocols supported by the PIX Firewall.
- Configure AAA on the PIX Firewall.
- Install and configure Cisco Secure ACS for Windows NT.
- Define and configure Cisco Secure ACS user authorization.
- Define and configure downloadable ACLs.
Introduction

Authentication, Authorization, and Accounting
- Authentication: who you are
- Authorization: what you can do
- Accounting: what you did
(Figure: a user on the Internet reaches a web server through the PIX Firewall, which consults a Cisco Secure ACS server.)
Types of Authentication
- Console access authentication (PIX Firewall console access)
- Interactive user authentication (users passing through the PIX Firewall)
(Figure: a user on the Internet authenticating to the PIX Firewall, backed by a Cisco Secure ACS server, either for console access or to reach a web server.)
Types of Interactive User Authentication
- Telnet
- FTP
- HTTP
- HTTPS
(Figure: user "Bill Smith" with password "cisco123" authenticating through the PIX Firewall to a web server; the PIX Firewall checks the credentials against the Cisco Secure ACS server.)
Cut-Through Proxy Operation
1. The user makes a request to access the web server.
2. The user is prompted by the PIX Firewall.
3. The PIX Firewall queries Cisco Secure ACS for the remote username and password.
4. If Cisco Secure ACS authenticates the user, the user is cut through the PIX Firewall.
5. The local username and password are passed to the web server to authenticate.
(Figure: user "Bill Smith" with password "cisco123" on the Internet, the PIX Firewall, the Cisco Secure ACS server, and the web server.)
Types of PIX Console Authentication
- Telnet
- Serial
- SSH
- Enable
(Figure: PIX Firewall console access authenticated against the Cisco Secure ACS server.)
Supported AAA Servers
TACACS+:
- Cisco Secure ACS-NT
- Cisco Secure ACS-UNIX
- TACACS+ freeware
RADIUS:
- Cisco Secure ACS-NT
- Cisco Secure ACS-UNIX
- Merit
- Livingston
Installation of Cisco Secure ACS for Windows NT

Installation Wizard
(Screenshot of the Cisco Secure ACS installation wizard.)
Basic Configuration
- Authenticate users using: TACACS+ (Cisco) or RADIUS (Cisco)
- Access server name: enter the PIX Firewall name
- Access server IP address: enter the PIX Firewall IP address
- Windows NT server IP address: enter the AAA server IP address
- TACACS+ or RADIUS key: enter a secret key; it must be the same as the key configured on the PIX Firewall
Authentication Configuration

Interactive User Authentication Configuration Steps
1. Specify an AAA server group.
   aaa-server group_tag protocol auth_protocol
2. Designate an authentication server.
   aaa-server group_tag (if_name) host server_ip key timeout seconds
3. Enable user authentication.
   aaa authentication {include | exclude}
   or
   aaa authentication match (PIX Firewall Software Version 5.2 or later)
Specify an AAA Server Group
pixfirewall(config)# aaa-server group_tag protocol auth_protocol
Assigns a TACACS+ or RADIUS protocol to a group tag.
pix1(config)# aaa-server NYCSACS protocol tacacs+
(Figure: the PIX Firewall between the Internet and a web server, with the TACACS+ server NYCSACS on the inside.)
Designate an Authentication Server
pixfirewall(config)# aaa-server group_tag (if_name) host server_ip key timeout seconds
Identifies the AAA server for a given group tag.
pix1(config)# aaa-server NYCSACS (inside) host secretkey timeout 10
(Figure: the PIX Firewall between the Internet and a web server, with the NYCSACS server on the inside.)
Enable Authentication: include | exclude
pixfirewall(config)# aaa authentication {include | exclude} authen_service {inbound | outbound | if_name} local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic to be authenticated: telnet, ftp, http, and https.
pix1(config)# aaa authentication include ftp inbound NYCSACS
pix1(config)# aaa authentication include telnet inbound NYCSACS
pix1(config)# aaa authentication include http inbound NYCSACS
pix1(config)# aaa authentication include https inbound NYCSACS
(Figure: inbound and outbound FTP, Telnet, HTTP, and HTTPS traffic authenticated by the TACACS+ server NYCSACS.)
Enable Authentication: match
pixfirewall(config)# aaa authentication match acl_name if_name server_tag
Specifies an access-list command statement name to match.
pix1(config)# access-list 110 permit tcp any any eq telnet
pix1(config)# access-list 110 permit tcp any any eq ftp
pix1(config)# access-list 110 permit tcp any any eq www
pix1(config)# aaa authentication match 110 outside NYCSACS
(Figure: FTP, Telnet, and HTTP traffic matched by the access list is authenticated by the TACACS+ server NYCSACS.)
aaa authentication Example
pix1(config)# aaa-server authin protocol radius
pix1(config)# aaa-server authin (inside) host cisco123 timeout 5
pix1(config)# aaa-server authout protocol tacacs+
pix1(config)# aaa-server authout (inside) host cisco456 timeout 5
pix1(config)# access-list 110 permit tcp any any eq telnet
pix1(config)# access-list 110 permit tcp any any eq ftp
pix1(config)# access-list 110 permit tcp any any eq www
pix1(config)# aaa authentication match 110 outside authin
pix1(config)# aaa authentication match 110 inside authout
(Figure: inbound connections arriving on the outside interface are authenticated by the RADIUS group authin; outbound connections arriving on the inside interface by the TACACS+ group authout.)
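To show how the access list and the two aaa authentication match statements above decide which server group a connection is sent to, here is an added Python model (not Cisco code, not part of the course) that parses the example's commands and evaluates a flow against them. The sample config is copied from the slide; the source and destination addresses in the usage are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the commands from the "aaa authentication Example" slide.
PIX_CONFIG = """
aaa-server authin protocol radius
aaa-server authout protocol tacacs+
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq www
aaa authentication match 110 outside authin
aaa authentication match 110 inside authout
"""

# Service keywords the slides use in "eq" clauses, mapped to TCP ports.
PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80, "http": 80, "https": 443}

@dataclass
class Ace:
    action: str                 # "permit" = authenticate, "deny" = exempt from auth
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]         # None when the ACE has no "eq" clause

def parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK'; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_config(text):
    acls = {}    # ACL name -> ordered list of Ace
    rules = {}   # interface -> (ACL name, AAA server group tag)
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            src, i = parse_addr(t, 4)
            dst, i = parse_addr(t, i)
            port = None
            if i < len(t) and t[i] == "eq":
                port = PORT_NAMES[t[i + 1]] if t[i + 1] in PORT_NAMES else int(t[i + 1])
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, port))
        elif t[:3] == ["aaa", "authentication", "match"]:
            rules[t[4]] = (t[3], t[5])
    return acls, rules

def auth_group_for(acls, rules, iface, proto, src, dst, dport):
    """Return the server group that must authenticate this flow, or None if none does."""
    if iface not in rules:
        return None
    acl_name, tag = rules[iface]
    for ace in acls.get(acl_name, []):             # first matching ACE wins
        if (ace.proto == proto and ipaddress.ip_address(src) in ace.src
                and ipaddress.ip_address(dst) in ace.dst
                and (ace.port is None or ace.port == dport)):
            return tag if ace.action == "permit" else None
    return None                                    # no match: passed without authentication
```

A connection that matches no ACE on an interface with a match rule, or that arrives on an interface without one, is not authenticated at all, which is the case to check first when a rule seems to be ignored.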
How to Add Users to Cisco Secure ACS
(Screenshot of the Cisco Secure ACS user setup page.)
Authentication of Non-Telnet, FTP, or HTTP Traffic
Authenticate to the PIX Firewall before accessing other services:
- Virtual Telnet
- Virtual HTTP
(Figure: the user first authenticates to the PIX virtual HTTP server, validated by the Cisco Secure ACS server, and then opens a session with the file server.)
Configuration of Virtual Telnet Authentication
pixfirewall(config)# virtual telnet ip_address
Enables access to the PIX Firewall's virtual server.
- The IP address must be an unused global address.
- If the connection is started on either the outside or a perimeter interface, a static and access-list command pair must be configured for the fictitious address.
pix1(config)# static (inside,outside) netmask
pix1(config)# access-list aclout permit tcp any host eq telnet
pix1(config)# virtual telnet
(Figure: a user on the Internet authenticates to the virtual Telnet address on the PIX Firewall, validated by the Cisco Secure ACS server, before reaching the file server.)
Virtual Telnet Configuration Example
pix1(config)# static (inside,outside) netmask
pix1(config)# access-list 120 permit tcp host host
pix1(config)# aaa-server authin protocol radius
pix1(config)# aaa-server authin (inside) host cisco123 timeout 5
pix1(config)# aaa authentication match 120 outside authin
pix1(config)# virtual telnet
User session to the virtual Telnet address:
C:\> telnet
LOGIN Authentication
Username: aaauser
Password: aaapass
Authentication Successful
(Figure: the Internet user, the PIX Firewall with its virtual Telnet address, the Cisco Secure ACS server, and the file server.)
Virtual HTTP
Virtual HTTP solves the problem of HTTP requests failing when web servers require credentials that differ from those required by the PIX Firewall's AAA server. When virtual HTTP is enabled, it redirects the browser to authenticate first to a virtual web server on the PIX Firewall. After authentication, the PIX Firewall forwards the web request to the intended web server.
(Figure: the browser authenticates first to PIX virtual HTTP, validated by the Cisco Secure ACS server, and then separately to the IIS server.)
Configuration of Virtual HTTP Authentication
pixfirewall(config)# virtual http ip_address [warn]
- For inbound clients, the IP address must be an unused global address.
- If the connection is started on either the outside or a perimeter interface, a static and access-list command pair must be configured for the fictitious address.
pix1(config)# virtual http
(Figure: virtual HTTP login to the PIX Firewall, validated by the Cisco Secure ACS server, followed by the IIS HTTP login to the IIS server.)
Authentication of Console Access
pixfirewall(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag
Defines a console access method that requires authentication.
pix1(config)# aaa authentication serial console MYTACACS
pix1(config)# aaa authentication enable console MYTACACS
pix1(config)# aaa authentication telnet console MYTACACS
pix1(config)# aaa authentication ssh console MYTACACS
pix1(config)# aaa authentication http console MYTACACS
(Figure: PIX Firewall console access authenticated against the Cisco Secure ACS server.)
How to Change the Authentication Prompts
pixfirewall(config)# auth-prompt [accept | reject | prompt] string
- Defines the prompt users see when authenticating.
- Defines the message users get when they successfully or unsuccessfully authenticate.
- By default, only the username and password prompts are seen.
pix1(config)# auth-prompt prompt Please Authenticate
pix1(config)# auth-prompt reject Authentication Failed, Try Again
pix1(config)# auth-prompt accept You've been Authenticated
Resulting user session:
Please Authenticate
Username: asjdkl
Password:
Authentication Failed, Try Again
Please Authenticate to the Firewall
Username: asjfkl
Password:
You've been Authenticated
How to Change the Authentication Timeouts
pixfirewall(config)# timeout uauth hh:mm:ss [absolute | inactivity]
Sets the time interval before users will be required to reauthenticate:
- Absolute: the time interval starts at user login
- Inactivity: the time interval applies to inactive sessions (no traffic)
pix1(config)# timeout uauth 3:00:00 absolute
pix1(config)# timeout uauth 0:30:00 inactivity
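The interaction of the two timers is easier to see on a timeline. The following added Python model (not Cisco code, not part of the course) keeps a uauth cache keyed by source address and applies the slide's values, 3:00:00 absolute and 0:30:00 inactivity; the clock values, the source address 10.0.1.11 and the user name aaauser are constructed.

```python
from dataclasses import dataclass

def parse_hms(value):
    """Convert the hh:mm:ss form used by 'timeout uauth' to seconds."""
    h, m, s = (int(x) for x in value.split(":"))
    return h * 3600 + m * 60 + s

@dataclass
class UauthEntry:
    user: str
    login_at: int      # when the user last authenticated (seconds on a constructed clock)
    last_seen: int     # last time traffic from this source was cut through

class UauthCache:
    """Model of the PIX uauth cache with the absolute and inactivity timers.

    absolute 0:00:00 means no caching (authenticate every connection);
    inactivity 0:00:00 disables the inactivity timer.
    """
    def __init__(self, absolute="3:00:00", inactivity="0:30:00"):
        self.absolute = parse_hms(absolute)
        self.inactivity = parse_hms(inactivity)
        self.entries = {}          # source IP -> UauthEntry

    def login(self, src_ip, user, now):
        self.entries[src_ip] = UauthEntry(user, now, now)

    def check(self, src_ip, now):
        """Decide whether a new connection from src_ip is cut through or must reauthenticate."""
        e = self.entries.get(src_ip)
        if e is None:
            return False, "no uauth entry: prompt for credentials"
        if now - e.login_at >= self.absolute:          # absolute timer runs from login
            del self.entries[src_ip]
            return False, "absolute timeout: reauthenticate"
        if self.inactivity and now - e.last_seen >= self.inactivity:
            del self.entries[src_ip]
            return False, "inactivity timeout: reauthenticate"
        e.last_seen = now                                # traffic resets the inactivity timer
        return True, f"cut-through for {e.user}"

def example_timeline():
    """Constructed timeline: 30 min idle triggers inactivity, 3 h after re-login triggers absolute."""
    cache = UauthCache("3:00:00", "0:30:00")
    cache.login("10.0.1.11", "aaauser", now=0)
    times = [600, 2500] + [2500 + 1000 * k for k in range(1, 11)] + [13300]
    out = []
    for now in times:
        allowed, reason = cache.check("10.0.1.11", now)
        if not allowed:
            cache.login("10.0.1.11", "aaauser", now)   # the user reauthenticates
        out.append((now, allowed, reason))
    return out
```

Note that the re-login at 2500 restarts the absolute timer, so steady traffic every 1000 seconds keeps the entry alive until exactly 3 hours after that login.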
Authorization Configuration

PIX Firewall User Authorization
Two supported methods:
- Classic user authorization, where a TACACS+ AAA server is configured with rules and consulted for every connection
- Download of a per-user ACL from the RADIUS AAA server on demand
(Figure: FTP from the Internet to an FTP server, authorized by the Cisco Secure ACS server.)
TACACS+ Authorization Configuration
Two-step process to configure the aaa authorization command:
1. Configure the PIX Firewall:
   aaa authorization {include | exclude}
   aaa authorization match
   pix1(config)# access-list 101 permit tcp any any eq telnet
   pix1(config)# access-list 101 permit tcp any any eq ftp
   pix1(config)# access-list 101 permit tcp any any eq www
   pix1(config)# aaa authorization match 101 outside authin
2. Configure TACACS+ AAA server parameters:
   - Commands
   - Arguments
Enable Authorization: include | exclude
pixfirewall(config)# aaa authorization {include | exclude} author_service {inbound | outbound | if_name} local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic that requires AAA server authorization.
author_service = ftp, http, telnet, protocol/port, or any.
pix1(config)# aaa authorization include ftp inbound authin
pix1(config)# aaa authorization exclude ftp inbound authin
(Figure: FTP from the Internet to an FTP server, authorized by the Cisco Secure ACS server.)
Enable Authorization: match
pixfirewall(config)# aaa authorization match acl_name if_name server_tag
pix1(config)# access-list 101 permit tcp any any eq telnet
pix1(config)# access-list 101 permit tcp any any eq ftp
pix1(config)# access-list 101 permit tcp any any eq www
pix1(config)# aaa authorization match 101 outside authin
A PIX Firewall Software Version 5.2 feature allows the aaa authorization match statement, in conjunction with a defined ACL, to replace the aaa authorization {include | exclude} statements. Note that the old and new syntax should not be mixed.
(Figure: FTP from the Internet to an FTP server, authorized by the Cisco Secure ACS server.)
Authorization Rules Allowing Specific Services
Per-group setup, command authorization:
- Unmatched PIX Firewall commands: Deny
- Command: ftp
- Arguments: none
- Unlisted arguments: Permit
Authorization Rules Allowing Specific Services to Specific Hosts
Per-group setup, command authorization:
- Unmatched PIX Firewall commands: Deny
- Command: ftp
- Arguments: permit (the allowed host)
- Unlisted arguments: Deny
Authorization of Non-Telnet, FTP, or HTTP Traffic
pixfirewall(config)# aaa authorization {include | exclude} author_service {inbound | outbound | if_name} local_ip local_mask foreign_ip foreign_mask group_tag
author_service = protocol or port
- Protocol: tcp (6), udp (17), icmp (1), or others (protocol #)
- Port number or message type:
  - The port number is used for TCP, UDP, or ICMP
  - Single port (e.g., 53), port range (e.g., ), or port 0 (all ports)
  - ICMP message type (8 = echo request, 0 = echo reply)
pix1(config)# aaa authorization include udp/0 inbound authin
pix1(config)# aaa authorization include tcp/ outbound authin
pix1(config)# aaa authorization include icmp/8 outbound authin
Authorization of Non-Telnet, FTP, or HTTP Traffic on Cisco Secure ACS
Per-group setup, command authorization:
- Unmatched PIX commands: Deny
- Command: 1/8
- Arguments: none
- Unlisted arguments: Permit
Downloadable ACLs

PIX Firewall Downloadable ACL Authorization
Downloadable ACLs:
- Authentication request to the AAA server
- Authentication response containing the ACL
- ACL download of a per-user, or per-group, ACL authorization
(Figure: FTP from the Internet to an FTP server; the PIX Firewall authenticates the user with the Cisco Secure ACS server and downloads the ACL.)

Downloadable ACLs
1. The HTTP request to is intercepted by the PIX Firewall.
2. An authentication request is sent to the AAA server.
3. The authentication response contains the ACL name from the AAA server.
4. The PIX Firewall checks to see if the user's ACL is already present.
5. A request is sent from the PIX Firewall to the AAA server for the user's ACL.
6. The ACL is sent to the PIX Firewall.
7. The HTTP request is forwarded to
(Figure: student PC, PIX Firewall, Web/FTP server, and AAA server.)
Configuring Downloadable ACLs in Cisco Secure ACS
(Screenshot of the Cisco Secure ACS downloadable ACL configuration page.)

Assigning the ACL to the User or Group
(Screenshot of the Cisco Secure ACS user or group setup page.)

Accounting Configuration
Enable Accounting
pixfirewall(config)# aaa accounting {include | exclude} acctg_service {inbound | outbound | if_name} local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic that requires AAA server accounting.
acctg_service = any, ftp, http, telnet, or protocol/port
any = all TCP traffic
pix1(config)# aaa accounting include any outbound NYCACS
pix1(config)# aaa accounting exclude any outbound NYCACS
(Figure: outbound traffic to the Internet accounted for on the Cisco Secure ACS server.)
aaa match acl_name Option
pixfirewall(config)# aaa {authentication | authorization | accounting} match acl_name inbound | outbound | interface_name group_tag
Enables TACACS+ or RADIUS user authentication, authorization, and accounting of traffic specified in an access list.
pix1(config)# access-list mylist permit tcp
pix1(config)# aaa accounting match mylist outbound NYCACS
(Figure: outbound traffic to the Internet accounted for on the Cisco Secure ACS server.)
How to View Accounting Information in Cisco Secure ACS-NT
(Screenshot of the Cisco Secure ACS reports and activity page.)
Accounting of Non-Telnet, FTP, or HTTP Traffic
pixfirewall(config)# aaa accounting {include | exclude} acctg_service {inbound | outbound | if_name} local_ip local_mask foreign_ip foreign_mask group_tag
acctg_service = protocol or port
- Protocol: tcp (6), udp (17), or others (protocol #)
- Port: single port (such as 53), port range (such as 2000–2050), or port 0 (all ports); the port is not used for protocols other than TCP or UDP
pix1(config)# aaa accounting include udp/53 inbound NYCACS
pix1(config)# aaa accounting include udp/ outbound NYCACS
Troubleshooting the AAA Configuration

show Commands
pixfirewall# show aaa [authentication | authorization | accounting]
pixfirewall# show aaa-server
pix1# show aaa
aaa authentication any outbound authout
aaa authentication telnet console authout
aaa authorization telnet outbound authout
aaa accounting any outbound authout
pix1# show aaa-server
aaa-server authout protocol tacacs+
aaa-server authout (inside) host secretkey timeout 5
show Commands (Cont.)
pixfirewall# show auth-prompt [prompt | accept | reject]
pixfirewall# show timeout uauth
pixfirewall# show virtual [http | telnet]
pix1# show auth-prompt
auth-prompt prompt Authenticate to the Firewall
auth-prompt accept You've been Authenticated
auth-prompt reject Authentication Failed
pix1# show timeout uauth
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity
pix1# show virtual
virtual http
virtual telnet
Summary
- Authentication is who you are, authorization is what you can do, and accounting is what you did.
- The PIX Firewall supports the following AAA protocols: TACACS+ and RADIUS.
- Users are authenticated with Telnet, FTP, or HTTP by the PIX Firewall.
- Cut-through proxy technology allows users through the PIX Firewall after authentication.
- Two steps must be taken to enable AAA:
  - Configure AAA on the PIX Firewall.
  - Install and configure Cisco Secure ACS on a server.
- Downloadable ACLs enable you to enter an ACL once, in Cisco Secure ACS, and then download that ACL to any number of PIX Firewalls during user authentication.
Lab Exercise

Lab Visual Objective
(Figure: lab topology for pods 1–5 and pods 6 onward. Each pod has a student PC (local address 10.0.P.11), a PIX Firewall, a Web/FTP server, a CSACS server, an RTS router (.100), and a bastion host running Web and FTP; the pods connect through the RBB backbone (.2). P and Q are the pod numbers.)