AAA on ASA 5500 Series

Ok, so I'm sure we're all familiar with standard aaa configs on Catalyst switches:

aaa new-model
aaa authentication login default group radius enable
aaa authorization exec default group radius if-authenticated

I want to do the same thing on my ASAs, but I can't seem to find anything that does the same thing as

aaa authorization exec default group radius if-authenticated

I have privilege levels implemented on the Cats and am beginning a similar implementation on the ASAs, but just am not having much luck...and the documentation I'm finding really sucks.

Any direction would be appreciated....

Find more posts tagged with

Comments

cisco_trooper

Yeah, this guide sucks IMO.....

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1042026

cisco_trooper

Just made another case for TACACS+....ASA does not support command authorization for RADIUS, only TACACS+ and the LOCAL database. Bummer.....

In any case, this is as close as I can get to what I wanted with what is available to me at the time:

aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

There is a LOCAL user on the device that matches the RADIUS user. When entering enable mode you will be asked for a password again.

If anyone has any better solutions they would be much appreciated.....

dtlokee

I am missing how you configured command authorization to a radius server on your switch configuration output you posted.

cisco_trooper

dtlokee wrote:

I am missing how you configured command authorization to a radius server on your switch configuration output you posted.

I didn't post the privilege commands. In addition to the commands above, here is what I've done on the ASA with a DUMMY command:

username XXXXXXXXXXXXXX password XXXXXXXXXXXXXXX encrypted privilege 3
privilege cmd level 3 mode exec command DUMMY
privilege show level 3 mode exec command DUMMY
privilege clear level 3 mode exec command DUMMY

The Cats are pretty easy but I can post those too if people are interested....The command authorization on the ASA is only done locally on the ASA. The ASA does not support command authorization through Radius, which is why I have to add the freaking local user and assign it a privilege level.

dtlokee

If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.

You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

aaa authorization commands 15 default group tacacs+

Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset it's level locally on the switch. If you use ACS you can make command authorization sets.

cisco_trooper

dtlokee wrote:

If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.

You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

aaa authorization commands 15 default group tacacs+

Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset it's level locally on the switch. If you use ACS you can make command authorization sets.

Yeah, that's why I have to have the local user. I'm using RADIUS right now, and obviously making a case for TACACS. I'm highly annoyed that I can't do command authorization through RADIUS on the ASA, even though the Cats do it just fine.

Authenticate to the ASA with your RADIUS account (local if RADIUS unavailable):

aaa authentication ssh console RADIUS LOCAL

When entering enable mode, authenticate with a local user:

aaa authentication enable console LOCAL

Specify that the LOCAL account is used for command authorization:

aaa authorization command LOCAL

Needless to say, a TACACS+ implementation is in the cards. Unfortunately I have a couple high profile projects brewing right now, so it will have to wait for a little while....

dtlokee

You can't do command authorization via radius

6509E(config)#aaa authorization commands 15 default ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).

6509E(config)#aaa authorization commands 15 default group ?
  WORD     Server-group name
  tacacs+  Use list of all Tacacs+ hosts.

No option for radius

redwarrior

Yep...this is going to be an issue for you. Basically, Cisco seems to be pushing customers more and more towards TACACS. We use a TACACS server at work and it works great with our ASA 5505's *except* where you have an ASA that you want to manage on the remote end of an Easy VPN tunnel. Then it just won't work. We even contact TAC about it and were told that TACACS for aaa just isn't supported with EasyVPN. (Neither are several other features, we've found.)

Just FYI.

cisco_trooper

dtlokee wrote:

You can't do command authorization via radius

6509E(config)#aaa authorization commands 15 default ?
  cache             Use Cached-group
  group             Use server-group.
  if-authenticated  Succeed if user has authenticated.
  local             Use local database.
  none              No authorization (always succeeds).

6509E(config)#aaa authorization commands 15 default group ?
  WORD     Server-group name
  tacacs+  Use list of all Tacacs+ hosts.

No option for radius

That's a 6509 (I presume from the hostname), I have privilege levels on various commands set on at least 40 2950s. The user privilege level is assigned via an attribute assigned via RADIUS...I haven't tried the 6513s because I just don't let people even touch them...

I'll post the relevant config off the 2950s tomorrow if anyone cares. Anyway, we keep getting back to TACACS having better support from Cisco. +1 TACACS.....

cisco_trooper

Ok, so I can't wait....the 2950s are easy...

aaa new-model

Authenticate through radius (local database is radius if unavailable):

aaa authentication login default group radius local

Drop to exec mode if succesfully authenticated through radius:

aaa authorization exec default group radius if-authenticated

Define the radius server

radius-server host XXX.XXX.XXX.XXX auth-port XXXX acct-port XXXX key 7 XXXXXXXXXXXXXXXXXXXX

Privilege commands:

privilege interface level 2 description
privilege interface level 2 switchport access vlan
privilege interface level 2 shutdown
privilege interface level 2 no shutdown
privilege interface level 2 switchport nonegotiate
privilege interface level 2 switchport port-security mac-address sticky
privilege interface level 2 switchport port-security violation restrict
privilege configure level 2 interface
privilege exec level 2 ping
privilege exec level 2 show running-config interface fastEthernet
privilege exec level 2 configure terminal
privilege exec level 2 write memory

The part you can't see here is the privilege level that is assigned via radius. With Microsoft IAS there is a Vendor-Specific attribute that you define. You define the Vendor obviously as Cisco and say that it conforms to the Radius RFC. The attribute number is 1, it is a string, and you set it (in this case) to shell:priv-lvl=2

I was trying to find some screenshots of the IAS setup and actually stumbled across this which has the RADIUS setup fairly well documented (minus screenshots):

http://www.techexams.net/forums/viewtopic.php?p=126387

Hope that clarifies what I'm talking about when I refer to "command authorization" on the Cats...I would imagine you could do the same on the 6500s....

dtlokee

Sorry CT, that's not "command authorization via radius" the authorization is still local. If it was "via radius" (which you can't do with radius only tacacs) then you would not have the privilege levels locally defined. You are using radius to set the user's privilege level, that is not command authorization via a "AAA server".

cisco_trooper

See what happens when you don't have the correct terminology in your head.....

Thanks DT I think that actually clears a couple things up for me.

So yeah, the whole reason this thread was started was that I wanted the ASA to drop me directly into exec mode if I authenticate via RADIUS. I was also wanted to be able to pass the privilege level of the user to the ASA via RADIUS...but it LOOKS like I can't drop directly into exec mode without authenticating with some sort of local account... I would still be interested in accomplishing this if anyone has anything that will work with RADIUS...

dtlokee

How are you trying to access the device? HTTP, SSH?

cisco_trooper

SSH...

dtlokee

aaa authorization exec authentication-server

cisco_trooper

I think I tried that last night and it either didn't work, or it may have been the command that got me locked out of exec mode. I'll do some more testing with it and keep better track of my results....

cisco_trooper

Here is the AAA config:

aaa-server RADIUS protocol radius
aaa-server RADIUS host XXX.XXX.XXX.XXX
 retry-interval 5
 timeout 5
 key XXXXXXXXXXXXXXXXXXXXXXXXXXX
 authentication-port 1812
 accounting-port 1813
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authorization exec authentication-server

Here is the result:

login as: admin
admin@XXX.XXX.XXX.XXX's password:
Type help or '?' for a list of available commands.
ciscoasa> en
Password: ********

[ admin ] You do NOT have enable Admin Rights to the console
Password:
Password:
Access denied.
ciscoasa> login
Username: admin
Password: ********
ciscoasa#

aaa authorization exec authentication-server does not drop me directly into exec mode even though the account I used was a shell:priv-lvl=15 radius account....Does the ASA support that attribute?

dtlokee

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1753749

Supported RADIUS attribute pairs.

cisco_trooper

DT,

Yep, saw that too just before I left work so I didn't get a chance to work with it.

I DID find this little tidbit but haven't been able to verify yet.....

http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html?sfQueryTermInfo=1+asa

This really beginning to annoy the crap out of me...

redwarrior

Just wait until you start trying to mess with QoS on these...or do load balancing...

For my part, I think ASA's are great at being firewalls and VPN concentrators, but they do have limitations. I worked at a company that wanted just to deploy ASA's everywhere and have that be the only device at a site...then they wanted all the features of a router and switch. I found myself constantly frustrated trying to make something that would be fairly easy to implement on a switch or router. I had to stop for a moment and think of how much easier it was to set up a firewall or VPN on an ASA.

It's hard when you're trying to hammer in a nail with a screwdriver!

cisco_trooper

I've got command authorization via TACACS+ all figured out for the most part. I will be moving off of RADIUS in short order. Thanks to all who helped out here.

cisco_trooper

Ok. I'm looking for THE TACACS+ resource. I'm really looking for best practices on configuration of the TACACS+ daemon. Misconfiguration is a big reason shops have vulnerabilities, and I'm not interested in being one of them.....

If anyone knows of anything please shoot me a message. I don't like what I'm finding so far....,

instant000

It just so happened that I ran into this issue last week, whereby I needed to create read-only users for ASDM, while using RADIUS for user authentication.

Obviously, I was looking into command authorization, or so I thought.
TACACS and local have handy toggles to do this within the ASA, but RADIUS did not.

The workaround:
(1) set command privilege-levels on the ASA
(2) set the privilege-level of the user via RADIUS
(3) when the user logs in (via CLI or ASDM) they're restricted to the commands set for their privilege level

The trickiest part was figuring out how to set the privilege-level via the RADIUS, since it wasn't straightforward, and using regular "Cisco" within the RADIUS client wouldn't swing it. I believe the Cisco docs reference using integer. Configuring the Microsoft NPS called for decimal.

I ended up consulting the same Cisco docs that were mentioned here, just a different software version. I also ended up consulting the Microsoft docs, as I had a little trouble finding the "custom" attribute in the NPS.

I might make a blog posting on the solution, in order to show "screen grabs".

RADIUS-User

Hello instant000

i have the same problem with RADIUS NPS for user authorization and dont know how to configurate the NPS so that the ASA identify privilege levels.
You wanted to post a blog of your solution. Where I find this post?
I hope you can help me. Thank you.

Best regards,
Lars