AAA on ASA 5500 Series

in CCNP
Ok, so I'm sure we're all familiar with standard aaa configs on Catalyst switches:
aaa new-model
aaa authentication login default group radius enable
aaa authorization exec default group radius if-authenticated
I want to do the same thing on my ASAs, but I can't seem to find anything that does the same thing as
aaa authorization exec default group radius if-authenticated
I have privilege levels implemented on the Cats and am beginning a similar implementation on the ASAs, but just am not having much luck...and the documentation I'm finding really sucks.
Any direction would be appreciated....
Comments
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1042026
In any case, this is as close as I can get to what I wanted with what is available to me at the time:
There is a LOCAL user on the device that matches the RADIUS user. When entering enable mode you will be asked for a password again.
If anyone has any better solutions they would be much appreciated.....
I didn't post the privilege commands. In addition to the commands above, here is what I've done on the ASA with a DUMMY command:
The Cats are pretty easy but I can post those too if people are interested....The command authorization on the ASA is only done locally on the ASA. The ASA does not support command authorization through Radius, which is why I have to add the freaking local user and assign it a privilege level.
You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).
aaa authorization commands 15 default group tacacs+
Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset its level locally on the switch. If you use ACS you can make command authorization sets.
Yeah, that's why I have to have the local user. I'm using RADIUS right now, and obviously making a case for TACACS. I'm highly annoyed that I can't do command authorization through RADIUS on the ASA, even though the Cats do it just fine.
Authenticate to the ASA with your RADIUS account (local if RADIUS unavailable):
When entering enable mode, authenticate with a local user:
Specify that the LOCAL account is used for command authorization:
Needless to say, a TACACS+ implementation is in the cards. Unfortunately I have a couple high profile projects brewing right now, so it will have to wait for a little while....
No option for radius
Just FYI.
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog
That's a 6509 (I presume from the hostname), I have privilege levels on various commands set on at least 40 2950s. The user privilege level is assigned via an attribute assigned via RADIUS...I haven't tried the 6513s because I just don't let people even touch them...
I'll post the relevant config off the 2950s tomorrow if anyone cares. Anyway, we keep getting back to TACACS having better support from Cisco. +1 TACACS.....
Authenticate through radius (local database if radius unavailable):
Drop to exec mode if successfully authenticated through radius:
Define the radius server:
Privilege commands:
The part you can't see here is the privilege level that is assigned via radius. With Microsoft IAS there is a Vendor-Specific attribute that you define. You define the Vendor obviously as Cisco and say that it conforms to the Radius RFC. The attribute number is 1, it is a string, and you set it (in this case) to shell:priv-lvl=2
I was trying to find some screenshots of the IAS setup and actually stumbled across this which has the RADIUS setup fairly well documented (minus screenshots):
http://www.techexams.net/forums/viewtopic.php?p=126387
Hope that clarifies what I'm talking about when I refer to "command authorization" on the Cats...I would imagine you could do the same on the 6500s....
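As an added example (not code from anyone in this thread), here is Python that encodes the Cisco vendor-specific attribute DT describes above, vendor ID 9 with vendor-type 1 (Cisco-AVPair) carrying the string shell:priv-lvl=N, the way it is carried in a RADIUS Access-Accept, and parses it back out of an attribute list. It is handy for checking in a packet capture whether IAS/NPS is really sending the level the ASA is supposed to honour. The attribute bytes in the test are constructed, not captured from a real server.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type 26: Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # Cisco vendor-type 1: Cisco-AVPair (string)


def build_priv_lvl_vsa(level: int) -> bytes:
    """Encode Cisco-AVPair 'shell:priv-lvl=<level>' as a RADIUS VSA (type 26)."""
    if not 0 <= level <= 15:
        raise ValueError("IOS/ASA privilege levels are 0..15")
    value = f"shell:priv-lvl={level}".encode("ascii")
    # vendor sub-attribute: vendor-type, vendor-length (incl. the 2 header bytes), value
    vendor_data = struct.pack("!BB", CISCO_AVPAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_data
    # outer attribute: type 26, total length (incl. its own 2 header bytes), body
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_priv_lvl(attrs: bytes):
    """Walk a RADIUS attribute list; return the shell:priv-lvl from a Cisco
    AVPair, or None if no such attribute is present. Raises on bad lengths."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == CISCO_VENDOR_ID:
                j, end = i + 6, i + alen
                while j + 2 <= end:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > end:
                        raise ValueError("malformed vendor sub-attribute")
                    if vtype == CISCO_AVPAIR:
                        text = attrs[j + 2:j + vlen].decode("ascii", "replace")
                        if text.startswith("shell:priv-lvl="):
                            return int(text.split("=", 1)[1])
                    j += vlen
        i += alen
    return None
```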
Thanks DT I think that actually clears a couple things up for me.
So yeah, the whole reason this thread was started was that I wanted the ASA to drop me directly into exec mode if I authenticate via RADIUS. I also wanted to be able to pass the privilege level of the user to the ASA via RADIUS...but it LOOKS like I can't drop directly into exec mode without authenticating with some sort of local account... I would still be interested in accomplishing this if anyone has anything that will work with RADIUS...
Here is the result:
aaa authorization exec authentication-server does not drop me directly into exec mode even though the account I used was a shell:priv-lvl=15 radius account....Does the ASA support that attribute?
Supported RADIUS attribute pairs.
Yep, saw that too just before I left work so I didn't get a chance to work with it.
I DID find this little tidbit but haven't been able to verify yet.....
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html?sfQueryTermInfo=1+asa
This is really beginning to annoy the crap out of me...
For my part, I think ASAs are great at being firewalls and VPN concentrators, but they do have limitations. I worked at a company that wanted just to deploy ASAs everywhere and have that be the only device at a site...then they wanted all the features of a router and switch. I found myself constantly frustrated trying to make something that would be fairly easy to implement on a switch or router. I had to stop for a moment and think of how much easier it was to set up a firewall or VPN on an ASA.
It's hard when you're trying to hammer in a nail with a screwdriver!
If anyone knows of anything please shoot me a message. I don't like what I'm finding so far....
Obviously, I was looking into command authorization, or so I thought.
TACACS and local have handy toggles to do this within the ASA, but RADIUS did not.
The workaround:
(1) set command privilege-levels on the ASA
(2) set the privilege-level of the user via RADIUS
(3) when the user logs in (via CLI or ASDM) they're restricted to the commands set for their privilege level
The trickiest part was figuring out how to set the privilege-level via the RADIUS, since it wasn't straightforward, and using regular "Cisco" within the RADIUS client wouldn't swing it. I believe the Cisco docs reference using integer. Configuring the Microsoft NPS called for decimal.
I ended up consulting the same Cisco docs that were mentioned here, just a different software version. I also ended up consulting the Microsoft docs, as I had a little trouble finding the "custom" attribute in the NPS.
I might make a blog posting on the solution, in order to show "screen grabs".
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
I have the same problem with RADIUS NPS for user authorization and don't know how to configure the NPS so that the ASA identifies privilege levels.
You wanted to post a blog of your solution. Where can I find this post?
I hope you can help me. Thank you.
Best regards,
Lars