AAA on ASA 5500 Series
cisco_trooper
Member Posts: 1,441
in CCNP
Ok, so I'm sure we're all familiar with standard aaa configs on Catalyst switches:

    aaa new-model
    aaa authentication login default group radius enable
    aaa authorization exec default group radius if-authenticated

I want to do the same thing on my ASAs, but I can't seem to find anything that does the same thing as

    aaa authorization exec default group radius if-authenticated

I have privilege levels implemented on the Cats and am beginning a similar implementation on the ASAs, but just am not having much luck...and the documentation I'm finding really sucks.
Any direction would be appreciated....
Comments
-
cisco_trooper Member Posts: 1,441
Yeah, this guide sucks IMO.....
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1042026
-
cisco_trooper Member Posts: 1,441
Just made another case for TACACS+....ASA does not support command authorization for RADIUS, only TACACS+ and the LOCAL database. Bummer.....
In any case, this is as close as I can get to what I wanted with what is available to me at the time:

    aaa authentication ssh console RADIUS LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL

There is a LOCAL user on the device that matches the RADIUS user. When entering enable mode you will be asked for a password again.
If anyone has any better solutions they would be much appreciated.....
-
dtlokee Member Posts: 2,378
I am missing how you configured command authorization to a radius server on your switch configuration output you posted.
The only easy day was yesterday!
-
cisco_trooper Member Posts: 1,441
dtlokee wrote:
I am missing how you configured command authorization to a radius server on your switch configuration output you posted.

I didn't post the privilege commands. In addition to the commands above, here is what I've done on the ASA with a DUMMY command:

    username XXXXXXXXXXXXXX password XXXXXXXXXXXXXXX encrypted privilege 3
    privilege cmd level 3 mode exec command DUMMY
    privilege show level 3 mode exec command DUMMY
    privilege clear level 3 mode exec command DUMMY

The Cats are pretty easy but I can post those too if people are interested....The command authorization on the ASA is only done locally on the ASA. The ASA does not support command authorization through Radius, which is why I have to add the freaking local user and assign it a privilege level.
-
dtlokee Member Posts: 2,378
If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.
You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

    aaa authorization commands 15 default group tacacs+

Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset its level locally on the switch. If you use ACS you can make command authorization sets.
The only easy day was yesterday!
-
cisco_trooper Member Posts: 1,441
dtlokee wrote:
If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.
You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

    aaa authorization commands 15 default group tacacs+

Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset its level locally on the switch. If you use ACS you can make command authorization sets.

Yeah, that's why I have to have the local user. I'm using RADIUS right now, and obviously making a case for TACACS. I'm highly annoyed that I can't do command authorization through RADIUS on the ASA, even though the Cats do it just fine.

Authenticate to the ASA with your RADIUS account (local if RADIUS unavailable):

    aaa authentication ssh console RADIUS LOCAL

When entering enable mode, authenticate with a local user:

    aaa authentication enable console LOCAL

Specify that the LOCAL account is used for command authorization:

    aaa authorization command LOCAL

Needless to say, a TACACS+ implementation is in the cards. Unfortunately I have a couple high profile projects brewing right now, so it will have to wait for a little while....
-
dtlokee Member Posts: 2,378
You can't do command authorization via radius

    6509E(config)#aaa authorization commands 15 default ?
      cache             Use Cached-group
      group             Use server-group.
      if-authenticated  Succeed if user has authenticated.
      local             Use local database.
      none              No authorization (always succeeds).
    6509E(config)#aaa authorization commands 15 default group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.

No option for radius
The only easy day was yesterday!
-
redwarrior Member Posts: 285
Yep...this is going to be an issue for you. Basically, Cisco seems to be pushing customers more and more towards TACACS. We use a TACACS server at work and it works great with our ASA 5505's *except* where you have an ASA that you want to manage on the remote end of an Easy VPN tunnel. Then it just won't work. We even contacted TAC about it and were told that TACACS for aaa just isn't supported with EasyVPN. (Neither are several other features, we've found.)
Just FYI.
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog
-
cisco_trooper Member Posts: 1,441
dtlokee wrote:
You can't do command authorization via radius

    6509E(config)#aaa authorization commands 15 default ?
      cache             Use Cached-group
      group             Use server-group.
      if-authenticated  Succeed if user has authenticated.
      local             Use local database.
      none              No authorization (always succeeds).
    6509E(config)#aaa authorization commands 15 default group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.

No option for radius

That's a 6509 (I presume from the hostname), I have privilege levels on various commands set on at least 40 2950s. The user privilege level is assigned via an attribute assigned via RADIUS...I haven't tried the 6513s because I just don't let people even touch them...
I'll post the relevant config off the 2950s tomorrow if anyone cares. Anyway, we keep getting back to TACACS having better support from Cisco. +1 TACACS.....
-
cisco_trooper Member Posts: 1,441
Ok, so I can't wait....the 2950s are easy...

    aaa new-model

Authenticate through radius (local database if radius is unavailable):

    aaa authentication login default group radius local

Drop to exec mode if successfully authenticated through radius:

    aaa authorization exec default group radius if-authenticated

Define the radius server:

    radius-server host XXX.XXX.XXX.XXX auth-port XXXX acct-port XXXX key 7 XXXXXXXXXXXXXXXXXXXX

Privilege commands:

    privilege interface level 2 description
    privilege interface level 2 switchport access vlan
    privilege interface level 2 shutdown
    privilege interface level 2 no shutdown
    privilege interface level 2 switchport nonegotiate
    privilege interface level 2 switchport port-security mac-address sticky
    privilege interface level 2 switchport port-security violation restrict
    privilege configure level 2 interface
    privilege exec level 2 ping
    privilege exec level 2 show running-config interface fastEthernet
    privilege exec level 2 configure terminal
    privilege exec level 2 write memory

The part you can't see here is the privilege level that is assigned via radius. With Microsoft IAS there is a Vendor-Specific attribute that you define. You define the Vendor obviously as Cisco and say that it conforms to the Radius RFC. The attribute number is 1, it is a string, and you set it (in this case) to shell:priv-lvl=2
I was trying to find some screenshots of the IAS setup and actually stumbled across this which has the RADIUS setup fairly well documented (minus screenshots):
http://www.techexams.net/forums/viewtopic.php?p=126387
Hope that clarifies what I'm talking about when I refer to "command authorization" on the Cats...I would imagine you could do the same on the 6500s....
-
dtlokee Member Posts: 2,378
Sorry CT, that's not "command authorization via radius", the authorization is still local. If it was "via radius" (which you can't do with radius, only tacacs) then you would not have the privilege levels locally defined. You are using radius to set the user's privilege level, that is not command authorization via a "AAA server".
The only easy day was yesterday!
-
cisco_trooper Member Posts: 1,441
See what happens when you don't have the correct terminology in your head.....
Thanks DT I think that actually clears a couple things up for me.
So yeah, the whole reason this thread was started was that I wanted the ASA to drop me directly into exec mode if I authenticate via RADIUS. I also wanted to be able to pass the privilege level of the user to the ASA via RADIUS...but it LOOKS like I can't drop directly into exec mode without authenticating with some sort of local account... I would still be interested in accomplishing this if anyone has anything that will work with RADIUS...
-
dtlokee Member Posts: 2,378
How are you trying to access the device? HTTP, SSH?
The only easy day was yesterday!
-
dtlokee Member Posts: 2,378

    aaa authorization exec authentication-server

The only easy day was yesterday!
-
cisco_trooper Member Posts: 1,441
I think I tried that last night and it either didn't work, or it may have been the command that got me locked out of exec mode. I'll do some more testing with it and keep better track of my results....
-
cisco_trooper Member Posts: 1,441
Here is the AAA config:

    aaa-server RADIUS protocol radius
    aaa-server RADIUS host XXX.XXX.XXX.XXX
     retry-interval 5
     timeout 5
     key XXXXXXXXXXXXXXXXXXXXXXXXXXX
     authentication-port 1812
     accounting-port 1813
    aaa authentication http console RADIUS LOCAL
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication serial console RADIUS LOCAL
    aaa authentication enable console RADIUS LOCAL
    aaa authorization exec authentication-server

Here is the result:

    login as: admin
    admin@XXX.XXX.XXX.XXX's password:
    Type help or '?' for a list of available commands.
    ciscoasa> en
    Password: ********
    [ admin ] You do NOT have enable Admin Rights to the console
    Password:
    Password:
    Access denied.
    ciscoasa> login
    Username: admin
    Password: ********
    ciscoasa#

aaa authorization exec authentication-server does not drop me directly into exec mode even though the account I used was a shell:priv-lvl=15 radius account....Does the ASA support that attribute?
-
dtlokee Member Posts: 2,378
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html#wp1753749
Supported RADIUS attribute pairs.
The only easy day was yesterday!
-
cisco_trooper Member Posts: 1,441
DT,
Yep, saw that too just before I left work so I didn't get a chance to work with it.
I DID find this little tidbit but haven't been able to verify yet.....
http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html?sfQueryTermInfo=1+asa
This is really beginning to annoy the crap out of me...
-
redwarrior Member Posts: 285
Just wait until you start trying to mess with QoS on these...or do load balancing...
For my part, I think ASA's are great at being firewalls and VPN concentrators, but they do have limitations. I worked at a company that wanted just to deploy ASA's everywhere and have that be the only device at a site...then they wanted all the features of a router and switch. I found myself constantly frustrated trying to make something that would be fairly easy to implement on a switch or router. I had to stop for a moment and think of how much easier it was to set up a firewall or VPN on an ASA.
It's hard when you're trying to hammer in a nail with a screwdriver!
CCNP Progress
ONT, ISCW, BCMSN - DONE
BSCI - In Progress
http://www.redwarriornet.com/ <--My Cisco Blog
-
cisco_trooper Member Posts: 1,441
I've got command authorization via TACACS+ all figured out for the most part. I will be moving off of RADIUS in short order. Thanks to all who helped out here.
-
cisco_trooper Member Posts: 1,441
Ok. I'm looking for THE TACACS+ resource. I'm really looking for best practices on configuration of the TACACS+ daemon. Misconfiguration is a big reason shops have vulnerabilities, and I'm not interested in being one of them.....
If anyone knows of anything please shoot me a message. I don't like what I'm finding so far....
-
instant000 Member Posts: 1,745
It just so happened that I ran into this issue last week, whereby I needed to create read-only users for ASDM, while using RADIUS for user authentication.
Obviously, I was looking into command authorization, or so I thought.
TACACS and local have handy toggles to do this within the ASA, but RADIUS did not.
The workaround:
(1) set command privilege-levels on the ASA
(2) set the privilege-level of the user via RADIUS
(3) when the user logs in (via CLI or ASDM) they're restricted to the commands set for their privilege level
The trickiest part was figuring out how to set the privilege-level via the RADIUS, since it wasn't straightforward, and using regular "Cisco" within the RADIUS client wouldn't swing it. I believe the Cisco docs reference using integer. Configuring the Microsoft NPS called for decimal.
I ended up consulting the same Cisco docs that were mentioned here, just a different software version. I also ended up consulting the Microsoft docs, as I had a little trouble finding the "custom" attribute in the NPS.
I might make a blog posting on the solution, in order to show "screen grabs".
Currently Working: CCIE R&S
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
-
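Added example, not code from this thread, from Cisco or from Microsoft: it shows on the wire what cisco_trooper's IAS attribute and instant000's NPS "decimal" values amount to (Vendor-Specific attribute 26, vendor id 9, Cisco-AVPair type 1, string shell:priv-lvl=N), builds an Access-Accept carrying it with the Response Authenticator the ASA checks against the shared secret, reads the level back out, and applies it to the ASA's local "privilege ... mode exec command" lines the way the workaround relies on. The sample config, request authenticator and secret are constructed, and commands missing from the privilege table are assumed to require level 15.

```python
import hashlib
import re
import struct

# RFC 2865 Vendor-Specific is attribute 26; Cisco's vendor id is 9, Cisco-AVPair is vendor type 1.
VSA, CISCO_ID, CISCO_AVPAIR = 26, 9, 1
SAMPLE_ASA_CONFIG = "privilege cmd level 3 mode exec command DUMMY\nprivilege show level 3 mode exec command DUMMY"  # constructed

def cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair VSA such as 'shell:priv-lvl=2'."""
    data = value.encode("ascii")
    body = struct.pack("!IBB", CISCO_ID, CISCO_AVPAIR, 2 + len(data)) + data
    return struct.pack("!BB", VSA, 2 + len(body)) + body

def access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Accept (code 2) with the MD5 Response Authenticator the NAS verifies."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the ASA does before trusting any attribute: recompute the authenticator with the secret."""
    return packet[4:20] == hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()

def priv_level(packet: bytes):
    """Return the shell:priv-lvl carried in the Accept, or None if absent or malformed."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            break  # malformed attribute list: stop rather than mis-parse
        if atype == VSA and alen >= 8 and struct.unpack("!I", packet[pos + 2:pos + 6])[0] == CISCO_ID:
            vtype, vlen = packet[pos + 6], packet[pos + 7]
            text = packet[pos + 8:pos + 6 + vlen].decode("ascii", "replace")
            if vtype == CISCO_AVPAIR and text.startswith("shell:priv-lvl="):
                return int(text[15:]) if text[15:].isdigit() else None
        pos += alen
    return None

PRIV_RE = re.compile(r"privilege (cmd|show|clear) level (\d+) mode (\w+) command (\S+)")

def privilege_table(config: str) -> dict:
    """Map (kind, mode, command) -> level from the ASA's 'privilege ...' lines."""
    return {(k, m, c): int(l) for k, l, m, c in PRIV_RE.findall(config)}

def may_run(table: dict, level: int, command: str, mode: str = "exec", default: int = 15) -> bool:
    """'show X' / 'clear X' consult the show/clear entries, anything else the cmd entry.
    Commands absent from the table are assumed here (an assumption) to require 'default'."""
    words = command.split()
    kind, name = (words[0], words[1]) if words[0] in ("show", "clear") and len(words) > 1 else ("cmd", words[0])
    return level >= table.get((kind, mode, name), default)
```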
RADIUS-User Registered Users Posts: 1
Hello instant000
I have the same problem with RADIUS NPS for user authorization and don't know how to configure the NPS so that the ASA identifies privilege levels.
You wanted to post a blog of your solution. Where can I find this post?
I hope you can help me. Thank you.
Best regards,
Lars