AAA on ASA 5500 Series

cisco_trooper Member Posts: 1,441
Ok, so I'm sure we're all familiar with standard aaa configs on Catalyst switches:
aaa new-model
aaa authentication login default group radius enable
aaa authorization exec default group radius if-authenticated

I want to do the same thing on my ASAs, but I can't seem to find anything that does the same thing as
aaa authorization exec default group radius if-authenticated

I have privilege levels implemented on the Cats and am beginning a similar implementation on the ASAs, but just am not having much luck...and the documentation I'm finding really sucks.

Any direction would be appreciated....

Comments

  • cisco_trooper Member Posts: 1,441
    Just made another case for TACACS+....ASA does not support command authorization for RADIUS, only TACACS+ and the LOCAL database. Bummer.....

    In any case, this is as close as I can get to what I wanted with what is available to me at the time:
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL
    

    There is a LOCAL user on the device that matches the RADIUS user. When entering enable mode you will be asked for a password again.

    If anyone has any better solutions they would be much appreciated.....
  • dtlokee Member Posts: 2,378
    I am missing how you configured command authorization to a radius server on your switch configuration output you posted.
    The only easy day was yesterday!
  • cisco_trooper Member Posts: 1,441
    dtlokee wrote:
    I am missing how you configured command authorization to a radius server on your switch configuration output you posted.

    I didn't post the privilege commands. In addition to the commands above, here is what I've done on the ASA with a DUMMY command:
    username XXXXXXXXXXXXXX password XXXXXXXXXXXXXXX encrypted privilege 3
    privilege cmd level 3 mode exec command DUMMY
    privilege show level 3 mode exec command DUMMY
    privilege clear level 3 mode exec command DUMMY
    

    The Cats are pretty easy but I can post those too if people are interested....The command authorization on the ASA is only done locally on the ASA. The ASA does not support command authorization through Radius, which is why I have to add the freaking local user and assign it a privilege level.
  • dtlokee Member Posts: 2,378
    If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.

    You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

    aaa authorization commands 15 default group tacacs+

    Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset its level locally on the switch. If you use ACS you can make command authorization sets.
    The only easy day was yesterday!
  • cisco_trooper Member Posts: 1,441
    dtlokee wrote:
    If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.

    You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

    aaa authorization commands 15 default group tacacs+

    Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset its level locally on the switch. If you use ACS you can make command authorization sets.

    Yeah, that's why I have to have the local user. I'm using RADIUS right now, and obviously making a case for TACACS. I'm highly annoyed that I can't do command authorization through RADIUS on the ASA, even though the Cats do it just fine.

    Authenticate to the ASA with your RADIUS account (local if RADIUS unavailable):
    aaa authentication ssh console RADIUS LOCAL
    
    When entering enable mode, authenticate with a local user:
    aaa authentication enable console LOCAL
    
    Specify that the LOCAL account is used for command authorization:
    aaa authorization command LOCAL
    


    Needless to say, a TACACS+ implementation is in the cards. Unfortunately I have a couple high profile projects brewing right now, so it will have to wait for a little while....
  • dtlokee Member Posts: 2,378
    You can't do command authorization via radius
    6509E(config)#aaa authorization commands 15 default ?
      cache             Use Cached-group
      group             Use server-group.
      if-authenticated  Succeed if user has authenticated.
      local             Use local database.
      none              No authorization (always succeeds).
    
    6509E(config)#aaa authorization commands 15 default group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.
    
    

    No option for radius
    The only easy day was yesterday!
  • redwarrior Member Posts: 285
    Yep...this is going to be an issue for you. Basically, Cisco seems to be pushing customers more and more towards TACACS. We use a TACACS server at work and it works great with our ASA 5505's *except* where you have an ASA that you want to manage on the remote end of an Easy VPN tunnel. Then it just won't work. We even contacted TAC about it and were told that TACACS for aaa just isn't supported with EasyVPN. (Neither are several other features, we've found.)

    Just FYI.

    CCNP Progress

    ONT, ISCW, BCMSN - DONE

    BSCI - In Progress

    http://www.redwarriornet.com/ <--My Cisco Blog
  • cisco_trooper Member Posts: 1,441
    dtlokee wrote:
    You can't do command authorization via radius
    6509E(config)#aaa authorization commands 15 default ?
      cache             Use Cached-group
      group             Use server-group.
      if-authenticated  Succeed if user has authenticated.
      local             Use local database.
      none              No authorization (always succeeds).
    
    6509E(config)#aaa authorization commands 15 default group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.
    
    

    No option for radius

    That's a 6509 (I presume from the hostname), I have privilege levels on various commands set on at least 40 2950s. The user privilege level is assigned via an attribute assigned via RADIUS...I haven't tried the 6513s because I just don't let people even touch them...

    I'll post the relevant config off the 2950s tomorrow if anyone cares. Anyway, we keep getting back to TACACS having better support from Cisco. +1 TACACS.....
  • cisco_trooper Member Posts: 1,441
    Ok, so I can't wait....the 2950s are easy...
    aaa new-model
    
    Authenticate through radius (local database is radius if unavailable):
    aaa authentication login default group radius local
    
    Drop to exec mode if successfully authenticated through radius:
    aaa authorization exec default group radius if-authenticated
    
    Define the radius server
    radius-server host XXX.XXX.XXX.XXX auth-port XXXX acct-port XXXX key 7 XXXXXXXXXXXXXXXXXXXX
    

    Privilege commands:
    privilege interface level 2 description
    privilege interface level 2 switchport access vlan
    privilege interface level 2 shutdown
    privilege interface level 2 no shutdown
    privilege interface level 2 switchport nonegotiate
    privilege interface level 2 switchport port-security mac-address sticky
    privilege interface level 2 switchport port-security violation restrict
    privilege configure level 2 interface
    privilege exec level 2 ping
    privilege exec level 2 show running-config interface fastEthernet
    privilege exec level 2 configure terminal
    privilege exec level 2 write memory
    

    The part you can't see here is the privilege level that is assigned via radius. With Microsoft IAS there is a Vendor-Specific attribute that you define. You define the Vendor obviously as Cisco and say that it conforms to the Radius RFC. The attribute number is 1, it is a string, and you set it (in this case) to shell:priv-lvl=2


    I was trying to find some screenshots of the IAS setup and actually stumbled across this which has the RADIUS setup fairly well documented (minus screenshots):

    http://www.techexams.net/forums/viewtopic.php?p=126387

    Hope that clarifies what I'm talking about when I refer to "command authorization" on the Cats...I would imagine you could do the same on the 6500s....
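The IAS attribute described above (Vendor Cisco, attribute 1, string shell:priv-lvl=2) travels to the switch as a RADIUS Vendor-Specific attribute. The following Python is an added example, not from the thread: it encodes that Cisco-AVPair exactly as RFC 2865 lays it out (type 26, vendor id 9, sub-attribute 1) and parses the priv-lvl back out of an attribute list; the length guard and the 0..15 range check are my own assumptions.

```python
import struct
from typing import Optional

RADIUS_VSA_TYPE = 26      # Vendor-Specific attribute (RFC 2865, section 5.26)
CISCO_VENDOR_ID = 9       # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1     # Cisco-AVPair vendor sub-attribute, as set in IAS above


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one Cisco-AVPair string in a RADIUS Vendor-Specific attribute.

    Wire layout: Type=26, Length, Vendor-Id (4 bytes), then the vendor
    sub-attribute: Vendor-Type=1, Vendor-Length, String. Each Length
    field counts its own two header bytes.
    """
    payload = value.encode("ascii")
    if len(payload) > 247:  # 255 max attribute length minus 8 header bytes (assumed guard)
        raise ValueError("AVPair too long for a single VSA")
    sub = struct.pack("!BB", CISCO_AVPAIR_TYPE, len(payload) + 2) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VSA_TYPE, len(body) + 2) + body


def parse_priv_lvl(attrs: bytes) -> Optional[int]:
    """Walk a RADIUS attribute list and return the shell:priv-lvl value
    carried in a Cisco-AVPair, or None if no valid one is present.

    Other attributes and other vendors are skipped; a value outside the
    IOS/ASA range 0..15 is treated as absent (my validation choice)."""
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == RADIUS_VSA_TYPE and alen >= 8:
            vendor = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j = i + 6
            while vendor == CISCO_VENDOR_ID and j + 2 <= i + alen:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == CISCO_AVPAIR_TYPE:
                    text = attrs[j + 2:j + vlen].decode("ascii", "replace")
                    key, _, val = text.partition("=")
                    if key == "shell:priv-lvl" and val.isdigit() and int(val) <= 15:
                        return int(val)
                j += vlen
        i += alen
    return None


# Constructed sample: a Reply-Message (type 18) followed by the Cisco VSA.
SAMPLE_ATTRS = b"\x12\x04ok" + encode_cisco_avpair("shell:priv-lvl=2")
```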
  • dtlokee Member Posts: 2,378
    Sorry CT, that's not "command authorization via radius" the authorization is still local. If it was "via radius" (which you can't do with radius only tacacs) then you would not have the privilege levels locally defined. You are using radius to set the user's privilege level, that is not command authorization via a "AAA server".
    The only easy day was yesterday!
  • cisco_trooper Member Posts: 1,441
    See what happens when you don't have the correct terminology in your head.....

    Thanks DT I think that actually clears a couple things up for me. :)

    So yeah, the whole reason this thread was started was that I wanted the ASA to drop me directly into exec mode if I authenticate via RADIUS. I also wanted to be able to pass the privilege level of the user to the ASA via RADIUS...but it LOOKS like I can't drop directly into exec mode without authenticating with some sort of local account... I would still be interested in accomplishing this if anyone has anything that will work with RADIUS...
  • dtlokee Member Posts: 2,378
    How are you trying to access the device? HTTP, SSH?
    The only easy day was yesterday!
  • cisco_trooper Member Posts: 1,441
  • dtlokee Member Posts: 2,378
    aaa authorization exec authentication-server
    The only easy day was yesterday!
  • cisco_trooper Member Posts: 1,441
    I think I tried that last night and it either didn't work, or it may have been the command that got me locked out of exec mode. I'll do some more testing with it and keep better track of my results....
  • cisco_trooper Member Posts: 1,441
    Here is the AAA config:
    aaa-server RADIUS protocol radius
    aaa-server RADIUS host XXX.XXX.XXX.XXX
     retry-interval 5
     timeout 5
     key XXXXXXXXXXXXXXXXXXXXXXXXXXX
     authentication-port 1812
     accounting-port 1813
    aaa authentication http console RADIUS LOCAL
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication serial console RADIUS LOCAL
    aaa authentication enable console RADIUS LOCAL
    aaa authorization exec authentication-server
    


    Here is the result:
    login as: admin
    admin@XXX.XXX.XXX.XXX's password:
    Type help or '?' for a list of available commands.
    ciscoasa> en
    Password: ********

    [ admin ] You do NOT have enable Admin Rights to the console
    Password:
    Password:
    Access denied.
    ciscoasa> login
    Username: admin
    Password: ********
    ciscoasa#

    aaa authorization exec authentication-server does not drop me directly into exec mode even though the account I used was a shell:priv-lvl=15 radius account....Does the ASA support that attribute?

  • dtlokee Member Posts: 2,378
  • cisco_trooper Member Posts: 1,441
    DT,

    Yep, saw that too just before I left work so I didn't get a chance to work with it.

    I DID find this little tidbit but haven't been able to verify yet.....

    http://www.experts-exchange.com/Security/Software_Firewalls/Enterprise_Firewalls/Cisco_PIX_Firewall/Q_23869838.html?sfQueryTermInfo=1+asa

    This is really beginning to annoy the crap out of me...
  • redwarrior Member Posts: 285
    Just wait until you start trying to mess with QoS on these...or do load balancing...

    For my part, I think ASA's are great at being firewalls and VPN concentrators, but they do have limitations. I worked at a company that wanted just to deploy ASA's everywhere and have that be the only device at a site...then they wanted all the features of a router and switch. I found myself constantly frustrated trying to make something that would be fairly easy to implement on a switch or router. I had to stop for a moment and think of how much easier it was to set up a firewall or VPN on an ASA.

    It's hard when you're trying to hammer in a nail with a screwdriver!

    CCNP Progress

    ONT, ISCW, BCMSN - DONE

    BSCI - In Progress

    http://www.redwarriornet.com/ <--My Cisco Blog
  • cisco_trooper Member Posts: 1,441
    I've got command authorization via TACACS+ all figured out for the most part. I will be moving off of RADIUS in short order. Thanks to all who helped out here.
  • cisco_trooper Member Posts: 1,441
    Ok. I'm looking for THE TACACS+ resource. I'm really looking for best practices on configuration of the TACACS+ daemon. Misconfiguration is a big reason shops have vulnerabilities, and I'm not interested in being one of them.....

    If anyone knows of anything please shoot me a message. I don't like what I'm finding so far....
  • instant000 Member Posts: 1,745
    It just so happened that I ran into this issue last week, whereby I needed to create read-only users for ASDM, while using RADIUS for user authentication.

    Obviously, I was looking into command authorization, or so I thought.
    TACACS and local have handy toggles to do this within the ASA, but RADIUS did not.

    The workaround:
    (1) set command privilege-levels on the ASA
    (2) set the privilege-level of the user via RADIUS
    (3) when the user logs in (via CLI or ASDM) they're restricted to the commands set for their privilege level

    The trickiest part was figuring out how to set the privilege-level via the RADIUS, since it wasn't straightforward, and using regular "Cisco" within the RADIUS client wouldn't swing it. I believe the Cisco docs reference using integer. Configuring the Microsoft NPS called for decimal.

    I ended up consulting the same Cisco docs that were mentioned here, just a different software version. I also ended up consulting the Microsoft docs, as I had a little trouble finding the "custom" attribute in the NPS.

    I might make a blog posting on the solution, in order to show "screen grabs".
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • RADIUS-User Registered Users Posts: 1
    Hello instant000

    I have the same problem with RADIUS NPS for user authorization and don't know how to configure the NPS so that the ASA identifies privilege levels.
    You wanted to post a blog of your solution. Where can I find this post?
    I hope you can help me. Thank you.

    Best regards,
    Lars