AAA configuration: Authentication – Authorization – Accounting on Cisco ASA Firewall
When it comes to authentication services in networks and IT systems in general, it is best practice to have a centralized authentication system that securely holds user account credentials and controls all authentication and authorization.
This is why Active Directory in a Microsoft environment is such a useful and powerful authentication system. In the network world, we have AAA servers that centrally control and manage all authentication requests from users who need to access network devices.
So what is AAA?
AAA stands for Authentication, Authorization and Accounting. AAA is a mechanism used to tell a firewall device (or any network device) who the user is (Authentication), what actions the user is allowed to perform on the network (Authorization) and what the user did on the network after connecting (Accounting). In this post, we will see examples of how to configure all three AAA elements on the ASA (Authentication, Authorization and Accounting).
Authentication types supported on ASA devices
Three types of Authentication are available on Cisco ASA firewalls:
1. User authentication to access the security device itself.
2. User authentication to access services through the security device. This is also known as a “cut-through proxy” and is used to authenticate users accessing Telnet, FTP, HTTP and HTTPS services located inside the network through the firewall.
3. User authentication to access a VPN tunnel (IPsec or SSL VPN).
We will take a configuration example for the first type (authentication for management access to the security device via serial console, SSH and Telnet).
Authentication configuration using TACACS+:
In this example, we assume that we have installed and configured a AAA server (for example, Cisco ACS) running the TACACS+ authentication protocol.
Note: Cisco ACS has reached end of life (EOL). The alternative option is Cisco ISE (Identity Services Engine) but the authentication concepts via TACACS+ are the same.
The AAA server is assumed to have a username/password account configured that the firewall administrator will use for authentication. Also assume that the AAA server is located on the internal LAN with address 10.1.1.1.
According to the image above, the firewall administrator (Admin) requires firewall (serial console, SSH or Telnet) access (Arrow 1) to manage the device.
The ASA firewall (Arrow 2) prompts the administrative user (Admin) for username/password credentials and sends an authentication request to the AAA server.
After the administrator enters valid credentials, the AAA server grants permission and the firewall lets the user in.
Configuration below:
! Specify the AAA server group name (NY_AAA) and the protocol to use (RADIUS or TACACS+)
ASA-TGM(config)# aaa-server NY_AAA protocol tacacs+
! Specify the authentication server IP address (reachable via the inside interface) and the shared secret key
ASA-TGM(config)# aaa-server NY_AAA (inside) host 10.1.1.1
ASA-TGM(config-aaa-server-host)# key secretauthkey
ASA-TGM(config-aaa-server-host)# exit
! Enable authentication for management access (serial console, Telnet, SSH)
ASA-TGM(config)# aaa authentication serial console NY_AAA LOCAL
ASA-TGM(config)# aaa authentication telnet console NY_AAA LOCAL
ASA-TGM(config)# aaa authentication ssh console NY_AAA LOCAL
The “LOCAL” keyword at the end specifies the use of the local firewall username database for authentication when the AAA server is unavailable (for example, the AAA server is down or unreachable). The fallback is not used when the server is reachable but rejects the credentials, so keep at least one local administrator account defined or you risk being locked out of the device if the server fails.
Of course, to complete the above scenario, you need to properly configure the AAA Server with the internal IP address of the ASA firewall and the same authentication key (e.g. secretauthkey) as the key you configured on the ASA above.
Accounting configuration using TACACS+:
Following the previous example of AAA Authentication for management access to the Cisco ASA firewall, this section describes how we can monitor administrative user authentication requests to the firewall.
This can be useful for recording the date and time at which an administrator connected to the firewall. This functionality is achieved by configuring “Accounting” on the ASA firewall.
This allows the AAA server to create audit records that mark the establishment and termination of management access via Telnet, serial console and SSH.
Let’s assume that we have installed a AAA server and configured the details on the firewall (see previous section). The name of the AAA server is NY_AAA.
Configuration below:
ASA-TGM(config)# aaa accounting serial console NY_AAA
ASA-TGM(config)# aaa accounting telnet console NY_AAA
ASA-TGM(config)# aaa accounting ssh console NY_AAA
The above configuration will keep a record in the AAA server database of the start time and end time of the administrator’s firewall access.
Now, if we also need to monitor all the commands entered by administrators when they are connected to the firewall, we can use “accounting command” as shown below:
ASA-TGM(config)# aaa accounting command NY_AAA
Authorization configuration using TACACS+:
With Authorization, we can specify which commands each specific user is allowed to run. For example, we might have a low-privileged user who is only allowed to execute monitoring commands (e.g., only “show” commands) and nothing else.
This can be achieved with Authorization configured as below:
! Take the user's privilege level from the AAA server and, with auto-enable, place sufficiently privileged users directly into privileged EXEC mode
ASA-TGM(config)# aaa authorization exec authentication-server auto-enable
! Check every command against the AAA server; fall back to the local database if the server is unreachable
ASA-TGM(config)# aaa authorization command NY_AAA LOCAL
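To tie the three sections together, here is an added example (not from the original post) of a small audit script that reads an ASA running-config and reports which of the management-plane AAA controls described above are missing: authentication per console type with LOCAL fallback, session and command accounting, and command authorization. The config excerpt is constructed for the demo; the server group name NY_AAA and address 10.1.1.1 are taken from the post.

```python
import re

# Constructed ASA running-config excerpt for the demo (not captured from a real device).
SAMPLE_CONFIG = """\
aaa-server NY_AAA protocol tacacs+
aaa-server NY_AAA (inside) host 10.1.1.1
aaa authentication serial console NY_AAA LOCAL
aaa authentication ssh console NY_AAA LOCAL
aaa authentication telnet console NY_AAA
aaa accounting ssh console NY_AAA
aaa accounting command NY_AAA
aaa authorization command NY_AAA LOCAL
"""

ACCESS_METHODS = ("serial", "ssh", "telnet")


def audit_aaa(config):
    """Return a list of findings for management-plane AAA in an ASA config."""
    lines = [line.strip() for line in config.splitlines()]
    groups = set()  # aaa-server groups defined in the config
    for line in lines:
        m = re.match(r"aaa-server (\S+) protocol (?:tacacs\+|radius)$", line)
        if m:
            groups.add(m.group(1))
    findings = []
    if not groups:
        findings.append("no aaa-server group defined")
    for method in ACCESS_METHODS:
        auth = [l for l in lines if l.startswith(f"aaa authentication {method} console ")]
        if not auth:
            findings.append(f"{method}: authentication not configured")
        else:
            tokens = auth[0].split()  # aaa authentication <method> console <group> [LOCAL]
            if tokens[4] not in groups:
                findings.append(f"{method}: authentication not sent to a defined AAA group")
            elif tokens[-1] != "LOCAL":
                findings.append(f"{method}: no LOCAL fallback (lockout if AAA server is unreachable)")
        if not any(l.startswith(f"aaa accounting {method} console ") for l in lines):
            findings.append(f"{method}: no session accounting")
    if not any(l.startswith("aaa accounting command ") for l in lines):
        findings.append("no command accounting")
    if not any(l.startswith("aaa authorization command ") for l in lines):
        findings.append("no command authorization")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_aaa(SAMPLE_CONFIG)) or "management-plane AAA complete")
```

Feed it the output of `show running-config` from your own ASA; an empty result means every control from this post is in place.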
Good luck!