Introduction

When no AAA commands are configured, a login password and an enable password must be set for the PIX or ASA to be remotely accessible via telnet, just as on a router. A more secure remote access method such as ssh is sometimes preferable or even required. Unlike a router, which does not require AAA to be configured for ssh access, a PIX or ASA does require a proper AAA configuration. With the proper AAA command set in place, every access attempt via telnet, ssh, http, https, SNMP, or the Console port is authenticated using the same credentials.

As with a router, a PIX or ASA can authenticate against either local credentials or credentials stored on an external AAA server such as TACACS+ or RADIUS. Using such external servers for authentication is highly recommended as the more secure approach. Check out the following FAQ for more info on TACACS+ and RADIUS.

»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level

These AAA command sets have been tested in various situations, including automatic failover from the TACACS+ server to local credentials or the local enable password when the TACACS+ server is unreachable because the server or the network is down.

First, an AAA command set that authenticates using local credentials only is introduced to provide a preliminary understanding. Then the use of an external TACACS+ server is introduced to provide a stronger security perimeter.

PIX Firewall running OS version 6.3

1. Using Local Credential

Sample #1:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

Behavior Description

With this AAA command set, each username has its own dedicated password. There is, however, a single enable password that all usernames share to log into enable mode.

In other words, the username password and the enable password are in general different. When only a single username is defined, the username password and the enable password could be set to the same value. In either case, this approach is considered insecure, since relying on a single "shared password" as the only enable password is unreliable.

To log in, enter the local username and password. To enter privileged mode, enter the enable password.

Sample #2:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

Behavior Description

As with the previous AAA command set, each username has its own dedicated password. Note that there is still a single enable password that all usernames could at some point share to log into enable mode.

By default, the shared enable password is not used: each username has to use its own password to log into enable mode. If for some reason every defined username is removed along with its password, then the shared enable password may be used to log into enable mode. In practice this condition may never occur, since both the usernames and the shared enable password are defined locally. Compared to the previous sample configuration, this approach is more secure, since the shared password may in reality never be used.

With those points in mind, note that in general the password used to log in and the password used to enter privileged mode are the same. Therefore you may never need to use the enable password to enter privileged mode.

2. Using External TACACS+ Server

Sample #3:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

Behavior Description

As with the previous AAA command set, each username has its own dedicated password. By default, the ASA/PIX Firewall uses whatever password is defined for the username in the TACACS+ server database. If for some reason the TACACS+ server is unreachable or unusable, the ASA/PIX Firewall falls back to local credentials (the local username and its associated password) to authenticate users.

Note that in this sample configuration, the TACACS+ server is located on the Inside interface from the ASA/PIX Firewall's perspective. There can be a maximum of three attempts to log into the ASA/PIX Firewall with the correct username and password. When the user does not enter a username or password within ten seconds, the login session times out.

This approach should be considered the most secure of the three sample configurations, since a centralized authentication system (in this case TACACS+) is in place and used as the primary resource, while local authentication serves only as a backup.

ASA or PIX Firewall running OS version 7.0 or newer

The AAA command sets for OS version 6.3 and for OS version 7.0 or newer are almost identical, as shown below. Note that in ASA OS version 8.x or later the aaa-server LOCAL protocol local command may not be available, so you can omit that command without any change in behavior.

1. Using Local Credential

Sample #4:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

Behavior Description

With this AAA command set, each username has its own dedicated password. There is, however, a single enable password that all usernames share to log into enable mode.

In other words, the username password and the enable password are in general different. When only a single username is defined, the username password and the enable password could be set to the same value. In either case, this approach is considered insecure, since relying on a single "shared password" as the only enable password is unreliable.

To log in, enter the local username and password. To enter privileged mode, enter the enable password.

Sample #5:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL

Behavior Description

As with the previous AAA command set, each username has its own dedicated password. Note that there is still a single enable password that all usernames could at some point share to log into enable mode.

By default, the shared enable password is not used: each username has to use its own password to log into enable mode. If for some reason every defined username is removed along with its password, then the shared enable password may be used to log into enable mode. In practice this condition may never occur, since both the usernames and the shared enable password are defined locally. Compared to the previous sample configuration, this approach is more secure, since the shared password may in reality never be used.

With those points in mind, note that in general the password used to log in and the password used to enter privileged mode are the same. Therefore you may never need to use the enable password to enter privileged mode.

2. Using External TACACS+ Server

Sample #6:

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa-server LOCAL protocol local
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command TACACS+

Behavior Description

As with the previous AAA command set, each username has its own dedicated password. By default, the ASA/PIX Firewall uses whatever password is defined for the username in the TACACS+ server database. If for some reason the TACACS+ server is unreachable or unusable, the ASA/PIX Firewall falls back to local credentials (the local username and its associated password) to authenticate users.

Note that in this sample configuration, the TACACS+ server is located on the Inside interface from the ASA/PIX Firewall's perspective. There can be a maximum of three attempts to log into the ASA/PIX Firewall with the correct username and password. When the user does not enter a username or password within ten seconds, the login session times out.

This approach should be considered the most secure of the three sample configurations, since a centralized authentication system (in this case TACACS+) is in place and used as the primary resource, while local authentication serves only as a backup.

FYI, the aaa accounting command set against TACACS+ is available starting with OS version 7.0. With the accounting commands, the TACACS+ server can keep track of which commands were issued by a specific user at a specific time.
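To check a saved ASA/PIX configuration against the three behaviours described above (shared enable password in Samples #1/#4, missing LOCAL fallback behind TACACS+, and the accounting lines that only exist on 7.0 or newer), here is an added Python audit script. It is not part of this FAQ or of any Cisco tool; the two embedded configurations are constructed copies of Sample #1 and Sample #6 with the placeholders removed, and the script only reads the aaa authentication, authorization and accounting lines.

```python
import re
# Constructed configs mirroring the FAQ's Sample #1 (local only, shared enable
# password) and Sample #6 (TACACS+ primary, LOCAL fallback, accounting on 7.0+).
SAMPLE_LOCAL_ONLY = """
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
"""
SAMPLE_TACACS_FALLBACK = """
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command TACACS+
"""

# 'aaa <kind> <service> [console] <server group ...>'; aaa-server lines do not match.
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+)(?: console)? (.+)$")

def parse_aaa(config):
    """Return {kind: {service: [server groups, in lookup order]}} from the aaa lines."""
    table = {"authentication": {}, "authorization": {}, "accounting": {}}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            kind, service, groups = m.groups()
            table[kind][service] = groups.split()
    return table

def audit_aaa(config, remote_services=("telnet", "ssh", "http")):
    """List the weaknesses the FAQ describes; an empty list means every check passed."""
    aaa = parse_aaa(config)
    auth = aaa["authentication"]
    findings = []
    for svc in remote_services:
        if svc not in auth:
            findings.append(f"{svc}: no aaa authentication, access relies on the login password")
    if "enable" not in auth:  # Sample #1 behaviour: one enable password shared by all users
        findings.append("enable: not authenticated via AAA, the shared enable password is in use")
    for svc, groups in auth.items():  # a server-only list locks admins out if the server is down
        if "LOCAL" not in groups:
            findings.append(f"{svc}: no LOCAL fallback, lockout if {groups[0]} is unreachable")
    if "command" not in aaa["authorization"]:
        findings.append("command authorization not configured")
    if not aaa["accounting"]:
        findings.append("no aaa accounting, TACACS+ will not record who issued which command")
    return findings
```

On a 6.3 device the accounting finding is expected, since those commands do not exist there.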

Setting local account privilege level and authorized command list

Referring to this FAQ
»Cisco Forum FAQ »Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level

there is a discussion of making certain Privilege Level 15 commands available to Privilege Level 0 users. Let's say the following commands are authorized for those Privilege Level 0 users in addition to the default Privilege Level 0 authorized command list.

show arp
show interface
show ip (i.e. show ip address, show ip audit count)
show route
show crypto (i.e. show crypto isakmp, show crypto ipsec)
show conn
show cpu
show memory
show xlate
clear xlate
ping

As discussed in the linked FAQ, a centralized TACACS+ server should regulate the commands on that list. However, when the network or the TACACS+ server is down, those Privilege Level 0 users should still be able to issue those commands. When the TACACS+ server is unreachable from the ASA or PIX Firewall's perspective, one way to keep those Privilege Level 0 users able to issue those commands is to locally define those commands as additional authorized commands for Privilege Level 0. To make that happen, the following should be in the ASA or PIX Firewall configuration in addition to the AAA command set of your choice from above.

username [ENTER Privilege Level 0 USERNAME HERE] password [ENTER YOUR PASSWORD HERE] privilege 0
privilege show level 0 command arp
privilege show level 0 command interface
privilege show level 0 command ip
privilege show level 0 command route
privilege show level 0 command crypto
privilege show level 0 command conn
privilege show level 0 command cpu
privilege show level 0 command memory
privilege show level 0 command xlate
privilege clear level 0 command xlate
privilege level 0 command ping
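To verify that the local privilege lines really cover the whole command list above (so that Privilege Level 0 users are not cut off when TACACS+ is unreachable), here is an added Python check. It is not part of this FAQ; the embedded configuration is a constructed copy of the privilege lines above with a made-up username, and a command with no privilege line is assumed to stay at level 15, as the FAQ states for these commands.

```python
import re

# Constructed copy of the FAQ's local privilege-0 command list (not real device output).
PRIV0_CONFIG = """
username ops password ExamplePass privilege 0
privilege show level 0 command arp
privilege show level 0 command interface
privilege show level 0 command ip
privilege show level 0 command route
privilege show level 0 command crypto
privilege show level 0 command conn
privilege show level 0 command cpu
privilege show level 0 command memory
privilege show level 0 command xlate
privilege clear level 0 command xlate
privilege level 0 command ping
"""

# The commands the FAQ wants Privilege Level 0 users to keep when TACACS+ is unreachable.
REQUIRED = [("show", c) for c in ("arp", "interface", "ip", "route", "crypto",
                                   "conn", "cpu", "memory", "xlate")]
REQUIRED += [("clear", "xlate"), (None, "ping")]

# 'privilege [mode] level <n> command <cmd>'; mode is show, clear, etc., or absent (ping).
PRIV_RE = re.compile(r"^privilege(?: (\S+))? level (\d+) command (\S+)$")

def parse_privilege(config):
    """Return {(mode, command): level} for every privilege line in the config."""
    levels = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            mode, level, cmd = m.groups()
            levels[(mode, cmd)] = int(level)
    return levels

def missing_for_level(config, required=REQUIRED, user_level=0):
    """Required commands a user at user_level could NOT run locally (no line, or level too high)."""
    levels = parse_privilege(config)
    # A command without a privilege line keeps the FAQ's stated default of level 15.
    return [(mode, cmd) for mode, cmd in required
            if levels.get((mode, cmd), 15) > user_level]
```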

Discussion

»ASA Telnet/ssh login problems

Feedback received on this FAQ entry:
  • great tips! thank you

    2012-09-17 10:40:51

  • Really excellent document ...

    2009-10-16 07:30:46


by aryoba See Profile
last modified: 2013-04-25 14:03:48