© 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.

Module 6: Configure Trust and Identity at Layer 3 - Modified


Page 1: Module 6: Configure Trust and Identity at Layer 3 - Modified



Network Security 1

Module 6 – Configure Trust and Identity at Layer 3


Learning Objectives

6.1 Cisco IOS Firewall Authentication Proxy

6.2 Introduction to PIX Security Appliance AAA Features

6.3 Configure AAA on the PIX Security Appliance


Module 6 – Configure Trust and Identity at Layer 3

6.1 Cisco IOS Firewall Authentication Proxy


What Is the Authentication Proxy?

• Provides dynamic, per-user HTTP, HTTPS, FTP, and Telnet authentication and authorization via TACACS+ and RADIUS protocols

• Once authenticated, all types of application traffic can be authorized

• The user profiles are active only when there is active traffic from the authenticated users.

• Works on any interface type for inbound or outbound traffic


Authentication Proxy Operation

• When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers the authentication proxy.

• The authentication proxy first checks to see if the user has been authenticated.

• If a valid authentication entry exists for the user, the session is allowed and no further intervention is required by the authentication proxy.

• If no entry exists, the authentication proxy responds to the connection request by prompting the user for a username and password.


Authentication Proxy Operation (Cont.)

• Users must successfully authenticate with the authentication server by entering a valid username and password.

• If the authentication succeeds, the user’s authorization profile is retrieved from the authentication, authorization, and accounting (AAA) server.

• The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound ACL of an input interface, and to the outbound ACL of an output interface if an output ACL exists at the interface.

• By doing this, the firewall allows authenticated users access to the network as permitted by the authorization profile.


Authentication Proxy Operation (Cont.)

• If the authentication fails, the authentication proxy reports the failure to the user and prompts the user for a configurable number of retries.

• The authentication proxy sets up an inactivity, or idle, timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user’s host does not trigger the authentication proxy, and all authorized user traffic is permitted access through the firewall.

• If the idle timer expires, the authentication proxy removes the user’s profile information and dynamic ACL entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP, HTTPS, FTP, or Telnet connection to trigger the authentication proxy.


Supported AAA Servers

• RADIUS: Cisco Secure ACS NT/2000, Cisco Secure ACS UNIX, Lucent

• TACACS+: Cisco Secure ACS NT/2000, Cisco Secure ACS UNIX, TACACS+ Freeware


Authentication Proxy Configuration

• The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs.

• Applying the authentication proxy inward at an interface causes it to intercept a user’s initial connection request before that request is subjected to any other processing by the firewall.

• If the user fails to authenticate with the AAA server, the connection request is dropped.


Authentication Proxy Configuration (Cont.)

• All traffic through an interface can be blocked, and then the authentication proxy feature can be enabled to require authentication and authorization for all user-initiated HTTP, HTTPS, FTP, or Telnet connections.

• Users are authorized for services only after successful authentication with the AAA server.


Enable AAA

Router(config)# aaa new-model

Enables the AAA functionality on the router (default = disabled)


Specify Authentication Protocols

Router(config)# aaa authentication login default method1 [method2]

Defines the list of authentication methods that will be used

Methods: TACACS+, RADIUS, or both

Example:

Router(config)# aaa authentication login default group tacacs+


Specify Authorization Protocols

Router(config)# aaa authorization auth-proxy default method1 [method2]

Use the auth-proxy keyword to enable authorization proxy for AAA methods

Methods: TACACS+, RADIUS, or both

Example:

Router(config)# aaa authorization auth-proxy default group tacacs+


Define a TACACS+ Server and Its Key

Router(config)# tacacs-server host ip_addr

Specifies the TACACS+ server IP address

Router(config)# tacacs-server key string

Specifies the TACACS+ server key

Example:

Router(config)# tacacs-server host 10.0.1.12
Router(config)# tacacs-server key secretkey


Define a RADIUS Server and Its Key

Router(config)# radius-server host ip_addr

Specifies the RADIUS server IP address

Router(config)# radius-server key string

Specifies the RADIUS server key

Example:

Router(config)# radius-server host 10.0.1.12
Router(config)# radius-server key secretkey


Allow AAA Traffic to the Router

– Create an ACL to permit TACACS+ traffic from the AAA server to the firewall

Source address = AAA server

Destination address = interface where the AAA server resides

– May want to permit ICMP

– Deny all other traffic

– Apply the ACL to the interface on the side where the AAA server resides

Example:

Router(config)# access-list 111 permit tcp host 10.0.1.12 eq tacacs host 10.0.1.1
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in


Allow AAA Traffic to the Router (Cont.)

• All traffic requiring authentication and authorization should be denied by the router using extended ACLs.

• Upon successful authentication, dynamic ACEs will be inserted into the ACLs to permit only the traffic authorized by the user profile.

• The authentication proxy customizes each of the ACEs in the user profile by replacing the source IP addresses in the downloaded ACL with the source IP address of the authenticated host.
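A model of the two mechanisms described above (the downloaded profile's ACEs rewritten to the authenticated host and placed ahead of the static inbound ACL, and the inactivity timer that removes them again), written as an added example for this page and not taken from Cisco IOS. The static ACL, the profile ACEs, the host addresses and the clock values are constructed; only the ACE forms used here are parsed, and the absolute timer is not modelled.

```python
"""Model of the IOS Firewall authentication proxy's per-user dynamic ACEs.

Added illustration, not Cisco code. A downloaded profile's ACEs are rewritten so
their source is the authenticated host and placed ahead of the interface's static
inbound ACL; an inactivity timer (default 60 minutes) removes them again. The ACE
grammar handled is just 'permit|deny <proto> <src> <dst> [eq <port>]' with 'any' or
'host A.B.C.D' endpoints; the absolute timer is not modelled."""
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_INACTIVITY_MIN = 60  # default of ip auth-proxy inactivity-timer

@dataclass
class Ace:
    action: str
    proto: str
    src: str                    # "any" or an IPv4 host address
    dst: str
    port: Optional[str] = None  # destination port, or None for any

def parse_ace(text: str) -> Ace:
    """Parse entries such as 'permit tcp any host 10.0.2.3 eq 80'."""
    t = text.split()
    action, proto, rest = t[0], t[1], t[2:]

    def take():  # consume 'any' or 'host A.B.C.D'
        nonlocal rest
        if rest[0] == "host":
            value, rest = rest[1], rest[2:]
        else:
            value, rest = rest[0], rest[1:]
        return value

    src, dst = take(), take()
    port = rest[1] if rest[:1] == ["eq"] else None
    return Ace(action, proto, src, dst, port)

def matches(ace: Ace, proto: str, src: str, dst: str, port: int) -> bool:
    return (ace.proto in ("ip", proto)
            and ace.src in ("any", src)
            and ace.dst in ("any", dst)
            and (ace.port is None or ace.port == str(port)))

@dataclass
class CacheEntry:
    aces: list
    last_seen: float            # minutes; time of the last packet from the host

@dataclass
class AuthProxy:
    """Inbound ACL of the auth-proxy interface plus the per-host authentication cache."""
    static_acl: list
    inactivity_min: int = DEFAULT_INACTIVITY_MIN
    cache: dict = field(default_factory=dict)

    def authenticate(self, host: str, profile: list, now_min: float) -> list:
        """Install the downloaded profile for host: every ACE source becomes the host."""
        aces = [Ace(a.action, a.proto, host, a.dst, a.port) for a in map(parse_ace, profile)]
        self.cache[host] = CacheEntry(aces, now_min)
        return aces

    def expire(self, now_min: float) -> list:
        """Remove entries idle for at least the inactivity timer; returns the hosts dropped."""
        gone = [h for h, e in self.cache.items() if now_min - e.last_seen >= self.inactivity_min]
        for h in gone:
            del self.cache[h]
        return gone

    def effective_acl(self) -> list:
        """Dynamic ACEs first, then the static entries configured on the interface."""
        dynamic = [a for e in self.cache.values() for a in e.aces]
        return dynamic + [parse_ace(s) for s in self.static_acl]

    def permit(self, proto: str, src: str, dst: str, port: int, now_min: float) -> bool:
        """First-match ACL evaluation; traffic from a cached host refreshes its idle timer."""
        self.expire(now_min)
        for ace in self.effective_acl():
            if matches(ace, proto, src, dst, port):
                if src in self.cache:
                    self.cache[src].last_seen = now_min
                return ace.action == "permit"
        return False                # implicit deny at the end of the ACL
```

A second host behind the same interface is still denied after the first one authenticates, because the rewritten ACEs carry only the authenticated host's address.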


Allow AAA Traffic to the Router (Cont.)

• An extended ACL should be applied to the inbound direction of the interface that is configured for proxy authentication.

• All other ACLs that restrict traffic in the direction of authenticated traffic flow should be extended ACLs so that proxy authentication can dynamically update the ACEs as necessary to permit authorized traffic to pass.


Enable the Router HTTP or HTTPS Server

Proxy uses HTTP server for communication with a client

Router(config)# ip http server

Enables the HTTP server on the router

Router(config)# ip http secure-server

Enables the HTTPS server on the router

Router(config)# ip http authentication aaa

Sets the HTTP server authentication method to AAA

Example:

Router(config)# ip http server
Router(config)# ip http authentication aaa


HTTP and HTTPS

• The HTTPS feature requires a Cisco IOS crypto image.

• HTTP-initiated sessions normally exchange the username and password in clear text. This exchange is encrypted when using HTTPS.

• To use the authentication proxy with HTTPS, use the ip http secure-server command to enable the HTTP secure server on the router. Then use the ip http authentication aaa command to require the HTTP server to use AAA for authentication.


Set Global Timers

Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}

inactivity-timer: authentication inactivity timer in minutes (default = 60 minutes)

absolute-timer: absolute activity timer in minutes (default = 0 minutes)

Example:

Router(config)# ip auth-proxy inactivity-timer 120


Set Global Timers – Inactivity Timeout

• The inactivity timeout value is the length of time that an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity.

• To set the global authentication proxy inactivity timeout value, use the ip auth-proxy inactivity-timer global configuration command.


Set Global Timers – Absolute Timeout

• The absolute-timer min option allows administrators to configure a window during which the authentication proxy on the enabled interface is active.

• Once the absolute timer expires, the authentication proxy will be disabled regardless of any activity.

• The global absolute timeout value can be overridden by the local value, which is enabled via the ip auth-proxy name command (next slide).


Define and Apply Authentication Proxy Rules

Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]

Creates an authorization proxy rule

Router(config-if)# ip auth-proxy auth-proxy-name

Applies an authorization proxy rule to an interface

For outbound authentication, apply to inside interface

For inbound authentication, apply to outside interface

Example:

Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule


Authentication Proxy Rules with ACLs

Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}

Creates an authorization proxy rule with an access list

Example:

Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit 10.0.1.0 0.0.0.255
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule


Create auth-proxy Service in the Cisco Secure ACS

Enter the new service: auth-proxy.


Create a User Authentication Profile in the Cisco Secure ACS


User Authorization Profiles


Test and Verify the Configuration


What the User Sees


Clear the Authentication Proxy Cache

Router# clear ip auth-proxy cache {* | ip_addr}

• Clears authentication proxy entries from the router (privileged EXEC command)


show Commands

Router# show ip auth-proxy cache
Router# show ip auth-proxy configuration
Router# show ip auth-proxy statistics

• Display the cache entries, configuration, and statistics of the authentication proxy subsystem (privileged EXEC commands)


debug Commands

Router# debug ip auth-proxy ftp
Router# debug ip auth-proxy function-trace
Router# debug ip auth-proxy http
Router# debug ip auth-proxy object-creation
Router# debug ip auth-proxy object-deletion
Router# debug ip auth-proxy tcp
Router# debug ip auth-proxy telnet
Router# debug ip auth-proxy timer

• Help with troubleshooting (privileged EXEC commands)


Module 6 – Configure Trust and Identity at Layer 3

6.2 Introduction to PIX Security Appliance AAA Features


Types of Authentication


Types of Authorization


Types of Accounting


Module 6 – Configure Trust and Identity at Layer 3

6.3 Configure AAA on the PIX Security Appliance


Types of Access Authentication


Authentication Configuration Steps


Add Users to the Local User Database


AAA Local Authentication Attempts Max-Fail Command


Authentication Prompts


Authentication Timeouts


Cut-Through Proxy


PIX Cut-Through Proxy – Three Ways to Authenticate

• telnet

• http

• ftp


Login Method for Telnet

A prompt is generated by the PIX Firewall.

The user has up to four chances to log in.

If authentication and authorization are successful, the user is prompted for a username and password if required by the destination server.

Figure: the PIX login prompt, followed by the destination server's own prompt.


Login Method for FTP

If an incorrect password is entered, the connection is dropped immediately.

If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via FTP, enter the username and password in the following format:

aaa_user@remote_user and

aaa_password@remote_password


Login Method for HTTP

The browser generates a username and password pop-up window.

If an incorrect password is entered, the user is prompted again (and again).

If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via HTTP, use virtual http.


Login Method for HTTPS

The user gets a prompt generated by the PIX.

The user has up to three chances to log in.

If the username or password fails after the third attempt, the PIX drops the connection.


Enable Authentication – Manually Designating AAA Authentication Parameters

pixfirewall(config)# aaa authentication include|exclude authen_service inbound|outbound|if_name local_ip local_mask foreign_ip foreign_mask group_tag

Defines traffic to be authenticated

authen_service = any, ftp, http, or telnet

any = all TCP traffic

Examples:

pixfirewall(config)# aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include telnet outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include ftp dmz 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


aaa authentication Example

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS

pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


aaa authentication command parameters

include – create a new rule with the specified service to include.

authen_service – the application with which a user is accessing a network. Use any, ftp, http, or telnet.

inbound – authenticate inbound connections. Inbound means that the connection originates on the outside interface and is being directed to the inside interface.

outbound – authenticate outbound connections. Outbound means that the connection originates on the inside and is being directed to the outside interface.

if_name – interface name from which users require authentication.


Virtual Telnet and HTTP


Authentication of Non-Telnet, FTP, or HTTP Traffic


Virtual Telnet


Virtual HTTP


Tunnel User Authentication


Authorization Configuration


User Authorization


Enable Authorization

pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

Defines traffic that requires AAA server authorization

author_service = any, ftp, http, or telnet

any = All TCP traffic

Examples:

pixfirewall(config)# aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization exclude ftp outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


User Authorization


Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic


Authorization of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

author_service = protocol/port

protocol: tcp (6), udp (17), icmp (1), or others (protocol #)

port: single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports); for ICMP, the message type (8 = echo request, 0 = echo reply)

port is not used for protocols other than TCP, UDP, or ICMP

Examples:

pixfirewall(config)# aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
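The include/exclude traffic selection used by the aaa authentication, authorization and accounting commands on the slides above, as an added Python model that is not PIX code. It assumes ftp/http/telnet mean TCP 21/80/23, that an exclude hit overrides an include hit (as the slides' exclude examples imply), that "0" abbreviates 0.0.0.0 with foreign_ip/foreign_mask optional, and it ignores the group_tag; the sample flows are constructed, the sample rules are the slides' own.

```python
"""Model of PIX 'aaa authentication|authorization|accounting include|exclude' rules.

Added illustration, not PIX code. Assumed: ftp/http/telnet = TCP 21/80/23, '0' is
shorthand for 0.0.0.0, foreign_ip/foreign_mask default to all addresses, group_tag
is ignored, and an exclude hit overrides an include hit."""
import ipaddress
from dataclasses import dataclass

WELL_KNOWN = {"ftp": (6, 21), "http": (6, 80), "telnet": (6, 23)}  # assumed ports
PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}

@dataclass
class Flow:
    direction: str   # "inbound" or "outbound"
    ingress_if: str  # interface the connection arrives on, e.g. "inside" or "dmz"
    proto: int       # IP protocol number
    port: int        # TCP/UDP destination port, or ICMP message type
    local_ip: str    # host on the protected side of the firewall
    foreign_ip: str  # host on the far side

@dataclass
class Rule:
    action: str      # "include" or "exclude"
    service: str     # any | ftp | http | telnet | protocol/port
    scope: str       # inbound | outbound | if_name
    local: tuple     # (ip, mask)
    foreign: tuple   # (ip, mask)

def parse_rule(line: str) -> Rule:
    """Parse one 'aaa <authentication|authorization|accounting> ...' line."""
    t = line.split()
    if t[0] != "aaa" or t[1] not in ("authentication", "authorization", "accounting"):
        raise ValueError(f"not an aaa traffic rule: {line}")
    addr = ["0.0.0.0" if x == "0" else x for x in t[5:-1]]  # t[-1] is the group_tag
    if len(addr) == 2:                                       # foreign part omitted
        addr += ["0.0.0.0", "0.0.0.0"]
    return Rule(t[2], t[3], t[4], (addr[0], addr[1]), (addr[2], addr[3]))

def _in_net(ip: str, net: str, mask: str) -> bool:
    m = int(ipaddress.IPv4Address(mask))
    return int(ipaddress.IPv4Address(ip)) & m == int(ipaddress.IPv4Address(net)) & m

def _service_matches(service: str, flow: Flow) -> bool:
    if service == "any":                             # any = all TCP traffic
        return flow.proto == 6
    if service in WELL_KNOWN:
        return (flow.proto, flow.port) == WELL_KNOWN[service]
    proto_s, port_s = service.split("/")             # protocol/port form
    proto = int(proto_s) if proto_s.isdigit() else PROTO_NUM[proto_s]
    if flow.proto != proto:
        return False
    if proto not in (6, 17, 1) or port_s == "0":     # port unused, or 0 = all ports
        return True
    lo, _, hi = port_s.partition("-")                # single port, range, or ICMP type
    return int(lo) <= flow.port <= int(hi or lo)

def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.scope in (flow.direction, flow.ingress_if)
            and _service_matches(rule.service, flow)
            and _in_net(flow.local_ip, *rule.local)
            and _in_net(flow.foreign_ip, *rule.foreign))

def selected(rules, flow: Flow) -> bool:
    """True when an include rule covers the flow and no exclude rule exempts it."""
    hits = [r for r in rules if rule_matches(r, flow)]
    return (any(r.action == "include" for r in hits)
            and not any(r.action == "exclude" for r in hits))

# Rule sets taken from the slides' examples (group tag MYTACACS as on the slides).
SAMPLE_AUTHENTICATION = [parse_rule(s) for s in (
    "aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authentication include ftp dmz 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authentication include any outbound 0 0 MYTACACS",
    "aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS",
)]
SAMPLE_AUTHORIZATION = [parse_rule(s) for s in (
    "aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
)]
```

Running a proposed rule set through `selected()` with a few representative flows shows which hosts and services will be challenged, and which an exclude statement silently exempts.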


Downloadable ACLs


Accounting Configuration


Configuring Accounting for Traffic Through the Firewall

Accounting can be configured for traffic through the firewall.

The syntax for this command is very similar to that of the aaa authentication command.

All parameters are the same except for the acct_service. Possible values for the acct_service parameter are any, ftp, http, telnet, or <protocol/port>.

You do not need to perform any configuration tasks on the Cisco Secure ACS server for it to be able to receive accounting data from a PIX firewall.


Enable Accounting

Defines traffic that requires AAA server accounting

acctg_service = any, ftp, http, or telnet

any = All TCP traffic

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

Examples:

pixfirewall(config)# aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa accounting exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


Enable Accounting Match


Admin Accounting


Command Accounting


Accounting of Non-Telnet, FTP, or HTTP Traffic

When configuring aaa accounting of non-Telnet, FTP, or HTTP traffic, the syntax of the command is slightly different from Telnet, FTP, or HTTP-specific traffic.

The syntax for acctg_service is specified in the format protocol/port.


Accounting of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

acctg_service = protocol/port

protocol: tcp (6), udp (17), or others (protocol #)

port = single port (e.g., 53), port range (e.g., 2000–2050), or port 0 (all ports) (port is not used for protocols other than TCP or UDP)

Examples:

pixfirewall(config)# aaa accounting include udp/53 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa accounting include udp/54-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS


How to View Accounting Information in CSACS-NT

In the navigation bar select Reports and Activity. The Reports and Activity window opens.

Under Reports first select TACACS+ Accounting and then select TACACS+ Accounting active.csv under Select a TACACS+ Accounting file to display the accounting records.
