Identity on Cisco Firewalls : Administrative Access Control on ASA

The previous section presented in great detail the theory of operation of a flexible and scalable access control architecture that leverages some characteristics of the TACACS+ protocol design and the maturity of the Cisco Secure ACS product.

The concepts previously discussed for IOS are still valid for ASA, but some configuration and implementation details are different. The examples analyzed in this section point out the relevant distinctions.

Example 1 reminds you that individual command authorization is not supported by RADIUS.

Example 1. Individual Command Authorization Is Not Supported by RADIUS
! Verifying the available arguments for the command "aaa authorization command"

ASA1(config)# aaa authorization command ?
configure mode commands/options:
LOCAL Predefined server tag for AAA protocol 'local'
WORD Specify the name of a TACACS+ aaa-server group to be used for command authorization


Example 2 shows the baseline configuration for enabling command authorization and accounting on ASA.

Example 2. Basic Configuration for ASA Command Authorization and Accounting
! Defining an AAA server-group called TACACS1

aaa-server TACACS1 protocol tacacs+
aaa-server TACACS1 (dmz) host 172.21.21.250
key cisco123
!
! Defining the LOGIN authentication method for the console line

aaa authentication serial console LOCAL
!
! Defining TACACS+ as the method for Telnet Authentication

aaa authentication telnet console TACACS1
!
! Defining TACACS+ as the method for Enable Authentication

aaa authentication enable console TACACS1
!
! Defining EXEC session authorization (does not include console line)

aaa authorization exec authentication-server
!
! Accounting, for all the configured forms of access, uses TACACS+

aaa accounting telnet console TACACS1
aaa accounting serial console TACACS1
!
! Defining TACACS+ as the method for command authorization

aaa authorization command TACACS1
!
! Defining TACACS+ as the method for command accounting

aaa accounting command TACACS1


Note

In IOS, you can assign a value of “15” to the user privilege level (priv-lvl=15) during EXEC authorization. This approach makes it possible for IOS to eliminate the enable authentication process and rely on shell command authorization sets for authorizing commands of any level. ASA does not allow the priv-lvl to be assigned directly and therefore requires the aaa authentication enable console command.


Example 3 depicts a command authorization failure for ASA. Authorization failures do not generate accounting records because accounting, strictly speaking, is associated with successful operations (authentication or authorization). Refer to Figure 1, which shows a sample log of Failed Attempts of command execution in CS-ACS (Reports and Activity section).

Figure 1. Sample ASA Command Authorization Failures in CS-ACS (“Failed Attempts”)

Example 3. User Issues Command not allowed by Shell Command Set
! Command "show route" not authorized

mk_pkt - type: 0x2, session_id: 417
mkpkt - authorize user: user2
cmd=show
cmd-arg=route Tacacs packet sent
Sending TACACS Authorization message. Session id: 417, seq no:1
Received TACACS packet. Session id:1761304772 seq no:2
tacp_procpkt_author: FAIL
TACACS Session finished. Session id: 417, seq no: 1

Examples 4 and 5 contrast ASA behavior regarding command accounting when a show command is issued. Although the show command is individually authorized, ASA does not send an accounting message registering it.

Figure 2 displays some examples of command accounting for the ASA. Notice the absence of show commands in the CS-ACS report.

Figure 2. Sample ASA Command Accounting in CS-ACS (“TACACS+ Administration”)

Example 4. User Issues an Authorized “show” Command

mk_pkt - type: 0x2, session_id: 421
mkpkt - authorize user: user2
cmd=show
cmd-arg=uauth Tacacs packet sent
Sending TACACS Authorization message. Session id: 421, seq no:1
Received TACACS packet. Session id:1409549404 seq no:2
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
TACACS Session finished. Session id: 421, seq no: 1


Example 5. User Issues Authorized Command (not a “show” command)
! User issues "ping 172.21.21.1" (successful authorization and accounting)

mk_pkt - type: 0x2, session_id: 419
mkpkt - authorize user: user2
cmd=ping
cmd-arg=172.21.21.1 Tacacs packet sent
Sending TACACS Authorization message. Session id: 419, seq no:1
Received TACACS packet. Session id:998474355 seq no:2
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
TACACS Session finished. Session id: 419, seq no: 1
!
mk_pkt - type: 0x3, session_id: 420
mkpkt - accounting username: user2
remote ip : 172.21.21.101 task_id=40
Tacacs packet sent
Sending TACACS Accounting message. Session id: 420, seq no:1
Received TACACS packet. Session id:15914798 seq no:2
TACACS Session finished. Session id: 420, seq no: 1
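The following is an added example, not code from the book or from the ASA, that turns the two observations above into a check a defender can run over debug tacacs output: it parses sessions in the format of Examples 3 through 5 and labels each authorization request as FAIL (no accounting record is ever produced, as in Example 3), UNACCOUNTED (authorized but never accounted, the show case of Example 4), or ACCOUNTED (Example 5). The sample lines are constructed from the examples on this page with the sending/receiving chatter omitted, and the rule that an accounting session is paired with the authorization session immediately preceding it for the same user is an assumption of this example.

```python
import re

AUTHOR, ACCT = "0x2", "0x3"  # TACACS+ packet types seen in "debug tacacs" output
# Constructed sample in the format of Examples 3-5 (sending/receiving chatter omitted)
SAMPLE = """mk_pkt - type: 0x2, session_id: 417
mkpkt - authorize user: user2
cmd=show
cmd-arg=route Tacacs packet sent
tacp_procpkt_author: FAIL
mk_pkt - type: 0x2, session_id: 421
mkpkt - authorize user: user2
cmd=show
cmd-arg=uauth Tacacs packet sent
tacp_procpkt_author: PASS_ADD
mk_pkt - type: 0x2, session_id: 419
mkpkt - authorize user: user2
cmd=ping
cmd-arg=172.21.21.1 Tacacs packet sent
tacp_procpkt_author: PASS_ADD
mk_pkt - type: 0x3, session_id: 420
mkpkt - accounting username: user2"""

def parse_sessions(text):
    """Split debug output into per-session dicts: type, user, cmd, arg, result."""
    sessions = []
    for line in text.splitlines():
        if m := re.match(r"mk_pkt - type: (0x[0-9a-f]+), session_id: \d+", line):
            sessions.append({"type": m[1], "user": None, "cmd": None, "arg": "", "result": None})
        elif m := re.match(r"mkpkt - \w+ user(?:name)?: (\S+)", line):
            sessions[-1]["user"] = m[1]
        elif line.startswith("cmd="):
            sessions[-1]["cmd"] = line[4:].strip()
        elif line.startswith("cmd-arg="):  # ASA appends "Tacacs packet sent" here
            sessions[-1]["arg"] = line[8:].replace("Tacacs packet sent", "").strip()
        elif line.startswith("tacp_procpkt_author:"):
            sessions[-1]["result"] = line.split(":", 1)[1].strip()
    return sessions

def audit(text):
    """Label each authorization FAIL, ACCOUNTED or UNACCOUNTED; an accounting session
    (0x3) is paired with the authorization right before it for the same user (assumed)."""
    sessions, report = parse_sessions(text), []
    for i, s in enumerate(sessions):
        if s["type"] != AUTHOR:
            continue
        nxt = sessions[i + 1] if i + 1 < len(sessions) else None
        accounted = bool(nxt and nxt["type"] == ACCT and nxt["user"] == s["user"])
        status = "FAIL" if s["result"] == "FAIL" else ("ACCOUNTED" if accounted else "UNACCOUNTED")
        report.append((s["user"], f'{s["cmd"]} {s["arg"]}'.strip(), status))
    return report
```

Running audit(SAMPLE) reports the show route failure, the unaccounted show uauth, and the accounted ping, which is exactly what the CS-ACS "TACACS+ Administration" report of Figure 2 would and would not show.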