AAA on the PIX Firewall

The Cisco PIX Firewall supports AAA network security services. This chapter assumes familiarity with Authentication, Authorization, and Accounting (AAA), introduced in Chapter 4, and basic installation of Cisco Secure ACS software, covered in Chapter 5. AAA configuration involves defining the AAA server(s), and then the services that will use AAA authentication. Optionally, AAA authorization and accounting can be configured.

Defining the AAA Server

Use the configuration mode aaa-server commands to specify AAA server groups. AAA server groups are defined by a tag name. If the first authentication server defined in the group fails, AAA fails over to the next server in the tag group. There can be up to 14 tag groups, and each group can have up to 14 AAA servers, for a total of up to 196 AAA servers.

Creating a Server Group (Optional)

The following command creates a server group, assigns a name (server_tag) to the group, and—most important—specifies which protocol is used by the group. Use the clear aaa-server command to remove a named server group. The syntax is

Pix(config)# aaa-server server_tag protocol [tacacs+ | radius]
Pix(config)# clear aaa-server server_tag

This command is optional because three default server groups are defined on the PIX Firewall in v6.2 that can be used. The show aaa-server command shows the default groups.

Pix(config)# show aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
Pix(config)#

Notice the group name (tag) is nothing more than the protocol name. This provides backward compatibility to older OS versions. Another group should only be created if several AAA servers exist and it would help to keep their functions straight. The LOCAL group was added in version 6.2, and can be used for authentication and command authorization. This new feature is covered in the next section.

The following output shows creating separate TACACS+ server groups for inbound and outbound traffic, plus a RADIUS group for accounting functions. The server tags are up to the administrator, but should be descriptive. The server tags are case sensitive.

Pix(config)# aaa-server TacIn protocol tacacs+
Pix(config)# aaa-server TacOut protocol tacacs+
Pix(config)# aaa-server RadAcctg protocol radius

The remaining AAA commands use the group tag to identify which group of servers will perform the AAA function.

Defining the Server Group

The next command defines the connecting PIX interface, server IP address, an optional encryption key shared with the AAA server, and an optional retransmit timer. The default interface is (inside). If more than one server is defined in the group, they’ll be used in order of entry. This command doesn’t verify the existence of the server(s). Use the no form of the command to remove the server from the group. The syntax is

Pix(config)# aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]
Pix(config)# no aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]

host server_ip	IP address of the TACACS+ or RADIUS server.
key	Case-sensitive, alphanumeric key up to 127 characters, shared by the PIX and AAA server for encrypting data between them. No spaces, but most special characters are allowed.
timeout seconds	Retransmit timer. The time the PIX unit waits for each transmit attempt. After four failed attempts to reach the AAA server, PIX transmits to the next server. Default: five seconds (range 1 to 30 seconds).

Note?

The server_tag is case sensitive. The way you type it here determines how it must be addressed in future AAA commands. If you type one of the default groups TACACS+ or RADIUS in any other case, then you create a new server group using the default protocol tacacs+.

This example tries to demonstrate this case importance. The first command, show aaa-server, displays the default groups. Lines 5 and 6 show an attempt to assign a server to each of the default server groups (TACACS+ and RADIUS). The next show aaa-server command reveals that two new groups were created and they both use the tacacs+ protocol.

Pix(config)# show aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
Pix(config)# aaa-server tacacs+ (inside) host 192.168.1.3 3key timeout 20
Pix(config)# aaa-server radius host 192.168.1.4 4key
Pix(config)# show aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 192.168.1.3 3key timeout 20
aaa-server radius protocol tacacs+
aaa-server radius (inside) host 192.168.1.4 4key timeout 10
Pix(config)#

The following example creates the RadIn and TacOut server groups and defines two inside servers to each. From the previous example, you know Line 1 is necessary, but Line 4 could be omitted.

Pix(config)# aaa-server RadIn protocol radius
Pix(config)# aaa-server RadIn (inside) host 192.168.1.5 5key timeout 10
Pix(config)# aaa-server RadIn (inside) host 192.168.1.6 6key
Pix(config)# aaa-server TacOut protocol tacacs+
Pix(config)# aaa-server TacOut host 192.168.1.7 7key timeout 20
Pix(config)# aaa-server TacOut host 192.168.1.8 8key

Local User Database

PIX Firewall software v6.2 introduced the concept of the local user authentication database, common in router configurations to the PIX Firewall family. Like its router relatives, the local PIX Firewall user authentication database consists of the users entered with the username command. The PIX Firewall login command can use this database for authentication. Use the no form of the command to remove a user from the database. The syntax is

Pix(config)# username usr_name {[{nopassword | password password} [encrypted]]
[privilege level]}
Pix(config)# no username usr_name

The minimum usr_name and password are four and three alphanumeric characters, respectively. Because the PIX automatically encrypts all passwords, the encrypted option means the entry will already be encrypted.

Use the show username [usr_name] command to display the users defined in the local PIX Firewall user authentication database.

Pix(config)# username admin7 password cisCo7 privilege 7
Pix(config)# username bill password pearson privilege 12
Pix(config)# username mike password chow privilege 15
Pix(config)# show username
username mike password 6NVlMI5JXIWRfMS7 encrypted privilege 15
username admin7 password zs7H.SH1jCsgkxKA encrypted privilege 7
username bill password 7/y5W7TBQ4r2o7OF encrypted privilege 12
Pix(config)#
Pix(config)# no username bill
Pix(config)# no username mike
Pix(config)# no username admin7
Warning:Local user database is empty and there are still 'aaa' commands for 
'LOCAL'.
Pix(config)#

The preceding example shows how to remove users from the local user database. The warning shows the result of removing the last user if some features, such as AAA, are using the local user database.

The login Command

The login command can be used to log a user into the PIX Firewall, another privilege level, or another Command mode using the local user authentication database. This command is available in Unprivileged mode. The user can use the logout, exit, or quit commands to go back to Unprivileged mode. The following example shows the prompt after a login command.

Pix> login
Username:
Username: mike
Password: ****
Pix#

Local User Database and AAA

Cisco Secure ACS AAA services support using the local user database (LOCAL) as an alternative to TACACS+ or RADIUS servers for user authentication and command authorization tasks. The following output shows using the local user database with AAA commands. The details of these commands are reviewed in the next pages.

Pix(config)# aaa authentication telnet console LOCAL
Pix(config)# aaa authentication enable console LOCAL
Pix(config)# aaa authorization command LOCAL

Verifying AAA Services

Use the show aaa (not show AAA) command to list AAA services configured, as shown in the following example:

Pix(config)# sho aaa
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
Pix(config)#

Configuring AAA Features

After designating at least one authentication server with the aaa-server command, it’s time to define the AAA services to be used by the PIX Firewall. The help aaa command displays the syntax and use for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.

Server Group Case-Sensitivity Issues

Be aware that AAA does some strange things with case sensitivity. The local user database must be referred to as LOCAL or you get the error “bad auth-server groupname local.” The show aaa command returns an Ambiguous command if the aaa is in uppercase.

The first seven lines of the following output you saw earlier created a new server group called tacacs+ because of the case difference between Line 1 and the default group name.

Pix(config)# aaa-server tacacs+ (inside) host 192.168.1.4 4key timeout 20
Pix(config)# sho aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 192.168.1.4 4key timeout 20
Pix(config)#
Pix(config)# aaa authentication telnet console TACACS+
No authentication servers found!
Pix(config)# aaa authentication telnet console Tacacs+
bad auth-server groupname Tacacs+
Pix(config)# aaa authentication telnet console tacacs+
Pix(config)#

Line 9 shows that if you revert back to TACACS+ in the aaa authentication command, you’re notified that no servers are in that group name. They were assigned to tacacs+.

Line 11 shows a straight case mismatch issue and the resulting “bad auth-server groupname Tacacs+” message.

The last two lines confirm that once the case is correct, the command will be accepted.

Authenticating Console Sessions

AAA can be used to authenticate the four types of console connections, plus allowing for unique enable passwords. The configuration mode aaa authentication console command requires authentication verification to access the PIX Firewall unit’s console features. Use the no form of the command to remove the authentication. The syntax is

Pix(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag
Pix(config)# no aaa authentication [serial | enable | telnet | ssh | http] console group_tag

The group_tag can include any server_tag or the local user database (LOCAL). Examples of each of these might look like this:

Pix(config)# aaa authentication serial console LOCAL
Pix(config)# aaa authentication enable console LOCAL
Pix(config)# aaa authentication telnet console TACACS+
Pix(config)# aaa authentication ssh console TACACS+
Pix(config)# aaa authentication http console MyRadius

The Serial Connection and Enable Privilege mode access will be authenticated by the local user database. Telnet and SSH connections are authenticated by the default TACACS+ group, while HTTP connections are authenticated by a named group of RADIUS servers.

Feature Characteristics

The Telnet, HTTP, and SSH connections were covered at the beginning of this chapter.

The Serial option refers to console cable connection. If configured with AAA authentication, it requires a user name and a password combination to gain user-level access (unprivileged). The serial console option also logs any configuration changes made from the serial console to a Syslog server.

The Enable option refers to the enable password that allows access to the Privilege mode from any of the other four console connections. The password required is now the same password used to authenticate into the console session. The Enable option prompts only for a password, not a user name/password combination, regardless of what the documentation might say.

The following output shows that exiting from Privilege mode now logs the user out, and requires a user name and password. The first password effort shows the word “chow” was rejected. Even though chow is a valid password in the user database, it isn’t the same as the login password (pearson).

Pix# exit
Logoff

Username: bill
Password: ******* ?????????????????(pearson from earlier example)
Type help or '?' for a list of available commands.
Pix> en
Password: **** ????????????????????(chow entered)
Password: ******* ?????????????????(pearson entered)
Pix#

The Enable and SSH options allow only three attempts before stopping with an access denied message. The Serial and Telnet options prompt continually until a successful login.

If the specified server or user database is unavailable, try user name pix and either the Telnet password (set with the passwd command) or enable password for the password. The PIX default if AAA authentication is not configured is no user name and the enable password for the password.

Authenticating User Sessions

The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet protocols to display the correct prompts for logging in to the network or logging in to exit the network. For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. The no form of the command removes the entry from the configuration. The syntax is

Pix(config)# aaa authentication {include | exclude} authen_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag Pix(config)# no aaa authentication {include | exclude} authen_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag

authentication	Enable or disable user authentication, prompts user for user name and password, and verifies information with AAA authentication server.
include	Create a new rule for the specified service.
exclude	Create an exception to a previously defined rule by excluding the specified service from authentication, authorization, or accounting to the specified host.
authen_service	Application used to access the network. Use any (tcp/0), ftp, http, or telnet. PIX Firewalls only use FTP, HTTP, and Telnet for authentication. The Any option includes ftp, http, and telnet only.
if_name	Interface name from which users require authentication.
local_ip	IP address of host or network to be authenticated or authorized. 0 combined with 0 local_mask includes all hosts.
local_mask	Netmask of local_ip to define specific host(s). Use 255.255.255.255 for a host address. Use 0 if local_ip is set to 0 to include all hosts.
foreign_ip	IP address of the host(s) to access the local_ip address. 0 to include all hosts.
foreign_mask	Netmask of foreign_ip to define specific host(s). Use 255.255.255.255 for a host. Use 0 if the foreign_ip address is 0 to include all hosts.
server_tag	The AAA server group tag defined by the aaa-server command. Note, protocol “local” is available only for console authentication.

Outbound connections will need a NAT translation pass through the PIX Firewall. Inbound connections still need static and access-list command statements to allow access to inside IP addresses through the PIX Firewall from the outside network.

If both the optional foreign_ip and foreign_mask are omitted, then the default 0 0 is assumed allowing all other hosts. There are no other defaults.

Inbound vs. Outbound

The combination of the if_name, local_ip, and foreign_ip variables defines the flow of the connection being authenticated. The local_ip address is always on the higher security level interface, while the foreign_ip is always on the lower security level. This means the foreign_ip is asking the interface’s (if_name) permission to access the local_ip.

The following example assigns server, 192.168.1.3, to the tacacs+ server group, located on the inside interface. Lines 2 and 3 create two new authentication rules, while Line 4 creates an exception to the rule created by Line 3. The rest of the lines show the resulting entries. Notice the exclude statement moved to the top of the list.

Pix(config)# aaa-server tacacs+ (inside) host 192.168.1.3 3key timeout 20
Pix(config)# aaa authentication include any inside 192.168.1.0 255.255.255.0
 1.10.1.0 255.255.255.0 tacacs+
Pix(config)# aaa authentication include any outside 0 0 tacacs+
Pix(config)# aaa authentication exclude ftp outside 0 0 tacacs+
Pix(config)# show aaa
aaa authentication exclude ftp outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication include tcp/0 inside 192.168.1.0 255.255.255.0 1.10.1.0
 255.255.255.0 tacacs+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
Pix(config)#

Authorizing Access

Except for its use with command authorization, the aaa authorization command can’t function alone: it requires a previous aaa authentication command. Current PIX OS versions support only TACACS+ servers for this command. RADIUS servers and LOCAL aren’t supported. For each IP address, only one aaa authorization command is permitted. To authorize more than one service, use the any parameter for the service type. The no form of the command removes the entry from the configuration. The syntax is

Pix(config)# aaa authorization {include | exclude} author_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag Pix(config)# no aaa authorization {include | exclude} author_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag

authorization	Enable or disable TACACS+ server to perform user authorization.
author_service	The services that require authorization. Use any, ftp, http, telnet, or protocol/port combination. Services not specified are authorized implicitly. Services defined in the aaa authentication command don’t affect the services that require authorization.

To use Protocol/Port option, use a format like udp/53. The details are as follows:

protocol	The protocol TCP (6), UDP (17), or ICMP (1)
port	TCP, UDP, or ICMP destination port number, such as udp/69 or tcp/25. TCP and UDP protocols can use port range, like tcp/1024–49151. Using 0 for the port means to include all ports, like udp/0. Use any for all TCP services. Protocols other than TCP, UDP, and ICMP won’t work and shouldn’t be used.

Outbound connections need a NAT translation to pass through the PIX Firewall. Inbound connections still need static and access-list command statements to allow access to inside IP addresses through the PIX Firewall from the outside network.

If both the optional foreign_ip and foreign_mask are omitted, then the default 0 0 is assumed and allows all other hosts. No other defaults exist.

The following example shows a variety of protocol/port specifications and the resulting configuration statements. Notice icmp is replaced by the number 1, while tcp/23 is replaced by telnet. The exclude statements move to the top of the configuration.

Pix(config)# aaa authorization include udp/53 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization include tcp/0 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization include icmp/0 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization exclude tcp/23 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization exclude udp/23 inside 0 0 0 0 tacacs+
Pix(config)# show aaa
aaa authorization exclude udp/23 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization exclude telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization include udp/53 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization include 1/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
Pix(config)#

Accounting for Resource Usage

User accounting services keep a record of which network services a user has accessed, and these records are stored on the designated AAA server. Accounting information is only sent to the active server in a server group. The aaa accounting command always follows the aaa authentication command. The no form of the command removes the entry from the configuration. The syntax is

Pix(config)#aaa accounting {include | exclude} acct_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag Pix(config)#no aaa accounting {include | exclude} acct_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag

accounting	Enable or disable accounting services with authentication server. Must be a TACACS+ or RADIUS servers. Local user database isn’t supported.
acct_service	The accounting service. Accounting is provided for all services or you can limit it to one or more services. Use any, ftp, http, telnet, or protocol/port combination. Use any to provide accounting for all TCP services. The Protocol/Port option is the same as in aaa authorization.

Outbound connections need a NAT translation pass through the PIX Firewall. Inbound connections still need static and access-list command statements to allow access to inside IP addresses through the PIX Firewall from the outside network.

If both the optional foreign_ip and foreign_mask are omitted, then the default 0 0 is assumed and allows all other hosts. No other defaults exist.

The following example demonstrates the aaa accounting commands.

Pix(config)# aaa accounting include any outside 0 0 0 0 tacacs+
Pix(config)# aaa accounting include udp/0 outside 0 0 0 0 tacacs+
Pix(config)# show aaa
aaa accounting include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa accounting include udp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
Pix(config)#

Access Lists with AAA

You can use an access list to determine the addresses that will be allowed to authenticate. The access list is then linked to the aaa command via the match acl_name feature. The keyword permit means “yes” and deny means “no.” The syntax for this command is as follows:

Pix(config)# aaa {authentication | authorization | accounting} match acl_name if_name server_tag
Pix(config)# no aaa {authentication | authorization | accounting} match acl_name if_name server_tag

Pix(config)# access-list acl_out permit tcp 192.168.1.0 255.255.255.0 any
Pix(config)# aaa authentication match acl_out outside tacacs+
Pix(config)# show aaa
aaa authentication match acl_out outside tacacs+
Pix(config)#

Command-Level Authorization

Beginning with PIX Firewall software v6.2, the PIX Firewall devices support command-level authorization. This is user-defined command privilege levels (0 to 15) for PIX Firewall CLI commands, similar to the privilege levels supported on Cisco routers (Chapter 2) and switches. Local command authorization is done by assigning privilege levels to commands and users with the privilege and user name commands, respectively. Remote command authorization is done through one or more TACACS+ AAA servers.

By using a Cisco Secure ACS server, you can define authorized CLI command sets on a per-user basis without needing to define command sets across all users. This feature is consistent with other downloadable Cisco Secure ACS features covered in several chapters.

Privilege-level command tracing is supported using the PIX Firewall Syslog features. Privilege configuration updates are displayed in the show version command output.

Remote Command Authorization

As seen earlier in this chapter, PIX Firewall users can authenticate using an AAA TACACS+ or RADIUS server, or by using the LOCAL user database. Command authorization can be implemented using the LOCAL database or a TACACS+ server. Implementing command authorization assumes the following software and hardware versions:

PIX Software version 6.2
CiscoSecure Access Control Server (ACS) for Windows version 3.0 (CSNT)

CiscoSecure ACS for UNIX (CSUnix) version 2.3.6

Note?

Command-level authorization sets work correctly with Cisco Secure ACS for Windows Version 3.0.2 or higher. Other 3.0 users should look for the patch available on the PIX Software download page.

Use the Configuration mode aaa authorization command command to enable command authorization. Only one command authorization method can be defined at a time. Use the no form of the command to remove the entry. The syntax is as follows:

Pix(config)# aaa authorization command {LOCAL | tacacs_server_tag}
Pix(config)# no aaa authorization command {LOCAL | tacacs_server_tag}

The following example shows defining the LOCAL database to perform command authorization:

Pix(config)# aaa authorization command LOCAL
Pix(config)# show aaa
aaa authorization command LOCAL
Pix(config)#

The next section looks at the privilege-level features incorporated into the PIX Firewall to facilitate command-level authorization.

Firewall Privilege Levels

Use the configuration mode privilege command to set user-defined privilege levels for specified PIX Firewall commands. This command is modeled after the Cisco IOS privilege command feature. The structure of this command makes it easy to set different privilege levels for related configuration, show, and clear commands.

When both commands and users have privilege levels set, the two can be compared to determine if the user can execute a specific command. If the user’s privilege level is lower than the command’s privilege level, the user is prevented from using the command. Use the no form of the command to remove the privilege declaration. The syntax is

Pix(config)# privilege [show | clear | configure] level level [mode {enable | configure}] command command Pix(config)# no privilege [show | clear | configure] level level [mode {enable | configure}] command command

show	Sets the privilege level for the specified show command.
clear	Sets the privilege level for the specified clear command.
configure	Sets the privilege level for the specified configure command.
level level	Privilege level (0 to 15). The lower the numbers, the lower the privilege.
enable	For commands in both Enable and Configuration modes, indicates the enable mode command.
configure	For commands in both Enable and Configuration modes, indicates the configure mode command.
command command	The command to allow. Use the no command form to disallow.

Any aaa authentication and aaa authorization commands must be updated to include any new privilege levels before they can be used with the AAA server configuration.

Use the show curpriv command to display the current privilege level for a user and show privilege [all | command command | level level] to display the privileges for a command or set of commands.

The following output shows creating a user admin7 assigned to privilege level 7, and then a series of show commands available to privilege level 7.

Pix(config)# username admin7 password cisCo7 privilege 7
Pix(config)# show username 
username admin7 passowrd zs7H.SH1jCsgkxKA encrypted privelege 7
Pix (config)# privilege show level 7 command ip
Pix (config)# privilege show level 7 command interface
Pix (config)# privilege show level 7 command nat
Pix (config)# privilege show level 7 command xlate
Pix (config)# privilege show level 7 command global

The following output shows the results of logging in as admin7, the show curpriv command showing the privilege level, and an attempt to run two commands not defined for privilege level 7. P_UNPR indicates user (unprivileged) level, P_PRIV indicates that the enable command has been issued.

Pix# exit
Logoff

Username: admin7
Password: ******
Type help or '?' for a list of available commands.
Pix> show curpriv
Username : admin7
Current privilege level : 1
Current Mode/s : P_UNPR
Pix> en
Password: ******
Pix# show curpriv
Username : admin7
Current privilege level : 7
Current Mode/s : P_PRIV
Pix# show username
Command authorization failed
Pix# reload
Command authorization failed
Pix#

Configuring Cisco Secure ACS for Windows

Understanding the process of configuring Cisco Secure ACS for Windows is an exam objective, and this topic was covered in Chapters 4 and 8. Review that material, and, if possible, get a little hands-on experience configuring an ACS server.