Configuring AAA Features

After designating at least one authentication server with the aaa-server command, it’s time to define the AAA services to be used by the PIX Firewall. The help aaa command displays the syntax and use for the aaa authentication, aaa authorization, aaa accounting, and aaa proxy-limit commands in summary form.

Server Group Case-Sensitivity Issues

Be aware that AAA does some strange things with case sensitivity. The local user database must be referred to as LOCAL or you get the error “bad auth-server groupname local.” The show aaa command returns an Ambiguous command if the aaa is in uppercase.

The first seven lines of the following output you saw earlier created a new server group called tacacs+ because of the case difference between Line 1 and the default group name.

Pix(config)# aaa-server tacacs+ (inside) host 192.168.1.4 4key timeout 20
Pix(config)# sho aaa-server
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 192.168.1.4 4key timeout 20
Pix(config)#
Pix(config)# aaa authentication telnet console TACACS+
No authentication servers found!
Pix(config)# aaa authentication telnet console Tacacs+
bad auth-server groupname Tacacs+
Pix(config)# aaa authentication telnet console tacacs+
Pix(config)#

Line 9 shows that if you revert back to TACACS+ in the aaa authentication command, you’re notified that no servers are in that group name. They were assigned to tacacs+.

Line 11 shows a straight case mismatch issue and the resulting “bad auth-server groupname Tacacs+” message.

The last two lines confirm that once the case is correct, the command will be accepted.

Authenticating Console Sessions

AAA can be used to authenticate the four types of console connections, plus allowing for unique enable passwords. The configuration mode aaa authentication console command requires authentication verification to access the PIX Firewall unit’s console features. Use the no form of the command to remove the authentication. The syntax is

Pix(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag
Pix(config)# no aaa authentication [serial | enable | telnet | ssh | http] console group_tag

The group_tag can include any server_tag or the local user database (LOCAL). Examples of each of these might look like this:

Pix(config)# aaa authentication serial console LOCAL
Pix(config)# aaa authentication enable console LOCAL
Pix(config)# aaa authentication telnet console TACACS+
Pix(config)# aaa authentication ssh console TACACS+
Pix(config)# aaa authentication http console MyRadius

The Serial Connection and Enable Privilege mode access will be authenticated by the local user database. Telnet and SSH connections are authenticated by the default TACACS+ group, while HTTP connections are authenticated by a named group of RADIUS servers.

Feature Characteristics

The Telnet, HTTP, and SSH connections were covered at the beginning of this chapter.

The Serial option refers to console cable connection. If configured with AAA authentication, it requires a user name and a password combination to gain user-level access (unprivileged). The serial console option also logs any configuration changes made from the serial console to a Syslog server.

The Enable option refers to the enable password that allows access to the Privilege mode from any of the other four console connections. The password required is now the same password used to authenticate into the console session. The Enable option prompts only for a password, not a user name/password combination, regardless of what the documentation might say.

The following output shows that exiting from Privilege mode now logs the user out, and requires a user name and password. The first password effort shows the word “chow” was rejected. Even though chow is a valid password in the user database, it isn’t the same as the login password (pearson).

Pix# exit
Logoff

Username: bill
Password: *******                  (pearson from earlier example)
Type help or '?' for a list of available commands.
Pix> en
Password: ****                     (chow entered)
Password: *******                  (pearson entered)
Pix#

The Enable and SSH options allow only three attempts before stopping with an access denied message. The Serial and Telnet options prompt continually until a successful login.

If the specified server or user database is unavailable, try user name pix and either the Telnet password (set with the passwd command) or enable password for the password. The PIX default if AAA authentication is not configured is no user name and the enable password for the password.

Authenticating User Sessions

The PIX Firewall interacts with FTP, HTTP (Web access), and Telnet protocols to display the correct prompts for logging in to the network or logging in to exit the network. For each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections. The no form of the command removes the entry from the configuration. The syntax is

Pix(config)# aaa authentication {include | exclude} authen_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag Pix(config)# no aaa authentication {include | exclude} authen_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag

authentication	Enable or disable user authentication, prompts user for user name and password, and verifies information with AAA authentication server.
include	Create a new rule for the specified service.
exclude	Create an exception to a previously defined rule by excluding the specified service from authentication, authorization, or accounting to the specified host.
authen_service	Application used to access the network. Use any (tcp/0), ftp, http, or telnet. PIX Firewalls only use FTP, HTTP, and Telnet for authentication. The Any option includes ftp, http, and telnet only.
if_name	Interface name from which users require authentication.
local_ip	IP address of host or network to be authenticated or authorized. 0 combined with 0 local_mask includes all hosts.
local_mask	Netmask of local_ip to define specific host(s). Use 255.255.255.255 for a host address. Use 0 if local_ip is set to 0 to include all hosts.
foreign_ip	IP address of the host(s) to access the local_ip address. 0 to include all hosts.
foreign_mask	Netmask of foreign_ip to define specific host(s). Use 255.255.255.255 for a host. Use 0 if the foreign_ip address is 0 to include all hosts.
server_tag	The AAA server group tag defined by the aaa-server command. Note, protocol “local” is available only for console authentication.

Outbound connections will need a NAT translation pass through the PIX Firewall. Inbound connections still need static and access-list command statements to allow access to inside IP addresses through the PIX Firewall from the outside network.

If both the optional foreign_ip and foreign_mask are omitted, then the default 0 0 is assumed allowing all other hosts. There are no other defaults.

Inbound vs. Outbound

The combination of the if_name, local_ip, and foreign_ip variables defines the flow of the connection being authenticated. The local_ip address is always on the higher security level interface, while the foreign_ip is always on the lower security level. This means the foreign_ip is asking the interface’s (if_name) permission to access the local_ip.

The following example assigns server, 192.168.1.3, to the tacacs+ server group, located on the inside interface. Lines 2 and 3 create two new authentication rules, while Line 4 creates an exception to the rule created by Line 3. The rest of the lines show the resulting entries. Notice the exclude statement moved to the top of the list.

Pix(config)# aaa-server tacacs+ (inside) host 192.168.1.3 3key timeout 20
Pix(config)# aaa authentication include any inside 192.168.1.0 255.255.255.0
 1.10.1.0 255.255.255.0 tacacs+
Pix(config)# aaa authentication include any outside 0 0 tacacs+
Pix(config)# aaa authentication exclude ftp outside 0 0 tacacs+
Pix(config)# show aaa
aaa authentication exclude ftp outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authentication include tcp/0 inside 192.168.1.0 255.255.255.0 1.10.1.0
 255.255.255.0 tacacs+
aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
Pix(config)#

Authorizing Access

Except for its use with command authorization, the aaa authorization command can’t function alone: it requires a previous aaa authentication command. Current PIX OS versions support only TACACS+ servers for this command. RADIUS servers and LOCAL aren’t supported. For each IP address, only one aaa authorization command is permitted. To authorize more than one service, use the any parameter for the service type. The no form of the command removes the entry from the configuration. The syntax is

Pix(config)# aaa authorization {include | exclude} author_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag Pix(config)# no aaa authorization {include | exclude} author_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag

authorization	Enable or disable TACACS+ server to perform user authorization.
author_service	The services that require authorization. Use any, ftp, http, telnet, or protocol/port combination. Services not specified are authorized implicitly. Services defined in the aaa authentication command don’t affect the services that require authorization.

To use Protocol/Port option, use a format like udp/53. The details are as follows:

protocol	The protocol TCP (6), UDP (17), or ICMP (1)
port	TCP, UDP, or ICMP destination port number, such as udp/69 or tcp/25. TCP and UDP protocols can use port range, like tcp/1024–49151. Using 0 for the port means to include all ports, like udp/0. Use any for all TCP services. Protocols other than TCP, UDP, and ICMP won’t work and shouldn’t be used.

Outbound connections need a NAT translation to pass through the PIX Firewall. Inbound connections still need static and access-list command statements to allow access to inside IP addresses through the PIX Firewall from the outside network.

If both the optional foreign_ip and foreign_mask are omitted, then the default 0 0 is assumed and allows all other hosts. No other defaults exist.

The following example shows a variety of protocol/port specifications and the resulting configuration statements. Notice icmp is replaced by the number 1, while tcp/23 is replaced by telnet. The exclude statements move to the top of the configuration.

Pix(config)# aaa authorization include udp/53 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization include tcp/0 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization include icmp/0 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization exclude tcp/23 inside 0 0 0 0 tacacs+
Pix(config)# aaa authorization exclude udp/23 inside 0 0 0 0 tacacs+
Pix(config)# show aaa
aaa authorization exclude udp/23 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization exclude telnet inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization include udp/53 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
aaa authorization include 1/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacs+
Pix(config)#

Accounting for Resource Usage

User accounting services keep a record of which network services a user has accessed, and these records are stored on the designated AAA server. Accounting information is only sent to the active server in a server group. The aaa accounting command always follows the aaa authentication command. The no form of the command removes the entry from the configuration. The syntax is

Pix(config)#aaa accounting {include | exclude} acct_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag Pix(config)#no aaa accounting {include | exclude} acct_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag

accounting	Enable or disable accounting services with authentication server. Must be a TACACS+ or RADIUS servers. Local user database isn’t supported.
acct_service	The accounting service. Accounting is provided for all services or you can limit it to one or more services. Use any, ftp, http, telnet, or protocol/port combination. Use any to provide accounting for all TCP services. The Protocol/Port option is the same as in aaa authorization.

Outbound connections need a NAT translation pass through the PIX Firewall. Inbound connections still need static and access-list command statements to allow access to inside IP addresses through the PIX Firewall from the outside network.