Securing access to ASA/PIX Firewall with AAA commands
Cisco Forum FAQ

When no AAA commands are configured, a PIX or ASA needs a login password (set with the passwd command) and an enable password before it is remotely accessible via telnet. Using a more secure remote access method such as ssh is preferable and often required. A router needs no AAA for ssh (a local username plus login local on the vty lines is enough), but a PIX or ASA without AAA only accepts ssh logins as the built-in username pix with the telnet login password, so per-user ssh access on the PIX or ASA requires a proper AAA command set. With a proper AAA command set, every access attempt via telnet, ssh, http/https (PDM or ASDM), enable mode and, when aaa authentication serial console is also configured, the physical console port is authenticated against the same credentials. SNMP is not covered by these commands; it is secured separately with community strings or SNMPv3 users.

Similar to a router, the PIX or ASA can use either local credentials or remote credentials stored on an external AAA server such as TACACS+ or RADIUS. Using an external server for authentication is highly recommended: accounts are managed in one place, every login and command can be logged centrally, and the administrators no longer share a single set of passwords hard-coded on the firewall. Keep at least one local account anyway so that the firewall stays manageable when the server is unreachable.

The AAA command sets below have been tested in various situations, including automatic failover from the TACACS+ server to the local credentials or the local enable password while the TACACS+ server is unreachable because the server or the network is down. The AAA command set that authenticates against local credentials only is introduced first to give a preliminary understanding; utilization of an external TACACS+ server is introduced afterward for a stronger security perimeter.

PIX Firewall running OS version 6.3

1. Using Local Credential

Sample #1:

    username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL

Note: To log in, enter the local username and password. To enter privileged mode, enter the enable password. Because the enable password is not tied to a username, every administrator shares it; Sample #2 removes that.
Sample #2:

    username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL

Note: The password to log in and the password to enter privileged mode are the same, the one set on the username command. Therefore you do not use the enable password to enter privileged mode; the user lands at the privilege level assigned on the username command, and aaa authorization command LOCAL then limits each user to the commands allowed at that level.

2. Using External TACACS+ Server

    username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
    aaa-server LOCAL protocol local
    aaa authentication http console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+ LOCAL

Note: When the TACACS+ server fails, the PIX Firewall uses the local credentials to authenticate access. "Fails" means the server does not answer: a request that gets no reply within timeout 10 seconds counts as a failed attempt, after max-failed-attempts 3 the server is marked failed and skipped for deadtime 10 minutes, and only then is the LOCAL database consulted. A login that the server answers with a reject is not retried against the local database. Expect the first login after the server goes down to hang for up to about timeout × max-failed-attempts seconds before LOCAL takes over. The local username must therefore exist and carry the privilege level you want it to have during the outage, and the secret key must match the key configured for this firewall on the TACACS+ server.

ASA or PIX Firewall running OS version 7.0 or newer

1. Using Local Credential

Sample #1:

    username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL

Note: To log in, enter the local username and password. To enter privileged mode, enter the enable password. On 7.0 and newer the LOCAL server group is predefined, so the aaa-server LOCAL protocol local line is not required.
Sample #2:

    username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server LOCAL protocol local
    aaa authentication http console LOCAL
    aaa authentication telnet console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL

Note: The password to log in and the password to enter privileged mode are the same, the one set on the username command. Therefore you do not use the enable password to enter privileged mode.

2. Using External TACACS+ Server

    username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
    enable password [ENTER ENABLE MODE PASSWORD HERE]
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
    aaa-server LOCAL protocol local
    aaa authentication http console TACACS+ LOCAL
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authorization command TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+
    aaa accounting telnet console TACACS+
    aaa accounting command TACACS+

Note: When the TACACS+ server fails (does not answer), the ASA or PIX Firewall uses the local credentials to authenticate access, with the same timeout, max-failed-attempts and deadtime behaviour described for 6.3 above; a reject from the server does not fall back to LOCAL. FYI, the aaa accounting command set against TACACS+ is available starting at OS version 7.0 or newer; it sends a record of every login, enable and command to the TACACS+ server, which is the audit trail that justifies the external server in the first place. On 7.0 and newer the running configuration shows the group parameters in submode form: max-failed-attempts and the deadtime (reactivation-mode depletion deadtime 10) under the aaa-server TACACS+ protocol tacacs+ group, and key and timeout under the aaa-server TACACS+ (inside) host line. If you also want the physical console port authenticated, add aaa authentication serial console TACACS+ LOCAL (and aaa accounting serial console TACACS+); the samples above leave the console port on the plain login password.

Setting local account privilege level and authorized command list

Referring to the FAQ "Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level" (Cisco Forum FAQ), there is a discussion of making certain Privilege Level 15 commands available to Privilege Level 0 users. Let's say the following commands are authorized for those Privilege Level 0 users in addition to the default Privilege Level 0 command list:

    show arp
    show interface
    show ip (i.e. show ip address, show ip audit count)
    show route
    show crypto (i.e. show crypto isakmp, show crypto ipsec)
    show conn
    show cpu
    show memory
    show xlate
    clear xlate
    ping

As discussed in the linked FAQ, a centralized TACACS+ server should regulate those commands. However, when the network is down or the TACACS+ server is unreachable, those Privilege Level 0 users should still be able to issue those commands. Because aaa authorization command TACACS+ LOCAL falls back to the local privilege levels in that situation, one way to keep those commands working for Privilege Level 0 users is to define them locally as additional authorized commands for Privilege Level 0. To make that happen, the following should be in the ASA or PIX Firewall configuration in addition to the AAA command set of your choice above:

    username [ENTER Privilege Level 0 USERNAME HERE] password [ENTER YOUR PASSWORD HERE] privilege 0
    privilege show level 0 command arp
    privilege show level 0 command interface
    privilege show level 0 command ip
    privilege show level 0 command route
    privilege show level 0 command crypto
    privilege show level 0 command conn
    privilege show level 0 command cpu
    privilege show level 0 command memory
    privilege show level 0 command xlate
    privilege clear level 0 command xlate
    privilege level 0 command ping

Note: The local list only matters while the TACACS+ server is unreachable, but during that time it is the entire list: a command authorized on the server and not listed here is unavailable to those users until the server returns, and a command listed here but not on the server is available to them only while the server is down. Keep the two lists in sync. Also keep in mind that privilege levels are global on the firewall, so lowering a command to level 0 lowers it for every account, not just the one above; show running-config and the other configuration commands are not touched by these lines, so the listed users still cannot read the configuration or the TACACS+ key.

by aryoba
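As an added example that is not part of this FAQ, the following Python script audits a saved running-config against the TACACS+ command set above and the Privilege Level 0 list in the last section. It parses the flat aaa-server, aaa authentication, aaa authorization, aaa accounting and privilege lines, and reports which expectations are not met: every access method authenticated (including serial, which the FAQ's samples leave out), LOCAL last in every chain that uses a TACACS+ or RADIUS group, accounting for every remotely authenticated method, the full privilege-0 command list present locally, and no telnet access lines (plaintext management). SAMPLE_CONFIG is a constructed config assembled for this example; the address, key and network lines are placeholders, and its four gaps are deliberate.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config (flat 6.3/7.x syntax) for this example.
# Deliberate gaps: no serial-console authentication, no LOCAL fallback on
# command authorization, no local entry for "clear xlate", telnet enabled.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.0.0.5 example-shared-secret timeout 10
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command TACACS+
privilege show level 0 command arp
privilege show level 0 command interface
privilege show level 0 command ip
privilege show level 0 command route
privilege show level 0 command crypto
privilege show level 0 command conn
privilege show level 0 command cpu
privilege show level 0 command memory
privilege show level 0 command xlate
privilege level 0 command ping
telnet 192.168.1.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 inside
"""

# Commands the FAQ wants Privilege Level 0 users to keep during an outage.
EXPECTED_LEVEL0 = ["show arp", "show interface", "show ip", "show route",
                   "show crypto", "show conn", "show cpu", "show memory",
                   "show xlate", "clear xlate", "ping"]
AUTH_METHODS = ("serial", "telnet", "ssh", "http", "enable")
# accounting keyword expected for each chain that can be accounted
ACCT_KEY = {"serial": "serial", "telnet": "telnet", "ssh": "ssh",
            "enable": "enable", "authorization command": "command"}
REMOTE = {"tacacs+", "radius"}


@dataclass
class AaaState:
    groups: dict = field(default_factory=lambda: {"LOCAL": "local"})
    auth: dict = field(default_factory=dict)       # method -> [group tags]
    authz_cmd: list = field(default_factory=list)  # tags for command authz
    acct: set = field(default_factory=set)         # accounted methods
    level0: set = field(default_factory=set)       # commands lowered to 0
    plaintext: list = field(default_factory=list)  # telnet access lines


def parse_config(text):
    """Collect the AAA-relevant lines of a PIX/ASA running-config."""
    st = AaaState()
    for line in (ln.strip() for ln in text.splitlines()):
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            st.groups[m[1]] = m[2].lower()
        elif m := re.match(r"aaa authentication (\S+) console (.+)$", line):
            st.auth[m[1]] = m[2].split()
        elif m := re.match(r"aaa authorization command (.+)$", line):
            st.authz_cmd = m[1].split()
        elif m := re.match(r"aaa accounting (\S+) console ", line):
            st.acct.add(m[1])
        elif re.match(r"aaa accounting command ", line):
            st.acct.add("command")
        elif m := re.match(r"privilege (?:(show|clear|cmd|configure) )?level (\d+) "
                           r"(?:mode \S+ )?command (\S+)$", line):
            if m[2] == "0":
                st.level0.add(f"{m[1]} {m[3]}" if m[1] else m[3])
        elif re.match(r"telnet (\d{1,3}\.){3}\d{1,3} (\d{1,3}\.){3}\d{1,3} \S+$", line):
            st.plaintext.append(line)
    return st


def audit(st):
    """Return a dict of check name -> list of findings (empty list = pass)."""
    f = {"missing_auth": [m for m in AUTH_METHODS if m not in st.auth],
         "undefined_group": [], "no_local_fallback": [], "missing_accounting": [],
         "missing_level0": [c for c in EXPECTED_LEVEL0 if c not in st.level0],
         "plaintext_mgmt": list(st.plaintext)}
    chains = dict(st.auth)
    if st.authz_cmd:
        chains["authorization command"] = st.authz_cmd
    for name, tags in chains.items():
        f["undefined_group"] += [f"{name}: {t}" for t in tags if t not in st.groups]
        remote = any(st.groups.get(t) in REMOTE for t in tags)
        # Fallback to the local database only happens when LOCAL is last in
        # the chain; without it an unreachable server locks everyone out.
        if remote and tags[-1] != "LOCAL":
            f["no_local_fallback"].append(name)
        key = ACCT_KEY.get(name)
        if remote and key and key not in st.acct:
            f["missing_accounting"].append(name)
    return f


def is_hardened(findings):
    return not any(findings.values())


if __name__ == "__main__":
    for check, hits in audit(parse_config(SAMPLE_CONFIG)).items():
        print(f"{check:20} {'OK' if not hits else ', '.join(hits)}")
```

Run it against `show running-config` output saved to a file by replacing SAMPLE_CONFIG with the file contents. The fallback check treats a reject from the server and an unreachable server the same way the firewall does not: it only verifies that LOCAL is last in the chain, which is the one condition under which the outage fallback described above can work.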