

Activity Objective:
  • Install Cisco Secure ACS
  • Add the PIX security appliance to the Cisco Secure ACS AAA client database
  • Add a user to the Cisco Secure ACS database
  • Identify the AAA server and protocol
  • Configure and test inbound authentication
  • Configure and test outbound authentication
  • Configure and test console access authentication
  • Configure and test virtual Telnet authentication
  • Change and test authentication timeouts and prompts
  • Configure ACS to write downloadable ACLs during authentication
  • Test downloadable ACLs with inbound authentication
  • Test downloadable ACLs with outbound authentication
  • Configure and test accounting
Task 1: Install Cisco Secure ACS
(image)
Task 2: Add the Security Appliance to the Cisco Secure ACS AAA Client Database
Go to Network Configuration and add the PIX firewall as an AAA client:
AAA Client IP address: 10.10.10.11
Shared Secret: aaakey
Authenticate Using: TACACS+ (Cisco IOS)

The IP address must be the interface from which the PIX sources its TACACS+ requests (the one facing ACS), and the shared secret must match the key configured on the appliance in Task 4. A mismatched key is not reported as such: the appliance typically sees timeouts or unusable replies instead of a clear error.

(image)
Task 3: Add a User to the Cisco Secure ACS Database
Go to User Setup and add a test user (the user is placed in a group there; Group Setup only edits the group itself):
(image)
Username: aaauser
Password: 12345678
Group: Default Group

(image)

Task 4: Identify the AAA Server and Protocol

Create a server group called MYTACAS+ and assign the TACACS+ protocol to it. The protocol keyword is tacacs+; the group name is free-form, but it must be spelled the same way in every aaa command that follows.
pixP(config)# aaa-server MYTACAS+ protocol tacacs+
pixP(config-aaa-server)# ?

Specify single accounting mode for the MYTACAS+ group.
pixP(config-aaa-server)# accounting-mode single
pixP(config-aaa-server)# exit

Assign the Cisco Secure ACS IP address and the shared key aaakey (it must match the key entered in ACS in Task 2).
pixP(config)# aaa-server MYTACAS+ (outside) host 192.168.3.11
pixP(config-aaa-server)# key aaakey
pixP(config-aaa-server)# exit

NOTE: In this lab the ACS server is reached through the outside interface (192.168.3.11) instead of the inside host. TACACS+ runs over TCP port 49 and only obfuscates the packet body with an MD5 stream derived from the shared secret, so placing the server on an untrusted interface exposes the exchange; in production keep the AAA server on a trusted or management interface.

pixP(config)# show run aaa-server
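The shared secret is the only thing protecting the traffic between the PIX and ACS. The Python below is an added example, not part of the original lab or of any Cisco code: it builds a TACACS+ authentication START the way RFC 8907 describes, obfuscates the body with the MD5 pseudo-pad keyed by the secret, decodes it again, and shows that someone holding a single captured packet can test candidate secrets offline. The session ID, the port "tty0", the remote address 192.168.3.11 and the PAP encoding are assumptions chosen for illustration.

```python
"""Added example (not from the original lab or Cisco): TACACS+ packet
obfuscation as specified in RFC 8907 section 4.5, applied to the
authentication START a NAS such as the PIX sends to ACS on TCP port 49.
The session ID, the port "tty0", the remote address 192.168.3.11 and the
PAP encoding are assumptions chosen for illustration."""
import hashlib
import struct
from typing import Iterable, Optional

TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body carried in the clear
VERSION_PAP = 0xC1                # major 0xC, minor 1 (PAP/CHAP); ASCII login uses 0xC0
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain: MD5_1 = MD5(session_id, key, version, seq_no), MD5_n = MD5(..., MD5_n-1).
    Everything except `key` is readable from the cleartext header."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad. XOR is its own inverse, so this also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, session_id: int, key: bytes) -> bytes:
    """Authentication START (seq_no 1) carrying a PAP username/password pair."""
    u, port, rem, data = user.encode(), b"tty0", b"192.168.3.11", password.encode()
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), four length bytes
    body = struct.pack("!8B", 1, 1, 2, 1, len(u), len(port), len(rem), len(data))
    body += u + port + rem + data
    header = HEADER.pack(VERSION_PAP, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, 1)


def parse_authen_start(packet: bytes, key: bytes) -> Optional[dict]:
    """Decode a START with `key`; return None unless the result is self-consistent.
    A wrong key turns the length bytes into noise, which is the only check an
    observer needs to tell a right guess from a wrong one."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) < 8 or len(body) != length:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    lengths = list(body[4:8])
    if 8 + sum(lengths) != len(body):
        return None
    fields, off = [], 8
    for n in lengths:
        chunk = body[off:off + n]
        off += n
        if not chunk.isascii() or not chunk.decode().isprintable():
            return None
        fields.append(chunk.decode())
    return {"user": fields[0], "port": fields[1], "rem_addr": fields[2], "password": fields[3]}


def crack_key(packet: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline guessing of the shared secret from one captured packet: no rate
    limit and no lockout, only a few MD5 computations per guess."""
    for key in candidates:
        if parse_authen_start(packet, key) is not None:
            return key
    return None


if __name__ == "__main__":
    pkt = build_authen_start("aaauser", "12345678", 0x1234ABCD, b"aaakey")
    print(pkt.hex())
    print(parse_authen_start(pkt, b"aaakey"))                # what ACS sees
    print(parse_authen_start(pkt, b"wrongkey"))              # None: noise under a wrong key
    print(crack_key(pkt, [b"cisco", b"secret", b"aaakey"]))  # b'aaakey'
```

The pad is keyed by nothing but the secret plus header fields sent in the clear, and there is no integrity check, so a short dictionary-style secret such as the one used in this lab is recoverable from a single capture. That is why the secret should be long and random, and why the note above about placing ACS on the outside interface matters.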

Task 5: Configure and Test Inbound Authentication

Configure the security appliance to require authentication for all inbound traffic.
pixP(config)# aaa authentication include any outside 0 0 0 0 MYTACAS+
pixP(config)# show run aaa
pixP(config)# write memory

You must now test inbound web authentication. Have your peer open a web browser and go to your DMZ host web server.

(image)

With the commands above in place, browsing to http://10.10.10.11 triggers the cut-through proxy and the browser asks for a username and password.

(image)

username: aaauser
password: 12345678

(image)

After your peer successfully authenticates to your security appliance, display the cached authentication entries.
pixfirewall# show uauth
                        Current   Most Seen
Authenticated Users        1          1
Authen In Progress         0          1
user 'aaauser' at 192.168.3.11, authenticated (idle for 0:00:01)
absolute timeout: 0:05:00
inactivity timeout: 0:00:00

The entry stays cached until the absolute timeout (0:05:00 here, the default) or until it is cleared; further connections from that host pass without a new login. To force re-authentication before the next test, clear the cache:
pixP(config)# clear uauth

After your peer successfully authenticates to your security appliance, display your security appliance AAA server statistics.

pixP(config)# show aaa-server
Server Group: LOCAL
Server Protocol: Local database
Server Address: None
Server port: None
Server status: ACTIVE, Last transaction at 06:13:15 UTC Tue Jun 7 2011
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 1
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1
Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

Server Group: MYTACAS+
Server Protocol: tacacs+
Server Address: 192.168.3.11
Server port: 49
Server status: ACTIVE, Last transaction at 06:28:23 UTC Tue Jun 7 2011
Number of pending requests 0
Average round trip time 55ms
Number of authentication requests 26
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 2
Number of rejects 21
Number of challenges 4
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 3
Number of unrecognized responses 0
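The MYTACAS+ counters above are the first thing to read when cut-through proxy authentication misbehaves: 26 authentication requests, only 2 accepts, 21 rejects (the failed login attempts made while testing) and 3 timeouts (requests ACS never answered). The Python below is an added example, not part of the original lab or of any Cisco tool. It parses this `show aaa-server` output (the sample is the output above, copied in) into per-group counters and flags the conditions worth investigating; the thresholds are assumptions.

```python
"""Added example (not from the original lab or Cisco): parse PIX/ASA
`show aaa-server` output and flag conditions worth investigating.
SAMPLE is the lab output shown above, copied in as constructed input."""
import re
from typing import Dict, List

SAMPLE = """\
Server Group: LOCAL
Server Protocol: Local database
Server Address: None
Server port: None
Server status: ACTIVE, Last transaction at 06:13:15 UTC Tue Jun 7 2011
Number of pending requests 0
Average round trip time 0ms
Number of authentication requests 1
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 1 Number of rejects 0
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0

Server Group: MYTACAS+
Server Protocol: tacacs+
Server Address: 192.168.3.11
Server port: 49
Server status: ACTIVE, Last transaction at 06:28:23 UTC Tue Jun 7 2011
Number of pending requests 0
Average round trip time 55ms
Number of authentication requests 26
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 2
Number of rejects 21
Number of challenges 4
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 3
Number of unrecognized responses 0
"""

# Non-greedy name so two counters squeezed onto one line are both captured.
COUNTER_RE = re.compile(r"Number of ([a-z ]+?) (\d+)")
FIELD_RE = re.compile(r"^Server (Group|Protocol|Address|port|status): (.+)$", re.M)
RTT_RE = re.compile(r"Average round trip time (\d+)ms")


def parse_aaa_servers(text: str) -> Dict[str, dict]:
    """Return {group name: {protocol, address, status, rtt_ms, counters}}."""
    groups: Dict[str, dict] = {}
    for block in re.split(r"(?m)^(?=Server Group: )", text):
        fields = dict(FIELD_RE.findall(block))
        if "Group" not in fields:
            continue
        rtt = RTT_RE.search(block)
        groups[fields["Group"]] = {
            "protocol": fields.get("Protocol", "").strip(),
            "address": fields.get("Address", "").strip(),
            "status": fields.get("status", "").split(",")[0].strip(),  # ACTIVE / FAILED
            "rtt_ms": int(rtt.group(1)) if rtt else None,
            "counters": {name.replace(" ", "_"): int(val) for name, val in COUNTER_RE.findall(block)},
        }
    return groups


def reject_ratio(group: dict) -> float:
    c = group["counters"]
    total = c.get("authentication_requests", 0)
    return c.get("rejects", 0) / total if total else 0.0


def assess(group: dict, reject_threshold: float = 0.5, min_requests: int = 10) -> List[str]:
    """Human-readable findings; an empty list means nothing stands out.
    The threshold values are assumptions for this example."""
    c = group["counters"]
    findings: List[str] = []
    if group["status"] != "ACTIVE":
        findings.append(f"server group is {group['status']}: the appliance has marked it failed")
    if c.get("timeouts", 0):
        findings.append(f"{c['timeouts']} timeouts: no reply from {group['address']}; "
                        "check reachability on TCP 49 and whether LOCAL fallback was used")
    if c.get("malformed_responses", 0) or c.get("bad_authenticators", 0):
        findings.append("malformed responses or bad authenticators: shared key likely mismatched")
    ratio = reject_ratio(group)
    if ratio > reject_threshold and c.get("authentication_requests", 0) >= min_requests:
        findings.append(f"{c['rejects']} of {c['authentication_requests']} authentication requests "
                        f"rejected ({ratio:.0%}): failed logins, possible credential guessing")
    return findings


if __name__ == "__main__":
    for name, group in parse_aaa_servers(SAMPLE).items():
        print(name, group["protocol"], group["address"], assess(group) or ["ok"])
```

Pipe the real output in (for example from a scheduled `show aaa-server` collection) and the same logic separates a misbehaving AAA path (timeouts, key mismatch) from a credential-guessing pattern (high reject ratio), which is the distinction the raw counters leave to the reader.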

Task 6: Configure and Test Outbound Authentication

Configure the security appliance to require authentication for all outbound connections to the Superserver.
pixP(config)# aaa authentication include any inside 0 0 172.26.26.50 255.255.255.255 MYTACAS+

Configure the security appliance to require authentication for all outbound connections to the 192.168.3.0 network.
pixP(config)# aaa authentication include any inside 0 0 192.168.3.0 255.255.255.0 MYTACAS+

Task 7: Configure and Test Console Access Authentication
------------- Before you execute this step, prepare the following: ------------
Create a local user and an enable password; they are the fallback used when the TACACS+ server cannot be reached:
pixfirewall(config)# username pixuser password ciscopix privilege 15
pixfirewall(config)# enable password cisco

Generate an RSA key pair so that SSH can be tested on the PIX firewall (768 bits is acceptable in this lab only; on production equipment use at least 2048 bits):
pixfirewall(config)# crypto key generate rsa modulus 768
INFO: The name for the keys will be:
Keypair generation process begin. Please wait...
pixfirewall# show crypto key mypubkey rsa
Key pair was generated at: 04:47:05 UTC Jun 7 2011
Key name:
Usage: General Purpose Key
Modulus Size (bits): 768
Key Data:

307c300d 06092a86 4886f70d 01010105 00036b00 30680261 00a6cd50 48aee840 11a2e56a c61acb54 b1dd04e9 81b09074 817ded6e 6e605952 ad005e45 eceb178e 8846b828 8cee433e f19765fa ec381188 5a44e5a1 1637f35e e8417710 b3079129 2fae4bce 07c6eff2 7977252a 2382318c 3b38b492 212a2a68 3b020301 0001
-------------------------------------- the end -------------------------------------------

Configure the security appliance to authenticate SSH and serial console connections through the MYTACAS+ group, with the LOCAL database as fallback for use when no server in the group responds.
pixP(config)# aaa authentication ssh console MYTACAS+ LOCAL
pixP(config)# aaa authentication serial console MYTACAS+ LOCAL
WARNING: local database is empty! Use 'username' command to define local users.

pixP(config)# show run aaa

Configure the security appliance to allow console SSH logins.
pixP(config)# ssh scopy enable
pixP(config)# ssh 192.168 255.255.255.255 inside
pixP(config)# ssh insidehost 255.255.255.255 outside
pixP(config)# ssh insidehost 255.255.255.255 dmz
pixP(config)# ssh version 2

From the outside PC, open PuTTY and SSH to 10.10.10.2:

(image)

pixfirewall# show aaa-server

When the ACS server is shut down (or otherwise unreachable), the security appliance falls back to the LOCAL database named at the end of the aaa authentication command. Fallback happens only when no server in the group answers; a reject from ACS is final and is not retried against LOCAL:

(image)

Username: pixuser
Password: ciscopix

Task 8: Configure and Test Virtual Telnet Authentication (refer to documents)

Task 9: Change and Test Authentication Timeouts and Prompts
View the current uauth timeout settings.
pixP(config)# show run timeout uauth

Set the uauth absolute timeout to 3 hours.
pixP(config)# timeout uauth 3:0:0 absolute

Set the uauth inactivity timeout to 30 minutes. The inactivity timer must be shorter than the absolute timer; a cached entry is removed when either expires, and setting the absolute timeout to 0 disables caching so that every new connection must authenticate.
pixP(config)# timeout uauth 0:30:0 inactivity

View the current authentication prompt settings.
pixP(config)# show run auth-prompt

Set the prompt that users will get when authenticating.
pixP(config)# auth-prompt prompt Please Authenticate

Set the message that users will get when their authentication is successful.
pixP(config)# auth-prompt accept You’ve been Authenticated

Set the message that users will get when their authentication is rejected.
pixP(config)# auth-prompt reject Authentication Failed, Try Again
pixP(config)# show run auth-prompt

Task 10: Configure ACS to Send Downloadable ACLs to the Security Appliance During RADIUS Authentication

Complete the following steps to configure ACS to send downloadable ACLs to the security appliance during RADIUS authentication. Downloadable ACLs are a RADIUS feature on the security appliance, so the TACACS+ group built in Task 4 cannot carry them: a RADIUS AAA client entry in ACS and a matching RADIUS aaa-server group on the appliance are required before the ACL is assigned to the user or group.

(image)

Summary:
Three types of authentication:
• Authenticate access to the security appliance
• Authenticate access through the security appliance
– Cut-through proxy
• Authentication tunnel access
– IPSec
– SSL VPN

Three types of authorization:
• Console access—specifies whether command execution is subject to authorization.
• Cut-through proxy— specifies what “through” services are subject to authorization.
• Tunnel access-- specifies what “tunnel” services are authorized.

Three types of accounting:
• Accounting of security appliance console access
• Accounting of access through the security appliance
– Cut-through proxy
• Accounting of tunnel connections
– IPSec
– SSL VPN
