Table Of Contents
A through B Commands
aaa accounting
Enable, disable, or view LOCAL, TACACS+, or RADIUS user accounting (on a server designated by the aaa-server command).
[no] aaa accounting include | exclude service if_name local_ip local_mask foreign_ip foreign_mask server_tag
[no] aaa accounting include | exclude service if_name server_tag
clear aaa [accounting include | exclude service if_name server_tag]
[no] aaa accounting match acl_name if_name server_tag
show aaa
Syntax Description
Defaults
For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP, the port is not applicable and should not be used.
Command Modes
Configuration mode.
Usage Guidelines
User accounting services keep a record of which network services a user has accessed. These records are also kept on the designated AAA server. Accounting information is only sent to the active server in a server group.
Use the aaa accounting command with the aaa authentication and aaa authorization commands.
The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
Note
Traffic that is not specified by an include statement is not processed.
For outbound connections, first use the nat command to determine which IP addresses can access the PIX Firewall. For inbound connections, first use the static and access-list command statements to determine which inside IP addresses can be accessed through the PIX Firewall from the outside network.
Note
If you want to allow connections to come from any host, code the local IP address and netmask as 0.0.0.0 0.0.0.0, or 0 0. The same convention applies to the foreign host IP address and netmask; 0.0.0.0 0.0.0.0 means any foreign host.
Tip
Examples
The default PIX Firewall configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol local
The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20aaa authentication include any outbound 0 0 0 0 TACACS+aaa authorization include any outbound 0 0 0 0aaa accounting include any outbound 0 0 0 0 TACACS+aaa authentication serial console TACACS+This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
Related Commands
aaa authentication
Enable, disable, or view LOCAL, TACACS+, or RADIUS user authentication, on a server designated by the aaa-server command, or PDM user authentication.
[no] aaa authentication include | exclude authen_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag
clear aaa [authentication include | exclude authen_service if_name local_ip local_mask foreign_ip foreign_mask server_tag]
[no] aaa authentication match acl_name if_name server_tag
[no] aaa authentication secure-http-client
[no] aaa authentication [serial | enable | telnet | ssh | http] console server_tag [LOCAL]
show aaa
Syntax Description
Defaults
If a aaa authentication http console server_tag command statement is not defined, you can gain access to the PIX Firewall (via PDM) with no username and the PIX Firewall enable password (set with the password command). If the aaa commands are defined but the HTTP authentication requests a time out, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using the username pix and the enable password. By default, the enable password is not set.
The PIX Firewall supports authentication usernames up to 127 characters and passwords of up to 16 characters (some AAA servers accept passwords up to 32 characters). A password or username may not contain an "@" character as part of the password or username string, with a few exceptions.
Tip
The authentication ports supported for AAA are fixed. We support port 21 for FTP, port 23 for Telnet, and port 80 for HTTP. For this reason, do not use Static PAT to reassign ports for services you wish to authenticate. In other words, when the port to authenticate is not one of the three known ports, the firewall rejects the connection instead of authenticating it.
Command Modes
Configuration mode.
Usage Guidelines
To use the aaa authentication command, you must first designate an authentication server with the aaa-server command. Also, for each IP address, one aaa authentication command is permitted for inbound connections and one for outbound connections.
Use the if_name, local_ip, and foreign_ip variables to define where access is sought and from whom. The address for local_ip is always on the highest security level interface and foreign_ip is always on the lowest.
The aaa authentication command is not intended to mandate your security policy. The authentication servers determine whether a user can or cannot access the system, what services can be accessed, and what IP addresses the user can access. The PIX Firewall interacts with FTP, HTTP , HTTPS, and Telnet to display the credentials prompts for logging in to the network or logging in to exit the network. You can specify that only a single service be authenticated, but this must agree with the authentication server to ensure that both the firewall and server agree.
Note
The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, these aaa authentication command statements will be removed from your configuration.
Note
aaa authentication console command
The aaa authentication serial console command enables you to require authentication verification to access the PIX Firewall unit's serial console. The serial console options also logs to a syslog server changes made to the configuration from the serial console.
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console server_tag [LOCAL] command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts. The [LOCAL] keyword option specifies a second authentication method that can be local only.
Telnet access to the PIX Firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the PIX Firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command.
The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.
Similar to the Telnet model, if a aaa authentication ssh console server_tag command statement is not defined, you can gain access to the PIX Firewall console with the username pix and with the PIX Firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests timeouts, which implies the AAA servers may be down or not available, you can gain access to the PIX Firewall using username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.
If the console login request times out, you can gain access to the PIX Firewall from the serial console by entering the username pix and the enable password.
The LOCAL keyword is optional when specified as a RADIUS or TACACS+ server only. Any access to the module (SSH, Telnet, enable) requiring a username and password is prompted only three times.
If an aaa authentication ssh console server_tag command is not defined, you can gain access to the CLI with the username pix and with the PIX Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication requests timeouts, which implies that the AAA servers may be down or not available, you can gain access to the PIX Firewall using the username pix and the enable password (set with the enable password command).
The PIX Firewall supports authentication usernames up to 127 characters and passwords up to 16 characters (some AAA servers accept passwords up to 32 characters). A password or username may not contain an "@" character as part of the password or username string.
The command only accepts the second, optional LOCAL keyword when the server_tag refers to an existing, valid TACACS+ or RADIUS server group defined in a aaa-server command. You can configure LOCAL as the first and only server_tag.
The no form of the command removes the complete command and does not support removing single methods.
aaa authentication secure-http-client
The aaa authentication secure-http-client command enables SSL and secures username and password exchange between HTTP clients and the firewall. It offers a secure method for user authentication to the firewall prior to allowing the user's HTTP-based web requests to traverse the firewall.
The following example configures HTTP traffic to be authenticated securely:
aaa authentication secure-http-clientaaa authentication include http ...where "..." represents your values for authen_service if_name local_ip local_mask [foreign_ip foreign_mask] server_tag.
The following are limitations of the aaa authentication secure-http-client command:
•
•
•
static (inside,outside) tcp 10.132.16.200 www 10.130.16.10 wwwstatic (inside,outside) tcp 10.132.16.200 443 10.130.16.10 443Enabling Authentication
The aaa authentication command enables or disables the following features:
•
•
The prompts users see requesting AAA credentials differ between the three services that can access the PIX Firewall for authentication: Telnet, FTP, HTTP, and HTTPS:
•
•
authentication_user_name@remote_system_user_nameauthentication_password@remote_system_passwordIf you daisy-chain PIX Firewall units, Telnet authentication works in the same way as a single unit, but FTP and HTTP authentication have additional complexity for users because they have to enter each password and username with an additional at (@) character and password or username for each daisy-chained system. Users can exceed the 63-character password limit depending on how many units are daisy-chained and password length.
Some FTP graphical user interfaces (GUIs) do not display challenge values.
•
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication console command:
•
•
•
•
You can specify an interface name with the aaa authentication command. In previous versions, if you specified aaa authentication include any outbound 0 0 server, PIX Firewall only authenticated outbound connections and not those to the perimeter interface. PIX Firewall now authenticates any outbound connection to the outside as well as to hosts on the perimeter interface. To preserve the behavior of previous versions, use these commands to enable authentication and to disable authentication from the inside to the perimeter interface:
aaa authentication include any outbound 0 0 serveraaa authentication exclude outbound perim_net perim_mask serverWhen a host is configured for authentication, all users on the host must use a web browser or Telnet first before performing any other networking activity, such as accessing mail or a news reader. The reason for this is that users must first establish their authentication credentials and programs such as mail agents and newsreaders do not have authentication challenge prompts.
The PIX Firewall only accepts 7-bit characters during authentication. After authentication, the client and server can negotiate for 8 bits if required. During authentication, the PIX Firewall only negotiates Go-Ahead, Echo, and NVT (network virtual terminal).
HTTP Authentication
When using HTTP authentication to a site running Microsoft IIS that has "Basic text authentication" or "NT Challenge" enabled, users may be denied access from the Microsoft IIS server. This occurs because the browser appends the string: "Authorization: Basic=Uuhjksdkfhk==" to the HTTP GET commands. This string contains the PIX Firewall authentication credentials.
Note
Windows NT Microsoft IIS servers respond to the credentials and assume that a Windows NT user is trying to access privileged pages on the server. Unless the PIX Firewall username password combination is exactly the same as a valid Windows NT username and password combination on the Microsoft IIS server, the HTTP GET command is denied.
To solve this problem, PIX Firewall provides the virtual http command, which redirects the browser's initial connection to another IP address, authenticates the user, then redirects the browser back to the URL which the user originally requested.
Once authenticated, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of Netscape Navigator or Internet Explorer and restarts. Flushing the cache is of no use.
As long as the user repeatedly browses the Internet, the browser resends the "Authorization: Basic=Uuhjksdkfhk==" string to transparently reauthenticate the user.
Multimedia applications such as CU-SeeMe, Intel Internet Phone, MeetingPoint, and MS NetMeeting silently start the HTTP service before an H.323 session is established from the inside to the outside.
Network browsers such as Netscape Navigator do not present a challenge value during authentication; therefore, only password authentication can be used from a network browser.
Note
TACACS+ and RADIUS servers
Up to 196 TACACS+ or RADIUS servers are permitted (up to 14 servers in each of the up to 14 server groups—set with the aaa-server command). When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
The PIX Firewall permits only one authentication type per network. For example, if one network connects through the PIX Firewall using TACACS+ for authentication, another network connecting through the PIX Firewall can authenticate with RADIUS, but one network cannot authenticate with both TACACS+ and RADIUS.
For the TACACS+ server, if you do not specify a key to the aaa-server command, no encryption occurs.
The PIX Firewall displays the same timeout message for both RADIUS and TACACS+. The message "aaa server host machine not responding" displays when either of the following occurs:
•
•
Previously, TACACS+ differentiated between the two preceding states and provided two different timeout messages, while RADIUS did not differentiate between the two states and provided one timeout message.
aaa authentication match
The aaa authentication match acl_name interface_name server_tag command specifies to match an access-list command statement and then to provide authentication for that match. However, do not use an access-list command statement that uses the source port to identify matching traffic. Like the aaa authentication include | exclude command, the source port is not supported in the match criteria of the aaa authentication match acl_name command.
The following set of examples illustrates how to use this command, as follows:
show access-listaccess-list mylist permit tcp 10.0.0.0 255.255.255.0 172.23.2.0 255.255.255.0access-list yourlist permit tcp any anyshow aaaaaa authentication match mylist outbound TACACS+Similar to IPSec, the keyword permit means "yes" and deny means "no." Therefore, the following command,
aaa authentication match yourlist outbound tacacsis equal to this command:
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tacacsThe aaa command statement list is order-dependent between access-list command statements. If the following command is entered:
aaa authentication match yourlist outbound tacacsafter this command:
aaa authentication match mylist outbound TACACS+The PIX Firewall tries to find a match in the mylist access-list command statement group before it tries to find a match in the yourlist access-list command statement group.
Old aaa command configuration and functionality stays the same and is not converted to the access-list command format. Hybrid access control configurations (that is, old configurations combined with new access-list command-based configurations) are not recommended.
Examples
The following example shows use of the aaa authentication command:
pixfirewall(config) aaa authentication telnet console radiusThe following example lists the new include and exclude options:
aaa authentication include any outbound 172.31.0.0 255.255.0.0 0.0.0.0 0.0.0.0 tacacs+aaa authentication exclude telnet outbound 172.31.38.0 255.255.255.0 0.0.0.0 0.0.0.0 tacacs+The following examples demonstrate ways to use the if_name parameter. The PIX Firewall has an inside network of 192.168.1.0, an outside network of 209.165.201.0 (subnet mask 255.255.255.224), and a perimeter network of 209.165.202.128 (subnet mask 255.255.255.224).
This example enables authentication for connections originated from the inside network to the outside network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the inside network to the perimeter network:
aaa authentication include any outbound 192.168.1.0 255.255.255.0 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the inside network:
aaa authentication include any inbound 192.168.1.0 255.255.255.0 209.165.201.0 255.255.255.224 tacacs+This example enables authentication for connections originated from the outside network to the perimeter network:
aaa authentication include any inbound 209.165.201.0 255.255.255.224 209.165.202.128 255.255.255.224 tacacs+This example enables authentication for connections originated from the perimeter network to the outside network:
aaa authentication include any outbound 209.165.202.128 255.255.255.224 209.165.201.0 255.255.255.224 tacacs+This example specifies that IP addresses 10.0.0.1 through 10.0.0.254 can originate outbound connections and then enables user authentication so that those addresses must enter user credentials to exit the PIX Firewall. In this example, the first aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The second aaa authentication command lets host 10.0.0.42 start outbound connections without being authenticated. This example uses the default authentication group tacacs+.
nat (inside) 1 10.0.0.0 255.255.255.0aaa authentication include any outbound 0 0 tacacs+aaa authentication exclude outbound 10.0.0.42 255.255.255.255 tacacs+ anyThis example permits inbound access to any IP address in the range of 209.165.201.1 through 209.165.201.30 indicated by the 209.165.201.0 network address (subnet mask 255.255.255.224). All services are permitted by the access-list command, and the aaa authentication command permits authentication on FTP, HTTP, or Telnet depending on what the authentication server handles. The authentication server is at IP address 10.16.1.20 on the inside interface.
aaa-server AuthIn protocol tacacs+aaa-server AuthIn (inside) host 10.16.1.20 thisisakey timeout 20static (inside,outside) 209.165.201.0 10.16.1.0 netmask 255.255.255.224access-list acl_out permit tcp 10.16.1.0 255.255.255.0 209.165.201.0 255.255.255.224access-group acl_out in interface outsideaaa authentication include any inbound 0 0 AuthInRelated Commands
aaa authorization
Enable or disable LOCAL or TACACS+ user authorization services.
[no] aaa authorization command {LOCAL | tacacs_server_tag}
[no] aaa authorization include | exclude svc if_name local_ip local_mask foreign_ip foreign_mask
clear aaa [authorization [include | exclude svc if_name local_ip local_mask foreign_ip foreign_mask]]
[no] aaa authorization match acl_name if_name server_tag
show aaa
Syntax Description
Defaults
An IP address of 0 means all hosts.
Command Modes
Configuration mode.
Usage Guidelines
Except for its use with command authorization, the aaa authorization command requires previous configuration with the aaa authentication command; however, use of the aaa authentication command does not require use of a aaa authorization command.
Currently, the aaa authorization command is supported for use with LOCAL and TACACS+ servers but not with RADIUS servers.
Tip
For each IP address, one aaa authorization command is permitted. If you want to authorize more than one service with aaa authorization, use the any parameter for the service type.
If the first attempt at authorization fails and a second attempt causes a timeout, use the
service resetinbound command to reset the client that failed the authorization so that it will not retransmit any connections. An example authorization timeout message in Telnet follows.Unable to connect to remote host: Connection timed outUser authorization services control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the PIX Firewall unit to verify the access permissions of the user with the designated AAA server.
The include and exclude options are not backward compatible with previous PIX Firewall versions. If you downgrade to an earlier version, the aaa command statements will be removed from your configuration.
Note
If the AAA console login request times out, you can gain access to the PIX Firewall from the serial console by entering the pix username and the enable password.Examples
The default PIX Firewall configuration provides the following aaa-server protocols:
aaa-server TACACS+ protocol tacacs+aaa-server RADIUS protocol radiusaaa-server LOCAL protocol local
The following example uses the default protocol TACACS+ with the aaa commands:
aaa-server TACACS+ (inside) host 10.1.1.10 thekey timeout 20aaa authentication include any outbound 0 0 0 0 TACACS+aaa authorization include any outbound 0 0 0 0aaa accounting include any outbound 0 0 0 0 TACACS+aaa authentication serial console TACACS+This example specifies that the authentication server with the IP address 10.1.1.10 resides on the inside interface and is in the default TACACS+ server group. The next three command statements specify that any users starting outbound connections to any foreign host will be authenticated using TACACS+, that the users who are successfully authenticated are authorized to use any service, and that all outbound connection information will be logged in the accounting database. The last command statement specifies that access to the PIX Firewall unit's serial console requires authentication from the TACACS+ server.
The following example enables authorization for DNS lookups from the outside interface:
aaa authorization include udp/53 inbound 0.0.0.0 0.0.0.0The following example enables authorization of ICMP echo-reply packets arriving at the inside interface from inside hosts:
aaa authorization include 1/0 outbound 0.0.0.0 0.0.0.0This means that users will not be able to ping external hosts if they have not been authenticated using Telnet, HTTP, or FTP.
The following example enables authorization for ICMP echoes (pings) only that arrive at the inside interface from an inside host:
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0Related Commands
aaa mac-exempt
Exempts a list of MAC addresses from authentication and authorization.
[no] aaa mac-exempt match id
Syntax Description
Defaults
None.
Command Modes
The aaa mac-exempt match id command is available in configuration mode.
Usage Guidelines
The aaa mac-exempt match id command exempts a list of MAC addresses from authentication and authorization.
Note
Examples
The following example shows how to configure MAC-based AAA:
pixfirewall(config)# show mac-listmac-list adc permit 00a0.c95d.0282 ffff.ffff.ffffmac-list adc deny 00a1.c95d.0282 ffff.ffff.ffffmac-list ac permit 0050.54ff.0000 ffff.ffff.0000mac-list ac deny 0061.54ff.b440 ffff.ffff.ffffmac-list ac deny 0072.54ff.b440 ffff.ffff.ffffpixfirewall(config)# aaa mac-exempt match acpixfirewall(config)# show aaaaaa mac-exempt match acpixfirewall(config)# aaa ?Usage: [no] aaa authentication|authorization|accounting include|exclude <svc><if_name><l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>[no] aaa authentication serial|telnet|ssh|http|enable console <server_tag>[no] aaa authentication|authorization|accounting match <acl_name> <if_name> <server_tag>[no] aaa authorization command {LOCAL | tacacs_server_tag} aaa proxy-limit <proxy limit> | disable[no] aaa mac-exempt match <mcl-id>Related Commands
aaa proxy-limit
Specifies the number of concurrent proxy connections allowed per user.
[no] aaa proxy-limit proxy_limit | disable
show aaa proxy-limit
Syntax Description
disable
Disables the proxy limit.
proxy_limit
Specifies the number of concurrent proxy connections allowed per user, from 1 to 128. (The default value is 16.)
Defaults
The default proxy limit value is 16.
Command Modes
Configuration mode.
Usage Guidelines
The aaa proxy-limit command enables you to manually configure the uauth session limit by setting the maximum number of concurrent proxy connections allowed per user. By default, this value is set to 16. If a source address is a proxy server, consider excluding this IP address from authentication or increasing the number of allowable outstanding AAA requests.
The show aaa proxy-limit command displays the number of outstanding authentication requests allowed, or indicates that the proxy limit is disabled if disabled.
Examples
The following example shows how to set and display the maximum number of outstanding authentication requests allowed:
pixfirewall(config)# aaa proxy-limit 6pixfirewall(config)# show aaa proxy-limitaaa proxy-limit 6Related Commands
aaa-server
Defines the AAA server group.
[no] aaa-server server_tag deadtime <minutes>
[no] aaa-server server_tag [(if_name)] host server_ip [key] [timeout seconds]
[no] aaa-server server_tag max-failed-attempts <number>
[no] aaa-server server_tag protocol auth_protocol
[no] aaa-server radius-acctport [acct_port]
[no] aaa-server radius-authport [auth_port]
clear aaa-server [server_tag]
show aaa-server
debug radius session
Syntax Description
