Sample Configuration Guide for Cisco Secure ACS and PIX Firewall
PIX Firewall Command Authorization

Table Of Contents

PIX Firewall Command Authorization

Example Network

PIX Firewall AAA Server Configuration for TACACS+

TACACS+ Command Authorization Configuration

Cisco Secure ACS TACACS+ Command Authorization Configuration

PIX Firewall TACACS+ Command Authorization Configuration

PIX Firewall Command Authorization


This chapter describes how to set up command authorization for SSH, Telnet, and console sessions. Command authorization enables you to control what commands a PIX Firewall administrator can use when logged into the PIX Firewall. For more information about command authorization and this example scenario, see TACACS+ Command Authorization Configuration.

This chapter contains the following topics:

Example Network

PIX Firewall AAA Server Configuration for TACACS+

TACACS+ Command Authorization Configuration

Cisco Secure ACS TACACS+ Command Authorization Configuration

PIX Firewall TACACS+ Command Authorization Configuration

Example Network

As with the other chapters in this guide, Figure 4-1 illustrates the network configuration used in this example.

Figure 4-1 Example Network

PIX Firewall AAA Server Configuration for TACACS+

In this chapter, TACACS+ authorization is introduced, which requires TACACS+ authentication as well; therefore, the PIX Firewall must have a server group for TACACS+. The aaa-server command is used both to define server groups and to add specific AAA servers to a server group.

In the context of this sample configuration, the TACACS+ server is the same server as the RADIUS server configured in other chapters: the Cisco Secure Access Control Server (ACS) shown in Figure 4-1.

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.12 58705da9b1690424aa7b64cf6aa9097d

The 16-character key provided for the server definition is a hexadecimal number randomly generated using an external entropy source. While PIX Firewall accepts up to 127 characters for a key, Cisco Secure ACS accepts a maximum of 32 characters for AAA client keys.


Tip For easy access to highly random numbers, visit http://www.random.org or http://www.fourmilab.ch/hotbits/.


TACACS+ Command Authorization Configuration

Command authorization enables you to restrict the commands that PIX Firewall administrators can perform, based on the individual authorizations associated with each administrator. When this feature is enabled, PIX Firewall defers to Cisco Secure ACS to determine whether or not a command entered at the console or in a Telnet or SSH session is permitted for that administrator.

In this example, you create two means of command authorization. The first is for use with PIX Firewall administrators who should be permitted to use all commands, referred to here as senior administrators. The second is for use with PIX Firewall administrators who should be restricted to viewing the PIX Firewall configuration but not changing it, such as you might require for internal help desk employees.

In both means of command authorization, this sample configuration uses TACACS+ for authentication of enable passwords. Without changing the default enable level assignments for PIX Firewall commands, permitting the enable command is necessary, and centralizing authentication of enable passwords is a logical extension of your AAA architecture.

This section contains the following topics:

Cisco Secure ACS TACACS+ Command Authorization Configuration

PIX Firewall TACACS+ Command Authorization Configuration

Cisco Secure ACS TACACS+ Command Authorization Configuration

Configuring Cisco Secure ACS for TACACS+ command authorization requires an additional AAA client configuration (so that Cisco Secure ACS responds to TACACS+ requests from the PIX Firewall), configuring the HTML interface to show enable password and privilege level options, and creating command authorizations.

This section contains the following topics:

Adding the TACACS+ AAA Client

Configuring Enable Authentication and Authorization

Creating Command Authorizations for Senior Administrators

Command Authorization for Junior Administrators

Adding the TACACS+ AAA Client

Configuring Cisco Secure ACS to accept TACACS+ authentication requests consists entirely of creating a AAA client entry that represents the PIX Firewall for TACACS+ requests. This procedure describes how to create a AAA client entry in Cisco Secure ACS that represents the PIX Firewall in Figure 4-1 and specifies TACACS+ as the AAA protocol.

To configure Cisco Secure ACS to perform TACACS+ authentication with the PIX Firewall, follow these steps:


Step 1 Select Network Configuration.


Note If you are using Network Device Groups (NDGs), you must also click the name of the NDG that you want to add the AAA client entry to.


Step 2 Under the AAA Clients table, select Add Entry.

The Add AAA Client page appears.

Step 3 Configure the boxes, list, and check boxes on the Add AAA Client page as follows:

AAA Client Hostname—Type the hostname plus the AAA protocol: pixfirewall-tacacs.

AAA Client IP Address—The IP address of the PIX Firewall interface from which Cisco Secure ACS will receive TACACS+ requests. In this example, 10.1.1.1.

Key—The same key specified on the PIX Firewall for the TACACS+ server. For this example, type 58705da9b1690424aa7b64cf6aa9097d.

Authenticate Using—Select TACACS+ (Cisco IOS).

The check boxes available on the Add AAA Client page are not used in this example.

Step 4 Select Submit.

Cisco Secure ACS saves the AAA client entry but will not accept and process TACACS+ requests from the PIX Firewall until Cisco Secure ACS services are restarted. To maximize the availability of AAA services, we recommend postponing service restarts until you have completed all changes. Configuring command authorization will also require service restarts.


Configuring Enable Authentication and Authorization

Cisco Secure ACS can authenticate enable passwords in one of three ways: by requiring the user's Cisco Secure user database PAP password, by authenticating the user and password against an external user database, or by using a separate enable password. Because command authorization involves authorizing commands with different enable privilege levels, you probably should use Cisco Secure ACS to authenticate enable passwords, thus centralizing enable authentication.


Tip On a per-user or per-group basis, you can configure Cisco Secure ACS to specify the highest privilege level allowed. Cisco Secure ACS can also apply different privilege level permissions per network device group.


This procedure provides only the steps for turning on enable authentication and authorization. Configuring the group profiles is detailed in later topics, when command authorization configuration is described.

To configure Cisco Secure ACS to authenticate enable passwords and authorize enable privileges, follow these steps:


Step 1 Select Interface Configuration > TACACS+ (Cisco IOS).

The TACACS+ (Cisco) page appears.

Step 2 Under Advanced Configuration Options, select the Advanced TACACS+ Features check box and click Submit.

In user profiles, Cisco Secure ACS displays the Advanced TACACS+ Features table, which provides a means of configuring enable level authorizations and password settings. In group profiles, Cisco Secure ACS displays the Enable Options table, which provides a means of configuring enable privilege authorizations at a group level.

Step 3 For each user you want to grant enable privileges to, follow these steps:

a. Access the user's profile in Cisco Secure ACS. To do so, click User Setup, type the username in the User box, and click Add/Edit.

b. In the Advanced TACACS+ Settings table, confirm that, under TACACS+ Enable Control, the Use Group Level Setting option is selected. If it is not, select it.

c. Under TACACS+ Enable Password, select the password option you want to implement. The default is to use a separate enable password, which provides stronger security than using the same password that grants the user basic network access; however, Cisco Secure ACS password-aging features do not support changing separate enable passwords.

User profiles for PIX Firewall administrators are now ready for enable password authentication. If you follow the topics of this chapter in order, you will perform the additional steps for group profile settings when you reach Creating Command Authorizations for Senior Administrators and Applying the Command Authorization Set to the Junior Administrators Group.


Note Until you configure group profiles to allow enable privileges, enable authentication does not permit PIX Firewall administrator access to commands with enable levels greater than zero.



Creating Command Authorizations for Senior Administrators

In this example, senior administrators are PIX Firewall administrators who should be permitted to use all commands. Because all commands are to be permitted, you can grant these permissions without using a shell command authorization set, as will be done later for junior administrators.


Note When configuring command authorization, you should always allow at least one PIX Firewall administrator to have full access to all commands. This safeguards against inadvertently locking yourself out of the PIX Firewall.


To assign full command access to senior administrators, follow these steps:


Step 1 Select Group Setup.

Step 2 From the Group list, select the group that you want to assign senior PIX Firewall administrators to.


Tip Select Rename Group, change the group name to Sr. PIX Admins, and click Submit. Later, you can find the group by its name rather than having to remember the number of the group you meant to assign senior PIX Firewall administrators to.


Step 3 Select Edit Settings.

The Group Settings page for the selected group appears.

Step 4 From the Jump To list, select TACACS+.

The browser scrolls to the TACACS+ Settings table on the Group Settings page.

Step 5 In the TACACS+ Settings table, find the Shell Command Authorization Set section.

Step 6 Under Shell Command Authorization Set, select Per Group Command Authorization.

Cisco Secure ACS will use the permissions created explicitly for this group rather than using a command authorization set.

Step 7 Under Unmatched Cisco IOS commands, select Permit.

Cisco Secure ACS will permit PIX Firewall administrators assigned to this group to use any command in a console or Telnet session.


Tip If you need to, you can further define specific commands that are to be denied. This method of defining command authorization is easiest when you want to permit the majority of commands. For the purposes of this example, however, all commands should be permitted.


Step 8 Permit enable privileges. To do so, follow these steps:

a. From the Jump To list, select Enable Options.

The browser scrolls to the Enable Options table on the Group Settings page.

b. Select the Max Privilege for any AAA Client option.

c. From the Max Privilege for any AAA Client list, select Level 15.

Cisco Secure ACS will permit PIX Firewall administrators assigned to this group all enable privileges on all AAA clients that they can access; however, command authorization determines whether a given command is allowed, regardless of whether the command enable level is permitted.

Step 9 Select Submit.

Cisco Secure ACS saves the group settings but will not enforce them until services are restarted. To maximize the availability of AAA services, we recommend postponing service restarts until you have completed all changes. Configuring command authorization for junior administrators will also require service restarts.


Command Authorization for Junior Administrators

In this example, junior administrators are PIX Firewall administrators who should be restricted to viewing the PIX Firewall configuration. You might want to allow such a limited set of commands to internal help desk employees who can investigate problems but should not effect changes to your network configuration.

This section contains the following topics:

Creating the Command Authorization Set for Junior Administrators

Applying the Command Authorization Set to the Junior Administrators Group

Creating the Command Authorization Set for Junior Administrators


Note Cisco Secure ACS supports command authorization of PIX Firewall commands using the Shell Command Authorization Sets feature and not the PIX Shell Command Authorization Sets feature, which requires that PIX Firewalls support a service called "pixshell". As of PIX 6.3, this service has not been implemented.


Cisco Secure ACS provides command authorization sets as a means of configuring sets of commands that can be applied to many user or group profiles. For this example, a basic set of commands is included in the authorization set. You can add or remove commands from a command authorization set as needed.

In this example, you will configure a command authorization set that permits the administrators it is assigned to only to view configuration details about the PIX Firewall. To do so, you will authorize a basic set of commands, including specific keywords for the show command, referred to as arguments in the Cisco Secure ACS HTML interface.

To create the shell command authorization set, follow these steps:


Step 1 Select Shared Profile Components > Shell Command Authorization Sets > Add.

The page for adding a shell command authorization set appears.

Step 2 In the Name box, type Jr. PIX Cmds.

Step 3 In the Description box, type For junior PIX administrators.

Step 4 For each row in Table 4-1, type the command in the box above the Add Command button and then click Add Command. If Table 4-1 includes arguments for the command, type them in the box below the Permit Unmatched Args check box.


Note Do not select the Permit Unmatched Args check box for any of the commands.


Table 4-1 Commands and Arguments

Command    Arguments
-------    --------------
show       permit curpriv
           permit version
           permit aaa
           permit config
enable     none
disable    none
quit       none
login      none
logout     none
help       none



Tip For the show command, the permit config argument permits both the running-config and the startup-config keywords on the PIX Firewall. This is because Cisco Secure ACS performs pattern matching for argument authorization. Because both running-config and startup-config contain the string config, Cisco Secure ACS will permit either, because permit config exists in the argument list for the show command. For the same reason, any other show argument that contains the string config is also permitted by this entry.


The commands appear in the command box. By clicking a command, you can see its arguments in the arguments box.

Step 5 Click Submit.

Cisco Secure ACS stores the set for use with user or group profiles. In Applying the Command Authorization Set to the Junior Administrators Group, you will associate this command set with the group that junior PIX Firewall administrators belong to.

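To show how the Jr. PIX Cmds set from Table 4-1 and the senior group's Permit-unmatched policy decide individual command lines, here is an added Python model of the authorization logic (example code written for this guide, not Cisco Secure ACS code). It assumes the argument matching described in the Tip is an unanchored pattern search, and all sample command lines are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """One command row of a shell command authorization set."""
    # Argument entries as (action, pattern). Patterns are searched unanchored,
    # which is the assumed model of how "permit config" matches both
    # running-config and startup-config in the Tip above.
    args: list = field(default_factory=list)
    permit_unmatched_args: bool = False   # the "Permit Unmatched Args" box


@dataclass
class ShellAuthzSet:
    rules: dict                           # command -> CommandRule
    unmatched_commands: str = "deny"      # "permit" models the senior group

    def authorize(self, line: str) -> bool:
        """Return True if the whole command line is permitted by this set."""
        words = line.split()
        if not words:
            return False
        rule = self.rules.get(words[0])
        if rule is None:                  # command is not in the set at all
            return self.unmatched_commands == "permit"
        for arg in words[1:]:
            verdict = next((a for a, p in rule.args if re.search(p, arg)), None)
            if verdict == "deny":
                return False
            if verdict is None and not rule.permit_unmatched_args:
                return False              # no row matched and box unchecked
        return True


# The "Jr. PIX Cmds" set exactly as listed in Table 4-1: only permit rows,
# Permit Unmatched Args left unchecked for every command.
JR_PIX_CMDS = ShellAuthzSet(rules={
    "show": CommandRule([("permit", "curpriv"), ("permit", "version"),
                         ("permit", "aaa"), ("permit", "config")]),
    "enable": CommandRule(), "disable": CommandRule(), "quit": CommandRule(),
    "login": CommandRule(), "logout": CommandRule(), "help": CommandRule(),
})

# The senior group: per-group authorization with unmatched commands permitted.
SR_PIX_ADMINS = ShellAuthzSet(rules={}, unmatched_commands="permit")


def junior_decisions(lines):
    """Map each constructed sample command line to the junior set's verdict."""
    return {line: JR_PIX_CMDS.authorize(line) for line in lines}


if __name__ == "__main__":
    for line, ok in junior_decisions([
        "show running-config", "show startup-config", "show aaa-server",
        "show interface", "enable", "enable 15", "configure terminal",
    ]).items():
        print(f"{'PERMIT' if ok else 'DENY  '} {line}")
```

Note that the constructed line show aaa-server is permitted by the permit aaa row for the same reason show running-config is permitted by permit config: the pattern only needs to occur somewhere in the argument.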

Applying the Command Authorization Set to the Junior Administrators Group


Note Cisco Secure ACS supports command authorization of PIX Firewall commands using the Shell Command Authorization Sets feature and not the PIX Shell Command Authorization Sets feature, which requires that PIX Firewalls support a service called "pixshell". As of PIX 6.3, this service has not been implemented.


After you have created the shell command authorization set in Creating the Command Authorization Set for Junior Administrators, you must associate it with the users or groups that you allow to use the commands specified in the set. In this example, we apply the set to a group.

To apply the shell command authorization set, follow these steps:


Step 1 Select Group Setup.

Step 2 From the Group list, select the group that you want to assign junior PIX Firewall administrators to.


Tip Select Rename Group, change the group name to Jr. PIX Admins, and click Submit. Later, you can find the group by its name rather than having to remember the number of the group you meant to assign junior PIX Firewall administrators to.


Step 3 Select Edit Settings.

The Group Settings page for the selected group appears.

Step 4 From the Jump To list, select TACACS+.

The browser scrolls to the TACACS+ Settings table on the Group Settings page.

Step 5 In the TACACS+ Settings table, find the Shell Command Authorization Set section.

Step 6 Under Shell Command Authorization Set, select Assign a Shell Command Authorization Set for any network device.

Step 7 From the Assign a Shell Command Authorization Set for any network device list, select Jr. PIX Cmds.

Cisco Secure ACS will use the shell command authorization set named "Jr. PIX Cmds" to determine command authorization for junior PIX Firewall administrators. You created the Jr. PIX Cmds set in Creating the Command Authorization Set for Junior Administrators.

Step 8 Permit enable privileges. To do so, follow these steps:

a. From the Jump To list, select Enable Options.

The browser scrolls to the Enable Options table on the Group Settings page.

b. Select the Max Privilege for any AAA Client option.

c. From the Max Privilege for any AAA Client list, select Level 15.

Cisco Secure ACS will permit PIX Firewall administrators assigned to this group all enable privileges on all AAA clients that they can access; however, command authorization determines whether a given command is permitted, regardless of whether the command enable level is permitted.

Step 9 Select Submit + Restart.

Cisco Secure ACS saves the group settings, restarts services, and begins enforcing the group settings. Cisco Secure ACS also begins enforcing changes to Network Configuration and to other groups made since the last service restart.


PIX Firewall TACACS+ Command Authorization Configuration

Command authorization using TACACS+ also requires that the administrator using Telnet to access the PIX Firewall console be authenticated with TACACS+; otherwise, Cisco Secure ACS would not know which user profile to use to determine the administrator's authorization. To enable TACACS+ authentication, use the aaa authentication command with the telnet, console, and enable keywords. To enable TACACS+ command authorization, use the aaa authorization command with the command keyword.

The following commands enable TACACS+ authentication for each console access method and enable command authorization on the PIX Firewall (one aaa authentication command per access method, using the server group defined earlier):

aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication serial console TACACS+
aaa authentication enable console TACACS+
aaa authorization command TACACS+