Sample Configuration Guide for Cisco Secure ACS and PIX Firewall
Inbound RADIUS AAA with Remote Cisco Secure ACS Administration

Inbound RADIUS AAA with Remote Cisco Secure ACS Administration


This chapter describes how to configure inbound RADIUS AAA to permit access to the Cisco Secure ACS HTML interface from computers outside the PIX Firewall. An inbound session is a session transiting the PIX Firewall from its outside interface to its inside interface, as shown in Figure 5-1. For more information about the example presented in this chapter, see Scenario.

This chapter contains the following topics:

Example Network

Scenario

Cisco Secure ACS Remote Administration Preparation

Configuring Access Policy

Inbound RADIUS Configuration

Cisco Secure ACS RADIUS Authentication Configuration

PIX Firewall RADIUS Server Configuration

PIX Firewall RADIUS Authentication Configuration

PIX Firewall RADIUS Accounting Configuration

Cisco Secure ACS RADIUS Accounting Configuration

Downloadable ACLs for Inbound RADIUS-based Access

Creating the Downloadable ACL Set

Applying the Downloadable ACL Set to a Group

PIX Firewall RADIUS Downloadable ACLs for Inbound RADIUS

Example Network

Figure 5-1 illustrates the network used for this example.

Figure 5-1 Example Network

Scenario

In this sample configuration—inbound RADIUS AAA with remote Cisco Secure ACS administration—the details presented enable a Cisco Secure ACS administrator to use a web browser on a computer in the 209.165.201.0 network to access the HTML interface of Cisco Secure ACS. Additionally, the administrator is first authenticated as a network user to determine whether the administrator has permission to open the TCP connection required to access the Cisco Secure ACS HTML interface.

For PIX Firewall to permit this, this sample configuration describes enabling inbound RADIUS AAA, including using downloadable ACLs, so that the administrator is authenticated by Cisco Secure ACS as a network user and assigned ACLs from Cisco Secure ACS that permit HTTP traffic from the 209.165.201.0 network to the TCP ports used by Cisco Secure ACS.

The sequence of events is as follows:

1. The Cisco Secure ACS administrator requests access to the Cisco Secure ACS HTML interface with a URL that uses the Cisco Secure ACS hostname. As with all new administrative session requests, this request is directed to port 2002 of the Cisco Secure ACS server.

2. PIX Firewall challenges the administrator for his network username and password.

3. The administrator responds with his network username and password.

4. PIX Firewall sends the username and password to Cisco Secure ACS, using RADIUS.

5. Cisco Secure ACS authenticates the username and password, determines the ACLs associated with the user, and returns an ACCESS-ACCEPT message to the PIX Firewall, along with the ACLs.

6. PIX Firewall applies the ACLs, determines that the administrator is permitted to access the HTML interface of Cisco Secure ACS, and so allows the original HTTP or HTTPS request to proceed.

7. Cisco Secure ACS responds with its login page.

8. The administrator enters his Cisco Secure ACS administrator name and password and submits the login request.

9. Cisco Secure ACS grants the administrative session, assigns the new session a random TCP port from the range of TCP ports it is configured to use, and returns the initial page to the browser. All links on the initial page use the new port number. All subsequent communication from the browser to Cisco Secure ACS is sent to the new port number.

10. Because the ACLs downloaded from Cisco Secure ACS permit all ports that Cisco Secure ACS might use for administrative sessions, the PIX Firewall permits all subsequent HTTP or HTTPS requests.

Cisco Secure ACS Remote Administration Preparation

With respect to the Cisco Secure ACS HTML interface, a remote administrative session is any administrative session using a browser that runs on a computer other than the computer running Cisco Secure ACS. For Cisco Secure ACS Solution Engine, all administrative sessions are remote sessions.

All remote sessions require a Cisco Secure ACS administrator name and password. Cisco Secure ACS also provides an IP address filtering feature for remote sessions. This feature enables you to permit or deny access to the HTML interface based on the IP address of the computer running the web browser.

In this sample configuration, the following aspects of administration control are addressed:

Administrator account—All remote sessions require a Cisco Secure ACS administrator name and password. This guide assumes that at least one administrator account with permissions to configure all groups and all features has been created. If the Cisco Secure ACS shown in Figure 5-1 is Cisco Secure ACS Solution Engine, the default administrator has these privileges and can be used.

IP address filtering—Disabled by default, this feature enables you to specify which IP addresses are allowed to access the Cisco Secure ACS HTML interface. While use of this feature is not required for remote access, this sample configuration recommends its use and provides steps for configuring it in Configuring Access Policy.

HTTP port range—By default, Cisco Secure ACS uses TCP ports 1024 to 65535 for administrative sessions. While narrowing this port range is not required for remote access, this sample configuration recommends doing so and provides an example range and steps for configuring it in Configuring Access Policy.

HTTP or HTTPS support—By default, Cisco Secure ACS uses HTTP for its administrative sessions. This sample configuration presents details for using either HTTP or HTTPS for accessing the Cisco Secure ACS HTML interface; however, it does not present details regarding certificate configuration, which is required before you can enable HTTPS.


Note Cisco Secure ACS certificate configuration is beyond the scope of this guide.


Configuring Access Policy

In the Administration Control section of the Cisco Secure ACS HTML interface, the Access Policy Setup page controls remote access to the HTML interface. This procedure provides steps for the following:

Specifying the IP addresses from which Cisco Secure ACS accepts requests for remote administration

Determining the range of TCP ports that Cisco Secure ACS uses for administrative sessions

Determining whether Cisco Secure ACS uses HTTP or HTTPS for administrative sessions

Before You Begin

Determine the largest possible number of concurrent administrative sessions that you need Cisco Secure ACS to support. This sample configuration assumes that no more than five administrators require access to Cisco Secure ACS at the same time.

For the number of concurrent administrative sessions that you need Cisco Secure ACS to support, select a TCP port range that does not include ports used by other applications and does not include port 2002, which is reserved by Cisco Secure ACS for new administrative session requests. This sample configuration uses TCP ports 2153 through 2157. This range of ports is considered unassigned by IANA; however, if you use Cisco Secure ACS for Windows Server, other applications installed on the Cisco Secure ACS server could use these TCP ports.

Cisco Secure ACS certificate configuration is beyond the scope of this guide. This sample configuration presents details for using either HTTP or HTTPS for accessing the Cisco Secure ACS HTML interface; however, it does not present details regarding certificate configuration, which is required before you can enable HTTPS.

To configure the Access Policy Setup page, follow these steps:


Step 1 Select Administration Control > Access Policy.

Step 2 Configure IP address filtering. To do so, follow these steps:


Note Using IP address filtering helps safeguard against unauthorized access attempts from the Internet shown in Figure 5-1.


a. In the IP Address Filtering table, select the Allow only listed IP addresses to connect option.

b. For each row in Table 5-1, type the IP addresses from the Start IP Address and End IP Address columns in the corresponding boxes in a row of the IP Address Ranges table in the HTML interface.

Table 5-1 IP Address Ranges

Start IP Address    End IP Address
209.165.201.1       209.165.201.255
10.1.1.1            10.1.1.255
192.168.3.1         192.163.3.255


Cisco Secure ACS allows administrative sessions only from web browsers run on computers with an IP address in the ranges specified.


Tip By default, Cisco Secure ACS sends the message "Invalid Administration Connection" when you attempt to access it from an IP address not in a permitted range. You can disable this message. To do so, select Administration Control > Session Policy and deselect the Respond to invalid IP address connections check box.


Step 3 Configure HTTP port allocation. To do so, follow these steps:

a. In the HTTP Configuration table, select the Restrict Administration Sessions to the following port range option.

Cisco Secure ACS assigns each concurrent administrative session a different TCP port number, randomly selected from the range defined by the From Port X to Port Y boxes.

b. In the From Port X box, type 2153.

c. In the to Port Y box, type 2157.

Step 4 Configure HTTP or HTTPS for administrative sessions. Do one of the following:

If you want to use HTTP for administrative sessions, under Secure Socket Layer Setup, deselect the Use HTTPS Transport for Administration Access check box.

If you want to use HTTPS for administrative sessions, under Secure Socket Layer Setup, select the Use HTTPS Transport for Administration Access check box.


Note If you have not completed server certificate and certification authority certificate configuration, Cisco Secure ACS does not permit HTTPS.


Step 5 Click Submit.
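The two settings this procedure configures, the IP address filter of Table 5-1 and the restricted administrative port range, can be checked before they are typed into the HTML interface. The following Python program is an added example; it is not part of this guide and not Cisco Secure ACS code. It models the two checks the procedure describes: whether a browser's source address lies inside one of the Start/End ranges, and whether a candidate From Port X/to Port Y range satisfies the constraints stated under Before You Begin (inside the default 1024 to 65535 range, excluding port 2002, and with at least one port per concurrent session, because Step 3 gives every session its own port). The end address of the third range is assumed to be 192.168.3.255, and the per-session port assignment is a simplified model of the behaviour described in Step 3.

```python
import ipaddress
import random

# Constructed from Table 5-1: address ranges allowed to reach the Cisco Secure
# ACS HTML interface. The third end address is an assumption (192.168.3.255);
# the guide's table prints 192.163.3.255, which does not match its start address.
ALLOWED_RANGES = [
    ("209.165.201.1", "209.165.201.255"),
    ("10.1.1.1", "10.1.1.255"),
    ("192.168.3.1", "192.168.3.255"),
]

NEW_SESSION_PORT = 2002                              # reserved for new session requests
DEFAULT_PORT_MIN, DEFAULT_PORT_MAX = 1024, 65535     # ACS default administrative port range


def ip_allowed(client_ip, ranges=ALLOWED_RANGES):
    """Mirror the 'Allow only listed IP addresses to connect' option:
    True when client_ip lies inside at least one Start/End range (inclusive)."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(
        ipaddress.IPv4Address(start) <= addr <= ipaddress.IPv4Address(end)
        for start, end in ranges
    )


def check_port_range(port_x, port_y, concurrent_sessions):
    """Validate a 'From Port X to Port Y' range against the guide's constraints.
    Returns a list of problems; an empty list means the range is acceptable."""
    problems = []
    if port_x > port_y:
        problems.append("Port X must not be greater than Port Y")
    if port_x < DEFAULT_PORT_MIN or port_y > DEFAULT_PORT_MAX:
        problems.append(f"range must lie within {DEFAULT_PORT_MIN}-{DEFAULT_PORT_MAX}")
    if port_x <= NEW_SESSION_PORT <= port_y:
        problems.append(f"range must not include port {NEW_SESSION_PORT}")
    size = port_y - port_x + 1
    if size < concurrent_sessions:
        problems.append(
            f"range holds {size} port(s) but {concurrent_sessions} concurrent sessions need one each"
        )
    return problems


def assign_session_port(active_ports, port_x, port_y):
    """Simplified model of Step 3: each new administrative session receives a
    randomly chosen port from the range that no other active session is using.
    Returns None when every port in the range is already taken."""
    free = [p for p in range(port_x, port_y + 1) if p not in active_ports]
    return random.choice(free) if free else None


if __name__ == "__main__":
    for ip in ("209.165.201.50", "10.1.1.7", "209.165.202.50"):
        print(f"{ip:>16}: {'allowed' if ip_allowed(ip) else 'rejected'}")
    for lo, hi in ((2153, 2157), (2000, 2004), (2153, 2155)):
        print(f"ports {lo}-{hi}: {check_port_range(lo, hi, 5) or 'ok'}")
    active = set()
    while (port := assign_session_port(active, 2153, 2157)) is not None:
        active.add(port)
    print(f"sessions served before the range is exhausted: {len(active)}")
```

Running the script shows why the guide ties the size of the port range to the number of concurrent administrators: with ports 2153 through 2157 the sixth simultaneous session finds no free port, and a range that includes 2002 or falls below 1024 is reported as invalid before it is ever submitted.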


Inbound RADIUS Configuration

Inbound RADIUS authentication is very similar to outbound RADIUS authentication. The distinction is that inbound RADIUS authentication enforces authentication for users outside the PIX Firewall who request a session with a computer inside the PIX Firewall. Many of the configuration steps are shared with the outbound RADIUS configuration already described in "Outbound RADIUS AAA". This section assumes that you completed the outbound RADIUS configuration described in "Outbound RADIUS AAA".

This section contains the following topics:

Cisco Secure ACS RADIUS Authentication Configuration

PIX Firewall RADIUS Server Configuration

PIX Firewall RADIUS Authentication Configuration

PIX Firewall RADIUS Accounting Configuration

Cisco Secure ACS RADIUS Accounting Configuration

Cisco Secure ACS RADIUS Authentication Configuration

The Cisco Secure ACS RADIUS configuration specified in Cisco Secure ACS Configuration for Outbound RADIUS Accounting also enables Cisco Secure ACS to support requests for inbound RADIUS authentication. No additional Cisco Secure ACS configuration is needed.

PIX Firewall RADIUS Server Configuration

The PIX Firewall RADIUS server configuration specified in PIX Firewall AAA Server Configuration for Outbound RADIUS also provides the RADIUS server definition needed for inbound RADIUS authentication. No additional PIX Firewall RADIUS server configuration is needed.

PIX Firewall RADIUS Authentication Configuration

To enable RADIUS authentication on the PIX Firewall, use the aaa authentication command. This example makes use of the AAA server group named RADIUS, configured in PIX Firewall AAA Server Configuration for Outbound RADIUS.


Note Enabling RADIUS authentication automatically enables RADIUS authorization. This is because of the design of the RADIUS protocol. When you use RADIUS, you cannot separate the functions of authentication and authorization.


The following command enables RADIUS authentication specifically for TCP requests on port 2002 from any computer on the 209.165.201.0 network to Cisco Secure ACS on the inside interface of the PIX Firewall. The local address 10.1.1.12 with mask 255.255.255.255 matches only the Cisco Secure ACS host; the foreign address 209.165.201.0 with mask 255.255.255.0 matches every host on the administrator's network. The final keyword, RADIUS, specifies the AAA server group created in PIX Firewall AAA Server Configuration for Outbound RADIUS.

aaa authentication include tcp/2002 outside 10.1.1.12 255.255.255.255 209.165.201.0 255.255.255.0 RADIUS

The service is specified as tcp/2002 because Cisco Secure ACS accepts new HTTP and HTTPS session requests only on port 2002 and not on ports 80 or 443, which the PIX Firewall keywords http and https correspond to, respectively.

PIX Firewall RADIUS Accounting Configuration

To enable RADIUS accounting of all TCP services, use the aaa accounting command. The following command causes the PIX Firewall to send RADIUS accounting packets for RADIUS-authenticated inbound sessions to the AAA server group named "RADIUS".

aaa accounting include any outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 RADIUS

Cisco Secure ACS RADIUS Accounting Configuration

The Cisco Secure ACS RADIUS accounting configuration specified in Cisco Secure ACS Configuration for Outbound RADIUS Authentication also enables Cisco Secure ACS to support inbound RADIUS accounting. No additional Cisco Secure ACS configuration is required.

It is possible, however, that the attributes logged for inbound sessions should differ, depending upon your security and auditing requirements. Should this be the case, follow the steps in Cisco Secure ACS Configuration for Outbound RADIUS Authentication.

Downloadable ACLs for Inbound RADIUS-based Access

While RADIUS authentication permits the user basic access to the network, it is the ACLs assigned to the user that specifically permit access to the ports used by Cisco Secure ACS for administrative sessions. In "ACLs with RADIUS", three methods for creating and assigning ACLs to a user are described. This example describes only the downloadable ACL approach; however, the other two methods, RADIUS specification of named ACLs and RADIUS ACLs using the Cisco AV Pair, would work as well.

This section contains the following topics:

Creating the Downloadable ACL Set

Applying the Downloadable ACL Set to a Group

PIX Firewall RADIUS Downloadable ACLs for Inbound RADIUS

Creating the Downloadable ACL Set

In this example, the ACLs required to limit access to the Cisco Secure ACS server are given. You can add or remove ACLs from a downloadable ACL set as needed.

To create the downloadable ACL set, follow these steps:


Step 1 Make sure the downloadable IP ACL feature is enabled. To do so, follow these steps:

a. Click Interface Configuration and then click Advanced Options.

b. Select the Group-Level Downloadable ACLs check box.

c. Click Submit.

Where applicable, the Cisco Secure ACS HTML interface displays features related to downloadable IP ACLs.

Step 2 Click Shared Profile Components followed by Downloadable IP ACLs, and then click Add.

The page for adding a downloadable ACL set appears.

Step 3 In the Name box, type Remote ACS Access.

Step 4 In the Description box, type Permits access to the ACS server.

Step 5 In the ACL Definitions box, type the following. The PIX Firewall applies a downloaded ACL to the authenticated user's own traffic, so the source is the administrator's 209.165.201.0 network (mask 255.255.255.0) and the destination is the Cisco Secure ACS host 10.1.1.12 (mask 255.255.255.255); the two entries cover the new-session port 2002 and the administrative session port range configured in Configuring Access Policy:

permit tcp 209.165.201.0 255.255.255.0 10.1.1.12 255.255.255.255 eq 2002
permit tcp 209.165.201.0 255.255.255.0 10.1.1.12 255.255.255.255 range 2153 2157

Step 6 Click Submit.

Cisco Secure ACS saves the downloadable ACL set. You can apply it by name to group or user profiles.
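To see what the downloadable ACL set actually permits once the PIX Firewall installs it, the following Python program is an added example; it is not part of this guide and not Cisco Secure ACS or PIX Firewall code. It parses the two entries in the PIX Firewall's subnet-mask ACL syntax and evaluates constructed sample connections against them with first-match semantics and an implicit deny at the end, which is how an access list on the PIX Firewall is evaluated. The entries are written with the administrator's network as the source and the Cisco Secure ACS host as the destination, on the assumption that the PIX Firewall applies the downloaded ACL to the authenticated user's traffic.

```python
import ipaddress

# Constructed: the "Remote ACS Access" downloadable ACL set in PIX Firewall
# form (subnet masks, not wildcard masks). Source = administrator's network,
# destination = Cisco Secure ACS host (assumption: the PIX Firewall applies
# the downloaded ACL to the authenticated user's own traffic).
REMOTE_ACS_ACCESS = """\
permit tcp 209.165.201.0 255.255.255.0 10.1.1.12 255.255.255.255 eq 2002
permit tcp 209.165.201.0 255.255.255.0 10.1.1.12 255.255.255.255 range 2153 2157
"""


def _parse_ports(tokens):
    """Translate an 'eq N' or 'range N M' qualifier into an inclusive (lo, hi)
    tuple; no qualifier means any destination port."""
    if not tokens:
        return None
    if tokens[0] == "eq" and len(tokens) == 2:
        port = int(tokens[1])
        return (port, port)
    if tokens[0] == "range" and len(tokens) == 3:
        return (int(tokens[1]), int(tokens[2]))
    raise ValueError(f"unsupported port qualifier: {' '.join(tokens)}")


def parse_acl(text):
    """Parse 'permit|deny proto src src_mask dst dst_mask [eq N | range N M]'
    lines into (action, proto, src_net, dst_net, ports) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if len(tokens) < 6 or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"malformed ACL entry: {line!r}")
        action, proto = tokens[0], tokens[1]
        # IPv4Network accepts (address, netmask); strict=False tolerates host bits
        src = ipaddress.IPv4Network((tokens[2], tokens[3]), strict=False)
        dst = ipaddress.IPv4Network((tokens[4], tokens[5]), strict=False)
        entries.append((action, proto, src, dst, _parse_ports(tokens[6:])))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port):
    """First matching entry decides. No match means 'deny': an access list ends
    with an implicit deny, so anything the set does not name is blocked."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, entry_proto, src_net, dst_net, ports in entries:
        if entry_proto not in (proto, "ip"):
            continue
        if src not in src_net or dst not in dst_net:
            continue
        if ports is not None and not (ports[0] <= dst_port <= ports[1]):
            continue
        return action
    return "deny"


if __name__ == "__main__":
    acl = parse_acl(REMOTE_ACS_ACCESS)
    # Constructed sample connections from the scenario: the new-session request,
    # a follow-up request on an assigned session port, and traffic the set must
    # not permit (wrong port, wrong destination host, wrong source network).
    samples = [
        ("tcp", "209.165.201.7", "10.1.1.12", 2002),
        ("tcp", "209.165.201.7", "10.1.1.12", 2155),
        ("tcp", "209.165.201.7", "10.1.1.12", 80),
        ("tcp", "209.165.201.7", "10.1.1.13", 2002),
        ("tcp", "209.165.202.7", "10.1.1.12", 2002),
    ]
    for proto, s, d, port in samples:
        print(f"{proto} {s} -> {d}:{port}: {evaluate(acl, proto, s, d, port)}")
```

The output makes the scope of the set concrete: only TCP from the 209.165.201.0 network to 10.1.1.12 on port 2002 or on 2153 through 2157 is permitted, so a request to port 80 on the same host, to a neighbouring host, or from an address outside the administrator's network is dropped by the implicit deny. If the port range in Configuring Access Policy is later widened, the second entry must be changed to match or the new session ports will be blocked.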


Applying the Downloadable ACL Set to a Group

After you have created the downloadable ACL set in Creating the Downloadable ACL Set, you must associate it with the group that contains the users who are also Cisco Secure ACS administrators. This procedure provides the steps to do so.

To apply the downloadable ACL set, follow these steps:


Step 1 Click Group Setup.

Step 2 From the Group list, select the group to which you want to assign users who are also Cisco Secure ACS administrators.


Tip Select Rename Group, change the group name to ACS Admins, and click Submit. Later, you can find the group by its name rather than having to remember the number of the group to which you assigned the administrators.


Step 3 Select Edit Settings.

The Group Settings page for the group selected appears.

Step 4 From the Jump To list, select Downloadable ACLs.

The browser scrolls to the Downloadable ACLs table on the Group Settings page.

Step 5 In the Downloadable ACLs table, select the Assign IP ACL check box.

Step 6 From the Assign IP ACL list, select Remote ACS Access.

Cisco Secure ACS uses the downloadable ACL set named "Remote ACS Access" to send ACLs to the PIX Firewall when members of the ACS Admins group authenticate. You created the Remote ACS Access set in Creating the Downloadable ACL Set.

Step 7 Select Submit + Restart.

Cisco Secure ACS saves the group settings, restarts services, and begins enforcing the group settings.


PIX Firewall RADIUS Downloadable ACLs for Inbound RADIUS

Aside from enabling RADIUS authentication, as shown in PIX Firewall Configuration for Outbound RADIUS Authentication, downloadable ACLs require no further configuration on the PIX Firewall. Provided that RADIUS authentication is configured correctly on the PIX Firewall, the PIX Firewall applies them automatically.

The result is that remote administration requests from the 209.165.201.0 network are authorized on the port range you configured in Cisco Secure ACS.

For information about how PIX Firewall interprets and applies downloadable ACLs, see the configuration guide for your PIX Firewall.