User Guide for Cisco Security MARS Local and Global Controllers, Release 6.x
Authenticating MARS Accounts with External AAA Server

Table Of Contents

Authenticating MARS Accounts with External AAA Servers

Information About Authenticating MARS User Accounts with External AAA Servers

Supported AAA Protocols and Servers

Configuration Overview

Summary of MARS Appliance AAA Configuration Tasks

Summary of AAA Server Configuration Tasks

Global Controller Considerations with External AAA Servers

Failed Authentication Lockout (Login Failure)

System Events related to Authentication and Login Attempts

System Reports and Rules Related to Authentication Method

System Reports

System Rules

Procedure for First-time Configuration of MARS AAA Feature

Edit an External AAA Server

Delete an External AAA Server

Unlock an Account after Login Failure


Authenticating MARS Accounts with External AAA Servers


Revised: April 5, 2007

External Authentication, Authorization, and Auditing (AAA) servers can act as the authentication mechanism for MARS Appliance GUI logins (username and password). This permits authentication and centralized password management for all MARS Appliances.

Table 14-1 Feature History for MARS Appliance AAA Authentication Method 

Release
Modification

4.3.1 and 5.3.1

This feature was introduced.


This chapter describes the Authentication, Authorization and Accounting (AAA) feature for the MARS Appliances and includes the following sections:

This chapter contains the following topics:

Information About Authenticating MARS User Accounts with External AAA Servers

Procedure for First-time Configuration of MARS AAA Feature

Edit an External AAA Server

Delete an External AAA Server

Unlock an Account after Login Failure

Information About Authenticating MARS User Accounts with External AAA Servers

The administrator can configure MARS to authenticate GUI login attempts with an external AAA server, or with the default method of authenticating to the appliance's local database.

This section contains the following topics:

Supported AAA Protocols and Servers

Configuration Overview

Global Controller Considerations with External AAA Servers

Failed Authentication Lockout (Login Failure)

System Events related to Authentication and Login Attempts

System Reports and Rules Related to Authentication Method

Supported AAA Protocols and Servers

The AAA protocol used by MARS is a basic Remote Authentication Dial In User Service (RADIUS) protocol. The supported external RADIUS servers are as follows:

Cisco Secure Access Control Server (ACS) for UNIX

Cisco Secure Access Control Server (ACS) for Windows

Microsoft Internet Authentication Service (IAS) Server

Juniper Steel belted RADIUS

Configuration Overview

The following overview describes the Local Controller. Global Controller differences are discussed in the section "Global Controller Considerations with External AAA Servers" section.

Summary of MARS Appliance AAA Configuration Tasks

1. Create user accounts on the MARS Appliances.

On each MARS Appliance to which a user must have access, the MARS administrator must create a user account for that user (contact information, group permissions and role). The account can be created on the Local Controller or on a Global Controller and pushed to the Local Controller.

2. Configure all MARS Appliances to use AAA authentication method.

Each MARS Appliance must be individually configured to run the AAA authentication method. From the AAA Configuration page (Admin > System Setup > Authentication Configuration ), manually add external AAA servers in a procedure similar to that of adding a software security application on a new host.

Up to three AAA servers can be selected for AAA server authentication. They are named the primary, secondary, and tertiary servers, which signifies their rank in the AAA server failover sequence.


Note When the administrator changes the MARS authentication method from Local to AAA, all passwords from accounts other than administrator, are deleted from the local user profiles. When changing from AAA to Local, the MARS administrator must recreate passwords for each local account.


When the MARS Appliance operates with the AAA authentication method, every login except the administrator accounts are authenticated by the external AAA server.

All authentication method changes, successful logins, and failed logins are captured as event messages.

Summary of AAA Server Configuration Tasks

1. Configure the MARS Appliance as an AAA client of the AAA server.

2. The AAA server administrator must create the MARS user accounts in the external AAA servers to provide only login name/password authentication for each MARS user.

See the user guide of your AAA server for details.

Global Controller Considerations with External AAA Servers

The following constraints and recommendations pertain to using the AAA authentication method with a Global Controller:

Global and Local Accounts for the Same User

Using the Local authentication method, a user can have two accounts with the same login name and different passwords on a single appliance, for example, global:person1 created on the Global Controller and pushed to the Local Controller and local:person1 created on the Local Controller. Because the AAA server has only one password per login name, do the following to maintain the Local method functionality with the AAA method:

Use the same password for both the global and local accounts.

Use different AAA servers to authenticate the global and local login names.

Changing Global Controller to AAA Authentication Method

Configuring AAA Authentication Method on a Global Controller is similar to configuring AAA on a Local Controller, except that AAA servers cannot be added, edited or deleted on a Global Controller. The list of available AAA server names in the GUI is populated from the Local Controllers reporting to the Global Controller. The hostname of the reporting Local Controller is prepended to the AAA server name. The Global Controller should use an AAA server from the closest Local Controller on the network.

Use the same Authentication Method for all Global and Local Controllers

To avoid login problems, the optimal scenario is to have all Local Controller and Global Controllers use the same authentication method, either all Local or all AAA. For example, when a Global Controller uses AAA method, and a Local Controller uses Local method, any global user accounts pushed to the Local Controller will not have passwords. Any login attempt by the global user to that Local Controller fails until the administrator configures a password for the global account.

Setup accounts for Global Controller Users in all AAA servers used by Local Controllers

When a Global Controller and a Local Controller use different AAA servers for authentication the Global Controller login name and password must be configured in one of the Local Controller's AAA servers or the Global Controller user cannot log in to the Local Controller.

Deleting AAA servers on Local Controllers

If a Local Controller deletes the AAA server in use by a Global Controller, the Global Controller is automatically switched to Local authentication. To reestablish AAA authentication for the Global Controller, the administrator must reconfigure the Global Controller to AAA authentication method and select another AAA server.

Just before a Local Controller being deleted from a Global Controller, a warning message appears if it is the Local Controller with the AAA server to which the Global Controller authenticates.

Unlocking Accounts

Unlocking is not replicated through Global Controller-Local Controller communications, it applies only to the local appliance. An account locked on a Global Controller does not replicate the locked status to global accounts on Local Controllers. A global account locked on two different appliances must be unlocked manually on each appliance.

Failed Authentication Lockout (Login Failure)

For both Local or AAA authentication methods, GUI access is prevented (locked) for an account upon login failure, which occurs when a specified number of incorrect password entries are made for a single login name.

The maximum number of password attempts before locking is set by the Maximum Login Failures parameter in the Account Lockout Policy box of the AAA configuration page (Admin > System Setup > Authentication Configuration ). The default setting is 5 attempts. By setting the Account Lockout Policy to Never Lock, the administrator can disable GUI locking for all accounts, but not specific accounts.

The count of incorrect attempts before login failure clears only when a successful login occurs, it does not age out. For example, if a user performs two incorrect password attempts then quits for the day, they must succeed on the first attempt the next morning or the account will be locked. A running session does not terminate if a login failure occurs for the same user account attempting to open another session, but the account will be locked to all future login attempts.

Once locked, an account must be unlocked by the MARS administrator. The Admin > User Management page of the GUI displays locked accounts. The Status column indicates if the account is active, locked or password expired. An administrator can unlock accounts from the User Management page by selecting the accounts and clicking Unlock.


Note An account password expires when the authentication method is changed from Local to AAA then back to Local, because the initial change from Local to AAA erased all the passwords of the non-administrative local accounts. The passwords must be reset by editing each account from the User Management page.


The CLI access through the console or through SSH is never locked. The unlock CLI command can unlock GUI access for some or all accounts. This is the recourse when the administrator is locked out from the GUI. For information on the unlock command, see the Cisco Security MARS Command Reference.

System Events related to Authentication and Login Attempts

Table 14-2 lists events triggered by Local and AAA authentication method actions.

Table 14-2 MARS AAA-related Events 

Event
Raw Messages

CS-MARS admin user login success

GUI Raw message:% MARS-3-400001 CS-MARS GUI login successful for admin user 'username(CS_MARS_LC)@LC42' from: <src-ip> using local authentication

GUI Raw message: % MARS-3-400001 CS-MARS GUI login successful for admin user 'username(CS_MARS_GC)@GC41' from: <src-ip> using AAA authentication at server: <aaa-ip>

CS-MARS admin user login failure

GUI Raw message: %MARS-2-400002 CS-MARS GUI login failure for admin user 'username(CS_MARS_LC)@LC42' from: <src-ip> using local authentication

GUI Raw message: %MARS-2-400002 CS-MARS GUI login failure for admin user 'username(CS_MARS_LC)@LC42' from: <src-ip> using AAA, reason: user information is not verified in local DB

GUI Raw message: %MARS-2-400002 CS-MARS GUI login failure for admin user 'username(CS_MARS_GC)@GC41' from: <src-ip> using AAA authentication at server: <aaa-ip>, reason: invalid user or password

CS-MARS non-admin user login success

GUI Raw message: %MARS-3-400003 CS-MARS GUI login successful for non-admin user 'username(CS_MARS_LC)@LC42' from: <src-ip> using local authentication"

GUI Raw message: %MARS-3-400003 CS-MARS GUI login successful for non-admin user 'username(CS_MARS_GC)@GC41' from: <src-ip> using AAA authentication at server: <aaa-ip>

CS-MARS non-admin user login failure

GUI Raw message: %MARS-2-400004 CS-MARS GUI login failure for non-admin user 'username(CS_MARS_LC)@LC42' from: <src-ip> using local authentication

GUI Raw message: %MARS-2-400004 CS-MARS GUI login failure for non-admin user 'username(CS_MARS_LC)@LC42' from: <src-ip> using AAA authentication, reason: user information is not verified in local DB

GUI Raw message: %MARS-2-400004 CS-MARS GUI login failure for non-admin user 'username(CS_MARS_GC)@GC41' from: <src-ip> using AAA authentication at server: <aaa-ip>, reason: invalid user or password

CS-MARS failed to connect to AAA server

GUI Raw message: %MARS-2-400005 CS-MARS GUI failed to connect to AAA server at: <aaa-ip> for authenticating admin user 'username(CS_MARS_LC)@LC42', reason: <reason-string>

GUI Raw message: %MARS-2-400005 CS-MARS GUI failed to connect to AAA server at: <aaa-ip> for authenticating non-admin user 'username(CS_MARS_LC)@LC42', reason: <reason-string>

CS-MARS pnadmin user password changed

GUI raw message: %MARS-2-401001 CS-MARS 'pnadmin(CS_MARS_LC)@LC42' user password has changed from GUI at <src-ip>

CLI raw message: %MARS-2-401001 CS-MARS 'pnadmin(CS_MARS_LC)@LC42' user password has changed from CLI at <src-ip>

CS-MARS pnadmin user password remains default

raw message: '%MARS-2-401002 CS-MARS 'pnadmin(CS_MARS_LC)@LC42' user password remains default for the past 24 hours

CS-MARS admin user account locked

Raw message: %MARS-2-402001 CS-MARS locked admin user account 'username(CS_MARS_LC)@LC42' after <number> login failures. The current login attempt originated from: <src-ip> with local authentication

Raw message: %MARS-2-402001 CS-MARS locked admin user account 'username(CS_MARS_LC)@LC42' after <number> login failures. The current login attempt originated from: <src-ip> with AAA authentication at server: <aaa-ip>

Raw message: %MARS-2-402001 CS-MARS locked admin user account 'username(CS_MARS_LC)@LC42' after <number> login failures. The current login attempt originated from: <src-ip> with AAA authentication but failed in local user verification

CS-MARS admin user account unlocked

GUI Raw message: %MARS-3-402003 CS-MARS unlocked admin user account 'username(CS_MARS_LC)@LC42' from GUI by admin user 'adminuser(CS_MARS_LC)@LC42' while logged in from: <src-ip>

CLI Raw message: %MARS-3-402003 CS-MARS unlocked admin user account 'username(CS_MARS_LC)@LC42' from CLI by admin user 'pnadmin(CS_MARS_LC)@LC42' while logged in from: <src-ip>

CS-MARS non-admin user account unlocked

Raw message: %MARS-2-402002 CS-MARS locked non-admin user account 'username(CS_MARS_LC)@LC42' after <number> login failures. The current login attempt originated from: <src-ip> with local authentication

Raw message: %MARS-2-402002 CS-MARS locked non-admin user account 'username(CS_MARS_LC)@LC42' after <number> login failures. The current login attempt originated from: <src-ip> with AAA authentication at server: <aaa-ip>

Raw message: %MARS-2-402002 CS-MARS locked non-admin user account 'username(CS_MARS_LC)@LC42' after <number> login failures. The current login attempt originated from: <src-ip> with AAA authentication but failed in local user verification

CS-MARS unlocked all accounts

CLI raw message: %MARS-3-402005 CS-MARS unlocked all accounts while logged in from: <src-ip>

CS-MARS Authentication method changed from Local to AAA

GUI raw message: %MARS-2-403001 CS-MARS Authentication method was changed from Local to AAA by admin user 'username(CS_MARS_LC)@LC42' while logged in from: <src-ip>

CS-MARS Authentication method changed from AAA to Local

GUI raw message: %MARS-2-403002 CS-MARS Authentication method was changed from AAA to Local by admin user 'username(CS_MARS_LC)@LC42' while logged in from: <src-ip>'


System Reports and Rules Related to Authentication Method

For descriptions of MARS reports and rules, please see Appendix E, "System Rules and Reports."

System Reports

The following six reports disclose authentication events. All the reports are custom column, run on-demand only, with a time range of 1 day.

Activity: CS-MARS Login Failures

Activity: CS-MARS Successful Logins

Activity: CS-MARS Accounts Locked

Activity: CS-MARS Accounts Unlocked

Activity: CS-MARS Authentication Method Modifications

Activity: CS-MARS pnadmin User Password Status

System Rules

The following three rules capture authentication method configuration actions:

System Rule: CS-MARS Authentication Method Modified - AAA to Local

System Rule: CS-MARS Login Failures - Admin User

System Rule: CS-MARS Login Failures - Non-Admin User

The following system rule is triggered depending on how events are grouped:

System Rule: Vulnerable Host Found (Event: CS-MARS pnadmin user password remains default)

Because MARS login successes and failures are grouped into event groups the following rules could fire if a MARS Local Controller is also the target of attacks described in each of the following rules:

System Rule: Local Attack - Attempt

System Rule: Local Attack - Success Likely

System Rule: Password Attack: System - Attempt

System Rule: Password Attack: System - Success Likely

System Rule: Password Attack: System - Success Likely

Login events groups—Info/SuccessfulLogin/System/Root, Info/SuccessfulLogin/System/Non-root, Penetrate/GuessPassword/System/Root and Penetrate/GuessPassword/System/Non-root

Procedure for First-time Configuration of MARS AAA Feature

This procedure demonstrates a first-time configuration of AAA Authentication method for a MARS Appliance.

Summary of steps:

1. Add a new external AAA Server

2. Select AAA Authentication

3. Configure Account Lockout Policy (optional)

Before You Begin

The following prerequisites are required to configure the AAA authentication method:

User profiles created in each MARS Appliance (role and contact involver each intended user)

MARS configured as an AAA client on the external AAA server


Tip For the Cisco Secure ACS, MARS must be configured as an AAA client. You may choose any vendor-specific attribute (VSA) configuration that uses port 1812 as an authentication port and port 1813 as an accounting port. We recommend the Cisco VPN3000/ASA/PIX 7.x+ VSA. For further information see the User Guide for Cisco Secure Access Control Server 4.1.


MARS user accounts created in the external AAA server to provide only login name/password authentication


Note The MARS Appliance login name is case-sensitive, the Cisco Secure ACS User Setup username is not. For example, the MARS login names Victor, victor, and VICTOR will match the Cisco Secure ACS username "victor." Thus, three MARS users could share the same password. We recommend that there be a one-to-one correspondence of MARS login names to Cisco Secure ACS usernames.


(Local Controller only) AAA server configuration information required by MARS as follows:

Access and Reporting IP addresses

Interface addresses

Shared secret string

Authentication port (default is 1812)

Accounting port (default is 1813)

To configure the MARS AAA Feature, follow these steps:


Step 1 Click the Admin tab to navigate to System Setup page.

Figure 14-1 Admin > System Setup Page

Step 2 Click Authentication Configuration to display the AAA configuration page, as shown in Figure 14-2.

If you are configuring a Global Controller, please skip to Step 10.

Figure 14-2 AAA Configuration Page

Add an external AAA Server

Step 3 Click Add in the AAA Server Configuration box.

The Add Reporting Device page appears, as shown in Figure 14-3.

Figure 14-3 Add Reporting Device Page

Step 4 Type in the configuration information and click Next.

The reporting application dialog appears as shown in Figure 14-4.

The usage guidelines for the configuration fields are equivalent to those for adding a monitoring device.


Note The Done and Apply buttons are used when editing a configuration, not in a first-time configuration. Clicking Done returns you to the AAA Configuration page.


Figure 14-4 Reporting Application Dialog

Step 5 Select Generic AAA Server and then click Add.

The AAA Server Configuration pop-up window appears, as shown in Figure 14-5.

Figure 14-5 AAA Server Configuration Pop-up Window

Step 6 Enter AAA Server configuration information.

The default authentication and authorization port is 1812.

The default accounting port is 1813.

Step 7 Click Test Connectivity.

A pop-up window appears for success or failure, as shown in Figure 14-6 and Figure 14-7.


Note The AAA Server Configuration field values are provided by the AAA server administrator.


Figure 14-6 Connectivity Succeeds Pop-up Window

Figure 14-7 Connectivity Fails Pop-up Window

Step 8 If the connectivity test succeeds, enter any User Name and Password configured for MARS on the AAA server and click Submit to verify that the added external AAA server correctly authenticates you to the MARS account.

You are returned to the AAA Configuration Page, as shown in Figure 14-2.

If the connectivity fails, you are returned to the AAA Server Configuration Pop-up Window, as shown in Figure 14-5. Troubleshoot the AAA server connection until connectivity succeeds.

Step 9 Add Secondary or Tertiary AAA servers per your administrative requirements.

Select AAA Authentication

Step 10 In the Authentication Method box of the AAA Configuration Page, click the AAA Server radio button, and select your primary AAA server from the drop-down list. Select secondary and tertiary servers as appropriate to your network.

If you are configuring a Global Controller, select the AAA server closest to the Global Controller.

Figure 14-8 Select Newly-added AAA Server From Drop-down List

Configure Account Lockout Policy (optional)

In the Account Lockout Policy box, configure the maximum login failures threshold, or click the Never Lock radio button.

Figure 14-9 Maximum Login Failure Parameter

Step 11 Click Submit.

When the authentication method is changed from Local to AAA Server, all user passwords are removed from the MARS local database (except administrators). If you change the authentication method back to Local from AAA Server, you must reconfigure all the user passwords with the MARS GUI (Management > User Management).

When the MARS authentication is set to AAA server mode, user passwords can not be added or edited on the MARS User Management page.

End of Procedure for First-time Configuration of MARS AAA Feature.


Edit an External AAA Server


Step 1 Click the Admin tab to navigate to System Setup page.

Step 2 Click Authentication Configuration to display the AAA configuration page, as shown in Figure 14-2.

Step 3 In the AAA Server Configuration box, select the external AAA Server to edit.

Step 4 Click Edit. The Edit Server page appears, as shown in Figure 14-10.

Figure 14-10 Edit Server Page

Step 5 Click the checkbox of the Device Type to change then click Edit. The Server Configuration pop-up window appears, as shown in Figure 14-5.

Step 6 Make changes, click Test Connectivity.

Step 7 If the connectivity test succeeds, enter your User Name and Password and click Submit to verify that the added external AAA server correctly authenticates you to your MARS account.

You are returned to the AAA Configuration Page, as shown in Figure 14-2.

If the connectivity fails, you are returned to the AAA Server Configuration Pop-up Window, as shown in Figure 14-5. Troubleshoot the AAA server connection until connectivity succeeds.

Step 8 Click Submit. You are returned to AAA configuration page.

End of Edit an External AAA Server.


Delete an External AAA Server


Step 1 Click the Admin tab to navigate to System Setup page.

Step 2 Click Authentication Configuration to display the AAA configuration page, as shown in Figure 14-2.

Step 3 In the AAA Server Configuration box, select the external AAA Server to delete.

Step 4 Click Delete. A delete confirmation pop-up window appears, as shown in Figure 14-11.

Figure 14-11 Server Delete Confirmation

Step 5 Click Submit. You are returned to AAA configuration page.

If the AAA server deleted is a primary server used by a Global Controller, The Global Controller automatically switches to the Local authentication method and the administrator must reconfigure the Global Controller to AAA method and select another AAA server as required.

End of Delete an External AAA Server.


Unlock an Account after Login Failure

The following procedure details the steps required to unlock a non-administrative Local Controller or Global Controller account. To unlock an administrative account, use the unlock CLI command, as described in the Cisco Security MARS Command Reference.

A login failure to the MARS GUI is signaled by the Login Failure message, as shown in Figure 14-12.

Figure 14-12 Login Failure Message


Step 1 Log in to an administrator account.

Step 2 Navigate to the User Management subtab (Management > User Management), as shown in Figure 14-2.

The status column indicates which accounts are locked.

Click the check box of the user accounts to unlock.

Figure 14-13 Unlocking a Locked User Account

Step 3 Click Unlock. The status of the user account changes from Locked to Active.

End of Unlock an Account after Login Failure.