Module 6: Configure Trust and Identity at Layer 3 - modified
© 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 6 – Configure Trust and Identity at Layer 3
Learning Objectives
6.1 Cisco IOS Firewall Authentication Proxy
6.2 Introduction to PIX Security Appliance AAA Features
6.3 Configure AAA on the PIX Security Appliance
Module 6 – Configure Trust and Identity at Layer 3
6.1 Cisco IOS Firewall Authentication Proxy
What Is the Authentication Proxy?
• Provides dynamic, per-user HTTP, HTTPS, FTP, and Telnet authentication and authorization via TACACS+ and RADIUS protocols
• Once authenticated, all types of application traffic can be authorized
• The user profiles are active only when there is active traffic from the authenticated users.
• Works on any interface type for inbound or outbound traffic
Authentication Proxy Operation
• When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers the authentication proxy.
• The authentication proxy first checks to see if the user has been authenticated.
• If a valid authentication entry exists for the user, the session is allowed and no further intervention is required by the authentication proxy.
• If no entry exists, the authentication proxy responds to the connection request by prompting the user for a username and password.
Authentication Proxy Operation (Cont.)
• Users must successfully authenticate with the authentication server by entering a valid username and password.
• If the authentication succeeds, the user’s authorization profile is retrieved from the authentication, authorization, and accounting (AAA) server.
• The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound ACL of an input interface, and to the outbound ACL of an output interface if an output ACL exists at the interface.
• By doing this, the firewall allows authenticated users access to the network as permitted by the authorization profile.
Authentication Proxy Operation (Cont.)
• If the authentication fails, the authentication proxy reports the failure to the user and prompts the user for a configurable number of retries.
• The authentication proxy sets up an inactivity, or idle, timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user’s host does not trigger the authentication proxy, and all authorized user traffic is permitted access through the firewall.
• If the idle timer expires, the authentication proxy removes the user’s profile information and dynamic ACL entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP, HTTPS, FTP, or Telnet connection to trigger the authentication proxy.
Supported AAA Servers
• TACACS+: Cisco Secure ACS NT/2000, Cisco Secure ACS UNIX, TACACS+ Freeware
• RADIUS: Cisco Secure ACS NT/2000, Cisco Secure ACS UNIX, Lucent
Authentication Proxy Configuration
• The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs.
• Applying the authentication proxy inward at an interface causes it to intercept a user’s initial connection request before that request is subjected to any other processing by the firewall.
• If the user fails to authenticate with the AAA server, the connection request is dropped.
Authentication Proxy Configuration (Cont.)
• All traffic through an interface can be blocked, and then the authentication proxy feature can be enabled to require authentication and authorization for all user-initiated HTTP, HTTPS, FTP, or Telnet connections.
• Users are authorized for services only after successful authentication with the AAA server.
Enable AAA
Router(config)# aaa new-model
Enables the AAA functionality on the router (default = disabled)
Specify Authentication Protocols
Router(config)# aaa authentication login default method1 [method2]
Defines the list of authentication methods that will be used
Methods: TACACS+, RADIUS, or both
Router(config)# aaa authentication login default group tacacs+
Specify Authorization Protocols
Router(config)# aaa authorization auth-proxy default method1 [method2]
Use the auth-proxy keyword to enable authentication proxy authorization for the listed AAA methods
Methods: TACACS+, RADIUS, or both
Router(config)# aaa authorization auth-proxy default group tacacs+
Define a TACACS+ Server and Its Key
Router(config)# tacacs-server host ip_addr
Specifies the TACACS+ server IP address
Router(config)# tacacs-server key string
Specifies the TACACS+ server key
Router(config)# tacacs-server host 10.0.1.12
Router(config)# tacacs-server key secretkey
Define a RADIUS Server and Its Key
Router(config)# radius-server host ip_addr
Specifies the RADIUS server IP address
Router(config)# radius-server key string
Specifies the RADIUS server key
Router(config)# radius-server host 10.0.1.12
Router(config)# radius-server key secretkey
Allow AAA Traffic to the Router
– Create an ACL to permit TACACS+ traffic from the AAA server to the firewall
Source address = AAA server
Destination address = router interface on the side where the AAA server resides
– May want to permit ICMP
– Deny all other traffic
– Apply the ACL inbound on the interface on the side where the AAA server resides
Router(config)# access-list 111 permit tcp host 10.0.1.12 eq tacacs host 10.0.1.1
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in
Allow AAA Traffic to the Router (Cont.)
• All traffic requiring authentication and authorization should be denied by the router using extended ACLs.
• Upon successful authentication, dynamic ACEs will be inserted into the ACLs to permit only the traffic authorized by the user profile.
• The authentication proxy customizes each of the ACEs in the user profile by replacing the source IP addresses in the downloaded ACL with the source IP address of the authenticated host.
Allow AAA Traffic to the Router (Cont.)
• An extended ACL should be applied to the inbound direction of the interface that is configured for proxy authentication.
• All other ACLs that restrict traffic in the direction of authenticated traffic flow should be extended ACLs so that proxy authentication can dynamically update the ACEs as necessary to permit authorized traffic to pass.
Enable the Router HTTP or HTTPS Server
Router(config)# ip http server
Enables the HTTP server on the router
Router(config)# ip http secure-server
Enables the HTTPS server on the router
Router(config)# ip http authentication aaa
Sets the HTTP server authentication method to AAA
The proxy uses the router HTTP server to communicate with the client (the login page)
Router(config)# ip http server
Router(config)# ip http authentication aaa
HTTP and HTTPS
• The HTTPS feature requires a Cisco IOS crypto image.
• HTTP-initiated sessions normally exchange the username and password in clear text. This exchange is encrypted when using HTTPS.
• To use the authentication proxy with HTTPS, use the ip http secure-server command to enable the HTTP secure server on the router. Then use the ip http authentication aaa command to require the HTTP server to use AAA for authentication.
Set Global Timers
Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
inactivity-timer: authentication inactivity (idle) timer in minutes (default = 60 minutes)
absolute-timer: absolute timer in minutes (default = 0 minutes, which disables it)
Router(config)# ip auth-proxy inactivity-timer 120
Set Global Timers – Inactivity Timeout
• The inactivity timeout value is the length of time that an authentication cache entry, along with its associated dynamic user ACL, is kept after the last traffic from that host. When it expires without new activity, the entry and its ACEs are removed.
• To set the global authentication proxy inactivity timeout value, use the ip auth-proxy inactivity-timer global configuration command.
Set Global Timers – Absolute Timeout
• The absolute-timer min option sets the maximum lifetime of an authentication cache entry, measured from the time the user authenticated.
• Once the absolute timer expires, the entry and its dynamic ACEs are removed regardless of any activity, and the user must authenticate again. Unlike the inactivity timer, ongoing traffic does not extend it.
• The global absolute timeout value can be overridden by the per-rule value, which is set with the ip auth-proxy name command (next slide).
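The cache behaviour described on the operation slides (dynamic ACEs keyed to the authenticated host, the idle timer that traffic refreshes, the absolute timer that it does not) is easy to get wrong when writing policy, so here is a small model of it. This is an added example, not Cisco IOS code or anything from the course; it assumes the downloaded profile arrives as `proxyacl#n=<ACE>` lines whose source is `any`, and handles only `any`/`host` endpoints with an optional `eq port`.

```python
"""Model of the IOS Firewall authentication proxy cache: per-host dynamic
ACEs built from a downloaded profile, plus inactivity and absolute timers.
Added example, not Cisco code.  Assumed: the AAA profile arrives as
'proxyacl#n=<ACE>' lines with source 'any'; only 'any' / 'host' endpoints
and an optional 'eq port' qualifier are handled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp"
    src: str               # "any" or a CIDR string
    dst: str               # "any" or a CIDR string
    dport: Optional[int]   # None = any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        if self.proto not in ("ip", proto):
            return False
        if not _covers(self.src, src) or not _covers(self.dst, dst):
            return False
        return self.dport is None or self.dport == dport


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def parse_profile_ace(line: str) -> Ace:
    """Parse 'proxyacl#1=permit tcp any host 10.0.1.20 eq 80' into an Ace."""
    body = line.split("=", 1)[1] if "=" in line else line
    tok = body.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto, i, ends = tok[0], tok[1], 2, []
    for _ in range(2):                      # source endpoint, then destination
        if i >= len(tok):
            raise ValueError(f"truncated ACE: {line!r}")
        if tok[i] == "any":
            ends.append("any")
            i += 1
        elif tok[i] == "host" and i + 1 < len(tok):
            ends.append(tok[i + 1] + "/32")
            i += 2
        else:
            raise ValueError(f"only 'any' and 'host' endpoints handled: {line!r}")
    dport = None
    if i < len(tok):
        if tok[i] != "eq" or i + 1 >= len(tok):
            raise ValueError(f"unsupported port qualifier: {line!r}")
        dport = int(tok[i + 1])
    return Ace(action, proto, ends[0], ends[1], dport)


@dataclass
class CacheEntry:
    aces: List[Ace]
    created: float      # absolute timer counts from here
    last_seen: float    # inactivity timer counts from here


class AuthProxy:
    def __init__(self, inactivity_min: int = 60, absolute_min: int = 0):
        self.inactivity = inactivity_min * 60
        self.absolute = absolute_min * 60      # 0 = absolute timer disabled (IOS default)
        self.cache: Dict[str, CacheEntry] = {}

    def authenticate(self, host: str, profile: List[str], now: float) -> List[Ace]:
        """Successful AAA login: turn the downloaded profile into per-host ACEs.
        The 'any' source of every ACE is replaced by the authenticated host."""
        aces = []
        for line in profile:
            ace = parse_profile_ace(line)
            if ace.src != "any":
                raise ValueError("profile ACE source must be 'any'; the proxy fills it in")
            aces.append(Ace(ace.action, ace.proto, host + "/32", ace.dst, ace.dport))
        self.cache[host] = CacheEntry(aces, now, now)
        return aces

    def _expired(self, entry: CacheEntry, now: float) -> bool:
        if self.absolute and now - entry.created >= self.absolute:
            return True                         # absolute: activity does not extend it
        return now - entry.last_seen >= self.inactivity

    def permit(self, host: str, proto: str, dst: str, dport: Optional[int], now: float) -> bool:
        """Would a new connection from host pass?  False also means 're-authenticate'."""
        entry = self.cache.get(host)
        if entry is None:
            return False            # no cache entry: the static deny in the interface ACL applies
        if self._expired(entry, now):
            del self.cache[host]    # entry and its dynamic ACEs are torn down together
            return False
        for ace in entry.aces:      # first matching ACE decides, as in an IOS ACL
            if ace.matches(proto, host, dst, dport):
                if ace.action == "permit":
                    entry.last_seen = now       # passed traffic resets the idle timer
                    return True
                return False
        return False
```

The point to take from the model: a second host behind the same interface gets nothing from the first host's login, because every ACE was rewritten to the authenticated source; and with `absolute-timer 0` an actively used entry lives forever, which is why the absolute timer is the setting to reach for when idle traffic (keepalives, polling) would otherwise keep a session alive indefinitely.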
Define and Apply Authentication Proxy Rules
Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
Creates an authentication proxy rule
Router(config-if)# ip auth-proxy auth-proxy-name
Applies an authentication proxy rule to an interface
For outbound authentication, apply to the inside interface
For inbound authentication, apply to the outside interface
Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
Authentication Proxy Rules with ACLs
Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
Creates an authentication proxy rule with an access list; only traffic permitted by the ACL triggers the proxy, all other traffic is handled by the normal interface ACLs
Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit 10.0.1.0 0.0.0.255
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule
Create auth-proxy Service in the Cisco Secure ACS
Enter the new service: auth-proxy.
Create a User Authentication Profile in the Cisco Secure ACS
User Authorization Profiles
Test and Verify the Configuration
What the User Sees
Clear the Authentication Proxy Cache
Router# clear ip auth-proxy cache {* | ip_addr}
• Clears authentication proxy entries from the router: all entries with *, or the entry for a single host (privileged EXEC mode, not config mode)
show Commands
Router# show ip auth-proxy cache
Router# show ip auth-proxy configuration
Router# show ip auth-proxy statistics
• Displays the cache entries, configuration, and statistics of the authentication proxy subsystem (privileged EXEC mode)
debug Commands
Router# debug ip auth-proxy ftp
Router# debug ip auth-proxy function-trace
Router# debug ip auth-proxy http
Router# debug ip auth-proxy object-creation
Router# debug ip auth-proxy object-deletion
Router# debug ip auth-proxy tcp
Router# debug ip auth-proxy telnet
Router# debug ip auth-proxy timer
• Helps with troubleshooting (privileged EXEC mode)
Module 6 – Configure Trust and Identity at Layer 3
6.2 Introduction to PIX Security Appliance AAA Features
Types of Authentication
Types of Authorization
Types of Accounting
Module 6 – Configure Trust and Identity at Layer 3
6.3 Configure AAA on the PIX Security Appliance
Types of Access Authentication
Authentication Configuration Steps
Add Users to the Local User Database
AAA Local Authentication Attempts Max-Fail Command
Authentication Prompts
Authentication Timeouts
Cut-Through Proxy
PIX Cut-Through Proxy – Three Ways to Authenticate
telnet
http
ftp
Login Method for Telnet
A prompt is generated by the PIX Firewall.
The user has up to four chances to log in.
If authentication and authorization are successful, the user is prompted for a username and password if required by the destination server.
Login Method for FTP
If an incorrect password is entered, the connection is dropped immediately.
If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via FTP, enter the username and password in the following format:
aaa_user@remote_user and
aaa_password@remote_password
Login Method for HTTP
The browser generates a username and password pop-up window.
If an incorrect password is entered, the user is prompted again (and again).
If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via HTTP, use virtual http.
Login Method for HTTPS
The user gets a prompt generated by the PIX.
The user has up to three chances to log in.
If the username or password fails after the third attempt, the PIX drops the connection.
Enable Authentication – Manually Designating AAA Authentication Parameters
pixfirewall(config)# aaa authentication include|exclude authen_service inbound|outbound|if_name local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic to be authenticated
authen_service = any, ftp, http, or telnet
any = all TCP traffic
pixfirewall(config)# aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include telnet outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include ftp dmz 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
aaa authentication Example
pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
aaa authentication command parameters
include – create a new rule with the specified service to include.
authen_service – the application with which a user is accessing a network. Use any, ftp, http, or telnet.
inbound – authenticate inbound connections. Inbound means that the connection originates on the outside interface and is being directed to the inside interface.
outbound – authenticate outbound connections. Outbound means that the connection originates on the inside and is being directed to the outside interface.
if_name – interface name from which users require authentication.
Virtual Telnet and HTTP
Authentication of Non-Telnet, FTP, or HTTP Traffic
Virtual Telnet
Virtual HTTP
Tunnel User Authentication
Authorization Configuration
User Authorization
Enable Authorization
pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic that requires AAA server authorization
author_service = any, ftp, http, or telnet
any = all TCP traffic
pixfirewall(config)# aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization exclude ftp outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
User Authorization
Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic
Authorization of Non-Telnet, FTP, or HTTP Traffic
pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
author_service = protocol/port
protocol: tcp (6), udp (17), icmp (1), or others (protocol #)
port: single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports)
For ICMP the port field is the message type (8 = echo request, 0 = echo reply)
port is not used for protocols other than TCP, UDP, or ICMP
pixfirewall(config)# aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
Downloadable ACLs
Accounting Configuration
Configuring Accounting for Traffic Through the Firewall
Accounting can be configured for traffic through the firewall.
The syntax for this command is very similar to that of the aaa authentication command.
All parameters are the same except for acctg_service. Possible values for the acctg_service parameter are any, ftp, http, telnet, or protocol/port.
You do not need to perform any configuration tasks on the Cisco Secure ACS server for it to be able to receive accounting data from a PIX firewall.
Enable Accounting
pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
Defines traffic that requires AAA server accounting
acctg_service = any, ftp, http, or telnet
any = all TCP traffic
pixfirewall(config)# aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa accounting exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
Enable Accounting Match
Admin Accounting
Command Accounting
Accounting of Non-Telnet, FTP, or HTTP Traffic
When configuring aaa accounting of non-Telnet, FTP, or HTTP traffic, the syntax of the command is slightly different from Telnet, FTP, or HTTP-specific traffic.
The syntax for acctg_service is specified in the format protocol/port.
Accounting of Non-Telnet, FTP, or HTTP Traffic
pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
acctg_service = protocol/port
protocol: tcp (6), udp (17), or others (protocol #)
port: single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports); port is not used for protocols other than TCP or UDP
pixfirewall(config)# aaa accounting include udp/53 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa accounting include udp/54-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
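The aaa authentication, authorization and accounting rules on the preceding slides all share one matching model: a service (any, a named TCP service, or protocol/port), a direction or interface, a local and a foreign address range, and include versus exclude. The model below parses rule lines in that syntax and decides which flows the cut-through proxy would send to the AAA server. It is an added example, not PIX code or course material. Assumptions: exclude rules win over matching include rules (the PIX documents exclude as an exception to a previously stated rule); "inbound" means the connection arrives on the outside interface and "outbound" on the inside interface, as slide 54 defines them; local_ip is the address on the higher-security side and foreign_ip the address on the lower-security side; "any" covers TCP only, as the slides state; and https is accepted as a named service alongside ftp, http and telnet.

```python
"""Model of PIX 'aaa {authentication|authorization|accounting} include|exclude'
rule matching for the cut-through proxy.  Added example, not Cisco code.
Assumptions: exclude beats include; inbound = arrives on 'outside', outbound =
arrives on 'inside'; local = higher-security-side address; 'any' = TCP only."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}


@dataclass(frozen=True)
class Service:
    proto: int
    lo: int          # destination port (or ICMP type) range, inclusive
    hi: int


# Named services; https is an assumption (the slides list any/ftp/http/telnet).
NAMED = {"ftp": Service(6, 21, 21), "http": Service(6, 80, 80),
         "telnet": Service(6, 23, 23), "https": Service(6, 443, 443)}


def parse_service(spec: str) -> Service:
    """'any' | named service | protocol/port | protocol/lo-hi | protocol/0."""
    if spec == "any":
        return Service(6, 0, 65535)                # any = all TCP traffic
    if spec in NAMED:
        return NAMED[spec]
    proto_s, _, port_s = spec.partition("/")
    proto = int(proto_s) if proto_s.isdigit() else PROTO_NUM.get(proto_s)
    if proto is None:
        raise ValueError(f"unknown protocol in {spec!r}")
    if proto not in (6, 17, 1) or port_s == "":
        return Service(proto, 0, 65535)            # port not used for other protocols
    if proto in (6, 17) and port_s == "0":
        return Service(proto, 0, 65535)            # port 0 = all ports
    lo_s, _, hi_s = port_s.partition("-")          # for ICMP this is the message type
    lo = int(lo_s)
    return Service(proto, lo, int(hi_s) if hi_s else lo)


@dataclass
class Flow:
    ingress: str     # interface the connection arrives on: inside / outside / dmz ...
    proto: int
    port: int        # destination port, or ICMP type
    local: str       # address on the higher-security side
    foreign: str     # address on the lower-security side


@dataclass
class Rule:
    function: str    # authentication | authorization | accounting
    kind: str        # include | exclude
    service: Service
    where: str       # inbound | outbound | interface name
    local: IPv4Network
    foreign: IPv4Network
    tag: str

    def matches(self, f: Flow) -> bool:
        if self.where == "inbound":
            dir_ok = f.ingress == "outside"
        elif self.where == "outbound":
            dir_ok = f.ingress == "inside"
        else:
            dir_ok = f.ingress == self.where
        s = self.service
        return (dir_ok and f.proto == s.proto and s.lo <= f.port <= s.hi
                and ip_address(f.local) in self.local
                and ip_address(f.foreign) in self.foreign)


def _net(ip: str, mask: str) -> IPv4Network:
    ip = "0.0.0.0" if ip == "0" else ip            # PIX shorthand: 0 = 0.0.0.0
    mask = "0.0.0.0" if mask == "0" else mask
    return ip_network((ip, mask), strict=False)


def parse_rule(line: str) -> Rule:
    tok = line.split()
    if len(tok) < 8 or tok[0] != "aaa" or tok[2] not in ("include", "exclude"):
        raise ValueError(f"not an aaa include/exclude rule: {line!r}")
    *addrs, tag = tok[5:]
    if len(addrs) not in (2, 4):                   # foreign_ip foreign_mask may be omitted
        raise ValueError(f"bad address fields: {line!r}")
    foreign = _net(addrs[2], addrs[3]) if len(addrs) == 4 else _net("0", "0")
    return Rule(tok[1], tok[2], parse_service(tok[3]), tok[4],
                _net(addrs[0], addrs[1]), foreign, tag)


def requires_aaa(rules: List[Rule], flow: Flow, function: str = "authentication") -> Optional[str]:
    """Return the AAA server tag the flow is sent to, or None.  Exclude wins."""
    hits = [r for r in rules if r.function == function and r.matches(flow)]
    if any(r.kind == "exclude" for r in hits):
        return None
    return next((r.tag for r in hits if r.kind == "include"), None)


# Constructed rule set, taken from the examples on the slides.
SAMPLE_RULES = [parse_rule(l) for l in [
    "aaa authentication include any outbound 0 0 MYTACACS",
    "aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authentication include ftp dmz 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
    "aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS",
]]
```

Two things the model makes visible: `include any` covers TCP only, so outbound DNS or other UDP never reaches the authentication server unless a protocol/port rule names it; and a host listed in an `exclude` bypasses every matching `include`, so excluded addresses deserve the same review as a firewall permit statement.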
How to View Accounting Information in CSACS-NT
In the navigation bar select Reports and Activity. The Reports and Activity window opens.
Under Reports first select TACACS+ Accounting and then select TACACS+ Accounting active.csv under Select a TACACS+ Accounting file to display the accounting records.