Command Authorization Using an External AAA Server
Command Authorization with the local user database is not scalable. Hence, with a larger user database, you should consider implementing command authorization using an external AAA server. Command Authorization is possible with TACACS+ protocol but not with the RADIUS protocol.
Command authorization by TACACS+ is based on submitting the entire command expression to a TACACS+ server for authorization before execution. While this section deals only with command authorization for a TACACS+ server, a local user database as discussed in the preceding section will be used as a fallback method. Note that fallback using a local user database is possible only with PIX Version 6.3.4 and above.
Configuring command authorization with the external TACACS+ server is a two-step process: configuring the TACACS+ server, and configuring PIX Firewall.
Work through the steps that follow to configure an ACS in Windows for command authorization:
Step 1. Authentication must be working before performing command authorization. To perform command authorization with CS ACS, go to Interface Configuration > TACACS+ (Cisco). Check Shell (exec) for user and/or group and click Submit. This will make the shell command authorization settings visible under the user (or group) configuration.
Step 2. Go to User Setup and create a user who has permission to execute any commands on the firewall. For example, give this username superuser, and assign this user to a group name.
Step 3. Go to Group Setup, and select the group name where username superuser is assigned from the drop-down box and click on Edit Settings.
Step 4. In the Group Setting page, permit unmatched Cisco IOS commands.
Step 5. For the other users, select Group Settings, find the desired group from the drop-down box, and click Edit Settings.
Step 6. Go to Shell Command Authorization Set, check the Command button, and enter login. Select Permit, under Unlisted Arguments. Repeat these processes for the logout, enable, and disable commands.
Step 7. Go to Shell Command Authorization Set, check the Command button, and enter show. Under Arguments enter permit clock, and select deny for Unlisted Arguments. Refer to Figure 10-1 for the configurations of steps 4 and 5.
Figure 10-1. Command Authorization Setup on the ACS Server
[View full size image]
Step 8. Click Submit.
Once you are finished with the Cisco Secure ACS server configuration, you need to configure PIX Firewall for command authorization. Example 10-12 shows the configuration needed on the PIX firewall to turn on command authorization.
Example 10-12. AAA Configuration Needed for the Authorization with TACACS+ Server and Local User Database as a Fallback Method
PIX# configure terminal
! Assuming that the AAA-server is configured with AAA server name tag TACSERVER,
! following statements will enable telnet and enable authentication with tacacs+ server,
! and Local user database is configured as backup.
PIX(config)# aaa authentication telnet console TACSERVER LOCAL
PIX(config)# aaa authentication enable console TACSERVER LOCAL
! Following line will turn on authorization with tacacs+ server and local user database
! as fall-back method.
PIX(config)# aaa authorization command TACSERVER LOCAL
PIX(config)#
Troubleshooting Steps
To troubleshoot command authorization, run the following commands:
PIX# debug aaa authorization
PIX# debug tacacs
Before you look at some of the possible causes of failure, go through Example 10-13 for a successful command authorization using tacacs+ protocol:
Example 10-13. Command Authorization in Action for Administrative Session
PIX# debug aaa authorization
PIX# debug tacacs
Jul 25 2005 07:09:36 : %PIX-7-111009: User 'kodom' executed cmd: show running-config
Jmk_pkt - type: 0x2, session_id: 2147485175
mkpkt - authorize user: kodom
! Configure terminal is what entered in PIX CLI, and they are sent to the AAA server with
! command "configure" and argument "terminal" as you can see in the following lines.
cmd=configure
ucmd-arg=terminal Tacacs packet sent
Sending TACACS Authorization message. Session id: 2147485175, seq no:1
Received TACACS packet. Session id:243213034 seq no:2
! Following two lines indicate success of command authorization
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
TACACS Session finished. Session id: 2147485175, seq no: 1
l 25 2005 07:09:40 : %PIX-6-609001: Built local-host outside:171.69.89.217
Jul 25 2005 07:09:40 : %PIX-6-302013: Built outbound TCP connection 5918 for
outside:171.69.89.217/49 (171.69.89.217/49) to NP Identity Ifc:172.16.172.164/
1425 (172.16.172.164/1425)
Jul 25 2005 07:09:40 : %PIX-5-111007: Begin configuration: console reading from
terminal
Jul 25 2005 07:09:40 : %PIX-5-111008: User 'kodom' executed the 'configure terminal'
command.
PIX#
Command authorization might not work due to one or more of the following reasons:
If the authorization does not work at all, be sure that authorization is turned on with the following command:
aaa authorization command TACSERVER LOCAL
If authorization is performed with the local user database, be sure that the command is at the same or at a lower privilege level than the user's privilege. Otherwise, you need to log in as admin user with privilege level 15 to bring the privilege level down to the user level.
If authorization is turned on with the TACACS+ protocol, run debug aaa authorization and debug tacacs to find out how the command is sent out to the AAA server. Revise the AAA server group profile configuration to ensure that the command and arguments are match the permit as you see it in the debug on the PIX firewall.
If expected permit commands are denied, and vice versa, revise the logic of the commands, and correct if needed.
Accounting
Beginning with PIX Version 7.0, Accounting for firewall administrative sessions is possible. Previously it was only available with the syslog. To enable accounting for a special connection type, use the following command:
[View full width]Firewall(config)# [no] aaa accounting http | serial | telnet | ssh | enable console
AAA-Server-Tag
You can enable accounting for capturing and sending the command executed on the firewall with the following command:
Firewall(config)# [no] aaa accounting command [privilege level] AAA-Server-Tag
Refer to Table 10-8 for an explanation of the arguments of the accounting command.
Table 10-8. Keywords for the AAA Accounting Command Shown for Admin Session Keywords
Meaning
AAA-Server-Tag
This is the AAA sever name tag.
Accounting
Enable or disable accounting services.
http
Enable or disable the generation of accounting records for HTTP connection.
Serial
Enable or disable the generation of accounting records for console session.
telnet
Enable or disable the generation of accounting records for Telnet connection.
SSH
Enable or disable the generation of accounting records for SSH connection.
Enable
Enable or disable the generation of accounting records for enable authentication.
Console
Indicates that accounting records will be generated for administrative session via different connection types.
Command
Enable or disable the generation of accounting records to record each command that is entered on the firewall.
Privilege Level
If specified, the privilege level indicates the minimum level that must be associated with a command to generate an accounting record. The default privilege level is 0, which means that every command executed on the firewall will generate accounting records.
If you are having problem with accounting, run the following debug commands on the PIX firewall:
PIX# debug aaa accounting
PIX# debug radius
or,
PIX# debug tacacs
Information can be shown either on the console or syslog. If Cisco Secure ACS is used as an external AAA server, you can view accounting records by clicking the Reports and Activity button. Then click TACACS+ Accounting or RADIUS Accounting. All accounting reports are in comma-separated value (.csv) format and can be displayed in a web browser.