Configuring External AAA Server Authentication

As mentioned before, the local user database does not scale well when there are a large number of users to manage, so an external AAA server should be used as the central point of user management. Configuring external AAA server-based authentication for login requires configuring both the AAA server and the PIX firewall. Work through the following steps to accomplish this task:

Step 1. Configure AAA Server for user setup and AAA client configuration.

Before you turn on AAA for the login on the PIX firewall, you must configure the AAA server. The term Cisco Secure Access Control Server (CS ACS) is used throughout this chapter for the AAA server. Work through the following steps to configure the Cisco Secure ACS Server:


a. Define the PIX firewall as an AAA client. The PIX firewall must be defined as an AAA client on the AAA server before the PIX can send authentication requests to it. On CS ACS, go to Network Configuration, click the Network Device Group (if NDGs are configured), click Add Entry, give the PIX an AAA client name, and enter the IP address of the PIX (the address of the PIX interface that faces the AAA server, because that is the source address of the requests) and the shared secret key. For Authenticate Using, select TACACS+ (Cisco IOS) for TACACS+ or RADIUS (Cisco IOS/PIX) for RADIUS authentication. The same shared secret key must later be entered on the PIX when the server is defined; a mismatch makes every authentication request fail.


b. Create users. Go to User Setup and add a user. No special configuration is needed for simple login authentication; assign the user to a group.



Step 2. Define communication parameters for the AAA server on the PIX firewall.

To define the AAA server, you need to specify the protocol you want to use (RADIUS or TACACS+), the IP address of the AAA server, and the shared secret key, which must match the key entered for this PIX as an AAA client in Step 1. We strongly recommend that you use a long, complex shared secret key, because it is the only thing protecting the authentication traffic between the PIX and the server. See Example 10-6 for both RADIUS and TACACS+ server definitions on the PIX firewall.


Example 10-6. Defining AAA Server
! The following two lines define an AAA server group that uses the TACACS+ protocol.
! AuthTacacs is the tag for the server group and must match (it is case sensitive)
! on both lines. The key on the host line (cisco here, for illustration only) must be
! the same shared secret entered for this PIX on the AAA server; 5 is the timeout in
! seconds to wait for a reply from the server.
PIX(config)# aaa-server AuthTacacs protocol tacacs+
PIX(config)# aaa-server AuthTacacs host 192.168.1.5 cisco timeout 5
! The following two lines define an AAA server group that uses the RADIUS protocol
PIX(config)# aaa-server AuthRadius protocol radius
PIX(config)# aaa-server AuthRadius host 192.168.1.10 cisco timeout 5
PIX(config)# exit
PIX#





Step 3. Turn on AAA for Login Authentication.

The command for turning on authentication differs slightly for each method of logging in to the PIX firewall. For example, to enable authentication for SSH using the TACACS+ server group defined in Example 10-6, use the following command:


PIX(config)# aaa authentication ssh console AuthTacacs


To use the RADIUS server, use the following command:


PIX(config)# aaa authentication ssh console AuthRadius


When users connect to the PIX with SSH after the preceding command is entered, they are prompted for the username and password defined on the AAA server. It is important to note that console is the keyword that tells the PIX that the authentication is for an administrative connection to the firewall itself, not for traffic passing through it; the keyword before it selects the access method. Use telnet for Telnet, http for PDM/ASDM, and enable for the enable prompt. Authentication of the serial console port is turned on by the keyword serial.



Caution

While adding authentication statements, always keep a second connection open to the PIX so that the commands can be backed out if necessary. Additionally, do not save the configuration until you have thoroughly tested the AAA configuration; if you are locked out, a reboot then returns the original configuration.



Configuring Fallback Method for Authentication
Beginning with PIX version 6.3.4, you can configure the local user database as a fallback method in case the AAA server is unavailable. The local user database is the only fallback method available.

To configure fallback, you need to combine the procedure for authentication using both the AAA server and the local user database. For example, to turn on fallback for SSH connection to the firewall, use the following command:

PIX(config)# aaa authentication ssh console AuthTacacs LOCAL



With the preceding configuration, if the TACACS+ server is unavailable, the local user database is used for SSH authentication. Note that if multiple TACACS+ servers are defined under the AuthTacacs server tag, the firewall tries every server in the list before it falls back to the local user database. The fallback only helps if a user has actually been created in the local database with the username command, and it is used only when the server cannot be reached: if the server is reachable and simply rejects the credentials, the local database is not consulted.

If a fallback method is used, the AAA server that serves as the primary method must be configured on the firewall with parameters that let the firewall declare the server dead quickly. For example, do not raise the maximum number of failed attempts to a high value, because each retry adds the configured timeout to the login delay when the AAA server is down. The following options are available for tuning the AAA server group:

Max-failed-attempts: the maximum number of AAA requests attempted to each server within an AAA server group. The value must be in the range 1 to 5 inclusive; the default is 3.

PIX(config)# [no] aaa-server AAA-Server-Tag max-failed-attempts number

Deadtime: the number of minutes for which an AAA server group is declared unresponsive (and skipped) after its servers fail to respond. The value must be in the range 0 to 1440 inclusive; the default is 10.

PIX(config)# [no] aaa-server AAA-Server-Tag deadtime minutes

Note

The AAA fallback is available only for administrative session traffic authentication and command authorization, not for cut-through proxy or x-auth traffic.



Troubleshooting Login Authentication
Before delving into the details of troubleshooting authentication problems for SSH, Telnet, and other types of connections, it is worth going through the debug output for a successful user authentication, which is shown in Example 10-7.

Example 10-7. Successful User Authentication for SSH Session with Output from the debug aaa authentication and debug tacacs Commands
PIX(config)# logging console debugging
PIX(config)# debug aaa authentication
PIX(config)# debug tacacs
! Following lines show the SSH connection is allowed and username prompt is sent to the
! user
PIX# Jul 25 2005 02:23:49 : %PIX-6-609001: Built local-host outside:10.25.136.50
Jul 25 2005 02:23:49 : %PIX-6-609001: Built local-host NP Identity
Ifc:172.16.172.164
Jul 25 2005 02:23:49 : %PIX-6-302013: Built inbound TCP connection 5849 for
outside:10.25.136.50/3455 (10.25.136.50/3455) to NP Identity Ifc:172.16.172.164/
22 (172.16.172.164/22)
Jul 25 2005 02:23:49 : %PIX-7-710001: TCP access requested from 10.25.136.50/3455
to outside:172.16.172.164/ssh
Jul 25 2005 02:23:49 : %PIX-7-710002: TCP access permitted from 10.25.136.50/3455
to outside:172.16.172.164/ssh
PIX#
! The username is received and a TACACS+ Start message is sent to the AAA server
PIX# Received response from kodom, session id 2147485136
Making authentication request for host 171.69.89.217, user kodom, session id:
2147485136
mk_pkt - type: 0x1, session_id: 2147485136
user: kodom
Tacacs packet sent
Sending TACACS Start message. Session id: 2147485136, seq no:1
Received TACACS packet. Session id:537906095 seq no:2
! Asking for the password from the user
tacp_procpkt_authen: GETPASS
Authen Message: Password:
Processing challenge for user kodom, session id: 2147485136, challenge: Password:
Received response from kodom, session id 2147485136
Making authentication request for host 171.69.89.217, user kodom, session id:
2147485136
mk_pkt - type: 0x1, session_id: 2147485136
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 2147485136, seq no:3
Received TACACS packet. Session id:537906095 seq no:4
! The following line indicates the successful user authentication
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 2147485136, seq no: 3
Jul 25 2005 02:24:03 : %PIX-6-609001: Built local-host outside:171.69.89.217
Jul 25 2005 02:24:03 : %PIX-6-302013: Built outbound TCP connection 5850 for
outside:171.69.89.217/49 (171.69.89.217/49) to NP Identity Ifc:172.16.172.164/
1374 (172.16.172.164/1374)
Jul 25 2005 02:24:03 : %PIX-6-109005: Authentication succeeded for user 'kodom' from
10.25.136.50/0 to 172.16.172.164/22 on interface outside
! Shows the login is permitted to the PIX
Jul 25 2005 02:24:03 : %PIX-6-605005: Login permitted from 10.25.136.50/3455 to
outside:172.16.172.164/ssh for user "kodom"
Jul 25 2005 02:24:03 : %PIX-6-302014: Teardown TCP connection 5850 for
outside:171.69.89.217/49 to NP Identity Ifc:172.16.172.164/1374 duration 0:00:00
bytes 108 TCP FINs
Jul 25 2005 02:24:03 : %PIX-6-609002: Teardown local-host outside:171.69.89.217
duration 0:00:00
PIX#
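The exchange that Example 10-7 traces (Start, GETPASS, Continue, PASS) is modelled below as an added example in Python. It is not PIX or Cisco Secure ACS code and it does not talk to a real server: both ends are simulated in one process, with a constructed user database (kodom with password s3cret), the shared key cisco from Example 10-6, and the client address from the trace. The packets are built as RFC 8907 defines them: a 12-byte cleartext header carrying the session id and sequence number, and a body XORed with a pad derived from MD5 over the session id, the shared key, the version and the sequence number. That pad is the only protection the shared secret provides, which is why the key should be long and the path between firewall and server trusted; the model also shows that a mismatched key produces no error, only a body the other side cannot interpret. The helper names (pack, unpack, start_body, AcsServer, pix_login) are this example's own.

```python
"""Model of the TACACS+ ASCII login exchange traced in Example 10-7 (RFC 8907):
START -> REPLY(GETPASS) -> CONTINUE -> REPLY(PASS or FAIL).
Constructed example: the PIX side and the ACS side are both simulated in this
process; the user database, shared key and addresses are made up."""
import hashlib
import os
import struct

VERSION = 0xC0            # major version 12, minor version 0
TYPE_AUTHEN = 0x01        # packet type: authentication
ACTION_LOGIN = 0x01       # START action
AUTHEN_TYPE_ASCII = 0x01  # ASCII login: username in START, password via CONTINUE
SVC_LOGIN = 0x01
PASS, FAIL, GETPASS = 0x01, 0x02, 0x05   # REPLY status values
# Header is sent in the clear: version, type, seq_no, flags, session_id, body length.
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, key, version, seq_no, length):
    """Body obfuscation pad: chained MD5 over session_id, key, version and seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(session_id, key, seq_no, body):
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def unpack(packet, key):
    """Return (seq_no, session_id, body). A wrong key gives a garbage body, not an error."""
    version, _type, seq_no, _flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, version, seq_no)
    return seq_no, session_id, body


def start_body(user, port=b"ssh", rem_addr=b"10.25.136.50"):
    """Authentication START: action, priv_lvl, authen_type, service, four lengths, strings."""
    return (struct.pack("!8B", ACTION_LOGIN, 15, AUTHEN_TYPE_ASCII, SVC_LOGIN,
                        len(user), len(port), len(rem_addr), 0) + user + port + rem_addr)


def continue_body(user_msg):
    """Authentication CONTINUE: user_msg_len, data_len, flags, user_msg."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def reply_body(status, server_msg=b""):
    """Authentication REPLY: status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


class AcsServer:
    """Simulated TACACS+ server: takes the username from START, asks for the password."""

    def __init__(self, key, users):
        self.key, self.users, self.pending = key, users, {}

    def handle(self, packet):
        seq_no, sid, body = unpack(packet, self.key)
        if seq_no == 1:                                   # START
            self.pending[sid] = body[8:8 + body[4]]       # user_len is byte 4
            return pack(sid, self.key, 2, reply_body(GETPASS, b"Password: "))
        msg_len = struct.unpack("!H", body[:2])[0]        # CONTINUE carrying the password
        password = body[5:5 + msg_len]
        user = self.pending.pop(sid, None)
        status = PASS if user is not None and self.users.get(user) == password else FAIL
        return pack(sid, self.key, seq_no + 1, reply_body(status))


def pix_login(server, key, user, password, session_id=None):
    """Client side of the exchange; returns the final REPLY status."""
    sid = session_id if session_id is not None else struct.unpack("!I", os.urandom(4))[0]
    _, _, body = unpack(server.handle(pack(sid, key, 1, start_body(user))), key)
    status, _prompt = parse_reply(body)                    # expect GETPASS, "Password: "
    if status != GETPASS:
        return status
    _, _, body = unpack(server.handle(pack(sid, key, 3, continue_body(password))), key)
    return parse_reply(body)[0]


if __name__ == "__main__":
    acs = AcsServer(b"cisco", {b"kodom": b"s3cret"})
    print("PASS" if pix_login(acs, b"cisco", b"kodom", b"s3cret") == PASS else "FAIL")
```

The sequence numbers 1, 2, 3, 4 and the single session id shared by all four packets are exactly what the Sending/Received lines of the trace show; the server learns the username from the Start message, which is why a nonexistent user still receives a Password prompt and only then a FAIL.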





Work through the following steps to troubleshoot login authentication problems:


Step 1. Turn off AAA for login.

If login is not working for SSH, the console, PDM/ASDM, Firewall MC, and so on when AAA is configured, turn off AAA for that access method and configure the basic login credentials to ensure that the problem is not with the connection method itself. For example, if SSH is configured with AAA on the PIX, turn off AAA for SSH and check whether you can log in with the basic login credentials. Your host's IP address might not be configured as an allowed host; if not, you get the following message in the syslog:


315001: Denied SSH session from 50.1.1.1 on interface outside


Then check whether the 50.1.1.1 address is allowed to use SSH on the PIX with the following command:


PIX# show ssh
192.168.1.0 255.255.255.0 inside
PIX#


As you can see, 192.168.1.0/24 on the inside interface is the only network from which you can use SSH to log in to the PIX firewall. To allow the 50.1.1.1 address to connect with SSH on the outside interface, use the following commands:


PIX# configure terminal
PIX(config)# ssh 50.1.1.1 255.255.255.255 outside
PIX(config)# exit
PIX#



Step 2. Check for a bad Username/Password on the AAA Server.

If authentication works with the basic login credentials, turn AAA back on and check whether the user is entering the correct username and password. Example 10-8 shows an authentication failure caused by either a wrong username or a bad password; the PIX cannot tell the two apart, because the TACACS+ server returns the same FAIL status for both.


Example 10-8. Authentication Failure for SSH Connection
PIX# debug aaa authentication
PIX# debug tacacs
Sending TACACS Continue message. Session id: 2147485138, seq no:3
Received TACACS packet. Session id:1969178652 seq no:4
! A FAIL status indicates that either the username or the password is not correct.
tacp_procpkt_authen: FAIL
TACACS Session finished. Session id: 2147485138, seq no: 3
Jul 25 2005 06:11:03 : %PIX-6-609001: Built local-host outside:171.69.89.217
PIX#






Step 3. Check whether the AAA server is responding.

Authentication also fails if the AAA server is down or unreachable from the PIX, which results in the messages shown in Example 10-9. Check that the PIX can reach the server from the interface that faces it (on TCP port 49 for TACACS+, as the outbound connection in Example 10-7 shows) and that the server process is running.


Example 10-9. Error Message Received in the Syslog When the AAA Server Is Down
PIX# debug aaa authentication
PIX# debug tacacs
Received response from kodom, session id 2147485144
Making authentication request for host 171.69.89.217, user kodom, session id:
2147485144
mk_pkt - type: 0x1, session_id: 2147485144
user: kodom
Tacacs packet sent
Sending TACACS Start message. Session id: 2147485144, seq no:1
! The following message indicates that the PIX received no answer from the AAA
! server before the configured timeout expired.
TACACS Request timed out
Received response from kodom, session id 2147485144
Making authentication request for host 171.69.89.217, user kodom, session id:
2147485144
PIX#





Step 4. Check the Network Access Restrictions on the AAA server.

Network Access Restrictions (NAR) is a filtering mechanism on the AAA server that is applied during authentication; nothing special needs to be configured on the firewall. On Cisco Secure ACS, for example, you can permit or deny a group of users access to particular NASs (the PIX, routers, and so on). Set this up under Group Setup as either Denied Calling/Point of Access Locations or Permitted Calling/Point of Access Locations. From the firewall's side a NAR denial looks like any other authentication failure, so if authentication is still failing after you have confirmed the username and password, check the NAR configuration on the AAA server and the server's Failed Attempts report for the real reason.
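The four checks above can be run over a debug or syslog capture mechanically. The following Python is an added example, not part of the original text or of any Cisco tool. It recognises the message formats quoted in this section (315001, 109005, 605005, the tacp_procpkt_authen status lines, and TACACS Request timed out), maps each to the step that resolves it, and for the denied-host case emits the ssh command from Step 1 with the offending address and interface filled in. The sample captures at the bottom are constructed from the examples above; the timestamp on the 315001 line is made up, and the step names and the triage order are this example's own choices.

```python
"""Triage PIX login-authentication debug and syslog lines against the
troubleshooting steps in this section. Constructed example: the sample
captures are modelled on the messages shown above, not taken from a live box."""
import re

# Message patterns quoted from this section's examples.
RE_DENIED = re.compile(r"315001: Denied SSH session from (\S+) on interface (\S+)")
RE_TIMEOUT = re.compile(r"TACACS Request timed out")
RE_TACACS_STATUS = re.compile(r"tacp_procpkt_authen: (PASS|FAIL)")
RE_SUCCESS = re.compile(r"109005: Authentication succeeded for user '([^']+)' from (\S+)")
RE_PERMIT = re.compile(r'605005: Login permitted from (\S+) to \S+ for user "([^"]+)"')

# Ordered by the step to take first: a denied host never reaches AAA at all,
# and a dead server must be ruled out before blaming the credentials.
STEP1 = "step1_host_not_permitted"
STEP3 = "step3_server_not_responding"
STEP2 = "step2_bad_credentials_or_nar"
OK = "ok"


def classify(line):
    """Map one line to (step, detail); None for lines that carry no verdict."""
    m = RE_DENIED.search(line)
    if m:
        ip, iface = m.groups()
        # The fix the section gives for this case, ready to paste.
        return STEP1, f"ssh {ip} 255.255.255.255 {iface}"
    if RE_TIMEOUT.search(line):
        return STEP3, "no reply from the AAA server: check that it is up and reachable on TCP/49"
    m = RE_TACACS_STATUS.search(line)
    if m:
        if m.group(1) == "FAIL":
            return STEP2, "server returned FAIL: bad username/password, or NAR on the ACS"
        return OK, "server returned PASS"
    m = RE_SUCCESS.search(line)
    if m:
        return OK, f"user {m.group(1)} authenticated from {m.group(2)}"
    m = RE_PERMIT.search(line)
    if m:
        return OK, f"login permitted for user {m.group(2)} from {m.group(1)}"
    return None


def triage(lines):
    """Reduce a capture to the single step to take first and a supporting detail."""
    verdicts = [v for v in map(classify, lines) if v]
    for step in (STEP1, STEP3, STEP2):
        for found, detail in verdicts:
            if found == step:
                return step, detail
    if any(found == OK for found, _ in verdicts):
        return OK, "authentication succeeded"
    return "unknown", "no authentication verdict in capture"


# Constructed captures, one per troubleshooting step in this section.
CAPTURE_DENIED_HOST = [
    "Jul 25 2005 06:10:42 : %PIX-6-315001: Denied SSH session from 50.1.1.1 on interface outside",
]
CAPTURE_BAD_PASSWORD = [
    "Sending TACACS Continue message. Session id: 2147485138, seq no:3",
    "Received TACACS packet. Session id:1969178652 seq no:4",
    "tacp_procpkt_authen: FAIL",
]
CAPTURE_SERVER_DOWN = [
    "Sending TACACS Start message. Session id: 2147485144, seq no:1",
    "TACACS Request timed out",
]
CAPTURE_SUCCESS = [
    "tacp_procpkt_authen: PASS",
    "Jul 25 2005 02:24:03 : %PIX-6-109005: Authentication succeeded for user 'kodom' from "
    "10.25.136.50/0 to 172.16.172.164/22 on interface outside",
    'Jul 25 2005 02:24:03 : %PIX-6-605005: Login permitted from 10.25.136.50/3455 to '
    'outside:172.16.172.164/ssh for user "kodom"',
]

if __name__ == "__main__":
    for name, capture in [("denied host", CAPTURE_DENIED_HOST),
                          ("bad password", CAPTURE_BAD_PASSWORD),
                          ("server down", CAPTURE_SERVER_DOWN),
                          ("success", CAPTURE_SUCCESS)]:
        print(f"{name:12s} -> {triage(capture)}")
```

Feed it the lines captured with logging console debugging, debug aaa authentication and debug tacacs; the verdict order matters, because a capture that contains both a timeout and a later FAIL means the first server was dead and the retry reached a second one, so the server problem is still the one to fix first.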