Enable Authentication

This section explains how to configure and troubleshoot Enable authentication with various methods.

Configuring Enable Authentication
Enable password authentication can be performed in one of the following ways:

1. Enable Authentication with Enable Password.

By default, enable password is none (meaning no password is required) on the firewall, and has a privilege level of 15. So if you do not have any configuration for the enable authentication, the enable password none is used, unless you define one or more enable passwords. You can assign different privilege levels (1-15) to the enable password.

When the users enter into enable mode with a specific level (for example enable 10) the enable password configured for that specific level must be used. For example, if enable password is configured on the firewall with the enable password cisco level 10 command, then the user must enter into the enable mode with the Firewall> enable 10 command, not with the Firewall> enable command. Be sure to create an enable password with privilege level 15.

Following is the syntax to define enable password on the firewall:


PIX(config)# enable password password [level level] [encrypted]


To remove enable password, use the following command:


PIX(config)# no enable password level level




2. Enable authentication with the local user database.

If you perform login authentication with the local user database, then be sure to assign a privilege level to the user. The same password and the privilege level will be provided to the user for enable access. If you perform login authentication with the AAA server, but enable authentication with the local user database, then be sure to configure the same username defined on the AAA server and assign a password for the user that will be used for enable access. This password can be different than the login password defined on the AAA server. A user can be created with a different privilege level with the following command:


PIX(config)# username {name} {nopassword | password password [encrypted]} [privilege priv_level]


To remove the user, use the following command:


PIX(config)# no username [name]


To turn on authentication for the enable authentication with the local user database, use the following command:


PIX(config)# aaa authentication enable console LOCAL




3. Enable authentication with the external AAA server.

If the enable authentication is performed using RADIUS protocol, the enable password is the same as the login password, and the privilege level 15 is assigned for all users. In essence, enable authentication with the RADIUS protocol does not add any additional security for the enable access.

To configure enable authentication with the RADIUS protocol, use the following command:


PIX(config)# aaa authentication enable console AuthRadius


Here the AuthRadius is the radius server tag.

We strongly recommend that you configure enable authentication with the TACACS+ protocol. With TACACS+, you can define a separate enable password, assign privilege levels to the user, and control which commands users can execute in a more granular fashion than with a local user database. You must configure both the TACACS+ server and the firewall to set up enable authentication.

On the firewall, you need the following command to turn on enable authentication with TACACS+ protocol:


PIX(config)# aaa authentication enable console AuthTacacs


Work through the following steps to configure the Cisco Secure ACS server for the enable password configuration:


a. On CS ACS GUI, go to Interface Configuration > Advanced TACACS+ Settings. Check Advanced TACACS+ Features in Advanced Configuration Options and click Submit. This makes the Advanced TACACS+ Settings visible under the user configuration.


b. Go to User Setup, then either create a new user or edit an existing user. In the User Setup page, check the radio button for Max Privilege for any AAA Client, and select level 15 from the drop-down box next to it under Advanced TACACS+ Settings. Also under TACACS+ Enable Password, choose the password you want to use for the enable password. Then click Submit.


Note

Unlike working with a router, you cannot take the user directly to privileged mode based on the privilege level. The privilege level is assigned based on the enable privilege level. So, the user will always be taken to user mode and, based on the enable level, will be assigned to a certain level.

4. Use the fallback method for enable authentication.

Just as with authentication, if you want to use the local user database as a fallback method for enable authentication, use the following command:


PIX(config)# aaa authentication enable console AuthTacacs LOCAL


If the AAA server is unavailable, you can gain access to enable mode with the password defined for the user you used to log in to the PIX. So it is critical that you configure at least one user with privilege level 15 and turn on the fallback method for login authentication as well.
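The two conditions this paragraph warns about (a LOCAL fallback for enable with no local level-15 user, and an enable fallback that login authentication never reaches) are easy to check mechanically. The following Python script is an added example and not part of the book or of Cisco's software; it parses a constructed configuration fragment (the server tag, addresses, usernames and passwords are made up for the example) and reports both conditions. Users without an explicit privilege keyword are ignored by the level-15 check, since they cannot be level 15 without it.

```python
"""Sanity-check enable-authentication fallback in a PIX-style AAA configuration.

Added example, not from the book. Findings reported:
  * enable authentication falls back to LOCAL but no local user has privilege 15,
    so nobody can reach enable mode while the AAA server is unreachable;
  * enable authentication falls back to LOCAL but no login method does, so the
    enable fallback can never be exercised.
"""
import re

# Constructed sample configuration (not a real device dump).
SAMPLE_CONFIG = """\
aaa-server AuthTacacs protocol tacacs+
aaa-server AuthTacacs host 192.0.2.10 secretkey
username alice password cisco privilege 10
username superuser password cisco123 privilege 15
aaa authentication telnet console AuthTacacs LOCAL
aaa authentication enable console AuthTacacs LOCAL
"""

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+.*?\bprivilege\s+(\d+)")
AUTHEN_RE = re.compile(r"^aaa authentication\s+(\S+)\s+console\s+(\S+)(?:\s+(LOCAL))?")


def parse_config(text):
    """Return (users, authentication).

    users: name -> explicit privilege level.
    authentication: access type (telnet, ssh, http, serial, enable) ->
                    (server tag or 'LOCAL', True if LOCAL is usable as fallback).
    """
    users, authentication = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = USERNAME_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = AUTHEN_RE.match(line)
        if m:
            access, tag, fallback = m.groups()
            # 'aaa authentication enable console LOCAL' is local-only, no server.
            authentication[access] = (tag, tag == "LOCAL" or fallback == "LOCAL")
    return users, authentication


def check_enable_fallback(text):
    """Return a list of findings; an empty list means the checks pass."""
    users, authentication = parse_config(text)
    findings = []
    if "enable" not in authentication:
        return findings  # enable password only; nothing to check here
    tag, local_ok = authentication["enable"]
    if not local_ok:
        return findings  # purely server-based enable authentication
    if not any(level == 15 for level in users.values()):
        findings.append("enable fallback is LOCAL but no local user has privilege 15")
    login_methods = [a for a in authentication if a != "enable"]
    if tag != "LOCAL" and login_methods and not any(authentication[a][1] for a in login_methods):
        findings.append("enable has LOCAL fallback but no login method falls back to LOCAL")
    return findings


if __name__ == "__main__":
    for finding in check_enable_fallback(SAMPLE_CONFIG) or ["configuration passes"]:
        print(finding)
```

Run the script against a saved `show running-config` to get the same two findings on a real device; the regular expressions only look at `username` and `aaa authentication ... console` lines, so the rest of the configuration is ignored.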



Troubleshooting Enable Authentication
Troubleshooting steps for enable password authentication are almost the same as those discussed for Login Authentication. Example 10-10 shows a successful enable password authentication with the TACACS+ protocol:

Example 10-10. Successful User Authentication with TACACS+ Protocol
PIX# debug aaa authentication
PIX# debug tacacs
! By now the user authentication is successful, hence the rest of the debug output is for
! enable authentication only.
PIX# mk_pkt - type: 0x1, session_id: 2147485158
user: kodom
Tacacs packet sent
Sending TACACS Start message. Session id: 2147485158, seq no:1
Received TACACS packet. Session id:1036787635 seq no:2
tacp_procpkt_authen: GETPASS
Authen Message: Password:
! Same username as login is used with the enable password defined for the user
Processing challenge for user kodom, session id: 2147485158, challenge: Password:
mk_pkt - type: 0x1, session_id: 2147485158
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 2147485158, seq no:3
Received TACACS packet. Session id:1036787635 seq no:4
! Shows successful enable password authentication
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 2147485158, seq no: 3
l 25 2005 07:01:31 : %PIX-6-609001: Built local-host outside:171.69.89.217
PIX#





Additional information that is important and specific to enable password authentication is as follows:

Under Advanced TACACS+ Settings of User Profile, or under Enable Option of Group profile, be sure "No enable Privilege" is not checked. You must assign privilege level 15. Otherwise, enable authentication will fail.

If login is done externally with an AAA server but enable authentication is performed locally, be sure the user name matches between the AAA server and the local user database.

If a separate password is used for enable authentication, be sure you are entering the password correctly. If the external database is configured on the Cisco Secure ACS server for enable password, change it to use the same password as login to see if the external server is causing the problem. If you find it is an external database issue, investigate the issue on the AAA server (refer to Chapter 13, "Troubleshooting Cisco Secure ACS on Windows" for details).

If the enable password is configured locally with different privilege levels, be sure that you are authenticating with the enable password for that specific privilege level. For example, if the enable password is configured at level 10, be sure to go into enable mode by typing enable 10, not just enable.

Command Authorization
Using privilege levels, you can control the commands users can execute on the firewall after enable authentication with the local user database. If TACACS+ is used, more granular command authorization is possible with the TACACS+ server. This section explains how to control command authorization for the different methods of authentication for enable access:

Command Authorization based on Enable Password Privilege level

Command Authorization using local user database

Command Authorization using an external AAA server

Command Authorization Based on Enable Password Privilege Level
As discussed before, you can configure multiple enable passwords with different privilege levels locally. Every command on the PIX firewall has a privilege level assigned. If you authenticate enable access with a password that has the same or a higher privilege level than the level of the command, that command is allowed. For example, if your enable password is defined as cisco3 at level 3, you can execute every command at level 0 through level 3. You must turn on authorization with the local user database using the command shown in the next section to control command execution; otherwise, you will be able to execute all commands regardless of the privilege level assigned to you.

Command Authorization Using Local User Database
Command authorization done locally on the PIX Firewall is based on privilege level. There are 16 privilege levels in the PIX Firewall. Two of them, 0 and 15, are the defaults. Levels 1 to 14 have the same set of commands that privilege level 0 has. Every command has a predefined privilege level and most of them are at level 15. However, it is possible to change a command's privilege level from higher to lower. For instance, show running-config is a level 15 command, and it is possible to bring this down to level 10. Then a user with level 10 or above can execute this command, while users with levels lower than 10 cannot. Example 10-11 walks you through the privilege level concept and the different commands available with local database command authorization. The example also shows how to turn on command authorization with the following command:

PIX(config)# aaa authorization command LOCAL



Example 10-11. Privilege Level Command Execution and How to Turn on Command Authorization Based on the Privilege Level
PIX# configure terminal
! Create a user with privilege level 15 named superuser
PIX(config)# username superuser password cisco123 privilege 15
! If you want some users to be able to execute subset of all the commands available on
! the PIX, you must create user in a lower level than 15. User alice is created with the
! privilege level 10 below.
PIX(config)# username alice password cisco privilege 10
! As most of the commands are at level 15 by default, you have to move some commands down
! to level 10 so that "alice" can issue them. In this instance, you want your level 10
! user to be able to issue the show clock command, but not to reconfigure the clock.
PIX(config)# privilege show level 10 command clock
! You must also allow the users to be able to logout even if the user is at level 1. As
! the level 10 should be able to execute any commands available between level 0-9, it
! makes sense to assign this command to level 1.
PIX(config)# privilege configure level 1 command logout
! You will need the user to be able to issue the enable command (the user will be in
! level 1 when attempting this).
PIX(config)# privilege configure level 1 mode enable command enable
! By moving the disable command to level 1, any user between levels 2-15 can get out of
! enable mode.
PIX(config)# privilege configure level 1 command disable
! With the above setup, if the user alice telnets in and goes into enable mode with the same
! password, alice is assigned privilege level 10, which has the same command access as
! level 1 until command authorization is turned on.
PIX# show curpriv
Username : alice
Current privilege level : 10
Current Mode/s : P_PRIV
! At this point, open up another telnet and login to the PIX with superuser that has
! privilege level 15 so that you can use that window for configuration changes and
! modification.
PIX# show curpriv
Username : superuser
Current Privilege level : 15
Current Mode/s : P_PRIV
! Once logged in with superuser and verifying the privilege level, turn on command
! Authorization as follows.
PIX(config)# aaa authorization command LOCAL
! On the other window login to the PIX with username alice that has privilege level 10
! and execute show xlate that should fail. Show clock should be successful.
PIX# show clock
19:18:53.026 UTC Sun Jan 9 2005
PIX# show xlate
Command authorization failed
PIX#
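The privilege-level rule stated under "Command Authorization Based on Enable Password Privilege Level" (a command runs only when the user's level is the same as or higher than the command's level, and nothing is enforced until `aaa authorization command LOCAL` is on) and the configuration of Example 10-11 can be replayed in a small model. The following Python code is an added example, not part of the book or of the PIX software: the command table is a constructed subset (every command not explicitly moved is treated as level 15, per the text), the `privilege` method takes the show/clear/configure keyword, the level and the command name and ignores the optional `mode` keyword, and `example_10_11` applies the same `privilege` lines as the example and then checks what alice and superuser may run.

```python
"""Model of PIX local command authorization by privilege level.

Added example, not from the book. A command is allowed when the user's
privilege level >= the command's level; with authorization off, every
command is allowed regardless of level.
"""

DEFAULT_LEVEL = 15  # the text: most commands are at level 15 by default


class LocalCommandAuthorizer:
    def __init__(self):
        # (verb, command) -> privilege level; anything absent defaults to 15.
        # verb is the show/clear/configure keyword of the 'privilege' command.
        self.levels = {}
        self.authorization_on = False

    def privilege(self, verb, level, command):
        """Equivalent of 'privilege <verb> level <n> command <cmd>'."""
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be 0-15")
        self.levels[(verb, command)] = level

    def enable_authorization(self):
        """Equivalent of 'aaa authorization command LOCAL'."""
        self.authorization_on = True

    def command_level(self, verb, command):
        return self.levels.get((verb, command), DEFAULT_LEVEL)

    def is_allowed(self, user_level, verb, command):
        # Without authorization every command runs, whatever the level.
        if not self.authorization_on:
            return True
        return user_level >= self.command_level(verb, command)


def example_10_11():
    """Replay Example 10-11; return (allowed_before_authz, per-user results)."""
    pix = LocalCommandAuthorizer()
    users = {"superuser": 15, "alice": 10}  # username ... privilege 15 / 10
    pix.privilege("show", 10, "clock")           # privilege show level 10 command clock
    pix.privilege("configure", 1, "logout")      # privilege configure level 1 command logout
    pix.privilege("configure", 1, "enable")      # privilege configure level 1 mode enable command enable
    pix.privilege("configure", 1, "disable")     # privilege configure level 1 command disable
    # Before 'aaa authorization command LOCAL', alice can run anything.
    before = pix.is_allowed(users["alice"], "show", "xlate")
    pix.enable_authorization()
    results = {
        name: {
            "show clock": pix.is_allowed(level, "show", "clock"),
            "show xlate": pix.is_allowed(level, "show", "xlate"),
            "configure clock": pix.is_allowed(level, "configure", "clock"),
            "logout": pix.is_allowed(level, "configure", "logout"),
        }
        for name, level in users.items()
    }
    return before, results


if __name__ == "__main__":
    before, results = example_10_11()
    print("alice may run 'show xlate' before authorization is on:", before)
    for name, allowed in results.items():
        for command, ok in allowed.items():
            print(f"{name:10} {command:16} {'allowed' if ok else 'Command authorization failed'}")
```

Moving `show clock` to level 10 lets alice issue it while `configure clock` stays at 15 and is refused, which is exactly the split the example's comments describe; the same `is_allowed` call with `user_level=3` reproduces the cisco3 case from the earlier section (level 0 through 3 commands only).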