Problem Areas Analysis
The problem areas of AAA on PIX firewall and FWSM can be categorized as follows based on their implementations:
Firewall management with AAA troubleshooting
Cut-Through Proxy with AAA troubleshooting
Extended authentication (X-Auth) for IPsec VPN with AAA troubleshooting
The sections that follow discuss these problem areas.
Firewall Management with AAA Troubleshooting
You can connect to the PIX firewall in several ways to configure or monitor it. You can get CLI access to the PIX firewall for configuration and monitoring purposes in the following ways:
Using Console: The console port is ready to use as soon as you power on the PIX firewall. No configuration is needed on the PIX firewall.
Using Telnet: If you want to remotely manage the PIX firewall using Telnet, you can do so on all interfaces except the outside interface. For Telnet access to the outside interface, you must configure IPsec to include IP traffic that is generated by the PIX firewall, and enable Telnet on the outside interface.
Using SSH: SSH can be configured instead of Telnet for secured access to the PIX firewall. We recommend that you manage the PIX firewall with SSH instead of Telnet. Additionally, managing the PIX Firewall from an outside network with Telnet is not possible, as Telnet is not allowed to the outside interface. Although it is possible to get around the problem by terminating a VPN tunnel on the outside interface, SSH is the preferred method to manage the PIX firewall from the outside.
Using Telnet over IPsec: As mentioned before, Telnet is not allowed to the outside interface of the PIX firewall for security reasons. So if you really need to Telnet to the outside interface, the only way to accomplish that is by creating an IPsec tunnel to the outside interface and then allowing Telnet to the outside interface.
Using PDM/ASDM/Firewall MC/Security Monitor: The connection from the management software (PDM/ASDM/Firewall MC) and the monitoring software (Security Monitor) to the firewall takes place over HTTPS (HTTP over SSL). You need to configure a web server and generate a certificate to allow the HTTPS connection to the firewall.
Once the connection parameters are configured on the firewall, you can add security to the connection by configuring AAA, which provides per-user control for the connections. This section presents the configuration and troubleshooting setup as follows:
Login authentication issues
Enable authentication issues
Authorization issues
Accounting issues
Login Authentication Issues
This section delves into the details of both login authentication and its troubleshooting. Before you attempt to enable AAA authentication, you should configure basic authentication and be sure that it works with the basic login credentials, without AAA configured. This section explains the following topics in detail:
Configuring basic authentication with different communication methods on the Firewall
Configuring local user database authentication
Configuring external AAA server authentication
Configuring a fallback method for authentication
Troubleshooting login authentication
Configuring Basic Authentication with Different Communication Methods on the Firewall
Before you configure local user database or AAA for login authentication on the PIX firewall, be sure that you can connect to the PIX firewall with the basic login credentials. For login and enable authentication, use the passwd command to set the login password and the enable password command to set the enable password. The following list details the basic authentication configuration on the PIX Firewall for each of the different connection methods:
Basic Authentication for Telnet on the PIX firewall: To turn on Telnet on the PIX firewall, you must use the telnet command. Example 10-3 shows how to turn on Telnet on the PIX firewall for the 192.168.1.0 network on the inside interface of the PIX firewall.
Example 10-3. Shows How to Configure Telnet Access to the PIX Firewall
PIX# configure terminal
! Set the login password with the following command. If you want to set an
! encrypted password, you must provide a 16-byte string.
PIX(config)# passwd cisco12345678912 encrypted
! The following command will set up the enable password on the PIX firewall.
PIX(config)# enable password cisco76687463274 encrypted
! The following command allows 192.168.1.0 network to be able to telnet to the
! inside interface on the PIX firewall
PIX(config)# telnet 192.168.1.0 255.255.255.0 inside
! The following command is used to verify that Telnet is enabled.
PIX(config)# show running-config telnet
192.168.1.0 255.255.255.0 inside
PIX(config)#
Basic Authentication for SSH connection on the PIX firewall: SSH requires that an RSA key be created on the PIX firewall. To create an RSA key, you must have the Data Encryption Standard (DES) or 3DES feature turned on (this can be verified with the show version command). If you do not have the DES/3DES feature enabled, you need to send an e-mail to licensing@cisco.com with your show version output and request a DES/3DES activation key. Then you can insert the key into the PIX with the activation-key command. Use crypto key generate rsa general-keys to generate the RSA key on the PIX Firewall, and use the ssh command to allow the addresses that can SSH into the PIX Firewall. Example 10-4 shows a sample configuration for turning on SSH on the PIX firewall.
Example 10-4. Sample Configuration SSH on the PIX Firewall
PIX# configure terminal
! Set the login password with the following command. If you want to set an
! encrypted password, you must provide a 16-byte string.
PIX(config)# passwd cisco12345678912 encrypted
! The following command will set up the enable password on the PIX firewall.
PIX(config)# enable password cisco76687463274 encrypted
! The following two lines are needed to generate the RSA key
PIX(config)# hostname PIX
PIX(config)# domain-name cisco.com
! The following command will remove the existing key from the PIX.
PIX(config)# crypto key zeroize rsa
! Generate the key with the following command
PIX(config)# crypto key generate rsa general-keys
! Save the RSA key with the following command
PIX(config)# write memory
! Turn on SSH and allow SSH connections from the 192.168.1.0/24 network with the
! following commands
PIX(config)# ssh 192.168.1.0 255.255.255.0 inside
PIX(config)# ssh timeout 60
PIX(config)# exit
! Save the configuration with the following command
PIX# write memory
PIX#
After successful configuration of SSH on the PIX firewall, you may use an SSH client (for example, putty.exe, which can be downloaded freely from the Internet by searching for the string "putty.exe") to connect to the PIX firewall. If the firewall gives you the option of accepting a certificate, then the PIX firewall is configured correctly for SSH. When prompted for a username, enter pix, and for the password enter the password configured on the PIX firewall. For enable access, just enter the enable password configured on the PIX.
Basic Authentication for Telnet to the outside interface of the PIX firewall over a VPN connection: You need to configure Remote Access VPN using the IPsec protocol to allow Telnet access from outside to the outside interface of the PIX firewall. Refer to Chapter 7, "Troubleshooting IPsec VPN on PIX Firewalls," for details on Remote Access VPN configuration using IPsec. Then, following the procedure explained earlier under "Basic Authentication for Telnet on the PIX Firewall," allow Telnet access from the IP address assigned by the PIX to the VPN client. Because the IP address is assigned from a pool, we recommend that you specify the whole pool in the telnet command to allow access. Here is an example to illustrate the point. Assume that you have an IP pool defined for the VPN traffic with network address 192.168.1.0, so that the VPN client will get one of the IP addresses from this pool (it could be any IP address from the pool). Therefore, you need to include this network in the telnet command as follows:
PIX(config)# telnet 192.168.1.0 255.255.255.0 outside
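The Telnet and SSH management-access rules in this section (the 16-byte encrypted password string, Telnet not honoured on the outside interface except through an IPsec tunnel, SSH preferred over Telnet) can be checked against a saved PIX configuration. The following auditor is an added example, not a Cisco tool or the book's code; the audit_pix_management_access function and the SAMPLE_CONFIG text are constructed here, modelled on Examples 10-3 and 10-4.

```python
# Constructed sample modelled on Examples 10-3 and 10-4, plus a telnet line for
# the outside interface, which the PIX only honours for traffic inside an IPsec tunnel.
SAMPLE_CONFIG = """\
passwd cisco12345678912 encrypted
enable password cisco76687463274 encrypted
telnet 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
ssh 192.168.1.0 255.255.255.0 inside
"""


def audit_pix_management_access(config: str) -> list:
    """Return (severity, message) findings for the passwd, enable password,
    telnet and ssh lines of a PIX configuration. Hypothetical helper."""
    findings = []
    telnet_ifaces, ssh_ifaces, ssh_timeout = [], [], None
    for raw in config.splitlines():
        tok = raw.strip().split()
        if not tok or tok[0].startswith("!"):
            continue  # blank line or configuration comment
        if tok[0] == "passwd" or tok[:2] == ["enable", "password"]:
            label = "login" if tok[0] == "passwd" else "enable"
            rest = tok[1:] if tok[0] == "passwd" else tok[2:]
            if not rest:
                continue
            # With the encrypted keyword the PIX expects a 16-byte encrypted string.
            if "encrypted" not in rest[1:]:
                findings.append(("warn", f"{label} password is stored in clear text"))
            elif len(rest[0]) != 16:
                findings.append(("error", f"{label} encrypted password is not 16 bytes"))
        elif tok[0] == "telnet" and len(tok) == 4:
            telnet_ifaces.append(tok[3])  # telnet <net> <mask> <interface>
        elif tok[:2] == ["ssh", "timeout"] and len(tok) == 3:
            ssh_timeout = tok[2]
        elif tok[0] == "ssh" and len(tok) == 4:
            ssh_ifaces.append(tok[3])  # ssh <net> <mask> <interface>
    if "outside" in telnet_ifaces:
        findings.append(("warn", "telnet permitted on outside; the PIX only accepts it "
                                 "through an IPsec tunnel, prefer SSH"))
    if telnet_ifaces and not ssh_ifaces:
        findings.append(("warn", "telnet enabled but ssh is not; manage the PIX with SSH"))
    if ssh_ifaces and ssh_timeout is None:
        findings.append(("info", "ssh enabled without an explicit ssh timeout"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_pix_management_access(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```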
Basic Authentication for PDM/ASDM/Firewall MC/Security Monitor Access (HTTPS): For PDM/ASDM/Firewall MC/Security Monitor access, you need to configure a web server on the firewall and generate a certificate for the HTTPS connection. Example 10-5 shows how to configure HTTPS on the firewall.