Cisco Secure ACS and Authorization

After the Cisco Security Appliance is configured correctly, you must configure authorization
on your Cisco Secure ACS. If your Cisco Secure ACS is already configured with the Security
Appliance as the NAS, a few steps remain to configure authorization:
Step 1 Configure user accounts within the Cisco Secure ACS.
Step 2 Assign users to a group.
Step 3 Apply authorization rules to the group.
Steps 1 and 2: Configuring User Accounts Within the Cisco Secure ACS and Assigning Users to a Group
To configure new users in Cisco Secure ACS, click the User Setup button on the left
navigation bar. When the User Setup window appears, shown in Figure 18-6, enter the
username in the User box and then click Add/Edit.

Configuring Authorization on the PIX Firewall

PIXFirewall(config)# aaa authorization include any outside 0 0 0 0 TACACS+
PIXFirewall(config)# aaa authorization exclude http outside 0 0 192.168.1.28 255.255.255.255 TACACS+
PIXFirewall(config)# aaa authorization include udp/53 inside 0 0 0 0 TACACS+

NOTE To remove the AAA authorization from the configuration, enter no aaa
authorization.

Configuring Authorization

When discussing authorization, you should first understand the difference between
authentication and authorization:
■ Authentication identifies who the user is.
■ Authorization determines what the user can do.
■ Authentication can be implemented without authorization.
■ Authorization cannot be used unless the user has successfully authenticated.
Authorization is not a requirement but rather a method of allowing you to become more
granular in what access you give specific users. After users have successfully authenticated,
they can be given the access they have requested. This access is configured using the aaa
authorization command, the syntax for which is very similar to the aaa authentication
command, except for the service. The Security Appliance does not permit or deny any traffic
based solely on the aaa authorization commands. This configuration merely tells the firewall
which services it needs to reference the AAA server for authorization before allowing or
denying the connection. A TACACS+ server performs AAA authorization. The server is
configured using the following syntax:
aaa authorization include | exclude svc if-name local-ip local-mask foreign-ip foreign-mask tacacs-server-tag
tacacs-server-tag specifies the TACACS+ server to be used for authorization.
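The include/exclude matching described above is easy to get wrong when several statements overlap, so here is a small model of it. This is an added example, not Cisco code: it parses the three aaa authorization statements shown on this page and, for a sample connection, reports which server tag the firewall would consult before permitting the connection. Assumptions are marked in the comments: the keyword-to-port table, the convention that local-ip is the higher-security-side address and foreign-ip the lower-security-side address, and the rule that an exclude statement is an exception that wins over a matching include regardless of order. The model does not track authentication state, which the text says must succeed before authorization applies.

```python
"""Model of the include/exclude matching behind the aaa authorization command.
Added example, not Cisco code: it evaluates the three statements shown on this
page against sample connections and reports whether the PIX would ask the
TACACS+ server (the server tag) before permitting the connection."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumption: service keywords map to these protocol/port pairs; "any"
# matches every protocol and port, "proto/port" is parsed literally.
SERVICE_KEYWORDS = {"http": ("tcp", 80), "ftp": ("tcp", 21), "telnet": ("tcp", 23)}


@dataclass
class AuthzRule:
    action: str                     # "include" or "exclude"
    proto: Optional[str]            # None = any protocol
    port: Optional[int]             # None = any port
    if_name: str                    # interface on which the connection arrives
    local: ipaddress.IPv4Network    # higher-security-side address(es) (assumption)
    foreign: ipaddress.IPv4Network  # lower-security-side address(es) (assumption)
    server_tag: str


def _network(ip: str, mask: str) -> ipaddress.IPv4Network:
    # PIX shorthand: "0 0" means any address.
    if ip == "0" and mask == "0":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(f"{ip}/{mask}")


def _service(svc: str):
    if svc == "any":
        return None, None
    if "/" in svc:
        proto, port = svc.split("/", 1)
        return proto, int(port)
    return SERVICE_KEYWORDS[svc]


def parse_authz(line: str) -> AuthzRule:
    """Parse one 'aaa authorization include|exclude svc if-name local-ip
    local-mask foreign-ip foreign-mask tacacs-server-tag' statement."""
    tok = line.split()
    if tok[:2] != ["aaa", "authorization"] or len(tok) != 10:
        raise ValueError(f"not a complete aaa authorization statement: {line!r}")
    if tok[2] not in ("include", "exclude"):
        raise ValueError(f"expected include or exclude: {line!r}")
    proto, port = _service(tok[3])
    return AuthzRule(tok[2], proto, port, tok[4],
                     _network(tok[5], tok[6]), _network(tok[7], tok[8]), tok[9])


def rule_matches(rule: AuthzRule, if_name: str, proto: str, port: int,
                 local_ip: str, foreign_ip: str) -> bool:
    return (rule.if_name == if_name
            and (rule.proto is None or rule.proto == proto)
            and (rule.port is None or rule.port == port)
            and ipaddress.IPv4Address(local_ip) in rule.local
            and ipaddress.IPv4Address(foreign_ip) in rule.foreign)


def authorization_server(rules: List[AuthzRule], **conn) -> Optional[str]:
    """Return the TACACS+ server tag the PIX would query for this connection,
    or None if the connection is not subject to authorization.
    Assumption: an exclude statement is an exception to the include
    statements, so it wins whenever it matches, regardless of order."""
    matched = [r for r in rules if rule_matches(r, **conn)]
    if any(r.action == "exclude" for r in matched):
        return None
    for r in matched:
        if r.action == "include":
            return r.server_tag
    return None


# The three statements from this page.
PAGE_STATEMENTS = [
    "aaa authorization include any outside 0 0 0 0 TACACS+",
    "aaa authorization exclude http outside 0 0 192.168.1.28 255.255.255.255 TACACS+",
    "aaa authorization include udp/53 inside 0 0 0 0 TACACS+",
]
RULES = [parse_authz(s) for s in PAGE_STATEMENTS]

if __name__ == "__main__":
    # Constructed sample connections; the addresses are illustrative only.
    samples = [
        dict(if_name="outside", proto="tcp", port=80, local_ip="10.10.10.5", foreign_ip="192.168.1.28"),
        dict(if_name="outside", proto="tcp", port=80, local_ip="10.10.10.5", foreign_ip="192.168.1.29"),
        dict(if_name="outside", proto="tcp", port=22, local_ip="10.10.10.5", foreign_ip="192.168.1.28"),
        dict(if_name="inside", proto="udp", port=53, local_ip="10.10.10.7", foreign_ip="192.168.1.2"),
        dict(if_name="inside", proto="tcp", port=80, local_ip="10.10.10.7", foreign_ip="192.168.1.2"),
    ]
    for c in samples:
        print(c, "->", authorization_server(RULES, **c))
```

Running it shows the point the exclude statement makes: HTTP from 192.168.1.28 is left alone, HTTP from any other outside host and non-HTTP traffic from 192.168.1.28 still go to TACACS+, and on the inside interface only udp/53 is subject to authorization.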

Configuring Timeout on the PIX Firewall

PIXFirewall(config)# timeout uauth 4:00:00 absolute
PIXFirewall(config)# timeout uauth 0:30:00 inactivity

The final command associated with timeouts is clear uauth. This command forces the system
to delete the authorization cache for all users. This makes the system reauthenticate every
user when they initiate their next connection.

Authentication Timeout

After a user is successfully authenticated, their user information is saved in cache for a
predetermined amount of time. You set this time by configuring the timeout uauth command.
It is specified in hours, minutes, and seconds. If the user session idle time exceeds the timeout,
the session is terminated and the user is prompted to authenticate during the next connection.
To disable caching of users, use the timeout uauth 0 command. Be sure not to use timeout
uauth 0 when using virtual http. This setting prevents any connections to the real web server
after successful authentication at the Security Appliance.
Two command options or settings are associated with the timeout uauth command:
■ absolute—The default setting for the uauth timer. This setting sets the timer to prompt
the user to reauthenticate after the timer elapses only when the user starts a new
connection. If the user leaves the session open and the timer elapses, and the user closes
the browser without clicking another link, the user is not prompted to reauthenticate.
Setting the uauth timer to 0 disables caching of user authentication and therefore
disables the absolute option.
NOTE If the firewall is performing NAT, the timeout uauth value must be less than the
timeout xlate value to ensure that the user authentication times out before the address
translation.
554 Chapter 18: Configuration of AAA on the Cisco Security Appliance
■ inactivity—The inactivity timer starts after the connection becomes idle. If the user
establishes a new connection before the duration of the inactivity timer, the user is not
required to reauthenticate. If a user establishes a new connection after the inactivity
timer expires, the user must reauthenticate.
Example 18-7 depicts the timeout command with the absolute and inactivity settings. The
first command sets the timer to 4 hours and tells the system not to prompt the user after the
session times out unless the user initiates another session. The second command defines a
30-minute period of inactivity as an idle session and tells the system to start the timer at that
point.
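To make the absolute and inactivity semantics concrete, here is a small model of the uauth cache. This is an added example, not Cisco code: it parses timeout uauth, timeout xlate and virtual http lines (the CLI prompt prefix may be left in), flags the two caveats given above (uauth 0 together with virtual http, and uauth not less than xlate when NAT is in use), and walks a list of connection start times to show when each timer forces a new prompt. The xlate value in the sample configuration is constructed, not from the page, and the simulation treats each connection as a point event that refreshes the idle clock, which is a simplification.

```python
"""Model of the uauth cache timers described above. Added example, not Cisco
code: it parses timeout uauth/xlate and virtual http lines, flags the two
caveats the text gives, and walks a sequence of connections to show when the
absolute and inactivity timers force a new authentication."""
from dataclasses import dataclass
from typing import List, Optional


def parse_hms(text: str) -> int:
    """'4:00:00' -> 14400 seconds; a bare '0' (timeout uauth 0) -> 0."""
    parts = [int(p) for p in text.split(":")]
    h, m, s = (parts + [0, 0])[:3]
    return h * 3600 + m * 60 + s


@dataclass
class UauthPolicy:
    absolute: Optional[int] = None    # seconds; 0 means caching disabled
    inactivity: Optional[int] = None  # seconds; None means not configured
    xlate: Optional[int] = None       # seconds; None means not seen in config
    virtual_http: bool = False


def parse_policy(config_text: str) -> UauthPolicy:
    """Collect the timer settings from configuration lines (a pasted
    'PIXFirewall(config)#' prompt in front of a line is ignored)."""
    p = UauthPolicy()
    for line in config_text.splitlines():
        tok = line.split()
        if tok and tok[0].endswith("#"):
            tok = tok[1:]
        if tok[:2] == ["timeout", "uauth"]:
            # absolute is the default keyword for the uauth timer (page).
            kind = tok[3] if len(tok) > 3 else "absolute"
            if kind not in ("absolute", "inactivity"):
                raise ValueError(f"unknown uauth option: {line!r}")
            setattr(p, kind, parse_hms(tok[2]))
        elif tok[:2] == ["timeout", "xlate"]:
            p.xlate = parse_hms(tok[2])
        elif tok[:2] == ["virtual", "http"]:
            p.virtual_http = True
    return p


def lint(p: UauthPolicy, nat_in_use: bool) -> List[str]:
    """The two caveats from the text, as findings."""
    findings = []
    if p.absolute == 0 and p.virtual_http:
        findings.append("timeout uauth 0 with virtual http: connections to the "
                        "real web server fail after authentication")
    if (nat_in_use and p.absolute is not None and p.xlate is not None
            and p.absolute >= p.xlate):
        findings.append("timeout uauth must be less than timeout xlate when NAT is performed")
    return findings


def reauth_needed(p: UauthPolicy, auth_time: int, last_activity: int, now: int) -> bool:
    """Would a connection started at `now` be prompted to authenticate?"""
    if p.absolute == 0:                       # caching disabled: every connection
        return True
    if p.absolute is not None and now - auth_time >= p.absolute:
        return True                           # absolute timer elapsed since login
    if p.inactivity is not None and now - last_activity >= p.inactivity:
        return True                           # idle longer than the inactivity timer
    return False


def simulate(p: UauthPolicy, connection_times: List[int]) -> List[bool]:
    """Simplification: each connection is a point event at the given number of
    seconds after the initial login; a re-prompt restarts the absolute timer
    and every connection refreshes the idle clock."""
    auth_time = last_activity = 0
    result = []
    for t in connection_times:
        prompted = reauth_needed(p, auth_time, last_activity, t)
        if prompted:
            auth_time = t
        last_activity = t
        result.append(prompted)
    return result


# Example 18-7 from this page, plus a constructed timeout xlate line so the
# NAT check has something to compare against.
PAGE_CONFIG = """
PIXFirewall(config)# timeout uauth 4:00:00 absolute
PIXFirewall(config)# timeout uauth 0:30:00 inactivity
PIXFirewall(config)# timeout xlate 3:00:00
"""
POLICY = parse_policy(PAGE_CONFIG)

if __name__ == "__main__":
    print(lint(POLICY, nat_in_use=True))
    # Connections 10, 25, 60, 65 minutes and about 5.5 hours after login.
    print(simulate(POLICY, [600, 1500, 3600, 3900, 20000]))
```

In the simulated sequence the third connection is prompted because 35 minutes of idle time exceeded the 30-minute inactivity timer, and the last one because more than 4 hours have passed since the previous prompt; the lint call reports the uauth/xlate ordering problem only when NAT is in use.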

Example 18-6 Configuring Virtual HTTP Inbound Connections
PIXFirewall(config)# ip address outside 192.168.1.1 255.255.255.0
PIXFirewall(config)# ip address inside 10.10.10.1 255.255.255.0
PIXFirewall(config)# global (outside) 1 192.168.1.20-192.168.1.40 netmask 255.255.255.0
PIXFirewall(config)# nat (inside) 1 0 0 0 0
PIXFirewall(config)# aaa-server TACACS+ protocol tacacs+
PIXFirewall(config)# aaa-server TACACS+ (DMZ) host 172.16.1.2 abc123 timeout 20
PIXFirewall(config)# static (inside, outside) 192.168.1.5 10.10.10.5 netmask 255.255.255.255 0 0
PIXFirewall(config)# aaa authentication include any outside 192.168.1.5 255.255.255.255 0 0 TACACS+
PIXFirewall(config)# access-list WebTest permit tcp any host 192.168.1.5 eq www
PIXFirewall(config)# access-group WebTest in interface outside
PIXFirewall(config)# virtual http 192.168.1.5

NOTE To remove the virtual HTTP from the configuration, enter no virtual http.

Authentication Prompts

The auth-prompt command is used to configure the exact text used when the user is
challenged to authenticate, successfully authenticates, or does not authenticate. This
command sets the text for FTP, HTTP, and Telnet session authentication. The syntax of this
command is
auth-prompt [prompt | accept | reject] string
The string is the text that is displayed. It can be up to 235 characters in length for FTP and
Telnet connections. It is limited to 120 characters for HTTP connections using Netscape
Navigator, and it is limited to 37 characters for HTTP connections using Microsoft Internet
Explorer. The string should not include any special characters. It ends either by typing a
question mark (?) or by pressing the Enter key.
The auth-prompt command has three options:
■ prompt—Configures the text that is displayed when the user is prompted to authenticate:
“Access to this location is restricted, please provide username and password.”
■ accept—Configures the text that is displayed if the user successfully authenticates using
a Telnet session: “User Authentication complete, please continue.” No text is displayed
for authentication using FTP or HTTP.
■ reject—Configures the text that is displayed if the user is unable to successfully
authenticate using a Telnet session: “Authentication unsuccessful; if you feel that you
have received this message in error, please contact your systems administrator.” The text
for FTP and HTTP authentication sessions cannot be configured on the Security
Appliance.
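The per-client length limits are the detail most likely to surprise an administrator (a prompt that reads fine over Telnet is cut to 37 characters in Internet Explorer), so here is a checker for auth-prompt strings. This is an added example, not Cisco code: it parses auth-prompt lines (a pasted CLI prompt prefix is ignored), reports which client types would truncate the text, treats a question mark as ending the string because the CLI does, and flags characters outside a conservative set. The page does not define "special characters", so the allowed set (letters, digits, space and the punctuation used in the page's own sample strings) is an assumption.

```python
"""Checker for auth-prompt strings against the limits given above. Added
example, not Cisco code: it parses auth-prompt lines, reports which client
types would truncate the text, and flags characters the CLI would not take
as part of the string."""
import string
from typing import Dict, List, Tuple

# Display limits from this page, in characters, per client type.
PROMPT_LIMITS = {"ftp/telnet": 235, "http-netscape": 120, "http-ie": 37}

# Assumption: "special characters" is read conservatively as anything outside
# letters, digits, space and the punctuation the page's own sample prompts use.
ALLOWED = set(string.ascii_letters + string.digits + " .,;:'-")

KEYWORDS = ("prompt", "accept", "reject")


def parse_auth_prompt(line: str) -> Tuple[str, str]:
    """'auth-prompt prompt Access restricted' -> ('prompt', 'Access restricted').
    The PIX takes the rest of the line as the string, up to Enter or '?'."""
    parts = line.strip().split(maxsplit=1)
    if parts and parts[0].endswith("#"):          # drop a pasted CLI prompt
        line = parts[1] if len(parts) > 1 else ""
    tok = line.split(maxsplit=2)
    if len(tok) != 3 or tok[0] != "auth-prompt" or tok[1] not in KEYWORDS:
        raise ValueError(f"not an auth-prompt statement: {line!r}")
    return tok[1], tok[2]


def check_prompt(kind: str, text: str) -> Dict[str, object]:
    """Report the effective length per client and anything the CLI would mishandle."""
    effective = text.split("?", 1)[0]             # '?' ends CLI input (page)
    problems: List[str] = []
    if effective != text:
        problems.append("'?' terminates the string; text after it is lost")
    bad = sorted({c for c in effective if c not in ALLOWED})
    if bad:
        problems.append("special characters: " + "".join(bad))
    truncated = [client for client, limit in PROMPT_LIMITS.items()
                 if len(effective) > limit]
    return {
        "kind": kind,
        "length": len(effective),
        "truncated_for": truncated,
        "problems": problems,
        # accept/reject text is shown for Telnet only; FTP and HTTP show none (page)
        "telnet_only": kind != "prompt",
    }


def check_config(config_text: str) -> List[Dict[str, object]]:
    """Check every auth-prompt line in a configuration fragment."""
    return [check_prompt(*parse_auth_prompt(line))
            for line in config_text.splitlines() if "auth-prompt" in line]


# Constructed configuration fragment using the page's own sample wording.
SAMPLE = """
PIXFirewall(config)# auth-prompt prompt Access to this location is restricted, please provide username and password.
PIXFirewall(config)# auth-prompt accept User Authentication complete, please continue.
PIXFirewall(config)# auth-prompt reject Authentication unsuccessful; if you feel that you have received this message in error, please contact your systems administrator.
"""

if __name__ == "__main__":
    for result in check_config(SAMPLE):
        print(result)
    print(check_prompt("prompt", "Restricted? Log in with your assigned account"))
```

On the sample fragment the prompt string is fine for FTP, Telnet and Netscape but truncated for Internet Explorer, and the reject string is also too long for Netscape; the final call shows the question-mark problem, where everything after the "?" never reaches the configuration.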