Configuring Downloadable Access Lists Without Names

To configure downloadable access lists without names, go to the selected user within the User Setup window, and scroll down to the Cisco IOS/PIX RADIUS Attributes area of the window. As shown in Figure 5.47, select the [009\001] cisco-av-pair check box and make the appropriate access list entries in the text box. The entries should have the following format:

ip:inacl#n=acl_command

www.syngress.com

Figure 5.46 Continued

Figure 5.47 Cisco Secure ACS: User Setup—Cisco IOS/PIX RADIUS Attributes

Authentication, Authorization, and Accounting • Chapter 5 281

The ip:inacl# keyword specifies a number (n) between 0 and 999999999 that identifies the order of the access-list entry. The acl_command parameter is an access list entry without the access-list command or the name of the access list.

NOTE

If you do not see the Cisco IOS/PIX RADIUS attributes displayed within the user setup, you need to enable them via the Interface Configuration window.

Figure 5.48 provides an example of what the unnamed downloadable access list looks like on the PIX firewall. Within the figure, the first show access-list command was issued before user authentication, and the second show access-list command was issued after user authentication. As you can see, no access lists were defined before user authentication, but there is a downloadable access list defined after authentication.

Figure 5.48 Unnamed Downloadable Access List: PIX Firewall View

PIX1(config)# show access-list
PIX1(config)# show access-list
access-list AAA-user-rsmith; 5 elements
access-list AAA-user-rsmith deny tcp any host 206.65.190.2 eq www (hitcnt=0)
access-list AAA-user-rsmith deny tcp any host 207.46.197.102 eq www (hitcnt=0)
access-list AAA-user-rsmith deny tcp any host 192.168.1.2 any eq ftp (hitcnt=0)
access-list AAA-user-rsmith deny ip host 192.168.1.3 any (hitcnt=0)
access-list AAA-user-rsmith permit ip any any (hitcnt=4)
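As an added example (not code from the book or from Cisco), the following Python checks a set of ip:inacl#n=acl_command values as they would be typed into the ACS text box, orders them by n, and renders them the way the PIX displays the per-user list in Figure 5.48; the sample entries and the AAA-user-<username> naming are assumptions taken from that figure.

```python
import re

MAX_SEQ = 999999999  # upper bound for n given in the text
AVPAIR_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")

# Constructed sample: cisco-av-pair values as typed into the ACS text box,
# deliberately out of order to show that n, not input order, decides placement.
SAMPLE_AVPAIRS = [
    "ip:inacl#30=deny tcp any host 192.168.1.2 eq ftp",
    "ip:inacl#10=deny tcp any host 206.65.190.2 eq www",
    "ip:inacl#50=permit ip any any",
    "ip:inacl#20=deny tcp any host 207.46.197.102 eq www",
    "ip:inacl#40=deny ip host 192.168.1.3 any",
]

def parse_avpair(value):
    """Return (n, acl_command) for one ip:inacl#n=acl_command entry."""
    m = AVPAIR_RE.match(value.strip())
    if not m:
        raise ValueError(f"not of the form ip:inacl#n=acl_command: {value!r}")
    n = int(m.group(1))
    if not 0 <= n <= MAX_SEQ:
        raise ValueError(f"n={n} is outside 0..{MAX_SEQ}: {value!r}")
    cmd = m.group(2).strip()
    first = cmd.split()[0].lower()
    # acl_command is the entry only: no access-list keyword and no list name
    if first == "access-list":
        raise ValueError(f"drop the access-list keyword and name: {value!r}")
    if first not in ("permit", "deny"):
        raise ValueError(f"entry must start with permit or deny: {value!r}")
    return n, cmd

def is_valid_avpair(value):
    try:
        parse_avpair(value)
        return True
    except ValueError:
        return False

def render_user_acl(username, avpairs):
    """Order entries by n and render them the way the PIX shows a per-user
    downloadable ACL; the AAA-user-<name> naming mirrors Figure 5.48."""
    entries = sorted(parse_avpair(v) for v in avpairs)
    seqs = [n for n, _ in entries]
    if len(seqs) != len(set(seqs)):
        raise ValueError(f"duplicate sequence numbers in {seqs}")
    name = f"AAA-user-{username}"
    lines = [f"access-list {name}; {len(entries)} elements"]
    lines += [f"access-list {name} {cmd}" for _, cmd in entries]
    return lines
```

Calling render_user_acl("rsmith", SAMPLE_AVPAIRS) yields the same five entries, in n order, that the second show access-list in Figure 5.48 displays (without the hit counts).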


Summary

This chapter provided an overview of AAA and its benefits and described the RADIUS and TACACS+ security protocols. AAA comprises the three independent but related functions of authentication, authorization, and accounting, which are defined as follows:

• Authentication is the process of identifying and verifying a user before allowing access to network devices and services. User identification and authentication are critical for the accuracy of the authorization and accounting functions.

• Authorization is the process of determining user privileges and access rights after users have been authenticated.

• Accounting is the process of recording user activities for accountability, billing, auditing, or reporting purposes.

The benefits of implementing AAA include scalability, increased flexibility and control, standardized protocols and methods, and redundancy. Cisco PIX firewalls support the RADIUS and TACACS+ security protocols for use within an AAA mechanism. Each protocol has its advantages and disadvantages; the protocol that is right for you will depend on your situation and requirements.

To take advantage of AAA, you must install and configure an AAA server. Cisco Secure Access Control Server (ACS) is AAA server software that simultaneously supports both the TACACS+ and RADIUS protocols. After installing the software, you can perform basic tasks such as adding users and AAA clients. In addition, you can perform advanced tasks such as defining downloadable access lists and command authorization sets.

On the PIX firewall, you can configure authentication and authorization to control both user actions on the firewall and user actions through the firewall. Authentication of users attempting to access the PIX firewall itself is called console authentication. Authorization of user actions on the PIX firewall is called command authorization. For both console authentication and command authorization, you can use the local database, RADIUS, or TACACS+.

For user actions through the PIX firewall, Cisco provides a feature called cut-through proxy to support user authentication and authorization. Cut-through proxy allows you to implement authentication and authorization for inbound or outbound HTTP, FTP, and Telnet connections. This functionality allows you to control services available through the firewall by user identity rather than IP address, giving you a finer granularity of control. Because cut-through proxy only authenticates and authorizes the initial connection attempt, it provides performance advantages over traditional proxy firewalls because subsequent communication occurs directly between the two endpoints while being inspected by the firewall.

Virtual HTTP and virtual Telnet are features related to cut-through proxy. Virtual HTTP solves an authentication issue that exists for some Microsoft IIS servers that have Basic Authentication or NT Challenge enabled. Virtual Telnet provides a mechanism for users to preauthenticate to the PIX firewall before using services that do not support authentication.

Downloadable ACLs allow you to configure per-user or per-group access lists centrally on the AAA server, thereby decreasing administrative overhead and increasing scalability.

Solutions Fast Track

AAA Concepts

• AAA is an architectural framework composed of the three independent but related functions of authentication, authorization, and accounting. The benefits of implementing AAA include scalability, increased flexibility and control, standardized protocols and methods, and redundancy.

• Authentication is the process of identifying and verifying a user before allowing access to network devices and services.

• Authorization is the process of determining a user's privileges and access rights after they have been authenticated.

• Accounting is the process of recording user activities for accountability, billing, auditing, or reporting purposes.

Cisco Secure ACS for Windows

• To take advantage of AAA, you must install and configure an AAA server. Cisco Secure Access Control Server (ACS) is AAA server software that supports both the TACACS+ and RADIUS protocols.

• Cisco Secure ACS includes its own internal database, but it also supports authentication against the following external user databases: Windows NT/2000, Generic LDAP, Novell NetWare Directory Services (NDS), Open Database Connectivity (ODBC)-compliant relational databases, CRYPTOCard token server, SafeWord token server, AXENT token server, RSA SecureID token server, ActivCard token server, and Vasco token server.

Configuring Console Authentication

• Console authentication is used to authenticate users attempting to access the PIX firewall itself. It can be configured to use the LOCAL, TACACS+, or RADIUS databases.

• To use local console authentication, you need to define users on the PIX firewall using the username command.

• To use TACACS+/RADIUS console authentication, you need to perform configuration tasks on the TACACS+/RADIUS server. You need to define the PIX firewall as an AAA client to the server and create user accounts on the server.

Configuring Command Authorization

• Command authorization controls user actions on the PIX firewall. It can use the LOCAL or TACACS+ databases.

• To use local command authorization, you need to define users on the PIX firewall using the username command and assign commands to selected privilege levels using the privilege command.

• To use TACACS+ command authorization, you need to define command authorization sets on the TACACS+ server and assign these command authorization sets to users.

Configuring Authentication for Traffic Through the Firewall

• Cut-through proxy allows you to perform user authentication and authorization of user actions through the PIX firewall. Specifically, it allows you to implement authentication and authorization for inbound or outbound HTTP, FTP, and Telnet access and allows you to control services available through the firewall by user identity rather than IP address, which gives you a finer granularity of control.

• Because the cut-through proxy only authenticates and authorizes the initial connection attempt, it provides performance advantages over traditional proxy firewalls because subsequent communication occurs directly between the two endpoints while being inspected by the firewall.

• You can control how frequently cut-through proxy users need to reauthenticate by setting inactivity and absolute uauth timers.

• With cut-through proxy authentication enabled for Web traffic (i.e., HTTP), your users could experience some problems when connecting to Web sites that run Microsoft IIS with Basic Authentication or NT Challenge enabled. The PIX firewall gets around this issue by providing a virtual HTTP feature. Once enabled, the PIX firewall will redirect incoming HTTP requests that require authentication to the virtual server IP address, authenticate the user, then redirect the browser back to its originally requested destination.

• If you enabled AAA authentication for services that do not support authentication (i.e., services other than HTTP, FTP, or Telnet), virtual Telnet provides a way for users to preauthenticate themselves before they use those services.

Configuring Authorization for Traffic Through the Firewall

• Once you have configured authentication for traffic through the firewall using the cut-through proxy, you can also configure authorization for traffic through the firewall.

• To configure Cisco Secure ACS for authorization for traffic through the PIX firewall, you need to define a shell command authorization set. You define a shell command authorization set for authorizing traffic through the firewall in the same manner that you do for command authorization; however, the commands that you enter should be the name of the service that you want to allow (e.g., HTTP, Telnet, FTP).

www.syngress.com

286 Affiliate 5 • Authentication, Authorization, and Accounting

Configuring Accounting for Traffic Through the Firewall

• You do not need to perform any configuration tasks on the Cisco Secure ACS server for it to be able to receive accounting data from a PIX firewall.

• To view accounting data that is stored on a Cisco Secure ACS server, click the Reports and Activity button from the main screen, click the TACACS+ Accounting link, and select the appropriate TACACS+ accounting file.

Configuring Downloadable Access Lists

• If you need to grant users or groups of users different privileges with respect to the services and hosts that they can access through the firewall, the PIX firewall provides the capability to define per-user access lists when used with an AAA server.

• Named downloadable access lists can be defined on Cisco Secure ACS and shared among users and groups. Instead of having to recreate a given access list every time you add a new user, you can create the access list once and then apply it to users as they are added.


Q: Are there AAA protocols other than RADIUS and TACACS+?

A: Yes. We identified and briefly discussed TACACS and XTACACS, which are no longer supported by Cisco and are not used much anymore. In addition, DIAMETER is an AAA protocol that is designed to coexist with RADIUS. It is still under development by the IETF's AAA Working Group. You can find more information at www.diameter.org.

Q: I am interested in implementing a RADIUS server. Where can I find information on RADIUS products?

A: While you can certainly perform a Web search to research RADIUS products, a good listing can be found at http://ing.ctit.utwente.nl/WU5/D5.1/Technology/radius/index.html#products. In addition, a listing of TACACS+ products can be found at http://ing.ctit.utwente.nl/WU5/D5.1/Technology/tacacs+/index.html#products.

Q: I am new to configuring the PIX firewall and am unsure if I have configured AAA correctly. Is there a way that I can check my configuration?

A: Output Interpreter, a tool on the Cisco support Web site, can analyze your PIX configuration and will report errors, potential problems, and suggested fixes. You simply select PIX from the drop-down list and highlight the show terminal selection. Enter the show terminal command on your PIX, paste the output into the text box, and click the Submit button. Output Interpreter will analyze the configuration and provide you feedback. The tool is located at www.cisco.com/cgi-bin/Support/OutputInterpreter/home.pl.

Q: Does the PIX firewall support AAA for authenticating Cisco software VPN clients?

A: Yes. The PIX provides support for AAA authentication with Cisco VPN clients using xauth. You can find more information on this topic in Chapter 7.