  1. cisco_trooper (Netlurker)
    Join Date: Aug 2007
    Posts: 1,420
    Certifications: CCNP Security, ASA Specialist, Firewall Security Specialist, IOS Security Specialist, IPS Specialist, VPN Security Specialist
    #1

    AAA on ASA 5500 Series

    Ok, so I'm sure we're all familiar with standard aaa configs on Catalyst switches:

    Code:
    aaa new-model
    aaa authentication login default group radius enable
    aaa authorization exec default group radius if-authenticated
    I want to do the same thing on my ASAs, but I can't seem to find anything that does the same thing as
    Code:
    aaa authorization exec default group radius if-authenticated
    I have privilege levels implemented on the Cats and am beginning a similar implementation on the ASAs, but just am not having much luck...and the documentation I'm finding really sucks.

    Any direction would be appreciated....


  4. cisco_trooper, #3
    Just made another case for TACACS+....ASA does not support command authorization for RADIUS, only TACACS+ and the LOCAL database. Bummer.....

    In any case, this is as close as I can get to what I wanted with what is available to me at the time:
    Code:
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication enable console LOCAL
    aaa authorization command LOCAL
    There is a LOCAL user on the device that matches the RADIUS user. When entering enable mode you will be asked for a password again.

    If anyone has any better solutions they would be much appreciated.....

  5. dtlokee (Village Idiot)
    Join Date: Mar 2007
    Location: NJ
    Posts: 2,389
    Certifications: CCIE #19991 R+S, CCNA, CCNP, CCIP, CCVP, CCSP, CCSI, MCSE NT4.0, 2000, 2003, + Messaging and Security, MCDBA, MCSD, MCAD
    #4
    I am missing how you configured command authorization to a radius server on your switch configuration output you posted.

  6. cisco_trooper, #5
    Quote Originally Posted by dtlokee
    I am missing how you configured command authorization to a radius server on your switch configuration output you posted.
    I didn't post the privilege commands. In addition to the commands above, here is what I've done on the ASA with a DUMMY command:
    Code:
    username XXXXXXXXXXXXXX password XXXXXXXXXXXXXXX encrypted privilege 3
    privilege cmd level 3 mode exec command DUMMY
    privilege show level 3 mode exec command DUMMY
    privilege clear level 3 mode exec command DUMMY
    The Cats are pretty easy but I can post those too if people are interested....The command authorization on the ASA is only done locally on the ASA. The ASA does not support command authorization through Radius, which is why I have to add the freaking local user and assign it a privilege level.

  7. dtlokee, #6
    If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.

    You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

    aaa authorization commands 15 default group tacacs+

    Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset its level locally on the switch. If you use ACS you can make command authorization sets.

  8. cisco_trooper, #7
    Quote Originally Posted by dtlokee
    If you are assigning the commands different privilege levels locally that wouldn't be command authorization via a radius server.

    You can set a user's privilege level from the radius server as part of the "authorization exec" configuration but command authorization can only be done to a tacacs server (or locally).

    aaa authorization commands 15 default group tacacs+

    Tells the router to ask the tacacs box if the user is authorized to run a particular level 15 command without needing to reset its level locally on the switch. If you use ACS you can make command authorization sets.
    Yeah, that's why I have to have the local user. I'm using RADIUS right now, and obviously making a case for TACACS. I'm highly annoyed that I can't do command authorization through RADIUS on the ASA, even though the Cats do it just fine.

    Authenticate to the ASA with your RADIUS account (local if RADIUS unavailable):
    Code:
    aaa authentication ssh console RADIUS LOCAL
    When entering enable mode, authenticate with a local user:
    Code:
    aaa authentication enable console LOCAL
    Specify that the LOCAL account is used for command authorization:
    Code:
    aaa authorization command LOCAL

    Needless to say, a TACACS+ implementation is in the cards. Unfortunately I have a couple high profile projects brewing right now, so it will have to wait for a little while....

  9. dtlokee, #8
    You can't do command authorization via radius

    Code:
    6509E(config)#aaa authorization commands 15 default ?
      cache             Use Cached-group
      group             Use server-group.
      if-authenticated  Succeed if user has authenticated.
      local             Use local database.
      none              No authorization (always succeeds).
    
    6509E(config)#aaa authorization commands 15 default group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.
    No option for radius

  10. Senior Member
    Join Date: Mar 2008
    Location: Jacksonville, Florida
    Posts: 284
    Certifications: CCNA, Network+, various Microsoft. ONT and ISCW down, 2 more to go!!!
    #9
    Yep...this is going to be an issue for you. Basically, Cisco seems to be pushing customers more and more towards TACACS. We use a TACACS server at work and it works great with our ASA 5505's *except* where you have an ASA that you want to manage on the remote end of an Easy VPN tunnel. Then it just won't work. We even contacted TAC about it and were told that TACACS for aaa just isn't supported with EasyVPN. (Neither are several other features, we've found.)

    Just FYI.

  11. cisco_trooper, #10
    Quote Originally Posted by dtlokee
    You can't do command authorization via radius

    Code:
    6509E(config)#aaa authorization commands 15 default ?
      cache             Use Cached-group
      group             Use server-group.
      if-authenticated  Succeed if user has authenticated.
      local             Use local database.
      none              No authorization (always succeeds).
    
    6509E(config)#aaa authorization commands 15 default group ?
      WORD     Server-group name
      tacacs+  Use list of all Tacacs+ hosts.
    No option for radius
    That's a 6509 (I presume from the hostname), I have privilege levels on various commands set on at least 40 2950s. The user privilege level is assigned via an attribute assigned via RADIUS...I haven't tried the 6513s because I just don't let people even touch them...

    I'll post the relevant config off the 2950s tomorrow if anyone cares. Anyway, we keep getting back to TACACS having better support from Cisco. +1 TACACS.....

  12. cisco_trooper, #11
    Ok, so I can't wait....the 2950s are easy...

    Code:
    aaa new-model
    Authenticate through radius (local database if radius is unavailable):
    Code:
    aaa authentication login default group radius local
    Drop to exec mode if successfully authenticated through radius:
    Code:
    aaa authorization exec default group radius if-authenticated
    Define the radius server
    Code:
    radius-server host XXX.XXX.XXX.XXX auth-port XXXX acct-port XXXX key 7 XXXXXXXXXXXXXXXXXXXX
    Privilege commands:
    Code:
    privilege interface level 2 description
    privilege interface level 2 switchport access vlan
    privilege interface level 2 shutdown
    privilege interface level 2 no shutdown
    privilege interface level 2 switchport nonegotiate
    privilege interface level 2 switchport port-security mac-address sticky
    privilege interface level 2 switchport port-security violation restrict
    privilege configure level 2 interface
    privilege exec level 2 ping
    privilege exec level 2 show running-config interface fastEthernet
    privilege exec level 2 configure terminal
    privilege exec level 2 write memory
    The part you can't see here is the privilege level that is assigned via radius. With Microsoft IAS there is a Vendor-Specific attribute that you define. You define the Vendor obviously as Cisco and say that it conforms to the Radius RFC. The attribute number is 1, it is a string, and you set it (in this case) to shell:priv-lvl=2


    I was trying to find some screenshots of the IAS setup and actually stumbled across this which has the RADIUS setup fairly well documented (minus screenshots):

    http://www.techexams.net/forums/viewtopic.php?p=126387

    Hope that clarifies what I'm talking about when I refer to "command authorization" on the Cats...I would imagine you could do the same on the 6500s....

  13. dtlokee, #12
    Sorry CT, that's not "command authorization via radius" the authorization is still local. If it was "via radius" (which you can't do with radius only tacacs) then you would not have the privilege levels locally defined. You are using radius to set the user's privilege level, that is not command authorization via a "AAA server".

  14. cisco_trooper, #13
    See what happens when you don't have the correct terminology in your head.....

    Thanks DT I think that actually clears a couple things up for me.

    So yeah, the whole reason this thread was started was that I wanted the ASA to drop me directly into exec mode if I authenticate via RADIUS. I also wanted to be able to pass the privilege level of the user to the ASA via RADIUS...but it LOOKS like I can't drop directly into exec mode without authenticating with some sort of local account... I would still be interested in accomplishing this if anyone has anything that will work with RADIUS...

  15. dtlokee, #14
    How are you trying to access the device? HTTP, SSH?

  16. cisco_trooper, #15
    SSH...

  17. dtlokee, #16
    aaa authorization exec authentication-server

  18. cisco_trooper, #17
    I think I tried that last night and it either didn't work, or it may have been the command that got me locked out of exec mode. I'll do some more testing with it and keep better track of my results....

  19. cisco_trooper, #18
    Here is the AAA config:
    Code:
    aaa-server RADIUS protocol radius
    aaa-server RADIUS host XXX.XXX.XXX.XXX
     retry-interval 5
     timeout 5
     key XXXXXXXXXXXXXXXXXXXXXXXXXXX
     authentication-port 1812
     accounting-port 1813
    aaa authentication http console RADIUS LOCAL
    aaa authentication ssh console RADIUS LOCAL
    aaa authentication serial console RADIUS LOCAL
    aaa authentication enable console RADIUS LOCAL
    aaa authorization exec authentication-server

    Here is the result:
    Code:
    login as: admin
    admin@XXX.XXX.XXX.XXX's password:
    Type help or '?' for a list of available commands.
    ciscoasa> en
    Password: ********

    [ admin ] You do NOT have enable Admin Rights to the console
    Password:
    Password:
    Access denied.
    ciscoasa> login
    Username: admin
    Password: ********
    ciscoasa#
    aaa authorization exec authentication-server does not drop me directly into exec mode even though the account I used was a shell:priv-lvl=15 radius account....Does the ASA support that attribute?


  20. dtlokee, #19
    http://www.cisco.com/en/US/docs/secu...html#wp1753749

    Supported RADIUS attribute pairs.

  21. cisco_trooper, #20
    DT,

    Yep, saw that too just before I left work so I didn't get a chance to work with it.

    I DID find this little tidbit but haven't been able to verify yet.....

    http://www.experts-exchange.com/Secu...TermInfo=1+asa

    This really beginning to annoy the crap out of me...

  22. Senior Member (Jacksonville, Florida), #21
    Just wait until you start trying to mess with QoS on these...or do load balancing...

    For my part, I think ASA's are great at being firewalls and VPN concentrators, but they do have limitations. I worked at a company that wanted just to deploy ASA's everywhere and have that be the only device at a site...then they wanted all the features of a router and switch. I found myself constantly frustrated trying to make something that would be fairly easy to implement on a switch or router. I had to stop for a moment and think of how much easier it was to set up a firewall or VPN on an ASA.

    It's hard when you're trying to hammer in a nail with a screwdriver!

  23. cisco_trooper, #22

    TACACS+ is a go...

    I've got command authorization via TACACS+ all figured out for the most part. I will be moving off of RADIUS in short order. Thanks to all who helped out here.
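    The post above does not show the TACACS+ configuration that was arrived at. The following is an added example written for this page, not cisco_trooper's config and not taken from Cisco documentation: it sketches the ASA side of the setup the thread converges on (TACACS+ for login, exec-level and per-command authorization, with the local database as fallback). The server-group tag TACACS, the address 192.0.2.10 and the placeholder secrets are assumptions.

```cisco
! Create a local privilege-15 administrator BEFORE pointing AAA at the server,
! so an unreachable TACACS+ server cannot lock every admin out of the box.
username admin password <local-password> privilege 15
!
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key <shared-secret>
 timeout 5
!
! Login authentication: TACACS+ first. LOCAL is consulted only when every
! server in the group is unreachable, not when the server rejects the user.
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
!
! Take the user's privilege level from the server's reply rather than from
! a matching local username.
aaa authorization exec authentication-server
!
! Per-command authorization is decided by the TACACS+ server. If the server
! is unreachable the LOCAL fallback applies the local user's privilege level
! against the privilege cmd/show/clear tables on the ASA.
aaa authorization command TACACS LOCAL
!
! Log every authorized command to the server for an audit trail.
aaa accounting command TACACS
```

    Before enabling the command authorization line, keep a second session open as the local admin and test from a third session; a typo in the server's command set otherwise shows up as being unable to enter the commands needed to remove it.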

  24. cisco_trooper, #23
    Ok. I'm looking for THE TACACS+ resource. I'm really looking for best practices on configuration of the TACACS+ daemon. Misconfiguration is a big reason shops have vulnerabilities, and I'm not interested in being one of them.....

    If anyone knows of anything please shoot me a message. I don't like what I'm finding so far....

  25. Senior Member
    Join Date: Apr 2011
    Location: San Antonio, TX
    Posts: 1,727
    Certifications: [Reserved]
    #24
    It just so happened that I ran into this issue last week, whereby I needed to create read-only users for ASDM, while using RADIUS for user authentication.

    Obviously, I was looking into command authorization, or so I thought.
    TACACS and local have handy toggles to do this within the ASA, but RADIUS did not.

    The workaround:
    (1) set command privilege-levels on the ASA
    (2) set the privilege-level of the user via RADIUS
    (3) when the user logs in (via CLI or ASDM) they're restricted to the commands set for their privilege level

    The trickiest part was figuring out how to set the privilege-level via the RADIUS, since it wasn't straightforward, and using regular "Cisco" within the RADIUS client wouldn't swing it. I believe the Cisco docs reference using integer. Configuring the Microsoft NPS called for decimal.

    I ended up consulting the same Cisco docs that were mentioned here, just a different software version. I also ended up consulting the Microsoft docs, as I had a little trouble finding the "custom" attribute in the NPS.

    I might make a blog posting on the solution, in order to show "screen grabs".
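    Both post #11 (IAS) and post #24 (NPS) come down to the same thing: the RADIUS server returns a Cisco Vendor-Specific attribute (RFC 2865 attribute 26, vendor ID 9, vendor sub-type 1 "cisco-avpair") whose string value is shell:priv-lvl=N, and the device applies that level against its locally defined privilege tables. The following is an added example, not code from the thread and not Cisco's or Microsoft's implementation: it encodes and decodes that attribute on the wire, frames it in an Access-Accept, and shows the check a NAS performs (recomputing the Response Authenticator with the shared secret) before trusting any attribute in the reply. It goes a little beyond the posts in that it also handles several sub-attributes in one VSA and rejects malformed lengths and out-of-range levels. The shared secret and Request Authenticator are constructed demo values; on a real ASA the authenticator is 16 random bytes from the device.

```python
"""Cisco cisco-avpair "shell:priv-lvl=N" inside an RFC 2865 Vendor-Specific attribute."""
import hashlib
import hmac
import struct
from typing import List, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 section 5.26
CISCO_VENDOR_ID = 9         # IANA enterprise number for Cisco
CISCO_AVPAIR = 1            # vendor sub-type 1 = cisco-avpair, a string
CODE_ACCESS_ACCEPT = 2
PRIV_LVL_PREFIX = "shell:priv-lvl="


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-avpair string in a Vendor-Specific attribute.

    Layout: Type(26) Length VendorId(4 octets) VendorType(1) VendorLength String.
    Each length octet counts its own two-octet header, so the outer length is 8 + len(string).
    """
    data = value.encode("ascii")
    if len(data) > 247:                       # 255 max attribute length minus 8 header octets
        raise ValueError("cisco-avpair too long for a single attribute")
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting bad lengths."""
    out, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("attribute length outside packet")
        out.append((attr_type, blob[i + 2:i + attr_len]))
        i += attr_len
    return out


def cisco_avpairs(blob: bytes) -> List[str]:
    """Return every cisco-avpair string carried in Cisco (vendor 9) VSAs."""
    pairs = []
    for attr_type, value in parse_attributes(blob):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                          # another vendor's VSA: ignore it
        j = 4                                 # one VSA may carry several sub-attributes
        while j < len(value):
            if len(value) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                raise ValueError("vendor sub-attribute length outside VSA")
            if sub_type == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + sub_len].decode("ascii", "replace"))
            j += sub_len
    return pairs


def priv_level(avpairs: List[str]) -> Optional[int]:
    """Extract shell:priv-lvl from a list of avpairs; None if absent.

    A value outside 0..15 is rejected rather than clamped, so a bad server
    entry fails closed instead of silently granting level 15.
    """
    for pair in avpairs:
        if pair.startswith(PRIV_LVL_PREFIX):
            level = int(pair[len(PRIV_LVL_PREFIX):])
            if not 0 <= level <= 15:
                raise ValueError(f"priv-lvl {level} out of range")
            return level
    return None


def build_access_accept(ident: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """Frame an Access-Accept with its Response Authenticator (RFC 2865 section 3)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS-side check: recompute the authenticator before trusting any attribute."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, resp_auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def nas_priv_level(packet: bytes, request_auth: bytes, secret: bytes) -> Optional[int]:
    """Authenticated reply -> privilege level; anything else -> None (no access granted)."""
    if not verify_response(packet, request_auth, secret):
        return None
    return priv_level(cisco_avpairs(packet[20:]))


if __name__ == "__main__":
    # Constructed demo values; a real Request Authenticator is 16 random bytes from the ASA.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))
    reply = build_access_accept(0x2A, req_auth, encode_cisco_avpair("shell:priv-lvl=15"), secret)
    print(reply.hex())
    print("priv-lvl:", nas_priv_level(reply, req_auth, secret))
```

    The wire bytes make the IAS/NPS dialog concrete: "Vendor-Specific, vendor code 9 (Cisco), conforms to the RADIUS RFC, attribute number 1, string" is exactly the 26 / 0x00000009 / 1 / string framing produced by encode_cisco_avpair. The authenticator check is also why the shared secret matters for authorization, not just for password hiding: with the secret wrong or the level altered in transit, the reply fails verification and no level is applied.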

  26. Junior Member (Registered Member)
    Join Date: May 2017
    Posts: 1
    #25
    Hello instant000

    I have the same problem with RADIUS NPS for user authorization and don't know how to configure NPS so that the ASA identifies privilege levels.
    You wanted to post a blog of your solution. Where can I find this post?
    I hope you can help me. Thank you.

    Best regards,
    Lars
