module 6: configure trust and identity at layer 3 - modified

Post on 26-Jan-2015


TRANSCRIPT

© 2005 Cisco Systems, Inc. All rights reserved.


Network Security 1

Module 6 – Configure Trust and Identity at Layer 3


Learning Objectives

6.1 Cisco IOS Firewall Authentication Proxy

6.2 Introduction to PIX Security Appliance AAA Features

6.3 Configure AAA on the PIX Security Appliance


Module 6 – Configure Trust and Identity at Layer 3

6.1 Cisco IOS Firewall Authentication Proxy


What Is the Authentication Proxy?

• Provides dynamic, per-user HTTP, HTTPS, FTP, and Telnet authentication and authorization via TACACS+ and RADIUS protocols

• Once authenticated, all types of application traffic can be authorized

• The user profiles are active only when there is active traffic from the authenticated users.

• Works on any interface type for inbound or outbound traffic


Authentication Proxy Operation

• When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers the authentication proxy.

• The authentication proxy first checks to see if the user has been authenticated.

• If a valid authentication entry exists for the user, the session is allowed and no further intervention is required by the authentication proxy.

• If no entry exists, the authentication proxy responds to the connection request by prompting the user for a username and password.


Authentication Proxy Operation (Cont.)

• Users must successfully authenticate with the authentication server by entering a valid username and password.

• If the authentication succeeds, the user’s authorization profile is retrieved from the authentication, authorization, and accounting (AAA) server.

• The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound ACL of an input interface, and to the outbound ACL of an output interface if an output ACL exists at the interface.

• By doing this, the firewall allows authenticated users access to the network as permitted by the authorization profile.


Authentication Proxy Operation (Cont.)

• If the authentication fails, the authentication proxy reports the failure to the user and prompts the user for a configurable number of retries.

• The authentication proxy sets up an inactivity, or idle, timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user’s host does not trigger the authentication proxy, and all authorized user traffic is permitted access through the firewall.

• If the idle timer expires, the authentication proxy removes the user’s profile information and dynamic ACL entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP, HTTPS, FTP, or Telnet connection to trigger the authentication proxy.


Supported AAA Servers

• TACACS+: Cisco Secure ACS NT/2000, Cisco Secure ACS UNIX, TACACS+ Freeware

• RADIUS: Cisco Secure ACS NT/2000, Cisco Secure ACS UNIX, Lucent


Authentication Proxy Configuration

• The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs.

• Applying the authentication proxy inward at an interface causes it to intercept a user’s initial connection request before that request is subjected to any other processing by the firewall.

• If the user fails to authenticate with the AAA server, the connection request is dropped.


Authentication Proxy Configuration (Cont.)

• All traffic through an interface can be blocked, and then the authentication proxy feature can be enabled to require authentication and authorization for all user-initiated HTTP, HTTPS, FTP, or Telnet connections.

• Users are authorized for services only after successful authentication with the AAA server.


Enable AAA

Router(config)# aaa new-model

Enables the AAA functionality on the router (default = disabled)


Specify Authentication Protocols

Router(config)# aaa authentication login default method1 [method2]

Defines the list of authentication methods that will be used

Methods: TACACS+, RADIUS, or both

Router(config)# aaa authentication login default group tacacs+


Specify Authorization Protocols

Router(config)# aaa authorization auth-proxy default method1 [method2]

Use the auth-proxy keyword to enable authorization proxy for AAA methods

Methods: TACACS+, RADIUS, or both

Router(config)# aaa authorization auth-proxy default group tacacs+


Define a TACACS+ Server and Its Key

Router(config)# tacacs-server host ip_addr

Specifies the TACACS+ server IP address

Router(config)# tacacs-server key string

Specifies the TACACS+ server key

Router(config)# tacacs-server host 10.0.1.12
Router(config)# tacacs-server key secretkey


Define a RADIUS Server and Its Key

Router(config)# radius-server host ip_addr

Specifies the RADIUS server IP address

Router(config)# radius-server key string

Specifies the RADIUS server key

Router(config)# radius-server host 10.0.1.12
Router(config)# radius-server key secretkey


Allow AAA Traffic to the Router

– Create an ACL to permit TACACS+ traffic from the AAA server to the firewall

Source address = AAA server

Destination address = interface where the AAA server resides

– May want to permit ICMP

– Deny all other traffic

– Apply the ACL to the interface on the side where the AAA server resides

Router(config)# access-list 111 permit tcp host 10.0.1.12 eq tacacs host 10.0.1.1
Router(config)# access-list 111 permit icmp any any
Router(config)# access-list 111 deny ip any any
Router(config)# interface ethernet0/0
Router(config-if)# ip access-group 111 in


Allow AAA Traffic to the Router (Cont.)

• All traffic requiring authentication and authorization should be denied by the router using extended ACLs.

• Upon successful authentication, dynamic ACEs will be inserted into the ACLs to permit only the traffic authorized by the user profile.

• The authentication proxy customizes each of the ACEs in the user profile by replacing the source IP addresses in the downloaded ACL with the source IP address of the authenticated host.


Allow AAA Traffic to the Router (Cont.)

• An extended ACL should be applied to the inbound direction of the interface that is configured for proxy authentication.

• All other ACLs that restrict traffic in the direction of authenticated traffic flow should be extended ACLs so that proxy authentication can dynamically update the ACEs as necessary to permit authorized traffic to pass.


Enable the Router HTTP or HTTPS Server

Router(config)# ip http server

Enables the HTTP server on the router

Router(config)# ip http authentication aaa

Sets the HTTP server authentication method to AAA

Router(config)# ip http secure-server

Enables the HTTPS server on the router

Proxy uses HTTP server for communication with a client

Router(config)# ip http server
Router(config)# ip http authentication aaa


HTTP and HTTPS

• The HTTPS feature requires a Cisco IOS crypto image.

• HTTP-initiated sessions normally exchange the username and password in clear text. This exchange is encrypted when using HTTPS.

• To use the authentication proxy with HTTPS, use the ip http secure-server command to enable the HTTP secure server on the router. Then use the ip http authentication aaa command to require the HTTP server to use AAA for authentication.


Set Global Timers

Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}

inactivity-timer: authentication inactivity timer in minutes (default = 60 minutes)

absolute-timer: absolute timer in minutes (default = 0 minutes, i.e. disabled)

Router(config)# ip auth-proxy inactivity-timer 120


Set Global Timers – Inactivity Timeout

• The inactivity timeout value is the length of time that an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity.

• To set the global authentication proxy inactivity timeout value, use the ip auth-proxy inactivity-timer global configuration command.


Set Global Timers – Absolute Timeout

• The absolute-timer min option allows administrators to configure a window during which the authentication proxy on the enabled interface is active.

• Once the absolute timer expires, the authentication proxy will be disabled regardless of any activity.

• The global absolute timeout value can be overridden by the local value, which is enabled via the ip auth-proxy name command (next slide).
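An added example, not part of the Cisco course material: a small Python model of the authentication proxy behaviour described in the operation slides and the two timer slides above. It shows the dynamic ACE customization (the downloaded profile's source addresses replaced by the authenticated host) and how the inactivity and absolute timers remove the cache entry. Class and function names are hypothetical and the sample profile is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str               # "any" in the downloaded profile
    dst: str               # "any" or an IPv4 address/prefix
    dport: Optional[int] = None

def customize(profile: List[Ace], host: str) -> List[Ace]:
    """Dynamic ACEs: the source of every downloaded ACE becomes the
    authenticated host's address (the customization step on the slides)."""
    return [Ace(a.action, a.proto, host, a.dst, a.dport) for a in profile]

@dataclass
class Entry:
    aces: List[Ace]
    created: float     # seconds; the absolute timer counts from here
    last_seen: float   # seconds; the inactivity timer counts from here

class AuthProxyCache:
    def __init__(self, inactivity_min: int = 60, absolute_min: int = 0):
        self.inactivity = inactivity_min * 60
        self.absolute = absolute_min * 60      # 0 = absolute timer disabled
        self.entries: Dict[str, Entry] = {}

    def authenticate(self, host: str, profile: List[Ace], now: float) -> None:
        """Called after a successful AAA login: install the customized ACEs."""
        self.entries[host] = Entry(customize(profile, host), now, now)

    def _live_entry(self, host: str, now: float) -> Optional[Entry]:
        e = self.entries.get(host)
        if e is None:
            return None
        idle_expired = now - e.last_seen > self.inactivity
        abs_expired = self.absolute > 0 and now - e.created > self.absolute
        if idle_expired or abs_expired:
            del self.entries[host]   # profile and dynamic ACEs are removed
            return None
        return e

    def check(self, src: str, proto: str, dst: str, dport: int, now: float) -> str:
        """'authenticate' when no valid entry exists (an HTTP/HTTPS/FTP/Telnet session
        would be prompted), otherwise the action of the first matching dynamic ACE."""
        e = self._live_entry(src, now)
        if e is None:
            return "authenticate"
        e.last_seen = now            # traffic through the firewall resets the idle timer
        for a in e.aces:
            proto_ok = a.proto in (proto, "ip")
            dst_ok = a.dst == "any" or ipaddress.ip_address(dst) in ipaddress.ip_network(a.dst, strict=False)
            port_ok = a.dport is None or a.dport == dport
            if a.src == src and proto_ok and dst_ok and port_ok:
                return a.action
        return "deny"
```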


Define and Apply Authentication Proxy Rules

Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]

Creates an authorization proxy rule

Router(config-if)# ip auth-proxy auth-proxy-name

Applies an authorization proxy rule to an interface

For outbound authentication, apply to inside interface

For inbound authentication, apply to outside interface

Router(config)# ip auth-proxy name aprule http
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule


Authentication Proxy Rules with ACLs

Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}

Creates an authorization proxy rule with an access list

Router(config)# ip auth-proxy name aprule http list 10
Router(config)# access-list 10 permit 10.0.1.0 0.0.0.255
Router(config)# interface ethernet0
Router(config-if)# ip auth-proxy aprule


Create auth-proxy Service in the Cisco Secure ACS

Enter the new service: auth-proxy.


Create a User Authentication Profile in the Cisco Secure ACS


User Authorization Profiles


Test and Verify the Configuration


What the User Sees


Clear the Authentication Proxy Cache

Router# clear ip auth-proxy cache {* | ip_addr}

• Clears authentication proxy entries from the router (privileged EXEC command)


show Commands

Router# show ip auth-proxy cache
Router# show ip auth-proxy configuration
Router# show ip auth-proxy statistics

• Displays statistics, configurations, and cache entries of the authentication proxy subsystem (privileged EXEC commands)


debug Commands

Router# debug ip auth-proxy ftp
Router# debug ip auth-proxy function-trace
Router# debug ip auth-proxy http
Router# debug ip auth-proxy object-creation
Router# debug ip auth-proxy object-deletion
Router# debug ip auth-proxy tcp
Router# debug ip auth-proxy telnet
Router# debug ip auth-proxy timer

• Helps with troubleshooting (privileged EXEC commands)


Module 6 – Configure Trust and Identity at Layer 3

6.2 Introduction to PIX Security Appliance AAA Features


Types of Authentication


Types of Authorization


Types of Accounting


Module 6 – Configure Trust and Identity at Layer 3

6.3 Configure AAA on the PIX Security Appliance


Types of Access Authentication


Authentication Configuration Steps


Add Users to the Local User Database


AAA Local Authentication Attempts Max-Fail Command


Authentication Prompts


Authentication Timeouts


Cut-Through Proxy


PIX Cut-Through Proxy – Three Ways to Authenticate

telnet

http

ftp


Login Method for Telnet

A prompt is generated by the PIX Firewall.

The user has up to four chances to log in.

If authentication and authorization are successful, the user is prompted for a username and password if required by the destination server.


Login Method for FTP

If an incorrect password is entered, the connection is dropped immediately.

If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via FTP, enter the username and password in the following format:

aaa_user@remote_user and

aaa_password@remote_password


Login Method for HTTP

The browser generates a username and password pop-up window.

If an incorrect password is entered, the user is prompted again (and again).

If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via HTTP, use virtual http.


Login Method for HTTPS

The user gets a prompt generated by the PIX.

The user has up to three chances to log in.

If the username or password fails after the third attempt, the PIX drops the connection.


Enable Authentication – Manually Designating AAA Authentication Parameters

pixfirewall(config)# aaa authentication include|exclude authen_service inbound|outbound|if_name local_ip local_mask foreign_ip foreign_mask group_tag

Defines traffic to be authenticated

authen_service = any, ftp, http, or telnet

any = all TCP traffic

pixfirewall(config)# aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include telnet outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication include ftp dmz 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


aaa authentication Example

pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0

pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS

pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


aaa authentication command parameters

include – create a new rule with the specified service to include.

authen_service – the application with which a user is accessing a network. Use any, ftp, http, or telnet.

inbound – authenticate inbound connections. Inbound means that the connection originates on the outside interface and is being directed to the inside interface.

outbound – authenticate outbound connections. Outbound means that the connection originates on the inside and is being directed to the outside interface.

if_name – interface name from which users require authentication.


Virtual Telnet and HTTP


Authentication of Non-Telnet, FTP, or HTTP Traffic


Virtual Telnet


Virtual HTTP


Tunnel User Authentication


Authorization Configuration


User Authorization


Enable Authorization

pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

Defines traffic that requires AAA server authorization

author_service = any, ftp, http, or telnet

any = All TCP traffic

pixfirewall(config)# aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization exclude ftp outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


User Authorization


Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic


Authorization of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

author_service = protocol/port

protocol: tcp (6), udp (17), icmp (1), or others (protocol #)

port: single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports); for ICMP, the message type (8 = echo request, 0 = echo reply); port is not used for protocols other than TCP, UDP, or ICMP

pixfirewall(config)# aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
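An added example, not part of the Cisco course material: a Python model of how the PIX include/exclude rules from the aaa authentication and aaa authorization slides select a connection, covering the named services (any, ftp, http, telnet), the protocol/port form shown here, the "0 0" address shorthand, and the rule that a matching exclude overrides the includes. Function and class names are hypothetical; the rule lines are taken from the slides and the sample connections are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_NUM = {"tcp": 6, "udp": 17, "icmp": 1}
NAMED = {"any": (6, (0, 65535)), "ftp": (6, (21, 21)),
         "http": (6, (80, 80)), "telnet": (6, (23, 23))}

def parse_service(svc: str) -> Tuple[int, Tuple[int, int]]:
    """Service keyword or protocol/port -> (IP protocol number, (lo, hi)).
    any = all TCP traffic; port 0 = all ports; for ICMP the 'port' is the
    message type; the port is ignored for protocols other than TCP, UDP, ICMP."""
    if svc in NAMED:
        return NAMED[svc]
    proto, _, port = svc.partition("/")
    pnum = PROTO_NUM.get(proto) or int(proto)
    if pnum not in PROTO_NUM.values() or port in ("", "0"):
        return pnum, (0, 65535)
    lo, _, hi = port.partition("-")
    return pnum, (int(lo), int(hi or lo))

def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    # PIX accepts "0 0" as shorthand for 0.0.0.0 0.0.0.0
    ip, mask = ("0.0.0.0" if ip == "0" else ip), ("0.0.0.0" if mask == "0" else mask)
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

@dataclass
class Rule:
    kind: str          # authentication, authorization or accounting
    action: str        # include or exclude
    proto: int
    ports: Tuple[int, int]
    direction: str     # inbound, outbound or an interface name (if_name)
    local: ipaddress.IPv4Network
    foreign: ipaddress.IPv4Network
    group: str         # AAA server group tag, e.g. MYTACACS

def parse_rule(line: str) -> Rule:
    t = line.split()
    if t[0] != "aaa" or t[2] not in ("include", "exclude"):
        raise ValueError(line)
    proto, ports = parse_service(t[3])
    rest = t[5:]       # local_ip local_mask [foreign_ip foreign_mask] group_tag
    if len(rest) == 5:
        foreign, tag = _net(rest[2], rest[3]), rest[4]
    else:              # foreign address omitted: any foreign host
        foreign, tag = _net("0", "0"), rest[2]
    return Rule(t[1], t[2], proto, ports, t[4], _net(rest[0], rest[1]), foreign, tag)

def aaa_group(rules: List[Rule], kind: str, direction: str, local_ip: str,
              foreign_ip: str, proto: int, port: int) -> Optional[str]:
    """Group tag if the connection is selected for `kind`, else None. A matching
    exclude rule overrides the includes (the host 10.0.0.33/10.0.0.42 exceptions)."""
    lip, fip = ipaddress.ip_address(local_ip), ipaddress.ip_address(foreign_ip)
    chosen = None
    for r in rules:
        if (r.kind, r.direction, r.proto) != (kind, direction, proto):
            continue
        if not (r.ports[0] <= port <= r.ports[1]) or lip not in r.local or fip not in r.foreign:
            continue
        if r.action == "exclude":
            return None
        chosen = chosen or r.group
    return chosen
```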


Downloadable ACLs


Accounting Configuration


Configuring Accounting for Traffic Through the Firewall

Accounting can be configured for traffic through the firewall.

The syntax for this command is very similar to that of the aaa authentication command.

All parameters are the same except for the acct_service. Possible values for the acct_service parameter are any, ftp, http, telnet, or <protocol/port>.

You do not need to perform any configuration tasks on the Cisco Secure ACS server for it to be able to receive accounting data from a PIX firewall.


Enable Accounting

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

Defines traffic that requires AAA server accounting

acctg_service = any, ftp, http, or telnet

any = All TCP traffic

pixfirewall(config)# aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa accounting exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS


Enable Accounting Match


Admin Accounting


Command Accounting


Accounting of Non-Telnet, FTP, or HTTP Traffic

When configuring aaa accounting of non-Telnet, FTP, or HTTP traffic, the syntax of the command is slightly different from Telnet, FTP, or HTTP-specific traffic.

The syntax for acctg_service is specified in the format protocol/port.


Accounting of Non-Telnet, FTP, or HTTP Traffic

pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

acctg_service = protocol/port

protocol: tcp (6), udp (17), or others (protocol #)

port = single port (e.g., 53), port range (e.g., 2000–2050), or port 0 (all ports) (port is not used for protocols other than TCP or UDP)

pixfirewall(config)# aaa accounting include udp/53 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
pixfirewall(config)# aaa accounting include udp/54-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS


How to View Accounting Information in CSACS-NT

In the navigation bar select Reports and Activity. The Reports and Activity window opens.

Under Reports first select TACACS+ Accounting and then select TACACS+ Accounting active.csv under Select a TACACS+ Accounting file to display the accounting records.
