Authentication, Authorization, and Accounting

Presentation on theme: "Authentication, Authorization, and Accounting"— Presentation transcript:

1 Authentication, Authorization, and Accounting
AAA Authentication, Authorization, and Accounting

2 AAA Network Configuration
Authentication: determines whether the presented identity is legitimate.
Authorization: specifies which operations the user is allowed to perform.
Accounting: records which operations the user actually performed.

3 Roles in the AAA authentication flow
Roles in Cisco's AAA authentication flow:
AAA user: the remote user requesting access
AAA client: the RAS (remote access server) the user connects to
AAA server: the ACS server (or local authentication on the RAS itself)
AAA database: the database server (or a database on the ACS server, or local on the RAS)
The access server and the access control server can use the following security protocols:
TACACS+: runs over TCP, Cisco proprietary, can separate authentication from authorization
RADIUS: runs over UDP, an open protocol, cannot separate authentication from authorization

4 Supported AAA Servers
TACACS+: CSACS-NT, CSACS-UNIX, TACACS+ Freeware
RADIUS: CSACS-NT, Livingston, Merit

5 Cisco Secure ACS installation and basic configuration
Step 1: Check and adjust the computer hardware so that it meets the following requirements: Pentium III 550 MHz or faster, 256 MB of RAM, at least 250 MB of free disk space.
Step 2: Check the Windows configuration and install the Java Runtime Environment (JRE).
Step 3: Check the network connectivity from the server to the Cisco devices.
Step 4: Insert the Cisco Secure ACS for Windows CD, click “Install” to start the installation, then follow the Windows prompts step by step to complete it.
Step 5: In the browser address bar enter “ or IP address :2002” to open the ACS web configuration page.

6 Web configuration page

29 ACS navigation bar options
The options under each entry of the ACS navigation bar are as follows:
User Setup: view, create, edit and delete user accounts.
Group Setup: view, create and edit user group settings.
Shared Profile Components: shareable authorization components that can be applied to one or more users or user groups. They include Network Access Restrictions (NAR), command authorization sets and PIX downloadable ACLs.
Network Configuration: view, create, edit and delete the parameters of network servers (network devices such as routers and switches).
System Configuration: start or stop the ACS service, create or delete network logs, control ACS database synchronization, and so on.
Interface Configuration: configure the TACACS+ and RADIUS options.
Administration Control: view, create, edit and delete ACS administrator accounts.
External User Database: configure the ACS external database type and the unknown user policy.
Reports and Activity: view the TACACS+ and RADIUS audit reports, the Failed Attempts report, the list of logged-in users, and so on.
Online Documentation: more detailed documentation on Cisco Secure ACS.

8 Basic Cisco IOS AAA authentication configuration
Step 1: Enable AAA globally. To use AAA you must first enable it with the aaa new-model global configuration command:
Router(config)# aaa new-model
Step 2: Configure the ACS server address and the AAA client key. The command formats are:
When TACACS+ is used between the AAA client and the AAA server:
tacacs-server host IP_address
tacacs-server key key
When RADIUS is used between the AAA client and the AAA server:
radius-server host IP_address
radius-server key key

9 Configuring the Cisco Secure ACS server
Step 3: Configure the Cisco Secure ACS server.
In the ACS navigation bar select “Network Configuration”, then click “Add Entry” in the right-hand pane to reach the screen shown on the slide:

10 Define the authentication method list; the common authentication methods are summarized on the slide.
A method list can also contain several authentication methods, so that when the first method fails the device can use a backup authentication system, for example:
aaa authentication login example group tacacs+ group radius
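How IOS walks the method list above, as an added model (not Cisco code): a later method is consulted only when the previous one returns an error (server unreachable or not answering), never when the server answers with a reject. The stub servers and credentials are constructed.

```python
"""Model of how Cisco IOS walks a method list such as
    aaa authentication login example group tacacs+ group radius
The next method is consulted only when the previous one returns ERROR
(no usable answer from the server); a FAIL (server answered and rejected
the credentials) ends the list immediately.  Stub servers are constructed."""
from enum import Enum
from typing import Callable, List, Tuple

class Result(Enum):
    PASS = "pass"    # server answered and accepted the credentials
    FAIL = "fail"    # server answered and rejected the credentials
    ERROR = "error"  # no usable answer (timeout, unreachable, bad key)

Method = Callable[[str, str], Result]

def run_method_list(methods: List[Tuple[str, Method]], user: str, pw: str):
    """Walk the list; return (final Result, trail of (method name, result))."""
    trail = []
    for name, method in methods:
        r = method(user, pw)
        trail.append((name, r))
        if r is Result.ERROR:
            continue          # only an ERROR moves on to the next method
        return r, trail       # PASS or FAIL is final
    return Result.ERROR, trail  # every method errored: login is not granted

# --- constructed stub servers, no network I/O ---------------------------
def tacacs_down(user: str, pw: str) -> Result:
    return Result.ERROR                      # TACACS+ server unreachable

def tacacs_up(user: str, pw: str) -> Result:
    return Result.PASS if {"bob": "pw"}.get(user) == pw else Result.FAIL

def radius_server(user: str, pw: str) -> Result:
    return Result.PASS if {"alice": "s3cret"}.get(user) == pw else Result.FAIL

# The slide's list with the TACACS+ server down: RADIUS is consulted.
EXAMPLE_LIST = [("group tacacs+", tacacs_down), ("group radius", radius_server)]
# Same list with TACACS+ reachable: a reject there is final, RADIUS is never asked.
STRICT_LIST = [("group tacacs+", tacacs_up), ("group radius", radius_server)]

if __name__ == "__main__":
    print(run_method_list(EXAMPLE_LIST, "alice", "s3cret"))
    print(run_method_list(STRICT_LIST, "alice", "s3cret"))
```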

11 Configuring and applying Authentication using the local database
Switch(config)# aaa authentication login {default | list-name} method1 [method2...]   Creates an authentication list
login: character-mode authentication, i.e. how users who enter the IOS command line to configure the device are authenticated
default: the default authentication method used when no named list is applied
Example: aaa authentication login default local   Authenticates using the local database
Switch(config-line)# login authentication {default | list-name}   Applies the authentication list to a line

12 AAA authentication
Switch(config)# aaa new-model
Switch(config)# aaa authentication login test group tacacs+
Switch(config)# tacacs-server host
Switch(config)# line vty 0 4
Switch(config-line)# login authentication test

13 Authorization: authorization options
Authentication proxy (auth-proxy): applies a security policy per user. With the authentication proxy, the user proves his identity to the server through a web browser before accessing the network; once verified, the user is allowed in.
Commands (commands): authorizes the execution of EXEC commands, for example allowing ordinary users to run only show commands.
Network (network): applies authorization to network connection types, for example granting a remote user access to network protocols such as PPP at login.
Reverse access: reverse Telnet sessions, used to reach the various lines from the console.

14 Authorization: authorization methods
TACACS+: a client/server method; the AAA authorization daemon on the switch or router communicates with the TACACS+ server to decide each authorization.
RADIUS: like the above, also a client/server model.
if-authenticated: with this method a user who has passed authentication can access any function.
none: disables authorization on the interface.
local: uses the username and password database on the switch or router; the local database is configured with the username command.

15 Configuring Authorization
Switch(config)# aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]   Creates an authorization method list and enables authorization
Switch(config)# interface interface-type interface-number   Enters interface configuration mode
Switch(config-if)# ppp authorization {default | list-name}   Applies the named authorization method list to the interface

16 Authorizing user privilege levels
Step 1: Enable AAA and configure the local database, giving each user a different privilege level:
Router(config)# aaa new-model
Router(config)# username user1 privilege 1 password user1
Router(config)# username user2 privilege 7 password user2
Router(config)# username user3 privilege 15 password user3
Step 2: Configure the EXEC session authorization method:
Router(config)# aaa authorization exec cisco local
Step 3: Apply the authorization on the virtual terminal lines:
Router(config)# line vty 0 4
Router(config-line)# authorization exec cisco
The privilege level of Cisco CLI commands can also be changed. For example, the clear line command defaults to level 15, but the privilege exec command can move it to level 7:
Router(config)# privilege exec level 7 clear line

17 Cisco IOS authentication proxy
The authentication proxy is a feature of the Cisco IOS 12.3 firewall feature set that authenticates and authorizes users when they access the Internet. In the figure, the host at is the Cisco Secure ACS server; the router communicates with the server using TACACS+. When the user enters the correct username and password, the router fetches the user's access profile from ACS and adds it to the corresponding access control list.

18 Step 1: enable AAA
Router(config)# aaa new-model
Router(config)# aaa authentication login default group tacacs+
Router(config)# aaa authorization auth-proxy default group tacacs+
Router(config)# tacacs-server host key cisco

19 Step 2: add the router as an AAA client on ACS
In the ACS navigation bar click “Network Configuration”, then click “Add Entry” under AAA client to add the AAA client, as shown below:

20 Step 3: configure the proxy service on ACS
In the ACS navigation bar click “Interface Configuration”, then click “TACACS+ (Cisco IOS)” to reach the following screen. Under New Services add a new service named “auth-proxy”, as shown in the figure.

21 Steps 4 and 5: add users on ACS and configure the user authorization profile
In the ACS navigation bar click “Group Setup”, select the relevant group, click “Edit Settings” and scroll down to the following screen. As shown in the figure, tick the auth-proxy and Custom Attributes check boxes and enter the group's authorization profile in the Custom Attributes text box. The authorization profile is simply the ACL the router will later load; each statement is written in the form proxyacl#n and only permit statements are allowed. After the router downloads the profile it replaces the source address (any) in each statement with the user's source IP address. An example profile:
proxyacl#1=permit tcp any any eq www
proxyacl#2=permit tcp any any eq 20
proxyacl#3=permit tcp any any eq 21
priv-lvl=15
Note: the last line of the authorization profile must be priv-lvl=15.
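A validator and expander for a profile of the form above, added here as example code (not Cisco or ACS code): it enforces the constraints the slide states (proxyacl#n keys, permit-only entries, priv-lvl=15 as the last line) and performs the source substitution the router does after download. Requiring the source to be "any" is this validator's own assumption, since that is the field the router replaces; the sample profile and user address are constructed.

```python
"""Validate an auth-proxy authorization profile as stored in ACS Custom
Attributes and expand it into the per-user ACL the router would apply.
Example code, not Cisco/ACS code.  Assumption: every entry has the shape
'permit <proto> any <dst> [port spec]', because 'any' in the source
position is what the router replaces with the user's host address."""
import re
from typing import List

PROXYACL_RE = re.compile(r"^proxyacl#(\d+)=(.+)$")

class ProfileError(ValueError):
    pass

def parse_profile(text: str) -> List[str]:
    """Return the ACE strings in proxyacl#n order after validating the profile."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[-1] != "priv-lvl=15":
        raise ProfileError("profile must end with priv-lvl=15")
    entries = {}
    for ln in lines[:-1]:
        m = PROXYACL_RE.match(ln)
        if not m:
            raise ProfileError(f"unexpected attribute: {ln}")
        n, ace = int(m.group(1)), m.group(2).split()
        if len(ace) < 4 or ace[0] != "permit":
            raise ProfileError(f"proxyacl#{n}: only permit entries are allowed")
        if ace[2] != "any":
            raise ProfileError(f"proxyacl#{n}: source must be 'any' (it is replaced)")
        if n in entries:
            raise ProfileError(f"duplicate proxyacl#{n}")
        entries[n] = " ".join(ace)
    return [entries[n] for n in sorted(entries)]

def expand_for_user(text: str, user_ip: str) -> List[str]:
    """Rewrite each ACE with the user's address as source, as the router does."""
    out = []
    for ace in parse_profile(text):
        tok = ace.split()            # permit <proto> <src> <dst> ...; src is token 2
        tok[2:3] = ["host", user_ip]
        out.append(" ".join(tok))
    return out

# Constructed sample: the profile from the slide
SAMPLE_PROFILE = """\
proxyacl#1=permit tcp any any eq www
proxyacl#2=permit tcp any any eq 20
proxyacl#3=permit tcp any any eq 21
priv-lvl=15
"""

if __name__ == "__main__":
    for ace in expand_for_user(SAMPLE_PROFILE, "10.0.0.7"):   # constructed user IP
        print(ace)
```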

22 Step 6: define an inbound access list on the router that allows only AAA traffic to the router
Router(config)# access-list 101 permit tcp host eq tacacs host
Router(config)# access-list 101 deny ip any any
Router(config)# access-list 100 permit tcp any eq tacacs any
Router(config)# interface fa0/1
Router(config-if)# ip access-group 101 in

23 Step 7: enable the router's HTTP server. Step 8: configure the authentication proxy rule
Router(config)# access-list 1 permit   ! specifies which hosts use the authentication proxy to reach the Internet
Router(config)# ip auth-proxy name cisco http list 1
Router(config)# interface fa0/1
Router(config-if)# ip auth-proxy cisco
Router(config-if)# exit
Router(config)# ip http server
Router(config)# ip http authentication aaa

24 Step 9: test
When the user accesses the server on the Internet, the router displays the web page shown below, prompting for a username and password.

25 Accounting
Network accounting: provides information on all PPP and similar sessions, including packet and byte counts.
Connection accounting: provides information on all outbound connections made from the network access server.
EXEC accounting: provides information on user sessions on the network access server, including username, date, and start and end times.
System accounting: provides information on all system-level events, such as system reloads.
Command accounting: provides information on the commands of a given privilege level executed on the network access server.
Resource accounting: provides start and stop records for calls that have passed user authentication.

26 Configuring Accounting
Switch(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]   Creates an accounting method list and enables accounting
Switch(config)# interface interface-type interface-number   Enters interface configuration mode
Switch(config-if)# ppp accounting {default | list-name}   Applies the named accounting method list to the interface

27 AAA accounting
Switch(config)# aaa new-model
Switch(config)# aaa accounting exec default start-stop group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# accounting exec default
After completing the configuration, click “Reports and Activity” on the ACS management page to view the records.

28 802.1X Port-Based Authentication (port-based access control protocol)
Restricts unauthorized clients from connecting to a LAN through publicly accessible ports

29 IEEE 802.1x overview
The IEEE 802.1x access control feature is an industry-standard Layer 2 access control method that provides centralized management. It is also widely used in wireless networks.
With 802.1x, before the switch accepts packets from a workstation connected to a port, it asks the authentication server to authenticate the workstation. Until the authentication server has verified the workstation's identity, 802.1x allows only EAPOL (Extensible Authentication Protocol over LAN) traffic through the port the workstation is connected to. Only after authentication succeeds is normal traffic allowed through the port.
Port-based 802.1x authentication involves three kinds of device:
Client: the workstation that uses 802.1x to ask the network to authenticate it. Currently only Microsoft Windows XP and Windows 2003 have built-in 802.1x support.
Authentication server: verifies the client requests forwarded by the switch. Currently the authentication server is a RADIUS server with EAPOL extensions.
Switch: forwards client requests to the authentication server and grants the client network access once it has been authenticated. During 802.1x operation the switch is effectively a proxy.

30 Configuring 802.1X Port-Based Authentication
Switch(config)# aaa authentication dot1x {default} method1 [method2...]   Creates an 802.1X port-based authentication method list
Switch(config)# dot1x system-auth-control   Globally enables 802.1X port-based authentication
Switch(config)# interface type slot/port   Enters interface configuration mode
Switch(config-if)# dot1x port-control auto   Enables 802.1X port-based authentication on the interface

31 Enabling 802.1x
Switch(config)# aaa new-model
Switch(config)# aaa authentication dot1x default group tacacs+
Switch(config)# dot1x system-auth-control
Switch(config)# inter fa 5/1
Switch(config-if)# dot1x port-control auto

32 Using 802.1x to implement dynamic VLAN assignment

33 Step 1: enable AAA on the switch and configure authentication and authorization
switch(config)# aaa new-model
switch(config)# username juniper password cisco
switch(config)# aaa authentication login default local   // defines the login authentication method; unrelated to 802.1x, used only for managing the switch
switch(config)# aaa authentication dot1x default group radius
switch(config)# aaa authorization network default group radius   // configures the authentication and authorization methods

34 Step 2: configure the AAA server parameters
switch(config)# radius-server host key cisco
switch(config)# radius-server vsa send   // dynamic VLAN assignment requires the switch to recognise the VSA values sent by the RADIUS server

35 Step 3: enable 802.1x
switch(config)# dot1x system-auth-control   // enables 802.1x globally
switch(config)# interface range fa0/1 - 20
switch(config-if-range)# switchport mode access
switch(config-if-range)# spanning-tree portfast
switch(config-if-range)# dot1x port-control auto   // enables 802.1x on the ports

36 Step 4: configure the RADIUS server
1. In the ACS navigation bar click “Network Configuration” and add the switch as an AAA client, with “RADIUS (IETF)” as the authentication protocol, as shown below:

37 2. In the ACS navigation bar click “Interface Configuration”, then click “RADIUS (IETF)” to reach the following screen. Tick the “[064] Tunnel-Type”, “[065] Tunnel-Medium-Type” and “[081] Tunnel-Private-Group-ID” check boxes and click “Submit”.

38 3. In the ACS navigation bar click “User Setup”, add the users and assign them to the appropriate groups.
4. In the ACS navigation bar click “Group Setup” and edit the group settings: set “[064] Tunnel-Type” tag 1 to “VLAN”, “[065] Tunnel-Medium-Type” tag 1 to “802”, and “[081] Tunnel-Private-Group-ID” tag 1 to the VLAN ID of the group's users, as shown below:
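What the three group settings above become on the wire, and what the switch must check before moving the port: an added encoder/decoder for the RFC 2868 tagged tunnel attributes (64, 65, 81) in the Access-Accept. This is example code, not ACS or Cisco IOS code; the VLAN number is constructed.

```python
"""Encode and decode the RFC 2868 tunnel attributes that carry an 802.1X
dynamic VLAN assignment: Tunnel-Type(64)=VLAN, Tunnel-Medium-Type(65)=802,
Tunnel-Private-Group-ID(81)=<vlan id>, all sharing one tag (tag 1 on the
slide).  Example code, not ACS/IOS code."""
import struct
from typing import Dict, List, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81
TT_VLAN = 13        # Tunnel-Type value "VLAN"
TM_IEEE_802 = 6     # Tunnel-Medium-Type value "802"

def tagged_int(attr: int, tag: int, value: int) -> bytes:
    # Type, Length=6, Tag, 3-octet big-endian integer
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def tagged_str(attr: int, tag: int, s: str) -> bytes:
    data = s.encode()
    return struct.pack("!BBB", attr, 3 + len(data), tag) + data

def vlan_accept_attrs(vlan_id: int, tag: int = 1) -> bytes:
    """Attribute bytes the ACS group settings on the slide produce."""
    return (tagged_int(TUNNEL_TYPE, tag, TT_VLAN)
            + tagged_int(TUNNEL_MEDIUM, tag, TM_IEEE_802)
            + tagged_str(TUNNEL_PGID, tag, str(vlan_id)))

def parse_attrs(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute list into (type, value) pairs, checking lengths."""
    out, i = [], 0
    while i < len(buf):
        if i + 2 > len(buf):
            raise ValueError("truncated attribute header")
        t, ln = buf[i], buf[i + 1]
        if ln < 2 or i + ln > len(buf):
            raise ValueError(f"bad length {ln} for attribute {t}")
        out.append((t, buf[i + 2:i + ln]))
        i += ln
    return out

def vlan_from_accept(buf: bytes) -> int:
    """Return the VLAN ID only if all three attributes agree on one tag."""
    by_tag: Dict[int, dict] = {}
    for t, v in parse_attrs(buf):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM):
            if len(v) != 4:
                raise ValueError(f"attribute {t} must be tag + 3 octets")
            by_tag.setdefault(v[0], {})[t] = int.from_bytes(v[1:4], "big")
        elif t == TUNNEL_PGID:
            # RFC 2868: a first octet above 0x1F is part of the string, not a tag
            tag, s = (v[0], v[1:]) if v[0] <= 0x1F else (0, v)
            by_tag.setdefault(tag, {})[t] = s.decode()
    for a in by_tag.values():
        if (a.get(TUNNEL_TYPE) == TT_VLAN and a.get(TUNNEL_MEDIUM) == TM_IEEE_802
                and str(a.get(TUNNEL_PGID, "")).isdigit()):
            vid = int(a[TUNNEL_PGID])
            if 1 <= vid <= 4094:
                return vid
    raise ValueError("no consistent VLAN assignment in Access-Accept")

if __name__ == "__main__":
    accept = vlan_accept_attrs(20)          # constructed VLAN 20
    print(accept.hex(), "->", vlan_from_accept(accept))
```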

39 5. In the ACS navigation bar click “System Configuration” and clear the “Allow LEAP (For Aironet only)” check box, as shown below:

40 Step 5: test
The Windows operating systems that currently support 802.1x authentication are Windows 2000 SP4, Windows XP and Windows Server 2003. Before connecting the PC to the switch port, set the 802.1x authentication method of “Local Area Connection” to “MD5-Challenge”, as shown below:

41 Step 5: test (continued)
Next, connect the PC to the switch. Shortly afterwards a balloon appears on the taskbar asking for a username and password, as shown below:
After clicking the message, the user enters the account and password in the dialog box below. If they are correct, the show vlan command on the switch shows that the port has been assigned to the user's VLAN.

42 Authentication, Authorization, and Accounting
PIX----AAA Authentication, Authorization, and Accounting

43 Authentication, Authorization, and Accounting
Authentication: who you are; can exist without authorization
Authorization: what you can do; requires authentication
Accounting: what you did

44 What the User Sees
[Figure: the login prompts a user meets with each protocol]
Telnet: the PIX Firewall prompts Username: smith / Password: 2bon2b
HTTP: the PIX Firewall prompts Username: smith / Password: 2bon2b, then the web server prompts Username: alex / Password: v1v10k4
FTP: the PIX Firewall prompts Username: / Password:

45 Cut-Through Proxy Operation
1. The user makes a request to access the web server.
2. The user is prompted by the PIX Firewall.
3. The PIX Firewall queries CSACS for the remote username and password.
4. If CSACS authenticates, the user is “cut-through” the PIX Firewall, and the local username and password are passed to the web server to authenticate.

46 Installation of CSACS for Windows NT

47 Installation Wizard

48 Basic Configuration
Authenticate users using: TACACS+ (Cisco) or RADIUS (Cisco)
Access server name: enter the PIX Firewall name
Access server IP address: enter the PIX Firewall IP address
Windows NT server IP address: enter the AAA server IP address
TACACS+ or RADIUS key: enter a secret key; it must be the same in the PIX Firewall

49 Authentication Configuration

50 Specify AAA Servers
pixfirewall(config)# aaa-server group_tag protocol auth_protocol   Assigns a TACACS+ or RADIUS protocol to a group tag.
pixfirewall(config)# aaa-server group_tag (if_name) host server_ip key timeout seconds   Identifies the AAA server for a given group tag.
pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host secretkey timeout 10

51 Enable Authentication
pixfirewall(config)# aaa authentication include|exclude authen_service inbound|outbound|if_name local_ip local_mask foreign_ip foreign_mask group_tag   Defines traffic to be authenticated
authen_service = any, ftp, http, or telnet (any = all TCP traffic)
pixfirewall(config)# aaa authentication include any inbound MYTACACS
pixfirewall(config)# aaa authentication include telnet outbound MYTACACS
pixfirewall(config)# aaa authentication include ftp dmz MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound MYTACACS

52 aaa authentication Example
pixfirewall(config)# nat (inside)
pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS
pixfirewall(config)# aaa authentication exclude any outbound MYTACACS
IP addresses through can originate outbound connections, but users must be authenticated. Host is allowed to start outbound connections without being authenticated.
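An added evaluator (not PIX code) for include/exclude statements like the two above: a matching exclude exempts the flow, otherwise the first matching include names the server group that must authenticate it. The excluded host address is constructed because the slide's was not preserved.

```python
"""Evaluate PIX 'aaa authentication include|exclude' statements as the slide's
example describes: exclude wins over include for a matching flow.  Example
code, not PIX code; the addresses in SAMPLE_RULES are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SERVICE_PORTS = {"ftp": 21, "http": 80, "telnet": 23}   # 'any' = all TCP

@dataclass(frozen=True)
class AaaRule:
    action: str                          # include | exclude
    service: str                         # any | ftp | http | telnet
    direction: str                       # inbound | outbound
    local: ipaddress.IPv4Network
    foreign: ipaddress.IPv4Network
    group_tag: str

def _net(ip: str, mask: str) -> ipaddress.IPv4Network:
    # PIX accepts the shorthand '0' for 0.0.0.0 in both address and mask
    ip = "0.0.0.0" if ip == "0" else ip
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def parse_rule(cmd: str) -> AaaRule:
    """Parse 'aaa authentication include any outbound 0 0 [0 0] MYTACACS'."""
    tok = cmd.split()
    if tok[:2] != ["aaa", "authentication"] or tok[2] not in ("include", "exclude"):
        raise ValueError(f"not an aaa authentication rule: {cmd}")
    addrs, tag = tok[5:-1], tok[-1]
    if len(addrs) not in (2, 4):
        raise ValueError(f"expected local [foreign] ip/mask pairs: {cmd}")
    local = _net(addrs[0], addrs[1])
    foreign = _net(addrs[2], addrs[3]) if len(addrs) == 4 else _net("0", "0")
    return AaaRule(tok[2], tok[3], tok[4], local, foreign, tag)

def needs_auth(rules: List[AaaRule], direction: str, proto: str, dport: int,
               local_ip: str, foreign_ip: str) -> Optional[str]:
    """Group tag that must authenticate the flow, or None if no login is required."""
    def matches(r: AaaRule) -> bool:
        if r.direction != direction or proto != "tcp":   # these services are TCP only
            return False
        if r.service != "any" and SERVICE_PORTS.get(r.service) != dport:
            return False
        return (ipaddress.ip_address(local_ip) in r.local
                and ipaddress.ip_address(foreign_ip) in r.foreign)
    if any(matches(r) for r in rules if r.action == "exclude"):
        return None                                       # exclude wins
    for r in rules:
        if r.action == "include" and matches(r):
            return r.group_tag
    return None

# Constructed rule set: the slide's include plus an exclude for one inside host
SAMPLE_RULES = [
    "aaa authentication include any outbound 0 0 MYTACACS",
    "aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 MYTACACS",
]

if __name__ == "__main__":
    rules = [parse_rule(c) for c in SAMPLE_RULES]
    print(needs_auth(rules, "outbound", "tcp", 80, "10.0.0.5", "172.26.26.50"))
    print(needs_auth(rules, "outbound", "tcp", 80, "10.0.0.42", "172.26.26.50"))
```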

53 How to Add Users to CSACS-NT

54 Authentication of Non-Telnet, FTP, or HTTP Traffic
Option 1: Authenticate first by accessing a Telnet, FTP, or HTTP server before accessing other services.
Option 2: Authenticate to the PIX Firewall virtual Telnet service before accessing other services.

55 Virtual Telnet Example
pixfirewall(config)# virtual telnet
pixfirewall(config)# aaa-server MYTACACS protocol tacacs+
pixfirewall(config)# aaa-server MYTACACS (inside) host secretkey
pixfirewall(config)# aaa authentication include any outbound MYTACACS
1. The user telnets to the virtual Telnet address:
C:\> telnet
LOGIN Authentication
Username: aaauser
Password: aaapass
Authentication Successful
2. The PIX Firewall passes the username and password to the AAA server at for authentication.
3. If the AAA server verifies that the username and password are correct, the PIX Firewall caches the user’s authentication credentials for the duration of the uauth timeout.
4. The user is able to connect to the “Superserver” (backbone, web, FTP, and TFTP server) on port 139 using the run command (\\Superserver) without being required to re-authenticate.

56 Configuration of Virtual Telnet Authentication
pixfirewall(config)# virtual telnet ip_address   Enables access to the PIX Firewall’s virtual server. The IP address must be an unused global address. If the connection is started on either the outside or a perimeter interface, a static and access-list command pair must be configured for the fictitious address.
pixfirewall(config)# virtual telnet

57 Virtual HTTP
Virtual HTTP solves the problem of HTTP requests failing when web servers require credentials that differ from those required by the PIX Firewall’s AAA server. When virtual HTTP is enabled, it redirects the browser to authenticate first to a virtual web server on the PIX Firewall. After authentication, the PIX Firewall forwards the web request to the intended web server. Virtual HTTP is transparent to the user.

58 Configuration of Virtual HTTP Authentication
pixfirewall(config)# virtual http ip_address [warn]   Enables access to the PIX Firewall’s virtual server. For inbound clients, the IP address must be an unused global address. If the connection is started on either the outside or a perimeter interface, a static and access-list command pair must be configured for the fictitious address.
pixfirewall(config)# virtual http

59 Authentication of Console Access
pixfirewall(config)# aaa authentication [serial | enable | telnet | ssh | http] console group_tag   Defines a console access method that requires authentication.
pixfirewall(config)# aaa authentication serial console MYTACACS
pixfirewall(config)# aaa authentication enable console MYTACACS
pixfirewall(config)# aaa authentication telnet console MYTACACS
pixfirewall(config)# aaa authentication ssh console MYTACACS
pixfirewall(config)# aaa authentication http console MYTACACS

60 How to Change the Authentication Timeouts
pixfirewall(config)# timeout uauth hh:mm:ss [absolute|inactivity]   Sets the time interval before users will be required to reauthenticate
Absolute: time interval starts at user login
Inactivity: time interval for inactive sessions (no traffic)
pixfirewall(config)# timeout uauth 3:00:00 absolute
pixfirewall(config)# timeout uauth 0:30:00 inactivity
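A model of the uauth credential cache with the two timeouts above, added as example code (not PIX code). Entries are keyed by source IP because that is what cut-through proxy caches, which is why a shared address inherits the authenticated state until one of the timers expires; the user names and times are constructed.

```python
"""Model of the PIX uauth cache: an entry is created at login, a hit refreshes
only the inactivity timer, and the entry is dropped when either the absolute
timer (from login) or the inactivity timer (from last traffic) has run out.
Example code, not PIX code.  Times are integer seconds."""
from dataclasses import dataclass, field
from typing import Dict, Optional

def parse_hms(s: str) -> int:
    """'3:00:00' -> 10800 seconds, the format used by 'timeout uauth'."""
    h, m, sec = (int(x) for x in s.split(":"))
    return h * 3600 + m * 60 + sec

@dataclass
class UauthEntry:
    user: str
    login_at: int
    last_seen: int

@dataclass
class UauthCache:
    absolute: int = parse_hms("3:00:00")     # timeout uauth 3:00:00 absolute
    inactivity: int = parse_hms("0:30:00")   # timeout uauth 0:30:00 inactivity
    entries: Dict[str, UauthEntry] = field(default_factory=dict)

    def authenticated(self, ip: str, user: str, now: int) -> None:
        """Record a successful AAA login for the client's source address."""
        if self.absolute == 0:                # uauth 0 = no caching at all
            return
        self.entries[ip] = UauthEntry(user, now, now)

    def lookup(self, ip: str, now: int) -> Optional[str]:
        """Return the cached user for a new flow from ip, or None if the
        client must re-authenticate (entry missing or a timer expired)."""
        e = self.entries.get(ip)
        if e is None:
            return None
        if (now - e.login_at >= self.absolute
                or (self.inactivity and now - e.last_seen >= self.inactivity)):
            del self.entries[ip]
            return None
        e.last_seen = now                     # traffic restarts the inactivity timer
        return e.user

if __name__ == "__main__":
    c = UauthCache()
    c.authenticated("10.0.0.5", "aaauser", 0)     # constructed client and user
    print(c.lookup("10.0.0.5", 1000), c.lookup("10.0.0.5", 1000 + 1800))
```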

61 How to Change the Authentication Prompts
pixfirewall(config)# auth-prompt [accept | reject | prompt] string   Defines the prompt users see when authenticating, and the message users get when they successfully or unsuccessfully authenticate. By default, only the username and password prompts are seen.
pixfirewall(config)# auth-prompt prompt Please Authenticate to the Firewall
pixfirewall(config)# auth-prompt reject Authentication Failed, Try Again
pixfirewall(config)# auth-prompt accept You’ve been Authenticated

62 Authorization Configuration

63 Enable Authorization
pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag   Defines traffic that requires AAA server authorization
author_service = any, ftp, http, or telnet (any = all TCP traffic)
pixfirewall(config)# aaa authorization include ftp outbound MYTACACS
pixfirewall(config)# aaa authorization exclude ftp outbound MYTACACS

64 Authorization Rules Allowing Specific Services
1. Select Per Group Command Authorization.
2. Select Deny.
3. Select Command.
4. Enter the allowable service.
5. Leave this blank.
6. Select Permit.
7. Click Submit to add more rules.
8. Click Submit + Restart when finished.

65 Authorization Rules Allowing Services Only to Specific Hosts
1. Select Per Group Command Authorization.
2. Select Deny.
3. Select Command.
4. Enter the allowable service.
5. Enter the allowable destination hosts.
6. Select Deny.
7. Click Submit to add more rules.
8. Click Submit + Restart when finished.

66 Authorization of Non-Telnet, FTP, or HTTP Traffic
pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
author_service = protocol or port
protocol: tcp (6), udp (17), icmp (1), or others (protocol #)
port: single port (e.g., 53), port range (e.g., ), or port 0 (all ports); ICMP message type (8 = echo request, 0 = echo reply); port is not used for protocols other than TCP, UDP, or ICMP
pixfirewall(config)# aaa authorization include udp/0 inbound MYTACACS
pixfirewall(config)# aaa authorization include tcp/ outbound MYTACACS
pixfirewall(config)# aaa authorization include icmp/8 outbound MYTACACS

67 Authorization of Non-Telnet, FTP, or HTTP Traffic on CSACS-NT
1. Select Per Group Command Authorization.
2. Select Deny.
3. Select Command.
4. Enter the allowable service.
5. Leave this blank.
6. Select Permit.
7. Click Submit to add more rules.
8. Click Submit + Restart when finished.

68 Downloadable ACLs

69 Downloadable ACLs
1. The HTTP request to is intercepted by the PIX Firewall.
2. Authentication request to the AAA server.
3. Authentication response containing the ACL name from the AAA server.
4. The PIX Firewall checks to see if the user’s ACL is already present.
5. Request from the PIX Firewall to the AAA server for the user’s ACL.
6. The ACL is sent to the PIX Firewall.
7. The HTTP request is forwarded to

70 Configuring Downloadable ACLs in ACS
Shared Profile Components is a new category in ACS 3.0. The user can set up an ACL template and assign the template name to specific users; the same template name can be used for multiple users. This is useful compared with the AV-pair method, where each ACL line has to be defined in every user profile.

71 Assigning the ACL to the User

72 Accounting Configuration

73 Enable Accounting
pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag   Defines traffic that requires AAA server accounting
acctg_service = any, ftp, http, or telnet (any = all TCP traffic)
pixfirewall(config)# aaa accounting include any outbound MYTACACS
pixfirewall(config)# aaa accounting exclude any outbound MYTACACS

74 aaa match acl_name Option
pixfirewall(config)# aaa authentication | authorization | accounting match acl_name inbound | outbound | interface_name group_tag   Enables TACACS+ or RADIUS user authentication, authorization, and accounting of traffic specified in an access list.
pixfirewall(config)# access-list mylist permit tcp
pixfirewall(config)# aaa authentication match mylist outbound MYTACACS
All TCP traffic from to is permitted, but users must be authenticated.

75 How to View Accounting Information in CSACS-NT

76 Accounting of Non-Telnet, FTP, or HTTP Traffic
pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
acctg_service = protocol or port
protocol: tcp (6), udp (17), or others (protocol #)
port: single port (e.g., 53), port range (e.g., 2000–2050), or port 0 (all ports); port is not used for protocols other than TCP or UDP
pixfirewall(config)# aaa accounting include udp/53 inbound MYTACACS
pixfirewall(config)# aaa accounting include udp/ outbound MYTACACS

77 Troubleshooting the AAA Configuration

78 show Commands
pixfirewall(config)# show aaa-server
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host secretkey timeout 5
pixfirewall(config)# show aaa [authentication | authorization | accounting]
pixfirewall(config)# show aaa
aaa authentication any outbound MYTACACS
aaa authentication telnet console MYTACACS
aaa authorization telnet outbound MYTACACS
aaa accounting any outbound MYTACACS

79 show Commands (cont.)
pixfirewall(config)# show auth-prompt [prompt | accept | reject]
pixfirewall(config)# show auth-prompt
auth-prompt prompt prompt Authenticate to the Firewall
auth-prompt prompt accept You’ve been Authenticated
auth-prompt prompt reject Authentication Failed
pixfirewall(config)# show timeout uauth
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity
pixfirewall(config)# show virtual [http | telnet]
pixfirewall(config)# show virtual
virtual http
virtual telnet

80 Summary This section covers configuration of the fundamental outbound PIX features. Not all features are covered here. The PIX command-line interface makes the features relatively easy to configure. All of the commands are covered in the PIX Firewall Command Reference.

81 Summary
Authentication is who you are, authorization is what you can do, and accounting is what you did.
The PIX Firewall supports the following AAA protocols: TACACS+ and RADIUS.
Users are authenticated with Telnet, FTP, or HTTP by the PIX Firewall.
Cut-through proxy technology allows users through the PIX Firewall after authenticating.
Two steps must be taken to enable AAA: configure AAA on the PIX Firewall, and install and configure CSACS on a server.
Downloadable ACLs enable you to enter an ACL once, in CSACS, and then load that ACL to any number of PIX Firewalls during user authentication.

82 Lab Exercise

83 Lab Visual Objective
[Lab topology figure: Pods 1–5 and Pods 6–10. Each pod has a PIX Firewall, a bastion host (Web/FTP), a Web/FTP and CSACS server, and a student PC; the inside networks are 10.0.P.0 and 10.0.Q.0 with the student PCs at local 10.0.P.11 / 10.0.Q.11 and remote 10.1.P.11 / 10.1.Q.11, and the shared Web/FTP server (.50) is on 172.26.26.0 behind RBB.]

