Step 1: Create a AAA server group, if none already exists, and configure how servers in the group are accessed (protocol, port, and how to determine if a server is failing communication).
Step 2: Populate the server group with member servers. Define the location of each server and assign a symmetric password, which will be used to encrypt the communication session (or portions thereof, depending on the protocol used) between the ASA and the remote AAA server. This same password must be configured on the server when defining the ASA as a AAA client.
Step 3: Enable user authentication for each remote management access channel (the consoles). Define which authentication server group will be used for each console upon which AAA authentication is enabled (note that you define a group here, not a specific server).
For this scenario, we configured the ASA to authenticate the login info of the user "John" via TACACS+ protocol to the ACS (Access Control Server) before providing access to the firewall.
configure mode commands/options:
enable Enable
exclude Exclude the service, local and foreign network which
needs to be authenticated, authorized, and accounted
http HTTP
include Include the service, local and foreign network which
needs to be authenticated, authorized, and accounted
listener Configure an HTTP or HTTPS authentication listener
match Specify this keyword to configure an ACL to match
secure-http-client Specify this keyword to ensure HTTP client authentication
is secured (over SSL)
serial Serial
ssh SSH
telnet Telnet
FIREWALL(config)# aaa authentication enable ?
configure mode commands/options:
console Specify this keyword to identify a server group for administrative
authentication
FIREWALL(config)# aaa authentication enable console ?
configure mode commands/options:
LOCAL Predefined server tag for AAA protocol 'local'
WORD Name of RADIUS or TACACS+ aaa-server group for administrative
authentication
FIREWALL(config)# aaa authentication enable console TEST-TACACS
FIREWALL(config)# aaa-server ?
configure mode commands/options:
WORD < 17 char Enter a AAA server group tag
exec mode commands/options:
WORD < 17 char Enter a AAA server group tag
FIREWALL(config)# aaa-server TEST-TACACS ?
configure mode commands/options:
( Open parenthesis for the name of the network interface
where the designated AAA server is accessed
deadtime Specify the amount of time that will elapse between the
disabling of the last server in the group and the
subsequent re-enabling of all servers
host Enter this keyword to specify the IP address for the
server
max-failed-attempts Specify the maximum number of failures that will be
allowed for any server in the group before that server
is deactivated
protocol Enter the protocol for a AAA server group
exec mode commands/options:
active transition a FAILED AAA server to ACTIVE
fail transition an ACTIVE AAA server to FAILED
FIREWALL(config)# aaa-server TEST-TACACS protocol ?
configure mode commands/options:
http-form Protocol HTTP form-based
kerberos Protocol Kerberos
ldap Protocol LDAP
nt Protocol NT
radius Protocol RADIUS
sdi Protocol SDI
tacacs+ Protocol TACACS+
FIREWALL(config)# aaa-server TEST-TACACS protocol tacacs+
FIREWALL(config-aaa-server-group)# ?
AAA server configuration commands:
accounting-mode Enter this keyword to specify accounting mode
exit Exit from aaa-server group configuration mode
help Help for AAA server configuration commands
max-failed-attempts Specify the maximum number of failures that will be
allowed for any server in the group before that server
is deactivated
no Remove an item from aaa-server group configuration
reactivation-mode Specify the method by which failed servers are
reactivated
FIREWALL(config-aaa-server-group)# max-failed-attempts ?
aaa-server-group mode commands/options:
<1-5> Maximum number of failures (1-5)
FIREWALL(config-aaa-server-group)# max-failed-attempts 3
FIREWALL(config-aaa-server-group)# exit
FIREWALL(config)# aaa-server TEST-TACACS (inside) ?
configure mode commands/options:
host Enter this keyword to specify the IP address for the server
FIREWALL(config)# aaa-server TEST-TACACS (inside) host 10.1.1.20 ?
configure mode commands/options:
WORD Alphanumeric keyword up to 128 characters used as the encryption key
for communicating with the AAA server.
timeout Specify the maximum time to wait for response from configured server
<cr>
FIREWALL(config)# aaa-server TEST-TACACS (inside) host 10.1.1.20 cisco123
FIREWALL(config)# test ?
exec mode commands/options:
aaa-server Test aaa-server configuration
dynamic-access-policy-record Test DAP posture assesment.
regex Test a regular expression
sso-server Test sso-server configuration
FIREWALL(config)# test aaa-server ?
exec mode commands/options:
ad-agent Test connectivity to the AD agent server
authentication Test connectivity to the authentication server
authorization Test connectivity to the authorization server
FIREWALL(config)# test aaa-server authentication ?
exec mode commands/options:
WORD < 17 char Enter a AAA server group tag
FIREWALL(config)# test aaa-server authentication TEST-TACACS ?
exec mode commands/options:
delegate Test Kerberos constrained delegation
host Enter this keyword to specify the IP address for the server
impersonate Test Kerberos protocol transition
password Password keyword
self Test Kerberos self-ticket retrieval
username Username keyword
<cr>
FIREWALL(config)# test aaa-server authentication TEST-TACACS username ?
exec mode commands/options:
WORD Enter the username
FIREWALL(config)# test aaa-server authentication TEST-TACACS username John ?
exec mode commands/options:
delegate Test Kerberos constrained delegation
impersonate Test Kerberos protocol transition
password Password keyword
<cr>
FIREWALL(config)# test aaa-server authentication TEST-TACACS username John password cisco123
Server IP Address or name: 10.1.1.20
INFO: Attempting Authentication test to IP address <10.1.1.20> (timeout: 12 seconds)
INFO: Authentication Successful
FIREWALL(config)# show aaa-server TEST-TACACS
Server Group: TEST-TACACS
Server Protocol: tacacs+
Server Address: 10.1.1.20
Server port: 49
Server status: ACTIVE, Last transaction at 17:56:06 UTC Mon Jul 1 2013
Number of pending requests 0
Average round trip time 18ms
Number of authentication requests 27
Number of authorization requests 0
Number of accounting requests 0
Number of retransmissions 0
Number of accepts 3
Number of rejects 24
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 0
Number of unrecognized responses 0
Below are the configuration screenshots for the ACS/TACACS+ server:
No comments:
Post a Comment