Monday, December 20, 2010

ASA/PIX: Cut-thru authentication/authorization with RADIUS

Cut-thru authentication provides an added layer of security and a central point to manage access-lists, the ACS in this case.

First, create a "downloadable IP ACL" within the ACS framework.
Shared Profile Components -> Downloadable IP ACLs -> Add (ACL and ACEs)

Next, associate this ACL with an ACS user or group. Note that you might have to modify "Interface Configuration" and "Advanced Options" to make "downloadable ACLs" appear in the user definition pages.

Now, on the ASA:

First create an access-list to define interesting traffic:
access-list redzone permit tcp any any eq telnet

Next permit access to either the appliance's virtual telnet addresses or at least one inside target host via telnet in the access-list applied on the outside interface:
access-list outside_in permit tcp any host 10.35.0.252 eq telnet

Next, configure AAA authentication:
aaa authentication match redzone outside myRadiusServer

Note that the RADIUS server group referenced by the authentication command must also be defined (the group name must match exactly):
aaa-server myRadiusServer protocol radius
aaa-server myRadiusServer (outside) host H.O.S.T key secret

You can also let users authenticate directly to the appliance through a virtual telnet address (useful when the interesting traffic is not itself telnet, HTTP or FTP):
virtual telnet h.0.s.t

Remember to allow telnet access to this virtual telnet IP address via the outside_in access-list.

Once the user is authenticated, you can verify by:
show uauth
show access-lists

You will see the temporary, per-user ACL in the output of the show command. Note that no "authorization" configuration was necessary when using RADIUS (contrast with the post that describes TACACS+ authentication and authorization).
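The pieces above assembled into one ordered ASA configuration, as an added example that is not part of the original post. Interface names, the virtual telnet address, the server address and the shared key are placeholders; the redzone/outside_in names and the 10.35.0.252 target are taken from the post, and the uauth timeout is an assumption added for completeness.

```cisco
! --- RADIUS server group (name must match the aaa authentication command exactly) ---
aaa-server myRadiusServer protocol radius
aaa-server myRadiusServer (outside) host 192.0.2.10 key S3cr3tKey   ! placeholder host/key

! --- Interesting traffic: which flows force a cut-through authentication ---
access-list redzone extended permit tcp any any eq telnet

! --- Outside interface ACL: the authenticated flow still has to be permitted here ---
! real inside target (from the post)
access-list outside_in extended permit tcp any host 10.35.0.252 eq telnet
! virtual telnet address (placeholder), so users can authenticate before non-telnet traffic
access-list outside_in extended permit tcp any host 198.51.100.5 eq telnet
access-group outside_in in interface outside

! --- Tie interesting traffic on the outside interface to the RADIUS group ---
aaa authentication match redzone outside myRadiusServer

! --- Optional: virtual telnet listener on the appliance (placeholder address) ---
virtual telnet 198.51.100.5

! --- Assumption: bound the lifetime of the cached authentication (5 minutes absolute) ---
timeout uauth 0:05:00 absolute

! --- Verification after a user has logged in ---
! show uauth          -> lists authenticated users and their timeouts
! show access-list    -> the ACS downloadable ACL appears as an extra access-list
!                        (typically under a name prefixed #ACSACL#-IP-) with hit counts
! clear uauth <user>  -> drop one user's cached authentication to re-test
```

Two practical checks: `show access-list` hit counts on the downloaded ACL confirm the ACS-pushed entries are actually being matched rather than the static outside_in lines, and `clear uauth` followed by a fresh telnet lets you confirm the RADIUS exchange end to end without waiting for the uauth timer to expire.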
