Cut-through proxy authentication provides an added layer of security and a central point to manage access-lists, the ACS in this case.
First, create a "downloadable IP ACL" within the ACS framework:
Shared Profile Components -> Downloadable IP ACLs -> Add (ACL and ACEs)
Next, associate this ACL with an ACS user or group. Note that you might have to modify "Interface Configuration" and "Advanced Options" to make "downloadable ACLs" appear in the user definition pages.
Now, on the ASA:
First create an access-list to define interesting traffic:
access-list redzone permit tcp any any eq telnet
Next permit access to either the appliance's virtual telnet addresses or at least one inside target host via telnet in the access-list applied on the outside interface:
access-list outside_in permit tcp any host 10.35.0.252 eq telnet
Next, configure AAA authentication:
aaa authentication match redzone outside myRadiusServer
Note that the RADIUS server group referenced above must also be defined (the group name must match exactly on both lines):
aaa-server myRadiusServer protocol radius
aaa-server myRadiusServer (outside) host H.O.S.T key secret
You can also let users authenticate directly to the appliance through a virtual telnet address:
virtual telnet h.0.s.t
Remember to allow telnet access to this virtual telnet IP address via the outside_in access-list.
Once the user is authenticated, you can verify by:
show uauth
show access-lists
You will see the temporary ACL in the output of the show command. Note that no "authorization" configuration was necessary when using RADIUS (contrast with the post that describes TACACS+ authentication and authorization).
Monday, December 20, 2010
Friday, December 17, 2010
Smart filtering with SNMP v3
SNMP version 3 provides the wonderful benefits of strong authentication, privacy and tight control of what information you allow the device to reveal. With Cisco IOS 12.4T, the configuration tasks are quite simple:
First, define a "view" thusly:
snmp-server view NOC interfaces included
You can exclude specific interfaces. For example, "26" represents "Gi0/0.500" interface and you want to exclude it entirely:
snmp-server view NOC ifEntry.*.26 excluded
Note the "*", which is a wildcard that excludes all elements for ifIndex 26. This can of course be more specific to limit exactly the elements you choose to hide. Or you can be very specific and allow access to certain interfaces only.
Next, configure a SNMP group:
snmp-server group NOC v3 auth read NOC
Finally configure the user:
snmp-server user noc NOC v3 auth md5 soeasytosee
Or you can take it a step further and enable privacy with DES as follows:
snmp-server user noc NOC v3 auth md5 soeasytosee priv des hidemeplease
You can test with "snmpwalk":
snmpwalk -v3 -a MD5 -A soeasytosee -u noc -l authNoPriv host.ip.address
When privacy is enabled:
snmpwalk -v3 -u noc -a MD5 -A soeasytosee -x DES -X hidemeplease -l authPriv host.ip.address
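To see exactly what the "*" wildcard in the view hides, here is an added example (not from the original post) that evaluates view entries with the VACM family/mask rule from RFC 3415, which is the behaviour behind an IOS "snmp-server view" line; the name-to-OID resolutions for "interfaces" and "ifEntry" are standard MIB-2 values assumed here.

```python
# Added example: evaluate IOS-style SNMPv3 view entries with VACM semantics.
# Assumed resolutions of the symbolic names used in the post (MIB-2).
OID_NAMES = {
    "interfaces": "1.3.6.1.2.1.2",
    "ifEntry": "1.3.6.1.2.1.2.2.1",
}


def parse_view_line(line):
    """'snmp-server view NAME SUBTREE included|excluded' ->
    (name, subtree as list of ints, included). A '*' becomes None,
    i.e. a wildcard sub-identifier (a 0 bit in the VACM family mask)."""
    parts = line.split()
    if parts[:2] != ["snmp-server", "view"] or len(parts) != 5:
        raise ValueError("not a view line: " + line)
    name, subtree, mode = parts[2], parts[3], parts[4]
    head, _, rest = subtree.partition(".")
    full = OID_NAMES.get(head, head) + ("." + rest if rest else "")
    oid = [None if s == "*" else int(s) for s in full.split(".")]
    return name, oid, mode == "included"


def family_matches(subtree, oid):
    """OID belongs to the family if it is at least as long as the subtree
    and agrees with every non-wildcard sub-identifier."""
    if len(oid) < len(subtree):
        return False
    return all(s is None or s == o for s, o in zip(subtree, oid))


def in_view(view_lines, view_name, oid_str):
    """True if oid_str is visible through view_name. When several entries
    match, the longest subtree wins (then the lexicographically greatest),
    so 'ifEntry.*.26 excluded' overrides 'interfaces included'."""
    oid = [int(s) for s in oid_str.split(".")]
    best = None
    for line in view_lines:
        name, subtree, included = parse_view_line(line)
        if name != view_name or not family_matches(subtree, oid):
            continue
        key = (len(subtree), [-1 if s is None else s for s in subtree])
        if best is None or key > best[0]:
            best = (key, included)
    return best is not None and best[1]


# The view from the post, as constructed input.
NOC_VIEW = [
    "snmp-server view NOC interfaces included",
    "snmp-server view NOC ifEntry.*.26 excluded",
]
```

With NOC_VIEW, ifDescr.1 (1.3.6.1.2.1.2.2.1.2.1) is visible, ifDescr.26 is hidden, and anything outside the interfaces subtree, such as sysDescr.0, is not in the view at all.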
Tuesday, December 14, 2010
ASA: AAA authorization with TACACS+
I have to admit, this was a tricky one! I have scoured the web for some time now in an effort to accomplish AAA authorization, but using TACACS. While "downloadable ACLs" with RADIUS accomplish this and more relatively easily, getting TACACS to authorize is a bit more obscure.
access-list redzone permit tcp any 10.35.0.0 255.255.255.0 eq telnet
access-list redzone permit tcp any 10.35.0.0 255.255.255.0 eq http
aaa-server taca1 protocol tacacs
aaa-server taca1 (outside) host 172.30.3.100
key xxxx
aaa authentication match redzone outside taca1
aaa authorization match redzone outside taca1
Now for the interesting part:
On the ACS server, create a user and assign a "shell command authorization set" which specifies, for example here:
command: telnet
arg: permit 10.35.0.100
command: http
arg: permit 10.35.0.100
Please make sure you use the regular "shell command authorization set" and not the PIX/IOS set.
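Both the RADIUS post above and this TACACS+ post hinge on a handful of names lining up: the ACL in "aaa ... match", the aaa-server group on the "protocol" and "host" lines, and the virtual telnet address in the outside ACL. Here is an added consistency check (example code, not from the original posts) over an ASA configuration snippet; the sample configuration is constructed and the host address in it is a placeholder.

```python
import re

# Added example: cross-check the names an ASA cut-through proxy config relies on.
def check_aaa_config(config_text):
    groups, acls, findings = set(), {}, []
    virtual_telnet, matches, host_lines = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        w = line.split()
        if not w:
            continue
        if w[0] == "access-list" and len(w) > 1:
            acls.setdefault(w[1], []).append(line)
        elif w[0] == "aaa-server" and "protocol" in w:
            groups.add(w[1])                      # defines the group name
        elif w[0] == "aaa-server" and "host" in w:
            host_lines.append(w[1])               # must reference a defined group
        elif w[0] == "aaa" and len(w) >= 6 and w[2] == "match":
            matches.append((w[1], w[3], w[5]))    # (kind, acl, group)
        elif w[:2] == ["virtual", "telnet"] and len(w) == 3:
            virtual_telnet.append(w[2])
    for name in host_lines:
        if name not in groups:
            findings.append(f"aaa-server host line uses undefined group '{name}'")
    for kind, acl, group in matches:
        if acl not in acls:
            findings.append(f"aaa {kind} references undefined ACL '{acl}'")
        if group not in groups:
            findings.append(f"aaa {kind} references undefined aaa-server group '{group}'")
    for ip in virtual_telnet:
        # The virtual telnet address is only reachable if some ACL permits it on telnet.
        permitted = any(
            re.search(rf"\bpermit\b.*\bhost {re.escape(ip)}\b.*\beq telnet\b", l)
            for lines in acls.values() for l in lines)
        if not permitted:
            findings.append(f"virtual telnet {ip} is not permitted by any access-list")
    return findings


# Constructed sample: the RADIUS configuration with a misspelled group name on
# the "protocol" line, so the "host" line and the "match" line both dangle.
SAMPLE = """
access-list redzone permit tcp any any eq telnet
access-list outside_in permit tcp any host 10.35.0.252 eq telnet
aaa authentication match redzone outside myRadiusServer
aaa-server myRaidiusServer protocol radius
aaa-server myRadiusServer (outside) host 192.0.2.10 key secret
virtual telnet 10.35.0.252
"""
```

Running check_aaa_config(SAMPLE) reports two findings, both pointing at the misspelled group; correcting the "protocol" line makes it return an empty list.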
Monday, December 6, 2010
ASA's address in traceroute
Have you wondered how you'd go about making the firewall show up in a traceroute command?
R1#trace 172.30.3.53
Type escape sequence to abort.
Tracing the route to 172.30.3.53
  1 fa-0-1-r5 (10.4.1.1) 4 msec * 0 msec
  2 * fa-0-0-r5 (10.7.1.2) 4 msec *
  3 10.25.4.1 0 msec * 0 msec
  4 * 150.10.1.254 0 msec *
  5 172.30.3.53 0 msec * 0 msec
On the ASA or PIX:
policy-map global_policy
 class class-default
  set connection decrement-ttl
After modifying "global_policy" on the ASA or PIX, the firewall shows up as its own hop:
R1#trace 172.30.3.53
Type escape sequence to abort.
Tracing the route to 172.30.3.53
  1 fa-0-1-r5 (10.4.1.1) 0 msec * 0 msec
  2 * fa-0-0-r5 (10.7.1.2) 0 msec *
  3 10.25.4.1 0 msec * 0 msec
  4 * * 150.10.1.1 0 msec
  5 * 150.10.1.254 0 msec *
  6 172.30.3.53 0 msec * 0 msec