Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

184 Chapter 6 Cisco IOS Firewall Authentication and Intrusion Detection

Here’s an even more specific example:

proxyacl#1=permit tcp any any eq www
proxyacl#2=permit tcp any any eq ftp
proxyacl#3=permit tcp any host 192.168.55.3 eq smtp
priv-lvl=15

Combining both of these examples with your past experience with ACLs in the Cisco IOS should help you get the syntax down. Here are a few general rules to keep in mind:

Only use permit statements, no deny statements.

The source address must be set to any. These addresses will be dynamically replaced with actual source addresses in operation.

End each list by setting the privilege level to 15.

At this point, the configuration of the AAA server is complete, but you still have to configure AAA on the router and then configure the Authentication Proxy before you can validate your work here.

Configuring AAA

Now that the CSACS server is configured, let’s move on to configuring the router that will act as the IOS Firewall Authentication Proxy. First, you enable AAA on the router in preparation for configuring the IOS Firewall Authentication Proxy by following these six steps:

1. Enable AAA.

2. Configure the authentication protocol.

3. Configure the authorization protocol.

4. Specify the TACACS+ server and key.

5. Create an ACL to allow AAA traffic to the router.

6. Enable the router’s HTTP server to use AAA.

I’ll go over each of these steps separately while you configure the Lab_B router.

Enabling AAA

First, enable AAA by using the aaa new-model command in global configuration mode:

Lab_B#conf t

Lab_B(config)#aaa new-model

Lab_B(config)#^Z

Lab_B#

The router is now prepared for further AAA configuration. (Remember, if you want to remove AAA from the router, you can use the no aaa new-model command in global configuration mode.)

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Introduction to the Cisco IOS Firewall Authentication Proxy

185

Configuring the Authentication Protocol

Next, enable AAA authentication. You can do this several different ways, and you can also specify multiple methods if you want. Here’s the configuration on the Lab_B router:

Lab_B#conf t
Lab_B(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  attempts         Set the maximum number of authentication attempts
  banner           Message to use when starting login/authentication.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed login/authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username
Lab_B(config)#aaa authentication login ?
  WORD     Named authentication list.
  default  The default authentication list.
Lab_B(config)#aaa authentication login default ?
  enable      Use enable password for authentication.
  group       Use Server-group
  line        Use line password for authentication.
  local       Use local username authentication.
  local-case  Use case-sensitive local username authentication.
  none        NO authentication.
Lab_B(config)#aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
Lab_B(config)#aaa authentication login default group tacacs+
Lab_B(config)#^Z
Lab_B#

In this example, you specified the server-group authentication using a TACACS+ server. If necessary, you could have specified an additional authentication method besides TACACS+.


Configuring the Authorization Protocol

As with the authentication protocol, there are a number of choices available for specifying the authorization protocol for AAA. In this case, specify the authorization for the IOS Firewall Authentication Proxy service, which is reflected in the command syntax. Here’s how the Lab_B router configuration looks now:

Lab_B#conf t
Lab_B(config)#aaa authorization ?
  auth-proxy       For Authentication Proxy Services
  cache            For AAA cache configuration
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  configuration    For downloading configurations from AAA server
  exec             For starting an exec (shell).
  network          For network services. (PPP, SLIP, ARAP)
  reverse-access   For reverse access connections
Lab_B(config)#aaa authorization auth-proxy ?
  default  The default authorization list.
Lab_B(config)#aaa authorization auth-proxy default ?
  group  Use server-group.
Lab_B(config)#aaa authorization auth-proxy default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.
Lab_B(config)#aaa authorization auth-proxy default group tacacs+
Lab_B(config)#^Z
Lab_B#

As with the authentication protocol, you’re using TACACS+, but you could have specified multiple authorization protocols had it been necessary.

Specifying the TACACS+ Server and Key

The router certainly needs a TACACS+ server and server key configured, and you can even configure multiple TACACS+ servers. The IOS Firewall Authentication Proxy will query them in the order you enter them. The no tacacs-server host command removes individual servers from the list. Remember, you’ve designated the CSACS server at 192.168.254.253 in the corporate network example. Here’s the Lab_B router configuration:

Lab_B#conf t


Lab_B(config)#tacacs-server host 192.168.254.253

Lab_B(config)#tacacs-server key todd

Lab_B(config)#^Z

Lab_B#

Creating an ACL to Allow AAA Traffic to the Router

Now you’re going to create an access list that will allow incoming TACACS+ traffic from the CSACS box to the router. You’re also going to permit all ICMP traffic, but deny everything else. Here’s how Lab_B’s output looks now:

Lab_B#conf t

Lab_B(config)#access-list 155 permit tcp host 192.168.254.253 eq tacacs host 172.16.1.254

Lab_B(config)#access-list 155 permit icmp any any

Lab_B(config)#access-list 155 deny ip any any

Lab_B(config)#int fast0/0

Lab_B(config-if)#ip access-group 155 in

Lab_B(config-if)#^Z

Lab_B#

Does it seem as if what you just did totally screwed things up? No worries. Remember, just as with CBAC, this ACL isn’t going to be what it looks like right off the bat. In a second, when you apply the IOS Firewall Authentication Proxy to this interface, all appropriate network traffic will flow, and all will be well. But even so, there are a few important things to keep in mind when creating this ACL. First, the source address in the first line is the CSACS server, so you’ve got to be sure to allow the traffic types that are consistent with the authentication and authorization methods specified earlier (TACACS+ and/or RADIUS). Second, the destination will be the IP address of the router interface closest to the CSACS server. And finally, don’t forget to explicitly deny all other IP traffic!
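The two lists in this section (the CSACS proxyacl entries with their three rules, and the router's inbound ACL with the three reminders just given) share the same permit/deny entry grammar, so one small linter can check both before you commit a configuration. The script below is an added example, not code from the book or from Cisco; it parses only the "any" and "host A.B.C.D" address forms used on these pages, and it assumes the standard AAA ports (TACACS+ on TCP/49, RADIUS on UDP/1645-1646 or 1812-1813) when deciding whether the server's traffic is permitted. The sample inputs are the entries from this section plus one constructed proxyacl that breaks every rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports the AAA server answers from, named as the IOS CLI names them (assumption:
# standard TACACS+ TCP/49 and RADIUS UDP/1645-1646, 1812-1813).
AAA_PORTS = {
    "tacacs": ("tcp", {"tacacs", "49"}),
    "radius": ("udp", {"radius", "1812", "1813", "1645", "1646"}),
}


@dataclass
class Ace:
    action: str              # permit | deny
    proto: str               # ip | tcp | udp | icmp ...
    src: str                 # 'any' or a host address
    src_port: Optional[str]  # value after 'eq', if any
    dst: str
    dst_port: Optional[str]


def parse_ace(text: str) -> Ace:
    """Parse 'permit tcp host 192.168.254.253 eq tacacs host 172.16.1.254'-style entries.

    Only 'any' and 'host A.B.C.D' (optionally followed by 'eq PORT') are understood,
    which is all this section uses; anything else raises instead of being accepted.
    """
    toks = text.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"not a permit/deny entry: {text!r}")
    action, proto, rest = toks[0], toks[1], toks[2:]

    def take_addr(rest: List[str]):
        if rest and rest[0] == "any":
            return "any", rest[1:]
        if len(rest) >= 2 and rest[0] == "host":
            return rest[1], rest[2:]
        raise ValueError(f"unsupported address form in {text!r}")

    def take_port(rest: List[str]):
        if len(rest) >= 2 and rest[0] == "eq":
            return rest[1], rest[2:]
        return None, rest

    src, rest = take_addr(rest)
    src_port, rest = take_port(rest)
    dst, rest = take_addr(rest)
    dst_port, rest = take_port(rest)
    if rest:
        raise ValueError(f"trailing tokens {rest} in {text!r}")
    return Ace(action, proto, src, src_port, dst, dst_port)


def check_proxyacl(attrs: List[str]) -> List[str]:
    """The three proxyacl rules: permit only, source 'any', end with priv-lvl=15."""
    problems = []
    for attr in attrs:
        if not attr.startswith("proxyacl#"):
            continue
        name, entry = attr.split("=", 1)
        ace = parse_ace(entry)
        if ace.action != "permit":
            problems.append(f"{name}: only permit statements are allowed")
        if ace.src != "any":
            problems.append(f"{name}: source must be 'any' (replaced per user at run time)")
    if not attrs or attrs[-1].replace(" ", "") != "priv-lvl=15":
        problems.append("list must end with priv-lvl=15")
    return problems


def check_aaa_acl(lines: List[str], server_ip: str, router_ip: str,
                  methods: List[str]) -> List[str]:
    """The three reminders: permit each AAA method from the CSACS server to the
    near interface, and finish with an explicit 'deny ip any any'."""
    aces = []
    for line in lines:
        m = re.match(r"access-list\s+\d+\s+(.*)", line.strip())
        if not m:
            raise ValueError(f"not an access-list line: {line!r}")
        aces.append(parse_ace(m.group(1)))
    problems = []
    for method in methods:
        proto, ports = AAA_PORTS[method]
        if not any(a.action == "permit" and a.proto == proto and a.src == server_ip
                   and a.src_port in ports and a.dst == router_ip for a in aces):
            problems.append(f"no permit for {method} from {server_ip} to {router_ip}")
    last = aces[-1] if aces else None
    if not (last and last.action == "deny" and last.proto == "ip"
            and last.src == "any" and last.dst == "any"):
        problems.append("list does not end with an explicit 'deny ip any any'")
    return problems


# Sample inputs: the entries from this section, plus one constructed bad proxyacl.
PROXYACL_OK = [
    "proxyacl#1=permit tcp any any eq www",
    "proxyacl#2=permit tcp any any eq ftp",
    "proxyacl#3=permit tcp any host 192.168.55.3 eq smtp",
    "priv-lvl=15",
]
PROXYACL_BAD = [  # constructed: host source, a deny, and no priv-lvl=15
    "proxyacl#1=permit tcp host 10.0.0.5 any eq www",
    "proxyacl#2=deny tcp any any eq ftp",
]
ACL_155 = [
    "access-list 155 permit tcp host 192.168.254.253 eq tacacs host 172.16.1.254",
    "access-list 155 permit icmp any any",
    "access-list 155 deny ip any any",
]

if __name__ == "__main__":
    print(check_proxyacl(PROXYACL_OK))                                              # []
    print(check_proxyacl(PROXYACL_BAD))                                             # 3 problems
    print(check_aaa_acl(ACL_155, "192.168.254.253", "172.16.1.254", ["tacacs"]))    # []
    print(check_aaa_acl(ACL_155, "192.168.254.253", "172.16.1.254", ["tacacs", "radius"]))
```

Running it with both "tacacs" and "radius" as methods reports that ACL 155 has no RADIUS permit, which is exactly the mismatch the first reminder warns about: the ACL must agree with the method lists configured under aaa authentication and aaa authorization, or the Authentication Proxy will never hear back from the server.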

Enabling the Router’s HTTP Server to Use AAA

You’ve enabled the HTTP server on the router and told it to use AAA for authentication—check out the configuration on Lab_B now:

Lab_B#conf t
Lab_B(config)#ip http server
Lab_B(config)#ip http ?
  access-class    Restrict access by access-class
  authentication  Set http authentication method
  path            Set base path for HTML
  port            HTTP port
  server          Enable HTTP server
