13
Authentication, Authorization, and Accounting Configuration on the Cisco PIX Firewall
Overview
This chapter includes the following topics:
• Objectives
• Introduction
• Installation of CSACS for Windows NT
• Authentication configuration
• Authorization configuration
• Accounting configuration
• Troubleshooting the AAA configuration
• Summary
• Lab exercise
Objectives
This section lists the chapter’s objectives.

Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Define authentication, authorization, and accounting.
• Describe the differences between authentication, authorization, and accounting.
• Describe how users authenticate to the PIX Firewall.
• Describe how cut-through proxy technology works.
• Name the AAA protocols supported by the PIX Firewall.
• Install and configure CSACS for Windows NT.
• Configure AAA on the PIX Firewall.
© 2002, Cisco Systems, Inc. www.cisco.com CSPFA 2.1—13-2
13-2 Cisco Secure PIX Firewall Advanced 2.1 Copyright 2002, Cisco Systems, Inc.
Introduction
This section introduces the authentication, authorization, and accounting concepts
and how the Cisco PIX Firewall supports them.
Authentication, Authorization, and Accounting
• Authentication
  – Who you are
  – Can exist without authorization
• Authorization
  – What you can do
  – Requires authentication
• Accounting
  – What you did
Authentication, Authorization, and Accounting (AAA) is used to tell the PIX Firewall who the user is, what the user can do, and what the user did. Authentication is valid without authorization. Authorization is never valid without authentication.

Suppose you have 100 users inside and you want only six of these users to perform FTP, Telnet, or HTTP outside the network. Tell the PIX Firewall to authenticate outbound traffic and give all six users IDs on the Terminal Access Controller Access Control System (TACACS+) or Remote Authentication Dial-In User Service (RADIUS) AAA server. With simple authentication, these six users are authenticated with a username and password, and then permitted outside the network. The other 94 users cannot go outside the network. The PIX Firewall prompts users for their username and password, and then passes that username and password to the TACACS+ or RADIUS AAA server. Depending on the response, the PIX Firewall opens or denies the connection.

Suppose one of these users, “baduser,” is not to be trusted. You want to allow “baduser” to perform FTP, but not HTTP or Telnet, to the outside network. This means you must add authorization, that is, authorize what users can do in addition to authenticating who they are. This is only valid with TACACS+. When you add authorization to the PIX Firewall, it first sends the untrusted user’s username and password to the AAA server, then sends an authorization request telling the AAA server what command “baduser” is trying to execute. With the server set up properly, “baduser” is allowed to perform FTP but is not allowed to perform HTTP or Telnet.
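The decision sequence just described, modelled as an added Python example (this is not Cisco code or PIX configuration): a stand-in for the TACACS+ server holds the user table, and the cut-through proxy function runs authentication first, consults authorization only when it is enabled and only after authentication succeeds, and records an accounting entry for every decision. The usernames, passwords and service names are constructed for the illustration.

```python
"""Toy model of the PIX cut-through proxy decision described above.

Added example, not Cisco's code or configuration. The user table,
passwords and service names are constructed for illustration; the AAA
server class stands in for the TACACS+ server the text refers to.
"""
from dataclasses import dataclass, field

SERVICES = {"ftp", "telnet", "http"}   # the three services the chapter discusses


@dataclass
class AaaServer:
    """Stand-in for the TACACS+ server: credentials plus optional per-user service lists."""
    # username -> (password, allowed services); None means "no per-service restriction"
    users: dict
    accounting: list = field(default_factory=list)

    def authenticate(self, username, password):
        """Who you are: does this username/password pair exist in the user database?"""
        entry = self.users.get(username)
        return entry is not None and entry[0] == password

    def authorize(self, username, service):
        """What you can do: is this service permitted for an already authenticated user?"""
        allowed = self.users[username][1]
        return allowed is None or service in allowed

    def account(self, username, service, outcome):
        """What you did: record the decision the PIX reports back."""
        self.accounting.append((username, service, outcome))


def cut_through_proxy(server, username, password, service, authorization=False):
    """Return "permit" or "deny" for one outbound connection attempt.

    Authentication always runs first; authorization is consulted only when it
    is enabled on the PIX and only after authentication has succeeded, which is
    why authorization is never valid without authentication.
    """
    if service not in SERVICES:
        raise ValueError(f"unsupported service: {service}")
    if not server.authenticate(username, password):
        server.account(username, service, "deny: authentication failed")
        return "deny"
    if authorization and not server.authorize(username, service):
        server.account(username, service, "deny: not authorized")
        return "deny"
    server.account(username, service, "permit")
    return "permit"


def build_demo_server():
    """Constructed user table: six trusted users and "baduser", who may only use FTP.

    The other 94 of the 100 inside users simply have no entry, so authentication
    fails for them and they cannot leave the network.
    """
    users = {f"user{n:02d}": (f"pw-user{n:02d}", None) for n in range(1, 7)}
    users["baduser"] = ("pw-baduser", {"ftp"})
    return AaaServer(users)


def run_scenario():
    """Walk through the chapter's scenario and return the accounting records."""
    server = build_demo_server()
    cut_through_proxy(server, "user01", "pw-user01", "http")                       # permit
    cut_through_proxy(server, "user07", "anything", "http")                        # deny: not in the database
    cut_through_proxy(server, "baduser", "pw-baduser", "ftp", authorization=True)  # permit
    cut_through_proxy(server, "baduser", "pw-baduser", "http", authorization=True) # deny: not authorized
    cut_through_proxy(server, "baduser", "pw-baduser", "http")                     # permit: authentication only
    return server.accounting


if __name__ == "__main__":
    for record in run_scenario():
        print(record)
```

The last call in run_scenario is the point the text makes about RADIUS versus TACACS+: with authentication alone, a valid username and password permit every service, so restricting "baduser" to FTP is only possible once per-service authorization is switched on.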
What the User Sees
• Telnet
  – PIX Firewall: Username: smith / Password: 2bon2b
  – Server: Username: alex / Password: v1v10k4
• FTP
  – PIX Firewall: Username: smith@alex / Password: 2bon2b@v1v10k4
• HTTP
  – PIX Firewall: Username: smith@alex / Password: 2bon2b@v1v10k4
You can authenticate with the PIX Firewall in one of three ways:
• Telnet—You get a prompt generated by the PIX Firewall. You have up to four chances to log in. If the username or password fails after the fourth attempt, the PIX Firewall drops the connection. If authentication and authorization are successful, you are prompted for a username and password by the destination server.
• FTP—You get a prompt from the FTP program. If you enter an incorrect password, the connection is dropped immediately. If the username or password in the authentication database differs from the username or password on the remote host that you are accessing via FTP, enter the username and password in the following formats:
  – aaa_username@remote_username
  – aaa_password@remote_password
  The PIX Firewall sends the aaa_username and aaa_password to the AAA server, and if authentication and authorization are successful, the remote_username and remote_password are passed to the destination FTP server.
  Note: Some FTP GUIs do not display challenge values.
• HTTP—You see a pop-up window generated by the web browser. If you enter an incorrect password, you are prompted again. If the username or password in the authentication database differs from the username or password on the remote host that you are accessing via HTTP, enter the username and password in the following formats:
  – aaa_username@remote_username
  – aaa_password@remote_password
  The PIX Firewall sends the aaa_username and aaa_password to the AAA server, and if authentication and authorization are successful, the remote_username and remote_password are passed to the destination HTTP server.
  Keep in mind that browsers cache usernames and passwords. If you believe that the PIX Firewall should be timing out an HTTP connection but it is not, re-authentication may actually be taking place, with the web browser sending the cached username and password back to the PIX Firewall. The Syslog service will show this phenomenon. If Telnet and FTP seem to work normally, but HTTP connections do not, this is usually why.
The PIX Firewall supports authentication usernames of up to 127 characters and passwords of up to 63 characters. A username or password may not contain an at (@) character as part of the username or password string.
Note: If PIX Firewalls are in tandem, Telnet authentication works in the same way as with a single PIX Firewall, but FTP and HTTP authentication have additional complexity because you have to enter each username and password with an additional “at” (@) character and a further username or password for each in-tandem PIX Firewall.

Note: Once authenticated with HTTP, a user never has to reauthenticate no matter how low the PIX Firewall uauth timeout is set. This is because the browser caches the "Authorization: Basic=Uuhjksdkfhk==" string and sends it in every subsequent connection to that particular site. This can only be cleared when the user exits all instances of the web browser and restarts. Flushing the cache is of no use.
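As an added example (not code from the PIX or from this course), the Python below decodes an HTTP Basic Authorization header the way the cut-through proxy sees it after the browser pop-up, splits the username and password fields described above at their first “@” into the AAA part and the remote part, and enforces the 127/63-character limits. It assumes that the split happens at the first “@” (a valid username or password cannot contain one, so the first “@” is unambiguous) and that whatever follows is forwarded unchanged, which is how the in-tandem case stacks further “@” segments onto the remainder; the header values and credentials are constructed here.

```python
"""Parse the aaa_username@remote_username / aaa_password@remote_password
format as carried in an HTTP Basic Authorization header.

Added example, not code from the PIX or from the course. Assumptions:
each field is split at its first '@' (usernames and passwords themselves
may not contain '@'), everything after it is passed through untouched,
and the 127/63-character limits apply to the AAA part. All sample
credentials below are constructed.
"""
import base64

MAX_USERNAME = 127   # limits stated in the chapter
MAX_PASSWORD = 63


def split_credential(value):
    """Return (aaa_part, remote_part); remote_part is None when no '@' is present.

    Whatever follows the first '@' is returned untouched, so with PIX
    Firewalls in tandem it may itself carry a further '@' for the next PIX.
    """
    if not value:
        raise ValueError("empty credential")
    if "@" not in value:
        return value, None
    aaa_part, remote_part = value.split("@", 1)
    if not aaa_part or not remote_part:
        raise ValueError("'@' must separate two non-empty strings")
    return aaa_part, remote_part


def check_aaa_limits(aaa_username, aaa_password):
    """Reject AAA credentials longer than the PIX accepts."""
    if len(aaa_username) > MAX_USERNAME:
        raise ValueError(f"AAA username longer than {MAX_USERNAME} characters")
    if len(aaa_password) > MAX_PASSWORD:
        raise ValueError(f"AAA password longer than {MAX_PASSWORD} characters")


def make_basic_authorization(username, password):
    """Build the header value a browser sends after the pop-up (constructed sample)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Decode a Basic header and split both fields into AAA and remote parts."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic authorization header")
    decoded = base64.b64decode(token).decode()
    # Basic credentials are user:password; the username cannot contain ':'
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credentials must be user:password")
    aaa_user, remote_user = split_credential(username)
    aaa_pass, remote_pass = split_credential(password)
    check_aaa_limits(aaa_user, aaa_pass)
    return {
        "aaa_username": aaa_user,       # sent to the TACACS+/RADIUS server
        "aaa_password": aaa_pass,
        "remote_username": remote_user,  # forwarded to the destination server
        "remote_password": remote_pass,
    }


if __name__ == "__main__":
    # The values from the "What the User Sees" slide, entered in the browser pop-up.
    header = make_basic_authorization("smith@alex", "2bon2b@v1v10k4")
    print(header)
    print(parse_basic_authorization(header))
```

Because the browser attaches the identical header to every later request to that site, running parse_basic_authorization over each request yields the same AAA credentials again and again; that repeated authentication, rather than a uauth timeout that never fires, is what the Syslog output described above shows.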