- AAA Protocols and Services Supported by Cisco ASA
- Defining an Authentication Server
- Configuring Authentication of Administrative Sessions
- Authenticating Firewall Sessions (Cut-Through Proxy Feature)
- Configuring Authorization
- Configuring Accounting
- Summary
Configuring Authentication of Administrative Sessions
Cisco ASA supports authentication of administrative sessions by using a local user database, a RADIUS server, or a TACACS+ server. An administrator can connect to the Cisco ASA via
- Telnet
- Secure Shell (SSH)
- Serial console connection
- Cisco ASA Device Manager (ASDM)
If connecting via Telnet or SSH, the user can retry authentication three times in case of user error. After the third time, the authentication session and connection to the Cisco ASA are closed. Authentication sessions via the console prompt the user continuously until the correct username and password are entered.
Before you start the configuration, you must decide which user database you will use (local or external AAA server). If you are using an external AAA server, configure the AAA server group and host as covered in the previous section. You can use the aaa authentication command to require authentication verification when accessing Cisco ASA for administration. The following sections teach you how to configure external authentication for each type of connection.
Authenticating Telnet Connections
You can enable Telnet access to the Cisco ASA to any internal interface or to the outside if an IPSec connection is established. (Telnet sessions are allowed to the outside interface only over an IPSec connection.) To configure authentication for Telnet connections to the Cisco ASA using ASDM, complete the following steps:
- Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Access > Authentication. The screen illustrated in Figure 6-6 is displayed.
Figure 6-6 Using ASDM to Configure Authentication for Telnet Connections
- Step 2. Select Telnet under the Require Authentication for the Following Types of Connections section.
- Step 3. In this example, the RADIUS server previously configured in the AAA server group is used for authentication. Select the server group (my-radius-group) from the Server Group pull-down menu.
- Step 4. If you would like to fall back to the local user database in case the RADIUS server fails, select Use LOCAL when Server Group Fails, as shown in Figure 6-6.
- Step 5. Click OK.
- Step 6. Click Apply to apply the configuration changes.
- Step 7. Click Save to save the configuration in the Cisco ASA.
You can also authenticate any users before they use the enable command via the CLI. To accomplish this task, complete the following steps:
- Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Access > Authentication.
- Step 2. Select the Enable check box under the Require Authentication to Allow Use of Privilege Mode Commands section, as shown in Figure 6-6.
- Step 3. In this example, the RADIUS server is used for authentication. Select the server group my-radius-group from the Server Group drop-down list.
- Step 4. To allow the Cisco ASA to use the local database as a fallback method, select the Use LOCAL when Server Group Fails check box.
- Step 5. Click OK.
- Step 6. Click Apply to apply the configuration changes.
- Step 7. Click Save to save the configuration in the Cisco ASA.
Example 6-5 shows the CLI commands sent by ASDM to the Cisco ASA.
Example 6-5. Using the CLI to Configure Authentication for Telnet Connections
aaa authentication enable console my-radius-group LOCAL aaa authentication telnet console my-radius-group LOCAL telnet 0.0.0.0 0.0.0.0 inside
In Example 6-5, the aaa authentication enable console command is set to require authentication before any user can enter into enable mode. The my-radius-group AAA server group name is applied to this command. The keyword LOCAL is used to enable fallback to the local database if the configured authentication server is unavailable.
The second line in Example 6-5 enables authentication for Telnet connections by using the my-radius-group AAA server group, as well as the LOCAL keyword to enable fallback to the local database.
Authenticating SSH Connections
The steps for using ASDM to configure authentication for SSH administrative sessions to the Cisco ASA are very similar to the ones discussed in the previous section. Complete the following steps to configure authentication for SSH connections to the Cisco ASA:
- Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Access > Authentication. The same screen illustrated in Figure 6-6 is displayed.
- Step 2. Select SSH under the Require Authentication for the Following Types of Connections section.
- Step 3. In this example, the RADIUS server previously configured in the AAA server group (my-radius-group) is used for authentication.
- Step 4. If you would like to fall back to the local user database in case the RADIUS server fails, select Use LOCAL when Server Group Fails, as shown in Figure 6-6.
- Step 5. Click OK.
- Step 6. Click Apply to apply the configuration changes.
- Step 7. Click Save to save the configuration in the Cisco ASA.
To enable SSH on Cisco ASA via the CLI, you first configure a hostname and domain name before generating the RSA key pair used by SSH. Example 6-6 shows how to generate the RSA key pair and enable SSH version 2 connections from any systems on the inside interface.
Example 6-6. Generating RSA Key Pair and Enabling SSH Version 2
New York# configure terminal New York(config)# hostname ASA New York(config)# domain-name cisco.com New York(config)# crypto key generate rsa modulus 2048 INFO: The name for the keys will be: ASA.cisco.com Keypair generation process begin. New York(config)# ssh 0.0.0.0 0.0.0.0 inside New York(config)# ssh version 2
After the RSA key pair has been generated and SSH has been enabled, complete your AAA server group and host configuration. In this example, the my-radius-group AAA server group is used in the aaa authentication ssh console command to enable SSH authentication, as shown in Example 6-7.
Example 6-7. Configuring SSH Authentication to a TACACS+ Server
New York(config)# aaa authentication ssh console my-radius-group LOCAL
The LOCAL keyword is used in Example 6-7 to enable fallback to the local database. Make sure to issue the write memory command to save the configuration after the RSA keypair is generated.
Authenticating Serial Console Connections
Complete the following steps to configure authentication for serial console connections to the Cisco ASA, using ASDM:
- Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Access > Authentication.
- Step 2. Select Serial under the Require Authentication for the Following Types of Connections section.
- Step 3. In this example, the RADIUS server previously configured in the AAA server group (my-radius-group) is used for authentication.
- Step 4. If you would like to fall back to the local user database in case the RADIUS server fails, select Use LOCAL when Server Group Fails.
- Step 5. Click OK.
- Step 6. Click Apply to apply the configuration changes.
- Step 7. Click Save to save the configuration in the Cisco ASA.
To configure authentication of serial console connections, use the aaa authentication serial console command. Be aware that you can get locked out of the Cisco ASA easily with any misconfiguration. Example 6-8 demonstrates how to configure serial console authentication, using the AAA server group previously configured.
Example 6-8. Configuring Serial Console Authentication
New York(config)# aaa authentication serial console my-radius-group LOCAL
Authenticating Cisco ASDM Connections
Complete the following steps to configure authentication for ASDM administrative connections to the Cisco ASA using ASDM:
- Step 1. Log in to ASDM and navigate to Configuration > Device Management > Users/AAA > AAA Access > Authentication.
- Step 2. Select HTTP/ASDM under the Require Authentication for the Following Types of Connections section.
- Step 3. In this example, the RADIUS server previously configured in the AAA server group (my-radius-group) is used for authentication.
- Step 4. If you would like to fall back to the local user database in case the RADIUS server fails, select Use LOCAL when Server Group Fails.
- Step 5. Click OK.
- Step 6. Click Apply to apply the configuration changes.
- Step 7. Click Save to save the configuration in the Cisco ASA.
Alternatively, the aaa authentication http console CLI command can be configured to require authentication for Cisco ASDM users. Example 6-9 demonstrates how to configure ASDM authentication, using the AAA server group previously configured.
Example 6-9. Configuring HTTP Authentication for ASDM Users
New York(config)# aaa authentication http console my-radius-group LOCAL
If this command is not configured, Cisco ASDM users can gain access to the ASA by entering only the enable password, and no username, at the authentication prompt.