Firewall commands - aaa


Enable, disable, or view TACACS+ or RADIUS user authentication, authorization, and accounting for the server previously designated with the aaa-server command. (Configuration mode.)

[no] aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

[no] aaa accounting match acl_name inbound | outbound | if_name group_tag

[no] aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag

[no] aaa authentication match acl_name inbound | outbound | if_name group_tag

[no] aaa authentication [serial | enable | telnet | ssh | http] console group_tag

[no] aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask

[no] aaa authorization match acl_name inbound | outbound | if_name group_tag

clear aaa [accounting include | exclude authen_service inbound | outbound | if_name group_tag]
clear aaa [authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag]
clear aaa [authorization [include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask]]

show aaa


Syntax Definitions

accounting

Enable or disable accounting services with authentication server. Use of this command requires that you previously used the aaa-server command to designate an authentication server.

include

Create a new rule with the specified service to include.

exclude

Create an exception to a previously stated rule by excluding the specified service from authentication, authorization, or accounting to the specified host. The exclude parameter improves the former except option by allowing the user to specify a port to exclude to a specific host or hosts.

acctg_service

The accounting service. Accounting is provided for all services or you can limit it to one or more services. Possible values are any, ftp, http, telnet, or protocol/port. Use any to provide accounting for all TCP services. To provide accounting for UDP services, use the protocol/port form. For protocol/port, the TCP protocol appears as 6, the UDP protocol appears as 17, and so on, and port is the TCP or UDP destination port. A port value of 0 (zero) means all ports. For protocols other than TCP and UDP the port is not applicable and should not be used.

match acl_name

Specify an access-list command statement name.

authentication

Enable or disable user authentication, prompt user for username and password, and verify information with authentication server.

When used with the console option, enables or disables authentication service for access to the firewall console over Telnet or from the Console connector on the firewall unit.

Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.

The aaa authentication command supports HTTP authentication. The firewall requires authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the firewall.

authen_service

The application with which a user is accessing a network. Use any, ftp, http, or telnet. The any value enables accounting or authentication for all TCP services. To be prompted for authentication credentials, users must use FTP, HTTP, or Telnet. (HTTP is the Web and only applies to web browsers that can prompt for a username and password.)

If the authentication or authorization server is authenticating services other than FTP, HTTP, or Telnet, using any will not permit those services to authenticate in the firewall. The firewall only knows how to communicate with FTP, HTTP, and Telnet for authentication and authorization.

Only set this parameter to a service other than any if the authentication or authorization server is set the same way. Unless you want to temporarily restrict access to a specific service, setting a service in this command can increase system administration work and may cause all connections to fail if the authentication or authorization server is authenticating one service and you set this command to another.

authorization

Enable or disable TACACS+ user authorization for services (firewall does not support RADIUS authorization). The authentication server determines what services the user is authorized to access.

author_service

The services which require authorization. Use any, ftp, http, telnet, or protocol/port. Services not specified are authorized implicitly. Services specified in the aaa authentication command do not affect the services which require authorization.

For protocol/port:

  1. The protocol (6 for TCP, 17 for UDP, 1 for ICMP, and so on).

  2. The TCP or UDP destination port, or port range. The port can also be the ICMP type; that is, 8 for ICMP echo or ping. A port value of 0 (zero) means all ports. Port ranges only apply to the TCP and UDP protocols, not to ICMP. For protocols other than TCP, UDP, and ICMP the port is not applicable and should not be used. An example port specification follows.

    aaa authorization include udp/53-1024 inside 0 0 0 0

    This example enables authorization for DNS lookups to the inside interface for all clients, and authorizes access to any other services that have ports in the range of 53 to 1024.

Note Specifying a port range may produce unexpected results at the authorization server. The firewall sends the port range to the server as a string with the expectation that the server will parse it out into specific ports. Not all servers do this. In addition, you may want users to be authorized on specific services, which will not occur if a range is accepted.

if_name

Interface name from which users require authentication. Use if_name in combination with the local_ip address and the foreign_ip address to determine where access is sought and from whom. The local_ip address is always on the highest security level interface and foreign_ip is always on the lowest. See the Examples section for how the if_name affects the use of this command.

local_ip

The IP address of the host or network of hosts that you want to be authenticated or authorized. You can set this address to 0 to mean all hosts and to let the authentication server decide which hosts are authenticated.

local_mask

Network mask of local_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

foreign_ip

The IP address of the hosts you want to access the local_ip address. Use 0 to mean all hosts.

foreign_mask

Network mask of foreign_ip. Always specify a specific mask value. Use 0 if the IP address is 0. Use 255.255.255.255 for a host.

group_tag

The AAA server group tag defined by the aaa-server command.

console

Specify that access to the firewall console requires authentication and, optionally, log configuration changes to a syslog server.

The aaa authentication serial console command allows you to require authentication verification to access the firewall unit's serial console. The serial console option also logs to a syslog server changes made to the configuration from the serial console.

Authenticated access to the firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts.

Telnet access to the firewall console is available from any internal interface, and from the outside interface with IPSec configured, and requires previous use of the telnet command. SSH access to the firewall console is also available from any interface without IPSec configured, and requires previous use of the ssh command.

The new ssh option specifies the group of AAA servers to be used for SSH user authentication. The authentication protocol and AAA server IP addresses are defined with the aaa-server command statement.

Similar to the Telnet model, if an aaa authentication ssh console group_tag command statement is not defined, you can gain access to the firewall console with the username pix and with the firewall Telnet password (set with the passwd command). If the aaa command is defined but the SSH authentication request times out, which implies the AAA servers may be down or not available, you can gain access to the firewall using the username pix and the enable password (set with the enable password command). By default, the Telnet password is cisco and the enable password is not set.

If the console login request times out, you can gain access to the firewall from the serial console by entering the pix username and the enable password.

The maximum password length for accessing the console is 16 characters.
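The following configuration is an added example, not part of the command reference, that puts the parameters above together on one firewall: a TACACS+ server group, cut-through proxy authentication with an exclude exception, authorization and accounting for the same clients, an access-list based match rule, and console authentication for every access path. The group tag AUTHGRP, the server address 10.1.1.10, the shared key, the enable password, the access-list name AAA_ACCT and all address ranges are constructed values; lines beginning with ! are annotations, not commands to enter.

```text
! --- AAA server group (must exist before any aaa statement references it) ---
aaa-server AUTHGRP protocol tacacs+
aaa-server AUTHGRP (inside) host 10.1.1.10 ExampleSharedKey timeout 10

! --- Cut-through proxy: authenticate every TCP session from the inside
!     network (local_ip on the highest-security interface) to any host ---
aaa authentication include any inside 10.1.0.0 255.255.0.0 0 0 AUTHGRP
! Exception to the rule above: one inside host may FTP to one outside host
! without being prompted (mask 255.255.255.255 selects a single host)
aaa authentication exclude ftp inside 10.1.1.50 255.255.255.255 192.0.2.20 255.255.255.255 AUTHGRP

! --- Authorization (TACACS+ only): the server is consulted for Telnet and
!     for DNS (protocol udp, port 53); services not listed are authorized
!     implicitly ---
aaa authorization include telnet inside 10.1.0.0 255.255.0.0 0 0
aaa authorization include udp/53 inside 10.1.0.0 255.255.0.0 0 0

! --- Accounting, selected with an access-list instead of include/exclude ---
access-list AAA_ACCT permit tcp 10.1.0.0 255.255.0.0 any
aaa accounting match AAA_ACCT inside AUTHGRP

! --- Administrative access to the console ---
! Set the enable password first: it is unset by default, and together with
! the username pix it is the fallback credential if the AAA server times out.
enable password ExampleEnablePwd
telnet 10.1.1.0 255.255.255.0 inside
ssh 10.1.1.0 255.255.255.0 inside
aaa authentication serial console AUTHGRP
aaa authentication telnet console AUTHGRP
aaa authentication ssh console AUTHGRP
aaa authentication enable console AUTHGRP
aaa authentication http console AUTHGRP
```

The exclude statement is an exception to the include statement that precedes it, so it is entered after the include and carries the same group tag. show aaa lists the resulting statements and clear aaa removes them; the telnet and ssh statements are required before the corresponding console authentication takes effect, as noted above.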


Usage Guidelines

The aaa command enables or disables the following AAA (Authentication, Authorization, and Accounting) features:

User authentication services provided by a TACACS+ or RADIUS server are first designated with the aaa-server command. A user starting a connection via FTP, Telnet, or over the World Wide Web is prompted for their username and password. If the username and password are verified by the designated TACACS+ or RADIUS authentication server, the firewall unit will allow further traffic between the authentication server and the connection to interact independently through the firewall unit's cut-through proxy feature.

User authorization services which control which network services a user can access. After a user is authenticated, attempts to access restricted services cause the firewall unit to verify the access permissions of the user with the designated AAA server.

User accounting services keep a record of which network services a user has accessed. These records are also kept on the designated AAA server. Accounting information is only sent to the active server in a server group.

Administrative authentication services providing access to the firewall unit's console via Telnet, SSH, or the serial console. Telnet access requires previous use of the telnet command. SSH access requires previous use of the ssh command.

Note RADIUS authorization is supported with the use of access-list command statement and configuring a RADIUS server to send an acl=acl_name vendor-specific identifier. Refer to the access-list command page for more information. Also see the aaa-server radius-authport commands.

If the AAA console login request times out, you can gain access to the firewall from the serial console by entering the pix username and the enable password.


aaa authentication

The aaa authentication command has been modified to support PDM authentication. The firewall requires authentication verification of the HTTP server through the aaa authentication http console command before PDM can access the firewall. (Configuration mode.)

[no] aaa authentication [serial | enable | telnet | ssh | http] console group_tag

Defaults

If an aaa authentication http console group_tag command statement is not defined, you can gain access to the firewall (via PDM) with no username and the firewall enable password (set with the password command). If the aaa command is defined but the HTTP authentication request times out, which implies the AAA servers may be down or not available, you can gain access to the firewall using the username pix and the enable password. By default, the enable password is not set.

Usage Guidelines

Use of the aaa authentication command requires that you previously used the aaa-server command to designate an authentication server.

The web browser prompts for the username and password with a pop-up window.

Examples

The following example shows use of the aaa authentication command:

pixfirewall(config)# aaa authentication telnet console radius

Related Commands

  1. aaa-server
  2. http
  3. setup