Using Authentication and Authorization
You can use access lists to control traffic based on IP address and protocol, but to control access and use for specific users or groups, you need to use authentication and authorization. Authentication, which is the process of identifying users, is supported by the firewall for RADIUS and TACACS+ servers. Authorization identifies the specific permissions for a given user.
If you want to apply authentication and authorization when an internal (local) host initiates a connection to an external (lower security) network, enable it on the internal (higher security) interface. To set up authentication and authorization to occur when an external host initiates a connection to an internal host, enable it on the outside interface.
If you want a host on an outside (lower security level) interface to initiate connections with a host on an internal (higher security level) interface, create static and access-list command statements for the connection.
Configuring AAA
To enable authentication and authorization, identify the authentication server you are using and the server encryption key on the firewall. From the configuration on the authentication server, determine the users that can access the network, the services they can use, and the hosts they can access. Once you have this information, you can configure the firewall to enable or disable authentication or authorization.
In addition, you can configure the firewall to control user access to specific hosts or services. However, it is easier to maintain this kind of access control in a single location, at the authentication server. After you enable authentication and authorization, the firewall prompts inbound or outbound users of FTP, Telnet, or HTTP (Web) access for credentials. Controlling access to a specific system or service is handled by the authentication and authorization server.
Follow these steps to enable the firewall to support TACACS+ user authentication and authorization:
- For inbound authentication, create the static and access-list command statements required to permit outside hosts to access servers on the inside network.
- If the external network connects to the Internet, create a global address pool of registered IP addresses. Then specify the inside hosts that can start outbound connections with the nat command and with the access control lists features found in the outbound and apply commands.
- Identify the server that handles authentication or authorization using the aaa-server command. Create a unique server group name. For example:
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.2 TheUauthKey
The first command statement creates the AuthInbound authentication group using TACACS+ authentication. The second command statement states that the AuthInbound server is on the inside interface, that its IP address is 10.1.1.1, and that the encryption key is "TheUauthKey."
The third command statement creates the AuthOutbound authentication group using TACACS+ authentication. The fourth command statement states that the AuthOutbound server is on the inside interface, that its IP address is 10.1.1.2, and that the encryption key is "TheUauthKey."
RADIUS authorization is provided with the access-list command statement as described in Configuring RADIUS Authorization.
- Enable authentication with the aaa authentication command:
aaa authentication include ftp outbound 0 0 0 0 AuthOutbound
aaa authentication include telnet outbound 0 0 0 0 AuthOutbound
aaa authentication include http outbound 0 0 0 0 AuthOutbound
aaa authentication include ftp inbound 0 0 0 0 AuthInbound
aaa authentication include telnet inbound 0 0 0 0 AuthInbound
aaa authentication include http inbound 0 0 0 0 AuthInbound
The AuthInbound and AuthOutbound groups are those you specified with the aaa-server command.
Be careful to apply authentication only to protocols that can be authenticated. Applying authentication using the any keyword will prevent protocols such as SMTP or HTTPS from passing through the firewall.
- Enable authorization with the aaa authorization command. The firewall checks the authorization request with the AAA server, which decides what services a user can access. Use one or both of the following commands to specify outbound and inbound authorization:
aaa authorization include ftp outbound 0 0 0 0
aaa authorization include telnet outbound 0 0 0 0
aaa authorization include http outbound 0 0 0 0
aaa authorization include ftp inbound 0 0 0 0
aaa authorization include telnet inbound 0 0 0 0
aaa authorization include http inbound 0 0 0 0
You can specify port ranges for the aaa authorization command in the following format:
aaa authorization include | exclude author_service | [protocol/port[-port]] inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask
where:
- author_service: The service that the firewall listens to for AAA connections. Possible values are any, http, ftp, or telnet.
- protocol: The protocol for which you want to authorize access. Possible values are udp, tcp, or icmp.
- port: A port value or range for which you want to authorize access.
- inbound, outbound, if_name: Specify whether users are authenticated and authorized on inbound or outbound connections, or for connections that arrive at a specific interface.
- local_ip, local_mask: Specify the IP address on the higher security level interface from which or to which access is required.
- foreign_ip, foreign_mask: Specify the IP address on the lower security level interface from which or to which access is required.
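As an added example (not from the original guide), the following Python script audits the aaa lines of a saved firewall configuration for the two pitfalls this procedure warns about: an aaa authentication line that uses the any keyword, and one that names a server group no aaa-server command defines. It also parses the author_service and protocol/port[-port] token described above. The sample configuration is constructed for the example, with the group name AuthMissing deliberately left undefined.

```python
import re
# Constructed sample config, modelled on this section; two lines carry the pitfalls audited below.
SAMPLE_CONFIG = """\
aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (inside) host 10.1.1.1 TheUauthKey
aaa-server AuthOutbound protocol tacacs+
aaa-server AuthOutbound (inside) host 10.1.1.2 TheUauthKey
aaa authentication include ftp outbound 0 0 0 0 AuthOutbound
aaa authentication include any inbound 0 0 0 0 AuthInbound
aaa authentication include telnet inbound 0 0 0 0 AuthMissing
aaa authorization include tcp/8000-8100 outbound 0 0 0 0
"""
# aaa <kind> include|exclude <service> <direction> local_ip local_mask foreign_ip foreign_mask [group]
AAA_RE = re.compile(
    r"^aaa (authentication|authorization) (include|exclude) (\S+) (\S+) "
    r"(\S+) (\S+) (\S+) (\S+)(?: (\S+))?$"
)

def parse_author_service(token):
    """Parse author_service or protocol/port[-port] into a dict; reject malformed ranges."""
    if token in ("any", "http", "ftp", "telnet"):
        return {"service": token}
    m = re.fullmatch(r"(udp|tcp|icmp)/(\d+)(?:-(\d+))?", token)
    if not m:
        raise ValueError(f"unrecognised service token: {token}")
    lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
    if lo > hi or hi > 65535:
        raise ValueError(f"bad port range: {token}")
    return {"protocol": m.group(1), "ports": (lo, hi)}

def audit(config):
    """Return findings for the aaa lines in a firewall configuration."""
    groups, findings = set(), []
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("aaa-server "):
            groups.add(line.split()[1])       # every aaa-server line names its group
            continue
        m = AAA_RE.match(line)
        if not m:
            continue
        kind, _, service, *_addrs, group = m.groups()
        if kind == "authentication":
            if service == "any":              # SMTP/HTTPS cannot be prompted, so they are blocked
                findings.append(f"'any' blocks unpromptable protocols: {line}")
            if group not in groups:           # references an aaa-server group never defined
                findings.append(f"undefined server group {group!r}: {line}")
        else:
            parse_author_service(service)     # raises on a malformed protocol/port range
    return findings
```

Running audit(SAMPLE_CONFIG) reports the any line and the AuthMissing line and accepts the tcp/8000-8100 range.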
Configuring RADIUS Authorization
The firewall allows a RADIUS server to send user group attributes to the firewall in the RADIUS authentication response message.
The administrator first defines access lists on the firewall for each user group. For example, there could be access lists for each department in an organization, sales, marketing, engineering, and so on. The administrator then lists the access list in the group profile in CiscoSecure.
After the firewall authenticates a user, it can then use the CiscoSecure acl attribute (attribute 11, filter-id) returned by the authentication server to identify an access list for a given user group. To maintain consistency, the firewall also provides the same functionality for TACACS+.
Access lists can be used with either RADIUS or TACACS+, but authorizing FTP, HTTP, or Telnet is only possible with TACACS+.
To restrict users in a department to three servers and deny everything else, the access-list command statements are as follows:
access-list eng permit ip any server1 255.255.255.255
access-list eng permit ip any server2 255.255.255.255
access-list eng permit ip any server3 255.255.255.255
access-list eng deny ip any any
In this example, the vendor-specific attribute string in the CiscoSecure configuration has been set to acl=eng. Use this field in the CiscoSecure configuration to identify the access-list identification name. The firewall gets the acl=acl_ID from CiscoSecure and extracts the ACL name from the attribute string, which it puts in the user's uauth entry. When a user tries to open a connection, the firewall checks the access list in the user's uauth entry and, depending on the permit or deny status of the matching entry, permits or denies the connection. When a connection is denied, the firewall generates a corresponding syslog message. If no entry matches, the implicit rule is to deny.
Because the source IP of a given user can vary depending on where they are logging in from, set the source address in the access-list command statement to any, and use the destination address to identify the network services to which the user is permitted or denied access.
The aaa authorization command does not require or provide a separate RADIUS option. To enable RADIUS authorization, perform the following steps:
- Enable RADIUS authentication with the aaa authentication command.
- Create the access-list command statements to specify the services that hosts are authorized to use with RADIUS.
- Configure the authentication server with the vendor-specific acl=acl_ID identifier to specify the access-list ID.
When the firewall sends a request to the authentication server, the server returns the acl=acl_ID string, which tells the firewall to use the access-list command statements to determine how RADIUS users are authorized.
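As an added example (not code from the guide or the firewall), the following Python model walks the flow just described: the acl=acl_ID string from the authentication response is stored in the user's uauth entry, and each new connection is checked against that access list with first-match semantics and an implicit deny. The eng list is the one from this section, with the placeholders server1 to server3 replaced by assumed addresses 10.2.0.1 to 10.2.0.3.

```python
import ipaddress

# Constructed data: the "eng" list from this section, with server1..server3
# replaced by assumed addresses 10.2.0.1-3. Entries are (action, source, dest, dest_mask).
ACCESS_LISTS = {
    "eng": [
        ("permit", "any", "10.2.0.1", "255.255.255.255"),
        ("permit", "any", "10.2.0.2", "255.255.255.255"),
        ("permit", "any", "10.2.0.3", "255.255.255.255"),
        ("deny", "any", "any", None),
    ],
}
UAUTH = {}   # uauth table: user -> ACL name learned at authentication (constructed)

def acl_id_from_attribute(attr):
    """Extract acl_ID from the 'acl=acl_ID' string in the server's response (attribute 11)."""
    if not attr.startswith("acl="):
        raise ValueError(f"not an acl= attribute: {attr!r}")
    return attr[len("acl="):]

def login(user, radius_attr):
    """After a successful authentication, store the ACL name in the user's uauth entry."""
    UAUTH[user] = acl_id_from_attribute(radius_attr)
    return UAUTH[user]

def _matches(addr, spec, mask):
    """'any' matches everything; otherwise addr must fall inside spec/mask (dotted netmask)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{spec}/{mask}", strict=False)

def check_connection(user, src, dst):
    """Return (permitted, reason): first matching entry wins, no match is an implicit deny."""
    acl_id = UAUTH.get(user)
    if acl_id is None:
        return False, "no uauth entry"           # user has not authenticated yet
    # Assumption: an ACL name with no entries on the firewall behaves as an empty list.
    for action, s, d, mask in ACCESS_LISTS.get(acl_id, []):
        if _matches(src, s, None) and _matches(dst, d, mask):
            return action == "permit", f"{acl_id}: {action} {s} {d}"
    return False, f"{acl_id}: implicit deny"
```

The reason string returned on a deny is the information a syslog message for the denied connection would carry.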