Module 6: Configure Trust and Identity at Layer 3 - Modified
1. © 2004, Cisco Systems, Inc. All rights reserved.
2. Network Security 1 Module 6 – Configure Trust and Identity at Layer 3
3. Learning Objectives
   - 6.1 Cisco IOS Firewall Authentication Proxy
   - 6.2 Introduction to PIX Security Appliance AAA Features
   - 6.3 Configure AAA on the PIX Security Appliance
4. Module 6 – Configure Trust and Identity at Layer 3: 6.1 Cisco IOS Firewall Authentication Proxy
5. What Is the Authentication Proxy?
   - Provides dynamic, per-user HTTP, HTTPS, FTP, and Telnet authentication and authorization via the TACACS+ and RADIUS protocols
   - Once authenticated, all types of application traffic can be authorized
   - The user profiles are active only when there is active traffic from the authenticated users.
   - Works on any interface type for inbound or outbound traffic
6. Authentication Proxy Operation
   - When a user initiates an HTTP, HTTPS, FTP, or Telnet session through the firewall, it triggers the authentication proxy.
   - The authentication proxy first checks to see if the user has been authenticated.
   - If a valid authentication entry exists for the user, the session is allowed and no further intervention is required by the authentication proxy.
   - If no entry exists, the authentication proxy responds to the connection request by prompting the user for a username and password.
7. Authentication Proxy Operation (Cont.)
   - Users must successfully authenticate with the authentication server by entering a valid username and password.
   - If the authentication succeeds, the user's authorization profile is retrieved from the authentication, authorization, and accounting (AAA) server.
   - The authentication proxy uses the information in this profile to create dynamic access control entries (ACEs) and add them to the inbound ACL of the input interface and, if an output ACL exists there, to the outbound ACL of the output interface.
   - By doing this, the firewall allows authenticated users access to the network as permitted by the authorization profile.
8. Authentication Proxy Operation (Cont.)
   - If the authentication fails, the authentication proxy reports the failure to the user and prompts the user for a configurable number of retries.
   - The authentication proxy sets up an inactivity, or idle, timer for each user profile. As long as there is activity through the firewall, new traffic initiated from the user's host does not trigger the authentication proxy, and all authorized user traffic is permitted access through the firewall.
   - If the idle timer expires, the authentication proxy removes the user's profile information and dynamic ACL entries. When this happens, traffic from the client host is blocked. The user must initiate another HTTP, HTTPS, FTP, or Telnet connection to trigger the authentication proxy.
9. Supported AAA Servers
   - TACACS+: Cisco Secure ACS UNIX, Cisco Secure ACS NT/2000, TACACS+ Freeware
   - RADIUS: Cisco Secure ACS UNIX, Cisco Secure ACS NT/2000, Lucent
10. Authentication Proxy Configuration
   - The authentication proxy is applied in the inward direction at any interface on the router where per-user authentication and authorization occurs.
   - Applying the authentication proxy inward at an interface causes it to intercept a user's initial connection request before that request is subjected to any other processing by the firewall.
   - If the user fails to authenticate with the AAA server, the connection request is dropped.
11. Authentication Proxy Configuration (Cont.)
   - All traffic through an interface can be blocked, and then the authentication proxy feature can be enabled to require authentication and authorization for all user-initiated HTTP, HTTPS, FTP, or Telnet connections.
   - Users are authorized for services only after successful authentication with the AAA server.
12. Enable AAA
   - Enables the AAA functionality on the router (default = disabled)
     Router(config)# aaa new-model
13. Specify Authentication Protocols
   - Defines the list of authentication methods that will be used
   - Methods: TACACS+, RADIUS, or both
     Router(config)# aaa authentication login default method1 [method2]
     Router(config)# aaa authentication login default group tacacs+
14. Specify Authorization Protocols
   - Use the auth-proxy keyword to enable authorization proxy for AAA methods
   - Methods: TACACS+, RADIUS, or both
     Router(config)# aaa authorization auth-proxy default method1 [method2]
     Router(config)# aaa authorization auth-proxy default group tacacs+
15. Define a TACACS+ Server and Its Key
   - Specifies the TACACS+ server IP address
   - Specifies the TACACS+ server key
     Router(config)# tacacs-server host ip_addr
     Router(config)# tacacs-server key string
     Router(config)# tacacs-server host 10.0.1.12
     Router(config)# tacacs-server key secretkey
16. Define a RADIUS Server and Its Key
   - Specifies the RADIUS server IP address
   - Specifies the RADIUS server key
     Router(config)# radius-server host ip_addr
     Router(config)# radius-server key string
     Router(config)# radius-server host 10.0.1.12
     Router(config)# radius-server key secretkey
17. Allow AAA Traffic to the Router
   - Create an ACL to permit TACACS+ traffic from the AAA server to the firewall
     - Source address = AAA server
     - Destination address = interface where the AAA server resides
   - May want to permit ICMP
   - Deny all other traffic
   - Apply the ACL to the interface on the side where the AAA server resides
     Router(config)# access-list 111 permit tcp host 10.0.1.12 eq tacacs host 10.0.1.1
     Router(config)# access-list 111 permit icmp any any
     Router(config)# access-list 111 deny ip any any
     Router(config)# interface ethernet0/0
     Router(config-if)# ip access-group 111 in
18. Allow AAA Traffic to the Router (Cont.)
   - All traffic requiring authentication and authorization should be denied by the router using extended ACLs.
   - Upon successful authentication, dynamic ACEs will be inserted into the ACLs to permit only the traffic authorized by the user profile.
   - The authentication proxy customizes each of the ACEs in the user profile by replacing the source IP addresses in the downloaded ACL with the source IP address of the authenticated host.
19. Allow AAA Traffic to the Router (Cont.)
   - An extended ACL should be applied to the inbound direction of the interface that is configured for proxy authentication.
   - All other ACLs that restrict traffic in the direction of authenticated traffic flow should be extended ACLs so that proxy authentication can dynamically update the ACEs as necessary to permit authorized traffic to pass.
20. Enable the Router HTTP or HTTPS Server
   - Enables the HTTP server on the router
   - Sets the HTTP server authentication method to AAA
   - Enables the HTTPS server on the router
   - The proxy uses the HTTP server for communication with a client
     Router(config)# ip http server
     Router(config)# ip http authentication aaa
     Router(config)# ip http secure-server
21. HTTP and HTTPS
   - The HTTPS feature requires a Cisco IOS crypto image.
   - HTTP-initiated sessions normally exchange the username and password in clear text. This exchange is encrypted when using HTTPS.
   - To use the authentication proxy with HTTPS, use the ip http secure-server command to enable the HTTP secure server on the router. Then use the ip http authentication aaa command to require the HTTP server to use AAA for authentication.
22. Set Global Timers
   - Authentication inactivity timer in minutes (default = 60 minutes)
   - Absolute activity timer in minutes (default = 0 minutes)
     Router(config)# ip auth-proxy {inactivity-timer min | absolute-timer min}
     Router(config)# ip auth-proxy inactivity-timer 120
23. Set Global Timers – Inactivity Timeout
   - The inactivity timeout value is the length of time that an authentication cache entry, along with its associated dynamic user ACL, is managed after a period of inactivity.
   - To set the global authentication proxy inactivity timeout value, use the ip auth-proxy inactivity-timer global configuration command.
24. Set Global Timers – Absolute Timeout
   - The absolute-timer min option allows administrators to configure a window during which the authentication proxy on the enabled interface is active.
   - Once the absolute timer expires, the authentication proxy will be disabled regardless of any activity.
   - The global absolute timeout value can be overridden by the local value, which is enabled via the ip auth-proxy name command (next slide).
25. Define and Apply Authentication Proxy Rules
   - Creates an authorization proxy rule
   - Applies an authorization proxy rule to an interface
     - For outbound authentication, apply to the inside interface
     - For inbound authentication, apply to the outside interface
     Router(config)# ip auth-proxy name auth-proxy-name {ftp | http | telnet} [inactivity-time min] [absolute-timer min] [list {acl | acl-name}]
     Router(config-if)# ip auth-proxy auth-proxy-name
     Router(config)# ip auth-proxy name aprule http
     Router(config)# interface ethernet0
     Router(config-if)# ip auth-proxy aprule
26. Authentication Proxy Rules with ACLs
   - Creates an authorization proxy rule with an access list
     Router(config)# ip auth-proxy name auth-proxy-name http list {acl-num | acl-name}
     Router(config)# ip auth-proxy name aprule http list 10
     Router(config)# access-list 10 permit 10.0.1.0 0.0.0.255
     Router(config)# interface ethernet0
     Router(config-if)# ip auth-proxy aprule
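Slides 12 through 26 give the authentication proxy commands one at a time. The following is an added example, not taken from the slides, that assembles them into one ordered IOS configuration so the dependencies between the pieces are visible: the interface ACL denies by default, the proxy rule is limited to the hosts in ACL 10, and the per-user ACEs are only ever inserted after a successful TACACS+ exchange. The topology (Ethernet0/0 as the inside interface at 10.0.1.1, Cisco Secure ACS at 10.0.1.12, inside users in 10.0.1.0/24 authenticating outbound HTTP), the timer values, and the ACS profile lines in the trailing comment are all assumptions for the example.

```cisco
! Added example: IOS Firewall authentication proxy, assembled from the
! per-slide commands. Assumed topology:
!   Ethernet0/0 = inside, router address 10.0.1.1, Cisco Secure ACS at 10.0.1.12
!   Inside users (10.0.1.0/24) are challenged when they open outbound HTTP.
!
! 1. Enable AAA and send both login authentication and auth-proxy
!    authorization to the TACACS+ group.
aaa new-model
aaa authentication login default group tacacs+
aaa authorization auth-proxy default group tacacs+
tacacs-server host 10.0.1.12
tacacs-server key secretkey
!
! 2. The proxy talks to the browser through the router's own HTTP(S) server.
!    "ip http authentication aaa" is what makes the login page use the AAA
!    method list instead of the router's enable password; the secure server
!    keeps the username and password off the wire.
ip http server
ip http secure-server
ip http authentication aaa
!
! 3. Timers (assumed values): drop a user's cache entry and dynamic ACEs
!    after 30 idle minutes, and force re-authentication after 8 hours
!    regardless of activity (the absolute timer defaults to 0 = disabled).
ip auth-proxy inactivity-timer 30
ip auth-proxy absolute-timer 480
!
! 4. Only hosts matched by standard ACL 10 are intercepted and prompted;
!    anything else is simply evaluated against the interface ACL below.
access-list 10 permit 10.0.1.0 0.0.0.255
ip auth-proxy name aprule http list 10
!
! 5. Inbound extended ACL on the inside interface: permit TACACS+ replies
!    from the ACS to the router, permit ICMP for troubleshooting, deny all
!    else. A successful login inserts the user's profile ACEs into this ACL
!    with their source address rewritten to the authenticated host; when the
!    idle or absolute timer expires they are removed and the host is blocked
!    again until it re-authenticates.
access-list 111 permit tcp host 10.0.1.12 eq tacacs host 10.0.1.1
access-list 111 permit icmp any any
access-list 111 deny ip any any
!
! 6. Apply the ACL and the proxy rule inward on the inside interface
!    (outbound authentication = inside interface, per slide 25).
interface Ethernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip access-group 111 in
 ip auth-proxy aprule
!
! ACS side (assumed, not shown on the slides): the TACACS+ user or group
! profile carries a custom service named "auth-proxy" whose attributes are
!   priv-lvl=15
!   proxyacl#1=permit tcp any any eq 80
!   proxyacl#2=permit tcp any any eq 443
! Each proxyacl line becomes one dynamic ACE, with "any" as the source
! replaced by the IP address of the host that authenticated.
```

To verify, open an HTTP connection from an inside host, log in, then check `show ip auth-proxy cache` for the host's entry and `show access-lists 111` for the dynamic ACEs; `clear ip auth-proxy cache <ip_addr>` removes one host's entry and its ACEs immediately without waiting for the idle timer.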
27. Create auth-proxy Service in the Cisco Secure ACS: enter the new service: auth-proxy.
28. Create a User Authentication Profile in the Cisco Secure ACS
29. User Authorization Profiles
30. Test and Verify the Configuration
31. What the User Sees
32. Clear the Authentication Proxy Cache
   - Clears authentication proxy entries from the router
     Router(config)# clear ip auth-proxy cache {* | ip_addr}
33. show Commands
   - Displays statistics, configurations, and cache entries of the authentication proxy subsystem
     Router(config)# show ip auth-proxy cache
     Router(config)# show ip auth-proxy configuration
     Router(config)# show ip auth-proxy statistics
34. debug Commands
   - Helps with troubleshooting
     Router(config)# debug ip auth-proxy ftp
     Router(config)# debug ip auth-proxy function-trace
     Router(config)# debug ip auth-proxy http
     Router(config)# debug ip auth-proxy object-creation
     Router(config)# debug ip auth-proxy object-deletion
     Router(config)# debug ip auth-proxy tcp
     Router(config)# debug ip auth-proxy telnet
     Router(config)# debug ip auth-proxy timer
35. Module 6 – Configure Trust and Identity at Layer 3: 6.2 Introduction to PIX Security Appliance AAA Features
36. Types of Authentication
37. Types of Authorization
38. Types of Accounting
39. Module 6 – Configure Trust and Identity at Layer 3: 6.3 Configure AAA on the PIX Security Appliance
40. Types of Access Authentication
41. Authentication Configuration Steps
42. Add Users to the Local User Database
43. AAA Local Authentication Attempts Max-Fail Command
44. Authentication Prompts
45. Authentication Timeouts
46. Cut-Through Proxy
47. PIX Cut-Through Proxy – Three Ways to Authenticate
   - telnet
   - http
   - ftp
48. Login Method for Telnet
   - A prompt is generated by the PIX Firewall.
   - The user has up to four chances to log in.
   - If authentication and authorization are successful, the user is prompted for a username and password if required by the destination server.
   [Figure: the PIX login prompt followed by the destination server's prompt]
49. Login Method for FTP
   - If an incorrect password is entered, the connection is dropped immediately.
   - If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via FTP, enter the username and password in the following format:
     - aaa_user@remote_user and
     - aaa_password@remote_password
50. Login Method for HTTP
   - The browser generates a username and password pop-up window.
   - If an incorrect password is entered, the user is prompted again (and again).
   - If the username or password on the authentication database differs from the username or password on the remote host which is being accessed via HTTP, use virtual http.
51. Login Method for HTTPS
   - The user gets a prompt generated by the PIX.
   - The user has up to three chances to log in.
   - If the username or password fails after the third attempt, the PIX drops the connection.
52. Enable Authentication – Manually Designating AAA Authentication Parameters
   - Defines traffic to be authenticated
   - authen_service = any, ftp, http, or telnet
   - any = all TCP traffic
     pixfirewall(config)# aaa authentication include | exclude authen_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
     pixfirewall(config)# aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa authentication include telnet outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa authentication include ftp dmz 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
53. aaa authentication Example
     pixfirewall(config)# nat (inside) 1 10.0.0.0 255.255.255.0
     pixfirewall(config)# aaa authentication include any outbound 0 0 MYTACACS
     pixfirewall(config)# aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
54. aaa authentication command parameters
   - include – create a new rule with the specified service to include.
   - authen_service – the application with which a user is accessing a network. Use any, ftp, http, or telnet.
   - inbound – authenticate inbound connections. Inbound means that the connection originates on the outside interface and is being directed to the inside interface.
   - outbound – authenticate outbound connections. Outbound means that the connection originates on the inside and is being directed to the outside interface.
   - if_name – interface name from which users require authentication.
55. Virtual Telnet and HTTP
56. Authentication of Non-Telnet, FTP, or HTTP Traffic
57. Virtual Telnet
58. Virtual HTTP
59. Tunnel User Authentication
60. Authorization Configuration
61. User Authorization
62. Enable Authorization
   - Defines traffic that requires AAA server authorization
   - author_service = any, ftp, http, or telnet
   - any = all TCP traffic
     pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
     pixfirewall(config)# aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa authorization exclude ftp outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
63. User Authorization
65. Authorization of Non-Telnet, FTP, HTTP, or HTTPS Traffic
66. Authorization of Non-Telnet, FTP, or HTTP Traffic
   - author_service = protocol/port
     - protocol: tcp (6), udp (17), icmp (1), or others (protocol #)
     - port:
       - single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports)
       - ICMP message type (8 = echo request, 0 = echo reply)
       - port is not used for protocols other than TCP, UDP, or ICMP
     pixfirewall(config)# aaa authorization include | exclude author_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
     pixfirewall(config)# aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa authorization include tcp/30-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
67. Downloadable ACLs
68. Accounting Configuration
69. Configuring Accounting for Traffic Through the Firewall
   - Accounting can be configured for traffic through the firewall.
   - The syntax for this command is very similar to that of the aaa authentication command.
   - All parameters are the same except for the acct_service. Possible values for the acct_service parameter are any, ftp, http, telnet, or <protocol/port>.
   - You do not need to perform any configuration tasks on the Cisco Secure ACS server for it to be able to receive accounting data from a PIX firewall.
70. Enable Accounting
   - Defines traffic that requires AAA server accounting
   - acctg_service = any, ftp, http, or telnet
   - any = all TCP traffic
     pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
     pixfirewall(config)# aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa accounting exclude any outbound 10.0.0.33 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
71. Enable Accounting Match
73. Admin Accounting
74. Command Accounting
75. Accounting of Non-Telnet, FTP, or HTTP Traffic
   - When configuring aaa accounting of non-Telnet, FTP, or HTTP traffic, the syntax of the command is slightly different from that for Telnet, FTP, or HTTP-specific traffic.
   - The syntax for acctg_service is specified in the format protocol/port.
76. Accounting of Non-Telnet, FTP, or HTTP Traffic
   - acctg_service = protocol/port
     - protocol: tcp (6), udp (17), or others (protocol #)
     - port = single port (e.g., 53), port range (e.g., 2000-2050), or port 0 (all ports); port is not used for protocols other than TCP or UDP
     pixfirewall(config)# aaa accounting include | exclude acctg_service inbound | outbound | if_name local_ip local_mask foreign_ip foreign_mask group_tag
     pixfirewall(config)# aaa accounting include udp/53 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
     pixfirewall(config)# aaa accounting include udp/54-100 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
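The aaa authentication, aaa authorization and aaa accounting slides (52 through 76) each show one rule in isolation and all refer to a server group called MYTACACS that is never defined. The following is an added example, not from the slides, that puts the three rule types together on one PIX so the include/exclude interplay and the protocol/port form can be read side by side. The aaa-server, timeout uauth and virtual http lines are syntax the slides only name (PIX 6.x conventions, assumed here), and the inside network, the ACS address 10.0.0.2, the exempted host 10.0.0.42, the timer value and the virtual HTTP address are constructed values for the example.

```cisco
! Added example: PIX cut-through proxy AAA configuration assembled from the
! authentication, authorization and accounting slides. Assumed topology:
!   inside network 10.0.0.0/24, Cisco Secure ACS at 10.0.0.2 on the inside,
!   10.0.0.42 = management host exempted from authentication.
!
! 1. Define the server group that every rule names by group_tag.
!    (The slides use MYTACACS but do not show these lines; PIX 6.x syntax.)
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.2 secretkey timeout 10
!
nat (inside) 1 10.0.0.0 255.255.255.0
!
! 2. Authentication: challenge every outbound TCP connection ("any"), then
!    carve out the management host. The exclude line narrows the include
!    above it; a user who fails the challenge gets no session at all.
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authentication exclude any outbound 10.0.0.42 255.255.255.255 0.0.0.0 0.0.0.0 MYTACACS
!
! 3. Authorization: outbound FTP is checked against the user's ACS profile.
!    UDP on any port inbound (udp/0) and outbound ICMP echo request (icmp/8)
!    use the protocol/port form because they are not Telnet, FTP or HTTP.
aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authorization include udp/0 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
!
! 4. Accounting: record every outbound TCP session for authenticated users
!    plus DNS (udp/53) arriving from outside. Per slide 69, the ACS needs no
!    extra configuration to accept these records.
aaa accounting include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa accounting include udp/53 inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
!
! 5. Timers and virtual HTTP (assumed syntax; the slides only name the
!    features). A uauth entry expires after 30 minutes of inactivity, so an
!    idle host must log in again. Virtual http lets the PIX challenge use
!    the AAA credentials even when the web server wants different ones
!    (slide 50); the address is a placeholder for an unused IP routed to
!    the PIX.
timeout uauth 0:30:00 inactivity
virtual http 192.0.2.1
```

After configuring, `show uauth` on the PIX lists the authenticated users, their source addresses and the remaining inactivity time, which is the quickest way to confirm that the exclude rule is keeping 10.0.0.42 out of the cache while everyone else is challenged.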
77. How to View Accounting Information in CSACS-NT: in the navigation bar select Reports and Activity. The Reports and Activity window opens. Under Reports, first select TACACS+ Accounting and then select TACACS+ Accounting active.csv under Select a TACACS+ Accounting file to display the accounting records.
78. © 2005, Cisco Systems, Inc. All rights reserved.