
Setup Cisco ACS with Cisco ASA for command restrictions 1

Status
Not open for further replies.

quickconnect

IS-IT--Management
May 5, 2003
70
US
I am trying to use our Cisco ACS Server and our Cisco ASA & PIX firewalls so that when a user tries to log in to the firewall it will authenticate with ACL and then permit a list of allowed commands and user privileges via what I have configured in ACS. I can't find anything on how to do this; any help with this would be appreciated.
 
It sounds like you want to do two things, but correct me if I'm wrong. First you want to use an ACL to limit access to the ASA and second you want to give users access to different commands (and maybe privilege levels) once they login to the ASA.

To limit who can connect to the firewall via the command line, use the telnet or ssh commands.

ssh 172.16.1.1 255.255.255.255 inside

This command allows that single workstation ssh access to the inside interface of the ASA. You can specify your relevant address and mask. You can do the same thing with the telnet command. Note: You can't telnet to the outside of the firewall unless it's over a VPN tunnel. Here's a doc on configuring SSH/Telnet access to the security appliance:

Limiting what commands users can run is called "command authorization". After users are authenticated, the security appliance checks each command that they run to make sure that they are authorized to run it. You have a couple different options here, but a good place to start is this doc:

One option is to use the TACACS server to authenticate users and then assign them a privilege level when they login. Locally on the ASA you can configure commands to be accessible to certain privilege levels. So if a user gets assigned to privilege level 5 you can give them access to all forms of the "filter" command like this:

hostname(config)# privilege level 5 command filter

You can also do what you describe, where the lists of commands accessible to the users are actually defined ON the TACACS server. This specific section covers how to do that:

If you want to apply the same commands to multiple users or groups you might consider creating a command set in the Shared Profile Components section of Cisco ACS.

-------

When thinking about command authorization, it's important to keep in mind that some commands exist at level 0 and ALL OTHER commands exist at level 15. Level 5 has no commands of its own, level 7 has no commands of its own, etc.

It's also important to keep in mind that each privilege level has access to the commands of the levels below it. So if you assign a user to level 5, he has access to commands at level 0-4, too.

Matt
CCSP
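As an added example (not from the original thread, and not taken from Cisco's documentation), here is the ASA-side configuration that ties the pieces in the reply above together: SSH restricted by source address, login and enable authentication against a TACACS+ server group, per-command authorization answered by ACS, and a LOCAL fallback so that an unreachable ACS server does not lock administrators out. The group name, addresses, key and usernames are placeholders I chose.

```cisco
! Added example, not from the original thread. Addresses, names and the key are placeholders.
!
! 1. TACACS+ server group pointing at the ACS server (reachable via the inside interface).
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! 2. Only the management subnet may open SSH sessions, and only on the inside interface.
ssh 192.0.2.0 255.255.255.0 inside
ssh timeout 10
!
! 3. Authenticate SSH logins and 'enable' against ACS. The LOCAL keyword is a fallback
!    used only when every server in the group is unreachable, not when ACS rejects a login.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
!
! 4. Per-command authorization: each command typed is sent to ACS, which permits or denies
!    it from the user's group command set. During fallback the local privilege levels apply.
aaa authorization command ACS-TACACS LOCAL
!
! 5. Local privilege levels, only relevant during fallback. As in the reply above, this
!    moves every form of 'filter' to level 5; a 'show', 'clear' or 'cmd' keyword before
!    'level' would move only that form. Everything not listed stays at level 15.
privilege level 5 command filter
!
! 6. Local accounts and enable secrets for the fallback case.
username break-glass password REPLACE-WITH-STRONG-PASSWORD privilege 15
enable password REPLACE-WITH-STRONG-PASSWORD level 5
```

This fragment grants no commands on its own: the group's Shell Command Authorization Set on ACS (the Shared Profile Components command set the reply mentions) is what answers each authorization request, so build and test that set on one firewall before pushing the aaa authorization line to all of them.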
 
garnetbobcat

Thank you for your tips. Basically what I'm looking for is command authorization via an ACS server so that I can create a group on the ACS server and place my usernames that are allowed to log in to over 80 of our ASA/PIX Firewalls. Currently it's not an easy process to assign privilege level commands and be specific on a per-username basis via the local ASA itself without going through some pain and then having to do this on all Firewalls.

I will take a look at your interesting documents that you listed and post my results if that is what I am looking for. As to granting SSH/Telnet access to the Firewall itself, that is pretty straightforward and we are currently doing this today...
 