03-26-2009 10:02 AM - edited 03-10-2019 04:24 PM
How to differentiate between console and HTTP authentications in a RADIUS server while authenticating users for a PIX firewall?
Does the PIX send any attributes to the RADIUS server to indicate where the user is trying to log in?
04-01-2009 08:51 AM
The ip http authentication command enables you to specify a particular authentication method for HTTP server users. The HTTP server uses the enable password method to authenticate a user at privilege level 15. The ip http authentication command now lets you specify enable, local, TACACS, or authentication, authorization, and accounting (AAA) HTTP server user authentication.
04-01-2009 09:47 PM
See these commands:
aaa-server ADMIN protocol radius
 reactivation-mode depletion deadtime 0
aaa-server ADMIN host 192.168.0.1
 timeout 30
 key XXXXXX
aaa-server HTTPCLIENTS protocol radius
 reactivation-mode depletion deadtime 0
 max-failed-attempts 5
aaa-server HTTPCLIENTS host 192.168.0.1
 timeout 30
 key XXXXXX
aaa authentication ssh console ADMIN
aaa authentication include http inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 HTTPCLIENTS
In the above example, see the RADIUS host (192.168.0.1). We could also configure a single RADIUS entry, but I am trying to differentiate between the ADMIN and HTTPCLIENTS authentication requests at the RADIUS end. But in the RADIUS server there is no attribute that we receive that shows the difference in the purpose or the level of access being attempted.
I am trying with a Microsoft Windows 2003 RADIUS server.
04-01-2009 11:15 PM
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication [serial | enable | telnet | ssh] console command. While the enable and ssh options allow three tries before stopping with an access denied message, both the serial and telnet options cause the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection. The enable option requests a username and password before accessing privileged mode for serial, Telnet, or SSH connections. The ssh option requests a username and password before the first command line prompt on the SSH console connection. The ssh option allows a maximum of three authentication attempts.
Authenticated access to the PIX Firewall console has different types of prompts depending on the option you choose with the aaa authentication console command:
a. enable option: Allows three tries before stopping with "Access denied." The enable option requests a username and password before accessing privileged mode for serial or Telnet connections.
b. serial option: Causes the user to be prompted continually until successfully logging in. The serial option requests a username and password before the first command line prompt on the serial console connection.
c. telnet option: Causes the user to be prompted continually until successfully logging in. The telnet option forces you to specify a username and password before the first command line prompt of a Telnet console connection.
Hope this helps
-Sunil
04-01-2009 11:27 PM
My confusion is not around how the PIX does this. Please read this.
If I am configuring the PIX to support authentication for both SSH console and URL auth, the PIX does not send different properties to the RADIUS server.
That makes it difficult for the RADIUS server to differentiate the users who need to be allowed while URL auth is being requested from those allowed while SSH console access is being requested.
In my case, if I allow someone to perform URL auth, they will automatically be able to connect to the SSH console.
We are using two separate RADIUS servers currently so that the SSH console requests can be handled more restrictively.
Is there a way I can use one radius server for both the purposes?
Thanks for the reply.
04-02-2009 01:02 AM
Dear sir,
It might be possible that some RADIUS attributes are not natively understood by some vendors. So in such cases, to support authentication and authorization of the security appliance user, you might have to load the security appliance attributes into the RADIUS server. Please refer to the following link for details:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/extsvr.html#wp1583736
Hope this helps.
-Sunil
04-02-2009 02:46 AM
Nope, that document does not talk much about RADIUS authentication. It mainly talked about LDAP.
thanks
04-02-2009 03:15 AM
Just wanted to cross-check whether you have referred to the "Configuring an External RADIUS Server" section of the document?
-Sunil
04-02-2009 03:21 AM
Yes. I did.
04-04-2009 02:17 AM
Hi,
Using Network Access Restrictions (NAR) in ACS would be a good idea to restrict Telnet/SSH console access to the network devices, whether the users are in the internal (ACS) or an external (AD) database.
The rest of the URL authentication will work fine on the same ACS.
HTH,
Ahmed
04-04-2009 06:08 AM
But I don't have an ACS. I am trying to integrate AD and PIX using RADIUS (Microsoft IAS).
Is there any other alternative to the ACS?
04-05-2009 03:41 AM
I think management authorization, which is explained in the section "Limiting User CLI and ASDM Access with Management Authorization" with the specific service-type 5 (remote-access), will work in your scenario; see the following link:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306
Hope this helps
Regards
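As an added illustration of the management-authorization mechanism that section describes (this is example code, not from the thread or from Cisco): the script decodes a RADIUS Access-Accept, verifies its Response Authenticator against the shared secret, and maps the returned Service-Type to the access the ASA grants, using the meanings of values 6, 7 and 5 given in the ASA configuration guide. The packet bytes, shared secret and Request Authenticator are constructed test data.

```python
import hashlib
import struct

SERVICE_TYPE = 6          # RADIUS attribute type (RFC 2865)
ACCESS_ACCEPT = 2         # RADIUS packet code

# How the ASA interprets Service-Type once "aaa authorization exec
# authentication-server" is configured (values and meanings from the ASA guide).
MGMT_ACCESS = {
    6: "Administrative: full CLI and ASDM access",
    7: "NAS-Prompt: Telnet/SSH CLI access, ASDM configuration access denied",
    5: "Outbound: management access denied (serial console excepted)",
}

def parse_attributes(payload):
    """Walk RADIUS TLV attributes; each length byte includes the 2-byte header."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs

def verify_response(packet, request_authenticator, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return expected == packet[4:20]

def management_decision(packet, request_authenticator, secret):
    """Return the management-access outcome the ASA would apply to this reply."""
    if not verify_response(packet, request_authenticator, secret):
        return "discard: bad Response Authenticator"
    if packet[0] != ACCESS_ACCEPT:
        return "Access-Reject"
    for atype, value in parse_attributes(packet[20:]):
        if atype == SERVICE_TYPE and len(value) == 4:
            st = struct.unpack("!I", value)[0]
            return MGMT_ACCESS.get(st, f"Service-Type {st}: no management-authorization meaning")
    return "no Service-Type attribute returned"

def build_access_accept(ident, request_authenticator, secret, service_type):
    """Constructed Access-Accept carrying a single Service-Type attribute (test data)."""
    attrs = struct.pack("!BBI", SERVICE_TYPE, 6, service_type)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs
```

The "aaa authentication include http" cut-through rule in the thread's config is not a console command, so a user handed Service-Type 5 can still pass URL authentication while being refused SSH console access.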