04-15-2010 05:20 AM - edited 03-11-2019 10:33 AM
Hi,
I get the users to authenticate when using FTP through the FWSM (multiple context mode) but I have a few questions that I can't seem to find the exact answers to in the documentation (I presume I'm just missing something when reading it).
At the moment we have the users match the ACL, log in using a local account, and then they are allowed to log in to the end FTP server, all pretty standard stuff. This works fine for the users, but some of the FTP connections are scripted and set as timed jobs on servers. These scripted FTP connections have no idea which username prompt (FWSM or FTP server) is being presented, which becomes an issue when connections are made and closed in rapid succession, as it appears that the firewall keeps the authenticated session open and allows a new connection straight through.
The config I have is as follows (BTW - we use CSM).
access-list CSM_AAA_AUTHE_INSIDE_LOCAL remark Authenticate outbound FTP access
access-list CSM_AAA_AUTHE_INSIDE_LOCAL extended permit tcp any any eq ftp
!
timeout uauth 0:00:00 absolute uauth 0:05:00 inactivity
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
!
aaa authentication match CSM_AAA_AUTHE_INSIDE_LOCAL INSIDE LOCAL
!
username *********** password **************** encrypted privilege 0
Is there a way to get the scripted FTP sessions to require authentication to the firewall every time they are run, regardless of how often or how frequently they are run? We have some scripted FTP jobs that transfer several MB every few minutes and others that may transfer GB every few hours or each day. Unless the firewall prompt is displayed every time, the scripts fail.
Regards
Mel
04-15-2010 05:26 AM
Unfortunately no. The authentication from the FWSM is only prompted as the user/host establishes the FTP connection (control connection, i.e. TCP/21). If your script is run within the data connection, then the answer is no, you can't invoke the FWSM authentication within your FTP data connection.
04-15-2010 05:43 AM
Thanks for the quick response, but we are not trying to initiate the authentication from the data connection; the control connection initiates it.
What I was trying to say is that we need the authenticated session through the firewall to remain open no matter how long the data transfers take, then to close immediately once the FTP downloads/uploads have finished and the 'bye' command is sent across the control connection from the client (our end) to the server (out on the internet). Then the next time the script runs it is presented with the firewall uauth logon prompt and not connected directly to the FTP server's logon prompt (otherwise the script sends the FWSM uauth username to the FTP server!).
Hope that explains it better.
04-15-2010 05:49 AM
Ahh.. got it.
How often is your script run?
From the timeout output, it seems that the inactivity timeout is set to 5 minutes, so if it doesn't see any traffic from that server for 5 minutes, the uauth should have expired, and the next time you run the script it would have prompted for the FWSM username and password again.
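A way to measure the behaviour described in this reply from the client side, as an added example that is not part of the thread: open an FTP control connection through the firewall, read the 220 greeting, and compare it with the real server's greeting. While the uauth entry for the client's IP is still cached, the firewall passes the connection straight through and the server's own greeting comes back; once the entry has expired, the firewall's prompt appears instead. The probe connections are themselves traffic from that IP, so every probe that finds the cache still valid also renews the inactivity timer; the gaps between probes are therefore doubled until one finally meets the firewall prompt, which brackets the effective inactivity timeout. The host name, the server greeting string and the gap schedule are assumptions for illustration, and the `FakeUauth` class is a constructed model of the firewall so the script runs offline; on the FWSM itself `show uauth` lists the cached entries directly.

```python
"""Bracket how long a cached FWSM/ASA uauth entry survives after the last traffic.

Added example, not code from the thread. Assumes a host behind the firewall has
just authenticated (e.g. a scripted FTP job ran) and an FTP server is reachable
through it whose real 220 greeting is known.
"""
import socket
import time


def read_greeting(host, port=21, timeout=10):
    """Open a control connection, return the first reply line, then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\r\n"):
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return data.decode("ascii", errors="replace").strip()


def make_probe(host, server_greeting):
    """Return a callable that is True while the uauth entry is still cached.

    A cached entry means the firewall lets the control connection straight
    through, so we see the server's own greeting rather than the proxy's.
    """
    def probe():
        return read_greeting(host) == server_greeting
    return probe


def bracket_inactivity_timeout(probe, gaps, sleep=time.sleep):
    """Sleep gap seconds and probe, moving to the next (larger) gap while the
    cache is still valid.  Returns (last_gap_still_cached, gap_that_expired);
    the second value is None if every gap in the schedule was survived."""
    last_ok = 0
    for gap in gaps:
        sleep(gap)
        if probe():
            last_ok = gap          # this probe also renewed the timer
        else:
            return last_ok, gap
    return last_ok, None


class FakeUauth:
    """Constructed offline model of the firewall's per-source-IP uauth cache:
    the entry is created at t=0 and any traffic (including our probes) resets
    the inactivity timer; once it lapses, the next connection is prompted."""

    def __init__(self, inactivity_seconds):
        self.inactivity = inactivity_seconds
        self.now = 0.0
        self.last_seen = 0.0

    def sleep(self, seconds):
        self.now += seconds

    def probe(self):
        if self.now - self.last_seen <= self.inactivity:
            self.last_seen = self.now
            return True
        return False


def demo():
    """Run the bracketing against the model with the thread's 5-minute
    inactivity timeout and a doubling gap schedule starting at 60 s."""
    fw = FakeUauth(inactivity_seconds=300)
    gaps = [60, 120, 240, 480, 960]
    return bracket_inactivity_timeout(fw.probe, gaps, sleep=fw.sleep)


if __name__ == "__main__":
    low, high = demo()
    print(f"uauth entry survived a {low}s gap but not {high}s")
    # Against a real firewall (assumed host/greeting):
    # probe = make_probe("ftp.example.net", "220 ProFTPD Server ready.")
    # print(bracket_inactivity_timeout(probe, [60, 120, 240, 480, 960]))
```

Run against a real firewall, the first probe must happen while the entry is still valid (right after a genuine authenticated session), and the probe host must be the same source IP that authenticated, since the entry is keyed on that address.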
04-15-2010 06:23 AM
The connections are made from many different sources on our network to many different destinations on the internet. Some make connections very frequently, transfer a few Megabytes in a couple of seconds and then close, others open connections less frequently but take much longer because they are transferring Gigabytes of data. Some transfers are triggered when files are updated on servers. Then there are the users doing what they need to do whenever they need to do it.
All a bit random really.
04-15-2010 06:31 AM
If all the connections are that random, the answer is no.
The idea of uauth is to get the user to authenticate just once and get access after the authentication. If a normal user gets prompted for authentication all the time, that will just annoy them.
So unfortunately, in your FTP script scenario, there is nothing to force the authentication every time the FTP connection is triggered, especially when the server is still sending other traffic through the firewall at the same time.
04-15-2010 08:46 AM
Cheers for your help.
After a bit more testing we are seeing the same as you explained. Pity though, we were hoping we had just misunderstood something in the docs. We are migrating from another vendor's firewall that authenticates each FTP session that is opened and we were hoping there was a way to get the FWSM to do the same.
This issue does raise an interesting question: if many users are logged in to a single terminal server and one of them initiates an FTP session that requires authenticating through the FWSM, do all the others get granted FTP access as well? Seems a little insecure to me.
Mel
04-15-2010 03:22 PM
Yes, unfortunately it is more of a per-IP-address authentication. Therefore, if you have a terminal server and multiple users are using it, the first connection through the FWSM will invoke the authentication, and all users will have access from that terminal server.
Again, uauth is a very simple security feature that was introduced a long time ago. If you require more security, you should be looking into a different, more advanced technology (Clean Access solution, etc.). Uauth was introduced when security was still in its early stages.