Chapter 5. Managing Firewall Users

Refer to the following sections for information about these topics:

5-1: Managing Generic Users
    Covers how default "generic" or ambiguous users can be allowed to connect to a firewall and execute commands or make configuration changes.

5-2: Managing Users with a Local Database
    Presents methods to configure unique usernames locally on the firewall. You can then manage these users' privileges and monitor their activity.

5-3: Defining AAA Servers for User Management
    Discusses external servers that can be used to authenticate, authorize, and keep accounting records about user activity on and through a firewall.

5-4: Configuring AAA to Manage Administrative Users
    Explains the configuration steps needed to offload user management functions when administrative users connect to a firewall.

5-5: Configuring AAA for End-User Cut-Through Proxy
    Covers the methods that can be used to authenticate users initiating connections through a firewall and to authorize their ability to do so.

5-6: Firewall Password Recovery
    Discusses procedures that can be used to recover or bypass a firewall's privileged user password when it is lost or forgotten.

Although its primary function is to provide and enforce security policies at the boundaries of networks, a Cisco firewall also supports several methods to manage users who interact with it. Firewall users fall into the following general categories:

Administrative users
    Users who can open administrative sessions with the firewall to make configuration changes or to monitor activity. These users can connect to the firewall through the console, Telnet, Secure Shell (SSH), or the PIX Device Manager (PDM)/Adaptive Security Device Manager (ASDM) application.

End users
    Users who need to open connections through the firewall. These connections can use various protocols, all of which are ultimately inspected by the firewall. When the user first initiates a connection, the firewall intervenes with an authentication challenge. If the user successfully authenticates, that connection is opened. Through the cut-through proxy feature, the firewall opens future connections for that user without any intervention.

VPN users
    Remote-access users who need to open VPN client connections to the firewall. The firewall can use extended authentication (xauth) to authenticate the users before the VPN connections are completed.

Firewalls can perform three basic operations to manage any user's access:

Authentication
    A user's identity is verified against known credentials.

Authorization
    A user's privileges are predefined and approved by a third party.

Accounting
    A user's activity is recorded for auditing or billing purposes.

Finally, a Cisco firewall can support several levels of user management, based on the amount of control and security that is required. For example, a firewall can authenticate a user based on a generic password only, against a local or internal user database, or against databases maintained on external servers.

When users log into a firewall, they are assigned a privilege level from 1 to 15 (0 is available, but is not used). User authentication and privilege levels are used for all management interfaces:

- By default, users begin at level 1 and move to level 15 only when they successfully enter privileged EXEC or enable mode.
- Firewall commands are also given various privilege levels, so users can run only commands that are at the same level as or at a lower level than their own.
- By default, all firewall commands (both EXEC and configuration) are given privilege level 0 (the lowest) or 15 (the highest). Additional levels between 0 and 15 can be defined if the user community needs to be segmented further.
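As an added example (it is not part of the chapter text), the following PIX 7.x/ASA-style configuration fragment shows how the privilege model just described is expressed on the command line: two local accounts bound to different levels, one show command moved from its default level down to an intermediate level, and the AAA statements that make the firewall actually enforce those levels against the local database (the approach that Section 5-2 covers). The usernames, passwords and the choice of level 5 are constructed placeholders.

```cisco
! Added example configuration, not from the chapter. Usernames, passwords
! and the level-5 assignment are constructed placeholders.

! System enable password; used when enable mode is not tied to AAA.
enable password Str0ngEnablePwd!

! Local user accounts. The privilege keyword sets the level (1 to 15) the
! user receives after successfully entering enable mode.
username fw-admin password Adm1nPwd! privilege 15
username helpdesk password Help1Pwd! privilege 5

! Every command defaults to level 0 or 15. Moving one show command down
! to level 5 lets the helpdesk account run it without full privileged
! access; configuration mode (configure) stays at its default level 15,
! so a level-5 user cannot change the configuration.
privilege show level 5 command running-config

! Authenticate management sessions against the local user database.
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL

! Make the enable command check the local user's own password, so the
! session lands at that user's privilege level rather than level 15.
aaa authentication enable console LOCAL

! Without command authorization the per-user levels are stored but not
! checked on each command; this line turns the level comparison on.
aaa authorization command LOCAL
```

With this in place, the helpdesk account can log in over SSH, enter enable with its own password, and run show running-config, but any command still at level 15 is rejected. Keep at least one level-15 local account (fw-admin here) before enabling command authorization, or the firewall can lock out all administrative changes.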