5-2. Managing Users with a Local Database

You can configure a firewall to control user access by defining users in its local database. This approach assigns a username and password to each end user, so access rights and accounting trails can be granular and specific. Each user must present a unique username when accessing or passing through the firewall. For administrative users, privilege levels can be defined to authorize which firewall commands they may run. User activity can also be tracked and attributed by the unique username.

You can define usernames locally on the firewall if external user management servers (RADIUS, TACACS+, and so on) are unavailable or impractical. Local user management does have limitations, however. Each user's password must be configured and updated on the firewall itself. Usernames must be added and deleted as users join and leave the enterprise. If a consistent user management framework must be used across the network, each user's credentials and access rights must be maintained at every location. Without a central point of management, local user databases do not scale well and become difficult to administer; an account removed from one firewall but forgotten on another is the typical result. Best practice is to use external user management servers first and fall back on the local user database only as a last resort.

Authenticating with Local Usernames

Use the following configuration steps to define usernames locally on the firewall.

1. Define each firewall user:

Firewall(config)# username username [{nopassword | password password} [encrypted]] privilege level

The user identified as username (a text string of up to 15 characters) is given a password with the password keyword. After the password is entered, it is stored automatically in a one-way hashed form (which the firewall calls "encrypted"), so the cleartext string is never displayed in the configuration.
If this command is copied and pasted from one firewall to another, the encrypted keyword tells the firewall that the password string is already in its stored form and must not be hashed again. If you configure a user with the nopassword option, the blank password is still displayed as an encrypted string. Consider this carefully: anyone who knows only the username can log in to the firewall and, depending on the privilege level, make configuration changes. Do not use nopassword for an account that is authenticated for management access.

A privilege level must be given as level (1 to 15), where 15 is the highest level the user is allowed to reach. This limit applies only when enable authentication is configured (see Step 3). Privilege level 1 is the lowest and offers the least capability; at level 15, the user can access and use any command on the firewall platform. All users begin at level 1 when they successfully authenticate. To move to a higher privilege level, users must issue the enable command.

2. Enable local user authentication:

Firewall(config)# aaa authentication {serial | telnet | ssh | http} console LOCAL

You can enable user authentication against the local database for any of the following access methods:

- serial (console connection)
- telnet (Telnet sessions; note that Telnet carries the username and password in cleartext, so prefer SSH for remote management)
- ssh (SSH sessions)
- http (web-based management with PDM or ASDM)

Repeat this command to define local authentication for more than one connection type. The console keyword is always required; it indicates that firewall management sessions (rather than traffic passing through the firewall) are being authenticated. The LOCAL keyword selects the firewall's local username database for authentication.

TIP: It might seem odd to use the aaa command here, because no external AAA server is involved with the local user database. The firewall processes all user management functions involving usernames as AAA functions.
A predefined AAA server group called LOCAL uses the LOCAL "protocol," as if the following command had been entered:

Firewall(config)# aaa-server LOCAL protocol local

Requests that would otherwise go out to an external AAA server are intercepted and handled internally against the local username database.

3. (Optional) Authenticate users for enable mode:

Firewall(config)# aaa authentication enable console LOCAL

By default, privilege level 15 is protected only by the password set with the enable password configuration command. Any user who can successfully authenticate with the firewall can also use the enable command to move to level 15, regardless of the privilege level set for the username, and all users share that one level-15 password. Without this step, the privilege keyword on the username command therefore does not limit anyone.

You can configure enable authentication so that each user must enter his or her own password to reach a higher privilege level. With local authentication, the enable password is the same as the username password for each user. After a user authenticates with that password, the privilege level is changed to the level configured for the username. In other words, the privileged EXEC level is set on a per-user basis; not every user automatically arrives at level 15.

For example, suppose the username userjoe is created with a privilege level limit of 15, and a second user, userbob, has a privilege level limit of 5. Local authentication is used for SSH sessions, and enable authentication is configured locally so that each user's own password moves that user into the respective privilege level:

Firewall(config)# username userjoe password joespasswd privilege 15
Firewall(config)# username userbob password bobspasswd privilege 5
Firewall(config)# aaa authentication ssh console LOCAL
Firewall(config)# aaa authentication enable console LOCAL

User userjoe logs in to the firewall and then moves into his privileged EXEC level (15). Each time, userjoe's username password is used for authentication.
The show curpriv command verifies the user's current identity and privilege level, as shown in the following output:

login as: userjoe
userjoe@192.168.77.14's password:
Type help or '?' for a list of available commands.
Firewall> show curpriv
Username : userjoe
Current privilege level : 1
Current Mode/s : P_UNPR
Firewall> enable
Password: ********
Firewall# show curpriv
Username : userjoe
Current privilege level : 15
Current Mode/s : P_PRIV
Firewall#

Authorizing Users to Access Firewall Commands

Users are authorized to execute firewall commands by comparing their current privilege level with each command's privilege level. If the user's level is greater than or equal to the command's level, the command is allowed; if not, an error is returned.

By default, only a simple authorization test is used. Users at privilege level 1 can use only commands that are set at level 1 (or 0). However, a user who can move to any level greater than 1 can then access every other command, even commands set for level 15. For real granularity, enable local command authorization (Step 3 below). When it is enabled, a strict privilege level comparison is done for every command entered, and users whose privilege level is lower than that of the command they try to use are rejected.

Each firewall command has a privilege level associated with it. Some command keywords can be used in several different modes, such as show (as in show pager), clear (as in clear pager), and configure (as in pager 24 in configuration mode). Each of these is considered a separate command with its own privilege level, so privilege levels are assigned according to the command keyword and the mode in which it is used. EXEC mode commands that run without a show or clear keyword are referenced in configure mode; help is one example. By default, the commands shown in Table 5-1 are accessed with privilege level 0; all other commands default to level 15.

Table 5-1. Commands Accessed with Privilege Level 0

Command | PIX 6.x | PIX 7.x
---|---|---
Firewall> enable | Yes | Yes
Firewall> exit | Yes | Yes
Firewall> quit | Yes | Yes
Firewall> help | Yes | Yes[*]
Firewall> login | Yes | Yes
Firewall> logout | Yes | Yes
Firewall> pager, Firewall> clear pager, Firewall> show pager | Yes | No
Firewall> ping | No | Yes
Firewall> show checksum | Yes | Yes[*]
Firewall> show curpriv | Yes | Yes[*]
Firewall> show history | Yes | Yes[*]
Firewall> show version | Yes | Yes[*]
Firewall> show flash: | No | Yes
Firewall> show debug | No | Yes[*]
[*] Beginning with PIX 7.x, these commands have a default privilege level of 1. Users at the lowest privilege level (1) can still access and use them.

Local user authorization is configured using the following steps:

1. (Optional) Display the current privilege levels for commands:

FWSM 2.x: Firewall# show privilege {all | command command | level level}
PIX 6.x: Firewall# show privilege {all | command command | level level}
PIX 7.x: Firewall# show run all privilege {all | command command | level level}

You can see the current privilege level configured for all possible firewall commands, or for a single command command (only the first keyword is given). You can also see all the commands available to a user at a given privilege level level (0 to 15). The default privilege levels are not shown in the configuration file; beginning with PIX 7.x, you can see the default settings for any command with the show run all command.

2. Set a command's privilege level:

FWSM 2.x: Firewall(config)# privilege {show | clear | configure} level level [mode {enable | configure}] command command
PIX 6.x: Firewall(config)# privilege {show | clear | configure} level level [mode {enable | configure}] command command
PIX 7.x: Firewall(config)# privilege [show | clear | cmd] level level [mode mode] command command
For the mode (show, clear, or configure) of the command keyword command, a new privilege level (0 to 15) is assigned. Beginning with PIX 7.x, configure mode is known only as cmd mode. Some commands can also be used in several submodes within a single mode. In PIX 6.3, for example, the clear logging command can be run from enable mode or configure mode; in either case the logging buffer is cleared, but you might want to restrict the command in one mode and not the other.

Beginning with PIX 7.x, you can set command privilege levels with greater granularity: the mode keyword identifies the specific mode or submode in which the command keyword is used. The mode parameter can be any one of the keywords shown in Table 5-2, which usually match the text shown in the configuration mode prompt.

Table 5-2. PIX 7.x Privileged Command Mode Values

mode Keyword | Mode Description
---|---
aaa-server-group | AAA server group configuration mode
aaa-server-host | AAA server host configuration mode
config-group-webvpn | group-policy webvpn configuration mode
config-username-webvpn | username webvpn configuration mode
configure | Global configuration mode
context | Context configuration mode
crypto-ca-cert-chain | Crypto certificate entry mode
crypto-ca-cert-map | Certificate map entry mode
crypto-ca-crl | Certificate authority trustpoint CRL entry mode
crypto-ca-trustpoint | Certificate authority trustpoint entry mode
crypto-pubkey | Crypto subsystem public key entry mode
enable | EXEC mode (the keyword is converted to exec)
exec | EXEC mode
fover_group | Failover user group configuration mode
ftp-map | ftp-map configuration mode
group-policy | group-policy attribute configuration mode
gtpmap | GTP class map configuration mode
http-map | http-map configuration mode
icmp-object-group | ICMP-type object group configuration mode
imaps | imap4s configuration mode
interface | Interface configuration mode
mgcp-map | mgcp-map configuration mode
network-object-group | Network object group configuration mode
pop3s | pop3s configuration mode
priority-queue | priority-queue configuration mode
protocol-object-group | Protocol object group configuration mode
qosclassmap | QoS class map configuration mode
qospolicymap | QoS policy map configuration mode
qospolicymapclass | QoS policy map class configuration mode
route-map | Route map configuration mode
router | Router configuration mode
routing | Routing configuration mode
service-object-group | Service object group configuration mode
smtps | smtps configuration mode
snmp-map | snmp-map configuration mode
subinterface | Subinterface configuration mode
tcp-map | tcp-map configuration mode
trange | time-range configuration mode
tunnel-group-general | tunnel-group general attribute configuration mode
tunnel-group-ipsec | tunnel-group IPSec attribute configuration mode
tunnel-group-ppp | tunnel-group PPP attribute configuration mode
username | username attribute configuration mode
vpn-load-balancing | Configure VPN load balancing
webvpn | WebVPN configuration mode
For example, users at or above level 8 can be allowed to display the connection table entries:

Firewall(config)# privilege show level 8 command conn

PIX 7.x also accepts this command as

Firewall(config)# privilege show level 8 mode exec command conn

3. Enable local command authorization:

Firewall(config)# aaa authorization command LOCAL

Each time a user attempts to use a firewall command, the firewall authorizes the user against the local privilege configuration commands.

Accounting of Local User Activity

With local user authentication and authorization, user accounting can be performed only through the logging function. Make sure that the following Syslog message IDs are enabled so that they can serve as an audit trail of user activity. The default severity levels are shown in parentheses:

611101 (6) Successful user authentication
611102 (6) Failed user authentication
502103 (5) User changed privilege levels
111008 (5) User executed the command text
111009 (7) User executed the command show text
611103 (5) User logged out

Two practical points follow from this list. Message 111009 is generated at severity 7 (debugging), so a logging destination set to a lower level never receives the show commands; raise that destination's level if you want them in the trail. And because the audit trail is only as durable as the log destination, send it to an external syslog server: the internal logging buffer is lost when the firewall is reloaded, which is exactly what happens in the scenario below.

For example, suppose someone managed to log in to a firewall, clear its configuration, and reload it. If Syslog were configured on the firewall, you might be able to find an audit trail with clues as to who took those actions. In the following output, a user named userjane has authenticated, used the enable command to move into privilege level 15, cleared the configuration, and reloaded the firewall:

%ASA-6-109005: Authentication succeeded for user 'userjane' from 172.28.4.41/0 to 10.1.1.10/24 on interface outside
%ASA-6-611101: User authentication succeeded: Uname: userjane
%ASA-5-502103: User priv level changed: Uname: userjane From: 1 To: 15
%ASA-5-111008: User 'userjane' executed the 'enable' command.
%ASA-7-111009: User 'userjane' executed cmd: show clock
%ASA-5-111008: User 'userjane' executed the 'write erase' command.
%ASA-5-111008: User 'userjane' executed the 'reload' command.
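The difference between the default authorization test and the strict per-command comparison enabled by aaa authorization command LOCAL (described under Authorizing Users to Access Firewall Commands, Steps 1 to 3) is easy to get wrong when reviewing a configuration. The following Python model is an added example, not code from the book or from Cisco: it parses privilege lines in the PIX 7.x form, applies the default levels from Table 5-1 (PIX 7.x column), and answers whether a user at a given level may run a command under each test. The configuration text it reads is constructed for the userbob scenario above; the function and variable names are the example's own.

```python
"""Model of local command authorization on a PIX/ASA-style firewall.

Added example, not code from the book or from Cisco. It parses `privilege`
lines in the PIX 7.x form and answers whether a user at a given privilege
level may run a command, under both the default test and the strict test
that `aaa authorization command LOCAL` enables.
"""
import re

# Default levels, constructed from the PIX 7.x column of Table 5-1. Every
# command not listed defaults to level 15. Keys are (kind, command), where
# kind is "show", "clear" or "cmd" (cmd is what PIX 6.x called configure).
DEFAULT_LEVELS = {
    ("cmd", "enable"): 0, ("cmd", "exit"): 0, ("cmd", "quit"): 0,
    ("cmd", "login"): 0, ("cmd", "logout"): 0, ("cmd", "ping"): 0,
    ("show", "flash:"): 0,
    ("cmd", "help"): 1, ("show", "checksum"): 1, ("show", "curpriv"): 1,
    ("show", "history"): 1, ("show", "version"): 1, ("show", "debug"): 1,
}

# privilege [show | clear | cmd] level N [mode M] command C
PRIV_RE = re.compile(
    r"^\s*privilege(?:\s+(?P<kind>show|clear|cmd))?\s+level\s+(?P<level>\d{1,2})"
    r"(?:\s+mode\s+(?P<mode>\S+))?\s+command\s+(?P<cmd>\S+)\s*$"
)


def parse_privilege_config(config_text):
    """Build {(kind, command, mode): level} from the privilege lines in a config.

    mode is None when no mode keyword was given, meaning the level applies
    in every mode. Other configuration lines are ignored.
    """
    table = {}
    for line in config_text.splitlines():
        m = PRIV_RE.match(line)
        if m is None:
            continue
        level = int(m.group("level"))
        if not 0 <= level <= 15:
            raise ValueError(f"privilege level out of range: {line.strip()!r}")
        mode = m.group("mode")
        if mode == "enable":        # the firewall stores 'enable' as 'exec'
            mode = "exec"
        table[(m.group("kind") or "cmd", m.group("cmd"), mode)] = level
    return table


def command_authorization_enabled(config_text):
    """True if the config turns on strict, per-command local authorization."""
    return any(re.match(r"^\s*aaa authorization command LOCAL\s*$", line)
               for line in config_text.splitlines())


def command_level(table, kind, cmd, mode="exec"):
    """Most specific configured level wins, then the built-in default, else 15."""
    for key in ((kind, cmd, mode), (kind, cmd, None)):
        if key in table:
            return table[key]
    return DEFAULT_LEVELS.get((kind, cmd), 15)


def authorize(table, user_level, kind, cmd, mode="exec", strict=False):
    """Decide whether a user at user_level may run `kind cmd` in `mode`.

    strict=False is the default behaviour described in the text: a level-1
    user gets only level 0 and 1 commands, but any user above level 1 may
    run anything, even level-15 commands. strict=True models
    `aaa authorization command LOCAL`: the user's level must be at least
    the command's level.
    """
    needed = command_level(table, kind, cmd, mode)
    if strict:
        return user_level >= needed
    return user_level > 1 or needed <= user_level


if __name__ == "__main__":
    # Constructed configuration for the userbob (level 5) scenario in the text.
    config = """\
username userbob password bobspasswd privilege 5
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
privilege show level 8 mode exec command conn
aaa authorization command LOCAL
"""
    table = parse_privilege_config(config)
    strict = command_authorization_enabled(config)
    for level in (1, 5, 8):
        for kind, cmd in (("show", "version"), ("show", "conn"), ("cmd", "write")):
            ok = authorize(table, level, kind, cmd, strict=strict)
            print(f"level {level:2d} {kind} {cmd:<8} -> {'permit' if ok else 'deny'}")
```

Run it with and without the aaa authorization command LOCAL line in the constructed config: without it, userbob at level 5 is permitted show conn (level 8) and even write (level 15), which is the hole the text warns about; with it, only a user at level 8 or above gets show conn.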
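Reading the audit trail under Accounting of Local User Activity by eye works for one session; for a real incident you want the six message IDs turned into per-user events. The following Python script is an added example, not code from the book or from Cisco: it parses those messages, groups them by username, and flags commands that erase the configuration or reload the firewall. The sample log is constructed from the messages quoted above; the wording assumed for 611102 and 611103 is patterned after 611101 and is an assumption, as is the list of destructive command prefixes.

```python
"""Reconstructing an audit trail from PIX/ASA local-user syslog messages.

Added example, not from the book or Cisco. It parses the six message IDs
listed in the text (611101, 611102, 502103, 111008, 111009, 611103), groups
them per username, and flags commands that wipe or restart the firewall.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the messages quoted in the text. The exact
# wording of 611102 and 611103 is an assumption patterned after 611101.
SAMPLE_LOG = """\
%ASA-6-109005: Authentication succeeded for user 'userjane' from 172.28.4.41/0 to 10.1.1.10/24 on interface outside
%ASA-6-611102: User authentication failed: Uname: userjane
%ASA-6-611101: User authentication succeeded: Uname: userjane
%ASA-5-502103: User priv level changed: Uname: userjane From: 1 To: 15
%ASA-5-111008: User 'userjane' executed the 'enable' command.
%ASA-7-111009: User 'userjane' executed cmd: show clock
%ASA-5-111008: User 'userjane' executed the 'write erase' command.
%ASA-5-111008: User 'userjane' executed the 'reload' command.
%ASA-6-611101: User authentication succeeded: Uname: userbob
%ASA-7-111009: User 'userbob' executed cmd: show version
%ASA-5-611103: User logged out: Uname: userbob
"""

# %<platform>-<severity>-<message id>: <text>
HEADER_RE = re.compile(r"^%(?:ASA|PIX|FWSM)-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")

# Message ID -> (event kind, regex over the message text)
EVENT_PATTERNS = {
    "611101": ("auth_ok",   re.compile(r"Uname: (?P<user>\S+)")),
    "611102": ("auth_fail", re.compile(r"Uname: (?P<user>\S+)")),
    "502103": ("priv",      re.compile(r"Uname: (?P<user>\S+) From: (?P<frm>\d+) To: (?P<to>\d+)")),
    "111008": ("cmd",       re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>[^']+)' command")),
    "111009": ("cmd",       re.compile(r"User '(?P<user>[^']+)' executed cmd: (?P<cmd>.+?)\s*$")),
    "611103": ("logout",    re.compile(r"Uname: (?P<user>\S+)")),
}

# Commands that erase the configuration or restart the box (constructed list).
DESTRUCTIVE_PREFIXES = ("write erase", "reload", "clear configure")


def parse_events(log_text):
    """Turn raw syslog lines into event dicts, in the order they were logged.

    Messages with IDs outside the audit set (such as 109005) are skipped,
    as are lines whose text does not match the expected wording, rather
    than guessing at a username.
    """
    events = []
    for line in log_text.splitlines():
        h = HEADER_RE.match(line)
        if h is None or h.group("id") not in EVENT_PATTERNS:
            continue
        kind, pattern = EVENT_PATTERNS[h.group("id")]
        m = pattern.search(h.group("text"))
        if m is None:
            continue
        events.append({"kind": kind, "id": h.group("id"),
                       "severity": int(h.group("sev")), **m.groupdict()})
    return events


def sessions_by_user(events):
    """Summarise per user: failed logins, highest level reached, commands, logout."""
    summary = defaultdict(lambda: {"auth_failures": 0, "max_level": None,
                                   "commands": [], "logged_out": False})
    for ev in events:
        s = summary[ev["user"]]
        if ev["kind"] == "auth_fail":
            s["auth_failures"] += 1
        elif ev["kind"] == "priv":
            s["max_level"] = max(s["max_level"] or 0, int(ev["to"]))
        elif ev["kind"] == "cmd":
            s["commands"].append(ev["cmd"])
        elif ev["kind"] == "logout":
            s["logged_out"] = True
    return dict(summary)


def destructive_actions(events):
    """(user, command) pairs for commands that wipe or restart the firewall."""
    return [(ev["user"], ev["cmd"]) for ev in events
            if ev["kind"] == "cmd" and ev["cmd"].startswith(DESTRUCTIVE_PREFIXES)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, s in sessions_by_user(evs).items():
        print(f"{user}: failures={s['auth_failures']} max_level={s['max_level']} "
              f"commands={s['commands']} logged_out={s['logged_out']}")
    print("destructive:", destructive_actions(evs))
```

Feed it a syslog server's export instead of SAMPLE_LOG to get the same per-user summary; because 111009 arrives at severity 7, the show clock entry in the trail will be missing unless the destination's logging level includes debugging.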