Configuring Authentication of Administrative Sessions

Cisco ASA supports authentication of administrative sessions using a local user database, a RADIUS server, or a TACACS+ server. An administrator can connect to the Cisco ASA via

If connecting via Telnet or SSH, the user can retry authentication three times in case of user error. After the third time, the authentication session and connection to the Cisco ASA are closed. Authentication sessions via the console prompt the user continuously until the correct username and password are entered.

Before you start the configuration, you must decide which user database you will use (local or external AAA server). If you are using an external AAA server, configure the AAA server group and host, as covered in the previous section. You can then use the aaa authentication command to require authentication when accessing the Cisco ASA for administration. This section teaches you how to configure authentication for each type of connection.

Authenticating Telnet Connections

You can enable Telnet access to the Cisco ASA on any internal interface; Telnet sessions to the outside interface are allowed only over an established IPSec connection. Example 7-9 includes the commands necessary to configure Telnet access using a local username and password.

Example 7-9. Authenticating Telnet Connections

Chicago# configure terminal
Chicago(config)# username admin password cisco
Chicago(config)# aaa authentication telnet console LOCAL
Chicago(config)# telnet 192.168.10.0 255.255.255.0 inside
Chicago(config)# exit

In Example 7-9, a user called admin can be authenticated successfully when connecting via Telnet to the inside interface, and only from network 192.168.10.0/24. The keyword LOCAL specifies that the local user database on the Cisco ASA is used. This keyword can also be appended after a server group name to enable fallback to the local database if the configured authentication server is unavailable.

Note

Do not confuse the keyword console with the serial console on the Cisco ASA. This keyword is used to force the Cisco ASA to require AAA authentication for any client trying to connect to it via Telnet, serial console, HTTP, or SSH. Telnet is used in Example 7-9.


Authenticating SSH Connections

To enable SSH on Cisco ASA, you configure a host name and domain name before generating the RSA key pair used by SSH. Example 7-10 shows how to generate the RSA key pair and enable SSH version 2 connections from any systems on the inside interface.

Example 7-10. Generating RSA Key Pair and Enabling SSH Version 2

Chicago# configure terminal
Chicago(config)# hostname ASA
Chicago(config)# domain-name cisco.com
Chicago(config)# crypto key generate rsa modulus 2048
INFO: The name for the keys will be: ASA.cisco.com
Keypair generation process begin.
Chicago(config)# ssh 0.0.0.0 0.0.0.0 inside
Chicago(config)# ssh version 2

After the RSA key pair has been generated and SSH has been enabled, complete your AAA server group and host configuration. In this example, a CiscoSecure ACS server (configured for TACACS+) is used for authentication. Enable SSH authentication as shown in Example 7-11.

Example 7-11. Configuring SSH Authentication to a TACACS+ Server

Chicago# configure terminal
Chicago(config)# aaa-server mygroup protocol tacacs+
Chicago(config-aaa-server)# max-failed-attempts 2
Chicago(config-aaa-server)# reactivation-mode timed
Chicago(config-aaa-server)# exit
Chicago(config)# aaa-server mygroup host 172.18.173.109
Chicago(config-aaa-server)# key cisco123
Chicago(config-aaa-server)# exit
Chicago(config)# aaa authentication ssh console mygroup
Chicago(config)# exit

In Example 7-11, the AAA server group is labeled as mygroup. The TACACS+ server's IP address is 172.18.173.109 and is configured with a shared secret of cisco123.

Complete the following steps to add Cisco ASA as a NAS in the CiscoSecure ACS:

Step 1. Log into the CiscoSecure ACS administration console.

Step 2. Click the Network Configuration tab from the navigation bar.

Step 3. Under AAA Clients, click Add Entry.

Step 4. Enter the Cisco ASA information as shown in Figure 7-4.

Figure 7-4. Adding Cisco ASA as a NAS in ACS


The AAA Client Hostname is the name given to the AAA client. The IP address of the interface from which the Cisco ASA sources its TACACS+ packets (172.18.173.8) is entered under the AAA Client IP Address section. The Key is the shared secret that the Cisco ASA and CiscoSecure ACS use to encrypt their communication.

Tip

The shared key must be configured identically in both devices (key is case sensitive).


Authenticating Serial Console Connections

To configure authentication of serial console connections, use the aaa authentication serial console command. Be aware that you can get locked out of the Cisco ASA easily with any misconfiguration. Example 7-12 demonstrates how to configure serial console authentication using the AAA server group previously configured.

Example 7-12. Configuring Serial Console Authentication

Chicago(config)# aaa authentication serial console mygroup

Tip

Establishing two separate sessions to the Cisco ASA is always recommended when configuring AAA authentication, so that you do not get locked out of the CLI. Open one session over Telnet or SSH and a second one on the serial console of the Cisco ASA. One of the sessions can be disconnected once the configuration is verified and tested.

If the administrator is locked out of the security appliance, follow the password recovery procedure discussed in Chapter 4, "Initial Setup and System Maintenance."


Authenticating Cisco ASDM Connections

The aaa authentication http console command can be configured to require authentication for Cisco ASDM users. Example 7-13 demonstrates how to configure ASDM authentication using the AAA server group previously configured.

Example 7-13. Configuring HTTP Authentication for ASDM Users

Chicago(config)# aaa authentication http console mygroup

If this command is not configured, Cisco ASDM users can gain access to the ASA by entering only the enable password, and no username, at the authentication prompt.
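The checks described across Examples 7-9 to 7-13 and the lockout tip (a LOCAL fallback behind each aaa authentication console rule, and an aaa authentication http console rule so that ASDM is not reachable with the enable password alone) can be run over a saved running-config. The following is an added Python example, not from the book or from Cisco; SAMPLE_CONFIG is a constructed excerpt, and the regular expressions assume the command syntax shown in the examples above.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt (not captured from a real device). It mirrors
# Examples 7-9 to 7-13 but omits the HTTP/ASDM rule, SSHv2 and any LOCAL fallback.
SAMPLE_CONFIG = """\
hostname ASA
domain-name cisco.com
username admin password cisco
aaa-server mygroup protocol tacacs+
aaa-server mygroup host 172.18.173.109
telnet 192.168.10.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 inside
http 192.168.10.0 255.255.255.0 inside
aaa authentication telnet console LOCAL
aaa authentication ssh console mygroup
aaa authentication serial console mygroup
"""

# aaa authentication <type> console <group> [LOCAL]
AUTH_RE = re.compile(r"^aaa authentication (telnet|ssh|serial|http) console (\S+)(?: (LOCAL))?$")
# Lines that permit an access type from an address/mask on an interface.
ACCESS_RE = {"telnet": re.compile(r"^telnet \d"),
             "ssh": re.compile(r"^ssh \d"),
             "http": re.compile(r"^http \d")}


def audit_admin_auth(config: str) -> List[str]:
    """Return findings on how administrative sessions are authenticated."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    rules: Dict[str, Tuple[str, bool]] = {}  # type -> (server group, LOCAL fallback?)
    for line in lines:
        m = AUTH_RE.match(line)
        if m:
            rules[m.group(1)] = (m.group(2), m.group(3) == "LOCAL")
    findings: List[str] = []
    for kind, pat in ACCESS_RE.items():
        if any(pat.match(l) for l in lines) and kind not in rules:
            if kind == "http":
                findings.append("http: no 'aaa authentication http console'; "
                                "ASDM users need only the enable password")
            else:
                findings.append(f"{kind}: access permitted but no 'aaa authentication {kind} console' rule")
    if any(ACCESS_RE["ssh"].match(l) for l in lines) and "ssh version 2" not in lines:
        findings.append("ssh: 'ssh version 2' not set")
    for kind, (group, fallback) in rules.items():
        if group != "LOCAL" and not fallback:
            findings.append(f"{kind}: server group {group} has no LOCAL fallback; "
                            "lockout if the AAA server is unreachable")
    return findings
```

Running audit_admin_auth(SAMPLE_CONFIG) reports the missing HTTP rule, the missing SSHv2 setting, and the absent LOCAL fallback on the ssh and serial rules.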
