Friday, 5 February 2016

Setting up AAA with the ASA 5505/5510

TACACS provides support for many different databases - including LDAP, Local Databases, Kerberos and quite a few more.

Although not all of them are supported when coupled with some scenerios - Cisco provides a good compatability matrix here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/access_aaa.html#wp1039490

To setup TACAS we must firstly define a server group. When defining a server group you must also specificy a protocol that all of the servers within that group will use:

aaa-server TACACSServer protocol tacacs+
reactivation-mode timed

and to define a TACACS+ server within the group we can issue:

aaa-server TACACSServer (management) host 192.168.50.254 tacacs-key timeout 3
key 0 mysharedkey

We can view the status of RADIUS with:

show aaa-server proto tacacs

When AAA is being utilized the ASA will go through the server group until it is successfully able to reach one of the servers defined. If in the event that it that it does not find any working server the server group deactivate for a set period of time - 30 seconds.

Although you can instruct AAA to fallback to the ASA's local user database with:

aaa authentication ssh console TACACSServer LOCAL
aaa authentication serial console TACACSServer LOCAL

You also need to explicitly apply management authorization for users using AAA - this is to ditinguish a typical VPN user and an administrator of the ASA:

username admin password password privilege 15
aaa authorization exec authentication-server
username myuser password mypassword
username myuser attributes
service-type nas-prompt

Note: For AAA local users that are accessing the ASA via serial do not need to be part of management authorization.


0 comments:

Post a comment