Lab Visual Objective

(Figure: lab topology. Elements shown: Perimeter router, PIX Firewall, Backbone server (Web/FTP/TFTP), Pod DMZ server (Web/FTP), AAA server, Student workstation. P = your pod number; all netmasks = 255.255.255.0.)

©2000, Cisco Systems,

Task 1: Install Cisco Secure ACS for Windows NT Server

Perform the following steps to install Cisco Secure ACS on your Windows NT server:

Step 1 Install Cisco Secure ACS on your Windows NT server from the CD-ROM or from the files on your hard drive, as indicated by the instructor.

■ When installing from the CD-ROM, complete the following:

– Windows NT automatically starts the autorun.exe program and prompts you to install Cisco Secure ACS.

– Click Install to start the installation process.

■ When installing from files on your hard drive, complete the following:

– Open the folder where the installation files are located and double-click the setup.exe program to start installation.

– Or choose Start>Run..., enter setup.exe with the full path to the file, and start installation.

Step 2 Click ACCEPT to accept the Software License Agreement.

Step 3 Read the Welcome panel. Click Next to continue.

Step 4 Read and check all four items in the Before You Begin panel. This is a reminder of things you should do prior to installation. Click Next to continue.

Step 5 Use the default installation folder indicated in the Choose Destination Location panel. Click Next to continue.

Step 6 Verify that "Check the Cisco Secure ACS database only" is already selected in the Authentication Database Configuration panel. Click Next to continue.

Step 7 Enter the following information in the Cisco Secure ACS Network Access Server Details panel:

■ Authenticate users: TACACS+ (Cisco)

■ Access server name: pixP (where P = pod number)

■ TACACS+ or RADIUS key: secretkey

The key entered here must be identical to the one you configure on the PIX Firewall in Task 3; if the two differ, every authentication request from the PIX fails.

Step 8 Click Next to start the file installation process.

Step 9 Select all six items displayed in the Advanced Options panel. Click Next to continue.

Step 10 Verify that Enable Log-in Monitoring is already selected in the Active Service Monitoring panel. Click Next to continue.

CAUTION Do not select "Yes, I want to configure Cisco IOS software now" in the "Network Access Server Configuration" panel; this option applies only to Cisco IOS routers, not to the PIX Firewall.

Step 11 Click Nextto continue.

Step 12 Verify that the following are already selected in the Cisco Secure ACS Service Initiation panel:

■ Yes, I want to start the Cisco Secure ACS Service now

■ Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation

Note Do not select "Yes, I want to review the Readme file."

Step 13 Click Next to start the Cisco Secure ACS service.

Step 14 Read the Setup Complete panel and then click Finish to end the installation wizard and start your web browser with Cisco Secure ACS.

Task 2: Add a User to the Cisco Secure ACS Database

Perform the following steps to add a user to the Cisco Secure ACS database in your Windows NT server:

Step 1 The Cisco Secure ACS interface should now be displayed in your web browser. Click User Setup to open the User Setup interface.

Step 2 Add a user by entering aaauser in the user field.

Step 3 Click Add/Edit to go into the user information edit window.

Step 4 Give the user a password by entering aaapass in both the Password and Confirm Password fields.

Step 5 Click Submit to add the new user to the Cisco Secure ACS database. Wait for the interface to return to the User Setup main window.

Task 3: Identify a AAA Server and Protocol

Perform the following steps to identify a AAA server and a AAA protocol on the PIX Firewall:

Step 1 Create a group tag called MYTACACS and assign the TACACS+ protocol to it:

pixfirewall(config)# aaa-server MYTACACS protocol tacacs+

Step 2 Assign the Cisco Secure ACS IP address and the encryption key secretkey to the group:

pixfirewall(config)# aaa-server MYTACACS (inside) host 10.0.P.3 secretkey

(where P = pod number)

The key is the last token on the line, so do not end it with punctuation; it must match the key entered in Task 1, Step 7 exactly, because every TACACS+ packet body between the PIX and ACS is obfuscated with it.

Step 3 Verify your configuration:

pixfirewall(config)# show aaa-server
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.P.3 secretkey timeout 5
aaa-server RADIUS protocol radius

(where P = pod number)

MYTACACS is the group you just created, with the ACS host reachable through the inside interface and the default 5-second timeout; RADIUS is a predefined group the PIX shows even though you have not configured a host for it.
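The shared key set in this task (and in Task 1, Step 7) is what the PIX and ACS use to hide every TACACS+ packet body: each side derives an MD5 keystream from the session ID, the key, the version byte and the sequence number, and XORs the body with it (RFC 8907, section 4.5). The following Python script is an added illustration, not Cisco code and not part of this lab: it builds the Authentication START packet the PIX would send for user aaauser and parses it back the way ACS would. The session ID, the port string "tty0" and the remote address are made-up values; only the key secretkey and the user name come from the lab. Note that this is obfuscation, not authenticated encryption: anyone who can capture PIX-to-ACS traffic and knows or guesses the key recovers the credentials, and a wrong key simply produces a body whose length fields do not add up, which is what the key mismatch warned about above looks like on the ACS side.

```python
import hashlib
import struct

# TACACS+ constants (RFC 8907).
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01                 # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01           # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
START_FMT = "!BBBBBBBB"                # action, priv_lvl, authen_type, service, 4 length bytes
START_LEN = struct.calcsize(START_FMT)

SHARED_KEY = b"secretkey"              # the key from Task 1 Step 7 / Task 3 Step 2


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream per RFC 8907 4.5: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1); concatenated, then cut to length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. Applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key=SHARED_KEY):
    """Authentication START (seq_no 1), as the PIX sends it to the ACS server."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    seq_no = 1
    u, p, r, data = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack(START_FMT, TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    body += u + p + r + data
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key=SHARED_KEY):
    """Decode a START packet the way the ACS side does. With the wrong key the
    de-obfuscated length bytes do not add up, so the mismatch is detected."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or length < START_LEN:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ulen, plen, rlen, dlen = struct.unpack(START_FMT, body[:START_LEN])
    if START_LEN + ulen + plen + rlen + dlen != length:
        raise ValueError("length fields do not match body: wrong key or corrupt packet")
    off, fields = START_LEN, []
    for n in (ulen, plen, rlen):
        fields.append(body[off:off + n].decode("latin-1"))
        off += n
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": fields[0], "port": fields[1], "rem_addr": fields[2]}


if __name__ == "__main__":
    # Session ID, port and remote address are assumed values, not from the lab.
    pkt = build_authen_start("aaauser", "tty0", "10.0.1.3", 0x1A2B3C4D)
    print(pkt.hex())
    print(parse_authen_start(pkt))
    try:
        bad = parse_authen_start(pkt, b"wrongkey")
        print("wrong key decoded garbage:", bad["user"])
    except ValueError as exc:
        print("wrong key:", exc)
```

The PIX also sends a CONTINUE carrying the password (seq_no 3) after the ACS REPLY, using the same pad construction with the new sequence number; only the START is shown here because it is enough to see that the key, not the protocol, is the whole secret.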

Task 4: Configure and Test Inbound Authentication

Perform the following steps to enable the use of inbound authentication on the PIX Firewall:

Step 1 Configure the PIX Firewall to require authentication for all inbound traffic, using the MYTACACS server group defined in Task 3:

pixfirewall(config)# aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

The four 0.0.0.0 fields are local address, local mask, foreign address and foreign mask; all zeros matches every host on both sides, which is convenient in the lab but would normally be narrowed in production.

Step 2 Verify your configuration:

pixfirewall(config)# show aaa authentication
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

Step 3 Enable console logging of all messages:

pixfirewall(config)# logging console debug

Note If your web browser is open, close it. Choose File>Close from the web browser's menu.

Step 4 Test inbound web authentication from a peer pod. Open your web browser and go to a peer's DMZ web server:

http://192.168.Q.11

(where Q = peer pod number)

Step 5 When the web browser prompts you, enter aaauser for the username and aaapass for the password. On your PIX Firewall console, you should see the following:

109001: Auth start for user '???' from 192.168.Q.10/1726 to 10.0.P.2/80
109011: Authen Session Start: user 'aaauser', sid 0
109005: Authentication succeeded for user 'aaauser' from 10.0.P.2/80 to 192.168.Q.10/1921 on interface outside
302001: Built outbound TCP connection 3928 for faddr 192.168.Q.10/1921 gaddr 192.168.P.10/80 laddr 10.0.P.3/80 (aaauser)

(where P = pod number, and Q = peer pod number)

Step 6 After a peer successfully authenticates to your PIX Firewall, display your PIX Firewall authentication statistics:

pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'aaauser' at 192.168.Q.10, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

(where Q = peer pod number)

Task 5: Configure and Test Outbound Authentication

Perform the following steps to enable the use of outbound authentication on the PIX Firewall:

Step 1 Configure the PIX Firewall to require authentication for all outbound traffic:

pixfirewall(config)# aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

Step 2 Verify your configuration:


pixfirewall(config)# show aaa authentication
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

Step 3 Test FTP outbound authentication from your Windows NT server. Because FTP is authenticated through the PIX cut-through proxy, you give both credentials at once in the form firewall-user@ftp-user and firewall-password@ftp-password; the PIX authenticates the first part against MYTACACS and passes the second part to the FTP server:

ftp 172.30.1.50
Connected to 172.30.1.50.
220-FTP authentication :
220
User (172.30.1.50:(none)): aaauser@ftpuser
331-Password:
331
Password: aaapass@<password for ftpuser>
230-220 172.30.1.50 FTP server ready.
331-Password required for ftpuser
230-User ftpuser logged in.
230
ftp>

(where the part after @ in the password is the FTP server's own password for ftpuser)

On your PIX Firewall console, you should see the following:

109001: Auth start for user '???' from 10.0.P.3/1726 to 172.30.1.50/21
109011: Authen Session Start: user 'aaauser', sid 11
109005: Authentication succeeded for user 'aaauser' from 10.0.P.3/1726 to 172.30.1.50/21 on interface inside
302001: Built outbound TCP connection 3928 for faddr 172.30.1.50/21 gaddr 192.168.P.10/1726 laddr 10.0.P.3/1726 (aaauser)

(where P = pod number)

Step 4 Display authentication statistics on the PIX Firewall:

pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'aaauser' at 10.0.P.2, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

(where P = pod number)

Step 5 Clear the uauth timer:

pixfirewall(config)# clear uauth
pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          1

Note If your web browser is open, close it. Choose File>Exit from the web browser's menu.

Step 6 Test web outbound authentication. Open your web browser and go to the following URL:

http://172.30.1.50

Step 7 When the web browser prompts you for a username and password, enter the following:

User Name: aaauser
Password: aaapass

Step 8 Display authentication statistics on the PIX Firewall:

pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'aaauser' at 10.0.P.2, authenticated
   absolute   timeout: 0:05:00
   inactivity timeout: 0:00:00

(where P = pod number)

Task 6: Configure and Test Console Access Authentication

Perform the following steps to enable console Telnet authentication at the PIX Firewall:

Step 1 Configure the PIX Firewall to require authentication for Telnet console connections:

pixfirewall(config)# aaa authentication telnet console MYTACACS

Step 2 Verify your configuration:

pixfirewall(config)# show aaa authentication
aaa authentication include any outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authentication include any inbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authentication telnet console MYTACACS

Step 3 Configure the PIX Firewall to allow console Telnet logins:

pixfirewall(config)# telnet 10.0.P.1 255.255.255.0 inside

With a 255.255.255.0 mask this permits Telnet from any host on 10.0.P.0/24 through the inside interface; a 255.255.255.255 mask would restrict it to the single host named.

Step 4 Verify your configuration:

pixfirewall(config)# show telnet
10.0.P.1 255.255.255.0 inside

(where P = pod number)

Step 5 Clear the uauth timer:

pixfirewall(config)# clear uauth
pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          1

Step 6 Telnet to the PIX Firewall console:

telnet 10.0.P.1

PIX passwd: cisco

Welcome to the PIX firewall

Copyright (c) 1996-1999 by Cisco Systems, Inc.

Restricted Rights Legend

Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.

Cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Username: aaauser
Password: aaapass

Type help or '?' for a list of available commands.
pixfirewall>

(where P = pod number)

On your PIX Firewall console, you should see the following:

307002: Permitted Telnet login session from 10.0.P.3
111006: Console Login from aaauser at console

Task 7: Configure and Test Virtual Telnet Authentication

Perform the following steps to enable the use of authentication with virtual Telnet on the PIX Firewall:

Step 1 Configure the PIX Firewall to accept authentication to a virtual Telnet service:

pixfirewall(config)# virtual telnet 192.168.P.5

(where P = pod number)

The virtual Telnet address is not a real host: the PIX answers on it only to collect credentials, so that users can authenticate before using protocols in which the PIX cannot prompt them (anything other than FTP, HTTP and Telnet).

Step 2 Verify the virtual Telnet configuration:

pixfirewall(config)# show virtual telnet
virtual telnet 192.168.P.5

Step 3 Clear the uauth timer:

pixfirewall(config)# clear uauth
pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          1

Step 4 Telnet to the virtual Telnet IP address to authenticate from your Windows NT server:

telnet 192.168.P.5

LOGIN Authentication

Username: aaauser
Password: aaapass

Authentication Successful

Note If your web browser is open, close it. Choose File>Close from the web browser's menu.

Step 5 Test that you are authenticated. Open your web browser and go to the following URL:

http://172.30.1.50

You should not be prompted to authenticate.

Step 6 Clear the uauth timer:

pixfirewall(config)# clear uauth
pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          1

Note If your web browser is open, close it. Choose File>Close from the web browser's menu.

Step 7 Test that you are not authenticated and need to reauthenticate. Open your web browser and go to the following URL:

http://172.30.1.50

Step 8 When the web browser prompts, enter aaauser for the username and aaapass for the password.

Task 8: Change and Test Authentication Timeouts and Prompts

Perform the following steps to change the authentication timeouts and prompts:

Step 1 View the current uauth timeout settings:

pixfirewall(config)# show timeout uauth
timeout uauth 0:05:00 absolute uauth 0:00:00 inactivity

Step 2 Set the uauth absolute timeout to 3 hours:

pixfirewall(config)# timeout uauth 3 absolute

Step 3 Set the uauth inactivity timeout to 30 minutes:

pixfirewall(config)# timeout uauth 0:30 inactivity

Step 4 Verify the new uauth timeout settings:

pixfirewall(config)# show timeout uauth
timeout uauth 3:00:00 absolute uauth 0:30:00 inactivity

Step 5 View the current authentication prompt settings:

pixfirewall(config)# show auth-prompt

Nothing should be displayed.

Step 6 Set the prompt that users get when authenticating:

pixfirewall(config)# auth-prompt prompt Please Authenticate to the Firewall

Step 7 Set the message that users get when successfully authenticating:

pixfirewall(config)# auth-prompt accept You've been Authenticated

Step 8 Set the message that users get when their authentication is rejected:

pixfirewall(config)# auth-prompt reject Authentication Failed, Try Again

Step 9 Verify the new prompt settings:

pixfirewall(config)# show auth-prompt
auth-prompt prompt Please Authenticate to the Firewall
auth-prompt accept You've been Authenticated
auth-prompt reject Authentication Failed, Try Again

Step 10 Clear the uauth timer:

pixfirewall(config)# clear uauth
pixfirewall(config)# show uauth
                        Current    Most Seen
Authenticated Users       0          1
Authen In Progress        0          1

Step 11 Telnet to the virtual Telnet IP address to test your new authentication prompts. From your Windows NT server, enter the following, giving a wrong username and password first and then the correct ones:

telnet 192.168.P.5

LOGIN Authentication
Please Authenticate to the Firewall
Username: wronguser
Password: wrongpass
Authentication Failed, Try Again

LOGIN Authentication
Please Authenticate to the Firewall
Username: aaauser
Password: aaapass
You've been Authenticated
Authentication Successful

(where P = pod number)

Task 9: Configure and Test Authorization

Perform the following steps to enable the use of authorization on the PIX Firewall:

Step 1 Configure the PIX Firewall to require authorization for all outbound FTP traffic:

pixfirewall(config)# aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

Step 2 Configure the PIX Firewall to require authorization for all outbound ICMP echo requests (icmp/8):

pixfirewall(config)# aaa authorization include icmp/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

Step 3 Verify your configuration:

pixfirewall(config)# show aaa authorization
aaa authorization include ftp outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS
aaa authorization include 1/8 outbound 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 MYTACACS

(The PIX displays icmp/8 as 1/8: IP protocol number 1 is ICMP, and ICMP type 8 is echo request.)

Step 4 Test ICMP Echo Request failure from your Windows NT server:

ping 172.30.1.50

Pinging 172.30.1.50 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

On your PIX Firewall console, you should see the following:

109001: Auth start for user 'aaauser' from 10.0.P.3/0 to 172.30.1.50/0
109008: Authorization denied for user 'aaauser' from 10.0.P.2/0 to 172.30.1.50/0 on interface inside

(where P = pod number)

The user name is already known at "Auth start" because the uauth entry from Task 8 is still cached, so the echo request goes straight to authorization; ACS has not yet been configured to permit any service for this user, so it is denied.

Step 5 Test FTP authorization failure from your Windows NT server:

ftp 172.30.1.50
Connected to 172.30.1.50.
220-FTP authentication :
220
User (172.30.1.50:(none)): aaauser@ftpuser
331-Password:
331
Password: aaapass@<password for ftpuser>
530-Authorization Denied
530
Error: Connection closed by foreign host.

(where the part after @ in the password is the FTP server's own password for ftpuser)

On your PIX Firewall console, you should see the following:

109001: Auth start for user '???' from 10.0.P.3/1364 to 172.30.1.50/21
109011: Authen Session Start: user 'aaauser', sid 5
109005: Authentication succeeded for user 'aaauser' from 10.0.P.3/1364 to 172.30.1.50/21 on interface inside
109008: Authorization denied for user 'aaauser' from 10.0.P.3/1364 to 172.30.1.50/21 on interface inside

(where P = pod number)
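The console messages shown in Tasks 4, 5, 6 and 9 (109001, 109005, 109008, 109011, 111006, 302001, 307002) are the same messages the PIX sends to a syslog server when logging host is configured, and they are what a detection rule on that server would look at. The following Python script is an added example, not part of this lab guide or of any Cisco product: it parses a constructed sample of those lines (the lab's console output with P = 1 and Q = 2 substituted, assumed rather than captured from a real PIX), counts authentication successes and authorization denials per user, records console logins, and raises an alert when one user accumulates repeated 109008 denials, the pattern that Steps 4 and 5 above deliberately produce. The denial threshold of 2 is an arbitrary value chosen for the sample.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the console messages from Tasks 4, 5, 6 and 9 with
# P = 1 and Q = 2 substituted. Not captured from a real PIX.
SAMPLE_LOG = """\
109001: Auth start for user '???' from 192.168.2.10/1726 to 10.0.1.2/80
109011: Authen Session Start: user 'aaauser', sid 0
109005: Authentication succeeded for user 'aaauser' from 192.168.2.10/1726 to 10.0.1.2/80 on interface outside
302001: Built outbound TCP connection 3928 for faddr 192.168.2.10/1921 gaddr 192.168.1.10/80 laddr 10.0.1.3/80 (aaauser)
307002: Permitted Telnet login session from 10.0.1.3
111006: Console Login from aaauser at console
109001: Auth start for user 'aaauser' from 10.0.1.3/0 to 172.30.1.50/0
109008: Authorization denied for user 'aaauser' from 10.0.1.3/0 to 172.30.1.50/0 on interface inside
109001: Auth start for user '???' from 10.0.1.3/1364 to 172.30.1.50/21
109011: Authen Session Start: user 'aaauser', sid 5
109005: Authentication succeeded for user 'aaauser' from 10.0.1.3/1364 to 172.30.1.50/21 on interface inside
109008: Authorization denied for user 'aaauser' from 10.0.1.3/1364 to 172.30.1.50/21 on interface inside
"""

# Message ID, optionally preceded by the "%PIX-<level>-" tag seen on syslog output.
MSG_RE = re.compile(r"^(?:%PIX-\d-)?(?P<id>\d{6}): (?P<text>.*)$")
# "for user 'x' from a/b to c/d [on interface e]" as used by 109001/109005/109008.
FLOW_RE = re.compile(
    r"for user '(?P<user>[^']*)' from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+)(?: on interface (?P<iface>\w+))?")
CONSOLE_RE = re.compile(r"Console Login from (?P<user>\S+) at (?P<where>\S+)")

AUTH_OK, AUTHZ_DENIED, CONSOLE_LOGIN = "109005", "109008", "111006"


def parse_line(line):
    """Return a dict for one PIX message, or None for a line that is not one."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    event = {"id": m.group("id"), "text": m.group("text")}
    for rx in (FLOW_RE, CONSOLE_RE):
        hit = rx.search(event["text"])
        if hit:
            event.update(hit.groupdict())
    return event


def summarize(log_text, denial_threshold=2):
    """Per-user AAA summary plus alerts for repeated authorization denials."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    auth_ok, denied = Counter(), Counter()
    denied_targets = defaultdict(set)
    console_logins = []
    for e in events:
        user = e.get("user", "?")
        if e["id"] == AUTH_OK:
            auth_ok[user] += 1
        elif e["id"] == AUTHZ_DENIED:
            denied[user] += 1
            denied_targets[user].add(f"{e['dst']}/{e['dport']}")
        elif e["id"] == CONSOLE_LOGIN:
            console_logins.append(user)
    alerts = [
        f"user {u!r}: {n} authorization denials to {sorted(denied_targets[u])}"
        for u, n in denied.items() if n >= denial_threshold
    ]
    return {"events": len(events), "auth_success": dict(auth_ok),
            "authz_denied": dict(denied), "console_logins": console_logins,
            "alerts": alerts}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The per-target set in the alert is what makes the Task 9 case readable on a log server: the same user was denied both ICMP (port 0) and FTP (port 21) to 172.30.1.50, which points at a group-level authorization gap rather than a single bad request.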

Step 6 Click Group Setup to open the Group Setup interface.

Step 7 Choose default group (user) from the Group pull-down menu.

Step 8 Verify that your user belongs to the selected group. Click Users in Group to display the users under that group. The following information should be shown for the user:
