Command Authorization Using ACS

Complete the following tasks to configure and use ACS command authorization:

• Create a user profile on the TACACS+ server with all the commands that the user is permitted to execute.

• Use the aaa-server command to specify the TACACS+ server.

• Use the aaa authentication command to enable authentication with a TACACS+ server.

• Use the aaa authorization command to enable command authorization with a TACACS+ server.

© 2005 Cisco Systems, Inc. All rights reserved. SNPA V4.0—19-17

Only enable authorization with ACS if you are absolutely sure that you have fulfilled the following requirements:

■ You have created entries for enable_1, enable_15, and any other levels to which you have assigned commands.

■ If you are enabling authentication with usernames:

— You have a user profile on the TACACS+ server with all the commands that the user is permitted to execute.

— You have tested authentication with the TACACS+ server.

■ You are logged in as a user with the necessary privileges.

■ Your TACACS+ system is completely stable and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server system and fully redundant connectivity to the security appliance.

When configuring the command authorization feature, do not save your configuration until you are sure it works the way you want. If you get locked out of your security appliance, you can usually recover access by simply reloading it.

aaa authorization Command for Command Authorization with ACS


aaa authorization command {LOCAL | server-tag}

fw1(config)# aaa-server MYTACACS protocol tacacs+

fw1(config-aaa-server-group)# aaa-server MYTACACS (inside) host 10.0.0.2 thekey timeout 20

fw1(config-aaa-server-host)# aaa authentication enable console MYTACACS

fw1(config)# aaa authorization command MYTACACS


Use the aaa authorization command to enable command authorization with a TACACS+ server. You must also use the aaa-server command to create the server-tag.

The syntax for the aaa authorization command, when used to configure command authorization using ACS, is as follows:

aaa authorization command {LOCAL | server-tag}

LOCAL

Specify the use of the security appliance local user database for local command authorization (using privilege levels). If LOCAL is specified after a TACACS+ server group tag, the local user database is used for command authorization only as a fallback when the TACACS+ server group is unavailable.

server-tag

Specify a predefined server group tag for the TACACS+ authorization server. The server tag is the AAA server group tag defined by the aaa-server command. You can also enter LOCAL for the group tag value and use the local command authorization privilege levels.

Viewing Your Command Authorization Configuration

[Figure: security appliance connected to the Internet and to the TACACS+ server MYTACACS at 10.0.0.2]

firewall# show running-config [all] privilege [all | command command | level level]

firewall# show curpriv

• Displays the user account that is currently logged in


To view the command assignments for each privilege level, use the show running-config privilege all command. The system displays the current assignment of each command-line interface (CLI) command to a privilege level. The following example illustrates the first part of the display:

fw(config)# show running-config privilege all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key

Use the show running-config privilege command with the level option to display the command assignments for a specific privilege level. Use it with the command option to display the privilege level assignment of a specific command.

To view the user account that is currently logged in, enter the show curpriv command. The system displays the current username and privilege level, as follows:

fw(config)# show curpriv

Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV P_CONF
fw(config)# exit
fw# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
fw# exit
fw> show curpriv
Username : enable_1
Current privilege level : 1
Current Mode/s : P_UNPR

The username indicates the name that the user entered when the user logged in, P_PRIV indicates that the user has entered the enable command, and P_CONF indicates that the user has entered the config terminal command.

The syntaxes for the show commands are as follows:

show running-config privilege [all | command command | level level]

show curpriv

all

(Optional) First occurrence—Displays the default privilege level.

all

(Optional) Second occurrence—Displays the privilege level for all commands.

command command

(Optional) Displays the privilege level for a specific command.

level level

(Optional) Displays the commands that are configured with the specified level; valid values are from 0 to 15.
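The privilege listing above is easy to audit by machine. The following Python script is an added example (not part of the course material or any Cisco tool): it parses lines in the "privilege mode level n command cmd" form produced by show running-config privilege all, reports which commands a user at a given level can reach, and flags sensitive commands that have been assigned below level 15. The sample listing is constructed for the example and the lower-level assignments for interface and running-config are assumed, not taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample output modelled on "show running-config privilege all".
# The level 5 and level 3 entries are assumed for the example; they are not from the course text.
SAMPLE_PRIVILEGE_OUTPUT = """\
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege show level 15 command access-list
privilege configure level 15 command access-list
privilege show level 5 command interface
privilege show level 3 command running-config
"""

# One line per (mode, level, command) assignment; "cmd" covers commands that have no mode.
PRIV_LINE = re.compile(
    r"^privilege\s+(?P<mode>show|clear|configure|cmd)\s+level\s+(?P<level>\d+)"
    r"\s+command\s+(?P<cmd>\S+)\s*$"
)


def parse_privilege_output(text):
    """Return a list of (mode, level, command) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            entries.append((m.group("mode"), int(m.group("level")), m.group("cmd")))
    return entries


def level_of(entries, mode, cmd):
    """Privilege level assigned to a command in a given mode, or None if it is not listed."""
    for m, lvl, c in entries:
        if m == mode and c == cmd:
            return lvl
    return None


def commands_at_or_below(entries, level):
    """Map each command a user at 'level' can run to the sorted list of modes it is allowed in."""
    reach = defaultdict(set)
    for mode, lvl, cmd in entries:
        if lvl <= level:
            reach[cmd].add(mode)
    return {cmd: sorted(modes) for cmd, modes in reach.items()}


def find_demoted(entries, sensitive, floor=15):
    """Least-privilege check: sensitive commands assigned below 'floor', as (cmd, mode, level)."""
    return sorted(
        (cmd, mode, lvl) for mode, lvl, cmd in entries if cmd in sensitive and lvl < floor
    )


if __name__ == "__main__":
    entries = parse_privilege_output(SAMPLE_PRIVILEGE_OUTPUT)
    print("reachable at level 5:", commands_at_or_below(entries, 5))
    print("demoted:", find_demoted(entries, {"running-config", "aaa", "aaa-server"}))
```

Feed it the saved output of the show command; the find_demoted check is the one to run after every change to privilege assignments, since a sensitive command lowered below level 15 becomes available to every user at that level.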

Lockout

[Figure: local database containing the users admin (password "password", privilege 15) and kenny (password "chickadee", privilege 10)]

When you are configuring the command authorization feature, do not save your configuration until you are sure it works the way you want. If you get locked out of your security appliance, you can usually recover access by simply reloading it. If you have already saved your configuration and you find that you configured authentication using the LOCAL database but did not configure any usernames, you created a lockout problem. You can also encounter a lockout problem by configuring command authorization using a TACACS+ server if the TACACS+ server is unavailable, down, or misconfigured.

If you cannot recover access to the security appliance by restarting your PIX Security Appliance, use your web browser to access the following website: http://www.cisco.com/warp/customer/110/34.shtml

This website provides a downloadable file with instructions for using it to remove the lines in the PIX Security Appliance configuration that enable authentication and cause the lockout problem. If there are Telnet or console aaa authentication commands in PIX Security Appliance Software v6.2 or v6.3, the system will also prompt to remove them.

Note If you have configured AAA on the PIX Security Appliance, and the AAA server is down, you can access the PIX Security Appliance by entering the Telnet password initially, and then pix as the username and the enable password (password). If there is no enable password in the PIX Security Appliance configuration, enter pix for the username and press ENTER. If the enable and Telnet passwords are set but not known, you will need to continue with the password recovery process.

The PIX Password Lockout utility is based on the PIX Security Appliance software version you are running. Use one of the following files, depending on the PIX Security Appliance software version you are running:

You can encounter a different type of lockout problem if you use the aaa authorization command and server-tag argument, and you are not logged in as the correct user. For every command you enter, the PIX Security Appliance displays the following message:

Command Authorization failed

This occurs because the TACACS+ server does not have a user profile for the user account that you used for logging in. To prevent this problem, make sure that the TACACS+ server has all the users configured with the commands that they can execute. Also make sure that you are logged in as a user with the required profile on the TACACS+ server.
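The two lockout causes described above (LOCAL authentication with no usernames configured, and TACACS+ command authorization with no LOCAL fallback) can be caught before the configuration is saved. The following Python check is an added example, not part of the course material or any Cisco tool; the configuration fragments it inspects are constructed for the example, and the username line and password in the safer variant are assumed values.

```python
import re

# Constructed sample configuration (not captured from a real appliance). It reproduces the two
# lockout scenarios this section warns about: LOCAL authentication with no username defined,
# and TACACS+ command authorization with no LOCAL fallback.
RISKY_CONFIG = """\
aaa-server MYTACACS protocol tacacs+
aaa-server MYTACACS (inside) host 10.0.0.2 thekey timeout 20
aaa authentication serial console LOCAL
aaa authentication enable console MYTACACS
aaa authorization command MYTACACS
"""

# The same configuration with a LOCAL fallback and an administrative username (assumed values).
SAFER_CONFIG = RISKY_CONFIG.replace(
    "aaa authorization command MYTACACS", "aaa authorization command MYTACACS LOCAL"
) + "username admin password S3cret! privilege 15\n"

SERVER_RE = re.compile(r"^aaa-server\s+(?P<tag>\S+)\s+protocol\s+\S+$")
AUTH_RE = re.compile(
    r"^aaa authentication\s+(?P<method>enable|serial|ssh|telnet|http)\s+console\s+"
    r"(?P<tag>\S+)(?:\s+(?P<fallback>LOCAL))?$"
)
AUTHZ_RE = re.compile(r"^aaa authorization command\s+(?P<tag>\S+)(?:\s+(?P<fallback>LOCAL))?$")
USER_RE = re.compile(r"^username\s+(?P<name>\S+)\s+password\s+\S+")


def lockout_findings(config_text):
    """Return human-readable lockout risks found in a PIX/ASA configuration fragment."""
    lines = [line.strip() for line in config_text.splitlines()]
    server_tags = {m.group("tag") for line in lines if (m := SERVER_RE.match(line))}
    users = {m.group("name") for line in lines if (m := USER_RE.match(line))}
    findings = []
    for line in lines:
        if (m := AUTH_RE.match(line)):
            tag, method = m.group("tag"), m.group("method")
            if tag == "LOCAL" and not users:
                findings.append(f"{method} console authentication uses LOCAL but no username is configured")
            elif tag != "LOCAL" and tag not in server_tags:
                findings.append(f"{method} console authentication references undefined server group {tag}")
        elif (m := AUTHZ_RE.match(line)):
            tag = m.group("tag")
            if tag == "LOCAL":
                continue
            if tag not in server_tags:
                findings.append(f"command authorization references undefined server group {tag}")
            if not m.group("fallback"):
                findings.append(
                    f"command authorization via {tag} has no LOCAL fallback; "
                    "a TACACS+ outage locks out the CLI"
                )
    return findings


if __name__ == "__main__":
    for name, cfg in (("risky", RISKY_CONFIG), ("safer", SAFER_CONFIG)):
        print(name, lockout_findings(cfg) or ["no lockout risk found"])
```

Run it against the running configuration before write memory; an empty result means the two conditions the text describes are absent, not that every lockout path is covered (an authentication method pointing at a TACACS+ group with no LOCAL fallback still depends on that group being reachable).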

Password Recovery PIX

• Download the following file from Cisco.com: npXX.bin (where XX = the PIX Firewall image version number).

• Reboot the system and break the boot process when prompted to go into monitor mode.

• Set the interface, IP address, gateway, server, and file to TFTP the previously downloaded image.

• Follow the directions displayed.


Password recovery for the PIX Security Appliance versions through 7.0 requires a TFTP server. To perform a password recovery using Trivial File Transfer Protocol (TFTP), complete the following steps:

Step 197 Download the PIX Security Appliance password tool from Cisco.com to a TFTP server accessible from the security appliance.

Step 198 Connect to the security appliance console port.

Step 199 Power off the security appliance, and then power it on.

Step 200 Immediately after the startup messages appear, press the Escape key to enter monitor mode.

Step 201 Configure the network settings for the interface that accesses the TFTP server by entering the following commands:

monitor> interface interface_id
monitor> address interface_ip
monitor> server tftp_ip
monitor> file pw_tool_name
monitor> gateway gateway_ip

Step 202 Download the PIX Security Appliance password tool from the TFTP server by entering the following command:

monitor> tftp

Note If you have trouble reaching the server, you can enter the ping address command to test the connection.

Step 203 At the "Do you wish to erase the passwords?" prompt, enter Y.

You can now log in with the default login password of "cisco" and the blank enable password.

On the PIX 500 Series Security Appliance, the no service password-recovery command forces the PIX Security Appliance password tool to prompt the user to erase all Flash file systems. The user cannot use the PIX Security Appliance password tool without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

Password Recovery ASA

• The service password-recovery command enables password recovery; it is on by default.

fw1(config)# no service password-recovery

WARNING: Executing "no service password-recovery" has disabled the password recovery mechanism and disabled access to ROMMON. The only means of recovering from lost or forgotten passwords will be for ROMMON to erase all file systems including configuration files and images. You should make a backup of your configuration and have a mechanism to restore images from the ROMMON command line.


On the ASA, if you forget the passwords, you can boot the security appliance into ROMMON by pressing the Escape key on the terminal keyboard when prompted during startup. Then set the security appliance to ignore the startup configuration by changing the configuration register (see the config-register command). For example, if your configuration register is the default 0x1, then change the value to 0x41 by entering the confreg 0x41 command. After reloading the security appliance, it loads a default configuration, and you can enter privileged EXEC mode using the default passwords. Then load the startup configuration by copying it to the running configuration and reset the passwords. Finally, set the security appliance to boot as before by setting the configuration register to the original setting. For example, enter the config-register 0x1 command in global configuration mode.

On the ASA, the no version of the service password-recovery command prevents a user from entering ROMMON with the configuration intact. When a user enters ROMMON, the security appliance prompts the user to erase all Flash file systems. The user cannot enter ROMMON without first performing this erasure. If a user chooses not to erase the Flash file system, the security appliance reloads. Because password recovery depends on using ROMMON and maintaining the existing configuration, this erasure prevents you from recovering a password. However, disabling password recovery prevents unauthorized users from viewing the configuration or inserting different passwords. In this case, to recover the system to an operating state, load a new image and a backup configuration file, if available.

The service password-recovery command appears in the configuration file for informational purposes only; when you enter the command at the CLI prompt, the setting is saved in non-volatile random-access memory (NVRAM). The only way to change the setting is to enter the command at the CLI prompt. Loading a new configuration with a different version of the command does not change the setting.

If you disable password recovery when the security appliance is configured to ignore the startup configuration at startup (in preparation for password recovery), the security appliance changes the setting to boot the startup configuration as usual. If you use failover, and the standby unit is configured to ignore the startup configuration, the same change is made to the configuration register when the no service password-recovery command replicates to the standby unit.

The following example shows when to enter ROMMON at startup and how to complete a password recovery operation:

Use BREAK or ESC to interrupt boot.
Use SPACE to begin boot immediately.
Boot interrupted.

Use ? for help.
rommon #0> confreg

Current Configuration Register: 0x00000001
Configuration Summary:
  boot default image from Flash

Do you wish to change this configuration? y/n [n]: n
rommon #1> confreg 0x41
Update Config Register (0x41) in NVRAM...
rommon #2> boot
Launching BootLoader...
Boot configuration file contains 1 entry.

Loading disk0:/ASA 7.0.bin... Booting...
###################

Ignoring startup configuration as instructed by configuration register.
Type help or '?' for a list of available commands.

hostname> enable
Password:
hostname# configure terminal
hostname(config)# copy startup-config running-config

Destination filename [running-config]?

Cryptochecksum(unchanged): 7708b94c e0e3f0d5 c94dde05 594fbee9
892 bytes copied in 6.300 secs (148 bytes/sec)
hostname(config)# enable password NewPassword
hostname(config)# config-register 0x1

Managing Software, Licenses, and Configurations

This topic describes how to manage software, licenses, and configuration files on the security appliance.

Viewing Directory Contents

dir [/all] [all-filesystems] [/recursive] [disk0: | disk1: | flash: | system:] [path]

• Displays the directory contents.

• The pwd command displays the current working directory.

fw1# dir
Directory of disk0:/

8      -rw-  5124096     13:01:10 Apr 19 2005  pix701.bin
9      -rw-  4908        12:52:39 Mar 16 2005  old_running2.cfg
10     -rw-  4087        10:03:57 Apr 04 2005  old_running.cfg

15998976 bytes total (5573632 bytes free)


Use the dir command to display the directory contents. The dir command without keywords or arguments displays the directory contents of the current directory.

The syntax for the dir command is as follows:

dir [/all] [all-filesystems] [/recursive] [disk0: | disk1: | flash: | system:] [path]

/all

(Optional) Displays all files.

all-filesystems

(Optional) Displays the files of all filesystems.

disk0:

(Optional) Specifies the internal Flash memory, followed by a colon.

disk1:

(Optional) Specifies the external Flash memory card, followed by a colon.

/recursive

(Optional) Displays the directory contents recursively.

system:

(Optional) Displays the directory contents of the file system.

flash:

(Optional) Displays the directory contents of the default Flash partition.

path

(Optional) Specifies a specific path.
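Because old configuration copies left in Flash (such as the old_running.cfg files in the listing above) can contain credentials and TACACS+ keys, the dir output is worth parsing during a review. The following Python parser is an added example, not part of the course material or any Cisco tool; it reads the listing format shown on this page into structured records and reports leftover configuration files and used space. The sample listing is constructed from the values on the page.

```python
import re
from datetime import datetime

# Constructed sample modelled on the "dir" listing in this section (not captured from a real appliance).
SAMPLE_DIR_OUTPUT = """\
Directory of disk0:/

8      -rw-  5124096     13:01:10 Apr 19 2005  pix701.bin
9      -rw-  4908        12:52:39 Mar 16 2005  old_running2.cfg
10     -rw-  4087        10:03:57 Apr 04 2005  old_running.cfg

15998976 bytes total (5573632 bytes free)
"""

# Patterns apply after runs of whitespace have been collapsed to single spaces.
HEADER_RE = re.compile(r"^Directory of (?P<fs>\S+)$")
ENTRY_RE = re.compile(
    r"^(?P<index>\d+) (?P<perms>[-drwx]{4}) (?P<size>\d+) "
    r"(?P<stamp>\d\d:\d\d:\d\d \w{3} \d\d \d{4}) (?P<name>\S+)$"
)
TOTAL_RE = re.compile(r"^(?P<total>\d+) bytes total \((?P<free>\d+) bytes free\)$")


def parse_dir(text):
    """Parse a dir listing into its filesystem name, file entries and capacity figures."""
    listing = {"filesystem": None, "entries": [], "total": None, "free": None}
    for raw in text.splitlines():
        line = re.sub(r"\s+", " ", raw.strip())
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            listing["filesystem"] = m.group("fs")
        elif (m := TOTAL_RE.match(line)):
            listing["total"] = int(m.group("total"))
            listing["free"] = int(m.group("free"))
        elif (m := ENTRY_RE.match(line)):
            listing["entries"].append({
                "index": int(m.group("index")),
                "perms": m.group("perms"),
                "size": int(m.group("size")),
                "modified": datetime.strptime(m.group("stamp"), "%H:%M:%S %b %d %Y"),
                "name": m.group("name"),
            })
        # Any other line (prompt echo, blank separators) is ignored.
    return listing


def leftover_configs(listing, suffix=".cfg"):
    """Names of saved configuration copies in the listing; these deserve review or removal."""
    return sorted(e["name"] for e in listing["entries"] if e["name"].endswith(suffix))


def used_bytes(listing):
    """Bytes in use according to the capacity line (None if the line was absent)."""
    if listing["total"] is None or listing["free"] is None:
        return None
    return listing["total"] - listing["free"]


if __name__ == "__main__":
    lst = parse_dir(SAMPLE_DIR_OUTPUT)
    print(lst["filesystem"], "used:", used_bytes(lst))
    print("configuration copies:", leftover_configs(lst))
```

The file sizes do not sum to the used figure on the capacity line (the filesystem allocates in blocks), so the script reports used_bytes from that line rather than from the entries.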

Viewing File Contents


Use the more command to display the contents of a file. The syntax for the more command is as follows:

more {/ascii | /binary | /ebcdic | disk0: | disk1: | flash: | ftp: | http: | https: | system: | tftp:} filename

/ascii

(Optional) Displays a binary file in binary mode and an ASCII file in binary mode.

/binary

(Optional) Displays any file in binary mode.

/ebcdic

(Optional) Displays binary files in extended binary coded decimal interchange code (EBCDIC).

disk0:

(Optional) Displays a file on the internal Flash memory.

disk1:

(Optional) Displays a file on the external Flash memory card.

flash:

(Optional) Specifies the internal Flash memory, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.

ftp:

(Optional) Displays a file on an FTP server.

http:

(Optional) Displays a file on a website.

https:

(Optional) Displays a file on a secure website.

system:

(Optional) Displays the file system.

tftp:

(Optional) Displays a file on a TFTP server.

filename

Specifies the name of the file to display.

Directory Management

firewall# mkdir [/noconfirm] [disk0: | disk1: | flash:]path

• Creates a new directory

firewall# rmdir [/noconfirm] [disk0: | disk1: | flash:]path

• Removes a directory

firewall# cd [disk0: | disk1: | flash:] [path]

• Changes the current working directory to the one specified.


Use the mkdir command to create a new directory. If a directory with the same name already exists, the new directory is not created. To remove the existing directory, use the rmdir command. If the directory is not empty, the rmdir command fails. Use the cd command to change the current working directory to the one specified. If you do not specify a directory, the directory is changed to the root directory.

The syntax for the mkdir, rmdir, and cd commands is as follows:

mkdir [/noconfirm] [disk0: | disk1: | flash:]path
rmdir [/noconfirm] [disk0: | disk1: | flash:]path
cd [disk0: | disk1: | flash:] [path]

/noconfirm

(Optional) Suppresses the confirmation prompt.

disk0:

(Optional) Specifies the internal Flash memory, followed by a colon.

disk1:

(Optional) Specifies the external Flash memory card, followed by a colon.

flash:

(Optional) Specifies the internal Flash memory, followed by a colon. In the ASA 5500 series, the flash keyword is aliased to disk0.

path

The name and path of the directory to create.

Copying Files

copy [/options] {url | local:[path] | running-config | startup-config} {running-config | startup-config | url | local:[path]}

• Copies a file from one location to another

fw1(config)# copy disk0:my_context/my_context.cfg startup-config
fw1(config)# copy disk0:my_context/my_context.cfg running-config


Use the copy command to copy a file from one location to another.

copy [/options] {url | local:[path] | running-config | startup-config} {running-config | startup-config | url | local:[path]}

/options

Options used for the copy command:

■ noconfirm—Copies the file without a confirmation prompt.

■ pcap—Specifies the defaults of the preconfigured TFTP server.

url

Sets the context configuration URL. All remote URLs must be accessible from the admin context. The options are as follows:

■ disk0:/[path/]filename—This option is only available for the ASA platform, and indicates the internal Flash memory. You can also use flash instead of disk0; they are aliased.

■ disk1:/[path/]filename—This option is only available for the ASA platform, and indicates the external Flash memory card.

■ flash:/[path/]filename—This option indicates the internal Flash card. For the ASA platform, flash is an alias for disk0.

■ ftp://[user[:password]@]server[:port]/[path/]filename[;type=xx]—The type can be one of the following keywords:

— ap—ASCII passive mode

— an—ASCII normal mode

— ip—(Default) Binary passive mode

— in—Binary normal mode

■ http[s]://[user[:password]@]server[:port]/[path/]filename

■ tftp://[user[:password]@]server[:port]/[path/]filename[;int=interface_name]—Specifies the interface name if you want to override the route to the server address.

path

Path name that indicates the last component of the path to the file on the server.
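The remote URL forms in the table can carry a username and password inline, which is exactly the part that should never reach a log or a change ticket. The following Python parser is an added example, not part of the course material or any Cisco tool: it splits a copy URL into its components according to the syntax above, validates the ;type= and ;int= options, and masks an embedded password for safe logging. The hosts, credentials and file names in it are constructed for the example.

```python
import re

# Remote URL forms from the copy command table: ftp:, http:, https: and tftp:.
URL_RE = re.compile(
    r"^(?P<scheme>ftp|https?|tftp)://"
    r"(?:(?P<user>[^:@/]+)(?::(?P<password>[^@/]*))?@)?"
    r"(?P<server>[^:/;]+)(?::(?P<port>\d+))?"
    r"/(?P<path>[^;]*?)"
    r"(?:;(?P<optkey>type|int)=(?P<optval>[^;]+))?$"
)
# Local Flash forms: disk0:, disk1: and the flash: alias, with or without a leading slash.
LOCAL_RE = re.compile(r"^(?P<fs>disk0|disk1|flash):/?(?P<path>.*)$")

# ;type= keywords for ftp: transfers, as listed in the table (ip is the default).
FTP_TYPES = {
    "ap": "ASCII passive",
    "an": "ASCII normal",
    "ip": "binary passive",
    "in": "binary normal",
}


def parse_copy_url(url):
    """Split a copy-command URL into a dict; raises ValueError for malformed or misapplied options."""
    m = LOCAL_RE.match(url)
    if m:
        return {"scheme": m.group("fs"), "path": m.group("path")}
    m = URL_RE.match(url)
    if not m:
        raise ValueError(f"not a recognised copy URL: {url!r}")
    d = {k: m.group(k) for k in ("scheme", "user", "password", "server", "port", "path")}
    d["port"] = int(d["port"]) if d["port"] else None
    key, val = m.group("optkey"), m.group("optval")
    if key == "type":
        if d["scheme"] != "ftp":
            raise ValueError(";type= applies only to ftp: URLs")
        if val not in FTP_TYPES:
            raise ValueError(f"unknown ftp transfer type {val!r}")
        d["ftp_mode"] = FTP_TYPES[val]
    elif key == "int":
        if d["scheme"] != "tftp":
            raise ValueError(";int= applies only to tftp: URLs")
        d["interface"] = val
    if d["scheme"] == "ftp" and "ftp_mode" not in d:
        d["ftp_mode"] = FTP_TYPES["ip"]  # default when ;type= is omitted
    return d


def is_valid_copy_url(url):
    """True if parse_copy_url accepts the URL."""
    try:
        parse_copy_url(url)
        return True
    except ValueError:
        return False


def redact_credentials(url):
    """Return the URL with an embedded password replaced by ****, for logs and tickets."""
    return re.sub(r"^(\w+://[^:@/]+:)[^@/]*(@)", r"\1****\2", url)


if __name__ == "__main__":
    # Constructed sample URLs (documentation addresses, not real hosts).
    for u in (
        "ftp://backup:s3cret@192.0.2.10:2121/configs/fw1.cfg;type=ip",
        "tftp://192.0.2.20/fw1.cfg;int=inside",
        "disk0:/my_context/my_context.cfg",
    ):
        print(redact_credentials(u), "->", parse_copy_url(u))
```

Use redact_credentials on any copy command line before it is echoed into a change record; the parser itself is what a configuration-review script would use to enumerate every remote server an appliance has been told to fetch from.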
