Using ACS with PIX/ASA

Unanswered Question
Apr 12th, 2008

Hi there,

We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.

We have successfully deployed this to our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stumbled across issues.

Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):

aaa-server XXXXX protocol tacacs+
 accounting-mode simultaneous
 reactivation-mode depletion deadtime 1
 max-failed-attempts 1
aaa-server XXXXX inside host <SERVER>
 key <SECRET>
 timeout 5
aaa authentication telnet console XXXXX LOCAL
aaa authentication enable console XXXXX LOCAL
aaa authentication ssh console XXXXX LOCAL
aaa authentication http console XXXXX LOCAL
aaa authentication serial console XXXXX LOCAL
aaa accounting command XXXXX
aaa accounting telnet console XXXXX
aaa accounting ssh console XXXXX
aaa accounting enable console XXXXX
aaa accounting serial console XXXXX
aaa authorization command XXXXX LOCAL

Problems:

Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.

A username with a null password (e.g. CR) will then correctly display the Enter PASSCODE prompt received from ACS.

PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go; instead it tries each sequentially per authentication attempt, e.g.

1st Attempt = Server 1
2nd Attempt = Server 2
3rd Attempt = Server 3
4th Attempt = Server 4

This means that in a total failure of ACS, users will have to attempt authentication N+1 times (depending on the number of servers configured) before failing to LOCAL credentials. This seems to be from setting "depletion deadtime 1"; however, the alternative is worse:

With “depletion timed” configured, by the time the user has attempted authentication to servers 2, 3 and 4 the hard-coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts. As such it will never fail to local authentication, locking the user out of the device. The PIX itself does warn of this with the following error:

“WARNING: Fallback authentication is configured, but reactivation mode is set to timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth mechanism.”

The next issue is that of accounting. AAA Accounting does not record “SHOW” commands, session accounting records (start/stop) or “ENABLE”.

The final issue is ASDM. We can log in to ASDM successfully using ACS/RSA SecurID; however, when a change is made to the configuration ASDM sends the user's logon credentials multiple times.

As an RSA SecurID token can only be used once, this fails and locks the account.

Any ideas on how to make two of Cisco's leading security products work together better?
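To make the fallback problem in the post concrete, here is an added Python model of the server-group behaviour it describes. It is not Cisco code and not from the thread. It assumes what the poster observed: one server is consulted per login attempt, a single timeout deactivates that server (max-failed-attempts 1), 'timed' mode brings a server back after the hard-coded 30 seconds named in the warning, and 'depletion deadtime 1' brings every server back together one minute after the last one died. Server names, the retype delay and the per-server timeout of 5 seconds are assumptions for the simulation.

```python
# Added example: a toy model of ASA aaa-server group failover as described in the post.
# Not Cisco code. Simplifications: one server per login attempt, one timeout kills a
# server, a fixed 30 s reactivation interval for 'timed', 60 s deadtime for 'depletion'.
from dataclasses import dataclass
from typing import List, Optional, Tuple

TIMED_REACTIVATION_SECS = 30.0   # 'reactivation-mode timed' interval quoted in the post


@dataclass
class Server:
    name: str
    reachable: bool = True       # False models an ACS that never answers
    active: bool = True          # False once the appliance has deactivated it
    failed_at: Optional[float] = None


@dataclass
class ServerGroup:
    servers: List[Server]
    mode: str                    # "depletion" or "timed"
    deadtime_secs: float = 60.0  # 'deadtime 1' = 1 minute (depletion mode only)
    timeout_secs: float = 5.0    # 'timeout 5' per server
    fallback_local: bool = True  # the trailing LOCAL on the aaa authentication lines
    all_dead_at: Optional[float] = None

    def _reactivate(self, now: float) -> None:
        if self.mode == "timed":
            # each failed server comes back on its own after the fixed interval
            for s in self.servers:
                if not s.active and now - s.failed_at >= TIMED_REACTIVATION_SECS:
                    s.active, s.failed_at = True, None
        elif self.all_dead_at is not None and now - self.all_dead_at >= self.deadtime_secs:
            # depletion: nothing comes back until every server is dead and deadtime has passed
            for s in self.servers:
                s.active, s.failed_at = True, None
            self.all_dead_at = None

    def authenticate(self, now: float) -> Tuple[str, float]:
        """One login attempt at time `now`.

        Returns (result, seconds_spent): result is the name of the server that answered,
        "LOCAL" when the appliance fell back to the local database, or "FAIL" when the
        attempt timed out against a dead ACS.
        """
        self._reactivate(now)
        for s in self.servers:
            if not s.active:
                continue
            if s.reachable:
                return s.name, 0.0
            # max-failed-attempts 1: one timeout is enough to deactivate this server
            s.active = False
            s.failed_at = now + self.timeout_secs
            if self.mode == "depletion" and not any(x.active for x in self.servers):
                self.all_dead_at = now + self.timeout_secs
            # the next server is not tried within the same attempt (the poster's observation)
            return "FAIL", self.timeout_secs
        # no active server remains: fall back if configured
        return ("LOCAL" if self.fallback_local else "FAIL"), 0.0


def simulate(mode: str, n_servers: int = 4, attempts: int = 6,
             retype_delay: float = 5.0, reachable: bool = False) -> List[str]:
    """Run a user's successive login attempts against a group of n_servers ACS servers.

    retype_delay is the assumed time the user needs to re-enter credentials after a failure.
    """
    group = ServerGroup(
        servers=[Server(f"ACS{i + 1}", reachable=reachable) for i in range(n_servers)],
        mode=mode,
    )
    now, results = 0.0, []
    for _ in range(attempts):
        result, spent = group.authenticate(now)
        results.append(result)
        now += spent + retype_delay
    return results


if __name__ == "__main__":
    for m in ("depletion", "timed"):
        print(f"{m:10s}", simulate(m))
```

With all four servers down, depletion mode yields four failures and then LOCAL on the fifth attempt (the N+1 the post describes), while timed mode with a 5 second retype delay never reaches LOCAL because server 1 is back by the fifth attempt. The same model shows that timed mode does fall back if the retries happen quickly enough, which is why the post says the timeout has "likely" elapsed rather than always.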

Mike Bailey Sat, 04/12/2008 - 00:47

Just re-reading the PIX/ASA 7.2 command reference guide below:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf

It appears some of the above are known issues.

PASSCODE issue, page 2-17 states:

We recommend that you use the same username and password in the local database as the AAA server because the security appliance prompt does not give any indication which method is being used.

Failure to LOCAL, page 2-42 states:

You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

AAA Accounting, page 2-2 states:

To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.

ASDM issue, page 2-17 states:

HTTP management authentication does not support the SDI protocol for AAA server group

So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?

Is there a roadmap to improve this with later versions of the OS?

Will the PIX/ASA code ever properly support the same features as IOS?

Would it be better to look at using something like CSM instead of ASDM?

cisco24x7 Sat, 04/12/2008 - 11:29

"The next issue is that of accounting.....AAA Accounting does not record “SHOW” commands or session accounting records (start/stop) or “ENABLE"."

You must have mis-configured something on either the ACS or the ASA. I can see accounting just fine.

The 0.0.0.0 you see is the bug in the PIX 7.0.6 code that I am running:

Sat Apr 12 17:15:39 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000003 cmd=configure terminal service=shell elapsed_time=0
Sat Apr 12 17:15:43 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000004 cmd=interface Ethernet 1 service=shell elapsed_time=0
Sat Apr 12 17:15:44 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000005 cmd=shutdown service=shell elapsed_time=0
Sat Apr 12 17:15:46 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000006 cmd=no shutdown service=shell elapsed_time=0

"Any ideas on how to make two of Ciscos leading security products work together better?"

I would not call ASA and ACS leading security products. Maybe from the bottom up.

Mike Bailey Sat, 04/12/2008 - 22:21

I get the accounting records you do (e.g. interface configuration); what I don't get is session accounting or show commands.

e.g. you can log onto the PIX (session start) and execute "show run" without any accounting being logged.

It's not the end of the world, but it would be nice to know when someone is logging onto and inspecting the configuration of security devices!
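As an added example (not from either poster, nor ACS or ASA code), here is a Python audit that reads accounting records in the layout cisco24x7 posted and reports, per device, the gaps Mike describes: no session start records, no show commands, and the 0.0.0.0 remote address. The column layout (date, NAS address, user, port, remote address, start/stop, key=value pairs) is inferred from those four lines and is an assumption; real ACS exports may differ. The first four sample records are the ones posted above; the last two are constructed for a second device that does log a session start and a show command.

```python
# Added example: audit TACACS+ accounting records for the coverage gaps discussed in the thread.
# Not ACS/ASA code; the record layout is inferred from the four lines cisco24x7 posted.
import re
from collections import defaultdict
from typing import Dict, List, Optional

RECORD_RE = re.compile(
    r"^(?P<date>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<nas>\S+) (?P<user>\S+) (?P<port>\S+) (?P<remote>\S+) "
    r"(?P<status>start|stop) ?(?P<attrs>.*)$"
)
# key=value pairs; a value runs until the next " key=", so "cmd=configure terminal" stays whole
ATTR_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

# First four lines: posted in the thread. Last two: constructed records for a second
# device (10.0.0.1, user alice) that does emit a session start and a show command.
SAMPLE_LINES = [
    "Sat Apr 12 17:15:39 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000003 cmd=configure terminal service=shell elapsed_time=0",
    "Sat Apr 12 17:15:43 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000004 cmd=interface Ethernet 1 service=shell elapsed_time=0",
    "Sat Apr 12 17:15:44 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000005 cmd=shutdown service=shell elapsed_time=0",
    "Sat Apr 12 17:15:46 2008 192.168.15.25 cciesec 22 0.0.0.0 stop task_id=00000006 cmd=no shutdown service=shell elapsed_time=0",
    "Sat Apr 12 17:20:01 2008 10.0.0.1 alice tty2 10.0.0.50 start task_id=00000010 service=shell",
    "Sat Apr 12 17:20:05 2008 10.0.0.1 alice tty2 10.0.0.50 stop task_id=00000011 cmd=show running-config service=shell elapsed_time=0",
]


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one accounting line into its fixed columns plus the key=value attributes."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(ATTR_RE.findall(rec.pop("attrs")))
    return rec


def audit_coverage(lines: List[str]) -> Dict[str, dict]:
    """Per NAS address: commands seen, whether a session start or a show command was ever
    logged, and whether the remote address came through as 0.0.0.0."""
    per_nas = defaultdict(lambda: {"commands": [], "session_start": False,
                                   "show_logged": False, "bad_remote_addr": False})
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue                      # unparseable line; skipped, not counted
        entry = per_nas[rec["nas"]]
        if rec["status"] == "start":
            entry["session_start"] = True
        cmd = rec.get("cmd")
        if cmd:
            entry["commands"].append(cmd)
            if cmd.split()[0] == "show":
                entry["show_logged"] = True
        if rec["remote"] == "0.0.0.0":
            entry["bad_remote_addr"] = True
    return dict(per_nas)


def findings(summary: Dict[str, dict]) -> List[str]:
    """Human-readable list of the gaps per device, in NAS-address order."""
    out = []
    for nas, entry in sorted(summary.items()):
        if not entry["session_start"]:
            out.append(f"{nas}: no session start records (logins are not visible)")
        if not entry["show_logged"]:
            out.append(f"{nas}: no show commands logged (config reads are not visible)")
        if entry["bad_remote_addr"]:
            out.append(f"{nas}: remote address recorded as 0.0.0.0")
    return out


if __name__ == "__main__":
    for f in findings(audit_coverage(SAMPLE_LINES)):
        print(f)
```

Run against the sample, the ASA at 192.168.15.25 gets all three findings and the constructed second device gets none, which is the difference Mike is pointing at: configuration changes are visible, but logins and reads of the configuration are not.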
