Authenticating FTP users in FWSM 3.1(4)

Answered Question
Apr 15th, 2010


Hi,


I get the users to authenticate when using FTP through the FWSM (multiple context mode) but I have a few questions that I can't seem to find the exact answers to in the documentation (I presume I'm just missing something when reading it).


At the moment we have the users match the ACL, login using a local account and then they are allowed to login to the end FTP server, all pretty standard stuff. This works fine for the users but some of the FTP connections are scripted and set as timed jobs on servers. These scripted FTP connections have no idea which username prompt (FWSM or FTP server) is being presented which becomes an issue when connections are made and closed in rapid succession as it appears that the firewall keeps the authenticated session open and allows a new connection straight through.


The config I have is as follows (BTW - we use CSM).


access-list CSM_AAA_AUTHE_INSIDE_LOCAL remark Authenticate outbound FTP access
access-list CSM_AAA_AUTHE_INSIDE_LOCAL extended permit tcp any any eq ftp
!
timeout uauth 0:00:00 absolute uauth 0:05:00 inactivity
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
!
aaa authentication match CSM_AAA_AUTHE_INSIDE_LOCAL INSIDE LOCAL
!
username *********** password **************** encrypted privilege 0


Is there a way to get the scripted FTP sessions to require authentication to the firewall every time they are run, regardless of how often or how frequently they are run? We have some scripted FTP that transfer several MB every few minutes and others that may transfer GB every few hours or each day. Unless the firewall prompt is displayed every time, the scripts fail.


Regards

Mel

Jennifer Halim Thu, 04/15/2010 - 05:26
Cisco Employee

Unfortunately no. The authentication from the FWSM is only prompted as the user/host establishes the FTP connection (control connection, i.e. TCP/21). If your script is run within the data connection, then the answer is no, you can't invoke the FWSM authentication within your FTP data connection.

Mel Popple Thu, 04/15/2010 - 05:43

Thanks for the quick response but we are not trying to initiate the authentication from the data connection, the control connection initiates it.


What I was trying to say is that we need the authenticated session through the firewall to remain open no matter how long the data transfers take, then to close immediately after the FTP downloads/uploads have finished and the 'bye' command is sent across the control connection from the client (our end) to the server (out on the internet). Then the next time the script runs it is presented with the firewall uauth logon prompt and not connected directly to the FTP server's logon prompt (otherwise the script sends the FWSM uauth username to the FTP server!).


Hope that explains it better.

Jennifer Halim Thu, 04/15/2010 - 05:49
Cisco Employee

Ahh.. got it.

How often is your script run?


From the timeout output, it seems that the inactivity timeout is set to 5 minutes, so if it doesn't see any traffic from that server for 5 minutes, the uauth should have expired, and the next time you run the script, it would have prompted for the fwsm username and password again.

Mel Popple Thu, 04/15/2010 - 06:23

The connections are made from many different sources on our network to many different destinations on the internet. Some make connections very frequently, transfer a few Megabytes in a couple of seconds and then close, others open connections less frequently but take much longer because they are transferring Gigabytes of data. Some transfers are triggered when files are updated on servers. Then there are the users doing what they need to do whenever they need to do it.


All a bit random really.

Correct Answer
Jennifer Halim Thu, 04/15/2010 - 06:31
Cisco Employee

If all the connections are that random, the answer is no.


The idea of uauth is to get the user to authenticate just once, and get access after the authentication. If a normal user gets prompted for authentication all the time, that will just annoy them.


So unfortunately, in your FTP script scenario, there is nothing to force the authentication every time the FTP connection is triggered, especially when the server is still sending other traffic through the firewall at the same time.

Mel Popple Thu, 04/15/2010 - 08:46

Cheers for your help.


After a bit more testing we are seeing the same as you explained. Pity though, we were hoping we had just misunderstood something in the docs. We are migrating from another vendors firewall that authenticates each FTP session that is opened and we were hoping there was a way to get the FWSM to do the same.


This issue does raise an interesting question - If many users are logged in to a single terminal server and one of them initiates an FTP session that requires authenticating through the FWSM, do all the others also get granted FTP access as well? Seems a little insecure to me.


Mel

Jennifer Halim Thu, 04/15/2010 - 15:22
Cisco Employee

Yes, unfortunately it is more per ip address authentication. Therefore, if you have a terminal server, and multiple users are using it, the first connection through the FWSM will invoke the authentication, and all users will have access from that terminal server.


Again, uauth is a very simple security feature that was introduced a long time ago. If you require more security, you should be looking into different, more advanced technology (Clean Access solution, etc). Uauth was introduced when security was still at an early stage.
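The two behaviours discussed in this thread (a cached uauth entry letting a rerun script straight through to the FTP server before the inactivity timer expires, and a single per-IP entry covering every user behind a terminal server) can be reproduced with a small model of the uauth cache. The following is an added example written for this page, not Cisco's implementation and not anything posted in the thread; the IP addresses, user names and event times are constructed, the timers correspond to the thread's `timeout uauth 0:00:00 absolute uauth 0:05:00 inactivity` line (absolute 0 disables that timer), and the model counts only new matching connections as activity, whereas the real device also keeps an entry alive while a long transfer is still sending traffic.

```python
"""Toy model of a per-source-IP uauth cache with absolute and inactivity timers.

Constructed example for illustration; not Cisco FWSM/ASA code.
All times are in seconds.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class UauthEntry:
    user: str                 # identity that answered the firewall prompt
    authenticated_at: float   # when the prompt was answered (absolute timer base)
    last_activity: float      # last matching connection seen (inactivity timer base)


@dataclass
class UauthCache:
    absolute: float = 0.0      # 0 = absolute timer disabled (the thread's config)
    inactivity: float = 300.0  # 0:05:00 in the thread's config
    entries: Dict[str, UauthEntry] = field(default_factory=dict)

    def _expired(self, entry: UauthEntry, now: float) -> bool:
        if self.absolute and now - entry.authenticated_at >= self.absolute:
            return True
        if self.inactivity and now - entry.last_activity >= self.inactivity:
            return True
        return False

    def new_connection(self, src_ip: str, now: float, who: str) -> Tuple[str, str]:
        """Decide what a new FTP control connection from src_ip gets.

        Returns (decision, user_on_record):
          "prompt"       - the firewall intercepts and `who` authenticates
          "pass-through" - an existing entry covers this IP; the connection goes
                           straight to the FTP server and is attributed to whoever
                           created the entry, which may not be `who`.
        The cache is keyed by source IP only, never by user.
        """
        entry = self.entries.get(src_ip)
        if entry is None or self._expired(entry, now):
            self.entries[src_ip] = UauthEntry(who, now, now)
            return "prompt", who
        entry.last_activity = now   # activity restarts the inactivity timer
        return "pass-through", entry.user


def run_thread_scenario(absolute: float = 0.0, inactivity: float = 300.0) -> List[Tuple]:
    """Replay a constructed event list and return (time, ip, who, decision, user_on_record)."""
    cache = UauthCache(absolute=absolute, inactivity=inactivity)
    # Constructed events: a scheduled FTP job on 10.1.1.5 and three people
    # sharing a terminal server at 10.1.1.20.
    events = [
        (0.0,   "10.1.1.5",  "ftp-script"),  # first run: prompted, answers with FWSM creds
        (60.0,  "10.1.1.5",  "ftp-script"),  # rerun a minute later
        (400.0, "10.1.1.5",  "ftp-script"),  # rerun after a 340 s idle gap
        (0.0,   "10.1.1.20", "alice"),
        (30.0,  "10.1.1.20", "bob"),
        (90.0,  "10.1.1.20", "carol"),
    ]
    results = []
    for t, ip, who in sorted(events):
        decision, on_record = cache.new_connection(ip, t, who)
        results.append((t, ip, who, decision, on_record))
    return results


if __name__ == "__main__":
    for row in run_thread_scenario():
        print(row)
```

With the thread's timers, the rerun at 60 s is passed straight through (so a script expecting the firewall prompt would send its FWSM credentials to the FTP server), the rerun at 400 s is prompted again because the entry sat idle for more than 300 s, and bob's and carol's sessions are recorded under alice. Setting a non-zero absolute timer forces a fresh prompt after that interval regardless of activity, but it still does not tie the entry to a user; that is the limitation the final answer describes and the reason an audit trail built on uauth alone cannot attribute terminal-server traffic to an individual.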
