We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
We have succesfully deployed this our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stubbled across issues.
Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
aaa-server XXXXX protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server XXXXX inside host <SERVER>
aaa authentication telnet console XXXXX LOCAL
aaa authentication enable console XXXXX LOCAL
aaa authentication ssh console XXXXX LOCAL
aaa authentication http console XXXXX LOCAL
aaa authentication serial console XXXXX LOCAL
aaa accounting command XXXXX
aaa accounting telnet console XXXXX
aaa accounting ssh console XXXXX
aaa accounting enable console XXXXX
aaa accounting serial console XXXXX
aaa authorization command XXXXX LOCAL
Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attemptâ¦.e.g.
1st Attempt = Server 1
2nd Attempt = Server 2
3rd Attempt = Server 3
4th Attempt = Server 4
This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
With âdepletion timedâ configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
âWARNING: Fallback authentication is configured, but reactivation mode is set to
timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
The next issue is that of accounting.....AAA Accounting does not record âSHOWâ commands or session accounting records (start/stop) or âENABLE".
The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
As RSA SecurID token can only be used once this fails and locks the account.
Any ideas on how to make two of Ciscos leading security products work together better?
We recommend that you use the same username and password in the local database as the
AAA server because the security appliance prompt does not give any indication which method is being used.
Failure to LOCAL, page 2-42 states:
You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
AAA Accounting, page 2-2 states:
To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
ASDM issue, page 2-17 states:
HTTP management authentication does not support the SDI protocol for AAA server group
So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
Is there a roadmap to improve this with later versions of the OS?
Will the PIX/ASA code ever properly support the same features as IOS?
Would it be better to look at using something like CSM instead of ASDM?
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...