Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
446
Views
0
Helpful
3
Replies

Can we enable AAA in FWSM System Execution Space?

limtohsoon
Level 1
Level 1

‎05-20-2008 02:54 AM - edited ‎03-11-2019 05:47 AM

Hi Sir,

I have an FWSM version 3.1(8) installed in a Catalyst 6513 (with Sup720). It is configured in multiple context mode.

All the contexts (admin + user) initially have AAA Authentication configured to authenticate CLI access against a TACACS+ server(ACS v3.2).

Users typically telnet to the Admin context, switch to system execution space, and from there switch to other contexts. The whole FWSM is under one common administrative control.

Lately I configured AAA Accounting on all the contexts to account for the commands executed by the users. It works. I can see the logs in TACACS+ Administration in the ACS.

I have the following concerns:

1. Can we enable AAA accounting for the system execution space? I notice AAA commands are not available there. This is to counter for users who telnet to the Admin context, get authenticated, and then switch to the system execution space. Also to counter for the scenario whereby users log in to the switch and session into the FWSM. I need to authenticate and account them against the same TACACS+ server.

2. How to prevent users from sessioning into the FWSM from the switch CLI? I can think of changing the enable password of the system execution space. They will be forced to execute the "login" command and be prompted for username. Then again, I think the usernames are only kept in local database since we can configure AAA here.

Any suggestions are most welcome.

Thank you.

B.Rgds,

Lim TS

Labels:
0 Helpful
3 Replies 3

c.hulcher
Level 1
Level 1

‎05-21-2008 12:41 PM

1. No, there does not seem to be a way to account for commands entered within the system execution space. The admin context is the "gateway" for the system execution space so access to there will always get you to the other.

2. Setup command authorization for the host switch and restrict access to the "session slot X" command.

0 Helpful

limtohsoon
Level 1
Level 1
In response to c.hulcher

‎05-21-2008 09:13 PM

Hi Carson,

I tested this:

Telnet to admin context and log in. "changeto system" and made changes there. My commands were not accounted in the ACS. Then switched to other contexts and made some changes. Those commands were accounted in the ACS, clearly showing my username and the commands I executed in those contexts.

I agree with you, we can set up command authorization for the host switch and restrict access to the "session slot X" command. However as my test shows, we can't avoid a user from doing "changeto system" from the admin context.

Any insight? Configure command authorization?

Thank you.

B.Rgds,

Lim TS

0 Helpful

c.hulcher
Level 1
Level 1
In response to limtohsoon

‎05-22-2008 05:54 AM

That was kind of my point, anyone that you trust to be within the admin context is going to be able to control the entire firewall including being able to get into the system execution space. The admin context (along with sessioning from the host device) is your gateway and where you have to restrict access.

Is your admin context used strictly for access to the firewall and not for actively passing traffic? If so, remove everyone that you don't want getting into the system execution space from the allowed list of users. If not, then command authorization within the admin context would definitely do the trick.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card