Thursday, August 28, 2014

ACS, radius and management access to ASA

There are couple of ways how to configure management access to ASA. One of them is configuring users in ACS database. Depending on radius attributes the user can have access to specific management ways.

ciscoasa# sh run aaa
aaa authentication telnet console ACS
aaa authentication enable console ACS
aaa authorization exec authentication-server
ciscoasa# sh run aaa-s
ciscoasa# sh run aaa-server
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.168.157.100
 key *****
ciscoasa#

On ACS I added user1, authorization profile (policy elements->Authorization and Permissions->Network Access) with one attribute:
 
RADIUS-IETF Service-Type = Administrative

Let’s try then access to ASA:
 
R1#telnet 192.168.157.10
Trying 192.168.157.10 ... Open


User Access Verification

Username: user1
Password: *****
Type help or '?' for a list of available commands.
ciscoasa>

on the ASA we can see radius messages:
 
ciscoasa# debug radius all
radius mkreq: 0xc
alloc_rip 0xbc2fe854
    new request 0xc --> 11 (0xbc2fe854)
got user 'user1'
got password
add_req 0xbc2fe854 session 0xc id 11
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=192.168.157.11

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 0b 00 7f 22 b3 70 e9 6e 0f 9c a5 7a 2b 88 21    |  ..".p.n...z+.!
46 07 34 5d 01 07 75 73 65 72 31 02 12 7d a5 bc    |  F.4]..user1..}..
40 e4 02 35 c1 fa 88 6b cc d6 a2 20 6b 04 06 c0    |  @..5...k... k...
a8 9d 0a 05 06 00 00 00 0b 3d 06 00 00 00 05 1a    |  .........=......
23 00 00 00 09 01 1d 69 70 3a 73 6f 75 72 63 65    |  #......ip:source
2d 69 70 3d 31 39 32 2e 31 36 38 2e 31 35 37 2e    |  -ip=192.168.157.
31 31 1f 1d 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  11..ip:source-ip
3d 31 39 32 2e 31 36 38 2e 31 35 37 2e 31 31       |  =192.168.157.11

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 11 (0x0B)
Radius: Length = 127 (0x007F)
Radius: Vector: 22B370E96E0F9CA57A2B88214607345D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
7d a5 bc 40 e4 02 35 c1 fa 88 6b cc d6 a2 20 6b    |  }..@..5...k... k
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.157.10 (0xC0A89D0A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 35 (0x23)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
send pkt 192.168.157.100/1645
rip 0xbc2fe854 state 7 id 11
rad_vrfy() : response message verified
rip 0xbc2fe854
 : chall_state ''
 : state 0x7
 : reqauth:
     22 b3 70 e9 6e 0f 9c a5 7a 2b 88 21 46 07 34 5d
 : info 0xbc2fe98c
     session_id 0xc
     request_id 0xb
     user 'user1'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.157.100
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 69).....
02 0b 00 45 e6 3f 50 fb f8 4b 96 9e 0d 05 a9 83    |  ...E.?P..K......
be 6d ab 95 01 07 75 73 65 72 31 06 06 00 00 00    |  .m....user1.....
06 19 18 43 41 43 53 3a 61 63 73 2f 31 39 38 33    |  ...CACS:acs/1983
38 32 31 30 31 2f 31 34 38 1a 0c 00 00 0c 04 dc    |  82101/148.......
06 00 00 00 0a                                     |  .....

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 11 (0x0B)
Radius: Length = 69 (0x0045)
Radius: Vector: E63F50FBF84B969E0D05A983BE6DAB95
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 25 (0x19) Class
Radius: Length = 24 (0x18)
Radius: Value (String) =
43 41 43 53 3a 61 63 73 2f 31 39 38 33 38 32 31    |  CACS:acs/1983821
30 31 2f 31 34 38                                  |  01/148
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 10 (0x000A)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xbc2fe854 session 0xc id 11
free_rip 0xbc2fe854
radius: send queue empty

Next, I try to enter to the privilege mode:
 
ciscoasa> en
Password: *****
ciscoasa# sh cur
ciscoasa# sh curpriv
Username : user1
Current privilege level : 10
Current Mode/s : P_PRIV
ciscoasa#

As we see the privilege mode is accessible by user1. I changed also default privilege level to 10 by following attribute:
 
CVPN3000/ASA/PIX7.x-Priviledge-Level = 10

Below there are radius messages exchanged during ‘enable’. When you compare the logs from ‘login’ and ‘enable’ process, you will find they are the same. The reason of this fact is the radius doesn’t use ‘enable’ password and authentication looks like ‘login’ (query for user/password).
 
ciscoasa# 
radius mkreq: 0xd
alloc_rip 0xbc2fe854
    new request 0xd --> 12 (0xbc2fe854)
got user 'user1'
got password
add_req 0xbc2fe854 session 0xd id 12
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=192.168.157.11

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 0c 00 7f d2 a3 a0 59 1e ff cc 15 2a 1b b8 91    |  .....Y....*...
f6 f7 64 cd 01 07 75 73 65 72 31 02 12 ee db 07    |  ..d...user1.....
5c f4 78 5d 4b 2f f9 b8 75 c5 0e 0f 8e 04 06 c0    |  \.x]K/..u.......
a8 9d 0a 05 06 00 00 00 0c 3d 06 00 00 00 05 1a    |  .........=......
23 00 00 00 09 01 1d 69 70 3a 73 6f 75 72 63 65    |  #......ip:source
2d 69 70 3d 31 39 32 2e 31 36 38 2e 31 35 37 2e    |  -ip=192.168.157.
31 31 1f 1d 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  11..ip:source-ip
3d 31 39 32 2e 31 36 38 2e 31 35 37 2e 31 31       |  =192.168.157.11

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 12 (0x0C)
Radius: Length = 127 (0x007F)
Radius: Vector: D2A3A0591EFFCC152A1BB891F6F764CD
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ee db 07 5c f4 78 5d 4b 2f f9 b8 75 c5 0e 0f 8e    |  ...\.x]K/..u....
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.157.10 (0xC0A89D0A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xC
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 35 (0x23)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
send pkt 192.168.157.100/1645
rip 0xbc2fe854 state 7 id 12
rad_vrfy() : response message verified
rip 0xbc2fe854
 : chall_state ''
 : state 0x7
 : reqauth:
     d2 a3 a0 59 1e ff cc 15 2a 1b b8 91 f6 f7 64 cd
 : info 0xbc2fe98c
     session_id 0xd
     request_id 0xc
     user 'user1'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.157.100
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 69).....
02 0c 00 45 61 a0 b3 2e a8 6a b2 ee 97 f1 38 33    |  ...Ea....j....83
c3 54 02 64 01 07 75 73 65 72 31 06 06 00 00 00    |  .T.d..user1.....
06 19 18 43 41 43 53 3a 61 63 73 2f 31 39 38 33    |  ...CACS:acs/1983
38 32 31 30 31 2f 31 34 39 1a 0c 00 00 0c 04 dc    |  82101/149.......
06 00 00 00 0a                                     |  .....

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 12 (0x0C)
Radius: Length = 69 (0x0045)
Radius: Vector: 61A0B32EA86AB2EE97F13833C3540264
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 25 (0x19) Class
Radius: Length = 24 (0x18)
Radius: Value (String) =
43 41 43 53 3a 61 63 73 2f 31 39 38 33 38 32 31    |  CACS:acs/1983821
30 31 2f 31 34 39                                  |  01/149
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 10 (0x000A)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xbc2fe854 session 0xd id 12
free_rip 0xbc2fe854
radius: send queue empty

Next service type is ‘outbound’, used mainly for end users (for example: VPN):
 
Service-Type=Outbound           <--- console access only, no telnet, no asdm

Let’s test it:
 
R1#telnet 192.168.157.10
Trying 192.168.157.10 ... Open


User Access Verification

Username: user1
Password: *****

[ user1 ] You do NOT have Admin Rights to the console !

[Connection to 192.168.157.10 closed by foreign host]
R1#

As you see I can’t login via telnet.
 
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5

The last service type I test today is ‘nas-prompt’:
 
Service-Type=nas-prompt           <--- asdm monitor only and cli without privilege mode

from cisco doc:

“The nas-prompt keyword allows access to the CLI when you configure the aaa authentication {telnet | ssh | serial} console LOCAL command, but denies ASDM configuration access if you configure the aaa authentication http console LOCAL command. ASDM monitoring access is allowed. If you enable authentication with the aaa authentication enable console LOCAL command, the user cannot access privileged EXEC mode using the enable command (or the login command). ”

source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_aaa.html

Let’s try this one:
 
R1#telnet 192.168.157.10
Trying 192.168.157.10 ... Open


User Access Verification

Username: user1
Password: *****
Type help or '?' for a list of available commands.
ciscoasa>
ciscoasa>
ciscoasa> en
Password: *****

[ user1 ] You do NOT have enable Admin Rights to the console
Password:
Password:
Access denied.
ciscoasa>

We are able to login but access to privilege mode is not allowed.

No comments:

Post a Comment