
ACS, radius and management access to ASA

There are a couple of ways to configure management access to the ASA. One of them is to define the users in the ACS database; depending on the RADIUS attributes returned, a user can be granted specific kinds of management access.

ciscoasa# sh run aaa
aaa authentication telnet console ACS
aaa authentication enable console ACS
aaa authorization exec authentication-server
ciscoasa# sh run aaa-s
ciscoasa# sh run aaa-server
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.168.157.100
 key *****
ciscoasa#

On ACS I added user1 and an authorization profile (Policy Elements -> Authorization and Permissions -> Network Access) with one attribute:
 
RADIUS-IETF Service-Type = Administrative

Let’s then try to access the ASA:
 
R1#telnet 192.168.157.10
Trying 192.168.157.10 ... Open


User Access Verification

Username: user1
Password: *****
Type help or '?' for a list of available commands.
ciscoasa>

On the ASA we can see the RADIUS messages:
 
ciscoasa# debug radius all
radius mkreq: 0xc
alloc_rip 0xbc2fe854
    new request 0xc --> 11 (0xbc2fe854)
got user 'user1'
got password
add_req 0xbc2fe854 session 0xc id 11
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=192.168.157.11

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 0b 00 7f 22 b3 70 e9 6e 0f 9c a5 7a 2b 88 21    |  ..".p.n...z+.!
46 07 34 5d 01 07 75 73 65 72 31 02 12 7d a5 bc    |  F.4]..user1..}..
40 e4 02 35 c1 fa 88 6b cc d6 a2 20 6b 04 06 c0    |  @..5...k... k...
a8 9d 0a 05 06 00 00 00 0b 3d 06 00 00 00 05 1a    |  .........=......
23 00 00 00 09 01 1d 69 70 3a 73 6f 75 72 63 65    |  #......ip:source
2d 69 70 3d 31 39 32 2e 31 36 38 2e 31 35 37 2e    |  -ip=192.168.157.
31 31 1f 1d 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  11..ip:source-ip
3d 31 39 32 2e 31 36 38 2e 31 35 37 2e 31 31       |  =192.168.157.11

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 11 (0x0B)
Radius: Length = 127 (0x007F)
Radius: Vector: 22B370E96E0F9CA57A2B88214607345D
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
7d a5 bc 40 e4 02 35 c1 fa 88 6b cc d6 a2 20 6b    |  }..@..5...k... k
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.157.10 (0xC0A89D0A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xB
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 35 (0x23)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
send pkt 192.168.157.100/1645
rip 0xbc2fe854 state 7 id 11
rad_vrfy() : response message verified
rip 0xbc2fe854
 : chall_state ''
 : state 0x7
 : reqauth:
     22 b3 70 e9 6e 0f 9c a5 7a 2b 88 21 46 07 34 5d
 : info 0xbc2fe98c
     session_id 0xc
     request_id 0xb
     user 'user1'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.157.100
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 69).....
02 0b 00 45 e6 3f 50 fb f8 4b 96 9e 0d 05 a9 83    |  ...E.?P..K......
be 6d ab 95 01 07 75 73 65 72 31 06 06 00 00 00    |  .m....user1.....
06 19 18 43 41 43 53 3a 61 63 73 2f 31 39 38 33    |  ...CACS:acs/1983
38 32 31 30 31 2f 31 34 38 1a 0c 00 00 0c 04 dc    |  82101/148.......
06 00 00 00 0a                                     |  .....

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 11 (0x0B)
Radius: Length = 69 (0x0045)
Radius: Vector: E63F50FBF84B969E0D05A983BE6DAB95
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 25 (0x19) Class
Radius: Length = 24 (0x18)
Radius: Value (String) =
43 41 43 53 3a 61 63 73 2f 31 39 38 33 38 32 31    |  CACS:acs/1983821
30 31 2f 31 34 38                                  |  01/148
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 10 (0x000A)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xbc2fe854 session 0xc id 11
free_rip 0xbc2fe854
radius: send queue empty

Next, I try to enter privileged mode:
 
ciscoasa> en
Password: *****
ciscoasa# sh cur
ciscoasa# sh curpriv
Username : user1
Current privilege level : 10
Current Mode/s : P_PRIV
ciscoasa#

As we see, privileged mode is accessible to user1. I also changed the default privilege level to 10 with the following attribute:
 
CVPN3000/ASA/PIX7.x-Priviledge-Level = 10

Below are the RADIUS messages exchanged during ‘enable’. When you compare the logs from the ‘login’ and ‘enable’ processes, you will find they are the same. The reason is that RADIUS doesn’t use an ‘enable’ password; the enable authentication looks just like a ‘login’ (a query for user/password).
 
ciscoasa# 
radius mkreq: 0xd
alloc_rip 0xbc2fe854
    new request 0xd --> 12 (0xbc2fe854)
got user 'user1'
got password
add_req 0xbc2fe854 session 0xd id 12
RADIUS_REQUEST
radius.c: rad_mkpkt
rad_mkpkt: ip:source-ip=192.168.157.11

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 127).....
01 0c 00 7f d2 a3 a0 59 1e ff cc 15 2a 1b b8 91    |  .....Y....*...
f6 f7 64 cd 01 07 75 73 65 72 31 02 12 ee db 07    |  ..d...user1.....
5c f4 78 5d 4b 2f f9 b8 75 c5 0e 0f 8e 04 06 c0    |  \.x]K/..u.......
a8 9d 0a 05 06 00 00 00 0c 3d 06 00 00 00 05 1a    |  .........=......
23 00 00 00 09 01 1d 69 70 3a 73 6f 75 72 63 65    |  #......ip:source
2d 69 70 3d 31 39 32 2e 31 36 38 2e 31 35 37 2e    |  -ip=192.168.157.
31 31 1f 1d 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  11..ip:source-ip
3d 31 39 32 2e 31 36 38 2e 31 35 37 2e 31 31       |  =192.168.157.11

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 12 (0x0C)
Radius: Length = 127 (0x007F)
Radius: Vector: D2A3A0591EFFCC152A1BB891F6F764CD
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ee db 07 5c f4 78 5d 4b 2f f9 b8 75 c5 0e 0f 8e    |  ...\.x]K/..u....
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 192.168.157.10 (0xC0A89D0A)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xC
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 35 (0x23)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 29 (0x1D)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 39 32    |  ip:source-ip=192
2e 31 36 38 2e 31 35 37 2e 31 31                   |  .168.157.11
send pkt 192.168.157.100/1645
rip 0xbc2fe854 state 7 id 12
rad_vrfy() : response message verified
rip 0xbc2fe854
 : chall_state ''
 : state 0x7
 : reqauth:
     d2 a3 a0 59 1e ff cc 15 2a 1b b8 91 f6 f7 64 cd
 : info 0xbc2fe98c
     session_id 0xd
     request_id 0xc
     user 'user1'
     response '***'
     app 0
     reason 0
     skey 'cisco'
     sip 192.168.157.100
     type 1

RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 69).....
02 0c 00 45 61 a0 b3 2e a8 6a b2 ee 97 f1 38 33    |  ...Ea....j....83
c3 54 02 64 01 07 75 73 65 72 31 06 06 00 00 00    |  .T.d..user1.....
06 19 18 43 41 43 53 3a 61 63 73 2f 31 39 38 33    |  ...CACS:acs/1983
38 32 31 30 31 2f 31 34 39 1a 0c 00 00 0c 04 dc    |  82101/149.......
06 00 00 00 0a                                     |  .....

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 12 (0x0C)
Radius: Length = 69 (0x0045)
Radius: Vector: 61A0B32EA86AB2EE97F13833C3540264
Radius: Type = 1 (0x01) User-Name
Radius: Length = 7 (0x07)
Radius: Value (String) =
75 73 65 72 31                                     |  user1
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x6
Radius: Type = 25 (0x19) Class
Radius: Length = 24 (0x18)
Radius: Value (String) =
43 41 43 53 3a 61 63 73 2f 31 39 38 33 38 32 31    |  CACS:acs/1983821
30 31 2f 31 34 39                                  |  01/149
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 12 (0x0C)
Radius: Vendor ID = 3076 (0x00000C04)
Radius: Type = 220 (0xDC) Privilege Level
Radius: Length = 6 (0x06)
Radius: Value (Integer) = 10 (0x000A)
rad_procpkt: ACCEPT
RADIUS_ACCESS_ACCEPT: normal termination
RADIUS_DELETE
remove_req 0xbc2fe854 session 0xd id 12
free_rip 0xbc2fe854
radius: send queue empty

The next service type is ‘outbound’, used mainly for end users (for example: VPN):
 
Service-Type=Outbound           <--- console access only, no telnet, no asdm

Let’s test it:
 
R1#telnet 192.168.157.10
Trying 192.168.157.10 ... Open


User Access Verification

Username: user1
Password: *****

[ user1 ] You do NOT have Admin Rights to the console !

[Connection to 192.168.157.10 closed by foreign host]
R1#

As you can see, I can’t log in via telnet. The Service-Type returned this time is:
 
Radius: Type = 6 (0x06) Service-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5

The last service type I’m testing today is ‘nas-prompt’:
 
Service-Type=nas-prompt           <--- asdm monitor only and cli without privilege mode

From the Cisco documentation:

“The nas-prompt keyword allows access to the CLI when you configure the aaa authentication {telnet | ssh | serial} console LOCAL command, but denies ASDM configuration access if you configure the aaa authentication http console LOCAL command. ASDM monitoring access is allowed. If you enable authentication with the aaa authentication enable console LOCAL command, the user cannot access privileged EXEC mode using the enable command (or the login command).”

Source: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_aaa.html

Let’s try this one:
 
R1#telnet 192.168.157.10
Trying 192.168.157.10 ... Open


User Access Verification

Username: user1
Password: *****
Type help or '?' for a list of available commands.
ciscoasa>
ciscoasa>
ciscoasa> en
Password: *****

[ user1 ] You do NOT have enable Admin Rights to the console
Password:
Password:
Access denied.
ciscoasa>

We are able to log in, but access to privileged mode is not allowed.
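To see exactly what the ASA is acting on in the three tests above, here is a small decoder for the dumps printed by ‘debug radius all’. This is an added example, not code from this post or from Cisco. It parses the Access-Request and Access-Accept hex dumps copied from the first ‘login’ above, walks the attributes including the two Vendor-Specific ones (the Cisco-AV-pair under vendor 9 and the CVPN3000/ASA/PIX7.x Privilege Level, vendor 3076 type 220), maps Service-Type to the RFC 2865 names that the ‘administrative’, ‘outbound’ and ‘nas-prompt’ tests exercise, and repeats the rad_vrfy() check of the Response Authenticator with the shared key that the debug output shows as skey 'cisco'. The attribute numbers and byte values come from the dumps; the Service-Type name table is from RFC 2865; the per-value ASA behaviour is what the post observed.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Hex dumps copied from the 'debug radius all' output of the first login above:
# the Access-Request (127 bytes) the ASA sent and the Access-Accept (69 bytes) ACS returned.
ACCESS_REQUEST_HEX = """
01 0b 00 7f 22 b3 70 e9 6e 0f 9c a5 7a 2b 88 21
46 07 34 5d 01 07 75 73 65 72 31 02 12 7d a5 bc
40 e4 02 35 c1 fa 88 6b cc d6 a2 20 6b 04 06 c0
a8 9d 0a 05 06 00 00 00 0b 3d 06 00 00 00 05 1a
23 00 00 00 09 01 1d 69 70 3a 73 6f 75 72 63 65
2d 69 70 3d 31 39 32 2e 31 36 38 2e 31 35 37 2e
31 31 1f 1d 69 70 3a 73 6f 75 72 63 65 2d 69 70
3d 31 39 32 2e 31 36 38 2e 31 35 37 2e 31 31
"""
ACCESS_ACCEPT_HEX = """
02 0b 00 45 e6 3f 50 fb f8 4b 96 9e 0d 05 a9 83
be 6d ab 95 01 07 75 73 65 72 31 06 06 00 00 00
06 19 18 43 41 43 53 3a 61 63 73 2f 31 39 38 33
38 32 31 30 31 2f 31 34 38 1a 0c 00 00 0c 04 dc
06 00 00 00 0a
"""

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# RFC 2865 Service-Type values; the post tests 6, 5 and 7.
SERVICE_TYPES = {1: "Login", 2: "Framed", 3: "Callback-Login", 4: "Callback-Framed",
                 5: "Outbound", 6: "Administrative", 7: "NAS-Prompt"}
# What the post observed on the ASA for each of the three values.
ASA_ACCESS = {"Administrative": "CLI login and 'enable' permitted",
              "Outbound": "CLI login refused (no Admin Rights to the console)",
              "NAS-Prompt": "CLI login permitted, 'enable' refused"}
CISCO_VENDOR = 9        # Cisco-AV-pair is vendor 9, vendor-type 1
ALTIGA_VENDOR = 3076    # CVPN3000/ASA/PIX7.x dictionary; vendor-type 220 = Privilege Level

@dataclass
class RadiusPacket:
    code: int
    identifier: int
    length: int
    authenticator: bytes
    # (type, value) for plain attributes, (26, vendor_id, vendor_type, value) for VSAs
    attributes: list = field(default_factory=list)

def from_hexdump(dump: str) -> bytes:
    return bytes.fromhex("".join(dump.split()))

def parse_packet(raw: bytes) -> RadiusPacket:
    """Parse a RADIUS packet, refusing anything whose lengths do not add up."""
    if len(raw) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"Length field {length} does not match {len(raw)} bytes on the wire")
    pkt = RadiusPacket(code, ident, length, raw[4:20])
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = raw[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific: vendor-id(4) vendor-type(1) vendor-length(1) data
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            if vlen != len(value) - 4:
                raise ValueError("vendor-length does not match the attribute length")
            pkt.attributes.append((26, vendor, vtype, value[6:]))
        else:
            pkt.attributes.append((atype, value))
        pos += alen
    return pkt

def compute_response_authenticator(header: bytes, attributes: bytes,
                                   request_authenticator: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()

def verify_response_authenticator(response: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """The check rad_vrfy() performs before the ASA trusts an Access-Accept."""
    expected = compute_response_authenticator(response[:4], response[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, response[4:20])

def summarize(pkt: RadiusPacket) -> dict:
    """Extract the fields that decide management access on the ASA."""
    out = {"user": None, "service_type": None, "privilege_level": None, "av_pairs": [], "asa": None}
    for attr in pkt.attributes:
        if attr[0] == 1:
            out["user"] = attr[1].decode()
        elif attr[0] == 6:
            st = struct.unpack("!I", attr[1])[0]
            out["service_type"] = SERVICE_TYPES.get(st, f"unknown({st})")
            out["asa"] = ASA_ACCESS.get(out["service_type"])
        elif attr[0] == 26:
            _, vendor, vtype, data = attr
            if vendor == CISCO_VENDOR and vtype == 1:
                out["av_pairs"].append(data.decode())
            elif vendor == ALTIGA_VENDOR and vtype == 220:
                out["privilege_level"] = struct.unpack("!I", data)[0]
    return out

if __name__ == "__main__":
    req = parse_packet(from_hexdump(ACCESS_REQUEST_HEX))
    acc = parse_packet(from_hexdump(ACCESS_ACCEPT_HEX))
    print(CODES[req.code], "id", req.identifier, summarize(req))
    print(CODES[acc.code], "id", acc.identifier, summarize(acc))
    # Same check as rad_vrfy(); the shared key is the skey the debug output exposes.
    print("response authenticator valid:",
          verify_response_authenticator(from_hexdump(ACCESS_ACCEPT_HEX), req.authenticator, b"cisco"))
```

Two things worth noticing while reading the summary: the Access-Accept is what decides access (Service-Type plus the vendor 3076 privilege level), so tightening who can edit the ACS authorization profile matters as much as the ASA config; and the debug output prints the shared key in clear text, so ‘debug radius all’ captures should be handled like any other credential material.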
