For small businesses, using an external user database such as Cisco ACS is not always feasible. Fortunately, Cisco ASA software includes the ability to use a local user database for authenticating administrators and remote access users.
The commands are straightforward: to add a user, enter the username command. For example:
Firewall(config)# username bgeorge password b3lucky
By default, the ASA assigns users a privilege level of 2. On a scale of 0 to 15, this sounds harmless. However, it is enough to allow access to all commands within privileged EXEC mode! Those coming from an IOS background may assume the enable password prevents users from gaining access to privileged mode; this is not the case. By default, a user can enter the login command from user EXEC mode, which grants them privileged EXEC access at their assigned level. For example, the user bgeorge accesses the ASA from user EXEC mode:
Firewall> login
Username: bgeorge
Password: b3lucky
Firewall# show curpriv
Username : bgeorge
Current privilege level : 2
Current Mode/s : P_PRIV
Firewall#
The user bgeorge now has full access to the ASA!
The simple way to prevent this is to make sure you assign a privilege level to each user. If bgeorge is a remote-access user, assign a privilege level of 0. Also, enabling local command authorization means that even users left at the default privilege level of 2 won’t have access to practically any command from within privileged EXEC mode. To activate local command authorization, enter the following:
Firewall(config)# aaa authorization command LOCAL
You can view the commands and their default privilege level as follows:
Firewall# sh run all privilege all
Administrators may wish to keep the enable password different from the user password (similar to IOS). If you wish to do this, ensure all user accounts are set to privilege level 0. To access privileged mode, use the enable command followed by the enable password. This places you at level 15 as user ‘enable_15’. The recommended method is to configure authentication for the enable command as follows:
Firewall(config)# aaa authentication enable console LOCAL
This forces users into their assigned privilege level by requiring their own password instead of the enable one. For example, typing the enable command from user EXEC mode now requires the user’s password, not the enable password. There is no indication of this to the user, as the prompt is the same. Used in conjunction with local command authorization, this provides a basic level of security for the administration of your ASA.
Finally, if you do add users to the local database for remote access, you can restrict their access to a specific group using the group-lock command. By default, users are allowed to access any group, as they inherit this from the default group policy. The following is an example of how to configure this:
Firewall(config)# username johnd password c1sc0 privilege 0
Firewall(config)# username johnd attributes
Firewall(config-username)# group-lock value vpn-admin
This will limit user johnd to the vpn-admin group.
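As an added example (not part of the original post), the following script audits a saved copy of show running-config for the two weaknesses described above: username entries with no explicit privilege keyword (which default to level 2) and the absence of the local command authorization and enable authentication lines. The configuration excerpts it ships with are constructed samples, and the regular expressions assume the username syntax shown in this post.

```python
import re

# ASA assigns level 2 when 'privilege' is omitted from the username command.
DEFAULT_PRIV = 2

# Matches running-config user lines; 'username X attributes' lines do not match.
USER_RE = re.compile(
    r"^username (?P<name>\S+) (?:password \S+(?: encrypted)?|nopassword)"
    r"(?: privilege (?P<priv>\d+))?\s*$"
)

# Constructed sample excerpts of 'show running-config' (not from a real device).
WEAK_CONFIG = """\
username bgeorge password b3lucky encrypted
username johnd password c1sc0 encrypted privilege 0
username johnd attributes
 group-lock value vpn-admin
aaa authentication ssh console LOCAL
"""

HARDENED_CONFIG = """\
username bgeorge password b3lucky encrypted privilege 0
username johnd password c1sc0 encrypted privilege 0
aaa authorization command LOCAL
aaa authentication enable console LOCAL
"""

def parse_users(config):
    """Map each user to (privilege level, whether the level was set explicitly)."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            priv = m.group("priv")
            users[m.group("name")] = (int(priv) if priv else DEFAULT_PRIV, priv is not None)
    return users

def audit(config):
    """Return one finding per weakness the post describes; empty list means clean."""
    findings = []
    for name, (level, explicit) in parse_users(config).items():
        if not explicit:
            findings.append(f"user {name}: no privilege set, defaults to level {level} "
                            "and can reach privileged EXEC via 'login'")
    if not re.search(r"^aaa authorization command LOCAL\s*$", config, re.M):
        findings.append("missing 'aaa authorization command LOCAL'")
    if not re.search(r"^aaa authentication enable console LOCAL\s*$", config, re.M):
        findings.append("missing 'aaa authentication enable console LOCAL'")
    return findings
```

Running audit() over WEAK_CONFIG reports bgeorge plus the two missing aaa lines; HARDENED_CONFIG produces no findings.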
January 11th, 2008 at 8:41 pm
John,
I noticed you mentioned in the Title ASA v7.x I take it these commands and findings also relate to the ASA v8.x software?
January 11th, 2008 at 9:20 pm
Hi Simon,
Yes, you can also apply this to version 8 as well. There is even the option to assign a user a ‘type’ such as remote-access or admin using the service-type command within the username attributes:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/aaa.html#wpxref64390
January 12th, 2008 at 7:43 pm
Thanks, I have noticed there are more aaa commands added in the 8.0(2) command line reference guide as well, however I’m unable to find the 8.0(3) command line ref guide as yet on the cisco site.