This blog is the first of a series of articles on the new security features of IOS 15.0 code. Our focus will be on what we view as the more significant and complex singular aspects of this major rollout with regards to the security components. One such major improvement is in the area of the AAA authorization and authentication cache.
Administrators of the PIX and ASA, which support the AAA cut-thru proxy as well as the console access features, are well aware of the user-authentication caching capabilities of these appliances. A drawback in the current implementation of code on these firewalls, however, is the requirement for maintaining local user accounts (especially those for administrators) in case of a RADIUS or TACACS+ server outage.
The new AAA Authentication and Authorization cache feature in the 15.0 mainline IOS provides a slick alternative to this scenario by offering a configurable local database for not only users, but also entire user groups. Rather than provide the details of this implementation here, the reference provided below gives the exact syntax required. The major steps required for configuring the cache are:
- Creating the cache profile groups and rules
- Assigning the cache profile to specific TACACS+ and RADIUS server groups
- Updating the aaa authentication and authorization lists to use these profiles
In step #2 above, the administrator can configure an expiration time for the cached user groups, configured in the .*@domainname regex syntax with the units expressed in hours! The intent here is clearly provide a mechanism for administrative groups of users to have their TACACS+ credentials and privileges preserved for sufficient time as would be required to effect repairs or restoration to an inaccessible server.
This feature should not be confused with the global configuration aaa cache filter and aaa cache filterserver commands, which are intended for maintaining or purging information for users which are authenticated and authorized for access to network resources. The primary purpose of these commands is to conserve router resources utilized by such components as downloaded access control lists.
As mentioned at the beginning of this blog, it remains to be seen if this administrative aaa caching functionality for the IOS Router will eventually be extended to the ASA security appliance as well.
Author: Doug McKillip