Kerberos Servers for AAA

The following topics explain how to configure Kerberos servers used in AAA. You can use Kerberos servers for the authentication of management connections, network access, and VPN user access.

Guidelines for Kerberos Servers for AAA

  • You can have up to 200 server groups in single mode or 8 server groups per context in multiple mode.

  • Each group can have up to 16 servers in single mode or 8 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.

Configure Kerberos Servers for AAA

The following topics explain how to configure Kerberos server groups. You can then use these groups when configuring management access or VPNs.

Configure Kerberos AAA Server Groups

If you want to use a Kerberos server for authentication, you must first create at least one Kerberos server group and add one or more servers to each group.

Procedure


Step 1

Create the Kerberos AAA server group and enter aaa-server-group configuration mode.

aaa-server server_group_name protocol kerberos

Example:


ciscoasa(config)# aaa-server watchdog protocol kerberos

Step 2

(Optional.) Specify the maximum number of failed AAA transactions with a AAA server in the group before trying the next server.

max-failed-attempts number

Example:


ciscoasa(config-aaa-server-group)# max-failed-attempts 2

The number argument can range from 1 and 5. The default is 3.

If you configured a fallback method using the local database (for management access only), and all the servers in the group fail to respond, or their responses are invalid, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for a period of 10 minutes (by default), so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. To change the unresponsive period from the default, see the reactivation-mode command in the next step.

If you do not have a fallback method, the ASA continues to retry the servers in the group.

Step 3

(Optional.) Specify the method (reactivation policy) by which failed servers in a group are reactivated.

reactivation-mode {depletion [deadtime minutes] | timed}

Example:


ciscoasa(config-aaa-server-group)# reactivation-mode depletion deadtime 20

The depletion keyword reactivates failed servers only after all of the servers in the group are inactive. This is the default mode.

The deadtime minutes keyword-argument pair specifies the amount of time in minutes, between 0 and 1440, that elapses between the disabling of the last server in the group and the subsequent reenabling of all servers. Deadtime applies only if you configure fallback to the local database; authentication is attempted locally until the deadtime elapses. The default is 10 minutes.

The timed keyword reactivates failed servers after 30 seconds of down time.

Step 4

(Optional.) Enable Kerberos Key Distribution Center (KDC) validation

validate-kdc

Example:


ciscoasa(config-aaa-server-group)# validate-kdc

To accomplish the authentication, you must also import a keytab file that you exported from the Kerberos Key Distribution Center (KDC). By validating the KDC, you can prevent an attack where the attacker spoofs the KDC so that user credentials are authenticated against the attacker’s Kerberos server.

For information about how to upload the keytab file, see Configure Kerberos Key Distribution Center Validation.


Example

The following example creates a Kerberos server group named watchdogs, adds a server, and sets the realm to EXAMPLE.COM.


hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
hostname(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
hostname(config-aaa-server-host)# exit
hostname(config)# 

Add Kerberos Servers to a Kerberos Server Group

Before you can use a Kerberos server group, you must add at least one Kerberos server to the group.

Procedure


Step 1

Add the Kerberos server to the Kerberos server group.

aaa-server server_group [(interface_name)] host server_ip

Example:


ciscoasa(config-aaa-server-group)# aaa-server servergroup1 outside host 10.10.1.1

If you do not specify an interface, then the ASA uses the inside interface by default.

You can use an IPv4 or IPv6 address.

Step 2

Specify the timeout value for connection attempts to the server.

timeout seconds

Specify the timeout interval (1-300 seconds) for the server; the default is 10 seconds. For each AAA transaction the ASA retries connection attempts (based on the interval defined on the retry-interval command) until the timeout is reached. If the number of consecutive failed transactions reaches the limit specified on the max-failed-attempts command in the AAA server group, the AAA server is deactivated and the ASA starts sending requests to another AAA server if it is configured.

Example:


ciscoasa(config-aaa-server-host)# timeout 15

Step 3

Specify the retry interval, which is the time the system waits before retrying a connection request.

retry-interval seconds

You can specify 1-10 seconds. The default is 10.

Example:


ciscoasa(config-aaa-server-host)# retry-interval 6

Step 4

Specify the server port if it is different from the default Kerberos port, which is TCP/88. The ASA contacts the Kerberos server on this port.

server-port port_number

Example:


ciscoasa(config-aaa-server-host)# server-port 8888

Step 5

Configure the Kerberos realm.

kerberos-realm name

Kerberos realm names use numbers and upper case letters only, and can be up to 64 characters. The name should match the output of the Microsoft Windows set USERDNSDOMAIN command when it is run on the Active Directory server for the Kerberos realm. In the following example, EXAMPLE.COM is the Kerberos realm name:


C:\>set USERDNSDOMAIN
USERDNSDOMAIN=EXAMPLE.COM 

Although the ASA accepts lower case letters in the name, it does not translate lower case letters to upper case letters. Be sure to use upper case letters only.

Example:


ciscoasa(config-asa-server-group)# kerberos-realm EXAMPLE.COM

Example


hostname(config)# aaa-server watchdogs protocol kerberos
hostname(config-aaa-server-group)# aaa-server watchdogs host 192.168.3.4
ciscoasa(config-aaa-server-host)# timeout 9
ciscoasa(config-aaa-server-host)# retry 7
ciscoasa(config-aaa-server-host)# kerberos-realm EXAMPLE.COM
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# 

Configure Kerberos Key Distribution Center Validation

You can configure a Kerberos AAA server group to authenticate the servers in the group. To accomplish the authentication, you must import a keytab file that you exported from the Kerberos Key Distribution Center (KDC). By validating the KDC, you can prevent an attack where the attacker spoofs the KDC so that user credentials are authenticated against the attacker’s Kerberos server.

When you enable KDC validation, after obtaining the ticket-granting ticket (TGT) and validating the user, the system also requests a service ticket on behalf of the user for host/ASA_hostname. The system then validates the returned service ticket against the secret key for the KDC, which is stored in a keytab file that you generated from the KDC and then uploaded to the ASA. If KDC authentication fails, the server is considered untrusted and the user is not authenticated.

The following procedure explains how to accomplish KDC authentication.

Before you begin

You cannot use KDC validation in conjunction with Kerberos Constrained Delegation (KCD). The validate-kdc command will be ignored if the server group is used for KCD.

Procedure


Step 1

(On the KDC.) Create a user account in the Microsoft Active Directory for the ASA (go to Start > Programs > Administrative Tools > Active Directory Users and Computers). For example, if the fully-qualified domain name (FQDN) of the ASA is asahost.example.com, create a user named asahost.

Step 2

(On the KDC.) Create a host service principal name (SPN) for the ASA using the FQDN and user account:


C:> setspn -A HOST/asahost.example.com asahost 

Step 3

(On the KDC.) Create a keytab file for the ASA (line feeds added for clarity):


C:\Users\Administrator> ktpass /out new.keytab +rndPass 
/princ host/asahost@EXAMPLE.COM 
/mapuser asahost@example.com 
/ptype KRB5_NT_SRV_HST 
/mapop set 

Step 4

(On the ASA.) Import the keytab (in this example, new.keytab) to the ASA using the aaa kerberos import-keytab command.


ciscoasa(config)# aaa kerberos import-keytab ftp://ftpserver.example.com/new.keytab 
ftp://ftpserver.example.com/new.keytab imported successfully 

Step 5

(On the ASA.) Add the validate-kdc command to the Kerberos AAA server group configuration. The keytab file is used only by server groups that contain this command.


ciscoasa(config)# aaa-server svrgrp1 protocol kerberos 
ciscoasa(config-aaa-server-group)# validate-kdc 

Monitor Kerberos Servers for AAA

You can use the following commands to monitor and clear Kerberos-related information.

  • show aaa-server

    Shows the AAA server statistics. Use the clear aaa-server statistics command to clear the server statistics.

  • show running-config aaa-server

    Shows the AAA servers that are configured for the system. Use the clear configure aaa-server command to remove the AAA server configuration.

  • show aaa kerberos [ username user]

    Shows all Kerberos tickets, or tickets for a given username.

  • clear aaa kerberos tickets [ username user]

    Clears all Kerberos tickets, or tickets for a given username.

  • show aaa kerberos keytab

    Shows information about the Kerberos keytab file.

  • clear aaa kerberos keytab

    Clears the Kerberos keytab file.

History for Kerberos Servers for AAA

Feature Name

Platform Releases

Description

Kerberos Servers

7.0(1)

Support for Kerberos servers for AAA.

We introduced the following commands:

aaa-server protocol , max-failed-attempts , reactivation-mode , aaa-server host , kerberos-realm , server-port, clear aaa-server statistics, clear configure aaa-server, show aaa-server, show running-config aaa-server, timeout.

IPv6 addresses for AAA

9.7(1)

You can now use either an IPv4 or IPv6 address for the AAA server.

Increased limits for AAA server groups and servers per group.

9.13(1)

You can configure more AAA server groups. In single context mode, you can configure 200 AAA server groups (the former limit was 100). In multiple context mode, you can configure 8 (the former limit was 4).

In addition, in multiple context mode, you can configure 8 servers per group (the former limit was 4 servers per group). The single context mode per-group limit of 16 remains unchanged.

We modified the following commands to accept these new limits: aaa-server , aaa-server host .

Kerberos Key Distribution Center (KDC) authentication.

9.8(4) and subsequent interim releases until 9.14(1)

You can import a keytab file from a Kerberos Key Distribution Center (KDC), and the system can authenticate that the Kerberos server is not being spoofed before using it to authenticate users. To accomplish KDC authentication, you must set up a host/ASA_hostname service principal name (SPN) on the Kerberos KDC, then export a keytab for that SPN. You then must upload the keytab to the ASA, and configure the Kerberos AAA server group to validate the KDC.

We added the following commands: aaa kerberos import-keytab , clear aaa kerberos keytab , show aaa kerberos keytab , validate-kdc .