Post on 26-May-2015
AAA - Authentication, Authorization and Accounting
AT - 8000S
AAA Services
Authentication Authorization Accounting
The Need for AAA services
• In present day networks many tools are available to access and configure devices, locally or remotely (Terminal, Telnet, EWS, SSH etc)
• It is desirable and useful to be able to limit who can view/change settings of the system
• Verification is needed for:
– User authentication – will the user have (any) device access?
– User authorization – once the user has access, what level of access will he have?
AAA services
• AAA security services – using usernames and/or passwords to authenticate a user’s identity, determine the access (authorization) level and record what the user has done.
• The AT - 8000S switches implement Authentication and Authorization.
Secure Switch Management Local Authentication Data Flow
[Diagram: a user connects to the switch by Console, Telnet or SSH and sends UserID: bob, Password: ge55gep. The device checks its own database (UserID: bob, Password: ge55gep, attributes: xxxx) and answers Access-Accept.]
Secure Switch Management Authentication Data Flow
[Diagram: a user connects to the switch by Console, Telnet or SSH and sends UserID: bob, Password: ge55gep. The device forwards UserID: bob, Password: ge55gep, Device-ID: 207.12.4.1 to the RADIUS server, which selects UserID=bob from its user database (password=ge55gep, Timeout=3600, other attributes) and returns Access-Accept with User-Name=bob and other attributes.]
RADIUS Basics
• Defined by IETF standard RFC2138 & RFC2139
http://www.faqs.org/rfcs/rfc2138.html
http://www.faqs.org/rfcs/rfc2139.html
• Requires Clients (normally a NAS, in our case a Switch) and servers (often called RADIUS servers)
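The exchange in the RADIUS data-flow diagram above, worked through as an added Python example (it is not part of the original presentation): the switch hides the user's password with the shared secret and sends an Access-Request carrying User-Name, User-Password and the Device-ID as NAS-IP-Address; the server recovers the password, checks its user database and answers with an Access-Accept or Access-Reject whose Response Authenticator is keyed on the shared secret; the switch verifies that authenticator before trusting the reply. Packet and attribute layouts follow RFC 2138; the shared secret, the user database and the NAS address are constructed for the demo.

```python
"""Added example: minimal RADIUS Access-Request / Access-Accept exchange
(RFC 2138 framing, password hiding and Response Authenticator check)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # attribute types

# Constructed for this demo: the shared secret configured on switch and server,
# and the server's user database (the "User Database" box in the diagram).
SECRET = b"demo-shared-secret"
USER_DB = {"bob": b"ge55gep"}


def hide_password(password, secret, req_auth):
    """RFC 2138 section 5.2: pad to a 16-octet multiple, XOR each block with
    MD5(secret + previous block); the first block keys on the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password, as done on the server; strips the zero padding."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    # Each attribute is Type (1 octet), Length (1 octet, header included), Value.
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def parse_packet(pkt):
    """Header: Code (1), Identifier (1), Length (2), Authenticator (16), then attributes."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])


def client_access_request(user, password, nas_ip, ident=1):
    """Switch side: build the Access-Request (UserID, hidden password, Device-ID)."""
    req_auth = os.urandom(16)                          # fresh Request Authenticator
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password, SECRET, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    body = encode_attrs(attrs)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body
    return pkt, req_auth


def server_handle(pkt):
    """RADIUS server side: recover the password, look the user up, sign the reply."""
    _, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    user = a[USER_NAME].decode()
    given = reveal_password(a[USER_PASSWORD], SECRET, req_auth)
    stored = USER_DB.get(user)                         # "Select UserID=bob"
    ok = stored is not None and hmac.compare_digest(stored, given)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    body = encode_attrs([(USER_NAME, user.encode())] if ok else [])
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + body + SECRET).digest()
    return header + resp_auth + body


def reply_is_authentic(resp, req_auth):
    """Switch side: trust a reply only if its Response Authenticator matches our
    secret and the Request Authenticator we sent (rejects injected replies)."""
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + SECRET).digest()
    return hmac.compare_digest(expected, resp[4:20])


def authenticate(user, password, nas_ip="207.12.4.1"):
    """Full exchange; True only for an authentic Access-Accept."""
    req, req_auth = client_access_request(user, password, nas_ip)
    resp = server_handle(req)
    if not reply_is_authentic(resp, req_auth):
        return False
    return parse_packet(resp)[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("bob / ge55gep ->", authenticate("bob", b"ge55gep"))   # True
    print("bob / wrong   ->", authenticate("bob", b"wrong"))     # False
```

The shared secret is the only thing that binds the Access-Accept to the switch's request: a reply that does not carry a Response Authenticator computed with it is discarded, which is why the secret must be configured identically on the switch (radius-server key) and on the server.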
Switches AAA
Implementation
AT - 8000S
AAA – Databases
• Access security (AAA) services on the AT - 8000S use the following databases (or methods) for username and password validation:
– Local – Device database with the following fields: Username, Password and Level of privilege (access)
– Enable – Device general password list for gaining privileged (high) level access
– Line – Device password list for each specific line (console, telnet and SSH) for gaining access
– RADIUS server – External database with the following fields: Username, Password and Level of privilege (access)
– TACACS+ – A security application that provides centralized validation of users to gain access to a device (router or an access server). To be addressed in a separate presentation
– (None) – no database is used (username and PW not needed)
AAA – Management interfaces
• Access security (AAA) services on the device can be configured on 5 management interfaces:
– Console (ASCII terminal), telnet & SSH:
• Have their own line command mode
• Lookup using any of the methods
• Are associated with one or more lookup methods using method lists – or lists of databases
• Separate method lists for authentication and authorization
– HTTP & HTTPS:
• Do not have a line command mode
• Lookup using only the local, RADIUS, TACACS+ or “none” methods
• Associated directly to one or more methods (not through a list)
• Lookup only for authentication (includes authorization lookup)
• One more interface is 802.1x, which is an access (not management) control – this will be covered in a separate presentation.
AAA – Methods Lists
• Method lists contain one or more databases (methods)
• Method lists are defined separately for Authentication and Authorization verification
• The user can define many lists for each type
• Each method list is assigned a list-name
• “Default” is a unique method list which exists on the device. This list can be configured by the user like any other list (but not removed)
• Console, Telnet and SSH are each associated with one authentication method-list and one authorization method-list
AAA – Methods Lists
• Authentication methods lists can contain one or more of the following methods: enable, line, local, RADIUS, TACACS+ and “none”.
• Authorization methods list can contain one or more of the following methods: enable, line, RADIUS, TACACS+ and “none” (but not local database)
AAA – “Default” Method List
• The system has 2 method lists named “default”: one for login and one for enable (authorization)
• This is the method list which applies to the lines – unless the user defines otherwise
• At system startup the default method list is different for console or network (telnet, SSH) connections:
– For login the default method list is:
• Console_Default : None
• Network_Default : Local
– For enable the default method list is:
• Console_Default : Enable None
• Network_Default : Enable
– http : Local
– https : Local
– dot1x :
• If the user modifies the “default” list (via CLI) the same method list applies for both console and network connections. Via web management both defaults can be changed separately
AAA – Method Rules
• Method lists containing only 1 method:
– If the username and/or PW are verified by the DB – the user is granted access or the level of access required
– If the method specified is “none” – the user is granted access or the level of access required without having to provide a username or PW
– If the username and/or PW are not accepted by the DB – access or access level is denied
– If the database is unavailable (or not configured) – access or access level is denied
AAA – Method Rules
• Method lists containing a list of methods:
– If the username and/or PW are verified by the current DB – the user is granted access or the level of access required
– If the username and/or PW do not exist on the current DB – access or access level is denied (the next DB is not checked) – even if “none” is the next method on the list
– If the current method is unavailable (or not configured) – verification is attempted on the next method on the list
– If all methods are unavailable (checked one by one) – access or access level is denied, unless the “none” method is part of the list
AAA Configuration
• When using a separate security server, the device has to be configured with the RADIUS/TACACS+ server parameters and attributes
• Configure the databases (on device or RADIUS/TACACS server) with the relevant Username and/or PW
• Define the method lists for authentication and authorization using AAA commands
• Apply the method lists to a particular line (line command mode), if required
• If needed, apply the methods directly to the HTTP/HTTPS services
AAA Process
• When a user on a particular line attempts to access the device, user authentication (or access level) is performed by checking the method list attached to that line.
• User authentication and authorization occur in the order the methods are listed in the relevant list
• The user is authenticated by the first method on the list, and only if the first method cannot be reached – by the next methods listed.
• If the first (or current) method is functioning properly – but the user is not authenticated (entry does not exist), the next methods are not used
AAA
1. Creating passwords (and users) databases
• Local, enable, line, RADIUS, TACACS+, none
2. Assign databases to methods
• One or more databases to each method (or none)
3. Attaching methods to line
[Diagram: login and enable password databases (Local, Enable, Line, Radius, None) are assigned to methods, which are then attached to the console, telnet, ssh and http/https interfaces.]
AAA (1)
console(config)# username XXX password YYY level 15
Local DB:
User name   password   level
Local1      loc1       1
Local15     loc15      15
console(config)# enable password level 15 YYY
Enable DB:
User name   password   level
-----       en1        1
-----       en15       15
console(config)# line console/telnet/ssh
console(config-line)# password YYY
Line DB:
User name   password             level
-----       linec (for console)  -----
-----       linet (for telnet)   -----
-----       lines (for ssh)      -----
AAA cont’
Assign database to methods:
console(config)# aaa authentication login log_tel enable none
login/enable   method name   Database in use
login          log_cons      line none
login          log_tel       enable none
login          log_ssh       local
console(config)# aaa authentication enable en_cons local
login/enable   method name   Database in use
enable         en_cons       local
enable         en_tel        line
enable         en_ssh        Radius enable none
AAA cont’
• Attaching methods to line:
console(config)# line console
console(config-line)# login authentication log_cons
console(config-line)# enable authentication en_cons
console(config-line)#
console(config)# line telnet
console(config-line)# login authentication log_tel
console(config-line)# enable authentication en_tel
console(config-line)#
console(config)# line ssh
console(config-line)# login authentication log_ssh
console(config-line)# enable authentication en_ssh
console(config-line)#
console(config)#
console(config)# ip http authentication local none
console(config)# ip https authentication radius local
• console# show authentication methods
Login Authentication Method Lists
-------------------------------------------
Console_Default : None
Network_Default : Local
log_ssh : Local
log_tel : Enable None
log_cons : Line None
Enable Authentication Method Lists
----------------------------------
Console_Default : Enable None
Network_Default : Enable
en_ssh : Radius Enable None
en_tel : Line
en_cons : Enable None
Line       Login Method List        Enable Method List
---------- ------------------------ -------------------
Console    log_cons                 en_cons
Telnet     log_tel                  en_tel
SSH        log_ssh                  en_ssh
http : Local None
https : Radius Local
AAA cont’
DB – local
User name   password   level
Local1      loc1       1
Local15     loc15      15
DB – enable
User name   password   level
-----       en1        1
-----       en15       15
DB – line
User name   password             level
-----       linec (for console)  -----
-----       linet (for telnet)   -----
-----       lines (for ssh)      -----
AAA CLI Configuration
AT - 8000S
AT - 8000S AAA – CLI Configuration
• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands
AT - 8000S – Line Mode
• Use the following Global Mode command to enter the line command mode of console/telnet/ssh:
line {console | telnet | ssh}
Example – entering telnet line mode:
console# con
console(config)# line telnet
console(config-line)#
AT - 8000S – CLI Configuration – Configuring databases
AAA – Line Password
• Use the following Line Configuration Mode command to specify a password for a line. To remove the password, use the no form of this command:
password password [encrypted]
no password
• encrypted – Encrypted password you enter, copied from another device configuration.
AAA – Line Password
• Notes:
– Each line (console, telnet, ssh) is configured with its own password and only that PW applies to that line
– Each line has only 1 PW – entering a new PW cancels the previous one
– There is no “show” command to view a line PW
AT - 8000S – Line PW Example
• Example – configuring a PW for each of the lines (console; telnet and SSH)
console(config)# line console
console(config-line)# password PW_Console
console(config-line)# exit
console(config)# line telnet
console(config-line)# password PW_Telnet
console(config-line)# exit
console(config)# line SSH
console(config-line)# password PW_SSH
console(config-line)#
AAA – Enable Password
• Use the following Global Mode command to set a local password for different privilege levels. Use the no form of this command to remove the password requirement:
enable password [level level] password [encrypted]
no enable password [level level]
• level – Level for which the password applies. If not specified the level is 15.
• encrypted – Encrypted password you enter, copied from another device configuration
AAA – Enable Password
• Notes:
– Only 1 PW can be defined for each level (new PW settings for a level erase the previous entry)
– Only levels 15 and 1 are implemented in the current version
– There is no “show” command to view the enable PW
– If enable is the method used for login (authentication), the user must enter the PW for level 1. If the user enters the PW for level 15, access will be denied.
AAA – Local User Name
• Use the following Global Mode command to establish a username-based authentication system. Use the no form to remove a user name:
username name [password password] [level level] [encrypted]
no username name
• name & password – The name and authentication password of the user
• level – Specifies the user level. If not specified the privilege level is 15.
Enable & User Example
• Example:
– Configuring the enable PW for level 15 and level 1
– Configuring local DB user names and PWs
console(config)#
console(config)# enable password level 15 high
console(config)# enable password level 1 low
console(config)# username david password david level 15
console(config)# username george password george level 1
console(config)#
AAA - RADIUS Server
• Use the following Global Mode command to specify a RADIUS server host. To delete the specified host, use the no form of the command:
radius-server host ip-address [auth-port auth-port-number] [timeout timeout] [retransmit retries] [deadtime deadtime] [key key-string] [source source] [priority priority] [usage type]
no radius-server host ip-address
• Each of the parameters of the radius-server host command can also be used as an individual command to configure the global RADIUS settings (applied to a server if the host command did not include that parameter):
radius-server key
radius-server retransmit (default 3)
radius-server source-ip (default 0.0.0.0)
radius-server timeout (default 3)
radius-server deadtime (default 0)
• The “no” form of each command returns the value to its default
RADIUS – Global Parameters
AT - 8000S - Radius Example
• Example:
– Configuring a RADIUS server with IP 10.1.1.100, port 1645 and priority 1
– Defining a global retransmit value of 5
console(config)#
console(config)# radius-server host 10.1.1.100 auth-port 1645 priority 1
console(config)# radius-server retransmit 5
AT - 8000S – CLI Configuration – Creating method lists
Login Authentication Method
• Use the following Global Mode command to define authentication method lists for login. Use the no form of this command to erase a defined list name:
aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}
• default – The device’s default list of methods. Using the “no” option on “default” returns it to the device default
• list-name – name of a (user defined) list of authentication methods which can be activated when a user logs in
Login Authentication Method
• method1 [method2...] – at least one of the following: enable, line, local, radius, tacacs, none
Login Authentication Method
• The additional methods in a list (if such were defined) are used only if the previous method returns an error, not if it denies login. To ensure that the login succeeds even if all methods return an error (but not if they denied access), specify none as the final method.
• The default and optional list names defined with the aaa authentication login command are attached to a line using the login authentication command (line mode)
Enable Authentication Method
• Use the following Global Mode command to set Authorization when the user attempts to access a higher privilege level. To remove a list (or return “default” list to original setting) use the no form of this command:
aaa authentication enable {default | list-name} method1 [method2...]
no aaa authentication enable {default | list-name}
Enable Authentication Method
• method1 [method2...] – At least one of the following: enable, line, radius, tacacs, none (the local database cannot be used in an enable list)
Enable Authen. Method
• The additional methods on a list (if such were defined) are used only if the previous method returns an error, not if authentication fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method
• All aaa authentication enable requests sent by the router to a RADIUS or TACACS server include the username "$enabx$.", where x is the requested privilege level (15 for the highest)
• The default and optional list names that you define with the aaa authentication enable command are applied to a line with the enable authentication (line configuration mode)command.
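The method-list rules stated on the Method Rules and AAA Process slides, and repeated for the login and enable commands above, as an added Python model (it is not part of the original presentation and not switch code): each database answers accept, deny or unavailable, the walk continues to the next method only on unavailable, and a deny stops the walk even when "none" follows. The databases are constructed from the password tables on the slides; treating TACACS+ as always unavailable (no server in the demo) and the list-content rule for enable lists (no local) are taken from the slides' own statements.

```python
"""Added example: model of AT-8000S method-list evaluation (login and enable)."""
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"            # credentials verified by this database
    DENY = "deny"                # database answered and rejected the credentials
    UNAVAILABLE = "unavailable"  # database not configured or server unreachable


# Constructed databases, modelled on the slide tables: local users with levels,
# one enable password per level, one password per line, one RADIUS user.
LOCAL = {"david": ("david", 15), "george": ("george", 1)}
ENABLE = {15: "high", 1: "low"}
LINE = {"console": "PW_Console", "telnet": "PW_Telnet", "ssh": "PW_SSH"}
RADIUS_USERS = {"bob": ("ge55gep", 15)}

LOGIN_METHODS = {"enable", "line", "local", "radius", "tacacs", "none"}
ENABLE_METHODS = LOGIN_METHODS - {"local"}   # local is not allowed in enable lists


def validate_list(purpose, methods):
    """Return the first method not permitted for a 'login' or 'enable' list, else None."""
    allowed = LOGIN_METHODS if purpose == "login" else ENABLE_METHODS
    for m in methods:
        if m not in allowed:
            return m
    return None


def query(method, line, username, password, level, radius_up):
    """Ask one database. Returns (Result, granted_level)."""
    if method == "none":                        # no credentials needed
        return Result.ACCEPT, level
    if method == "local":
        entry = LOCAL.get(username)
        if entry and entry[0] == password:
            return Result.ACCEPT, entry[1]
        return Result.DENY, None
    if method == "enable":                      # login via enable needs the level-1 PW
        stored = ENABLE.get(level)
        if stored is None:
            return Result.UNAVAILABLE, None
        return (Result.ACCEPT, level) if password == stored else (Result.DENY, None)
    if method == "line":
        stored = LINE.get(line)
        if stored is None:
            return Result.UNAVAILABLE, None
        return (Result.ACCEPT, level) if password == stored else (Result.DENY, None)
    if method == "radius":
        if not radius_up:
            return Result.UNAVAILABLE, None
        entry = RADIUS_USERS.get(username)
        if entry and entry[0] == password:
            return Result.ACCEPT, entry[1]
        return Result.DENY, None
    if method == "tacacs":                      # no TACACS+ server in this demo
        return Result.UNAVAILABLE, None
    raise ValueError(f"unknown method: {method}")


def evaluate(methods, line, username=None, password=None, level=1, radius_up=True):
    """Walk the list in order. ACCEPT or DENY ends the walk; only UNAVAILABLE moves
    on to the next method. If every method is unavailable, access is denied.
    Returns (granted, level, trace) where trace lists each method consulted."""
    trace = []
    for method in methods:
        res, granted = query(method, line, username, password, level, radius_up)
        trace.append((method, res))
        if res is Result.ACCEPT:
            return True, granted, trace
        if res is Result.DENY:
            return False, None, trace
    return False, None, trace


if __name__ == "__main__":
    # "none" after radius only helps when the server is down, never after a reject
    print(evaluate(["radius", "none"], "ssh", "bob", "bad", radius_up=False)[0])  # True
    print(evaluate(["radius", "none"], "ssh", "bob", "bad", radius_up=True)[0])   # False
```

Two consequences worth checking in any real list: "radius none" on a network line silently opens the switch whenever the RADIUS server is unreachable, and a list whose first database answers (local, line) never reaches a later fallback, so a user missing from the first database is denied even if a later database knows them.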
Method Lists - Example
• Example:
– Configuring 3 different login method lists
– Changing the login “default” method list
– Configuring 3 different enable method lists
console(config)# aaa authentication login log1 local none
console(config)# aaa authentication login log2 radius enable
console(config)# aaa authentication login log3 line
console(config)# aaa authentication login default line
console(config)# aaa authentication enable en1 enable none
console(config)# aaa authentication enable en2 line
console(config)# aaa authentication enable en3 radius none
AT - 8000S – CLI Configuration – Applying method lists to lines
Assigning Login Authentication-list to Line
• Use the following Line Configuration Mode command to specify the login authentication method list. To return to the default list use the no form of this command:
login authentication {default | list-name}
no login authentication
• default / list-name – as specified in the Global Mode aaa authentication login command
• The command is applied separately to each line (console, telnet, SSH) via its own line mode
Assigning Enable Authentication-list to a Line
• Use the following Line Configuration Mode command to specify the authorization method list used when the user requests access to a higher privilege level. To return to the default list use the no form of this command:
enable authentication {default | list-name}
no enable authentication
• default / list-name – as specified in the Global Mode aaa authentication enable command
• The command is applied separately to each line (console, telnet, SSH) via its own line mode
Method Lists - Example
• Example - Assigning login and enable method lists to lines (assign default list to console login)
console(config)# line console
console(config-line)# login authentication default
console(config-line)# enable authentication en1
console(config-line)# exit
console(config)# line telnet
console(config-line)# login authentication log2
console(config-line)# enable authentication en2
console(config-line)# exit
console(config)# line ssh
console(config-line)# login authentication log3
console(config-line)# enable authentication en3
AT - 8000S AAA – CLI Configuration – Applying methods to HTTP/HTTPS
HTTP Authentication List
• Use the following Global Mode command to specify the authentication method(s) for HTTP server users. To return to the default (local), use the no form of this command:
ip http authentication method1 [method2...]
no ip http authentication
• method1 [method2...] – At least one from: Local, Radius, TACACS, None
• Default method is “local”
HTTPS Authentication List
• Use the following Global Mode command to specify the authentication method(s) for HTTPS server users. To return to the default (local), use the no form of this command:
ip https authentication method1 [method2...]
no ip https authentication
• method1 [method2...] – At least one from: Local, Radius, TACACS, None
• Default method is “local”
HTTP/HTTPS AAA - Example
• Example:
– Apply the radius method on HTTPS for AAA services
– Apply the TACACS method on HTTP for AAA services
console(config)#
console(config)# ip https authentication radius
console(config)# ip http authentication tacacs
AT - 8000S AAA – CLI Configuration – Show commands
AAA – Show commands
• Use the following EXEC mode command to display information about the authentication methods:
show authentication methods
• The command shows:
– Login method lists
– Enable method lists
– Line – method list association
– HTTP/HTTPS/dot1x – method association
AAA – Show commands
console# sh authentication methods
Login Authentication Method Lists
----------------------------------
Default : Enable
logm : Enable
Enable Authentication Method Lists
----------------------------------
Default : Enable
enm : Enable
Line       Login Method List   Enable Method List
-------    -----------------   -------------------
Console    logm                enm
Telnet     Default             Default
SSH        Default             Default
http : Local
https : Local
dot1x :
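A defender's check built on the show authentication methods output, both the fuller example earlier in the deck (log_cons/en_cons and friends) and the one just above, as an added Python example (not part of the original presentation): it parses the Login and Enable list sections, the per-line association table and the http/https entries, resolves "Default" to the user-modified default list if one exists or otherwise to the startup Console_Default/Network_Default, and reports every line or service whose effective list either starts with none (no credentials at all) or ends in none (open access whenever the earlier databases are unreachable). The sample output is constructed to match the slide format; the exact column spacing of a real switch may differ, so the parser keys on the section titles and the colon rather than on positions.

```python
"""Added example: audit 'show authentication methods' output for lists that
can grant access without a credential check."""

# Constructed sample, modelled on the show authentication methods output on the slides.
SAMPLE = """\
Login Authentication Method Lists
-------------------------------------------
Console_Default : None
Network_Default : Local
log_ssh : Local
log_tel : Enable None
log_cons : Line None

Enable Authentication Method Lists
----------------------------------
Console_Default : Enable None
Network_Default : Enable
en_ssh : Radius Enable None
en_tel : Line
en_cons : Enable None

Line       Login Method List        Enable Method List
---------- ------------------------ -------------------
Console    log_cons                 en_cons
Telnet     log_tel                  en_tel
SSH        log_ssh                  en_ssh
http : Local None
https : Radius Local
dot1x :
"""


def parse_show_authentication(text):
    """Return ({'login': {name: [methods]}, 'enable': {...}},
    {line: (login_list_name, enable_list_name)}, {service: [methods]})."""
    lists = {"login": {}, "enable": {}}
    line_map, services, section = {}, {}, None
    for raw in text.splitlines():
        row = raw.strip()
        if not row or row.startswith("-"):           # blank or separator rows
            continue
        low = row.lower()
        if low.startswith("login authentication method lists"):
            section = "login"
        elif low.startswith("enable authentication method lists"):
            section = "enable"
        elif low.startswith("line "):                # header of the association table
            section = "lines"
        elif ":" in row:                             # "name : method method"
            name, methods = (p.strip() for p in row.split(":", 1))
            if name.lower() in ("http", "https", "dot1x"):
                services[name.lower()] = methods.lower().split()
            elif section in lists:
                lists[section][name] = methods.lower().split()
        elif section == "lines" and len(row.split()) == 3:
            line, login_list, enable_list = row.split()
            line_map[line.lower()] = (login_list, enable_list)
    return lists, line_map, services


def resolve(kind_lists, line, name):
    """'Default' is the user-modified default list if one exists; otherwise the
    startup Console_Default (console) or Network_Default (telnet, SSH)."""
    if name.lower() == "default":
        if "Default" in kind_lists:
            return "Default", kind_lists["Default"]
        name = "Console_Default" if line == "console" else "Network_Default"
    return name, kind_lists.get(name, [])


def audit(text):
    """List every line/service whose effective method list can grant access
    without a credential check. Returns a list of finding strings."""
    lists, line_map, services = parse_show_authentication(text)
    findings = []

    def check(target, kind, name, methods):
        if not methods:
            findings.append(f"{target}: {kind} list '{name}' is undefined or empty")
        elif methods[0] == "none":
            findings.append(f"{target}: {kind} list '{name}' starts with none (no credentials required)")
        elif "none" in methods:
            findings.append(f"{target}: {kind} list '{name}' falls back to none when {methods[0]} is unavailable")

    for line, (login_name, enable_name) in line_map.items():
        check(line, "login", *resolve(lists["login"], line, login_name))
        check(line, "enable", *resolve(lists["enable"], line, enable_name))
    for svc in ("http", "https"):                    # dot1x is access control, not management
        if svc in services:
            check(svc, "login", svc, services[svc])
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run against the constructed sample it reports five fallbacks to none (console login and enable, telnet login, ssh enable, http) and nothing for https, whose list ends in local. The startup defaults from the “Default” Method List slide would additionally trip the "starts with none" rule for the console login list.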
• Use the following EXEC mode command to display the RADIUS servers settings:
show radius-servers
Show RADIUS Server
console# sh radius-servers
IP address       Auth.  TimeOut  Retran.  DeadTime  source IP        Prio.  Usage
---------------  -----  -------  -------  --------  ---------------  -----  -----
9.1.1.1          1812   Global   Global   Global    Global           0      all
Global values
--------------
TimeOut    : 3
Retransmit : 3
Deadtime   : 0
Source IP  : 0.0.0.0
console#
Thank You!!!