© 1999, Cisco Systems, Inc. 3-1 Configuring the Network Access Server for AAA Security.

Configuring the Network Access Server for AAA Security


© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-2

Objectives

Upon completion of this chapter, you will be able to perform the following tasks:

• Describe network access server port types and access control methods

• Configure the network access server to enable AAA processes to use a local database with a CiscoSecure NAS

• Test the network access server AAA configuration using applicable debugging and testing commands

CSNT and NAS Used to Perform AAA

[Diagram: the course network, with dialup and sales clients reaching the NAS, a campus router, a perimeter router and PIX Firewall separating the Internet, a "dirty" DMZ and a protected DMZ (bastion hosts, SMTP and DNS servers, Web server, CA server), NetRanger Sensor and Director, NetSonar, and an NT server running CiscoSecure, Web, FTP, TFTP and Syslog services. The NAS talks to the CiscoSecure server over the TACACS+ or RADIUS protocol.]

AAA Secures Network Access

AAA Model—Network Security Architecture

• Authentication: Who are you? “I am user student and my password validateme proves it.”

• Authorization: What can you do? What can you access? “User student can access host NT_Server with Telnet.”

• Accounting: What did you do? How long did you do it? How often did you do it? “User student accessed host NT_Server with Telnet 15 times.”

AAA Secures Network Access

• Character (line) mode access: console, Telnet (tty, vty, aux, cty)

• Packet (interface) mode access: async, group-async, BRI, serial (PRI)

[Diagram: a remote client (SLIP, PPP, ARAP) dials the NAS over PSTN/ISDN; a Telnet host and a console terminal also connect to the NAS, which consults the security server.]

Authentication Methods

Authentication Methods and Ease of Use

[Chart: authentication strength plotted against ease of use. Strength rises from weak to strong as ease of use falls from high to low:]

• Token Cards/Soft Tokens (OTP) (strongest, least easy to use)

• One-Time Password (OTP)

• S/Key (OTP for terminal login)

• Username/Password (aging)

• Username/Password (static)

• No Username or Password (weakest, easiest to use)

Authentication—Remote Client Username and Password

[Diagram: a Windows 95 remote client dials the network access server over PSTN/ISDN and sends its username/password over TCP/IP PPP; the NAS checks them with the security server. Inset: the Windows 95 Dial-Up Networking screen with the Username and Password fields.]

Authentication—One-Time Passwords—S/Key

• List of one-time passwords

• Generated by S/Key program hash function

• Sent in cleartext over network

• Server must support S/Key

[Diagram: a workstation holding the list of S/Key passwords sends one S/Key password in cleartext to a security server that supports S/Key.]

Authentication—Token Cards and Servers

[Diagram: four numbered steps between the user with a token card, the network access server, the token server and the CiscoSecure server carrying the OTP.]

• Uses algorithm based on PIN or time-of-day to generate secure password

• Server uses same algorithm to decrypt password

• Sends password to network access server or security server to complete authentication

PAP and CHAP Authentication

Authentication via PPP Link

[Diagram: a TCP/IP client connects over PPP across the PSTN or ISDN to the network access server.]

• PAP = Password Authentication Protocol

  – Cleartext, repeated password

  – Subject to eavesdropping and replay attacks

• CHAP = Challenge Handshake Authentication Protocol

  – Secret password, per remote user

  – Challenge sent on link (random number)

  – Challenge can be repeated periodically to prevent session hijacking

  – The CHAP response, an MD5 hash of (challenge + secret), provides authentication

  – Robust against sniffing/replay attacks
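The CHAP exchange described on this slide, modelled in Python as an added example (not code from the course or from Cisco): the NAS issues a random challenge, the client answers with the MD5 of its secret and the challenge (RFC 1994 also prepends the one-byte identifier), and the NAS checks the answer against its local database. The username and secret are constructed values.

```python
import hashlib
import hmac
import os

# Constructed per-user CHAP secret shared by the remote client and the NAS.
LOCAL_SECRETS = {"student": b"validateme"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class NasChap:
    """Authenticator side of CHAP: issues a fresh random challenge for every
    attempt and accepts a response only against the challenge it issued."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # local database: username -> secret
        self.ident = 0
        self.outstanding = {}       # ident -> challenge awaiting a response

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        chal = os.urandom(16)       # the random number sent over the link
        self.outstanding[self.ident] = chal
        return self.ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)  # consumed on first use
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def run_exchange(nas: NasChap, username: str, secret: bytes):
    """Client side of one exchange; returns (accepted, ident, response sent)."""
    ident, chal = nas.challenge()
    response = chap_response(ident, secret, chal)
    return nas.verify(ident, username, response), ident, response


def demo() -> dict:
    nas = NasChap(LOCAL_SECRETS)
    genuine, ident, response = run_exchange(nas, "student", b"validateme")
    wrong, _, _ = run_exchange(nas, "student", b"guess")
    # A passive observer of the link only ever sees (ident, response), never the
    # secret. Replaying it against the consumed challenge, or against the next
    # challenge the NAS issues, does not authenticate.
    replay_same = nas.verify(ident, "student", response)
    new_ident, _ = nas.challenge()
    replay_new = nas.verify(new_ident, "student", response)
    return {"genuine": genuine, "wrong_secret": wrong,
            "replay_same": replay_same, "replay_new": replay_new}
```

A captured challenge/response pair still allows offline guessing of a weak secret, so the per-user secret has to be strong even though it never crosses the link.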

Network Access Server AAA Configuration Process

Authenticated NAS Port Types

[Diagram: port types on the NAS that authenticate against the CiscoSecure ACS server: vty (Telnet host), tty, aux and async (async), BRI and serial PRI (ISDN B channels), cty (console terminal).]

Network Access Server AAA Configuration Process

General steps to configure the NAS for AAA:

• Secure access to privileged EXEC and configuration modes (enable and enable secret)

• Enable AAA globally on the network access server with the aaa new-model command

• Configure AAA authentication profiles

• Configure AAA authorization for use after the user has passed authentication

• Configure the AAA accounting options for how you want to write accounting records

• Verify the configuration

Secure Privileged EXEC and Configuration Mode

[Diagram: an administrator Telnets to the NAS; the NAS and the CiscoSecure ACS server are shown at 10.1.1.1 and 10.1.1.4.]

Router(config)#enable password changeme

Router(config)#enable secret supersecret

Router(config)#service password-encryption

The slide's "lightweight_encrypt" label is an annotation, not an argument: service password-encryption only obscures cleartext passwords in the configuration with a reversible encoding, so the enable secret (a one-way hash) is what actually protects privileged mode.

Begin the AAA Configuration

[Diagram: NAS and CiscoSecure ACS server (10.1.2.4).]

Router(config)#aaa new-model

Router(config)#aaa authentication login default enable

Router(config)#aaa authentication login console-in local

Router(config)#aaa authentication login is-in local

Router(config)#aaa authentication login tty-in local

Router(config)#aaa authentication ppp dial-in local

AAA Security Servers

AAA with a Local Security Database

1. User establishes PPP connection with NAS

2. NAS prompts user for username/password

3. NAS authenticates username and password in local database

4. NAS authorizes user to access network based on local database

5. NAS tracks user traffic and compiles accounting records as specified in local database

Remote Alternatives: TACACS+ and RADIUS

• Two different protocols used to communicate between the security server and router, NAS, or firewall

• CiscoSecure supports both TACACS+ and RADIUS

  – TACACS+ remains more secure and more scalable than RADIUS

  – RADIUS has a robust API, strong accounting

[Diagram: a router, a network access server and a firewall each talk TACACS+ or RADIUS to the CiscoSecure ACS security server.]

AAA Authentication Commands

(config)#aaa authentication {login | enable | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]

Methods available for each authentication type:

• login: enable, krb5, line, local, none, tacacs+, radius, krb5-telnet

• enable (default list only): enable, line, none, tacacs+, radius

• arap: guest, auth-guest, line, local, tacacs+, radius

• ppp: if-needed, krb5, local, none, tacacs+, radius

• nasi: enable, line, local, none, tacacs+

AAA Authentication Example Configuration

aaa authen login tech-pubs tacacs+ local

aaa authen ppp mktg if-needed tacacs+

(config)#line console 0

(config-line)#login authen tech-pubs

(config)#int s3/0

(config-if)#ppp authen chap mktg
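An added Python model (not Cisco's code) of how the two method lists on this slide are evaluated, assuming constructed local and TACACS+ user databases. IOS moves on to the next method only when the current one returns an error (for example, the TACACS+ server is unreachable), not when it rejects the credentials, so local in "tacacs+ local" is a fallback for a dead server, not for a wrong password. The model appends local to the mktg list to make that visible.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # method examined the credentials and accepted them
    FAIL = "fail"    # method examined the credentials and rejected them
    ERROR = "error"  # method could not answer, e.g. TACACS+ server unreachable


# Constructed databases: the NAS local database and the TACACS+ server's.
LOCAL_DB = {"student": "validateme", "localonly": "pw"}
TACACS_DB = {"student": "validateme"}


def local_method(user, password, ctx):
    return Outcome.PASS if LOCAL_DB.get(user) == password else Outcome.FAIL


def tacacs_method(user, password, ctx):
    if not ctx.get("tacacs_reachable", True):
        return Outcome.ERROR
    return Outcome.PASS if TACACS_DB.get(user) == password else Outcome.FAIL


METHODS = {"local": local_method, "tacacs+": tacacs_method,
           "none": lambda user, password, ctx: Outcome.PASS}


def authenticate(method_list, user, password, ctx=None) -> Outcome:
    """Evaluate an IOS-style method list left to right. The next method is
    consulted only when the current one returns ERROR; PASS and FAIL are
    final. 'if-needed' (ppp lists only) accepts a user the line has already
    authenticated and otherwise falls through to the next method."""
    ctx = ctx or {}
    for name in method_list:
        if name == "if-needed":
            if ctx.get("already_authenticated"):
                return Outcome.PASS
            continue
        outcome = METHODS[name](user, password, ctx)
        if outcome is not Outcome.ERROR:
            return outcome
    return Outcome.FAIL  # no method could decide: the NAS denies access


def demo() -> dict:
    mktg = ["if-needed", "tacacs+", "local"]  # aaa authen ppp mktg ... + local
    tech_pubs = ["tacacs+", "local"]          # aaa authen login tech-pubs ...
    down = {"tacacs_reachable": False}
    cases = {
        "server_accepts": authenticate(mktg, "student", "validateme"),
        "server_rejects": authenticate(mktg, "student", "guess"),
        # TACACS+ rejects an unknown user; local is never asked although it has him
        "server_rejects_local_only_user": authenticate(mktg, "localonly", "pw"),
        "server_down_local_accepts": authenticate(mktg, "localonly", "pw", down),
        "server_down_local_rejects": authenticate(tech_pubs, "student", "guess", down),
        "already_authenticated": authenticate(mktg, "student", "", {"already_authenticated": True}),
    }
    return {name: outcome.value for name, outcome in cases.items()}
```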

AAA Authorization Commands

router(config)#aaa authorization {network | exec | command level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}

AAA Authorization Example Configuration

router(config)#aaa author command 1 Orion local

router(config)#aaa author command 15 Andromeda local

router(config)#aaa author network Pisces local none

router(config)#aaa author exec Virgo if-authenticated

AAA Accounting Commands

router(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2...]]

AAA Accounting Example Configuration

router(config)#aaa account system wait-start local

router(config)#aaa account network stop-only local

router(config)#aaa account exec start-stop local

router(config)#aaa acc command 15 wait-start local

AAA Troubleshooting

router#debug aaa authentication

router#debug aaa authorization

router#debug aaa accounting

Displays detailed AAA information

Lab Exercise

Lab Objectives

Upon completion of this lab, you will be able to perform the following tasks:

• Configure the network access server to secure enable mode access to the network access server

• Configure AAA services using the local security database

• Test the network access server AAA configuration using applicable debugging and testing commands

MCNS Lab Environment Generic

[Diagram: generic MCNS lab environment for one pod (X = POD #). Perimeter1 router (172.16.X.1/30) faces the Frame Relay "Internet" and telco simulator; PIX1 Firewall has outside (.1 on 192.168.X.0/24), DMZ (.1 on 192.168.1X.0/24) and inside (.3 on 10.X.1.0/24) interfaces separating a "dirty" DMZ from the protected DMZ. The protected DMZ holds a bastion host (Web and FTP server, .3). Inside are NAS1 (10.X.2.1/24, sales dialup pool 10.X.2.2 to 10.X.2.10/24, IS port .1), a Windows NT PC, and NT1 (.4), an NT server running CiscoSecure NT, IIS FTP and Web server, Cisco Security Manager, Syslog server and TFTP server. The instructor NT server (FTP, HTTP, CA) is at 192.168.255.2/24.]

Summary and Review

Questions

Summary

• In local-server AAA, the local NAS performs AAA services.

• Character and packet modes can be secured with AAA.

• Network access server AAA configuration should follow an orderly progression.

• Use the aaa authentication command to specify the authentication process and method.

• Use aaa debug commands selectively to troubleshoot AAA.

• Use the no aaa new-model command to remove AAA commands from the configuration.

Review Questions

1. What are the two network access server modes that can be secured by AAA commands?

A. Character (line mode) with tty, vty, aux, and cty ports

B. Packet (interface mode) with async, group-async, BRI, and serial (PRI) ports

Review Questions (cont.)

2. What is being configured in each of the fields of the following command?

aaa authentication ppp sales if-needed local

A. aaa authen ppp – Specifies the PPP operation for this authentication process

B. sales – Assigns the profile name sales to this process

C. if-needed – Specifies the if-needed authentication method for the PPP authentication operation, which requires no authentication if the user is already authenticated

D. local – If the if-needed method fails, uses the local database method for PPP authentication