At8000 s configurando_aaa

AAA - Authentication, Authorization and Accounting AT - 8000S

Transcript of At8000 s configurando_aaa

Page 1: At8000 s configurando_aaa

AAA - Authentication, Authorization and Accounting

AT - 8000S

Page 2: At8000 s configurando_aaa

AAA Services

Authentication Authorization Accounting

Page 3: At8000 s configurando_aaa

The Need for AAA services

• In present day networks many tools are available to access and configure devices, locally or remotely (Terminal, Telnet, EWS, SSH etc)

• It is desirable and useful to be able to limit who can view/change settings of the system

• Verification is needed for:
– User authentication – will the user have (any) device access?
– User authorization – once the user has access, what level of access will he have?

Page 4: At8000 s configurando_aaa

AAA services

• AAA security services - using usernames and/or password to Authenticate user’s identity and access (authorization) level and to record what user has done.

• The AT - 8000S switches implement the Authentication and Authorization.

Page 5: At8000 s configurando_aaa

Secure Switch Management Local Authentication Data Flow

[Diagram: a user connects to the switch (Device) over Console, Telnet or SSH and presents UserID: bob, Password: ge55gep. The switch looks the user up in its local Device Database (UserID: bob, Password: ge55gep, attributes: xxxx) and answers with Access-Accept.]

Page 6: At8000 s configurando_aaa

Secure Switch Management Authentication Data Flow

[Diagram: a user connects to the switch (Device) over Console, Telnet or SSH and presents UserID: bob, Password: ge55gep. The switch forwards UserID: bob, Password: ge55gep, Device-ID: 207.12.4.1 to the RADIUS Server, which selects UserID=bob from its User Database (password=ge55gep, Timeout=3600, [other attributes]) and replies Access-Accept, User-Name=bob, [other attributes].]

Page 7: At8000 s configurando_aaa

RADIUS Basics

• Defined by IETF standard RFC2138 & RFC2139

http://www.faqs.org/rfcs/rfc2138.html
http://www.faqs.org/rfcs/rfc2139.html

• Requires Clients (normally a NAS, in our case a Switch) and servers (often called RADIUS servers)

Page 8: At8000 s configurando_aaa

Switches AAA

Implementation

AT - 8000S

Page 9: At8000 s configurando_aaa

AAA – Databases

• Access security (AAA) services on the AT - 8000S use the following databases (or methods) for username and password validation:
– Local – Device database with the following fields: Username, Password and Level of privilege (access)
– Enable – Device general password list for gaining privileged (high) level access
– Line – Device password list for each specific line (console, telnet and SSH) for gaining access
– RADIUS server – External database with the following fields: Username, Password and Level of privilege (access)
– TACACS+ – A security application that provides centralized validation of users to gain access to a device (router or an access server). To be addressed in a separate presentation
– (None) – no database is used (username and PW not needed)

Page 10: At8000 s configurando_aaa

AAA – Management interfaces

• Access security (AAA) services on the device can be configured on 5 management interfaces:
– Console (ASCII terminal), telnet & SSH:
  • Have their own line command mode
  • Lookup using any of the methods
  • Are associated with one or more lookup methods using method lists – or lists of databases
  • Separate method lists for authentication and authorization
– HTTP & HTTPS:
  • Do not have a line command mode
  • Lookup using only the local, RADIUS, TACACS+ or “none” methods
  • Associated directly to one or more methods (not through a list)
  • Lookup only for authentication (includes authorization lookup)

• One more interface is 802.1x, which is an access (not management) control
– This issue will be covered in a separate presentation.

Page 11: At8000 s configurando_aaa

AAA – Methods Lists

• Method lists contain one or more databases (methods)
• Method lists are defined separately for Authentication and Authorization verification
• The user can define many lists for each type
• Each method list is assigned a list-name.
• The “Default” method list is a unique list which exists on the device. This list can be configured by the user like any other list (but not removed).
• Console, Telnet and SSH are associated separately to one authentication method-list and one authorization method-list

Page 12: At8000 s configurando_aaa

AAA – Methods Lists

• Authentication method lists can contain one or more of the following methods: enable, line, local, RADIUS, TACACS+ and “none”.

• Authorization method lists can contain one or more of the following methods: enable, line, RADIUS, TACACS+ and “none” (but not the local database)

Page 13: At8000 s configurando_aaa

AAA – “Default” Method List

• The system has 2 method lists named “default”: one for login and one for enable (authorization)
• This is the method list which applies to the lines – unless the user defines otherwise.
• At system startup the default method list is different for console and network (telnet, SSH) connections:
– For login the default method list is:
  • Console_Default : None
  • Network_Default : Local
– For enable the default method list is:
  • Console_Default : Enable None
  • Network_Default : Enable
– http : Local
– https : Local
– dot1x :

• If user modifies the “default” list (via CLI) the same method list applies for both console and network connections. Via web management both defaults can be changed separately

Page 14: At8000 s configurando_aaa

AAA – Method Rules

• Method lists containing only 1 method:
– If username and/or PW are verified by the DB – the user is granted access or the level of access required
– If the method specified is “none” – the user is granted access or the level of access required without having to provide a Username or PW.
– If username and/or PW are not accepted by the DB – access or access level is denied
– If the database is unavailable (or not configured) – access or access level is denied

Page 15: At8000 s configurando_aaa

AAA – Method Rules

• Method lists containing a list of methods:
– If username and/or PW are verified by the current DB – the user is granted access or the level of access required
– If username and/or PW do not exist on the current DB – access or access level is denied (the next DB is not checked) – even if “none” is the next method on the list
– If the current method is unavailable (or not configured) – the verification process is attempted on the next method on the list
– If all methods are unavailable (checked one by one) – access or access level is denied, unless the “none” method is part of the list

Page 16: At8000 s configurando_aaa

AAA Configuration

• When using a separate security server, the device has to be configured with the RADIUS/TACACS+ server parameters and attributes

• Configure the databases (on device or RADIUS/TACACS server) with the relevant Username and/or PW

• Define the method lists for authentication and authorization using AAA commands

• Apply the method lists to a particular line (line command mode), if required

• If needed, apply the methods directly to the HTTP/HTTPS services

Page 17: At8000 s configurando_aaa

AAA Process

• When a particular line attempts to access the device, user authentication (or access level) is performed by checking the method list attached to that line.

• User authentication and authorization occurs in the order the methods are listed in the relevant list

• The user will be authenticated by the first method on the list, and only if the first option cannot be reached – by the next methods listed.

• If the first (or current) method is functioning properly – but the user is not authenticated (the entry does not exist), the next methods are not used
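The method-list rules of slides 14, 15 and 17 (plus the slide-31 rule that enable-as-login takes the level-1 password and the slide-43 "$enabx$" username for enable requests), modelled in Python as an added example that is not part of the deck. It runs against the sample databases and lists from slides 19-22; the RADIUS user database and the rad_only list are constructed assumptions.

```python
ACCEPT, DENY, ERROR = "accept", "deny", "error"

# Constructed databases copied from the deck's worked example (slides 19-22).
LOCAL_DB = {"Local1": ("loc1", 1), "Local15": ("loc15", 15)}  # user -> (pw, level)
ENABLE_DB = {1: "en1", 15: "en15"}                            # level -> enable pw
LINE_DB = {"console": "linec", "telnet": "linet", "ssh": "lines"}
# Assumed RADIUS user database: 'bob' is the user from slide 6, '$enab15$' is
# the username the switch sends for a level-15 enable request (slide 43).
RADIUS_DB = {"bob": "ge55gep", "$enab15$": "rad15"}

METHOD_LISTS = {   # slides 20 and 22, plus one constructed list (rad_only)
    "log_cons": ["line", "none"],
    "log_tel": ["enable", "none"],
    "log_ssh": ["local"],
    "en_cons": ["enable", "none"],
    "en_tel": ["line"],
    "en_ssh": ["radius", "enable", "none"],
    "rad_only": ["radius"],
}


def check_method(method, line, user, password, level, radius_up):
    """Outcome of a single method: ACCEPT, DENY, or ERROR (database unusable)."""
    if method == "none":                 # slide 14: no credentials needed at all
        return ACCEPT
    if method == "line":                 # the password of this specific line
        if line not in LINE_DB:
            return ERROR                 # no line password configured
        return ACCEPT if password == LINE_DB[line] else DENY
    if method == "enable":               # slide 31: login is checked at level 1
        if level not in ENABLE_DB:
            return ERROR
        return ACCEPT if password == ENABLE_DB[level] else DENY
    if method == "local":                # slide 15: an unknown user is a DENY
        if not LOCAL_DB:
            return ERROR
        entry = LOCAL_DB.get(user)
        return ACCEPT if entry and entry[0] == password else DENY
    if method == "radius":               # unreachable server = ERROR, not DENY
        if not radius_up:
            return ERROR
        entry = RADIUS_DB.get(user)
        return ACCEPT if entry is not None and entry == password else DENY
    raise ValueError(f"unknown method {method!r}")


def evaluate(list_name, line, user, password, purpose="login", level=None,
             radius_up=False):
    """Walk a method list with the slide-15 rules; returns (result, method).

    A DENY ends the walk at once, even if 'none' comes later; only an ERROR
    moves on to the next method.  Login is checked at privilege level 1,
    enable at the requested level (default 15), for which the RADIUS request
    carries the username '$enabx$' instead of the user's name (slide 43).
    """
    if level is None:
        level = 1 if purpose == "login" else 15
    if purpose == "enable":
        user = f"$enab{level}$"
    for method in METHOD_LISTS[list_name]:
        outcome = check_method(method, line, user, password, level, radius_up)
        if outcome == ERROR:
            continue                     # database unavailable: try the next one
        return outcome, method           # ACCEPT or DENY decides
    return DENY, None                    # all methods unavailable and no 'none'
```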

Page 18: At8000 s configurando_aaa

AAA

1. Creating password (and user) databases
• Local, enable, line, RADIUS, TACACS+, none

2. Assigning databases to methods
• One or more databases to each method (or none)

3. Attaching methods to lines

[Diagram: passwords (Pwd) held in the databases Local, Enable, Line, Radius and None are assigned to the login and enable methods, which are attached to the Console, telnet, ssh and http/https interfaces registering with the system.]

Page 19: At8000 s configurando_aaa

AAA (1)

console(config)# username XXX password YYY level 15

Database local:
User name   password   level
Local1      loc1       1
Local15     loc15      15

console(config)# enable password level 15 YYY

Database enable:
User name   password   level
-----       en1        1
-----       en15       15

console(config)# line console/telnet/ssh
console(config-line)# password YYY

Database line:
User name   password              level
-----       linec (for console)   -----
-----       linet (for telnet)    -----
-----       lines (for ssh)       -----

Page 20: At8000 s configurando_aaa

AAA cont’

Assign database to methods:

console(config)# aaa authentication login log_tel enable none

login/enable   method name   Database in use
login          log_cons      line none
login          log_tel       enable none
login          log_ssh       local

console(config)# aaa authentication enable en_cons local

login/enable   method name   Database in use
enable         en_cons       local
enable         en_tel        line
enable         en_ssh        Radius enable none

Page 21: At8000 s configurando_aaa

AAA cont’

• Attaching methods to lines:

console(config)# line console
console(config-line)# login authentication log_cons
console(config-line)# enable authentication en_cons
console(config-line)#
console(config)# line telnet
console(config-line)# login authentication log_tel
console(config-line)# enable authentication en_tel
console(config-line)#
console(config)# line ssh
console(config-line)# login authentication log_ssh
console(config-line)# enable authentication en_ssh
console(config-line)#
console(config)#
console(config)# ip http authentication local none
console(config)# ip https authentication radius local

Page 22: At8000 s configurando_aaa

AAA cont’

console# show authentication methods

Login Authentication Method Lists
-------------------------------------------
Console_Default : None
Network_Default : Local
log_ssh : Local
log_tel : Enable None
log_cons : Line None

Enable Authentication Method Lists
----------------------------------
Console_Default : Enable None
Network_Default : Enable
en_ssh : Radius Enable None
en_tel : Line
en_cons : Enable None

Line      Login Method List   Enable Method List
--------- ------------------- -------------------
Console   log_cons            en_cons
Telnet    log_tel             en_tel
SSH       log_ssh             en_ssh
http : Local None
https : Radius Local

DB – local
User name   password   level
Local1      loc1       1
Local15     loc15      15

DB – enable
User name   password   level
-----       en1        1
-----       en15       15

DB – line
User name   password              level
-----       linec (for console)   -----
-----       linet (for telnet)    -----
-----       lines (for ssh)       -----

Page 23: At8000 s configurando_aaa

AAA CLI Configuration

AT - 8000S

Page 24: At8000 s configurando_aaa

AT - 8000S AAA – CLI Configuration

• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands

Page 25: At8000 s configurando_aaa

AT - 8000S – Line Mode

• Use the following Global Mode command to enter the command line mode of console/telnet/ssh:

line {console | telnet | ssh}

Example – entering telnet line mode:

console# con

console(config)# line telnet

console(config-line)#

Page 26: At8000 s configurando_aaa

AT - 8000S – CLI Configuration

• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands

Page 27: At8000 s configurando_aaa

AAA – Line Password

• Use the following Line Configuration Mode command to specify a password for a line. To remove the password, use the no form of this command:

password password [encrypted]
no password

• encrypted – Encrypted password you enter, copied from another device configuration.

Page 28: At8000 s configurando_aaa

AAA – Line Password

• Notes:
– Each line (console, telnet, ssh) is configured with its own password and only that PW will apply for that line.
– Each line has only 1 PW – entering a new PW will cancel the previous one
– There is no “show” command to view the line PW

Page 29: At8000 s configurando_aaa

AT - 8000S – Line PW Example

• Example – configuring a PW for each of the lines (console; telnet and SSH)

console(config)# line console

console(config-line)# password PW_Console

console(config-line)# exit

console(config)# line telnet

console(config-line)# password PW_Telnet

console(config-line)# exit

console(config)# line SSH

console(config-line)# password PW_SSH

console(config-line)#

Page 30: At8000 s configurando_aaa

AAA – Enable Password

• Use the following Global Mode command to set a local password for different privilege levels. Use the no form of this command to remove the password requirement.

enable password [level level] password [encrypted]
no enable password [level level]

• level – Level for which the password applies. If not specified the level is 15.
• encrypted – Encrypted password you enter, copied from another device configuration

Page 31: At8000 s configurando_aaa

AAA – Enable Password

• Notes:
– Only 1 PW can be defined for each level (new PW settings for a level will erase the previous entry)
– Only levels 15 and 1 are implemented in the current version
– There is no “show” command to view the enable PW
– If enable is the method used for login (authentication), the user must enter the PW for level 1. If the user enters the PW for level 15, access will be denied.

Page 32: At8000 s configurando_aaa

AAA – Local User Name

• Use the following Global Mode command to establish a username-based authentication system. Use the no form to remove a user name:

username name [password password] [level level] [encrypted]
no username name

• name & password – The name and authentication password of the user.
• level – Specifies the user level. If not specified the privilege level is 15.

Page 33: At8000 s configurando_aaa

Enable & User Example

• Example:
– Configuring enable PW level 15 and level 1
– Configuring local DB user name and PW

console(config)#

console(config)# enable password level 15 high

console(config)# enable password level 1 low

console(config)# username david password david level 15

console(config)# username george password george level 1

console(config)#

Page 34: At8000 s configurando_aaa

AAA - RADIUS Server

• Use the following Global Mode command to specify a RADIUS server host. To delete the specified host, use the no form of command:

radius-server host ip-address [auth-port auth-port-number] [timeout timeout] [retransmit retries] [deadtime deadtime] [key key-string] [source source] [priority priority] [usage type]

no radius-server host ip-address

Page 35: At8000 s configurando_aaa

RADIUS – Global Parameters

• Each of the parameters of the radius-server host command can also be used as an individual command to configure the global RADIUS configuration (applied to a server if the host command did not include this parameter):

radius-server key
radius-server retransmit (default 3)
radius-server source-ip (default 0.0.0.0)
radius-server timeout (default 3)
radius-server deadtime (default 0)

• The “no” form of each command returns the value to its default

Page 36: At8000 s configurando_aaa

AT - 8000S - Radius Example

• Example:
– Configuring a radius server with IP 10.1.1.100, port 1645 and priority 1
– Defining a Global retransmit value of 5

console(config)#

console(config)# radius-server host 10.1.1.100 auth-port 1645 priority 1

console(config)# radius-server retransmit 5

Page 37: At8000 s configurando_aaa

AT - 8000S – CLI Configuration

• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands

Page 38: At8000 s configurando_aaa

Login Authentication Method

• Use the following Global Mode command to define authentication method lists at login. Use the no form of this command to erase a defined name:

aaa authentication login {default | list-name} method1 [method2...]
no aaa authentication login {default | list-name}

• default – The device’s default list of methods. Using the “no” option on “default” returns it to the device default
• list-name – name of a (user defined) list of authentication methods which can be activated when a user logs in.

Page 39: At8000 s configurando_aaa

Login Authentication Method

• method1 [method2...] – at least one of the following:

Page 40: At8000 s configurando_aaa

Login Authentication Method

• The additional methods in a list (if such were defined) are used only if the previous method returns an error, not if it denies login. To ensure that the login succeeds even if all methods return an error (but not if they denied access), specify none as the final method.

• The default and optional list names defined with the aaa authentication login command are attached to a line using the login authentication command (line mode)

Page 41: At8000 s configurando_aaa

Enable Authentication Method

• Use the following Global Mode command to set Authorization when the user attempts to access a higher privilege level. To remove a list (or return “default” list to original setting) use the no form of this command:

aaa authentication enable {default | list-name} method1 [method2...]

no aaa authentication enable {default | list-name}

Page 42: At8000 s configurando_aaa

Enable Authentication Method

method1 [method2...] - At least one of the following:

Page 43: At8000 s configurando_aaa

Enable Authen. Method

• The additional methods on a list (if such were defined) are used only if the previous method returns an error, not if authentication fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method

• All aaa authentication enable requests sent by the router to a RADIUS or TACACS server include the username "$enabx$.", where x is the requested privilege level (15 for the highest)

• The default and optional list names that you define with the aaa authentication enable command are applied to a line with the enable authentication (line configuration mode) command.

Page 44: At8000 s configurando_aaa

Method Lists - Example

• Example:
– Configuring 3 different login method lists
– Changing the login “default” method list
– Configuring 3 different enable method lists

console(config)# aaa authentication login log1 local none

console(config)# aaa authentication login log2 radius enable

console(config)# aaa authentication login log3 line

console(config)# aaa authentication login default line

console(config)# aaa authentication enable en1 enable none

console(config)# aaa authentication enable en2 line

console(config)# aaa authentication enable en3 radius none

Page 45: At8000 s configurando_aaa

AT - 8000S – CLI Configuration

• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands

Page 46: At8000 s configurando_aaa

Assigning Login Authentication-list to Line

• Use the following Line Configuration Mode command to specify the login authentication method list. To return to the default list use the no form of this command:

login authentication {default | list-name}
no login authentication

• default / list-name – as specified in the Global Mode aaa authentication login command.
• The command is applied separately to each line (console, telnet, SSH) via its own command line

Page 47: At8000 s configurando_aaa

Assigning Enable Authentication-list to a Line

• Use the following Line Configuration Mode command to specify an authorization method list when the user requests to access a higher privilege level. To return to the default list use the no form of this command:

enable authentication {default | list-name}
no enable authentication

• default / list-name – as specified in the Global Mode aaa authentication enable command.

• Command is applied separately to each line (console, telnet, SSH) via its own command line

Page 48: At8000 s configurando_aaa

Method Lists - Example

• Example - Assigning login and enable method lists to lines (assign default list to console login)

console(config)# line console

console(config-line)# login authentication default

console(config-line)# enable authentication en1

console(config-line)# exit

console(config)# line telnet

console(config-line)# login authentication log2

console(config-line)# enable authentication en2

console(config-line)# exit

console(config)# line ssh

console(config-line)# login authentication log3

console(config-line)# enable authentication en3

Page 49: At8000 s configurando_aaa

AT - 8000S AAA – CLI Configuration

• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands

Page 50: At8000 s configurando_aaa

HTTP Authentication List

• Use the following Global Mode command to specify the authentication method(s) for http server users. To return to the default (local), use the no form of this command:

ip http authentication method1 [method2...]
no ip http authentication

• method1 [method2...] - At least one from: Local, Radius, TACACS, None.

• Default method is “local”

Page 51: At8000 s configurando_aaa

HTTPS Authentication List

• Use the following Global Mode command to specify the authentication method(s) for https server users. To return to the default (local), use the no form of this command:

ip https authentication method1 [method2...]
no ip https authentication

• method1 [method2...] - At least one from: Local, Radius, TACACS, None.

• Default method is “local”

Page 52: At8000 s configurando_aaa

HTTP/HTTPS AAA - Example

• Example:
– Apply the radius method on HTTPS for AAA services
– Apply the TACACS method on HTTP for AAA services

console(config)#

console(config)# ip https authentication radius

console(config)# ip http authentication tacacs

Page 53: At8000 s configurando_aaa

AT - 8000S AAA – CLI Configuration

• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands

Page 54: At8000 s configurando_aaa

AT - 8000S AAA – CLI Configuration

• Entering Line configuration mode
• Configuring databases
• Creating method lists
• Applying method lists to lines
• Applying methods to HTTP/HTTPS
• Show commands

Page 55: At8000 s configurando_aaa

AAA – Show commands

• Use the following EXEC mode command to display information about the authentication methods:

show authentication methods

• The command will show:
– Login method lists
– Enable method lists
– Line – method list association
– HTTP/HTTPS/dot1x – method association

Page 56: At8000 s configurando_aaa

AAA – Show commands

console# sh authentication methods

Login Authentication Method Lists
----------------------------------
Default : Enable
logm : Enable

Enable Authentication Method Lists
----------------------------------
Default : Enable
enm : Enable

…See next slide

Page 57: At8000 s configurando_aaa

AAA – Show commands

…from previous slide

Line      Login Method List   Enable Method List
-------   -----------------   -------------------
Console   logm                enm
Telnet    Default             Default
SSH       Default             Default

http : Local
https : Local
dot1x :
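An added example, not part of the deck, that parses the `show authentication methods` output format shown on slides 22 and 56-57 and flags every line or service whose method list can fall through to “none” under the slide-14/15 rules (no credentials at all when “none” is first, and credential-free access whenever all earlier databases are unavailable when it comes later). The sample output is the slide-22 result, retyped here as constructed input.

```python
# Constructed sample: the slide-22 'show authentication methods' output, retyped.
SAMPLE_OUTPUT = """\
Login Authentication Method Lists
-------------------------------------------
Console_Default : None
log_ssh : Local
log_tel : Enable None
log_cons : Line None

Enable Authentication Method Lists
----------------------------------
Console_Default : Enable None
en_ssh : Radius Enable None
en_tel : Line
en_cons : Enable None

Line      Login Method List   Enable Method List
--------- ------------------- -------------------
Console   log_cons            en_cons
Telnet    log_tel             en_tel
SSH       log_ssh             en_ssh
http : Local None
https : Radius Local
"""


def parse_show_auth(text):
    """Return (method lists by type, line -> (login, enable) names, service -> methods)."""
    lists, line_assoc, services = {"login": {}, "enable": {}}, {}, {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= set("- "):        # blank or dashed separator
            continue
        if line.startswith("Login Authentication"):
            section = "login"
        elif line.startswith("Enable Authentication"):
            section = "enable"
        elif line.startswith("Line "):                 # header of the association table
            section = "lines"
        elif section in ("login", "enable"):           # e.g. 'log_tel : Enable None'
            name, methods = line.split(":", 1)
            lists[section][name.strip()] = methods.lower().split()
        elif section == "lines":
            parts = line.split()
            if parts[1] == ":":                        # 'http : Local None' style row
                services[parts[0].lower()] = [m.lower() for m in parts[2:]]
            else:                                      # 'Telnet  log_tel  en_tel' row
                line_assoc[parts[0]] = (parts[1], parts[2])
    return lists, line_assoc, services


def audit(text):
    """Flag lists that can grant access with no credentials (slide 14/15 rules)."""
    lists, line_assoc, services = parse_show_auth(text)
    targets = [(f"{ln} login ({lg})", lists["login"].get(lg, []), ln.lower() != "console")
               for ln, (lg, en) in line_assoc.items()]
    targets += [(f"{ln} enable ({en})", lists["enable"].get(en, []), ln.lower() != "console")
                for ln, (lg, en) in line_assoc.items()]
    targets += [(svc, methods, True) for svc, methods in services.items()]
    findings = []
    for where, methods, network in targets:
        if not methods or "none" not in methods:
            continue
        if methods[0] == "none":
            findings.append(f"{where}: 'none' first, access needs no credentials")
        elif network:                                  # telnet/ssh/http reach over the network
            before = ", ".join(methods[:methods.index("none")])
            findings.append(f"{where}: falls open to 'none' if {before} unavailable")
        if methods[-1] != "none":                      # slide 40: none belongs last
            findings.append(f"{where}: methods after 'none' are never consulted")
    return findings
```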

Page 58: At8000 s configurando_aaa

Show RADIUS Server

• Use the following EXEC mode command to display the RADIUS server settings:

show radius-servers

console# sh radius-servers

IP address       Auth.  TimeOut  Retran.  DeadTime  source IP        Prio.  Usage
---------------  -----  -------  -------  --------  ---------------  -----  -----
9.1.1.1          1812   Global   Global   Global    Global           0      all

Global values
--------------
TimeOut    : 3
Retransmit : 3
Deadtime   : 0
Source IP  : 0.0.0.0
console#

Page 59: At8000 s configurando_aaa

Thank You!!!