CCNA Security Chapter 3: AAA


Cisco Networking Academy CCNA Security

Configuring AAA on a Cisco Router Using the Local Database

Pedro González Mercado – CCNA, CCNP, CCAI

© 2008 Cisco Systems, Inc. All rights reserved. IINS v1.0—2-2

AAA Model—Network Security Architecture

Authentication

– Who are you?

– “I am user student and my password validateme proves it.”

Authorization

– What can you do? What can you access?

– “User student can access host serverXYZ using Telnet.”

Accounting

– What did you do? How long did you do it? How often did you do it?

– “User student accessed host serverXYZ using Telnet for 15 minutes.”


Implementing Cisco AAA

Administrative access: console, Telnet, and auxiliary access

Remote user network access: dial-up or VPN access

[Figure: AAA deployment topology. A remote dial-up client reaches the NAS over the PSTN/ISDN and a remote VPN client reaches the router over the Internet; the router also has console access. AAA servers shown: Cisco Secure ACS for Windows Server, Cisco Secure ACS Solution Engine, and Cisco Secure ACS Express. PSTN = public switched telephone network.]


Implementing Authentication Using Local Services

1. The client establishes a connection with the router.

2. The router prompts the user for a username and password.

3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.

[Figure: remote client connecting to the perimeter router, with steps 1 to 3 annotated on the exchange.]


Authenticating Router Access

[Figure: administrative access paths to the router: a Telnet host on the local LAN, the console, and remote administrative access from a remote LAN across the Internet.]


Router Local Authentication Configuration Steps

The following are the general steps to configure a Cisco router to support local authentication:

1. Add usernames and passwords to the local router database.

2. Enable AAA globally on the router.

3. Configure AAA parameters on the router.

4. Confirm and troubleshoot the AAA configuration.


Configuring User Accounts Using Cisco SDM

Configure > Additional Tasks > Router Access > User Accounts/View


Enabling and Disabling AAA Using Cisco SDM

AAA is enabled by default in Cisco SDM.

If you attempt to disable AAA, a warning message appears.

Choose Configure > Additional Tasks > AAA to view or modify AAA settings.


Configuring AAA Authentication Using Cisco SDM

Configure > Additional Tasks > AAA > Authentication Policies > Login


Additional AAA CLI Commands

router(config)# aaa local authentication attempts max-fail number-of-unsuccessful-attempts

Secures AAA user accounts by locking out accounts that have excessive failed attempts

router# show aaa local user lockout

Identifies locked user accounts

router# clear aaa local user lockout

Clears locked user accounts


Additional AAA CLI Commands (Cont.)

router# show aaa user all

Displays statistics of logged-in users

router# show aaa sessions

Displays the current AAA sessions and their unique IDs


AAA Configuration Example

aaa new-model
aaa local authentication attempts max-fail 10
!
!
aaa authentication login default local
!
enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3.
enable password 7 15141905172924
!
username admin1 password 7 14161606050A7B7974786B
username admin2 secret 5 $1$ErWl$b5rDNK7Y5RHkxX/Ks7Hr00
username AAAadmin privilege 15 view root secret 5 $1$0GGC$1Y.WBhh7UQso8cJSkvv2N0
!


Troubleshooting AAA Using the debug aaa authentication Command

router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

router# debug aaa authentication

Helps troubleshoot AAA authentication problems
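As an added example (not from the slides or from Cisco), the following Python parser folds debug aaa authentication output like the listing above into one record per session id, tracking the method list, method, user and the sequence of status values, and lists the sessions that ended in FAIL, which is what an operator watches for. The sample input reuses part of the slide's successful session and adds a constructed failing session.

```python
import re
from collections import defaultdict

# One AAA/AUTHEN line from "debug aaa authentication":
# seq, timestamp, START/CONT phase (absent on status lines), session id, detail.
AUTHEN_RE = re.compile(r"^(\d+): (.+?): AAA/AUTHEN(?:/(START|CONT))? \((\d+)\): (.*)$")

def parse_debug_aaa(lines):
    """Fold debug output into one record per session id (the number in parentheses)."""
    sessions = defaultdict(lambda: {"port": None, "list": None, "method": None,
                                    "user": None, "status": None, "history": []})
    for line in lines:
        m = AUTHEN_RE.match(line.strip())
        if not m:
            continue                                  # AAA/MEMORY and unrelated lines
        sid, detail = m.group(4), m.group(5)
        rec = sessions[sid]
        if port := re.search(r"port='([^']*)'", detail):
            rec["port"] = port.group(1)
        if lst := re.search(r'using "([^"]+)" list', detail):
            rec["list"] = lst.group(1)
        if meth := re.search(r"Method=(\S+)", detail):
            rec["method"] = meth.group(1)
        if user := re.search(r"continue_login\(user='([^']*)'\)", detail):
            if user.group(1) != "(undef)":            # prompt not yet answered
                rec["user"] = user.group(1)
        if st := re.search(r"status = (\S+)", detail):
            rec["status"] = st.group(1)               # last status wins
            rec["history"].append(st.group(1))
    return dict(sessions)

def failed_logins(sessions):
    """(user, port) for every session whose final status is FAIL."""
    return [(r["user"], r["port"]) for r in sessions.values() if r["status"] == "FAIL"]

# Constructed sample: part of the slide's session 2784097690 plus a made-up failing session.
SAMPLE = """\
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
113140: Feb 4 10:12:01.000 CST: AAA/AUTHEN/START (2784097691): port='tty2' list='' action=LOGIN service=LOGIN
113141: Feb 4 10:12:01.000 CST: AAA/AUTHEN/START (2784097691): using "default" list
113145: Feb 4 10:12:05.000 CST: AAA/AUTHEN/CONT (2784097691): continue_login(user='guest')
113147: Feb 4 10:12:05.000 CST: AAA/AUTHEN (2784097691): status = FAIL
""".splitlines()
```

Call parse_debug_aaa(SAMPLE) and pass the result to failed_logins() to get the (user, port) pairs of failed sessions.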

Cisco Networking Academy CCNA Security

Configuring AAA on a Cisco Router to Use Cisco Secure ACS

Pedro González Mercado - CCAI


Why Use Cisco Secure ACS?

Using the local database for AAA implementation on a Cisco router does not scale well.

Cisco Secure ACS systems can manage the user and administrative access for an entire network.

Cisco Secure ACS systems can work with external databases to authenticate users to leverage the work already invested in building the external database.


Implementing Authentication Using External Servers

1. The client establishes a connection with the router.

2. The router prompts the user for a username and password.

3. The router passes the username and password to the Cisco Secure ACS (server or engine).

4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.

[Figure: remote client connecting through the perimeter router, which passes the credentials to Cisco Secure ACS for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express; steps 1 to 4 annotated on the exchange.]


Cisco Secure ACS

Cisco Secure ACS is a AAA system with these features:

Used with firewalls, dial-up access servers, and routers

Implemented at network access points to authenticate remote users

Used with extranet connections to audit activities and control authentication and authorization for business partners



Cisco Secure ACS Features

Easy-to-use web GUI

Scalable data replication and redundancy services

Support for LDAP, Active Directory, Novell Directory Services, and ODBC databases

Full accounting and user reporting features

Easy and flexible control of changes to the security policy over all of the devices in a network

Support for RADIUS and TACACS+

Tight integration with Cisco IOS routers and Cisco VPN solutions

Support for third-party OTPs

Dynamic quotas to restrict access


Cisco Secure ACS Express 5.0

Entry-level ACS

TACACS+ and RADIUS support

Simplified feature set

Support for up to 50 AAA devices

Support for up to 350 unique user ID logins in a 24-hour period


Cisco Secure ACS View 4.0

Advanced reporting and alerting solution for Cisco Secure ACS Version 4.x

– Interactive reports

– Canned and custom reports

– Scheduled reports

– Threshold-based alerts

Views for administrative access control

Web-based user interface

Centralized data management

– Correlation of data from multiple Cisco Secure ACS servers


TACACS+ and RADIUS AAA Protocols

TACACS+ and RADIUS are used to communicate between the AAA security servers and authenticating devices.

Cisco Secure ACS supports both TACACS+ and RADIUS:

– TACACS+ remains more secure than RADIUS.

– RADIUS has a robust application programming interface and strong accounting.

[Figure: Cisco Secure ACS security server communicating over TACACS+ and RADIUS with a firewall, a router, a NAS, and a switch.]


TACACS+ Overview

Is not compatible with its predecessors TACACS and XTACACS

Separates authentication and authorization

Supports a large number of features

Encrypts all communication

Utilizes TCP port 49


RADIUS Overview

RADIUS was developed by Livingston Enterprises.

RADIUS proxy servers are used for scalability.

RADIUS combines authentication and authorization as one process.

DIAMETER is the planned replacement.

Technologies that use RADIUS include

– Remote access (e.g., dial-up and DSL)

– 802.1X

– SIP


TACACS+/RADIUS Comparison

[Figure: a TACACS+ client and a RADIUS client on campus and dial networks, each talking to its own TACACS+ server or RADIUS server.]

                    TACACS+                                     RADIUS
Functionality       Separates AAA                               Combines authentication and authorization
Standard            Mostly Cisco supported                      Open/RFC
Transport protocol  TCP                                         UDP
CHAP                Bidirectional                               Unidirectional
Protocol support    Multiprotocol support                       No ARA, no NetBEUI
Confidentiality     Entire packet encrypted                     Password encrypted
Customization       Provides authorization of router commands   Has no option to authorize router commands
                    on a per-user or per-group basis            on a per-user or per-group basis
Accounting          Limited                                     Extensive


Cisco Secure ACS Prerequisites

Cisco IOS AAA clients must run Cisco IOS Release 11.2 or later.

Cisco devices that do not run Cisco IOS Software must be configured with TACACS+, RADIUS, or both.

Dial-up, VPN, or wireless clients must be able to connect to the applicable AAA clients.

The Cisco Secure ACS server must be able to ping all AAA clients.

Gateway devices in the path to the Cisco ACS server must permit the necessary protocols and ports.

The Cisco Secure ACS server must have a supported web browser installed.

All NICs in the Cisco Secure ACS server must be enabled.


Cisco Secure ACS 4.1 Homepage


Network Configuration


Interface Configuration


External Databases


Windows Database


Adding a AAA Server


Creating a AAA Login Authentication Policy


Applying an Authentication Policy

Router(config)# line vty 0 4
Router(config-line)# login authentication TACACS_SERVER


Creating a AAA Exec Authorization Policy


Creating a AAA Network Authorization Policy


AAA Accounting Configuration

router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]


AAA Configuration for TACACS+ Example

aaa new-model
!
aaa authentication login TACACS_SERVER tacacs+ local
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
!
tacacs-server host 10.0.1.11
tacacs-server key ciscosecure
!
line vty 0 4
 login authentication TACACS_SERVER
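As an added example (not the slides' or Cisco's code), this Python audit reads IOS AAA configuration text and reports the points this chapter's two configuration examples illustrate: aaa new-model, a local fallback on server-based login method lists so the router stays reachable when the TACACS+ server is down, the max-fail lockout for local accounts, a tacacs-server key, login lists applied to vty lines, and type 7 passwords, which are reversible obfuscation rather than hashes and should be replaced by secret. The sample config is constructed from the TACACS+ example above plus one type 7 username line from the local-database example; the audit assumes method lists appear before the line sections, as IOS prints them.

```python
import re

# Method keywords that hand authentication to an external AAA server.
SERVER_METHODS = {"tacacs+", "radius", "group"}

def audit_aaa_config(config_text):
    """Return a list of findings (strings) for an IOS AAA configuration excerpt."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    findings, login_lists, uses_tacacs, uses_local = [], {}, False, False
    if "aaa new-model" not in lines:
        findings.append("'aaa new-model' missing: AAA method lists are never consulted")
    for l in lines:          # assumes method lists precede the line sections, as IOS prints them
        if m := re.match(r"aaa authentication login (\S+) (.+)$", l):
            methods = m.group(2).split()
            login_lists[m.group(1)] = methods
            uses_local |= "local" in methods
            if methods[0] in SERVER_METHODS and methods[-1] != "local":
                findings.append(f"login list {m.group(1)} has no local fallback for an unreachable server")
        uses_tacacs |= "tacacs+" in l.split()
        if m := re.match(r"(enable password|username \S+ password) 7 ", l):
            findings.append(f"type 7 (reversible) password: '{m.group(1)} 7 ...'; use a secret instead")
        if m := re.match(r"login authentication (\S+)$", l):
            if m.group(1) != "default" and m.group(1) not in login_lists:
                findings.append(f"line applies undefined login list {m.group(1)}")
    if uses_tacacs and not any(l.startswith("tacacs-server key ") for l in lines):
        findings.append("TACACS+ used without a 'tacacs-server key'")
    if uses_local and not any(l.startswith("aaa local authentication attempts max-fail ") for l in lines):
        findings.append("no 'aaa local authentication attempts max-fail' lockout for local accounts")
    return findings

# Constructed sample: the slide's TACACS+ example plus one type 7 username line
# taken from the local-database example.
SAMPLE_CONFIG = """\
aaa new-model
!
aaa authentication login TACACS_SERVER tacacs+ local
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
username admin1 password 7 14161606050A7B7974786B
tacacs-server host 10.0.1.11
tacacs-server key ciscosecure
!
line vty 0 4
 login authentication TACACS_SERVER
"""
```

On SAMPLE_CONFIG the audit reports the type 7 password and the missing max-fail lockout, and nothing about the login list, because it already falls back to local.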
