CCNA Security Chapter 3: AAA
Transcript of CCNA Security Chapter 3: AAA
Cisco Networking Academy – CCNA Security
Configuring AAA on a Cisco Router Using the Local Database
Pedro González Mercado – CCNA, CCNP, CCAI
© 2008 Cisco Systems, Inc. All rights reserved. IINS v1.0—2-2
AAA Model—Network Security Architecture
Authentication
– Who are you?
– “I am user student and my password validateme proves it.”
Authorization
– What can you do? What can you access?
– “User student can access host serverXYZ using Telnet.”
Accounting
– What did you do? How long did you do it? How often did you do it?
– “User student accessed host serverXYZ using Telnet for 15 minutes.”
Implementing Cisco AAA
Administrative access: console, Telnet, and auxiliary access
Remote user network access: dial-up or VPN access
[Figure: AAA deployment diagram. A console and a remote dial-up client (via PSTN/ISDN and a NAS) and a remote VPN client (via the Internet) reach the router, which queries Cisco Secure ACS for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. PSTN = public switched telephone network.]
Implementing Authentication Using Local Services
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.
[Figure: remote client connecting to the perimeter router; steps 1, 2 and 3 above are marked on the diagram.]
Authenticating Router Access
[Figure: administrative access paths to the router: a Telnet host on the local LAN, a console connection, and remote administrative access from a remote LAN across the Internet.]
Router Local Authentication Configuration Steps
The following are the general steps to configure a Cisco router to support local authentication:
1. Add usernames and passwords to the local router database.
2. Enable AAA globally on the router.
3. Configure AAA parameters on the router.
4. Confirm and troubleshoot the AAA configuration.
Configuring User Accounts Using Cisco SDM
Configure > Additional Tasks > Router Access > User Accounts/View
Enabling and Disabling AAA Using Cisco SDM
AAA is enabled by default in Cisco SDM.
If you attempt to disable AAA, a warning message appears.
Choose Configure > Additional Tasks > AAA to view or modify AAA settings.
Configuring AAA Authentication Using Cisco SDM
Configure > Additional Tasks > AAA > Authentication Policies > Login
Additional AAA CLI Commands
aaa local authentication attempts max-fail number-of-unsuccessful-attempts
router(config)#
Secures AAA user accounts by locking out accounts that have excessive failed attempts
show aaa local user lockout
router#
Identifies locked user accounts
clear aaa local user lockout
router#
Clears locked user accounts
Additional AAA CLI Commands (Cont.)
show aaa user all
router#
Displays statistics of logged in users
show aaa sessions
router#
Displays the current AAA sessions and their unique IDs
AAA Configuration Example
aaa new-model
aaa local authentication attempts max-fail 10
!
!
aaa authentication login default local
enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3.
enable password 7 15141905172924
!
username admin1 password 7 14161606050A7B7974786B
username admin2 secret 5 $1$ErWl$b5rDNK7Y5RHkxX/Ks7Hr00
username AAAadmin privilege 15 view root secret 5 $1$0GGC$1Y.WBhh7UQso8cJSkvv2N0
!
Troubleshooting AAA Using the debug aaa authentication Command
router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
debug aaa authentication
router#
Helps troubleshoot AAA authentication problems
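The debug output above is easier to act on when folded into one record per AAA session id, showing which list and method handled each login, which user was entered, and how the exchange ended. This is an added Python example, not part of the course material: SAMPLE_DEBUG is a constructed log (a condensed copy of the slide's PASS session plus an invented FAIL session in the same format), and parse_sessions and failures_per_user are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: condensed PASS session from the slide plus an invented FAIL session.
SAMPLE_DEBUG = """\
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='diallocal')
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
113140: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097701): port='tty2' list='' action=LOGIN service=LOGIN
113141: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097701): using "default" list
113142: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097701): Method=LOCAL
113145: Feb 4 10:12:05.310 CST: AAA/AUTHEN/CONT (2784097701): continue_login(user='admin1')
113147: Feb 4 10:12:07.002 CST: AAA/AUTHEN (2784097701): status = FAIL
"""

# seq: timestamp: AAA/<source> (<session id>): <message>
LINE_RE = re.compile(
    r"^\d+: (?P<ts>\w+ +\d+ [\d:.]+ \w+): "
    r"(?P<src>AAA/[A-Z/]+)(?: \((?P<sid>\d+)\))?: (?P<msg>.*)$")

def parse_sessions(text):
    """Fold debug lines into one record per AAA session id."""
    sessions = defaultdict(lambda: {"port": None, "list": None, "method": None,
                                    "user": None, "status": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("sid"):
            continue  # e.g. AAA/MEMORY lines carry no session id
        rec, msg = sessions[m.group("sid")], m.group("msg")
        if (p := re.search(r"port='([^']*)'", msg)):
            rec["port"] = p.group(1)
        if (g := re.search(r'using "([^"]+)" list', msg)):
            rec["list"] = g.group(1)
        if (mm := re.search(r"Method=(\w+)", msg)):
            rec["method"] = mm.group(1)
        if (u := re.search(r"continue_login\(user='([^']*)'\)", msg)) and u.group(1) != "(undef)":
            rec["user"] = u.group(1)
        if (s := re.search(r"status = (\w+)", msg)):
            rec["status"] = s.group(1)  # the last status seen is the outcome
    return dict(sessions)

def failures_per_user(sessions):
    """Count FAIL outcomes per username, to compare against the max-fail lockout threshold."""
    counts = defaultdict(int)
    for rec in sessions.values():
        if rec["status"] == "FAIL" and rec["user"]:
            counts[rec["user"]] += 1
    return dict(counts)
```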
Cisco Networking Academy – CCNA Security
Configuring AAA on a Cisco Router to Use Cisco Secure ACS
Pedro González Mercado - CCAI
Why Use Cisco Secure ACS?
Using the local database for AAA implementation on a Cisco router does not scale well.
Cisco Secure ACS systems can manage the user and administrative access for an entire network.
Cisco Secure ACS systems can work with external databases to authenticate users to leverage the work already invested in building the external database.
Implementing Authentication Using External Servers
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
[Figure: remote client connecting to the perimeter router, which queries Cisco Secure ACS for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express; steps 1 to 4 above are marked on the diagram.]
Cisco Secure ACS
Cisco Secure ACS is a AAA system with these features:
Used with firewalls, dial-up access servers, and routers
Implemented at network access points to authenticate remote users
Used with extranet connections to audit activities and control authentication and authorization for business partners
Cisco Secure ACS Features
Easy-to-use web GUI
Scalable data replication and redundancy services
Support for LDAP, Active Directory, Novell Directory Services, and ODBC databases
Full accounting and user reporting features
Easy and flexible control of changes to the security policy over all of the devices in a network
Support for RADIUS and TACACS+
Tight integration with Cisco IOS routers and Cisco VPN solutions
Support for third-party OTPs
Dynamic quotas to restrict access
Cisco Secure ACS Express 5.0
Entry-level ACS
TACACS+ and RADIUS support
Simplified feature set
Support for up to 50 AAA devices
Support for up to 350 unique user ID logins in a 24-hour period
Cisco Secure ACS View 4.0
Advanced reporting and alerting solution for Cisco Secure ACS Version 4.x
– Interactive reports
– Canned and custom reports
– Scheduled reports
– Threshold-based alerts
Views for administrative access control
Web-based user interface
Centralized data management
– Correlation of data from multiple Cisco Secure ACS servers
TACACS+ and RADIUS AAA Protocols
TACACS+ and RADIUS are used to communicate between the AAA security servers and authenticating devices.
Cisco Secure ACS supports both TACACS+ and RADIUS:
– TACACS+ remains more secure than RADIUS.
– RADIUS has a robust application programming interface and strong accounting.
[Figure: Cisco Secure ACS security server communicating over TACACS+ and RADIUS with a firewall, a router, a NAS, and a switch.]
TACACS+ Overview
Is not compatible with its predecessors TACACS and XTACACS
Separates authentication and authorization
Supports a large number of features
Encrypts all communication
Utilizes TCP port 49
RADIUS Overview
RADIUS was developed by Livingston Enterprises.
RADIUS proxy servers are used for scalability.
RADIUS combines authentication and authorization as one process.
DIAMETER is the planned replacement.
Technologies that use RADIUS include
– Remote access (i.e., dial-up and DSL)
– 802.1X
– SIP
TACACS+/RADIUS Comparison
[Figure: campus and dial topologies, with a TACACS+ client talking to a TACACS+ server and a RADIUS client talking to a RADIUS server.]

Feature            | TACACS+                                                                    | RADIUS
Functionality      | Separates AAA                                                              | Combines authentication and authorization
Standard           | Mostly Cisco supported                                                     | Open/RFC
Transport protocol | TCP                                                                        | UDP
CHAP               | Bidirectional                                                              | Unidirectional
Protocol support   | Multiprotocol support                                                      | No ARA, no NetBEUI
Confidentiality    | Entire packet encrypted                                                    | Password encrypted
Customization      | Provides authorization of router commands on a per-user or per-group basis | Has no option to authorize router commands on a per-user or per-group basis
Accounting         | Limited                                                                    | Extensive
Cisco Secure ACS Prerequisites
Cisco IOS AAA clients must run Cisco IOS Release 11.2 or later.
Cisco devices that do not run Cisco IOS Software must be configured with TACACS+, RADIUS, or both.
Dial-up, VPN, or wireless clients must be able to connect to the applicable AAA clients.
The Cisco Secure ACS server must be able to ping all AAA clients.
Gateway devices in the path to the Cisco ACS server must permit the necessary protocols and ports.
The Cisco Secure ACS server must have a supported web browser installed.
All NICs in the Cisco Secure ACS server must be enabled.
Creating a AAA Login Authentication Policy
Applying an Authentication Policy
Router(config)# line vty 0 4
Router(config-line)# login authentication TACACS_SERVER
Creating a AAA Exec Authorization Policy
Creating a AAA Network Authorization Policy
AAA Accounting Configuration
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
router(config)#
AAA Configuration for TACACS+ Example
aaa new-model
!
aaa authentication login TACACS_SERVER tacacs+ local
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
!
tacacs-server host 10.0.1.11
tacacs-server key ciscosecure
!
line vty 0 4
 login authentication TACACS_SERVER
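A small checker that applies the "Router Local Authentication Configuration Steps" and the local-fallback pattern of this TACACS+ example (tacacs+ then local) to a saved IOS configuration: it verifies that aaa new-model is enabled, that every login list applied to a line is actually defined, that lists relying on a TACACS+ or RADIUS server keep a local fallback, and that local authentication is paired with the max-fail lockout. This is an added Python example, not part of the course material; SAMPLE_CONFIG is a constructed config in the shape of the slides' examples (hashes and keys omitted, console list deliberately left undefined, lockout omitted), and parse_aaa and check_aaa are hypothetical names.

```python
import re

# Constructed sample in the shape of the slides' examples; hashes and keys omitted.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login TACACS_SERVER tacacs+ local
tacacs-server host 10.0.1.11
line vty 0 4
 login authentication TACACS_SERVER
line con 0
 login authentication CONSOLE
"""

def parse_aaa(config):
    # Collect only the AAA facts the checks below need.
    cfg = {"new_model": False, "max_fail": None, "lists": {}, "applied": {}}
    line_name = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            cfg["new_model"] = True
        elif (m := re.match(r"aaa local authentication attempts max-fail (\d+)", line)):
            cfg["max_fail"] = int(m.group(1))
        elif (m := re.match(r"aaa authentication login (\S+) (.+)", line)):
            cfg["lists"][m.group(1)] = m.group(2).split()  # list name -> method order
        elif line.startswith("line "):
            line_name = line  # remember which line section we are in
        elif (m := re.match(r"login authentication (\S+)", line)) and line_name:
            cfg["applied"][line_name] = m.group(1)
    return cfg

def check_aaa(cfg):
    # Findings follow the slides' steps: enable AAA, define lists, keep local fallback, lock out brute force.
    findings = []
    if not cfg["new_model"]:
        findings.append("aaa new-model is not enabled")
    for line_name, lst in cfg["applied"].items():
        if lst not in cfg["lists"]:
            findings.append(f"{line_name}: login list {lst} is not defined")
    for name, methods in cfg["lists"].items():
        if {"tacacs+", "radius"} & set(methods) and "local" not in methods:
            findings.append(f"list {name}: no local fallback when the AAA server is unreachable")
    uses_local = any("local" in m for m in cfg["lists"].values())
    if uses_local and cfg["max_fail"] is None:
        findings.append("local authentication without max-fail lockout")
    return findings
```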