IEWB SC VOL I V5.Section.5.Idwedentity.management.012
8/11/2019 IEWB SC VOL I V5.Section.5.Idwedentity.management.012
1/113
Accessed by [email protected] from 115.240.81.217 at 20:27:05 Nov 23,2009
CCIE Security Lab Workbook Volume I Version 5.0 Identity Management
Copyright 2009 Internetwork Expert www.INE.com
Copyright Information
Copyright 2009 Internetwork Expert, Inc. All rights reserved.
The following publication, CCIE Security Lab Workbook Volume I Version 5.0, was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of Internetwork Expert, Inc.
Cisco, Cisco Systems, CCIE, and Cisco Certified Internetwork Expert, are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain countries.
All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this manual, Internetwork Expert, Inc. has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.
Disclaimer
The following publication, CCIE Security Lab Workbook Volume I Version 5.0, is designed to assist candidates in the preparation for Cisco Systems CCIE Security Lab Exam. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an as is basis. Neither the authors nor Internetwork Expert, Inc. assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this workbook.
This workbook was developed by Internetwork Expert, Inc. and is an original work of the aforementioned authors. Any similarities between material presented in this workbook and actual CCIE lab material is completely coincidental.
Table of Contents
Identity Management ............................................................ 1
5.1 Remote Session Authentication using TACACS+ ................................ 1
5.2 Exec Authorization using TACACS+ ........................................... 2
5.3 IOS Local Command Authorization ............................................ 2
5.4 IOS Remote Command Authorization ........................................... 2
5.5 Using RADIUS for Session Control ........................................... 2
5.6 ASA Cut-Through Proxy ...................................................... 3
5.7 ASA Network Authorization .................................................. 4
5.8 LDAP Attribute Maps ........................................................ 5
5.9 802.1x Authentication and Authorization .................................... 5
5.10 NAC Policy Configuration .................................................. 6
5.11 L3 NAC with ASA and Cisco VPN Client ...................................... 7
Identity Management Solutions .................................................. 8
5.1 Remote Session Authentication using TACACS+ ................................ 8
5.2 Exec Authorization using TACACS+ .......................................... 19
5.3 IOS Local Command Authorization ........................................... 26
5.4 IOS Remote Command Authorization .......................................... 33
5.5 Using RADIUS for Session Control .......................................... 44
5.6 ASA Cut-Through Proxy ..................................................... 54
5.7 ASA Network Authorization ................................................. 70
5.8 LDAP Attribute Maps ....................................................... 74
5.9 802.1x Authentication and Authorization ................................... 77
5.10 NAC Policy Configuration ................................................. 86
5.11 L3 NAC with ASA and Cisco VPN Client .................................... 100
Identity Management
Note
Reset all the devices, and load the initial Identity Management configuration files.
[Diagram: R2, R3, R6, ASA1 (E0/0 outside, E0/1 inside), SW2 and the AAA/CA server (.100 on 10.0.0.0/24, VLAN 122); 136.X.126.0/24 on VLAN 126; R2 Lo0 150.X.2.2/24, R6 Lo0 150.X.6.6/24; router Fa0/0 interfaces face the VLANs]
5.1 Remote Session Authentication using TACACS+
Configure R2 to use the ACS server via TACACS+ with a password of CISCO.
o R2 should source TACACS+ packets from Loopback0.
Configure R2 so that access to the console line is authenticated using the local database.
Ensure the users logging into R2 remotely are authenticated using the TACACS+ server. Create an ACS user account named ADMIN with a password of cisco.
o In case the server fails, the users should be authenticated against the local database.
Enable mode authentication should first attempt TACACS+ and then fall back to the local password.
Create a user named ADMIN with a password of CISCO in the local database for these configurations.
Customize the prompts for AAA user authentication and change the default banner message.
5.2 Exec Authorization using TACACS+
User ADMIN should be automatically placed at privilege level 15 upon remote login to the router.
Create another user NOC with the password of CISCO that should be placed at privilege level 7 upon login.
Users logging in locally via console should be subject to the same authorization policy, but the values should be taken locally.
If the remote authorization fails, the local database should be used for incoming connections.
5.3 IOS Local Command Authorization
Ensure that the user NOC can use RIP debugging commands and can disable any currently active debugging using a single command.
The same user should be able to configure any interface IP settings and administratively enable or disable any of these interfaces.
Ensure the user can see their permitted commands in their running configuration.
5.4 IOS Remote Command Authorization
Only allow the NOC user to modify the IP address of the Loopback0 interface.
Make sure the range of allowed IP addresses is 150.X.0.0/16 for this interface.
5.5 Using RADIUS for Session Control
Modify the previous scenarios to use RADIUS for remote session authentication and exec authorization.
Ensure users ADMIN and NOC are placed at privilege levels 15 and 7 respectively upon logging in.
Configure enable privilege authorization via RADIUS for level 7 and 15 using the passwords cisco7 and cisco respectively.
Ensure fallback to the local database for all AAA lists and disable console authentication/authorization.
5.6 ASA Cut-Through Proxy
Configure ASA1 for cut-through authentication with the following:
o Require authentication before allowing HTTP destined for R6 Loopback 0 through ASA1.
o Initially authenticate against the address 136.1.126.6 using HTTP.
o After authentication, allow HTTP access to R6 Loopback 0 via an access-list.
o Use the ACS server for authentication.
o Traffic for authentication between the user and ASA1 should not be sent in plaintext.
o Configure the AAA server with a username of HTTPUSER and a password of CISCO.
Before authentication, the output of the packet-tracer command should show that the traffic is dropped, as shown below:
ASA1(config)# packet-tracer input inside tcp 10.0.0.100 1234 150.1.6.6 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 150.1.6.0 255.255.255.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny tcp any host 150.1.6.6 eq www
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA1(config)#
Note
Reset ASA1, and reload the startup configuration file on ASA1 only. Other devices require configurations from prior tasks.
5.7 ASA Network Authorization
Configure ASA1 for cut-through authentication for telnet traffic passing through the firewall from inside to outside.
Configure the AAA server with a user named TELNETUSER and a password of cisco. Use TACACS+ for authentication.
Do not configure any access lists to accomplish any part of this task.
ASA1 should send accounting information for these sessions to the AAA server.
5.8 LDAP Attribute Maps
Configure ASA1 to work with a future LDAP server running on the ACS Server with the following:
o When searching the directory, begin at CN=Users, DC=INE, DC=com and include all subtrees.
o Auto-detect the LDAP server type and use SASL with MD5 for security.
o The ASA should authenticate using CN=Admin, CN=Users, DC=INE, DC=com with a password of cisco?123!
o The server address will be 10.0.0.50. Refer to this server as LDAP-1.
o Associate the LDAP attribute of accessType with the Cisco attribute of IETF-Radius-Class.
5.9 802.1x Authentication and Authorization
Configure 802.1x on SW2, port Fa0/6 using the following:
o SW2 should source the AAA session from Loopback 0.
o Clients who fail authentication should be assigned to VLAN 10.
o Clients without a supplicant are assigned to VLAN 20.
o Create a user on ACS named dot1x-user as part of this task. Assign the dot1x-user to VLAN 30 if authenticated.
Note
Clear all device configurations and load the Remote Access VPN Initial Configuration files. Use the following diagram as a reference when working with the scenarios below.
[Diagram: ASA 1 (Inside/Outside), R1, R2, R3, Test PC and the AAA/CA server; networks 136.X.23.0/24, 136.X.121.0/24 (VLAN 121), 136.X.123.0/24 (VLAN 123), 136.X.100.0/24 (VLAN 100, host .200), 136.X.11.0/24 (VLAN 11) and 10.0.0.0/24 (VLAN 200); Lo0 150.X.1.1/24; interfaces S0/1, S1/3, Fa0/0, Fa0/1, Fa0/0.121 and Fa0/0.11; RIPv2]
5.10 NAC Policy Configuration
Configure a Network Admission Policy in the ACS per the following requirements:
Generate a NAP named NAC_L3_IP based on the stock NAC L3 IP template.
Assign Healthy posture to the host if the client OS type is Windows.
Only allow the hosts in Quarantine posture state to perform the following:
o Ping any host.
o Connect via HTTP to the host 10.0.0.100.
Redirect the hosts in Quarantine state to http://10.0.0.100.
5.11 L3 NAC with ASA and Cisco VPN Client
Configure the ASA firewall to accept remote VPN connections from Cisco Easy VPN Clients using group ID EZVPN.
Use address pool 20.0.0.0/24 to allocate IP addresses for remote clients.
Allow for split tunneling to network 136.X.121.0/24.
Remote users should be authenticated using the name CISCO along with the password CISCO1234.
Configure the ASA firewall to perform Network Admission Control for the Cisco VPN Clients.
o Use the RADIUS server at 10.0.0.100 with the key of CISCO.
o Enforce NAC for the VPN tunnel group.
Configure the Test PC for NAC with the ACS server.
When using a remote AAA server for user authentication, you need a user account created in the AAA server and the authenticating router added to the list of known AAA clients. The router should be configured with the TACACS+ server IP address using the tacacs-server command. The servers defined via this command are referred to as the default server group, selected when using the option group tacacs+ in AAA list configuration. When communicating with the AAA server the router will source the packets out of the interface used to route packets to the server. It is usually recommended to use a virtual interface, such as a Loopback, by using the command ip tacacs source-interface or ip radius source-interface. This command applies to the default TACACS+ group or any group not explicitly configured within the system.
For enable authentication with the TACACS+ server, there are two options.
First, if you want to give enable privilege to a user that has logged in but not authenticated (no identity, no username) you need to create a special user named $enable$ in the AAA server. The router uses this username when requesting enable privilege authentication from the AAA server for the user with no name. For every level you could create a special user of the form $enab$ with the level number inside, e.g. $enab7$ for level seven. If the user has logged in with a username and password, the router will use the same username for enable mode authentication but using the service enable. You need to configure the respective user setting under the Advanced TACACS+ Settings section of the profile. This includes the Max. Privilege Level for Any AAA Client and TACACS+ Enable Password. These two values define the maximum privilege level allowed for this user and the password required for authentication. You cannot set a custom enable level associated with the named user, and it will always be the maximum level configured. If you want per-user privilege-level flexibility, edit the exec service attributes for the particular user.
If you want custom groups of TACACS+ servers available in the system, you may create those by using the aaa group server tacacs+ command. Every group could have its own source interface for TACACS+ communication and a custom list of servers defined. The group name could be later referenced in an AAA list configuration using the group option, e.g. aaa authentication login group CUSTOM.
R2:
!
! Define enable password and a local user
!
enable secret cisco
username ADMIN password CISCO
!
! Init AAA and configure AAA lists for Console/VTY logins
! Configure the use of TACACS+ for enable authentication and
! provide a fallback to local enable password
!
aaa new-model
aaa authentication login CONSOLE local
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Customize prompts
!
! TACACS+ authentication does not submit the username-prompt config,
! RADIUS does. So to present a unique username prompt, we need a
! login banner.
!
banner login @ Please Enter Your ID:
@
aaa authentication password-prompt "Please Enter Your Password: "
aaa authentication username-prompt "Please Enter Your ID: "
!
! Add a new authentication banner
!
aaa authentication banner #
This system requires you to identify yourself.#
!
! Configure fail-message
!
aaa authentication fail-message #Authentication Failed, Sorry.#
!
! TACACS+ source interface
!
ip tacacs source-interface loopback 0
!
tacacs-server host 10.0.0.100
tacacs-server key CISCO
!
line con 0
 login authentication CONSOLE
!
! Apply the AAA list to the line
!
line vty 0 4
 login authentication VTY
 password cisco
ACS:
Step 1:
Add R2 as an AAA client to the ACS. Click Network Configuration then Add Entry and enter the information for R2 as follows:
Click Submit + Apply when you're done.
Step 2:
Add a new user named ADMIN with the password of CISCO in the ACS. Click the User Setup button and then enter the name ADMIN and click the Add/Edit button. Change the Password value to CISCO for this user.
Next, configure enable privilege settings for this user, per the screenshot below. Set the enable password to CISCO (custom enable password specifically for this user).
Click the Submit button when you're done.
Verification
Note
When you have the TACACS+ server configured, issue the following commands to make sure the router can authenticate users with the AAA server. Also verify that logging is enabled so you can see the results!
Rack1R2#test aaa group tacacs+ ADMIN CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.
Note
Now you can try connecting to R2 using telnet and try enable authentication. Prior to this, configure some debugging in R2 to observe the process in detail.
Rack1R2#debug aaa authentication
AAA Authentication debugging is on
Rack1R2#debug tacacs packet
TACACS+ packets debugging is on
Rack1R2#debug aaa authorization
AAA Authorization debugging is on
Rack1R6#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

Please Enter Your ID:

Username: ADMIN
Password: CISCO

Rack1R2>enable
Password: CISCO
Rack1R2#
Note
Observe the debugging output for this process. Initially, R2 sends the START message to the server (service = login) and the server responds with REPLY and a prompt Username.
AAA/AUTHEN/LOGIN (00000008): Pick method list 'VTY'
TPLUS: Queuing AAA Authentication request 8 for processing
TPLUS: processing authentication start request id 8
TPLUS: Authentication start packet created for 8()
TPLUS: Using server 10.0.0.100
TPLUS(00000008)/0/NB_WAIT/83A941C8: Started 5 sec timeout
TPLUS(00000008)/0/NB_WAIT: socket event 2
T+: Version 192 (0xC0), type 1, seq 1, encryption 1
T+: session_id 3329617854 (0xC675EFBE), dlen 22 (0x16)
T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
T+: svc:LOGIN user_len:0 port_len:5 (0x5) raddr_len:9 (0x9) data_len:0
T+: user:
T+: port:  tty67
T+: rem_addr:  150.1.2.2
T+: data:
T+: End Packet

TPLUS(00000007)/0/READ: read entire 28 bytes response
T+: Version 192 (0xC0), type 1, seq 2, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 16 (0x10)
T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
T+: msg:  Username:
T+: data:
T+: End Packet
Note
The router collects the name and sends it to the server in a CONTINUE message. The server responds with the Password prompt instructing the router to request a password.
TPLUS(00000007)/0/84498D84: Processing the reply packet
TPLUS: Received authen response status GET_USER (7)
TPLUS: Queuing AAA Authentication request 7 for processing
TPLUS: processing authentication continue request id 7
TPLUS: Authentication continue packet generated for 7
TPLUS(00000007)/0/WRITE/84498D84: Started 5 sec timeout
T+: Version 192 (0xC0), type 1, seq 3, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 10 (0xA)
T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
T+: User msg:
T+: User data:
T+: End Packet
TPLUS(00000007)/0/WRITE: wrote entire 22 bytes request
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 12 header bytes (expect 16 bytes data)
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 28 bytes response
T+: Version 192 (0xC0), type 1, seq 4, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 16 (0x10)
T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
T+: msg:  Password:
T+: data:
T+: End Packet
Note
The router collects the password and sends it to the AAA server. The server returns a reply with the PASS state.
TPLUS(00000007)/0/84498D84: Processing the reply packet
TPLUS: Received authen response status GET_PASSWORD (8)
TPLUS: Queuing AAA Authentication request 7 for processing
TPLUS: processing authentication continue request id 7
TPLUS: Authentication continue packet generated for 7
TPLUS(00000007)/0/WRITE/84498D84: Started 5 sec timeout
T+: Version 192 (0xC0), type 1, seq 5, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 10 (0xA)
T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
T+: User msg:
T+: User data:
T+: End Packet
TPLUS(00000007)/0/WRITE: wrote entire 22 bytes request
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 12 header bytes (expect 6 bytes data)
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 18 bytes response
T+: Version 192 (0xC0), type 1, seq 6, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 6 (0x6)
T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
T+: msg:
T+: data:
T+: End Packet
TPLUS(00000007)/0/84498D84: Processing the reply packet
TPLUS: Received authen response status PASS (2)
AAA/AUTHOR (00000007): Method list id=0 not configured. Skip author
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
AAA/MEMORY: create_user (0x843720E4) user='ADMIN' ruser='NULL' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
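The exchange above, replayed as an added Python example that is not part of the workbook: it packs the 12-byte TACACS+ header, applies the RFC 8907 MD5 pseudo-pad that the debug reports as "encryption 1", and walks the START/REPLY/CONTINUE sequence so the dlen values (22, 16, 10, 16, 10, 6) and the GETUSER/GETPASS/PASS statuses can be checked against the debug output. The server side is scripted in place of ACS; the key CISCO and the session id 0xC675EFBE come from the page, the tty and remote address from the START packet shown.

```python
import hashlib
import struct

# Layouts follow RFC 8907. The constants are the values visible in the R2 debug
# output: version 192 (0xC0), type 1 (AUTHEN) and "encryption 1", meaning the
# UNENCRYPTED flag bit is clear and the body is obfuscated with the shared key.
TAC_PLUS_VERSION = 0xC0
TAC_PLUS_AUTHEN = 1
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# AUTHEN/REPLY status values on the wire ("status:4", "status:5", "status:1");
# IOS prints its own internal names, e.g. "GET_USER (7)" for wire status 4.
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR"}
REPLY_FLAG_NOECHO = 0x01  # the "flags:0x1" on the Password: prompt


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, body, key):
    """12-byte header plus obfuscated body, as R2 writes it to the socket."""
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def parse_packet(packet, key):
    """Return (header fields, clear body); reject short or truncated packets."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:  # the debug's "expect N bytes data": the caller must read more
        raise ValueError("truncated body: expected %d, got %d" % (length, len(body)))
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "dlen": length}, body

def authen_start(user, port, rem_addr, priv_lvl=1):
    """AUTHEN/START for an ASCII login: action LOGIN=1, authen_type ASCII=1, service LOGIN=1."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", 1, priv_lvl, 1, 1, len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr

def authen_continue(user_msg):
    """AUTHEN/CONTINUE carrying what the user typed (name, then password)."""
    user_msg = user_msg.encode()
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg

def authen_reply(status, server_msg="", flags=0):
    """AUTHEN/REPLY as the server sends it (constructed here to stand in for ACS)."""
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, flags, len(msg), 0) + msg

def parse_authen_reply(body):
    status, flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return AUTHEN_STATUS.get(status, "UNKNOWN(%d)" % status), flags, body[6:6 + msg_len].decode()

def login_exchange(key, session_id, username, password):
    """Replay the six-packet ASCII login from the debug output through a full
    build/parse round trip; return (seq_no, dlen, reply status) per packet."""
    script = [authen_start("", "tty67", "150.1.2.2"),            # seq 1, dlen 22
              authen_reply(4, "Username: "),                     # seq 2, dlen 16
              authen_continue(username),                         # seq 3, dlen 10
              authen_reply(5, "Password: ", REPLY_FLAG_NOECHO),  # seq 4, dlen 16
              authen_continue(password),                         # seq 5, dlen 10
              authen_reply(1)]                                   # seq 6, dlen 6
    trace = []
    for seq_no, body in enumerate(script, start=1):
        wire = build_packet(TAC_PLUS_AUTHEN, seq_no, session_id, body, key)
        hdr, clear = parse_packet(wire, key)
        if clear != body:
            raise AssertionError("round trip failed at seq %d" % seq_no)
        status = parse_authen_reply(clear)[0] if seq_no % 2 == 0 else None
        trace.append((hdr["seq_no"], hdr["dlen"], status))
    return trace

if __name__ == "__main__":
    # Key and session id as seen on the page; the ACS side is scripted above.
    print(login_exchange(b"CISCO", 0xC675EFBE, "ADMIN", "CISCO"))
```

Because the pad is derived only from the shared key and header fields, anyone holding the key can recover the password from a capture, which is why the key and the path between R2 and the AAA server deserve the same care as the credentials themselves.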
The other interesting attributes are:
a) Access-List = . Specifies the access-list to be applied to the user's outgoing connections. Helpful to restrict the hosts that the user may bounce to off this router.
b) Auto-Command = IOS CLI command. Specifies the command to be executed upon the user's login. The session is terminated after the command has been executed and the user is disconnected.
c) Idle-time = . Specifies the time a user's connection originated from this router could stay idle before terminating it. This applies to the outbound connections, not the inbound one to the router itself.
d) No-escape. When enabled, disallows the user from entering the escape character and returning back to the router's shell. Commonly used with the auto-command that connects the user to another router. This option will disallow the user returning back to this router.
e) No-hangup. When enabled, changes the shell termination behavior. Usually the user's session is disconnected when the shell terminates. With this option, the connection remains active, allowing the user to log in once again. Commonly used with auto-commands to allow the user to log in to the router under a different name.
f) Privilege-Level or priv-lvl is the exec enable privilege level mentioned previously.
2) Consult the local username database. If the local database is used for exec authorization, the auto-commands and privilege levels are taken from the values associated with the usernames configured in the router. You enable local exec authorization using a command similar to the following:
aaa authorization exec default local
For example, username cisco privilege 3 assigns user cisco to privilege level 3 upon login when local authorization is enabled.
3) Use default settings, for example, the default privilege level assigned to the terminal line (privilege level x), if the authorization settings permit this.
This is commonly used when you disable authorization (method none) or authorize settings for any authenticated users (method if-authenticated).
Notice the difference between the method none and if-authenticated from the following example:
Scenario 1:
aaa authentication login default group tacacs+ none
aaa authorization exec default none
!
line console 0
 privilege level 15
Scenario 2:
aaa authentication login default group tacacs+ none
aaa authorization exec default if-authenticated
!
line console 0
 privilege level 15
In the first case, if the TACACS+ server is not available, the router will allow incoming console connections without authentication. Since there is no exec authorization, the user will be granted the exec shell with privilege 15. In the second case, if the TACACS+ server is not available, the system grants access without authentication but fails authorization of the exec shell.
Thus, the difference between the none and if-authenticated authorization cases is that the former always applies the desired authorization parameters without any verification. The latter requires the user to be authenticated, but does not consult the user database to check authorization attributes.
As mentioned previously, by default, exec authorization is set to none, so you may need to change it to accomplish your needs.
A note on console line authorization. By default, console line authorization is disabled, regardless of the configured default authorization list for service exec. The privilege level set for the line using the command privilege level is used for exec authorization by default. However, if you enable console line authorization using the command aaa authorization console then the AAA lists will take effect on the console users as well. Notice that this behavior was different for IOS running on Catalyst switches (console authorization on by default), but the behavior has been made unified in the recent Catalyst IOS releases.
R2:
username ADMIN privilege 15
username NOC privilege 7
!
aaa authorization exec VTY group tacacs+ local
aaa authorization exec default local
!
line vty 0 4
 authorization exec VTY
ACS:
Step 1:
Modify the existing ADMIN user TACACS+ Settings. Edit the account and set the TACACS+ settings according to the screenshot below. Notice that checking Shell is important to enable this service for the user.
Step 2:
Create a new user named NOC with the password of CISCO. Assign the Privilege Level of 7 to this user under TACACS+ Settings.
Verification
Note
Enable the following debugging commands in R2 and connect to this router from R6. Authenticate using the name ADMIN/CISCO and check the privilege level assigned upon login.
Rack1R2#debug aaa authorization
AAA Authorization debugging is on
Rack1R2#debug tacacs authorization
TACACS+ authorization debugging is on
Rack1R2#debug tacacs packet
TACACS+ packets debugging is on
Rack1R6#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

Username: ADMIN
Password: CISCO

Rack1R2#show privilege
Current privilege level is 15
Note
Check the debugging output next. The first part of the packet exchange is authentication related.
AAA/BIND(0000000B): Bind i/f
T+: Version 192 (0xC0), type 1, seq 1, encryption 1
T+: session_id 725205646 (0x2B39C28E), dlen 23 (0x17)
T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
T+: svc:LOGIN user_len:0 port_len:5 (0x5) raddr_len:10 (0xA) data_len:0
T+: user:
T+: port:  tty66
T+: rem_addr:  136.1.126.6
T+: data:
T+: End Packet
T+: Version 192 (0xC0), type 1, seq 2, encryption 1
T+: session_id 725205646 (0x2B39C28E), dlen 16 (0x10)
T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
T+: msg:  Username:
T+: data:
T+: End Packet
Note
The server responds with priv-lvl=15 and authorization ends here.
TPLUS(0000000B)/0/NB_WAIT: wrote entire 59 bytes request
TPLUS(0000000B)/0/READ: socket event 1
TPLUS(0000000B)/0/READ: Would block while reading
TPLUS(0000000B)/0/READ: socket event 1
TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 18 bytes data)
TPLUS(0000000B)/0/READ: socket event 1
TPLUS(0000000B)/0/READ: read entire 30 bytes response
T+: Version 192 (0xC0), type 2, seq 2, encryption 1
T+: session_id 4235601696 (0xFC762720), dlen 18 (0x12)
T+: AUTHOR/REPLY status:1 msg_len:0, data_len:0 arg_cnt:1
T+: msg:
T+: data:
T+: arg[0] size:11
T+: priv-lvl=15
T+: End Packet
TPLUS(0000000B)/0/84498D84: Processing the reply packet
TPLUS: Processed AV priv-lvl=15
TPLUS: received authorization response for 11: PASS
AAA/AUTHOR/EXEC(0000000B): processing AV cmd=
AAA/AUTHOR/EXEC(0000000B): processing AV priv-lvl=15
AAA/AUTHOR/EXEC(0000000B): Authorization successful
Rack1R2#
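The reply packet above can be reproduced byte for byte from the fields the debug prints. The following Python is an added example (not part of the workbook, and not IOS or ACS code) that builds the 12-byte TACACS+ header and the 18-byte AUTHOR/REPLY body as laid out in RFC 8907, obfuscates the body with the MD5 pseudo-pad the protocol uses, and parses it back with the length checks a client should perform. The session id, sequence number, status and priv-lvl argument come from the debug output; the shared key CISCO is an assumption, since the TACACS+ key does not appear in this section.

```python
"""Build and decode a TACACS+ Authorization REPLY (RFC 8907 framing).

Added example, not part of the workbook. Field values come from the debug
output (version 0xC0, type 2, seq 2, session_id 0xFC762720, dlen 18,
status 1, one argument "priv-lvl=15"); the shared key is an assumption.
"""
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}
SHARED_KEY = b"CISCO"               # assumed; the TACACS+ key is not shown on this page


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from RFC 8907 section 4.5: MD5(session_id, key, version, seq_no[, prev])."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call both obfuscates and recovers a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(session_id: int, seq_no: int, status: int, args: list,
                       key: bytes, server_msg: bytes = b"", data: bytes = b"") -> bytes:
    """Serialize an Authorization REPLY (RFC 8907 section 6.2) with an obfuscated body."""
    version = 0xC0                  # major 0xC, minor 0: the debug's "Version 192 (0xC0)"
    arg_bytes = [a.encode("ascii") for a in args]
    body = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    body += bytes(len(a) for a in arg_bytes) + server_msg + data + b"".join(arg_bytes)
    header = HEADER.pack(version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, version, seq_no)


def parse_author_reply(packet: bytes, key: bytes) -> dict:
    """Parse header and body, checking every length the way a careful client should."""
    if len(packet) < HEADER.size:
        raise ValueError("short TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError(f"expected authorization packet, got type {ptype}")
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError(f"header announces {length} body bytes, {len(body)} present")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    if len(body) < 6:
        raise ValueError("body too short for AUTHOR/REPLY fixed fields")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("arg_cnt exceeds body")
    pos = 6 + arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len
    data, pos = body[pos:pos + data_len], pos + data_len
    args = []
    for n in arg_lens:
        args.append(body[pos:pos + n].decode("ascii", errors="replace"))
        pos += n
    if pos != length:
        # The body carries no integrity check, so a wrong key shows up only as
        # lengths that no longer add up to dlen.
        raise ValueError("argument lengths do not add up to dlen (wrong key or corrupt packet)")
    return {"version": version, "seq_no": seq_no, "session_id": session_id, "dlen": length,
            "status": AUTHOR_STATUS.get(status, f"unknown({status:#x})"),
            "server_msg": server_msg.decode("ascii", errors="replace"),
            "data": data, "args": args}


def priv_lvl(reply: dict):
    """Return the privilege level the server assigned, or None if it sent none."""
    for av in reply["args"]:
        name, sep, value = av.partition("=")
        if name == "priv-lvl" and sep:
            return int(value)
    return None


def reply_from_debug() -> bytes:
    """Rebuild the 30-byte response the debug shows: 12 header + 18 body bytes."""
    return build_author_reply(session_id=0xFC762720, seq_no=2, status=0x01,
                              args=["priv-lvl=15"], key=SHARED_KEY)


if __name__ == "__main__":
    pkt = reply_from_debug()
    info = parse_author_reply(pkt, SHARED_KEY)
    print(len(pkt), info, priv_lvl(info))
```

Running it yields the 30 bytes the debug reports as "12 header bytes" plus "18 bytes data". Note that the obfuscated body has no integrity check: a wrong key produces garbage lengths rather than an authentication error, which is why the parser insists that the argument lengths add up exactly to dlen.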
Note
Now confirm that the user NOC is placed at exec privilege level 7 upon login.
Rack1R6#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

Username: NOC
Password:

Rack1R2#sh privilege
Current privilege level is 7
Rack1R2#
Local authorization is always on by default, and works according to the privilege levels assigned to the users and the commands associated with those levels. In order to create custom command sets, you can do one of the following:

1) Assign some level 15 commands to level 1, effectively making them available to all users that may log in to the router (if they use the default privilege level settings). You may want to use this option if you need to allow all users the use of some special features, e.g. certain debug commands.

2) Re-assign some commands from level 1 to a higher level, thus disallowing all unprivileged users the use of these commands. For example, you may want to disallow the use of the show ip access-list command for all default privilege users.

3) Assign some level 15 commands to a new custom level, e.g. level 7. By doing this, you still make the commands available to level 15, but do not allow any user with the default privilege to use them. After that, you can assign the custom privilege level to a specific user, allowing the use of some privileged commands to this particular user only.
To understand the command authorization process, you should recall that at any time the IOS exec shell works in one of the interpreter modes. The two best-known modes are exec mode and global configuration mode. The interpreter's mode is displayed via the router's prompt, such as router# for exec mode or router(config)# for global configuration mode. In addition to that, the shell contains many other interpreter modes, such as interface configuration, vpdn configuration, ip extended ACL, map-class, and so on. Each mode has its own subset of commands, which are only visible in the particular mode.

In order to understand how IOS performs command authorization, let's look at the generalized command structure:

command sub-command [arguments] [argument-values] [options]

Here command is the first portion of the command string, for example, ip in the ip address command entered under the interface configuration mode. The sub-command field makes the command more specific and might be present in some commands, e.g. ip proxy-arp, compress stac etc. The arguments list covers all mandatory named parameters that might have values assigned. For example, in the ip address command, the address field is an argument and it may take a value such as 1.2.3.4. The options may cover various command attributes that are not mandatory.
From the local command authorization standpoint, you can only match the mandatory fields such as command, sub-command, and arguments. The system will automatically allow any argument values and options if the command that the user enters matches the configured pattern.

The syntax to re-assign a particular command is as follows:

privilege <mode> level <level> <command>

This command tells the router shell to assign the command matching the string <command> to the level specified by the <level> argument. The match occurs against all mandatory parts of the command that a user enters in a particular exec mode. For example, if you assigned the command snmp-server but not the command snmp-server host to privilege level 7, then a user will not be able to configure the SNMP trap destination, since host is a mandatory (non-optional) part of the command. The following features ease the local command authorization configuration:

1) When you enter commands as a shortcut, such as privilege exec level 7 conf t, the shell automatically expands it to the full syntax, e.g. to the string privilege exec level 7 configure terminal in our example.

2) When you assign a compound command to a particular level, e.g. privilege interface level 7 ip address, the shell automatically adds extra lines assigning all initial components of the compound command to the same level, e.g. it adds the privilege interface level 7 ip command.
Verification
Note
Log in to the router as user NOC and authenticate using the password CISCO. The user should be placed at privilege level 7.
Rack1R2 con0 is now available

Press RETURN to get started.

This system requires you to identify yourself.

Please Enter Your ID: NOC
Please Enter Your Password: CISCO

Rack1R2#show privilege
Current privilege level is 7

Rack1R2#?
Exec commands:
  access-enable    Create a temporary Access-List entry
  access-profile   Apply user-profile to interface
  call             Voice call
  clear            Reset functions
  configure        Enter configuration mode

Rack1R2#debug ?
  all           Enable all debugging
  call          Call Information
  call-mgmt     Call Management
  ces-conn      Connection Manager CES Client Info
  conn          Connection Manager information
  dspapi        Generic DSP API
  flow-sampler  Debug flow sampler
  hpi           HPI (54x) DSP messages
5.4 IOS Remote Command Authorization
Only allow the NOC user to modify the IP address of the Loopback0 interface.
Make sure the range of allowed IP addresses is 150.X.0.0/16 for this interface.
Configuration
Note
As mentioned in the previous task, remote command authorization works on a per-command basis, requesting authorization for every command entered by the user. Every time a user presses Enter, the router sends the fully expanded command line to the TACACS+ server in the context of the current user's authorization session. The server compares the string with the policy configuration (actually, a list of regular expressions) for the particular user, and responds whether the command is permitted or denied.

In order to enable per-command authorization at a particular exec privilege level, use the command aaa authorization commands <level> {<list-name>|default} group {tacacs+|<group-name>}. It makes no sense to use the local database for per-command authorization, as local configurations are always in effect. Thus, the only two meaningful options are either tacacs+ or a custom TACACS+ server group. However, you may specify local authorization as the fallback method in addition to the primary TACACS+ authorization.

Command authorization is enabled per level, and by default applies only to the exec mode commands, not the configuration commands. To enable authorization of configuration mode commands, enter the command aaa authorization config-commands. This command instructs the router to send the command strings entered in configuration mode to the AAA server for authorization as well. Notice that this may result in command name collisions, as the router sends both the exec and configuration mode commands in the same format, without any discriminator to distinguish them.

As usual, the console line will not be affected by authorization settings unless you enter the command aaa authorization console. In addition to that, if you are using the default authorization list, you may re-define it per line using the line-level command authorization commands <level> {default|<list-name>} and configuring the method using the command aaa authorization commands <level> <list-name> <method-list>. In this case, the level numbers must match for the new authorization list to take effect.
For the purpose of regular expression matching, all arguments are treated as a single line with arguments separated by spaces. The use of regular expressions allows for very flexible sets of arguments. For example, you may use syntax similar to the following to permit either ip redirects or ip unreachables:

command = ip
permit redirects|unreachables

or

command = ip
permit redirects
permit unreachables

Setting command authorization in the user's profile does not allow for reusing the authorization set among different profiles. If you want to use a shared component, navigate to the Shared Profile Components > Shell Command Authorization Sets section of the ACS configuration menu.
New commands are added in the input field below. After you have added a command, you may specify its arguments in the separate window using the syntax described above. After the set has been created, you may go to the user/group profile and assign the set as illustrated in the screenshot below.
R2:
aaa authorization commands 7 VTY_LIST group tacacs+ local
aaa authorization config-commands
!
line vty 0 4
 authorization commands 7 VTY_LIST
ACS:
Configure command authorization for user NOC. Enable Per User Command Authorization and select Deny for Unmatched IOS commands. For each of the following commands select Deny for Unlisted Arguments. Enter the following authorization commands along with the permitted arguments:

command=configure
arguments:
permit terminal

command=interface
arguments:
permit Loopback 0

command=ip
arguments:
permit address 150\.1\..* 255\.255\..*

Submit your changes after every command, so that the input form for the next command configuration appears.
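To see how the argument regular expressions described earlier and the ACS settings just entered decide each command, here is an added Python example (not the workbook's code, and not how ACS is implemented) that models user NOC's shell policy and evaluates the cmd/cmd-arg attribute pairs the router sends for every command, as they appear in the verification debug. The policy values are the ones entered above for Rack 1; the AV lists are constructed from the page's transcript; and matching the whole argument line (rather than a prefix) is an assumption, since the page does not state ACS's regex anchoring.

```python
"""Evaluate per-command authorization requests against an ACS-style shell policy.

Added example, not the workbook's or ACS's code. The trailing cmd-arg that
IOS sends for the carriage return (shown as <cr> or empty in debug output)
is stripped before the argument line is matched.
"""
import re
from dataclasses import dataclass


@dataclass
class CommandRule:
    arg_rules: list              # ordered (action, regex) pairs, e.g. ("permit", r"terminal")
    unlisted_args: str = "deny"  # ACS "Unlisted Arguments" setting


@dataclass
class ShellPolicy:
    commands: dict               # command name -> CommandRule
    unmatched_commands: str = "deny"  # ACS "Unmatched IOS commands" setting


def command_from_avs(avs):
    """Rebuild 'cmd' and the space-joined argument line from the request's AV pairs."""
    cmd, args = None, []
    for av in avs:
        name, _, value = av.partition("=")
        if name == "cmd":
            cmd = value
        elif name == "cmd-arg":
            args.append(value)
    if cmd is None:
        raise ValueError("request carries no cmd attribute")
    if args and args[-1] in ("", "<cr>"):   # the <cr> terminator is not an argument
        args.pop()
    return cmd, " ".join(args)


def authorize(avs, policy):
    """Return the TACACS+ status the server would send: PASS_ADD or FAIL."""
    cmd, arg_line = command_from_avs(avs)
    rule = policy.commands.get(cmd)
    if rule is None:
        return "FAIL" if policy.unmatched_commands == "deny" else "PASS_ADD"
    for action, pattern in rule.arg_rules:   # first matching rule wins
        if re.fullmatch(pattern, arg_line):  # anchoring is an assumption (see lead-in)
            return "PASS_ADD" if action == "permit" else "FAIL"
    return "FAIL" if rule.unlisted_args == "deny" else "PASS_ADD"


# The policy from the ACS steps above (Rack 1, so X = 1 in 150.X.0.0/16).
NOC_POLICY = ShellPolicy(commands={
    "configure": CommandRule([("permit", r"terminal")]),
    "interface": CommandRule([("permit", r"Loopback 0")]),
    "ip": CommandRule([("permit", r"address 150\.1\..* 255\.255\..*")]),
})

# Constructed AV lists, in the order the verification transcript enters the commands.
REQUESTS = {
    "show privilege": ["service=shell", "cmd=show", "cmd-arg=privilege", "cmd-arg=<cr>"],
    "configure terminal": ["service=shell", "cmd=configure", "cmd-arg=terminal", "cmd-arg=<cr>"],
    "interface Loopback 0": ["service=shell", "cmd=interface", "cmd-arg=Loopback",
                             "cmd-arg=0", "cmd-arg=<cr>"],
    "ip proxy-arp": ["service=shell", "cmd=ip", "cmd-arg=proxy-arp", "cmd-arg=<cr>"],
    "ip address 150.2.2.2 255.255.0.0": ["service=shell", "cmd=ip", "cmd-arg=address",
                                         "cmd-arg=150.2.2.2", "cmd-arg=255.255.0.0", "cmd-arg=<cr>"],
    "ip address 150.1.2.2 255.255.255.0": ["service=shell", "cmd=ip", "cmd-arg=address",
                                           "cmd-arg=150.1.2.2", "cmd-arg=255.255.255.0", "cmd-arg=<cr>"],
    "interface FastEthernet 0/0": ["service=shell", "cmd=interface", "cmd-arg=FastEthernet",
                                   "cmd-arg=0/0", "cmd-arg=<cr>"],
}


def run_verification(policy=NOC_POLICY):
    """Authorize every constructed request; returns {command line: status}."""
    return {line: authorize(avs, policy) for line, avs in REQUESTS.items()}


if __name__ == "__main__":
    for line, status in run_verification().items():
        print(f"{status:8} {line}")
```

The results reproduce the verification transcript: show privilege, ip proxy-arp, the 150.2.2.2 address and FastEthernet0/0 fail, while configure terminal, interface Loopback 0 and the 150.1.2.2 address pass. Because the arguments are matched as one line, the trailing .* in the address regex also admits anything appended after the mask (for example the secondary keyword), which is worth remembering when a pattern is meant to restrict a command to a single form.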
Verification
Note
Enable command authorization debugging on R2 and connect to R2 via telnet. Log in as user NOC with the password CISCO and attempt entering some exec or configuration commands. Notice that you can only configure interface Loopback0 and specify an address within the 150.X.0.0/16 range.
Rack1R2#debug aaa authorization
AAA Authorization debugging is on
Rack1R2#debug tacacs authorization
TACACS+ authorization debugging is on
Rack1R2#debug tacacs packet
TACACS+ packets debugging is on

Rack1R6#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

Username: NOC
Password: CISCO

Rack1R2#show priv
Command authorization failed.

Rack1R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Rack1R2(config)#interface Loopback 0
Rack1R2(config-if)#ip proxy-arp
Command authorization failed.

Rack1R2(config-if)#ip address 150.2.2.2 255.255.0.0
Command authorization failed.

Rack1R2(config-if)#ip address 150.1.2.2 255.255.255.0
Rack1R2(config-if)#interface FastEthernet 0/0
Command authorization failed.
Note
Observe the debugging output for per-command authorization on R2. The first authorization request is made for exec privilege level authorization. The level assigned to the shell is 7.
AAA/AUTHOR (0x7): Pick method list 'VTY'
TPLUS: Queuing AAA Authorization request 7 for processing
TPLUS: processing authorization request id 7
TPLUS: Protocol set to None .....Skipping
TPLUS: Sending AV service=shell
TPLUS: Sending AV cmd*
TPLUS: Authorization request created for 7(NOC)
TPLUS: using previously set server 10.0.0.100 from group tacacs+
TPLUS(00000007)/0/NB_WAIT/83B13590: Started 5 sec timeout
TPLUS(00000007)/0/NB_WAIT: socket event 2
T+: Version 192 (0xC0), type 2, seq 1, encryption 1
T+: session_id 89736254 (0x559443E), dlen 45 (0x2D)
T+: AUTHOR, priv_lvl:1, authen:1 method:tacacs+
T+: svc:1 user_len:3 port_len:5 rem_addr_len:10 arg_cnt:2
T+: user: NOC
T+: port: tty66
T+: rem_addr: 136.1.126.6
T+: arg[0]: size:13 service=shell
T+: arg[1]: size:4 cmd*
T+: End Packet
TPLUS(00000007)/0/NB_WAIT: wrote entire 57 bytes request
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: Would block while reading
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 12 header bytes (expect 17 bytes data)
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 29 bytes response
T+: Version 192 (0xC0), type 2, seq 2, encryption 1
T+: session_id 89736254 (0x559443E), dlen 17 (0x11)
T+: AUTHOR/REPLY status:1 msg_len:0, data_len:0 arg_cnt:1
T+: msg:
T+: data:
T+: arg[0] size:10
T+: priv-lvl=7
T+: End Packet
TPLUS(00000007)/0/83B13590: Processing the reply packet
TPLUS: Processed AV priv-lvl=7
TPLUS: received authorization response for 7: PASS
AAA/AUTHOR/EXEC(00000007): processing AV cmd=
AAA/AUTHOR/EXEC(00000007): processing AV priv-lvl=7
AAA/AUTHOR/EXEC(00000007): Authorization successful
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
Note
This is the authorization request for the command show priv. As you can see, it has been fully expanded and carries three arguments; the last one is the CR character. The server returns a FAIL status to the client.
tty66 AAA/AUTHOR/CMD(2932705943): Port='tty66' list='VTY_LIST' service=CMD
AAA/AUTHOR/CMD: tty66(2932705943) user='NOC'
tty66 AAA/AUTHOR/CMD(2932705943): send AV service=shell
tty66 AAA/AUTHOR/CMD(2932705943): send AV cmd=show
tty66 AAA/AUTHOR/CMD(2932705943): send AV cmd-arg=privilege
tty66 AAA/AUTHOR/CMD(2932705943): send AV cmd-arg=<cr>
tty66 AAA/AUTHOR/CMD(2932705943): found list "VTY_LIST"
tty66 AAA/AUTHOR/CMD(2932705943): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2932705943): user=NOC
AAA/AUTHOR/TAC+: (2932705943): send AV service=shell
AAA/AUTHOR/TAC+: (2932705943): send AV cmd=show
AAA/AUTHOR/TAC+: (2932705943): send AV cmd-arg=privilege
AAA/AUTHOR/TAC+: (2932705943): send AV cmd-arg=<cr>
AAA/AUTHOR (2932705943): Post authorization status = FAIL
AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
tty66 AAA/AUTHOR/CMD(1833110997): Port='tty66' list='VTY_LIST' service=CMD
Note
The next command is conf t, expanded to configure terminal. This command is permitted by the server.
AAA/AUTHOR/CMD: tty66(1833110997) user='NOC'
tty66 AAA/AUTHOR/CMD(1833110997): send AV service=shell
tty66 AAA/AUTHOR/CMD(1833110997): send AV cmd=configure
tty66 AAA/AUTHOR/CMD(1833110997): send AV cmd-arg=terminal
tty66 AAA/AUTHOR/CMD(1833110997): send AV cmd-arg=<cr>
tty66 AAA/AUTHOR/CMD(1833110997): found list "VTY_LIST"
tty66 AAA/AUTHOR/CMD(1833110997): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (1833110997): user=NOC
AAA/AUTHOR/TAC+: (1833110997): send AV service=shell
AAA/AUTHOR/TAC+: (1833110997): send AV cmd=configure
AAA/AUTHOR/TAC+: (1833110997): send AV cmd-arg=terminal
AAA/AUTHOR/TAC+: (1833110997): send AV cmd-arg=<cr>
AAA/AUTHOR (1833110997): Post authorization status = PASS_ADD
AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
tty66 AAA/AUTHOR/CMD(416252970): Port='tty66' list='VTY_LIST' service=CMD
Note
Notice how the command interface Loopback 0 is parsed: the interface number is a separate argument of the command.
AAA/AUTHOR/CMD: tty66(416252970) user='NOC'
tty66 AAA/AUTHOR/CMD(416252970): send AV service=shell
tty66 AAA/AUTHOR/CMD(416252970): send AV cmd=interface
tty66 AAA/AUTHOR/CMD(416252970): send AV cmd-arg=Loopback
tty66 AAA/AUTHOR/CMD(416252970): send AV cmd-arg=0
tty66 AAA/AUTHOR/CMD(416252970): send AV cmd-arg=<cr>
tty66 AAA/AUTHOR/CMD(416252970): found list "VTY_LIST"
tty66 AAA/AUTHOR/CMD(416252970): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (416252970): user=NOC
AAA/AUTHOR/TAC+: (416252970): send AV service=shell
AAA/AUTHOR/TAC+: (416252970): send AV cmd=interface
AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=Loopback
AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=0
AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=<cr>
AAA/AUTHOR (416252970): Post authorization status = PASS_ADD
Note
The rest of the commands entered by the user are parsed and authorized in a similar manner.
AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
tty66 AAA/AUTHOR/CMD(2043835259): Port='tty66' list='VTY_LIST' service=CMD
AAA/AUTHOR/CMD: tty66(2043835259) user='NOC'
tty66 AAA/AUTHOR/CMD(2043835259): send AV service=shell
tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd=ip
tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=address
tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=150.2.2.2
tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=255.255.0.0
tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=<cr>
tty66 AAA/AUTHOR/CMD(2043835259): found list "VTY_LIST"
tty66 AAA/AUTHOR/CMD(2043835259): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (2043835259): user=NOC
AAA/AUTHOR/TAC+: (2043835259): send AV service=shell
AAA/AUTHOR/TAC+: (2043835259): send AV cmd=ip
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=address
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=150.2.2.2
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=255.255.0.0
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=<cr>
AAA/AUTHOR (2043835259): Post authorization status = FAIL
AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
tty66 AAA/AUTHOR/CMD(1956646445): Port='tty66' list='VTY_LIST' service=CMD
AAA/AUTHOR/CMD: tty66(1956646445) user='NOC'
tty66 AAA/AUTHOR/CMD(1956646445): send AV service=shell
tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd=ip
tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=address
tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=150.1.2.2
tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=255.255.255.0
tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=<cr>
tty66 AAA/AUTHOR/CMD(1956646445): found list "VTY_LIST"
tty66 AAA/AUTHOR/CMD(1956646445): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (1956646445): user=NOC
AAA/AUTHOR/TAC+: (1956646445): send AV service=shell
AAA/AUTHOR/TAC+: (1956646445): send AV cmd=ip
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=address
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=150.1.2.2
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=255.255.255.0
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=<cr>
AAA/AUTHOR (1956646445): Post authorization status = PASS_ADD
AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
tty66 AAA/AUTHOR/CMD(795760187): Port='tty66' list='VTY_LIST' service=CMD
AAA/AUTHOR/CMD: tty66(795760187) user='NOC'
tty66 AAA/AUTHOR/CMD(795760187): send AV service=shell
tty66 AAA/AUTHOR/CMD(795760187): send AV cmd=interface
tty66 AAA/AUTHOR/CMD(795760187): send AV cmd-arg=FastEthernet
tty66 AAA/AUTHOR/CMD(795760187): send AV cmd-arg=0/0
tty66 AAA/AUTHOR/CMD(795760187): send AV cmd-arg=<cr>
tty66 AAA/AUTHOR/CMD(795760187): found list "VTY_LIST"
tty66 AAA/AUTHOR/CMD(795760187): Method=tacacs+ (tacacs+)
AAA/AUTHOR/TAC+: (795760187): user=NOC
AAA/AUTHOR/TAC+: (795760187): send AV service=shell
AAA/AUTHOR/TAC+: (795760187): send AV cmd=interface
AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=FastEthernet
AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=0/0
AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=<cr>
AAA/AUTHOR (795760187): Post authorization status = FAIL
AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
5.5 Using RADIUS for Session Control
Modify the previous scenarios to use RADIUS for remote session authentication and exec authorization.
Ensure users ADMIN and NOC are placed at privilege levels 15 and 7 respectively upon logging in.
Configure enable privilege authorization via RADIUS for levels 7 and 15 using the passwords cisco7 and cisco respectively.
Ensure fallback to the local database for all AAA lists and disable console authentication/authorization.
Configuration
Note
Unlike the TACACS+ protocol, RADIUS does not implement separate authentication and authorization phases. When a client sends an authentication request to the AAA server, the server returns a set of RADIUS attributes that are used to authorize the particular service. Many Cisco TACACS+ attributes have been mapped to RADIUS using the vendor-specific attribute known as Cisco AV Pair. You may associate a number of Cisco AV Pairs with the user's profile in the RADIUS database and simulate behavior similar to TACACS+ shell authorization. Cisco AV Pair syntax is usually in the format <protocol>:<attribute>, for example shell:priv-lvl or ip:inacl. For example, if you want exec authorization via RADIUS, you may use the AAA command aaa authorization exec default radius and associate the AV-pair shell:priv-lvl=15 with the respective user profile. For the purpose of exec shell authorization, you may also set the IETF RADIUS attribute Service-Type to the value Administrative. This will automatically authorize the respective user to log in with privilege level 15.

As for enable privilege authentication, the router will use the names $enab<level>$ to authenticate the enable password with the RADIUS server. For example, create the user $enab15$ to authenticate the maximum enable privilege level. RADIUS does not support per-user enable passwords as TACACS+ does, nor does it support per-command authorization. Additionally, the RADIUS server does not supply its own AAA banner messages, so the ones configured locally take effect even with remote authentication.

Similar to the TACACS+ protocol settings, you may configure named AAA lists and define groups of RADIUS servers using the command aaa-server group. The default RADIUS server group is the one configured using the commands radius-server and ip radius source-interface in global configuration mode.
Lastly, when configuring RADIUS settings in the ACS server, keep in mind that RADIUS attributes are not available in user profiles by default, only in group profiles. To enable the attributes in user profiles, navigate to Interface Configuration and select the respective protocol, e.g. RADIUS (Cisco IOS/PIX 6.X). On the page that appears, click the check-boxes next to the needed RADIUS attributes under the User column.

Now the scenario's final configuration.
R2:
aaa authentication login CONSOLE none
no aaa authorization console
!
! Make sure to provide fallback to the local database
!
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!
! Configure local enable secrets
!
enable secret level 7 cisco7
enable secret level 15 cisco
!
radius-server host 10.0.0.100 key CISCO
ip radius source-interface Loopback0
!
line con 0
 login authentication CONSOLE
 privilege level 15
!
! Remove old lists off the VTY lines
!
line vty 0 4
 no authorization commands 7 VTY_LIST
 no authorization exec VTY
 no login authentication VTY
ACS:
Step 1:
Add R2 as a RADIUS client to the ACS server. Click Network Configuration, then Add Entry, and fill in the settings according to the screenshot below.

Step 2:

Add new users named $enab7$ and $enab15$ with the passwords cisco7 and cisco respectively.
Step 3:
Modify the accounts for users NOC and ADMIN. For the user NOC make sure the RADIUS attribute Cisco-AV-Pair is set as in the screenshot below:
For the user ADMIN, modify the IETF RADIUS attribute Service-Type per the screenshot below:
Note
This part of the output corresponds to enable 7 authentication.
AAA/AUTHEN/START (2810935764): using "default" list
AAA/AUTHEN/START (2810935764): Method=radius (radius)
AAA/AUTHEN(2810935764): Status=GETPASS
AAA/AUTHEN/CONT (2810935764): continue_login (user='NOC')
AAA/AUTHEN(2810935764): Status=GETPASS
AAA/AUTHEN(2810935764): Method=radius (radius)
RADIUS: Authenticating using $enab7$
RADIUS: Pick NAS IP for u=0x846F5FAC tableid=0 cfg_addr=150.1.2.2
RADIUS: ustruct sharecount=1
Radius: radius_port_info() success=1 radius_nas_port=1
RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/13, len 83
RADIUS:  authenticator 0F D9 9F 6F 6B E1 12 0B - 6E B1 05 EC E0 85 3C DE
RADIUS:  NAS-IP-Address      [4]   6   150.1.2.2
RADIUS:  NAS-Port            [5]   6   66
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  User-Name           [1]   9   "$enab7$"
RADIUS:  Calling-Station-Id  [31]  12  "136.1.126.6"
RADIUS:  User-Password       [2]   18  *
RADIUS:  Service-Type        [6]   6   Administrative            [6]
RADIUS: Received from id 1645/13 10.0.0.100:1645, Access-Accept, len 52
RADIUS:  authenticator B1 2E EB ED B5 F7 A6 99 - 83 6C F7 60 16 A0 3B 15
RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
RADIUS:  Class               [25]  26
RADIUS:   43 41 43 53 3A 30 2F 31 38 65 34 32 2F 39 36 30  [CACS:0/18e42/960]
RADIUS:   31 30 32 30 32 2F 36 36                          [10202/66]
RADIUS: saved authorization data for user 846F5FAC at 83850B70
AAA/AUTHEN(2810935764): Status=PASS
AAA/MEMORY: free_user (0x846F5FAC) user='NOC' ruser='NULL' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=ENABLE priv=7 vrf=(id=0)
5.6 ASA Cut-Through Proxy
Configure ASA1 for cut-through authentication with the following:
o Require authentication before allowing HTTP destined for R6 Loopback 0 through ASA1.
o Initially authenticate against the address 136.1.126.6 using HTTP.
o After authentication, allow HTTP access to R6 Loopback 0 via an access-list.
o Use the ACS server for authentication.
o Traffic for authentication between the user and ASA1 should not be sent in plaintext.
o Configure the AAA server with a username of HTTPUSER and a password of CISCO.
Before authentication, the output of the packet-tracer command should show that the traffic is dropped, as shown below:
ASA1(config)# packet-tracer input inside tcp 10.0.0.100 1234 150.1.6.6 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   150.1.6.0       255.255.255.0   outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny tcp any host 150.1.6.6 eq www
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA1(config)#
Configuration
Note
When doing cut-through proxy, there are different ways we can match traffic. We can use the include statement, which is legacy, or we can use the match statement along with an access-list. Either way works; however, we can't use both methods at the same time on the same firewall.
In our example below, our access-list is going to match the interesting traffic, which will cause the firewall to check authentication against the AAA server and then, in turn, download an access-list from the AAA server. Because the access-list on the interface is in conflict with the access-list that will be downloaded from the AAA server, we want to include the per-user-override option at the end of our access-group statement. With per-user-override the downloaded ACL replaces, rather than adds to, the interface ACL for that user's traffic, so the entries ACS pushes define exactly what the authenticated user can reach. We can also use the test aaa-server command on the firewall to verify that communication is good between the firewall and the AAA server.
ASA1:
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.0.0.100
 key cisco
!
! Access list used for matching traffic to be authenticated.
!
access-list CUT-THROUGH-AUTH permit tcp any host 136.1.126.6 eq http
!
! AAA statement identifying that traffic matching the ACL "CUT-THROUGH-
! AUTH" will be authenticated using the RADIUS server group
!
aaa authentication match CUT-THROUGH-AUTH inside RADIUS
!
! To enable SSL and secure username and password exchange between HTTP
! clients and the ASA.
!
aaa authentication secure-http-client
!
! Apply access group to inside interface with per-user-override keyword
! to allow ACL's to be downloaded from ACS server
!
access-group inside in interface inside per-user-override
ACS:
Step 1
Add ASA1 as a RADIUS client. Go to Network Configuration and click the Add Entry button.
Note
Even though not called for in the task, we may want to consider adding one additional entry to the downloadable access-list. Here is why. If we do not include the protocol that we use to authenticate with in the downloadable access-list, the user may get an error message that is benign. You will still see the authentication with the show uauth command on the firewall, and you will still see the downloadable access-list; the only negative is that there's a pesky error message that the user may see.
Step 2:
On the AAA server, configure a downloadable ACL with an entry to allow HTTP access to R6 Loopback 0.
Go to Shared Profile Components > Downloadable IP ACLs, and click the Add button. By including the entry for the authentication protocol as well, we avoid the error message being seen by the user.
Notice that you must click Submit, and then Submit again on the following screen, if you want the access-list to be saved.
Verification
Note
Test authentication from the ACS PC, using a browser, by connecting to the FastEthernet interface of R6. After authentication, verify that the output of packet-tracer shows access to Loopback 0 on R6 via TCP port 80. By using the per-user-override option of the access-group on the interface, ACL entries that are pushed from the ACS server will allow traffic that is not permitted in the inside ACL.
ASA1(config)# packet-tracer input inside tcp 10.0.0.100 1234 150.1.6.6 80

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   150.1.6.0       255.255.255.0   outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 4
Type: ACCESS-LIST
Subtype: aaa-user
Result: ALLOW
Config:
Additional Information:
ASA1(config)# show uauth
                        Current    Most Seen
Authenticated Users       1          1
Authen In Progress        0          1
user 'httpuser' at 10.0.0.100, authenticated
   access-list #ACSACL#-IP-ASA1DL-4afcd634 (*)
   absolute   timeout: 0:01:00
   inactivity timeout: 0:00:00
ASA1(config)# show access-list #ACSACL#-IP-ASA1DL-4afcd634
access-list #ACSACL#-IP-ASA1DL-4afcd634; 2 elements (dynamic)
access-list #ACSACL#-IP-ASA1DL-4afcd634 line 1 extended permit tcp any host 150.1.6.6 eq www (hitcnt=1) 0x07bfe5d6
ASA1(config)#
Note
You can also look at the output of debug radius and see the ACL downloaded from the AAA server.
radius mkreq: 0xe
alloc_rip 0xd590de68
    new request 0xe --> 24 (0xd590de68)
got user 'httpuser'
got password
add_req 0xd590de68 session 0xe id 24
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)

--------------------------------------
Raw packet data (length = 122).....
01 18 00 7a 1a 4b 28 41 e6 27 d4 7d 72 c3 40 79    |  ...z.K(A.'.}r.@y
be 1f 6c 35 01 0a 68 74 74 70 75 73 65 72 02 12    |  ..l5..httpuser..
ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d    |  ........v.%2{{W-
04 06 0a 00 00 0c 05 06 00 00 00 0d 3d 06 00 00    |  ............=...
00 05 1a 1f 00 00 00 09 01 19 69 70 3a 73 6f 75    |  ..........ip:sou
72 63 65 2d 69 70 3d 31 30 2e 30 2e 30 2e 31 30    |  rce-ip=10.0.0.10
30 1f 19 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d    |  0..ip:source-ip=
31 30 2e 30 2e 30 2e 31 30 30                      |  10.0.0.100

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 24 (0x18)
Radius: Length = 122 (0x007A)
Radius: Vector: 1A4B2841E627D47D72C34079BE1F6C35
Radius: Type = 1 (0x01) User-Name
Radius: Length = 10 (0x0A)
Radius: Value (String) =
68 74 74 70 75 73 65 72                            |  httpuser
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d    |  ........v.%2{{W-
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.0.0.12 (0x0A00000C)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
%ASA-2-109011: Authen Session Start: user 'httpuser', sid 23
Radius: Value (Hex) = 0xD
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 31 (0x1F)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 25 (0x19)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
30 2e 30 2e 31 30 30                               |  0.0.100
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 25 (0x19)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
30 2e 30 2e 31 30 30                               |  0.0.100
send pkt 10.0.0.100/1645
rip 0xd590de68 state 7 id 24
rad_vrfy() : response message verified
rip 0xd5912788 :
 chall_state ''
 state 0x7
 timer 0x0
 reqauth:
    1a 4b 28 41 e6 27 d4 7d 72 c3 40 79 be 1f 6c 35
 info 0xe
    session_id 0xe
    request_id 0x18
    user 'httpuser'
    response '***'
    app 443
    reason 0
    skey 'cisco'
    sip 10.0.0.100
    type 1
RADIUS packet decode (response)

--------------------------------------
Raw packet data (length = 114).....
02 18 00 72 4f 0e 73 98 2d 78 ba 19 a9 16 69 ef    |  ...rO.s.-x....i.
31 c7 ff f2 1a 3f 00 00 00 09 01 39 41 43 53 3a    |  1....?.....9ACS:
43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66 69    |  CiscoSecure-Defi
6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c 23    |  ned-ACL=#ACSACL#
2d 49 50 2d 41 53 41 31 44 4c 2d 34 61 66 63 64    |  -IP-ASA1DL-4afcd
36 33 34 08 06 ff ff ff ff 19 19 43 41 43 53 3a    |  634........CACS:
30 2f 31 37 35 37 62 2f 61 30 30 30 30 30 63 2f    |  0/1757b/a00000c/
31 33                                              |  13

Parsed packet data.....
Radius: Code = 2 (0x02)
Radius: Identifier = 24 (0x18)
Radius: Length = 114 (0x0072)
Radius: Vector: 4F0E73982D78BA19A91669EF31C7FFF2
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 63 (0x3F)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 57 (0x39)
Radius: Value (String) =
41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d    |  ACS:CiscoSecure-
44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53    |  Defined-ACL=#ACS
41 43 4c 23 2d 49 50 2d 41 53 41 31 44 4c 2d 34    |  ACL#-IP-ASA1DL-4
61 66 63 64 36 33 34                               |  afcd634
Radius: Type = 8 (0x08) Framed-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 255.255.255.255 (0xFFFFFFFF)
Radius: Type = 25 (0x19) Class
Radius: Length = 25 (0x19)
Radius: Value (String) =
43 41 43 53 3a 30 2f 31 37 35 37 62 2f 61 30 30    |  CACS:0/1757b/a00
30 30 30 63 2f 31 33                               |  000c/13
rad_procpkt: ACCEPT
RADIUS_REQUEST
radius.c: rad_mkpkt

RADIUS packet decode (authentication request)
--------------------------------------
Raw packet data (length = 212).....
01 19 00 d4 1a 4b 28 41 e6 27 d4 7d 72 c3 40 79    |  .....K(A.'.}r.@y
be 1f 6c 35 01 1d 23 41 43 53 41 43 4c 23 2d 49    |  ..l5..#ACSACL#-I
50 2d 41 53 41 31 44 4c 2d 34 61 66 63 64 36 33    |  P-ASA1DL-4afcd63
34 02 12 ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b    |  4..........v.%2{
7b 57 2d 04 06 0a 00 00 0c 05 06 00 00 00 0e 3d    |  {W-............=
06 00 00 00 05 1a 17 00 00 00 09 01 11 61 61 61    |  .............aaa
3a 73 65 72 76 69 63 65 3d 76 70 6e 1a 1e 00 00    |  :service=vpn....
00 09 01 18 61 61 61 3a 65 76 65 6e 74 3d 61 63    |  ....aaa:event=ac
6c 2d 64 6f 77 6e 6c 6f 61 64 50 12 48 e3 85 df    |  l-downloadP.H...
60 38 a4 ac 55 bc 35 68 29 5d 85 d8 1a 1f 00 00    |  `8..U.5h)]......
00 09 01 19 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  ....ip:source-ip
3d 31 30 2e 30 2e 30 2e 31 30 30 1f 19 69 70 3a    |  =10.0.0.100..ip:
73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 30 2e 30    |  source-ip=10.0.0
2e 31 30 30                                        |  .100

Parsed packet data.....
Radius: Code = 1 (0x01)
Radius: Identifier = 25 (0x19)
Radius: Length = 212 (0x00D4)
Radius: Vector: 1A4B2841E627D47D72C34079BE1F6C35
Radius: Type = 1 (0x01) User-Name
Radius: Length = 29 (0x1D)
Radius: Value (String) =
23 41 43 53 41 43 4c 23 2d 49 50 2d 41 53 41 31    |  #ACSACL#-IP-ASA1
44 4c 2d 34 61 66 63 64 36 33 34                   |  DL-4afcd634
Radius: Type = 2 (0x02) User-Password
Radius: Length = 18 (0x12)
Radius: Value (String) =
ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d    |  ........v.%2{{W-
Radius: Type = 4 (0x04) NAS-IP-Address
Radius: Length = 6 (0x06)
Radius: Value (IP Address) = 10.0.0.12 (0x0A00000C)
Radius: Type = 5 (0x05) NAS-Port
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0xE
Radius: Type = 61 (0x3D) NAS-Port-Type
Radius: Length = 6 (0x06)
Radius: Value (Hex) = 0x5
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 23 (0x17)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 17 (0x11)
Radius: Value (String) =
61 61 61 3a 73 65 72 76 69 63 65 3d 76 70 6e       |  aaa:service=vpn
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 30 (0x1E)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 24 (0x18)
Radius: Value (String) =
61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f    |  aaa:event=acl-do
77 6e 6c 6f 61 64                                  |  wnload
Radius: Type = 80 (0x50) Message-Authenticator
Radius: Length = 18 (0x12)
Radius: Value (String) =
48 e3 85 df 60 38 a4 ac 55 bc 35 68 29 5d 85 d8    |  H...`8..U.5h)]..
Radius: Type = 26 (0x1A) Vendor-Specific
Radius: Length = 31 (0x1F)
Radius: Vendor ID = 9 (0x00000009)
Radius: Type = 1 (0x01) Cisco-AV-pair
Radius: Length = 25 (0x19)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
30 2e 30 2e 31 30 30                               |  0.0.100
Radius: Type = 31 (0x1F) Calling-Station-Id
Radius: Length = 25 (0x19)
Radius: Value (String) =
69 70 3a 73 6f 75 72 63
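The first two packets of the debug radius exchange above, decoded by hand. This is an added example written for this page, not workbook or Cisco code: the hex bytes are the ones printed under "Raw packet data" for the Access-Request (length 122) and the Access-Accept (length 114), and the secret b"cisco" is the skey the same debug prints; the function names, the constructed passwords and the throw-away secrets used for the round-trip checks are this example's own. It walks the attribute TLVs, pulls the Cisco-AV-pair that names the downloadable ACL, reverses the RFC 2865 User-Password hiding, and verifies the Response Authenticator. The password step is the practitioner's caveat to this whole section: secure-http-client protects the user-to-ASA leg, but the ASA-to-ACS leg is protected only by the shared secret, and anyone who has that secret and a capture recovers the user's cleartext password.

```python
# Decoder for the two `debug radius` packets shown above.  Added example, not from the
# workbook or any Cisco tool: the hex is copied from this page and the secret is the
# `skey` printed in the same debug; every function name here is this example's own.
import hashlib
import hmac
import struct

SHARED_SECRET = b"cisco"

# "Raw packet data (length = 122)": the ASA's Access-Request for user httpuser.
ACCESS_REQUEST = bytes.fromhex(
    "01 18 00 7a 1a 4b 28 41 e6 27 d4 7d 72 c3 40 79 be 1f 6c 35 01 0a 68 74 74 70 75 73 65 72 02 12"
    "ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d 04 06 0a 00 00 0c 05 06 00 00 00 0d 3d 06 00 00"
    "00 05 1a 1f 00 00 00 09 01 19 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 30 2e 30 2e 31 30"
    "30 1f 19 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 30 2e 30 2e 31 30 30")
# "Raw packet data (length = 114)": the Access-Accept that names the downloadable ACL.
ACCESS_ACCEPT = bytes.fromhex(
    "02 18 00 72 4f 0e 73 98 2d 78 ba 19 a9 16 69 ef 31 c7 ff f2 1a 3f 00 00 00 09 01 39 41 43 53 3a"
    "43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c 23"
    "2d 49 50 2d 41 53 41 31 44 4c 2d 34 61 66 63 64 36 33 34 08 06 ff ff ff ff 19 19 43 41 43 53 3a"
    "30 2f 31 37 35 37 62 2f 61 30 30 30 30 30 63 2f 31 33")

def parse_attributes(body):
    """TLV walk; Vendor-Specific (26) becomes (vendor_id, vendor_type, value).  Cisco
    sends one sub-attribute per VSA, so the inner length must fill the VSA exactly."""
    attrs, pos = [], 0
    while pos < len(body):
        atype, alen = body[pos], (body[pos + 1] if pos + 1 < len(body) else 0)
        if alen < 2 or pos + alen > len(body):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        value = body[pos + 2:pos + alen]
        if atype == 26:
            if len(value) < 6 or value[5] != len(value) - 4:
                raise ValueError("malformed Vendor-Specific at offset %d" % pos)
            attrs.append((26, (struct.unpack("!I", value[:4])[0], value[4], value[6:])))
        else:
            attrs.append((atype, value))
        pos += alen
    return attrs

def parse_packet(pkt):
    """Header = Code, Id, Length, 16-byte Authenticator; Length must match what arrived."""
    if len(pkt) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("Length field %d != %d bytes received" % (length, len(pkt)))
    return {"code": code, "id": ident, "authenticator": pkt[4:20],
            "attrs": parse_attributes(pkt[20:])}

def get_attr(parsed, atype):
    return next((v for t, v in parsed["attrs"] if t == atype), None)

def cisco_av_pairs(parsed):
    """Cisco-AV-pair strings: Vendor-Specific with vendor 9, vendor type 1."""
    return [v[2].decode("ascii", "replace") for t, v in parsed["attrs"]
            if t == 26 and v[0] == 9 and v[1] == 1]

def downloadable_acl_name(parsed):
    """ACS names the dACL as 'ACS:CiscoSecure-Defined-ACL=<name>'; the ASA then fetches
    its entries with a second Access-Request whose User-Name is that <name>."""
    prefix = "ACS:CiscoSecure-Defined-ACL="
    return next((p[len(prefix):] for p in cisco_av_pairs(parsed) if p.startswith(prefix)), None)

def _password_xor(data, secret, request_auth, data_is_ciphertext):
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous ciphertext block), the
    first block with MD5(secret + Request Authenticator).  Same keystream both ways."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (data[i:i + 16] if data_is_ciphertext else block)
    return out

def hide_password(password, secret, request_auth):
    """NUL-pad to 16-byte blocks (at least one) and encrypt as the NAS does."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _password_xor(padded, secret, request_auth, False)

def unhide_password(hidden, secret, request_auth):
    """Decrypt: the shared secret plus a capture recovers the user's cleartext password."""
    return _password_xor(hidden, secret, request_auth, True).rstrip(b"\x00")

def response_is_authentic(response, request_auth, secret):
    """Response Authenticator = MD5(Code+Id+Length+RequestAuth+Attributes+Secret).  A reply
    that fails this check did not come from a holder of the secret and must be dropped."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])

def build_response(code, ident, attrs, request_auth, secret):
    """Assemble a reply and stamp it the way the server does (used to exercise the check)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

if __name__ == "__main__":
    req = parse_packet(ACCESS_REQUEST)
    print(get_attr(req, 1), cisco_av_pairs(req), downloadable_acl_name(parse_packet(ACCESS_ACCEPT)))
    print(unhide_password(get_attr(req, 2), SHARED_SECRET, req["authenticator"]),
          response_is_authentic(ACCESS_ACCEPT, req["authenticator"], SHARED_SECRET))
```

Run directly, it prints the decoded User-Name and Cisco-AV-pair of the request, the ACL name carried in the accept, the password recovered with the secret from the debug, and whether the accept's Response Authenticator verifies under that secret. The two length checks are deliberate: a packet whose Length field disagrees with the datagram, or a Cisco VSA whose inner length does not fill the outer one, is rejected rather than parsed past its bounds.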