iewb sc vol i v5.section.5.idwedentity.management.012

Upload: jay-mishra

Post on 02-Jun-2018


8/11/2019 IEWB SC VOL I V5.Section.5.Idwedentity.management.012 (1/113)

Accessed by [email protected] from 115.240.81.217 at 20:27:05 Nov 23,2009

CCIE Security Lab Workbook Volume I Version 5.0 Identity Management

Copyright 2009 Internetwork Expert www.INE.com (page i)

    Copyright Information

    Copyright 2009 Internetwork Expert, Inc. All rights reserved.

The following publication, CCIE Security Lab Workbook Volume I Version 5.0, was developed by Internetwork Expert, Inc. All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior written permission of Internetwork Expert, Inc.

Cisco, Cisco Systems, CCIE, and Cisco Certified Internetwork Expert, are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain countries.

All other products and company names are the trademarks, registered trademarks, and service marks of the respective owners. Throughout this manual, Internetwork Expert, Inc. has used its best efforts to distinguish proprietary trademarks from descriptive names by following the capitalization styles used by the manufacturer.


    Disclaimer

The following publication, CCIE Security Lab Workbook Volume I Version 5.0, is designed to assist candidates in the preparation for the Cisco Systems CCIE Security Lab Exam. While every effort has been made to ensure that all material is as complete and accurate as possible, the enclosed material is presented on an as-is basis. Neither the authors nor Internetwork Expert, Inc. assume any liability or responsibility to any person or entity with respect to loss or damages incurred from the information contained in this workbook.

This workbook was developed by Internetwork Expert, Inc. and is an original work of the aforementioned authors. Any similarities between material presented in this workbook and actual CCIE lab material is completely coincidental.


    Table of Contents

Identity Management ........................................................ 1
5.1 Remote Session Authentication using TACACS+ ............................ 1
5.2 Exec Authorization using TACACS+ ....................................... 2
5.3 IOS Local Command Authorization ........................................ 2
5.4 IOS Remote Command Authorization ....................................... 2
5.5 Using RADIUS for Session Control ....................................... 2
5.6 ASA Cut-Through Proxy .................................................. 3
5.7 ASA Network Authorization .............................................. 4
5.8 LDAP Attribute Maps .................................................... 5
5.9 802.1x Authentication and Authorization ................................ 5
5.10 NAC Policy Configuration .............................................. 6
5.11 L3 NAC with ASA and Cisco VPN Client .................................. 7
Identity Management Solutions .............................................. 8
5.1 Remote Session Authentication using TACACS+ ............................ 8
5.2 Exec Authorization using TACACS+ ...................................... 19
5.3 IOS Local Command Authorization ....................................... 26
5.4 IOS Remote Command Authorization ...................................... 33
5.5 Using RADIUS for Session Control ...................................... 44
5.6 ASA Cut-Through Proxy ................................................. 54
5.7 ASA Network Authorization ............................................. 70
5.8 LDAP Attribute Maps ................................................... 74
5.9 802.1x Authentication and Authorization ............................... 77
5.10 NAC Policy Configuration ............................................. 86
5.11 L3 NAC with ASA and Cisco VPN Client ................................ 100


    Identity Management

    Note

Reset all the devices, and load the initial Identity Management configuration files.

[Diagram: devices R2 (Fa0/0, Lo0: 150.X.2.2/24), R3, R6 (Fa0/0, Lo0: 150.X.6.6/24), ASA1 (E0/0 outside, E0/1 inside), SW2 (VL122) and the AAA/CA Server (.100). Networks: 10.0.0.0/24 VLAN 122 and 136.X.126.0/24 VLAN 126.]

    5.1 Remote Session Authentication using TACACS+

Configure R2 to use the ACS server via TACACS+ with a password of CISCO.

o R2 should source TACACS+ packets from Loopback0.

Configure R2 so that access to the console line is authenticated using the local database.

Ensure the users logging into R2 remotely are authenticated using the TACACS+ server. Create an ACS user account named ADMIN with a password of cisco.

o In case the server fails, the users should be authenticated against the local database.

Enable mode authentication should first attempt TACACS+ and then fall back to the local password.

Create a user named ADMIN with a password of CISCO in the local database for these configurations.

Customize the prompts for AAA user authentication and change the default banner message.


    5.2 Exec Authorization using TACACS+

User ADMIN should be automatically placed at privilege level 15 upon remote login to the router.

Create another user NOC with the password of CISCO that should be placed at privilege level 7 upon login.

Users logging in locally via console should be subject to the same authorization policy, but the values should be taken locally.

If the remote authorization fails, the local database should be used for incoming connections.

    5.3 IOS Local Command Authorization

Ensure that the user NOC can use RIP debugging commands and can disable any currently active debugging using a single command.

The same user should be able to configure any interface IP settings and administratively enable or disable any of these interfaces.

Ensure the user can see their permitted commands in their running configuration.

    5.4 IOS Remote Command Authorization

Only allow the NOC user to modify the IP address of the Loopback0 interface.

Make sure the range of allowed IP addresses is 150.X.0.0/16 for this interface.

    5.5 Using RADIUS for Session Control

Modify the previous scenarios to use RADIUS for remote session authentication and exec authorization.

Ensure users ADMIN and NOC are placed at privilege levels 15 and 7 respectively upon logging in.

Configure enable privilege authorization via RADIUS for levels 7 and 15 using the passwords cisco7 and cisco respectively.

Ensure fallback to the local database for all AAA lists and disable console authentication/authorization.


    5.6 ASA Cut-Through Proxy

Configure ASA1 for cut-through authentication with the following:

o Require authentication before allowing HTTP destined for R6 Loopback 0 through ASA1.

o Initially authenticate against the address 136.1.126.6 using HTTP.

o After authentication, allow HTTP access to R6 Loopback 0 via an access-list.

o Use the ACS server for authentication.

o Traffic for authentication between the user and ASA1 should not be sent in plaintext.

o Configure the AAA server with a username of HTTPUSER and a password of CISCO.

Before authentication, the output of the packet-tracer command should show that the traffic is dropped, as shown below:

ASA1(config)# packet-tracer input inside tcp 10.0.0.100 1234 150.1.6.6 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 150.1.6.0 255.255.255.0 outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group inside in interface inside
access-list inside extended deny tcp any host 150.1.6.6 eq www
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA1(config)#

    Note

Reset ASA1, and reload the startup configuration file on ASA1 only. Other devices require configurations from prior tasks.

    5.7 ASA Network Authorization

Configure ASA1 for cut-through authentication for telnet traffic passing through the firewall from inside to outside.

Configure the AAA server with a user named TELNETUSER and a password of cisco. Use TACACS for authentication.

Do not configure any access lists to accomplish any part of this task.

ASA1 should send accounting information for these sessions to the AAA server.


    5.8 LDAP Attribute Maps

Configure ASA1 to work with a future LDAP server running on the ACS Server with the following:

o When searching the directory, begin at CN=Users,DC=INE,DC=com and include all subtrees.

o Auto-detect the LDAP server type and use SASL with MD5 for security.

o The ASA should authenticate using CN=Admin,CN=Users,DC=INE,DC=com with a password of cisco?123!

o The server address will be 10.0.0.50. Refer to this server as LDAP-1.

o Associate the LDAP attribute of accessType with the Cisco attribute of IETF-Radius-Class.

    5.9 802.1x Authentication and Authorization

    Configure 802.1x on SW2, port Fa0/6 using the following:

    o SW2 should source the AAA session from Loopback 0

    o Clients who fail authentication should be assigned to VLAN 10

    o Clients without a supplicant are assigned to VLAN 20

o Create a user on ACS named dot1x-user as part of this task. Assign the dot1x-user to VLAN 30 if authenticated.


    Note

Clear all device configurations and load the Remote Access VPN Initial Configuration files. Use the following diagram as your reference when working with the scenarios below.

[Diagram: devices R1, R2, R3, ASA 1 (Inside/Outside), Test PC and the AAA/CA Server (.200). Interfaces shown: S0/1, S1/3, Fa0/0, Fa0/1, Fa0/0.121, Fa0/0.11; Lo0: 150.X.1.1/24; RIPv2. Networks: 136.X.23.0/24, 136.X.121.0/24 VLAN121, 136.X.123.0/24 VLAN123, 136.X.100.0/24 VLAN100, 136.X.11.0/24 VLAN11, 10.0.0.0/24 VLAN200.]

5.10 NAC Policy Configuration

Configure a Network Admission Policy in the ACS per the following requirements:

Generate a NAP named NAC_L3_IP based on the stock NAC L3 IP template.

Assign Healthy posture to the host if the client OS type is Windows.

Only allow the hosts in Quarantine posture state to perform the following:

o Ping any host

o Connect via HTTP to the host 10.0.0.100.

Redirect the hosts in Quarantine state to http://10.0.0.100.


    5.11 L3 NAC with ASA and Cisco VPN Client

Configure the ASA firewall to accept remote VPN connections from Cisco Easy VPN Clients using group ID EZVPN.

Use address pool 20.0.0.0/24 to allocate IP addresses for remote clients.

Allow for split tunneling to network 136.X.121.0/24.

Remote users should be authenticated using the name CISCO along with the password CISCO1234.

Configure the ASA firewall to perform Network Admission Control for the Cisco VPN Clients.

o Use the RADIUS server at 10.0.0.100 with the key of CISCO.

o Enforce NAC for the VPN tunnel group.

Configure the Test PC for NAC with the ACS server.


When using a remote AAA server for user authentication, you need a user account created in the AAA server and the authenticating router added to the list of known AAA clients. The router should be configured with the TACACS+ server IP address using the tacacs-server host command. The servers defined via this command are referred to as the default server group, selected when using the option group tacacs+ in AAA list configuration. When communicating with the AAA server the router will source the packets out of the interface used to route packets to the server. It is usually recommended to use a virtual interface, such as a Loopback, by using the command ip tacacs source-interface or ip radius source-interface. This command applies to the default TACACS+ group or any group not explicitly configured within the system.

For the enable authentication with the TACACS+ server, there are two options.

First, if you want to give enable privilege to a user that has logged in but not authenticated (no identity, no username) you need to create a special user named $enable$ in the AAA server. The router uses this username when requesting the enable privilege authentication from the AAA server for the user with no name. For every level you could create a special user $enab$, e.g. $enab7$ for level seven. If the user has logged in with a username and password, the router will use the same username for enable mode authentication but using the service enable. You need to configure the respective user setting under the Advanced TACACS+ Settings section of the profile. This includes the Max. Privilege Level for Any AAA Client and TACACS+ Enable Password. These two values define the maximum privilege level allowed for this user and the password required for authentication. You cannot set a custom enable level associated with the named user, and it will always be the maximum level configured. If you want per-user privilege-level flexibility, edit the exec service attributes for the particular user.

If you want custom groups of TACACS+ servers available in the system, you may create those by using the command aaa group server tacacs+ followed by the group name. Every group could have its own source interface for TACACS+ communication and a custom list of servers defined. The group name could be later referenced in an AAA list configuration using the option group followed by the group name, e.g. group CUSTOM in an aaa authentication login list.


R2:

!
! Define enable password and a local user
!
enable secret cisco
username ADMIN password CISCO
!
! Init AAA and configure AAA lists for Console/VTY logins
! Configure the use of TACACS+ for enable authentication and
! provide a fallback to local enable password
!
aaa new-model
aaa authentication login CONSOLE local
aaa authentication login VTY group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Customize prompts
!
! Tacacs authentication does not submit the username-prompt config,
! Radius does. So to present a unique username prompt, we need a
! login banner.
banner login @ Please Enter Your ID:
@
aaa authentication password-prompt "Please Enter Your Password: "
aaa authentication username-prompt "Please Enter Your ID: "
!
! Add a new authentication banner
!
aaa authentication banner #
This system requires you to identify yourself.
#
! Configure fail-message
aaa authentication fail-message #
Authentication Failed, Sorry.
#
!
! TACACS+ source interface
!
ip tacacs source-interface loopback 0
!
tacacs-server host 10.0.0.100
tacacs-server key CISCO
!
line con 0
 login authentication CONSOLE
!
! Apply the AAA list to the line
!
line vty 0 4
 login authentication VTY
 password cisco

    ACS:

    Step 1:

Add R2 as an AAA client to the ACS. Click Network Configuration then Add Entry and enter the information for R2 as follows:

Click Submit + Apply when you're done.


    Step 2:

Add a new user named ADMIN with the password of CISCO in the ACS. Click the User Setup button and then enter the name ADMIN and click the Add/Edit button. Change the Password value to CISCO for this user.

Next, configure enable privilege settings for this user, per the screenshot below. Set the enable password to CISCO (custom enable password specifically for this user).

Click the Submit button when you're done.


    Verification

    Note

When you have the TACACS+ server configured, issue the following commands to make sure the router may authenticate the users with the AAA server. Also verify that logging is enabled so you can see the results!

Rack1R2#test aaa group tacacs+ ADMIN CISCO legacy
Attempting authentication test to server-group tacacs+ using tacacs+
User was successfully authenticated.

Note

Now you can try connecting to R2 using telnet and try enable authentication. Prior to this, configure some debugging in R2 to observe the process in detail.

Rack1R2#debug aaa authentication
AAA Authentication debugging is on

Rack1R2#debug tacacs packet
TACACS+ packets debugging is on

Rack1R2#debug aaa authorization
AAA Authorization debugging is on

Rack1R6#telnet 150.1.2.2
Trying 150.1.2.2 ... Open

Please Enter Your ID:

Username: ADMIN
Password: CISCO

Rack1R2>enable
Password: CISCO
Rack1R2#

Note

Observe the debugging output for this process. Initially, R2 sends the START message to the server (service = login) and the server responds with REPLY and a prompt Username.


AAA/AUTHEN/LOGIN (00000008): Pick method list 'VTY'
TPLUS: Queuing AAA Authentication request 8 for processing
TPLUS: processing authentication start request id 8
TPLUS: Authentication start packet created for 8()
TPLUS: Using server 10.0.0.100
TPLUS(00000008)/0/NB_WAIT/83A941C8: Started 5 sec timeout
TPLUS(00000008)/0/NB_WAIT: socket event 2

T+: Version 192 (0xC0), type 1, seq 1, encryption 1
T+: session_id 3329617854 (0xC675EFBE), dlen 22 (0x16)
T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
T+: svc:LOGIN user_len:0 port_len:5 (0x5) raddr_len:9 (0x9) data_len:0
T+: user:
T+: port: tty67
T+: rem_addr: 150.1.2.2
T+: data:
T+: End Packet

TPLUS(00000007)/0/READ: read entire 28 bytes response

T+: Version 192 (0xC0), type 1, seq 2, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 16 (0x10)
T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
T+: msg:  Username:
T+: data:
T+: End Packet

Note

The router collects the name and sends it to the server in a CONTINUE message. The server responds with the Password prompt instructing the router to request a password.

TPLUS(00000007)/0/84498D84: Processing the reply packet
TPLUS: Received authen response status GET_USER (7)
TPLUS: Queuing AAA Authentication request 7 for processing
TPLUS: processing authentication continue request id 7
TPLUS: Authentication continue packet generated for 7
TPLUS(00000007)/0/WRITE/84498D84: Started 5 sec timeout
T+: Version 192 (0xC0), type 1, seq 3, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 10 (0xA)
T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
T+: User msg:
T+: User data:
T+: End Packet
TPLUS(00000007)/0/WRITE: wrote entire 22 bytes request
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 12 header bytes (expect 16 bytes data)
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 28 bytes response


T+: Version 192 (0xC0), type 1, seq 4, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 16 (0x10)
T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
T+: msg:  Password:
T+: data:
T+: End Packet

Note

The router collects the password and sends it to the AAA server. The server returns a reply with the PASS state.

TPLUS(00000007)/0/84498D84: Processing the reply packet
TPLUS: Received authen response status GET_PASSWORD (8)
TPLUS: Queuing AAA Authentication request 7 for processing
TPLUS: processing authentication continue request id 7
TPLUS: Authentication continue packet generated for 7
TPLUS(00000007)/0/WRITE/84498D84: Started 5 sec timeout

T+: Version 192 (0xC0), type 1, seq 5, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 10 (0xA)
T+: AUTHEN/CONT msg_len:5 (0x5), data_len:0 (0x0) flags:0x0
T+: User msg:
T+: User data:
T+: End Packet

TPLUS(00000007)/0/WRITE: wrote entire 22 bytes request
TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 12 header bytes (expect 6 bytes data)

TPLUS(00000007)/0/READ: socket event 1
TPLUS(00000007)/0/READ: read entire 18 bytes response

T+: Version 192 (0xC0), type 1, seq 6, encryption 1
T+: session_id 2976998213 (0xB1716345), dlen 6 (0x6)
T+: AUTHEN/REPLY status:1 flags:0x0 msg_len:0, data_len:0
T+: msg:
T+: data:
T+: End Packet

TPLUS(00000007)/0/84498D84: Processing the reply packet
TPLUS: Received authen response status PASS (2)
AAA/AUTHOR (00000007): Method list id=0 not configured. Skip author
AAA: parse name=tty66 idb type=-1 tty=-1
AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0

AAA/MEMORY: create_user (0x843720E4) user='ADMIN' ruser='NULL' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
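The six-packet exchange traced above (START, a GETUSER prompt, CONTINUE with the name, a GETPASS prompt, CONTINUE with the password, and the final PASS) can be replayed offline with the following added Python model. It is not code from the workbook or from Cisco: it implements the 12-byte TACACS+ header, the AUTHEN/START, REPLY and CONTINUE body layouts and the chained-MD5 pad from RFC 8907 that the protocol XORs over the body under the shared key ("encryption 1" in the debug means that pad is in use). The user store is a constructed stand-in for ACS, the server side is a small state machine rather than a real daemon, and the port and address values (tty67, 150.1.2.2) are taken from the debug so that the byte counts come out the same: 34, 28, 22, 28, 22 and 18 bytes on the wire, each a 12-byte header plus the dlen shown. The last assertion in the usage note is the defender's point of the exercise: the body protection is only as strong as the key, and a wrong key yields garbage rather than an error, which is why the workbook sources the session from a loopback and keeps the key out of cleartext transports.

```python
import hashlib
import struct

# Constants from RFC 8907 (TACACS+). "Version 192 (0xC0)" and "type 1" in the
# debug output are VERSION and TYPE_AUTHEN; "encryption 1" means the
# unencrypted flag is clear, i.e. the body is XORed with the pad below.
VERSION = 0xC0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 0x01, 0x02, 0x04, 0x05
STATUS_NAMES = {STATUS_PASS: "PASS", STATUS_FAIL: "FAIL",
                STATUS_GETUSER: "GETUSER", STATUS_GETPASS: "GETPASS"}
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5: pad_1 = MD5(sid|key|ver|seq); pad_n = MD5(sid|key|ver|seq|pad_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(session_id: int, seq_no: int, body: bytes, key: bytes) -> bytes:
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(raw: bytes, key: bytes) -> dict:
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ body")
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, seq_no)  # wrong key -> garbage, no error
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def authen_start(user: str, port: str, rem_addr: str) -> bytes:
    """AUTHEN/START body: action LOGIN(1), priv_lvl 1, authen_type ASCII(1), service LOGIN(1)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r


def authen_reply(status: int, server_msg: str) -> bytes:
    """AUTHEN/REPLY body: status, flags, server_msg_len, data_len, server_msg."""
    m = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(m), 0) + m


def authen_continue(user_msg: str) -> bytes:
    """AUTHEN/CONTINUE body: user_msg_len, data_len, flags, user_msg."""
    m = user_msg.encode()
    return struct.pack("!HHB", len(m), 0, 0) + m


def decode_reply(body: bytes):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return STATUS_NAMES.get(status, hex(status)), body[6:6 + msg_len].decode()


def run_login_exchange(key: bytes, session_id: int, username: str, password: str):
    """Replay the ASCII login from the debug: START, GETUSER, CONT, GETPASS, CONT, PASS/FAIL.
    Returns one (sender, seq_no, bytes_on_wire, label) tuple per packet."""
    users = {"ADMIN": "CISCO"}      # constructed stand-in for the ACS user database
    pending = {}
    transcript = []

    def server(body: bytes) -> bytes:
        # Simulated server side of the ASCII login state machine.
        if "user" not in pending:
            pending["user"] = None
            return authen_reply(STATUS_GETUSER, "Username: ")
        user_msg = body[5:5 + struct.unpack("!H", body[:2])[0]].decode()
        if pending["user"] is None:
            pending["user"] = user_msg
            return authen_reply(STATUS_GETPASS, "Password: ")
        ok = users.get(pending["user"]) == user_msg
        return authen_reply(STATUS_PASS if ok else STATUS_FAIL, "")

    seq = 1
    for client_body in (authen_start("", "tty67", "150.1.2.2"),   # values from the debug
                        authen_continue(username), authen_continue(password)):
        wire = build_packet(session_id, seq, client_body, key)
        transcript.append(("router", seq, len(wire), "AUTHEN/START" if seq == 1 else "AUTHEN/CONT"))
        reply = build_packet(session_id, seq + 1, server(parse_packet(wire, key)["body"]), key)
        status, _prompt = decode_reply(parse_packet(reply, key)["body"])
        transcript.append(("server", seq + 1, len(reply), status))
        seq += 2
        if status in ("PASS", "FAIL"):
            break
    return transcript
```

Calling run_login_exchange(b"CISCO", 0xB1716345, "ADMIN", "CISCO") returns six tuples whose sequence numbers run 1 to 6 and whose sizes are 34, 28, 22, 28, 22 and 18 bytes, matching the "wrote entire 22 bytes request" and "read entire 28/18 bytes response" lines; a wrong password ends the same exchange with FAIL instead of PASS, and parsing a captured packet with the wrong key decodes to a body that is not the original.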


    The other interesting attributes are:

a) Access-List. Specifies the access-list to be applied to the user's outgoing connections. Helpful to restrict the hosts that the user may bounce to off this router.

b) Auto-Command = IOS CLI command. Specifies the command to be executed upon the user's login. The session is terminated after the command has been executed and the user is disconnected.

c) Idle-time. Specifies the time a user's connection originated from this router could stay idle before terminating it. This applies to the outbound connections, not the inbound one to the router itself.

d) No-escape. When enabled, disallows the user to enter the escape character and return back to the router's shell. Commonly used with the auto-command that connects the user to another router. This option will disallow the user returning back to this router.

e) No-hangup. When enabled, changes the shell termination behavior. Usually the user's session is disconnected when the shell terminates. With this option, the connection remains active, allowing the user to log in once again. Commonly used with auto-commands to allow the user to log in to the router under a different name.

f) Privilege-Level or priv-lvl is the exec enable privilege level mentioned previously.

2) Consult the local username database. If the local database is used for exec authorization, the auto-commands and privilege levels are taken from the values associated with the usernames configured in the router. You enable local exec authorization using a command similar to the following:

aaa authorization exec default local

For example, username cisco privilege 3 assigns user cisco to privilege level 3 upon login when local authorization is enabled.

3) Use default settings, for example, the default privilege level assigned to the terminal line (privilege level x), if the authorization settings permit this.

This is commonly used when you disable authorization (method none) or authorize settings for any authenticated users (method if-authenticated).

Notice the difference between the method none and if-authenticated from the following example:

Scenario 1:

aaa authentication login default group tacacs+ none
aaa authorization exec default none
!
line console 0
 privilege level 15

Scenario 2:

aaa authentication login default group tacacs+ none
aaa authorization exec default if-authenticated
!
line console 0
 privilege level 15

In the first case, if the TACACS+ server is not available, the router will allow incoming console connections without authentication. Since there is no exec authorization, the user will be granted the exec shell with privilege 15. In the second case, if the TACACS+ server is not available, the system grants access without authentication but fails authorization of the exec shell.

Thus, the difference between the none and if-authenticated authorization cases is that the former always applies the desired authorization parameters without any verification. The latter requires the user to be authenticated, but does not consult the user database to check authorization attributes.

As mentioned previously, by default, exec authorization is set to none, so you may need to change it to accomplish your needs.

A note on the console line authorization. By default, console line authorization is disabled, regardless of the configured default authorization list for service exec. The privilege level set for the line using the command privilege level is used for exec authorization by default. However, if you enable console line authorization using the command aaa authorization console, then the AAA lists will take their effect on the console users as well. Notice that this behavior was different for IOS running on Catalyst switches (console authorization on by default), but the behavior has been made unified in the recent Catalyst IOS releases.
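The method-list semantics behind the two scenarios above are easy to get wrong in practice, so here is an added Python model (not the workbook's or Cisco's code) of how an IOS login and exec-authorization list is walked: only an ERROR (server unreachable) moves on to the next method, a definite FAIL rejects the user without trying anything further, none always succeeds, and if-authenticated succeeds only when a real method vouched for the user and then applies the line privilege level without consulting any database. The TacacsServer class, the (password, privilege) user tuples and the login() helper are constructed for this example; authorization_applies=False stands for a console line without aaa authorization console, where the line privilege level is used as-is. The usage note lists the cases it reproduces, including the one the text implies but does not show: a reachable server that rejects the password does not fall through to none or local.

```python
from dataclasses import dataclass, field

# Method outcomes. IOS moves to the next method in a list only on ERROR (the
# server could not be reached); a definite FAIL ends the list with a rejection.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class TacacsServer:
    """Constructed stand-in for the ACS: name -> (password, exec priv-lvl attribute)."""
    reachable: bool
    users: dict = field(default_factory=dict)

    def authenticate(self, user: str, password: str) -> str:
        if not self.reachable:
            return ERROR
        entry = self.users.get(user)
        return PASS if entry and entry[0] == password else FAIL

    def exec_attributes(self, user: str):
        if not self.reachable:
            return ERROR, None
        entry = self.users.get(user)
        return (PASS, entry[1]) if entry else (FAIL, None)


def authenticate(methods, server, local_users, user, password):
    """Walk an 'aaa authentication login' list; returns (granted, method that decided)."""
    for method in methods:
        if method == "group tacacs+":
            result = server.authenticate(user, password)
        elif method == "local":
            entry = local_users.get(user)
            result = PASS if entry and entry[0] == password else FAIL
        elif method == "none":
            result = PASS
        else:
            raise ValueError(f"unknown method {method}")
        if result == ERROR:
            continue            # next method only when this one could not answer at all
        return result == PASS, method
    return False, None          # every method errored: no answer, no access


def authorize_exec(methods, authenticated_by, server, local_users, user, line_priv):
    """Walk an 'aaa authorization exec' list; returns (granted, privilege level)."""
    for method in methods:
        if method == "none":
            return True, line_priv                      # no check; line privilege applies
        if method == "if-authenticated":
            vouched = authenticated_by not in (None, "none")
            return vouched, line_priv                   # no attribute lookup either way
        if method == "group tacacs+":
            result, priv = server.exec_attributes(user)
            if result == ERROR:
                continue
            return result == PASS, priv
        if method == "local":
            entry = local_users.get(user)
            return entry is not None, (entry[1] if entry else None)
        raise ValueError(f"unknown method {method}")
    return False, None


def login(auth_list, author_list, server, local_users, user, password,
          line_priv=15, authorization_applies=True):
    """One line login. authorization_applies=False models a console line without
    'aaa authorization console', where the line's privilege level is used as-is."""
    ok, method = authenticate(auth_list, server, local_users, user, password)
    if not ok:
        return {"authenticated": False, "method": None, "exec": False, "priv": None}
    if not authorization_applies:
        return {"authenticated": True, "method": method, "exec": True, "priv": line_priv}
    granted, priv = authorize_exec(author_list, method, server, local_users, user, line_priv)
    return {"authenticated": True, "method": method, "exec": granted,
            "priv": priv if granted else None}
```

With the server marked unreachable, Scenario 1 (authorization none) yields an exec shell at the line's privilege 15 and Scenario 2 (if-authenticated) yields an authenticated user with no shell, as the text describes. With the server reachable, a correct password under if-authenticated gives the line privilege rather than a server attribute, a wrong password is rejected outright, and a "group tacacs+ local" list for both authentication and exec authorization falls back to the local NOC entry (privilege 7) only when the server is down.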


    R2:
    username ADMIN privilege 15
    username NOC privilege 7
    !
    aaa authorization exec VTY group tacacs+ local
    aaa authorization exec default local
    !
    line vty 0 4
     authorization exec VTY

    ACS:

    Step 1:

    Modify the existing ADMIN user's TACACS+ Settings. Edit the account and set the TACACS+ settings according to the screenshot below. Notice that checking Shell is important to enable this service for the user.

    Step 2:

    Create a new user named NOC with the password CISCO. Assign the Privilege Level of 7 to this user under TACACS+ Settings.

    Verification

    Note

    Enable the following debugging commands in R2 and connect to this router from R6. Authenticate using the name ADMIN/CISCO and check the privilege level assigned upon login.

    Rack1R2#debug aaa authorization
    AAA Authorization debugging is on

    Rack1R2#debug tacacs authorization
    TACACS+ authorization debugging is on

    Rack1R2#debug tacacs packet
    TACACS+ packets debugging is on

    Rack1R6#telnet 150.1.2.2
    Trying 150.1.2.2 ... Open

    Username: ADMIN
    Password: CISCO

    Rack1R2#show privilege
    Current privilege level is 15

    Note

    Check the debugging output next. The first part of the packet exchange is authentication related.

    AAA/BIND(0000000B): Bind i/f
    T+: Version 192 (0xC0), type 1, seq 1, encryption 1
    T+: session_id 725205646 (0x2B39C28E), dlen 23 (0x17)
    T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
    T+: svc:LOGIN user_len:0 port_len:5 (0x5) raddr_len:10 (0xA) data_len:0
    T+: user:
    T+: port: tty66
    T+: rem_addr: 136.1.126.6
    T+: data:
    T+: End Packet
    T+: Version 192 (0xC0), type 1, seq 2, encryption 1
    T+: session_id 725205646 (0x2B39C28E), dlen 16 (0x10)
    T+: AUTHEN/REPLY status:4 flags:0x0 msg_len:10, data_len:0
    T+: msg:  Username:
    T+: data:
    T+: End Packet

    Note

    The server responds with priv-lvl=15 and authorization ends here.

    TPLUS(0000000B)/0/NB_WAIT: wrote entire 59 bytes request
    TPLUS(0000000B)/0/READ: socket event 1
    TPLUS(0000000B)/0/READ: Would block while reading
    TPLUS(0000000B)/0/READ: socket event 1
    TPLUS(0000000B)/0/READ: read entire 12 header bytes (expect 18 bytes data)
    TPLUS(0000000B)/0/READ: socket event 1
    TPLUS(0000000B)/0/READ: read entire 30 bytes response
    T+: Version 192 (0xC0), type 2, seq 2, encryption 1
    T+: session_id 4235601696 (0xFC762720), dlen 18 (0x12)
    T+: AUTHOR/REPLY status:1 msg_len:0, data_len:0 arg_cnt:1
    T+: msg:
    T+: data:
    T+: arg[0] size:11
    T+: priv-lvl=15
    T+: End Packet
    TPLUS(0000000B)/0/84498D84: Processing the reply packet
    TPLUS: Processed AV priv-lvl=15
    TPLUS: received authorization response for 11: PASS
    AAA/AUTHOR/EXEC(0000000B): processing AV cmd=
    AAA/AUTHOR/EXEC(0000000B): processing AV priv-lvl=15
    AAA/AUTHOR/EXEC(0000000B): Authorization successful
    Rack1R2#

    Note

    Now confirm that the user NOC is placed at exec privilege level 7 upon login.

    Rack1R6#telnet 150.1.2.2
    Trying 150.1.2.2 ... Open

    Username: NOC
    Password:

    Rack1R2#sh privilege
    Current privilege level is 7
    Rack1R2#

    Local authorization is always on by default, and works according to the privilege levels assigned to the users and the commands associated with those levels. In order to create custom command sets, you can do one of the following:

    1) Assign some level 15 commands to level 1, effectively making them available to all users that may log in to the router (if they use the default privilege level settings). You may want to use this option if you need to allow all users the use of some special features, e.g. using certain debug commands.

    2) Re-assign some commands from level 1 to a higher level, thus disallowing all unprivileged users the use of this command. For example, you may want to disallow the use of the show ip access-list command for all default privilege users.

    3) Assign some level 15 commands to a new custom level, e.g. level 7. By doing this, you still make the commands available to level 15, but do not allow any user with the default privilege to use them. After that, you can assign the custom privilege level to a specific user, allowing the use of some privileged commands to this particular user only.

    To understand the command authorization process, you should recall that at any time the IOS exec shell works in one of the interpreter modes. The two most well-known modes are exec mode and global configuration mode. The interpreter's mode is displayed via the router's prompt, such as router# for exec mode or router(config)# for global configuration mode. In addition to that, the shell contains many other interpreter modes, such as interface configuration, vpdn configuration, ip extended ACL, map-class, and so on. Each mode has its own subset of commands, which are only visible in the particular mode.

    In order to understand how IOS performs command authorization, let's look at the generalized command structure:

    command sub-command [arguments] [argument-values] [options]

    Here command is the first portion of the command string, for example, ip in the ip address command entered under the interface configuration mode. The sub-command field makes the command more specific and might be present in some commands, e.g. ip proxy-arp, compress stac etc. The arguments list covers all mandatory named parameters that might have values assigned. For example, in the ip address command, the address field is an argument and it may take a value such as 1.2.3.4. The options may cover various command attributes that are not mandatory.

    From the local command authorization standpoint, you can only match the mandatory fields such as command, sub-command, and arguments. The system will automatically allow any argument values and options if the command that the user enters matches the configured pattern.

    The syntax to re-assign a particular command is as follows:

    privilege <mode> level <level> <command>

    This command tells the router shell to assign the command matching the string command to the level specified by the level argument. The match occurs against all mandatory parts of the command that a user enters in a particular exec mode. For example, if you assigned the command snmp-server but not the command snmp-server host to privilege level 7, then a user will not be able to configure the SNMP trap destination, since host is a mandatory (non-optional) part of the command. The following features ease the local command authorization configuration:

    1) When you enter commands as a shortcut, such as privilege exec level 7 conf t, the shell automatically expands it to the full syntax, e.g. to the string privilege exec level 7 configure terminal in our example.

    2) When you assign a compound command to a particular level, e.g. privilege interface level 7 ip address, the shell automatically adds extra lines assigning all initial components of the compound command to the same level, e.g. it adds the privilege interface level 7 ip command.
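The local privilege-level mechanics described above, as an added model that is neither the workbook's nor IOS code: keywords of a per-mode command tree carry privilege levels, abbreviations are expanded, assigning a compound command also assigns its initial components, and a command line passes only when every mandatory keyword on its path is at or below the user's level. The command tree it seeds is a constructed subset of IOS with assumed default levels.

```python
class PrivilegeTable:
    """Per-mode tree of command keywords, each carrying a privilege level.
    Tokens after the last recognised keyword are argument values or options,
    which pass automatically once the mandatory keywords have been checked."""

    def __init__(self):
        self.modes = {}  # mode -> {keyword: [level, {child keyword: ...}]}

    def seed(self, mode, command, level):
        """Register a known command with the level it has out of the box."""
        node, entry = self.modes.setdefault(mode, {}), None
        for kw in command.split():
            entry = node.setdefault(kw, [level, {}])
            node = entry[1]
        if entry is not None:
            entry[0] = level

    def expand(self, mode, line):
        """Expand abbreviated keywords ('conf t' -> 'configure terminal');
        unrecognised trailing tokens are returned unchanged as values."""
        node, tokens, out = self.modes.get(mode, {}), line.split(), []
        for i, tok in enumerate(tokens):
            matches = [tok] if tok in node else [k for k in node if k.startswith(tok)]
            if len(matches) > 1:
                raise ValueError("ambiguous command: %r" % tok)
            if not matches:
                return out + tokens[i:]
            out.append(matches[0])
            node = node[matches[0]][1]
        return out

    def privilege(self, mode, level, command):
        """'privilege <mode> level <level> <command>': as the text describes,
        every initial component of a compound command is assigned the same
        level. Returns the configuration lines this produces."""
        node, lines, path = self.modes.setdefault(mode, {}), [], []
        for kw in self.expand(mode, command):
            entry = node.setdefault(kw, [level, {}])
            entry[0] = level
            path.append(kw)
            lines.append("privilege %s level %d %s" % (mode, level, " ".join(path)))
            node = entry[1]
        return lines

    def authorize(self, mode, user_level, line):
        """'permit' if every keyword of the expanded line is at or below the
        user's level, 'deny' if one is above it, 'invalid' if the first
        keyword is not a command of that mode."""
        node, tokens = self.modes.get(mode, {}), self.expand(mode, line)
        if not tokens or tokens[0] not in node:
            return "invalid"
        for tok in tokens:
            if tok not in node:
                break  # argument values and options carry no level of their own
            level, node = node[tok]
            if level > user_level:
                return "deny"
        return "permit"


def build_router():
    """Constructed subset of the IOS command tree with assumed default levels."""
    r = PrivilegeTable()
    for cmd, lvl in [("show version", 1), ("show ip route", 1),
                     ("show ip access-list", 1), ("ping", 1),
                     ("configure terminal", 15), ("debug aaa authorization", 15)]:
        r.seed("exec", cmd, lvl)
    for cmd in ("snmp-server host", "snmp-server community", "interface"):
        r.seed("configure", cmd, 15)
    for cmd in ("ip address", "ip proxy-arp", "shutdown"):
        r.seed("interface", cmd, 15)
    return r


def demo():
    """Replays options 2 and 3 from the text; returns the outcome of each check."""
    r, out = build_router(), {}
    # Option 3: snmp-server at level 7, but snmp-server host left at 15.
    r.privilege("configure", 7, "snmp-server")
    out["snmp host, lvl 7"] = r.authorize("configure", 7, "snmp-server host 10.0.0.1")
    r.privilege("configure", 7, "snmp-server host")
    out["snmp host fixed, lvl 7"] = r.authorize("configure", 7, "snmp-server host 10.0.0.1")
    # Option 2: moving show ip access-list to level 7 also moves its initial
    # components show and show ip, so level-1 users lose every show command ...
    r.privilege("exec", 7, "show ip access-list")
    out["show version, lvl 1"] = r.authorize("exec", 1, "show version")
    # ... until those components are put back at level 1 explicitly.
    r.privilege("exec", 1, "show")
    r.privilege("exec", 1, "show ip")
    out["show version restored, lvl 1"] = r.authorize("exec", 1, "show version")
    out["show ip access-list, lvl 1"] = r.authorize("exec", 1, "show ip access-list")
    # Interface mode: values such as the address and mask need no level.
    r.privilege("interface", 7, "ip address")
    out["ip address, lvl 7"] = r.authorize("interface", 7, "ip address 150.1.2.2 255.255.255.0")
    out["ip proxy-arp, lvl 7"] = r.authorize("interface", 7, "ip proxy-arp")
    return out
```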

    Verification

    Note

    Log in to the router as user NOC and authenticate using the password CISCO. The user should be placed at privilege level 7.

    Rack1R2 con0 is now available

    Press RETURN to get started.

    This system requires you to identify yourself.

    Please Enter Your ID: NOC
    Please Enter Your Password: CISCO

    Rack1R2#show privilege
    Current privilege level is 7

    Rack1R2#?
    Exec commands:
      access-enable    Create a temporary Access-List entry
      access-profile   Apply user-profile to interface
      call             Voice call
      clear            Reset functions
      configure        Enter configuration mode

    Rack1R2#debug ?
      all              Enable all debugging
      call             Call Information
      call-mgmt        Call Management
      ces-conn         Connection Manager CES Client Info
      conn             Connection Manager information
      dspapi           Generic DSP API
      flow-sampler     Debug flow sampler
      hpi              HPI (54x) DSP messages

    5.4 IOS Remote Command Authorization

    Only allow the NOC user to modify the IP address of the Loopback0 interface.

    Make sure the range of allowed IP addresses is 150.X.0.0/16 for this interface.

    Configuration

    Note

    As mentioned in the previous task, remote command authorization works on a per-command basis, requesting authorization for every command entered by the user. Every time a user presses Enter, the router sends the fully expanded command line to the TACACS+ server in the context of the current user's authorization session. The server compares the string with the policy configuration (actually, a list of regular expressions) for the particular user, and responds whether the command is permitted or denied.

    In order to enable per-command authorization at a particular exec privilege level, use the command aaa authorization commands <level> {<list-name>|default} group {tacacs+|<group-name>}. It makes no sense to use the local database for per-command authorization, as local configurations are always in effect. Thus, the only two meaningful options are either tacacs+ or a custom TACACS+ server group. However, you may specify local authorization as the fallback method in addition to the primary TACACS+ authorization.

    Command authorization is enabled per-level, and by default applies only to the exec mode commands, not the configuration commands. To enable authorization of configuration mode commands, enter the command aaa authorization config-commands. This command instructs the router to send the command strings entered in configuration mode to the AAA server for authorization as well. Notice that this may result in command name collisions, as the router sends both the exec and configuration mode commands in the same format, without any discriminator to distinguish them.

    As usual, the console line will not be affected by authorization settings unless you enter the command aaa authorization console. In addition to that, if you are using the default authorization list, you may re-define it per-line using the line-level command authorization commands <level> {default|<list-name>} and configuring the method using the command aaa authorization commands <level> <list-name> <method>. In this case, the level numbers must match for the new authorization list to take effect.

    For the purpose of regular expression matching, all arguments are treated as a single line with the arguments separated by spaces. The use of regular expressions allows for a very flexible set of arguments. For example, you may use syntax similar to the following to permit either ip redirects or ip unreachables:

    command=ip
        permit redirects|unreachables

    or

    command=ip
        permit redirects
        permit unreachables

    Setting command authorization in the user's profile does not allow reusing the authorization set among different profiles. If you want to use a shared component, navigate to the Shared Profile Components > Shell Command Authorization Sets section of the ACS configuration menu.

    The new commands are added in the input field below. After you have added a command, you may specify its arguments in the separate window using the syntax described above. After the set has been created, you may go to the user/group profile and assign the profile as illustrated in the screenshot below.

    R2:
    aaa authorization commands 7 VTY_LIST group tacacs+ local
    aaa authorization config-commands
    !
    line vty 0 4
     authorization commands 7 VTY_LIST

    ACS:

    Configure command authorization for user NOC. Enable Per User Command Authorization and select Deny for Unmatched IOS commands. For each of the following commands select Deny for Unlisted Arguments. Enter the following authorization commands along with the permitted arguments:

    command=configure
        arguments:
        permit terminal

    command=interface
        arguments:
        permit Loopback 0

    command=ip
        arguments:
        permit address 150\.1\..* 255\.255\..*

    Submit your changes after every command, so that the input for the new command configuration appears.
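The argument matching described above and the per-user settings just configured, as an added model that is neither the workbook's nor ACS code: the arguments of each request are joined into one line and checked against the command's permit/deny regular expressions in order, with the Unmatched IOS commands and Unlisted Arguments choices deciding everything else. It is fed a constructed excerpt in the format of the router's debug aaa authorization output; anchoring the regular expressions at the start of the argument line is an assumption.

```python
import re
from collections import OrderedDict


class CommandAuthorizationSet:
    """Model of an ACS shell command authorization set: per command, the
    ordered permit/deny argument lines (regular expressions) and the
    'Unlisted Arguments' choice; plus the 'Unmatched IOS commands' choice."""

    def __init__(self, unmatched_commands="deny"):
        self.unmatched_commands = unmatched_commands
        self.rules = {}  # command -> ([(action, compiled regex)], unlisted_arguments)

    def add(self, command, argument_lines, unlisted_arguments="deny"):
        compiled = []
        for line in argument_lines:
            action, _, pattern = line.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError("argument line must start with permit or deny: %r" % line)
            compiled.append((action, re.compile(pattern)))
        self.rules[command] = (compiled, unlisted_arguments)

    def authorize(self, cmd, cmd_args):
        """Return the status the router logs for the request: PASS_ADD or FAIL."""
        if cmd not in self.rules:
            return "PASS_ADD" if self.unmatched_commands == "permit" else "FAIL"
        lines, unlisted = self.rules[cmd]
        # The server sees the arguments as one space-separated line; the final
        # cmd-arg carrying the <cr> (empty in some captures) is not part of it.
        arg_line = " ".join(argument_words(cmd_args))
        for action, pattern in lines:
            if pattern.match(arg_line):  # assumption: patterns anchor at line start
                return "PASS_ADD" if action == "permit" else "FAIL"
        return "PASS_ADD" if unlisted == "permit" else "FAIL"


def argument_words(cmd_args):
    """Drop the trailing <cr> argument (or an empty one) the router appends."""
    return [a for a in cmd_args if a and a != "<cr>"]


# AV pairs as 'debug aaa authorization' prints them on the router.
AV_LINE = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): send AV (cmd|cmd-arg)=(.*)$")


def parse_author_debug(lines):
    """Group the cmd / cmd-arg AV pairs of each request id, in order of appearance."""
    requests = OrderedDict()
    for line in lines:
        m = AV_LINE.search(line.rstrip())
        if m is None:
            continue
        req_id, kind, value = m.groups()
        req = requests.setdefault(req_id, {"cmd": None, "args": []})
        if kind == "cmd":
            req["cmd"] = value
        else:
            req["args"].append(value)
    return requests


# Constructed excerpt in the format of the router's debug output, replaying
# the NOC session of the verification (request ids as in that output).
DEBUG_SAMPLE = """\
AAA/AUTHOR/TAC+: (2932705943): send AV service=shell
AAA/AUTHOR/TAC+: (2932705943): send AV cmd=show
AAA/AUTHOR/TAC+: (2932705943): send AV cmd-arg=privilege
AAA/AUTHOR/TAC+: (2932705943): send AV cmd-arg=<cr>
AAA/AUTHOR/TAC+: (1833110997): send AV cmd=configure
AAA/AUTHOR/TAC+: (1833110997): send AV cmd-arg=terminal
AAA/AUTHOR/TAC+: (1833110997): send AV cmd-arg=<cr>
AAA/AUTHOR/TAC+: (416252970): send AV cmd=interface
AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=Loopback
AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=0
AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=<cr>
AAA/AUTHOR/TAC+: (2043835259): send AV cmd=ip
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=address
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=150.2.2.2
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=255.255.0.0
AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=<cr>
AAA/AUTHOR/TAC+: (1956646445): send AV cmd=ip
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=address
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=150.1.2.2
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=255.255.255.0
AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=<cr>
AAA/AUTHOR/TAC+: (795760187): send AV cmd=interface
AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=FastEthernet
AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=0/0
AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=<cr>
""".splitlines()


def noc_policy():
    """The command set the task configures for user NOC."""
    acs = CommandAuthorizationSet(unmatched_commands="deny")
    acs.add("configure", ["permit terminal"])
    acs.add("interface", ["permit Loopback 0"])
    acs.add("ip", [r"permit address 150\.1\..* 255\.255\..*"])
    return acs


def replay(debug_lines, acs):
    """(command line as the router expanded it, status) for every request."""
    results = []
    for req in parse_author_debug(debug_lines).values():
        line = " ".join([req["cmd"]] + argument_words(req["args"]))
        results.append((line, acs.authorize(req["cmd"], req["args"])))
    return results
```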

    Verification

    Note

    Enable command authorization debugging in R2 and connect to R2 via telnet. Log in as user NOC with the password CISCO and attempt entering some exec or configuration commands. Notice that you can only configure interface Loopback0 and specify an address within the 150.X.0.0/16 range.

    Rack1R2#debug aaa authorization
    AAA Authorization debugging is on

    Rack1R2#debug tacacs authorization
    TACACS+ authorization debugging is on

    Rack1R2#debug tacacs packet
    TACACS+ packets debugging is on

    Rack1R6#telnet 150.1.2.2
    Trying 150.1.2.2 ... Open

    Username: NOC
    Password: CISCO

    Rack1R2#show priv
    Command authorization failed.

    Rack1R2#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Rack1R2(config)#interface Loopback 0

    Rack1R2(config-if)#ip proxy-arp
    Command authorization failed.

    Rack1R2(config-if)#ip address 150.2.2.2 255.255.0.0
    Command authorization failed.

    Rack1R2(config-if)#ip address 150.1.2.2 255.255.255.0

    Rack1R2(config-if)#interface FastEthernet 0/0
    Command authorization failed.

    Note

    Observe the debugging output for per-command authorization in R2. The first authorization request is made for exec privilege level authorization. The level assigned to the shell is 7.

    AAA/AUTHOR (0x7): Pick method list 'VTY'
    TPLUS: Queuing AAA Authorization request 7 for processing
    TPLUS: processing authorization request id 7
    TPLUS: Protocol set to None .....Skipping
    TPLUS: Sending AV service=shell
    TPLUS: Sending AV cmd*
    TPLUS: Authorization request created for 7(NOC)
    TPLUS: using previously set server 10.0.0.100 from group tacacs+
    TPLUS(00000007)/0/NB_WAIT/83B13590: Started 5 sec timeout
    TPLUS(00000007)/0/NB_WAIT: socket event 2

    T+: Version 192 (0xC0), type 2, seq 1, encryption 1
    T+: session_id 89736254 (0x559443E), dlen 45 (0x2D)
    T+: AUTHOR, priv_lvl:1, authen:1 method:tacacs+
    T+: svc:1 user_len:3 port_len:5 rem_addr_len:10 arg_cnt:2
    T+: user: NOC
    T+: port: tty66
    T+: rem_addr: 136.1.126.6
    T+: arg[0]: size:13 service=shell
    T+: arg[1]: size:4 cmd*
    T+: End Packet

    TPLUS(00000007)/0/NB_WAIT: wrote entire 57 bytes request
    TPLUS(00000007)/0/READ: socket event 1
    TPLUS(00000007)/0/READ: Would block while reading
    TPLUS(00000007)/0/READ: socket event 1
    TPLUS(00000007)/0/READ: read entire 12 header bytes (expect 17 bytes data)
    TPLUS(00000007)/0/READ: socket event 1
    TPLUS(00000007)/0/READ: read entire 29 bytes response

    T+: Version 192 (0xC0), type 2, seq 2, encryption 1
    T+: session_id 89736254 (0x559443E), dlen 17 (0x11)
    T+: AUTHOR/REPLY status:1 msg_len:0, data_len:0 arg_cnt:1
    T+: msg:
    T+: data:
    T+: arg[0] size:10
    T+: priv-lvl=7
    T+: End Packet
    TPLUS(00000007)/0/83B13590: Processing the reply packet
    TPLUS: Processed AV priv-lvl=7
    TPLUS: received authorization response for 7: PASS
    AAA/AUTHOR/EXEC(00000007): processing AV cmd=
    AAA/AUTHOR/EXEC(00000007): processing AV priv-lvl=7
    AAA/AUTHOR/EXEC(00000007): Authorization successful

    AAA: parse name=tty66 idb type=-1 tty=-1
    AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)

    Note

    This is the authorization request for the command show priv. As you can see, it has been fully expanded and has three arguments; the last one is the CR character. The server returns a FAIL status to the client.

    tty66 AAA/AUTHOR/CMD(2932705943): Port='tty66' list='VTY_LIST' service=CMD
    AAA/AUTHOR/CMD: tty66(2932705943) user='NOC'
    tty66 AAA/AUTHOR/CMD(2932705943): send AV service=shell
    tty66 AAA/AUTHOR/CMD(2932705943): send AV cmd=show
    tty66 AAA/AUTHOR/CMD(2932705943): send AV cmd-arg=privilege
    tty66 AAA/AUTHOR/CMD(2932705943): send AV cmd-arg=<cr>
    tty66 AAA/AUTHOR/CMD(2932705943): found list "VTY_LIST"
    tty66 AAA/AUTHOR/CMD(2932705943): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (2932705943): user=NOC
    AAA/AUTHOR/TAC+: (2932705943): send AV service=shell
    AAA/AUTHOR/TAC+: (2932705943): send AV cmd=show
    AAA/AUTHOR/TAC+: (2932705943): send AV cmd-arg=privilege
    AAA/AUTHOR/TAC+: (2932705943): send AV cmd-arg=<cr>
    AAA/AUTHOR (2932705943): Post authorization status = FAIL
    AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
    AAA: parse name=tty66 idb type=-1 tty=-1
    AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
    tty66 AAA/AUTHOR/CMD(1833110997): Port='tty66' list='VTY_LIST' service=CMD

    Note

    The next command is conf t expanded to configure terminal. This commandis permitted by the server.

    AAA/AUTHOR/CMD: tty66(1833110997) user='NOC'
    tty66 AAA/AUTHOR/CMD(1833110997): send AV service=shell
    tty66 AAA/AUTHOR/CMD(1833110997): send AV cmd=configure
    tty66 AAA/AUTHOR/CMD(1833110997): send AV cmd-arg=terminal
    tty66 AAA/AUTHOR/CMD(1833110997): send AV cmd-arg=<cr>
    tty66 AAA/AUTHOR/CMD(1833110997): found list "VTY_LIST"
    tty66 AAA/AUTHOR/CMD(1833110997): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (1833110997): user=NOC
    AAA/AUTHOR/TAC+: (1833110997): send AV service=shell
    AAA/AUTHOR/TAC+: (1833110997): send AV cmd=configure
    AAA/AUTHOR/TAC+: (1833110997): send AV cmd-arg=terminal
    AAA/AUTHOR/TAC+: (1833110997): send AV cmd-arg=<cr>
    AAA/AUTHOR (1833110997): Post authorization status = PASS_ADD
    AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
    AAA: parse name=tty66 idb type=-1 tty=-1
    AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
    tty66 AAA/AUTHOR/CMD(416252970): Port='tty66' list='VTY_LIST' service=CMD

    Note

    Notice how the command interface Loopback 0 is parsed: the interface number is a separate argument of the command.

    AAA/AUTHOR/CMD: tty66(416252970) user='NOC'
    tty66 AAA/AUTHOR/CMD(416252970): send AV service=shell
    tty66 AAA/AUTHOR/CMD(416252970): send AV cmd=interface
    tty66 AAA/AUTHOR/CMD(416252970): send AV cmd-arg=Loopback
    tty66 AAA/AUTHOR/CMD(416252970): send AV cmd-arg=0
    tty66 AAA/AUTHOR/CMD(416252970): send AV cmd-arg=<cr>
    tty66 AAA/AUTHOR/CMD(416252970): found list "VTY_LIST"
    tty66 AAA/AUTHOR/CMD(416252970): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (416252970): user=NOC
    AAA/AUTHOR/TAC+: (416252970): send AV service=shell
    AAA/AUTHOR/TAC+: (416252970): send AV cmd=interface
    AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=Loopback
    AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=0
    AAA/AUTHOR/TAC+: (416252970): send AV cmd-arg=<cr>
    AAA/AUTHOR (416252970): Post authorization status = PASS_ADD

    Note

    The rest of the commands entered by the user are parsed and authorized in a similar manner.

    AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
    AAA: parse name=tty66 idb type=-1 tty=-1
    AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
    tty66 AAA/AUTHOR/CMD(2043835259): Port='tty66' list='VTY_LIST' service=CMD
    AAA/AUTHOR/CMD: tty66(2043835259) user='NOC'
    tty66 AAA/AUTHOR/CMD(2043835259): send AV service=shell
    tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd=ip
    tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=address
    tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=150.2.2.2
    tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=255.255.0.0
    tty66 AAA/AUTHOR/CMD(2043835259): send AV cmd-arg=<cr>
    tty66 AAA/AUTHOR/CMD(2043835259): found list "VTY_LIST"
    tty66 AAA/AUTHOR/CMD(2043835259): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (2043835259): user=NOC
    AAA/AUTHOR/TAC+: (2043835259): send AV service=shell
    AAA/AUTHOR/TAC+: (2043835259): send AV cmd=ip
    AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=address
    AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=150.2.2.2
    AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=255.255.0.0
    AAA/AUTHOR/TAC+: (2043835259): send AV cmd-arg=<cr>
    AAA/AUTHOR (2043835259): Post authorization status = FAIL
    AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
    AAA: parse name=tty66 idb type=-1 tty=-1
    AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
    tty66 AAA/AUTHOR/CMD(1956646445): Port='tty66' list='VTY_LIST' service=CMD
    AAA/AUTHOR/CMD: tty66(1956646445) user='NOC'
    tty66 AAA/AUTHOR/CMD(1956646445): send AV service=shell
    tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd=ip
    tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=address
    tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=150.1.2.2
    tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=255.255.255.0
    tty66 AAA/AUTHOR/CMD(1956646445): send AV cmd-arg=<cr>

    tty66 AAA/AUTHOR/CMD(1956646445): found list "VTY_LIST"
    tty66 AAA/AUTHOR/CMD(1956646445): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (1956646445): user=NOC
    AAA/AUTHOR/TAC+: (1956646445): send AV service=shell
    AAA/AUTHOR/TAC+: (1956646445): send AV cmd=ip
    AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=address
    AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=150.1.2.2
    AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=255.255.255.0
    AAA/AUTHOR/TAC+: (1956646445): send AV cmd-arg=<cr>
    AAA/AUTHOR (1956646445): Post authorization status = PASS_ADD
    AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)
    AAA: parse name=tty66 idb type=-1 tty=-1
    AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
    AAA/MEMORY: create_user (0x8474A4A0) user='NOC' ruser='Rack1R2' ds0=0 port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 initial_task_id='0', vrf= (id=0)
    tty66 AAA/AUTHOR/CMD(795760187): Port='tty66' list='VTY_LIST' service=CMD
    AAA/AUTHOR/CMD: tty66(795760187) user='NOC'
    tty66 AAA/AUTHOR/CMD(795760187): send AV service=shell
    tty66 AAA/AUTHOR/CMD(795760187): send AV cmd=interface
    tty66 AAA/AUTHOR/CMD(795760187): send AV cmd-arg=FastEthernet
    tty66 AAA/AUTHOR/CMD(795760187): send AV cmd-arg=0/0
    tty66 AAA/AUTHOR/CMD(795760187): send AV cmd-arg=<cr>
    tty66 AAA/AUTHOR/CMD(795760187): found list "VTY_LIST"
    tty66 AAA/AUTHOR/CMD(795760187): Method=tacacs+ (tacacs+)
    AAA/AUTHOR/TAC+: (795760187): user=NOC
    AAA/AUTHOR/TAC+: (795760187): send AV service=shell
    AAA/AUTHOR/TAC+: (795760187): send AV cmd=interface
    AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=FastEthernet
    AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=0/0
    AAA/AUTHOR/TAC+: (795760187): send AV cmd-arg=<cr>
    AAA/AUTHOR (795760187): Post authorization status = FAIL
    AAA/MEMORY: free_user (0x8474A4A0) user='NOC' ruser='Rack1R2' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=NONE priv=7 vrf= (id=0)

    5.5 Using RADIUS for Session Control

    Modify the previous scenarios to use RADIUS for remote session authentication and exec authorization.

    Ensure users ADMIN and NOC are placed at privilege levels 15 and 7 respectively upon logging in.

    Configure enable privilege authorization via RADIUS for levels 7 and 15 using the passwords cisco7 and cisco respectively.

    Ensure fallback to the local database for all AAA lists and disable console authentication/authorization.

    Configuration

    Note

    Unlike the TACACS+ protocol, RADIUS does not implement separate authentication and authorization phases. When a client sends an authentication request to the AAA server, the server returns a set of RADIUS attributes that are used to authorize the particular service. Many Cisco TACACS+ attributes have been mapped to RADIUS using the vendor-specific attribute known as Cisco AV Pair. You may associate a number of Cisco AV Pairs with the user's profile in the RADIUS database and simulate behavior similar to the TACACS+ shell authorization. The Cisco AV Pair syntax is usually in the format <protocol>:<attribute>, for example shell:priv-lvl or ip:inacl. For example, if you want exec authorization via RADIUS, you may use the AAA command aaa authorization exec default radius and associate the AV pair shell:priv-lvl=15 with the respective user profile. For the purpose of exec shell authorization, you may also set the IETF RADIUS attribute Service-Type to the value Administrative. This will automatically authorize the respective user to log in with a privilege level of 15.

    As for enable privilege authentication, the router will use the names $enab<level>$ to authenticate the enable password with the RADIUS server. For example, create the user $enab15$ to authenticate the maximum enable privilege level. RADIUS does not support per-user enable passwords as TACACS+ does, nor does it support per-command authorization. Additionally, the RADIUS server does not supply its own AAA banner messages, so the ones configured locally would take effect even with remote authentication.

    Similar to the TACACS+ protocol settings you may configure named AAA listsand define groups of RADIUS servers using the command aaa-server group.

    The default RADIUS server group is the one configured using the commandsradius-serverand ip radius source-interfacein the global

    configuration mode.


    Lastly, when configuring RADIUS settings in the ACS server, keep in mind that RADIUS attributes are not available in user profiles by default, only in group profiles. To enable the attributes in user profiles, navigate to Interface Configuration and select the respective protocol, e.g. RADIUS (Cisco IOS/PIX 6.X). On the page that appears, click the check-boxes next to the needed RADIUS attributes under the User column.
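As an added illustration (not code from the workbook or from Cisco), the following Python models two things the note describes: how the reply attributes Service-Type Administrative and Cisco AV pair shell:priv-lvl become an exec privilege level, which user name the router presents for an enable request, and how a method list such as group radius local falls back. The attribute numbers are the IETF values; the Result states and the precedence between Service-Type and an explicit shell:priv-lvl are modelling choices, not Cisco behaviour quoted from the page.

```python
"""Model of RADIUS-driven exec authorization and AAA method-list fallback.

Added example: not workbook or Cisco code. Attribute numbers are the IETF
values; the Result states and the precedence rules are modelling choices."""
import re
from enum import Enum

SERVICE_TYPE = 6                 # IETF attribute 6, Service-Type
SERVICE_TYPE_ADMINISTRATIVE = 6  # value "Administrative"
CISCO_AV_PAIR = "Cisco-AV-Pair"  # VSA 26 / vendor 9 / type 1, carried by name here

# Cisco AV pair grammar: protocol:attribute=value ("*" instead of "=" marks
# the pair optional, i.e. the NAS may ignore it if unsupported).
AV_PAIR_RE = re.compile(r"^(?P<proto>[a-z]+):(?P<attr>[\w#.-]+)(?P<sep>[=*])(?P<val>.*)$")


def parse_av_pair(text):
    """Split 'shell:priv-lvl=7' into ('shell', 'priv-lvl', '7', mandatory)."""
    m = AV_PAIR_RE.match(text)
    if not m:
        raise ValueError(f"malformed Cisco AV pair: {text!r}")
    return m.group("proto"), m.group("attr"), m.group("val"), m.group("sep") == "="


def exec_privilege_level(reply_attrs):
    """reply_attrs: (attribute, value) pairs from an Access-Accept.

    Returns the privilege level the exec shell is authorized at. Modelling
    choice: an explicit shell:priv-lvl wins over Service-Type Administrative."""
    level = 1                                   # IOS default exec level
    service_admin = False
    explicit = None
    for attr, value in reply_attrs:
        if attr == SERVICE_TYPE and value == SERVICE_TYPE_ADMINISTRATIVE:
            service_admin = True
        elif attr == CISCO_AV_PAIR:
            proto, name, val, _ = parse_av_pair(value)
            if proto == "shell" and name == "priv-lvl":
                explicit = int(val)
    if explicit is not None:
        level = explicit
    elif service_admin:
        level = 15                              # Administrative => level 15
    if not 0 <= level <= 15:
        raise ValueError(f"privilege level out of range: {level}")
    return level


def enable_username(level):
    """User-Name the router sends when authenticating 'enable <level>' via RADIUS."""
    if not 0 <= level <= 15:
        raise ValueError("enable level must be 0..15")
    return f"$enab{level}$"


class Result(Enum):
    PASS = "pass"      # Access-Accept or local password matched
    FAIL = "fail"      # Access-Reject or wrong local password
    ERROR = "error"    # server unreachable / no response


def run_method_list(methods, outcomes):
    """Evaluate an IOS-style method list, e.g. ["group radius", "local"].

    The next method is consulted only when the current one returns ERROR;
    a FAIL (Access-Reject) ends the list, so 'group radius local' does not
    let a rejected user in through the local database."""
    tried = []
    for method in methods:
        result = outcomes[method]
        tried.append((method, result))
        if result is Result.ERROR:
            continue
        return result, tried
    return Result.ERROR, tried                  # every method errored: login denied


if __name__ == "__main__":
    # Constructed replies mirroring the ADMIN and NOC profiles from the task.
    admin_reply = [(SERVICE_TYPE, SERVICE_TYPE_ADMINISTRATIVE)]
    noc_reply = [(CISCO_AV_PAIR, "shell:priv-lvl=7")]
    print("ADMIN exec level:", exec_privilege_level(admin_reply))
    print("NOC exec level:", exec_privilege_level(noc_reply))
    print("enable 7 request uses user", enable_username(7))
    for radius in (Result.ERROR, Result.FAIL):
        final, path = run_method_list(["group radius", "local"],
                                      {"group radius": radius, "local": Result.PASS})
        print(f"radius={radius.name}: final={final.name}, tried={[m for m, _ in path]}")
```

The method-list model is the part worth keeping in mind when the task says "fallback to the local database": the local method is reached only when the RADIUS server group is unreachable, not when it answers with an Access-Reject, so a weak local password is not an alternative login path for a user the server has refused.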

    Now the scenario's final configuration.


    R2:
    aaa authentication login CONSOLE none
    no aaa authorization console
    !
    ! Make sure to provide fallback to the local database
    !
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    !
    ! Configure local enable secrets
    !
    enable secret level 7 cisco7
    enable secret level 15 cisco
    !
    radius-server host 10.0.0.100 key CISCO
    ip radius source-interface Loopback0
    !
    line con 0
     login authentication CONSOLE
     privilege level 15
    !
    ! Remove old lists off the VTY lines
    !
    line vty 0 4
     no authorization commands 7 VTY_LIST
     no authorization exec VTY
     no login authentication VTY


    ACS:

    Step 1:

    Add R2 as a RADIUS client to the ACS server. Click Network Configuration, then Add Entry, and fill in the settings according to the screenshot below.

    Step 2:

    Add new users named $enab7$ and $enab15$ with the passwords cisco7 and cisco respectively.


    Step 3:

    Modify the accounts for users NOC and ADMIN. For the user NOC, make sure the RADIUS attribute Cisco-AV-Pair is set as on the screenshot below:


    For the user ADMIN, modify the IETF RADIUS attribute Service-Type per the screenshot below:


    Note

    This part of the output corresponds to enable 7 authentication.

    AAA/AUTHEN/START (2810935764): using "default" list
    AAA/AUTHEN/START (2810935764): Method=radius (radius)
    AAA/AUTHEN(2810935764): Status=GETPASS
    AAA/AUTHEN/CONT (2810935764): continue_login (user='NOC')
    AAA/AUTHEN(2810935764): Status=GETPASS
    AAA/AUTHEN(2810935764): Method=radius (radius)
    RADIUS: Authenticating using $enab7$
    RADIUS: Pick NAS IP for u=0x846F5FAC tableid=0 cfg_addr=150.1.2.2
    RADIUS: ustruct sharecount=1
    Radius: radius_port_info() success=1 radius_nas_port=1
    RADIUS(00000000): Send Access-Request to 10.0.0.100:1645 id 1645/13, len 83
    RADIUS:  authenticator 0F D9 9F 6F 6B E1 12 0B - 6E B1 05 EC E0 85 3C DE
    RADIUS:  NAS-IP-Address      [4]   6   150.1.2.2
    RADIUS:  NAS-Port            [5]   6   66
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  User-Name           [1]   9   "$enab7$"
    RADIUS:  Calling-Station-Id  [31]  12  "136.1.126.6"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Service-Type        [6]   6   Administrative            [6]
    RADIUS: Received from id 1645/13 10.0.0.100:1645, Access-Accept, len 52
    RADIUS:  authenticator B1 2E EB ED B5 F7 A6 99 - 83 6C F7 60 16 A0 3B 15
    RADIUS:  Framed-IP-Address   [8]   6   255.255.255.255
    RADIUS:  Class               [25]  26
    RADIUS:   43 41 43 53 3A 30 2F 31 38 65 34 32 2F 39 36 30  [CACS:0/18e42/960]
    RADIUS:   31 30 32 30 32 2F 36 36                          [10202/66]
    RADIUS: saved authorization data for user 846F5FAC at 83850B70
    AAA/AUTHEN(2810935764): Status=PASS
    AAA/MEMORY: free_user (0x846F5FAC) user='NOC' ruser='NULL' port='tty66' rem_addr='136.1.126.6' authen_type=ASCII service=ENABLE priv=7 vrf=(id=0)


    5.6 ASA Cut-Through Proxy

    Configure ASA1 for cut-through authentication with the following:

    o Require authentication before allowing HTTP destined for R6 Loopback 0 through ASA1.

    o Initially authenticate against the address 136.1.126.6 using HTTP.

    o After authentication, allow HTTP access to R6 Loopback 0 via an access-list.

    o Use the ACS server for authentication.

    o Traffic for authentication between the user and ASA1 should not be sent in plaintext.

    o Configure the AAA server with a username of HTTPUSER and a password of CISCO.

    Before authentication, the output of the packet-tracer command should show that the traffic is dropped, as shown below:

    ASA1(config)# packet-tracer input inside tcp 10.0.0.100 1234 150.1.6.6 80

    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list

    Phase: 2
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 3
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   150.1.6.0       255.255.255.0   outside

    Phase: 4
    Type: ACCESS-LIST
    Subtype: log
    Result: DROP
    Config:


    access-group inside in interface inside
    access-list inside extended deny tcp any host 150.1.6.6 eq www
    Additional Information:

    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule

    ASA1(config)#

    Configuration

    Note

    When doing cut-through proxy, there are different ways we can match traffic. We can use the include statement, which is legacy, or we can use the match statement along with an access list. Either way works; however, we can't use both methods at the same time on the same firewall.

    In our example below, our access list is going to match the interesting traffic, which will cause the firewall to check authentication against the AAA server, and then in turn download an access list from the AAA server. Because the access list on the interface is in conflict with the access list that will be downloaded from the AAA server, we want to include the per-user-override option at the end of our access-group statement. We can also use the test aaa command on the firewall to verify that communication is good between the firewall and the AAA server.


    ASA1:

    aaa-server RADIUS protocol radius
    aaa-server RADIUS (inside) host 10.0.0.100
     key cisco
    !
    ! Access list used for matching traffic to be authenticated.
    !
    access-list CUT-THROUGH-AUTH permit tcp any host 136.1.126.6 eq http
    !
    ! AAA statement identifying that traffic matching the ACL "CUT-THROUGH-
    ! AUTH" will be authenticated using the RADIUS server group
    !
    aaa authentication match CUT-THROUGH-AUTH inside RADIUS
    !
    ! To enable SSL and secure username and password exchange between HTTP
    ! clients and the ASA.
    !
    aaa authentication secure-http-client
    !
    ! Apply access group to inside interface with per-user-override keyword
    ! to allow ACL's to be downloaded from ACS server
    !
    access-group inside in interface inside per-user-override


    ACS:

    Step 1

    Add ASA1 as a RADIUS client. Go to Network Configuration and click the Add Entry button.


    Note

    Even though it is not called for in the task, we may want to consider adding one additional entry to the downloadable access list. Here is why. If we do not include the protocol that we use to authenticate with in the downloadable access list, the user may get an error message that is benign. You will still see the authentication with the show uauth command on the firewall, and you will still see the downloadable access list; the only negative is that there's a pesky error message that the user may see.

    Step 2:

    On the AAA server, configure a downloadable ACL with an entry to allow HTTP access to R6 Loopback 0.

    Go to Shared Profile Components > Downloadable IP ACLs, and click the Add button. By including the entry for the authentication protocol as well, we avoid the error message being seen by the user.


    Notice that you must click Submit, and then Submit again on the following screen, if you want the access-list to be saved.
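To make the per-user-override behaviour and the note about the authentication protocol concrete, here is an added Python model (not ASA code and not part of the workbook) of the interface ACL, the cut-through match ACL, the uauth table and the downloaded ACL. Addresses, ACL names and the deny line are the scenario's; the permit ip any any line completing the inside ACL, the user name, and the evaluation rule that without per-user-override a flow must be permitted by both the interface ACL and the downloaded ACL are assumptions of the model.

```python
"""Model of ASA cut-through proxy ACL evaluation with per-user-override.

Added example, not ASA code. Addresses, ACL names and the deny line come from
the scenario; the 'permit ip any any' completing the inside ACL, the user name
and the rule that without per-user-override both ACLs must permit a flow are
assumptions of this model."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def host(addr):
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Ace:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None         # None = any destination port

    def matches(self, flow):
        src, dst, proto, dport = flow
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate_acl(aces, flow):
    """First matching entry decides; implicit deny at the end, like on the ASA."""
    for ace in aces:
        if ace.matches(flow):
            return ace.action == "permit"
    return False


@dataclass
class CutThroughProxy:
    interface_acl: list
    auth_match_acl: list                # aaa authentication match <acl> inside
    per_user_override: bool
    uauth: dict = field(default_factory=dict)   # src ip -> (user, downloaded ACEs)

    def authenticate(self, src_ip, user, downloaded_acl):
        """Simulates a successful AAA exchange: ACS returned the dACL for the user."""
        self.uauth[src_ip] = (user, list(downloaded_acl))

    def needs_authentication(self, flow):
        """Unauthenticated source hitting the match ACL gets the HTTP auth prompt."""
        return flow[0] not in self.uauth and evaluate_acl(self.auth_match_acl, flow)

    def permits(self, flow):
        entry = self.uauth.get(flow[0])
        if entry is None:
            return evaluate_acl(self.interface_acl, flow)
        _user, dacl = entry
        if self.per_user_override:
            return evaluate_acl(dacl, flow)           # dACL replaces the interface ACL
        # Modelling assumption: without the keyword both ACLs must permit the flow.
        return evaluate_acl(self.interface_acl, flow) and evaluate_acl(dacl, flow)


# Scenario objects constructed from the page's configuration.
INSIDE_ACL = [
    Ace("deny", "tcp", ANY, host("150.1.6.6"), 80),   # the line packet-tracer hit
    Ace("permit", "ip", ANY, ANY),                     # assumed remainder of the ACL
]
CUT_THROUGH_AUTH = [Ace("permit", "tcp", ANY, host("136.1.126.6"), 80)]
DACL_MINIMAL = [Ace("permit", "tcp", ANY, host("150.1.6.6"), 80)]
DACL_WITH_AUTH_TARGET = DACL_MINIMAL + [Ace("permit", "tcp", ANY, host("136.1.126.6"), 80)]

PC = ipaddress.ip_address("10.0.0.100")
TO_R6_LOOPBACK = (PC, ipaddress.ip_address("150.1.6.6"), "tcp", 80)
TO_AUTH_TARGET = (PC, ipaddress.ip_address("136.1.126.6"), "tcp", 80)


def scenario(per_user_override=True, dacl=DACL_MINIMAL):
    """Runs the before/after sequence from the verification section."""
    fw = CutThroughProxy(INSIDE_ACL, CUT_THROUGH_AUTH, per_user_override)
    before = fw.permits(TO_R6_LOOPBACK)
    prompt = fw.needs_authentication(TO_AUTH_TARGET)
    fw.authenticate(PC, "httpuser", dacl)
    return {"before_auth": before, "auth_prompt": prompt,
            "after_auth": fw.permits(TO_R6_LOOPBACK),
            "auth_target_after_auth": fw.permits(TO_AUTH_TARGET)}


if __name__ == "__main__":
    print("override, minimal dACL:", scenario())
    print("override, dACL incl. auth target:", scenario(dacl=DACL_WITH_AUTH_TARGET))
    print("no override:", scenario(per_user_override=False))
```

The third result in each run is the reason for the note above: once the downloaded ACL overrides the interface ACL for the authenticated host, a follow-up HTTP request to the authentication address 136.1.126.6 is matched only against the downloaded ACL, so a dACL that lists only R6 Loopback 0 drops it, which is the benign error the user sees. Adding the entry for the authentication protocol removes it.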


    Verification

    Note

    Test authentication from the ACS PC, using a browser, by connecting to the FastEthernet interface of R6. After authentication, verify that the output of packet-tracer shows access to Loopback 0 on R6 via TCP port 80. By using the per-user-override option of the access-group on the interface, ACL entries that are pushed from the ACS server will allow traffic that is not permitted in the inside ACL.

    ASA1(config)# packet-tracer input inside tcp 10.0.0.100 1234 150.1.6.6 80

    Phase: 1
    Type: FLOW-LOOKUP
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Found no matching flow, creating a new flow

    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   150.1.6.0       255.255.255.0   outside

    Phase: 3
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:

    Phase: 4
    Type: ACCESS-LIST
    Subtype: aaa-user
    Result: ALLOW
    Config:
    Additional Information:


    ASA1(config)# show uauth
                            Current    Most Seen
    Authenticated Users       1          1
    Authen In Progress        0          1
    user 'httpuser' at 10.0.0.100, authenticated
       access-list #ACSACL#-IP-ASA1DL-4afcd634 (*)
       absolute   timeout: 0:01:00
       inactivity timeout: 0:00:00
    ASA1(config)# show access-list #ACSACL#-IP-ASA1DL-4afcd634
    access-list #ACSACL#-IP-ASA1DL-4afcd634; 2 elements (dynamic)
    access-list #ACSACL#-IP-ASA1DL-4afcd634 line 1 extended permit tcp any host 150.1.6.6 eq www (hitcnt=1) 0x07bfe5d6
    ASA1(config)#

    Note

    You can also look at the output of debug radius and see the ACL downloaded from the AAA server.

    radius mkreq: 0xe
    alloc_rip 0xd590de68
        new request 0xe --> 24 (0xd590de68)
    got user 'httpuser'
    got password
    add_req 0xd590de68 session 0xe id 24
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    RADIUS packet decode (authentication request)

    --------------------------------------
    Raw packet data (length = 122).....
    01 18 00 7a 1a 4b 28 41 e6 27 d4 7d 72 c3 40 79    |  ...z.K(A.'.}r.@y
    be 1f 6c 35 01 0a 68 74 74 70 75 73 65 72 02 12    |  ..l5..httpuser..
    ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d    |  ........v.%2{{W-
    04 06 0a 00 00 0c 05 06 00 00 00 0d 3d 06 00 00    |  ............=...
    00 05 1a 1f 00 00 00 09 01 19 69 70 3a 73 6f 75    |  ..........ip:sou
    72 63 65 2d 69 70 3d 31 30 2e 30 2e 30 2e 31 30    |  rce-ip=10.0.0.10
    30 1f 19 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d    |  0..ip:source-ip=
    31 30 2e 30 2e 30 2e 31 30 30                      |  10.0.0.100

    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 24 (0x18)
    Radius: Length = 122 (0x007A)
    Radius: Vector: 1A4B2841E627D47D72C34079BE1F6C35
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 10 (0x0A)
    Radius: Value (String) =
    68 74 74 70 75 73 65 72                            |  httpuser


    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d    |  ........v.%2{{W-
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 10.0.0.12 (0x0A00000C)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    %ASA-2-109011: Authen Session Start: user 'httpuser', sid 23
    Radius: Value (Hex) = 0xD
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 31 (0x1F)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 25 (0x19)
    Radius: Value (String) =
    69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
    30 2e 30 2e 31 30 30                               |  0.0.100
    Radius: Type = 31 (0x1F) Calling-Station-Id
    Radius: Length = 25 (0x19)
    Radius: Value (String) =
    69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
    30 2e 30 2e 31 30 30                               |  0.0.100
    send pkt 10.0.0.100/1645
    rip 0xd590de68 state 7 id 24
    rad_vrfy() : response message verified
    rip 0xd5912788 :
     chall_state ''
     state 0x7
     timer 0x0
     reqauth:
         1a 4b 28 41 e6 27 d4 7d 72 c3 40 79 be 1f 6c 35
     info 0xe
         session_id 0xe
         request_id 0x18
         user 'httpuser'
         response '***'
         app 443
         reason 0
         skey 'cisco'
         sip 10.0.0.100
         type 1


    RADIUS packet decode (response)

    --------------------------------------
    Raw packet data (length = 114).....
    02 18 00 72 4f 0e 73 98 2d 78 ba 19 a9 16 69 ef    |  ...rO.s.-x....i.
    31 c7 ff f2 1a 3f 00 00 00 09 01 39 41 43 53 3a    |  1....?.....9ACS:
    43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66 69    |  CiscoSecure-Defi
    6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c 23    |  ned-ACL=#ACSACL#
    2d 49 50 2d 41 53 41 31 44 4c 2d 34 61 66 63 64    |  -IP-ASA1DL-4afcd
    36 33 34 08 06 ff ff ff ff 19 19 43 41 43 53 3a    |  634........CACS:
    30 2f 31 37 35 37 62 2f 61 30 30 30 30 30 63 2f    |  0/1757b/a00000c/
    31 33                                              |  13

    Parsed packet data.....
    Radius: Code = 2 (0x02)
    Radius: Identifier = 24 (0x18)
    Radius: Length = 114 (0x0072)
    Radius: Vector: 4F0E73982D78BA19A91669EF31C7FFF2
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 63 (0x3F)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 57 (0x39)
    Radius: Value (String) =
    41 43 53 3a 43 69 73 63 6f 53 65 63 75 72 65 2d    |  ACS:CiscoSecure-
    44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53    |  Defined-ACL=#ACS
    41 43 4c 23 2d 49 50 2d 41 53 41 31 44 4c 2d 34    |  ACL#-IP-ASA1DL-4
    61 66 63 64 36 33 34                               |  afcd634
    Radius: Type = 8 (0x08) Framed-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 255.255.255.255 (0xFFFFFFFF)
    Radius: Type = 25 (0x19) Class
    Radius: Length = 25 (0x19)
    Radius: Value (String) =
    43 41 43 53 3a 30 2f 31 37 35 37 62 2f 61 30 30    |  CACS:0/1757b/a00
    30 30 30 63 2f 31 33                               |  000c/13
    rad_procpkt: ACCEPT
    RADIUS_REQUEST
    radius.c: rad_mkpkt
    RADIUS packet decode (authentication request)


    --------------------------------------
    Raw packet data (length = 212).....
    01 19 00 d4 1a 4b 28 41 e6 27 d4 7d 72 c3 40 79    |  .....K(A.'.}r.@y
    be 1f 6c 35 01 1d 23 41 43 53 41 43 4c 23 2d 49    |  ..l5..#ACSACL#-I
    50 2d 41 53 41 31 44 4c 2d 34 61 66 63 64 36 33    |  P-ASA1DL-4afcd63
    34 02 12 ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b    |  4..........v.%2{
    7b 57 2d 04 06 0a 00 00 0c 05 06 00 00 00 0e 3d    |  {W-............=
    06 00 00 00 05 1a 17 00 00 00 09 01 11 61 61 61    |  .............aaa
    3a 73 65 72 76 69 63 65 3d 76 70 6e 1a 1e 00 00    |  :service=vpn....
    00 09 01 18 61 61 61 3a 65 76 65 6e 74 3d 61 63    |  ....aaa:event=ac
    6c 2d 64 6f 77 6e 6c 6f 61 64 50 12 48 e3 85 df    |  l-downloadP.H...
    60 38 a4 ac 55 bc 35 68 29 5d 85 d8 1a 1f 00 00    |  `8..U.5h)]......
    00 09 01 19 69 70 3a 73 6f 75 72 63 65 2d 69 70    |  ....ip:source-ip
    3d 31 30 2e 30 2e 30 2e 31 30 30 1f 19 69 70 3a    |  =10.0.0.100..ip:
    73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 30 2e 30    |  source-ip=10.0.0
    2e 31 30 30                                        |  .100

    Parsed packet data.....
    Radius: Code = 1 (0x01)
    Radius: Identifier = 25 (0x19)
    Radius: Length = 212 (0x00D4)
    Radius: Vector: 1A4B2841E627D47D72C34079BE1F6C35
    Radius: Type = 1 (0x01) User-Name
    Radius: Length = 29 (0x1D)
    Radius: Value (String) =
    23 41 43 53 41 43 4c 23 2d 49 50 2d 41 53 41 31    |  #ACSACL#-IP-ASA1
    44 4c 2d 34 61 66 63 64 36 33 34                   |  DL-4afcd634
    Radius: Type = 2 (0x02) User-Password
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d    |  ........v.%2{{W-
    Radius: Type = 4 (0x04) NAS-IP-Address
    Radius: Length = 6 (0x06)
    Radius: Value (IP Address) = 10.0.0.12 (0x0A00000C)
    Radius: Type = 5 (0x05) NAS-Port
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0xE
    Radius: Type = 61 (0x3D) NAS-Port-Type
    Radius: Length = 6 (0x06)
    Radius: Value (Hex) = 0x5
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 23 (0x17)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 17 (0x11)
    Radius: Value (String) =
    61 61 61 3a 73 65 72 76 69 63 65 3d 76 70 6e       |  aaa:service=vpn
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 30 (0x1E)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 24 (0x18)


    Radius: Value (String) =
    61 61 61 3a 65 76 65 6e 74 3d 61 63 6c 2d 64 6f    |  aaa:event=acl-do
    77 6e 6c 6f 61 64                                  |  wnload
    Radius: Type = 80 (0x50) Message-Authenticator
    Radius: Length = 18 (0x12)
    Radius: Value (String) =
    48 e3 85 df 60 38 a4 ac 55 bc 35 68 29 5d 85 d8    |  H...`8..U.5h)]..
    Radius: Type = 26 (0x1A) Vendor-Specific
    Radius: Length = 31 (0x1F)
    Radius: Vendor ID = 9 (0x00000009)
    Radius: Type = 1 (0x01) Cisco-AV-pair
    Radius: Length = 25 (0x19)
    Radius: Value (String) =
    69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e    |  ip:source-ip=10.
    30 2e 30 2e 31 30 30                               |  0.0.100
    Radius: Type = 31 (0x1F) Calling-Station-Id
    Radius: Length = 25 (0x19)
    Radius: Value (String) =
    69 70 3a 73 6f 75 72 63
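The raw packet data in the debug above can be decoded offline. The following Python, added here and not part of the workbook or of any Cisco code, parses the Access-Request (id 24) and its Access-Accept from the page's hex dumps, including the Cisco vendor-specific attribute that names the downloadable ACL, and implements the RFC 2865 User-Password obfuscation and the Response Authenticator computation behind the rad_vrfy() line. The hex bytes are the page's; the shared secret and request authenticator used in the roundtrip demonstration are constructed placeholders.

```python
"""Decoder for the raw RADIUS packets shown by 'debug radius' above, with the
RFC 2865 User-Password obfuscation and the Response Authenticator check that
the ASA logs as rad_vrfy().

Added example, not ASA or ACS code. The two hex dumps are copied from the page;
the secret and request authenticator in the roundtrip are constructed."""
import hashlib
import hmac
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
              6: "Service-Type", 8: "Framed-IP-Address", 25: "Class", 31: "Calling-Station-Id",
              61: "NAS-Port-Type", 80: "Message-Authenticator"}
CISCO_VENDOR_ID = 9

# Raw packet data copied from the page's debug output: Access-Request id 24 and its Access-Accept.
REQUEST_HEX = """
01 18 00 7a 1a 4b 28 41 e6 27 d4 7d 72 c3 40 79 be 1f 6c 35 01 0a 68 74 74 70 75 73 65 72 02 12
ef ae 05 e4 85 00 c5 a6 76 bd 25 32 7b 7b 57 2d 04 06 0a 00 00 0c 05 06 00 00 00 0d 3d 06 00 00
00 05 1a 1f 00 00 00 09 01 19 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 30 2e 30 2e 31 30
30 1f 19 69 70 3a 73 6f 75 72 63 65 2d 69 70 3d 31 30 2e 30 2e 30 2e 31 30 30
"""
RESPONSE_HEX = """
02 18 00 72 4f 0e 73 98 2d 78 ba 19 a9 16 69 ef 31 c7 ff f2 1a 3f 00 00 00 09 01 39 41 43 53 3a
43 69 73 63 6f 53 65 63 75 72 65 2d 44 65 66 69 6e 65 64 2d 41 43 4c 3d 23 41 43 53 41 43 4c 23
2d 49 50 2d 41 53 41 31 44 4c 2d 34 61 66 63 64 36 33 34 08 06 ff ff ff ff 19 19 43 41 43 53 3a
30 2f 31 37 35 37 62 2f 61 30 30 30 30 30 63 2f 31 33
"""


def parse_packet(raw):
    """Return {'code', 'id', 'authenticator', 'attrs'}; attrs is a list of (name, bytes).
    Every length is checked so a truncated or padded packet raises instead of
    being silently misread."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        value = raw[pos + 2:pos + alen]
        if atype == 26:                                   # Vendor-Specific
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vlen < 2 or 4 + vlen != len(value):
                raise ValueError("bad VSA sub-attribute length")
            name = "Cisco-AV-pair" if (vendor, vtype) == (CISCO_VENDOR_ID, 1) else f"VSA({vendor})/{vtype}"
            attrs.append((name, value[6:4 + vlen]))
        else:
            attrs.append((ATTR_NAMES.get(atype, f"Attr({atype})"), value))
        pos += alen
    return {"code": CODES.get(code, code), "id": ident, "authenticator": raw[4:20], "attrs": attrs}


def downloadable_acl_name(parsed):
    """ACS names the dACL to fetch in a Cisco-AV-pair 'ACS:CiscoSecure-Defined-ACL=...'."""
    for name, value in parsed["attrs"]:
        if name == "Cisco-AV-pair" and value.startswith(b"ACS:CiscoSecure-Defined-ACL="):
            return value.split(b"=", 1)[1].decode()
    return None


def obfuscate_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16n bytes, c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return bytes(out)


def deobfuscate_password(cipher, secret, request_auth):
    """Inverse of obfuscate_password: needs only the shared secret and the request authenticator."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(cipher), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], pad))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def response_authenticator(code, ident, attrs_bytes, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()


def verify_response(raw_response, request_auth, secret):
    """The rad_vrfy() check: the reply is accepted only if its authenticator matches."""
    expected = response_authenticator(raw_response[0], raw_response[1], raw_response[20:], request_auth, secret)
    return hmac.compare_digest(expected, raw_response[4:20])


if __name__ == "__main__":
    for pkt in (parse_packet(bytes.fromhex(REQUEST_HEX)), parse_packet(bytes.fromhex(RESPONSE_HEX))):
        print(pkt["code"], "id", pkt["id"])
        for name, value in pkt["attrs"]:
            print(f"  {name:22} {value!r}")
        print("  dACL to download:", downloadable_acl_name(pkt))
```

Two points the decoder makes visible. The User-Password attribute is only XORed with an MD5 stream derived from the shared secret and the request authenticator, so anyone holding the shared secret who sees this exchange recovers the password; aaa authentication secure-http-client protects the browser-to-ASA leg, while the ASA-to-ACS leg relies on the RADIUS secret and the trust in the inside network. And the Access-Accept is bound to its request only through the Response Authenticator, which the ASA checks before acting on the downloaded ACL name, so a weak or shared secret undermines the authorization decision as well as the password.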