implementing secure converged wide area networks (iscw)
DESCRIPTION
Implementing Secure Converged Wide Area Networks (ISCW). Configuring AAA on Cisco Routers. Lesson 11 – Module 5 – ‘Cisco Device Hardening’. Module Introduction. - PowerPoint PPT PresentationTRANSCRIPT
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 1
Implementing Secure Converged Wide Area Networks (ISCW)
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 2
Lesson 11 – Module 5 – ‘Cisco Device Hardening’
Configuring AAA on Cisco Routers
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 3
Module Introduction
The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.
Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 4
Objectives
At the completion of this eleventh lesson, you will be able to:
Describe what is meant by the term ‘triple A’
Explain how and why AAA should be used to secure router and switch access
Configure AAA using the IOS CLI and SDM
Describe the use of external AAA servers, including a brief overview of CSACS
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 5
Authentication, Authorisation & Accounting
It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components:
1. authentication,
2. authorisation, and
3. accounting
also known as AAA These AAA services provide a higher degree of scalability than
line-level and privileged-EXEC authentication to networking components
Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data
Using a Cisco AAA architecture enables consistent, systematic and scalable access security
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 6
The Three Components of AAA
Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption
Authorisation
Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 7
Authentication
Authentication is the way a user is identified prior to being allowed access to the network and network services
AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces
The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed
The only exception is the default method list (“default”). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.
All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 8
Authorisation
Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform
These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions
The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server
As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 9
Accounting
Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes
Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming
With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records
Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing
All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 10
Access Control
In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions
If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server
Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 11
Implementing AAA
Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:
1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication)
2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication
3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication
There are also open source AAA servers available that work in conjunction with Cisco IOS devices
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 12
Implementing AAA
Administrative access: Console, Telnet, and AUX access
Remote user network access: Dialup or VPN access
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 13
Router Access Modes
All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA)
If the query is presented as Service-Type = Exec-User, the query is presented in character mode
If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is presented in packet mode.
Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method
Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements.
With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 14
Router Access Modes
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 15
AAA Protocols: RADIUS and TACACS+
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 16
AAA Protocols: RADIUS and TACACS+
The best-known and best-used types of AAA protocols are TACACS+ and RADIUS
TACACS+ and RADIUS have different features that make them suitable for different situations
RADIUS is maintained by a standard that was created by the IETF
TACACS+ is a proprietary Cisco Systems technology that encrypts data
TACACS+ runs over TCP - RADIUS runs over UDP
TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot
Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 17
RADIUS Features
Radius is an IETF standard protocol - RFC 2865
Standard attributes can be augmented by proprietary attributes:
Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS
Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default)
It includes only two security features:
1.Encryption of passwords (MD5 encryption)
2.Authentication of packets (MD5 fingerprinting)
Authorisation is only possible as part of authentication
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 18
RADIUS Authentication and Authorisation
The example shows how RADIUS exchange starts once the NAS is in possession of the username and password
The ACS can reply with Access-Accept message, or Access-Reject if authentication is not successful
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 19
RADIUS Messages
There are four types of messages involved in a RADIUS authentication exchange:
1. Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port
2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
3. Access-Accept: The positive answer if the user information is valid
4. Access-Reject: Sent as a negative reply if the user information is invalid
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 20
RADIUS AV Pairs
RADIUS messages contain zero or more AV-pairs, for example:1. User-Name
2. User-Password (this is the only encrypted entity in RADIUS)
3. CHAP-Password
4. Service-Type
5. Framed-IP-Address
There are approximately 50 standard-based attributes (RFC 2865) RADIUS allows proprietary attributes Basic attributes are used for authentication purposes Most other attributes are used in the authorisation process Cisco has added several vendor-specific attributes on the server
side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility
Accounting information is sent within special RADIUS accounting messages
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 21
TACACS+ Attributes and Features The TACACS+ protocol is much more flexible than the RADIUS
communication. TACACS+ protocol permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated
TACACS+ messages contain AV-pairs, such as:1. ACL
2. ADDR
3. CMD
4. Interface-Config
5. Priv-Lvl
6. Route
TACACS+ uses TCP on well-known port number 49 TACACS+ establishes a dedicated TCP session for every AAA
action Cisco Secure ACS can use one persistent TCP session for all
actions Protocol security includes authentication and encryption of all
TACACS+ datagrams
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 22
TACACS+ Authentication
The example shows how TACACS+ exchange starts before the user is prompted for username and password.
The prompt text can be supplied by the TACACS+ server.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 23
TACACS+ Network Authorisation
The example shows the process of network authorisation that starts after successful authentication.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 24
TACACS+ Command Authorisation
The example illustrates the command authorisation process that repeatedly starts for every command that requires authorisation (based on command privilege level).
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 25
Configuring the AAA Server
These are the first steps in configuring the network access server:
Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server
Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 26
Configuring the AAA Server
TACACS+
RADIUS
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 27
AAA Configuration Commands
Command Description
aaa new-model Enables AAA on the router. Prerequisite for all other AAA commands.
tacacs-server host ip-address single-connection
Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default).
tacacs-server key key Establishes the shared secret encryption key between the network access server and the Cisco Secure ACS server.
radius-server host ip-address
Specifies a RADIUS AAA server.
radius-server key key Specifies an encryption key to be used with the RADIUS AAA server.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 28
AAA Authentication Commands
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]
Router(config)#
• Use this command to configure the authentication process
Router(config)#aaa authentication login default group tacacs+ local line
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 29
aaa authentication login Parameters
Parameter Description
default This command creates a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication.
list-name This command creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply the defined list to a specific line or interface.
group group-namegroup radiusgroup tacacs+
These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 30
aaa authentication login Parameters (Cont.)
Parameter Description
method2method3method4
This command executes authentication methods in the order that the methods are listed. If an authentication method returns an error, such as a timeout, the Cisco IOS software attempts to execute the next method. If the authentication fails, access is denied. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes:
- enable: Uses the enable password for authentication- group: Uses server-group- krb5: Uses Kerberos Version 5 for authentication- line: Uses the line password for authentication- local: Uses the local username and password database for
authentication- local-case: Uses case-sensitive local username authentication- none: Uses no authentication
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 31
Configuring AAA Authentication Using TACACS+
Command Description
aaa authentication login default group tacacs+ local
The default login is TACACS+ server. If there is no response from the server, then use the local username and password database.
aaa authentication login my_list group tacacs+
Used for character mode username and password challenge. A new list name, my_list, is defined, and the only method is TACACS+.
line con 0 Enters console configuration mode.
login authentication my_list
Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+.
line 1 48 login authentication my_list
Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+.
line vty 0 4 On lines vty 0 through 4, the default list is used, which in this case specifies the aaa authentication login default tacacs+ local command.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 32
Character Mode Login Example
Router#show running-config...aaa new-modelaaa authentication login default group tacacs+ localaaa authentication login my_list group tacacs+...line con 0line aux 0line vty 0 4 login authentication my_list
• Because the authentication has not been specified for line con 0 and aux 0, the default option is used
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 33
Enabling AAA in SDM
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 34
Confirming the AAA Activation
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 35
Defining RADIUS Servers
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 36
Defining TACACS+ Servers
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 37
Creating a Login Authentication Policy
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 38
Configuring a Login Authentication Policy
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 39
Creating an EXEC Authorisation Policy
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 40
Configuring an EXEC Authorisation Policy
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 41
Creating Local User Accounts
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 42
Configuring VTY Line Parameters
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 43
Applying Authentication Policy to VTY Lines
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 44
Applying Authorisation Policy to VTY Lines
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 45
Verifying AAA Login Authentication Commands
aaa new-model!aaa authentication login default localaaa authentication login radius_local group radius group radiusaaa authorization exec default local! username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1!tacacs-server host 10.1.1.10 single-connection key secrettacacsradius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius! line vty 0 4login authentication radius_local
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 46
Troubleshoot AAA Login Authentication on Cisco Routers
Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication
The command displays debugging messages on authentication functions
debug aaa authentication
router#
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 47
‘AAA Authorization’ Commands
The access server can be configured to restrict the user to perform certain functions only after successful authentication
Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation
Troubleshooting Authorization
To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode.
Use the no debug aaa authorization form of the command to disable this debug mode.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 48
‘AAA Authorization’ Commands
aaa authorization {network | exec | commands level | config-commands | reverse-access} {default|list-name} method1 [method2...]
router(config)#
router(config)#aaa authorization exec default group radius local none
Example:
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 49
AAA Accounting Commands
Use the aaa accounting command in global configuration mode for auditing and billing purposes..
Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place.
The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality.
Accounting tracks events that occur on the network.
Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 50
AAA Accounting Commands
aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}
router(config)#
R2(config)#aaa accounting exec default start-stop group tacacs+
Example:
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 51
AAA Accounting Example
R2#show running-config | begin aaaaaa new-model!aaa authentication login default group tacacs+ localaaa authorization exec default group tacacs+ local aaa accounting exec default start-stop group tacacs+...tacacs-server host 10.1.1.3tacacs-server key SeCrEtKeY...
The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network. The next slide shows a TACACS+ report from Windows ACS
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 52
TACACS+ Reports and Activity
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 53
Troubleshooting Accounting
debug aaa accounting
router#
• Use this command to help troubleshoot AAA accounting problems.
R2#debug aaa accounting16:49:21: AAA/ACCT: EXEC acct start, line 1016:49:32: AAA/ACCT: Connect start, line 10, glare16:49:47: AAA/ACCT: Connection acct stop:task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 54