Implementing Secure Converged Wide Area Networks (ISCW)
© 2007 Cisco Systems, Inc. All rights reserved. ISCW-Mod5_L11 1 Implementing Secure Converged Wide Area Networks (ISCW)


DESCRIPTION

Implementing Secure Converged Wide Area Networks (ISCW). Configuring AAA on Cisco Routers. Lesson 11 – Module 5 – ‘Cisco Device Hardening’. Module Introduction. - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Implementing Secure Converged Wide Area Networks (ISCW)


Implementing Secure Converged Wide Area Networks (ISCW)

Page 2: Implementing Secure Converged Wide Area Networks (ISCW)


Lesson 11 – Module 5 – ‘Cisco Device Hardening’

Configuring AAA on Cisco Routers

Page 3: Implementing Secure Converged Wide Area Networks (ISCW)


Module Introduction

The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.

Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.

Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

Page 4: Implementing Secure Converged Wide Area Networks (ISCW)


Objectives

At the completion of this eleventh lesson, you will be able to:

Describe what is meant by the term ‘triple A’

Explain how and why AAA should be used to secure router and switch access

Configure AAA using the IOS CLI and SDM

Describe the use of external AAA servers, including a brief overview of CSACS

Page 5: Implementing Secure Converged Wide Area Networks (ISCW)


Authentication, Authorisation & Accounting

It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components:

1. authentication,

2. authorisation, and

3. accounting

also known as AAA. These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication on networking components

Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data

Using a Cisco AAA architecture enables consistent, systematic and scalable access security

Page 6: Implementing Secure Converged Wide Area Networks (ISCW)


The Three Components of AAA

Authentication

Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption

Authorisation

Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet

Accounting

Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes

Page 7: Implementing Secure Converged Wide Area Networks (ISCW)


Authentication

Authentication is the way a user is identified prior to being allowed access to the network and network services

AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces

The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed

The only exception is the default method list (named “default”). The default method list is automatically applied to all lines and interfaces except those that have a named method list explicitly applied; a named method list overrides the default on the line or interface it is applied to.

All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA

Page 8: Implementing Secure Converged Wide Area Networks (ISCW)


Authorisation

Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet

AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform

These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions

The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server

As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces

Page 9: Implementing Secure Converged Wide Area Networks (ISCW)


Accounting

Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes

Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming

With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records

Each accounting record consists of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing

All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces

Page 10: Implementing Secure Converged Wide Area Networks (ISCW)


Access Control

In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions

If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server

Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA

Page 11: Implementing Secure Converged Wide Area Networks (ISCW)


Implementing AAA

Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:

1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication)

2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication

3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication

There are also open source AAA servers available that work in conjunction with Cisco IOS devices

Page 12: Implementing Secure Converged Wide Area Networks (ISCW)


Implementing AAA

Administrative access: Console, Telnet, and AUX access

Remote user network access: Dialup or VPN access

Page 13: Implementing Secure Converged Wide Area Networks (ISCW)


Router Access Modes

All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA)

If the query is presented as Service-Type = Exec-User, the query is presented in character mode

If the request is presented as Service-Type = Framed-User and Framed-Protocol = PPP, the request is presented in packet mode.

Character mode (EXEC login) is what lets a network administrator who manages a large number of routers authenticate once, with a single set of credentials held on the AAA server, and then access every router that is configured to use that server, instead of maintaining separate passwords on each device

Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements.

With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server

Page 14: Implementing Secure Converged Wide Area Networks (ISCW)


Router Access Modes

Page 15: Implementing Secure Converged Wide Area Networks (ISCW)


AAA Protocols: RADIUS and TACACS+

Page 16: Implementing Secure Converged Wide Area Networks (ISCW)


AAA Protocols: RADIUS and TACACS+

The best-known and most widely used AAA protocols are TACACS+ and RADIUS

TACACS+ and RADIUS have different features that make them suitable for different situations

RADIUS is maintained by a standard that was created by the IETF

TACACS+ is a Cisco Systems technology (the specification was published as an Internet draft and later as RFC 8907) that obfuscates the entire packet body with a keystream derived from the shared key; RADIUS protects only the password attribute

TACACS+ runs over TCP - RADIUS runs over UDP

TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. Because it keeps authorisation as a separate exchange, TACACS+ can authorise individual EXEC commands; RADIUS returns all authorisation attributes inside the Access-Accept and cannot authorise commands one at a time

Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos

Page 17: Implementing Secure Converged Wide Area Networks (ISCW)


RADIUS Features

RADIUS is an IETF standard protocol - RFC 2865 (accounting is in RFC 2866)

Standard attributes can be augmented by proprietary attributes:

The Vendor-Specific attribute (type 26) lets a vendor carry its own attributes; Cisco uses it (vendor ID 9, cisco-avpair) to carry TACACS+-style AV pairs such as shell:priv-lvl over RADIUS

Uses UDP on standard port numbers (1812 for authentication and 1813 for accounting; Cisco IOS and CSACS default to the legacy 1645 and 1646)

It includes only two security features:

1. Hiding of the User-Password attribute: the password is XORed with MD5(shared secret + Request Authenticator) chained block by block. This is obfuscation keyed by the shared secret, not encryption in the usual sense, and no other attribute is protected

2. Authentication of server replies: the Response Authenticator is MD5 over the reply, the Request Authenticator and the shared secret. Requests themselves are not authenticated unless the Message-Authenticator attribute (RFC 2869) is used

Authorisation is only possible as part of authentication

Page 18: Implementing Secure Converged Wide Area Networks (ISCW)


RADIUS Authentication and Authorisation

The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password

The ACS can reply with an Access-Accept message, or Access-Reject if authentication is not successful

Page 19: Implementing Secure Converged Wide Area Networks (ISCW)


RADIUS Messages

There are four types of messages involved in a RADIUS authentication exchange:

1. Access-Request: Contains AV pairs for the username, password (the only attribute that RADIUS hides; see the RADIUS Features slide), and additional information such as the NAS port

2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

3. Access-Accept: The positive answer if the user information is valid

4. Access-Reject: Sent as a negative reply if the user information is invalid
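The two security features listed on the RADIUS Features slide, and the Access-Request/Access-Accept exchange listed above, are short enough to show in working code. The following is an added example written for this page, not code from the lesson or from Cisco: it implements the RFC 2865 User-Password hiding scheme, builds an Access-Request, and performs the Response Authenticator check a NAS must make before trusting an Access-Accept. The shared secret, identifier and Request Authenticator values are constructed for the demonstration.

```python
"""RADIUS (RFC 2865) Access-Request construction, User-Password hiding and
Response Authenticator verification. Constructed example; secret, identifier
and Request Authenticator values used below are made up for the demonstration."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad the password with NULs to a multiple of 16 bytes and
    XOR each 16-byte block with MD5(secret + previous ciphertext block); the
    first block is XORed with MD5(secret + Request Authenticator). This is a
    keystream obfuscation keyed by the shared secret, not encryption in the
    usual sense, and it is the only protection RADIUS gives any attribute."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte), Length (1 byte, includes the 2 header bytes), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code, Identifier, Length (20 + attributes), 16-byte Authenticator, attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         ident: int, request_auth: bytes = None) -> bytes:
    """What the NAS sends once it holds the username and password. The Request
    Authenticator must be fresh and unpredictable: it keys the password hiding."""
    request_auth = request_auth or os.urandom(16)
    attrs = (encode_attr(ATTR_USER_NAME, username)
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept / Access-Reject / Access-Challenge answering a given request."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return build_packet(code, ident, auth, attrs)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """The check a NAS must make before acting on an Access-Accept: the reply's
    Identifier matches an outstanding request and its Response Authenticator was
    computed with the shared secret over that request's Request Authenticator.
    Without it a spoofed Access-Accept from any host would grant access."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    secret = b"secretradius"                        # constructed shared secret
    req = build_access_request(b"joe", b"ciscopass", secret, ident=7)
    accept = build_response(ACCESS_ACCEPT, req, secret)
    print("Access-Request:", req.hex())
    print("genuine Access-Accept verifies:", verify_response(accept, req, secret))
    forged = accept[:4] + bytes(16) + accept[20:]   # attacker without the secret
    print("forged Access-Accept verifies:", verify_response(forged, req, secret))
```

The password hiding is reversible by anyone who holds the shared secret and can see the Request Authenticator on the wire, which is why the secret must be long and per-NAS and why RADIUS traffic belongs on a management network or inside IPsec.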

Page 20: Implementing Secure Converged Wide Area Networks (ISCW)


RADIUS AV Pairs

RADIUS messages contain zero or more AV-pairs, for example:

1. User-Name

2. User-Password (the only attribute RADIUS protects; it is hidden with the MD5-based scheme, not encrypted in the usual sense)

3. CHAP-Password

4. Service-Type

5. Framed-IP-Address

There are approximately 50 standards-based attributes (RFC 2865). RADIUS allows proprietary attributes. Basic attributes are used for authentication purposes; most other attributes are used in the authorisation process. Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility

Accounting information is sent within special RADIUS accounting messages (Accounting-Request and Accounting-Response, RFC 2866)

Page 21: Implementing Secure Converged Wide Area Networks (ISCW)


TACACS+ Attributes and Features

The TACACS+ protocol is much more flexible than RADIUS communication. TACACS+ permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated

TACACS+ messages contain AV-pairs, such as:

1. ACL

2. ADDR

3. CMD

4. Interface-Config

5. Priv-Lvl

6. Route

TACACS+ uses TCP on well-known port number 49

TACACS+ establishes a dedicated TCP session for every AAA action; Cisco Secure ACS can use one persistent TCP session for all actions (the single-connection feature)

Protocol security: the body of every TACACS+ packet is obfuscated with an MD5 keystream derived from the shared key, the session ID and the sequence number (the 12-byte header stays in clear). Possession of the key is what authenticates the peer; there is no separate integrity check on the packet
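To make the header/body split and the keyed obfuscation concrete, here is an added example written for this page (not code from the lesson or from Cisco). It frames a TACACS+ packet as specified in RFC 8907, applies the MD5 pseudo-pad to the body, and builds the Authentication START body for an ASCII login. The shared key, session ID, user and port values are constructed for the demonstration.

```python
"""TACACS+ packet framing and body obfuscation as specified in RFC 8907.
Constructed example: key, session id and user/port values are made up."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body sent in clear (no key configured)
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # the single-connection feature the slides mention
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length
TAC_PLUS_AUTHEN_LOGIN = 1
TAC_PLUS_AUTHEN_TYPE_ASCII = 1
TAC_PLUS_AUTHEN_SVC_LOGIN = 1


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate and
    truncate to the body length. Only session_id and seq_no vary per packet,
    and there is no integrity tag: the header is in clear, the body only XORed."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo pad; the same call both hides and reveals a body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(pkt_type: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, flags: int = 0) -> bytes:
    """Frame a body. With an empty key the body goes in clear and the UNENCRYPTED
    flag is set, which is how a device with no tacacs-server key looks on the wire."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    if key:
        body = obfuscate(body, session_id, key, version, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    return HEADER.pack(version, pkt_type, seq_no, flags, session_id, len(body)) + body


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Split header from body and reveal the body when it was obfuscated.
    A wrong key does not raise; it yields garbage, so a real server still
    has to sanity-check the decoded fields before acting on them."""
    if len(packet) < HEADER.size:
        raise ValueError("short TACACS+ packet")
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes,
                      priv_lvl: int = 1, data: bytes = b"") -> bytes:
    """RFC 8907 s5.1 Authentication START for an ASCII login: the first message
    of the exchange, sent before the user is prompted; the server's REPLY then
    carries the prompt text, as the TACACS+ Authentication slide describes."""
    return struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(data)) + user + port + rem_addr + data


if __name__ == "__main__":
    key = b"SeCrEtKeY"                                  # constructed shared key
    body = authen_start_body(b"joe", b"tty10", b"172.31.3.78")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body, key)
    print("header in clear:", pkt[:12].hex(), "obfuscated body:", pkt[12:].hex())
    print("round-trip with the right key:", parse_packet(pkt, key)["body"] == body)
    print("wrong key yields garbage:", parse_packet(pkt, b"wrong")["body"] != body)
```

Because the keystream depends only on the key, the session ID and the sequence number, a captured session can be decoded offline by anyone who later learns the key; as with RADIUS, keep TACACS+ on a management network or inside IPsec, and never run it with the unencrypted flag set.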

Page 22: Implementing Secure Converged Wide Area Networks (ISCW)


TACACS+ Authentication

The example shows how the TACACS+ exchange starts before the user is prompted for username and password.

The prompt text can be supplied by the TACACS+ server.

Page 23: Implementing Secure Converged Wide Area Networks (ISCW)


TACACS+ Network Authorisation

The example shows the process of network authorisation that starts after successful authentication.

Page 24: Implementing Secure Converged Wide Area Networks (ISCW)


TACACS+ Command Authorisation

The example illustrates the command authorisation process that repeatedly starts for every command that requires authorisation (based on command privilege level).

Page 25: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring the AAA Server

These are the first steps in configuring the network access server:

Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.

Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server

Configure the shared secret key that will be used to protect the data transfer between the network access server and the Cisco Secure ACS; it must match the key configured on the server for this NAS

Page 26: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring the AAA Server

TACACS+

RADIUS

Page 27: Implementing Secure Converged Wide Area Networks (ISCW)


AAA Configuration Commands 

Command / Description

aaa new-model
    Enables AAA on the router. Prerequisite for all other AAA commands.

tacacs-server host ip-address single-connection
    Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default).

tacacs-server key key
    Establishes the shared secret key between the network access server and the Cisco Secure ACS server.

radius-server host ip-address
    Specifies a RADIUS AAA server.

radius-server key key
    Specifies the shared secret key to be used with the RADIUS AAA server.

Page 28: Implementing Secure Converged Wide Area Networks (ISCW)


AAA Authentication Commands

Router(config)#aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]

• Use this command to configure the authentication process. Example:

Router(config)#aaa authentication login default group tacacs+ local line

Page 29: Implementing Secure Converged Wide Area Networks (ISCW)


aaa authentication login Parameters 

Parameter / Description

default
    Creates a default list that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication.

list-name
    Creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply the defined list to a specific line or interface.

group group-name / group radius / group tacacs+
    These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).

Page 30: Implementing Secure Converged Wide Area Networks (ISCW)


aaa authentication login Parameters (Cont.)

Parameter / Description

method2, method3, method4
    Authentication methods are executed in the order in which they are listed. If a method returns an error (for example, the server times out or is unreachable), the Cisco IOS software attempts the next method. If a method returns a failure (the credentials were checked and rejected), access is denied and no further method is tried. If every method returns an error, access is also denied. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes:

- enable: Uses the enable password for authentication
- group: Uses a server group
- krb5: Uses Kerberos Version 5 for authentication
- line: Uses the line password for authentication
- local: Uses the local username and password database for authentication
- local-case: Uses case-sensitive local username authentication
- none: Uses no authentication (a list ending in none grants access whenever the earlier methods return an error)

Page 31: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring AAA Authentication Using TACACS+

Command / Description

aaa authentication login default group tacacs+ local
    The default login method list: try the TACACS+ server group first; if there is no response from the server, use the local username and password database.

aaa authentication login my_list group tacacs+
    Used for character mode username and password challenge. A new list name, my_list, is defined, and the only method is TACACS+. Because my_list has no fallback method, a line that uses it cannot be logged into while the TACACS+ servers are unreachable.

line con 0
    Enters console configuration mode.

login authentication my_list
    Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+.

line 1 48
login authentication my_list
    Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+.

line vty 0 4
    On lines vty 0 through 4 no list is applied, so the default list is used, which in this case is aaa authentication login default group tacacs+ local.

Page 32: Implementing Secure Converged Wide Area Networks (ISCW)


Character Mode Login Example

Router#show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
 login authentication my_list

• Because no login authentication list has been applied to line con 0 and line aux 0, the default list is used on those lines; the vty lines use my_list
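The error-versus-failure rule on the aaa authentication login parameters slide, and the way the running-config above resolves which list each line uses, are the two things most often misread when reviewing an AAA configuration. The following is an added example written for this page (not code from the lesson or from Cisco): it parses the method-list lines out of a running-config, simulates the fallback rule, and flags the two patterns a reviewer looks for first, a list with no local fallback (lockout when the servers are down) and a list ending in none (open access when the servers are down). The configuration text inside it is constructed after the lesson's own snippets.

```python
"""Parse IOS AAA method lists from a running-config and simulate the
fallback rule: ERROR (no answer) moves to the next method, FAIL (rejected)
and PASS are final. Added example; the config text below is constructed
after the lesson's own snippets and is not a real device's configuration."""
import re
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method answered and accepted the user
    FAIL = "fail"    # method answered and rejected the user
    ERROR = "error"  # method could not answer (server timeout or unreachable)


# "aaa authentication login <list> <methods>" and "aaa authorization exec <list> <methods>"
LINE_RE = re.compile(r"^\s*aaa (authentication login|authorization exec) (\S+) (.+?)\s*$", re.M)

CONSTRUCTED_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
aaa authorization exec default group radius local none
line con 0
line vty 0 4
 login authentication my_list
"""


def parse_method_lists(config: str) -> dict:
    """Return {(kind, list_name): [method, ...]}. 'group tacacs+', 'group radius'
    and 'group NAME' count as one method each, as IOS treats them."""
    lists = {}
    for kind, name, rest in LINE_RE.findall(config):
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[(kind, name)] = methods
    return lists


def evaluate(methods: list, outcomes: dict) -> tuple:
    """Walk the list in order. `outcomes` maps a method to what it would return
    for this attempt; a method absent from it is treated as ERROR. 'none' always
    passes. Exhausting the list denies access. Returns (decision, method_used)."""
    for m in methods:
        if m == "none":
            return Result.PASS, m
        r = outcomes.get(m, Result.ERROR)
        if r is Result.ERROR:
            continue            # try the next configured method
        return r, m             # PASS or FAIL ends the evaluation
    return Result.FAIL, None


def audit(lists: dict) -> list:
    """Flag the two configurations a reviewer looks for first."""
    findings = []
    for (kind, name), methods in lists.items():
        if "none" in methods:
            findings.append(f"{kind} {name}: 'none' is a method, so when the "
                            f"preceding methods return ERROR access is granted with no check")
        if all(m.startswith("group ") for m in methods):
            findings.append(f"{kind} {name}: only server groups, so every line using "
                            f"it is locked out while the servers are unreachable")
    return findings


if __name__ == "__main__":
    lists = parse_method_lists(CONSTRUCTED_CONFIG)
    for key, methods in lists.items():
        print(key, methods)
    # TACACS+ down, local database answers: the default list falls back and passes
    print(evaluate(lists[("authentication login", "default")],
                   {"group tacacs+": Result.ERROR, "local": Result.PASS}))
    # TACACS+ rejects the password: local is never consulted
    print(evaluate(lists[("authentication login", "default")],
                   {"group tacacs+": Result.FAIL, "local": Result.PASS}))
    for f in audit(lists):
        print("finding:", f)
```

The simulation takes the per-method outcome as input rather than modelling each method, because the point is the ordering rule: a rejection from the first server that answers is final, and only silence moves IOS down the list.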

Page 33: Implementing Secure Converged Wide Area Networks (ISCW)


Enabling AAA in SDM

Page 34: Implementing Secure Converged Wide Area Networks (ISCW)


Confirming the AAA Activation

Page 35: Implementing Secure Converged Wide Area Networks (ISCW)


Defining RADIUS Servers

Page 36: Implementing Secure Converged Wide Area Networks (ISCW)


Defining TACACS+ Servers

Page 37: Implementing Secure Converged Wide Area Networks (ISCW)


Creating a Login Authentication Policy

Page 38: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring a Login Authentication Policy

Page 39: Implementing Secure Converged Wide Area Networks (ISCW)


Creating an EXEC Authorisation Policy

Page 40: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring an EXEC Authorisation Policy

Page 41: Implementing Secure Converged Wide Area Networks (ISCW)


Creating Local User Accounts

Page 42: Implementing Secure Converged Wide Area Networks (ISCW)


Configuring VTY Line Parameters

Page 43: Implementing Secure Converged Wide Area Networks (ISCW)


Applying Authentication Policy to VTY Lines

Page 44: Implementing Secure Converged Wide Area Networks (ISCW)


Applying Authorisation Policy to VTY Lines

Page 45: Implementing Secure Converged Wide Area Networks (ISCW)


Verifying AAA Login Authentication Commands

aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
 login authentication radius_local

Page 46: Implementing Secure Converged Wide Area Networks (ISCW)


Troubleshoot AAA Login Authentication on Cisco Routers

Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication

The command displays debugging messages on authentication functions

router#debug aaa authentication

Page 47: Implementing Secure Converged Wide Area Networks (ISCW)


‘AAA Authorization’ Commands

The access server can be configured to restrict the user to perform certain functions only after successful authentication

Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation

Troubleshooting Authorization

To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode.

Use the no debug aaa authorization form of the command to disable this debug mode.

Page 48: Implementing Secure Converged Wide Area Networks (ISCW)


‘AAA Authorization’ Commands

router(config)#aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]

Example:

router(config)#aaa authorization exec default group radius local none

In this example the RADIUS server group is consulted first, then the local database; if both return an error (for instance, the server is unreachable) the trailing none method grants EXEC authorisation without any check. Leave none off any list that is applied to lines reachable from the network.

Page 49: Implementing Secure Converged Wide Area Networks (ISCW)


AAA Accounting Commands

Use the aaa accounting command in global configuration mode for auditing and billing purposes.

Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place.

The Cisco Secure ACS serves as a central repository for accounting information, completing the access control functionality.

Accounting tracks events that occur on the network.

Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.

Page 50: Implementing Secure Converged Wide Area Networks (ISCW)


AAA Accounting Commands

router(config)#aaa accounting {commands level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}

Example:

R2(config)#aaa accounting exec default start-stop group tacacs+

Page 51: Implementing Secure Converged Wide Area Networks (ISCW)


AAA Accounting Example

R2#show running-config | begin aaa
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host 10.1.1.3
tacacs-server key SeCrEtKeY
...

With this configuration every EXEC session on R2 produces a start and a stop accounting record on the TACACS+ server at 10.1.1.3. The next slide shows a TACACS+ report from Windows ACS

Page 52: Implementing Secure Converged Wide Area Networks (ISCW)


TACACS+ Reports and Activity

Page 53: Implementing Secure Converged Wide Area Networks (ISCW)


Troubleshooting Accounting

debug aaa accounting

router#

• Use this command to help troubleshoot AAA accounting problems.

R2#debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Page 54: Implementing Secure Converged Wide Area Networks (ISCW)
