© 2009 Cisco Learning Institute. CCNA Security, Chapter Three: Authentication, Authorization, and Accounting
Slide 2: Lesson Planning
• This lesson should take 3-6 hours to present
• The lesson should include lecture, demonstrations, discussion and assessment
• The lesson can be taught in person or using remote instruction
Slide 3: Major Concepts
• Describe the purpose of AAA and the various implementation techniques
• Implement AAA using the local database
• Implement AAA using TACACS+ and RADIUS protocols
• Implement AAA Authorization and Accounting
Slide 4: Lesson Objectives
Upon completion of this lesson, the successful participant will be able to:
1. Describe the importance of AAA as it relates to authentication, authorization, and accounting
2. Configure AAA authentication using a local database
3. Configure AAA using a local database in SDM
4. Troubleshoot AAA using a local database
5. Explain server-based AAA
6. Describe and compare the TACACS+ and RADIUS protocols
Slide 5: Lesson Objectives (continued)
7. Describe the Cisco Secure ACS for Windows software
8. Describe how to configure Cisco Secure ACS for Windows as a TACACS+ server
9. Configure server-based AAA authentication on Cisco routers using CLI
10. Configure server-based AAA authentication on Cisco routers using SDM
11. Troubleshoot server-based AAA authentication using Cisco Secure ACS
12. Configure server-based AAA Authorization using Cisco Secure ACS
13. Configure server-based AAA Accounting using Cisco Secure ACS
Slide 6: Authentication, Authorization and Accounting
• Purpose of AAA
• Configuring Local AAA Authentication
• Introduction to Server-Based AAA
Slide 7: Purpose of AAA
• AAA Overview
• AAA Components
Slide 8: AAA Overview
• Authentication
• AAA Access Security
Slide 9: Authentication – Password-Only
• Uses a login and password combination on access lines
• Easiest to implement, but the least secure method
• Vulnerable to brute-force attacks
• Provides no accountability
Password-Only Method:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords
Slide 10: Authentication – Local Database
• Creates an individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device
• Provides no fallback authentication method
Local Database Method:
R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local

User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid
Slide 11: AAA Access Security
• Authentication: Who are you?
• Authorization: Which resources is the user allowed to access, and which operations is the user allowed to perform?
• Accounting: What did you spend it on?
Slide 12: AAA Components
• AAA Access Methods
• AAA Authorization
• AAA Accounting
Slide 13: Access Methods
• Character Mode: a user sends a request to establish an EXEC mode process with the router for administrative purposes
• Packet Mode: a user sends a request to establish a connection through the router with a device on the network
Slide 14: Self-Contained AAA Authentication
• Used for small networks
• Stores usernames and passwords locally in the Cisco router
Self-Contained AAA (figure: Remote Client and AAA Router, steps 1-3):
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and the user is authorized to access the network based on information in the local database.
Slide 15: Server-Based AAA Authentication
• Uses an external database server:
  - Cisco Secure Access Control Server (ACS) for Windows Server
  - Cisco Secure ACS Solution Engine
  - Cisco Secure ACS Express
• More appropriate if there are multiple routers
Server-Based AAA (figure: Remote Client, AAA Router and Cisco Secure ACS Server, steps 1-4):
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.
Slide 16: AAA Authorization
• Typically implemented using an AAA server-based solution
• Uses a set of attributes that describes user access to the network
1. When a user has been authenticated, a session is established with an AAA server.
2. The router requests authorization for the requested service from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.
Slide 17: AAA Accounting
• Implemented using an AAA server-based solution
• Keeps a detailed log of what an authenticated user does on a device
1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded, ending the accounting process.
Slide 18: Configuring Local AAA Authentication
• Using a Local Database
• Using a Local Database in SDM
• Troubleshooting using a Local Database
Slide 19: Using a Local Database
• Local AAA Authentication
• CLI AAA Authentication Commands
• Sample Configuration
Slide 20: Local AAA Authentication Commands
To authenticate administrator access (character mode access):
1. Add usernames and passwords to the local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
R1(config)# aaa local authentication attempts max-fail 10
Slide 21: Additional Commands
• aaa authentication enable: enables AAA for EXEC mode access
• aaa authentication ppp: enables AAA for PPP network access
Slide 22: AAA Authentication Command Elements
router(config)# aaa authentication login {default | list-name} method1 ... [method4]
Command elements:
• default: Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in
• list-name: Character string used to name the list of authentication methods activated when a user logs in
• password-expiry: Enables password aging on a local authentication list
• method1 [method2...]: Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.
Slide 23: Method Type Keywords
• enable: Uses the enable password for authentication. This keyword cannot be used.
• krb5: Uses Kerberos 5 for authentication.
• krb5-telnet: Uses the Kerberos 5 telnet authentication protocol when using Telnet to connect to the router.
• line: Uses the line password for authentication.
• local: Uses the local username database for authentication.
• local-case: Uses case-sensitive local username authentication.
• none: Uses no authentication.
• cache group-name: Uses a cache server group for authentication.
• group radius: Uses the list of all RADIUS servers for authentication.
• group tacacs+: Uses the list of all TACACS+ servers for authentication.
• group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
Slide 24: Additional Security
router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]

R1# show aaa local user lockout
Local-user    Lock time
JR-ADMIN      04:28:49 UTC Sat Dec 27 2008

R1# show aaa sessions
Total sessions since last reload: 4
Session Id: 1
   Unique Id: 175
   User Name: ADMIN
   IP Address: 192.168.1.10
   Idle Time: 0
   CT Call Handle: 0
Slide 25: Sample Configuration
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
Slide 26: Using a Local Database in SDM
• Verifying AAA Authentication
• Using SDM
• Configuring for Login Authentication
Slide 27: Verifying AAA Authentication
• AAA is enabled by default in SDM
• To verify or enable/disable AAA, choose Configure > Additional Tasks > AAA
Slide 28: Using SDM
1. Select Configure > Additional Tasks > Router Access > User Accounts/View
2. Click Add
3. Enter username and password
4. Choose 15
5. Check the box and select a view
6. Click OK
Slide 29: Configure Login Authentication
1. Select Configure > Additional Tasks > AAA > Authentication Policies > Login and click Add
2. Verify that Default is selected
3. Click Add
4. Choose local
5. Click OK
6. Click OK
Slide 30: Troubleshooting
• The debug aaa Command
• Sample Output
Slide 31: The debug aaa Command
R1# debug aaa ?
  accounting           Accounting
  administrative       Administrative
  api                  AAA api events
  attr                 AAA Attr Manager
  authentication       Authentication
  authorization        Authorization
  cache                Cache activities
  coa                  AAA CoA processing
  db                   AAA DB Manager
  dead-criteria        AAA Dead-Criteria Info
  id                   AAA Unique Id
  ipc                  AAA IPC
  mlist-ref-count      Method list reference counts
  mlist-state          Information about AAA method list state change and notification
  per-user             Per-user attributes
  pod                  AAA POD processing
  protocol             AAA protocol processing
  server-ref-count     Server handle reference counts
  sg-ref-count         Server group handle reference counts
  sg-server-selection  Server Group Server Selection
  subsys               AAA Subsystem
  testing              Info. about AAA generated test packets
R1# debug aaa
Slide 32: Sample Output
R1# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
Slide 33: Introduction to Server-Based AAA
• Server-Based AAA
• AAA Communication Protocols
• Cisco Secure ACS
• Configuring Cisco Secure ACS
• Cisco Secure ACS Administrative Tasks
Slide 34: Server-Based AAA
• Comparing Local versus Server-Based AAA
• Overview of TACACS+ and RADIUS
Slide 35: Local Versus Server-Based Authentication
Local Authentication (figure: Remote User and Perimeter Router):
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password, authenticating the user using a local database.
Server-Based Authentication (figure: Remote User, Perimeter Router and Cisco Secure ACS for Windows Server, steps 1-4):
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
Slide 36: Overview of TACACS+ and RADIUS
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers. (Figure: Remote User, Perimeter Router, Cisco Secure ACS for Windows Server and Cisco Secure ACS Express.)
Slide 37: AAA Communication Protocols
• TACACS+/RADIUS Comparison
• TACACS+ Authentication Process
• RADIUS Authentication Process
Slide 38: TACACS+/RADIUS Comparison
Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+
Standard
  TACACS+: Mostly Cisco supported
  RADIUS: Open/RFC standard
Transport Protocol
  TACACS+: TCP
  RADIUS: UDP
CHAP
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Protocol Support
  TACACS+: Multiprotocol support
  RADIUS: No ARA, no NetBEUI
Confidentiality
  TACACS+: Entire packet encrypted
  RADIUS: Password encrypted
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis
Accounting
  TACACS+: Limited
  RADIUS: Extensive
Slide 39: TACACS+ Authentication Process
• Provides separate AAA services
• Utilizes TCP port 49
Exchange shown in the figure (remote user, router as TACACS+ client, TACACS+ server):
1. Connect: the user connects to the router; the router asks the server "Username prompt?" and the server answers: use "Username"
2. The router prompts "Username?"; the user enters JR-ADMIN; the router forwards JR-ADMIN to the server
3. The router asks the server "Password prompt?" and the server answers: use "Password"; the router prompts "Password?"; the user enters "Str0ngPa55w0rd"; the router forwards "Str0ngPa55w0rd" to the server
4. The server replies Accept/Reject
Slide 40: RADIUS Authentication Process
• Works in both local and roaming situations
• Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting
Exchange shown in the figure (remote user, router as RADIUS client, RADIUS server):
1. The router prompts "Username?"; the user enters JR-ADMIN
2. The router prompts "Password?"; the user enters Str0ngPa55w0rd
3. The router sends Access-Request (JR-ADMIN, "Str0ngPa55w0rd") to the server
4. The server replies Access-Accept
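The comparison table's Confidentiality row ("entire packet encrypted" for TACACS+, "password encrypted" for RADIUS) and the Access-Request above can be made concrete by building both packets. This is an added example, not Cisco code or code from the course: it uses the shared secret and key from the sample configuration, a fixed request authenticator (constructed, where a real client draws 16 random bytes), and the packet layouts of RFC 2865 (RADIUS) and RFC 8907 (TACACS+).

```python
"""What a passive observer sees on the wire: RADIUS hides only User-Password,
TACACS+ obfuscates the whole body (username, port, remote address, ...)."""
import hashlib
import struct

RADIUS_SECRET = b"RADIUS-Pa55w0rd"        # radius-server key from the sample configuration
TACACS_KEY = b"TACACS+Pa55w0rd"           # tacacs-server key from the sample configuration
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed fixed value for reproducible output


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; only the holder of the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(user: bytes, password: bytes, secret: bytes,
                          authenticator: bytes, identifier: int = 1) -> bytes:
    """Code 1 (Access-Request) carrying User-Name (type 1) and User-Password (type 2)."""
    def attr(t: int, v: bytes) -> bytes:
        return bytes([t, 2 + len(v)]) + v
    attrs = attr(1, user) + attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def radius_access_accept(identifier: int, request_auth: bytes, secret: bytes) -> bytes:
    """Minimal Code 2 (Access-Accept) with the Response Authenticator the server must compute."""
    header = struct.pack("!BBH", 2, identifier, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def radius_reply_is_authentic(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return reply[4:20] == expected


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 5.2: MD5 chain over session_id, key, version, seq_no and the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes,
                        session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Authentication START packet (type 1) with its body XORed against the pseudo-pad."""
    version = 0xC0                                   # major version 0xC, minor version 0
    body = bytes([1, 1, 1, 1,                        # action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN
                  len(user), len(port), len(rem_addr), 0]) + user + port + rem_addr
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, len(body)))


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """XOR is symmetric: the same pad recovers the body (garbage with the wrong key)."""
    version, _, seq_no, _, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return xor(packet[12:12 + length], tacacs_pseudo_pad(session_id, key, version, seq_no, length))


def cleartext_on_wire(packet: bytes, *fields: bytes) -> dict:
    """Which of the given strings appear verbatim in the packet, i.e. are readable without the key."""
    return {f.decode(): (f in packet) for f in fields}


if __name__ == "__main__":
    rad = radius_access_request(b"JR-ADMIN", b"Str0ngPa55w0rd", RADIUS_SECRET, REQUEST_AUTHENTICATOR)
    tac = tacacs_authen_start(b"JR-ADMIN", b"tty1", b"async/81560", 0x12345678, TACACS_KEY)
    print("RADIUS :", cleartext_on_wire(rad, b"JR-ADMIN", b"Str0ngPa55w0rd"))
    print("TACACS+:", cleartext_on_wire(tac, b"JR-ADMIN", b"tty1"))
```

The RADIUS username is readable by anyone on the path while the password is not; in the TACACS+ packet neither is, which is the row of the table the slides summarize as "entire packet encrypted".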
Slide 41: Cisco Secure ACS
• Benefits
• Advanced Features
• Overview
• Installation Options
Slide 42: Benefits
• Extends access security by combining authentication, user access, and administrator access with policy control
• Allows greater flexibility and mobility, increased security, and user-productivity gains
• Enforces a uniform security policy for all users
• Reduces the administrative and management efforts
Slide 43: Advanced Features
• Automatic service monitoring
• Database synchronization and importing of tools for large-scale deployments
• Lightweight Directory Access Protocol (LDAP) user authentication support
• User and administrative access reporting
• Restrictions to network access based on criteria
• User and device group profiles
Slide 44: Overview
• Centrally manages access to network resources for a growing variety of access types, devices, and user groups
• Addresses the following:
  - Support for a range of protocols including Extensible Authentication Protocol (EAP) and non-EAP
  - Integration with Cisco products for device administration access control allows for centralized control and auditing of administrative actions
  - Support for external databases, posture brokers, and audit servers centralizes access policy control
Slide 45: Installation Options
Cisco Secure ACS for Windows can be installed on:
  - Windows 2000 Server with Service Pack 4
  - Windows 2000 Advanced Server with Service Pack 4
  - Windows Server 2003 Standard Edition
  - Windows Server 2003 Enterprise Edition
Cisco Secure ACS Solution Engine:
  - A highly scalable dedicated platform that serves as a high-performance ACS
  - 1RU, rack-mountable
  - Preinstalled with security-hardened Windows software and Cisco Secure ACS software
  - Support for more than 350 users
Cisco Secure ACS Express 5.0:
  - Entry-level ACS with a simplified feature set
  - Support for up to 50 AAA devices and up to 350 unique user ID logins in a 24-hour period
Slide 46: Configuring Cisco Secure ACS
• Deploying ACS
• Cisco Secure ACS Homepage
• Network Configuration
• Interface Configuration
• External User Database
• Windows User Database Configuration
Slide 47: Deploying ACS
• Consider third-party software requirements
• Verify network and port prerequisites:
  - AAA clients must run Cisco IOS Release 11.2 or later.
  - Cisco devices that are not Cisco IOS AAA clients must be configured with TACACS+, RADIUS, or both.
  - Dial-in, VPN, or wireless clients must be able to connect to AAA clients.
  - The computer running ACS must be able to reach all AAA clients using ping.
  - Gateway devices must permit communication over the ports that are needed to support the applicable feature or protocol.
  - A supported web browser must be installed on the computer running ACS.
  - All NICs in the computer running Cisco Secure ACS must be enabled.
• Configure Secure ACS via the HTML interface
Slide 48: Cisco Secure ACS Homepage
Figure callouts on the homepage:
• add, delete, and modify settings for AAA clients (routers)
• set menu display options for TACACS+ and RADIUS
• configure database settings
Slide 49: Network Configuration
1. Click Network Configuration on the navigation bar
2. Click Add Entry
3. Enter the hostname
4. Enter the IP address
5. Enter the secret key
6. Choose the appropriate protocols
7. Make any other necessary selections and click Submit and Apply
Slide 50: Interface Configuration
The selection made in the Interface Configuration window controls the display of options in the user interface.
Slide 51: External User Database
1. Click the External User Databases button on the navigation bar
2. Click Database Configuration
3. Click Windows Database
Slide 52: Windows User Database Configuration
4. Click Configure
5. Configure the options
Slide 53: Configuring a TACACS+ Server
• Configuring the Unknown User Policy
• Configuring Database Group Mappings
• Configuring Users
Slide 54: Configuring the Unknown User Policy
1. Click External User Databases on the navigation bar
2. Click Unknown User Policy
3. Place a check in the box
4. Choose the database from the list and click the right arrow to move it to the Selected list
5. Manipulate the databases to reflect the order in which each will be checked
6. Click Submit
Slide 55: Group Setup
Database group mappings: control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another.
1. Click Group Setup on the navigation bar
2. Choose the group to edit and click Edit Settings
3. Click Permit in the Unmatched Cisco IOS commands option
4. Check the Command check box and select an argument
5. For the Unlisted Arguments option, click Permit
Slide 56: User Setup
1. Click User Setup on the navigation bar
2. Enter a username and click Add/Edit
3. Enter the data to define the user account
4. Click Submit
Slide 57: Server-Based AAA Authentication
• Overview
• Using SDM
• Troubleshooting
Slide 58: Overview
• CLI aaa authentication Command
• Sample Configuration
Slide 59: Configuring Server-Based AAA Authentication
1. Globally enable AAA to allow the use of all AAA elements (a prerequisite)
2. Specify the Cisco Secure ACS that will provide AAA services for the network access server
3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS
4. Configure the AAA authentication method list
Slide 60: aaa authentication Command
R1(config)# aaa authentication type {default | list-name} method1 ... [method4]

R1(config)# aaa authentication login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R1(config)# aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)# aaa authentication login default group
Slide 61: Sample Configuration
• Multiple RADIUS servers can be identified by entering a radius-server command for each
• For TACACS+, the single-connection keyword maintains a single TCP connection for the life of the session
(Figure: R1 talks to 192.168.1.101, a Cisco Secure ACS Solution Engine using TACACS+, and to 192.168.1.100, Cisco Secure ACS for Windows using RADIUS. TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.)
R1(config)# aaa new-model
R1(config)#
R1(config)# radius-server host 192.168.1.100
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)#
R1(config)# tacacs-server host 192.168.1.101 single-connection
R1(config)# tacacs-server key TACACS+Pa55w0rd
R1(config)#
R1(config)# aaa authentication login default group tacacs+ group radius local-case
R1(config)#
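The method list above, and the local-only lists on the earlier slides (local-case, enable, max-fail), are easiest to reason about as a small state machine: IOS consults the next method only when the previous one returns an error (server unreachable), never when it returns a FAIL. The following model is an added example, not Cisco code; the usernames, secrets and list names are taken from the sample configurations, and the server groups are assumed to be plain callables that answer PASS, FAIL or ERROR.

```python
"""Model of how an IOS router walks an 'aaa authentication login' method list."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # ERROR = method could not be evaluated (e.g. no server reachable)
ServerGroup = Callable[[str, str], str]        # assumed shape: (username, password) -> PASS | FAIL | ERROR


@dataclass
class AaaRouter:
    local_users: Dict[str, str]                       # username -> secret, as configured with 'username ... secret'
    enable_secret: str = ""                           # used by the 'enable' method
    max_fail: int = 0                                 # aaa local authentication attempts max-fail N (0 = disabled)
    groups: Dict[str, ServerGroup] = field(default_factory=dict)
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)     # what 'show aaa local user lockout' would list

    def _local(self, user: str, password: str, case_sensitive: bool) -> str:
        # 'local' matches the username case-insensitively, 'local-case' exactly; the secret is always case-sensitive
        match = [u for u in self.local_users
                 if (u == user if case_sensitive else u.lower() == user.lower())]
        if not match:
            return FAIL                               # unknown user is a FAIL, not an ERROR: no fallthrough
        canon = match[0]
        if canon in self.locked:
            return FAIL
        if self.local_users[canon] == password:
            self.failures.pop(canon, None)
            return PASS
        if self.max_fail:                             # count the bad attempt and lock once max-fail is reached
            self.failures[canon] = self.failures.get(canon, 0) + 1
            if self.failures[canon] >= self.max_fail:
                self.locked.add(canon)
        return FAIL

    def _run(self, method: str, user: str, password: str) -> str:
        if method == "local":
            return self._local(user, password, case_sensitive=False)
        if method == "local-case":
            return self._local(user, password, case_sensitive=True)
        if method == "enable":
            return PASS if self.enable_secret and password == self.enable_secret else FAIL
        if method == "none":
            return PASS
        if method.startswith("group "):
            group = self.groups.get(method.split(" ", 1)[1])
            return group(user, password) if group else ERROR   # group undefined or all servers dead
        raise ValueError(f"unsupported method {method!r}")

    def login(self, method_list: List[str], user: str, password: str) -> Tuple[str, str]:
        """Return (result, deciding method). A FAIL stops the walk; only ERROR moves on."""
        for method in method_list:
            result = self._run(method, user, password)
            if result != ERROR:
                return result, method
        return ERROR, "no-method-reachable"


def demo() -> Tuple[str, str]:
    """Slide-61 list with TACACS+ unreachable and RADIUS answering: RADIUS's FAIL is final."""
    unreachable: ServerGroup = lambda user, pw: ERROR                       # constructed: tacacs+ group is down
    radius: ServerGroup = lambda user, pw: PASS if (user, pw) == ("ADMIN", "Str0ng5rPa55w0rd") else FAIL
    r1 = AaaRouter(local_users={"JR-ADMIN": "Str0ngPa55w0rd", "ADMIN": "Str0ng5rPa55w0rd"},
                   max_fail=10, groups={"tacacs+": unreachable, "radius": radius})
    default = ["group tacacs+", "group radius", "local-case"]
    return r1.login(default, "JR-ADMIN", "Str0ngPa55w0rd")   # local is never consulted


if __name__ == "__main__":
    print(demo())
```

The practical consequence for the slide-61 list is that the local database is only a safety net for when both server groups are unreachable, not for users the servers do not know.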
Slide 62: Using SDM
• Add TACACS Support
• Create an AAA Login Method
• Apply Authentication Policy
Slide 63: Add TACACS Support (server 192.168.1.101)
1. Choose Configure > Additional Tasks > AAA > AAA Servers and Groups > AAA Servers
2. Click Add
3. Choose TACACS+
4. Enter the IP address (or hostname) of the AAA server
5. Check the Single Connection check box to maintain a single connection
6. Check Configure Key to encrypt traffic
7. Click OK
Slide 64: Create AAA Login Method
1. Choose Configure > Additional Tasks > AAA > Authentication Policies > Login
2. Click Add
3. Choose User Defined
4. Enter the name
5. Click Add
6. Choose group tacacs+ from the list
7. Click OK
8. Click Add to add a backup method
9. Choose enable from the list
10. Click OK twice
Slide 65: Apply Authentication Policy
1. Choose Configure > Additional Tasks > Router Access > VTY
2. Click Edit
3. Choose the authentication policy to apply
Slide 66: Troubleshooting Server-Based AAA Authentication
• Sample debug aaa authentication
• Sample debug tacacs|radius Command
Slide 67: Sample Commands
• The debug aaa authentication command provides a view of login activity
• For successful TACACS+ login attempts, a status message of PASS results
R1# debug aaa authentication
AAA Authentication debugging is on
R1#
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
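Reading debug aaa authentication output by eye works for one login; for a longer capture it helps to fold the lines into one record per session id, as the local sample (slide 32) and the TACACS+ sample above both use the same AAA/AUTHEN ... (session): shape. The parser below is an added example, not Cisco code; the sample lines are copied from the two slides (local ones shortened to the AUTHEN lines), and it assumes nothing beyond that line shape.

```python
"""Fold 'debug aaa authentication' lines into per-session records."""
import re
from typing import Dict, Iterable, List, Optional

# Both slides' lines: optional sequence number and timestamp, then AAA/AUTHEN[/START|/CONT] (session): detail
LINE = re.compile(r"AAA/AUTHEN(?:/\w+)?\s+\((\d+)\):\s*(.*)$")
USER = re.compile(r"continue_login \(user='([^']*)'\)")
METHOD = re.compile(r"Method=(\S+)")
STATUS = re.compile(r"status = (\w+)")
LIST = re.compile(r'using "([^"]+)" list')

# Constructed sample inputs, copied from the slides' debug output
SAMPLE_LOCAL = """\
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
""".splitlines()

SAMPLE_TACACS = """\
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
""".splitlines()


def parse_debug(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {session_id: {"user", "list", "methods", "statuses"}} from debug output lines."""
    sessions: Dict[str, dict] = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                                  # AAA/MEMORY, TAC+ and other lines are ignored
        sid, detail = m.group(1), m.group(2)
        s = sessions.setdefault(sid, {"user": None, "list": None, "methods": [], "statuses": []})
        u = USER.search(detail)
        if u and u.group(1) != "(undef)":             # username is only known after the GETUSER round trip
            s["user"] = u.group(1)
        lst = LIST.search(detail)
        if lst:
            s["list"] = lst.group(1)
        meth = METHOD.search(detail)
        if meth and (not s["methods"] or s["methods"][-1] != meth.group(1)):
            s["methods"].append(meth.group(1))        # record a method once per run, in the order tried
        st = STATUS.search(detail)
        if st:
            s["statuses"].append(st.group(1))
    return sessions


def final_status(session: dict) -> Optional[str]:
    """Last status seen for a session: PASS, FAIL, or a prompt state if the login never finished."""
    return session["statuses"][-1] if session["statuses"] else None


if __name__ == "__main__":
    for sid, rec in {**parse_debug(SAMPLE_LOCAL), **parse_debug(SAMPLE_TACACS)}.items():
        print(sid, rec["user"], rec["methods"], final_status(rec))
```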
Slide 68: Sample Commands
R1# debug radius ?
  accounting      RADIUS accounting packets only
  authentication  RADIUS authentication packets only
  brief           Only I/O transactions are recorded
  elog            RADIUS event logging
  failover        Packets sent upon fail-over
  local-server    Local RADIUS server
  retransmit      Retransmission of packets
  verbose         Include non essential RADIUS debugs
  <cr>
R1# debug radius

R1# debug tacacs ?
  accounting      TACACS+ protocol accounting
  authentication  TACACS+ protocol authentication
  authorization   TACACS+ protocol authorization
  events          TACACS+ protocol events
  packet          TACACS+ packets
  <cr>
Slide 69: Server-Based AAA Authorization and Accounting
• Configuring Server-Based AAA Authorization
• Configuring Server-Based AAA Accounting
Slide 70: Server-Based AAA Authorization
• Overview
• AAA Authorization Command
• Configuring Authorization Using SDM – Character Mode
• Configuring Authorization Using SDM – Packet Mode
Slide 71: AAA Authorization Overview
• The TACACS+ protocol allows the separation of authentication from authorization.
• Can be configured to restrict the user to performing only certain functions after successful authentication.
• Authorization can be configured for:
  - character mode (exec authorization)
  - packet mode (network authorization)
• RADIUS does not separate the authentication from the authorization process
Exchange shown in the figure (user JR-ADMIN, router, TACACS+ server):
• The user enters show version; the router asks the server: Command authorization for user JR-ADMIN, command "show version"?; the server answers Accept; the router displays the "show version" output
• The user enters configure terminal; the router asks the server: Command authorization for user JR-ADMIN, command "config terminal"?; the server answers Reject; the router does not permit "configure terminal"
Slide 72: AAA Authorization Commands
• To configure command authorization, use:
aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]
• Service types of interest include:
  - commands level: for exec (shell) commands
  - exec: for starting an exec (shell)
  - network: for network services (PPP, SLIP, ARAP)
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
Slide 73: Using SDM to Configure Authorization – Character Mode
1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Exec
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
6. Click OK
7. Click OK to return to the Exec Authorization window
Slide 74: Using SDM to Configure Authorization – Packet Mode
1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Network
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
6. Click OK
7. Click OK to return to the Network Authorization pane
Slide 75: Configure Server-Based AAA Accounting
• Overview
• AAA Accounting Commands
Slide 76: AAA Accounting Overview
• Provides the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered
• To configure AAA accounting using named method lists:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
• Supports six different types of accounting: network, connection, exec, system, commands level, and resource.
Slide 77: AAA Accounting Commands
• aaa accounting exec default start-stop group tacacs+
  Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for user EXEC terminal sessions.
• aaa accounting network default start-stop group tacacs+
  Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for all network-related service requests.
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
CCNA_Security_03.ppt

  • 1.
    1 © 2009 CiscoLearning Institute. CCNA Security Chapter Three Authentication, Authorization, and Accounting
  • 2.
    2 2 2 © 2009 CiscoLearning Institute. Lesson Planning • This lesson should take 3-6 hours to present • The lesson should include lecture, demonstrations, discussion and assessment • The lesson can be taught in person or using remote instruction
  • 3.
    3 3 3 © 2009 CiscoLearning Institute. Major Concepts • Describe the purpose of AAA and the various implementation techniques • Implement AAA using the local database • Implement AAA using TACACS+ and RADIUS protocols • Implement AAA Authorization and Accounting
  • 4.
    4 4 4 © 2009 CiscoLearning Institute. Lesson Objectives Upon completion of this lesson, the successful participant will be able to: 1. Describe the importance of AAA as it relates to authentication, authorization, and accounting 2. Configure AAA authentication using a local database 3. Configure AAA using a local database in SDM 4. Troubleshoot AAA using a local database 5. Explain server-based AAA 6. Describe and compare the TACACS+ and RADIUS protocols
  • 5.
    5 5 5 © 2009 CiscoLearning Institute. Lesson Objectives 7. Describe the Cisco Secure ACS for Windows software 8. Describe how to configure Cisco Secure ACS for Windows as a TACACS+ server 9. Configure server-based AAA authentication on Cisco Routers using CLI 10. Configure server-based AAA authentication on Cisco Routers using SDM 11. Troubleshoot server-based AAA authentication using Cisco Secure ACS 12. Configure server-based AAA Authorization using Cisco Secure ACS 13. Configure server-based AAA Accounting using Cisco Secure ACS
  • 6.
    6 6 6 © 2009 CiscoLearning Institute. Authentication, Authorization and Accounting • Purpose of AAA • Configuring Local AAA Authentication • Introduction to Server-Based AAA
  • 7.
    7 7 7 © 2009 CiscoLearning Institute. Purpose of AAA • AAA Overview • AAA Components
  • 8.
    8 8 8 © 2009 CiscoLearning Institute. AAA Overview • Authentication • AAA Access Security
  • 9.
    9 9 9 © 2009 CiscoLearning Institute. Authentication – Password-Only • Uses a login and password combination on access lines • Easiest to implement, but most unsecure method • Vulnerable to brute-force attacks • Provides no accountability R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Internet User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords Password-Only Method
  • 10.
Authentication – Local Database
• Creates an individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device
• Provides no fallback authentication method

  R1(config)# username Admin secret Str0ng5rPa55w0rd
  R1(config)# line vty 0 4
  R1(config-line)# login local

  User Access Verification
  Username: Admin
  Password: cisco1
  % Login invalid
  Username: Admin
  Password: cisco12
  % Login invalid

(Figure: Local Database Method – a user on the Internet logging in to R1)

AAA Access Security
• Authentication – Who are you?
• Authorization – Which resources is the user allowed to access, and which operations is the user allowed to perform?
• Accounting – What did you spend it on?

AAA Components
• AAA Access Methods
• AAA Authorization
• AAA Accounting

Access Methods
• Character Mode – A user sends a request to establish an EXEC mode process with the router for administrative purposes
• Packet Mode – A user sends a request to establish a connection through the router with a device on the network

Self-Contained AAA Authentication
• Used for small networks
• Stores usernames and passwords locally in the Cisco router

Self-Contained AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and the user is authorized to access the network based on information in the local database.
(Figure: Remote Client and AAA Router; steps 1–3)

Server-Based AAA Authentication
• Uses an external database server
  - Cisco Secure Access Control Server (ACS) for Windows Server
  - Cisco Secure ACS Solution Engine
  - Cisco Secure ACS Express
• More appropriate if there are multiple routers

Server-Based AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.
(Figure: Remote Client, AAA Router and Cisco Secure ACS Server; steps 1–4)

AAA Authorization
• Typically implemented using an AAA server-based solution
• Uses a set of attributes that describes user access to the network
1. When a user has been authenticated, a session is established with an AAA server.
2. The router requests authorization for the requested service from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.

AAA Accounting
• Implemented using an AAA server-based solution
• Keeps a detailed log of what an authenticated user does on a device
1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded, ending the accounting process.

Configuring Local AAA Authentication
• Using a Local Database
• Using a Local Database in SDM
• Troubleshooting using a Local Database

Using a Local Database
• Local AAA Authentication
• CLI AAA Authentication Commands
• Sample Configuration

Local AAA Authentication Commands
To authenticate administrator access (character mode access):
1. Add usernames and passwords to the local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration

  R1# conf t
  R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
  R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default local-case
  R1(config)# aaa local authentication attempts max-fail 10

Additional Commands
• aaa authentication enable – Enables AAA for EXEC mode access
• aaa authentication ppp – Enables AAA for PPP network access

AAA Authentication Command Elements

  router(config)# aaa authentication login {default | list-name} method1…[method4]

• default – Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in
• list-name – Character string used to name the list of authentication methods activated when a user logs in
• passwd-expiry – Enables password aging on a local authentication list
• method1 [method2...] – Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.

Method Type Keywords
• enable – Uses the enable password for authentication. This keyword cannot be used.
• krb5 – Uses Kerberos 5 for authentication.
• krb5-telnet – Uses the Kerberos 5 telnet authentication protocol when using Telnet to connect to the router.
• line – Uses the line password for authentication.
• local – Uses the local username database for authentication.
• local-case – Uses case-sensitive local username authentication.
• none – Uses no authentication.
• cache group-name – Uses a cache server group for authentication.
• group radius – Uses the list of all RADIUS servers for authentication.
• group tacacs+ – Uses the list of all TACACS+ servers for authentication.
• group group-name – Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Additional Security

  router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]

  R1# show aaa local user lockout
  Local-user    Lock time
  JR-ADMIN      04:28:49 UTC Sat Dec 27 2008

  R1# show aaa sessions
  Total sessions since last reload: 4
  Session Id: 1
     Unique Id: 175
     User Name: ADMIN
     IP Address: 192.168.1.10
     Idle Time: 0
     CT Call Handle: 0

Sample Configuration

  R1# conf t
  R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
  R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default local-case enable
  R1(config)# aaa authentication login TELNET-LOGIN local-case
  R1(config)# line vty 0 4
  R1(config-line)# login authentication TELNET-LOGIN

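The two local-database controls configured on slides 20, 24 and 25, case-sensitive username matching ("local-case" versus "local") and lockout after "aaa local authentication attempts max-fail", modelled in Python as an added example. This is not Cisco code: the class, its method names and the PBKDF2 storage of secrets are assumptions of the model (IOS uses its own hash types for "secret"); only the observable behaviour of the two knobs is reproduced so it can be exercised offline.

```python
"""Model of local AAA login: 'local' vs 'local-case' lookup and max-fail lockout.

Added example, not Cisco code. Secrets are kept as salted PBKDF2 hashes, an
assumption standing in for the hashed 'secret' storage on the router.
"""
import hashlib
import hmac
import os
import time


class LocalAaa:
    def __init__(self, case_sensitive=True, max_fail=None):
        # case_sensitive=True models the 'local-case' method, False models 'local'
        self.case_sensitive = case_sensitive
        self.max_fail = max_fail          # None: no 'max-fail' configured, never lock
        self._users = {}                  # stored username -> (salt, derived key)
        self._failures = {}               # stored username -> consecutive failures
        self._locked = {}                 # stored username -> lock timestamp

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, username, secret):
        """'username NAME secret SECRET': store only a salted hash of the secret."""
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(secret, salt))

    def _lookup(self, username):
        """Return the stored spelling of the account, honouring case sensitivity."""
        if self.case_sensitive:
            return username if username in self._users else None
        for stored in self._users:
            if stored.lower() == username.lower():
                return stored
        return None

    def login(self, username, password, now=None):
        """One login attempt: PASS, FAIL, or LOCKED once max_fail is reached."""
        now = time.time() if now is None else now
        stored = self._lookup(username)
        if stored is None:
            return "FAIL"                 # unknown account
        if stored in self._locked:
            return "LOCKED"               # locked accounts fail until an admin clears them
        salt, derived = self._users[stored]
        if hmac.compare_digest(self._derive(password, salt), derived):
            self._failures[stored] = 0    # a good login resets the counter
            return "PASS"
        self._failures[stored] = self._failures.get(stored, 0) + 1
        if self.max_fail is not None and self._failures[stored] >= self.max_fail:
            self._locked[stored] = now    # what 'show aaa local user lockout' would list
            return "LOCKED"
        return "FAIL"

    def show_lockout(self):
        """Equivalent of 'show aaa local user lockout': username -> lock time."""
        return dict(self._locked)

    def clear_lockout(self, username):
        """Equivalent of 'clear aaa local user lockout username NAME'."""
        self._locked.pop(username, None)
        self._failures.pop(username, None)
```

With "local-case", a login as jr-admin does not match the JR-ADMIN account at all, so it counts as an unknown user rather than a bad password; with "local" the two spellings are the same account. The lock is only released by an explicit clear, which is the point of the control: a guessing loop cannot wait it out.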
Using a Local Database in SDM
• Verifying AAA Authentication
• Using SDM
• Configuring for Login Authentication

Verifying AAA Authentication
• AAA is enabled by default in SDM
• To verify or enable/disable AAA, choose Configure > Additional Tasks > AAA

Using SDM
1. Select Configure > Additional Tasks > Router Access > User Accounts/View
2. Click Add
3. Enter username and password
4. Choose 15
5. Check the box and select a view
6. Click OK

Configure Login Authentication
1. Select Configure > Additional Tasks > AAA > Authentication Policies > Login and click Add
2. Verify that Default is selected
3. Click Add
4. Choose local
5. Click OK
6. Click OK

Troubleshooting
• The debug aaa Command
• Sample Output

The debug aaa Command

  R1# debug aaa ?
    accounting           Accounting
    administrative       Administrative
    api                  AAA api events
    attr                 AAA Attr Manager
    authentication       Authentication
    authorization        Authorization
    cache                Cache activities
    coa                  AAA CoA processing
    db                   AAA DB Manager
    dead-criteria        AAA Dead-Criteria Info
    id                   AAA Unique Id
    ipc                  AAA IPC
    mlist-ref-count      Method list reference counts
    mlist-state          Information about AAA method list state change and notification
    per-user             Per-user attributes
    pod                  AAA POD processing
    protocol             AAA protocol processing
    server-ref-count     Server handle reference counts
    sg-ref-count         Server group handle reference counts
    sg-server-selection  Server Group Server Selection
    subsys               AAA Subsystem
    testing              Info. about AAA generated test packets
  R1# debug aaa

Sample Output

  R1# debug aaa authentication
  113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
  113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
  113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
  113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
  113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
  113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
  113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
  113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
  113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
  113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
  113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
  113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
  113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

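A small parser for the debug aaa authentication output above, added here as an example (not Cisco tooling). It groups lines by the session id in parentheses, records the method list and method used, the username once it is known, and the status transitions, then lists the sessions that ended in FAIL. The first sample block is the slide's own output; the second block, a failed login for ADMIN on tty2, is constructed for the example.

```python
"""Summarise 'debug aaa authentication' output per AAA session.

Added example, not Cisco tooling. SLIDE_LINES is the output shown on the
slide; CONSTRUCTED_FAIL_LINES is a made-up failed login added for contrast.
"""
import re

SLIDE_LINES = """\
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
"""

# Constructed: a second session on tty2 that ends in FAIL (not from the slide).
CONSTRUCTED_FAIL_LINES = """\
113140: Feb 4 10:12:01.000 CST: AAA/AUTHEN/START (2784097691): port='tty2' list='' action=LOGIN service=LOGIN
113141: Feb 4 10:12:01.000 CST: AAA/AUTHEN/START (2784097691): using "default" list
113142: Feb 4 10:12:01.000 CST: AAA/AUTHEN/START (2784097691): Method=LOCAL
113143: Feb 4 10:12:01.000 CST: AAA/AUTHEN (2784097691): status = GETUSER
113144: Feb 4 10:12:05.000 CST: AAA/AUTHEN/CONT (2784097691): continue_login (user='ADMIN')
113145: Feb 4 10:12:05.000 CST: AAA/AUTHEN (2784097691): status = GETPASS
113146: Feb 4 10:12:07.000 CST: AAA/AUTHEN/CONT (2784097691): Method=LOCAL
113147: Feb 4 10:12:07.000 CST: AAA/AUTHEN (2784097691): status = FAIL
"""

SAMPLE = SLIDE_LINES + CONSTRUCTED_FAIL_LINES

# Every AAA/AUTHEN line carries the session id in parentheses; AAA/MEMORY lines do not.
LINE_RE = re.compile(r"AAA/AUTHEN(?:/(?P<phase>START|CONT))? \((?P<sid>\d+)\): (?P<rest>.*)$")


def summarize(debug_text):
    """Return {session_id: {port, list, user, methods, statuses, result}}."""
    sessions = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sid, rest = m.group("sid"), m.group("rest")
        s = sessions.setdefault(sid, {"port": None, "list": None, "user": None,
                                      "methods": [], "statuses": [], "result": None})
        if (p := re.search(r"port='([^']*)'", rest)):
            s["port"] = p.group(1)
        if (lst := re.search(r'using "([^"]+)" list', rest)):
            s["list"] = lst.group(1)          # the method list chosen (here 'default')
        if (meth := re.search(r"Method=(\S+)", rest)) and meth.group(1) not in s["methods"]:
            s["methods"].append(meth.group(1))
        if (u := re.search(r"user='([^']*)'", rest)) and u.group(1) not in ("", "(undef)"):
            s["user"] = u.group(1)            # username is only known after GETUSER completes
        if (st := re.search(r"status = (\w+)", rest)):
            s["statuses"].append(st.group(1))
            if st.group(1) in ("PASS", "FAIL", "ERROR"):
                s["result"] = st.group(1)     # terminal status of the session
    return sessions


def failed_logins(sessions):
    """(user, port) pairs whose session ended in FAIL, for alerting or counting."""
    return sorted((s["user"], s["port"]) for s in sessions.values() if s["result"] == "FAIL")
```

The GETUSER and GETPASS statuses are the router waiting on the user, so the timestamps between them show how long the prompt sat open; the terminal status is what a FAIL counter or lockout review should key on, and the method field tells you whether LOCAL or a server group made the decision.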
Introduction to Server-Based AAA
• Server-Based AAA
• AAA Communication Protocols
• Cisco Secure ACS
• Configuring Cisco Secure ACS
• Cisco Secure ACS Administrative Tasks

Server-Based AAA
• Comparing Local versus Server-Based AAA
• Overview of TACACS+ and RADIUS

Local Versus Server-Based Authentication

Local Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password, authenticating the user using a local database.
(Figure: Remote User and Perimeter Router)

Server-Based Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
(Figure: Remote User, Perimeter Router and Cisco Secure ACS for Windows Server; steps 1–4)

Overview of TACACS+ and RADIUS
(Figure: Remote User, Perimeter Router, Cisco Secure ACS for Windows Server and Cisco Secure ACS Express)
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.

AAA Communication Protocols
• TACACS+/RADIUS Comparison
• TACACS+ Authentication Process
• RADIUS Authentication Process

TACACS+/RADIUS Comparison
• Functionality – TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation. RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
• Standard – TACACS+: Mostly Cisco supported. RADIUS: Open/RFC standard.
• Transport Protocol – TACACS+: TCP. RADIUS: UDP.
• CHAP – TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP). RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client.
• Protocol Support – TACACS+: Multiprotocol support. RADIUS: No ARA, no NetBEUI.
• Confidentiality – TACACS+: Entire packet encrypted. RADIUS: Password encrypted.
• Customization – TACACS+: Provides authorization of router commands on a per-user or per-group basis. RADIUS: Has no option to authorize router commands on a per-user or per-group basis.
• Accounting – TACACS+: Limited. RADIUS: Extensive.

TACACS+ Authentication Process
• Provides separate AAA services
• Utilizes TCP port 49

(Figure: message exchange between the remote user, the router and the TACACS+ server)
  User → Router: Connect
  Router → Server: Username prompt?
  Server → Router: Use "Username"
  Router → User: Username?
  User → Router: JR-ADMIN
  Router → Server: JR-ADMIN
  Router → Server: Password prompt?
  Server → Router: Use "Password"
  Router → User: Password?
  User → Router: "Str0ngPa55w0rd"
  Router → Server: "Str0ngPa55w0rd"
  Server → Router: Accept/Reject

RADIUS Authentication Process
• Works in both local and roaming situations
• Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting

(Figure: message exchange between the remote user, the router and the RADIUS server)
  Router → User: Username?
  User → Router: JR-ADMIN
  Router → User: Password?
  User → Router: Str0ngPa55w0rd
  Router → Server: Access-Request (JR-ADMIN, "Str0ngPa55w0rd")
  Server → Router: Access-Accept

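The comparison table's "entire packet encrypted" versus "password encrypted" row, and the Access-Request exchange on slide 40, made concrete in Python. This is an added example, not Cisco or ACS code: it builds a RADIUS Access-Request with the User-Password hiding of RFC 2865 section 5.2 and a TACACS+ authentication START packet with the MD5 pseudo-pad obfuscation of RFC 8907 section 4.5, then checks which credential fields are readable on the wire. The Request Authenticator, session id, NAS address, port and packet contents are constructed values; the two shared secrets are the ones used on slide 61.

```python
"""RADIUS User-Password hiding (RFC 2865 5.2) beside TACACS+ body obfuscation
(RFC 8907 4.5). Added example, not Cisco/ACS code; packet contents are constructed."""
import hashlib
import struct

RADIUS_ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def radius_hide_password(password, secret, request_authenticator):
    """Pad to 16-byte blocks; each block is XORed with MD5(secret + previous
    ciphertext block), the first block with MD5(secret + Request Authenticator)."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                                  # an empty password still occupies one block
        padded = b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def radius_unhide_password(hidden, secret, request_authenticator):
    """Inverse of radius_hide_password (what the server does); strips the null padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, user, password, secret, request_authenticator,
                         nas_ip=bytes([192, 168, 1, 1])):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then attributes. Only
    User-Password is hidden; User-Name and NAS-IP-Address travel in clear."""
    attrs = (radius_attr(ATTR_USER_NAME, user)
             + radius_attr(ATTR_USER_PASSWORD,
                           radius_hide_password(password, secret, request_authenticator))
             + radius_attr(ATTR_NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_n-1;
    the digests are concatenated and truncated to the body length."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version, seq_no):
    """XOR the whole body with the pseudo pad; applying it twice restores the body."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_tacacs_authen_start(session_id, key, user, port, rem_addr, seq_no=1):
    """12-byte clear header followed by the obfuscated authentication START body."""
    version, pkt_type, flags = 0xC0, 0x01, 0x00     # v12.0, TAC_PLUS_AUTHEN, body obfuscated
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, authen_service=LOGIN, four lengths, fields
    body = (struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
            + user + port + rem_addr)
    header = struct.pack("!BBBBII", version, pkt_type, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def wire_visibility(user=b"JR-ADMIN", password=b"Str0ngPa55w0rd"):
    """Which credential fields a passive observer can read from each protocol's request.
    Secrets are slide 61's; authenticator, session id, port and address are constructed."""
    request_authenticator = bytes(range(16))        # constructed; real ones are random per request
    radius_pkt = build_access_request(7, user, password, b"RADIUS-Pa55w0rd", request_authenticator)
    tacacs_pkt = build_tacacs_authen_start(0x1234ABCD, b"TACACS+Pa55w0rd", user, b"tty1", b"192.168.1.10")
    expected_header = struct.pack("!BBBBII", 0xC0, 1, 1, 0, 0x1234ABCD, len(tacacs_pkt) - 12)
    return {
        "radius_username_visible": user in radius_pkt,
        "radius_password_visible": password in radius_pkt,
        "tacacs_username_visible": user in tacacs_pkt,
        "tacacs_header_clear": tacacs_pkt[:12] == expected_header,
    }
```

Both constructions rest on MD5 and a shared secret, so the difference the table points at is scope rather than strength: RADIUS hides only User-Password, while TACACS+ obfuscates the whole body and leaves only the 12-byte header readable. Neither gives the request integrity protection on its own, which is why current practice is to carry either protocol over TLS or confine it to an isolated management network.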
Cisco Secure ACS
• Benefits
• Advanced Features
• Overview
• Installation Options

Benefits
• Extends access security by combining authentication, user access, and administrator access with policy control
• Allows greater flexibility and mobility, increased security, and user-productivity gains
• Enforces a uniform security policy for all users
• Reduces the administrative and management effort

Advanced Features
• Automatic service monitoring
• Database synchronization and importing of tools for large-scale deployments
• Lightweight Directory Access Protocol (LDAP) user authentication support
• User and administrative access reporting
• Restrictions to network access based on criteria
• User and device group profiles

Overview
• Centrally manages access to network resources for a growing variety of access types, devices, and user groups
• Addresses the following:
  - Support for a range of protocols including Extensible Authentication Protocol (EAP) and non-EAP
  - Integration with Cisco products for device administration access control allows for centralized control and auditing of administrative actions
  - Support for external databases, posture brokers, and audit servers centralizes access policy control

Installation Options
Cisco Secure ACS for Windows can be installed on:
- Windows 2000 Server with Service Pack 4
- Windows 2000 Advanced Server with Service Pack 4
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition

Cisco Secure ACS Solution Engine
- A highly scalable dedicated platform that serves as a high-performance ACS
- 1RU, rack-mountable
- Preinstalled with security-hardened Windows software and Cisco Secure ACS software
- Support for more than 350 users

Cisco Secure ACS Express 5.0
- Entry-level ACS with a simplified feature set
- Support for up to 50 AAA devices and up to 350 unique user ID logins in a 24-hour period

Configuring Cisco Secure ACS
• Deploying ACS
• Cisco Secure ACS Homepage
• Network Configuration
• Interface Configuration
• External User Database
• Windows User Database Configuration

Deploying ACS
• Consider Third-Party Software Requirements
• Verify Network and Port Prerequisites
  - AAA clients must run Cisco IOS Release 11.2 or later.
  - Cisco devices that are not Cisco IOS AAA clients must be configured with TACACS+, RADIUS, or both.
  - Dial-in, VPN, or wireless clients must be able to connect to AAA clients.
  - The computer running ACS must be able to reach all AAA clients using ping.
  - Gateway devices must permit communication over the ports that are needed to support the applicable feature or protocol.
  - A supported web browser must be installed on the computer running ACS.
  - All NICs in the computer running Cisco Secure ACS must be enabled.
• Configure Secure ACS via the HTML interface

Cisco Secure ACS Homepage
(Figure: ACS homepage with callouts)
• Add, delete and modify settings for AAA clients (routers)
• Set menu display options for TACACS and RADIUS
• Configure database settings

Network Configuration
1. Click Network Configuration on the navigation bar
2. Click Add Entry
3. Enter the hostname
4. Enter the IP address
5. Enter the secret key
6. Choose the appropriate protocols
7. Make any other necessary selections and click Submit and Apply

Interface Configuration
The selection made in the Interface Configuration window controls the display of options in the user interface.

External User Database
1. Click the External User Databases button on the navigation bar
2. Click Database Configuration
3. Click Windows Database

Windows User Database Configuration
4. Click Configure
5. Configure options

Configuring a TACACS+ Server
• Configuring the Unknown User Policy
• Configuring Database Group Mappings
• Configuring Users

Configuring the Unknown User Policy
1. Click External User Databases on the navigation bar
2. Click Unknown User Policy
3. Place a check in the box
4. Choose the database from the list and click the right arrow to move it to the Selected list
5. Manipulate the databases to reflect the order in which each will be checked
6. Click Submit

Group Setup
Database group mappings – Control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another
1. Click Group Setup on the navigation bar
2. Choose the group to edit and click Edit Settings
3. Click Permit in the Unmatched Cisco IOS commands option
4. Check the Command check box and select an argument
5. For the Unlisted Arguments option, click Permit

User Setup
1. Click User Setup on the navigation bar
2. Enter a username and click Add/Edit
3. Enter the data to define the user account
4. Click Submit

Server-Based AAA Authentication
• Overview
• Using SDM
• Troubleshooting

Overview
• CLI aaa authentication Command
• Sample Configuration

Configuring Server-Based AAA Authentication
1. Globally enable AAA to allow the use of all AAA elements (a prerequisite)
2. Specify the Cisco Secure ACS that will provide AAA services for the network access server
3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS
4. Configure the AAA authentication method list

aaa authentication Command

  R1(config)# aaa authentication type { default | list-name } method1 … [method4]

  R1(config)# aaa authentication login default ?
    enable         Use enable password for authentication.
    group          Use Server-group
    krb5           Use Kerberos 5 authentication.
    krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
    line           Use line password for authentication.
    local          Use local username authentication.
    local-case     Use case-sensitive local username authentication.
    none           NO authentication.
    passwd-expiry  enable the login list to provide password aging support

  R1(config)# aaa authentication login default group ?
    WORD     Server-group name
    radius   Use list of all Radius hosts.
    tacacs+  Use list of all Tacacs+ hosts.

  R1(config)# aaa authentication login default group

Sample Configuration
• Multiple RADIUS servers can be identified by entering a radius-server command for each
• For TACACS+, the single-connection keyword maintains a single TCP connection for the life of the session

(Figure: R1 with two AAA servers, 192.168.1.100 and 192.168.1.101: a Cisco Secure ACS Solution Engine using TACACS+ and Cisco Secure ACS for Windows using RADIUS. TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.)

  R1(config)# aaa new-model
  R1(config)#
  R1(config)# radius-server host 192.168.1.100
  R1(config)# radius-server key RADIUS-Pa55w0rd
  R1(config)#
  R1(config)# tacacs-server host 192.168.1.101 single-connection
  R1(config)# tacacs-server key TACACS+Pa55w0rd
  R1(config)#
  R1(config)# aaa authentication login default group tacacs+ group radius local-case
  R1(config)#

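How IOS walks the method list "group tacacs+ group radius local-case" from this slide, modelled as an added example (not Cisco code). The rule it demonstrates, which also underlies the method keyword table on slide 23: a method that answers PASS or FAIL ends the evaluation, and only ERROR (no server in the group responded) falls through to the next method. The server addresses are the slide's; the user databases, reachability flags and class names are constructed for the model.

```python
"""Method-list evaluation for
   aaa authentication login default group tacacs+ group radius local-case
Added model, not Cisco code. Passwords sit in plain dicts purely to drive the
model; server addresses are the slide's, everything else is constructed."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class AaaServer:
    """One TACACS+ or RADIUS host; 'reachable' stands for 'answered within the timeout'."""
    def __init__(self, addr, users, reachable=True):
        self.addr, self.users, self.reachable = addr, users, reachable


class ServerGroup:
    """'group tacacs+' / 'group radius': hosts are tried in order; the first host
    that answers decides (PASS or FAIL); silence from every host is ERROR."""
    def __init__(self, name, servers):
        self.name, self.servers = name, servers

    def authenticate(self, user, password):
        for srv in self.servers:
            if not srv.reachable:
                continue                          # dead host: try the next one in the group
            return PASS if srv.users.get(user) == password else FAIL
        return ERROR                              # whole group down: next method decides


class LocalCase:
    """'local-case': case-sensitive lookup in the router's own username database."""
    name = "local-case"

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return PASS if self.users.get(user) == password else FAIL


class NoneMethod:
    """'none': accepts everyone. Included only to make its effect as a fallback visible."""
    name = "none"

    def authenticate(self, user, password):
        return PASS


def run_method_list(methods, user, password):
    """Return (result, trail). Only ERROR moves on to the next method; PASS and FAIL
    are final, so a rejection by the first reachable server is never retried elsewhere."""
    trail = []
    for method in methods:
        result = method.authenticate(user, password)
        trail.append((method.name, result))
        if result != ERROR:
            return result, trail
    return ERROR, trail                           # every method errored: the login is denied


def default_list(tacacs_up=True, radius_up=True, fallback="local-case"):
    """Build the slide's list. JR-ADMIN exists only on the servers, ADMIN only locally
    (constructed split, chosen to show what an outage does to each kind of account)."""
    tacacs = ServerGroup("group tacacs+",
                         [AaaServer("192.168.1.101", {"JR-ADMIN": "Str0ngPa55w0rd"}, tacacs_up)])
    radius = ServerGroup("group radius",
                         [AaaServer("192.168.1.100", {"JR-ADMIN": "Str0ngPa55w0rd"}, radius_up)])
    methods = [tacacs, radius]
    if fallback == "local-case":
        methods.append(LocalCase({"ADMIN": "Str0ng5rPa55w0rd"}))
    elif fallback == "none":
        methods.append(NoneMethod())
    return methods
```

The trail shows the two operational consequences: while a server answers, the local account is never consulted, so it is purely a break-glass credential; once every server is down, a server-only account such as JR-ADMIN cannot log in at all, while "none" as the last method would turn the outage into unauthenticated access, which is why the chapter's configurations fall back to "local-case" or "enable" instead.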
Using SDM
• Add TACACS Support
• Create an AAA Login Method
• Apply Authentication Policy

Add TACACS Support
(Figure: SDM AAA Servers dialog for the server at 192.168.1.101)
1. Choose Configure > Additional Tasks > AAA > AAA Servers and Groups > AAA Servers
2. Click Add
3. Choose TACACS+
4. Enter the IP address (or hostname) of the AAA server
5. Check the Single Connection check box to maintain a single connection
6. Check the Configure Key box to encrypt traffic
7. Click OK

Create AAA Login Method
1. Choose Configure > Additional Tasks > AAA > Authentication Policies > Login
2. Click Add
3. Choose User Defined
4. Enter the name
5. Click Add
6. Choose group tacacs+ from the list
7. Click OK
8. Click Add to add a backup method
9. Choose enable from the list
10. Click OK twice

Apply Authentication Policy
1. Choose Configure > Additional Tasks > Router Access > VTY
2. Click Edit
3. Choose the authentication policy to apply

Troubleshooting Server-Based AAA Authentication
• Sample debug aaa authentication
• Sample debug tacacs|radius Command

Sample Commands
• The debug aaa authentication command provides a view of login activity
• For successful TACACS+ login attempts, a status message of PASS results

  R1# debug aaa authentication
  AAA Authentication debugging is on
  R1#
  14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
  14:01:17: TAC+: send AUTHEN/CONT packet
  14:01:17: TAC+ (567936829): received authen response status = PASS
  14:01:17: AAA/AUTHEN (567936829): status = PASS

Sample Commands

  R1# debug radius ?
    accounting      RADIUS accounting packets only
    authentication  RADIUS authentication packets only
    brief           Only I/O transactions are recorded
    elog            RADIUS event logging
    failover        Packets sent upon fail-over
    local-server    Local RADIUS server
    retransmit      Retransmission of packets
    verbose         Include non essential RADIUS debugs
    <cr>
  R1# debug radius

  R1# debug tacacs ?
    accounting      TACACS+ protocol accounting
    authentication  TACACS+ protocol authentication
    authorization   TACACS+ protocol authorization
    events          TACACS+ protocol events
    packet          TACACS+ packets
    <cr>

Server-Based AAA Authorization and Accounting
• Configuring Server-Based AAA Authorization
• Configuring Server-Based AAA Accounting

Server-Based AAA Authorization
• Overview
• AAA Authorization Command
• Configuring Authorization Using SDM – Character Mode
• Configuring Authorization Using SDM – Packet Mode

AAA Authorization Overview
• The TACACS+ protocol allows the separation of authentication from authorization.
• Can be configured to restrict the user to performing only certain functions after successful authentication.
• Authorization can be configured for
  - character mode (exec authorization)
  - packet mode (network authorization)
• RADIUS does not separate the authentication from the authorization process

(Figure: command authorization exchange between the router and the TACACS+ server)
  User enters: show version
  Router → Server: Command authorization for user JR-ADMIN, command "show version"?
  Server → Router: Accept
  Router: Display "show version" output
  User enters: configure terminal
  Router → Server: Command authorization for user JR-ADMIN, command "config terminal"?
  Server → Router: Reject
  Router: Do not permit "configure terminal"

AAA Authorization Commands
• To configure command authorization, use:
  aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]
• Service types of interest include:
  - commands level – For exec (shell) commands
  - exec – For starting an exec (shell)
  - network – For network services (PPP, SLIP, ARAP)

  R1# conf t
  R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
  R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default group tacacs+
  R1(config)# aaa authentication login TELNET-LOGIN local-case
  R1(config)# aaa authorization exec default group tacacs+
  R1(config)# aaa authorization network default group tacacs+
  R1(config)# line vty 0 4
  R1(config-line)# login authentication TELNET-LOGIN
  R1(config-line)# ^Z

Using SDM to Configure Authorization – Character Mode
1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Exec
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
6. Click OK
7. Click OK to return to the Exec Authorization window

Using SDM to Configure Authorization – Packet Mode
1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Network
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
6. Click OK
7. Click OK to return to the Exec Authorization pane

Configure Server-Based AAA Accounting
• Overview
• AAA Accounting Commands

AAA Accounting Overview
• Provides the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered
• To configure AAA accounting using named method lists:
  aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
• Supports six different types of accounting: network, connection, exec, system, commands level, and resource.

AAA Accounting Commands
• aaa accounting exec default start-stop group tacacs+ – Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for user EXEC terminal sessions.
• aaa accounting network default start-stop group tacacs+ – Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for all network-related service requests.

  R1# conf t
  R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
  R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default group tacacs+
  R1(config)# aaa authentication login TELNET-LOGIN local-case
  R1(config)# aaa authorization exec default group tacacs+
  R1(config)# aaa authorization network default group tacacs+
  R1(config)# aaa accounting exec default start-stop group tacacs+
  R1(config)# aaa accounting network default start-stop group tacacs+
  R1(config)# line vty 0 4
  R1(config-line)# login authentication TELNET-LOGIN
  R1(config-line)# ^Z

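What "start-stop" buys over "stop-only", shown on constructed exec-accounting records. This is an added example, not Cisco or ACS output; the record format, task ids and timestamps are invented for it. The script pairs start and stop records by task id to compute session durations and lists sessions that have started but not stopped; when the same records are reduced to what stop-only accounting would have produced, the still-open session vanishes from the report.

```python
"""Reconcile start/stop accounting records into closed and open EXEC sessions.

Added example, not Cisco/ACS code. ACCOUNTING_LOG is constructed: its layout
only imitates what a TACACS+ server might log for
  aaa accounting exec default start-stop group tacacs+
"""
from datetime import datetime

# Constructed records: date time user port client-address start|stop key=value...
ACCOUNTING_LOG = """\
2008-12-27 10:11:28 JR-ADMIN tty1 192.168.1.10 start task_id=21 service=shell
2008-12-27 10:40:02 JR-ADMIN tty1 192.168.1.10 stop task_id=21 service=shell elapsed_time=1714
2008-12-27 11:05:10 ADMIN tty2 192.168.1.11 start task_id=22 service=shell
"""


def parse_records(text):
    """Turn each log line into a dict; trailing key=value pairs become fields."""
    records = []
    for line in text.splitlines():
        date, clock, user, port, addr, kind, *attrs = line.split()
        rec = {"time": datetime.fromisoformat(f"{date} {clock}"), "user": user,
               "port": port, "addr": addr, "kind": kind}
        rec.update(a.split("=", 1) for a in attrs)
        records.append(rec)
    return records


def reconcile(records, now):
    """Pair start and stop by (user, port, task_id). Returns closed sessions with
    their duration in seconds and sessions still open at 'now' with their age."""
    starts, closed = {}, []
    for rec in sorted(records, key=lambda r: r["time"]):
        key = (rec["user"], rec["port"], rec["task_id"])
        if rec["kind"] == "start":
            starts[key] = rec
        elif rec["kind"] == "stop":
            start = starts.pop(key, None)
            if start is not None:
                seconds = int((rec["time"] - start["time"]).total_seconds())
            else:
                # no start record seen (stop-only accounting): fall back to the
                # elapsed_time the device reported in the stop record
                seconds = int(rec.get("elapsed_time", 0))
            closed.append((*key, seconds))
    open_sessions = [(*k, int((now - s["time"]).total_seconds())) for k, s in starts.items()]
    return {"closed": closed, "open": open_sessions}


def stop_only_view(records):
    """The same log as 'stop-only' accounting would have produced."""
    return [r for r in records if r["kind"] != "start"]
```

With start-stop records the report can say who is logged in right now and for how long, which is what an on-call engineer needs during an incident; with stop-only the same session is invisible until it ends, and its duration is whatever the device chose to report.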