Documente Academic
Documente Profesional
Documente Cultură
AAA Components
AAA network security services provide the primary framework to set up access con
trol on a network device. AAA is a way to control who is permitted to access a n
etwork (authenticate), what they can do while they are there (authorize), and to
audit what actions they performed while accessing the network (accounting). It
provides a higher degree of scalability than the con, aux, vty and privileged EX
EC authentication commands alone.
Network and administrative AAA security in the Cisco environment has several fun
ctional components:
Authentication - Users and administrators must prove that they are who they say
they are. Authentication can be established using username and password combinat
ions, challenge and response questions, token cards, and other methods. For exam
ple: I am user student . I know the password to prove that I am user student .
Authorization - After the user is authenticated, authorization services determin
e which resources the user can access and which operations the user is allowed t
o perform. An example is User student can access host serverXYZ using Telnet only.
Accounting and auditing - Accounting records what the user does, including what
is accessed, the amount of time the resource is accessed, and any changes that w
ere made. Accounting keeps track of how network resources are used. An example i
s "User 'student' accessed host serverXYZ using Telnet for 15 minutes."
This concept is similar to the use of a credit card, as indicated by the figure.
The credit card identifies who can use it, how much that user can spend, and ke
eps account of what items the user spent money on.
Authentication Modes
AAA Authentication
AAA can be used to authenticate users for administrative access or it can be use
d to authenticate users for remote network access. These two access methods use
different modes to request AAA services, as shown in Figure 1:
Character mode - A user sends a request to establish an EXEC mode process with t
he router for administrative purposes.
Packet mode - A user sends a request to establish a connection through the route
r with a device on the network.
With the exception of accounting commands, all AAA commands apply to both charac
ter mode and packet mode. This topic focuses on securing character mode access.
For a truly secure network, it is important to also configure the router for sec
ure administrative access and remote LAN network access using AAA services as we
ll. Cisco provides two common methods of implementing AAA services.
Local AAA Authentication
Local AAA uses a local database for authentication. This method stores usernames
and passwords locally in the Cisco router, and users authenticate against the l
ocal database, as shown in Figure 2. This database is the same one required for
establishing role-based CLI. Local AAA is ideal for small networks.
Server-Based AAA Authentication
The server-based method uses an external database server resource that leverages
RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Serve
r (ACS) for Windows Server, as shown in Figure 3, Cisco Secure ACS Solution Engi
ne, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA
is more appropriate.
Note: In this course the focus is on implementing network security with IPv4 on
Cisco routers, switches, and Adaptive Security Appliances. On occasion, referenc
es are made to IPv6-specific technologies and protocols.
Authorization
After users are successfully authenticated against the selected AAA data source,
either local or server-based, they are then authorized for specific network res
ources, as shown in the figure. Authorization is basically what a user can and c
annot do on the network after that user is authenticated, similar to how privile
ge levels and role-based CLI give users specific rights and privileges to certai
n commands on the router.
Author
to the n
the AA
delive
Authorization is automatic and does not require users to perform additional step
s after authentication. Authorization is implemented immediately after the user
is authenticated.
Accounting
AAA Accounting
Accounting collects and reports usage data so that it can be employed for purpos
es such as auditing or billing. The collected data might include the start and s
top connection times, executed commands, number of packets, and number of bytes.
Accounting is implemented using an AAA server-based solution. This service repor
ts usage statistics back to the ACS server. These statistics can be extracted to
create detailed reports about the configuration of the network.
One widely deployed use of accounting is combining it with AAA authentication fo
r managing access to internetworking devices by network administrative staff. Ac
counting provides more security than just authentication. The AAA servers keep a
detailed log of exactly what the authenticated user does on the device, as show
n in Figure 1. Further descriptions of the different types of accounting that is
logged is shown in Figure 2. This includes all EXEC and configuration commands
issued by the user. The log contains numerous data fields, including the usernam
e, the date and time, and the actual command that was entered by the user. This
information is useful when troubleshooting devices. It also provides leverage ag
ainst individuals who perform malicious actions.
Authentication Methods
To enable AAA, use the aaa new-model global configuration command. To disable AA
A, use the no form of this command.
After AAA is enabled, to configure authentication on vty ports, asynchronous lin
es (tty), the auxiliary port, or the console port, define a named list of authen
tication methods and then apply that list to the various interfaces.
To define a named list of authentication methods, use the aaa authentication log
in command, as shown in Figure 1. This command requires a list name and the auth
entication methods. The list name identifies the list of authentication methods
activated when a user logs in. The method list is a sequential list describing t
he authentication methods to be queried for authenticating a user. Method lists
enable an administrator to designate one or more security protocols for authenti
cation. Using more than one protocol provides a backup system for authentication
in case the initial method fails.
Several keywords can be used to indicate the method, as shown in Figure 2. To en
able local authentication using a preconfigured local database, use the keyword
local or local-case. The difference between the two options is that local accept
s a username regardless of case, and local-case is case-sensitive. To specify th
at a user can authenticate using the enable password, use the enable keyword. To
ensure that the authentication succeeds even if all methods return an error, sp
ecify none as the final method. For security purposes, use the none keyword only
when testing the AAA configuration. It should never be applied on a live networ
k. For example, the enable method could be configured as a fallback mechanism in
case the username and password is forgotten.
aaa authentication login TELNET-ACCESS local enable
In this example, an AAA authentication list named TELNET-ACCESS is created that
requires users to attempt to authenticate to the router local user database firs
t. If that attempt returns an error, such as a local user database which is not
configured, the user can attempt to authenticate by knowing the enable password.
This command has no effect unless the TELNET-ACCESS authentication method is sp
all locked-out users, use the show aaa local user lockout c
EXEC mode, as shown in Figure 2. Use the clear aaa local us
username | all} command in privileged EXEC mode to unlock a
unlock all locked users.
The aaa local authentication attempts max-fail command differs from the login de
lay command in how it handles failed attempts. The aaa local authentication atte
mpts max-fail command locks the user account if the authentication fails. This a
ccount stays locked until it is cleared by an administrator. The login delay com
mand introduces a delay between failed login attempts without locking the accoun
t.
When a user logs into a Cisco router and uses AAA, a unique ID is assigned to th
e session. Throughout the life of the session, various attributes that are relat
ed to the session are collected and stored internally within the AAA database. T
hese attributes can include the IP address of the user, the protocol that is use
d to access the router, such as PPP or Serial Line Internet Protocol (SLIP), the
speed of the connection, and the number of packets or bytes that are received o
r transmitted.
To display the attributes that are collected for a AAA session, use the show aaa
user {all | unique id} command in privileged EXEC mode. This command does not p
rovide information for all users who are logged into a device, but only for thos
e who have been authenticated or authorized using AAA or whose sessions are bein
g accounted for by the AAA module.
The show aaa sessions command can be used to show the unique ID of a session, as
shown in Figure 3.
Use the Syntax Checker to configure router R1 in Figure 4.
Configure a JR-ADMIN account with encrypted password Str0ngpa55w0rd and an ADMIN
account with encrypted password Str0ng5rPa55w0rd. Enable AAA on the router and
configure two method lists:
The default authentication list has the primary method as local case-sensitive l
ogin with the enable secret as backup.
The second authentication list is named TELNET-LOGIN and has only one method, lo
cal case-sensitive login.
Accounts are configured to be locked out after a maximum of 3 unsuccessful attem
pts.
The TELNET-LOGIN list is applied to the virtual terminal lines.
View the current AAA sessions on R1.
Enable AAA
AAA can be enabled using CCP. To verify the AAA configuration and to enable or d
isable AAA, choose Configure > Router > AAA > AAA Summary see Figure 1. The curr
ent status of AAA will display in the window along with a button to either enabl
e or disable AAA depending on the current setting. If AAA is currently disabled,
click the Enable AAA button, as shown in Figure 2. CCP will display an informat
ional message stating that configuration changes will be made to prevent loss of
access to the device. Click Yes to continue.
If the Disable AAA button is clicked, CCP displays an informational message stat
ing that it will make configuration changes to ensure that the router can be acc
essed after AAA is disabled.
Debug Options
The Cisco router has debug commands that are useful for troubleshooting authenti
cation issues. The debug aaa command contains several keywords that can be used
for this purpose, as shown in the figure. Of special interest is the debug aaa a
uthentication command.
It is important to analyze debug output when everything is working properly. Kno
wing how debug output displays when all is well helps identify problems when thi
ngs are not working properly. Exercise caution when using the debug command in a
production environment because these commands place a significant load on route
r resources and can affect network performance.
TACACS+ Authentication
TACACS+ is a Cisco enhancement to the original TACACS protocol, as shown in the
figure. Despite its name, TACACS+ is an entirely new protocol that is incompatib
le with any previous version of TACACS. TACACS+ is supported by the Cisco family
of routers and access servers.
TACACS+ provides separate AAA services. Separating the AAA services provides fle
xibility in implementation, because it is possible to use TACACS+ for authorizat
ion and accounting while using another method of authentication.
The extensions to the TACACS+ protocol provide more types of authentication requ
ests and response codes than were in the original TACACS specification. TACACS+
offers multiprotocol support, such as IP and AppleTalk. Normal TACACS+ operation
encrypts the entire body of the packet for more secure communications and utili
zes TCP port 49.
RADIUS Authentication
RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protoc
ol for applications such as network access or IP mobility. RADIUS works in both
local and roaming situations and is commonly used for accounting purposes. RADIU
S is currently defined by RFCs 2865, 2866, 2867, and 2868, as shown in the figur
e.
The RADIUS protocol hides passwords during transmission, even with the Password
Authentication Protocol (PAP), using a rather complex operation that involves Me
ssage Digest 5 (MD5) hashing and a shared secret. However, the rest of the packe
t is sent in plaintext.
RADIUS combines authentication and authorization as one process. When a user is
authenticated, that user is also authorized. RADIUS uses UDP port 1645 or 1812 f
or authentication and UDP port 1646 or 1813 for accounting.
RADIUS is widely used by VoIP service providers. It passes login credentials of
a SIP endpoint, such as a broadband phone, to a SIP registrar using digest authe
ntication, and then to a RADIUS server using RADIUS. RADIUS is also a common aut
hentication protocol that is utilized by the 802.1X security standard.
The Diameter protocol is the planned replacement for RADIUS. Diameter uses a new
transport protocol called Stream Control Transmission Protocol (SCTP) and TCP i
nstead of UDP. Diameter will be released as an IETF protocol, with improved secu
rity features relative to RADIUS.
The Cisco TrustSec solution offers two deployment options to address various cus
tomer needs and use cases:
ACS 802.1X-Based Infrastructure solution
NAC Appliance-Based Overlay solution
In the 802.1X infrastructure-based TrustSec approach, the Cisco ACS is the polic
y server which authenticates users connecting to the network. ACS offers central
management of access policies for device administration and for wireless and wi
red 802.1X network access scenarios. Cisco ACS supports both RADIUS and TACACS+
protocols for authentication, authorization and accounting. It is a next-generat
ion network identity and access solution that serves as an administration point
and decision point for policy-based access control.
In the NAC appliance-based TrustSec approach the Cisco NAC Manager is the policy
server that works with the Cisco NAC Server to authenticate users and their dev
ices over wired, wireless, and VPN connections. Both approaches can include the
Cisco NAC Profiler and the Cisco NAC Guest Server to enhance policy-based access
control for employees and guests. Cisco TrustSec integrates with the Cisco Secu
reX architecture to allow the Cisco security portfolio to use network-based iden
tity context for full context-aware firewalling and policy enforcement.
Keep in mind that in the Cisco Secure ACS application, a client is a router, swi
tch, firewall, or VPN concentrator that uses the services of the server.
Network and Port Prerequisites
The network should meet specified requirements before administrators begin deplo
ying Cisco Secure ACS:
Cisco devices that are not Cisco IOS AAA clients must be configured with TACACS+
, RADIUS, or both.
Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA
clients.
The computer running Cisco Secure ACS must be able to reach all AAA clients usin
g ping.
Gateway devices between the Cisco Secure ACS and other network devices must perm
it communication over the ports that are needed to support the applicable featur
e or protocol.
A supported web browser must be installed on the computer running Cisco Secure A
CS. For the most recent information about tested browsers, see the release notes
for the Cisco Secure ACS product on Cisco.com.
All NICs in the computer running Cisco Secure ACS must be enabled. If there is a
disabled network card on the computer running Cisco Secure ACS, installing Cisc
o Secure ACS might proceed slowly because of delays caused by the Microsoft Cryp
toAPI.
After successfully installing Cisco Secure ACS, some initial configuration must
be performed. The only way to configure a Cisco Secure ACS server is through an
HTML interface.
To access the Cisco Secure ACS HTML interface from the computer that is running
Cisco Secure ACS, use the Cisco Secure icon labeled ACS Admin that appears on th
e desktop. Alternatively, enter the following URL into a supported web browser:
http://127.0.0.1:2002.
The Cisco Secure ACS can also be accessed remotely after an administrator user a
ccount is configured. To remotely access the Cisco Secure ACS, enter http://ip_a
ddress[hostname]:2002. After the initial connection, a different port is dynamic
ally negotiated.
r that user. It is for this reason that it is recommended that there be only one
instance of a username in all the external databases.
To establish an external user database connection, you must access the External
User Databases page, as shown in Figure 1.
When configuring the ACS external databases, there are three major configuration
options:
Unknown User Policy - Configures the authentication procedure for users that are
not located in the Cisco Secure ACS database.
Database Group Mappings - Configures what group privileges external database use
rs inherit when Cisco Secure ACS authenticates them. In most cases, when a user
is authenticated by an external user database, the actual privileges are drawn f
rom Cisco Secure ACS and not the external database.
Database Configuration - Defines the external servers that Cisco Secure ACS work
s with.
The Database Configuration screen is used to define the parameters of the extern
al server, as shown in Figure 2. Options include:
RSA SecurID Token Server
RADIUS Token Server
External ODBC Database
Windows Database
LEAP Proxy RADIUS Server
Generic LDAP
The Windows database configuration has more parameters than the other external d
atabase configurations, as shown in Figure 3. Because Cisco Secure ACS is native
to the Windows operating system, administrators can configure additional functi
onality on the Windows External User Database Configuration pane. Administrators
can gain more control over who is able to authenticate to the network, as well
as configuring Dialin Permissions.
In the Dialin Permission section, check the Verify That Grant dialin permissions
to user setting has been enabled from within the Windows Users Manager for users
configured for Windows User Database authentication check box. Also make sure th
at the Grant Dial-in Permissions check box is checked in the Windows profile wit
hin Windows Users Manager, as shown in Figure 4. The Dialin Permissions option o
f Cisco Secure ACS applies to more than just the dialup connections. If a user h
as this option enabled, it applies to any access that a user tries to make.
Another option that can be configured using the Windows external database is map
ping databases to domains. Mapping allows an administrator to have the same user
name across different domains, all with different passwords.
database.
By unknown user policy - Use an external database to authenticate users not foun
d in the Cisco Secure user database. This method does not require administrators
to define users in the Cisco Secure user database.
The External User Database configuration page can be used to configure the unkno
wn user policy, by selecting the Unknown User Policy link, as shown in Figure 1.
When configuring the unknown user policy, the database must be selected from the
External Databases list and placed into the Selected Databases list. This must
be done for each database that Cisco Secure ACS is to use when attempting to aut
henticate unknown users, as shown in Figure 2. The order in which the external d
atabases are listed is the same order in which Cisco Secure ACS checks the selec
ted external databases when attempting to authenticate an unknown user.
Remember that the Interface Configuration page allows the administrator to contr
ol the display of properties on the User Setup page. If there are necessary user
properties that are not present on the User Setup page, the interface configura
tion must be modified.
o encrypt the data transfer between the TACACS+ server and AAA-enabled router. T
his key must be configured exactly the same on the router and the TACACS+ server
.
Configure a RADIUS Server and Encryption Key
To configure a RADIUS server, use the radius-server host ip-address command. Bec
ause RADIUS uses UDP, there is no equivalent single-connection keyword. If requi
red, multiple RADIUS servers can be identified by entering a radius-server host
command for each server.
To configure the shared secret key for encrypting the password, use the radius-s
erver key key command. This key must be configured exactly the same on the route
r and the RADIUS server.
Figure 2 displays a sample TACACS+ and RADIUS server configuration.
Configure Authentication to Use the AAA Server
When the AAA security servers have been identified, the servers must be included
in the method list of the aaa authentication login command. AAA servers are ide
ntified using the group tacacs+ or group radius keywords. Refer to Figure 3 for
the aaa authentication command syntax.
For example, to configure a method list for the default login to authenticate us
ing a RADIUS server, a TACACS+ server, or a local username database, use the com
mand aaa authentication login default group radius group tacacs+ local-case, as
shown in Figure 4.
Note: In IOS 15, the commands and modes for some of these commands have changed.
The commands on this page are still accepted, but the administrator will see a
message such as:
Warning: The CLI will be deprecated soon
'tacacs-server host 192.168.1.101'
Please move to 'tacacs server ' CLI
or
Warning: The CLI will be deprecated soon
'radius-server host 192.168.1.100'
Please move to 'radius server ' CLI.
Use the Syntax Checker in Figure 5 to configure server-based AAA authentication
on router R1. The local username database has been configured and TACACS+ and RA
DIUS servers have been implemented on the network.
Enable AAA.
Configure a persistent TCP connection to the TACACS+ server at 192.168.1.101, wi
th key TACACS+Pa55w0rd.
Enable access to the RADIUS server at 192.168.1.100 with key RADIUS-Pa55w0rd.
Specify a default authentication method list with primary option TACACS+, second
ary method RADIUS, and tertiary option local username case-sensitive authenticat
ion.
Step 1. From the CCP home page, choose Configure > Router > AAA > Authentication
Policies > Login.
Step 2. From the Authentication Login pane, click Add.
Step 3. To create a new authentication login method, choose User Defined from th
e Name drop-down list.
Step 4. Enter the authentication login method list name in the Specify field, fo
r example TACACS_SERVER.
Step 5. Click Add to define the methods that this policy uses. The Select Method
List(s) for Authentication Login window appears.
Step 6. Choose group tacacs+ from the method list.
Step 7. Click OK to add group tacacs+ to the method list and return to the Add a
Method List for Authentication Login window, as shown in the figure.
Step 8. Click Add to add a backup method to this policy. The Select Method List(
s) for Authentication Login window appears.
Step 9. Choose enable from the method list to use the enable password as the bac
kup login authentication method.
Step 10. Click OK to add enable to the method list and return to the Add a Metho
d List for Authentication Login window.
Step 11. In the Deliver Configuration to Device window, click the Deliver button
to deliver the configuration to the router.
The resulting CLI command that CCP generates is aaa authentication login TACACS_
SERVER group tacacs+ enable.
To configure the router to use the Cisco Secure ACS server for authorization, cr
eate a user-defined, or custom, authorization method list or edit the default au
thorization method list. The default authorization method list is automatically
applied to all interfaces except those that have a user-defined authorization me
thod list explicitly applied. A user-defined authorization method list overrides
the default authorization method list. CCP can be used to configure the default
authorization method list for character mode (exec) access, as shown in Figures
1 and 2:
Step 1. From the CCP home page, choose Configure > Router > AAA > Authorization
Policies > EXEC Command Mode.
Step 2. From the Exec Authorization pane, select the default list and click Edit
.
Step 3. From the Edit a Method List for Exec Authorization window, click Add to
define the methods that this policy uses.
Step 4. From the Select Method List(s) for Exec Authorization window, choose gro
up tacacs+ from the method list.
Step 5. Click OK to return to the Edit a Method List for Exec Authorization wind
ow.
Step 6. Click OK to return to the Exec Authorization pane.
The resulting CLI command that CCP generates is aaa authorization exec default g
roup tacacs+.
The resulting CLI command that CCP generates is aaa authorization network defaul
t group tacacs+.