Implementing Cisco AAA

AAA Implementation Presenter: Deniz Kaya

Upload: dkaya

Post on 26-May-2015

DESCRIPTION

This is from the seminar where we made several demonstrations with the Cisco ACS Server and Microsoft RADIUS IAS.

TRANSCRIPT

Page 1: Implementing Cisco AAA

AAA Implementation

Presenter: Deniz Kaya

Page 2: Implementing Cisco AAA

Outline

– Overview

– Identification and Authentication

– Introduction to AAA for Cisco Routers

– Authenticating Remote Access

– TACACS+ and RADIUS AAA Protocols

– Authentication Methods

– Point-to-Point Authentication Protocols

– Authenticating Router Access

– Configuring AAA for Cisco Routers

– Troubleshooting AAA on Cisco Routers

– Configuring AAA with Cisco SDM

– Summary

Page 3: Implementing Cisco AAA

AAA Model—Network Security Architecture

• Authentication

– Who are you?

– “I am user student and my password validateme proves it.”

• Authorization

– What can you do? What can you access?

– “User student can access host serverXYZ using Telnet.”

• Accounting

– What did you do? How long did you do it? How often did you do it?

– “User student accessed host serverXYZ using Telnet for 15 minutes.”

Page 4: Implementing Cisco AAA

Implementing Cisco AAA

• Administrative access—console, Telnet, and auxiliary access

• Remote user network access—Dial-up or VPN access

[Diagram: a Remote Client (Dial-Up Client) over the PSTN and ISDN and a Remote Client (VPN Client) over the Internet reach the NAS and router, which consult a Cisco Secure ACS for Windows Server or a Cisco Secure ACS Solution Engine; the corporate file server and the console are also shown. PSTN = public switched telephone network]

Page 5: Implementing Cisco AAA

Implementing Authentication Using Local Services

1. The client establishes a connection with the router.

2. The router prompts the user for a username and password.

3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.

[Diagram: Remote Client connecting to the Perimeter Router; the numbered steps 1 to 3 correspond to the list above]

Page 6: Implementing Cisco AAA

Implementing Authentication Using External Servers

1. The client establishes a connection with the router.

2. The router prompts the user for a username and password.

3. The router passes the username and password to the Cisco Secure ACS (server or engine).

4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.

[Diagram: Remote Client, Perimeter Router, and Cisco Secure ACS for Windows Server or Cisco Secure ACS Solution Engine; the numbered steps 1 to 4 correspond to the list above]

Page 7: Implementing Cisco AAA

TACACS+ and RADIUS AAA Protocols

• Two different protocols are used to communicate between the AAA security servers and authenticating devices.

• Cisco Secure ACS supports both TACACS+ and RADIUS:

– TACACS+ remains more secure than RADIUS.

– RADIUS has a robust application programming interface and strong accounting.

[Diagram: Router, Firewall and Network Access Server communicating with the Cisco Secure ACS security server over TACACS+ or RADIUS]

Page 8: Implementing Cisco AAA

Authentication Methods and Ease of Use

[Chart: authentication methods ranked by authentication strength (weak to strongest) against ease of use (high to low)]

From strongest to weakest:

Token cards or soft tokens using OTPs

S/Key (OTP for terminal login)

Username and password (aging)

Username and password (static)

No username or password

Page 9: Implementing Cisco AAA

Authentication—Remote PC Username and Password

Microsoft Windows dial-up networking connection: Username and Password fields

[Diagram: Microsoft Windows Remote PC sends the username and password (TCP/IP, PPP) over the PSTN or ISDN to the NAS, which consults the Security Server]

Page 10: Implementing Cisco AAA

Authentication—Token Cards and Servers

[Diagram: Cisco Secure ACS with an OTP Token Server; numbered exchange steps 1 to 4]

Page 11: Implementing Cisco AAA

AAA Example—Authentication via PPP Link

• Password Authentication Protocol

– Clear text, repeated password

– Subject to eavesdropping and replay attacks

• Challenge Handshake Authentication Protocol

– Secret password, per remote user

– Challenge sent on link (random number)

– Challenge can be repeated periodically to prevent session hijacking

– CHAP response is Message Digest 5 hash of (challenge + secret) that provides authentication

– Robust against sniffing and replay attacks

• MS-CHAP version 1 is supported in Cisco IOS Release 11.3 and later; MS-CHAP version 1 or version 2 is supported in Cisco IOS Release 12.2 and later.

[Diagram: Client connecting over the PSTN or ISDN via PPP (TCP/IP and PPP) to the Network Access Server]
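The CHAP exchange described above, as an added example that is not part of the original slides: the client hashes the identifier, the shared secret and the challenge with MD5 in the order RFC 1994 specifies, and the NAS accepts each random challenge only once, so a captured response cannot be replayed. The username, secret and challenge size are constructed values.

```python
import hashlib
import hmac
import os

# Added example, not the presenter's code: a CHAP exchange between a client and
# a NAS.  The response is MD5(identifier || secret || challenge) in the order
# RFC 1994 specifies; only the challenge and the hash cross the link.

SHARED_SECRET = b"per-user-secret"        # constructed sample secret

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side: hash the identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """NAS side: issues fresh random challenges and verifies the responses."""
    def __init__(self, secrets):
        self.secrets = secrets            # username -> shared secret
        self.identifier = 0
        self.outstanding = {}             # identifier -> challenge in flight

    def challenge(self):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, username, response) -> bool:
        chal = self.outstanding.pop(identifier, None)   # each challenge is used once
        secret = self.secrets.get(username)
        if chal is None or secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)

def demo():
    """Return (genuine, replayed, wrong_secret) verification results."""
    nas = ChapAuthenticator({"student": SHARED_SECRET})
    ident, chal = nas.challenge()
    resp = chap_response(ident, SHARED_SECRET, chal)
    genuine = nas.verify(ident, "student", resp)
    # A captured response replayed against a later challenge does not verify.
    ident2, _ = nas.challenge()
    replayed = nas.verify(ident2, "student", resp)
    # A peer holding the wrong secret fails a fresh challenge.
    ident3, chal3 = nas.challenge()
    wrong = nas.verify(ident3, "student", chap_response(ident3, b"guess", chal3))
    return genuine, replayed, wrong
```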

Page 12: Implementing Cisco AAA

Authenticating Router Access

[Diagram: administrative access to the router from a Telnet host on the LAN, from the console, and from a remote LAN or remote router across the Internet (Remote Router Administrative Access, Remote LAN Network Access)]

Page 13: Implementing Cisco AAA

Router Local Authentication Configuration Process

Here are the general steps required to configure a Cisco router for local authentication:

• Step 1: Secure access to privileged EXEC mode.

• Step 2: Enable AAA globally on the perimeter router with the aaa new-model command.

• Step 3: Configure AAA authentication lists.

• Step 4: Configure AAA authorization for use after the user has passed authentication.

• Step 5: Configure the AAA accounting options for how you want to write accounting records.

• Step 6: Verify the configuration.

Page 14: Implementing Cisco AAA

Enable AAA Globally Using the aaa new-model Command

aaa new-model

router(config)# aaa new-model

• Establishes AAA section in configuration file

username username password password

router(config)# username Joe106 password 1MugOJava

• Sets username and password

aaa authentication login default local

router(config)# aaa authentication login default local

• Helps prevent administrative access lockout while configuring AAA

Page 15: Implementing Cisco AAA

aaa authentication Commands

• These aaa authentication commands are available in Cisco IOS Releases 12.2 and later.

• Each of these commands has its own syntax and options (methods).

All of the following are entered in global configuration mode (router(config)#):

aaa authentication arap

aaa authentication banner

aaa authentication enable default

aaa authentication fail-message

aaa authentication local-override

aaa authentication login

aaa authentication nasi

aaa authentication password-prompt

aaa authentication ppp

aaa authentication username-prompt

Page 16: Implementing Cisco AAA

aaa authentication login Command

router(config)# aaa authentication login {default | list-name} method1 [method2...]

router(config)# aaa authentication login default enable

router(config)# aaa authentication login console-in local

router(config)# aaa authentication login tty-in line

Page 17: Implementing Cisco AAA

aaa authentication ppp Command

router(config)# aaa authentication ppp {default | list-name} method1 [method2...]

router(config)# aaa authen ppp default local

router(config)# aaa authen ppp dial-in local none

Page 18: Implementing Cisco AAA

aaa authentication enable default Command

router(config)# aaa authentication enable default method1 [method2...]

router(config)# aaa authentication enable default group tacacs+ enable none
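How IOS walks the method lists used by the login, ppp and enable commands above, as an added model that is not from the slides: a later method is consulted only when the earlier one could not answer (an error such as an unreachable server), never when it rejected the credentials, so the trailing none in the enable list is a last resort for a dead server rather than a bypass of a wrong password. The model assumes that an unconfigured enable secret or an empty local database counts as an error; usernames, passwords and server states are constructed.

```python
from enum import Enum

# Added example, not the presenter's code: a model of how Cisco IOS walks a
# method list.  Next method only on ERROR (server unreachable, secret or local
# users not configured), never on FAIL (credentials rejected); 'none' always
# passes.  All usernames, passwords and server states below are constructed.

class R(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"
def run_method(method, user, password, env):
    """Evaluate one method against the constructed environment `env`."""
    if method == "none":
        return R.PASS
    if method == "enable":
        secret = env.get("enable_secret")
        if secret is None:
            return R.ERROR                      # no enable secret configured (assumption)
        return R.PASS if password == secret else R.FAIL
    if method == "local":
        users = env.get("local_users", {})
        if not users:
            return R.ERROR                      # empty local username database (assumption)
        return R.PASS if users.get(user) == password else R.FAIL
    if method in ("group tacacs+", "group radius"):
        server = env.get("servers", {}).get(method.split()[1])
        if server is None or not server["reachable"]:
            return R.ERROR                      # no reply from the server group
        return R.PASS if server["users"].get(user) == password else R.FAIL
    raise ValueError(f"unknown method {method!r}")
def evaluate(method_list, user, password, env):
    """Return (result, deciding_method) for an IOS-style method list."""
    for method in method_list:
        result = run_method(method, user, password, env)
        if result is not R.ERROR:
            return result, method
    return R.ERROR, None                        # every method errored out

def make_env(tacacs_reachable, enable_secret=None):
    return {"servers": {"tacacs+": {"reachable": tacacs_reachable, "users": {"admin": "srv-pw"}}},
            "enable_secret": enable_secret}

def demo():
    # 'aaa authentication enable default group tacacs+ enable none' from the slide
    methods = ["group tacacs+", "enable", "none"]
    return {"server rejects": evaluate(methods, "admin", "wrong", make_env(True, "en-pw")),
            "server down, enable ok": evaluate(methods, "admin", "en-pw", make_env(False, "en-pw")),
            "server down, enable wrong": evaluate(methods, "admin", "wrong", make_env(False, "en-pw")),
            "no server, no secret": evaluate(methods, "admin", "", make_env(False))}
```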

Page 19: Implementing Cisco AAA

Apply Authentication Commands to Lines and Interfaces

• Authentication commands can be applied to lines or interfaces.

router(config)# line console 0

router(config-line)# login authentication console-in

router(config)# int s3/0

router(config-if)# ppp authentication chap dial-in

Note: It is recommended that you always define a default list for AAA to provide “last resort” authentication on all lines and interfaces protected by AAA.

Page 20: Implementing Cisco AAA

aaa authorization Command

router(config)# aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

router(config)# aaa authorization commands 1 alpha local

router(config)# aaa authorization commands 15 bravo local

router(config)# aaa authorization network charlie local none

router(config)# aaa authorization exec delta if-authenticated

router(config)# aaa authorization commands 15 default local

Page 21: Implementing Cisco AAA

aaa accounting Command

router(config)# aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname

router(config)# aaa accounting commands 15 default stop-only group tacacs+

router(config)# aaa accounting auth-proxy default start-stop group tacacs+

Page 22: Implementing Cisco AAA

Troubleshooting AAA Using debug Commands

router# debug aaa authentication

• Use this command to help troubleshoot AAA authentication problems

router# debug aaa accounting

• Use this command to help troubleshoot AAA accounting problems

router# debug aaa authorization

• Use this command to help troubleshoot AAA authorization problems

Page 23: Implementing Cisco AAA

Troubleshooting AAA Using the debug aaa authentication Command

router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
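A small parser for the debug aaa authentication output shown above, added here as an example that is not part of the slides: it groups AAA/AUTHEN lines by session id, picks up the port, the username from continue_login, the method, and the last status, and lists the sessions that ended in FAIL. The sample lines are constructed to mirror the format above, including a second, failed session that the slide does not show.

```python
import re
from collections import defaultdict

# Added example, not the presenter's code: parse 'debug aaa authentication'
# output into one record per AAA session (port, user, method, final status).
# The sample lines are constructed to mirror the format shown above.

LINE_RE = re.compile(r"^\d+: (?P<ts>\w+ +\d+ [\d:.]+ \w+): AAA/AUTHEN(?:/(?P<phase>\w+))? "
                     r"\((?P<session>\d+)\): (?P<body>.*)$")

SAMPLE = """\
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='(undef)')
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login(user='diallocal')
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
113140: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097691): port='tty2' list='' action=LOGIN service=LOGIN
113141: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097691): Method=LOCAL
113145: Feb 4 10:12:05.310 CST: AAA/AUTHEN/CONT (2784097691): continue_login(user='guest')
113146: Feb 4 10:12:05.310 CST: AAA/AUTHEN (2784097691): status = FAIL
"""

def parse_sessions(text):
    """Group AAA/AUTHEN lines by session id; the last 'status =' seen is final."""
    sessions = defaultdict(lambda: {"port": None, "user": None, "method": None, "status": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # AAA/MEMORY, ACCT and other noise
        rec = sessions[m["session"]]
        body = m["body"]
        if (p := re.search(r"port='([^']*)'", body)):
            rec["port"] = p.group(1)
        if (u := re.search(r"continue_login\(user='([^']*)'\)", body)):
            rec["user"] = None if u.group(1) == "(undef)" else u.group(1)
        if (mth := re.search(r"Method=(\w+)", body)):
            rec["method"] = mth.group(1)
        if (st := re.search(r"status = (\w+)", body)):
            rec["status"] = st.group(1)
    return dict(sessions)

def failed_logins(text):
    """(user, port) for every session whose final status is FAIL."""
    return [(s["user"], s["port"]) for s in parse_sessions(text).values()
            if s["status"] == "FAIL"]
```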

Page 24: Implementing Cisco AAA

Troubleshooting AAA Using the debug aaa accounting Command

router# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Page 25: Implementing Cisco AAA

Configuring AAA with Cisco SDM

[Screenshots: configuring AAA in Cisco SDM, numbered steps 1 to 3]

Page 26: Implementing Cisco AAA

Summary

• AAA services provide a higher degree of scalability than line-level and privileged EXEC authentication.

• AAA services may be self-contained in the router or network access server (NAS) itself. This form of authentication is also known as local authentication.

• In situations where local authentication will not scale well, such as many remote clients connecting to the network from different locations, it is better to implement a remote security database.

• TACACS+ and RADIUS are the two predominant AAA protocols used by Cisco security appliances, routers, and switches for implementing AAA with a remote security database.

• The most common authentication method is the use of a username and password. Authentication strength varies from the weakest, a database of usernames and passwords, to the strongest, OTPs.

• PPP enables authentication between remote clients and servers using PAP, CHAP, or MS-CHAP.

• Administrative access to a router and remote LAN access through perimeter routers are secured using aaa commands.

• To configure AAA for local authentication on a router, first enable AAA with the aaa new-model command, second specify a username and password with the username username password password command, and third specify local authentication with the aaa authentication login default local command.

• There are three commands to use when debugging AAA: debug aaa authentication, debug aaa authorization, and debug aaa accounting.

• You can configure AAA with Cisco SDM by following the Configure > Additional Tasks > AAA path.

Page 27: Implementing Cisco AAA

New Horizons' Partners