sc labs

Upload: rajiv-mural

Post on 08-Aug-2018


  • 8/22/2019 SC Labs

    1/8

    CCNA Security Chapter 3 - AAA: Authentication, Authorization and Accounting

    A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design specifications are identified in the network security policy. The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources.

    Cisco IOS routers can be configured to use AAA to access:

    - a local username and password database,
    - a Cisco Secure Access Control Server (ACS).

    Cisco ACS is:
    - very scalable, because all infrastructure devices access a central server,
    - fault tolerant, because multiple servers can be configured,
    - often implemented by large organizations.

    AAA Terminology

    Authentication - which users can log in. AAA can be used for PPP, VTY, Console, AUX, VPN and others.
    Authorization - defines what the user can do.
    Accounting - logs actions performed by the user.

    AAA Sources

    - Local Database (running config): local username xxx password xxx database.

    - TACACS+ Server

    - RADIUS Server

    Access Modes

    - Character: used for remote administrative access to VTY, TTY, AUX and Console. AAA can be configured for login, exec and enable.

    - Packet: used for remote network access on async, BRI etc. AAA will be configured for ppp/network.

    Purpose of AAA

    The simplest form of authentication is passwords. This method is configured using a login and password combination on console and vty lines and aux ports.

    username username password password


    AAA Authentication

    - local database (stores usernames and passwords locally in the Cisco router. This database is the same one required for establishing role-based CLI. Local AAA is ideal for small networks). A minimum of one method and a maximum of four methods can be specified for a single method list.

    The Login Password Retry Lockout (attempts max-fail) feature allows system administrators to lock out a local AAA user account after a configured number of unsuccessful attempts by the user to log in using the username that corresponds to the AAA user account. A locked-out user cannot successfully log in again until the user account is unlocked by the administrator.

    - server-based (uses an external database server resource with RADIUS or TACACS+ protocols).

    AAA Accounting collects and reports usage data so that it can be employed for purposes such as auditing or billing.

    Cisco uses 2 protocols:
    - TACACS+ (Terminal Access Controller Access Control System Plus),
    - RADIUS (Remote Authentication Dial-In User Service).

    TACACS+ is considered the more secure protocol. This is because all TACACS+ protocol exchanges are encrypted; RADIUS only encrypts the user password. It does not encrypt user names, accounting information, or any other information carried in the RADIUS message. TACACS+ is a Cisco enhancement to the original TACACS protocol. Despite its name, TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS.

    TACACS+:

    * Is incompatible with its predecessors TACACS and XTACACS

    * Separates authentication and authorization

    * Encrypts all communication

    * Utilizes TCP port 49.

    RADIUS:

    * Uses RADIUS proxy servers for scalability

    * Combines RADIUS authentication and authorization as one process

    * Encrypts only the password

    * Utilizes UDP (port 1645 or 1812 for authentication and port 1646 or 1813 for accounting)

    * Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)

    RADIUS is widely used by VoIP service providers. RADIUS is also a common authentication protocol that is utilized by the 802.1X security standard. The Diameter protocol is the planned replacement for RADIUS. Diameter uses a new transport protocol called Stream Control Transmission Protocol (SCTP) and TCP instead of UDP.
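The claim above that TACACS+ encrypts the whole exchange while RADIUS hides only the password can be seen directly on the wire. The following Python script is an added example (it is not from these notes and not Cisco code): it builds one RADIUS Access-Request and one TACACS+ authentication START body following the published formats (RFC 2865 section 5.2 for the User-Password attribute, RFC 8907 section 4.5 for the TACACS+ body) and reports which credential fields an observer on the path can read verbatim. The shared secret, the RADIUS Request Authenticator, the TACACS+ session id and the credentials are constructed for the demo.

```python
"""Added example (not part of the original notes): why TACACS+ is described as
encrypting everything while RADIUS protects only the password.

The two routines follow the published wire formats (RFC 2865 section 5.2 for the
RADIUS User-Password attribute, RFC 8907 section 4.5 for the TACACS+ body).
The shared secret, authenticator, session id and credentials below are
constructed for the demo and are not from any real deployment."""
import hashlib
import struct

SHARED_SECRET = b"s3cr3t-key"             # constructed shared secret
REQUEST_AUTHENTICATOR = bytes(range(16))  # constructed 16-byte RADIUS Request Authenticator
TACACS_SESSION_ID = 0x1234ABCD            # constructed TACACS+ session id


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 §5.2: NUL-pad the password to a multiple of 16 bytes, then XOR each
    16-byte chunk with MD5(secret + previous ciphertext chunk); the first chunk
    uses the Request Authenticator in place of a previous chunk."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of radius_hide_password."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(out).rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          authenticator: bytes, ident: int = 1) -> bytes:
    """Minimal Access-Request (code 1) carrying User-Name (type 1) and
    User-Password (type 2). Only the User-Password value is transformed;
    User-Name and every other attribute travel in the clear."""
    def attr(kind: int, value: bytes) -> bytes:
        return struct.pack("!BB", kind, len(value) + 2) + value
    attrs = attr(1, username) + attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def tacacs_authen_start(username: bytes, password: bytes, port: bytes = b"vty0",
                        rem_addr: bytes = b"") -> bytes:
    """TACACS+ authentication START body for a PAP login (RFC 8907 §5.1):
    action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1),
    followed by the four length bytes and the variable-length fields."""
    header = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    return header + username + port + rem_addr + password


def tacacs_plus_crypt(body: bytes, key: bytes, session_id: int,
                      version: int = 0xC0, seq_no: int = 1) -> bytes:
    """RFC 8907 §4.5: XOR the whole packet body with a pseudo-pad built by
    chaining MD5 over (session_id, key, version, seq_no, previous digest).
    XOR is its own inverse, so the same call decrypts."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def compare_exposure(username: bytes, password: bytes) -> dict:
    """Report which credential fields an on-path observer can read verbatim."""
    rad = radius_access_request(username, password, SHARED_SECRET, REQUEST_AUTHENTICATOR)
    tac = tacacs_plus_crypt(tacacs_authen_start(username, password), SHARED_SECRET, TACACS_SESSION_ID)
    return {
        "radius_username_in_clear": username in rad,
        "radius_password_in_clear": password in rad,
        "tacacs_username_in_clear": username in tac,
        "tacacs_password_in_clear": password in tac,
    }


if __name__ == "__main__":
    for field, exposed in compare_exposure(b"admin", b"Pa55word").items():
        print(f"{field:28s} {exposed}")
```

Running it shows the user name readable in the RADIUS packet and nothing readable in the TACACS+ body. Both mechanisms are MD5 keystreams derived from the shared secret, so the quality of that secret and the path between the device and the AAA server still matter for either protocol.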

    AAA syntax

    aaa type {default | list-name} method-1 [method-2 method-3 method-4]

    1) type can be authentication, authorization or accounting.

    2) At least one method must be specified. If an authentication process succeeds but the user is denied, the other methods are checked.

    Possible authentication methods:
    - enable: use the enable password for authentication.
    - group: use the specified server group (group radius / group tacacs+).
    - line: use the line password for authentication.
    - local: use local username authentication.
    - none: no authentication. There will be no login prompt.

    Up to five methods can be specified in the method list (4 for SDM). When used, the list is checked from the first entry to the last entry, but a later entry is consulted only if the previous method fails (timeout or failure).

    Router(config)#aaa authentication ?

    dot1x Set authentication lists for IEEE 802.1x.

    enable Set authentication list for enable.

    login Set authentication lists for logins.

    password-prompt Text to use when prompting for a password

    username-prompt Text to use when prompting for a username

    ...

    Router(config)#aaa authentication login ?


    WORD Named authentication list (max 31 characters, longer will be rejected).

    default The default authentication list.

    Router(config)#aaa authentication login default ?

    enable Use enable password for authentication.

    group Use Server-group

    line Use line password for authentication.

    local Use local username authentication.

    local-case Use case-sensitive local username authentication.

    none NO authentication.

    passwd-expiry enable the login list to provide password aging support

    aaa authentication login default local enable

    ! 1) This list specifies that the local database (running-config) will be used first to look for the username.
    !    If the username isn't in the running-config, it will go to the second method in the list.
    ! 2) The second method, "enable", says that if the user account isn't found in the running-config, the enable secret is used to log in.
    ! This default list will apply to all SSH, Telnet, VTY, AUX and Console sessions unless there is another (different) custom
    ! method list that is created and directly applied to one of those lines.
    !
    ! local - Specifies the local authentication method; accepts a locally configured username, regardless of case.
    ! none - No authentication, everyone permitted.

    ! Activate the Authentication, except for the console port

    aaa authentication login NOTACACS local

    line con 0

    login authentication NOTACACS

    end

    By using the syntax "local none" on the authentication line, those methods are used for the default list, i.e. the local database first; if no user/password entries exist there, no authentication is performed.

    ! Example turns off password validation.

    switch(config)# aaa authentication login default none

    The difference between using the login local command and local AAA authentication for authenticating administrator access:

    Local AAA provides a way to configure backup methods of authentication; login local does not.

    # conf t
    (config)# username ADMIN secret SFEG$T#D45gd

    (config)# aaa new-model
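To see why the backup methods that local AAA offers matter, here is an added Python simulator (not part of these notes and not Cisco code) of how a method list such as `aaa authentication login MY-LIST-1 group tacacs+ local enable` is walked, with the Login Password Retry Lockout counter (`attempts max-fail`) on the local database. The user names, secrets and server reachability are constructed inputs. The walk follows the rule given in these notes: the next method is consulted only when the previous one cannot answer (server unreachable, or the username not present in the local database), while an explicit reject ends the attempt.

```python
"""Added example (not from the original notes): simulates how an IOS
authentication method list is walked, with the Login Password Retry Lockout
counter ('aaa local authentication attempts max-fail N') on the local
database. Users, secrets and server reachability are constructed inputs.
Rule applied: the next method is consulted only when the previous one cannot
answer (server unreachable, or username absent locally); an explicit reject
ends the attempt."""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class LocalDatabase:
    """Stand-in for 'username ... secret ...' entries in the running-config."""
    users: dict                                  # username -> secret
    max_fail: int = 0                            # 0 = lockout not configured
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def check(self, user: str, secret: str, case_sensitive: bool = False) -> str:
        match = [u for u in self.users
                 if (u == user if case_sensitive else u.lower() == user.lower())]
        if not match:
            return ERROR                         # unknown user: try the next method
        name = match[0]
        if name in self.locked:
            return FAIL                          # locked until an admin clears it
        if self.users[name] == secret:
            self.failures[name] = 0
            return PASS
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.max_fail and self.failures[name] >= self.max_fail:
            self.locked.add(name)
        return FAIL


@dataclass
class ServerGroup:
    """Stand-in for 'group tacacs+' / 'group radius'."""
    reachable: bool
    users: dict

    def check(self, user: str, secret: str) -> str:
        if not self.reachable:
            return ERROR                         # timeout: fall through
        return PASS if self.users.get(user) == secret else FAIL


@dataclass
class Router:
    local: LocalDatabase
    enable_secret: str
    groups: dict                                 # "tacacs+" -> ServerGroup

    def run_method(self, method: str, user: str, secret: str) -> str:
        if method == "none":
            return PASS                          # everyone permitted
        if method == "enable":
            return PASS if secret == self.enable_secret else FAIL
        if method in ("local", "local-case"):
            return self.local.check(user, secret, case_sensitive=(method == "local-case"))
        if method.startswith("group "):
            group = self.groups.get(method.split(" ", 1)[1])
            return group.check(user, secret) if group else ERROR
        raise ValueError(f"unknown method {method!r}")

    def login(self, methods: list, user: str, secret: str):
        """Walk the list left to right; returns (outcome, deciding method, trace)."""
        trace = []
        for method in methods:
            result = self.run_method(method, user, secret)
            trace.append((method, result))
            if result != ERROR:
                return result, method, trace
        return FAIL, None, trace                 # every method errored: refused


def parse_method_list(command: str):
    """Parse 'aaa authentication login {default | list-name} method...' into
    (list name, methods); 'group <name>' is one method, one to four allowed."""
    tokens = command.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("expected: aaa authentication login <list> method...")
    name, rest, methods, i = tokens[3], tokens[4:], [], 0
    while i < len(rest):
        if rest[i] == "group" and i + 1 < len(rest):
            methods.append(f"group {rest[i + 1]}")
            i += 2
        else:
            methods.append(rest[i])
            i += 1
    if not 1 <= len(methods) <= 4:
        raise ValueError("a method list takes one to four methods")
    return name, methods


def demo() -> dict:
    """TACACS+ unreachable: the list falls back to local, then to enable;
    three wrong secrets lock the local account so even the right one fails."""
    router = Router(local=LocalDatabase(users={"ADMIN": "SFEG$T#D45gd"}, max_fail=3),
                    enable_secret="cisco",
                    groups={"tacacs+": ServerGroup(reachable=False, users={})})
    _, methods = parse_method_list("aaa authentication login MY-LIST-1 group tacacs+ local enable")
    return {"known_user_good_secret": router.login(methods, "admin", "SFEG$T#D45gd")[:2],
            "unknown_user_enable_secret": router.login(methods, "guest", "cisco")[:2],
            "three_bad_attempts": [router.login(methods, "ADMIN", "bad")[0] for _ in range(3)],
            "good_secret_after_lockout": router.login(methods, "ADMIN", "SFEG$T#D45gd")[:2]}
```

The trace returned by `login` is the part worth reading when a method list behaves unexpectedly: it shows at which method the decision was made, which is exactly what a `login local` line cannot show because it has no list to walk.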


    User authenticated, but the correct authorization commands were not set. Example:

    IS SET: aaa authorization exec default local

    SHOULD BE: aaa authorization exec default group tacacs+ local none

    AAA authorization

    AAA authorization enables you to limit the services available to a user. Default: authorization is disabled for all actions (equivalent to the method keyword none).

    If AAA authorization on a device is not configured, authenticated users are granted full access rights. If an administrator configures the aaa authorization command prior to creating a user with full access rights, the administrator is immediately locked out of the system.

    1) aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method1 [method2...]]

    2) line [aux | console | tty | vty] line-number [ending-line-number]
       or
       interface interface-type interface-number

    Cisco Secure ACS

    Many enterprise-level authentication servers are on the market today, but they lack the ability to combine both the TACACS+ and RADIUS protocols into a single solution. Fortunately, Cisco Secure ACS for Windows Server is a single solution that offers AAA for both TACACS+ and RADIUS. Cisco Secure ACS supports a broad variety of access connections, including wired and wireless LAN, dialup, broadband, content, storage, VoIP, firewalls, and virtual private networks (VPNs). For Cisco Secure ACS the client devices are routers, switches, firewalls or VPN concentrators. Cisco ACS supports authenticating users against a Lightweight Directory Access Protocol (LDAP) directory. A web browser is used to configure a Cisco Secure ACS.

    Well explained in: CCNA Security 640-554 Official Cert Guide

    Install

    Cisco Secure ACS is available as software installed on:
    - a Windows Server (Cisco ACS version 4.x),
    - a Linux appliance (Cisco ACS version 5.x),
    - a 1U, rack-mountable, security-hardened server, such as the ACS Solution Engine (where more than 350 users need to be supported),
    - ACS Express, also a 1U rack-mountable, security-hardened appliance with a pre-installed Cisco Secure ACS Express license (up to 50 devices / up to 350 user logins per 24h).

    NOTE: Cisco ACS 4.x is no longer being sold and might not be supported (link).

    AAA Accounting

    aaa accounting {network | exec | connection} {default | list-name} {start-stop | stop-only | none} [broadcast] method1 ... [method4]

    * network - Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs).
    * exec - Runs accounting for the EXEC shell session.
    * connection - Runs accounting on all outbound connections made from the network access server, such as Telnet or local-area transport (LAT).
    * default - Uses the listed accounting methods that follow this keyword as the default list of methods.
    * list-name - Character string used to name a custom accounting method list.
    * start-stop - Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process.
    * stop-only - Sends a "stop" accounting record for all cases including authentication failures.
    * none - Disables accounting services on a line or interface.
    * broadcast - (Optional) Enables sending accounting records to multiple AAA servers.

    R1(config)# aaa accounting exec start-stop group tacacs+


    The default accounting method list is automatically applied to all interfaces, except those with named accounting method lists.

    Cisco Configuration Professional

    On Windows 7, after installation, to run it you need to:
    - download an older version (10.x) of Flash Player: http://www.adobe.com/support/flashplayer/downloads.html#fp10.3
    - run Cisco Configuration Professional as Administrator,
    - allow ActiveX for this page,
    - disable Internet Explorer plugins that could block content (e.g. AVG...).

    More info: http://docwiki.cisco.com/wiki/Cisco_Configuration_Professional_--_Troubleshooting

    Connect CCP to router (cisco.com): http://www.cisco.com/en/US/products/ps9422/products_configuration_example09186a0080b2f103.shtml

    !

    Router(config)#enable secret cisco

    Router(config)#username username privilege 15 password 0 password

    Router(config)#ip http server

    Router(config)#ip http secure-server

    Router(config)#ip http authentication local

    !

    Router(config)#no aaa new-model

    Router(config)#line vty 0 4

    Router(config-line)#privilege level 15

    Router(config-line)#login local

    Router(config-line)#transport input telnet

    Router(config-line)#transport input telnet ssh

    Router(config-line)#end

    Router#wr

    Enabling AAA with CCP:

    aaa new-model

    aaa authorization exec default local

    aaa authentication login default local

    line vty 0 4

    login authentication default

    authorization exec default

    no privilege level

    exit

    line con 0

    login authentication default

    exit

    Cisco Secure ACS 5.2 (real installation)

    Key Components for Configuring ACS

    Network device groups - Groups of network devices, normally based on routers or switches with similar functions/devices managed by the same administrators.
    Network devices (ACS clients/routers/switches) - The individual network devices that go into the device groups.
    Identity groups (user/admin groups) - Groups of administrators, normally based on users who will need similar rights and access to specific groups of network devices.
    User accounts - Individual administrator/user accounts that are placed in identity groups.
    Authorization profiles - These profiles control what rights are permitted. The profile is associated with a network device group and a user/administrator identity group.

    1) Install Cisco Secure ACS 5.2 (installation guide: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_ins.html)

    sclabs/sc#sh ver

    Cisco Application Deployment Engine OS Release: 1.2

    ADE-OS Build Version: 1.2.0.182

    ADE-OS System Architecture: i386

    Copyright (c) 2005-2009 by Cisco Systems, Inc.

    All rights reserved.

    Hostname: sclabs

    Version information of installed applications


    ---------------------------------------------

    Cisco ACS VERSION INFORMATION

    -----------------------------

    Version : 5.2.0.26

    Internal Build ID : B.3075

    sclabs/sc#sh application status acs

    ACS role: PRIMARY

    Process 'database' running

    Process 'management' running

    Process 'runtime' running

    Process 'view-database' running

    Process 'view-jobmanager' running

    Process 'view-alertmanager' running

    Process 'view-collector' running

    Process 'view-logprocessor' running

    2) Post install procedures (http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/installation/guide/csacs_postins.html):

    Access the ACS URL in your browser, for example https://192.168.1.250/acsadmin
    Username: ACSAdmin, which is the default username. The value is not case-sensitive.
    Password: default, which is the default password. The value is case-sensitive.

    Insert Licence File (Evaluation Licence for 90 days): https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

    AAA Step by Step

    1) Decide what the policy should be (for example, which vty lines should require authentication/authorization, and which methods (ACS, local, none) should be used).
    2) Enable AAA. (# aaa new-model)
    3) Specify the address of an ACS server to use. (tacacs-server host/key)
    4) Create 2 named method lists (one for authentication and another for authorization), based on your policy. Each method list is created in global configuration mode, specifying which methods this list uses, in order, from left to right.
    5) Apply the method lists to the location that should use those methods. In vty line configuration mode, specify the authentication and authorization method lists that you created in the preceding step.

    Example AAA config

    aaa new-model

    tacacs-server host 192.168.1.10 single-connection
    ! single-connection - improves AAA performance (reduces delays in the authorization queries by using persistent TCP sessions)

    tacacs-server key TACACS+s0m3pass0rd

    aaa authentication login MY-LIST-1 group tacacs+ local enable

    aaa authorization commands 1 TAC1 group tacacs+ local

    aaa authorization commands 15 TAC15 group tacacs+ local

    aaa accounting commands 1 TAC-act1 start-stop group tacacs+

    aaa accounting commands 15 TAC-act15 start-stop group tacacs+

    !

    ! The named method lists must be applied to the VTY lines

    line vty 0 4

    login authentication MY-LIST-1

    authorization commands 1 TAC1

    authorization commands 15 TAC15

    accounting commands 1 TAC-act1

    accounting commands 15 TAC-act15

    !

    AAA Cisco basic config

    aaa new-model

    aaa authentication login default group tacacs+ local

    aaa authentication enable default group tacacs+ enable

    aaa authorization config-commands

    aaa authorization exec default group tacacs+ local if-authenticated


    aaa authorization commands 1 default group tacacs+ if-authenticated

    aaa authorization commands 15 default group tacacs+ local if-authenticated

    aaa accounting exec default start-stop group tacacs+

    aaa accounting commands 1 default start-stop group tacacs+

    aaa accounting commands 15 default start-stop group tacacs+

    aaa new-model
    This basically turns on AAA on the router.

    aaa authentication login default group tacacs+ local
    Here we are saying that to authenticate to this router for logins, use the default group, which is tacacs+. If tacacs+ fails, then use the local user account configured on the router. (This is why you always want to make sure you have a local user configured on your router.)

    aaa authentication enable default group tacacs+ enable
    Here we are saying that for enable mode we want to use the default group tacacs+ (notice the local keyword is not used. This is because a locally defined user will have the authorization level they require specified; for example, level 15 will get enable mode).

    aaa authorization config-commands
    This says we want to check with TACACS+ to authorize going into config mode.

    aaa authorization exec default group tacacs+ local if-authenticated
    Notice the "if-authenticated" keyword at the end of this line. This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode. The CLI represents an EXEC shell.

    aaa authorization commands 1 default group tacacs+ if-authenticated
    For best practice, Cisco recommends that authorization be configured for each level of user access to network devices. In this command we are authorizing level 1 users. This would also be the same as non-enable mode. A fallback method should be configured, such as a local user. This also requires the use of tacacs+.

    aaa authorization commands 15 default group tacacs+ local if-authenticated
    Here we are providing authorization for level 15 users against tacacs+. If tacacs+ is not available then the local user account is used. If authenticated, the user will immediately be dropped into exec/enable mode.

    aaa accounting exec default start-stop group tacacs+
    AAA accounting for each level of commands ensures there is accountability for use of privileged commands on the router. Privilege levels range from 1 to 15, with 15 being the highest level. Some organizations may want to implement additional levels of commands where 1 might be a help desk and 15 are network administrators.

    aaa accounting commands 1 default start-stop group tacacs+
    This is an optional command as far as best practices go, but it provides accountability or tracking of user activity even if they have only logged in (not exec/enable).

    aaa accounting commands 15 default start-stop group tacacs+
    This command will provide for accounting of administrators at privilege level 15.
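To check a running-config against the points made in this walk-through, here is an added Python audit script (not from these notes and not Cisco code). It parses the aaa authentication/authorization/accounting lines and flags a missing aaa new-model, server-only method lists with no fallback, `local` relied on without any username configured, `none` in an authentication list, a tacacs+ group with no tacacs-server host, and the absence of a level-15 command accounting list. The two configs are constructed: the first mirrors the basic config above with a local user and TACACS+ server lines added, the second collects the mistakes the notes warn about.

```python
"""Added example (not from the original notes): an audit script that applies
the chapter's AAA best-practice points to an IOS running-config. The two
configs below are constructed for the demo. The checks come from the notes:
aaa new-model must be on, server-based lists need a fallback method, a local
user must exist before 'local' is relied on, 'none' disables authentication,
and level-15 command accounting gives accountability for privileged commands."""

NON_SERVER_METHODS = {"local", "local-case", "enable", "line", "none", "if-authenticated"}
RECORD_TYPES = {"start-stop", "stop-only", "none", "wait-start"}


def parse_methods(tokens: list) -> list:
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa_line(line: str):
    """Return (kind, service, level, list_name, methods) for an
    'aaa authentication|authorization|accounting' command, else None."""
    t = line.split()
    if len(t) < 4 or t[0] != "aaa" or t[1] not in ("authentication", "authorization", "accounting"):
        return None
    kind, service, rest, level = t[1], t[2], t[3:], None
    if service == "commands" and rest and rest[0].isdigit():
        level, rest = int(rest[0]), rest[1:]
    if not rest:
        return None
    list_name, rest = rest[0], rest[1:]
    if kind == "accounting":                 # strip the record type and optional broadcast
        if rest and rest[0] in RECORD_TYPES:
            rest = rest[1:]
        if rest and rest[0] == "broadcast":
            rest = rest[1:]
    return kind, service, level, list_name, parse_methods(rest)


def audit_aaa(config: str) -> list:
    """Return (severity, code, message) findings for an IOS running-config."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.strip().startswith("!")]
    findings = []
    has_user = any(l.startswith("username ") for l in lines)
    has_tacacs_host = any(l.startswith(("tacacs-server host", "tacacs server ")) for l in lines)
    uses_local = uses_tacacs = accounting_15 = False
    if "aaa new-model" not in lines:
        findings.append(("HIGH", "AAA-NEW-MODEL", "aaa new-model missing: AAA method lists are not in effect"))
    for line in lines:
        parsed = parse_aaa_line(line)
        if not parsed:
            continue
        kind, service, level, _, methods = parsed
        server = [m for m in methods if m.startswith("group ")]
        fallback = [m for m in methods if m in NON_SERVER_METHODS]
        uses_tacacs |= any(m.startswith("group tacacs") for m in server)
        uses_local |= bool({"local", "local-case"} & set(methods))
        if kind != "accounting" and server and not fallback:
            findings.append(("MEDIUM", "NO-FALLBACK", f"{line}: server-only list, add a fallback such as local"))
        if kind == "authentication" and "none" in methods:
            findings.append(("HIGH", "AUTH-NONE", f"{line}: 'none' permits everyone without a password"))
        accounting_15 |= kind == "accounting" and service == "commands" and level == 15
    if uses_local and not has_user:
        findings.append(("HIGH", "NO-LOCAL-USER", "local method used but no username configured: lockout risk"))
    if uses_tacacs and not has_tacacs_host:
        findings.append(("MEDIUM", "NO-TACACS-HOST", "group tacacs+ referenced but no tacacs-server host configured"))
    if not accounting_15:
        findings.append(("LOW", "NO-CMD15-ACCT", "no 'aaa accounting commands 15' list: privileged commands not tracked"))
    return findings


# Constructed sample: the chapter's basic config plus the prerequisites it relies on.
GOOD_CONFIG = """\
aaa new-model
username admin secret EXAMPLE-SECRET
tacacs-server host 192.168.1.10 single-connection
tacacs-server key EXAMPLE-TACACS-KEY
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed sample with the mistakes the notes warn about.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login CONSOLE none
aaa authorization exec default local
aaa accounting exec default start-stop group tacacs+
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_aaa(cfg) or "no findings")
```

Feed it the output of `show running-config | include ^aaa|^username|^tacacs` from a device and it reports the same findings; the NO-LOCAL-USER case is the one that locks an administrator out, so it is worth running before the authorization lines are pasted in, not after.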

    Labs

    1) A hands-on lab, Securing Administrative Access Using AAA and RADIUS, allows learners to use CLI and CCP to configure and test local authentication with and without AAA. Centralized authentication using AAA and RADIUS is also explored.
    2) A Packet Tracer activity, Configure AAA Authentication on Cisco Routers, provides learners additional practice implementing the technologies introduced in this chapter. Learners configure local authentication with and without AAA. Server-based AAA authentication is configured with TACACS+ and RADIUS.

    Done:
    - Setup Cisco ACS 5.2 @ ESXi with 90 day trial licence
    - Setup a router with CCP (AAA, SNMP, ACL, NTP, Logging...)
