|
Securing Your Network with AAA | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Terms you'll need to understand
Techniques you'll need to master:
The Cisco Security OptionsCisco provides IOS options and hardware products to help secure your network and make securing the network easier. The router IOS now has a number of security options, such as virtual private network (VPN) capabilities and integration with intrusion detection system (IDS) sensors and the firewall feature set. Each of the different security options is also available as a separate security appliance; typically, an appliance is another piece of hardware designed for a specific task. Some of the different appliances follow:
CiscoSecure ACS and AAAThe feature and product this chapter discusses most is the CiscoSecure ACS. It is available on UNIX and Windows platforms, and is what provides a Cisco network with AAA capabilities. The CiscoSecure ACS has a graphical user interface (GUI) accessible from a Web browser. It is a highly scalable Web-based Java tool that allows multiple administrators to work with it simultaneously. Let's examine the three different AAA services in detail. AuthenticationAuthentication happens before a user is permitted onto the network. It is the ability to identify the user and determine whether he should be allowed. AuthorizationAuthorization is what a user is allowed to do on a network. You can control which protocols and services are permitted. You can also control what system levels and configuration modes the user can reach and what commands are available at that point. AccountingAccounting allows an administrator to keep track of a number of things: the duration of a connection, the amount of traffic transmitted, and the commands entered on a device. ACS ComponentsThe CiscoSecure ACS has three components:
ACS ProtocolsThe two most common AAA protocols are TACACS+ and RADIUS. When a Cisco router communicates with an AAA server, it uses either TACACS+ or RADIUS:
Router Access ModesIt is important to understand that you can put in place AAA controls for traffic passing through a router or traffic destined for the router. Traffic passing through the router is defined as a packet moving from one network to another. Traffic destined for the router is a Telnet session to the router itself. AAA environments are usually in place for two reasons: first, as a method to authenticate dial-in or remote users, and second, as a means to manage an IT team. It is common to find elaborate and complex AAA configurations that only regulate the IT staff. With AAA in place, you no longer need to give an administrator the enable password to any device. She connects to a router, the router prompts her for a username and password, and they are sent to the AAA server. Based on her profile, the administrator obtains access to the device at the appropriate system or configuration levels, and AAA logs a record of everything she does. Based on the two uses, dialing in and managing, the router supports two modes. The two modes are packet mode and character mode. In packet mode, also known as interface mode, the data passes through the router from one network to another through ports, such as asynchronous, Basic Rate Interface (BRI), Primary Rate Interface (PRI), serial, and dialer interfaces. The format of the packet requesting AAA services dictates the type. Packet mode is expressed as Service-Type = Framed-User and Framed-Type In character mode or line mode, the data is destined to the router to a TTY, VTY, AUX, or CON port, most likely for configuration and maintenance reasons. The format of a packet for character mode is Service-Type = Exec-User AAA OperationTo enable AAA on the router, go to configuration mode and simply enter Router(config)#aaa new-model Specify the protocol and location of the AAA server with one of the following lines: tacacs-server host ip-address [single-connection] radius-server host ip-address The host ip-address specifies the IP address of the AAA TACACS or RADIUS server, and the single-connection option only available with TACACS specifies that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). The single-connection option does give better performance, but it is not the default. The last command to get AAA up and running configures the shared password between the router and the AAA server. The passwords are case-sensitive: tacacs-server key key radius-server key key A complete example looks something like this: Router(config)#aaa new-model Router(config)#tacacs-server host 192.168.1.100 single-connection Router(config)#tacacs-server key MyPassWord AAA Authentication Commandsaaa authentication login specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define: aaa authentication login {default | list-name} group _{group-name | radius | tacacs+} [method 2...3...4] Using the name default means its settings are applied to all lines (console, VTY, TTY, and so on) and interfaces (async, serial, Ethernet, and so on) unless you define and use another name. A unique list name overrides the default and its settings when applied to a specific line or interface. The group parameter has three options: a group-name, radius, or tacacs+. If you use either tacacs+ or radius, the router uses all those types of servers that you configured using the tacacs/radius-server host ip-address command, or you can build a custom group and call it with its group name. The other methods are used if the method before it has an error. One other method of special note is none with the option that if all others fail, you are authenticated. All the different authentication methods appear in Table 3.1. Table 3.1 AAA Authentication Methods
Here is a working example of two different authentication settings: Router(config)#aaa authentication login default group tacacs+ local Router(config)#aaa authentication login fallback group tacacs+ enable Router(config)#line vty 0 4 Router(config-line)#login authentication fallback The first command builds the default list. It tries to authenticate to all TACACS servers configured, and if it receives no response, it uses the next configured setting for authenticationin this example, the local username database. The second command creates a list called fallback. It checks the TACACS servers, and if it receives no response, it uses the enable password. The third and fourth commands apply the fallback list to the five VTY lines, 0 through 4. TIP A trick question here is to ask what authentication settings are in use for Line Console 0; the answer is the default list. Remember that once a default list is built, it applies to all interfaces and lines unless overridden by an explicit assignment as you saw on the VTY ports. Another feature worth pointing out is that when you turn on authentication using the default group, it is applied to all interfaces. You will find yourself locked out of the router if you have not finished setting up your authentication sources and you log out or your session times out. AAA Authorization CommandsOnce a user is authenticated, you can set parameters that restrict the user's access on the network using the aaa authorization command. The authorization commands have the same look and feel as the authentication command: aaa authorization {network | exec | commands level | reverse-access} _{default | list-name} [method 2...3...4] Table 3.2 lists the four areas of control where you can grant specific authorization. Table 3.2 AAA Authorization Command
Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. There are a number of ways in which a user can be authenticated; Table 3.3 lists the options for the AAA authorization command. Table 3.3 AAA Authorization Methods
For authorization, let's take a look at two different examples: one for character mode and the other for packet mode. Remember, in character mode, you are usually securing the router itself: Router(config)#aaa authorization exec default group tacacs+ none In this example, a user must be authorized by a TACACS+ server before he can gain access to an EXEC shell or prompt. If the TACACS+ servers are unreachable, then the user is automatically granted access because of the none option at the end. This method is used mainly for administrators who still have physical access to the device. Let's examine a packet-level example: Router(config)#aaa authorization network checkem group tacacs+ if-authenticated Router(config)#int serial 0 Router(config-if)#ppp authorization checkem The first command determines whether a user is allowed to make a packet-level connection. It built a list called checkem that looks to the TACACS+ servers first; if the servers are down, it allows access if the user has been authenticated. The last command applies the checkem list to PPP services on Serial 0. AAA Accounting CommandsAccounting allows you to track individual and group usage of network resources. When AAA accounting is activated, the router logs user activity to the TACACS+ or RADIUS server. You can then analyze this data for network management, client billing, security, or auditing. The accounting command looks like this: aaa accounting {system | network | exec | connection | commands level} _{default | list-name} {start-stop | wait-start | stop-only | none} _ [method 2...3...4] The aaa accounting command is unlike the authorization and authentication commands that have two halves. Accounting has three parts: what service or services you want to audit (see Table 3.4), which events trigger it, and where to send the information. Table 3.4 AAA Accounting Command
Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. Also worth mentioning is that the aaa accounting system command is the only command that doesn't apply to packet or character mode. The different events that you can use for accounting appear in Table 3.5. Table 3.5 AAA Accounting Events
Then, the accounting command indicates for which server groups the information is recorded and logged. Table 3.6 lists accounting methods for server groups. Table 3.6 AAA Accounting Methods
Let's look at an example of the aaa accounting command. Here we use the command twice to set up accounting for two different events: Router(config)#aaa accounting connection default start-stop group tacacs+ Router(config)#aaa accounting commands 15 default start-stop group tacacs+ The first command monitors any Telnet, rlogin, or other outbound connections, such as when they start and stop, and logs the information to the AAA servers configured under TACACS+. The second command turns on accounting for privilege Level 15 commands, which is enable mode, and logs their use to the TACACS servers. You can also use Level 1 for user mode access. Exam Prep QuestionsQuestion 1What are the three components of the CiscoSecure ACS?
Answers A, B, and D are correct. The three components are the AAA server, typically a TACACS+ or RADIUS server; the AAA client, such as a router or switch; and the user database, which is typically housed on the AAA server. Answer C is incorrect because VPN is not part of the CiscoSecure ACS. Question 2What does AAA stand for?
Answers B, D, and E are correct. AAA stands for authentication, authorization, and accounting. Answers A and C are not part of AAA. Question 3Which command starts AAA on a Cisco router?
Answer B is correct. Answer A, aaa-server, starts the AAA process, but it does so on a PIX Firewall, so it is incorrect. The aaa new-model is not the most intuitive command, but it starts AAA on a router. Answers C and D are incorrect and do not work. Question 4What are the two most common AAA protocols?
Answers B and C are correct. Answer A, TCP/IP, is certainly a well used protocol, and is in fact used by TACACS+, but it is not an AAA protocol. Answer D is not an AAA protocol. Question 5What are three characteristics of RADIUS?
Answers B, C, and E are correct. RADIUS is an open standard developed by the IETF; it uses UDP/IP and is only able to encrypt passwords. Answers A and D describe TACACS+; it is Cisco proprietary, uses TCP/IP, and encrypts all the data. Question 6Which ports are used in character mode? (Choose three.)
Answers B, D, and E are correct. Character mode is for data destined to the router. Serial 2/0, Answer A, and BRI, Answer C, represent interfaces; packets would travel into, out of, and through those interfaces. VTY, AUX, CON, and TTY typically represent character-mode ports. Question 7Which aaa accounting keyword monitors outbound Telnet traffic?
Answer A is correct. You use the keyword connection for all outbound connections. You use Answer B, start-stop, to record when a service or connection starts and stops, not just Telnet. Answer C is incorrect; network is for auditing service requests such as SLIP and PPP. There is no telnet keyword with accounting, so Answer D is wrong. Question 8How do you set an encryption key of CISCO for your RADIUS server?
Answer D is correct. Answer A would be valid if the question was about a TACACS server. Answer B is made up and is incorrect. Answer C would create a local account called RADIUS with a password of CISCO, so it is also a wrong answer. Question 9What command would you enter to set up authentication on your router to query the TACACS servers and, if unable to communicate to the servers, authenticate from the enable password?
Answer C is correct; it tries TACACS first and then uses the enable password. All four of the commands are valid in some circumstances. Answer A is wrong because it goes to a RADIUS server. Answer B uses the local database if the TACACS server is down, so it is incorrect. Answer D is incorrect because it allows access if the TACACS server is unavailable because of the none option. Question 10If you enable aaa authentication login default and do nothing else, what happens?
Answer C is correct. Remember that when authentication is configured with the default option, it is applied everywhere. When you disconnect or your session times out, you cannot log in to your router. The router wants to authenticate you before allowing you access, and there is no way configured for the router to do that. You will be locked out. Answer A is incorrect because it does not use a guest account by default. Answer B is the exact opposite of the right answer; it is applied everywhere as soon as authentication is enabled. Answer D is wrong because each of the services is independent of the other. Need to Know More?There is a huge amount of material on the Cisco Web site about AAA and the CiscoSecure ACS. The online documentation has a number of examples and different configurations. The Cisco IOS Security Configuration Guide discusses AAA at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm. The Cisco IOS Security Command Reference discusses AAA at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/faaacr/index.htm. |
|