Terms you'll need to understand

• CiscoSecure Access Control Server (ACS)

• Authentication, authorization, and accounting (AAA)

• Terminal Access Controller Access Control System (TACACS)

• Remote Authentication Dial-In User Service (RADIUS)

• Packet mode

• Character mode

Techniques you'll need to master:

• Starting the AAA process on a router

• Configuring AAA addresses and passwords

• Enabling authentication

• Enabling authorization

• Enabling accounting

• Understanding the AAA commands

The Cisco Security Options

Cisco provides IOS options and hardware products to help secure your network and make securing the network easier. The router IOS now has a number of security options, such as virtual private network (VPN) capabilities and integration with intrusion detection system (IDS) sensors and the firewall feature set.

Each of the different security options is also available as a separate security appliance; typically, an appliance is another piece of hardware designed for a specific task. Some of the different appliances follow:

• VPN concentrators and hardware clients—An appliance designed specifically for encryption and decryption to offload the work from routers, servers, workstations, and other infrastructure devices.

• IDSs—Available to examine traffic passing along the wire looking for known signatures of attacks as well as other anomalies. One IDS option is an add-on card for the 6500 catalyst switch, a separate appliance for critical servers, known as a host-based IDS.

• PIX Firewall—The PIX Firewall uses its own proprietary operating system, featuring a stateful packet-inspecting system based on the Adaptive Security Algorithm (ASA), cut-through proxy, hot standby, and failover capabilities.

CiscoSecure ACS and AAA

The feature and product this chapter discusses most is the CiscoSecure ACS. It is available on UNIX and Windows platforms, and is what provides a Cisco network with AAA capabilities. The CiscoSecure ACS has a graphical user interface (GUI) accessible from a Web browser. It is a highly scalable Web-based Java tool that allows multiple administrators to work with it simultaneously. Let's examine the three different AAA services in detail.

Authentication

Authentication happens before a user is permitted onto the network. It is the ability to identify the user and determine whether he should be allowed.

Authorization

Authorization is what a user is allowed to do on a network. You can control which protocols and services are permitted. You can also control what system levels and configuration modes the user can reach and what commands are available at that point.

Accounting

Accounting allows an administrator to keep track of a number of things: the duration of a connection, the amount of traffic transmitted, and the commands entered on a device.

ACS Components

The CiscoSecure ACS has three components:

• AAA clients—Makes requests and communicates with the AAA server, sending usernames and other parameters.

• AAA server—Receives authentication requests from the clients, compares them to a database, authorizes the client, and begins accounting tasks.

• User or accounts database—Can be Open Database Connectivity (ODBC), Lightweight Directory Access Protocol (LDAP), Novell Directory Services (NDS), or Windows NT, 2000, or 2003. It allows an administrator to easily manage users and groups with different levels of permissions.

ACS Protocols

The two most common AAA protocols are TACACS+ and RADIUS. When a Cisco router communicates with an AAA server, it uses either TACACS+ or RADIUS:

• TACACS+ is a Cisco proprietary protocol for use with the CiscoSecure ACS. It uses TCP/IP, encrypts all data, and allows multiple levels of authorization, and can use other methods of authentication, such as Kerberos.

• RADIUS is an open Internet Engineering Task Force (IETF) standard; it uses User Datagram Protocol (UDP) and encrypts only passwords. It also combines authentication and authorization as a single service; it is not separated as TACACS+ is.

Router Access Modes

It is important to understand that you can put in place AAA controls for traffic passing through a router or traffic destined for the router. Traffic passing through the router is defined as a packet moving from one network to another. Traffic destined for the router is a Telnet session to the router itself. AAA environments are usually in place for two reasons: first, as a method to authenticate dial-in or remote users, and second, as a means to manage an IT team. It is common to find elaborate and complex AAA configurations that only regulate the IT staff. With AAA in place, you no longer need to give an administrator the enable password to any device. She connects to a router, the router prompts her for a username and password, and they are sent to the AAA server. Based on her profile, the administrator obtains access to the device at the appropriate system or configuration levels, and AAA logs a record of everything she does.

Based on the two uses, dialing in and managing, the router supports two modes. The two modes are packet mode and character mode. In packet mode, also known as interface mode, the data passes through the router from one network to another through ports, such as asynchronous, Basic Rate Interface (BRI), Primary Rate Interface (PRI), serial, and dialer interfaces. The format of the packet requesting AAA services dictates the type. Packet mode is expressed as

Service-Type = Framed-User and Framed-Type

In character mode or line mode, the data is destined to the router to a TTY, VTY, AUX, or CON port, most likely for configuration and maintenance reasons. The format of a packet for character mode is

Service-Type = Exec-User

AAA Operation

To enable AAA on the router, go to configuration mode and simply enter

Router(config)#aaa new-model

Specify the protocol and location of the AAA server with one of the following lines:

tacacs-server host ip-address [single-connection]
radius-server host ip-address

The host ip-address specifies the IP address of the AAA TACACS or RADIUS server, and the single-connection option only available with TACACS specifies that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). The single-connection option does give better performance, but it is not the default.

The last command to get AAA up and running configures the shared password between the router and the AAA server. The passwords are case-sensitive:

tacacs-server key key
radius-server key key

A complete example looks something like this:

Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.1.100 single-connection
Router(config)#tacacs-server key MyPassWord

AAA Authentication Commands

aaa authentication login specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define:

aaa authentication login {default | list-name} group 
_{group-name | radius | tacacs+} [method 2...3...4]

Using the name default means its settings are applied to all lines (console, VTY, TTY, and so on) and interfaces (async, serial, Ethernet, and so on) unless you define and use another name. A unique list name overrides the default and its settings when applied to a specific line or interface.

The group parameter has three options: a group-name, radius, or tacacs+. If you use either tacacs+ or radius, the router uses all those types of servers that you configured using the tacacs/radius-server host ip-address command, or you can build a custom group and call it with its group name. The other methods are used if the method before it has an error. One other method of special note is none with the option that if all others fail, you are authenticated. All the different authentication methods appear in Table 3.1.

Table 3.1 AAA Authentication Methods

Here is a working example of two different authentication settings:

Router(config)#aaa authentication login default group tacacs+ local
Router(config)#aaa authentication login fallback group tacacs+ enable
Router(config)#line vty 0 4
Router(config-line)#login authentication fallback

The first command builds the default list. It tries to authenticate to all TACACS servers configured, and if it receives no response, it uses the next configured setting for authentication—in this example, the local username database.

The second command creates a list called fallback. It checks the TACACS servers, and if it receives no response, it uses the enable password.

The third and fourth commands apply the fallback list to the five VTY lines, 0 through 4.

AAA Authorization Commands

Once a user is authenticated, you can set parameters that restrict the user's access on the network using the aaa authorization command. The authorization commands have the same look and feel as the authentication command:

aaa authorization {network | exec | commands level | reverse-access} 
_{default | list-name} [method 2...3...4]

Table 3.2 lists the four areas of control where you can grant specific authorization.

Table 3.2 AAA Authorization Command

Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. There are a number of ways in which a user can be authenticated; Table 3.3 lists the options for the AAA authorization command.

Table 3.3 AAA Authorization Methods

For authorization, let's take a look at two different examples: one for character mode and the other for packet mode. Remember, in character mode, you are usually securing the router itself:

Router(config)#aaa authorization exec default group tacacs+ none

In this example, a user must be authorized by a TACACS+ server before he can gain access to an EXEC shell or prompt. If the TACACS+ servers are unreachable, then the user is automatically granted access because of the none option at the end. This method is used mainly for administrators who still have physical access to the device.

Let's examine a packet-level example:

Router(config)#aaa authorization network checkem group tacacs+ if-authenticated
Router(config)#int serial 0
Router(config-if)#ppp authorization checkem

The first command determines whether a user is allowed to make a packet-level connection. It built a list called checkem that looks to the TACACS+ servers first; if the servers are down, it allows access if the user has been authenticated. The last command applies the checkem list to PPP services on Serial 0.

AAA Accounting Commands

Accounting allows you to track individual and group usage of network resources. When AAA accounting is activated, the router logs user activity to the TACACS+ or RADIUS server. You can then analyze this data for network management, client billing, security, or auditing. The accounting command looks like this:

aaa accounting {system | network | exec | connection | commands level} 
_{default | list-name} {start-stop | wait-start | stop-only | none} 
_ [method 2...3...4]

The aaa accounting command is unlike the authorization and authentication commands that have two halves. Accounting has three parts: what service or services you want to audit (see Table 3.4), which events trigger it, and where to send the information.

Table 3.4 AAA Accounting Command

Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. Also worth mentioning is that the aaa accounting system command is the only command that doesn't apply to packet or character mode. The different events that you can use for accounting appear in Table 3.5.

Table 3.5 AAA Accounting Events

Then, the accounting command indicates for which server groups the information is recorded and logged. Table 3.6 lists accounting methods for server groups.

Table 3.6 AAA Accounting Methods

Let's look at an example of the aaa accounting command. Here we use the command twice to set up accounting for two different events:

Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+

The first command monitors any Telnet, rlogin, or other outbound connections, such as when they start and stop, and logs the information to the AAA servers configured under TACACS+.

The second command turns on accounting for privilege Level 15 commands, which is enable mode, and logs their use to the TACACS servers. You can also use Level 1 for user mode access.

Exam Prep Questions

Question 1

What are the three components of the CiscoSecure ACS?

1. AAA server

2. User database

3. VPN

4. AAA client

Answers A, B, and D are correct. The three components are the AAA server, typically a TACACS+ or RADIUS server; the AAA client, such as a router or switch; and the user database, which is typically housed on the AAA server. Answer C is incorrect because VPN is not part of the CiscoSecure ACS.

Question 2

What does AAA stand for?

1. Authority

2. Authorization

3. Auditing

4. Authentication

5. Accounting

Answers B, D, and E are correct. AAA stands for authentication, authorization, and accounting. Answers A and C are not part of AAA.

Question 3

Which command starts AAA on a Cisco router?

1. aaa-server

2. aaa new-model

3. tacacs

4. aaa tacacs-server

Answer B is correct. Answer A, aaa-server, starts the AAA process, but it does so on a PIX Firewall, so it is incorrect. The aaa new-model is not the most intuitive command, but it starts AAA on a router. Answers C and D are incorrect and do not work.

Question 4

What are the two most common AAA protocols?

1. TCP/IP

2. RADIUS

3. TACACS+

4. PPP

Answers B and C are correct. Answer A, TCP/IP, is certainly a well used protocol, and is in fact used by TACACS+, but it is not an AAA protocol. Answer D is not an AAA protocol.

Question 5

What are three characteristics of RADIUS?

1. Proprietary

2. Developed by the IETF

3. Encrypts passwords only

4. Uses TCP/IP

5. Uses UDP/IP

Answers B, C, and E are correct. RADIUS is an open standard developed by the IETF; it uses UDP/IP and is only able to encrypt passwords. Answers A and D describe TACACS+; it is Cisco proprietary, uses TCP/IP, and encrypts all the data.

Question 6

Which ports are used in character mode? (Choose three.)

1. Serial 2/0

2. AUX

3. BRI

4. CON 0

5. VTY

Answers B, D, and E are correct. Character mode is for data destined to the router. Serial 2/0, Answer A, and BRI, Answer C, represent interfaces; packets would travel into, out of, and through those interfaces. VTY, AUX, CON, and TTY typically represent character-mode ports.

Question 7

Which aaa accounting keyword monitors outbound Telnet traffic?

1. connection

2. start-stop

3. network

4. telnet

Answer A is correct. You use the keyword connection for all outbound connections. You use Answer B, start-stop, to record when a service or connection starts and stops, not just Telnet. Answer C is incorrect; network is for auditing service requests such as SLIP and PPP. There is no telnet keyword with accounting, so Answer D is wrong.

Question 8

How do you set an encryption key of CISCO for your RADIUS server?

1. tacas-server key CISCO

2. aaa-server CISCO

3. username RADIUS password CISCO

4. radius-server key CISCO

Answer D is correct. Answer A would be valid if the question was about a TACACS server. Answer B is made up and is incorrect. Answer C would create a local account called RADIUS with a password of CISCO, so it is also a wrong answer.

Question 9

What command would you enter to set up authentication on your router to query the TACACS servers and, if unable to communicate to the servers, authenticate from the enable password?

1. aaa authentication login default group radius enable

2. aaa authentication login default group tacacs+ local

3. aaa authentication login default group tacacs+ enable

4. aaa authentication login default group tacacs+ none

Answer C is correct; it tries TACACS first and then uses the enable password. All four of the commands are valid in some circumstances. Answer A is wrong because it goes to a RADIUS server. Answer B uses the local database if the TACACS server is down, so it is incorrect. Answer D is incorrect because it allows access if the TACACS server is unavailable because of the none option.

Question 10

If you enable aaa authentication login default and do nothing else, what happens?

1. The TACACS server will use a guest account.

2. Nothing, because authentication has not been applied anywhere yet.

3. When your session times out, you are locked out from the router.

4. You need to set up authorization and accounting before any settings go into effect.

Answer C is correct. Remember that when authentication is configured with the default option, it is applied everywhere. When you disconnect or your session times out, you cannot log in to your router. The router wants to authenticate you before allowing you access, and there is no way configured for the router to do that. You will be locked out. Answer A is incorrect because it does not use a guest account by default. Answer B is the exact opposite of the right answer; it is applied everywhere as soon as authentication is enabled. Answer D is wrong because each of the services is independent of the other.

Need to Know More?

There is a huge amount of material on the Cisco Web site about AAA and the CiscoSecure ACS. The online documentation has a number of examples and different configurations.

The Cisco IOS Security Configuration Guide discusses AAA at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fsaaa/index.htm.

The Cisco IOS Security Command Reference discusses AAA at http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_r/faaacr/index.htm.