Beruflich Dokumente
Kultur Dokumente
AAA network security services provide the primary framework to set up access
control on a network device. AAA is a way to control who is permitted to access
a network (authenticate), what they can do while they are there (authorize),
and to audit what actions they performed while accessing the network
(accounting). It provides a higher degree of scalability than the con, aux, vty
and privileged EXEC authentication commands alone.
Network and administrative AAA security in the Cisco environment has several
functional components:
Authentication - Users and administrators must prove that they are who they
say they are. Authentication can be established using username and password
combinations, challenge and response questions, token cards, and other
methods. For example: "I am user 'student'. I know the password to prove that I
am user 'student'."
Authorization - After the user is authenticated, authorization services determine
which resources the user can access and which operations the user is allowed
to perform. An example is "User 'student' can access host serverXYZ using
Telnet only."
Accounting and auditing - Accounting records what the user does, including
what is accessed, the amount of time the resource is accessed, and any
changes that were made. Accounting keeps track of how network resources are
used. An example is "User 'student' accessed host serverXYZ using Telnet for
15 minutes."
This concept is similar to the use of a credit card. The credit card identifies who
can use it, how much that user can spend, and keeps account of what items
the user spent money on.
With the exception of accounting commands, all AAA commands apply to both
character mode and packet mode. This topic focuses on securing character
mode access. For a truly secure network, it is important to also configure the
router for secure administrative access and remote LAN network access using
AAA services as well. Cisco provides two common methods of implementing
AAA services.
Local AAA Authentication
Local AAA uses a local database for authentication. This method stores
usernames and passwords locally in the Cisco router, and users authenticate
against the local database. This database is the same one required for
establishing role-based CLI. Local AAA is ideal for small networks.
Server-Based AAA Authentication
The server-based method uses an external database server resource that
leverages RADIUS or TACACS+ protocols. Examples include Cisco Secure
Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution
Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based
AAA is more appropriate.
Access Methods
Access Type
Modes
Routes Ports
Remote
administrative
access
Character Mode
provides user and
privileged EXEC
access
Packet Mode
provides access
to network
resources
Remote network
access
Common AAA
Commands
Login, exec, and
enable
commands
PPP and network
commands
Local AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local
database and the user is authorized to access the network based on
information in the local database.
Server-Based AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA
server.
4. The user is authorized to access the network based on information on the
remote AAA Server.
AAA Authorization
After users are successfully authenticated against the selected AAA data
source (local or server-based), they are then authorized for specific network
resources. Authorization is basically what a user can and cannot do on the
network after that user is authenticated, similar to how privilege levels and
role-based CLI give users specific rights and privileges to certain commands on
the router.
1. When a user has been authenticated, a session is established with the AAA
server.
2. The router requests authorization for the requested service from the AAA
server.
3. The AAA server returns a PASS/FAIL for authorization.
AAA Accounting
Accounting collects and reports usage data so that it can be employed for
purposes such as auditing or billing. The collected data might include the start
and stop connection times, executed commands, number of packets, and
number of bytes.
Accounting is implemented using a AAA server-based solution. This service
reports usage statistics back to the ACS server. These statistics can be
extracted to create detailed reports about the configuration of the network.
One widely deployed use of accounting is combining it with AAA authentication
for managing access to internetworking devices by network administrative
staff. Accounting provides more security than just authentication. The AAA
servers keep a detailed log of exactly what the authenticated user does on the
device. This includes all EXEC and configuration commands issued by the user.
The log contains numerous data fields, including the username, the date and
time, and the actual command that was entered by the user. This information is
useful when troubleshooting devices. It also provides leverage against
individuals who perform malicious actions.
Accounting Steps
1. When a user has been authenticated, the AAA accounting process generates
a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded and the accounting
process ends.
AAA Accounting Functions
Network accounting
Network accounting captures information for
all Point-to-Point Protocol (PPP), Serial Line
Internet Protocol (SLIP), or Apple Remote
Access Protocol (ARAP) sessions, including
packet and byte counts.
Connection
Connection accounting captures information
accounting
about all outbound connections made from
the AAA client, such as Telnet, local-area
transport (LAT), TN3270, packet
assembler/disassembler (PAD), and rlogin.
EXEC accounting
EXEC accounting captures information about
user EXEC terminal sessions (user shells) on
the network access server, including
System accounting
Command accounting
Resource accounting
Command
default
list-name
method1...
[method4]
Method Type
Keywords
enable
krb5
krb5-telnet
line
local
local-case
none
cache group-name
group radius
group tacacs+
group group-name
Description
Uses the listed authentication methods that follow this
keyword as the default list of methods when a user logs
in.
Character string used to name the list of authentication
methods activated when a user logs in.
Identifies the list of methods that the AAA authentication
process will query in the given sequence. At least one
method must be specified. A maximum of four methods
may be specified.
Description
Uses the enable password for authentication.
Uses Kerberos 5 for authentication.
Uses Kerberos 5 Telnet authentication protocol when
using Telnet to connect to the router.
Uses the line password for authentication.
Uses the local username database for authentication.
Uses case-sensitive local username authentication.
Uses no authentication.
Uses a cache server group for authentication.
Uses the list of all RADIUS servers for authentication.
Uses the list of all TACACS+ servers for authentication.
Uses a subset of RADIUS or TACACS+ servers for
authentication as defined by the aaa group server
Additional security can be implemented on the line using the aaa local
authentication attempts max-fail number-of-unsuccessful-attempts command
in global configuration mode. This command secures AAA user accounts by
locking out accounts that have excessive failed attempts. To remove the
number of unsuccessful attempts that was set, use the no form of this
command.
To display a list of all locked-out users, use the show aaa local user lockout
command in privileged EXEC mode. Use the clear aaa local user lockout
{username username | all} command in privileged EXEC mode to unlock a
specific user or to unlock all locked users.
The aaa local authentication attempts max-fail command differs from the login
delay command in how it handles failed attempts. The aaa local authentication
attempts max-fail command locks the user account if the authentication fails.
This account stays locked until it is cleared by an administrator. The login delay
command introduces a delay between failed login attempts without locking the
account.
When a user logs into a Cisco router and uses AAA, a unique ID is assigned to
the session. Throughout the life of the session, various attributes that are
related to the session are collected and stored internally within the AAA
database. These attributes can include the IP address of the user, the protocol
that is used to access the router, such as PPP or Serial Line Internet Protocol
(SLIP), the speed of the connection, and the number of packets or bytes that
are received or transmitted.
To display the attributes that are collected for a AAA session, use the show aaa
user {all | unique id} command in privileged EXEC mode. This command does
not provide information for all users who are logged into a device, but only for
those who have been authenticated or authorized using AAA or whose sessions
are being accounted for by the AAA module.
The show aaa sessions command can be used to show the unique ID of a
session.
Configure Lockout
Command
number-of-unsuccessful-attempts
Description
Number of unsuccessful
authentication attempts before a
connection is dropped and the user
account is locked.
The first task when using CCP to configure AAA services for local authentication
is to create users:
Step 1. Choose Configure > Router > Router Access > User Accounts/View.
Step 2. Click Add to add a new user.
Step 3. In the Add an Account window, enter the username and password in the
appropriate fields to define the user account.
Step 4. From the Privilege Level drop-down list, choose 15, unless there are
lesser privilege levels defined.
Step 5. If views have been defined, check the Associate a View with the user
check box and choose a view from the View Name list that is associated with a
user.
Step 6. Click OK.
The CLI command that CCP generates is username AAAadmin privilege 15
secret 5 $1$f16u$uKOO6J/UnojZ0bCEzgnQi1 view root.
The Cisco Secure ACS family of products supports both Terminal Access Control
Access Control Server Plus (TACACS+) and Remote Authentication Dial-In User
Services (RADIUS) protocols, which are the two predominant protocols used by
Cisco security appliances, routers, and switches for implementing AAA.
While both protocols can be used to communicate between client and AAA
servers, TACACS+ is considered the more secure protocol. This is because all
TACACS + protocol exchanges are encrypted; RADIUS only encrypts the user
password. It does not encrypt user names, accounting information, or any other
information carried in the RADIUS message.
Functionality
Standard
Transport Protocol
CHAP
Protocol Support
Confidentiality
Customization
Accounting
TACACS+
Separates AAA
according to the AAA
architecture, allowing
modularity of the
security server
implementation
Mostly Cisco supported
TCP
Bidirectional challenge
and response as used in
Challenge Handshake
Authentication Protocol
(CHAP)
Multiprotocol support
Entire packet encrypted
Provides authorization
of router commands on
a per-user or per-group
basis
Limited
RADIUS
Combines
authentication and
authorization but
separates accounting,
allowing less flexibility
in implementation than
TACACS+
Open/RFC standard
UDP
Unidirectional challenge
and response from the
RADIUS security server
to the RADIUS client
No ARA, no NetBEUI
Password encrypted
Has no option to
authorize router
commands on a peruser or per-group basis
Extensive
Cisco Secure ACS can authenticate users against an internal Cisco Secure user
database, or it can be configured to leverage external databases that can be
centrally managed. This centralizes the control of all user privileges and
distributes them to access points throughout the network. Cisco Secure ACS
provides detailed reporting and monitoring capabilities of user behavior, access
connections, and device configuration changes. This feature is extremely
important for organizations trying to comply with various government
regulations. Cisco Secure ACS supports a broad variety of access connections,
including wired and wireless LAN, dialup, broadband, content, storage, VoIP,
firewalls, and virtual private networks (VPNs).
Cisco Secure ACS provides a variety of advanced features:
Cisco Secure ACS is a core component of the Cisco TrustSec solution. Cisco
TrustSec is deployed in either an 802.1X infrastructure-based approach or a
NAC appliance-based approach.
In the 802.1X infrastructure-based TrustSec approach, the Cisco ACS is the
policy server which authenticates users connecting to the network. ACS offers
central management of access policies for device administration and for
wireless and wired 802.1X network access scenarios. Cisco ACS supports both
RADIUS and TACACS+ protocols for authentication, authorization and
accounting. It is a next-generation network identity and access solution that
serves as an administration point and decision point for policy-based access
control.
In the NAC appliance-based TrustSec approach the Cisco NAC Manager is the
policy server that works with the Cisco NAC Server to authenticate users and
their devices over wired, wireless, and VPN connections. Both approaches can
include the Cisco NAC Profiler and the Cisco NAC Guest Server to enhance
policy-based access control for employees and guests. Cisco TrustSec
integrates with the Cisco SecureX architecture to allow the Cisco security
portfolio to use network-based identity context for full context-aware firewalling
and policy enforcement.
Cisco Secure ACS has many high-performance and scalability features:
http://www.cisco.com/c/en/us/support/security/secure-access-control-serverwindows/products-release-notes-list.html
http://www.cisco.com/c/en/us/support/security/secure-access-control-serverwindows/products-installation-guides-list.html
http://www.cisco.com/c/en/us/products/cloud-systems-management/secureaccess-control-server-express/index.html
3.3.4 Configuring Cisco Secure ACS
Before installing the Cisco Secure ACS, it is important to prepare the server.
Third-party software requirements and the network and port requirements of
the server and AAA devices must be considered.
Third-Party Software Requirements
Software products that are mentioned in the release notes are supported for
interoperability by Cisco. Support for interoperability issues with software
products that are not mentioned in the release notes might be difficult to
attain. The most recent version of the Cisco Secure ACS release notes are
posted on Cisco.com.
Keep in mind that in the Cisco Secure ACS application, a client is a router,
switch, firewall, or VPN concentrator that uses the services of the server.
Network and Port Prerequisites
The network should meet specified requirements before administrators begin
deploying Cisco Secure ACS:
For full TACACS+ and RADIUS support on Cisco IOS devices, AAA clients
must run Cisco IOS Release 11.2 or later.
Cisco devices that are not Cisco IOS AAA clients must be configured with
TACACS+, RADIUS, or both.
Dial-in, VPN, or wireless clients must be able to connect to the applicable
AAA clients. The computer running Cisco Secure ACS must be able to
reach all AAA clients using ping.
Gateway devices between the Cisco Secure ACS and other network
devices must permit communication over the ports that are needed to
support the applicable feature or protocol.
A supported web browser must be installed on the computer running
Cisco Secure ACS. For the most recent information about tested
browsers, see the release notes for the Cisco Secure ACS product on
Cisco.com.
All NICs in the computer running Cisco Secure ACS must be enabled. If
there is a disabled network card on the computer running Cisco Secure
ACS, installing Cisco Secure ACS might proceed slowly because of delays
caused by the Microsoft CryptoAPI.
After successfully installing Cisco Secure ACS, some initial configuration must
be performed. The only way to configure a Cisco Secure ACS server is through
an HTML interface.
To access the Cisco Secure ACS HTML interface from the computer that is
running Cisco Secure ACS, use the Cisco Secure icon labeled ACS Admin that
appears on the desktop. Alternatively, enter the following URL into a supported
web browser: http://127.0.0.1:2002.
The Cisco Secure ACS can also be accessed remotely after an administrator
user account is configured. To remotely access the Cisco Secure ACS, enter
http://ip_address[hostname]:2002. After the initial connection, a different port
is dynamically negotiated.
The home page of the Cisco Secure ACS contains a navigation bar with buttons
that represent functions that can be configured:
User Setup
Group Setup
Shared Profile Components
Network Configuration
System Configuration
Interface Configuration
Administration Control
External User Databases
Posture Validation
Button titles may vary between versions. If the RADIUS options are not
displayed, the AAA client that uses the RADIUS protocol must be added.
Additionally, the interface configuration is directly affected by the settings in
the network configuration.
Secure ACS uses for that user. It is for this reason that it is recommended that
there be only one instance of a username in all the external databases.
To establish an external user database connection, you must access the
External User Databases page.
When configuring the ACS external databases, there are three major
configuration options:
The Windows database configuration has more parameters than the other
external database configurations. Because Cisco Secure ACS is native to the
Windows operating system, administrators can configure additional
functionality on the Windows External User Database Configuration pane.
Administrators can gain more control over who is able to authenticate to the
network, as well as configuring Dialin Permissions.
In the Dialin Permission section, check the Verify That "Grant dialin permissions
to user" setting has been enabled from within the Windows Users Manager for
users configured for Windows User Database authentication check box. Also
make sure that the Grant Dial-in Permissions check box is checked in the
Windows profile within Windows Users Manager. The Dialin Permissions option
of Cisco Secure ACS applies to more than just the dialup connections. If a user
has this option enabled, it applies to any access that user tries to make.
Another option that can be configured using the Windows external database is
mapping databases to domains. Mapping allows an administrator to have the
same username across different domains, all with different passwords.
The External User Database configuration page can be used to configure the
unknown user policy, by selecting the Unknown User Policy link.
When configuring the unknown user policy, the database must be selected
from the External Databases list and placed into the Selected Databases list.
This must be done for each database that Cisco Secure ACS is to use when
attempting to authenticate unknown users. The order in which the external
databases are listed is the same order in which Cisco Secure ACS checks the
selected external databases when attempting to authenticate an unknown
user.
Adding a user account and configuring user access is a critical task for Cisco
Secure ACS. The steps to configure user access vary between different ACS
versions, but all occur from the User Setup page. In the Edit pane, enter data in
the fields to define the user account. Some fields typically configured are the
user password fields, TACACS+ enable control, TACACS+ enable password, and
TACACS+ shell authorized commands.
Step 1. From the CCP home page, choose Configure > Router > AAA > AAA
Servers and Groups > Servers.
Step 2. From the AAA Servers pane, click Add. The Add AAA Server window
appears. Choose TACACS+ from the Server Type list box.
Step 3. Enter the IP address or host name of the AAA server in the Server IP or
Host field. If the router has not been configured to use a DNS server, enter a
DNS server IP address.
Step 4. The router can be configured to maintain a single open connection to
the TACACS+ server rather than opening and closing a TCP connection each
time it communicates with the server. To do so, check the Single connection to
server(for CiscoSecure) check box.
Step 5. To override AAA server global settings and specify a server-specific
timeout value in the Server-Specific Setup section, enter a value in the Timeout
(seconds) field. This field determines how long the router waits for a response
from this server before going on to the next server in the group list. If a value is
not entered, the router uses the value that is configured in the AAA Servers
Global Settings window. The default setting is five seconds.
Step 6. To configure a server-specific key, check the Configure Key check box
and enter the key that is used to encrypt traffic between the router and this
server in the New Key field. Re-enter the key in the Confirm Key field for
confirmation. If this option is not checked and a value is not entered, the router
uses the value that was configured in the AAA Servers Global Settings window.
Step 7. Click OK.
An example CLI command that CCP would generate based on a TACACS+
server at IP address 10.0.1.1 and key TACACS+Pa55w0rd is tacacs-server host
10.0.1.1 key TACACS+Pa55w0rd.
After AAA is enabled and the TACACS+ servers are configured, the router can
be configured to use the Cisco Secure ACS server to authenticate user access
to the router. To configure the router to use the Cisco Secure ACS server for
login authentication, a user-defined (or custom) authentication method list
must be created, or the default method list must be edited. Keep in mind, the
default method list is automatically applied to all interfaces and lines, except
those that have a user-defined method list explicitly applied. The administrator
can use CCP to configure a user-defined authentication login method list:
Step 1. From the CCP home page, choose Configure > Router > AAA >
Authentication Policies > Login.
Step 2. From the Authentication Login pane, click Add.
Step 3. To create a new authentication login method, choose User Defined from
the Name drop-down list.
Step 4. Enter the authentication login method list name in the Specify field, for
example TACACS_SERVER.
Step 5. Click Add to define the methods that this policy uses. The Select
Method List(s) for Authentication Login window appears.
After the authentication login method lists are created, apply the lists to lines
and interfaces on the router.
CCP can be used to apply an authentication policy to a router line:
Step 1. Choose Configure > Router > Router Access > VTY.
Step 2. From the VTY Lines window, click the Edit button to make changes to
the vty lines. The Edit VTY Lines window appears.
Step 3. From the Authentication Policy list box, choose the authentication policy
to apply to the vty lines. For example, applying the authentication policy
named TACACS_SERVER to vty lines 0 through 4 results in the login
authentication TACACS_SERVER CLI command.
The CLI can also be used to apply an authentication policy to lines or interfaces
with the login authentication {default | list-name} command in line
configuration mode or interface configuration mode.
Two other very useful server-based AAA troubleshooting commands include the
debug tacacs and debug radius commands. These commands can be used to
provide more detailed AAA debugging information. To disable debugging
output, use the no form of these commands.
Similar to the debug aaa authentication command, the debug tacacs also
indicates status messages of PASS or FAIL.
To see all TACACS+ messages use the debug tacacs command. To narrow the
results and display information from the TACACS+ helper process, use the
debug tacacs events command in privileged EXEC mode. The debug tacacs
events command displays the opening and closing of a TCP connection to a
TACACS+ server, the bytes read and written over the connection, and the TCP
status of the connection. Use the debug tacacs events command with caution,
because it can generate a substantial amount of output. To disable debugging
output, use the no form of this command.
While authentication is concerned with ensuring that the device or end user is
legitimate, authorization is concerned with allowing and disallowing
authenticated users access to certain areas and programs on the network.
The TACACS+ protocol allows the separation of authentication from
authorization. A router can be configured to restrict the user to performing only
certain functions after successful authentication. Authorization can be
configured for both character mode (exec authorization) and packet mode
(network authorization). Keep in mind that RADIUS does not separate the
authentication from the authorization process.
Another important aspect of authorization is the ability to control user access
to specific services. Controlling access to configuration commands greatly
simplifies the infrastructure security in large enterprise networks. Per-user
permissions on the Cisco Secure ACS simplify network device configuration.
For example, an authorized user can be permitted to access the show version
command but not the configure terminal command. The router queries the ACS
for permission to execute the commands on behalf of the user. When the user
issues the show version command, the ACS sends an ACCEPT response. If the
user issues a configure terminal command, the ACS sends a REJECT response.
By default, TACACS+ establishes a new TCP session for every authorization
request, which can lead to delays when users enter commands. Cisco Secure
ACS supports persistent TCP sessions to improve performance.
When AAA authorization is not enabled, all users are allowed full access. After
authentication is started, the default changes to allow no access. This means
that the administrator must create a user with full access rights before
authorization is enabled. Failure to do so immediately locks the administrator
out of the system the moment the aaa authorization command is entered. The
only way to recover from this is to reboot the router. If this is a production
router, rebooting might be unacceptable. Be sure that at least one user always
has full rights.
To configure the router to use the Cisco Secure ACS server for authorization,
create a user-defined (or custom) authorization method list or edit the default
authorization method list. The default authorization method list is automatically
applied to all interfaces except those that have a user-defined authorization
method list explicitly applied. A user-defined authorization method list
overrides the default authorization method list. CCP can be used to configure
the default authorization method list for character mode (exec) access:
Step 1. From the CCP home page, choose Configure > Router > AAA >
Authorization Policies > EXEC Command Mode.
Step 2. From the Exec Authorization pane, select the default list and click Edit.
Step 3. From the Edit a Method List for Exec Authorization window, click Add to
define the methods that this policy uses.
Step 4. From the Select Method List(s) for Exec Authorization window, choose
group tacacs+ from the method list.
Step 5. Click OK to return to the Edit a Method List for Exec Authorization
window.
Step 6. Click OK to return to the Exec Authorization pane.
The resulting CLI command that CCP generates is aaa authorization exec
default group tacacs+.
CCP can also be used to configure the default authorization method list for
packet mode (network):
Step 1. From the CCP home page, choose Configure > Router > AAA >
Authorization Policies > Network.
Step 2. From the Network Authorization pane, click Add.
Step 3. From the Add a Method List for Network Authorization window, choose
Default from the Name drop-down list.
Step 4. Click Add to define the methods that this policy uses.
Step 5. From the Select Method List(s) for Network Authorization window,
choose group tacacs+ from the method list.
Step 6. Click OK to return to the Add a Method List for Network Authorization
window.
Step 7. Click OK to return to the Network Authorization pane.
The resulting CLI command that CCP generates is aaa authorization network
default group tacacs+.
Default - Uses the listed accounting methods that follow this keyword as
the default list of methods.
List-name - Character string used to name a custom accounting method
list.
Start-stop - Sends a "start" accounting notice at the beginning of a
process and a "stop" accounting notice at the end of a process.
Stop-only - Sends a "stop" accounting record for all cases including
authentication failures.
None - Disables accounting services on a line or interface.
Broadcast - (Optional) Enables sending accounting records to multiple
AAA servers.
AAA controls who is allowed to connect to the network, what they are allowed
to do, and keeps records of what was done.
The Cisco Access Control Server (ACS) can be used to provide AAA
server services.