© 2008 cisco systems, inc. all rights reserved.presentation_id 1 chapter 3: authentication,...

© 2008 Cisco Systems, Inc. All rights reserved.Presentation_ID 1

Chapter 3: Authentication, Authorization, and Accounting

CCNA-Security

Presentation_ID 2© 2008 Cisco Systems, Inc. All rights reserved.

Chapter 3: ObjectivesIn this chapter you will:

Describe the importance of AAA as it relates to authentication, authorization, and accounting.

Describe the characteristics of AAA.

Configure AAA authentication, using the CLI, to validate users against a local database.

Configure AAA authentication, using CCP, to validate users against a local database.

Troubleshoot AAA authentication that validates users against a local database.

Describe the benefits of server-based AAA.

Compare the TACACS+ and RADIUS authentication protocols.

Describe the features of Cisco Secure ACS for Windows.

Configure Cisco Secure ACS as a TACACS+ server.

Configure Cisco Secure ACS users and groups.

Configure server-based AAA authentication, using the CLI, on Cisco routers.

Configure server-based AAA authentication, using CCP, on Cisco routers.

Troubleshoot server-based AAA authentication using Cisco Secure ACS.

Configure server-based AAA authorization using Cisco Secure ACS.

Configure server-based AAA accounting using Cisco Secure ACS.


Chapter 3

3.0 Introduction

3.1 Purpose of AAA

3.2 Local AAA Authentication

3.3 Server-Based AAA

3.4 Server-Based AAA Authentication

3.5 Server-Based AAA Authorizing and Accounting

3.6 Summary


3.1 Purpose of AAA


AAA Overview

Authentication without AAA Many types of authentication methods can be performed on a

Cisco device, and each method offers varying levels of security.

The simplest form of authentication is passwords.

Password-only logins are very vulnerable to brute-force attacks, and do not provide accountability.

The local database method provides additional security, because an attacker is required to know a username and a password. It also provides more accountability, because the username is recorded when a user logs in.

A better solution is to have all devices refer to the same database of usernames and passwords from a central server.


AAA Overview

AAA ComponentsNetwork and administrative AAA security in the Cisco environment has several functional components:

Authentication- Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.

Authorization- After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.

Accounting and auditing- Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.


AAA Characteristics

Authentication ModesAAA can be used to authenticate users for administrative access or to authenticate users for remote network access. These two access methods use different modes to request AAA services.

Local AAA Authentication - Uses a local database for authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database.

Server-Based AAA Authentication - The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols.


AAA Characteristics

AuthorizationAuthorization is what a user can and cannot do on the network after that user is authenticated.


AAA Characteristics

AccountingAccounting collects and reports usage data so that it can be employed for purposes such as auditing or billing.


3.2 Local AAA Authorization


Configuring Local AAA Authentication with CLI

Authenticating Administrative Access The Local AAA Authentication method is similar to using the login

local command with one exception. AAA also provides a way to configure backup methods of authentication.

Configuring local AAA services to authenticate administrator access (character mode access) requires a few basic steps:

Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.

Step 2. Enable AAA globally on the router.

Step 3. Configure AAA parameters on the router.

Step 4. Confirm and troubleshoot the AAA configuration.



Authentication Methods To enable AAA, use the aaa new-model global configuration mode

command.

To configure authentication on vty ports, asynchronous lines (tty), the auxiliary port, or the console port, define a named list of authentication methods and then apply that list to the various interfaces.

To define a named list of authentication methods, use the aaa authentication login command.



Authentication Methods Cont. To configure authentication, define a named list of authentication methods,

and then apply that list to the various interfaces.

To define a named list of authentication methods, use the aaa authentication login command.

To enable local authentication using a preconfigured local database, use the local or local-case (case-sensitive) keyword.

To specify that a user can authenticate using the enable password, use the enable keyword.

A minimum of one method and a maximum of four methods can be specified for a single method list. When a user attempts to log in, the first method listed is used.



Default and Named Methods The defined list of authentication methods must be applied to specific

interfaces or lines. Different method lists can be applied to different interfaces and lines.

To enable a specific list name, use the login authentication list-name command in line configuration mode.

The option also exists to configure a default list name. When AAA is first enabled, the default method list named “default” is automatically applied to all interfaces and lines, but it has no authentication methods defined.

To assign multiple authentication methods to the default list, use the command aaa authentication login default method1...[method2].



Refine the Authentication Configuration Additional security can be implemented on the line using the aaa local authentication attempts max-fail number-of-unsuccessful-attempts command in global configuration mode.

This command secures AAA user accounts by locking out accounts that have excessive failed attempts.

To show locked out users


Configuring Local AAA Authentication with CCP

Enable AAA Using CCP To verify the AAA configuration and to enable or disable AAA, click

Configure > Router > AAA > AAA Summary.

If AAA is currently disabled, click Enable AAA.


Configuring Local AAA Authentication with CCP

Add User AccountsThe first task when using CCP to configure AAA services for local authentication is to create users:

Step 1. Click Configure >Router >Router Access > User Accounts/View.

Step 2. Click Add to add a new user.

Step 3. In the Add an Account window, enter the username and password in the respective fields.

Step 4. From the Privilege Level drop-down list, choose 15, unless there are lesser privilege levels defined.

Step 5. If views have been defined, click the Associate a View with the user check box and select a view from the View Name list associated with a user.

Step 6. Click OK.


Troubleshooting Local AAA Authentication

Debug Options The debug aaa

authentication command is instrumental when troubleshooting AAA problems.

Look specifically for GETUSER and GETPASS status messages. These messages are helpful when identifying which method list is referenced.


3.3 Server-Based AAA


Server-Based AAA Characteristics

Comparing Local and Server-Based AAA

Local implementations of AAA do not scale well. To solve this challenge, one or more AAA servers, can be used to manage the user and administrative access needs for an entire corporate network.


Server-Based AAA Characteristics

Introducing Cisco Secure Access Control Server

The Cisco Secure ACS family of products supports both Terminal Access Control Access Control Server Plus (TACACS+) and Remote Authentication Dial-In User Services (RADIUS) protocols.


Server-Based AAA Communication Protocols

Introducing TACACS+ and RADIUS

TACACS+ and RADIUS are both authentication protocols with different capabilities and functionality.



TACACS+ AuthenticationTACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.

TACACS+ offers multiprotocol support. TACACS+ operation encrypts the entire body of the packet. TACACS+ utilizes TCP port 49.



RADIUS AuthenticationRADIUS is an open IETF standard AAA protocol for applications such as network access or IP mobility. RADIUS works in both local and roaming situations, and is

commonly used for accounting purposes. RADIUS hides passwords during transmission. RADIUS combines authentication and authorization as one process. RADIUS is widely used by VoIP service providers.


Cisco Secure ACS

TACACS+ and RADIUS with Cisco Secure ACS

Cisco Secure ACS for Windows Server is a single solution that offers AAA for both TACACS+ and RADIUS, and the following benefits: Extends access security by combining authentication, user access,

and administrator access with policy control within a centralized identity networking solution.

Allows greater flexibility and mobility, increased security, and user-productivity gains.

Enforces a uniform security policy for all users, regardless of how they access the network.

Reduces the administrative and management burden when scaling user and network administrator access to the network.


Cisco Secure ACS

Cisco Secure ACS FeaturesCisco Secure ACS provides a variety of advanced features: Automatic service monitoring Database synchronization and

importing of tools for large-scale deployments

Lightweight Directory Access Protocol (LDAP) user authentication support

User and administrative access reporting

Restrictions to network access based on criteria such as the time of day and the day of week

User and device group profiles


Cisco Secure ACS

Cisco Secure ACS As a TrustSec ComponentCisco Secure ACS is a core component of the Cisco TrustSec solution. TrustSec includes the following Access Control products: Cisco Network Admission Control (NAC) Cisco NAC Guest Server Cisco NAC Profiler Cisco Secure ACS

The Cisco TrustSec solution offers two deployment options to address various customer needs and use cases: ACS 802.1X-Based Infrastructure solution NAC Appliance-Based Overlay solution


Cisco Secure ACS

Cisco Secure ACS High Performance and ScalabilityCisco Secure ACS has many high-performance and scalability features: Ease of use - A web-based user interface simplifies and distributes the

configuration.

Scalability - Cisco Secure ACS is built to provide large networked environments with support for redundant servers, remote databases, and database replication and backup services.

Extensibility - LDAP authentication forwarding supports the authentication of user profiles that are stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.

Management - Microsoft Windows Active Directory support.

Administration - Different access levels for each Cisco Secure ACS administrator and the ability to group network devices together.

Product flexibility - Can be used across virtually any network access server that Cisco sells.


Configuring Cisco Secure ACS

Software and Network Requirements The network should meet specified requirements before administrators begin deploying Cisco Secure ACS: Cisco devices that are not Cisco IOS AAA clients must be configured with

TACACS+, RADIUS, or both.

Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA clients.

The computer running Cisco Secure ACS must be able to reach all AAA clients using ping.

Gateway devices between the Cisco Secure ACS and other network devices must permit communication over the ports that are needed to support the applicable feature or protocol.

A supported web browser must be installed on the computer running Cisco Secure ACS.

All NICs in the computer running Cisco Secure ACS must be enabled.



Cisco Secure ACS Homepage



Adding Cisco Secure ACS Clients The specific steps to add and configure a client varies between different ACS versions, but is done through the Network Configuration page (4.x) or the Network Resources page (5.x) by clicking Add Entry.



Adding Cisco Secure ACS Clients Cont.The User Data Configuration link on the Interface Configuration page enables administrators to customize the fields that appear in the user setup and configuration windows.



Cisco Secure ACS Databases Cisco Secure ACS can be configured to forward

authentication of users to one or more external user databases.

Support for external user databases means that Cisco Secure ACS does not require duplicate user entries to be created in the Cisco Secure user database.

To establish an external user database connection, you must access the External User Databases page.



Cisco Secure ACS Databases Cont.When configuring the ACS external databases, there are three major options:

Unknown User Policy - Configures the authentication procedure for users that are not located in the Cisco Secure ACS database.

Database Group Mappings - Configures what group privileges external database users inherit when Cisco Secure ACS authenticates them. In most cases, the actual privileges are drawn from Cisco Secure ACS and not the external database.

Database Configuration - Defines the external servers that Cisco Secure ACS works with.



Cisco Secure ACS Databases Cont.


Configuring Cisco Secure ACS Users and Groups

Cisco Secure ACS User Database Setup When Cisco Secure ACS is configured to communicate with an

external user database, it can be configured to authenticate users in one of two ways:

By specific user assignment - Authenticate specific users with an external user database.

By unknown user policy - Use an external database to authenticate users not found in the Cisco Secure user database. This method does not require administrators to define users in the Cisco Secure user database.

The External User Database configuration page can be used to configure the unknown user policy, by clicking the Unknown User Policy link.

When configuring the unknown user policy, the database must be selected from the External Databases list and moved into the Selected Databases list. This must be done for each database that Cisco Secure ACS is to use.



Cisco Secure ACS Group Setup Due to the potential need for different authorizations,

database group mappings can be used to place users that are authenticated by the Windows server in one group and users that are authenticated by the LDAP server in another group.

Database group mappings enable an administrator to map an authentication server (i.e., LDAP, Windows, ODBC, etc.) to a group that has been configured in Cisco Secure ACS.

One option that can be configured in a group setup is per group command authorization, which authorizes which router commands the users in a group can execute.



Cisco Secure ACS User SetupAdd a user account and configure user access from the User Setup page.


3.4 Server-Based AAA Authentication


Configuring Server-Based AAA Authentication

Configuring Server-Based AAA Authentication with CLI

Server-based AAA must identify various TACACS+ and RADIUS servers that the AAA service should consult when authenticating and authorizing users.


Configuring Server-Based AAA AuthenticationConfiguring the CLI for TACACS+ and RADIUS Servers

Globally enable AAA by using the aaa new-model command.

Configure a TACACS+ Server and Encryption Key

• Use the tacacs-server host ip-address single-connection command to configure a TACACS+ server.

• Use the tacacs-server key key command to configure the shared secret key.


Configuring Server-Based AAA AuthenticationConfiguring the CLI for TACACS+ and RADIUS Servers Cont.

Configure a RADIUS Server and Encryption Key

• Use the radius-server host ip-address command.

• To configure the shared secret key, use the radius-server key key command.

Configure Authentication to Use the AAA Server - Use the aaa authentication login default group radius group tacacs+ local-case command.


Configuring Server-Based AAA AuthenticationConfiguring the CLI for TACACS+ and RADIUS Servers Cont.

Sample Configuration


Configuring Server-Based AAA Authentication with CCPConfiguring the CCP for TACACS+

If using CCP for TACACS+, specify a list of available Cisco Secure ACS servers that provide TACACS+ services for the router.Step 1. From the CCP home page, click Configure >Router > AAA > AAA Servers and

Groups > Servers.


Configuring Server-Based AAA Authentication with CCPConfiguring the CCP for TACACS+ Cont.

Step 2. From the AAA Servers pane, click Add, the Add AAA Server window appears. Choose TACACS+

Step 3. Enter the IP address or host name of the AAA server in the Server IP or Hostfield. If the router has not been configured to use a DNS server, enter a DNS server IP address.

Step 4. The router can be configured to maintain a single open connection to the TACACS+ server. Check the Single connection to server

(for CiscoSecure) check box.

Step 5. To override AAA server global settings and specify a server-specific timeout value in the Server-Specific Setup section, enter a value

in the Timeout (seconds) field.

Step 6. To configure a server-specific key, check the Configure Key check box and enter the key that is used to encrypt traffic between the

router and this server in the New Key field. Re-enter the key in the Confirm Key field for confirmation.

Step 7. Click OK.


Configuring Server-Based AAA Authentication with CCP

Configuring Method Lists for CCP To configure the router to use the Cisco Secure ACS server for login

authentication, a user-defined (or custom) authentication method list must be created, or the default method list must be edited.

The administrator can use CCP to configure a user-defined authentication login method list.


Configuring Server-Based AAA Authentication with CCPConfiguring Lines with Method Lists Using CCP

After the authentication login method lists are created, CCP can be used to apply an authentication policy to a router line:

Step 1. Click Configure > Router > Router Access > VTY.

Step 2. From the VTY Lines window, click the Edit button to

make changes to the vty lines.

Step 3. From the Authentication Policy list box, choose the

authentication policy to apply to the vty lines.

e.

The CLI can also be used to apply an authentication policy to lines or interfaces with the login authentication{default | list-name} command in line configuration mode or interface configuration mode.


Troubleshooting Server-Based AAA Authentication Traffic

Monitoring Authentication TrafficOther debugging Commands

• debug radius and debug tacacs

• debug tacacs events


3.5 Server-Based AAA Authorization and Accounting


Configuring Server-Based AAA Authorization

Introduction to Server-Based AAA Authorization Authorization allows and disallows authenticated users access to

certain areas and programs on the network.

The TACACS+ protocol allows the separation of authentication from authorization.

A router can be configured to restrict the user to performing only certain functions after successful authentication.

Authorization can be configured for both character mode (exec authorization) and packet mode (network authorization).



AAA Authorization TypesAuthorization Method Lists

AAA Authorization Example



AAA Authorization Fundamentals with CCP CCP can be used to configure the default authorization method list for

character mode (exec) access.

From the CCP home page, Configure > Router > AAA > Authorization Policies > EXEC Command Mode.



AAA Authorization Methods with CCP CCP can also be used to configure the default authorization method list for

packet mode (network).

From the CCP home page, click Configure > Router > AAA > Authorization Policies > Network.


Configuring Server-Based AAA Accounting

Introduction to Server-Based AAA Accounting Companies often must track resources that individuals or groups use.

AAA accounting enables usage tracking, such as dial-in access, to log the data gathered to a database, and to produce reports on the data gathered.

One security issue (addressed by accounting) is the creation of a user list and the time of day a user dialed into the system.

Another reason to implement accounting is to create a list of changes occurring on the network, the user that made the changes, and the exact nature of the changes.


Configuring Server-Based AAA Accounting

AAA Accounting Configuration with CLIAccounting Methods Lists

AAA Accounting Example


3.6 Summary


Chapter 3

Summary The AAA protocol provides a scalable framework for enabling

administrative access.

AAA controls who is allowed to connect to the network, what they are allowed to do, and tracks records of what was done.

In small or simple networks, AAA authentication can be implemented using the local database.

In larger or complex networks, AAA authentication should be implemented using server-based AAA.

AAA servers can use RADIUS or TACACS+ protocols to communicate with client routers.

The Cisco ACS can be used to provide AAA server services.

Local AAA and server-based AAA authentication can be configured using the CLI or CCP.

© 2008 cisco systems, inc. all rights reserved.presentation_id 1 chapter 3: authentication,...

Documents

cisco systems

cisco environment

cisco router

local aaa authorization

local aaa services

local aaa authentication3

serverbased aaa authorizing

administrative aaa security