acls & aaa - cursuri automatica si...
TRANSCRIPT
ACLs&AAA
27‐oct‐2009
Whatthislectureisabout:
Trafficfilteringwithaccesslists Understandingaccesslists Configuringaccesslists
AAA Adifferentapproachtosecurity
ExplainingthosethreeA’s
2
Trafficfiltering Analyzethecontentsofapacket Allowofblockthepacket MakeadecisionbasedonMACorIPaddresses,protocolsorapplicaNontype
3
Devicesprovidingtrafficfiltering Firewallsbuiltintodedicatedrouters Dedicatedsecurityappliances Servers
4
Trafficfilteringexample PacketscomingfromnetworkAornetworkB.
5
Whatisanaccesslist? AsequenNallistofinstrucNons. TheseinstrucNonstelltherouterwhichpacketstoSELECT.
IfyounowaliXlebitaboutaccesslists,youmightsay: “Whyselect?Accesslistspermitordenytraffic!”
IfyouknowaliXlemoreaboutaccesslists,youwon’tcommentanything
6
Sowhatdoesanaccesslistdo? Anaccesscontrollist(ACL)selectstrafficbasedonspecificparameters.
TheeffectoftheACLisdictatedbythewayitisused.
Forexample: Ifappliedtoaninterface,anACLspecifieswhichtrafficispermiXedordenied.
Ifappliedtoavty,anACLspecifieswhocanTelnettoarouter.
Ifusedwithafirewall,itspecifieswhichtrafficwillbeinspected.
IfusedwithaVPNtunnel,itspecifieswhichisthe“interesNngtraffic”thatwillgetencryptedinthetunnel.
InQoSimplementaNons,ACLsareusedtoselectprioritytraffic
7
Thedownside? Moreprocessingmeansincreasedlatencyoverthenetwork. TherouterhastocheckeverypacketagainstthecorrespondingACLontheinterface
Higherloadontherouter’sprocessor LessprocessingNmeavailableforotherservicesandforrouNngitself.
8
ACLscenarioexample
9
GeneralstuffaboutACLs AlltheentriesinanACLsharethesamesyntax. TheACLisalwaysreadfromtoptoboXom
Sotheorderofitsstatementsisimportant
PacketsarecheckedagainstallstatementsunNlamatchisfound.
Assoonasapacketmatchesastatement,allsubsequentstatementswillnotbecheckedanymore. Thematchedstatementsays“permit”or“deny”
Thereisanimplicit“denyany”statementattheendofeachACL. IfapacketdoesnotmatchanyACLentries,itisautomaNcallydropped.
10
ACLdecisionprocess(inboundinterface)
11
RouterbehaviourwithACLs1. Framearrivesonrouter’sinterface
2. Checkifthelayer2addressmatches[otherwisedrop]3. IsthereanACLontheinterface?[ifnot,skipthisstep]
1. Ifyes,isthereamatchoninboundtheACL?
2. IfpermiXed,isthepacketdesNnedtotherouteritself?
3. Ifnot,shouldthepacketbeforwardedtoanotherinterface?
4. Ifyes,isthereanACLontheoutboundinterface?[ifnot,simplyforward]
1. Ifyes,inthereamatchontheoutboundACL?
2. IfitispermiXed,sendittothenextdevice.
12
FilteringtrafficwithACLs Firstofall,createtheACL.
ACLsarestoredintherouter’sconfiguraNonfile.
ApplytheACLtoarouterinterfaceinordertomakeitfilterpakets. Packetsthatmatcha“permit”statementwillbeprocessedbytherouter.
Packetsthatmatcha“deny”statementwillbediscarded.
ACLsDONOTfiltertrafficoriginatedwithintherouteritself(pings,traceroutes,telnets…)
13
HowmanyACLs? YoucanhaveONEACLforEVERY:
Interface(Serial,FastEthenetetc)
DirecNon(in/out) Routedprotocoltobefiltered(IP,AppleTalk,IPX)
14
BasicACLtypes NumberedACLsareidenNfiedbyanumber
Standard
Extended
NamedACLs(recommended)areidenNfiedbyacharacterstring Standard Extended
15
StandardACLs StandardACLsallowyoutopermitordenytrafficfromcertainsourceIPaddresses.
ThedesNnaNonortheportnumbersarenotinvolved.
ExampleofastandardACL:R1(config)#access-list 1 permit 192.168.2.0 0.0.0.255 R1(config)#access-list 1 permit host 192.168.100.1
ThisaccesslistwillallowtrafficfortheenNre192.168.2.0/24networkANDforthe192.168.100.1host.
Allothertrafficwillbedenied.Why?
16
Analyzingtheexample ExampleofastandardACL:
R1(config)#access-list 1 permit 192.168.2.0 0.0.0.255 R1(config)#access-list 1 permit host 192.168.100.1
Each“access‐list”commandaddsanotherentry. ThegeneralsyntaxfordefiningastandardACLis:
access‐listnumberpermit/denysource_addresswildcard_mask
EntrieswiththesamenumberbelongtothesameACL StatementsarestoredintheACLintheordertheyareentered.
AllowednumbersforstandardACLs: 1‐99 1300‐1999
17
Wildcardmasks InACLs,sourceaddressesaredefinedusingasubnetaddressandawildcardmask.
Thewildcardmasktellstherouterhowmuchofthepacket’ssourceIPaddressesneedstomatch.
Wildcardmaskbitsmean: 1:don’tcare
0:match
Forexample,tomatchallpacketscomingfromthenetwork172.16.12.0/24,youcanusethefollowingstatement:
R1(config)#access-list 5 permit 172.16.12.0 0.0.0.255
Unlikenetworkmasks,wildcardbitscanbedisconNnuous. Forexample,awildcardmaskof0.7.128.0isallowed.
18
Wildcardmaskexample
19
Wildcardmaskkeywords The“host”and“any”keywordsfacilitateenteringthewildcardmasksforhostsandnetworks.
The“host”opNonsubsNtutesforthe“0.0.0.0”mask.ThismaskstatesthatallIPaddressbitsmustmatch,soonlyonehostcanmatch.
The“any”opNonsubsNtutesfortheIPaddressandthe255.255.255.255mask.ThemasksaystoignoretheenNreIPaddress,soanysourceaddresswillmatch.
20
Wildcardmaskkeywordsexamples Example1:
access-list 10 permit 192.168.10.10 0.0.0.0
Isequivalenttoaccess-list 10 permit host 192.168.10.10
Example2:access-list 20 permit 0.0.0.0 255.255.255.255
Isequivalenttoaccess-list 20 permit any
21
Rangeswithwildcardmasks(1)
22
172.30.16.0 10101100 . 00011110 . 00010000 . 00000000 0.0.15.255 00000000 . 00000000 . 00001111 . 11111111 ----------------------------------------- 172.30.16.0 10101100 . 00011110 . 00010000 . 00000000 172.30.16.1 10101100 . 00011110 . 00010000 . 00000001 through . . . 172.30.31.254 10101100 . 00011110 . 00011111 . 11111110 172.30.31.255 10101100 . 00011110 . 00011111 . 11111115
Match subnets 172.30.16.0 to 172.30.31.0 access-list 20 permit 172.30.16.0 0.0.15.255
Must match
Rangeswithwildcardmasks(2)
23
Any Value 172.30.16.0 10101100 . 00011110 . 00010000 . 00000000 0.0.15.255 00000000 . 00000000 . 00001111 . 11111111 ----------------------------------------- 172.30.16.0 10101100 . 00011110 . 00010000 . 00000000 172.30.16.1 10101100 . 00011110 . 00010000 . 00000001 through . . . 172.30.31.254 10101100 . 00011110 . 00011111 . 11111110 172.30.31.255 10101100 . 00011110 . 00011111 . 11111115
Match subnets 172.30.16.0 to 172.30.31.0 access-list 20 permit 172.30.16.0 0.0.15.255
Rangeswithwildcardmasks(3)
24
Match subnets 172.30.16.0 to 172.30.31.0 access-list 20 permit 172.30.16.0 0.0.15.255
172.30.16.0 10101100 . 00011110 . 00010000 . 00000000 0.0.15.255 00000000 . 00000000 . 00001111 . 11111111 ----------------------------------------- 172.30.16.0 10101100 . 00011110 . 00010000 . 00000000 172.30.16.1 10101100 . 00011110 . 00010000 . 00000001 through . . . 172.30.31.254 10101100 . 00011110 . 00011111 . 11111110 172.30.31.255 10101100 . 00011110 . 00011111 . 11111111
Any Value Must match
ExtendedACLs CanfilterpacketsbasedonsourceIPaddress,butalsoon:
DesNnaNonIPaddress
SourceanddesNnaNonportnumbers Protocoltype
…andother“special”features,likeestablishedTCPconnecNons,Nmeofday,etc.
Allowednumbers: 100‐199
2000‐2699
TheyworkjustlikestandardACLs(decisionprocess,sequence,denyanyattheend)
25
ExtendedACLsyntax(1)
Access‐list‐number:IdenNfiestheACL
Protocol:NameornumberofanInternetprotocol.Keywordsincludeicmp,ip,tcp,udp.TomatchanyInternetprotocol(includingicmp,tcpandudp)useip.
Source:Numberofthenetworkorhostfromwhichthepacketissent.
Source‐wildcard:Wildcardbitsappliedtothesource.26
ExtendedACLsyntax(2)
Des6na6on:Numberofthenetworkorhosttowhichthepacketissent.
Des6na6on‐wildcard:WildcardbitsappliedtothedesNnaNon.
Operator(opNonal):ComparessourceordesNnaNonports.Keywordsincludegt(greaterthan),lt(lessthan),eq(equalto),neq(notequalto)andrange.
Port(opNonal):ThedecimalnameornumberofaTCPorUDPport.
Established(opNonal):ForTCPonly,indicatesanalreadyestablishedTCPconnecNon.
27
ExtendedACLsexample
R1(config)#access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 21
R1(config)#access-list 101 deny tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 22
R1(config)#access-list 101 permit ip any any
28
Purpose:todenyallFTPtrafficfromPC2’snetworktoPC1’snetwork.
Usingkeywords ExtendedACLssupportthesamekeywordsasthestandardones. Youcanuse“host”and“any”whenappropriate.
ExtendedACLscanalsobecreatedusingkeywordsinsteadofportnumbers.
Examples:
R1(config)#access-list 111 permit tcp 192.168.1.0 0.0.0.255 any eq telnet R1(config)#access-list 111 permit tcp 192.168.1.0 0.0.0.255 any eq ftp R1(config)#access-list 111 permit tcp 192.168.1.0 0.0.0.255 any eq ftp-data
29
Insteadof23,21,20
ApplyingACLstointerfaces AnACLcanbeappliedtoaninterfaceontheinboundortheoubounddirecNon.
ACLsareappliedatinterfaceconfiguraNonlevel.
OnecommandforbothstandardandextendedACLs:R1(config-if)#ip access-group 50 in R1(config-if)#ip access-group 101 out
StandardACLsshouldbeplacedascloseaspossibleto: Answer:thedesNnaNon
ExtendedACLsshouldbeplacedascloseaspossibleto: Answer:thesource
30
ExtendedACLsentries
Layer3andlayer4datafromeachpacketisusedinordertomatchanextendedaccesslistentry.
Allfieldsmustmatchforthepackettomatchanentry.
31
ProtecNngVTYaccess AccesslistscanbeplacedonVTYlinesaswell.
Use“access‐class”insteadof“acces‐group”:
32
NamedACLs AdescripNvenamereplacesthenumberrangeusedtoidenNfytheaccesslist.
Usethe“ipaccess‐list”iniNalcommandtoenterNACLconfiguraNonmode.
Startsuceedingstatementswithpermitordeny,followedbytherequiredcondiNons.
Applyinthesamewayas numberedACLs.
33
NamedACLexample NamedACLsmustspecifythe“standard”or“extended”keywordsintheiniNalcommand:
R1(config)#ip access-list standard STD_NACL R1(config-std-nacl)#deny host 10.0.0.1 R1(config-std-nacl)#deny 192.168.2.0 0.0.0.63 R1(config-std-nacl)#permit any R1(config-std-nacl)#exit R1(config)#
ExtendedNACL:R1(config)#ip access-list extended EXT_NACL R1(config-ext-nacl)#deny tcp host 172.33.15.1 host 200.17.2.99 eq www R1(config-ext-nacl)#deny icmp 192.168.12.0 0.0.0.255 any R1(config-ext-nacl)#permit ip any any log R1(config-ext-nacl)#exit R1(config)#
34
AllowingestablishedconnecNons ExtendedACLsallowtheuseof“established”keyword.
TheseentriesmatchpacketswiththeACKbitsetinaTCPstream.
Itdoesn’treallycheckiftheconnecNonisestablishedornot. AnaXackercaneasilyspooftheACKbitinpacketstopenetratethis
accesslist.R1(config)# access-list 110 permit tcp any 192.168.0.0 0.0.0.255
established
NameanaXackthatcanbepreventedwithsuchanaccesslist. Answer:TCPSYNflood
35
ACL
SYN
ACK
MoreIPandTCPopNons SeveralotheropNonsforfilteringTCPpacketsareavailablewithextendedaccesslists: ACKbit(similarto“established”)
SYN,FINbits
RST(reset)R1(config)# access-list 110 permit tcp any 192.168.0.0 0.0.0.255 ack
R1(config)#access-list 110 permit tcp any any fin
“fragments”matchonnon‐iniNalfragmentsofsamepacket:R1(config)#access-list 110 permit tcp any any fragments
36
QoSfiltering QoS=QualityofService
ExtendedACLscanselecttrafficbasedonDiffServvalues DiffServisanewermodelforclassifyingIPpacketsintodifferentprioritylevels,usingthevalueintheToSIPheaderfield.
“newer”thantheoriginalRFC
37
QoSfiltering(2) OriginalToSbitfields:
P2,P1,P0:IPPrecedence
T2,T1,T0:Delay(min),Throughput(max),Reliability(max)
CU:“CurrentlyUnused”
NewDiffServbitfields:
[DS5,DS4,DS3]:AssuredForwarding(AF)class:higherisbeXer [DS2,DS1,DS0]:DropProbability:lowerisbeXer(DS0=0)
NotaNonexample:AF31meansAssuredForwardingclass3,withdropprecedence1.
38
P2 P1 P0 T2(D) T1(T) T0(R) CU1 CU0
DS5 DS4 DS3 DS2 DS1 DS0 ECN ECN
QoSfiltering(3) UsingDiffServorToSvaluesinextendedaccesslists:
R1(config)#access-list 110 permit ip any any dscp af31
isequivalentto:R1(config)#access-list 110 permit ip any any dscp 26
BecauseAF31is[011010]=26
UsingIPPrecedencevalues:R1(config)#access-list 110 permit ip any any precedence ? <0-7> Precedence value critical Match packets with critical precedence (5) flash Match packets with flash precedence (3) flash-override Match packets with flash override precedence (4) immediate Match packets with immediate precedence (2) internet Match packets with internetwork control precedence (6) network Match packets with network control precedence (7) priority Match packets with priority precedence (1) routine Match packets with routine precedence (0)
39
ReflexiveACLs Aredynamicaccesslists Theycreatedynamicopeningsontheuntrustedsideofarouter(the“internet”interface)
Openingsaremadebasedonsessionscreatedfromthetrustedside(theinterfacefacingyournetwork)
UsedtopermitsessionsiniNatedfromtheinsidenetworkandtodenysessionsiniNatedfromtheInternet.
Well,that’swhat“established”isusedfor,right? No.“established’onlyworkswithTCP,notUDPandICMP
ReflexiveACLscanforcethereplytrafficfromthedesNnaNonofaknownrecentoutboundpackettogotothesourceofthatpacket.
40
TheworldwithoutreflexiveACLs
Toprovide“minimal”Interentaccessfortheabovenetworkwewouldnormallydefinesomethinglike:
ip access-list standard inACL permit tcp 192.168.1.0 0.0.0.255 any eq 80 permit udp 192.168.1.0 0.0.0.255 any eq 53 permit tcp 192.168.1.0 0.0.0.255 any eq 53 deny ip any any
And:ip access-list standard outACL permit tcp any eq 80 192.168.1.0 0.0.0.255 permit udp any eq 53 192.168.1.0 0.0.0.255 permit tcp any eq 53 192.168.1.0 0.0.0.255 deny ip any any
41
TheworldwithreflexiveACLs(1) Ofcourse,theaboveexampleisn’tnearlysufficienttoprovideInternetaccess,butit’sjustanexample!
WithreflexiveACLs,therouterexaminestheoutboundtrafficandonceitseesanewconnecNon,itaddsatemporayACLentrytoallowpacketsbackin:
ip access-list extended outACL permit ip any any reflect MIRROR ! ip access-list extended inACL evaluate MIRROR ! interface GigabitEthernet2/0 ip access-group outACL out ip access-group inACL in !
42
TheworldwithreflexiveACLs(2) Ofcourse,youalsoneedtodefinetheMIRRORaccesslist
Router#show ip access-lists MIRROR Reflexive IP access list Mirror permit tcp host 193.239.22.50 eq www host 192.168.1.100 eq 1234 (7 matches)
43
TheworldwithreflexiveACLs
ThelifeNmeofadynamicentryis5minutesbydefault. IfaddiNonaltrafficpassesoveranexisNngrule,theNmerisresetagain.
IftherouterdetectsaFINorRST(sessionclosing),theentryisimmediatelyremoved.
TheNmeoutcanbechangedwith:Router(config)#ip reflexive-list timeout 300
44
LimitaNonsofreflexiveACLs DonotworkwithapplicaNonsthatdynamicallychangeportnumbersduringaTCPsession. FTPinacNvemodedoesthis.
AlternaNves: Usepassive‐modeFTP(orsimilaropNoninyourapplicaNon).
UseCBAC(Content‐BasedAccessLists) We’lltalkabouttheseinafuturecourse.
45
VerifyingACLs The“showaccess‐lists”command:
R1#show access-lists Standard IP access list 50 20 deny 192.168.13.10 10 permit 192.168.13.20 (85 matches) Standard IP access list STD_NACL 10 deny 10.0.0.1 20 deny 192.168.2.0, wildcard bits 0.0.0.63 30 permit any Extended IP access list 101 10 permit ip any any Extended IP access list EXT_NACL 10 deny tcp host 172.33.15.1 host 200.17.2.99 eq www 20 deny icmp 192.168.12.0 0.0.0.255 any 30 permit ip any any log
46
Thenumberofmatchedpackets.TheACLmustbeappliedonaninterface.
Entrieshaveseq
uencenu
mbe
rs.
EdiNngACLs NumberedACLs(bothstandardandextended)cannotbeedited. AllsubsequentstatementsareaddedtotheboXomoftheACL.
TomodifyanACL,youneedtopasteitinatextfile,deleteitfromtherouter,modifyitinthetexteditorandpasteitbackintheconfiguraNon.
NamedACLsCANbeedited. ACLentriesarenumberedwithanincrementof10.
Precedeyourstatementwiththedesiredindexnumber:R1(config)#ip access-list standard STD_NACL R1(config-std-nacl)#5 deny 17.0.0.1
47
Sequencenumber
ResequencingACLs Thepreviousexamplelookslikethis:
R1#show access-lists STD_NACL Standard IP access list STD_NACL 10 deny 10.0.0.1 5 deny 17.0.0.1 20 deny 192.168.2.0, wildcard bits 0.0.0.63 30 permit any
StatementsaresNllconsecuNve,don’tworry
Youcanresequencethisaccesslist:R1(config)#ip access-list resequence STD_NACL 20 15 R1#show access-lists STD_NACL Standard IP access list STD_NACL 20 deny 10.0.0.1 35 deny 17.0.0.1 50 deny 192.168.2.0, wildcard bits 0.0.0.63 65 permit any
48
Start
Increment
CommenNngACLs CommenNngnumberedACLs:
R1(config)#access-list 50 remark Permit only Gigi's computer through. R1(config)#access-list 50 permit 192.168.13.20 R1(config)#access-list 50 remark Do not allow the secretary through. R1(config)#access-list 50 deny 192.168.13.10
CommenNngnamedACLs:R1(config)#ip access-list standard STD_NACL R1(config-std-nacl)remark This is a standard access list. R1#show run ip access-list standard STD_NACL deny 10.0.0.1 deny 17.0.0.1 deny 192.168.2.0 0.0.0.63 permit any remark This is a standard access list.
49
ACLsbestpracNces StartbycreaNnganACLinatexteditor,notdirectlyontherouter Andnotwhileitisinuse!
VerifyyourACLfirstinatestenvironment. Ifyou’rehavingsecondthoughts,usethe“reloadin”commandbeforeapplyingACLs,incaseyoulockyourselfoutoftherouter:
R1#reload in ? Delay before reload (mmm or hhh:mm)
50
AAA
AuthenNcaNon,AuthorizaNon,AccounNng
51
Majorconcepts ThepurposeofAAAandvariousimplementaNontechniques.
ImplementAAAusingalocaldatabase.
ImplementAAAusingRADIUSandTACACS+protocols. AuthorizaNon AccounNng
52
Usesonlyapasswordforlineaccess Easiesttoimplement,butprovidesliXlesecurity. Vulnerabletobrute‐forceaXacks.
Providesnoaccountability(who’sdoingwhat?...)R1(config)#line vty 0 4 R1(config-line)#password cisco R1(config-line)#login
AuthenNcaNon–passwordonly
53
Internet User Access Verification
Password: cisco Password: cisco1 Password: cisco12 % Bad passwords
AuthenNcaNon–localdatabase Thedatabaseismadeupofuseraccounts. Eachuseraccounthasausernameandapassword. Accountsareconfiguredandstoredlocally.
Providesaccountability. ButdoesnotprovideanyfallbackauthenNcaNonmethod.
R1(config)#username student secret restanta
54
Internet User Access Verification
Username: Admin Password: cisco1 % Login invalid
Username: Admin Password: cisco12 % Login invalid
AAA–creditcardsimilarity
55
Accounting What did you spend it on?
Authentication Who are you?
Authorization which resources the user is allowed to access and which
operations the user is allowed to perform?
Self‐containedAAAauthenNcaNon Selfcontained=everythingisstoredlocally,intherouter. Workswellforsmallnetworks.
TheclientestablishesaconnecNonwiththerouter.
TheAAArouterpromptstheclientwithausernameandapassword.
TherouterauthenNcatesthecredenNalsusingthelocaldatabase.
TheuserreceivesthecorrespondingauthorizaNonlevel.
56
AAA Router Remote Client
1
2 3
Server‐basedAAAauthenNcaNon Usesanexternaldatabase,storedonaserver. AppropriateiftherearemulNpledevicesinthenetworkthatrequireuserauthenNcaNon.
TheclientestablishesaconnecNontotherouter.
TheAAArouterpromptstheclientforausernameandapassword.
TherouterauthenNcatesthecredenNalsbycontacNngaremoteAAAserver.
TheuserreceivesauthorizaNontousethenetworkbasedontheinformaNonstoredontheremoteAAAserver.
57
AAA Router Remote Client
1
24
Cisco Secure ACS Server
3
AAAauthorizaNon TypicallyimplementedusinganAAAserver‐basedsoluNon.
TheuserreceivesasetofaXributesthatdescribeitslevelofaccessonthenetwork.
TheuserestablishesasessionwiththeAAAserver.
TherouterrequestsauthorizaNonfortherequesteduserservicefromtheAAAserver.
TheAAAserverreturnsaPASS/FAILresponse.58
AAA Router Remote Client 1
2
3
AAAaccounNng Usuallyimplementedusingaserver‐basedAAAsoluNon. KeepsadetailedlogofwhatanauthenNcateduserisdoingwhileconnectedtoadevice.
AwerauthenNcaNon,theAAAaccounNgprocessgeneratesastartmessagetobeginaccounNng.
Whentheuserfinishes,astopmessageissentinordertostopaccounNng.
59
AAA Router Remote Client 1
2
LocalAAAauthenNcaNoncommands CreaNngtheuserdatabase:
R1(config)#username student secret R3st4nt4 R1(config)#username profesor secret d1n0saur
EnablingAAAontherouter:R1(config)#aaa new-model
ConfiguretheauthenNcaNonmethodlist:R1(config)#aaa authentication login default local-case
60
ThedefaultauthenNcaNon
list
Uselocaldatabase(case
sensiNve)
AAAauthenNcaNoncommandelementsR1(config)#aaa authentication login {default|list-name} method1
[method2] …
default:definetheauthenNcaNonmethodsforthedefaultlist.
list‐name:specifyadifferentauthenNcaNonmethodlist.
method#:IdenNfiesalistofauthenNcaNonmethodsthatthealgorithmwilltry,insequence.
Atleastonemethodisrequired.
Fourmethodscanbedefined,asaamaximum.
SubsequentmethodsareONLYusedifthefirstonesfailduetoerrorsorNmeouts. IfaFAILanswerisreceivedfromonemethod,theothersarenotcheckedany
more.61
Availablemethodtypes
62
Keywords Descrip6onenable UsestheenablepasswordforauthenNcaNon.Thiskeywordcannotbeused.
krb5 UsesKerberos5forauthenNcaNon.krb5‐telnet UsesKerberos5telnetauthenNcaNonprotocolwhenusingTelnettoconnecttothe
router.line UsesthelinepasswordforauthenNcaNon.local UsesthelocalusernamedatabaseforauthenNcaNon.local‐case Usescase‐sensiNvelocalusernameauthenNcaNon.none UsesnoauthenNcaNon.cachegroup‐name UsesacacheservergroupforauthenNcaNon.groupradius UsesthelistofallRADIUSserversforauthenNcaNon.grouptacacs+ UsesthelistofallTACACS+serversforauthenNcaNon.groupgroup‐name UsesasubsetofRADIUSorTACACS+serversforauthenNcaNonasdefinedbythe
aaagroupserverradiusoraaagroupservertacacs+command.
No authentication means authentication always succeeds.
SampleauthenNcaNonconfiguraNon
R1(config)#username student secret R3st4nt4 R1(config)#username profesor secret d1n0saur R1(config)#aaa new-model R1(config)#aaa authentication login default local-case enable R1(config)#aaa authentication login TELNET-LOGIN local-case R1(config)# line vty 0 4 R1(config-line)#login authentication TELNET-LOGIN
63
DebuggingAAAR1# debug aaa ?
accounting Accounting
administrative Administrative
api AAA api events
attr AAA Attr Manager
authentication Authentication
authorization Authorization
cache Cache activities
coa AAA CoA processing
db AAA DB Manager
dead-criteria AAA Dead-Criteria Info
id AAA Unique Id
ipc AAA IPC
mlist-ref-count Method list reference counts
mlist-state Information about AAA method list state change and
notification
...
64
SuccessfulloginindebugmodeR1# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
65
OverviewofTACACS+andRADIUS
66
Perimeter Router
Remote User
Cisco Secure ACS for Windows Server
Cisco Secure ACS Express
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
RADIUS RemoteAuthenNcaNonDial‐InUserService IETFstandard–worksanywhere UsesUDPports1812,1813
CiscoSecureACSismorespecial:usesUDPports1645,1646
AuthenNcaNngusers:
67
Systemdatabase• ForUNIXservers,afilelike/etc/passwd
Internaldatabase• UseRADIUSinternaldatabase
SQLauthenNcaNon• ExternalSQLdatabase.NoformatrestricNons.
RADIUSauthenNcaNonprocess
68
RADIUSsecurity Security:
Packetcontentsarenotencryptedsodatacanbesniffed
Onlypasswordsareencrypted(RADIUSusesPAP,butdoesnotsendpasswordsincleartext,likePPP,forexample)
RADIUScannotseparatelycontroluserauthorizaNon ItisbydefaultpartoftheauthenNcaNonprocess
MessageauthenNcaNon: MessagesareauthenNcatedusinganMD5fingerprint
Messagestructure: UsesAXribute‐Valuemessagesbetweentherouterandtheserver
TheroutergathersallauthenNcaNondetailsbeforeforwardingthemtotheRADIUSserver
Avendor‐specificaXributeallowsittorunoverTACACS+
69
RADIUSusage WidelyusedbyVoIPserviceproviders. ItpasseslogincredenNalsofaSIPendpoint(likeanIPphone)toaSIPregistrarandthentoaRADIUSserver.
70
Also,commonlyusedbythe802.1xsecuritystandard
switchportsecurity WLANsecurity
TACACS+ CreatesanarbitraryconnecNonbetweentheclientandtheTACACS+daemonunNlthedaemonhasenoughinformaNontoauthenNcatetheuser.
UsesTCPport49. SupportedbyCiscoASA,PIXfirewalls,Ciscorouters ExtensiveauthorizaNonfeatures:
Canuploadper‐userACLsandstaNcroutestotherouteruponuserauthorizaNon.
TherouterqueriestheTACACS+serveronbehalfoftheuserinordertocheckwhetheritshouldexecuteacommand.
SetsaTCPsessionforeachauthorizaNonrequest Inducesdelays‐>CiscoSecureACSsupportsasingleconnecNon
71
TACACS+authenNcaNonprocess
72
TACACS+vsRADIUScomparisionbreakdown
73
TACACS+ RADIUS
Func6onality SeparatesAAAaccordingtotheAAAarchitecture,allowingmodularityofthesecurityserverimplementaNon
CombinesauthenNcaNonandauthorizaNonbutseparatesaccounNng,allowinglessflexibilityinimplementaNonthanTACACS+.
Standard MostlyCiscosupported Open/RFCstandard
TransportProtocol TCP UDP
CHAP BidirecNonalchallengeandresponseasusedinChallengeHandshakeAuthenNcaNonProtocol(CHAP)
UnidirecNonalchallengeandresponsefromtheRADIUSsecurityservertotheRADIUSclient.
ProtocolSupport MulNprotocolsupport NoARA,noNetBEUI
Confiden6ality EnNrepacketencrypted Passwordencrypted
Customiza6on ProvidesauthorizaNonofroutercommandsonaper‐userorper‐groupbasis.
HasnoopNontoauthorizeroutercommandsonaper‐userorper‐groupbasis
Accoun6ng Limited Extensive
RADIUSandTACACS+authenNcaNoncommands
R1(config)#aaa new-model R1(config)#tacacs-server host 192.168.1.101 single-connection R1(config)#tacacs-server key TACACS-p@$$word R1(config)#radius-server host 192.168.1.100 R1(config)#radius-server key RADIUS-p@$$word R1(config)#aaa authentication login default group tacacs+ group radius local-case
74
192.168.1.100
192.168.1.101
R1
RADIUS server
TACACS+ server
AAAauthenNcaNonmodes
75
AAAcanbeusedtoauthenNcateusersfor: Remotenetworkaccess
AdministraNveaccess
TherearetwomodestorequestAAAservices: Charactermode:theusersendsarequesttoaccessanEXECprocess,foradministraNvepurposes; login,exec,enablecommands
Packetmode:theusersendsarequesttoestablishaconnecNonwithadeviceonthenetwork. pppandnetworkcommands
AAA:AuthorizaNon
76
Server‐basedAAAauthorizaNon RADIUSdoesnotseparateauthenNcaNonfromauthorizaNon.
TACACS+considersthemasseparateprocesses.
CiscoIOSallowsauthorizaNontocontroluseraccesstocertaincommands.
AuthorizaNonprocess: Theusersendacommandtotherouter.
TherouteraskstheAAAserveriftheuserisauthorizedtorunthecommand.
TheAAAservergivesaPASS/FAILresponseandtherouteractsaccordingly.
77
Configuringserver‐basedauthorizaNon AuthorizaNoncommandsyntax:aaaauthorizaNon{network|exec|commandslevel}{default|list‐name}
method1...[method4]
Network:fornetworkservices(SLIP,PPP)Exec:forstarNnganexec(shell)sessionCommandslevel:forexeccommands
78
ConfiguringauthorizaNonexample
79
R1(config)#username student secret R3st4nt4 R1(config)#username profesor secret d1n0saur R1(config)#aaa new-model R1(config)#aaa authentication login default group radius local-case
R1(config)#aaa authentication login TELNET-LOGIN group tacacs+ local-case
R1(config)#aaa authorization exec default group tacacs+ R1(config)#aaa authorization network default group tacacs+ R1(config)#aaa authorization commands 15 default group tacacs+ R1(config)# line vty 0 4 R1(config-line)#login authentication TELNET-LOGIN R1(config-line)#authorization commands 15 default R1(config-line)#authorization exec default
AAA:AccounNng
80
Server‐basedAAAaccounNng KeeptrackofindividualacNvity
Importantfromafinancial,managementbutalsofromasecuritypointofview. Whydidthatuseraccesstheserverat4am?
UsefulforcreaNngalistofchangesoccuringonthenetwork. Whomadethechanges?
Whendidtheyoccur?
Whatwaschanged?
ThedefaultaccounNnglistautomaNcallyappliestoallinterfaces.
81
Server‐basedaccounNngconfiguraNon ToconfigureAAAaccounNng,usetheglobalconfiguraNonmodecommand:
aaaaccounNng{network|exec|connecNon}{default|list‐name}{start‐stop|stop‐only|none}[broadcast]method1...[method4]
Thedefaultorthe<list‐name>listcanbedefined. Thetrigger(start‐stop,stop‐only,none)specifywhicheventscausetheaccounNngrecordstobeupdated.
82
Server‐basedaccounNngexample Forexample,tologtheuseofexecsessionsandnetworkconnecNons:
R1(config)# aaa accounting exec default start-stop group tacacs+ R1(config)# aaa accounting network default start-stop group tacacs+
83
THELASTSLIDE! Thisevening’ssummary:
ACLs:usage,types
ACLconfiguraNon ACLbestpracNces
AAAbasicconcepts
ConfiguringauthenNcaNon ConfiguringauthorizaNon
ConfiguringaccounNng
84
TheREALfinalslide
Amateurs hack systems, professionals hack people.
BruceSchneier
85