ccna security ch7 implementing aaa using ios acs server

Upload: florinn81

Post on 01-Jun-2018


  • 8/9/2019 Ccna Security Ch7 Implementing Aaa Using Ios ACS Server

    1/28

Chapter 7: Implementing AAA Using IOS and the ACS Server

I. Foundation Topics
1. Using the local database does not scale well with multiple routers and switches.

ACS server takes care of AAA for administrators as well as for users of the network.

II. Cisco Secure ACS, RADIUS, and TACACS+
1. Why Use Cisco ACS?

1. ACS can be the center for AAA, either using its own local database or Microsoft Active Directory.

2. What Platform Does ACS Run On?
1. Windows, VM, physical appliance

3. What is ISE?
1. ISE is an identity and access control policy platform, checking that requirements are met for access nodes. ISE is not a full replacement of ACS. Usually ACS is used for AAA and ISE is used in conjunction for identity and access control.

4. Protocols Used Between the ACS Server and the Client (the Router)

1. TACACS+ and RADIUS protocols are used between the ACS server and the client.
2. TACACS+ (Terminal Access Controller Access Control System) - older versions existed but we only use TACACS+ now. TACACS+ packets are encrypted before being sent back and forth with the ACS server.

3. RADIUS (Remote Authentication Dial-In User Service) - open standard; only passwords are encrypted.


III. Configuring Routers to Interoperate with an ACS Server
1. TACACS+ has very granular command authorization, while RADIUS does not.

TACACS+ will most likely be used for AAA for administrators needing CLI access, while RADIUS, an open IETF standard, will be used for authentication and authorization for end users to send their packets through the router.

2. Both TACACS+ and RADIUS can be used simultaneously between ACS and router.

Table 7-2 TACACS+ Versus RADIUS

| | TACACS+ | RADIUS |
|---|---|---|
| Functionality | Separates AAA functions into distinct elements. Authentication is separate from authorization, and both of those are separate from accounting | Combines many of the functions of authentication and authorization together. Has detailed accounting capability when accounting is configured for use |
| Standard | Cisco proprietary, but very well known | Open standard, and supported by nearly all vendors' AAA implementation |
| L4 protocol | TCP | UDP |
| Replacement coming | None officially planned | Possibly Diameter (named to imply that RADIUS is only half as much, pun intended) |
| Confidentiality | All packets are encrypted between ACS server and the router (which is the client) | Only the password is encrypted with regard to packets sent back and forth between the ACS server and the router |
| Granular command-by-command authorization | This is supported, and the rules are defined on the ACS server about which commands are allowed or disallowed | No explicit command authorization checking rules can be implemented |
| Accounting | Provides accounting support | Provides accounting support, and generally acknowledged as providing more detailed or extensive accounting capability than TACACS+ |
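The Confidentiality row of Table 7-2 is the one with a concrete protocol mechanism behind it. The following Python script, an added example that is not part of the chapter or of these notes, implements the User-Password hiding of RFC 2865 (RADIUS) and the body obfuscation of RFC 8907 (TACACS+), builds one minimal request of each kind, and checks which credential fields are still readable in the bytes on the wire. The shared secret, Request Authenticator, session ID and credentials are constructed values (a real authenticator and session ID are random), and the helper names are mine, not Cisco's or either RFC's.

```python
import hashlib
import struct

# Constructed values for a deterministic demonstration. A real RADIUS
# Request Authenticator is 16 random bytes and a real TACACS+ session_id
# is chosen randomly by the client for every session.
SECRET = b"cisco123"
AUTHENTICATOR = bytes(range(16))
SESSION_ID = 0x00000083
USER, PASSWORD = b"admin", b"cisco"


def radius_hide_password(secret, authenticator, password):
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then
    c_i = p_i XOR MD5(secret + c_(i-1)) with c_0 = Request Authenticator.
    Only this one attribute is protected; everything else is plaintext."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password (what the RADIUS server does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def tacacs_obfuscate(key, session_id, version, seq_no, body):
    """RFC 8907 section 4.5: XOR the whole body with an MD5 pseudo-pad
    derived from session_id, key, version and seq_no. Calling it again
    with the same parameters reverses it."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def _avp(attr_type, value):
    """RADIUS attribute: type, length (including these two bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_radius_access_request(secret, authenticator, user, password, ident=1):
    """Access-Request (code 1) carrying User-Name (1) and User-Password (2)."""
    attrs = _avp(1, user) + _avp(2, radius_hide_password(secret, authenticator, password))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def build_tacacs_authen_start(key, session_id, user, password, port=b"tty0", rem_addr=b"10.0.0.5"):
    """Authentication START packet (PAP): 12-byte header in the clear, body obfuscated."""
    # action=LOGIN(1), priv_lvl=1, authen_type=PAP(2), authen_service=LOGIN(1), then lengths
    body = (struct.pack("!8B", 1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password))
            + user + port + rem_addr + password)
    version, seq_no = 0xC0, 1   # major version 0xC, minor 0; first packet of the session
    # header: version, type=AUTHEN(1), seq_no, flags=0 (obfuscated), session_id, body length
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(key, session_id, version, seq_no, body)


def tacacs_body(key, packet):
    """Recover the body of a TACACS+ packet given the shared key (what the server does)."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return tacacs_obfuscate(key, session_id, version, seq_no, packet[12:12 + length])


def exposed_fields(packet, user, password):
    """Which of the two credentials can be read straight from the bytes on the wire?"""
    return {"user_visible": user in packet, "password_visible": password in packet}


if __name__ == "__main__":
    radius = build_radius_access_request(SECRET, AUTHENTICATOR, USER, PASSWORD)
    tacacs = build_tacacs_authen_start(SECRET, SESSION_ID, USER, PASSWORD)
    print("RADIUS :", exposed_fields(radius, USER, PASSWORD))
    print("TACACS+:", exposed_fields(tacacs, USER, PASSWORD))
```

With the constructed inputs, the RADIUS packet reports the username as visible and the password as hidden, while the TACACS+ packet hides both, which is exactly the difference the table's Confidentiality row describes. Both mechanisms are keyed MD5 pseudo-pads rather than modern authenticated encryption; RFC 8907 itself recommends running TACACS+ over a protected transport, and the shared key on the `tacacs-server host` line is what the pad is derived from, so a device without a key sends the body in the clear.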

3. CLI and CCP can be used
4. Plan for Configuration

a. Administrators


5. Example

R1(config)# aaa new-model
(required to enable AAA on the router; by default on most IOS systems it is disabled)

R1(config)# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
(authentication: custom method list that uses TACACS+ first, and if that fails because no ACS server responds, uses the local database)

R1(config)# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
(authorization: custom method list that uses tacacs+ first, and if that fails due to lack of an ACS server, uses the local database)

R1(config)# username admin privilege 15 secret cisco
(create a local database username and password as a backup in case the ACS server is not available)

R1(config)# tacacs-server host 192.168.1.252 key cisco123
(configure the ACS server connection settings and password)

R1(config)# line vty 0 4
R1(config-line)# authorization exec Author-Exec_via_TACACS
R1(config-line)# login authentication AUTHEN_via_TACACS
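The notes above and the CCP walkthrough later in the chapter keep returning to the same pitfall: a method list that falls back to `none`, or to `local` when no local account exists, leaves the router either open or locked out once the ACS server is unreachable. The following Python script, an added example that is not part of the chapter or of these notes, audits a saved IOS running-config for exactly these conditions. It assumes the legacy `tacacs-server host ... key ...` syntax used in the chapter, and both sample configs embedded in it are constructed for the example (the first reproduces the chapter's commands, the second is a deliberately weak variant).

```python
import re

# Constructed sample: the chapter's CLI lines as they would appear in a
# running-config (prompts removed).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login AUTHEN_via_TACACS group tacacs+ local
aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
username admin privilege 15 secret cisco
tacacs-server host 192.168.1.252 key cisco123
line vty 0 4
 authorization exec Author-Exec_via_TACACS
 login authentication AUTHEN_via_TACACS
"""

# Constructed weak variant: no key on the server, 'none' as the fallback
# method, and no local account at all.
WEAK_CONFIG = """\
aaa new-model
aaa authentication login LIST1 group tacacs+ none
aaa authorization exec LIST2 group tacacs+ none
tacacs-server host 192.168.1.252
line vty 0 4
 login authentication LIST1
 authorization exec LIST2
"""


def _methods(rest):
    """Split 'group tacacs+ local' into ['group tacacs+', 'local']."""
    toks, out, i = rest.split(), [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def parse_config(text):
    """Extract the AAA-relevant pieces of an IOS config (legacy tacacs-server syntax)."""
    cfg = {"aaa_new_model": False, "authen": {}, "author": {}, "users": {},
           "tacacs_hosts": [], "global_key": None, "vty": []}
    block = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and block is not None:
            block["lines"].append(raw.strip())   # sub-command of a 'line vty' block
            continue
        block = None
        line = raw.strip()
        m_authen = re.match(r"aaa authentication login (\S+) (.+)$", line)
        m_author = re.match(r"aaa authorization exec (\S+) (.+)$", line)
        m_user = re.match(r"username (\S+)(?: privilege (\d+))? (?:secret|password) ", line)
        m_host = re.match(r"tacacs-server host (\S+)(?: .*?\bkey (\S+))?", line)
        m_gkey = re.match(r"tacacs-server key (\S+)", line)
        if line == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif m_authen:
            cfg["authen"][m_authen.group(1)] = _methods(m_authen.group(2))
        elif m_author:
            cfg["author"][m_author.group(1)] = _methods(m_author.group(2))
        elif m_user:
            cfg["users"][m_user.group(1)] = int(m_user.group(2) or 1)  # IOS default level is 1
        elif m_host:
            cfg["tacacs_hosts"].append((m_host.group(1), m_host.group(2)))
        elif m_gkey:
            cfg["global_key"] = m_gkey.group(1)
        elif line.startswith("line vty"):
            block = {"name": line, "lines": []}
            cfg["vty"].append(block)
    return cfg


def _check_list(name, methods, users, kind):
    """Findings for one method list applied to a vty line."""
    if methods is None:
        return [f"{name}: {kind} list is applied but not defined"]
    out = []
    if not any(m.startswith("group ") for m in methods):
        out.append(f"{name}: {kind} list does not use an AAA server group")
    if "none" in methods:
        out.append(f"{name}: {kind} falls back to 'none' (fails open when the ACS server is unreachable)")
    if "local" in methods and not users:
        out.append(f"{name}: {kind} falls back to 'local' but no local username exists (lockout when ACS is unreachable)")
    if kind == "authorization" and "local" in methods and users and 15 not in users.values():
        out.append(f"{name}: exec authorization falls back to 'local' but no privilege-15 user exists")
    return out


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_config(text)
    findings = []
    if not cfg["aaa_new_model"]:
        findings.append("aaa new-model missing: method lists are not in effect")
    if not cfg["tacacs_hosts"]:
        findings.append("no tacacs-server host configured")
    for host, key in cfg["tacacs_hosts"]:
        if key is None and cfg["global_key"] is None:
            findings.append(f"tacacs-server {host}: no key, so TACACS+ packet bodies are not encrypted")
    for vty in cfg["vty"]:
        login = author = None
        for sub in vty["lines"]:
            if sub.startswith("login authentication "):
                login = sub.split()[-1]
            elif sub.startswith("authorization exec "):
                author = sub.split()[-1]
        if login is None:
            findings.append(f"{vty['name']}: no login authentication list applied")
        else:
            findings += _check_list(login, cfg["authen"].get(login), cfg["users"], "authentication")
        if author is None:
            findings.append(f"{vty['name']}: no exec authorization list applied")
        else:
            findings += _check_list(author, cfg["author"].get(author), cfg["users"], "authorization")
    return findings


if __name__ == "__main__":
    for label, text in (("chapter config", SAMPLE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(label, "->", audit(text) or "no findings")
```

Run against the chapter's configuration the audit is clean; against the weak variant it reports the missing key and the two `none` fallbacks. The same script can be pointed at `show running-config` output saved to a file, with the caveat that newer IOS releases use `tacacs server NAME` blocks, which this parser does not read.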

Example 7-2 Verifying AAA

R1# debug tacacs
TACACS access control debugging is on

Telnet to an IP address on the local router.

R1# telnet 1


If we exit, change the debugs slightly, and do it again, it will give us yet another perspective.

R1# debug aaa authentication
AAA Authentication debugging is on
R1# debug aaa authorization
AAA Authorization debugging is on

Telnet:
R1# telnet 1


6. Using CCP to implement the same as above
a. Configure > Router > AAA > AAA Servers and Groups > Servers > Add

a. Provide the relevant information, then press OK.

b. As shown by the fields on the GUI, you are adding a TACACS+ server to the configuration.


c. To create a method list
a. Configure > Router > AAA > Authentication Policies > Login, click Add

1. This method list is for login authentication.
1. Add methods to the method list.
2. There is also an option to move methods up and down through the list. Top is highest priority, bottom is lowest priority.

d. You can see all authentication method lists here.


7. You can create an authorization method list
a. Configure > Router > AAA > Authorization Policies > EXEC Command Mode, click Add
a. Same as before, add methods to the method list. Top has priority.


9. Apply method lists to vty lines
a. Configure > Router > Router Access > VTY, click Edit

a. After clicking Edit, you can select the authentication and authorization method lists.

b. Click OK and any confirmation buttons until the config is sent to the router.

b. Shows a summary of the configuration.
c. This demonstration has not yet created a local account for administration; if the ACS server is not reachable and you have not created a local account, then you will run into trouble.


10. Create a local user account
a. Configure > Router > Router Access > User Accounts/View, click Add


IV. Configuring the ACS Server to Interoperate with a Router

Table 7-4 Key Components for Configuring ACS

| Component of ACS | How It Is Used |
|---|---|
| Network device groups | Groups of network devices, normally based on routers or switches with similar functions |



5. First step is to create a device group as shown above.
a. Network Resources > Network Device Groups > Device Type, click Create

a. Fill it out and create the group, click Submit.

6. Add a device so we can put it in the device group we just created
a. Network Resources > Network Devices and AAA Clients, click Create

a. Fill out the following:
1. Select device type to select the device group.
2. Name and Description
3. IP Address
4. Select Protocol (TACACS+)
5. Password

b. Review the info and click Submit.


7. Configure User group
a. Users and Identity Stores > Identity Groups, click Create

a. Type in the name of the group and click Submit.
1. Continue this until you have created all the groups you need.

8. A summary pops up after submitting a user group.


9. Create user accounts
a. Users and Identity Stores > Internal Identity Stores > Users, click Create

a. Fields:
1. Name
2. Description
3. Enabled/Disabled
4. Identity Group - select the identity group
5. Password


10. Summary of what you configured


11. Create Authorization policies
a. Access Policies > Access Services > Default Device Admin > Authorization, click Create

a. Name the policy.
b. Check the box under Conditions next to Identity Group and click the Select button to choose the admin group created earlier.
c. Check the box next to NDG Device Type and click the Select button to indicate the device belongs to the group of routers device group that was created earlier.

d. Click the Select button next to Shell Profile.

12. You could assign one of the preconfigured profiles, or you could create your own profile and assign it to this group of users. To create a custom profile, click the Create button, and from the new window that is brought up name the profile in the dialog box provided, and then display the Common Tasks tab and change the default privilege level to Static, and assign the privilege level of 15, as shown in Figure 7-18.

13. Click Submit, and then confirm any dialog boxes presented to you from ACS until the configuration is applied. By using these steps, any users in the Admin group accessing any of the devices in the specified device group will not only be able to authenticate but also be automatically authorized for and placed into privilege level 15 after successfully authenticating on those routers. We would repeat this process for the Monitor group, assigning a static privilege level of 1.


14. After saving the changes, you can view a summary of the authorization profiles in this same location.


V. Verifying and Troubleshooting Router-to-ACS Server Interactions
1. Ping x.x.x.x

2. The above shows a ping. Make sure you have connectivity to the ACS server, you being the router. This could entail routing protocols, spanning tree, etc.; use your troubleshooting techniques.

R1# test aaa group tacacs+ admin cisco123 legacy
Attempting authentication test to server group tacacs+ using tacacs+
User was successfully authenticated.

3. Test AAA authentication by indicating the group, username and password and the keyword legacy.

4. The above is the product of the following, which is ACS reporting, which may give you some insight into what a particular issue might be.
a. Monitoring & Reports > Reports > Favorites

a. Click the Authentications-TACACS-Today link.


5. A common occurrence is that there are no reports to look at due to filtering somewhere between the ACS and the router. Also ensure the right IP address is being used for the connection to the ACS server.

6. Also verify that AAA using the ACS server is working correctly by telnetting to the router from a remote workstation, to ensure the user accounts are being authenticated against the ACS, by using debugging. Verifying what debugging is currently in place on the router:

R1# show debug
General OS:
  TACACS access control debugging is on
  AAA Authentication debugging is on
  AAA Authorization debugging is on

On a remote machine, we telnet and authenticate as the user admin, and simply view the debug output on the console of the router receiving the telnet session.

R1#AAA


TPLUS(00000083)


TPLUS(00000084)


VI. Do I Know This Already? Quiz

Table 7-1 "Do I Know This Already?" Section-to-Question Mapping

| Foundation Topics Section | Questions |
|---|---|
| Cisco Secure ACS, RADIUS, and TACACS+ | 1-3 |
| Configuring Routers to Interoperate with an ACS Server | 4-6 |
| Configuring the ACS Server to Interoperate with a Router | 7-8 |
| Verifying and Troubleshooting Router-to-ACS Server Interactions | 9-10 |

1. Which of the following are most likely to be used for authentication of a network administrator accessing the CLI of a Cisco router? (Choose all that apply.)
a. TACACS+
b. Diameter
c. RADIUS
d. ACS

2. Which of the following allows for granular control related to authorization of specific Cisco IOS commands that are being attempted by an authenticated and authorized Cisco router administrator?
a. RADIUS
b. Diameter
c. TACACS+
d. ISE

3. Which devices or users would be clients of an ACS server? (Choose all that apply.)
a. Routers
b. Switches
c. VPN users
d. Administrators

4. On the router, what should be created and applied to a vty line to enforce a specific set of methods for identifying who a user is?
a. RADIUS server
b. TACACS+ server
c. Authorization method list
d. Authentication method list

5. What is the minimum size for an effective TACACS+ group of servers?
a. 1
b. 2
c. 5
d. 6

6. With what can you configure AAA on the router? (Choose all that apply.)
a. ACS
b. CCP
c. CLI
d. TACACS+

7. Which statement is true for ACS 5.x?
a. User groups are nested in network device groups
b. Authorization policies can be associated with user groups that are accessing specific network device groups
c. There must be at least one user in a user group
d. User groups can be used instead of device groups for simplicity


8. Where in the ACS do you go to create a new group of administrators?
a. Users and Identity Stores > Identity Groups
b. Identity Stores > Identity Groups
c. Identity Stores and Groups > Identity Groups
d. User and Groups > Identity Groups

9. From the router, which method tests the most about the ACS configuration, without forcing you to log in again at the router?
a. ping
b. traceroute
c. test aaa
d. telnet

10. Which of the following could likely cause an ACS authentication failure, even when the user is using the correct credentials? (Choose all that apply.)
a. Incorrect secret on the ACS
b. Incorrect IP address of the ACS configured on the router
c. Incorrect routing
d. Incorrect filtering between the ACS and the router

VII. Review All the Key Topics

Table 7-5 Key Topics

| Key Topic Element | Description | Page Number |
|---|---|---|
| Text | Why use Cisco ACS | 140 |
| Text | Protocols used between the ACS and the router | 141 |
| Table 7-2 | TACACS+ versus RADIUS | 142 |
| Example 7-1 | Using the CLI to configure IOS for use with ACS | 144 |
| Table 7-3 | Configuring the router to use ACS via TACACS+ | 148 |
| Figure 7-6 | Applying the newly created method lists | 152 |
| Table 7-4 | Key components for configuring ACS | 155 |
| Example 7-4 | Testing AAA between the router and the ACS | 165 |


VIII. Complete the Tables and Lists from Memory

Table 7-2 TACACS+ Versus RADIUS


Table 7-4 Key Components for Configuring ACS



IX. Command Reference to Check Your Memory

Table 7-6 Command Reference

| Command | Description |
|---|---|
| aaa new-model | Enable the configuration of method lists and other AAA-related elements, including the use of ACS |
| test aaa group tacacs+ admin cisco123 legacy | Allow verification of the authentication function working between the AAA client (the router) and the ACS server (the AAA server) |
| aaa authentication login {LIST1} group tacacs+ none | Create an authentication method list that, when applied elsewhere in the configuration, requests the services of an ACS server via TACACS+, and if no server responds, the next method "local" (which is the local router configuration) is checked to verify the credentials of the user |
| aaa authorization exec {LIST2} group tacacs+ none | Create an authorization method list that, when applied to a vty line, requests the services of an ACS server (via TACACS+). If no server responds, the second method "none" is used. This results in no username prompt being provided to the user, and authentication is not required |
| tacacs-server host 192.168.1.252 key cisco123 | Places a server into the "group" of ACS servers the router can use for TACACS+ requests. It includes the IP address and the secret used to encrypt packets between this router (the client) and the ACS server |