ns1_v20_module05.ppt

Upload: cark86

Post on 02-Jun-2018


TRANSCRIPT

8/11/2019 NS1_v20_Module05.ppt

1/32

2005 Cisco Systems, Inc. All rights reserved.
2004, Cisco Systems, Inc. All rights reserved.

CNIT 221 Security 1, ver. 2, Module 5

City College of San Francisco, Spring 2006


    Network Security 1

Module 5: Cisco Secure Access Control Server


    Learning Objectives

5.1 Cisco Secure Access Control Server for Windows

5.2 Configuring RADIUS and TACACS+ with CSACS


    Module 5

Cisco Secure Access Control Server

5.1 Cisco Secure Access Control Server for Windows


    Cisco Access Control Server

Cisco Secure Access Control Server (ACS) network security software helps you authenticate users by controlling access to an AAA client.

AAA client: a router, switch or VPN Concentrator.

The AAA client can be any one of many network devices that can be configured to defer authentication and authorization of network users to an AAA server.

AAA: Authentication, Authorization and Accounting.

AAA can be implemented on a device locally, or managed from a central server running the RADIUS or TACACS+ protocol.


Cisco Secure ACS Products

[Diagram: the two product forms, Cisco Secure ACS for Windows Server and the Cisco Secure ACS Solution Engine. A remote dial-up client reaches a NAS over PSTN/ISDN; a remote VPN client reaches a router over the Internet; the NAS, the router and a console connection all consult the ACS.]


What Is Cisco Secure ACS for Windows Server?

Provides AAA services to network devices that function as AAA clients, such as routers, NASs, PIX Security Appliances, or VPN Concentrators.

Helps centralize access control and accounting, in addition to router and switch access management.

Allows network administrators to quickly administer accounts and globally change levels of service offerings for entire groups of users.

Although the use of an external user database is optional, Cisco Secure ACS for Windows Server supports many popular user repository implementations.

Uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.

Can authenticate against many popular token servers. Cisco Secure ACS supports any token server that is a RADIUS server compliant with IETF RFC 2865.


Cisco Secure ACS General Features

[Diagram: NAS to Cisco Secure ACS for Windows Server over TACACS+ or RADIUS; the NAS itself authenticates the user with PAP, CHAP or MS-CHAP.]

Uses TACACS+ or RADIUS between Cisco Secure ACS and the NAS.

Allows authentication against the Windows 2000 user database, the ACS user database, a token server, or other external databases.

Supports PAP, CHAP, and MS-CHAP authentication on the NAS.


Authentication and User Databases

Cisco Secure ACS supports several external user databases:

Windows NT/2000 User Database
Generic LDAP
NDS
ODBC-compliant relational databases
CRYPTOCard token server
SafeWord token server
AXENT token server
RSA SecurID token server
ActivCard token server
Vasco token server


Cisco Secure ACS System Architecture

Provides access control services (ACS) to multiple Cisco authenticating devices (NAS 1, NAS 2 and NAS 3 in the diagram).

Comprises several modular Windows 2000 services, operating together on one server:

Authentication service
Authorization service
Logging service
RADIUS service
TACACS+ service
Administration service
Sync service
Monitor service


Cisco Secure ACS Windows Services

CSAdmin: Provides the HTML interface for administration of Cisco Secure ACS.

CSAuth: Provides authentication services.

CSDBSync: Provides synchronization of the CiscoSecure user database with an external RDBMS application.

CSLog: Provides logging services, both for accounting and system activity.

CSMon: Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.

CSTacacs: Provides communication between TACACS+ AAA clients and the CSAuth service.

CSRadius: Provides communication between RADIUS AAA clients and the CSAuth service.


Cisco Secure ACS User Database

[Diagram: NAS 1, NAS 2 and NAS 3 all query the ACS user database.]

Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the Cisco Secure ACS user database.


Using the ACS Database Alone

[Diagram: the dial-up client sends its username and password to the NAS; the NAS exchanges requests and responses with the ACS TACACS+ or RADIUS service on the Windows 2000 Server; ACS returns "authentication confirmed" plus authorization information. The Windows 2000 Server user login process and user database are shown but not used in this flow.]

The NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
Authentication of the client
Authorization privileges assignment
Accounting information destination

The TACACS+ or RADIUS service directs the request to the appropriate administrative service (the ACS authentication and authorization service).

The request is authenticated against the ACS database, the associated authorizations are assigned, and the accounting information is logged.


Using the Windows Database

[Diagram: the dial-up client sends its username and password to the NAS; the NAS exchanges requests and responses with the ACS TACACS+ or RADIUS service; ACS hands the credentials to the Windows 2000 Server user login process and user database (RAS data, grant dial-in) and returns "authentication confirmed" plus authorization information to the NAS.]

The NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
Authentication of the client
Authorization privileges assignment
Accounting information destination

The TACACS+ or RADIUS service directs the request to the appropriate administrative service.

The username and password are sent to the Windows 2000 database for authentication. If approved, the confirmation and the authorization assigned in ACS for that user are sent to the NAS. Accounting information is logged.

The username and password are submitted to Windows 2000 as a local user, with the user's "Grant dial-in permission" setting checked. The response is returned to ACS and authorizations are assigned, which makes a single login for dial-in access and network login possible.


Using External User Databases

[Diagram: NAS 1, NAS 2 and NAS 3 query the ACS user database, which in turn consults an external user database.]


Using Token Cards

[Diagram: a token card showing a one-time code (3178454); the NAS forwards the code to Cisco Secure ACS over TACACS+ or RADIUS; ACS relays it to the token card server over the server's proprietary protocol or over RADIUS.]

Supported token servers:
LEAP proxy RADIUS servers
RSA SecurID token servers
RADIUS-based token servers, including:
  ActivCard token servers
  CRYPTOCard token servers
  VASCO token servers
  PassGo token servers
  SafeWord token servers
  Generic RADIUS token servers


User-Changeable Passwords

[Diagram: the user connects over an SSL connection (suggested) to the UCP server, a Windows 2000 Server running IIS 5.0; the UCP server talks to Cisco Secure ACS for Windows Server using 128-bit encrypted messaging; NAS 1, NAS 2 and NAS 3 continue to use the ACS as before.]


Module 5

Cisco Secure Access Control Server

5.2 Configuring RADIUS and TACACS+ with CSACS


Gathering Answers for the Installation Questions

Determine whether the computer that Cisco Secure ACS will be installed on is a domain controller or a member server.
Determine which AAA protocol and vendor-specific attribute to implement.
Record the name of the AAA client.
Record the IP address of the AAA client.
Record the IP address of the computer that Cisco Secure ACS will be installed on.
Record the shared secret TACACS+ or RADIUS key.


Cisco Secure ACS for Windows Server: Installation Overview

Task 1: Preconfigure the Windows 2000 Server system.
Task 2: Verify the connection between the Windows 2000 Server system and the Cisco routers.
Task 3: Install Cisco Secure ACS for Windows Server on the Windows 2000 Server system.
Task 4: Initially configure Cisco Secure ACS for Windows Server via web browser.
Task 5: Configure the routers for AAA.
Task 6: Verify correct installation and operation.


Administering Cisco Secure ACS for Windows Server


Troubleshooting

Use the Failed Attempts Report under Reports and Activity as a starting point. It provides a valuable source of troubleshooting information.


Globally Enable AAA

[Diagram: NAS and Cisco Secure ACS for Windows Server at 10.1.2.4.]

router(config)#
aaa new-model

router(config)# aaa new-model


tacacs-server Commands

router(config)#
tacacs-server key keystring

router(config)# tacacs-server key 2bor!2b@?

router(config)#
tacacs-server host ipaddress

router(config)# tacacs-server host 10.1.2.4

The two commands shown above can be used to share the key with all servers, or:

router(config)#
tacacs-server host ipaddress key keystring

router(config)# tacacs-server host 10.1.2.4 key 2bor!2b@?

This command can be used to set the key for a single server.


AAA Configuration Commands

router(config)#
aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]

router(config)#
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]

router(config)#
aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}
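The three slides above give the syntax for enabling AAA, pointing the router at the ACS and building method lists, but not the check a practitioner runs before saving: a login method list that names only the TACACS+ server locks every administrator out the moment the ACS is unreachable, a server entry with no key (global or per-host) cannot talk to the ACS at all, and without an enable list the enable prompt never reaches the server. The audit below is an added example, not code from the Cisco module; the two IOS snippets are constructed to match the slides (server 10.1.2.4, key 2bor!2b@?), and the username line in the hardened snippet carries a placeholder hash.

```python
"""Audit an IOS AAA/TACACS+ configuration for the mistakes the commands
above make easy. Added example; not code from the Cisco module."""
import re

# Constructed: the router configured exactly as the slides show it,
# with a login method list that names only the TACACS+ server.
WEAK_CONFIG = """\
aaa new-model
tacacs-server host 10.1.2.4
tacacs-server key 2bor!2b@?
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
"""

# Constructed: the same router with a local fallback account (placeholder hash)
# and an enable method list that also falls back to the local enable secret.
HARDENED_CONFIG = """\
aaa new-model
username admin privilege 15 secret 5 $1$xyz$constructedhashvalue
tacacs-server host 10.1.2.4
tacacs-server key 2bor!2b@?
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
"""

LOGIN_LIST = re.compile(r"^aaa authentication login (\S+)\s+(.+)$")


def audit_aaa(config: str) -> list:
    """Return a list of finding strings; an empty list means nothing was flagged."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")

    hosts = [ln for ln in lines if ln.startswith("tacacs-server host ")]
    if not hosts:
        findings.append("no tacacs-server host configured")
    has_global_key = any(ln.startswith("tacacs-server key ") for ln in lines)
    for host in hosts:
        if " key " not in host and not has_global_key:
            findings.append(f"no shared key for '{host}' (neither global nor per-host)")

    has_local_user = any(ln.startswith("username ") for ln in lines)
    for ln in lines:
        m = LOGIN_LIST.match(ln)
        if not m:
            continue
        name, methods = m.group(1), m.group(2).split()
        uses_server = "group" in methods                       # group tacacs+ / group radius
        has_fallback = any(x in methods for x in ("local", "enable", "line"))
        if methods[0] == "none":
            findings.append(f"login list '{name}' begins with none: authentication is bypassed")
        if uses_server and not has_fallback:
            findings.append(f"login list '{name}' has no fallback method: a server outage locks you out")
        if "local" in methods and not has_local_user:
            findings.append(f"login list '{name}' falls back to local but no username is configured")

    if not any(ln.startswith("aaa authentication enable ") for ln in lines):
        findings.append("no 'aaa authentication enable' list: enable access is not sent to the AAA server")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_aaa(cfg) or "no findings")
```

The order of methods matters: `group tacacs+ local` consults the local database only when the server does not answer, not when it rejects the user, so the fallback account is usable during an outage without weakening a working ACS. Keep the fallback account's secret as strong as the ACS credentials; it is what an attacker who can knock the ACS offline gets to try.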


AAA TACACS+ Troubleshooting

router#
debug tacacs
Displays detailed information associated with TACACS+.

router#
debug tacacs events
Displays detailed information from the TACACS+ helper process.


debug aaa authentication Command: TACACS+ Example Output

14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS


debug tacacs Command: Example Output (Failure)

13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 10.1.1.4/49
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 10.1.1.4/49
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49


debug tacacs Command: Example Output (Pass)

14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
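The two transcripts above differ only in the last status line, and on a busy router the interesting session is buried among dozens of others. The parser below is an added example, not code from the Cisco module: it groups `debug tacacs` lines by session id (the number in `packet number 416942312-1` and in `TAC+ (416942312)`), follows the GETUSER, GETPASS, PASS/FAIL sequence, and gives each session a verdict. The SAMPLE text is constructed: the first two sessions reproduce the FAIL and PASS transcripts, the third is an assumed form of a session where the server never answers and the router closes the connection.

```python
"""Turn `debug tacacs` output into one verdict per TACACS+ session.
Added example; not code from the Cisco module. SAMPLE is constructed."""
import re

SAMPLE = """\
13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
14:05:01: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:05:01: TAC+: Sending TCP/IP packet number 900000001-1 to 10.1.1.4/49 (AUTHEN/START)
14:05:16: TAC+: Closing TCP/IP connection to 10.1.1.4/49
"""

SEND = re.compile(r"^(\S+): TAC\+: Sending TCP/IP packet number (\d+)-\d+ to (\S+)")
STATUS = re.compile(r"^(\S+): TAC\+ \((\d+)\): received authen response status = (\S+)")
CLOSE = re.compile(r"^(\S+): TAC\+: Closing TCP/IP connection to (\S+)")
FINAL = {"PASS", "FAIL", "ERROR"}      # terminal TACACS+ authentication statuses


def summarise(debug_text):
    """Return a list of {session, server, start, end, statuses, verdict}, in order seen."""
    sessions, order, pending = {}, [], []
    for line in debug_text.splitlines():
        m = SEND.match(line)
        if m:
            ts, sid, server = m.groups()
            if sid not in sessions:
                sessions[sid] = {"session": sid, "server": server, "start": ts,
                                 "end": None, "statuses": [], "final": None}
                order.append(sid)
                pending.append(sid)          # open until a Closing line for that server
            continue
        m = STATUS.match(line)
        if m:
            ts, sid, status = m.groups()
            if sid in sessions:
                sessions[sid]["statuses"].append(status)
                if status in FINAL:
                    sessions[sid]["final"] = status
            continue
        m = CLOSE.match(line)
        if m:
            ts, server = m.groups()
            for sid in pending:              # the oldest open session to that server is the one closing
                if sessions[sid]["server"] == server:
                    sessions[sid]["end"] = ts
                    pending.remove(sid)
                    break
    result = []
    for sid in order:
        s = sessions[sid]
        if s["final"]:
            s["verdict"] = s["final"]
        elif s["end"] is not None:
            s["verdict"] = "NO-RESPONSE"     # closed without a terminal status: server down, unreachable or reply unusable
        else:
            s["verdict"] = "IN-PROGRESS"
        result.append(s)
    return result


if __name__ == "__main__":
    for s in summarise(SAMPLE):
        print(s["session"], s["server"], s["start"], s["end"], s["statuses"], s["verdict"])
```

A FAIL after GETPASS is a bad credential; a NO-RESPONSE with no GETUSER at all means the router never got a usable reply from 10.1.1.4/49, which is the symptom of a blocked TCP port 49, a dead ACS, or a mismatched `tacacs-server key`. The second case is the one that will trigger the local fallback method, so it is worth alerting on.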


debug tacacs events Command Output

router# debug tacacs events
%LINK-3-UPDOWN: Interface Async2, changed state to up
00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 10.1.1.4/49
00:03:16: TAC+: periodic timer started
00:03:16: TAC+: 10.1.1.4 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued
00:03:17: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 46 of 46 bytes
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=61 wanted=61 alloc=61 got=49
00:03:22: TAC+: 10.1.1.4 received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed
00:03:22: TAC+: periodic timer stopped (queue empty)
00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 10.1.1.4/49
00:03:22: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 10.1.1.4/49
00:03:22: TAC+: periodic timer started
00:03:22: TAC+: 10.1.1.4 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued
00:03:23: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 41 of 41 bytes
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=21 wanted=21 alloc=21 got=9
00:03:23: TAC+: 10.1.1.4 received 21 byte reply for 3BD868
00:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed
00:03:23: TAC+: periodic timer stopped (queue empty)
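Two details in the events output above are the TACACS+ wire format showing through: the router always reads 12 bytes first (`read=12 wanted=12`), which is the fixed TACACS+ header, and then exactly the body length the header announces (61, then 21); `ver=192` and `ver=193` are the header's version byte, 0xC0 and 0xC1. The key from `tacacs-server key` never travels on the wire; it seeds an MD5 keystream that the body is XORed with. The code below is an added example that builds and decodes an AUTHEN START packet following the RFC 8907 layout; it is not code from the Cisco module, and the session id, username, port and remote address are constructed values.

```python
"""Build and decode a TACACS+ AUTHEN START packet the way a NAS and the ACS
CSTacacs service do. Added example following the RFC 8907 wire format; not
code from the Cisco module. Session id and credentials are constructed."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_VER_DEFAULT = 0xC0            # major 0xC, minor 0: the 'ver=192' of the debug output
TAC_PLUS_UNENCRYPTED_FLAG = 0x01       # body sent in the clear; a production server should refuse it
HEADER = struct.Struct("!BBBBII")      # version, type, seq_no, flags, session_id, length: 12 bytes


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id | key | version | seq_no [| previous digest]), chained."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, data=b"",
                      action=0x01, priv_lvl=0x01, authen_type=0x01, service=0x01):
    """AUTHEN START body: action LOGIN, priv_lvl 1, authen_type ASCII, service LOGIN by default."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", action, priv_lvl, authen_type, service,
                        len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def build_packet(session_id, key, body, seq_no=1, version=TAC_PLUS_VER_DEFAULT, flags=0):
    """NAS side: header in the clear, body obfuscated unless the unencrypted flag is set."""
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Server side: split the 12-byte header, check the length field, recover the body."""
    if len(packet) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if len(packet) != HEADER.size + length:
        raise ValueError("length field does not match packet size")
    raw = packet[HEADER.size:]
    body = raw if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(raw, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def start_username(body):
    """Read the user field back out of an AUTHEN START body (user_len is byte 4)."""
    user_len = body[4]
    return body[8:8 + user_len].decode()


if __name__ == "__main__":
    key = b"2bor!2b@?"                                   # the key from the tacacs-server slide
    body = authen_start_body("admin", "tty1", "10.1.2.50")
    pkt = build_packet(0x12345678, key, body)
    print("header:", pkt[:12].hex(), "body length:", len(body))
    print("right key ->", start_username(parse_packet(pkt, key)["body"]))
    print("wrong key ->", parse_packet(pkt, b"wrong-key")["body"][:8].hex())
```

The pad is MD5 output, so this is obfuscation rather than authenticated encryption: there is no integrity check on the body, and anyone who captures a session and guesses the shared key decodes every password that crossed it. That is why the key recorded during installation should be long and random, why the unencrypted flag should never be accepted on the ACS side, and why TCP port 49 belongs on a management network rather than the user-facing one.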


RADIUS Server Commands

router(config)#
radius-server key keystring

router(config)# radius-server key 2bor!2b@?

router(config)#
radius-server host {host-name | ipaddress}

router(config)# radius-server host 10.1.2.4

The two commands shown above can be used to share the key with all servers, or:

router(config)#
radius-server host ipaddress key keystring

router(config)# radius-server host 10.1.2.4 key 2bor!2b@?

This command can be used to set the key for a single server.
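The RADIUS shared secret from `radius-server key` does two jobs that the slide does not spell out: it hides the User-Password attribute in the Access-Request, and it authenticates the server's reply through the Response Authenticator. The code below is an added example that walks through both sides of an Access-Request/Access-Accept exchange as RFC 2865 defines them; it is not code from the Cisco module, and the identifier, username, password and the fixed Request Authenticator used in the test are constructed (a real NAS must draw the Request Authenticator at random for every request).

```python
"""RADIUS Access-Request with User-Password hiding and Response Authenticator
check (RFC 2865). Added example; not code from the Cisco module."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: zero-pad to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16) * 16 or 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_auth):
    """Inverse of hide_password: what the RADIUS server does on receipt."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type, length (including the 2-byte TLV header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, i = {}, 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs


def access_request(ident, secret, user, password, nas_ip, request_auth=None):
    """NAS side. request_auth must be fresh and unpredictable; None draws 16 random bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(code | id | length | RequestAuth | attrs | secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request_auth, secret):
    """NAS side: recompute the Response Authenticator before trusting the reply code."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    secret = b"2bor!2b@?"                               # the key from the radius-server slide
    req = access_request(7, secret, "admin", "s3cret", "10.1.2.4")
    attrs = parse_attributes(req)
    print("server recovers:", unhide_password(attrs[USER_PASSWORD], secret, req[4:20]))
    accept = build_response(ACCESS_ACCEPT, 7, b"", req[4:20], secret)
    print("accept verifies:", verify_response(accept, req[4:20], secret))
```

Only User-Password is hidden; every other attribute crosses the wire in clear text, and the Response Authenticator is a plain MD5 over the secret rather than a MAC, so an attacker who captures one request/response pair can test candidate secrets offline. A long random `radius-server key`, UDP 1812/1813 restricted to the management network, and a per-request random Request Authenticator are the controls that keep this scheme workable.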
