ns1_v20_module05.ppt
TRANSCRIPT
-
8/11/2019 NS1_v20_Module05.ppt
2005 Cisco Systems, Inc. All rights reserved.
CNIT 221 Security 1 ver. 2, Module 5
City College of San Francisco, Spring 2006
-
Network Security 1
Module 5: Cisco Secure Access Control Server
-
Learning Objectives
5.1 Cisco Secure Access Control Server for Windows
5.2 Configuring RADIUS and TACACS+ with CSACS
-
Module 5
Cisco Secure Access Control Server
5.1 Cisco Secure Access Control Server for Windows
-
Cisco Access Control Server
Cisco Secure Access Control Server (ACS) is network security software that authenticates users and controls their access to AAA clients.
An AAA client (a router, switch, or VPN Concentrator) is any one of many network devices that can be configured to defer authentication and authorization of network users to an AAA server.
AAA: Authentication, Authorization and Accounting.
AAA can be implemented locally on each device or managed from a central server using the RADIUS or TACACS+ protocol. Centralizing it gives one credential store and one accounting log instead of a separately maintained copy on every device.
-
Cisco Secure ACS Products
[Diagram: a remote dial-up client reaches a NAS over PSTN/ISDN, and a remote VPN client reaches a router over the Internet; both devices send their AAA requests to either Cisco Secure ACS for Windows Server or the Cisco Secure ACS Solution Engine appliance, with a console for administration.]
-
What Is Cisco Secure ACS for Windows Server?
Provides AAA services to network devices that function as AAA clients, such as routers, NASs, PIX Security Appliances, or VPN Concentrators
Helps centralize access control and accounting, in addition to router and switch access management
Allows network administrators to quickly administer accounts and globally change levels of service offerings for entire groups of users
Although the use of an external user database is optional, Cisco Secure ACS for Windows Server supports many popular user repository implementations
Uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment
Can authenticate against many popular token servers
Cisco Secure ACS supports any token server that is a RADIUS server compliant with IETF RFC 2865.
-
Cisco Secure ACS General Features
[Diagram: NAS <-- TACACS+ or RADIUS --> Cisco Secure ACS for Windows Server; PAP, CHAP and MS-CHAP run between the remote client and the NAS.]
Uses TACACS+ or RADIUS between Cisco Secure ACS and the NAS
Allows authentication against the Windows 2000 user database, the ACS user database, a token server, or other external databases
Supports PAP, CHAP, and MS-CHAP authentication on the NAS
Note that PAP sends the user's password to the NAS in cleartext, whereas CHAP and MS-CHAP send a challenge response; prefer the challenge methods where the back-end database supports them (CHAP requires the server to hold the password in a reversible form).
-
Authentication and User Databases
Cisco Secure ACS supports several external user databases:
Windows NT/2000 user database
Generic LDAP
Novell NDS
ODBC-compliant relational databases
CRYPTOCard token server
SafeWord token server
AXENT token server
RSA SecurID token server
ActivCard token server
Vasco token server
-
Cisco Secure ACS System Architecture
Provides ACS to multiple Cisco authenticating devices (NAS 1, NAS 2 and NAS 3 in the diagram)
Comprises several modular Windows 2000 services operating together on one server:
Authentication service
Authorization service
Logging service
RADIUS service
TACACS+ service
Administration service
Sync service
Monitor service
-
Cisco Secure ACS Windows Services
CSAdmin: provides the HTML interface for administration of Cisco Secure ACS.
CSAuth: provides authentication services.
CSDBSync: provides synchronization of the CiscoSecure user database with an external RDBMS application.
CSLog: provides logging services, both for accounting and for system activity.
CSMon: provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
CSTacacs: provides communication between TACACS+ AAA clients and the CSAuth service.
CSRadius: provides communication between RADIUS AAA clients and the CSAuth service.
-
Cisco Secure ACS User Database
[Diagram: NAS 1, NAS 2 and NAS 3 all query the ACS user database.]
Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the Cisco Secure ACS user database.
-
Using the ACS Database Alone
[Diagram: dial-up client -> NAS -> TACACS+ or RADIUS -> ACS on Windows 2000 Server. The username and password flow toward ACS; authentication confirmation and authorization information flow back to the NAS.]
The NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
Authentication of the client
Authorization privileges assignment
Accounting information destination
The TACACS+ or RADIUS service directs the request to the appropriate administrative service (the ACS authentication and authorization service).
The request is authenticated against the ACS database, the associated authorizations are assigned, and accounting information is logged.
The Windows 2000 Server user login process and Windows 2000 user database appear in the diagram but are not consulted in this mode; the ACS user database alone answers the request.
-
Using the Windows Database
[Diagram: dial-up client -> NAS -> TACACS+ or RADIUS -> ACS -> Windows 2000 Server user login process -> Windows 2000 user database. The username and password flow toward Windows; the RAS data and "grant dial-in" response flow back to ACS, and authentication confirmation plus authorization information flow back to the NAS.]
The NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
Authentication of the client
Authorization privileges assignment
Accounting information destination
The TACACS+ or RADIUS service directs the request to the appropriate administrative service.
The username and password are sent to the Windows 2000 database for authentication. If approved, confirmation and the authorization assigned in ACS for that user are sent to the NAS. Accounting information is logged.
The username and password are submitted to Windows 2000, which verifies the credentials and the Grant dial-in permission of the local user. The response is returned to ACS and authorizations are assigned, which makes a single login for dial-in access and network login possible.
-
Using External User Databases
[Diagram: NAS 1, NAS 2 and NAS 3 -> ACS user database -> external user database.]
Authentication is deferred to the external database; group membership and authorization settings still come from the ACS user database, as on the preceding slide.
-
Using Token Cards
[Diagram: a token card displaying the one-time code 3178454; the user enters it at the NAS, which forwards it over TACACS+ or RADIUS to Cisco Secure ACS, which validates it against the token card server over a proprietary protocol or RADIUS.]
Supported token servers:
LEAP proxy RADIUS servers
RSA SecurID token servers
RADIUS-based token servers, including:
ActivCard token servers
CRYPTOCard token servers
VASCO token servers
PassGo token servers
SafeWord token servers
Generic RADIUS token servers
-
User-Changeable Passwords
[Diagram: the user's browser connects (SSL connection suggested) to a UCP server on Windows 2000 Server with IIS 5.0; the UCP server exchanges 128-bit encrypted messaging with Cisco Secure ACS for Windows Server; NAS 1, NAS 2 and NAS 3 continue to authenticate against ACS.]
Without SSL on the browser-to-UCP leg, the user's current and new passwords cross the network in cleartext to IIS, so treat the "suggested" SSL connection as a requirement.
-
Module 5
Cisco Secure Access Control Server
5.2 Configuring RADIUS and TACACS+ with CSACS
-
Gathering Answers for the Installation Questions
Determine whether the computer that Cisco Secure ACS will be installed on is a domain controller or a member server.
Determine which AAA protocol and vendor-specific attribute to implement.
Record the name of the AAA client.
Record the IP address of the AAA client.
Record the IP address of the computer that Cisco Secure ACS will be installed on.
Record the shared secret TACACS+ or RADIUS key.
-
Cisco Secure ACS for Windows Server: Installation Overview
Task 1: Preconfigure the Windows 2000 Server system.
Task 2: Verify the connection between the Windows 2000 Server system and the Cisco routers.
Task 3: Install Cisco Secure ACS for Windows Server on the Windows 2000 Server system.
Task 4: Initially configure Cisco Secure ACS for Windows Server via web browser.
Task 5: Configure the routers for AAA.
Task 6: Verify correct installation and operation.
-
Administering Cisco Secure ACS for Windows Server
-
Troubleshooting
Use the Failed Attempts Report under Reports and Activity as a starting point.
It provides a valuable source of troubleshooting information.
-
Globally Enable AAA
[Diagram: NAS configured to use Cisco Secure ACS for Windows Server at 10.1.2.4.]
router(config)# aaa new-model
Enables the AAA access control model on the router; the aaa authentication, aaa authorization and aaa accounting commands on the following slides are not accepted until it is in effect.
Keep a console session open while enabling it: once aaa new-model is active, vty logins use the default AAA login method list, and an empty or misconfigured list can lock you out of remote access.
-
tacacs-server Commands
router(config)# tacacs-server key keystring
router(config)# tacacs-server key 2bor!2b@?
router(config)# tacacs-server host ipaddress
router(config)# tacacs-server host 10.1.2.4
The two commands above share one key with all TACACS+ servers,
or
router(config)# tacacs-server host ipaddress key keystring
router(config)# tacacs-server host 10.1.2.4 key 2bor!2b@?
this single command sets a key for one server (a per-host key overrides the global key for that server).
The key must match the key configured for this AAA client in Cisco Secure ACS. It is used to obfuscate the body of every TACACS+ packet with an MD5-derived pad, not to encrypt it in any strong sense, so use a long random key per device and carry TACACS+ over a protected management network.
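To make concrete what the shared key configured above actually does on the wire, here is an added example (not code from the slides or from Cisco) that builds a TACACS+ packet, obfuscates its body with the MD5 pseudo-pad that the key seeds, and parses it back. The key 2bor!2b@? is the one from the slide and the session id is the one that appears later in the debug tacacs output; the AUTHEN/START body and the function names (pseudo_pad, obfuscate, build_packet, parse_packet, roundtrip) are this example's own.

```python
"""TACACS+ packet header and body obfuscation with the shared key (RFC 8907, 4.5).

Added example; not code from the Cisco slides or from Cisco. The key is the
tacacs-server key from the slide (2bor!2b@?) and the session id is the one
shown later in the debug tacacs output; the AUTHEN/START body is constructed.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in cleartext
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes

KEY = b"2bor!2b@?"                # from the slide: tacacs-server key 2bor!2b@?
SAMPLE_SESSION = 383258052        # session id from the debug tacacs output
# Constructed AUTHEN/START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
# service=LOGIN(1), user_len=5, port_len=0, rem_addr_len=0, data_len=0, user="admin".
SAMPLE_BODY = b"\x01\x01\x01\x01\x05\x00\x00\x00" + b"admin"


def decode_version(ver: int) -> tuple:
    """Split the version byte into (major, minor); IOS prints it in decimal,
    so ver=192 is 0xC0 -> (12, 0) and ver=193 is 0xC1 -> (12, 1)."""
    return ver >> 4, ver & 0x0F


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream of `length` bytes:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    with session_id as 4 bytes in network order."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes,
                 version: int = 0xC0, seq_no: int = 1, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Prefix the body with a TACACS+ header and obfuscate it under the key."""
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Parse the header, check the declared length, and recover the body.
    With the wrong key the XOR still 'succeeds' but yields garbage, which is
    what a key mismatch between router and ACS looks like on the wire."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if len(body) != length:
        raise ValueError("body length does not match header")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": decode_version(version), "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def roundtrip(key: bytes = KEY, wrong_key: bytes = b"wrong") -> tuple:
    """Return (body recovered with the right key, body recovered with a wrong key)."""
    pkt = build_packet(SAMPLE_BODY, SAMPLE_SESSION, key)
    return parse_packet(pkt, key)["body"], parse_packet(pkt, wrong_key)["body"]


if __name__ == "__main__":
    good, bad = roundtrip()
    print("right key:", good)
    print("wrong key:", bad)
```

Two things follow from the construction. The pad is a keyed MD5 chain XORed onto the body, so anyone who captures the session and knows the key reads every user name, password and command verbatim; and because the body has a predictable structure, a short key can be recovered offline from a single captured exchange. A long random key per AAA client and a management network that an attacker cannot sniff are the controls, not the obfuscation itself. The unencrypted flag disables even this layer and has no place outside a lab.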
-
AAA Configuration Commands
router(config)# aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]
router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
router(config)# aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}
Methods in a list are tried in order, and the next method is consulted only when the previous one returns an error (for example, no TACACS+ server answered), not when it rejects the user. Listing local after tacacs+ therefore keeps console and vty access working while the ACS is unreachable without letting a rejected user fall through; the none method removes the check entirely and belongs only on lines that are physically protected.
-
AAA TACACS+ Troubleshooting
router# debug tacacs
Displays detailed information associated with TACACS+.
router# debug tacacs events
Displays detailed information from the TACACS+ helper process.
Debug output is generated for every TACACS+ exchange while it is enabled, so turn it off with undebug all when finished.
-
debug aaa authentication Command: TACACS+ Example Output
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
-
debug tacacs Command Example Output: Failure
13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 10.1.1.4/49
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 10.1.1.4/49
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
The server prompted for the user name (GETUSER) and password (GETPASS) over a working TCP connection to port 49 before returning FAIL, so this is a credential rejection rather than a reachability problem; check the user name, the password, and the account's group settings in ACS.
-
debug tacacs Command Example Output: Pass
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
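Reading these transcripts by eye works for one login; on a busy router the same lines interleave across many sessions. The following added example (not code from the slides or from Cisco) groups debug tacacs lines by session id and reports each session's server, timing, packet count and final status, using the FAIL and PASS exchanges from the two slides above as its sample input (with the wrapped lines joined the way the router prints them). The regular expressions, the Session class, the FINAL_STATUSES set and the function names are this example's own and match only the line formats shown on the slides.

```python
"""Summarise TACACS+ sessions from `debug tacacs` output.

Added example; not code from the Cisco slides or from Cisco. The two sample
transcripts are the FAIL and PASS exchanges from the slides above.
"""
import re
from dataclasses import dataclass, field

DEBUG_TACACS_FAIL = """\
13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 10.1.1.4/49
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 10.1.1.4/49
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
"""

DEBUG_TACACS_PASS = """\
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
"""

OPEN_RE = re.compile(r"^(?P<ts>\S+): TAC\+: Opening TCP/IP connection to (?P<server>[\d.]+)/(?P<port>\d+)")
PKT_RE = re.compile(r"TAC\+: (?:Sending|Receiving) TCP/IP packet number (?P<sid>\d+)-(?P<seq>\d+)")
STATUS_RE = re.compile(r"^(?P<ts>\S+): TAC\+ \((?P<sid>\d+)\): received authen response status = (?P<status>\w+)")
CLOSE_RE = re.compile(r"^(?P<ts>\S+): TAC\+: Closing TCP/IP connection to ")

# Statuses that end an authentication; GETUSER/GETPASS/GETDATA are prompts for more input.
FINAL_STATUSES = {"PASS", "FAIL", "ERROR", "RESTART", "FOLLOW"}


@dataclass
class Session:
    session_id: str
    server: str = ""
    port: str = ""
    opened: str = ""
    closed: str = ""
    packets: int = 0
    statuses: list = field(default_factory=list)

    @property
    def result(self) -> str:
        """Final outcome, or INCOMPLETE if no terminal status was ever received
        (typical of a key mismatch or a server that stopped answering)."""
        last = self.statuses[-1] if self.statuses else ""
        return last if last in FINAL_STATUSES else "INCOMPLETE"


def parse_debug_tacacs(text: str) -> list:
    """Group debug lines by TACACS+ session id and record what each session did."""
    sessions, pending, current = {}, None, None
    for line in text.splitlines():
        if m := OPEN_RE.match(line):
            pending = (m["server"], m["port"], m["ts"])   # attach to the next session seen
        elif m := PKT_RE.search(line):
            current = sessions.setdefault(m["sid"], Session(m["sid"]))
            if pending and not current.server:
                current.server, current.port, current.opened = pending
            current.packets += 1
        elif m := STATUS_RE.match(line):
            sessions.setdefault(m["sid"], Session(m["sid"])).statuses.append(m["status"])
        elif (m := CLOSE_RE.match(line)) and current is not None:
            current.closed, pending = m["ts"], None
    return list(sessions.values())


def failed_sessions(sessions: list) -> list:
    """The sessions worth looking at first: rejected logins and unfinished exchanges."""
    return [s for s in sessions if s.result != "PASS"]


if __name__ == "__main__":
    for s in parse_debug_tacacs(DEBUG_TACACS_FAIL + DEBUG_TACACS_PASS):
        print(f"{s.session_id} {s.server}:{s.port} {s.opened}-{s.closed} "
              f"{s.packets} packets {' -> '.join(s.statuses)} => {s.result}")
```

The distinction the result property draws is the useful one when reading this output: a FAIL arrived over a healthy connection and means the credentials or the ACS group settings are wrong, while a session that opens, sends its packets and never reaches a terminal status points at the transport or the shared key rather than at the user.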
-
debug tacacs events Command Output
router# debug tacacs events
%LINK-3-UPDOWN: Interface Async2, changed state to up
00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 10.1.1.4/49
00:03:16: TAC+: periodic timer started
00:03:16: TAC+: 10.1.1.4 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued
00:03:17: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 46 of 46 bytes
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=61 wanted=61 alloc=61 got=49
00:03:22: TAC+: 10.1.1.4 received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed
00:03:22: TAC+: periodic timer stopped (queue empty)
00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 10.1.1.4/49
00:03:22: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 10.1.1.4/49
00:03:22: TAC+: periodic timer started
00:03:22: TAC+: 10.1.1.4 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued
00:03:23: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 41 of 41 bytes
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=21 wanted=21 alloc=21 got=9
00:03:23: TAC+: 10.1.1.4 received 21 byte reply for 3BD868
00:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed
00:03:23: TAC+: periodic timer stopped (queue empty)
Reading the output: read=12 is the 12-byte TACACS+ header, whose length field tells the router how much more to read (got=49 and got=9), giving the 61- and 21-byte replies. ver=193 and ver=192 are the version byte in decimal (0xC1 and 0xC0: major version 12 with minor version 1 and 0). id is the session id printed as a signed 32-bit value, handle identifies the TCP connection, and expire counts down the 15-second timeout; each request here uses its own TCP connection, which the server closes after its single reply.
-
RADIUS Server Commands
router(config)# radius-server key keystring
router(config)# radius-server key 2bor!2b@?
router(config)# radius-server host {host-name | ipaddress}
router(config)# radius-server host 10.1.2.4
The two commands above share one key with all RADIUS servers,
or
router(config)# radius-server host ipaddress key keystring
router(config)# radius-server host 10.1.2.4 key 2bor!2b@?
this single command sets a key for one server.
The RADIUS shared secret hides only the User-Password attribute and authenticates the server's replies; user names, other attributes and accounting data travel in cleartext, and the MD5 constructions it relies on can be attacked offline from a captured exchange if the secret is short.
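The radius-server key is used differently from the TACACS+ key: it never obfuscates whole packets. The following added example (not code from the slides or from Cisco) implements the two RFC 2865 uses of the secret, User-Password hiding in the Access-Request and the Response Authenticator that lets the NAS reject a forged Access-Accept, and shows both the genuine and the forged case. The secret 2bor!2b@? is the one from the slide; the user name admin, the password s3cret, the fixed Request Authenticator used in the checks, and the function names are this example's own.

```python
"""What the RADIUS shared secret does on the wire (RFC 2865).

Added example; not code from the Cisco slides or from Cisco. The secret is
the radius-server key from the slide (2bor!2b@?); user name, password and
Request Authenticator values are constructed.
"""
import hashlib
import hmac
import os
import struct

SECRET = b"2bor!2b@?"       # from the slide: radius-server key 2bor!2b@?
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length counts the 2-byte header."""
    return bytes([atype, 2 + len(value)]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with c_0 = Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password (what the server does); strips the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = b"") -> bytes:
    """Code, Identifier, Length, 16-byte Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username) + attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Server side: the reply echoes the Identifier and is hashed over the Request Authenticator."""
    ident, request_auth = request[1], request[4:20]
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(code, ident, attrs, request_auth, secret) + attrs)


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: accept a reply only if its Identifier matches the outstanding request
    and its Response Authenticator was computed with the shared secret."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    req = build_access_request(7, b"admin", b"s3cret", SECRET)
    accept = build_response(ACCESS_ACCEPT, req, b"", SECRET)
    print("genuine Access-Accept verifies:", verify_response(accept, req, SECRET))
    # An Access-Reject re-labelled as Access-Accept fails: the Code is covered by the hash.
    forged = bytes([ACCESS_ACCEPT]) + build_response(ACCESS_REJECT, req, b"", SECRET)[1:]
    print("forged Access-Accept verifies:", verify_response(forged, req, SECRET))
```

The Response Authenticator is what stops an attacker on the path from turning a reject into an accept, and it is only as strong as the secret: given one captured Access-Request and its reply, every candidate secret can be tested offline against the 16-byte hash. Note also what is not covered: nothing in the Access-Request itself is integrity-protected unless a Message-Authenticator attribute (RFC 2869) is added, and every attribute except User-Password is readable on the wire.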