Ch. 3 AAA
Integrating TACACS+ and ACS
Cisco Secure ACS can combine TACACS+ and RADIUS into one single solution. It offers a distributed architecture for medium-sized and large deployments, a lightweight GUI with great navigation, support for both IPv4 and IPv6 clients, admin authentication through Microsoft Active Directory, scheduled reports sent through email, integrated advanced monitoring and troubleshooting capabilities using SNMP traps for Cisco Secure ACS health status, and encrypted syslogs. Flexible and detailed device administration in IPv4 and IPv6 networks, with full auditing and reporting capabilities as required for standards compliance.
Authorization
Dictates what users can and can't do on the network after they are authenticated. Similar to privilege levels and role-based CLI; gives users specific rights and privileges to certain commands on the router. Implemented using an AAA server-based solution: a set of attributes is created that describes the user's access to the network. They are compared to the info in the AAA database, and the restrictions are applied. It is automatic and won't require users to do more steps.
server-based aaa authorization
The TACACS+ protocol allows the separation of authentication from authorization. A router can be configured to restrict the user to performing only certain functions after successful authentication. Keep in mind that RADIUS does not separate the authentication from the authorization process. An important aspect of authorization is the ability to control users' access to specific services. The JR-ADMIN is permitted to access the show version command, but not the configure terminal command. The router queries the ACS for permission to execute the commands on behalf of the user. When the user issues the show version command, the ACS sends an ACCEPT response. If the user issues a configure terminal command, the ACS sends a REJECT response.
TACACS+ and Radius
Both authenticate and talk to AAA servers, but they have different capabilities and functions. A large ISP uses RADIUS since it supports the info needed for billing users. An org with many user groups would use TACACS+ since it needs authorization policies.
Monitor authentication traffic
debug aaa authentication is a useful troubleshooting command; it gives a high-level view of login activity, as shown in the figure. The message shows PASS when TACACS+ is successful.
Config TACACS+ servers
Globally enable AAA using aaa new-model. Next use tacacs server name to enter TACACS+ server config mode. The IPv4 address of the TACACS+ server is configured using address ipv4, which also allows the option to modify the authentication port. Use single-connection to enhance TCP performance by maintaining a single TCP connection for the life of the session. Multiple TACACS+ servers can be identified by entering their IPv4 addresses. The key key command is used to configure the shared secret key that encrypts the data transfer. The key must be configured exactly the same way on both the router and the TACACS+ server.
Login method types
picture
802.1x port based authentication
Port-based access control and authentication protocol; restricts unauthorized workstations from connecting to the LAN. The authentication server authenticates every workstation before giving it access to the network. Port-based authentication has specific roles. Supplicant (Client) - The device (workstation) that requests access to LAN and switch services and then responds to requests from the switch. The workstation must be running 802.1X-compliant client software. (The port that the client is attached to is the supplicant [client] in the IEEE 802.1X specification.) Authenticator (Switch) - Controls physical access to the network based on the authentication status of the client. The switch acts as an intermediary (proxy) between the client (supplicant) and the authentication server, requesting identifying information from the client, verifying that information with the authentication server, and relaying a response to the client. The switch uses a RADIUS software agent, which is responsible for encapsulating and de-encapsulating the EAP (Extensible Authentication Protocol) frames and interacting with the authentication server. Authentication server - Performs the actual authentication of the client. The authentication server validates the identity of the client and notifies the switch whether the client is authorized to access the LAN and switch services. Because the switch acts as the proxy, the authentication service is transparent to the client. The RADIUS security system with EAP extensions is the only supported authentication server.
integrate AAA with Identity Services Engine
ISE is an identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations. It lets enterprises gather real-time info from networks, users, and devices. Admins can use it for proactive governance by tying identity to various network elements like access switches, wireless LAN controllers, VPNs, gateways, and data center switches. Four features in the ISE toolset: Device profiling - can be used to determine whether a device is personal or corporate. Posture assessment - determines if the device is virus clean and free of suspect apps. Guest management - grants and enforces temporary access for guest users. AAA - combines authentication, authorization, and accounting into one app with device profiling, posture assessment, and guest management. Prime functions of ISE: To determine whether users are accessing the network on an authorized, policy-compliant device. To establish user identity, location, and access history, which can be used for compliance and reporting. To assign services based on the assigned user role, group, and associated policy (job role, location, device type, etc.). To grant authenticated users access to specific segments of the network, or specific applications and services, or both, based on authentication results.
TACACS+
Three critical areas: separates authentication and authorization; encrypts all comms; uses TCP port 49. Considered more secure since everything is encrypted. TACACS+ authentication is a new protocol, not compatible with the original TACACS. Supported by all Cisco routers and access servers. Gives separate AAA services; splitting them gives better flexibility because you can use it for authorization and accounting but use another method for authentication. Offers multi-protocol support like IP and legacy AppleTalk, and encrypts the entire packet for secure comms.
Debug
Useful for troubleshooting authentication issues. The debug aaa command gives several keywords that can be used for that purpose, such as debug aaa authentication.
AAA components
AAA gives the main framework to set up access control on network devices. It has three functions: authentication - users and admins prove that they are who they say they are; can be a username/password combo, challenge and response questions, or token cards. authorization - after authentication, authorization figures out what the user can access and what they can't. accounting and auditing - records what the user is doing and what they are accessing, the amount of time spent on it, and whether any changes were made.
integrate AAA with active directory
AD is the domain controller for MS; it enforces security policies by authenticating users. It can be used to handle authentication and authorization on Cisco IOS. ACS can be integrated to use the AD service. Configuring Cisco IOS is the same as for communicating with any RADIUS server. The MS AD server is used to perform the authentication and authorization configuration.
debugging aaa authentication
Important when troubleshooting AAA problems. Look specifically for GETUSER and GETPASS. Helpful to identify which method is being referenced; PASS means it was successful. To turn it off use no debug aaa authentication or undebug all.
Server-Based AAA Accounting
One security issue that is addressed by accounting is the creation of a list of users and the time of day they logged into the system. If, for example, the administrator knows that a worker logs in to the system in the middle of the night, this information can be used to further investigate the purpose of the login. Another reason is to create a list of changes occurring on the network: the user who made the changes and what they did, which helps troubleshooting if the changes cause unexpected results. Cisco Secure ACS serves as a repository; it tracks events that occur on the network, similar to credit card activity tracking. The stored info helps with management, security audits, capacity planning, and network usage billing.
Authenticating admin access
Should be configured for smaller networks, with one to two routers and a limited number of users. The system admin needs to populate the local security database with usernames and passwords. Similar to the local login method except it gives a way to configure backup methods of authentication. 1. Add username and password, 2. enable AAA globally on the router, 3. configure AAA parameters on the router, 4. configure and troubleshoot the AAA configuration. The aaa authentication login command lets users log into the router via the console or vty lines. The default keyword means the authentication method is applied to all lines. Authentication is case sensitive when indicated by the local-case keyword, which means both password and username are case sensitive.
config cisco router to access aaa radius server example
Step 1. Create users on the RADIUS server Step 2. Set a secret key on the RADIUS server Step 3. Verify port 1812 for the RADIUS authentication port and 1813 for the RADIUS accounting port Step 4. Set up SSH on the router for remote access Step 5. Set up a local user on the router in case of RADIUS server failure Step 6. Enable AAA authentication on the router Step 7. Set AAA authentication login method lists Step 8. Enable the router to use the RADIUS server for authentication by configuring the following on the router: a. RADIUS server name b. RADIUS server IP address, authentication port 1812, and accounting port 1813 c. shared secret key Step 9. Configure the console line and specify the AAA login authentication method list to use Step 10. Configure the VTY lines for SSH and specify the AAA login authentication method list to use Step 11. Test and verify
config 802.1x
Step 1. Enable AAA using the aaa new-model command and configure the RADIUS server. Step 2. Create an 802.1X port-based authentication method list using the aaa authentication dot1x command. Step 3. Globally enable 802.1X port-based authentication using the dot1x system-auth-control command. Step 4. Enable port-based authentication on the interface using the authentication port-control auto command. Step 5. Enable 802.1X authentication on the interface using the dot1x pae command. The authenticator option sets the Port Access Entity (PAE) type so the interface acts only as an authenticator and will not respond to any messages meant for a supplicant.
Authentication without AAA
Threat actors can gain access to sensitive network equipment and services, so access control limits who or what can get which resources. Many types of authentication can be performed on Cisco devices, and each gives a different level of security. The simplest is a login/password on the vty, console, and aux ports, and it is the easiest/weakest: no accountability, and anyone can access and alter device info. SSH is a more secure form of remote access. It needs a username/password, both of which are encrypted in transmission. The local database method gives more security and accountability; the username is recorded when logging in. The local database has limits: login info needs to be configured on each device, so it is not practical in big enterprises; there is no fallback authentication, so you can't recover login info. Better to have all devices use the same database of usernames/passwords from one server.
debugging TACACS+ and radius
Two other very useful server-based AAA troubleshooting commands include the debug radius and debug tacacs commands, which give more AAA debugging info. Similar to debug aaa authentication, debug tacacs also indicates status messages of PASS or FAIL. To see all TACACS messages use debug tacacs. debug tacacs events in privileged EXEC mode shows the opening and closing of the TCP connection to TACACS+; it produces a lot of output. To disable, use the no form.
Cisco Secure Access control System
A central solution that links an enterprise network's access policy and identity strategy. They are highly scalable, high-performance access control servers that can control admin access and configuration for all network devices, using RADIUS or TACACS+.
Authentication Modes
Authentication has 2 methods through Cisco to implement AAA services. Local AAA - uses local databases; called self-contained authentication. This stores usernames and passwords locally in the router, and users authenticate against the local database. It is the same database needed to establish role-based CLI; local AAA is ideal for small networks. Server-based AAA - the router accesses a central AAA server, like Cisco Secure Access Control System (ACS). The central server contains usernames/passwords for everyone; the router will use Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) to communicate with the AAA server. Better for multiple routers and switches.
Accounting
Collects and reports data usage. Can be used for auditing/billing, collecting data like start and stop connection times, executed commands, number of packets, and number of bytes. Implemented through server-based AAA. The service reports usage stats back to the ACS server. Stats can be extracted to make detailed reports about the configured network. Used to combine accounting with AAA authentication; helps network admin staff manage internetworking devices. Gives more security than just authentication. The AAA server keeps a detailed log of what the authenticated user does on the device, like EXEC and config commands done by the user. It has many data fields like username, date, time, and the actual command entered.
Radius
Combines authentication and authorization as one; encrypts only passwords; uses UDP; supports remote access technologies, 802.1X, and Session Initiation Protocol (SIP). Created by Livingston Enterprises as an open IETF standard. Works in local and roaming situations and is commonly used for accounting purposes. Hides passwords during transmission sessions using complex operations based on MD5 hashing. Combines authentication and authorization: when a user is authenticated, they are authorized. Used by VoIP providers; passes login info to SIP endpoints like broadband phones. The next-gen alternative to RADIUS is called Diameter AAA.
802.1X Port Authorization State
If authenticated, you get an accept frame from the server; the port changes to authorized and forwards all frames. If it fails, the port remains unauthorized, but authentication can be retried. If the server can't be reached, the switch retransmits the request; if there is no response, access is denied. When you log out you send an EAPOL-Logout message. Use authentication port-control to control port authorization; auto must be entered to enable 802.1X authentication. If it works, the port state changes to authorized. If it fails, all ports stay closed. When the client logs off it sends EAPOL-Logoff.
Config server-based AAA
Server-based AAA must identify the various TACACS+ and RADIUS servers that AAA should talk to when authenticating and authorizing users. 1. Globally enable AAA to allow use of all AAA elements; this is a prerequisite for all AAA commands. 2. Specify the Secure ACS that will give AAA services for the router; it can be TACACS+ or RADIUS. 3. Configure encryption as needed for the data transfer between the network access server and Cisco Secure ACS. 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy it is possible to configure more than one server.
config Radius server
To configure, use the radius server name command, which puts you into RADIUS server config mode. RADIUS uses UDP, so there is no equivalent to single-connection. If multiple RADIUS servers are needed, they can be identified by using the radius server name command. In that mode, configure the address using address ipv4 ipv4-address. Uses port 1645 for accounting; IANA has ports 1812 to 1813 for RADIUS. To configure the shared secret key for encryption, use the key command. The key must be configured exactly the same way on the router and the RADIUS server.
Authentication Methods
To enable: aaa new-model needs to be enabled first; to disable, add no to the beginning. No other AAA commands are available until this is enabled. Always create a local database entry first before enabling AAA. Use the aaa authentication login command to enable authentication on console, aux, and vty. A custom authentication method can be configured by using a list-name. 4 types of authentication methods are available. To configure local authentication using the preconfigured local database use local or local-case; the difference is that local is not case sensitive and local-case is. To specify that a user can authenticate using the enable password, use enable. To make sure authentication works even if all other methods return fail, specify none as the final method.
Default and named methods
To make things more flexible, you can use different method lists on different interfaces, using aaa authentication login list-name. A named list has to be explicitly enabled on the line using the login authentication line command. If a line has a custom list, the default method list is overridden. It is possible to return to the default list by using the no login authentication command.
AAA authorization config
Use the aaa authorization command. The service type can be specified: network - network services like PPP; exec - starting an EXEC shell; commands level - for EXEC shell commands. When AAA authorization is not enabled, all users have full access. After it is enabled, the default is no access. Admins can make some users with full rights and some with limited rights.
AAA accounting config
use the aaa accounting command, as shown in Figure 1. The following three parameters are commonly used aaa accounting keywords: network - Runs accounting for all network-related service requests, including PPP. exec - Runs accounting for the EXEC shell session. connection - Runs accounting on all outbound connections such as SSH and Telnet. As with AAA authentication, either the keyword default or a list-name can be used. Next, the record type, or trigger, is configured. The trigger specifies what actions cause accounting records to be updated. Possible triggers include: start-stop - Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. stop-only - Sends a "stop" accounting record for all cases including authentication failures. none - Disables accounting services on a line or interface.
Fine-tune the authentication config
Using the command aaa local authentication attempts max-fail will lock user accounts that have excessive failed attempts. login delay doesn't lock accounts if there are too many attempts. To clear locked accounts use clear aaa local user lockout in privileged EXEC mode. show aaa local user lockout shows a list of all locked-out users. When you log into a Cisco router, you are given a unique ID and info is saved from your session like IP addresses, the protocol used to access the router, and the speed of the connection. show aaa user shows info for those who are authenticated or authorized using AAA. show aaa sessions shows the unique ID of the session.
config authentication to use AAA server
When the AAA security server has been identified, the servers must be included in the method list of the aaa authentication login command. AAA servers are identified using the group tacacs+ or group radius keywords. To configure a method list for the default login to authenticate first using a TACACS+ server, second with a RADIUS server, and finally with a local username database, specify the order with the aaa authentication login default command, as highlighted in Figure 2. It is important to realize that R1 will only attempt to authenticate using RADIUS if the TACACS+ server is not reachable. Likewise, R1 would only attempt to authenticate using the local database if the TACACS+ and RADIUS servers are unavailable.