CIS 187 Multilayer Switched Networks CCNP version 7 Rick Graziani Spring 2016

Ch. 7 Network Management. Authentication, Authorization & Accounting.



Presentation Transcript


  1. CIS 187 Multilayer Switched Networks, CCNP version 7, Rick Graziani, Spring 2016. Ch. 7 Network Management

  2. Rick Graziani graziani@cabrillo.edu
  Authentication, Authorization & Accounting
  • It is strongly recommended that network and administrative access security in the Cisco environment be based on a modular architecture with three functional components:
  • authentication,
  • authorization,
  • accounting, known together as AAA.
  • Using a Cisco AAA architecture enables consistent, systematic and scalable access security.

  3. The Three Components of AAA
  • Authentication – “Who are you?”
  • The process of identifying a user before that user is allowed access to a protected resource.
  • A user presents valid credentials, which are then compared with security information in a user database.
  • In addition, authentication may offer other services depending on the security protocol selected, such as an additional challenge and response, messaging support, or encryption.

  4. The Three Components of AAA
  • Authorization – “What is this user allowed to do?”
  • After the user gains access to the network, authorization is performed.
  • Controls the level of access users have.
  • Defines which privileged EXEC commands are available to the user.
  • Controls remote access (allowing the user to use protocols such as Point-to-Point Protocol [PPP] or Serial Line Internet Protocol [SLIP]).
  • User capabilities are defined by a set of attribute-value (AV) pairs, which are associated with the user or the user’s group.
  • These pairs may be stored locally on the device or on centralized TACACS+/RADIUS server(s).

  5. The Three Components of AAA
  • Accounting – “What have the users been doing on the network?”
  • Accounting is performed after authentication.
  • Accounting enables you to collect information about user activity and resource consumption:
  • user logins
  • commands executed by the user, session durations, bytes transferred
  • The network device sends this information in the form of attribute-value pairs to the accounting server.
  • Therefore, user activity information from all devices in your network is located in one central place.
  • Authentication can be valid without authorization and accounting.
  • Authorization and accounting, however, cannot be performed without authentication.

  6. Advantages of using AAA
  • Increased flexibility and control of access configuration: Beyond IOS passwords, AAA offers additional authorization flexibility on a per-command or per-interface level, which is unavailable with local credentials.
  • Scalability: Storing usernames and passwords in a local database on a device may be an appropriate solution for a small network with a small number of users.
  • In larger networks, managing a large number of users on multiple devices becomes highly impractical and error-prone, with a lot of administrative burden.
  • A single username shared by a number of network administrators makes it impossible to track activities back to an individual user.
  • The AAA model is the only solution that scales well.
  • Standardized authentication methods: AAA supports the RADIUS protocol, which is an open industry standard.
  • Multiple backup systems: You may specify multiple servers when configuring authentication options on the method list.
  • In case of a server failure, the AAA engine on the device will continue to query the next server in the server group.

  7. Authentication Options
  • Generally speaking, authentication is based on:
  • Something the user knows (username and password)
  • Something the user has (digital certificate issued by a certification authority)
  • Something the user is (biometric scanners that identify the user by fingerprint or retina)

  8. Authentication Options
  • The authentication database may be stored either locally on a network device or on a centralized server.
  • It is best practice to have multiple methods of authentication in case the primary authentication method is down or unreachable.
  • If the primary is down and no backup authentication method exists, you cannot access the network device in question.

  9. AAA Protocols: RADIUS and TACACS+
  • The best-known and most widely used AAA protocols are:
  • TACACS+
  • RADIUS
  • TACACS+ and RADIUS have different features that make them suitable for different situations.
  • RADIUS is maintained as a standard created by the IETF.
  • TACACS+ is a proprietary Cisco Systems technology that encrypts data.
  • Protocol:
  • TACACS+ runs over TCP
  • RADIUS runs over UDP
  • TACACS+ can control the authorization level of users; RADIUS cannot.
  • Because TACACS+ separates authentication and authorization, it is possible to use TACACS+ for authorization and accounting while using a different method for authentication, such as Kerberos.

  10. RADIUS Features
  • RADIUS is an IETF standard protocol (RFC 2865).
  • Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default).

  11. RADIUS and TACACS+ Overview
  • RADIUS and TACACS+ use the client/server model.
  • Step 1 - A user or machine sends a request to a networking device such as a router that acts as a network access server when running AAA.
  • Steps 2 and 3 - The network access server then communicates with the server, exchanging RADIUS or TACACS+ messages.
  • Step 4 - If authentication is successful…
  • Step 5 - the user is granted access to a protected resource, such as a device CLI, a network, and so on.
  • Cisco implements the AAA server functionality in the Cisco Secure Access Control Server (ACS) and Identity Services Engine (ISE).

  12. TACACS+ Attributes and Features
  • The TACACS+ protocol is much more flexible than RADIUS communication.
  • TACACS+ uses TCP on well-known port number 49.
  • TACACS+ establishes a dedicated TCP session for every AAA action.
  • Cisco Secure ACS can use one persistent TCP session for all actions.

  13. RADIUS Authentication and Authorization
  • The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password.
  • The ACS can reply with an Access-Accept message, or Access-Reject if authentication is not successful.

  14. RADIUS Messages
  • There are four types of messages involved in a RADIUS authentication exchange:
  • Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port.
  • Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5).
  • Access-Accept: The positive answer if the user information is valid.
  • Access-Reject: Sent as a negative reply if the user information is invalid.

  15. RADIUS Authentication Process
  • The RADIUS authentication process between the NAS and the RADIUS server starts when a client sends a login request in the form of an Access-Request packet.
  • This packet contains:
  • username
  • encrypted password
  • NAS IP address
  • NAS port number

  16. RADIUS Authentication Process
  • When the RADIUS server receives the query…
  • It first compares the shared secret key sent in the request packet with the value configured on the server.
  • If the shared secrets are not identical, the server silently drops the packet.
  • Only authorized clients can communicate with the server.
  • If the shared secrets are identical…
  • The packet is processed further…
  • Comparing the username and password inside the packet with those found in the database.

  17. RADIUS Authentication Process
  • If a match is found, the server returns an Access-Accept packet…
  • with a list of attributes to be used with this session in the form of AV pairs (IP address, access control list [ACL] for the NAS).
  • If a match is not found, however, the RADIUS server returns an Access-Reject packet.
  • It is important to notice that the authentication and authorization phases are combined in a single Access-Request packet, unlike TACACS+.

  18. RADIUS Authentication Process
  • During the authentication and authorization phase, an optional Access-Challenge message may be sent by the RADIUS server…
  • for the purpose of collecting additional data (PIN, token card, and so on), further verifying the client’s identity.
  • The accounting phase is performed separately, after the authentication and authorization phases, using Accounting-Request and Accounting-Response messages.
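As an added example (not from the slides or from Cisco), the following Python models the Access-Request / Access-Accept exchange of slides 14 to 18 as RFC 2865 defines it: the User-Password attribute is the one hidden field, keyed by the shared secret and the Request Authenticator; the server recovers it with its configured secret; and the NAS verifies the reply's Response Authenticator with the same secret. The server, its user database and all packet values are constructed, and Access-Challenge is not modelled.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS codes (RFC 2865) and the attribute types slide 15 lists in an Access-Request
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous block), chaining from the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden, secret, authenticator):
    """Inverse of hide_password: only a holder of the same secret gets the password back."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value   # Type, Length, Value


def build_access_request(ident, user, password, nas_ip, nas_port, secret):
    """NAS side: the password is the only attribute that is hidden (slide 14)."""
    req_auth = secrets.token_bytes(16)                          # Request Authenticator
    attrs = (attr(USER_NAME, user)
             + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def server_handle(packet, secret, user_db):
    """Constructed server side: recover the password with the configured secret,
    look the user up, and reply with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", packet[:4])
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = unhide_password(attrs[USER_PASSWORD], secret, req_auth)
    reply = ACCESS_ACCEPT if user_db.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)              # no reply attributes here
    return header + hashlib.md5(header + req_auth + secret).digest()


def nas_verify_response(request, response, secret):
    """NAS side: recompute the Response Authenticator; a reply that was forged,
    altered, or built with a different secret fails the check. Returns (ok, code)."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20]), response[0]
```

A mismatched secret shows up as an unrecoverable password on the server and an unverifiable reply on the NAS, which is the check behind slide 16's "only authorized clients can communicate with the server".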

  19. TACACS+ Authentication
  • The example shows how the TACACS+ exchange starts before the user is prompted for a username and password.
  • The prompt text can be supplied by the TACACS+ server.

  20. TACACS+ Network Authorization
  • The example shows the process of network authorization, which starts after successful authentication.

  21. TACACS+ Authentication Process
  • TACACS+ communication between the NAS and the TACACS+ server starts with a TCP connection, unlike RADIUS (which uses UDP).
  • Next, the NAS contacts the TACACS+ server to obtain a username prompt, which is then displayed to the user.
  • The username entered by the user is forwarded to the server.
  • The server prompts the user again, this time for a password.
  • The password is then sent to the server, where it is validated against the database (local or remote).

  22. TACACS+ Authentication Process
  • If a match is found, the TACACS+ server sends an ACCEPT message to the client, and the authorization phase may begin (if configured on the NAS).
  • If a match is not found, however, the server responds with a REJECT message, and any further access is denied.
  • Recall from earlier discussions that TACACS+ separates all its functions.

  23. Configuring AAA
  Switch(config)# aaa new-model
  Switch(config)# username User123 secret Secretpwd
  • Globally enable AAA to allow the use of all AAA elements.
  • This step is a prerequisite for all other AAA commands.
  • AAA supports a variety of authentication options.
  • For example, you can use external authentication servers such as RADIUS or TACACS+, or you may specify a local database.
  • Despite these options, it is best practice to configure a local username to serve as a backup, should all external servers fail.
  • NOTE: The aaa new-model command immediately applies local authentication to all lines and interfaces (except the console line con 0). To avoid being locked out of the router, it is a best practice to define a local username and password before starting the AAA configuration.

  24. Configuring RADIUS for Console and vty
  Switch(config)# radius server configuration-name
  Switch(config-radius-server)# address ipv4 hostname [auth-port integer] [acct-port integer]
  Switch(config-radius-server)# key string
  Switch(config)# aaa group server radius group-name
  Switch(config-sg-radius)# server name configuration-name

  25. Configuring RADIUS for Console and vty
  Switch(config)# radius server myRadius
  Switch(config-radius-server)# address ipv4 172.16.1.1
  Switch(config-radius-server)# key cisco456
  Switch(config)# aaa group server radius Mygroup2
  Switch(config-sg-radius)# server name myRadius
  Switch(config)# aaa authentication login radius_list group Mygroup2 local
  Switch(config)# line vty 0
  Switch(config-line)# login authentication radius_list
  • The configuration-name is just a text identifier for the server in question.
  • In the server subconfiguration, the IP address is specified.
  • The next step is to add the RADIUS server to a server group.
  • You can add multiple RADIUS servers to a group, as long as they were previously defined using the radius server command.

  26. Configuring RADIUS for Console and vty
  • Configure login authentication using a named method list, radius_list, with:
  • server group Mygroup2 as the primary authentication option
  • the local user database as a backup
  • The final step is to apply this method list to the vty 0 line.

  27. Configuring TACACS+ for Console and vty
  Switch(config)# tacacs server myTacacs
  Switch(config-server-tacacs)# address ipv4 192.168.1.1
  Switch(config-server-tacacs)# key cisco123
  Switch(config)# aaa group server tacacs+ Mygroup1
  Switch(config-sg-tacacs+)# server name myTacacs
  Switch(config)# aaa authentication login default group Mygroup1 local
  Switch(config)# aaa authorization exec default group Mygroup1 local
  • The default method list is automatically applied to all interfaces except those that have a named method list explicitly defined.

  28. • The commands create a method list that first tries to contact a TACACS+ server.
  • If neither server can be contacted, AAA tries to use the enable password.
  • This attempt may return an error because no enable password is configured on RTA.
  • However, the user is allowed access with no authentication.

  29. AAA Authorization
  Switch(config)# aaa authorization authorization-type list-name method-list
  Switch(config)# line line-type line-number
  Switch(config-line)# authorization {arap | commands level | exec | reverse-access} list-name
  • AAA authorization goes beyond authentication to control what actions, commands, and so on a user is allowed to perform.
  • Step 1. Define a named list of authorization methods.
  • Step 2. Apply that list to one or more interfaces (except for the default method list).
  • Step 3. The first listed method is used. If it fails to respond, the second one is used, and so on until all listed methods are exhausted. Once the method list is exhausted, a failure message is logged.

  30. AAA Accounting
  Switch(config)# aaa accounting accounting-type list-name {start-stop | stop-only | none} method-list
  Switch(config)# interface interface-type interface-number
  Switch(config-if)# ppp accounting list-name
  • The AAA accounting feature enables you to track the services that users are accessing and the amount of network resources that they are consuming.
  • Step 1. You must first define a named list of accounting methods.
  • Step 2. Apply that list to one or more interfaces (except for the default method list).
  • Step 3. The first listed method is used; if it fails to respond, the second one is used, and so on.
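The method-list walk described on slides 6, 26, 29 and 30 (next method only when the current one fails to respond; next server in a group only when a server fails) is easy to get wrong when reasoning about fallback, so here is an added Python model of it. It is not code from the slides or from IOS; the server group name Mygroup2, the list name radius_list and the server contents are constructed to match the configuration on slide 25.

```python
# Outcomes of one AAA method, as the method-list logic distinguishes them:
# PASS/FAIL are definite answers; ERROR means the method did not respond.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class RadiusServer:
    """Constructed stand-in for one 'radius server' entry."""
    def __init__(self, name, reachable, users):
        self.name, self.reachable, self.users = name, reachable, users

    def query(self, user, pw):
        if not self.reachable:
            return ERROR                                        # timeout, no reply at all
        return PASS if self.users.get(user) == pw else FAIL     # Access-Accept / Access-Reject


class ServerGroup:
    """'aaa group server radius <name>': on a server failure the AAA engine
    moves on to the next server in the group (slide 6)."""
    def __init__(self, name, servers):
        self.name, self.servers = name, servers

    def authenticate(self, user, pw, log):
        for s in self.servers:
            result = s.query(user, pw)
            log.append(f"  {self.name}/{s.name}: {result}")
            if result != ERROR:
                return result
        return ERROR                                            # whole group unreachable


def local_method(db):
    """'local' keyword: the username/secret database on the switch itself."""
    def authenticate(user, pw, log):
        return PASS if db.get(user) == pw else FAIL
    return authenticate


def run_method_list(name, methods, user, pw):
    """Walk a named method list such as 'group Mygroup2 local' (slides 26, 29, 30):
    the first method is used; the next one is tried only if the current one
    fails to respond. A definite FAIL ends the walk, so a rejected user never
    falls back to a weaker method. Returns (outcome, log)."""
    log = [f"method list {name} for user {user}"]
    for label, method in methods:
        result = method(user, pw, log)
        log.append(f"{label}: {result}")
        if result != ERROR:
            return result, log
    log.append("all methods exhausted: authentication error logged")
    return ERROR, log


def make_radius_list(server_states, local_db):
    """Build 'aaa authentication login radius_list group Mygroup2 local' from a
    constructed {server_name: (reachable, users)} map and a local database."""
    servers = [RadiusServer(n, up, users) for n, (up, users) in server_states.items()]
    group = ServerGroup("Mygroup2", servers)
    return [("group Mygroup2", group.authenticate), ("local", local_method(local_db))]
```

The real IOS method-list state machine has more cases than this (for example how the local method treats a username it does not know); the model reproduces only the respond / no-respond rule the slides state.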

  31. TACACS+ Reports and Activity

  32. Configuring AAA authorization

  33. Configuring AAA authorization
  Router(config)# aaa authorization type {default | list-name} [method1 [...[method4]]]
  • AAA authorization limits the services available to a user.
  • When AAA authorization is enabled, the router uses information retrieved from the user's profile to configure the session.
  • This profile is located either in the local user database or on the security server.
  • Once this authorization is done, the user will be granted access to a requested service only if the information in the user profile allows it.

  34. Configuring AAA authorization

  35. Configuring AAA authorization
  • Before AAA authorization can be configured, the following tasks must be performed:
  • Enable AAA using the aaa new-model command.
  • Configure AAA authentication. Authorization generally takes place after authentication, and it relies on authentication to work properly.
  • Configure the router as a TACACS+ or a RADIUS client, if necessary.
  • Configure the local username/password database, if necessary.
  • Use the username command to define the rights associated with specific users.

  36. • The aaa authorization reverse-access command configures authorization for reverse Telnet sessions.
  • Users attempting to reverse Telnet from the router must first be authorized to issue the command by a TACACS+ server.

  37. • The aaa authorization exec command configures authorization for EXEC sessions.
  • The router will contact a TACACS+ server to determine whether users are permitted to start an EXEC shell when they log in.

  38. IOS command privilege levels
  • The aaa authorization command can also be used to control exactly which commands a user is allowed to enter on the router.
  • Users can only enter commands at or beneath their privilege level.
  • All IOS router commands are assigned a privilege level from 0 to 15.
  • There are three privilege levels on the router by default.
  • Routers use privilege levels even when AAA is not configured.
  • When a user opens an EXEC session using the console or a VTY, the user can issue any command in privilege level 1 and/or privilege level 0 by default.
  • privilege level 1 – user mode
  • privilege level 15 – privileged (enable) mode
  • Once the user authenticates using the enable command and enable password, that user has privilege level 15.

  39. IOS command privilege levels
  • Levels 2 to 14 are not used in a default configuration.
  • However, commands that are normally at level 15 can be moved down to any level between 2 and 14.
  • Commands that are normally at level 1 can be moved up to one of those levels.
  • This security model involves some administration on the router.
  • To determine the privilege level as a logged-in user, use the show privilege command.
  • The commands available at a particular privilege level for the Cisco IOS Software release being used can be determined by entering a “?” at the command line when logged in at that privilege level.
  • Note: Instead of assigning privilege levels, command authorization can be done if the authentication server supports TACACS+. The RADIUS protocol does not support command authorization.

  40. Configuring command authorization
  • The privilege command can be used to configure precisely which commands belong to which privilege levels, including user-defined levels.
  • The commands entered on RTA move the snmp-server commands from privilege level 15, the default, to privilege level 7.
  • The ping command is moved up from privilege level 1 to privilege level 7.

  41. Configuring command authorization
  • Once privilege levels have been defined, the aaa authorization command can be used to give access to commands by privilege level.
  • A user who logs in with level 7 privileges can ping and do snmp-server configuration in configuration mode.
  • Other configuration commands are not available.
  • The security server or the local username/password database can determine a user’s privilege level.

  42. Configuring command authorization
  Router(config)# username name privilege level password password
  RTA(config)# username flannery privilege 7 password letmein
  • The above configuration shows the username command used to create a user named “flannery” with a privilege level of 7.
  • When this user logs in, access will only be given to commands at privilege level 7 and below.
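To make the privilege-level model of slides 38 to 42 concrete, here is an added Python example (not from the slides or from IOS) that parses privilege and username lines in the IOS syntax the slides use and answers the question "may this user enter this command?". The default command levels are a constructed subset, the RTA lines are constructed to match what slides 40 and 42 describe, and the "configure terminal" line is added so that a level-7 user can reach configuration mode in this model.

```python
import re

# Constructed subset of the default IOS command placement (slide 38):
# level 1 = user EXEC, level 15 = privileged EXEC / configuration commands.
DEFAULT_LEVELS = {
    ("exec", "show"): 1, ("exec", "ping"): 1, ("exec", "configure"): 15,
    ("configure", "snmp-server"): 15, ("configure", "hostname"): 15,
    ("configure", "interface"): 15,
}

# Constructed RTA configuration: snmp-server moved down to level 7, ping moved
# up to level 7, user flannery created at level 7 (slides 40 and 42).
RTA_CONFIG = [
    "privilege configure level 7 snmp-server",
    "privilege exec level 7 configure terminal",   # lets level 7 enter config mode here
    "privilege exec level 7 ping",
    "username flannery privilege 7 password letmein",
]

PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) (\S+)")
USER_RE = re.compile(r"^username (\S+) privilege (\d+) (?:password|secret) (\S+)")


def apply_config(lines, defaults=DEFAULT_LEVELS):
    """Parse 'privilege <mode> level <n> <command>' and
    'username <name> privilege <n> ...' lines into a {(mode, command): level}
    table and a {user: level} table, starting from the default levels."""
    levels, users = dict(defaults), {}
    for line in lines:
        line = line.strip()
        if m := PRIV_RE.match(line):
            levels[(m.group(1), m.group(3))] = int(m.group(2))   # first word of the command
        elif m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
    return levels, users


def authorize(levels, user_level, mode, command):
    """Slide 38: a user may enter a command only at or beneath their privilege
    level. A command missing from the table is denied."""
    cmd_level = levels.get((mode, command))
    return cmd_level is not None and cmd_level <= user_level


def visible_commands(levels, user_level, mode):
    """What '?' would list for this user in this mode (slide 39)."""
    return sorted(cmd for (m, cmd), lvl in levels.items()
                  if m == mode and lvl <= user_level)
```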

  43. Configuring AAA accounting

  44. Configuring AAA accounting
  • Method lists for accounting define the way accounting will be performed and the sequence in which those methods are attempted.

  45. Configuring AAA accounting
  • Accounting method lists are specific to the type of accounting being requested.
  • AAA supports the following six types of accounting:
  • Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts.
  • EXEC accounting provides information about user EXEC terminal sessions on the network access server.
  • Command accounting generates accounting records for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
  • Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.
  • System accounting provides information about system-level events.
  • Resource accounting provides "start" and "stop" records for calls that have passed user authentication, and provides "stop" records for calls that fail to authenticate.

  46. Configuring AAA accounting

  47. Configuring AAA accounting
  • After specifying a named or default list, the accounting record type must be specified. The following are the four accounting record types:
  • none
  • start-stop
  • stop-only
  • wait-start
  • For minimal accounting, use the stop-only keyword.
  • This keyword instructs the specified method, RADIUS or TACACS+, to send a stop record accounting notice at the end of the requested user process.
  • For more accounting information, use the start-stop keyword to send a start accounting notice at the beginning of the requested event and a stop accounting notice at the end of the event.
  • wait-start sends both a start and a stop accounting record to the accounting server.
  • However, if the wait-start keyword is used, the requested user service does not begin until the start accounting record is acknowledged.
  • A stop accounting record is also sent.
  • To stop all accounting activities on this line or interface, use the none keyword.

  48. • RTA is configured with the aaa accounting network command.
  • This command enables accounting for network services, such as PPP, SLIP, and ARAP sessions.
  • RTA will send accounting information for PPP sessions to a TACACS+ server.
  • The format of the output stored on the server varies depending on the TACACS+ or RADIUS implementation.
