1 / 54

Implementing Secure Converged Wide Area Networks (ISCW)

Implementing Secure Converged Wide Area Networks (ISCW). Configuring AAA on Cisco Routers. Lesson 11 – Module 5 – ‘Cisco Device Hardening’. Module Introduction.

Télécharger la présentation

Implementing Secure Converged Wide Area Networks (ISCW)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript

  1. Implementing Secure Converged Wide Area Networks (ISCW)

  2. Configuring AAA on Cisco Routers Lesson 11 – Module 5 – ‘Cisco Device Hardening’

  3. Module Introduction • The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. • Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. • Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.

  4. Objectives • At the completion of this eleventh lesson, you will be able to: • Describe what is meant by the term ‘triple A’ • Explain how and why AAA should be used to secure router and switch access • Configure AAA using the IOS CLI and SDM • Describe the use of external AAA servers, including a brief overview of CSACS

  5. Authentication, Authorisation & Accounting • It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components: • authentication, • authorisation, and • accounting also known as AAA • These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components • Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data • Using a Cisco AAA architecture enables consistent, systematic and scalable access security

  6. The Three Components of AAA • Authentication • Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption • Authorisation • Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet • Accounting • Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes

  7. Authentication • Authentication is the way a user is identified prior to being allowed access to the network and network services • AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces • The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed • The only exception is the default method list (“default”). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list. • All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA

  8. Authorisation • Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet • AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform • These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions • The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server • As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces

  9. Accounting • Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes • Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming • With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records • Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing • All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces

  10. Access Control • In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions • If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server • Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA

  11. Implementing AAA • Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment: • Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication) • Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication • Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication • There are also open source AAA servers available that work in conjunction with Cisco IOS devices

  12. Implementing AAA • Administrative access: Console, Telnet, and AUX access • Remote user network access: Dialup or VPN access

  13. Router Access Modes • All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA) • If the query is presented as Service-Type = Exec-User, the query is presented in character mode • If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is presented in packet mode. • Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method • Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements. • With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server

  14. Router Access Modes

  15. AAA Protocols: RADIUS and TACACS+

  16. AAA Protocols: RADIUS and TACACS+ • The best-known and best-used types of AAA protocols are TACACS+ and RADIUS • TACACS+ and RADIUS have different features that make them suitable for different situations • RADIUS is maintained by a standard that was created by the IETF • TACACS+ is a proprietary Cisco Systems technology that encrypts data • TACACS+ runs over TCP - RADIUS runs over UDP • TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot • Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos

  17. RADIUS Features • Radius is an IETF standard protocol - RFC 2865 • Standard attributes can be augmented by proprietary attributes: Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS • Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default) • It includes only two security features: • Encryption of passwords (MD5 encryption) • Authentication of packets (MD5 fingerprinting) • Authorisation is only possible as part of authentication

  18. RADIUS Authentication and Authorisation • The example shows how RADIUS exchange starts once the NAS is in possession of the username and password • The ACS can reply with Access-Accept message, or Access-Reject if authentication is not successful

  19. RADIUS Messages • There are four types of messages involved in a RADIUS authentication exchange: • Access-Request:Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port • Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) • Access-Accept:The positive answer if the user information is valid • Access-Reject:Sent as a negative reply if the user information is invalid

  20. RADIUS AV Pairs • RADIUS messages contain zero or more AV-pairs, for example: • User-Name • User-Password (this is the only encrypted entity in RADIUS) • CHAP-Password • Service-Type • Framed-IP-Address • There are approximately 50 standard-based attributes (RFC 2865) • RADIUS allows proprietary attributes • Basic attributes are used for authentication purposes • Most other attributes are used in the authorisation process • Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility • Accounting information is sent within special RADIUS accountingmessages

  21. TACACS+ Attributes and Features • The TACACS+ protocol is much more flexible than the RADIUS communication. TACACS+ protocol permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated • TACACS+ messages contain AV-pairs, such as: • ACL • ADDR • CMD • Interface-Config • Priv-Lvl • Route • TACACS+ uses TCP on well-known port number 49 • TACACS+ establishes a dedicated TCP session for every AAA action • Cisco Secure ACS can use one persistent TCP session for all actions • Protocol security includes authentication and encryption of all TACACS+ datagrams

  22. TACACS+ Authentication • The example shows how TACACS+ exchange starts before the user is prompted for username and password. • The prompt text can be supplied by the TACACS+ server.

  23. TACACS+ Network Authorisation • The example shows the process of network authorisation that starts after successful authentication.

  24. TACACS+ Command Authorisation • The example illustrates the command authorisation process that repeatedly starts for every command that requires authorisation (based on command privilege level).

  25. Configuring the AAA Server • These are the first steps in configuring the network access server: • Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands. • Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server • Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS

  26. Configuring the AAA Server TACACS+ RADIUS

  27. AAA Configuration Commands

  28. AAA Authentication Commands Router(config)# aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]] • Use this command to configure the authentication process Router(config)#aaa authentication login default group tacacs+ local line

  29. aaa authentication login Parameters

  30. aaa authentication login Parameters (Cont.)

  31. Configuring AAA Authentication Using TACACS+

  32. Character Mode Login Example Router#show running-config ... aaa new-model aaa authentication login default group tacacs+ local aaa authentication login my_list group tacacs+ ... line con 0 line aux 0 line vty 0 4 login authentication my_list • Because the authentication has not been specified for line con 0 and aux 0, the default option is used

  33. Enabling AAA in SDM

  34. Confirming the AAA Activation

  35. Defining RADIUS Servers

  36. Defining TACACS+ Servers

  37. Creating a Login Authentication Policy

  38. Configuring a Login Authentication Policy

  39. Creating an EXEC Authorisation Policy

  40. Configuring an EXEC Authorisation Policy

  41. Creating Local User Accounts

  42. Configuring VTY Line Parameters

  43. Applying Authentication Policy to VTY Lines

  44. Applying Authorisation Policy to VTY Lines

  45. Verifying AAA Login Authentication Commands aaa new-model !aaa authentication login default local aaa authentication login radius_local group radius group radius aaa authorization exec default local ! username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1 ! tacacs-server host single-connection key secrettacacs radius-server host auth-port 1645 acct-port 1646 key secretradius ! line vty 0 4 login authentication radius_local

  46. Troubleshoot AAA Login Authentication on Cisco Routers • Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication • Thecommanddisplays debugging messages on authentication functions router# debug aaa authentication

  47. ‘AAA Authorization’ Commands • The access server can be configured to restrict the user to perform certain functions only after successful authentication • Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation • Troubleshooting Authorization • To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode. • Use the nodebug aaa authorization form of the command to disable this debug mode.

  48. ‘AAA Authorization’ Commands router(config)# aaa authorization {network | exec | commands level | config-commands | reverse-access} {default|list-name} method1 [method2...] Example: router(config)#aaa authorization exec default group radius local none

  49. AAA Accounting Commands • Use the aaa accounting command in global configuration mode for auditing and billing purposes.. • Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place. • The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. • Accounting tracks events that occur on the network. • Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.

  50. AAA Accounting Commands router(config)# aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius} Example: R2(config)#aaa accounting exec default start-stop group tacacs+

More Related