AUTHENTICATION IN CISCO IOS

Maxim Habrat
Figure 1. Authentication scheme (continued)
Figure 2. Authentication scheme
AAA (Authentication, Authorization and Accounting) is the framework built into Cisco IOS that controls remote user access to Cisco network devices. It offers several methods for identifying and authorizing users, and it can collect accounting data and send it to a server.
AAA is disabled by default, and its configuration is fairly involved. Configuration mistakes can make remote access unstable or insecure, or cause connection failures and lock administrators out. This article explains how to configure authentication with AAA.
Figures 1 and 2 show the authentication scheme as a whole. We deliberately split it into two parts: the first covers the path from the managing lines (vty or con) to the authentication methods, and the second covers the authentication methods themselves.
But first things first.
Lack of AAA New-Model
This section concerns the right-hand part of the first scheme.
As noted above, the AAA new-model service is disabled by default. A user can connect to the device physically through the console port (line console 0) without any credentials, or remotely via Telnet (line vty). In the latter case, even if an IP address is configured on the device, access is impossible when no password is set on the line, because the line authentication method has nothing to check against (see figure 3).
If a password is set on the vty line, the device asks for that password only. This noticeably weakens access control: no username is required, so the password is the single shared secret, and security depends entirely on its complexity.
If the line is configured with the "login local" command, the device asks for a username and a password and checks them against the local user database.
So without AAA new-model, the most you can require is either a password (line authentication method) or a username and password from the local database (local authentication method).
Figure 3. Authentication scheme without AAA new-model
Figure 4. Authentication methods without AAA new-model
Figure 5. Authentication configuration for group method
AAA new-model configuration
The advantage of AAA is that it offers a much larger set of authentication methods than the case described above. Enter the aaa new-model command in global configuration mode to enable AAA.
Then choose the authentication methods. Methods are organized into lists, either the default list or a named list (list-name), so different line types (aux, vty, con ...) can be assigned different authentication methods for user access control.
Here is the general form of the AAA new-model configuration and authentication lists:
    Router(config)#aaa new-model
    Router(config)#aaa authentication login {default | list-name} method1 [method2...]
    Router(config)#line {vty | aux | con ...} line-numbers
    Router(config-line)#login authentication {default | list-name}
Methods
As described above, AAA has a number of authentication methods. The most common ones are:
• local: a database of usernames and passwords stored on the network device itself. It requires username <user> {password | secret}.
• local-case: the same as local, but usernames are case-sensitive.
• enable: authenticates against the enable {password | secret}.
• line: authenticates against the line password (see figure 4, line authentication method).
• none: no authentication; a user can access the device without any credentials.
• group {tacacs+ | radius}: uses all configured TACACS+ or RADIUS servers, which also gives access to the additional AAA features these protocols provide.
• group group-name: uses a named group of TACACS+ or RADIUS servers; the group may also contain private servers defined inside the group itself.
The most interesting authentication method is group, which is common in medium and large companies.
Below is an example of configuring the group method, which requires authentication lists (figure 5).
Adding a server group and a private RADIUS server:
    Router(config)#aaa authentication login default group servradius1
    Router(config)#aaa group server radius servradius1
    Router(config-sg-radius)#server 192.168.1.1
    Router(config-sg-radius)#server 192.168.1.2
    Router(config-sg-radius)#server 192.168.1.3
    Router(config-sg-radius)#server-private 192.168.1.10
Three servers and one private server are configured in this example. How does this scheme operate?
The first idea that comes to mind is that they are tried one after another: if 192.168.1.1 is unavailable, the system asks 192.168.1.2, and so on. But that is not the case.
In fact, the example contains an error: 192.168.1.1, 192.168.1.2 and 192.168.1.3 are configured incorrectly and are therefore never used for authentication. A server referenced with the server command inside a group must also be defined globally, and this configuration lacks the Router(config)#radius-server host <IP> command for each of these three servers. Only the private server 192.168.1.10 is actually used, because server-private entries are defined within the group itself. Please refer to the vendor's site for configuration details (bit.ly/1kI0vJA). We can describe this in the following manner.
© 2014 Positive Technologies.
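The following is an added example, not code from the article, from Positive Technologies or from Cisco: a small Python audit that parses an IOS-style text configuration and applies the rules of the two schemes above. For each managing line it reports which authentication methods really apply (including a line with no "login" command at all, and password-only line authentication), and for each RADIUS server group it reports which "server" entries lack a global "radius-server host" definition and are therefore never used. The two configurations embedded in it are constructed (the second mirrors the group example above); the fallback to the local database when aaa new-model is enabled without a default list is an assumption, marked as such in the code.

```python
"""Audit login authentication in a Cisco IOS text config.
Added example, not code from the article or from Cisco: it reports which
authentication methods really apply to each managing line and which RADIUS
group servers lack a 'radius-server host' definition. The sample configs and
the fallback rule marked ASSUMPTION are constructed for this example."""
import re
from collections import defaultdict

# Constructed: without 'aaa new-model' only line-level methods apply.
LEGACY_CONFIG = """\
line con 0
line vty 0 4
 password 7 094F471A1A0A
 login
line vty 5 15
 login local
"""

# Constructed: the article's group example, with no radius-server host lines.
AAA_CONFIG = """\
aaa new-model
aaa authentication login default group servradius1
aaa group server radius servradius1
 server 192.168.1.1
 server 192.168.1.2
 server 192.168.1.3
 server-private 192.168.1.10
line vty 0 4
 login authentication default
"""

def parse_config(text):
    cfg = {"new_model": False, "lists": {}, "groups": defaultdict(list),
           "radius_hosts": set(), "lines": {}}
    section = None  # ("group", name) or ("line", name) while sub-commands are indented
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if not raw.startswith(" "):  # global configuration command
            section = None
            if raw == "aaa new-model":
                cfg["new_model"] = True
            elif raw.startswith("aaa authentication login "):
                # 'group NAME' is a single method spanning two words
                cfg["lists"][parts[3]] = re.findall(r"group \S+|\S+", " ".join(parts[4:]))
            elif raw.startswith("aaa group server radius "):
                section = ("group", parts[4])
            elif raw.startswith("radius-server host "):
                cfg["radius_hosts"].add(parts[2])
            elif parts[0] == "line":
                section = ("line", " ".join(parts[1:]))
                cfg["lines"][section[1]] = {"password": False, "login": None, "list": None}
        elif section and section[0] == "group" and parts[0] in ("server", "server-private"):
            cfg["groups"][section[1]].append((parts[0], parts[1]))
        elif section and section[0] == "line":
            line = cfg["lines"][section[1]]
            if parts[0] == "password":
                line["password"] = True
            elif parts[:2] == ["login", "authentication"]:
                line["list"] = parts[2]
            elif parts[0] == "login":
                line["login"] = "local" if parts[1:] == ["local"] else "line"
    return cfg

def usable_servers(cfg, group):
    """A plain 'server' entry counts only when 'radius-server host' defines it globally."""
    return [ip for kind, ip in cfg["groups"].get(group, [])
            if kind == "server-private" or ip in cfg["radius_hosts"]]

def effective_methods(cfg, name):
    """Methods that actually apply to a managing line, following the article's scheme."""
    line = cfg["lines"][name]
    if not cfg["new_model"]:
        if line["login"] == "local":
            return ["local"]
        if line["login"] == "line":
            return ["line"] if line["password"] else []  # password required but none set
        return ["none"]  # no 'login' command at all: open access
    # ASSUMPTION: with aaa new-model and no default list defined, IOS uses local
    return cfg["lists"].get(line["list"] or "default", ["local"])

def audit(text):
    """Findings in configuration order: server groups first, then each line."""
    cfg, findings = parse_config(text), []
    for group, servers in cfg["groups"].items():
        for kind, ip in servers:
            if kind == "server" and ip not in cfg["radius_hosts"]:
                findings.append(f"group {group}: server {ip} has no radius-server host entry, never used")
        if not usable_servers(cfg, group):
            findings.append(f"group {group}: no usable servers")
    notes = {"none": "no authentication (none)", "line": "password-only authentication, no username"}
    for name in cfg["lines"]:
        methods = effective_methods(cfg, name)
        findings += [f"line {name}: {notes[m]}" for m in methods if m in notes]
        if not methods:
            findings.append(f"line {name}: 'login' set but no password, access is refused")
    return findings
```

Running audit(AAA_CONFIG) reports the three group servers as never used; appending a radius-server host line for each of them clears those findings and makes all four servers usable. Running audit(LEGACY_CONFIG) flags the console line as open (no authentication) and the first vty range as password-only, while the range with "login local" passes.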
We hope this article helps you configure authentication on your network devices successfully. Follow the scheme, and if errors occur, look at the configuration more closely: it is possible that the device can be accessed without credentials (no authentication method).
We usually try to automate such complex checks. Here is an example of a MaxPatrol report on the AAA service.
Figure 6. Requirement status
Figure 7. Results on AAA service