Implementing Secure Converged Wide Area Networks (ISCW) ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 1 Configuring AAA on Cisco Routers Lesson 11 – Module 5 – ‘Cisco Device Hardening’ ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 2 Module Introduction The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people. Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete. Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions. ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 3 Objectives At the completion of this eleventh lesson, you will be able to: Describe what is meant by the term ‘triple A’ Explain how and why AAA should be used to secure router and switch access Configure AAA using the IOS CLI and SDM Describe the use of external AAA servers, including a brief overview of CSACS ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 4 Authentication, Authorisation & Accounting It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components: 1. authentication, 2. authorisation, and 3. accounting ISCW-Mod5_L11 also known as AAA These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data Using a Cisco AAA architecture enables consistent, systematic and scalable access security © 2007 Cisco Systems, Inc. All rights reserved. 5 The Three Components of AAA Authentication Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption Authorisation Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet Accounting Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 6 Authentication Authentication is the way a user is identified prior to being allowed access to the network and network services AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed The only exception is the default method list (“default”). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list. All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 7 Authorisation Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 8 Accounting Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 9 Access Control In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 10 Implementing AAA Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment: 1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication) 2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication 3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication ISCW-Mod5_L11 There are also open source AAA servers available that work in conjunction with Cisco IOS devices © 2007 Cisco Systems, Inc. All rights reserved. 11 Implementing AAA Administrative access: Console, Telnet, and AUX access Remote user network access: Dialup or VPN access ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 12 Router Access Modes All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA) If the query is presented as Service-Type = Exec-User, the query is presented in character mode If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is presented in packet mode. Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements. With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 13 Router Access Modes ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 14 AAA Protocols: RADIUS and TACACS+ ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 15 AAA Protocols: RADIUS and TACACS+ The best-known and best-used types of AAA protocols are TACACS+ and RADIUS TACACS+ and RADIUS have different features that make them suitable for different situations RADIUS is maintained by a standard that was created by the IETF TACACS+ is a proprietary Cisco Systems technology that encrypts data TACACS+ runs over TCP - RADIUS runs over UDP TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 16 RADIUS Features Radius is an IETF standard protocol - RFC 2865 Standard attributes can be augmented by proprietary attributes: Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default) It includes only two security features: 1.Encryption of passwords (MD5 encryption) 2.Authentication of packets (MD5 fingerprinting) Authorisation is only possible as part of authentication ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 17 RADIUS Authentication and Authorisation The example shows how RADIUS exchange starts once the NAS is in possession of the username and password The ACS can reply with Access-Accept message, or AccessReject if authentication is not successful ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 18 RADIUS Messages There are four types of messages involved in a RADIUS authentication exchange: 1. Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port 2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MSCHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5) 3. Access-Accept: The positive answer if the user information is valid 4. Access-Reject: Sent as a negative reply if the user information is invalid ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 19 RADIUS AV Pairs RADIUS messages contain zero or more AV-pairs, for example: 1. 2. 3. 4. 5. There are approximately 50 standard-based attributes (RFC 2865) RADIUS allows proprietary attributes Basic attributes are used for authentication purposes Most other attributes are used in the authorisation process Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility Accounting information is sent within special RADIUS accounting messages ISCW-Mod5_L11 User-Name User-Password (this is the only encrypted entity in RADIUS) CHAP-Password Service-Type Framed-IP-Address © 2007 Cisco Systems, Inc. All rights reserved. 20 TACACS+ Attributes and Features The TACACS+ protocol is much more flexible than the RADIUS communication. TACACS+ protocol permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated TACACS+ messages contain AV-pairs, such as: 1. ACL 2. ADDR 3. CMD 4. Interface-Config 5. Priv-Lvl 6. Route ISCW-Mod5_L11 TACACS+ uses TCP on well-known port number 49 TACACS+ establishes a dedicated TCP session for every AAA action Cisco Secure ACS can use one persistent TCP session for all actions Protocol security includes authentication and encryption of all TACACS+ datagrams © 2007 Cisco Systems, Inc. All rights reserved. 21 TACACS+ Authentication The example shows how TACACS+ exchange starts before the user is prompted for username and password. The prompt text can be supplied by the TACACS+ server. ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 22 TACACS+ Network Authorisation The example shows the process of network authorisation that starts after successful authentication. ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 23 TACACS+ Command Authorisation The example illustrates the command authorisation process that repeatedly starts for every command that requires authorisation (based on command privilege level). ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 24 Configuring the AAA Server These are the first steps in configuring the network access server: ISCW-Mod5_L11 Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands. Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS © 2007 Cisco Systems, Inc. All rights reserved. 25 Configuring the AAA Server TACACS+ RADIUS ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 26 AAA Configuration Commands Command Description aaa new-model Enables AAA on the router. Prerequisite for all other AAA commands. tacacs-server host ipaddress single-connection Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default). tacacs-server key key Establishes the shared secret encryption key between the network access server and the Cisco Secure ACS server. radius-server host ipaddress Specifies a RADIUS AAA server. radius-server key key Specifies an encryption key to be used with the RADIUS AAA server. ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 27 AAA Authentication Commands Router(config)# aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]] • Use this command to configure the authentication process Router(config)#aaa authentication login default group tacacs+ local line ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 28 aaa authentication login Parameters Parameter Description default This command creates a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication. list-name This command creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply the defined list to a specific line or interface. group group-name group radius group tacacs+ These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command). ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 29 aaa authentication login Parameters (Cont.) Parameter Description method2 method3 method4 This command executes authentication methods in the order that the methods are listed. If an authentication method returns an error, such as a timeout, the Cisco IOS software attempts to execute the next method. If the authentication fails, access is denied. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes: n- enable: n- krb5: Uses the enable password for authentication nUses server-group nUses Kerberos Version 5 for authentication n- line: nUses the line password for authentication n- local: n- local-case: Uses the local username and password database for authentication nUses case-sensitive local username authentication n- none: nUses no authentication n- group: ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 30 Configuring AAA Authentication Using TACACS+ Command Description aaa authentication login The default login is TACACS+ server. If there is no default group tacacs+ response from the server, then use the local username local and password database. aaa authentication login Used for character mode username and password my_list group tacacs+ challenge. A new list name, my_list, is defined, and the only method is TACACS+. line con 0 Enters console configuration mode. login authentication my_list Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+. line 1 48 login authentication my_list Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+. line vty 0 4 On lines vty 0 through 4, the default list is used, which in this case specifies the aaa authentication login default tacacs+ local command. ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 31 Character Mode Login Example Router#show running-config ... aaa new-model aaa authentication login default group tacacs+ local aaa authentication login my_list group tacacs+ ... line con 0 line aux 0 line vty 0 4 login authentication my_list • Because the authentication has not been specified for line con 0 and aux 0, the default option is used ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 32 Enabling AAA in SDM ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 33 Confirming the AAA Activation ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 34 Defining RADIUS Servers ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 35 Defining TACACS+ Servers ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 36 Creating a Login Authentication Policy ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 37 Configuring a Login Authentication Policy ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 38 Creating an EXEC Authorisation Policy ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 39 Configuring an EXEC Authorisation Policy ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 40 Creating Local User Accounts ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 41 Configuring VTY Line Parameters ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 42 Applying Authentication Policy to VTY Lines ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 43 Applying Authorisation Policy to VTY Lines ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 44 Verifying AAA Login Authentication Commands aaa new-model ! aaa authentication login default local aaa authentication login radius_local group radius group radius aaa authorization exec default local ! username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1 ! tacacs-server host 10.1.1.10 single-connection key secrettacacs radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius ! line vty 0 4 login authentication radius_local ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 45 Troubleshoot AAA Login Authentication on Cisco Routers Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication The command displays debugging messages on authentication functions router# debug aaa authentication ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 46 ‘AAA Authorization’ Commands The access server can be configured to restrict the user to perform certain functions only after successful authentication Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation Troubleshooting Authorization To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode. Use the no debug aaa authorization form of the command to disable this debug mode. ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 47 ‘AAA Authorization’ Commands router(config)# aaa authorization {network | exec | commands level | config-commands | reverse-access} {default|list-name} method1 [method2...] Example: router(config)#aaa authorization exec default group radius local none ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 48 AAA Accounting Commands Use the aaa accounting command in global configuration mode for auditing and billing purposes.. Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place. The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network. Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing. ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 49 AAA Accounting Commands router(config)# aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius} Example: R2(config)#aaa accounting exec default start-stop group tacacs+ ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 50 AAA Accounting Example R2#show running-config | begin aaa aaa new-model ! aaa authentication login default group tacacs+ local aaa authorization exec default group tacacs+ local aaa accounting exec default start-stop group tacacs+ ... tacacs-server host 10.1.1.3 tacacs-server key SeCrEtKeY ... The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network. The next slide shows a TACACS+ report from Windows ACS ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 51 TACACS+ Reports and Activity ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 52 Troubleshooting Accounting • Use this command to help troubleshoot AAA accounting problems. router# debug aaa accounting R2#debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14 ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 53 ISCW-Mod5_L11 © 2007 Cisco Systems, Inc. All rights reserved. 54