CCNPv5 Module 5 Lesson 9


Implementing Secure Converged Wide Area Networks (ISCW)
ISCW-Mod5_L9
© 2007 Cisco Systems, Inc. All rights reserved.
Configuring SNMP
Lesson 9 – Module 5 – ‘Cisco Device Hardening’
Module Introduction
• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, or that the data does not end up being accessed by the wrong people.
• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
Objectives
• At the completion of this ninth lesson, you will be able to:
– Describe the concepts behind the use of SNMP
– Explain the various SNMP actions
– Explain why the use of SNMP v1 and 2 is not recommended
– Demonstrate how to configure Cisco routers to use SNMPv3
SNMP
• SNMP, the Simple Network Management Protocol, forms part of the Internet protocol suite as defined by the IETF
• SNMP is used by network management systems to monitor network-attached devices for conditions that warrant administrative attention
• It consists of a set of standards for network management, including an Application Layer protocol, a database schema, and a set of data objects
• The current version is SNMPv3
– SNMPv1 and v2 are considered obsolete and are extremely insecure. It is recommended they NOT be used on a publicly attached network
SNMP Components

An SNMP-managed network consists of three key components:
1. Managed devices
2. Agents
3. Network-management systems (NMSs)
1. A managed device is a network node that contains an SNMP agent
and that resides on a managed network. Managed devices collect
and store management information and make this information
available to NMSs using SNMP. Managed devices can be routers
and access servers, switches and bridges, hubs, computer hosts, or
printers.
2. An agent is a network-management software module that resides in
a managed device. An agent has local knowledge of management
information and translates that information into a form compatible
with SNMP.
3. An NMS executes applications that monitor (and possibly control)
managed devices. NMSs provide the bulk of the processing and
memory resources required for network management. One or more
NMSs must exist on any managed network.
Ref: Wikipedia - SNMP
SNMP Managed Network
SNMPv1 and SNMPv2 Architecture
SNMP asks agents embedded in network devices for
information or tells the agents to do something.
SNMP Actions
• The SNMP protocol specifies (in version 1) five core PDUs:
1. GET REQUEST - used to retrieve a piece of management information.
2. GETNEXT REQUEST - used iteratively to retrieve sequences of management information.
3. GET RESPONSE - used by the agent to respond with data to get and set requests from the manager.
4. SET REQUEST - used to initialise and make a change to a value of the network element.
5. TRAP - used to report an alert or other asynchronous event about a managed subsystem.
In SNMPv1, asynchronous event reports are called traps, while they are called notifications in later versions of SNMP.
SNMP Actions
• Other PDUs were added in later versions, including:
– GETBULK REQUEST - a faster iterator used to retrieve sequences of management information.
– INFORM - an acknowledged trap.
• Typically, SNMP uses UDP port 161 for the agent and 162 for the manager. The Manager may send Requests from any available port (source port) to port 161 in the agent (destination port).
• The agent response will be given back to the source port. The Manager will receive traps on port 162.
• The agent may generate traps from any available port.
Community Strings
• SNMPv1 and SNMPv2 use a community string to access router SNMP agents
• SNMP community strings act like passwords
• An SNMP community string is a text string used to authenticate messages between a management station and an SNMP engine
• If the manager sends one of the correct read-only community strings, the manager can get information but NOT set information in an agent
• If the manager uses one of the correct read-write community strings, the manager can get or set information in the agent
Community Strings
• In effect, having read-write access is equivalent to having the enable password!
• SNMP agents accept commands and requests only from SNMP systems that use the correct community string.
• By default, most SNMP systems use a community string of “public”
• If the router SNMP agent is configured to use this commonly known community string, anyone with an SNMP system is able to read the router MIB
• Router MIB variables can point to entities like routing tables and other security-critical components of a router configuration, so it is very important that custom SNMP community strings are created
SNMP Security Models and Levels
Definitions:
• Security model is a security strategy used by the SNMP agent.
• Security level is the permitted level of security within a security model.
Model | Level        | Authentication   | Encryption | Notes
v1    | noAuthNoPriv | Community string | No         | Authenticates with a community string match
v2    | noAuthNoPriv | Community string | No         | Authenticates with a community string match
v3    | noAuthNoPriv | Username         | No         | Authenticates with a username
v3    | authNoPriv   | MD5 or SHA       | No         | Provides HMAC MD5 or SHA algorithms for authentication
v3    | authPriv     | MD5 or SHA       | DES        | Provides HMAC MD5 or SHA algorithms for authentication; provides DES 56-bit encryption in addition to authentication, based on the CBC-DES (DES-56) standard
SNMPv3 Operational Model
SNMPv3 Operational Model
• The concepts of separate SNMP agents and SNMP managers do not apply in SNMPv3
• SNMP combines these concepts into single SNMP entities
• Each managed node and the network management system (NMS) is a single entity
• There are two types of entities, each containing different applications:
– Managed node SNMP entities: The managed node SNMP entity includes an SNMP agent and an SNMP MIB. The agent implements the SNMP protocol and allows a managed node to provide information to the NMS and accept instructions from the NMS. The MIB defines the information that can be collected and used to control the managed node. Information that is exchanged using SNMP takes the form of objects from the MIB
– SNMP NMS entities: The SNMP entity on an NMS includes an SNMP manager and SNMP applications. The manager implements the SNMP protocol and collects information from managed nodes and sends instructions to the nodes. The SNMP applications are software applications used to manage the network
SNMPv3 Features and Benefits
It is strongly recommended that all network management systems use SNMPv3 rather than SNMPv1 or SNMPv2
Features
– Message integrity: Ensures that a packet has not been tampered with in transit
– Authentication: Determines that the message is from a valid source
– Encryption: Scrambles the contents of a packet to prevent the packet from being seen by an unauthorised source
Benefits
– Data can be collected securely from SNMP devices without fear of the data being tampered with or corrupted
– Confidential information, such as SNMP Set command packets that change a router configuration, can be encrypted to prevent the contents from being exposed on the network
Configuring an SNMP Managed Node

These are the four configuration tasks used to set up
SNMPv3 communications on a Cisco IOS router:
1. Configure the SNMP-server engine ID to identify the devices
for administrative purposes
2. Configure the SNMP-server group names for grouping
SNMP users
3. Configure the SNMP-server users to define usernames that
reside on hosts that connect to the local agent
4. Configure the SNMP-server hosts to specify the recipient of
a notification operation (trap or inform)
Configuring the SNMP-Server Engine ID (1)
• To configure a name for either the local or remote SNMP engine on the router, use the snmp-server engineID global configuration command.
• The SNMP engine ID is a unique string used to identify the device for administration purposes.
– An engine ID is not required for the device, as a default string is generated using the Cisco enterprise number (1.3.6.1.4.1.9) and the MAC address of the first interface on the device.
• If an individualised ID is required, do not specify the entire 24-character engine ID if the ID contains trailing zeros.
– Specify only the portion of the engine ID up to the point at which only zeros remain in the value. This portion must be 10 hexadecimal characters or more. For example, to configure an engine ID of 123400000000000000000000, specify snmp-server engineID local 1234000000.
Configuring the SNMP-Server Engine ID (1)
• A remote engine ID must be created when an SNMPv3 inform is configured
• The remote engine ID is used to compute the security digest for authenticating and encrypting packets that are sent to a user on the remote host
– Informs are acknowledged traps. The agent sends an inform to the manager. When the manager receives the inform, the manager sends a response to the agent. Thus, the agent knows that the inform reached the intended destination.
Configuring the SNMP-Server Group Names (2)
• To configure a new SNMP group, or a table that maps SNMP users to SNMP views, use the snmp-server group global configuration command
– This command groups SNMP users that reside on hosts that connect to the local SNMP agent
• An SNMP view is a mapping between SNMP objects and the access rights that are available for those objects
– An object can have different access rights in each view
– Access rights indicate whether the object is accessible by either a community string or a user
Configuring the SNMP-Server Group Names (2)
Router(config)#
snmp-server group groupname {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview] [notify notifyview] [access access-list]
• Configures a new SNMP group or a table that maps SNMP
users to SNMP views
PR1(config)#snmp-server group johngroup v3 auth
PR1(config)#snmp-server group billgroup v3 auth priv
• The top example shows how to define a group johngroup for SNMP v3
using authentication but not privacy (encryption)
• The bottom example shows how to define a group billgroup for SNMP
v3 using both authentication and privacy
Configuring the SNMP-Server Users (3)
• To add a new user to an SNMP group, use the snmp-server user global configuration command
• To configure a user that exists on a remote SNMP device, specify the IP address or port number for the remote SNMP device where the user resides
• Also, before configuring remote users for that device, configure the SNMP engine ID using the command snmp-server engineID with the remote option
• The SNMP engine ID of the remote device is needed to compute the authentication and privacy digests from the password
– If the remote engine ID is not configured first, the configuration command will fail
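The key derivation behind the remote engine ID requirement on this slide and on the earlier "remote engine ID" slide, as an added Python example that is not part of the course material: the password is hashed to Ku and then localized with the engine ID (the MD5 variant of RFC 3414 A.2.1), so without the remote engine ID there is nothing to localize against. The engine ID expansion follows the trailing-zero rule from the engine ID slide; the passwords and engine IDs used in the demo are constructed.

```python
import hashlib

ENGINE_ID_HEX_LEN = 24      # a full IOS engine ID is 24 hex characters (12 bytes)
ENGINE_ID_MIN_HEX_LEN = 10  # IOS requires at least 10 hex characters to be typed


def expand_engine_id(short_id: str) -> bytes:
    """Expand the abbreviated form accepted by 'snmp-server engineID'.

    Trailing zeros may be omitted: '1234000000' stands for
    '123400000000000000000000'. At least 10 hex characters must be given.
    """
    short_id = short_id.strip().lower()
    if not ENGINE_ID_MIN_HEX_LEN <= len(short_id) <= ENGINE_ID_HEX_LEN:
        raise ValueError("engine ID must be 10 to 24 hex characters")
    int(short_id, 16)  # raises ValueError if the string is not hexadecimal
    return bytes.fromhex(short_id.ljust(ENGINE_ID_HEX_LEN, "0"))


def password_to_key_md5(password: bytes) -> bytes:
    """RFC 3414 A.2.1: Ku = MD5 over 1,048,576 bytes of the repeated password."""
    if not password:
        raise ValueError("empty password")
    stream = (password * (1048576 // len(password) + 1))[:1048576]
    return hashlib.md5(stream).digest()


def localize_key_md5(ku: bytes, engine_id: bytes) -> bytes:
    """RFC 3414 A.2.1: Kul = MD5(Ku || engineID || Ku)."""
    return hashlib.md5(ku + engine_id + ku).digest()


def localized_key_for(password: str, engine_id_short: str) -> str:
    """Hex key that an engine with the given (abbreviated) engine ID would use."""
    ku = password_to_key_md5(password.encode())
    return localize_key_md5(ku, expand_engine_id(engine_id_short)).hex()


if __name__ == "__main__":
    # Constructed demo: one password, two engine IDs, two different localized keys.
    for eid in ("1234000000", "5678000000"):
        print(eid, localized_key_for("bill3passwd", eid))
```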
Configuring the SNMP-Server Users (3)
• Configure a new user to an SNMP group
Router(config)#
snmp-server user username groupname [remote ip-address [udp-port port]] {v1 | v2c | v3 [encrypted] [auth {md5 | sha} auth-password [priv des56 priv-password]]} [access access-list]
• The first example (below) shows how to define a user John belonging to the group johngroup. Authentication uses the password john2passwd and no privacy (no encryption) is applied. The second example shows how user Bill, belonging to the group billgroup, is defined using the password bill3passwd and privacy (encryption) is applied
PR1(config)#snmp-server user John johngroup v3 auth md5 john2passwd
PR1(config)#snmp-server user Bill billgroup v3 auth md5 bill3passwd priv des56 password2
PR1(config)#snmp-server group johngroup v3 auth
PR1(config)#snmp-server group billgroup v3 auth priv
Configuring the SNMP-Server Hosts (4)
• To specify the recipient of an SNMP notification operation, use the snmp-server host global configuration command.
snmp-server host host-address [traps | informs] [version {1 | 2c | 3 [auth | noauth | priv]}] community-string [udp-port port] [notification-type]
• SNMP notifications can be sent as traps or inform requests.
– Traps are unreliable because the receiver does not send acknowledgments when it receives traps
– The sender cannot determine if the traps were received
• An SNMP entity that receives an inform request acknowledges the message with an SNMP response PDU.
– Informs consume more computing resources in the agent and in the network.
• If an snmp-server host command is NOT entered, no notifications are sent. To configure the router to send SNMP notifications, at least one snmp-server host command must be entered
– If the command is entered with no keywords, all trap types are enabled for the host.
Configuring the SNMP-Server Hosts (4)
• To be able to send an “inform,” perform these steps:
1. Configure a remote engine ID.
2. Configure a remote user.
3. Configure a group on a remote device.
4. Enable traps on the remote device.
5. Enable the SNMP manager.
Configuring the SNMP-Server Hosts (4)
• Configures the recipient of an SNMP trap operation
Router(config)#
snmp-server host host-address [traps | informs] [version
{1 | 2c | 3 [auth | noauth | priv]}] community-string
[udp-port port] [notification-type]
The example (below) shows how to send configuration informs to the
10.1.1.1 remote host
PR1(config)#snmp-server engineID remote 10.1.1.1 1234
PR1(config)#snmp-server user bill billgroup remote 10.1.1.1 v3
PR1(config)#snmp-server group billgroup v3 noauth
PR1(config)#snmp-server enable traps
PR1(config)#snmp-server host 10.1.1.1 inform version 3 noauth bill
PR1(config)#snmp-server manager
SNMP – Types of Traps
Trap    Description
bgp     Sends Border Gateway Protocol (BGP) state change traps.
config  Sends configuration traps.
hsrp    Sends Hot Standby Router Protocol (HSRP) notifications.
sdlc    Sends Synchronous Data Link Control (SDLC) traps.
snmp    Sends SNMP traps defined in RFC 1157.
syslog  Sends error message traps (Cisco Syslog MIB). Specify the level of messages to be sent with the logging history level command.
tty     Sends Cisco enterprise-specific traps when a TCP connection closes.
x25     Sends X.25 event traps.
SNMPv3 Configuration
• The next slide shows how to configure Cisco IOS routers for SNMPv3.
• The router Trap_sender is configured to send traps to the NMS host with the IP address 172.16.1.1. The traps are encrypted using the credentials that are configured for the local user snmpuser who belongs to the group snmpgroup. The Trap_sender router sends traps that are related to CPU, configuration, and SNMP. The trap packets are sourced from the router loopback 0 interface
• The router Walked_device is configured so that the NMS host can read the MIBs on the local device. The NMS server needs to use the username credentials that are configured on the Walked_device (snmpuser with respective authentication and encryption passwords) to gain access to the SNMP information of the router
SNMPv3 Configuration Example
Trap_sender(config)#snmp-server group snmpgroup v3 auth
Trap_sender(config)#snmp-server group snmpgroup v3 priv
Trap_sender(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
Trap_sender(config)#snmp-server enable traps cpu
Trap_sender(config)#snmp-server enable traps config
Trap_sender(config)#snmp-server enable traps snmp
Trap_sender(config)#snmp-server host 172.16.1.1 traps version 3 priv snmpuser
Trap_sender(config)#snmp-server source-interface traps loopback 0
Walked_device(config)#snmp-server group snmpgroup v3 auth
Walked_device(config)#snmp-server group snmpgroup v3 priv
Walked_device(config)#snmp-server user snmpuser snmpgroup v3 auth md5 authpassword priv des56 encryptpassword
Configuring the NTP Client
Lesson 10 – Module 5 – ‘Cisco Device Hardening’
Objectives
• At the completion of this tenth lesson, you will be able to:
– Explain how a router maintains an accurate time
– Describe NTP and how it is configured
– Configure NTP on a router as a server and a client
– Associate with NTP servers
Understanding NTP
“Time has been invented in the universe so that everything would not happen at once”
‘The NTP FAQ and HOWTO’ - http://www.ntp.org/ntpfaq/
• Many features in a computer network depend on time synchronisation, such as accurate time information in syslog messages, certificate-based authentication in VPNs, ACLs with time range configuration, and key rollover in routing protocol authentication (EIGRP and RIP)
• Most Cisco routers have two clocks: a battery-powered system calendar in the hardware and a software-based system clock
• These two clocks are managed separately
System Clock
• The heart of the router time service is the software-based system clock
• This clock starts to keep track of time from the moment the system starts
• The system clock can be set from a number of sources and can be used to distribute the current time through various mechanisms to other systems
• When a router with a system calendar is initialised or rebooted, the system clock is set based on the time in the internal battery-powered system calendar
• The system clock can then be set manually or by using the Network Time Protocol (NTP) - an Internet protocol used to synchronise the clocks of network connected devices to some time reference
– NTP is an Internet standard protocol currently at v3 and specified in RFC 1305
UTC - GMT
• UTC (Temps Universel Coordonné or, in English, Coordinated Universal Time) is an official standard for the current time.
• UTC evolved from the former GMT (Greenwich Mean Time) that was previously used to accurately set the clocks on sailing ships before they left London for a long journey (very important to determine longitude and avoid navigational embarrassment…)
• Later GMT was adopted as the world's standard time. It has now been replaced by UTC.
– One of the reasons that GMT has been replaced as official standard time was the fact that it was based on the mean solar time. Newer methods of time measurement showed that the mean solar time varied appreciably.
• The main components of UTC:
– Universal means that the time can be used everywhere in the world; it is independent from time zones (i.e. it's not local time). To convert UTC to local time, add or subtract the local time zone.
– Coordinated means that several institutions contribute their estimate of the current time, and UTC is built by combining these estimates.
– The UTC second has been defined by the 13th General Conference of Weights and Measures in 1967 as "The second is the duration of 9,192,631,770 periods of the radiation corresponding to the transition between the two hyperfine levels of the ground state of the cesium-133 atom."
Authoritative Time
• In a router, the system clock keeps track of time internally based on UTC (which, despite the comment in the curriculum, is not technically the same as GMT…)
• Information can be configured about the local time zone and daylight savings time so that the time appears correctly relative to the local time zone
• The system clock keeps track of whether the time is “authoritative” or not (that is, whether the time has been set by a time source that is considered to be “authoritative”)
• If the time is NOT considered authoritative, the time is available only for display purposes and is not redistributed within the network
NTP
• NTP is a protocol designed to time-synchronise a network of machines. NTP runs over UDP, which in turn runs over IP
• An NTP network usually obtains the time from an authoritative time source, such as a radio clock or an atomic clock attached to a time server. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronise two machines to within 1 ms of one another
– As of early 2007, NTP v4 has not completed IETF standardisation. RFC 1305 documents NTP v3
– Cisco devices support only the RFC specification of NTPv3
• NTP uses the concept of a “stratum” to describe how many NTP “hops” away a machine is from an authoritative time source
• A “stratum 1” time server typically has a radio or atomic clock directly attached to the server; a “stratum 2” time server receives the time via NTP from a “stratum 1” time server, and so on.
– A machine that runs NTP automatically chooses the machine with the lowest stratum number to communicate with via NTP as the machine’s time source
– This strategy effectively builds a self-organising tree of NTP speakers
NTP
• NTP is careful to avoid synchronising to a machine whose time may not be accurate. NTP avoids doing so in two ways:
1. NTP never synchronises to a machine that is not synchronised itself
2. NTP compares the time that is reported by several machines and does not synchronise to a machine whose time is significantly different than the others, even if the machine’s stratum number is lower
• The communications (known as “associations”) between machines that run NTP are usually statically configured; each machine is given the IP address of all machines with which the machine should form associations
• Accurate timekeeping is possible by exchanging NTP messages between each pair of machines with an association
• In a LAN environment, NTP can be configured to use IP broadcast messages instead
– This alternative reduces configuration complexity because each machine can be configured to send or receive broadcast messages.
– However, the accuracy of timekeeping is marginally reduced because the information flow is one-way only
NTP Security
• The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time
• Two mechanisms are available:
1. an ACL-based restriction scheme
2. an encrypted authentication mechanism.
• Time service for a network should be derived from the public NTP servers that are available on the Internet
– If the network is isolated from the Internet, the Cisco implementation of NTP allows a machine to be configured so that the machine acts as though the machine is synchronised via NTP when in fact the machine has determined the time using other means.
– Other machines then synchronise to that machine via NTP
NTP Association
• When multiple sources of time (e.g., manual configuration) are available, NTP is always considered to be more authoritative
• NTP time overrides the time set by any other method
• An NTP association can be a peer association (this system is willing to either synchronise to the other system or to allow the other system to synchronise to it), or the association can be a server association (only this system will synchronise to the other system, and not vice versa)
NTP Basic Features - Overview
• A collected overview of NTP features:
– NTP needs some reference clock that defines the true time to operate. All clocks are set towards that true time. (It will not just make all systems agree on some time, but will make them agree upon the true time as defined by some standard)
– NTP uses UTC as reference time (NOT GMT…)
– NTP is a fault-tolerant protocol that will automatically select the best of several available time sources to synchronise to. Multiple candidates can be combined to minimise the accumulated error. Temporarily or permanently insane time sources will be detected and avoided
– NTP is highly scalable. A synchronisation network may consist of several reference clocks. Each node of such a network can exchange time information either bidirectionally or unidirectionally. Propagating time from one node to another forms a hierarchical graph with reference clocks at the top
– Having several time sources available, NTP can select the best candidates to build its estimate of the current time. The protocol is highly accurate, using a resolution of less than a nanosecond (about 2^-32 seconds)
– Even when a network connection is temporarily unavailable, NTP can use measurements from the past to estimate current time and error
– For formal reasons NTP will also maintain estimates for the accuracy of the local time
Configuring NTP Authentication
• NTP services are enabled on all interfaces by default.
– To disable NTP on a specific interface, use the ntp disable command in the interface configuration mode.
• To authenticate the associations with other systems for security purposes, use the commands in the “NTP Authentication Commands” table (see next slide)
NTP Authentication Commands
Command: ntp authenticate
Description: Enables the NTP authentication feature. If this command is specified, the system will not synchronize to a system unless the system’s NTP messages carry one of the authentication keys that you specify in the ntp trusted-key global configuration command.

Command: ntp authentication-key number md5 value
Description: Defines an authentication key. Message authentication support is provided using the MD5 algorithm. The key type md5 is currently the only key type that this command supports. The key value can be any arbitrary string of up to eight characters.

Command: ntp trusted-key key-number
Description: Defines trusted authentication keys.

The first command enables the NTP authentication feature. The second command defines each of the authentication keys. Each key has a key number, a type, and a value. Currently the only key type supported is md5. Finally, a list of trusted authentication keys is defined. If a key is trusted, this system is ready to synchronise to a system that uses this key in the system’s NTP packets
Configuring NTP Authentication
Router(config)#
ntp authenticate
• Enables the authentication feature
Router(config)#
ntp authentication-key number md5 value
• Defines the authentication keys
• Used for both peer and server associations
Router(config)#
ntp trusted-key key-number
• Defines the trusted authentication keys
• Required to synchronise to a system (server association)
R1(config)#ntp authenticate
R1(config)#ntp authentication-key 1 md5 NeVeRgUeSs
R1(config)#ntp trusted-key 1
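How a receiving system with ntp authenticate applies these three commands, as an added Python example that is not from the course material: the NTPv3 authenticator (RFC 1305 Appendix C) is a 32-bit key identifier followed by MD5 over the key and the 48-byte header, and a packet is accepted only if its key id is in the trusted-key list and the digest verifies against the key defined by ntp authentication-key. The key table and packet are constructed; key 2 is defined but deliberately left out of the trusted list.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
AUTHENTICATOR_LEN = 4 + 16  # key identifier + MD5 digest


def build_ntp_header(version: int = 3, mode: int = 3, transmit_ts: int = 0) -> bytes:
    """Minimal 48-byte NTP header: LI=0, given version and mode, transmit timestamp."""
    first = (0 << 6) | (version << 3) | mode
    return struct.pack("!B3x36xQ", first, transmit_ts)


def ntp_digest(key: bytes, header: bytes) -> bytes:
    """RFC 1305 Appendix C keyed digest: MD5(key || 48-byte header)."""
    return hashlib.md5(key + header).digest()


def sign_ntp(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append the authenticator (key id + digest) to a 48-byte header."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("header must be 48 bytes")
    return header + struct.pack("!I", key_id) + ntp_digest(key, header)


def verify_ntp(packet: bytes, keys: dict, trusted: set) -> bool:
    """Decide whether a system with 'ntp authenticate' would accept this packet.

    keys    maps key number -> key value ('ntp authentication-key N md5 VALUE')
    trusted is the set of key numbers listed with 'ntp trusted-key'
    """
    if len(packet) != NTP_HEADER_LEN + AUTHENTICATOR_LEN:
        return False  # unauthenticated or malformed: never used for synchronisation
    header, auth = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", auth[:4])[0]
    if key_id not in trusted or key_id not in keys:
        return False  # key unknown, or defined but not trusted
    expected = ntp_digest(keys[key_id], header)
    return hmac.compare_digest(expected, auth[4:])


if __name__ == "__main__":
    # Constructed key table mirroring the slide: key 1 trusted, key 2 defined only.
    keys = {1: b"NeVeRgUeSs", 2: b"otherkey"}
    trusted = {1}
    header = build_ntp_header(transmit_ts=0xE4A0000000000000)
    print("key 1:", verify_ntp(sign_ntp(header, 1, keys[1]), keys, trusted))
    print("key 2:", verify_ntp(sign_ntp(header, 2, keys[2]), keys, trusted))
```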
Configuring NTP Associations
• To configure a router as an NTP client, either create an association to a server or configure the router to listen to NTP broadcast packets.
– ntp server: Although the router can be configured with either a peer or a server association, NTP clients are typically configured with a server association (meaning that only this system will synchronise to the other system, and not vice versa).
– To allow the software clock to be synchronised by an NTP time server, use the ntp server command in global configuration mode.
• ntp broadcast client: In addition to or instead of creating unicast NTP associations, the system can be configured to listen to broadcast packets on an interface-by-interface basis
– To do this, use the ntp broadcast client command in interface configuration mode
Configuring NTP Associations
Router(config)#
ntp server {ip-address | hostname} [version number] [key
keyid] [source interface] [prefer]
• Forms a server association with another system
Router(config-if)#
ntp broadcast client
• Receives NTP broadcast packets
R1(config)#ntp server 10.1.1.1 key 1
R1(config)#ntp server 10.2.2.2 key 2 prefer
R1(config)#interface Fastethernet 0/1
R1(config-if)#ntp broadcast client
Configuring Additional NTP Options
• To control access to NTP services, in addition to packet authentication, an NTP access group can be created and a basic IP ACL applied to it
• To control access to NTP services, use the ntp access-group command in global configuration mode
• The access group options are scanned in the following order, from least restrictive to most restrictive:
1. peer: Allows time requests and NTP control queries and allows the system
to synchronise itself to a system whose address passes the ACL criteria.
This option is used in scenarios where either the local or the remote system
can become the NTP source
2. serve: Allows time requests and NTP control queries but does not allow the
system to synchronise itself to a system whose address passes the ACL
criteria. This option lets you filter IP addresses of systems that can become
clients of the local system from which NTP control queries will be permitted
3. serve-only: Allows only time requests from a system whose address passes
the ACL criteria. This option lets you filter IP addresses of systems that can
become clients of the local system from which NTP control queries will be
denied
4. query-only: Allows only NTP control queries from a system whose address
passes the ACL criteria
Configuring Additional NTP Options
• If the source IP address matches the ACLs for more than one access type, the first access type that is listed is granted. If no access groups are specified, all access types are granted to all systems. If any access groups are specified, only the specified access types are granted
• When the system sends an NTP packet, the source IP address is normally set to the address of the interface through which the NTP packet is sent. Use the ntp source command in global configuration mode to configure a specific interface from which the IP source address will be taken
• ntp source interface
This interface is used for the source address for all packets sent to all destinations. If a source address is to be used for a specific association, use the source parameter on the ntp peer or ntp server command
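The access-group evaluation described above, as an added example that is not part of the lesson or of IOS: a small Python model of the scan order (peer, serve, serve-only, query-only), the first-match rule, and the case where no access groups are configured. The wildcard-mask ACL matching and the constructed policy (a peer ACL for the upstream source, a serve-only ACL for the client subnet) are assumptions made for the example.

```python
import ipaddress

# Scan order used for ntp access-group, least to most restrictive (from the lesson).
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# What each access type permits, as described in the lesson text.
RIGHTS = {
    "peer":       frozenset({"time-request", "control-query", "sync-to-remote"}),
    "serve":      frozenset({"time-request", "control-query"}),
    "serve-only": frozenset({"time-request"}),
    "query-only": frozenset({"control-query"}),
}
ALL_RIGHTS = frozenset().union(*RIGHTS.values())


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def acl_permits(acl, src):
    """Evaluate a standard IP ACL given as (action, address, wildcard) entries.
    First matching entry wins; no match means the implicit deny at the end."""
    s = _to_int(src)
    for action, address, wildcard in acl:
        mask = 0xFFFFFFFF ^ _to_int(wildcard)   # wildcard bits are "don't care"
        if (s & mask) == (_to_int(address) & mask):
            return action == "permit"
    return False


def ntp_rights(access_groups, src):
    """Return the set of NTP actions granted to src.

    access_groups maps an access type ("peer", "serve", ...) to its ACL.
    With no access groups configured, every type is granted to every system;
    otherwise the first type in scan order whose ACL permits src decides, and a
    system that passes none of the configured ACLs gets nothing."""
    if not access_groups:
        return ALL_RIGHTS
    for kind in SCAN_ORDER:
        acl = access_groups.get(kind)
        if acl is not None and acl_permits(acl, src):
            return RIGHTS[kind]
    return frozenset()


# Constructed example policy (an assumption for this example), equivalent to:
#   access-list 10 permit host 10.1.1.1
#   access-list 20 permit 10.2.0.0 0.0.255.255
#   ntp access-group peer 10
#   ntp access-group serve-only 20
UPSTREAM_ONLY = [("permit", "10.1.1.1", "0.0.0.0")]
CLIENT_SUBNET = [("permit", "10.2.0.0", "0.0.255.255")]
POLICY = {"peer": UPSTREAM_ONLY, "serve-only": CLIENT_SUBNET}

if __name__ == "__main__":
    for host in ("10.1.1.1", "10.2.5.5", "10.9.9.9"):
        print(host, sorted(ntp_rights(POLICY, host)))
```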
Implementing the NTP Server
• Cisco IOS routers work as an NTP server by default.
• As soon as a router is synchronised to an authoritative time source, the router allows peers with lower stratum to synchronise to that router:
Requires a peer association
• You can make a router an authoritative NTP server, even if the system is not synchronised to an outside time source.
• Two options to establish a peer association:
1. Unicast
2. Broadcast
• Same exchange control methods as those used with the client:
Packet authentication
Access group filtering
Configuring the NTP Server
Router(config)#
ntp peer ip-address [normal-sync] [version number] [key keyid] [source interface] [prefer]
• Forms a peer association with another system
Router(config)#
ntp master [stratum]
• Makes the system an authoritative NTP server
Router(config-if)#
ntp broadcast [version number][destination address][key keyid]
• Configures an interface to send NTP broadcast packets
R2(config)#ntp peer 10.1.1.1 key 1
R2(config)#ntp master 3
R2(config)#interface Fastethernet0/0
R2(config-if)#ntp broadcast
NTP Configuration Example
Source(config)#ntp master 5
Source(config)#ntp authentication-key 1 md5 secretsource
Source(config)#ntp peer 172.16.0.2 key 1
Source(config)#ntp source loopback 0
Intermediate(config)#ntp authentication-key 1 md5 secretsource
Intermediate(config)#ntp authentication-key 2 md5 secretclient
Intermediate(config)#ntp trusted-key 1
Intermediate(config)#ntp server 172.16.0.1
Intermediate(config)#ntp source loopback 0
Intermediate(config)#interface Fastethernet0/0
Intermediate(config-if)#ntp broadcast
Client(config)#ntp authentication-key 1 md5 secretclient
Client(config)#ntp trusted-key 1
Client(config)#interface Fastethernet0/1
Client(config-if)#ntp broadcast client
Configuring AAA on Cisco Routers
Lesson 11 – Module 5 – ‘Cisco Device Hardening’
Objectives
• At the completion of this eleventh lesson, you will be able to:
Describe what is meant by the term ‘triple A’
Explain how and why AAA should be used to secure router and switch access
Configure AAA using the IOS CLI and SDM
Describe the use of external AAA servers, including a brief overview of CSACS
Authentication, Authorisation & Accounting
• It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components, also known as AAA:
1. authentication,
2. authorisation, and
3. accounting
• These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components
• Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data
• Using a Cisco AAA architecture enables consistent, systematic and scalable access security
The Three Components of AAA
• Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption
• Authorisation
Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
• Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
Authentication
• Authentication is the way a user is identified prior to being allowed access to the network and network services
• AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces
• The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed
The only exception is the default method list (“default”). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.
• All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA
Authorisation
• Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
• AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform
• These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions
The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server
• As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces
Accounting
• Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting: user identities, start and stop times, executed commands, number of packets, and number of bytes
• Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming
• With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records
• Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing
• All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces
Access Control
• In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions
• If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server
• Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA
Implementing AAA
• Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:
1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication)
2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication
3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication
• There are also open source AAA servers available that work in conjunction with Cisco IOS devices
Implementing AAA
Administrative access: Console, Telnet, and AUX access
Remote user network access: Dialup or VPN access
Router Access Modes
• All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA.)
If the query is presented as Service-Type = Exec-User, the query is presented in character mode
If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is presented in packet mode
• Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method
• Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements.
• With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server
AAA Protocols: RADIUS and TACACS+
• The best-known and most widely used AAA protocols are TACACS+ and RADIUS
• TACACS+ and RADIUS have different features that make them suitable for different situations
• RADIUS is maintained by a standard that was created by the IETF
• TACACS+ is a proprietary Cisco Systems technology that encrypts data
TACACS+ runs over TCP; RADIUS runs over UDP
• TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot
Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos
RADIUS Features
• RADIUS is an IETF standard protocol (RFC 2865)
• Standard attributes can be augmented by proprietary attributes:
Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS
• Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default)
• It includes only two security features:
1. Encryption of passwords (MD5 encryption)
2. Authentication of packets (MD5 fingerprinting)
• Authorisation is only possible as part of authentication
RADIUS Authentication and
Authorisation
The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password.
The ACS can reply with an Access-Accept message, or Access-Reject if authentication is not successful.
RADIUS Messages
• There are four types of messages involved in a RADIUS authentication exchange:
1. Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port
2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
3. Access-Accept: The positive answer if the user information is valid
4. Access-Reject: Sent as a negative reply if the user information is invalid
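An added example, not from the lesson or from Cisco, of the two RADIUS security features the previous slides list, written in Python from RFC 2865: the User-Password hiding that leaves every other attribute (such as User-Name) readable on the wire, and the Response Authenticator that lets the NAS check an Access-Accept or Access-Reject. The packet builder, the user `joe` and the shared secret `secretradius` (borrowed from the lesson's later configuration) are constructed for the example, and reply attributes are omitted.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and the two attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2


def hide_password(secret, request_auth, password):
    """RFC 2865 section 5.2: NUL-pad the password to 16-byte chunks and XOR each
    chunk with MD5(secret + previous block); the first "previous block" is the
    Request Authenticator. Only this attribute is hidden, nothing else is."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_stream))
        out += chunk
        prev = chunk                     # chaining: next block keyed by this ciphertext
    return out


def reveal_password(secret, request_auth, hidden):
    """Inverse of hide_password (what the server does); trailing NUL padding removed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key_stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Attributes are type/length/value; the length counts its two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(packet):
    """Read the attribute list with no key at all: this is what a sniffer sees."""
    attrs, pos = {}, 20
    while pos < len(packet):
        t, length = struct.unpack("!BB", packet[pos:pos + 2])
        attrs[t] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def access_request(secret, ident, username, password, request_auth=None):
    """NAS side. The Request Authenticator must be fresh and unpredictable per request."""
    request_auth = request_auth or os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(secret, request_auth, password))])
    return build_packet(ACCESS_REQUEST, ident, request_auth, body), request_auth


def response_authenticator(code, ident, request_auth, body, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    the "MD5 fingerprint" that ties a reply to one request and to the shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def server_reply(secret, request, accept):
    """Server side: answer an Access-Request with Access-Accept or Access-Reject."""
    ident, request_auth = request[1], request[4:20]
    code = ACCESS_ACCEPT if accept else ACCESS_REJECT
    body = b""                               # reply attributes omitted in this example
    auth = response_authenticator(code, ident, request_auth, body, secret)
    return build_packet(code, ident, auth, body)


def verify_reply(secret, reply, request_auth):
    """NAS side: recompute the Response Authenticator. A wrong secret, a reply for a
    different request, or a changed code or attribute all fail this check."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    body = reply[20:length]
    expected = response_authenticator(code, ident, request_auth, body, secret)
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"secretradius"                 # shared key from the lesson's example config
    req, ra = access_request(secret, 7, b"joe", b"cisco123")
    print("User-Name visible on the wire:", parse_attrs(req)[USER_NAME])
    print("server recovers:", reveal_password(secret, ra, parse_attrs(req)[USER_PASSWORD]))
    print("reply verified:", verify_reply(secret, server_reply(secret, req, True), ra))
```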
RADIUS AV Pairs
• RADIUS messages contain zero or more AV-pairs, for example:
1. User-Name
2. User-Password (this is the only encrypted entity in RADIUS)
3. CHAP-Password
4. Service-Type
5. Framed-IP-Address
• There are approximately 50 standards-based attributes (RFC 2865)
• RADIUS allows proprietary attributes
• Basic attributes are used for authentication purposes
• Most other attributes are used in the authorisation process
• Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility
• Accounting information is sent within special RADIUS accounting messages
TACACS+ Attributes and Features
• The TACACS+ protocol is much more flexible than RADIUS communication. The TACACS+ protocol permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated
• TACACS+ messages contain AV-pairs, such as:
1. ACL
2. ADDR
3. CMD
4. Interface-Config
5. Priv-Lvl
6. Route
• TACACS+ uses TCP on well-known port number 49
• TACACS+ establishes a dedicated TCP session for every AAA action
• Cisco Secure ACS can use one persistent TCP session for all actions
• Protocol security includes authentication and encryption of all TACACS+ datagrams
TACACS+ Authentication
The example shows how the TACACS+ exchange starts before the user is prompted for a username and password.
The prompt text can be supplied by the TACACS+ server.
TACACS+ Network Authorisation
The example shows the process of network authorisation that
starts after successful authentication.
TACACS+ Command Authorisation
The example illustrates the command authorisation process that
repeatedly starts for every command that requires authorisation
(based on command privilege level).
Configuring the AAA Server
• These are the first steps in configuring the network access server:
1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
2. Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server
3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS
Configuring the AAA Server
(Figure: TACACS+ and RADIUS server configuration examples)
AAA Configuration Commands
Command – Description
aaa new-model – Enables AAA on the router. Prerequisite for all other AAA commands.
tacacs-server host ip-address single-connection – Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default).
tacacs-server key key – Establishes the shared secret encryption key between the network access server and the Cisco Secure ACS server.
radius-server host ip-address – Specifies a RADIUS AAA server.
radius-server key key – Specifies an encryption key to be used with the RADIUS AAA server.
AAA Authentication Commands
Router(config)#
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]
• Use this command to configure the authentication process
Router(config)#aaa authentication login default group tacacs+ local line
aaa authentication login Parameters
Parameter – Description
default – Creates a default list that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication.
list-name – Creates a list, with a name of your choosing, that is applied explicitly to a line or interface using the method or methods specified. This defined list overrides the default when you apply the defined list to a specific line or interface.
group group-name, group radius, group tacacs+ – These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).
aaa authentication login Parameters (Cont.)
Parameter – Description
method2, method3, method4 – Authentication methods are executed in the order that the methods are listed. If an authentication method returns an error, such as a timeout, the Cisco IOS software attempts to execute the next method. If the authentication fails, access is denied. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes:
- enable: Uses the enable password for authentication
- krb5: Uses Kerberos Version 5 for authentication
- line: Uses the line password for authentication
- local: Uses the local username and password database for authentication
- local-case: Uses case-sensitive local username authentication
- none: Uses no authentication
- group: Uses a server group
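The method-list walk described above (an error moves on to the next method, a failure denies), as an added Python model that is not part of the lesson or of IOS; the same walk applies to authorization lists such as the `group radius local none` example later in this lesson. The TACACS+ and local user stores are constructed, and treating a username unknown to `local` as an error rather than a failure is an assumption of this model.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (timeout, server unreachable)


def run_method_list(method_list, methods, username, password):
    """Walk a method list the way the lesson describes: an ERROR moves on to the
    next method, a FAIL denies access immediately, a PASS grants it, and a list
    exhausted without an answer denies. Returns (granted, deciding method)."""
    for name in method_list:
        outcome = methods[name](username, password)
        if outcome is Outcome.PASS:
            return True, name
        if outcome is Outcome.FAIL:
            return False, name
        # Outcome.ERROR: try the next method in the list
    return False, None


def server_group(reachable, users):
    """Constructed stand-in for 'group tacacs+' or 'group radius': an unreachable
    server is an ERROR, a reachable server that rejects the user is a FAIL."""
    def method(username, password):
        if not reachable:
            return Outcome.ERROR
        return Outcome.PASS if users.get(username) == password else Outcome.FAIL
    return method


def local_database(users):
    """Constructed stand-in for 'local'. Assumption of this model: a username not in
    the local database is an ERROR (next method), a wrong password is a FAIL."""
    def method(username, password):
        if username not in users:
            return Outcome.ERROR
        return Outcome.PASS if users[username] == password else Outcome.FAIL
    return method


def none_method(username, password):
    """'none' asks nothing and always passes: once every method before it has
    errored out (for example, an unreachable server), anyone gets in."""
    return Outcome.PASS


# Constructed user stores: the AAA server knows alice, the router's local database knows joe.
SERVER_USERS = {"alice": "Tac-Pw-1"}
LOCAL_USERS = {"joe": "Loc-Pw-1"}


def decide(method_list, server_up, username, password):
    """Evaluate a login list such as 'group tacacs+ local' against the constructed stores."""
    methods = {
        "group tacacs+": server_group(server_up, SERVER_USERS),
        "local": local_database(LOCAL_USERS),
        "none": none_method,
    }
    return run_method_list(method_list, methods, username, password)


DEFAULT_LIST = ["group tacacs+", "local"]  # the lesson's 'aaa authentication login default'

if __name__ == "__main__":
    print(decide(DEFAULT_LIST, True, "joe", "Loc-Pw-1"))     # server up and rejects: local never asked
    print(decide(DEFAULT_LIST, False, "joe", "Loc-Pw-1"))    # server down: falls back to local
    print(decide(DEFAULT_LIST + ["none"], False, "x", "x"))  # trailing none with the server down
```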
Configuring AAA Authentication Using TACACS+
Command – Description
aaa authentication login default group tacacs+ local – The default login is the TACACS+ server. If there is no response from the server, then use the local username and password database.
aaa authentication login my_list group tacacs+ – Used for character mode username and password challenge. A new list name, my_list, is defined, and the only method is TACACS+.
line con 0 – Enters console configuration mode.
login authentication my_list – Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+.
line 1 48 / login authentication my_list – Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+.
line vty 0 4 – On lines vty 0 through 4, the default list is used, which in this case specifies the aaa authentication login default group tacacs+ local command.
Character Mode Login Example
Router#show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
login authentication my_list
• Because the authentication has not been specified for line
con 0 and aux 0, the default option is used
SDM screenshot slides (titles only):
Enabling AAA in SDM
Confirming the AAA Activation
Defining RADIUS Servers
Defining TACACS+ Servers
Creating a Login Authentication Policy
Configuring a Login Authentication Policy
Creating an EXEC Authorisation Policy
Configuring an EXEC Authorisation Policy
Creating Local User Accounts
Configuring VTY Line Parameters
Applying Authentication Policy to VTY Lines
Applying Authorisation Policy to VTY Lines
Verifying AAA Login Authentication Commands
aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
login authentication radius_local
Troubleshoot AAA Login Authentication on Cisco Routers
• Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication
• The command displays debugging messages on authentication functions
router#
debug aaa authentication
‘AAA Authorization’ Commands
• The access server can be configured to restrict the user to perform certain functions only after successful authentication
• Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation
• Troubleshooting Authorization
To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode. Use the no debug aaa authorization form of the command to disable this debug mode.
‘AAA Authorization’ Commands
router(config)#
aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2...]
Example:
router(config)#aaa authorization exec default group radius local none
AAA Accounting Commands
• Use the aaa accounting command in global configuration mode for auditing and billing purposes.
• Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place.
• The Cisco Secure ACS serves as a central repository for accounting information, completing the access control functionality.
Accounting tracks events that occur on the network.
• Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.
AAA Accounting Commands
router(config)#
aaa accounting {command level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}
Example:
R2(config)#aaa accounting exec default start-stop group tacacs+
AAA Accounting Example
R2#show running-config | begin aaa
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host 10.1.1.3
tacacs-server key SeCrEtKeY
...
The Cisco Secure ACS serves as a central repository for accounting
information by completing the access control functionality. Accounting
tracks events that occur on the network. The next slide shows a
TACACS+ report from Windows ACS
TACACS+ Reports and Activity
Troubleshooting Accounting
• Use this command to help troubleshoot AAA accounting
problems.
router#
debug aaa accounting
R2#debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54
elapsed_time=14