Chapter 12 - YSU Computer Science & Information Systems


S6C12 - AAA
AAA Facts
AAA Defined
• Authentication, Authorization, and Accounting
• Central Management of AAA
– Information in a single, centralized, secure database
• Easier to administer
• Permits access control from a central database
– Access server and network access server (NAS) both refer
to a router connected to the "edge" of a network.
• This router allows outside users to access the network
Authentication
• Authentication asks the question, "Who are you?"
• Determines who the user is
• Determines if the user should be allowed access
• Bars intruders from networks
– May use a simple database of users and passwords
– Can use one-time passwords
Why Use AAA for Authentication?
• AAA provides scalability.
• Supports standardized security protocols, namely
Terminal Access Controller Access Control
System Plus (TACACS+), Remote Authentication
Dial-In User Service (RADIUS), and Kerberos
• Allows you to configure multiple backup systems.
– For example, you can configure an access server to
consult a security server first and a local database
second
Authorization
• Asks the question, "What privileges do you
have?"
• Determines what user is allowed to do
• Network managers can limit which network
services are available to each user
• Limits commands a new network
administrator may issue on corporate NAS
or routers
Accounting
• Asks the questions, "What did you do and
when did you do it?"
• Tracks what user did and when they did it
• Can be used as audit trail
• Can be used for billing connection time or
resources used
TACACS+
• PROTOCOL
– Designed to allow effective communications of AAA
information between NAS and central server
– Uses TCP for reliable connections between client and
servers
– NAS sends authentication and authorization requests &
accounting information to TACACS+ server
– Shifts the authentication logic and policy out of Cisco IOS on the
NAS and into the database and server software
• Provides centralized validation of users
attempting to gain access to a router or network
access server
RADIUS
• Developed by Livingston Enterprises, Inc.
– Secures remote access to networks and network
services against unauthorized access
• Protocol with frame format; utilizes UDP/IP
• A Server
– Authenticates, authorizes, accounts
– Runs on customer site
• A Client
– Resides in dial-up access servers
– Distributed throughout network
Kerberos
• A secret-key network authentication protocol used
with AAA that uses the Data Encryption Standard
(DES) cryptographic algorithm for encryption and
authentication
– Designed to authenticate requests for network
resources.
– Based on the concept of a trusted third party that
performs secure verification of users and services.
– a trusted Kerberos server issues tickets to users
• can be used in place of the standard username and password
authentication mechanism
How RADIUS Client/Server Works
• NAS operates as client of RADIUS
• Client passes user information to designated
RADIUS server
• RADIUS server receives request,
authenticates and returns necessary
configuration
• RADIUS server can act as proxy client for
other kinds of authentication servers
RADIUS and Network Security
• Transactions authenticated through use of
shared secret (never sent over network)
• User passwords are encrypted between
client and RADIUS server
• Supports a variety of methods to
authenticate user
– PAP, CHAP, UNIX login, et al.
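As an added example that is not part of these slides, the Python below implements the RFC 2865 User-Password hiding behind the "passwords are encrypted between client and RADIUS server" bullet, and the Response Authenticator that lets the NAS check a reply was produced by a server holding the shared secret. The secret "superman" (taken from the closing slide), the fixed Request Authenticator and the password are constructed sample values.

```python
import hashlib


def _blocks(n):
    # number of 16-octet blocks needed; RFC 2865 sends at least one
    return max(1, -(-n // 16))


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding, as done by the NAS (RADIUS client).
    The password is XORed with an MD5 keystream derived from the shared
    secret and the 16-octet Request Authenticator; the secret itself is
    never placed in the packet, only the hash of it."""
    assert len(request_auth) == 16
    padded = password.ljust(16 * _blocks(len(password)), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()          # b_i = MD5(S + c_{i-1})
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out, prev = out + c, c
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same keystream, chained on the received
    ciphertext blocks, and strip the NUL padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, hashlib.md5(secret + prev).digest()))
        prev = c
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: the server hashes the shared secret into its reply; the
    NAS recomputes this and discards an Access-Accept whose authenticator
    does not match, so a reply from a party without the secret is rejected."""
    length = 20 + len(attrs)                               # 20-octet header + attributes
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()
```

Note that this is MD5-based obfuscation with a per-request keystream rather than modern authenticated encryption, which is why RADIUS deployments rely on the shared secret's strength and on keeping the NAS-to-server path private.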
Cisco Access Secure Server
• Specialized security software that runs on
Windows NT/2000 and Unix
– simplifies and centralizes control for all user
authentication, authorization, and accounting
– can distribute the AAA information to hundreds or even
thousands of access points in a network
– uses either the TACACS+ or the RADIUS protocol to
provide this network security and tracking
– also acts as a central repository for accounting
information
Configuring AAA
• Enable AAA
– aaa new-model
• Tell NAS where to locate the server
– tacacs-server host ip-address
– tacacs-server host ip-address (second server)
– Two servers provide redundancy
• Set encryption key
– tacacs-server key key
• Tell which TACACS+ features to use
– Next Slide
Configuration Process
• follow a three-step process for each AAA
authentication command, as shown in
– Specify the authentication type (login, enable, PPP,
etc.).
– Specify the method list as default or give it a name.
– List the authentication methods to be tried, in order.
• Router(config)# aaa authentication ppp {default | list-name}
method1 [...[method4]]
Authentication
• Authentication provides the method of identifying
users, including:
– login and password dialog
– challenge and response
– messaging support
• AAA authentication can be used to configure all
of these types of authentication:
– Access to privileged EXEC mode (enable mode)
– Access to virtual terminals
– Access to the console
– CHAP and PAP authentication for PPP connections
– NetWare Asynchronous Services Interface (NASI) authentication
– AppleTalk Remote Access Protocol (ARAP) authentication
Authentication Methods
• Using a password already configured on the
router, such as the enable password or a line
password
• Using the local username/password database
• Consulting a Kerberos server
• Consulting a RADIUS server, or group of
RADIUS servers
• Consulting a TACACS+ server or group of
TACACS+ servers
Sample TACACS+ Features
• aaa authentication login default tacacs+ line none
• aaa authentication login admin_only tacacs+ enable none
• aaa authentication login old_way line none
– You have just created three login lists named default,
admin_only and old_way
Four Methods
• enable – Use the enable password
• line – Use the line password
• none – Use no authentication
• tacacs+ – Use TACACS+ authentication
• Error – Not the same as failure (the server could be
unreachable); an error moves on to the next method in the
list, a failure refuses the login
• line con 0
– login authentication admin_only
• line aux 0
– login authentication admin_only
• line vty 0 4
– login authentication old_way
• line 1 16
– login authentication default
Sample Code
• aaa authorization network tacacs+ none
• aaa authorization connection tacacs+ if-authenticated
• aaa authorization commands 1 tacacs+ if-authenticated
• aaa authorization commands 15 tacacs+ if-authenticated
– NOTE – you can't configure the router until you have been
authenticated
Eight Authorization Methods
• Authentication proxy services
• Commands
• Configuration commands (turned off with no aaa
authorization config-commands)
• EXEC
• Network services
• Reverse Telnet access
• Configuration
• IP Mobile
Configuring AAA Authorization
• Enable AAA using the AAA new-model
command.
• Configure AAA authentication. Authorization
generally takes place after authentication and
relies on authentication to work properly.
• Configure the router as a TACACS+ or RADIUS
client, if necessary.
• Configure the local username/password database,
if necessary. Using the username command, you
can define the rights associated with specific
users.
Privilege Levels
• privilege level 1 = non-privileged (prompt
is router>), the default level for login
• privilege level 15 = privileged (prompt is
router#), the level after going into enable
mode
• privilege level 0 = includes 5 commands:
disable, enable, exit, help, and logout
AAA supports six different types of accounting:
• Network
• Exec
• Commands
• Connection
• System
• Resource
Security Example – With/Without TACACS+
• Without TACACS+
– aaa new-model
– aaa authentication login default local
– username admin password cisco
• With TACACS+
– aaa new-model
– aaa authentication login default group tacacs+ local
– aaa authentication enable default group tacacs+
enable
– aaa authorization exec default group tacacs+
– tacacs-server host 10.1.1.254
– tacacs-server timeout 30
– tacacs-server key superman
– username admin password cisco
– enable password cisco
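Added example, not from the slides: a small Python model of how IOS walks a login method list, built from the three lists on the Sample TACACS+ Features slide, the line bindings that follow them, and a fourth list modelled on the closing Security Example's group tacacs+ local. It separates ERROR (the next method is tried) from FAIL (the login is refused) and flags lists that end in none, which admit anyone once every earlier method has errored. The config text, the list name hardened and the per-attempt backend outcomes are constructed.

```python
import re

# Outcome of a single method: PASS or FAIL decides the login and stops the
# list; ERROR (server unreachable, no line password set) moves to the next.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed config: the three lists from the slides plus 'hardened',
# modelled on the closing example's 'group tacacs+ local'.
CONFIG = """
aaa authentication login default tacacs+ line none
aaa authentication login admin_only tacacs+ enable none
aaa authentication login old_way line none
aaa authentication login hardened group tacacs+ local
line con 0
 login authentication admin_only
line vty 0 4
 login authentication old_way
"""

def parse(config):
    """Return ({list name: [methods]}, {line: list name bound to it})."""
    lists, lines, current = {}, {}, None
    for s in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"aaa authentication login (\S+) (.+)", s)
        if m:  # 'group tacacs+' names a server group; keep just the method
            lists[m.group(1)] = m.group(2).replace("group ", "").split()
        elif s.startswith("line "):
            current = s[5:]
            lines[current] = "default"  # unbound lines use the default list
        elif s.startswith("login authentication ") and current:
            lines[current] = s.split()[-1]
    return lists, lines

def evaluate(methods, backend):
    """Walk the list left to right; backend maps method -> outcome for this
    attempt. Returns (decision, method that decided)."""
    for m in methods:
        if m == "none":
            return PASS, "none"  # no authentication at all
        r = backend.get(m, ERROR)
        if r != ERROR:
            return r, m
    return FAIL, None  # every method errored: IOS refuses the login

def fail_open_lists(lists):
    # lists ending in 'none' admit anyone once every earlier method errors
    return sorted(n for n, ms in lists.items() if ms[-1] == "none")
```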