ITE PC v4.0 Chapter 1
Download
Report
Transcript ITE PC v4.0 Chapter 1
Chapter 3:
Authentication,
Authorization, and
Accounting
CCNA-Security
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
1
Chapter 3: Objectives
In this chapter you will:
Describe the importance of AAA as it relates to authentication, authorization, and accounting.
Describe the characteristics of AAA.
Configure AAA authentication, using the CLI, to validate users against a local database.
Configure AAA authentication, using CCP, to validate users against a local database.
Troubleshoot AAA authentication that validates users against a local database.
Describe the benefits of server-based AAA.
Compare the TACACS+ and RADIUS authentication protocols.
Describe the features of Cisco Secure ACS for Windows.
Configure Cisco Secure ACS as a TACACS+ server.
Configure Cisco Secure ACS users and groups.
Configure server-based AAA authentication, using the CLI, on Cisco routers.
Configure server-based AAA authentication, using CCP, on Cisco routers.
Troubleshoot server-based AAA authentication using Cisco Secure ACS.
Configure server-based AAA authorization using Cisco Secure ACS.
Configure server-based AAA accounting using Cisco Secure ACS.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
2
Chapter 3
3.0 Introduction
3.1 Purpose of AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
3.4 Server-Based AAA Authentication
3.5 Server-Based AAA Authorizing and Accounting
3.6 Summary
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
3
3.1 Purpose of AAA
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
4
AAA Overview
Authentication without AAA
Many types of authentication methods can be performed on a
Cisco device, and each method offers varying levels of security.
The simplest form of authentication is passwords.
Password-only logins are very vulnerable to brute-force attacks,
and do not provide accountability.
The local database method provides additional security, because
an attacker is required to know a username and a password. It
also provides more accountability, because the username is
recorded when a user logs in.
A better solution is to have all devices refer to the same database
of usernames and passwords from a central server.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
5
AAA Overview
AAA Components
Network and administrative AAA security in the Cisco environment
has several functional components:
Authentication- Users and administrators must prove that they
are who they say they are. Authentication can be established using
username and password combinations, challenge and response
questions, token cards, and other methods.
Authorization- After the user is authenticated, authorization
services determine which resources the user can access and
which operations the user is allowed to perform.
Accounting and auditing- Accounting records what the user
does, including what is accessed, the amount of time the resource
is accessed, and any changes that were made.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
6
AAA Characteristics
Authentication Modes
AAA can be used to authenticate users for administrative access or to
authenticate users for remote network access. These two access
methods use different modes to request AAA services.
Local AAA Authentication - Uses a local database for authentication.
This method stores usernames and passwords locally in the Cisco
router, and users authenticate against the local database.
Server-Based AAA Authentication - The server-based method uses
an external database server resource that leverages RADIUS or
TACACS+ protocols.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
7
AAA Characteristics
Authorization
Authorization is what a user can and cannot do on the network after
that user is authenticated.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
8
AAA Characteristics
Accounting
Accounting collects and reports usage data so that it can be employed
for purposes such as auditing or billing.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
9
3.2 Local AAA
Authorization
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
10
Configuring Local AAA Authentication with CLI
Authenticating Administrative Access
The Local AAA Authentication method is similar to using the login
local command with one exception. AAA also provides a way to
configure backup methods of authentication.
Configuring local AAA services to authenticate administrator access
(character mode access) requires a few basic steps:
Step 1. Add usernames and passwords to the local router database for users that
need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
11
Configuring Local AAA Authentication with CLI
Authentication Methods
To enable AAA, use the aaa new-model global configuration mode
command.
To configure authentication on vty ports, asynchronous lines (tty), the
auxiliary port, or the console port, define a named list of
authentication methods and then apply that list to the various
interfaces.
To define a named list of authentication methods, use the aaa
authentication login command.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
12
Configuring Local AAA Authentication with CLI
Authentication Methods Cont.
To configure authentication, define a named list of authentication methods,
and then apply that list to the various interfaces.
To define a named list of authentication methods, use the aaa
authentication login command.
To enable local authentication using a preconfigured local database, use the
local or local-case (case-sensitive) keyword.
To specify that a user can authenticate using the enable password, use
the enable keyword.
A minimum of one method and a maximum of four methods can be specified
for a single method list. When a user attempts to log in, the first method listed
is used.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
13
Configuring Local AAA Authentication with CLI
Default and Named Methods
The defined list of authentication methods must be applied to specific
interfaces or lines. Different method lists can be applied to different interfaces
and lines.
To enable a specific list name, use the login authentication listname command in line configuration mode.
The option also exists to configure a default list name. When AAA is first
enabled, the default method list named “default” is automatically applied to all
interfaces and lines, but it has no authentication methods defined.
To assign multiple authentication methods to the default list, use the
command aaa authentication login default method1...[method2].
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
14
Configuring Local AAA Authentication with CLI
Refine the Authentication Configuration
Additional security can be implemented on the line using the aaa
local authentication attempts max-fail number-ofunsuccessful-attempts command in global configuration mode.
This command secures AAA user accounts by locking out accounts
that have excessive failed attempts.
To show locked out users
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
15
Configuring Local AAA Authentication with CCP
Enable AAA Using CCP
To verify the AAA configuration and to enable or disable AAA, click
Configure > Router > AAA > AAA Summary.
If AAA is currently disabled, click Enable AAA.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
16
Configuring Local AAA Authentication with CCP
Add User Accounts
The first task when using CCP to configure AAA services for local
authentication is to create users:
Step 1. Click Configure >Router >Router Access > User
Accounts/View.
Step 2. Click Add to add a new user.
Step 3. In the Add an Account window, enter the username and
password in the respective fields.
Step 4. From the Privilege Level drop-down list, choose 15, unless
there are lesser privilege levels defined.
Step 5. If views have been defined, click the Associate a View with
the user check box and select a view from the View Name list
associated with a user.
Step 6. Click OK.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
17
Troubleshooting Local AAA Authentication
Debug Options
The debug aaa
authentication comman
d is instrumental when
troubleshooting AAA
problems.
Look specifically for
GETUSER and
GETPASS status
messages. These
messages are helpful
when identifying which
method list is
referenced.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
18
3.3 Server-Based AAA
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
19
Server-Based AAA Characteristics
Comparing Local and Server-Based AAA
Local implementations of
AAA do not scale well. To
solve this challenge, one or
more AAA servers, can be
used to manage the user
and administrative access
needs for an entire
corporate network.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
20
Server-Based AAA Characteristics
Introducing Cisco Secure Access Control Server
The Cisco Secure ACS family of products supports both Terminal
Access Control Access Control Server Plus (TACACS+) and Remote
Authentication Dial-In User Services (RADIUS) protocols.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
21
Server-Based AAA Communication Protocols
Introducing TACACS+ and RADIUS
TACACS+ and RADIUS are both authentication protocols with
different capabilities and functionality.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
22
Server-Based AAA Communication Protocols
TACACS+ Authentication
TACACS+ is an entirely new protocol that is incompatible with any
previous version of TACACS. TACACS+ is supported by the Cisco
family of routers and access servers.
TACACS+ offers multiprotocol support.
TACACS+ operation encrypts the entire body of the packet.
TACACS+ utilizes TCP port 49.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
23
Server-Based AAA Communication Protocols
RADIUS Authentication
RADIUS is an open IETF standard AAA protocol for applications such
as network access or IP mobility.
RADIUS works in both local and roaming situations, and is commonly
used for accounting purposes.
RADIUS hides passwords during transmission.
RADIUS combines authentication and authorization as one process.
RADIUS is widely used by VoIP service providers.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
24
Cisco Secure ACS
TACACS+ and RADIUS with Cisco Secure ACS
Cisco Secure ACS for Windows Server is a single solution that offers
AAA for both TACACS+ and RADIUS, and the following benefits:
Extends access security by combining authentication, user access,
and administrator access with policy control within a centralized
identity networking solution.
Allows greater flexibility and mobility, increased security, and userproductivity gains.
Enforces a uniform security policy for all users, regardless of how
they access the network.
Reduces the administrative and management burden when scaling
user and network administrator access to the network.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
25
Cisco Secure ACS
Cisco Secure ACS Features
Cisco Secure ACS provides a
variety of advanced features:
Automatic service monitoring
Database synchronization and
importing of tools for large-scale
deployments
Lightweight Directory Access
Protocol (LDAP) user
authentication support
User and administrative access
reporting
Restrictions to network access
based on criteria such as the
time of day and the day of week
User and device group profiles
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
26
Cisco Secure ACS
Cisco Secure ACS As a TrustSec Component
Cisco Secure ACS is a core component of the Cisco TrustSec
solution. TrustSec includes the following Access Control products:
Cisco Network Admission Control (NAC)
Cisco NAC Guest Server
Cisco NAC Profiler
Cisco Secure ACS
The Cisco TrustSec solution offers two deployment options to
address various customer needs and use cases:
ACS 802.1X-Based Infrastructure solution
NAC Appliance-Based Overlay solution
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
27
Cisco Secure ACS
Cisco Secure ACS High Performance and Scalability
Cisco Secure ACS has many high-performance and scalability features:
Ease of use - A web-based user interface simplifies and distributes the
configuration.
Scalability - Cisco Secure ACS is built to provide large networked
environments with support for redundant servers, remote databases, and
database replication and backup services.
Extensibility - LDAP authentication forwarding supports the authentication of
user profiles that are stored in directories from leading directory vendors,
including Sun, Novell, and Microsoft.
Management - Microsoft Windows Active Directory support.
Administration - Different access levels for each Cisco Secure ACS
administrator and the ability to group network devices together.
Product flexibility - Can be used across virtually any network access server
that Cisco sells.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
28
Configuring Cisco Secure ACS
Software and Network Requirements
The network should meet specified requirements before administrators
begin deploying Cisco Secure ACS:
Cisco devices that are not Cisco IOS AAA clients must be configured with
TACACS+, RADIUS, or both.
Dial-in, VPN, or wireless clients must be able to connect to the applicable
AAA clients.
The computer running Cisco Secure ACS must be able to reach all AAA
clients using ping.
Gateway devices between the Cisco Secure ACS and other network devices
must permit communication over the ports that are needed to support the
applicable feature or protocol.
A supported web browser must be installed on the computer running Cisco
Secure ACS.
All NICs in the computer running Cisco Secure ACS must be enabled.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
29
Configuring Cisco Secure ACS
Cisco Secure ACS Homepage
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
30
Configuring Cisco Secure ACS
Adding Cisco Secure ACS Clients
The specific steps to add and configure a client varies between different
ACS versions, but is done through the Network Configuration page (4.x)
or the Network Resources page (5.x) by clicking Add Entry.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
31
Configuring Cisco Secure ACS
Adding Cisco Secure ACS Clients Cont.
The User Data Configuration link on the Interface Configuration page
enables administrators to customize the fields that appear in the user
setup and configuration windows.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
32
Configuring Cisco Secure ACS
Cisco Secure ACS Databases
Cisco Secure ACS can be configured to forward
authentication of users to one or more external user
databases.
Support for external user databases means that Cisco
Secure ACS does not require duplicate user entries to be
created in the Cisco Secure user database.
To establish an external user database connection, you
must access the External User Databases page.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
33
Configuring Cisco Secure ACS
Cisco Secure ACS Databases Cont.
When configuring the ACS external databases, there are three
major options:
Unknown User Policy - Configures the authentication
procedure for users that are not located in the Cisco Secure
ACS database.
Database Group Mappings - Configures what group
privileges external database users inherit when Cisco Secure
ACS authenticates them. In most cases, the actual privileges
are drawn from Cisco Secure ACS and not the external
database.
Database Configuration - Defines the external servers that
Cisco Secure ACS works with.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
34
Configuring Cisco Secure ACS
Cisco Secure ACS Databases Cont.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
35
Configuring Cisco Secure ACS Users and Groups
Cisco Secure ACS User Database Setup
When Cisco Secure ACS is configured to communicate with an
external user database, it can be configured to authenticate users in
one of two ways:
By specific user assignment - Authenticate specific users with an
external user database.
By unknown user policy - Use an external database to authenticate
users not found in the Cisco Secure user database. This method does not
require administrators to define users in the Cisco Secure user database.
The External User Database configuration page can be used to
configure the unknown user policy, by clicking the Unknown User
Policy link.
When configuring the unknown user policy, the database must be
selected from the External Databases list and moved into the Selected
Databases list. This must be done for each database that Cisco
Secure ACS is to use.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
36
Configuring Cisco Secure ACS Users and Groups
Cisco Secure ACS Group Setup
Due to the potential need for different authorizations,
database group mappings can be used to place users that
are authenticated by the Windows server in one group
and users that are authenticated by the LDAP server in
another group.
Database group mappings enable an administrator to map
an authentication server (i.e., LDAP, Windows, ODBC,
etc.) to a group that has been configured in Cisco Secure
ACS.
One option that can be configured in a group setup is per
group command authorization, which authorizes which
router commands the users in a group can execute.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
37
Configuring Cisco Secure ACS Users and Groups
Cisco Secure ACS User Setup
Add a user account and configure user access from the User Setup
page.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
38
3.4 Server-Based AAA
Authentication
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
39
Configuring Server-Based AAA Authentication
Configuring Server-Based AAA Authentication with CLI
Server-based AAA must identify various TACACS+ and RADIUS
servers that the AAA service should consult when authenticating and
authorizing users.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
40
Configuring Server-Based AAA Authentication
Configuring the CLI for TACACS+ and RADIUS Servers
Globally enable AAA by using the aaa new-model command.
Configure a TACACS+ Server and Encryption Key
• Use the tacacs-server host ip-address singleconnection command to configure a TACACS+ server.
• Use the tacacs-server key key command to configure the
shared secret key.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
41
Configuring Server-Based AAA Authentication
Configuring the CLI for TACACS+ and RADIUS Servers Cont.
Configure a RADIUS Server and Encryption Key
• Use the radius-server host ip-address command.
• To configure the shared secret key, use the radius-server
key key command.
Configure Authentication to Use the AAA Server - Use the aaa
authentication login default group radius group
tacacs+ local-case command.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
42
Configuring Server-Based AAA Authentication
Configuring the CLI for TACACS+ and RADIUS Servers Cont.
Sample Configuration
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
43
Configuring Server-Based AAA Authentication with CCP
Configuring the CCP for TACACS+
If using CCP for TACACS+, specify a list of available Cisco Secure
ACS servers that provide TACACS+ services for the router.
Step 1. From the CCP home page, click Configure >Router > AAA > AAA Servers and
Groups > Servers.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
44
Configuring Server-Based AAA Authentication with CCP
Configuring the CCP for TACACS+ Cont.
Step 2. From the AAA Servers pane, click Add, the Add AAA Server window
appears. Choose TACACS+
Step 3. Enter the IP address or host name of the AAA server in the Server IP
or Hostfield. If the router has not been configured to use a DNS server,
enter a DNS server IP address.
Step 4. The router can be configured to maintain a single open connection to
the TACACS+ server. Check the Single connection to server (for
CiscoSecure) check box.
Step 5. To override AAA server global settings and specify a server-specific
timeout value in the Server-Specific Setup section, enter a value in
the Timeout (seconds) field.
Step 6. To configure a server-specific key, check the Configure Key check box
and enter the key that is used to encrypt traffic between the router and
this server in the New Key field. Re-enter the key in the Confirm Key
field for confirmation.
Step 7. Click OK.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
45
Configuring Server-Based AAA Authentication with CCP
Configuring Method Lists for CCP
To configure the router to use the Cisco Secure ACS server for login
authentication, a user-defined (or custom) authentication method list
must be created, or the default method list must be edited.
The administrator can use CCP to configure a user-defined
authentication login method list.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
46
Configuring Server-Based AAA Authentication with CCP
Configuring Lines with Method Lists Using CCP
After the authentication login method lists
are created, CCP can be used to apply an
authentication policy to a router line:
Step 1. Click Configure > Router > Router
Access > VTY.
Step 2. From the VTY Lines window, click
the Edit button to make changes to
the vty lines.
Step 3. From the Authentication Policy list
box, choose the authentication policy
to apply to the vty lines.
The CLI can also be used to apply an authentication policy to lines or
interfaces with the login authentication{default | listname} command in line configuration mode or interface configuration
mode.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
47
Troubleshooting Server-Based AAA Authentication Traffic
Monitoring Authentication Traffic
Other debugging Commands
• debug radius and debug tacacs
• debug tacacs events
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
48
3.5 Server-Based AAA
Authorization and
Accounting
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
49
Configuring Server-Based AAA Authorization
Introduction to Server-Based AAA Authorization
Authorization allows and disallows authenticated users access to
certain areas and programs on the network.
The TACACS+ protocol allows the separation of authentication from
authorization.
A router can be configured to restrict the user to performing only
certain functions after successful authentication.
Authorization can be configured for both character mode (exec
authorization) and packet mode (network authorization).
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
50
Configuring Server-Based AAA Authorization
AAA Authorization Types
Authorization Method Lists
AAA Authorization Example
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
51
Configuring Server-Based AAA Authorization
AAA Authorization Fundamentals with CCP
CCP can be used to configure the default authorization method list for
character mode (exec) access.
From the CCP home page, Configure > Router > AAA > Authorization
Policies > EXEC Command Mode.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
52
Configuring Server-Based AAA Authorization
AAA Authorization Methods with CCP
CCP can also be used to configure the default authorization method list for
packet mode (network).
From the CCP home page, click Configure > Router > AAA > Authorization
Policies > Network.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
53
Configuring Server-Based AAA Accounting
Introduction to Server-Based AAA Accounting
Companies often must track resources that individuals or groups use.
AAA accounting enables usage tracking, such as dial-in access, to log
the data gathered to a database, and to produce reports on the data
gathered.
One security issue (addressed by accounting) is the creation of a user
list and the time of day a user dialed into the system.
Another reason to implement accounting is to create a list of changes
occurring on the network, the user that made the changes, and the
exact nature of the changes.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
54
Configuring Server-Based AAA Accounting
AAA Accounting Configuration with CLI
Accounting Methods Lists
AAA Accounting Example
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
55
3.6 Summary
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
56
Chapter 3
Summary
The AAA protocol provides a scalable framework for enabling
administrative access.
AAA controls who is allowed to connect to the network, what they are
allowed to do, and tracks records of what was done.
In small or simple networks, AAA authentication can be implemented
using the local database.
In larger or complex networks, AAA authentication should be
implemented using server-based AAA.
AAA servers can use RADIUS or TACACS+ protocols to communicate
with client routers.
The Cisco ACS can be used to provide AAA server services.
Local AAA and server-based AAA authentication can be configured
using the CLI or CCP.
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
57
Presentation_ID
© 2008 Cisco Systems, Inc. All rights reserved.
58