© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.0 5-1 Cisco Device Hardening: Configuring AAA on Cisco Routers.

Transcript:

Cisco Device Hardening: Configuring AAA on Cisco Routers

Introduction to AAA

AAA Model

Authentication: Who are you?
– I am user student and my password validateme proves it.
Authorization: What can you do? What can you access?
– User student can access host serverXYZ using Telnet.
– Assign an IP address and ACL to user student connecting through VPN.
– When user student starts an EXEC session, assign privilege level 10.
Accounting: What did you do? How long and how often did you do it?
– User student accessed host serverXYZ using Telnet for 15 minutes.
– User student was connected to VPN for 25 minutes.
– The EXEC session of user student lasted 20 minutes and only show commands were executed.

Implementing AAA

– Administrative access (character mode): console, Telnet, and AUX access
– Remote user network access (packet mode): dialup or VPN access

Router Access Modes

AAA Protocols: RADIUS and TACACS+

RADIUS Authentication and Authorization

The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password: the NAS sends a single Access-Request carrying both. The ACS replies with an Access-Accept message, which also carries any authorization attributes for the session, or with an Access-Reject if authentication is not successful.

RADIUS Messages

There are four types of messages:
– Access-Request
– Access-Challenge, to facilitate challenge-response authentication protocols
– Access-Accept
– Access-Reject

RADIUS Attributes

RADIUS messages contain zero or more AV-pairs, for example:
– User-Name
– User-Password (the only hidden entity in RADIUS: it is XORed with an MD5 keystream derived from the shared secret and the Request Authenticator; every other attribute, User-Name included, travels in cleartext)
– CHAP-Password
– Service-Type
– Framed-IP-Address
There are approximately 50 standards-based attributes (RFC 2865). RADIUS also allows proprietary (vendor-specific) attributes. The basic attributes are used for authentication; most other attributes are used in the authorization process.

RADIUS Features

– Standard protocol (RFC 2865)
– Standard attributes can be augmented by proprietary attributes: Vendor-Specific Attribute 26 lets Cisco carry its TACACS+-style AV-pairs over RADIUS
– Uses UDP on the standard port numbers 1812 (authentication) and 1813 (accounting); Cisco Secure ACS uses the older 1645 and 1646 by default, so the router and the server must be configured for the same port pair
– Includes only two security features:
  – Hiding of the User-Password attribute (MD5-based obfuscation keyed by the shared secret; it is not a cipher in the modern sense)
  – Authentication of reply packets (the Response Authenticator, an MD5 digest over the reply and the shared secret); the Access-Request itself has no comparable integrity check, and every attribute other than User-Password is sent in cleartext
– Authorization is only possible as part of authentication: the authorization attributes are returned inside the Access-Accept
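The following Python program is an added example, not code from the Cisco slides, that builds the exchange the RADIUS slides describe: the NAS hides User-Password exactly as RFC 2865 section 5.2 specifies, the server checks the credentials and returns Framed-IP-Address in its Access-Accept, and the NAS checks the Response Authenticator on the reply. The user student with password validateme, the shared secret, the assigned address and the fixed Request Authenticator are constructed so the run is reproducible; a real NAS draws the Request Authenticator at random.

```python
"""RADIUS Access-Request / Access-Accept exchange with RFC 2865 password hiding.
Added example, not Cisco's code; all users, secrets and addresses are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# Codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, SERVICE_TYPE, FRAMED_IP_ADDRESS = 1, 2, 6, 8
SERVICE_TYPE_LOGIN = 1

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad with NULs to a multiple of 16, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: anyone holding the shared secret recovers the password."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")  # drop the NUL padding

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Type (1 byte), Length (1 byte, includes the 2-byte header), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def nas_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                       request_auth: Optional[bytes] = None) -> bytes:
    """Sent by the NAS once it holds username and password. User-Name goes in clear."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([(USER_NAME, user),
                          (USER_PASSWORD, hide_password(password, secret, request_auth)),
                          (SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))])
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def acs_handle(request: bytes, secret: bytes, users: Dict[bytes, Tuple[bytes, bytes]]) -> bytes:
    """Server side: verify the password; authorization (Framed-IP-Address) rides in the Accept."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth, attrs = request[4:20], decode_attrs(request[20:length])
    user = attrs.get(USER_NAME, b"")
    supplied = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    if user in users and hmac.compare_digest(supplied, users[user][0]):
        reply_code, reply_attrs = ACCESS_ACCEPT, encode_attrs([(FRAMED_IP_ADDRESS, users[user][1])])
    else:
        reply_code, reply_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(reply_code, ident, request_auth, reply_attrs, secret)
    return packet(reply_code, ident, auth, reply_attrs)

def nas_verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> Tuple[bool, int]:
    """NAS side: the Response Authenticator is the only integrity check RADIUS gives the reply."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, request_auth, reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20]), code

USERS = {b"student": (b"validateme", bytes([10, 1, 1, 50]))}  # constructed ACS user database
SECRET = b"secretradius"                                       # constructed shared secret

def exchange(password: bytes, tamper: bool = False) -> Dict[str, object]:
    """Run one NAS <-> ACS round trip; tamper flips one bit of the reply in transit."""
    ra = bytes(range(16))  # fixed so the run is reproducible; a real NAS uses os.urandom(16)
    req = nas_access_request(7, b"student", password, SECRET, ra)
    rep = acs_handle(req, SECRET, USERS)
    if tamper:
        rep = rep[:-1] + bytes([rep[-1] ^ 0x01])
    ok, code = nas_verify_reply(rep, ra, SECRET)
    framed = decode_attrs(rep[20:]).get(FRAMED_IP_ADDRESS) if ok and code == ACCESS_ACCEPT else None
    return {"verified": ok, "code": code, "framed_ip": framed,
            "username_in_clear": b"student" in req, "password_in_clear": password in req}
```

exchange(b"validateme") returns a verified Access-Accept with Framed-IP-Address 10.1.1.50; exchange(b"wrong") returns a verified Access-Reject; with tamper=True the Response Authenticator no longer matches and the NAS must discard the reply. The username_in_clear and password_in_clear fields make the attribute slide's point concrete: the User-Name bytes are visible in the datagram, the password bytes are not, and reveal_password shows that the protection is only as strong as the shared secret.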

TACACS+ Authentication

The example shows how the TACACS+ exchange starts before the user is prompted for a username and password: the NAS opens the session with the server first, and the prompt text itself can be supplied by the TACACS+ server.

TACACS+ Network Authorization

The example shows the network authorization process, which starts as a separate exchange after successful authentication.

TACACS+ Command Authorization

The example illustrates the command authorization process, which is started anew for every single command that requires authorization (based on the command's privilege level).

TACACS+ Attributes and Features

TACACS+ messages also contain AV-pairs, such as these:
– ACL
– ADDR
– CMD
– Interface-Config
– Priv-Lvl
– Route
TACACS+ uses TCP on well-known port 49. By default TACACS+ establishes a dedicated TCP session for every AAA action; Cisco Secure ACS can instead use one persistent TCP session for all actions (the single-connection option). Protocol security covers the whole packet body: it is obfuscated with an MD5-derived keystream computed from the shared key, so usernames, passwords, commands and authorization results are all hidden on the wire. Only the 12-byte header (version, type, sequence number, flags, session ID, body length) is sent in cleartext, and anyone who holds the shared key can decode the body.
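Added example in Python, not Cisco's code, showing the TACACS+ framing behind the features above: the cleartext 12-byte header, the MD5 keystream that hides the body, the single-connect flag, and the first two packets of an ASCII login, where the NAS sends START before any prompt and the server answers GETUSER with the prompt text. The shared key, port, remote address and session ID are constructed; the status values are the GETUSER, GETPASS and PASS states that the debug aaa authentication output later in this deck prints.

```python
"""TACACS+ framing and body obfuscation (RFC 8907), with the opening of an ASCII login.
Added example, not Cisco's code; key, port, remote address and session ID are constructed."""
import hashlib
import struct
from typing import Dict, List

VERSION = 0xC0                         # major version 0xC, minor version 0
TYPE_AUTHEN, TYPE_AUTHOR, TYPE_ACCT = 1, 2, 3
FLAG_UNENCRYPTED, FLAG_SINGLE_CONNECT = 0x01, 0x04
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 1, 1, 1
STATUS_PASS, STATUS_FAIL, STATUS_GETUSER, STATUS_GETPASS = 1, 2, 4, 5
HDR = struct.Struct("!BBBBII")         # version, type, seq_no, flags, session_id, length: 12 cleartext bytes
KEY = b"secrettacacs"                  # constructed shared key

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """pad_1 = MD5(session_id + key + version + seq_no); pad_i = MD5(same + pad_i-1); cut to n bytes."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]

def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """The body is XORed with the pad, so one function both hides and reveals it."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))

def build(ptype: int, seq_no: int, session_id: int, body: bytes, key: bytes, single_connect: bool = False) -> bytes:
    flags = FLAG_SINGLE_CONNECT if single_connect else 0
    header = HDR.pack(VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)

def parse(pkt: bytes, key: bytes) -> Dict:
    version, ptype, seq_no, flags, session_id, length = HDR.unpack(pkt[:HDR.size])
    body = pkt[HDR.size:HDR.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & FLAG_UNENCRYPTED:   # the unencrypted flag exists for debugging only
        body = xor_body(body, session_id, key, version, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id,
            "single_connect": bool(flags & FLAG_SINGLE_CONNECT), "body": body}

def authen_start(user: bytes = b"", port: bytes = b"tty1", rem_addr: bytes = b"async/81560",
                 priv_lvl: int = 1) -> bytes:
    """START body: action, priv_lvl, authen_type, authen_service, four length bytes, then the fields."""
    return struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr

def parse_authen_start(body: bytes) -> Dict:
    action, priv_lvl, authen_type, _svc, ul, pl, rl, _dl = struct.unpack("!8B", body[:8])
    user, port, rem_addr = body[8:8 + ul], body[8 + ul:8 + ul + pl], body[8 + ul + pl:8 + ul + pl + rl]
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "user": user, "port": port, "rem_addr": rem_addr}

def authen_reply(status: int, server_msg: bytes = b"") -> bytes:
    """REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg

def parse_authen_reply(body: bytes) -> Dict:
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return {"status": status, "server_msg": body[6:6 + msg_len]}

def ascii_login_opening(key: bytes = KEY, session_id: int = 0x1234ABCD) -> List[Dict]:
    """Seq 1: the NAS sends START with an empty user, before prompting anyone.
    Seq 2: the server answers GETUSER and supplies the prompt text itself."""
    start = build(TYPE_AUTHEN, 1, session_id, authen_start(), key, single_connect=True)
    at_server = parse(start, key)
    fields = parse_authen_start(at_server["body"])
    status = STATUS_GETUSER if fields["user"] == b"" else STATUS_GETPASS
    reply = build(TYPE_AUTHEN, 2, session_id, authen_reply(status, b"Username: "), key, single_connect=True)
    at_nas = parse(reply, key)
    return [{"from": "NAS", "seq_no": at_server["seq_no"], "single_connect": at_server["single_connect"], **fields},
            {"from": "server", "seq_no": at_nas["seq_no"], "single_connect": at_nas["single_connect"],
             **parse_authen_reply(at_nas["body"])}]

def header_is_cleartext(key: bytes = KEY, session_id: int = 0x1234ABCD) -> bool:
    """Without the key the header still parses; the body comes out as garbage."""
    pkt = build(TYPE_AUTHEN, 1, session_id, authen_start(), key)
    wrong = parse(pkt, b"not-the-key")
    return wrong["session_id"] == session_id and wrong["type"] == TYPE_AUTHEN and wrong["body"] != authen_start()
```

ascii_login_opening() returns the two decoded packets: sequence 1 from the NAS with user '' on port tty1, and sequence 2 from the server with status GETUSER and the prompt "Username: ". header_is_cleartext() is the practical consequence of the feature slide: a sniffer without the key still learns the packet type, sequence number and session ID of every exchange, and a sniffer with the key learns everything.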

Configuring the AAA Server (TACACS+, RADIUS)

Configure AAA Login Authentication on Cisco Routers Using CLI

AAA Authentication Commands

Router(config)# aaa authentication login {default | list-name} method1 [method2 [method3 [method4]]]

Use this command to configure the login authentication process. The methods include group tacacs+, group radius, group group-name, local, line, enable and none, and they are tried in the order listed. A later method is consulted only when the previous one returns an error (for example, no server in the group answered); a rejected username or password ends the attempt with a failure and does not fall through to the next method.

Router(config)# aaa authentication login default group tacacs+ local line

Character Mode Login Example

Router# show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
 login authentication my_list

Because no authentication list has been specified for line con 0 and aux 0, the default list is used on them. The VTY lines use my_list, which has no local fallback: if no TACACS+ server answers, remote logins fail.

Configure AAA Login Authentication on Cisco Routers Using SDM

The SDM walkthrough covers these screens, in order:
– Enabling AAA in SDM
– Confirming the AAA Activation
– Defining RADIUS Servers
– Defining TACACS+ Servers
– Creating a Login Authentication Policy
– Configuring a Login Authentication Policy
– Creating an EXEC Authorization Policy
– Configuring an EXEC Authorization Policy
– Creating Local User Accounts
– Configuring VTY Line Parameters
– Applying Authentication Policy to VTY Lines
– Applying Authorization Policy to VTY Lines

Verifying AAA Login Authentication Commands

aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host single-connection key secrettacacs
radius-server host auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
 login authentication radius_local

The VTY lines authenticate against the RADIUS group first and fall back to the local database only if the servers do not answer; the console and AUX lines use the default list, which is local only. The username joe secret line stores an MD5 hash (type 5) rather than the password itself, and the radius-server host line shows the 1645/1646 port pair that Cisco Secure ACS uses by default.

Troubleshoot AAA Login Authentication on Cisco Routers

router# debug aaa authentication

Use this command to help troubleshoot AAA authentication problems.

Troubleshoot AAA Authentication Example

R2# debug aaa authentication
Feb 4 10:11: CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=
Feb 4 10:11: CST: AAA/AUTHEN/START ( ): port='tty1' list='' action=LOGIN service=LOGIN
Feb 4 10:11: CST: AAA/AUTHEN/START ( ): using "default" list
Feb 4 10:11: CST: AAA/AUTHEN/START ( ): Method=LOCAL
Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETUSER
Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): continue_login (user='(undef)')
Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETUSER
Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): Method=LOCAL
Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETPASS
Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): continue_login (user='diallocal')
Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETPASS
Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): Method=LOCAL
Feb 4 10:11: CST: AAA/AUTHEN ( ): status = PASS

The trace shows a login on tty1 with no list assigned to the line (list=''), so the "default" list is used. Its first method is LOCAL; the state machine moves through GETUSER and GETPASS while the username (diallocal) and password are collected, and the final status PASS means the local database accepted them.

AAA Authorization Commands

router(config)# aaa authorization {network | exec | commands level | config-commands | reverse-access} {default | list-name} method1 [method2 ...]

Example:
router(config)# aaa authorization exec default group radius local none

The methods fall through in the same way as for authentication: a later method is used only when the earlier one returns an error, never when it denies the request. Ending the list with none means that whoever reaches that method is authorized with no check at all, so in this example a user gets an EXEC shell whenever the RADIUS servers are unreachable and the local method cannot decide either. Use none only where that fail-open behaviour is intended, typically on a console list to avoid locking yourself out.

Authorization Example

R2# show running-config
...
aaa new-model
!
aaa authentication login default local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
...
username admin password 0 cisco123

Login is authenticated locally, but the enable password, the EXEC shell and every level-1 and level-15 command are authorized by the TACACS+ server, with the local database as the fallback when no server answers. Note that username ... password 0 stores the password in cleartext in the configuration; username ... secret stores a hash and is the form to use.
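The authorization commands above and the earlier aaa authentication login default group tacacs+ local line command share one rule that decides who gets in when a server is down: fall-through happens on ERROR, not on FAIL. The following Python simulator is an added example, not Cisco code, that applies that rule to both command forms. The users, passwords and server-reachability flag are constructed, the radius and tacacs+ groups share one reachability flag for simplicity, and the choice that an unknown username makes the local method return ERROR rather than FAIL is an assumption of the model.

```python
"""IOS AAA method-list fall-through, simulated.
Added example, not Cisco code; users, passwords and server reachability are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class Device:
    tacacs_up: bool = True                                      # can the router reach its server group?
    server_users: Dict[str, str] = field(default_factory=dict)  # accounts the AAA server knows
    local_users: Dict[str, str] = field(default_factory=dict)   # 'username X secret Y' entries
    line_password: Optional[str] = None                         # 'password Z' under the line

def group_server(dev: Device, user: str, pw: str) -> str:
    if not dev.tacacs_up:
        return ERROR                      # nobody answered: the next method may be tried
    return PASS if dev.server_users.get(user) == pw else FAIL

def local(dev: Device, user: str, pw: str) -> str:
    if user not in dev.local_users:
        return ERROR                      # assumption of this model: unknown local user falls through
    return PASS if dev.local_users[user] == pw else FAIL

def line(dev: Device, user: str, pw: str) -> str:
    if dev.line_password is None:
        return ERROR
    return PASS if pw == dev.line_password else FAIL

def none(dev: Device, user: str, pw: str) -> str:
    return PASS                           # no check at all: whoever reaches this method is let through

# One reachability flag serves both groups here; a real router tracks each server separately.
METHODS = {"group tacacs+": group_server, "group radius": group_server,
           "local": local, "line": line, "none": none}

def parse_method_list(cmd: str) -> List[str]:
    """'aaa authentication login default group tacacs+ local line' -> ['group tacacs+', 'local', 'line']"""
    toks, methods, i = cmd.split(), [], 0
    while i < len(toks):
        if toks[i] == "group":
            methods.append("group " + toks[i + 1])
            i += 2
        elif toks[i] in METHODS:
            methods.append(toks[i])
            i += 1
        else:
            i += 1                        # aaa, authentication, login, exec, default, list names, levels
    return methods

def evaluate(dev: Device, cmd: str, user: str, pw: str) -> Tuple[str, Optional[str]]:
    """Walk the list in order; PASS and FAIL are final, only ERROR moves on. All-ERROR denies."""
    for name in parse_method_list(cmd):
        result = METHODS[name](dev, user, pw)
        if result != ERROR:
            return result, name
    return ERROR, None

LOGIN = "aaa authentication login default group tacacs+ local line"
EXEC_AUTHZ = "aaa authorization exec default group radius local none"

def scenarios() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed cases; the second one is the surprise for most operators."""
    up = Device(True, {"admin": "Tac-pw-1"}, {"admin": "Local-pw-2"}, "Line-pw-3")
    down = Device(False, {"admin": "Tac-pw-1"}, {"admin": "Local-pw-2"}, "Line-pw-3")
    bare = Device(False, {}, {}, None)
    return {
        "server up, server password": evaluate(up, LOGIN, "admin", "Tac-pw-1"),
        "server up, local password only": evaluate(up, LOGIN, "admin", "Local-pw-2"),  # rejected, no fallback
        "server down, local password": evaluate(down, LOGIN, "admin", "Local-pw-2"),
        "server down, unknown user, line password": evaluate(down, LOGIN, "guest", "Line-pw-3"),
        "server down, unknown user, exec authz ending in none": evaluate(down, EXEC_AUTHZ, "guest", ""),
        "server down, nothing configured locally": evaluate(bare, LOGIN, "guest", "anything"),
    }
```

The second scenario is the one to remember: with the server reachable, a password that is valid only in the local database is rejected, because the TACACS+ FAIL ends the attempt. The fifth scenario shows the cost of none on an authorization list: with the server down and the user unknown locally, the EXEC shell is granted without any check. The last scenario shows the other failure mode, an all-ERROR list that denies everyone, which is exactly the console lockout that a local fallback account is meant to prevent.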

Troubleshooting Authorization

router# debug aaa authorization

Use this command to help troubleshoot AAA authorization problems.

R2# debug aaa authorization
2:23:21: AAA/AUTHOR (0): user='carrel'
2:23:21: AAA/AUTHOR (0): send AV service=shell
2:23:21: AAA/AUTHOR (0): send AV cmd*
2:23:21: AAA/AUTHOR ( ): Method=TACACS+
2:23:21: AAA/AUTHOR/TAC+ ( ): user=carrel
2:23:21: AAA/AUTHOR/TAC+ ( ): send AV service=shell
2:23:21: AAA/AUTHOR/TAC+ ( ): send AV cmd*
2:23:21: AAA/AUTHOR ( ): Post authorization status = FAIL

Here the router asks the TACACS+ server to authorize an EXEC shell (service=shell, cmd*) for user carrel, and the server answers FAIL: the user is denied the shell even though authentication succeeded, and the FAIL is final, so no later method in the list is consulted.

AAA Accounting Commands

router(config)# aaa accounting {commands level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}

Example:
R2(config)# aaa accounting exec default start-stop group tacacs+

start-stop sends a record when the session begins and another when it ends; stop-only sends only the final record, which still carries the session totals but leaves nothing to pair it with; wait-start also sends both records but does not let the session begin until the server has acknowledged the start record.

AAA Accounting Example

R2# show running-config | begin aaa
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host
tacacs-server key SeCrEtKeY
...

AAA Accounting Example (Cont.)

Troubleshooting Accounting

router# debug aaa accounting

Use this command to help troubleshoot AAA accounting problems.

R2# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address= cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

The stop record carries the AV-pairs the server stores: the task_id that ties it to the matching start record, the service, the port, the command (here the Telnet connection to host glare), byte and packet counters in each direction, and the elapsed time in seconds.
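Added example in Python, not Cisco code, that pairs START and STOP accounting records by task_id the way the accounting server would, recomputes the elapsed time from the timestamps, and flags what a reviewer should notice: a STOP with no START and a session that never stopped. The records are constructed in the AV-pair style of the debug output above, with the TACACS+ accounting flag written as the first token of each line; they are not real device output, and the start_time and stop_time values are constructed epoch seconds.

```python
"""Pair START/STOP accounting records by task_id and flag the gaps.
Added example, not Cisco code; the records are constructed in the AV-pair style of the debug
output, with the TACACS+ accounting flag written as the first token of each line."""
from typing import Dict, List, Tuple

SAMPLE = """\
START task_id=70 service=exec port=10 user=carrel start_time=1138540161
STOP task_id=70 service=exec port=10 user=carrel stop_time=1138540175 elapsed_time=14 bytes_in=308 bytes_out=76
START task_id=71 service=exec port=11 user=joe start_time=1138540200
STOP task_id=72 service=exec port=12 user=mallory stop_time=1138540300 elapsed_time=100
"""

def parse_record(line: str) -> Tuple[str, Dict[str, str]]:
    """'STOP task_id=70 ...' -> ('STOP', {'task_id': '70', ...})"""
    flag, *pairs = line.split()
    return flag, dict(p.split("=", 1) for p in pairs)

def correlate(text: str) -> Dict[str, list]:
    """Return closed sessions with their totals, plus findings that need a human."""
    open_starts: Dict[str, Dict[str, str]] = {}
    sessions: List[Dict[str, object]] = []
    findings: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        flag, av = parse_record(raw)
        tid = av["task_id"]
        if flag == "START":
            if tid in open_starts:
                findings.append(f"duplicate START for task_id={tid}")
            open_starts[tid] = av
        elif flag == "STOP":
            start = open_starts.pop(tid, None)
            if start is None:          # stop-only accounting, a reboot, or a record that never arrived
                findings.append(f"STOP without START task_id={tid} user={av.get('user')}")
                continue
            if (start.get("user"), start.get("port")) != (av.get("user"), av.get("port")):
                findings.append(f"START/STOP user or port mismatch task_id={tid}")
            wall = int(av["stop_time"]) - int(start["start_time"])
            if "elapsed_time" in av and int(av["elapsed_time"]) != wall:
                findings.append(f"elapsed_time disagrees with timestamps task_id={tid}")
            sessions.append({"task_id": tid, "user": av.get("user"), "port": av.get("port"),
                             "elapsed": wall, "bytes_in": int(av.get("bytes_in", 0)),
                             "bytes_out": int(av.get("bytes_out", 0))})
        else:
            findings.append(f"unknown record flag {flag!r}")
    for tid, av in open_starts.items():   # still open when the log ends: hung, or the STOP was lost
        findings.append(f"open session task_id={tid} user={av.get('user')}")
    return {"sessions": sessions, "findings": findings}
```

correlate(SAMPLE) closes task 70 (14 seconds, 308 bytes in, 76 out) and reports two findings: task 72 stopped without a start record, and task 71 never stopped. Pairing like this is only possible with start-stop (or wait-start) accounting; with stop-only there is no START to match, so an orphan STOP is normal rather than suspicious.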

Summary

– Authentication, authorization, and accounting are used to effectively control network access.
– The router access modes for AAA are character and packet.
– The most popular AAA protocols are TACACS+ and RADIUS.
– AAA can be configured on the router using the CLI or SDM; SDM simplifies the AAA configuration process.
– One of the troubleshooting tools for login authentication is the debug aaa authentication command.
– The aaa authorization exec command is used for character mode, while the aaa authorization network command is used for packet mode access authorization.
– The aaa accounting command provides numerous options for accounting purposes.
