© 1999, Cisco Systems, Inc. 3-1 Configuring the Network Access Server for AAA Security Chapter 3.


Objectives

Upon completion of this chapter, you will be able to perform the following tasks:
- Describe network access server port types and access control methods
- Configure the network access server to enable AAA processes that use a local database on the NAS (CiscoSecure local database)
- Test the network access server AAA configuration using the applicable debugging and testing commands

Figure: MCNS course network topology. A dialup NAS on the campus side and a CiscoSecure server on a Windows NT host (which also runs Web, FTP, TFTP and Syslog services) perform AAA, talking to each other over TACACS+ or RADIUS. Other elements shown: CA server, PIX Firewall with a protected DMZ and a dirty DMZ, bastion host, perimeter router, NetRanger sensor and NetRanger Director, NetSonar, SMTP and DNS servers, IS host, Sales dialup client, remote branch, Internet web server and web surfer.

AAA Secures Network Access

AAA Model: Network Security Architecture

- Authentication: Who are you? "I am user student and my password validateme proves it."
- Authorization: What can you do? What can you access? "User student can access host NT_Server with Telnet."
- Accounting: What did you do? How long did you do it? How often did you do it? "User student accessed host NT_Server with Telnet 15 times."

AAA Secures Network Access

- Character (line) mode access: console and Telnet sessions on the tty, vty, aux and cty lines
- Packet (interface) mode access: async, group-async, BRI and serial (PRI) interfaces, carrying remote-client sessions over SLIP, PPP or ARAP

Figure: a remote client reaches the NAS over the PSTN/ISDN (packet mode), a Telnet host and a console terminal reach it in character mode, and the NAS consults a security server for all of them.

Authentication Methods

Authentication Methods and Ease of Use

Figure: authentication methods plotted on two axes, authentication strength (strong to weak) against ease of use (high to low); the stronger methods are the least convenient for the user and the weakest the most convenient. From strongest to weakest:
- Token cards / soft tokens (OTP)
- One-time password (OTP)
- S/Key (OTP for terminal login)
- Username/password with aging
- Username/password, static
- No username or password

Authentication: Remote Client Username and Password

Figure: a Windows 95 remote client dials the network access server over the PSTN/ISDN and sends the username and password entered in the Dialup Networking Username and Password fields over TCP/IP PPP; the NAS checks them against the security server.

Authentication: One-Time Passwords (S/Key)

- A list of one-time passwords is generated by the S/Key program from a hash function
- Each password is sent in cleartext over the network, but is valid only once
- The server must support S/Key

Because each password in the list is the hash of the one that will be used after it, the server can check a password by hashing it once and comparing with the value it last accepted, and an eavesdropper who captures a password cannot compute the next one without inverting the hash.

Figure: the workstation holds the S/Key password list; a single S/Key password travels in cleartext to a security server that supports S/Key.
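The hash chain behind S/Key, as an added example that is not part of the Cisco course material: the RFC 2289 otp-md5 construction (initial hash of seed plus pass phrase, then repeated hash-and-fold), a server that stores only the last accepted value, and the two attacks the slide alludes to, replaying a captured password and trying to derive the next one. The pass phrase and seed are constructed, and raw 64-bit values are used instead of the six-word encoding a real client would show.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """RFC 2289 folding for otp-md5: XOR the first 8 bytes with the last 8, giving 64 bits."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def otp_initial(passphrase: str, seed: str) -> bytes:
    """Initial step: hash the lower-cased seed concatenated with the pass phrase."""
    return _fold(hashlib.md5((seed.lower() + passphrase).encode("utf-8")).digest())


def otp_step(value: bytes) -> bytes:
    """One computation step: hash and fold the previous 64-bit value."""
    return _fold(hashlib.md5(value).digest())


def otp(passphrase: str, seed: str, n: int) -> bytes:
    """One-time password for sequence number n: initial step plus n computation steps."""
    value = otp_initial(passphrase, seed)
    for _ in range(n):
        value = otp_step(value)
    return value


class OtpServer:
    """Server side. It stores only the last accepted password, never the pass phrase."""

    def __init__(self, seed: str, n: int, last_password: bytes) -> None:
        self.seed = seed
        self.n = n                        # sequence number of the stored password
        self.stored = last_password       # otp(passphrase, seed, n), computed at enrolment

    def challenge(self) -> str:
        # The client must answer with the password for sequence number n-1.
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, response: bytes) -> bool:
        if self.n <= 1:
            return False                  # sequence exhausted: re-enrol with a new seed
        # Hashing the client's password once must reproduce what we stored.
        if otp_step(response) != self.stored:
            return False
        self.stored = response            # advance the chain; the old password is now dead
        self.n -= 1
        return True


def demo() -> dict:
    passphrase = "correct horse battery staple"    # constructed user pass phrase
    seed = "nas1sd01"                               # constructed seed
    server = OtpServer(seed, 100, otp(passphrase, seed, 100))

    # Legitimate login: the client answers the challenge "otp-md5 99 nas1sd01".
    first = otp(passphrase, seed, 99)
    login_ok = server.verify(first)

    # An eavesdropper captured `first` in cleartext and replays it.
    replay_ok = server.verify(first)

    # The eavesdropper hashes the captured value hoping to get the next password;
    # the chain runs the other way, so the server rejects it.
    guess_ok = server.verify(otp_step(first))

    # The next legitimate login uses sequence number 98.
    second_ok = server.verify(otp(passphrase, seed, 98))
    return {"login": login_ok, "replay": replay_ok, "guess": guess_ok,
            "second": second_ok, "remaining": server.n}


if __name__ == "__main__":
    print(demo())
```

Note that the server never needs the pass phrase after enrolment, which is what makes a compromise of the server's table far less damaging than a compromise of a static-password database; the price is the finite sequence, which must be re-seeded before it reaches zero.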

Authentication: Token Cards and Servers

- CiscoSecure [OTP] Token Server
- The token card uses an algorithm seeded by the user's PIN or by the time of day to generate a one-time password
- The token server runs the same algorithm with the same seed to compute the expected value and compares it with the password presented (nothing is decrypted; the value is recomputed)
- The user sends the generated password to the network access server or security server, which completes authentication against the token server

PAP and CHAP Authentication

Authentication via PPP Link

Figure: a TCP/IP PPP client reaches the network access server over the PSTN or ISDN; authentication happens inside PPP.

PAP = Password Authentication Protocol
– Cleartext, repeated password
– Subject to eavesdropping and replay attacks

CHAP = Challenge Handshake Authentication Protocol
– Secret password, per remote user
– Challenge (a random number) sent on the link by the authenticator
– Challenge can be repeated periodically during the session, which limits session hijacking
– The CHAP response is an MD5 hash of (identifier + secret + challenge); a matching response proves knowledge of the secret without ever sending it
– Robust against sniffing and replay: a captured response is useless against a fresh challenge
– Caveats: the authenticator must hold each user's secret in recoverable form, and an eavesdropper who captures a challenge/response pair can still run an offline dictionary attack against a weak secret
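Both sides of the CHAP exchange from the slide, as an added example rather than course code: the RFC 1994 response computation, an authenticator that issues a fresh random challenge and accepts each one only once, a peer that answers it, a PAP request for contrast, and the offline dictionary attack that remains possible against a sniffed pair. The user name and secret reuse the chapter's student/validateme example; everything else is constructed.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """NAS side of CHAP. It must keep each peer's secret in recoverable form to recompute the hash."""

    def __init__(self, secrets: dict) -> None:
        self._secrets = secrets
        self._identifier = 0
        self._outstanding = {}              # identifier -> challenge still awaiting a response

    def challenge(self):
        self._identifier = (self._identifier + 1) % 256
        value = os.urandom(16)              # fresh, unpredictable challenge, never reused
        self._outstanding[self._identifier] = value
        return self._identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self._outstanding.pop(identifier, None)   # a challenge is answered at most once
        secret = self._secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_peer(name: str, secret: bytes, identifier: int, challenge: bytes):
    """Client side: the secret never leaves the peer, only the hash does."""
    return name, chap_response(identifier, secret, challenge)


def pap_authenticate_request(name: str, password: bytes) -> bytes:
    """PAP Authenticate-Request body: name and password in the clear, readable by any sniffer."""
    return bytes([len(name)]) + name.encode() + bytes([len(password)]) + password


def crack_chap(identifier: int, challenge: bytes, response: bytes, wordlist):
    """A sniffed challenge/response pair supports an offline dictionary attack on a weak secret."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def demo() -> dict:
    nas = ChapAuthenticator({"student": b"validateme"})
    ident, chal = nas.challenge()
    name, resp = chap_peer("student", b"validateme", ident, chal)
    ok = nas.verify(ident, name, resp)
    replay_same = nas.verify(ident, name, resp)            # same challenge: already consumed
    ident2, chal2 = nas.challenge()
    replay_new = nas.verify(ident2, name, resp)            # old response against a new challenge
    ident3, chal3 = nas.challenge()
    wrong = nas.verify(ident3, "student", chap_response(ident3, b"guess", chal3))
    pap_packet = pap_authenticate_request("student", b"validateme")
    cracked = crack_chap(ident, chal, resp, [b"password", b"letmein", b"validateme"])
    return {"chap_ok": ok, "replay_same": replay_same, "replay_new": replay_new,
            "wrong_secret": wrong, "pap_leaks": b"validateme" in pap_packet, "cracked": cracked}


if __name__ == "__main__":
    print(demo())
```

The dictionary attack succeeds here because the secret is a dictionary word; the protocol does not protect a weak secret from an eavesdropper, it only stops the eavesdropper from replaying what was captured.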

Network Access Server AAA Configuration Process

Authenticated NAS Port Types

Figure: the ports on the NAS that AAA authenticates, with a CiscoSecure ACS server behind it.
- vty: Telnet host
- BRI, serial (PRI): ISDN B channels
- tty, aux, async: async and ISDN dial-in
- cty: console terminal

Network Access Server AAA Configuration Process

General steps to configure the NAS for AAA:
1. Secure access to privileged EXEC and configuration modes (enable password and enable secret)
2. Enable AAA globally on the network access server with the aaa new-model command
3. Configure AAA authentication profiles (method lists)
4. Configure AAA authorization, for use after the user has passed authentication
5. Configure the AAA accounting options for how you want accounting records written
6. Verify the configuration

Secure Privileged EXEC and Configuration Mode

Router(config)#enable password changeme
Router(config)#enable secret supersecret
Router(config)#service password-encryption

Figure: the administrator Telnets to the NAS, which has a CiscoSecure ACS server behind it. service password-encryption applies only lightweight encryption (type 7, trivially reversible) to the enable password and other cleartext passwords in the configuration; enable secret is stored as a one-way MD5 hash (type 5) and takes precedence over enable password whenever both are set. Do not reuse the same value for both, or the reversible copy gives away the secret; the enable password is there only for IOS images that do not support enable secret.

Begin the AAA Configuration

Router(config)#aaa new-model
Router(config)#aaa authentication login default enable
Router(config)#aaa authentication login console-in local
Router(config)#aaa authentication login is-in local
Router(config)#aaa authentication login tty-in local
Router(config)#aaa authentication ppp dial-in local

Figure: the NAS with a CiscoSecure ACS server. As soon as aaa new-model is entered, the default login list applies to every line that has no named list; here it falls back to the enable password, so the administrator is not locked out while the named lists (console-in, is-in, tty-in, dial-in) are still unassigned. A named list does nothing until it is bound to a line with login authentication or to an interface with ppp authentication, and the local method only works once username entries exist in the configuration.

AAA Security Servers

AAA with a Local Security Database

1. The user establishes a PPP connection with the NAS
2. The NAS prompts the user for a username and password
3. The NAS authenticates the username and password against its local database
4. The NAS authorizes the user to access the network based on the local database
5. The NAS tracks user traffic and compiles accounting records as specified in the local database

Remote Alternatives: TACACS+ and RADIUS

- Two different protocols used to communicate between the security server and a router, NAS or firewall
- CiscoSecure supports both TACACS+ and RADIUS
  – TACACS+ is the more secure and more scalable of the two: it runs over TCP, encrypts the entire packet body under the shared key rather than only the password field, and keeps authentication, authorization and accounting separate, which is what makes per-command authorization possible
  – RADIUS has a robust API and strong accounting; it runs over UDP, obfuscates only the user password attribute, and combines authentication and authorization in one exchange
- Caveat: the TACACS+ body encryption is an MD5-derived keystream under the shared key, not a modern authenticated cipher, so keep the key strong and keep the AAA traffic on a management network

Figure: the CiscoSecure ACS security server talking TACACS+ or RADIUS to a firewall, a router and a network access server.

AAA Authentication Commands

router(config)#aaa authentication {login | enable | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]

Methods available for each authentication type:
- login: enable, krb5, krb5-telnet, line, local, none, tacacs+, radius
- enable: enable, line, none, tacacs+, radius
- arap: guest, auth-guest, line, local, tacacs+, radius
- ppp: if-needed, krb5, local, none, tacacs+, radius
- nasi: enable, line, local, none, tacacs+

AAA Authentication Example Configuration

router(config)#aaa authentication login tech-pubs tacacs+ local
router(config)#aaa authentication ppp mktg if-needed tacacs+
router(config)#line console 0
router(config-line)#login authentication tech-pubs
router(config)#interface serial 3/0
router(config-if)#ppp authentication chap mktg

The methods in a list are tried in order, and the next method is consulted only when the previous one cannot answer (for example, no TACACS+ server responds); a reject from a reachable server is final, so local in the tech-pubs list is a fallback for server outages, not a second chance for a wrong password.
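Method-list evaluation as an added simulation, not Cisco code: each method returns pass, fail or error, and only error moves the NAS on to the next method. The toy TACACS+ server, local database and user contexts are constructed; the lists mirror tech-pubs and mktg from the slide, plus a list with no fallback and one ending in none to show the lockout and fail-open cases. The local method here treats an unknown user as a reject, which is a simplification of this example.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"      # method answered: accept
    FAIL = "fail"      # method answered: reject; the list stops here
    ERROR = "error"    # method could not answer; IOS moves on to the next method


class TacacsServer:
    """Toy TACACS+ server: a user table and a reachability flag (constructed, not a real client)."""

    def __init__(self, users, reachable=True):
        self.users, self.reachable = users, reachable


def tacacs(server):
    def method(ctx):
        if not server.reachable:
            return Result.ERROR
        return Result.PASS if server.users.get(ctx["user"]) == ctx["password"] else Result.FAIL
    return method


def local(users):
    def method(ctx):
        # Simplification of this example: an unknown local user is treated as a reject.
        return Result.PASS if users.get(ctx["user"]) == ctx["password"] else Result.FAIL
    return method


def enable(secret):
    def method(ctx):
        return Result.PASS if ctx["password"] == secret else Result.FAIL
    return method


def none(ctx):
    return Result.PASS                      # unconditional accept: fail-open


def if_needed(ctx):
    # PPP only: skip authentication for a user already authenticated on the line.
    return Result.PASS if ctx.get("already_authenticated") else Result.ERROR


def authenticate(method_list, ctx):
    """Walk the list in order; only ERROR advances. Exhausting the list is a failure."""
    for name, method in method_list:
        result = method(ctx)
        if result is not Result.ERROR:
            return result, name
    return Result.FAIL, "list exhausted"


def demo() -> dict:
    acs_up = TacacsServer({"student": "validateme"})
    acs_down = TacacsServer({"student": "validateme"}, reachable=False)
    local_db = {"admin": "localpw", "student": "oldpw"}     # stale copy of student's password
    student = {"user": "student", "password": "validateme"}
    stale = {"user": "student", "password": "oldpw"}

    tech_pubs_up = [("tacacs+", tacacs(acs_up)), ("local", local(local_db))]
    tech_pubs_down = [("tacacs+", tacacs(acs_down)), ("local", local(local_db))]
    mktg = [("if-needed", if_needed), ("tacacs+", tacacs(acs_up))]
    default = [("enable", enable("supersecret"))]
    return {
        "server_reject": authenticate(tech_pubs_up, stale),        # reject is final; local not consulted
        "server_down_fallback": authenticate(tech_pubs_down, stale),  # outage: local answers
        "server_down_wrong": authenticate(tech_pubs_down, student),   # outage, local rejects
        "ppp_already_auth": authenticate(mktg, {**student, "already_authenticated": True}),
        "ppp_fresh": authenticate(mktg, student),
        "enable_default": authenticate(default, {"user": "", "password": "supersecret"}),
        "no_fallback_lockout": authenticate([("tacacs+", tacacs(acs_down))], student),
        "fail_open": authenticate([("tacacs+", tacacs(acs_down)), ("none", none)],
                                  {"user": "anyone", "password": ""}),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:22s} {outcome[0].value:5s} via {outcome[1]}")
```

The two cases worth remembering are no_fallback_lockout and fail_open: a single tacacs+ method leaves nobody able to log in during a server outage, while a trailing none lets anybody in during the same outage. The usual compromise is a local fallback with a small, well-protected local account.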

AAA Authorization Commands

router(config)#aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}

Figure: the network access server consulting a CiscoSecure ACS server for authorization.

AAA Authorization Example Configuration

router(config)#aaa authorization commands 1 Orion local
router(config)#aaa authorization commands 15 Andromeda local
router(config)#aaa authorization network Pisces local none
router(config)#aaa authorization exec Virgo if-authenticated

Figure: the NAS with a CiscoSecure ACS server; Orion, Andromeda, Pisces and Virgo are list names. Note that none authorizes whatever it is asked about, so it belongs only at the end of a list as a deliberate fail-open, and if-authenticated grants the EXEC shell to any user who has passed authentication.

AAA Accounting Commands

router(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2 ...]]

Figure: the network access server sending accounting records to a CiscoSecure ACS server.

AAA Accounting Example Configuration

router(config)#aaa accounting system wait-start local
router(config)#aaa accounting network stop-only local
router(config)#aaa accounting exec start-stop local
router(config)#aaa accounting commands 15 wait-start local

Figure: the NAS with a CiscoSecure ACS server. start-stop sends a start record when the session begins and a stop record when it ends; wait-start does the same but delays the user's service until the start record is acknowledged, so an unreachable accounting server blocks the service; stop-only sends a single record at the end of the session.

AAA Troubleshooting

router#debug aaa authentication
router#debug aaa authorization
router#debug aaa accounting

These display detailed AAA information for each phase. Enable only the debug you need (debugging is CPU-intensive on a busy NAS), use terminal monitor to see the output on a vty session, and switch it off with undebug all when finished.
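A static check of the whole configuration procedure, as an added example that is not part of the course: a small parser for IOS running-config text and an audit that walks the chapter's steps (enable secret, aaa new-model, method lists, their bindings to lines and interfaces, local users, fail-open and lockout patterns). The sample configuration is constructed from the chapter's commands with a few deliberate mistakes; the hash and addresses in it are placeholders.

```python
import re

# Constructed sample running-config following the chapter's steps, with deliberate mistakes.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$sk$constructedplaceholderhash00000
enable password 7 0123456789ABCD
aaa new-model
aaa authentication login default enable
aaa authentication login tech-pubs tacacs+ local
aaa authentication ppp mktg if-needed tacacs+
aaa authentication ppp dial-in local
aaa authorization commands 15 Andromeda tacacs+
aaa authorization network Pisces local none
aaa accounting exec default start-stop tacacs+
tacacs-server host 10.1.2.2
interface Serial3/0
 ppp authentication chap mktg
line con 0
 login authentication tech-pubs
line vty 0 4
 login authentication console-in
"""

AAA_RE = re.compile(r"aaa (authentication|authorization|accounting) (\S+)((?: \d+)?) (\S+) (.+)")
PPP_RE = re.compile(r"ppp authentication (?:chap pap|pap chap|chap|pap) (\S+)")
RECORD_TYPES = {"start-stop", "stop-only", "wait-start", "none"}


def parse_ios(config):
    """Split a config into (block_header, line) pairs: top-level lines get header None,
    indented lines get the interface or line block they sit under."""
    pairs, block = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            pairs.append((block, line.strip()))
        else:
            block = line
            pairs.append((None, line))
    return pairs


def audit_aaa(config):
    """Static checks mirroring the configuration steps; returns a list of findings."""
    findings = []
    pairs = parse_ios(config)
    top = [l for b, l in pairs if b is None]
    sub = [(b, l) for b, l in pairs if b is not None]
    # Step 1: privileged EXEC protection.
    if not any(l.startswith("enable secret ") for l in top):
        findings.append("no enable secret configured")
    if any(l.startswith("enable password ") for l in top):
        findings.append("enable password is set; it is reversible (type 7 at best), remove it")
    if "service password-encryption" not in top:
        findings.append("service password-encryption is off; line passwords are stored in cleartext")
    # Step 2: without aaa new-model the method lists below are ignored.
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing; method lists are ignored")
    # Steps 3-5: collect method lists keyed by (kind, service, list-name).
    lists = {}
    for l in top:
        m = AAA_RE.match(l)
        if m:
            methods = m.group(5).split()
            if m.group(1) == "accounting" and methods and methods[0] in RECORD_TYPES:
                methods = methods[1:]                 # drop the record type, keep the methods
            lists[(m.group(1), m.group(2) + m.group(3), m.group(4))] = methods
    applied = set()                                   # (service, list-name) bound on a line/interface
    for block, l in sub:
        for service, regex in (("login", r"login authentication (\S+)"), ("ppp", PPP_RE)):
            m = re.match(regex, l)
            if m:
                applied.add((service, m.group(1)))
                if m.group(1) != "default" and ("authentication", service, m.group(1)) not in lists:
                    findings.append(f"{block} references undefined {service} list {m.group(1)}")
    for (kind, service, name), methods in lists.items():
        if kind == "authentication" and service in ("login", "ppp") and name != "default" \
                and (service, name) not in applied:
            findings.append(f"method list {service}/{name} is defined but never applied")
        if kind != "accounting" and "none" in methods:
            findings.append(f"list {kind} {service}/{name} contains none: fails open")
        if kind == "authorization" and service.startswith("commands") and methods == ["tacacs+"]:
            findings.append(f"list {kind} {service}/{name} has tacacs+ only: a server outage locks out command authorization")
    local_lists = sorted(name for (kind, _s, name), methods in lists.items() if "local" in methods)
    if local_lists and not any(l.startswith("username ") for l in top):
        findings.append("local method used by " + ", ".join(local_lists) + " but no username entries exist")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("-", finding)
```

Run against a real show running-config capture, this catches the configuration errors that debug aaa cannot show you until someone is already locked out or, worse, let in.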

Lab Exercise

Lab Objectives

Upon completion of this lab, you will be able to perform the following tasks:
- Configure the network access server to secure enable mode access to the network access server
- Configure AAA services using the local security database
- Test the network access server AAA configuration using the applicable debugging and testing commands

Figure: MCNS lab environment (generic; X = pod number). Components shown: the Perimeter1 router (10.X.1.0/24) connected through a Frame Relay telco simulator standing in for the Internet, with a Sales dialup client; the PIX1 firewall with Outside, DMZ and Inside interfaces; a dirty DMZ with a bastion host running web and FTP servers; a protected DMZ; NAS1 with a dial-in address pool of 10.X.2.2 to 10.X.2.10 /24; the IS host; NT1, a Windows NT server running CiscoSecure NT, IIS FTP and web server, Cisco Security Manager, syslog server and TFTP server; and an instructor NT server providing FTP, HTTP and the CA.

Summary and Review Questions

Summary

- In local-server AAA, the local NAS performs the AAA services
- Both character and packet modes can be secured with AAA
- Network access server AAA configuration should follow an orderly progression
- Use the aaa authentication command to specify the authentication process and method
- Use the debug aaa commands selectively to troubleshoot AAA
- Use the no aaa new-model command to remove the AAA commands from the configuration

Review Questions

1. What are the two network access server modes that can be secured by AAA commands?
A. Character (line) mode, with the tty, vty, aux and cty ports
B. Packet (interface) mode, with the async, group-async, BRI and serial (PRI) ports

Review Questions (cont.)

2. What is being configured in each of the fields of the following command?
   aaa authentication ppp sales if-needed local
A. aaa authentication ppp: specifies the PPP authentication operation
B. sales: assigns the list name sales to this authentication profile
C. if-needed: the first method; if the user has already been authenticated on the line, PPP authentication is skipped
D. local: the second method; when authentication is still needed, the local username database is used for PPP authentication
