© 2006 Cisco Systems, Inc. All rights reserved. SND v Securing the Perimeter Configuring AAA Functions on the Cisco IOS Router

© 2006 Cisco Systems, Inc. All rights reserved. SND v Outline Overview Identification and Authentication Introduction to AAA for Cisco Routers Authenticating Remote Access TACACS+ and RADIUS AAA Protocols Authentication Methods Point-to-Point Authentication Protocols Authenticating Router Access Configuring AAA for Cisco Routers Troubleshooting AAA on Cisco Routers Configuring AAA with Cisco SDM Summary

© 2006 Cisco Systems, Inc. All rights reserved. SND v AAA ModelNetwork Security Architecture Authentication –Who are you? –I am user student and my password validateme proves it. Authorization –What can you do? What can you access? –User student can access host serverXYZ using Telnet. Accounting –What did you do? How long did you do it? How often did you do it? –User student accessed host serverXYZ using Telnet for 15 minutes.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Implementing Cisco AAA Administrative accessconsole, Telnet, and auxiliary access Remote user network accessDial-up or VPN access Cisco Secure ACS for Windows Server Remote Client (Dial-Up Client) NAS Corporate File Server Console Remote Client (VPN Client) Router Cisco Secure ACS Solution Engine Internet PSTN and ISDN PSTN = public switched telephone network

© 2006 Cisco Systems, Inc. All rights reserved. SND v Implementing Authentication Using Local Services 1. The client establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database. Perimeter Router Remote Client 1 2 3

© 2006 Cisco Systems, Inc. All rights reserved. SND v Implementing Authentication Using External Servers 1. The client establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. Perimeter Router Remote Client Cisco Secure ACS for Windows Server Cisco Secure ACS Solution Engine

© 2006 Cisco Systems, Inc. All rights reserved. SND v TACACS+ and RADIUS AAA Protocols Two different protocols are used to communicate between the AAA security servers and authenticating devices. Cisco Secure ACS supports both TACACS+ and RADIUS: –TACACS+ remains more secure than RADIUS. –RADIUS has a robust application programming interface and strong accounting. Cisco Secure ACS Firewall Router Network Access Server TACACS+RADIUS Security Server

© 2006 Cisco Systems, Inc. All rights reserved. SND v Authentication Methods and Ease of Use Strongest Weak Authentication Ease of use HighLow Token cards or soft tokens using OTPs S/Key (OTP for terminal login) Username and password (aging) Username and password (static) No username or password

© 2006 Cisco Systems, Inc. All rights reserved. SND v AuthenticationRemote PC Username and Password Microsoft Windows dial-up networking connection: Username and Password fields Security Server Microsoft Windows Remote PC NAS Username and password (TCP/IP PPP) PSTN or ISDN

© 2006 Cisco Systems, Inc. All rights reserved. SND v AuthenticationToken Cards and Servers Cisco Secure ACS (OTP) Token Server

© 2006 Cisco Systems, Inc. All rights reserved. SND v AAA ExampleAuthentication via PPP Link Password Authentication Protocol –Clear text, repeated password –Subject to eavesdropping and replay attacks Challenge Handshake Authentication Protocol –Secret password, per remote user –Challenge sent on link (random number) –Challenge can be repeated periodically to prevent session hijacking –CHAP response is Message Digest 5 hash of (challenge + secret) that provides authentication –Robust against sniffing and replay attacks MS-CHAP version 1 (supported in Cisco IOS Release 11.3 and later) and version 1 or version 2 (supported in Cisco IOS Release 12.2 and later) Network Access Server TCP/IP and PPP Client PPP PSTN or ISDN

© 2006 Cisco Systems, Inc. All rights reserved. SND v Authenticating Router Access Telnet Host LAN Remote LAN Network Access Console Router Remote Router Administrative Access Internet

© 2006 Cisco Systems, Inc. All rights reserved. SND v Router Local Authentication Configuration Process Here are the general steps required to configure a Cisco router for local authentication: Step 1: Secure access to privileged EXEC mode. Step 2: Enable AAA globally on the perimeter router with the aaa new-model command. Step 3: Configure AAA authentication lists. Step 4: Configure AAA authorization for use after the user has passed authentication. Step 5: Configure the AAA accounting options for how you want to write accounting records. Step 6: Verify the configuration.

© 2006 Cisco Systems, Inc. All rights reserved. SND v Enable AAA Globally Using the aaa new-model Command aaa new-model router(config)# router(config)# aaa new-model username username password password router(config)# router(config)# username Joe106 password 1MugOJava Establishes AAA section in configuration file Sets username and password aaa authentication login default local Helps prevent administrative access lockout while configuring AAA router(config)#

© 2006 Cisco Systems, Inc. All rights reserved. SND v aaa authentication Commands These aaa authentication commands are available in Cisco IOS Releases 12.2 and later. Each of these commands has its own syntax and options (methods). aaa authentication arap aaa authentication banner aaa authentication enable default aaa authentication fail-message aaa authentication local-override aaa authentication login aaa authentication nasi aaa authentication password-prompt aaa authentication ppp aaa authentication username-prompt router(config)#

© 2006 Cisco Systems, Inc. All rights reserved. SND v aaa authentication login Command aaa authentication login {default | list-name} method1 [method2...] router(config)# router(config)# aaa authentication login default enable router(config)# aaa authentication login console-in local router(config)# aaa authentication login tty-in line

© 2006 Cisco Systems, Inc. All rights reserved. SND v aaa authentication ppp Command aaa authentication ppp {default | list-name} method1 [method2...] router(config)# router(config)# aaa authen ppp default local router(config)# aaa authen ppp dial-in local none

© 2006 Cisco Systems, Inc. All rights reserved. SND v aaa authentication enable default Command aaa authentication enable default method1 [method2...] router(config)# router(config)# aaa authentication enable default group tacacs+ enable none

© 2006 Cisco Systems, Inc. All rights reserved. SND v Apply Authentication Commands to Lines and Interfaces Authentication commands can be applied to lines or interfaces. router(config)# line console 0 router(config-line)# login authentication console-in router(config)# int s3/0 router(config-if)# ppp authentication chap dial-in Note: It is recommended that you always define a default list for AAA to provide last resort authentication on all lines and interfaces protected by AAA.

© 2006 Cisco Systems, Inc. All rights reserved. SND v aaa authorization Command aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...] router(config)# router(config)# aaa authorization commands 1 alpha local router(config)# aaa authorization commands 15 bravo local router(config)# aaa authorization network charlie local none router(config)# aaa authorization exec delta if-authenticated router(config)# aaa authorization commands 15 default local

© 2006 Cisco Systems, Inc. All rights reserved. SND v aaa accounting Command aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf- name] {start-stop | stop-only | none} [broadcast] group groupname router(config)# router(config)# aaa accounting commands 15 default stop-only group tacacs+ router(config)# aaa accounting auth-proxy default start-stop group tacacs+

© 2006 Cisco Systems, Inc. All rights reserved. SND v Troubleshooting AAA Using debug Commands debug aaa authentication router# Use this command to help troubleshoot AAA authentication problems debug aaa accounting router# Use this command to help troubleshoot AAA accounting problems debug aaa authorization router# Use this command to help troubleshoot AAA authorization problems

© 2006 Cisco Systems, Inc. All rights reserved. SND v Troubleshooting AAA Using the debug aaa authentication Command router# debug aaa authentication : Feb 4 10:11: CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv= : Feb 4 10:11: CST: AAA/AUTHEN/START ( ): port='tty1' list='' action=LOGIN service=LOGIN : Feb 4 10:11: CST: AAA/AUTHEN/START ( ): using "default" list : Feb 4 10:11: CST: AAA/AUTHEN/START ( ): Method=LOCAL : Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETUSER : Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): continue_login (user='(undef)') : Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETUSER : Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): Method=LOCAL : Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETPASS : Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): continue_login (user='diallocal') : Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETPASS : Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): Method=LOCAL : Feb 4 10:11: CST: AAA/AUTHEN ( ): status = PASS

© 2006 Cisco Systems, Inc. All rights reserved. SND v Troubleshooting AAA Using the debug aaa accounting Command router# debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address= cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

© 2006 Cisco Systems, Inc. All rights reserved. SND v Configuring AAA with Cisco SDM 1 2 3

© 2006 Cisco Systems, Inc. All rights reserved. SND v Summary AAA services provide a higher degree of scalability than the line-level and privileged EXEC authentication AAA services may be self-contained in the router or network access server (NAS) itself. This form of authentication is also known as local authentication In situations where local authentication will not scale well, such as for many remote clients connecting to the network from different locations, it is better to implement a remote security database. TACACS+ and RADIUS are the two predominant AAA protocols used by Cisco security appliances, routers, and switches for implementing AAA with a remote security database. The most common authentication method is the use of a username and password. Authentication strength varies from the weakest which is to use a database of usernames and passwords to the strongest which is to use OTPs. PPP enables authentication between remote clients and servers using PAP, CHAP, or MS-CHAP. Administrative access to a router and remote LAN access through perimeter routers is secured using aaa comands. To configure AAA for local authentication on a router, first enable AAA with the aaa new-model command, second specify a username and password with the usnername username password password command, and third specify local authentication with the aaa authentication login default local command. There are three commands to use when debugging AAA: debug aaa authentication, debug aaa authorization, and debug aaa accounting You can configure AAA with Cisco SDM by following the Configure > Additional Tasks > AAA path.

© 2006 Cisco Systems, Inc. All rights reserved. SND v