© 1999, Cisco Systems, Inc. 3-1
Configuring the Network Access Server for AAA Security
Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
• Describe network access server port types and access control methods
• Configure the network access server to enable AAA processes using its local security database
• Test the network access server AAA configuration using applicable debugging and testing commands
[Figure: course network topology. Internet and perimeter router; PIX Firewall; protected DMZ with bastion hosts, web server, SMTP server, DNS server and NetRanger sensor; "dirty" DMZ; campus router; CA server; NetRanger Director, NetSonar and IS hosts; dial-up NAS serving a remote branch and sales clients (Windows NT PC, client/server hosts); NT server running CiscoSecure, web, FTP, TFTP and syslog services. Caption: CSNT and NAS used to perform AAA. The NAS talks to CiscoSecure over the TACACS+ or RADIUS protocol.]
AAA Secures Network Access
AAA Model—Network Security Architecture
• Authentication: Who are you? "I am user student and my password validateme proves it."
• Authorization: What can you do? What can you access? "User student can access host NT_Server with Telnet."
• Accounting: What did you do? How long did you do it? How often did you do it? "User student accessed host NT_Server with Telnet 15 times."
AAA Secures Network Access
• Character (line) mode access: console, Telnet (tty, vty, aux, cty)
• Packet (interface) mode access: async, group-async, BRI, serial (PRI)
[Figure: remote client (SLIP, PPP, ARAP) dialing over PSTN/ISDN into the NAS, which also serves a Telnet host and a console terminal and consults a security server.]
Authentication Methods
Authentication Methods and Ease of Use
[Figure: authentication methods plotted on two axes, authentication strength (weak to strong) against ease of use (high to low). From weakest and easiest to strongest and least convenient:]
• No username or password
• Username/password (static)
• Username/password (aging)
• S/Key (OTP for terminal login)
• One-time password (OTP)
• Token cards/soft tokens (OTP)
Authentication—Remote Client Username and Password
[Figure: a Windows 95 remote client enters a username and password in the Dial-Up Networking screen and dials over PSTN/ISDN into the network access server; the username/password (carried over TCP/IP PPP) is checked against the security server.]
Authentication—One-Time Passwords—S/Key
• The user holds a list of one-time passwords
• Generated by the S/Key program from a secret passphrase with a one-way hash function; the server stores only the last value of the hash chain, and each password the user presents must hash to the value the server currently holds
• Each password is sent in cleartext over the network, but it is valid only once; an eavesdropper who captures it cannot derive the next password without inverting the hash
• Server must support S/Key
[Figure: workstation holding the S/Key password list sends an S/Key password (cleartext) to a security server that supports S/Key.]
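The hash-chain mechanism described above, as an added example (not Cisco code and not the RFC 1760 reference implementation). It assumes SHA-256 in place of the MD4 folding S/Key actually uses, and the passphrase and seed are constructed for the demonstration; it shows why a cleartext one-time password is safe to transmit once and useless when replayed or presented out of sequence.

```python
# Added example (not Cisco or RFC 1760 code): an S/Key-style one-time password
# chain. Assumption: SHA-256 stands in for the MD4 folding RFC 1760 specifies;
# the passphrase and seed below are constructed for this demonstration.
import hashlib


def h(data: bytes) -> bytes:
    """One-way function for the chain (assumption: SHA-256 instead of MD4)."""
    return hashlib.sha256(data).digest()


def otp_chain(passphrase: str, seed: str, n: int) -> list:
    """Return [h^0(x), h^1(x), ..., h^n(x)] with x = seed || passphrase.

    The user keeps this list (printed, or recomputed on demand); the server
    is given only h^n(x), the last element, at enrolment.
    """
    values = [h((seed + passphrase).encode())]
    for _ in range(n):
        values.append(h(values[-1]))
    return values


class SKeyServer:
    """Server side: stores only the most recently accepted chain value."""

    def __init__(self, commitment: bytes, remaining: int):
        self.last = commitment       # h^n(x) at enrolment
        self.remaining = remaining   # passwords left before re-enrolment

    def verify(self, otp: bytes) -> bool:
        # Accept otp only if hashing it once yields the stored value, i.e. the
        # client presented h^(k-1)(x) while we hold h^k(x). A replayed or
        # out-of-sequence password does not hash to the stored value.
        if self.remaining == 0 or h(otp) != self.last:
            return False
        self.last = otp              # advance: next expected is h^(k-2)(x)
        self.remaining -= 1
        return True


def run_demo(n: int = 5) -> dict:
    chain = otp_chain("correct horse battery", "nas1-00001", n)  # constructed
    server = SKeyServer(chain[n], n)
    first = server.verify(chain[n - 1])        # fresh password: accepted
    replay = server.verify(chain[n - 1])       # sniffed and replayed: rejected
    skipped = server.verify(chain[n - 3])      # out of sequence: rejected
    rest = [server.verify(chain[k]) for k in range(n - 2, -1, -1)]
    exhausted = server.verify(chain[0])        # list used up: rejected
    return {"first": first, "replay": replay, "skipped": skipped,
            "rest": rest, "exhausted": exhausted, "remaining": server.remaining}


if __name__ == "__main__":
    print(run_demo())
```

The server never learns the passphrase and holds nothing an attacker could replay; what it must protect is the counter and last value, and the user must re-enrol before the list runs out.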
Authentication—Token Cards and Servers
[Figure: four-step exchange between the user's token card, the network access server, and a CiscoSecure token server supporting OTP.]
• The token card (or soft token) uses an algorithm seeded with the user's PIN or the time of day to generate a one-time password
• The password is sent to the network access server or security server to complete authentication
• The token server runs the same algorithm with the same seed to compute the expected value and compares it with what the user sent; the password is not decrypted, it is recomputed and matched
PAP and CHAP Authentication
Authentication via PPP Link
[Figure: TCP/IP client connects over PPP across the PSTN or ISDN to the network access server.]
• PAP = Password Authentication Protocol
– Cleartext, repeated password
– Subject to eavesdropping and replay attacks
• CHAP = Challenge Handshake Authentication Protocol
– Secret password, per remote user, shared between the user and the NAS (or security server); the secret itself is never sent on the link
– Challenge sent on link (random number)
– Challenge can be repeated periodically during the session to prevent session hijacking
– The CHAP response is an MD5 hash of (identifier + secret + challenge), so each response is bound to one challenge
– Robust against sniffing and replay of the response; a captured challenge/response pair still allows offline guessing of the secret, so CHAP secrets must be strong
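The PAP and CHAP behaviour contrasted above, as an added example (not Cisco code). It implements the CHAP Response as RFC 1994 defines it, MD5 over the one-octet Identifier, the secret and the Challenge; the user, secret, wordlist and the constructed PAP capture are for the demonstration only, with "validateme" borrowed from the AAA model slide. It shows that a replayed CHAP response fails against a fresh challenge while a replayed PAP password succeeds, and that a sniffed CHAP exchange still allows an offline dictionary attack on a weak secret.

```python
# Added example (not Cisco code): PAP versus CHAP over a PPP link, following the
# CHAP Response definition of RFC 1994, MD5(Identifier || secret || Challenge).
# The user, secret and wordlist are constructed for the demo; the secret
# "validateme" is the one used in the AAA model slide.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value: MD5 over the one-octet Identifier, secret, Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class PapAuthenticator:
    """PAP: the peer sends the password itself; anything captured replays."""

    def __init__(self, users: dict):
        self.users = users

    def verify(self, name: str, password: bytes) -> bool:
        return hmac.compare_digest(self.users.get(name, b""), password)


class ChapAuthenticator:
    """CHAP: the NAS issues a fresh random Challenge and checks the Response."""

    def __init__(self, users: dict):
        self.users = users
        self.identifier = 0
        self.challenge = None

    def issue_challenge(self):
        """Send Challenge; a new random value (and Identifier) every time."""
        self.identifier = (self.identifier + 1) & 0xFF
        self.challenge = os.urandom(16)
        return self.identifier, self.challenge

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        secret = self.users.get(name)
        if secret is None or self.challenge is None or identifier != self.identifier:
            return False
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = None      # each Challenge is good for one Response
        return hmac.compare_digest(expected, response)


def crack_chap(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Offline guessing from a sniffed exchange: why CHAP secrets must be strong."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None


def run_demo() -> dict:
    users = {"student": b"validateme"}
    wordlist = [b"password", b"cisco", b"validateme", b"letmein"]  # constructed

    # PAP: the captured password is the credential itself; replay succeeds.
    pap = PapAuthenticator(users)
    sniffed_pap = b"validateme"                 # constructed capture
    pap_replay = pap.verify("student", sniffed_pap)

    # CHAP: legitimate exchange.
    chap = ChapAuthenticator(users)
    ident, chal = chap.issue_challenge()
    resp = chap_response(ident, users["student"], chal)
    chap_ok = chap.verify("student", ident, resp)

    # Attacker replays the sniffed Response against the next Challenge.
    ident2, _chal2 = chap.issue_challenge()
    chap_replay = chap.verify("student", ident2, resp)

    # The sniffed (Identifier, Challenge, Response) triple supports an offline
    # dictionary attack on a weak secret.
    recovered = crack_chap(ident, chal, resp, wordlist)

    return {"pap_replay": pap_replay, "chap_ok": chap_ok,
            "chap_replay": chap_replay, "recovered": recovered}


if __name__ == "__main__":
    print(run_demo())
```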
Network Access Server AAA Configuration Process
Authenticated NAS Port Types
[Figure: NAS with its authenticated ports, consulting a CiscoSecure ACS server.]
• vty: Telnet host
• cty: console terminal
• tty, aux, async: asynchronous (modem) lines and interfaces
• BRI, serial (PRI): ISDN B channels
Network Access Server AAA Configuration Process
General steps to configure the NAS for AAA:
• Secure access to privileged EXEC and configuration modes (enable and enable secret)
• Enable AAA globally on the network access server with the aaa new-model command
• Configure AAA authentication profiles (method lists) and apply them to lines and interfaces
• Configure AAA authorization for use after the user has passed authentication
• Configure the AAA accounting options for how you want to write accounting records
• Verify the configuration
Secure Privileged EXEC and Configuration Mode
[Figure: administrator Telnets to the NAS (10.1.1.1); CiscoSecure ACS server at 10.1.1.4.]
Router(config)#enable password changeme
Router(config)#enable secret supersecret
Router(config)#service password-encryption
Notes: enable secret is stored as an MD5 hash and, when both are configured, takes precedence over enable password; keep enable password only for software images that do not support enable secret, and never set both to the same value. service password-encryption takes no argument; it applies only the lightweight, reversible type 7 encoding to the enable password and to line and username passwords in the configuration, which hides them from casual viewing but does not protect them against anyone who obtains a copy of the configuration.
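To make the "lightweight" point concrete, an added example (not Cisco code) that reverses the type 7 encoding written by service password-encryption and audits a constructed configuration fragment. The XOR key string is the widely published constant IOS uses; the two test vectors decode to "cisco" and are commonly cited. The enable secret line in the sample is a placeholder with the type number only, not a real hash of any password.

```python
# Added example (not Cisco code): why "service password-encryption" is only
# lightweight obfuscation. Type 7 XORs each password byte with a fixed, widely
# published key string, starting at a seed index carried in the first two
# digits. The config lines in SAMPLE_CONFIG are constructed for the demo (the
# type 5 value is a placeholder, not a real hash of any password).
import re

XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the cleartext from a type 7 string such as 094F471A1A0A."""
    if not re.fullmatch(r"[0-9]{2}([0-9A-Fa-f]{2})+", encoded):
        raise ValueError("not a type 7 string")
    seed = int(encoded[:2])
    if not 0 <= seed <= 15:
        raise ValueError("type 7 seed must be 00..15")
    body = bytes.fromhex(encoded[2:])
    return bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)]
                 for i, c in enumerate(body)).decode()


def type7_encode(plain: str, seed: int = 9) -> str:
    """Produce the type 7 form IOS would write for the given seed."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 00..15")
    data = plain.encode()
    body = bytes(c ^ XLAT_KEY[(seed + i) % len(XLAT_KEY)]
                 for i, c in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def audit_config(config: str) -> list:
    """Classify every password line: type 7 is recovered outright, type 5
    (enable secret) is an MD5-based hash open only to guessing, anything else
    is cleartext. Returns (command, verdict, recovered value or None)."""
    findings = []
    pattern = re.compile(
        r"^\s*(enable password|enable secret|password|username \S+ password)"
        r"\s+(?:(\d)\s+)?(\S+)", re.M)
    for cmd, ptype, value in pattern.findall(config):
        if ptype == "7":
            findings.append((cmd, "type 7: reversible", type7_decode(value)))
        elif ptype == "5":
            findings.append((cmd, "type 5: MD5 hash, not reversible", None))
        else:
            findings.append((cmd, "cleartext", value))
    return findings


SAMPLE_CONFIG = """\
enable password 7 094F471A1A0A
enable secret 5 $1$constructed$placeholder
line con 0
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run the audit over any saved configuration before it leaves the NAS (TFTP backups, syslog of config changes, pasted show running-config output) and treat every type 7 line as if it were cleartext.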
Begin the AAA Configuration
[Figure: CiscoSecure ACS server at 10.1.2.4; NAS.]
Router(config)#aaa new-model
Router(config)#aaa authentication login default enable
Router(config)#aaa authentication login console-in local
Router(config)#aaa authentication login is-in local
Router(config)#aaa authentication login tty-in local
Router(config)#aaa authentication ppp dial-in local
Caution: entering aaa new-model immediately applies AAA login authentication to every line, including the vty line you may be connected through, and the named lists above do nothing until applied with login authentication on a line or ppp authentication on an interface. Create the local user first (username name password secret), keep your current session open, and verify that a second login succeeds before saving the configuration, or you can lock yourself out of the NAS.
AAA Security Servers
AAA with a Local Security Database
[Figure: remote user dialing into the network access server; the five steps below are numbered on the diagram.]
1. User establishes PPP connection with NAS
2. NAS prompts user for username/password
3. NAS authenticates username and password in local database
4. NAS authorizes user to access network based on local database
5. NAS tracks user traffic and compiles accounting records as specified in local database
Remote Alternatives: TACACS+ and RADIUS
• Two different protocols used to communicate between the security server and router, NAS, or firewall
• CiscoSecure supports both TACACS+ and RADIUS
– TACACS+ remains more secure and more scalable than RADIUS: it runs over TCP, encrypts the entire packet body, and separates authentication from authorization, which allows per-command authorization
– RADIUS runs over UDP, encrypts only the password in the access request, and combines authentication and authorization; it has a robust API and strong accounting
[Figure: CiscoSecure ACS security server communicating with a firewall, a router and a network access server over TACACS+ and RADIUS.]
AAA Authentication Commands
(config)#aaa authentication {login | enable | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]

Methods available for each authentication type:
  login   enable, krb5, line, local, none, tacacs+, radius, krb5-telnet
  enable  enable, line, none, tacacs+, radius
  arap    guest, auth-guest, line, local, tacacs+, radius
  ppp     if-needed, krb5, local, none, tacacs+, radius
  nasi    enable, line, local, none, tacacs+
AAA Authentication Example Configuration
(config)#aaa authentication login tech-pubs tacacs+ local
(config)#aaa authentication ppp mktg if-needed tacacs+
(config)#line console 0
(config-line)#login authentication tech-pubs
(config)#interface serial 3/0
(config-if)#ppp authentication chap mktg
The named lists take effect only where they are applied: login authentication on a line, ppp authentication on an interface. In the tech-pubs list the local database is consulted only if the TACACS+ server does not respond; an explicit reject from the server ends the attempt without trying local.
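The method-list rule stated for the tech-pubs and mktg lists above, and the method keywords from the preceding command slide, modelled as an added example (not IOS source). It encodes the documented IOS behaviour that a list moves to its next method only when the previous one returns an error (no server answered), while an explicit reject is final; the server state, user database and passwords are constructed stubs, and if-needed is modelled as "pass if already authenticated on the line, otherwise continue".

```python
# Added example (not IOS source): a model of how a named AAA method list is
# walked. It encodes the documented IOS rule that the next method is tried only
# when the previous one returns ERROR (for example, no TACACS+ server answered),
# while FAIL (an explicit reject) ends the attempt. The server state, user
# databases and passwords are constructed stubs.
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method authenticated the user
    FAIL = "fail"    # method rejected the user: stop, deny
    ERROR = "error"  # method could not decide: try the next one


def m_tacacs(user, password, ctx):
    if not ctx["tacacs_reachable"]:
        return Result.ERROR
    return Result.PASS if ctx["tacacs_db"].get(user) == password else Result.FAIL


def m_local(user, password, ctx):
    return Result.PASS if ctx["local_db"].get(user) == password else Result.FAIL


def m_enable(user, password, ctx):
    return Result.PASS if password == ctx["enable_secret"] else Result.FAIL


def m_none(user, password, ctx):
    return Result.PASS           # no authentication: fail-open if reached


def m_if_needed(user, password, ctx):
    # PPP only (modelling assumption): skip authentication when the user already
    # authenticated on the line; otherwise continue with the next method.
    return Result.PASS if ctx.get("already_authenticated") else Result.ERROR


METHODS = {"tacacs+": m_tacacs, "local": m_local, "enable": m_enable,
           "none": m_none, "if-needed": m_if_needed}


def authenticate(method_list, user, password, ctx):
    """Walk the list; return (granted, name of the method that decided)."""
    for name in method_list:
        result = METHODS[name](user, password, ctx)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name
    return False, None           # every method errored: deny


def run_scenarios() -> dict:
    base = {"tacacs_db": {"student": "validateme"},
            "local_db": {"student": "validateme", "admin": "localonly"},
            "enable_secret": "supersecret"}
    up = dict(base, tacacs_reachable=True)
    down = dict(base, tacacs_reachable=False)
    return {
        # tech-pubs style list: a server reject is final, local is not consulted
        "reject_is_final": authenticate(["tacacs+", "local"], "admin", "localonly", up),
        # server unreachable: fall back to the local database
        "fallback_on_error": authenticate(["tacacs+", "local"], "admin", "localonly", down),
        # trailing none: a server outage turns into open access
        "fail_open": authenticate(["tacacs+", "none"], "anyone", "x", down),
        # dial-in style list: already authenticated on the line, or local
        "ppp_skip": authenticate(["if-needed", "local"], "student", "bad",
                                 dict(up, already_authenticated=True)),
        "ppp_local": authenticate(["if-needed", "local"], "student", "validateme", up),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The two practical consequences: a local account that the server does not know is no use while the server is reachable, and a list ending in none is fail-open the moment the server goes down.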
AAA Authorization Commands
router(config)#aaa authorization {network | exec | commands level | reverse-access} {default | list-name} method1 [method2...]
Methods: if-authenticated, local, none, radius, tacacs+, krb5-instance. As with authentication, the next method is consulted only when the previous one returns no decision.
[Figure: network access server consulting the CiscoSecure ACS server.]
AAA Authorization Example Configuration
[Figure: network access server consulting the CiscoSecure ACS server; the Orion list is shown on the diagram.]
router(config)#aaa authorization commands 1 Orion local
router(config)#aaa authorization commands 15 Andromeda local
router(config)#aaa authorization network Pisces local none
router(config)#aaa authorization exec Virgo if-authenticated
Note: none grants authorization unconditionally if it is reached, so the Pisces list is fail-open whenever the local method cannot decide; use that pattern only where open access is acceptable.
AAA Accounting Commands
router(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2...]]
[Figure: network access server sending accounting records to the CiscoSecure ACS server.]
AAA Accounting Example Configuration
router(config)#aaa accounting system wait-start local
router(config)#aaa accounting network stop-only local
router(config)#aaa accounting exec start-stop local
router(config)#aaa accounting commands 15 wait-start local
[Figure: network access server sending accounting records to the CiscoSecure ACS server.]
Note: the NAS has no local store for accounting records; in IOS the accounting methods are tacacs+ and radius, so on a production NAS replace local with the server method (for example, aaa accounting exec start-stop tacacs+). wait-start holds the user's session until the server acknowledges the start record, so a dead server blocks logins; start-stop sends the start record without waiting.
AAA Troubleshooting
router#debug aaa authentication
router#debug aaa authorization
router#debug aaa accounting
Displays detailed AAA information for each phase as requests are processed. Use terminal monitor to see the output on a vty session, turn debugging off with undebug all when finished, and remember that debug output on a busy NAS consumes CPU. show running-config confirms the method lists and where they are applied.
Lab Exercise
Lab Objectives
Upon completion of this lab, you will be able to perform the following tasks:
• Configure the network access server to secure enable mode access to the network access server
• Configure AAA services using the local security database
• Test the network access server AAA configuration using applicable debugging and testing commands
MCNS Lab Environment Generic (X = pod number)
[Figure: generic MCNS lab pod. Devices: Perimeter1 router; PIX1 firewall with outside, DMZ and inside interfaces; NAS1; IS host; bastion host (web and FTP server); NT1 server (CiscoSecure NT, IIS FTP and web server, Cisco Security Manager, syslog server, TFTP server); Windows NT PC; instructor NT server (FTP, HTTP, CA) at 192.168.255.2/24; sales dial-up through a telco simulator (100X); Frame Relay cloud representing the Internet. Networks: 192.168.X.0/24 (outside, "dirty" DMZ), 192.168.1X.0/24 (protected DMZ), 10.X.1.0/24 (inside), 10.X.2.1/24 on NAS1 with dial-in addresses 10.X.2.2 to 10.X.2.10, and 172.16.X.1/30 toward the Frame Relay cloud.]
Summary and Review
Questions
Summary
• In local-server AAA, the local NAS performs AAA services.
• Character and packet modes can be secured with AAA.
• Network access server AAA configuration should follow an orderly progression.
• Use the aaa authentication command to specify the authentication process and method.
• Use the debug aaa commands selectively to troubleshoot AAA.
• Use the no aaa new-model command to remove AAA commands from the configuration.
Review Questions
1. What are the two network access server modes that can be secured by AAA commands?
A. Character (line mode) with tty, vty, aux, and cty ports
B. Packet (interface mode) with async, group-async, BRI, and serial (PRI) ports
Review Questions (cont.)
2. What is being configured in each of the fields of the following command?
aaa authentication ppp sales if-needed local
A. aaa authentication ppp–Specifies the PPP operation for this authentication process
B. sales–Assigns the list name sales to this process; it takes effect when applied to an interface with ppp authentication
C. if-needed–Specifies the if-needed authentication method, which performs no PPP authentication if the user has already been authenticated on a TTY line
D. local–If the user has not already been authenticated, uses the local database method for PPP authentication