Configuring AAA Using Cisco Secure ACS
Step 3 Configure an encryption key to be used to encrypt the data transfer between the network access server (NAS) and the Cisco Secure ACS.
Example 4-3 shows these steps being used with TACACS+.
Table 4-9 lists commonly used AAA configuration commands and their functions.
Using the CLI to Configure AAA Login Authentication on Cisco Routers
To enable the AAA authentication process, the aaa authentication login command is issued in global configuration mode. Here is an example of the syntax that is used:
Example 4-3 Configuring the Network Access Server with TACACS+
router(config)# aaa new-model
router(config)# tacacs-server host 192.168.10.75 single-connection
router(config)# tacacs-server key shared1
Table 4-9 Commonly Used AAA Configuration Commands
Command Description
aaa new-model Used to enable AAA on the router. This is a prerequisite for all other AAA commands.
tacacs-server host ip-address single-connection Used to indicate the address of the Cisco Secure ACS server and to specify the use of the TCP single-connection feature of Cisco Secure ACS. Performance is improved by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session, which is the default.
tacacs-server key key Used to establish a shared secret encryption key between the network access server and the Cisco Secure ACS server.
aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method2 [method3 [method4]]]
Table 4-10 lists the aaa authentication login parameters, along with the details of their usage.
Table 4-10 aaa authentication login Parameters
Parameter Description
default Used to create a default that is automatically applied to all lines and interfaces to specify the method or sequence of methods used for authentication.
list-name Used to create a list (you may choose the name) that is applied explicitly to a line or interface using the method or methods specified. This list overrides the default when applied to a specific line or interface.
group group-name, group radius, group tacacs+ Used to specify the use of a AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string is used to specify a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).
method2, method3, method4 Used to execute authentication methods in the order listed. If an error is returned by the authentication method, such as a timeout error, the Cisco IOS software attempts to execute the next method. Access is denied if the authentication fails. Up to four methods may be configured for each operation. The method must be supported by the authentication operation specified.
A general list of methods includes the following:
enable: The enable password is used for authentication
group: Uses a server group
krb5: Kerberos version 5 is used for authentication
line: The line password is used for authentication
local: The local username and password database is used for authentication
local-case: Specifies the use of case-sensitive local username authentication
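As an added example (not part of the book or of Cisco IOS), a small Python audit that applies the checks implied by Example 4-3, Table 4-9 and Table 4-10 to a running-config fragment: it parses the aaa authentication login method lists and reports any list that would lock administrators out when the TACACS+ server is unreachable, along with a missing aaa new-model or tacacs-server key. The SAMPLE_CONFIG text is constructed for this example, and parse_login_lists and audit_aaa are hypothetical helper names.

```python
import re
# Constructed running-config fragment for this example (not from the book),
# modelled on Example 4-3 plus two aaa authentication login method lists.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.10.75 single-connection
tacacs-server key shared1
aaa authentication login default group tacacs+ local
aaa authentication login VTY-ONLY group tacacs+
"""
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")

def parse_login_lists(config):
    """Map list name -> ordered methods; 'group X' counts as one method, as in IOS."""
    lists = {}
    for line in config.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists

def audit_aaa(config):
    """Return findings (an empty list means the fragment passes these checks)."""
    findings = []
    lines = {ln.strip() for ln in config.splitlines()}
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: no other AAA command takes effect")
    hosts = [ln for ln in lines if ln.startswith("tacacs-server host ")]
    # Step 3 key: the global form (Example 4-3) or the per-host 'key' form both count.
    if hosts and not (any(ln.startswith("tacacs-server key ") for ln in lines)
                      or any(" key " in h for h in hosts)):
        findings.append("tacacs-server key missing: NAS-to-ACS traffic is not encrypted")
    for name, methods in parse_login_lists(config).items():
        if len(methods) > 4:
            findings.append(f"list {name}: more than four methods configured")
        # Table 4-10: IOS moves to the next method only on an error such as a
        # timeout, so a server-only list locks every admin out while ACS is down.
        if any(m.startswith("group ") for m in methods) and not {"local", "local-case"} & set(methods):
            findings.append(f"list {name}: no local fallback if the AAA server errors out")
    return findings
```

Run audit_aaa(SAMPLE_CONFIG) to see that only the VTY-ONLY list is flagged; the default list passes because local follows group tacacs+.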
Configuring Cisco Routers to Use TACACS+ Using the Cisco SDM
In addition to using the CLI to configure your routers to use TACACS+ as a AAA protocol, you may use the graphical user interface of the Cisco Security Device Manager (SDM). The first task when configuring AAA using the Cisco Security Device Manager is to enable AAA.
To enable AAA through the SDM, choose Configure > Additional Tasks > AAA. Figure 4-7 shows this process in the interface.
Figure 4-7 Enabling AAA in the Cisco SDM
Click the Enable AAA button in the upper-right corner to enable AAA on the router. The SDM performs a series of precautionary tasks to prevent locking the router or disconnecting the SDM session. Figure 4-8 shows the Enable AAA dialog box.
Figure 4-8 Enable AAA Dialog Box
Defining the AAA Servers
After you have enabled AAA on the router, you can define the AAA servers to be used. To do this, choose Configure > Additional Tasks > AAA > AAA Servers and Groups. Click the Add button in the upper-right corner to create a new AAA server entry.
Figure 4-9 shows how to define a TACACS+ server. After you have clicked the Add button in the AAA Servers configuration section, the Add AAA Server window appears. You may select either RADIUS or TACACS+ from the Server Type drop-down box. When you choose TACACS+, you have the option of configuring the key to be used, as shown in the figure.
Exam Preparation Tasks
Review All the Key Topics
Review the most important topics from this chapter, denoted with the Key Topic icon. Table 4-11 lists these key topics and the page where each is found.
Table 4-11 Key Topics for Chapter 4
Key Topic Element Description Page Number
List Description of AAA components 115
List Three ways to implement AAA services 115
Table 4-2 AAA commands to secure administrative and remote LAN access 117
Table 4-3 AAA authentication commands 118
List Key AAA authentication commands 119
List Commands to set AAA authentication for login 120
Table 4-4 aaa authentication login command elements 121
Table 4-5 aaa authorization command elements 123
Table 4-6 aaa accounting command elements 124-125
List debug command for AAA 126
List Cisco Secure ACS 4.0 for Windows advanced features 129
List Cisco Secure ACS 4.0 for Windows additional features 130
List Requirements to install Cisco ACS for Windows 133
Table 4-7 Ports used by Cisco Secure ACS for client communication 134-135
Figure 4-3 TACACS+ authentication process 138
List TACACS+ daemon responses 139
Figure 4-4 TACACS+ authorization process 139
Figure 4-5 TACACS+ command authorization process 140
List TACACS+ authentication and authorization attributes 140
Figure 4-6 Authentication process using RADIUS 142
List RADIUS message types 142
List RADIUS AV pairs 142
Table 4-11 Key Topics for Chapter 4 (Continued)
Key Topic Element Description Page Number
Table 4-8 Comparison of RADIUS and TACACS+ 143
List Steps involved in configuring the network access server 144
Example 4-3 Configuring the network access server with TACACS+ 144
Table 4-9 Commonly used AAA configuration commands 144
Table 4-10 AAA authentication login parameters 145
Figure 4-7 Enabling AAA in the Cisco SDM 146
Figure 4-9 Defining the TACACS+ server in the SDM 148
Complete the Tables and Lists from Memory
Print a copy of Appendix D, “Memory Tables,” (found on the CD) or at least the section for this chapter, and complete the tables and lists from memory. Appendix E, “Memory Tables Answer Key,” also on the CD, includes completed tables and lists so that you can check your work.
Definition of Key Terms
Define the following key terms from this chapter, and check your answers in the glossary: authentication, authorization, and accounting (AAA); authentication; authorization; accounting; auditing; Challenge Handshake Authentication Protocol (CHAP); Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST); Extensible Authentication Protocol-Message Digest 5 (EAP-MD5); Extensible Authentication Protocol-Transport Layer Security (EAP-TLS); Lightweight Extensible Authentication Protocol (LEAP); method list; Microsoft Challenge Handshake Authentication Protocol (MS-CHAP); network admission control (NAC); network access device (NAD); network access server (NAS); Point-to-Point Protocol (PPP); Remote Authentication Dial-In User Service (RADIUS); Terminal Access Controller Access-Control System Plus (TACACS+); Transmission Control Protocol (TCP); User Datagram Protocol (UDP); virtual private network (VPN)
Command Reference to Check Your Memory
This section includes the most important configuration and EXEC commands covered in this chapter. To see how well you have memorized the commands as a side effect of your other studies, cover the left side of the table with a piece of paper, read the descriptions on the right side, and see whether you remember the commands.
Table 4-12 Chapter 4 Configuration Command Reference
Command Description
aaa new-model Enables AAA on the router. This is a prerequisite for all other AAA commands.
aaa authentication arap
A global configuration command used by AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+ to enable an AAA authentication method.
aaa authentication banner
Creates a personalized login banner.
aaa authentication enable default
A global configuration command that enables AAA authentication to determine if a user can access the privileged command level.
aaa authentication fail-message
Creates a message that is displayed when a user login fails.
aaa authentication local-override
Configures the Cisco IOS software to check the local user database for authentication before attempting another form of authentication.
aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method2 [method3 [method4]]]
A global configuration command that sets AAA authentication at login.
aaa authentication nasi
A global configuration command that specifies AAA authentication for NetWare Access Server Interface (NASI) clients who connect using the access server.
aaa authentication password-prompt
A global configuration command that changes the text displayed when users are prompted for a password.
aaa authentication ppp
A global configuration command that specifies one or more AAA authentication methods for use on serial interfaces running PPP.
aaa authentication username-prompt
A global configuration command that changes the text displayed when users are prompted to enter a username.
aaa authentication ppp default local
A global configuration command that specifies a default PPP authentication method list using the local username-password database on the router.
aaa authentication ppp dial-in local none
A global configuration command that specifies that a PPP authentication method list named dial-in should be used on the initial login attempt, using the local username-password database on the router. If the local username is not defined, no authentication is used. aaa authorization {network|exec| commands level | reverse-access| configuration} {default| list-name} method1 [method2. . .]
A global configuration command that may be used to set parameters that restrict administrative EXEC access to the routers or user access to the network.
Table 4-13 Chapter 4 EXEC Command Reference
Command Description
debug aaa authentication Displays debugging messages for the authentication functions of AAA
debug aaa authorization Displays debugging messages for the authorization functions of AAA
debug aaa accounting Displays debugging messages for the accounting functions of AAA
Locking down the router: This section discusses various router services that attackers might target. To help you harden the security of a router, this section also describes the AutoSecure feature and Cisco SDM’s One-Step Lockdown feature.
Using secure management and reporting: This section focuses on securing and monitoring router access using syslog, SSH, and SNMPv3 technologies. Also, this section distinguishes between in-band and out-of-band network management and shows you how to use Cisco SDM to configure a variety of management and monitoring features.
Chapter 5
Securing the Router
Newly installed Cisco IOS routers might have multiple services and interfaces enabled that do not need to be enabled. Therefore, they present potential security vulnerabilities. The process of turning off unnecessary services is called “hardening” a router, and this chapter discusses Cisco best-practice recommendations for router hardening. Cisco SDM’s One-Step Lockdown feature is explored, in addition to the auto secure command.
Besides disabling unneeded services and interfaces, unsecured router management traffic can pose a security threat. For example, an attacker could compromise router security by intercepting login credentials. Therefore, this chapter also addresses management and reporting protocols and applications such as syslog, Secure Shell (SSH), and Simple Network Management Protocol v3 (SNMPv3). Interestingly, just as Cisco SDM can help harden a router, it can also be used to enable a variety of Cisco IOS management features.
“Do I Know This Already?” Quiz
The “Do I Know This Already?” quiz helps you determine your level of knowledge of this chapter’s topics before you begin. Table 5-1 details the major topics discussed in this chapter and their corresponding quiz questions.
1. If you need to use Simple Network Management Protocol (SNMP) on your network, what version does Cisco recommend?
a. Version 2
b. Version 2c
c. Version 3
d. Version 3c
Table 5-1 “Do I Know This Already?” Section-to-Question Mapping
Foundation Topics Section Questions
Locking Down the Router 1 and 2
2. What are two automated approaches for hardening the security of a Cisco IOS router? (Choose two.)
a. AutoQoS
b. AutoSecure
c. Cisco SDM’s One-Step Lockdown
d. Cisco IPS Device Manager (IDM)
3. Which of the following router services can best help administrators correlate events appearing in a log file?
a. Finger
b. TCP small services
c. CDP
d. NTP
4. What management topology keeps management traffic isolated from production traffic?
a. OOB
b. OTP
c. SAFE
d. MARS
5. What syslog logging level is associated with warnings?
a. 3
b. 4
c. 5
d. 6
6. Information about a managed device’s resources and activity is defined by a series of objects. What defines the structure of these management objects?
a. LDAP
b. CEF
c. FIB
7. When SSH is configured, what is the Cisco minimum recommended modulus value?
a. 256 bits
b. 512 bits
c. 1024 bits
d. 2048 bits
8. If you click the Configure button along the top of Cisco SDM’s graphical interface, which Tasks button allows you to configure such features as SSH, NTP, SNMP, and syslog?
a. Additional Tasks
b. Interfaces and Connections
c. Security Audit