Building Cisco Remote Access Networks - PowerPoint PPT Presentation

1 / 55

About This Presentation

Title:

Building Cisco Remote Access Networks

Description:

Building Cisco Remote Access Networks – PowerPoint PPT presentation

Number of Views:53

Avg rating:3.0/5.0

Slides: 56

Provided by: platonLa

Category:

more less

Transcript and Presenter's Notes

Title: Building Cisco Remote Access Networks

1

Building Cisco Remote Access Networks
Ch. 12 Using AAA to Scale Access Control

2
Cisco Security Solutions
3
Cisco Secure

Cisco Secure access control server (ACS).
used simultaneously with dialup access servers,
routers, and firewalls.
communicates with network devices
making central control of dialup access possible
for a service provider.
secures corporate network devices from
unauthorized access.
centralizes control of network access
simplifies access management

4
Cisco Secure

serves as a central repository for accounting
information.
each user session that is granted by the ACS can
be fully accounted for and stored in the server
accounting information can be used for billing,
capacity planning, and security audits.

5
Cisco Secure

You can configure your routers to use Cisco
Secure by configuring AAA.

6
AAA - A model or architecture for network access
security.
7
AAA

In many circumstances, AAA uses protocols such as
RADIUS, TACACS, and Kerberos to administer its
security functions.
If your router or access server is acting as a
Network Access Server (NAS), AAA is the means
through which you establish communication between
your NAS and your RADIUS, TACACS, or Kerberos
security server.

8
AAA Technologies
Cisco Secure TACACS/RADIUS AAA Security Server
Network Access Server
AAA technologies in the remote client system, the
network access server and the security server
work together to secure remote access. The
network access server implements AAA protocols to
handle the AAA services.
9
TACACS and RADIUS

TACACS (Terminal Access Controller Access
Control System) - Cisco Proprietary
RADIUS (Remote Dial-In User Service) - created by
Livingston
Provides remote access authentication and related
services such as event logging.
User passwords are administered in a central
database rather than in individual routers,
providing an easily scalable network security
solution.

10
TACACS and RADIUS

In other words, instead of maintaining all of the
passwords on the individual routers, passwords
and levels are configured on the security server
and the routers and other devices access the
security server to authenticate users .
This can be remote users accessing the internal
network or network administrators logging into
network devices such as routers.
Can also restrict users to certain commands or
sets of commands.

11
TACACS

Many TACACS servers are available on the market
today however, the AAA server is designed
specifically to be scalable and compatible with
Cisco's broad line of routers, access servers,
and switches.
When configured correctly, the AAA server
validates AAA and responds to requests from
routers and access servers with a pass or fail
signal.
Uses TCP

12
RADIUS

The RADIUS protocol was developed by Livingston
Enterprises, Inc., as an access server
authentication and accounting protocol.
Although TACACS is considered to be more
versatile, RADIUS is the AAA protocol of choice
for enterprise ISPs because it uses fewer CPU
cycles and is less memory intensive.

13
RADIUS

Uses UDP
Client/server protocol.
client passes user information to designated
RADIUS servers and acts on the response that is
returned.
RADIUS servers receive user connection requests,
authenticate the user, and then return the
configuration information necessary for the
client to deliver services to the user.

14
TACACS vs RADIUS

RADIUS uses UDP, TACACS uses TCP.
RADIUS encrypts only the password in the
access-request packet less secure.
TACACS encrypts the entire body of the packet
more secure.
RADIUS combines authentication and authorization.
TACACS uses the AAA architecture, which
separates authentication, authorization, and
accounting.

15
TACACS vs RADIUS

RADIUS is an industry standard (created by
Livingston).
TACACS is Cisco Proprietary.
RADIUS does not support ARA access, Net BIOS
Frame Protocol Control protocol, NASI, and X.25
PAD connections.
TACACS offers multiprotocol support.

16
TACACS vs RADIUS

RADIUS does not allow users to control which
commands can be executed on a router.
TACACS provides two ways to control the
authorization of router commands on a per-user
or per-group basis.

17
Kerberos

Authentication via Kerberos is different from
most other authentication methods the user's
password is never sent to the remote access
server.
Remote users logging in to the network are
prompted for a username.
If the key distribution center (KDC) has an entry
for that user, it creates an encrypted ticket
granting ticket (TGT) with the password for that
user and sends it back to the router.
The user is then prompted for a password, and the
router attempts to decrypt the TGT with that
password.
If it succeeds, the user is authenticated and the
TGT is stored in the user's credential cache on
the router.

18
Configuring AAA-Authentication

Declaring methods by which authentication takes
place.
Steps
1. Globally enable AAA
2. Specify the security server that will provide
AAA services for the NAS
3. Configure the encryption key that is used to
encrypt the data transfer between the NAS and the
security server

19
Configuring AAA TACACS

To activate TACACS, use the tacacs-server key
command
1. Router(config)aaa new-model
(new-model is a key-word not a name)
2. Router(config)tacacs-server host
192.168.229.76
3. Router(config)tacacs-server key itsasecret

20
Configuring AAA RADIUS

To activate RADIUS, use the radius-server key
command
Router(config)aaa new-model
Router(config)radius-server host 192.168.229.76
Router(config)radius-server key itsasecret

21
Configuring Authentication

Router(config)aaa new-model
The aaa authentication command, in global
configuration mode, is the basic command to
enable the AAA authentication process.

22
Authentication commands

aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt

23
Configuring Authentication (PPP)

You can configure AAA authentication to specify
one or more AAA authentication methods for use on
serial interfaces running Point-to-Point Protocol
(PPP) and TACACS
Router(config)aaa authentication ppp default
list-name method1 ...method4
RTA(config)aaa authentication ppp default
tacacs local

24
Configuring Authentication (logins)

You can configure AAA authentication for users
wishing to access the EXEC prompt.
Router(config)aaa authentication login default
list-name method1 ...method4
RTA(config)aaa authentication login default
tacacs none

25
Configuring Authentication
26
Authentication Configuration
The aaa authentication login command is used to
create a list which can be applied to configure
character-mode authentication. In this example, a
list called Callers is created and applied to the
console (con 0) and 48 tty lines (line 1 48). A
separate list is created to be used as the
default.
27
Authentication Examples

Authentication during login
aaa authentication login myway tacacs local
line 1 12
login authentication myway
Authentication for Appletack Remote Access
aaa authentication arap applefolk tacacs local
line 1 12
arap authentication applefolk
Authentication with PPP
aaa authentication ppp pppfolk tacacs local
line 1 12
ppp authentication pppfolk
Authentication for Novell Asynchronous Support
Interface
aaa authentication nasi novellfolk tacacs local
line 1 12

28
Configuring Authorization

Router(config)aaa authorization network exec
commands level config-commands
reverse-accessdefault listname
if-authenticated local none radius
tacacs krb5-instance

29
Authorization Commands
30
Authorization Configuration

aaa authorization do-what? check-how?
The logged in user is tested against the TACACS
database for authorization to run level 1 and
level 15 commands.
The IOS commands are either level 1 or level 15.

31
Configuring Accounting

Router(config)aaa accounting command level
connection exec network systemdefault
listnamestart-stop stop-only wait-start
tacacs radius
aaa accounting what-to-track how-to-track
where-to-send-the-information

32
Accounting
33
Accounting Continued

aaa accounting what-to-track how-to-track
where-to-send-the-information
start-stop sends an accounting record when the
process begins. When the user process is
completed, the stop time and information is sent
to the AAA database. This option is needed when
an elapsed time of usage is required.

34
The Accounting File

Sat Aug 5 123622 2000 192.168.4.1 mark tty2 10.
5.0.1 start task_id34 timezoneUTC serviceconnec
tion protocoltelnet addr10.3.0.1 cmdconnect
10.3.0.1
Sat Aug 5 123838 2000 192.168.4.1 mark tty2 10.
5.0.1 stop task_id34 timezoneUTC serviceconnect
ion protocoltelnet addr10.3.0.1 cmdconnect
10.3.0.1 bytes_in5173 bytes_out333 paks_in297 p
aks_out368 elapsed_time13

35
The Accounting File

Sat Aug 5 123923 2000 192.168.4.1 mark tty2 10.
5.0.1 stop task_id37 timezoneUTC serviceshell
priv-lvl15
cmdrouter rip ltcrgt
Sat Aug 5 123930 2000 192.168.4.1 mark tty2 10.
5.0.1 stop task_id38 timezoneUTC serviceshell p
riv-lvl15
cmdno distribute-list 2 out ltcrgt
Sat Aug 5 124040 2000 192.168.4.1 mark tty2 10.
5.0.1 stop task_id39 timezoneUTC serviceshell p
riv-lvl15
cmdterminal monitor ltcrgt