CNIT 221 Security 1 ver.2 Module 5, City College. © 2005 Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved.


Slide 1: CNIT 221 Security 1 ver.2 Module 5, City College of San Francisco, Spring 2006

Slide 2: Network Security 1, Module 5 – Cisco Secure Access Control Server

Slide 3: Learning Objectives
– 5.1 Cisco Secure Access Control Server for Windows
– 5.2 Configuring RADIUS and TACACS+ with CSACS

Slide 4: Module 5 – Cisco Secure Access Control Server
5.1 Cisco Secure Access Control Server for Windows

Slide 5: Cisco Access Control Server
Cisco Secure Access Control Server (ACS) network security software helps you authenticate users by controlling access to an AAA client.
– Router, switch or VPN Concentrator
The AAA client can be any one of many network devices that can be configured to defer authentication and authorization of network users to an AAA server.
– AAA: Authentication, Authorization and Accounting
– AAA can be implemented on a device locally or managed from a central server running the RADIUS or TACACS+ protocols.

Slide 6: Cisco Secure ACS Products
[Diagram: the two products, Cisco Secure ACS for Windows Server and the Cisco Secure ACS Solution Engine, with a remote dial-up client (PSTN/ISDN, NAS), a remote VPN Client (Internet, router) and a console.]

Slide 7: What Is Cisco Secure ACS for Windows Server?
Provides AAA services to network devices that function as AAA clients, such as routers, NASs, PIX Security Appliances, or VPN Concentrators
Helps centralize access control and accounting, in addition to router and switch access management
Allows network administrators to quickly administer accounts and globally change levels of service offerings for entire groups of users
Although the use of an external user database is optional, Cisco Secure ACS for Windows Server supports many popular user repository implementations
Uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment
Can authenticate against many popular token servers: Cisco Secure ACS supports any token server that is a RADIUS server compliant with IETF RFC 2865.

Slide 8: Cisco Secure ACS General Features
[Diagram: the NAS talks to Cisco Secure ACS for Windows Server over TACACS+ or RADIUS; the NAS side shows PAP, CHAP and MS-CHAP.]
Uses TACACS+ or RADIUS between Cisco Secure ACS and the NAS
Allows authentication against the Windows 2000 user database, the ACS user database, a token server, or other external databases
Supports PAP, CHAP, and MS-CHAP authentication on the NAS

Slide 9: Authentication and User Databases
Cisco Secure ACS supports several external user databases:
– Windows NT/2000 User Database
– Generic LDAP
– NDS
– ODBC-compliant relational databases
– CRYPTOCard token server
– SafeWord token server
– AXENT token server
– RSA SecurID token server
– ActivCard token server
– Vasco token server

Slide 10: Cisco Secure ACS System Architecture
[Diagram: NAS 1, NAS 2 and NAS 3 all authenticate through one Cisco Secure ACS server.]
Provides access control (AAA) services to multiple Cisco authenticating devices
Comprises several modular Windows 2000 services, operating together on one server:
– Authentication service
– Authorization service
– Logging service
– RADIUS service
– TACACS+ service
– Administration service
– Sync service
– Monitor service

Slide 11: Cisco Secure ACS Windows Services
– CSAdmin: provides the HTML interface for administration of Cisco Secure ACS.
– CSAuth: provides authentication services.
– CSDBSync: provides synchronization of the CiscoSecure user database with an external RDBMS application.
– CSLog: provides logging services, both for accounting and system activity.
– CSMon: provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
– CSTacacs: provides communication between TACACS+ AAA clients and the CSAuth service.
– CSRadius: provides communication between RADIUS AAA clients and the CSAuth service.

Slide 12: Cisco Secure ACS User Database
[Diagram: NAS 1, NAS 2 and NAS 3 are served from the ACS user database.]
Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the Cisco Secure ACS user database.

Slide 13: Using the ACS Database Alone
[Diagram: a dial-up client sends its username and password to the NAS; the NAS exchanges requests and responses with ACS on Windows 2000 Server (TACACS+ or RADIUS service, ACS authentication and authorization service, Windows 2000 Server user login process, Windows 2000 user database); authentication confirmed and authorization information flow back to the NAS.]
The NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
– Authentication of the client
– Authorization privileges assignment
– Accounting information destination
The TACACS+ or RADIUS service directs the request to the appropriate administrative service. The request is authenticated against the ACS database, the associated authorizations are assigned, and the accounting information is logged.

Slide 14: Using the Windows Database
[Diagram: a dial-up client sends its username and password to the NAS; the NAS exchanges requests and responses with ACS (TACACS+ or RADIUS service, ACS authentication and authorization service); ACS passes the login to the Windows 2000 Server user login process and Windows 2000 user database (RAS data, grant dial-in); authentication confirmed and authorization information flow back to the NAS.]
The NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
– Authentication of the client
– Authorization privileges assignment
– Accounting information destination
The TACACS+ or RADIUS service directs the request to the appropriate administrative service. The username and password are sent to the Windows 2000 database for authentication. If approved, the confirmation and the authorizations assigned in ACS for that user are sent to the NAS, and the accounting information is logged.
The username and password are submitted to Windows 2000, which checks them and the user's grant dial-in setting as a local user. The response is returned to ACS and the authorizations are assigned, which makes a single login for dial-in access and network login possible.

Slide 15: Using External User Databases
[Diagram: NAS 1, NAS 2 and NAS 3 authenticate through Cisco Secure ACS, which holds its own ACS user database and consults an external user database.]

Slide 16: Using Token Cards
[Diagram: token card user; TACACS+ or RADIUS to Cisco Secure ACS; Cisco Secure ACS to the token card server.]
Proprietary protocols
– LEAP proxy RADIUS servers
– RSA SecurID token servers
– RADIUS-based token servers, including:
  ActivCard token servers
  CRYPTOCard token servers
  VASCO token servers
  PassGo token servers
  SafeWord token servers
  Generic RADIUS token servers

Slide 17: User-Changeable Passwords
[Diagram: the user connects to the UCP server on Windows 2000 Server (IIS 5.0), over an SSL connection (suggested); the UCP server exchanges 128-bit encrypted messaging with Cisco Secure ACS for Windows Server; NAS 1, NAS 2 and NAS 3 are the AAA clients.]

Slide 18: Module 5 – Cisco Secure Access Control Server
5.2 Configuring RADIUS and TACACS+ with CSACS

Slide 19: Gathering Answers for the Installation Questions
– Determine whether the computer that Cisco Secure ACS will be installed on is a domain controller or a member server.
– Determine which AAA protocol and vendor-specific attribute to implement.
– Record the name of the AAA client.
– Record the IP address of the AAA client.
– Record the IP address of the computer that Cisco Secure ACS will be installed on.
– Record the shared secret TACACS+ or RADIUS key.

Slide 20: Cisco Secure ACS for Windows Server: Installation Overview
– Task 1: Preconfigure the Windows 2000 Server system.
– Task 2: Verify the connection between the Windows 2000 Server system and the Cisco routers.
– Task 3: Install Cisco Secure ACS for Windows Server on the Windows 2000 Server system.
– Task 4: Initially configure Cisco Secure ACS for Windows Server via a web browser.
– Task 5: Configure the routers for AAA.
– Task 6: Verify correct installation and operation.

Slide 21: Administering Cisco Secure ACS for Windows Server

Slide 22: Troubleshooting
– Use the Failed Attempts Report under Reports and Activity as a starting point.
– It provides a valuable source of troubleshooting information.

Slide 23: Globally Enable AAA
[Diagram: Cisco Secure ACS for Windows Server and the NAS.]
router(config)# aaa new-model

Slide 24: tacacs-server Commands
router(config)# tacacs-server key keystring
router(config)# tacacs-server host ipaddress
The two commands shown here can be used to share the key with all servers, or:
router(config)# tacacs-server host ipaddress key keystring
This command can be used for a single server.

Slide 25: AAA Configuration Commands (entered at router(config)#)
aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}

Slide 26: AAA TACACS+ Troubleshooting
router# debug tacacs
– Displays detailed information associated with TACACS+
router# debug tacacs events
– Displays detailed information from the TACACS+ helper process

Slide 27: debug aaa authentication Command, TACACS+ Example Output
14:01:17: AAA/AUTHEN ( ): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ ( ): received authen response status = PASS
14:01:17: AAA/AUTHEN ( ): status = PASS

Slide 28: debug tacacs Command Example Output – Failure
13:53:35: TAC+: Opening TCP/IP connection to /49
13:53:35: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number from /49
13:53:35: TAC+ ( ): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number from /49
13:53:37: TAC+ ( ): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number from /49
13:53:38: TAC+ ( ): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to /49

Slide 29: debug tacacs Command Example Output – Pass
14:00:09: TAC+: Opening TCP/IP connection to /49
14:00:09: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number from /49
14:00:09: TAC+ ( ): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number from /49
14:00:10: TAC+ ( ): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number from /49
14:00:14: TAC+ ( ): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to /49
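As an added example (not part of the slides), the Python below parses debug tacacs output in the format of slides 28 and 29: each TCP connection to port 49 becomes one session with its GETUSER/GETPASS prompt sequence and final status, and sessions that close without a PASS or FAIL (a server that stopped answering) are counted separately from bad-credential failures. The log sample, the server address 192.0.2.10 and the TAC+ session ids are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample in the "debug tacacs" format of slides 28 and 29; the server
# address 192.0.2.10 and the TAC+ session ids are placeholders, not values from the deck.
SAMPLE_LOG = """\
13:53:35: TAC+: Opening TCP/IP connection to 192.0.2.10/49
13:53:35: TAC+: Sending TCP/IP packet number 4160 to 192.0.2.10/49 (AUTHEN/START)
13:53:35: TAC+ (4160): received authen response status = GETUSER
13:53:37: TAC+ (4160): received authen response status = GETPASS
13:53:38: TAC+ (4160): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 192.0.2.10/49
14:00:09: TAC+: Opening TCP/IP connection to 192.0.2.10/49
14:00:09: TAC+ (4161): received authen response status = GETUSER
14:00:10: TAC+ (4161): received authen response status = GETPASS
14:00:14: TAC+ (4161): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 192.0.2.10/49
14:05:01: TAC+: Opening TCP/IP connection to 192.0.2.10/49
14:05:01: TAC+ (4162): received authen response status = GETUSER
14:05:16: TAC+: Closing TCP/IP connection to 192.0.2.10/49
"""

TS = r"^(\d\d:\d\d:\d\d): TAC\+"
OPEN_RE = re.compile(TS + r": Opening TCP/IP connection to (\S+)/49$")
STATUS_RE = re.compile(TS + r" \((\d+)\): received authen response status = (\w+)$")
CLOSE_RE = re.compile(TS + r": Closing TCP/IP connection")
FINAL = {"PASS", "FAIL", "ERROR"}  # statuses that end an authentication exchange

def _seconds(start, end):
    fmt = "%H:%M:%S"
    return (datetime.strptime(end, fmt) - datetime.strptime(start, fmt)).seconds

def parse_tacacs_debug(text):
    """Group the status lines between each Opening/Closing pair into one session."""
    sessions, cur = [], None
    for line in text.splitlines():
        if m := OPEN_RE.match(line):
            cur = {"server": m.group(2), "opened": m.group(1), "closed": None, "id": None, "statuses": []}
            sessions.append(cur)
        elif cur is not None and (m := STATUS_RE.match(line)):
            cur["id"] = m.group(2)
            cur["statuses"].append(m.group(3))
        elif cur is not None and (m := CLOSE_RE.match(line)):
            cur["closed"] = m.group(1)
            cur = None
    return sessions

def outcome(session):
    """Last status if final; INCOMPLETE when the connection closed without one."""
    st = session["statuses"]
    return st[-1] if st and st[-1] in FINAL else "INCOMPLETE"

def summarize(text):
    """Per-session rows plus a per-server count of every non-PASS outcome."""
    rows, by_server = [], {}
    for s in parse_tacacs_debug(text):
        result = outcome(s)
        rows.append({"id": s["id"], "server": s["server"], "outcome": result,
                     "prompts": [x for x in s["statuses"] if x not in FINAL],
                     "seconds": _seconds(s["opened"], s["closed"] or s["opened"])})
        if result != "PASS":
            counts = by_server.setdefault(s["server"], {})
            counts[result] = counts.get(result, 0) + 1
    return rows, by_server
```

The third constructed session shows the pattern to watch for in the events output of the next slide: a connection that sits for the 15-second timeout and closes with only GETUSER seen points at the server or the key, not at the user's password.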

Slide 30: debug tacacs events Command Output
router# debug tacacs events
%LINK-3-UPDOWN: Interface Async2, changed state to up
00:03:16: TAC+: Opening TCP/IP to /49 timeout=15
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to /49
00:03:16: TAC+: periodic timer started
00:03:16: TAC+: req=3BD868 id= ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued
00:03:17: TAC+: ESTAB 3BD868 wrote 46 of 46 bytes
00:03:22: TAC+: CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:22: TAC+: CLOSEWAIT read=61 wanted=61 alloc=61 got=49
00:03:22: TAC+: received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id= ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed
00:03:22: TAC+: periodic timer stopped (queue empty)
00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to /49
00:03:22: TAC+: Opening TCP/IP to /49 timeout=15
00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to /49
00:03:22: TAC+: periodic timer started
00:03:22: TAC+: req=3BD868 id= ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued
00:03:23: TAC+: ESTAB 3BD868 wrote 41 of 41 bytes
00:03:23: TAC+: CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:23: TAC+: CLOSEWAIT read=21 wanted=21 alloc=21 got=9
00:03:23: TAC+: received 21 byte reply for 3BD868
00:03:23: TAC+: req=3BD868 id= ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed
00:03:23: TAC+: periodic timer stopped (queue empty)

Slide 31: RADIUS Server Command
router(config)# radius-server key keystring
router(config)# radius-server host {host-name | ipaddress}
The two commands shown here can be used to share the key with all servers, or:
router(config)# radius-server host ipaddress key keystring
This command can be used for a single server.
