Download presentation
Presentation is loading. Please wait.
Published byEsmond Richard Modified over 9 years ago
1
© 1999, Cisco Systems, Inc. 3-1 Configuring the Network Access Server for AAA Security
2
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-2 Objectives Upon completion of this chapter, you will be able to perform the following tasks: Describe network access server port types and access control methods Configure the network access server to enable AAA processes to use a local database with a CiscoSecure NAS Test the network access server AAA configuration using applicable debugging and testing commands
3
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-3 CA Server PIX Firewall Web Surfer Remote Branch Internet Web Server Protected DMZ “Dirty” DMZ NetRanger Sensor Dialup NAS ClientServer Campus Router Bastion Host SMTP Server DNS Server IS NetRanger Director NetSonar Windows NT PC Sales CSNT and NAS used to Perform AAA Bastion Host Perimeter Router Internet NT Server: CiscoSecure, Web, FTP, TFTP, Syslog Server TACACS+ or RADIUS protocol
4
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-4 © 1999, Cisco Systems, Inc. www.cisco.com 3-4 AAA Secures Network Access
5
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-5 AAA Model—Network Security Architecture A A uthentication Who are you? “I am user student and my password validateme proves it” A A uthorization What can you do? What can you access? “User student can access host NT_Server with Telnet” A A ccounting What did you do? How long did you do it? How often did you do it? “User student accessed host NT_Server with Telnet 15 times”
6
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-6 AAA Secures Network Access Character (line) mode access Console, Telnet (tty, vty, aux, cty) Packet (interface) mode access Async, group-async, BRI, serial (PRI) Security Server Remote Client (SLIP, PPP, ARAP) NAS Telnet Host Console Terminal PSTN/ISDN
7
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-7 © 1999, Cisco Systems, Inc. www.cisco.com 3-7 Authentication Methods
8
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-8 Authentication Methods and Ease of Use Token Cards/Soft Tokens (OTP) One-Time Password (OTP) S/Key (OTP for terminal login) Username/Password (aging) Username/Password (static) No Username or Password Strong Weak Authentication Ease of Use HighLow
9
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-9 Authentication—Remote Client Username and Password Windows 95 Dialup Networking screen Username and Password fields Security Server Windows 95 Remote Client Network Access Server PSTN/ISDN username/password (TCP/IP PPP)
10
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-10 Authentication—One-Time Passwords—S/Key List of one-time passwords Generated by S/Key program hash function Sent in cleartext over network Server must support S/Key 308202A8 30820211 A0030201 02020438 0500301B 310B3009 06035504 06130255 1E170D39 39313032 32313730 3634375A C84DFBC0 4C7BD4B1 F79FC2ED 30A02EA4 S/Key PasswordsWorkstation Security Server Supports S/Key S/Key Password (cleartext) 308202A8 30820211 A0030201 02020438 0500301B 310B3009 06035504 06130255 1E170D39 39313032 32313730 3634375A C84DFBC0 4C7BD4B1 F79FC2ED 30A02EA4
11
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-11 Authentication—Token Cards and Servers 1.2. 4. 3. CiscoSecure [OTP] Token Server Uses algorithm based on PIN or time-of-day to generate secure password Server uses same algorithm to decrypt password Sends password to network access server or security server to complete authentication
12
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-12 © 1999, Cisco Systems, Inc. www.cisco.com 3-12 PAP and CHAP Authentication
13
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-13 Authentication via PPP Link TCP/IP PPP Client PPP PSTN or ISDN PPP PAP = Password Authentication Protocol –Cleartext, repeated password –Subject to eavesdropping and replay attacks CHAP = Challenge Handshake Authentication Protocol –Secret password, per remote user –Challenge sent on link (random number) –Challenge can be repeated periodically to prevent session hijacking –The CHAP response is an MD5 hash of (challenge + secret) provides authentication –Robust against sniffing/replay attacks Network Access Server
14
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-14 © 1999, Cisco Systems, Inc. www.cisco.com 3-14 Network Access Server AAA Configuration Process
15
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-15 Authenticated NAS Port Types CiscoSecure ACS Server Telnet host vty BRI, serial (PRI) ISDN B channels tty, aux, async cty Console Terminal NAS AsyncISDN
16
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-16 Network Access Server AAA Configuration Process General steps to configure the NAS for AAA: Secure access to privileged EXEC and configuration modes (enable and enable secret) Enable AAA globally on the network access server with the aaa new model command Configure AAA authentication profiles Configure AAA authorization for use after the user has passed authentication Configure the AAA accounting options for how you want to write accounting records Verify the configuration
17
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-17 Secure Privileged EXEC and Configuration Mode CiscoSecure ACS Server NAS 10.1.1.4 Router(config)#enable password changeme Router(config)#enable secret supersecret Router(config)#service password-encryption lightweight_encrypt Router(config)#enable password changeme Router(config)#enable secret supersecret Router(config)#service password-encryption lightweight_encrypt Telnet to NAS 10.1.1.1
18
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-18 Begin the AAA Configuration CiscoSecure ACS Server NAS 10.1.2.4 Router(config)#aaa new-model Router(config)#aaa authentication login default enable Router(config)#aaa authentication login console-in local Router(config)#aaa authentication login is-in local Router(config)#aaa authentication login tty-in local Router(config)#aaa authentication ppp dial-in local
19
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-19 © 1999, Cisco Systems, Inc. www.cisco.com 3-19 AAA Security Servers
20
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-20 AAA with a Local Security Database 1.User establishes PPP connection with NAS 3.NAS authenticates username and password in local database 5.NAS tracks user traffic and compiles accounting records as specified in local database 4.NAS authorizes user to access network based on local database 2.NAS prompts user for username/password 2 1 3 4 5 Network Access Server
21
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-21 Remote Alternatives: TACACS+ and RADIUS Two different protocols used to communicate between the security server and router, NAS, or firewall CiscoSecure supports both TACACS+ and RADIUS –TACACS+ remains more secure and more scalable than RADIUS –RADIUS has a robust API, strong accounting CiscoSecure ACS Firewall Router Nework Access Server TACACS+RADIUS Security Server
22
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-22 AAA Authentication Commands (config)#aaa authentication {login | enable | arap | ppp | nasi}{default} method1 [method2 [method3] method4]]] (config)#aaa authentication {login | enable | arap | ppp | nasi}{default} method1 [method2 [method3] method4]]] login enable krb5 line local none tacacs+ radius krb5- telnet enable krb5 line local none tacacs+ radius krb5- telnet enable default enable line none tacacs+ radius enable line none tacacs+ radius arap guest auth- guest line local tacacs+ radius guest auth- guest line local tacacs+ radius ppp if–needed krb5 local none tacacs+ radius if–needed krb5 local none tacacs+ radius nasi enable line local none tacacs+ enable line local none tacacs+
23
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-23 AAA Authentication Example Configuration aaa authen login tech-pubs tacacs+ local aaa authen ppp mktg if-needed tacacs+ (config)#line console 0 (config-line)#login authen tech-pubs (config)#int s3/0 (config-line)#ppp authen chap mktg
24
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-24 AAA Authorization Commands aaa authorization {network | exec | command level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance} CiscoSecure ACS Server Network Access Server router(config)#
25
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-25 CiscoSecure ACS Server (Orion) AAA Authorization Example Configuration aaa author command 1 Orion local aaa author command 15 Andromeda local aaa author network Pisces local none aaa author exec Virgo if-authenticated router(config)# Network Access Server
26
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-26 AAA Accounting Commands aaa accounting {system | network | exec | connection | commands level}{default | list-name} {start-stop | wait-start | stop-only | none} [method 1 [method2…]] aaa accounting {system | network | exec | connection | commands level}{default | list-name} {start-stop | wait-start | stop-only | none} [method 1 [method2…]] router(config)# CiscoSecure ACS Server Network Access Server
27
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-27 AAA Accounting Example Configuration aaa account system wait-start local aaa account network stop-only local aaa account exec start-stop local aaa acc command 15 wait-start local router(config)# CiscoSecure ACS Server Network Access Server
28
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-28 AAA Troubleshooting router#debug aaa authentication router#debug aaa authorization router#debug aaa accounting Displays detailed AAA information
29
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-29 © 1999, Cisco Systems, Inc. www.cisco.com 3-29 Lab Exercise
30
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-30 Lab Objectives Upon completion of this lab, you will be able to perform the following tasks: Configure the network access server to secure enable mode access to the network access server Configure AAA services using the local security database Test the network access server AAA configuration using applicable debugging and testing commands
31
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-31 PIX1 Firewall Protected DMZ “Dirty” DMZ 192.168.X.0 /24.2 Outside.1 192.168.1X.0/24.1 DMZ Inside.3 NAS1 IS.1 10.X.2.1 /24 10.X.2.2 to 10.X.2.10 /24 Windows NT PC NT1 NT Server: CiscoSecure NT, IIS FTP and Web Server Cisco Security Manager, Syslog Server, TFTP Server.4 Instructor NT Server: FTP, HTTP, CA 192.168.255.2/24 172.16.X.1 /30 Perimeter1 Router 10.X.1.0 /24 Bastion Host: Web Server FTP Server.3 Sales Dialup Frame Relay (Internet) Telco Simulator 100X MCNS Lab Environment Generic.1.2 X = POD #
32
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-32 © 1999, Cisco Systems, Inc. www.cisco.com 3-32 Summary and Review Questions
33
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-33 Summary In local-server AAA, the local NAS performs AAA services. Character and packet modes can be secured with AAA. Network access server AAA configuration should follow an orderly progression. Use the aaa authentication command to specify the authentication process and method. Use aaa debug commands selectively to troubleshoot AAA. Use the no aaa new-model command to remove AAA commands from the configuration.
34
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-34 Review Questions 1. What are the two network access server modes that can be secured by AAA commands? A.Character (line mode) with tty, vty, aux, and cty ports B.Packet (interface mode) with async, group- async, BRI, and serial (PRI) ports
35
© 1999, Cisco Systems, Inc. www.cisco.com MCNSv2.0—3-35 Review Questions (cont.) 2.What is being configured in each of the fields of the following command? aaa authentication ppp sales if-needed local A.aaa authen ppp–Specifies the PPP operation for this authentication process B.sales–Assigns the profile name sales to this process C.if-needed–Specifies the if-needed authentication method for the PPP authentication operation, which requires no authentication if the user is already authenticated D.local–If the if-needed method fails, uses the local database method for PPP authentication
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.