Published in: Technology
AT-8000S: Configuring AAA

  1. AAA - Authentication, Authorization and Accounting (AT-8000S)
  2. AAA Services
     • Authentication
     • Authorization
     • Accounting
  3. The Need for AAA services
     • In present-day networks many tools are available to access and configure devices, locally or remotely (terminal, Telnet, EWS, SSH, etc.)
     • It is desirable and useful to be able to limit who can view or change the settings of the system
     • Verification is needed for:
       – User authentication – will the user have (any) device access?
       – User authorization – once the user has access, what level of access will he have?
  4. AAA services
     • AAA security services use usernames and/or passwords to authenticate a user's identity and access (authorization) level, and to record what the user has done.
     • The AT-8000S switches implement authentication and authorization.
  5. Secure Switch Management – Local Authentication Data Flow (diagram)
     • A user reaches the switch over the console, Telnet or SSH and presents UserID bob / password ge55gep.
     • The device looks the user up in its own database (UserID: bob, Password: ge55gep, attributes: xxxx) and answers Access-Accept.
  6. Secure Switch Management – RADIUS Authentication Data Flow (diagram)
     • A user reaches the switch over the console, Telnet or SSH with UserID bob / password ge55gep.
     • The device (Device-ID 207.12.4.1) sends User-Name=bob and the password to the RADIUS server.
     • The server selects UserID=bob from its user database (password=ge55gep, other attributes) and returns Access-Accept with Timeout=3600 and other attributes.
  7. RADIUS Basics
     • Defined by the IETF standards RFC 2138 & RFC 2139: http://www.faqs.org/rfcs/rfc2138.html and http://www.faqs.org/rfcs/rfc2139.html
     • Requires clients (normally a NAS, in our case a switch) and servers (often called RADIUS servers)
  8. Switches AAA Implementation (AT-8000S)
  9. AAA – Databases
     • Access security (AAA) services on the AT-8000S use the following databases (or methods) for username and password validation:
       – Local – device database with the fields Username, Password and Level of privilege (access)
       – Enable – device-wide password list for gaining privileged (high-level) access
       – Line – device password list for each specific line (console, Telnet and SSH) for gaining access
       – RADIUS server – external database with the fields Username, Password and Level of privilege (access)
       – TACACS+ – a security application that provides centralized validation of users gaining access to a device (router or access server); to be addressed in a separate presentation
       – (None) – no database is used (username and password not needed)
  10. AAA – Management interfaces
     • Access security (AAA) services on the device can be configured on 5 management interfaces:
       – Console (ASCII terminal), Telnet & SSH:
         • have their own line command mode
         • look up using any of the methods
         • are associated with one or more lookup methods through method lists (lists of databases)
         • use separate method lists for authentication and authorization
       – HTTP & HTTPS:
         • do not have a line command mode
         • look up only in the local, RADIUS, TACACS+ or "none" methods
         • are associated directly with one or more methods (not through a list)
         • look up only for authentication (which includes the authorization lookup)
     • One more interface is 802.1x, which is an access (not management) control; it will be covered in a separate presentation.
  11. AAA – Method Lists
     • Method lists contain one or more databases (methods)
     • Method lists are defined separately for authentication and for authorization verification
     • The user can define many lists for each type
     • Each method list is assigned a list name
     • "Default" is a unique method list which always exists on the device; it can be configured by the user like any other list, but not removed
     • Console, Telnet and SSH are each associated separately with one authentication method list and one authorization method list
  12. AAA – Method Lists
     • Authentication method lists can contain one or more of the following methods: enable, line, local, RADIUS, TACACS+ and "none"
     • Authorization method lists can contain one or more of the following methods: enable, line, RADIUS, TACACS+ and "none" (but not the local database)
  13. AAA – "Default" Method List
     • The system has 2 method lists named "default": one for login and one for enable (authorization)
     • This is the method list which applies to the lines, unless the user defines otherwise
     • At system startup the default method list differs between console and network (Telnet, SSH) connections:
       – Login default method list:
         • Console_Default : None
         • Network_Default : Local
       – Enable default method list:
         • Console_Default : Enable None
         • Network_Default : Enable
       – http : Local
       – https : Local
       – dot1x :
     • If the user modifies the "default" list via the CLI, the same method list applies to both console and network connections. Via web management the two defaults can be changed separately.
  14. AAA – Method Rules
     • Method lists containing only 1 method:
       – If the username and/or password are verified by the database, the user is granted access or the requested access level
       – If the method specified is "none", the user is granted access or the requested access level without having to provide a username or password
       – If the username and/or password are not accepted by the database, access or the access level is denied
       – If the database is unavailable (or not configured), access or the access level is denied
  15. AAA – Method Rules
     • Method lists containing a list of methods:
       – If the username and/or password are verified by the current database, the user is granted access or the requested access level
       – If the username and/or password do not exist in the current database, access or the access level is denied; the next database is not checked, even if "none" is the next method on the list
       – If the current method is unavailable (or not configured), verification is attempted on the next method on the list
       – If all methods are unavailable (checked one by one), access or the access level is denied, unless the "none" method is part of the list
  16. AAA Configuration
     • When using a separate security server, the device has to be configured with the RADIUS/TACACS+ server parameters and attributes
     • Configure the databases (on the device or on the RADIUS/TACACS+ server) with the relevant usernames and/or passwords
     • Define the method lists for authentication and authorization using the AAA commands
     • Apply the method lists to a particular line (line command mode), if required
     • If needed, apply the methods directly to the HTTP/HTTPS services
  17. AAA Process
     • When a particular line attempts to access the device, user authentication (or access level) is performed by checking the method list attached to that line
     • User authentication and authorization occur in the order the methods are listed in the relevant list
     • The user is authenticated by the first method on the list, and only if that method cannot be reached, by the next methods listed
     • If the first (or current) method is functioning properly but the user is not authenticated (the entry does not exist), the next methods are not used
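The method rules of slides 14, 15 and 17 are easy to misread (an unreachable server is skipped, a rejection is final, "none" always accepts), so here is a small Python model of that walk, added as an illustration. It is not vendor code: the `Database` class, its `available` flag and the sample credentials (david/george, high, PW_Telnet, bob) are constructed assumptions mirroring the slides' examples.

```python
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"   # credentials verified by this database
    DENY = "deny"       # database reachable, credentials not accepted
    ERROR = "error"     # database unavailable or not configured


@dataclass
class Database:
    """Hypothetical model of one AAA database (local, enable, line, radius, tacacs).

    `users` maps username -> password; the enable and line databases have no
    usernames, so they are keyed by the empty string.  `available=False` models
    an unreachable RADIUS/TACACS+ server or an unconfigured database.
    """
    name: str
    users: dict = field(default_factory=dict)
    available: bool = True

    def check(self, username: str, password: str) -> Result:
        if not self.available or not self.users:
            return Result.ERROR
        if self.users.get(username) == password:
            return Result.ACCEPT
        return Result.DENY


def evaluate(method_list, databases, username, password):
    """Apply the slides' method rules to one method list.

    Returns (final Result, trace); trace lists (method, result) pairs in the
    order the methods were consulted.
    """
    trace = []
    for method in method_list:
        if method == "none":
            # "none" grants access without credentials and always ends the walk
            trace.append(("none", Result.ACCEPT))
            return Result.ACCEPT, trace
        db = databases.get(method)
        result = db.check(username, password) if db else Result.ERROR
        trace.append((method, result))
        if result is Result.ERROR:
            continue            # unavailable: fall through to the next method
        return result, trace    # ACCEPT or DENY from a reachable DB is final
    # every method returned ERROR and no "none" was present
    return Result.DENY, trace


# Constructed sample databases (assumption, not data from a real device):
# local users david/george, an enable password, a line password and a RADIUS
# server that is currently unreachable.
DATABASES = {
    "local": Database("local", {"david": "david", "george": "george"}),
    "enable": Database("enable", {"": "high"}),
    "line": Database("line", {"": "PW_Telnet"}),
    "radius": Database("radius", {"bob": "ge55gep"}, available=False),
}


def scenarios():
    """Run one case per rule; returns {label: final Result}."""
    cases = {
        # reachable DB rejects -> denied; the "none" after it is never reached
        "local-unknown-user": (["local", "none"], "mallory", "x"),
        # first method errors, second method accepts
        "radius-down-enable-ok": (["radius", "enable", "none"], "", "high"),
        # only unreachable methods, "none" at the end keeps access open
        "radius-down-none": (["radius", "none"], "bob", "ge55gep"),
        # only unreachable methods and no "none" -> denied
        "radius-down-no-none": (["radius", "tacacs"], "bob", "ge55gep"),
        # single reachable method accepts
        "local-known-user": (["local"], "george", "george"),
    }
    return {label: evaluate(methods, DATABASES, user, pw)[0]
            for label, (methods, user, pw) in cases.items()}


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:24s} -> {result.value}")
```

The `radius-down-none` case is the one to watch when reviewing a configuration: a list ending in "none" keeps management access open whenever every earlier method errors, so an unreachable RADIUS server silently turns a Telnet or SSH line into an unauthenticated one.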
  18. AAA – the three configuration steps (diagram)
     1. Creating password (and user) databases: local, enable, line, RADIUS, TACACS+, none
     2. Assigning databases to methods: one or more databases to each method (login, enable), or none
     3. Attaching methods to lines: console, Telnet, SSH, HTTP, HTTPS
     [Diagram: the databases (Local Pwd, Enable Pwd, Line Pwd, Radius Pwd, None) feed the login and enable methods, which are attached to the console, telnet, ssh, http and https lines]
  19. AAA (1) – Databases
     Local database:
         console(config)# username XXX password YYY level 15
         User name   password   level
         Local1      loc1       1
         Local15     loc15      15
     Enable database:
         console(config)# enable password level 15 YYY
         User name   password   level
         -----       en1        1
         -----       en15       15
     Line database:
         console(config)# line console/telnet/ssh
         console(config-line)# password YYY
         User name   password             level
         -----       linec (for console)  -----
         -----       linet (for telnet)   -----
         -----       lines (for ssh)      -----
  20. AAA cont' – Assigning databases to methods
         console(config)# aaa authentication login log_tel enable none
         login/enable   method name   Database in use
         login          log_cons      line none
         login          log_tel       enable none
         login          log_ssh       local
         console(config)# aaa authentication enable en_cons local
         login/enable   method name   Database in use
         enable         en_cons       local
         enable         en_tel        line
         enable         en_ssh        Radius enable none
  21. AAA cont' – Attaching methods to lines
         console(config)# line console
         console(config-line)# login authentication log_cons
         console(config-line)# enable authentication en_cons
         console(config-line)# exit
         console(config)# line telnet
         console(config-line)# login authentication log_tel
         console(config-line)# enable authentication en_tel
         console(config-line)# exit
         console(config)# line ssh
         console(config-line)# login authentication log_ssh
         console(config-line)# enable authentication en_ssh
         console(config-line)# exit
         console(config)# ip http authentication local none
         console(config)# ip https authentication radius local
  22. AAA cont' – Show
         console# show authentication methods
         Login Authentication Method Lists
         -------------------------------------------
         Console_Default : None
         Network_Default : Local
         log_ssh : Local
         log_tel : Enable None
         log_cons : Line None
         Enable Authentication Method Lists
         ----------------------------------
         Console_Default : Enable None
         Network_Default : Enable
         en_ssh : Radius Enable None
         en_tel : Line
         en_cons : Enable None
         Line      Login Method List   Enable Method List
         -------   -----------------   ------------------
         Console   log_cons            en_cons
         Telnet    log_tel             en_tel
         SSH       log_ssh             en_ssh
         http : Local None
         https : Radius Local
     The local, enable and line database tables of slide 19 are shown alongside this output.
  23. AAA CLI Configuration (AT-8000S)
  24. AT-8000S AAA – CLI Configuration
     • Entering line configuration mode
     • Configuring databases
     • Creating method lists
     • Applying method lists to lines
     • Applying methods to HTTP/HTTPS
     • Show commands
  25. AT-8000S – Line Mode
     • Use the following Global Mode command to enter the line command mode of console/telnet/ssh:
         line {console | telnet | ssh}
     • Example – entering telnet line mode:
         console# con
         console(config)# line telnet
         console(config-line)#
  26. AT-8000S – CLI Configuration (agenda repeated; next: Configuring databases)
  27. AAA – Line Password
     • Use the following Line Configuration Mode command to specify a password for a line. To remove the password, use the no form of this command:
         password password [encrypted]
         no password
     • encrypted – the password you enter is already encrypted, copied from another device configuration
  28. AAA – Line Password
     • Notes:
       – Each line (console, Telnet, SSH) is configured with its own password and only that password applies to that line
       – Each line has only 1 password; entering a new password cancels the previous one
       – There is no "show" command to view the line password
  29. AT-8000S – Line Password Example
     • Example – configuring a password for each of the lines (console, Telnet and SSH):
         console(config)# line console
         console(config-line)# password PW_Console
         console(config-line)# exit
         console(config)# line telnet
         console(config-line)# password PW_Telnet
         console(config-line)# exit
         console(config)# line ssh
         console(config-line)# password PW_SSH
         console(config-line)#
  30. AAA – Enable Password
     • Use the following Global Mode command to set a local password for different privilege levels. Use the no form of this command to remove the password requirement:
         enable password [level level] password [encrypted]
         no enable password [level level]
     • level – the level for which the password applies; if not specified the level is 15
     • encrypted – the password you enter is already encrypted, copied from another device configuration
  31. AAA – Enable Password
     • Notes:
       – Only 1 password can be defined for each level (a new password for a level erases the previous entry)
       – Only levels 15 and 1 are implemented in the current version
       – There is no "show" command to view the enable password
       – If enable is the method used for login (authentication), the user must enter the password for level 1. If the user enters the level 15 password, access is denied.
  32. AAA – Local User Name
     • Use the following Global Mode command to establish a username-based authentication system. Use the no form to remove a user name:
         username name [password password] [level level] [encrypted]
         no username name
     • name & password – the name and authentication password of the user
     • level – the user level; if not specified the privilege level is 15
  33. Enable & User Example
     • Example:
       – Configuring enable passwords for level 15 and level 1
       – Configuring local database user names and passwords
         console(config)# enable password level 15 high
         console(config)# enable password level 1 low
         console(config)# username david password david level 15
         console(config)# username george password george level 1
         console(config)#
  34. AAA – RADIUS Server
     • Use the following Global Mode command to specify a RADIUS server host. To delete the specified host, use the no form of the command:
         radius-server host ip-address [auth-port auth-port-number] [timeout timeout] [retransmit retries] [deadtime deadtime] [key key-string] [source source] [priority priority] [usage type]
         no radius-server host ip-address
  35. RADIUS – Global Parameters
     • Each of the parameters in the radius-server host command can also be used as an individual command to set the global RADIUS configuration, which applies to a server whenever the host command did not include that parameter:
         radius-server key
         radius-server retransmit (default 3)
         radius-server source-ip (default 0.0.0.0)
         radius-server timeout (default 3)
         radius-server deadtime (default 0)
     • The "no" form of each command returns the value to its default
  36. AT-8000S – RADIUS Example
     • Example:
       – Configuring a RADIUS server with IP 10.1.1.100, port 1645 and priority 1
       – Defining a global retransmit value of 5
         console(config)# radius-server host 10.1.1.100 auth-port 1645 priority 1
         console(config)# radius-server retransmit 5
  37. AT-8000S – CLI Configuration (agenda repeated; next: Creating method lists)
  38. Login Authentication Method
     • Use the following Global Mode command to define authentication method lists for login. Use the no form of this command to erase a defined list:
         aaa authentication login {default | list-name} method1 [method2...]
         no aaa authentication login {default | list-name}
     • default – the device's default list of methods; using the "no" form on "default" returns it to the device default
     • list-name – name of a (user-defined) list of authentication methods which can be activated when a user logs in
  39. Login Authentication Method
     • method1 [method2...] – at least one of the following:
  40. Login Authentication Method
     • The additional methods in a list (if defined) are used only if the previous method returns an error, not if it denies login. To ensure that the login succeeds even if all methods return an error (but not if they denied access), specify none as the final method.
     • The default and optional list names defined with the aaa authentication login command are attached to a line using the login authentication command (line mode)
  41. Enable Authentication Method
     • Use the following Global Mode command to set authorization when the user attempts to access a higher privilege level. To remove a list (or return the "default" list to its original setting) use the no form of this command:
         aaa authentication enable {default | list-name} method1 [method2...]
         no aaa authentication enable {default | list-name}
  42. Enable Authentication Method
     • method1 [method2...] – at least one of the following:
  43. Enable Authentication Method
     • The additional methods in a list (if defined) are used only if the previous method returns an error, not if authentication fails. To ensure that authentication succeeds even if all methods return an error, specify none as the final method.
     • All aaa authentication enable requests sent by the device to a RADIUS or TACACS+ server include the username "$enabx$", where x is the requested privilege level (15 for the highest)
     • The default and optional list names that you define with the aaa authentication enable command are applied to a line with the enable authentication (line configuration mode) command
  44. Method Lists – Example
     • Example:
       – Configuring 3 different login method lists
       – Changing the login "default" method list
       – Configuring 3 different enable method lists
         console(config)# aaa authentication login log1 local none
         console(config)# aaa authentication login log2 radius enable
         console(config)# aaa authentication login log3 line
         console(config)# aaa authentication login default line
         console(config)# aaa authentication enable en1 enable none
         console(config)# aaa authentication enable en2 line
         console(config)# aaa authentication enable en3 radius none
  45. AT-8000S – CLI Configuration (agenda repeated; next: Applying method lists to lines)
  46. Assigning a Login Authentication List to a Line
     • Use the following Line Configuration Mode command to specify the login authentication method list. To return to the default list use the no form of this command:
         login authentication {default | list-name}
         no login authentication
     • default / list-name – as specified in the Global Mode aaa authentication login command
     • The command is applied separately to each line (console, Telnet, SSH) in its own line mode
  47. Assigning an Enable Authentication List to a Line
     • Use the following Line Configuration Mode command to specify the authorization method list used when the user requests access to a higher privilege level. To return to the default list use the no form of this command:
         enable authentication {default | list-name}
         no enable authentication
     • default / list-name – as specified in the Global Mode aaa authentication enable command
     • The command is applied separately to each line (console, Telnet, SSH) in its own line mode
  48. Method Lists – Example
     • Example – assigning login and enable method lists to lines (the default list is assigned to console login):
         console(config)# line console
         console(config-line)# login authentication default
         console(config-line)# enable authentication en1
         console(config-line)# exit
         console(config)# line telnet
         console(config-line)# login authentication log2
         console(config-line)# enable authentication en2
         console(config-line)# exit
         console(config)# line ssh
         console(config-line)# login authentication log3
         console(config-line)# enable authentication en3
  49. AT-8000S AAA – CLI Configuration (agenda repeated; next: Applying methods to HTTP/HTTPS)
  50. HTTP Authentication List
     • Use the following Global Mode command to specify the authentication method(s) for HTTP server users. To return to the default (local), use the no form of this command:
         ip http authentication method1 [method2...]
         no ip http authentication
     • method1 [method2...] – at least one of: local, radius, tacacs, none
     • The default method is "local"
  51. HTTPS Authentication List
     • Use the following Global Mode command to specify the authentication method(s) for HTTPS server users. To return to the default (local), use the no form of this command:
         ip https authentication method1 [method2...]
         no ip https authentication
     • method1 [method2...] – at least one of: local, radius, tacacs, none
     • The default method is "local"
  52. HTTP/HTTPS AAA – Example
     • Example:
       – Apply the RADIUS method on HTTPS for AAA services
       – Apply the TACACS+ method on HTTP for AAA services
         console(config)# ip https authentication radius
         console(config)# ip http authentication tacacs
  53. AT-8000S AAA – CLI Configuration (agenda repeated; next: Show commands)
  54. AT-8000S AAA – CLI Configuration (agenda repeated)
  55. AAA – Show commands
     • Use the following EXEC mode command to display information about the authentication methods:
         show authentication methods
     • The command shows:
       – Login method lists
       – Enable method lists
       – Line to method list association
       – HTTP/HTTPS/dot1x method association
  56. AAA – Show commands (output continues on the next slide)
         console# sh authentication methods
         Login Authentication Method Lists
         ----------------------------------
         Default : Enable
         logm : Enable
         Enable Authentication Method Lists
         ----------------------------------
         Default : Enable
         enm : Enable
  57. AAA – Show commands (continued from the previous slide)
         Line      Login Method List   Enable Method List
         -------   -----------------   -------------------
         Console   logm                enm
         Telnet    Default             Default
         SSH       Default             Default
         http : Local
         https : Local
         dot1x :
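The `show authentication methods` output of slides 22, 56 and 57 is the one place where the whole chain (line, list name, methods) is visible, which makes it the natural input for a configuration audit. The following Python script is an added example, not part of the slides or the vendor's tooling: it parses that output format as shown on the slides and flags lines or services whose effective method list is "none" only, contains "none" (fails open when earlier methods error, per slide 15), or has methods after "none" that can never be reached. The sample capture is constructed from the slide 22 text; the `resolve` rule for a plain "Default" entry follows slide 13 and is an assumption about how the device names the lists after they are redefined.

```python
# Constructed sample: the slide 22 output reassembled into one capture
# (assumption; not taken from a live device).
SAMPLE_OUTPUT = """\
console# show authentication methods
Login Authentication Method Lists
-------------------------------------------
Console_Default : None
Network_Default : Local
log_ssh : Local
log_tel : Enable None
log_cons : Line None
Enable Authentication Method Lists
----------------------------------
Console_Default : Enable None
Network_Default : Enable
en_ssh : Radius Enable None
en_tel : Line
en_cons : Enable None
Line      Login Method List   Enable Method List
-------   -----------------   ------------------
Console   log_cons            en_cons
Telnet    log_tel             en_tel
SSH       log_ssh             en_ssh
http : Local None
https : Radius Local
dot1x :
"""

SERVICES = ("http", "https", "dot1x")


def parse_show_authentication_methods(text):
    """Parse the command output into {login, enable, lines, services}."""
    parsed = {"login": {}, "enable": {}, "lines": {}, "services": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or "#" in line:
            continue                    # blanks, rulers and the CLI prompt line
        if line.startswith("Login Authentication Method Lists"):
            section = "login"
            continue
        if line.startswith("Enable Authentication Method Lists"):
            section = "enable"
            continue
        if line.startswith("Line "):    # header of the line-to-list table
            section = "lines"
            continue
        if ":" in line:                 # "name : method method ..." entries
            name, _, methods = line.partition(":")
            name = name.strip()
            methods = [m.lower() for m in methods.split()]
            if name.lower() in SERVICES:
                parsed["services"][name.lower()] = methods
            elif section in ("login", "enable"):
                parsed[section][name] = methods
        elif section == "lines":        # "Console  log_cons  en_cons" rows
            parts = line.split()
            if len(parts) == 3:
                parsed["lines"][parts[0]] = {"login": parts[1], "enable": parts[2]}
    return parsed


def resolve(lists, name, line):
    """Map the list name a line refers to onto its methods.

    Assumption from slide 13: "Default" on the console line means
    Console_Default, on a network line Network_Default; a plain "Default"
    entry (shown after the user redefines it) applies to both.
    """
    if name in lists:
        return lists[name]
    if name.lower() == "default":
        key = "Console_Default" if line.lower() == "console" else "Network_Default"
        return lists.get(key)
    return None


def _issues(methods):
    if methods is None:
        return ["undefined-list"]
    if methods == ["none"]:
        return ["no-authentication"]
    issues = []
    if "none" in methods:
        # slide 15: "none" is reached when every earlier method returns an
        # error, so an unreachable server or an unset password opens the line
        issues.append("fails-open")
        if methods.index("none") != len(methods) - 1:
            issues.append("methods-after-none-unreachable")
    return issues


def audit(parsed):
    """Return findings as (scope, kind, list_name, issue) tuples."""
    findings = []
    for line, refs in parsed["lines"].items():
        for kind in ("login", "enable"):
            methods = resolve(parsed[kind], refs[kind], line)
            findings.extend((line, kind, refs[kind], i) for i in _issues(methods))
    for svc, methods in parsed["services"].items():
        if methods:                     # dot1x is shown empty on the slides
            findings.extend((svc, "login", "-", i) for i in _issues(methods))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show_authentication_methods(SAMPLE_OUTPUT)):
        print(*finding)
```

Run against the slide 22 capture the audit reports five fails-open findings (console login and enable, Telnet login, SSH enable, and HTTP); the SSH login list (local only) and HTTPS (radius then local) pass, which matches the rules of slide 15 applied by hand.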
  58. Show RADIUS Server
     • Use the following EXEC mode command to display the RADIUS server settings:
         show radius-servers
         console# sh radius-servers
         IP address       Auth.  TimeOut  Retran.  DeadTime  source IP        Prio.  Usage
         ---------------  -----  -------  -------  --------  ---------------  -----  -----
         9.1.1.1          1812   Global   Global   Global    Global           0      all
         Global values
         --------------
         TimeOut : 3
         Retransmit : 3
         Deadtime : 0
         Source IP : 0.0.0.0
         console#
  59. Thank You!!!
