3_poglavlje_AAA.pdf
- 1. © 2008 Cisco Systems, Inc. All rights reserved.
Presentation_ID 1
Chapter 3: Authentication, Authorization and Accounting
CCNA-Security
- 2. Chapter 3
3.0 Introduction
3.1 Purpose of AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
3.4 Server-Based AAA Authentication
3.5 Server-Based AAA Authorizing and Accounting
3.6 Summary
- 3. 3.1 Purpose of AAA
- 4. AAA Overview
Authentication without AAA
▪ There are several authentication methods that can be implemented on Cisco devices.
▪ Each authentication method provides a certain level of security.
▪ The simplest form of authentication is a password.
▪ Password-only logins are the weakest and most vulnerable form of authentication: they are susceptible to brute-force attacks and provide no accountability (the actions an authenticated user performs are not recorded).
▪ Authentication against a locally created database of user accounts adds a further level of protection, because an attacker must know both the username and the password. It also provides better accountability, because the username is recorded when the user logs in.
▪ A better solution is for all network devices to share a common database of user accounts (usernames and passwords) stored on a central server.
- 5. Authentication without AAA
Telnet is Vulnerable to Brute-Force Attacks
- 6. Authentication without AAA (Cont.)
SSH and Local Database Method
- 7. AAA Overview
AAA Components
Network and administrative AAA security in a network of Cisco devices provides several functions:
▪ Authentication - Users and administrators must somehow prove that they are legitimate users. Authentication can be performed by entering a username and password, answering predefined questions, entering a credit-card number, or by other methods.
▪ Authorization - After a user has authenticated, authorization services determine which resources the authenticated user may access and which commands the user may execute.
▪ Accounting and auditing - Accounting records what the authenticated and authorized user does, including which resources were accessed, how much time was spent accessing those resources and what changes were made to them.
- 9. AAA Characteristics
Authentication Modes
AAA can be used to authenticate users for administrative access or to authenticate users for remote network access. These are two access methods that can use different modes of the AAA service.
Local AAA Authentication – uses a local database of user accounts (usernames and passwords) created on the Cisco router itself.
Server-Based AAA Authentication – authentication is delegated to dedicated servers with their own external database of user accounts. The RADIUS or TACACS+ protocols are used for this purpose.
- 10. Authentication Modes
Local AAA Authentication
• The user establishes a connection with the router.
• The AAA router prompts the user for a username and password.
• The router authenticates the entered username and password against its locally created database.
• The authenticated user is then authorized based on the data in the local database, after which the authorized user has specific rights and privileges on the router being accessed.
- 11. Authentication Modes
Server-Based AAA Authentication
• The user establishes a connection with the router.
• The AAA router prompts the user for a username and password.
• The router authenticates the entered username and password with the help of the remote AAA server and its database.
• The authenticated user is then authorized based on the data in the AAA server's database, after which the authorized user has specific rights and privileges.
- 12. AAA Characteristics
Authorization
Authorization is the determination of an authenticated user's rights and privileges.
• Once the user has authenticated, a session is established with the AAA server.
• The router sends an authorization request for the user to the AAA server.
• The AAA server replies to the router with PASS or FAIL for the requested authorization.
- 13. AAA Characteristics
Accounting
Accounting is the process of collecting information about, and reporting on, the data used by an authorized user; the records can later be used for auditing and billing.
• When a user authenticates, AAA accounting generates a start message, which begins the accounting process.
• When the user finishes, a stop message is recorded and the accounting process ends.
- 14. AAA Characteristics
Accounting
Types of accounting information:
▪ Network
▪ Connection
▪ EXEC
▪ System
▪ Command
▪ Resource
- 15. 3.2 Local AAA Authentication
- 16. Configuring Local AAA Authentication with CLI
Authenticating Administrative Access
▪ Local AAA authentication is similar to using the login local command, with one exception: AAA allows a backup authentication method to be defined.
▪ Configuring local AAA services for authenticating administrative access requires a few basic steps:
Step 1. Create user accounts (usernames and passwords) in the router's local database for the users who need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure the AAA parameters on the router. A named list of authentication methods is created, which the router applies when authenticating a user (in the order in which the methods are listed when the method list is declared). The created list is then applied to the desired interface or line.
Step 4. Verify and troubleshoot the AAA configuration.
Example of a named authentication method list (figure)
- 17. Configuring Local AAA Authentication with CLI
Authentication Methods
▪ To enable AAA, use the aaa new-model command in global configuration mode.
▪ To configure authentication on the vty ports, asynchronous lines (tty), the auxiliary port or the console port, a named list of authentication methods must be defined and then applied to the various interfaces (lines).
▪ To define a named list of authentication methods, use the aaa authentication login command in global configuration mode on the router.
▪ Example: to enable local authentication using the predefined local database on the router, use local or local-case (case-sensitive) as the method type in the aaa authentication login command.
▪ To specify that the user authenticates with the enable password, use enable as the method type.
▪ The authentication methods are listed in the order in which they are tried when a user authenticates on the device.
▪ The minimum number of methods that can be listed in the aaa authentication login command is 1; the maximum is 4.
- 18. Configuring Local AAA Authentication with CLI
Authentication Methods (Cont.)
- 19. Configuring Local AAA Authentication with CLI
Default and Named Methods
▪ A defined authentication method list must be applied to specific interfaces or lines. Different lists can be applied to different interfaces or lines.
▪ To enable and activate a created AAA authentication method list on the console, aux or vty line, use the command login authentication list-name in line configuration mode.
▪ A default list name can also be created. When AAA is first enabled, the AAA authentication method list named "default" is automatically applied to all sessions and access lines. All other lists must be applied manually.
- 20. Configuring Local AAA Authentication with CLI
Default and Named Methods – example 1
▪ A local database of user accounts is created (two accounts).
▪ AAA is enabled on the router.
▪ Two authentication method lists are created:
1. The first is the default method list, which is applied to all sessions and access lines: SSH, Telnet, vty, console, aux.
2. The second is the named list TELNET-LOGIN.
▪ The first configured method list (default) specifies that the entered account is first checked against the locally created account database (running-config), with case-sensitive matching (local-case). If the entered account is not found in the local database, the entered password is then checked against the enable secret.
▪ The second configured named list specifies that the entered account is checked only against the locally created account database (running-config), with case-sensitive matching (local-case).
▪ The second named list is applied to vty lines 0-4.
▪ A configured named authentication method list must be applied to one of the access lines in order to be active at all.
- 21. Configuring Local AAA Authentication with CLI
Default and Named Methods – example 2
▪ The next authentication method list is a named list called MY-LIST-1.
▪ This list defines the following order of authentication methods:
1. The first attempt to verify the username and password must be made through one of the servers in the tacacs server group (group tacacs).
2. If the tacacs server does not respond, the username and password are checked against the local database of user accounts (running-config) (local).
3. If the account entered by the user is not found in the local database either, the enable secret password for device access is checked (enable).
▪ The method list named MY-LIST-1 must be applied to one of the access lines to become active. Otherwise the default method list (configured earlier) remains in effect.
R1(config)# aaa authentication login MY-LIST-1 group tacacs local enable
- 22. Configuring Local AAA Authentication with CLI
Refine the Authentication Configuration
▪ Additional protection of AAA authentication on an access line can be implemented with the following command in global configuration mode:
Router(config)# aaa local authentication attempts max-fail number-of-unsuccessful-attempts
▪ This command protects AAA user accounts by locking them out once the maximum number of failed authentication attempts is exceeded.
▪ The command for displaying locked-out user accounts is shown on the next slide.
- 23. Fine-Tuning the Authentication Configuration
(Figure: command syntax for displaying locked-out users and for showing the unique ID of a session)
- 24. Troubleshooting Local AAA Authentication
Debug Options
▪ The debug aaa authentication command is instrumental when troubleshooting AAA problems.
▪ Look specifically for GETUSER and GETPASS status messages. These messages are helpful when identifying which method list is referenced.
- 25. Debugging AAA Authentication
Understanding Debug Output
- 26. 3.2 Local AAA Authorization
- 27. Authorization method lists
▪ An authorization method list is created in the same way as an authentication method list, and it can be either the default list or a named list.
▪ A created named authorization method list is not active until it is applied to one of the access lines (for example the vty lines).
▪ Examples of named authorization method lists:
1. The first authorization method list is named TAC1 and authorizes all commands in user mode at privilege level 1 (commands 1). Every user authenticated with privilege level 1 or higher is authorized to use all user-mode commands.
R1(config)# aaa authorization commands 1 TAC1 group tacacs+ local
2. The second authorization method list is named TAC15 and authorizes all commands in privileged EXEC mode at privilege level 15 (commands 15). Every user authenticated with privilege level 15 is authorized to use all privileged-mode commands.
R1(config)# aaa authorization commands 15 TAC15 group tacacs+ local
- 28. Authorization method lists
R1(config)# aaa authorization commands 1 TAC1 group tacacs+ local
R1(config)# aaa authorization commands 15 TAC15 group tacacs+ local
▪ In both examples, if the configured named authorization method lists TAC1 and TAC15 are applied to the console or vty access lines, then before each execution of a command in user or privileged mode the router first contacts one of the tacacs+ servers and checks whether the user is authorized to use that command (group tacacs+).
▪ If those ACS servers are unavailable, the router checks its local database of user accounts to determine whether the logged-in user has a high enough privilege level to use the given commands in user or privileged mode (privilege level 15 for privileged mode, privilege level 1 or higher for user mode).
- 29. Applying authentication and authorization method lists – example 1
▪ Creating a user with level 15 access on the local router is a good idea, in the event the ACS server can't be reached, and a backup method has been specified as the local database.
R1(config)# username admin privilege 15 secret 4Je7*1swEsf
▪ Creating the authentication method list:
R1(config)# aaa authentication login MY-LIST-1 group tacacs local enable
▪ Applying the named method lists is what puts them in motion. By applying the method lists to the VTY lines, any users connecting to these lines will be authenticated by the methods specified by the lists that are applied, and accounting will also occur, based on the lists that are applied.
R1(config)# line vty 0 4
R1(config-line)# login authentication MY-LIST-1
R1(config-line)# authorization commands 1 TAC1
R1(config-line)# authorization commands 15 TAC15
▪ Note: on the console and AUX ports, the default list will be applied, because no custom method list is applied directly to the console or AUX ports.
- 30. Applying authentication and authorization method lists – example 2
▪ Local user in the database has a privilege level of 15:
R4(config)# username admin privilege 15 secret cisco
▪ This method list, if applied to a line, will specify local authentication:
R4(config)# aaa authentication login AUTHEN_Loc local
▪ This next method list, if applied to a line, will require authorization before giving the administrator an exec shell. If the user has a valid account in the running configuration, the exec shell will be created for the authenticated user, and it will place the user in their privilege level automatically:
R4(config)# aaa authorization exec AUTHOR_Exec_Loc local
▪ This method list, if applied to a line, will require authorization for each and every level 15 command issued. Because the user is at privilege level 15, the router will say "yes" to any level 15 commands that may be issued by the user:
R4(config)# aaa authorization commands 15 AUTHOR_Com_15 local
- 31. Applying authentication and authorization method lists – example 2 (Cont.)
▪ Next we will apply the 3 custom method lists to vty lines 0-4, so that when anyone connects via these vty lines, they will be subject to the login authentication, the exec authorization, and the level 15 command authorization for the duration of their session.
R4(config)# line vty 0 4
R4(config-line)# login authentication AUTHEN_Loc
R4(config-line)# authorization exec AUTHOR_Exec_Loc
R4(config-line)# authorization commands 15 AUTHOR_Com_15
R4(config-line)# exit
▪ Authentication and authorization will be performed only for users who access the device through the vty lines.
- 32. 3.2 Local AAA Accounting
- 33. Accounting method lists
▪ In the same way as authentication and authorization method lists are configured, an accounting method list (for recording executed events) is created, which can be either the default list or a named list.
▪ A created named accounting method list is not active until it is applied to one of the access lines (for example the vty lines).
▪ The next 2 method lists are accounting method lists that will record the commands issued at level 1 and 15 if the lists are applied to a line, and if an administrator connects to this device via that line. Accounting method lists can have multiple methods, but can't log to the local router.
R1(config)# aaa accounting commands 1 TAC-act1 start-stop group tacacs+
R1(config)# aaa accounting commands 15 TAC-act15 start-stop group tacacs+
▪ Creating a user with level 15 access on the local router is a good idea, in the event the ACS server can't be reached, and a backup method has been specified as the local database.
R1(config)# username admin privilege 15 secret 4Je7*1swEsf
- 34. Accounting method lists
▪ Applying the named accounting method lists to the vty access lines:
R1(config)# line vty 0 4
R1(config-line)# accounting commands 1 TAC-act1
R1(config-line)# accounting commands 15 TAC-act15
R1(config-line)# end
R1#
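The slides on local authentication, authorization and accounting all repeat one operational point: a named method list does nothing until it is applied to a line, lines with no list fall back to "default", and a list applied under a line must actually exist. The following Python script is an added example, not part of the deck or of any Cisco tool; it parses a constructed running-config excerpt (the secret is a placeholder) and reports the effective list per line, the named lists that are defined but never applied, and line-mode references to lists that were never defined.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed running-config excerpt modelled on the deck's examples.
# TELNET-LOGIN and TAC1 are defined but never applied; TAC-act1 is applied
# under the vty lines but never defined.
SAMPLE_CONFIG = """\
aaa new-model
username admin privilege 15 secret PLACEHOLDER-SECRET
aaa authentication login default local-case enable
aaa authentication login TELNET-LOGIN local-case
aaa authentication login MY-LIST-1 group tacacs local enable
aaa authorization commands 1 TAC1 group tacacs+ local
aaa authorization commands 15 TAC15 group tacacs+ local
aaa accounting commands 15 TAC-act15 start-stop group tacacs+
line con 0
line aux 0
line vty 0 4
 login authentication MY-LIST-1
 authorization commands 15 TAC15
 accounting commands 1 TAC-act1
 accounting commands 15 TAC-act15
"""

# Global definitions, e.g. 'aaa authorization commands 15 TAC15 group tacacs+ local'
DEF_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) "
    r"(login|exec|commands \d+|network|connection) (\S+)"
    r"(?: (start-stop|stop-only|none))? (.*)$")
LINE_RE = re.compile(r"^line (?:con|aux|vty|tty) \d+(?: \d+)?$")
# Line-mode application, e.g. ' login authentication MY-LIST-1'
APPLY_RE = re.compile(
    r"^\s+(login authentication|authorization (?:exec|commands \d+)|"
    r"accounting (?:exec|commands \d+)) (\S+)$")


def _key(applied_cmd: str) -> Tuple[str, str]:
    """Map a line-mode command to the (service, kind) of its global definition."""
    if applied_cmd == "login authentication":
        return ("authentication", "login")
    service, kind = applied_cmd.split(" ", 1)
    return (service, kind)


def parse(config: str):
    """Return (aaa_enabled, {(service, kind): {name: methods}}, {line: {cmd: name}})."""
    defs: Dict[Tuple[str, str], Dict[str, List[str]]] = {}
    lines: Dict[str, Dict[str, str]] = {}
    aaa_enabled, current = False, None
    for raw in config.splitlines():
        if raw.strip() == "aaa new-model":
            aaa_enabled = True
            continue
        m = DEF_RE.match(raw)
        if m:
            service, kind, name, _record, methods = m.groups()
            defs.setdefault((service, kind), {})[name] = methods.split()
            continue
        if LINE_RE.match(raw):
            current = raw[len("line "):]          # e.g. "vty 0 4"
            lines[current] = {}
            continue
        m = APPLY_RE.match(raw)
        if m and current is not None:
            lines[current][m.group(1)] = m.group(2)
    return aaa_enabled, defs, lines


def audit(config: str) -> Dict[str, object]:
    aaa_enabled, defs, lines = parse(config)
    effective: Dict[str, Dict[str, str]] = {}
    used: Set[Tuple[str, str, str]] = set()
    undefined: List[str] = []
    for line_name, applied in lines.items():
        for cmd, name in applied.items():
            if name not in defs.get(_key(cmd), {}):
                undefined.append(f"{line_name}: {cmd} {name}")
        eff: Dict[str, str] = {}
        for (service, kind), lists in defs.items():
            name = next((n for c, n in applied.items() if _key(c) == (service, kind)), None)
            if name is None and "default" in lists:
                name = "default"      # no explicit list on this line: "default" applies
            if name is not None:
                used.add((service, kind, name))
            eff[f"{service} {kind}"] = name or "(none)"
        effective[line_name] = eff
    unused = sorted(f"{s} {k} {n}" for (s, k), lists in defs.items()
                    for n in lists if n != "default" and (s, k, n) not in used)
    return {"aaa_enabled": aaa_enabled, "effective": effective,
            "unused_named_lists": unused, "undefined_references": sorted(undefined)}
```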
- 35. 3.3 Server-Based AAA
- 36. Comparing Local AAA and Server-Based AAA Implementations
Server-based authentication:
1. The user establishes a connection with the router.
2. The router asks the user to enter a valid username and password.
3. The router forwards the entered username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user.
Local authentication:
1. The user establishes a connection with the router.
2. The router asks the user to enter a valid username and password.
3. The router checks the entered username and password against the data in its local database and authenticates the user.
- 37. Server-Based AAA Characteristics
Comparing Local and Server-Based AAA
Implementing AAA with a local database on the router is not a good solution for large networks. In large networks one or more ACS servers are deployed to authenticate and authorize all logged-in users.
ACS - Cisco Access Control Server
- 38. Server-Based AAA Characteristics
Why use ACS server?
• Most midsize and large companies using Cisco equipment are also going to use ACS servers so that they can centrally manage the users and control what those users are authorized to do.
• By configuring users locally on the ACS server, and then having the dozens or hundreds of routers and switches act as clients to the ACS server, you can use the Cisco ACS server as a central clearinghouse for the authentication of users.
• This way, you can create a user account one time on the ACS server, and configure the routers and switches to use the ACS server for any type of user, whether an administrator trying to access the router for configuration or an end user who just needs access through a router for some network application or service such as browsing the web.
• If all your network devices use the ACS server, you can avoid having to create that same user account on each of the individual routers' and switches' local database (in their running config).
- 39. Server-Based AAA Characteristics
Why use ACS server?
• Most companies using ACS servers have many users, and it is time-consuming to create all the user accounts manually in ACS.
• One convenient feature of an ACS server is that all the users do not have to be locally configured on the ACS server, either; instead, the ACS server can use an external database that already exists and contains the usernames and passwords.
• An example is Microsoft Active Directory, where all the users and their credentials are already in place.
- 40. Server-Based AAA Characteristics
Introducing Cisco Secure Access Control Server
The Cisco Secure ACS family of products supports both protocols for communication between the ACS server and the router:
• Terminal Access Controller Access-Control System Plus (TACACS+)
• Remote Authentication Dial-In User Service (RADIUS)
TACACS+ and RADIUS are the protocols for communication between Cisco's ACS server and the Cisco client device (router) on which the user wants to authenticate.
- 41. Server-Based AAA Communication Protocols
Introducing TACACS+ and RADIUS
TACACS+ and RADIUS are protocols for authenticating logged-in users, with different capabilities and functionality.
TACACS+ versus RADIUS
- 42. Server-Based AAA Communication Protocols
Introducing TACACS+ and RADIUS
TACACS+ versus RADIUS
Traditionally, and in common practice, if you are authenticating and authorizing administrators for command-line access, it is likely that you will configure TACACS+ on both the ACS server and the router for their communication with each other.
A large reason for this is because TACACS+ has clearly defined and separate techniques and configurations for each aspect of AAA.
For example, if you want to tell the router to check authorization for each individual command before allowing an administrator to put that command in, and only give the administrator a subset or portion of commands, TACACS+ and its authorization component allow extremely granular control in communicating which commands would be allowed.
- 43. Server-Based AAA Communication Protocols
Introducing TACACS+ and RADIUS
TACACS+ versus RADIUS
RADIUS, however, does not have the same level of granular control as TACACS+ command-by-command authorization.
If you are authenticating and authorizing end users who just want their packets to go through a network device (when authentication and authorization are required), it is likely that you are using RADIUS as the communications method between the ACS server and the router.
You may configure the router and ACS server to use both TACACS+ and RADIUS simultaneously between the ACS server and its client, the router.
- 44. Server-Based AAA Communication Protocols
TACACS+ Authentication
TACACS+ is a completely new protocol that is not compatible with earlier versions of the TACACS protocol.
TACACS+ is supported by the Cisco family of routers and access servers; it is a Cisco proprietary protocol. Today only this version is in use.
▪ TACACS+ offers multiprotocol support.
▪ TACACS+ encrypts every AAA packet before it is sent across the network between the ACS server and the router.
▪ TACACS+ uses TCP port 49.
- 45. Server-Based AAA Communication Protocols
TACACS+ Authentication
- 46. Server-Based AAA Communication Protocols
RADIUS Authentication
RADIUS is an open IETF standard AAA protocol for applications such as network access or IP mobility.
▪ RADIUS works in both local and roaming situations, and is commonly used for accounting purposes.
▪ RADIUS hides passwords during transmission.
▪ RADIUS combines authentication and authorization as one process.
▪ RADIUS is widely used by VoIP service providers.
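The contrast between "RADIUS hides passwords" (this slide) and "TACACS+ encrypts every AAA packet" (slide 44) is concrete: RADIUS applies the MD5-based hiding of RFC 2865 section 5.2 to the User-Password attribute only, while TACACS+ XORs the entire packet body with an MD5 keystream (RFC 8907 section 4.5); both keystreams are derived from the shared secret. The following Python is an added example, not part of the deck or of any Cisco implementation; it implements both transforms on constructed inputs, and the secret, Request Authenticator and session id are made-up values.

```python
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes and each 16-byte
    block is XORed with an MD5 keystream block: b1 = MD5(S + RA), then
    b_i = MD5(S + c_{i-1}) where c_{i-1} is the previous *hidden* block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += c
        prev = c
    return bytes(hidden)


def radius_unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; strips the NUL padding."""
    clear, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(clear).rstrip(b"\x00")


def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad for a TACACS+ body.

    MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); the digests are
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_xform(body: bytes, session_id: int, key: bytes,
                      version: int = 0xC0, seq_no: int = 1) -> bytes:
    """Obfuscate or de-obfuscate a whole TACACS+ packet body (XOR is its own inverse)."""
    pad = tacacs_plus_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def demo() -> dict:
    """Constructed values only: the secret, authenticator and session id are made up."""
    secret = b"constructed-shared-secret"
    ra = bytes(range(16))           # Request Authenticator (random per request in real RADIUS)
    password = b"Str0ngPassw0rd!"
    hidden = radius_hide_password(password, secret, ra)
    # Constructed TACACS+ authentication START body: action=LOGIN, priv_lvl=0,
    # authen_type=ASCII, authen_service=LOGIN, user_len=5, port/rem_addr/data_len=0, user.
    body = bytes([1, 0, 1, 1, 5, 0, 0, 0]) + b"admin"
    session_id = 0x1A2B3C4D
    obfuscated = tacacs_plus_xform(body, session_id, secret)
    return {
        "radius_hidden_len": len(hidden),      # 15-byte password -> one 16-byte block
        "radius_roundtrip": radius_unhide_password(hidden, secret, ra) == password,
        # Both keystreams come from MD5 and the shared secret alone, so their
        # protection rests on the secret and on keeping AAA traffic on a trusted path.
        "radius_wrong_secret": radius_unhide_password(hidden, b"other", ra) == password,
        "tacacs_changed": obfuscated != body,
        "tacacs_roundtrip": tacacs_plus_xform(obfuscated, session_id, secret) == body,
    }
```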
- 47. Server-Based AAA Communication Protocols
RADIUS Authentication
- 48. Cisco Secure ACS
TACACS+ and RADIUS with Cisco Secure ACS
Cisco Secure ACS for Windows Server is a single solution that offers AAA for both TACACS+ and RADIUS, and the following benefits:
▪ Extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution.
▪ Allows greater flexibility and mobility, increased security, and user-productivity gains.
▪ Enforces a uniform security policy for all users, regardless of how they access the network.
▪ Reduces the administrative and management burden when scaling user and network administrator access to the network.
- 49. Cisco Secure ACS
Cisco Secure ACS Features
The Cisco Secure ACS server provides additional functions:
▪ Automatic service monitoring
▪ Database synchronization and import tools for large-scale deployments
▪ Lightweight Directory Access Protocol (LDAP) user authentication support
▪ User and administrative access reporting
▪ Restrictions on network access based on criteria such as the time of day and the day of the week
▪ User and device group profiles
- 50. Cisco Secure ACS
Cisco Secure ACS High Performance and Scalability
Cisco Secure ACS has many high-performance and scalability features:
▪ Ease of use - A web-based user interface simplifies and distributes the configuration.
▪ Scalability - Cisco Secure ACS is built to provide large networked environments with support for redundant servers, remote databases, and database replication and backup services.
▪ Extensibility - LDAP authentication forwarding supports the authentication of user profiles that are stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.
▪ Management - Microsoft Windows Active Directory support.
▪ Administration - Different access levels for each Cisco Secure ACS administrator and the ability to group network devices together.
▪ Product flexibility - Can be used across virtually any network access server that Cisco sells.
- 51. 3.4 Server-Based AAA Authentication
- 52. Introduction to Server-Based AAA Authorization
Authentication vs. Authorization
▪ Authentication ensures a device or end-user is legitimate.
▪ Authorization allows or disallows authenticated users access to certain areas and programs on the network.
TACACS+ vs. RADIUS
▪ TACACS+ separates authentication from authorization.
▪ RADIUS does not separate authentication from authorization.
- 53. Configuring Server-Based AAA Authentication
Configuring Server-Based AAA Authentication with CLI
Server-based AAA must identify the various TACACS+ and RADIUS servers that the AAA service should consult when authenticating and authorizing users.
- 54. Configuring Server-Based AAA Authentication
Configuring the CLI for TACACS+ and RADIUS Servers
▪ Globally enable AAA by using the aaa new-model command.
▪ Configure a TACACS+ server and encryption key:
• Use the tacacs-server host ip-address single-connection command to configure a TACACS+ server.
• Use the tacacs-server key key command to configure the shared secret key.
- 55. Configuring Server-Based AAA Authentication
Configuring the CLI for TACACS+ and RADIUS Servers Cont.
▪ Configure a RADIUS server and encryption key:
• Use the radius-server host ip-address command.
• To configure the shared secret key, use the radius-server key key command.
▪ Configure authentication to use the AAA server - use the aaa authentication login default group radius group tacacs+ local-case command.
- 56. Configuring Server-Based AAA Authentication
Configuring the CLI for TACACS+ and RADIUS Servers Cont.
Sample Configuration
- 57. Troubleshooting Server-Based AAA Authentication Traffic
Monitoring Authentication Traffic
Other debugging Commands
• debug radius and debug tacacs
• debug tacacs events
- 58. 3.5 Server-Based AAA Authorization and Accounting
- 59. Configuring Server-Based AAA Authorization
Introduction to Server-Based AAA Authorization
▪ Authorization allows or denies authenticated users access to specific areas and programs in the network.
▪ The TACACS+ protocol allows the separation of authentication from authorization.
▪ The router can be configured to restrict a user to specific functions after authentication.
▪ Authorization can be configured for both modes: character mode (exec authorization) and packet mode (network authorization).
TACACS+ vs. RADIUS
▪ TACACS+ separates authentication from authorization.
▪ RADIUS does not separate authentication from authorization.
- 60. Configuring Server-Based AAA Authorization
AAA Authorization Types
(Figure: authorization method lists, command syntax and an example AAA authorization configuration)
- 61. Configuring Server-Based AAA Authorization
AAA Authorization Types
AAA Authorization Example
- 62. Configuring Server-Based AAA Accounting
Introduction to Server-Based AAA Accounting
▪ Kompanije često moraju da beleže resurse koje individualni korisnici i
grupe koriste nakon svoje autentifikacije.
▪ AAA accounting enables usage tracking, such as dial-in access, to log
the data gathered to a database, and to produce reports on the data
gathered.
▪ One security issue (addressed by accounting) is the creation of a
user list and the time of day a user dialed into the system.
▪ Another reason to implement accounting is to create a list of changes
occurring on the network, the user that made the changes, and the
exact nature of the changes.
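The two accounting use cases just listed (who logged in and when, and which user made which change) as an added Python example. This is not Cisco's code: the accounting records are constructed in a simplified, space-separated, TACACS+-style layout (timestamp, NAS address, user, line, remote address, start/stop, attribute=value pairs) rather than any exact ACS log format, and the "change" heuristic is simply every command a session issues after `configure terminal`.

```python
"""Report over constructed AAA accounting records: login list and change list.
Added example; record format and contents are constructed, not a real ACS log."""
import re
from datetime import datetime

# Constructed sample records (one per line).
SAMPLE_RECORDS = """\
2024-03-04 09:00:12 192.168.1.1 admin tty2 10.0.0.5 start service=shell priv-lvl=15
2024-03-04 09:01:03 192.168.1.1 admin tty2 10.0.0.5 stop service=shell priv-lvl=15 cmd=configure terminal <cr>
2024-03-04 09:01:20 192.168.1.1 admin tty2 10.0.0.5 stop service=shell priv-lvl=15 cmd=interface GigabitEthernet0/1 <cr>
2024-03-04 09:01:41 192.168.1.1 admin tty2 10.0.0.5 stop service=shell priv-lvl=15 cmd=shutdown <cr>
2024-03-04 09:02:10 192.168.1.1 admin tty2 10.0.0.5 stop service=shell priv-lvl=15 elapsed_time=118
2024-03-04 13:30:05 192.168.1.1 helpdesk tty3 10.0.0.9 start service=shell priv-lvl=1
2024-03-04 13:30:40 192.168.1.1 helpdesk tty3 10.0.0.9 stop service=shell priv-lvl=1 cmd=show ip interface brief <cr>
2024-03-04 13:31:00 192.168.1.1 helpdesk tty3 10.0.0.9 stop service=shell priv-lvl=1 elapsed_time=55
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<nas>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<line>\S+)\s+(?P<remote>\S+)\s+(?P<type>start|stop)\s*(?P<avpairs>.*)$"
)
# attribute=value pairs; values may contain spaces (cmd=...), so stop before the next "key="
AV_RE = re.compile(r"([A-Za-z_][\w-]*)=(.*?)(?=\s+[A-Za-z_][\w-]*=|$)")


def parse_record(line):
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable accounting record: {line!r}")
    rec = m.groupdict()
    av = dict(AV_RE.findall(rec.pop("avpairs")))
    if "cmd" in av:
        av["cmd"] = av["cmd"].replace("<cr>", "").strip()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["av"] = av
    return rec


def parse_records(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]


def login_report(records):
    """Who logged in, from where, and when: one entry per exec session start."""
    return [(r["user"], r["remote"], r["ts"].isoformat(sep=" "))
            for r in records
            if r["type"] == "start" and r["av"].get("service") == "shell"]


def change_report(records):
    """Commands issued after 'configure terminal' in a session, attributed to the user."""
    in_config = set()        # (user, line) sessions currently in configuration mode
    changes = []
    for r in records:
        key = (r["user"], r["line"])
        cmd = r["av"].get("cmd")
        if r["type"] == "stop" and "elapsed_time" in r["av"]:
            in_config.discard(key)                     # session ended
        elif cmd is None:
            continue
        elif cmd.startswith("configure terminal"):
            in_config.add(key)                         # entering config mode
        elif key in in_config:
            changes.append((r["ts"].isoformat(sep=" "), r["user"], cmd))
    return changes


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for entry in login_report(recs):
        print("login ", entry)
    for entry in change_report(recs):
        print("change", entry)
```

Run on the constructed records, the login report lists two sessions and the change report attributes the `interface GigabitEthernet0/1` and `shutdown` commands to `admin` with their timestamps; the helpdesk user's `show` command is not reported as a change because that session never entered configuration mode.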
- 63.
Configuring Server-Based AAA Accounting
AAA Accounting Configuration with CLI
Accounting Methods Lists
Command Syntax
Example AAA Accounting
Accounting Method Lists
- 64.
Configuring Server-Based AAA Accounting
AAA Accounting Configuration with CLI
AAA Accounting Example
- 65. ITE PC v4.1
Chapter 1 65
© 2007 – 2010, Cisco Systems, Inc. All rights reserved. Cisco Public
Primer
This command enables the configuration of the rest of the AAA. If it is already in the
configuration, it doesn't need to be put in again. On most IOS systems, the default has
aaa new-model disabled.
R1(config)# aaa new-model
This authentication method list, when applied to a line such as the VTY lines, will tell
the router to prompt the user who is accessing that line for a username and password
in order for that user to log in.
When the user supplies the username and password at the login prompt, the router will
send the credentials to a configured TACACS+ server and then the server can reply
with a pass or fail message. This command indicates "group tacacs+" as the first
method, as there could be more than one server configured. If no ACS server
responds after a short timeout, the router will then try the second method in the
method list, which is "local", meaning the router will then check the running config
to see if there is a username and matching password.
R1(config)# aaa authentication login AUTHEN_via_TACACS group tacacs+ local
- 66.
Primer
This next authorization method list, when applied to a line, will cause the router to
check with the AAA server to verify that the user is authorized to gain access to the
CLI.
The CLI represents an Exec Shell. Not only can the ACS indicate to the router
whether or not the user is authorized but it can also indicate what privilege level the
user is placed into. Both the username and password will need to be created on the
ACS server for the previous authentication method, and the authorization for a CLI will
also need to be configured on that same ACS server.
This authorization list will use one or more configured ACS servers via TACACS+, and
if no server responds, then the router will check locally whether the command is
authorized for this user, based on the privilege level of the user and the privilege
level of the command being attempted.
R1(config)# aaa authorization exec Author-Exec_via_TACACS group tacacs+ local
- 67.
Primer
It is important to note that before we apply either of these method lists to the VTY
lines, we should create at least one local user as a backup in the event the ACS
server is unreachable or not yet configured. The example below creates a user
in the local database of the router, including a username, a password and a
privilege level for that user. It is highly recommended that you use strong passwords
when configuring any user or device credentials.
R1(config)# username admin privilege 15 secret cisco
- 68.
Primer
Next we need to create at least one ACS server that the router should try to use via
TACACS+. This is the equivalent of creating a server group of one. The key is
used as part of the encryption of the packets, and whatever key we configure
here, we also need to configure on the ACS server.
R1(config)# tacacs-server host 192.168.1.252 key cisco123
Verifying that the IP address is reachable is a test that can be done even before the
full ACS configuration is complete on the AAA server.
R1(config)# do ping 192.168.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.252, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/13/28 ms
- 69.
Primer
Next, for the authentication method list and authorization method list to be used, we
need to apply them. In the example below we are applying both method lists to
the first five VTY lines.
R1(config)# line vty 0 4
R1(config-line)# authorization exec Author-Exec_via_TACACS
R1(config-line)# login authentication AUTHEN_via_TACACS
Users connecting to these VTY lines will now be subject to both authentication and
authorization, based on the lists that are applied to these lines.
- 70.
3.6 Summary
- 71.
Chapter 3
Summary
▪ The AAA protocol provides a scalable framework for enabling
administrative access.
▪ AAA controls who is allowed to connect to the network, what they are
allowed to do, and tracks records of what was done.
▪ In small or simple networks, AAA authentication can be implemented
using the local database.
▪ In larger or complex networks, AAA authentication should be
implemented using server-based AAA.
▪ AAA servers can use RADIUS or TACACS+ protocols to communicate
with client routers.
▪ The Cisco ACS can be used to provide AAA server services.
▪ Local AAA and server-based AAA authentication can be configured
using the CLI or CCP.