Configuring AAA Support

20 Mar

Cisco Catalyst switches support the use of the AAA architecture that was discussed in Chapter 2. Catalyst switches allow for the configuration of any combination of these authentication methods to control access to the switch:

-Local authentication—Uses the locally configured login and enable passwords to authenticate login attempts.

-RADIUS authentication—Uses the AAA server to authenticate login attempts using the RADIUS protocol.

-TACACS+ authentication—Uses the AAA server to authenticate login attempts using the TACACS+ protocol.

-Kerberos authentication—Uses a trusted Kerberos server to authenticate login attempts.

Note All configurations in this section apply to switches that run the CatOS software. To configure AAA support on a Catalyst switch that runs Native IOS software, refer to Chapter 2.

Use the following commands to enable authentication for the Catalyst switch (local login and enable authentication are enabled for both console and Telnet connections by default):

set authentication login tacacs disable console
set authentication login tacacs enable telnet primary
set authentication login tacacs enable http primary
set authentication enable tacacs disable console
set authentication enable tacacs enable telnet primary
set authentication enable tacacs disable http
set authentication login local enable console
set authentication login local enable telnet
set authentication login local enable http
set authentication enable local enable console
set authentication enable local enable telnet
set authentication enable local enable http

To view the results of enabling authentication on the switch, issue the show authentication command. The following output is an example of issuing the show authentication command:

Authorization is also supported on the Catalyst switches. It controls the functions that an authenticated user is permitted to perform on the switch. Authorization is supported on the Catalyst Ethernet switches for the following:

-Commands—User must supply a username and password that is verified by the AAA server to execute certain commands. Authorization for all commands can be enabled only for enable mode commands.

-EXEC mode—User must supply a valid username and password that is verified by the AAA server to gain access to EXEC mode.

-Enable mode—User must supply a valid username and password that is verified by the AAA server to gain access to enable mode.

Authentication is supported for three different connection types (console, Telnet, and HTTP); however, authorization is supported for only two, console and Telnet:

-Console—Authorization is performed for all console sessions.

-Telnet—Authorization is performed for all Telnet sessions.

Just as with routers, switches can be configured to use methods that provide authorization services. The methods are sometimes referred to as options, and the first option configured is known as the primary option. Any option configured after the primary option is known as a fallback option. Fallback options are used only in the event of an error condition or failure of the primary option. The Catalyst switches support the use of the following options:

-TACACS+—Uses a defined TACACS+ server to provide authorization services.
-If-Authenticated—If authentication has already taken place for a session, authorization succeeds.
-Deny—If the AAA server fails to respond to a request for authorization, the authorization request fails.
-None—If the AAA server fails to respond to a request for authorization, authorization succeeds.

Use the following commands to enable authorization for the Catalyst switch:

1. Use this command to enable authorization for EXEC mode access:

set authorization exec enable <option> <fallbackoption> <console | telnet>

2. Use this command to enable authorization for privileged mode access to the switch:

set authorization enable enable <option> <fallbackoption> <console | telnet>

3. Use this command to enable authorization of configuration commands:

set authorization commands enable <config | all> <option> <fallbackoption> <console | telnet>

The following output displays an example of enabling authorization on the Catalyst switch:

set authorization exec disable console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable disable console
set authorization enable disable telnet
set authorization commands disable console
set authorization commands enable config tacacs+ if-authenticated telnet
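The primary/fallback behaviour described above, worked through as an added Python model (not CatOS code and not the book's own) that parses the example configuration just shown. Assumed, because the page does not state them: the server reply is permit, deny, or none received; only a missing reply invokes the fallback option; and a failed primary with no fallback configured is denied.

```python
"""Model of the CatOS authorization primary/fallback semantics.

Added example; not CatOS code and not the book's own. Assumptions (not on
the page): server reply is 'permit', 'deny' or None (no response); only a
missing reply triggers the fallback; a failed primary with no fallback is denied.
"""
from typing import Dict, Optional, Tuple

OPTIONS = {"tacacs+", "if-authenticated", "deny", "none"}
Policy = Tuple[bool, Optional[str], Optional[str]]   # (enabled, primary, fallback)

# Constructed sample: the page's example configuration, one command per line.
SAMPLE_CONFIG = """
set authorization exec disable console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable disable console
set authorization enable disable telnet
set authorization commands disable console
set authorization commands enable config tacacs+ if-authenticated telnet
"""


def parse_config(text: str) -> Dict[Tuple[str, str], Policy]:
    """Map (service, connection) -> Policy from `set authorization` lines."""
    policies: Dict[Tuple[str, str], Policy] = {}
    for raw in text.splitlines():
        words = raw.split()
        if words[:2] != ["set", "authorization"]:
            continue
        service, state, rest = words[2], words[3], words[4:]
        if service == "commands" and state == "enable":
            service = "commands:" + rest[0]      # 'config' or 'all'
            rest = rest[1:]
        connection = rest[-1]                    # 'console' or 'telnet'
        opts = [w for w in rest[:-1] if w in OPTIONS]
        if state == "disable":
            policies[(service, connection)] = (False, None, None)
        else:
            policies[(service, connection)] = (
                True, opts[0], opts[1] if len(opts) > 1 else None)
    return policies


def evaluate(option: str, reply: Optional[str], authenticated: bool) -> Optional[bool]:
    """Outcome of one option; None means the option failed (no server reply)."""
    if option == "tacacs+":
        if reply == "permit":
            return True
        if reply == "deny":
            return False          # an explicit deny is a decision, not a failure
        return None               # no response: the fallback option applies
    if option == "if-authenticated":
        return authenticated
    return option == "none"       # 'none' permits, 'deny' denies


def authorize(policies: Dict[Tuple[str, str], Policy], service: str, connection: str,
              reply: Optional[str] = None, authenticated: bool = True) -> bool:
    """Permit or deny a request for `service` over `connection`."""
    enabled, primary, fallback = policies.get((service, connection), (False, None, None))
    if not enabled:
        return True               # authorization is not performed on this path
    for option in (primary, fallback):
        if option is None:
            break
        decision = evaluate(option, reply, authenticated)
        if decision is not None:
            return decision
    return False                  # primary failed and no usable fallback


POLICIES = parse_config(SAMPLE_CONFIG)
```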

To view the results of enabling authorization on the switch, issue the show authorization command. The following output displays an example of issuing the show authorization command:

Accounting allows you to track user activity to a specified host, suspicious connection attempts in the network, and unauthorized changes. The accounting information is sent to the accounting server where it is saved in the form of a record. Accounting information typically consists of the user’s action and the duration for which the action lasted. You can use the accounting feature for security, billing, and resource allocation purposes.

Accounting on the Catalyst switches can be configured for the following types of events:

-EXEC mode—Accounting information about EXEC mode sessions on the switch is recorded when this mode of accounting is configured.

-Connect—All outbound connection requests made from the switch are accounted for when this mode of accounting is performed.

-System—Accounting information on system events that are not user related is recorded. This information includes system reset, system boot, and user configuration of accounting.

-Command—Accounting information for each command entered into the switch by a user is recorded when this mode of accounting is configured.

After the switch is configured for accounting of services, accounting records are created. There are two types of accounting records: start records and stop records. Start records include information that pertains to the beginning of an event, and stop records include the complete information of the event. To configure the switch for accounting, perform the following steps:

1. Use this command to enable accounting for connection events:

set accounting connect enable <start-stop | stop-only> <tacacs+ | radius>

2. Use this command to enable accounting for EXEC mode events:

set accounting exec enable <start-stop | stop-only> <tacacs+ | radius>

3. Use this command to enable accounting for system events:

set accounting system enable <start-stop | stop-only> <tacacs+ | radius>

4. Use this command to enable accounting of all configuration commands:

set accounting commands enable <config | all> <stop-only> <tacacs+>

5. Use this command to enable suppression of accounting for events that have no username:

set accounting suppress null-username enable

It is best to leave suppression disabled, using the following command, so that events with no username are still accounted for:

set accounting suppress null-username disable

An example of configuring a Catalyst switch for accounting service is shown here:

set accounting exec enable stop-only tacacs+
set accounting connect disable
set accounting system enable stop-only tacacs+
set accounting commands enable config stop-only tacacs+
set accounting suppress null-username disable

To view the results of enabling accounting on the switch, issue the show accounting command. The following output is an example of issuing the show accounting command:

GC05-6509A> (enable) sh accounting
Event      Method   Mode
-----      ------   ----
exec:      tacacs+  stop-only
connect:   -        -
system:    tacacs+  stop-only
commands:
  config:  tacacs+  stop-only
  all:     -        -
TACACS+ Suppress for no username: disabled
Update Frequency: new-info

Accounting information:
-----------------------
Active Accounted actions on tty0, User (null) Priv 0
Active Accounted actions on tty-2106106732, User testuser Priv 15
  Task ID 807, exec Accounting record, 0,00:00:44 Elapsed
  task_id=807 start_time=1011372975 timezone=CST service=shell
Overall Accounting Traffic:
          Starts  Stops  Active
          ------  -----  ------
Exec      0       489    1
Connect   0       0      0
Command   0       0      0
System    0       43     0
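An added Python example, not from the book or from Cisco, that pairs the start and stop records described earlier and derives what the show accounting output summarises (elapsed time, sessions still active, sessions with no username). The attributes task_id, start_time, timezone and service come from the output above; user, stop_time, elapsed_time and cmd are standard TACACS+ accounting attributes assumed here, and every sample record is constructed.

```python
"""Pair TACACS+ accounting start/stop records and flag stop-only sessions,
sessions still open, and null usernames.

Added example, not the book's or Cisco's code. task_id, start_time, timezone
and service appear on the page; user, stop_time, elapsed_time and cmd are
assumed standard TACACS+ attributes. Every record below is constructed.
"""
from typing import Dict, List

# Constructed records in the AV-pair form the switch sends to the server.
# Task 807 mirrors the page's 44-second exec session; 810 is a stop-only
# command record; 811 has started but not stopped; 812 has no username.
SAMPLE_RECORDS = """
start user=testuser task_id=807 start_time=1011372975 timezone=CST service=shell
stop user=testuser task_id=807 stop_time=1011373019 elapsed_time=44 service=shell
stop user=admin task_id=810 stop_time=1011374000 elapsed_time=0 service=shell cmd=set accounting system enable stop-only tacacs+
start user=jeff task_id=811 start_time=1011375000 timezone=CST service=shell
start user= task_id=812 start_time=1011375100 timezone=CST service=shell
stop user= task_id=812 stop_time=1011375110 elapsed_time=10 service=shell
"""


def parse_record(line: str) -> Dict[str, str]:
    """Parse 'start|stop key=value ...'; a value may contain spaces (cmd=...)."""
    kind, _, rest = line.partition(" ")
    rec = {"type": kind}
    key = None
    for token in rest.split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
        elif key is not None:
            rec[key] += " " + token        # continuation of a multi-word value
    return rec


def summarize(text: str) -> Dict[str, Dict[str, object]]:
    """Group records by task_id and derive the per-session facts."""
    sessions: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        s = sessions.setdefault(rec["task_id"], {
            "user": None, "null_user": False, "open": False,
            "stop_only": False, "elapsed": None, "cmd": None})
        if rec.get("user"):
            s["user"] = rec["user"]
        else:
            s["null_user"] = True          # what suppress null-username would drop
        if rec["type"] == "start":
            s["open"] = True
            s["start_time"] = int(rec["start_time"])
        elif rec["type"] == "stop":
            # A stop record carries the complete event, so the session is fully
            # accounted even when no start record was sent (stop-only mode).
            s["stop_only"] = "start_time" not in s
            s["open"] = False
            s["elapsed"] = (int(rec["stop_time"]) - s["start_time"]
                            if "start_time" in s else int(rec["elapsed_time"]))
            s["cmd"] = rec.get("cmd")
    return sessions


def open_sessions(sessions: Dict[str, Dict[str, object]]) -> List[str]:
    """Task IDs with a start record but no stop record yet."""
    return sorted(t for t, s in sessions.items() if s["open"])


SESSIONS = summarize(SAMPLE_RECORDS)
```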
