Cisco Networking Academy

CCNA Security
Configuring AAA on
a Cisco Router
Using the Local
Database
Pedro González Mercado CCNA, CCNP - CCAI
© 2008 Cisco Systems, Inc. All rights reserved. IINS v1.0—2-2
AAA Model—Network Security Architecture

Authentication
  - Who are you?
  - "I am user student and my password validateme proves it."

Authorization
  - What can you do? What can you access?
  - "User student can access host serverXYZ using Telnet."

Accounting
  - What did you do? How long did you do it? How often did you do it?
  - "User student accessed host serverXYZ using Telnet for 15 minutes."
Implementing Cisco AAA

- Administrative access: console, Telnet, and auxiliary access
- Remote user network access: dial-up or VPN access

(Figure: a remote dial-up client reaches the NAS over the PSTN/ISDN and a remote VPN client reaches the router over the Internet; the router also has console access. The AAA servers shown are Cisco Secure ACS for Windows Server, Cisco Secure ACS Solution Engine and Cisco Secure ACS Express. PSTN = public switched telephone network.)
Implementing Authentication Using Local Services

1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.

(Figure: Remote Client connected to the Perimeter Router; callouts 1, 2 and 3 mark the steps above.)
Authenticating Router Access

(Figure: a Telnet host on the LAN and a remote router on a remote LAN reach the router over the Internet; network access and administrative access (console) are shown.)
Router Local Authentication Configuration Steps

The following are the general steps to configure a Cisco router to support local authentication:

- Add usernames and passwords to the local router database
- Enable AAA globally on the router
- Configure AAA parameters on the router
- Confirm and troubleshoot the AAA configuration
Configuring User Accounts Using Cisco SDM

Configure > Additional Tasks > Router Access > User Accounts/View
Enabling and Disabling AAA Using Cisco SDM

- AAA is enabled by default in Cisco SDM
- If you attempt to disable AAA, a warning message appears
- Choose Configure > Additional Tasks > AAA to view or modify AAA settings
Configuring AAA Authentication Using Cisco SDM

Configure > Additional Tasks > AAA > Authentication Policies > Login
Additional AAA CLI Commands

router(config)# aaa local authentication attempts max-fail number-of-unsuccessful-attempts
- Secures AAA user accounts by locking out accounts that have excessive failed attempts

router# show aaa local user lockout
- Identifies locked user accounts

router# clear aaa local user lockout
- Clears locked user accounts
Additional AAA CLI Commands (Cont.)

router# show aaa user all
- Displays statistics of logged-in users

router# show aaa sessions
- Displays the current AAA sessions and their unique IDs
AAA Configuration Example

aaa new-model
aaa local authentication attempts max-fail 10
!
!
aaa authentication login default local
enable secret 5 $1$x1$!!"#d$%&%'hb()0"!*t+!,
enable password 7 151-1.051*$.$-
!
username admin1 password 7 1-1/1/0/050"*0*.*-*1/0
username admin2 secret 5 $1$r(l$b5r234*5567kx#84s*7r00
username AAAadmin privilege 15 view root secret 5 $1$099:$15,(0hh*;+so1c<=k''$30
!
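The example above mixes reversible type 7 passwords with MD5 secrets and enables lockout. The following audit script is an added example, not part of the slides or of Cisco IOS; it checks a saved running-config for the points the slides cover (aaa new-model, a default login list that uses the local database, a max-fail threshold, and which accounts still use password 7 instead of secret 5). The sample config is constructed from the slide with placeholder hash values.

```python
import re

# Constructed sample: the slide's local-database AAA example with the
# password/secret strings replaced by placeholders (not the slide's values).
SAMPLE_LOCAL_CONFIG = """\
aaa new-model
aaa local authentication attempts max-fail 10
aaa authentication login default local
enable secret 5 <HASH>
enable password 7 <TYPE7>
username admin1 password 7 <TYPE7>
username admin2 secret 5 <HASH>
username AAAadmin privilege 15 view root secret 5 <HASH>
"""

def audit_local_aaa(config: str) -> dict:
    """Report the local-authentication hardening points from the slides:
    aaa new-model, a default login list using 'local', the lockout threshold,
    and accounts that still store a reversible type 7 password."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = {
        "aaa_new_model": "aaa new-model" in lines,
        "default_login_local": any(
            l.startswith("aaa authentication login default") and "local" in l.split()
            for l in lines),
        "max_fail": None,       # value of 'aaa local authentication attempts max-fail'
        "type7_users": [],      # username ... password 7 ... (reversible encoding)
        "type7_enable": False,  # 'enable password 7' present next to 'enable secret'
        "secret_users": [],     # username ... secret 5 ... (MD5 hash)
    }
    for l in lines:
        m = re.match(r"aaa local authentication attempts max-fail (\d+)$", l)
        if m:
            findings["max_fail"] = int(m.group(1))
        m = re.match(r"username (\S+) .*\bpassword 7\b", l)
        if m:
            findings["type7_users"].append(m.group(1))
        m = re.match(r"username (\S+) .*\bsecret 5\b", l)
        if m:
            findings["secret_users"].append(m.group(1))
        if l.startswith("enable password 7"):
            findings["type7_enable"] = True
    return findings

def lockout_enabled(findings: dict) -> bool:
    """True when a failed-attempt lockout threshold is configured."""
    return findings["max_fail"] is not None and findings["max_fail"] > 0
```

Against the slide's config it reports admin1 (and the enable password) as still using type 7, which is the change a reviewer would ask for first.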
Troubleshooting AAA Using the debug aaa authentication Command

router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async1/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

router# debug aaa authentication
- Helps troubleshoot AAA authentication problems
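The trace above walks one session id through the default list, the LOCAL method and the GETUSER, GETPASS and PASS states. The parser below is an added example (not from the slides or from Cisco) that folds such a trace into one record per session, which is what you want when many logins are interleaved in a syslog capture; the sample lines are constructed in the format of the slide's output.

```python
import re

# Constructed sample in the format of 'debug aaa authentication' output
# (same session id and user name as the slide, a subset of its lines).
SAMPLE_DEBUG = """\
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async1/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
"""

# seq: timestamp TZ: AAA/AUTHEN[/PHASE] (session-id): message
LINE_RE = re.compile(
    r"^\d+: (?P<ts>\w+ \d+ [\d:.]+) \w+: AAA/AUTHEN(?:/(?P<phase>\w+))? "
    r"\((?P<sid>\d+)\): (?P<msg>.*)$")

def summarize_aaa_debug(text: str) -> dict:
    """One record per AAA session id: method list, method, user name once
    known, the sequence of status values and the final outcome (PASS/FAIL)."""
    sessions = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # AAA/MEMORY lines carry no session id; skip them
        s = sessions.setdefault(m["sid"], {
            "list": None, "method": None, "user": None, "statuses": [], "result": None})
        msg = m["msg"]
        if (lm := re.search(r'using "(\w+)" list', msg)):
            s["list"] = lm.group(1)
        elif (mm := re.match(r"Method=(\w+)", msg)):
            s["method"] = mm.group(1)
        elif (um := re.search(r"user='([^']*)'", msg)) and um.group(1) != "(undef)":
            s["user"] = um.group(1)
        elif (sm := re.match(r"status = (\w+)", msg)):
            s["statuses"].append(sm.group(1))
            if sm.group(1) in ("PASS", "FAIL"):
                s["result"] = sm.group(1)
    return sessions

def failed_sessions(sessions: dict) -> list:
    """Session ids whose final status is FAIL (candidates for lockout review)."""
    return [sid for sid, s in sessions.items() if s["result"] == "FAIL"]
```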
Cisco Networking Academy
CCNA Security
Configuring AAA on
a Cisco Router to
Use Cisco Secure
ACS
Pedro González Mercado - CCAI
Why Use Cisco Secure ACS?

- Using the local database for AAA implementation on a Cisco router does not scale well
- Cisco Secure ACS systems can manage the user and administrative access for an entire network
- Cisco Secure ACS systems can work with external databases to authenticate users, to leverage the work already invested in building the external database
Implementing Authentication Using External Servers

1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.

(Figure: Remote Client, Perimeter Router, and the Cisco Secure ACS for Windows Server, Cisco Secure ACS Solution Engine and Cisco Secure ACS Express; callouts 1 to 4 mark the steps above.)
Cisco Secure ACS

Cisco Secure ACS is a AAA system with these features:
- Used with firewalls, dial-up access servers, and routers
- Implemented at network access points to authenticate remote users
- Used with extranet connections to audit activities and control authentication and authorization for business partners
Cisco Secure ACS Features

- Easy-to-use web GUI
- Scalable data replication and redundancy services
- Support for LDAP, Active Directory, Novell Directory Services, and ODBC databases
- Full accounting and user reporting features
- Easy and flexible control of changes to the security policy over all of the devices in a network
- Support for RADIUS and TACACS+
- Tight integration with Cisco IOS routers and Cisco VPN solutions
- Support for third-party OTPs
- Dynamic quotas to restrict access
Cisco Secure ACS Express 5.0

- Entry-level ACS
- TACACS+ and RADIUS support
- Simplified feature set
- Support for up to 50 AAA devices
- Support for up to 350 unique user ID logins in a 24-hour period
Cisco Secure ACS View 4.0

- Advanced reporting and alerting solution for Cisco Secure ACS Version 4.x
  - Interactive reports
  - Canned and custom reports
  - Scheduled reports
  - Threshold-based alerts
- Views for administrative access control
- Web-based user interface
- Centralized data management
  - Correlation of data from multiple Cisco Secure ACS servers
TACACS+ and RADIUS AAA Protocols

- TACACS+ and RADIUS are used to communicate between the AAA security servers and authenticating devices
- Cisco Secure ACS supports both TACACS+ and RADIUS:
  - TACACS+ remains more secure than RADIUS
  - RADIUS has a robust application programming interface and strong accounting

(Figure: the Cisco Secure ACS security server speaks TACACS+ and RADIUS to a firewall, a router, a NAS and a switch.)
TACACS+ Overview

- Is not compatible with its predecessors TACACS and XTACACS
- Separates authentication and authorization
- Supports a large number of features
- Encrypts all communication
- Utilizes TCP port 49
RADIUS Overview

- RADIUS was developed by Livingston Enterprises
- RADIUS proxy servers are used for scalability
- RADIUS combines authentication and authorization as one process
- DIAMETER is the planned replacement
- Technologies that use RADIUS include:
  - Remote access (i.e., dial-up and DSL)
  - 802.1X
  - SIP
TACACS+/RADIUS Comparison

(Figure: a campus network with a TACACS+ client and TACACS+ server, and a dial network with a RADIUS client and RADIUS server.)

                    TACACS+                                        RADIUS
Functionality       Separates AAA                                  Combines authentication and authorization
Standard            Mostly Cisco supported                         Open/RFC
Transport Protocol  TCP                                            UDP
CHAP                Bidirectional                                  Unidirectional
Protocol Support    Multiprotocol support                          No ARA, no NetBEUI
Confidentiality     Entire packet encrypted                        Password encrypted
Customization       Provides authorization of router commands      Has no option to authorize router commands
                    on a per-user or per-group basis               on a per-user or per-group basis
Accounting          Limited                                        Extensive
Cisco Secure ACS Prerequisites

- Cisco IOS AAA clients must run Cisco IOS Release 11.2 or later
- Cisco devices that do not run Cisco IOS Software must be configured with TACACS+, RADIUS, or both
- Dial-up, VPN, or wireless clients must be able to connect to the applicable AAA clients
- The Cisco Secure ACS server must be able to ping all AAA clients
- Gateway devices in the path to the Cisco ACS server must permit the necessary protocols and ports
- The Cisco Secure ACS server must have a supported web browser installed
- All NICs in the Cisco Secure ACS server must be enabled
Cisco Secure ACS 4.1 Homepage

Network Configuration

Interface Configuration

External Databases

Windows Database

Adding a AAA Server

Creating a AAA Login Authentication Policy
Applying an Authentication Policy

Router(config)# line vty 0 4
Router(config-line)# login authentication TACACS_SERVER
Creating a AAA Exec Authorization Policy

Creating a AAA Network Authorization Policy
AAA Accounting Configuration

router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2...]]
AAA Configuration for TACACS+ Example

aaa new-model
!
aaa authentication login TACACS_SERVER tacacs+ local
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
!
tacacs-server host 10.0.1.11
tacacs-server key ciscosecure
!
line vty 0 4
 login authentication TACACS_SERVER
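The point of "tacacs+ local" in the list above, and of binding the list to the vty lines as on the Applying an Authentication Policy slide, is that administrators keep a way in when the ACS is unreachable. The checker below is an added example (not from the slides or from Cisco IOS) that parses the login method lists and the per-line bindings from a saved config and flags a line bound to an undefined list or to a TACACS+ list with no local fallback; the sample config is constructed from the slide with the server key replaced by a placeholder.

```python
import re

# Constructed sample: the slide's TACACS+ example with the key replaced.
SAMPLE_TACACS_CONFIG = """\
aaa new-model
aaa authentication login TACACS_SERVER tacacs+ local
aaa authorization exec tacacs+
aaa authorization network tacacs+
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
tacacs-server host 10.0.1.11
tacacs-server key <KEY>
line vty 0 4
 login authentication TACACS_SERVER
"""

def parse_login_lists(config: str) -> dict:
    """Map each 'aaa authentication login <name> ...' list to its ordered methods."""
    lists = {}
    for l in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", l.strip())
        if m:
            lists[m.group(1)] = m.group(2).split()
    return lists

def line_login_lists(config: str) -> dict:
    """Map each 'line ...' block to the login authentication list it applies;
    a block with no explicit 'login authentication' uses the 'default' list."""
    applied, current = {}, None
    for raw in config.splitlines():
        l = raw.strip()
        if l.startswith("line "):
            current = l[5:]
            applied[current] = "default"
        elif current and l.startswith("login authentication "):
            applied[current] = l.split()[-1]
    return applied

def check_tacacs_fallback(config: str) -> list:
    """Problems found: a line bound to a list this config does not define, or a
    list that tries tacacs+ with no 'local' method after it (an unreachable
    ACS would then leave no administrative access)."""
    lists, applied = parse_login_lists(config), line_login_lists(config)
    problems = []
    for line, name in applied.items():
        methods = lists.get(name)
        if methods is None:
            problems.append(f"{line}: list '{name}' is not defined in this config")
        elif "tacacs+" in methods and "local" not in methods:
            problems.append(f"{line}: list '{name}' has no local fallback after tacacs+")
    return problems
```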