BUILDING REMOTE ACCESS NETWORKS part 7 docx


Securing your Remote Access Network • Chapter 8 337

Configuring TACACS+ Parameters

The tacacs-server command is used to set TACACS+ server parameters in global configuration mode. With this command you can set the IP address of the TACACS+ server, the encryption key used by the server, client-server timeouts, the maximum number of failed attempts at executing commands, and other server-specific settings.

Defining a TACACS+ Server Host

The optional timeout keyword sets the amount of time a server will wait for a host to reply before timing out. The optional key keyword sets the encryption key used between the access server and the TACACS+ daemon. Any timeout or key settings made here for this specific host override the global settings for these values.

    router(config)#tacacs-server host name [timeout integer] [key string]

Optional TACACS+ Commands

Table 8.2 details optional configuration commands that might suit your security requirements.

Table 8.2 Optional TACACS+ Commands

    router(config)#tacacs-server retransmit retries
        Specifies the number of times the server searches the list of TACACS+ servers before stopping.
    router(config)#tacacs-server timeout seconds
        Sets the amount of time a server will wait for a host to reply before timing out.
    router(config)#tacacs-server attempts count
        Sets the number of login attempts that can be made on the line.
    router(config)#tacacs-server key key
        Sets the encryption key used between the access server and the TACACS+ daemon.

Configuring RADIUS Parameters

The radius-server command is used to set RADIUS server parameters in global configuration mode.

Defining a RADIUS Server Host

The auth-port and acct-port keywords specify the port numbers used for authentication and accounting, respectively.
    router(config)#radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number]

Optional RADIUS Commands

Table 8.3 lists optional RADIUS configuration commands.

Table 8.3 Optional RADIUS Commands

    router(config)#radius-server key string
        Specifies the shared secret string used between the router and the RADIUS server.
    router(config)#radius-server retransmit retries
        Specifies the number of times the server searches the list of RADIUS servers before stopping. The default is 3.
    router(config)#radius-server timeout seconds
        Sets the amount of time a server will wait for a host to reply before timing out.
    router(config)#radius-server deadtime minutes
        Sets the amount of time a RADIUS server will continue to be used if no authentication requests are acknowledged.
    router(config)#radius-server vsa send [accounting | authentication]
        Enables the NAS to use and recognize RADIUS IETF attribute 26 vendor-specific attributes. This allows more Cisco-specific attribute-value pairs to be recognized by RADIUS.

Configuring AAA Authentication

There are many different authentication types defined by AAA, including login, enable, arap, nasi, and ppp. The following are the most commonly used types of authentication.

The aaa authentication login Command

The aaa authentication login command is used to enable AAA authentication, regardless of the authentication method you decide to use. With this command you define a list of one or more login authentication methods that will be tried when a user logs in, and then apply this list to a line. To create a login authentication list use:

    router(config)#aaa authentication login {default | list-name} method1 [method2...]

The list-name is a character string used to identify the method-list. It is this name you use when you apply the list to a line.
One or more methods can be listed; they identify which authentication methods are attempted and in which order. If you want to allow a user access even if all authentication methods fail, add the none keyword at the end of the method-list. Table 8.4 lists the supported methods and their descriptions.

Table 8.4 AAA Authentication Login Method Types

    enable       Use the enable password for authentication.
    if-needed    Do not authenticate if the user has already been authenticated on a TTY line.
    krb5         Use Kerberos version 5 for authentication.
    krb5-telnet  Use Kerberos 5 Telnet authentication when using Telnet to connect to the router. If used, it must be the first method in the method-list.
    line         Use the line password for authentication.
    local        Use the local username database for authentication.
    none         Use no authentication.
    radius       Use RADIUS authentication.
    tacacs+      Use TACACS+ authentication.

To apply an authentication login list to a line or set of lines, use:

    router(config)#line [aux | console | tty | vty] line-number [end-line-number]
    router(config-line)#login authentication {default | list-name}

The following configuration is an example of how a router may be configured to use AAA login authentication. The authentication list is first defined, then applied to the appropriate lines.

    router(config)#aaa new-model
    router(config)#aaa authentication login default tacacs+ radius
    router(config)#aaa authentication login customers tacacs+ radius local none
    router(config)#line 0
    router(config-line)#login authentication default
    router(config-line)#exit
    router(config)#line 1 16
    router(config-line)#login authentication customers

The aaa authentication ppp Command

The aaa authentication ppp command is used to specify authentication methods for use on serial interfaces using PPP.
To create a ppp authentication list, use:

    router(config)#aaa authentication ppp {default | list-name} method1 [method2...]

Table 8.5 details the methods supported by aaa authentication ppp.

Table 8.5 AAA Authentication PPP Method Types

    local      Local username database used for authentication.
    krb5       Kerberos 5 used for authentication (PAP only).
    if-needed  Does not authenticate if the user has already been authenticated on a TTY line.
    none       No authentication used.
    radius     RADIUS used for authentication.
    tacacs+    TACACS+ used for authentication.

The method-list is then applied to an interface using:

    router(config)#interface interface-type interface-number
    router(config-if)#ppp authentication {chap | pap | chap pap | pap chap} [if-needed] {default | list-name} [callin]

The following configuration is an example of how a router may be configured to use AAA PPP authentication. The authentication list is first defined, then applied to serial interface 0.

    router(config)#aaa new-model
    router(config)#aaa authentication ppp default tacacs+ radius
    router(config)#interface s0
    router(config-if)#encapsulation ppp
    router(config-if)#ppp authentication chap default

In the example above, a default PPP authentication method-list has been created. Initially, TACACS+ is used to try to authenticate the user, then RADIUS is used. If both authentication methods fail, authentication fails. The default method-list is then applied to interface serial 0.

The aaa authentication enable default Command

The aaa authentication enable default command is used to determine whether a user can access the privileged-command level.

    router(config)#aaa authentication enable default method1 [method2...]

Table 8.6 lists the methods supported by aaa authentication enable. If no method is specified, no authentication is used and access is therefore always allowed.
Table 8.6 AAA Authentication Enable Method Types

    line       Line password used for authentication.
    if-needed  Does not authenticate if the user has already been authenticated on a TTY line.
    none       No authentication used.
    radius     RADIUS used for authentication.
    tacacs+    TACACS+ used for authentication.

Configuring AAA Authorization

Once the user has been authenticated, authorization is used to restrict access. The aaa authorization global command is used to configure AAA authorization. AAA supports four types of authorization:

    Network         Applies to network connections, including PPP, ARAP, or Serial Line Internet Protocol (SLIP).
    EXEC            Applies to the user EXEC terminal session.
    Commands        Applies to EXEC mode commands issued by a user. Authorization is attempted for all EXEC mode commands associated with a particular access level.
    Reverse access  Applies to reverse Telnet sessions.

AAA supports six authorization methods used to determine a user's access to each of the authorization types:

    If authenticated       The user is allowed to access the requested feature if successfully authenticated.
    Local                  The access server uses its local database to provide authorization for the requested feature. The local database is defined using the username command and can only be used to authorize certain functions.
    None                   Authorization is not performed for this function.
    RADIUS                 A RADIUS server is used to provide authorization functions. This is performed by associating attributes held in the RADIUS database with a particular user.
    TACACS+                A TACACS+ server is used to provide authorization functions. Authorization is performed by associating a user with attribute-value pairs stored in the TACACS+ security database.
    Kerberos instance map  The instance defined by the kerberos instance map command is used.
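To make the fall-through behaviour of the login and authorization method-lists above concrete, here is an added Python simulation of how the NAS walks a list; it is not code from the book or from Cisco. It models the standard IOS rule that the next method is tried only when the previous one returns an error (server unreachable, user unknown locally) rather than a rejection, which is a step beyond the chapter's wording; the Nas class, server states and user accounts are assumptions constructed for the example.

```python
"""Walk an IOS AAA method-list the way the NAS does (added example, not from the book).

Each method answers PASS, FAIL or ERROR. PASS and FAIL end the walk; only ERROR
(server unreachable, user unknown to the local database) moves on to the next
method. This error-versus-reject rule is standard IOS behaviour and goes a step
beyond the chapter's wording. 'none' always PASSes; 'if-authenticated' PASSes
when the user has already authenticated. Server states and users are constructed.
"""
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Nas:
    reachable: dict = field(default_factory=dict)     # server name -> bool
    server_users: dict = field(default_factory=dict)  # server name -> {user: pw}
    local_users: dict = field(default_factory=dict)   # 'username' command entries

    def _server(self, name, user, password):
        if not self.reachable.get(name, False):
            return ERROR          # request timed out: fall through to next method
        return PASS if self.server_users.get(name, {}).get(user) == password else FAIL

    def try_method(self, method, user, password, authenticated):
        if method in ("tacacs+", "radius"):
            return self._server(method, user, password)
        if method == "local":
            if user not in self.local_users:
                return ERROR      # unknown locally: the next method is tried
            return PASS if self.local_users[user] == password else FAIL
        if method == "none":
            return PASS           # no authentication / no authorization at all
        if method == "if-authenticated":
            return PASS if authenticated else FAIL
        raise ValueError(f"unsupported method {method!r}")

    def walk(self, method_list, user, password="", authenticated=False):
        """Return (verdict, method that decided it); None when every method errored."""
        for method in method_list:
            result = self.try_method(method, user, password, authenticated)
            if result != ERROR:
                return result, method
        return FAIL, None         # all methods errored: access is denied


# Constructed scenario: both security servers unreachable, one local admin account.
OUTAGE = Nas(reachable={"tacacs+": False, "radius": False},
             local_users={"admin": "localpw"})

# The chapter's lists: 'default tacacs+ radius', 'customers tacacs+ radius local none'
# and the network authorization list 'default tacacs+ local if-authenticated'.
LOGIN_DEFAULT = ["tacacs+", "radius"]
LOGIN_CUSTOMERS = ["tacacs+", "radius", "local", "none"]
AUTHZ_DEFAULT = ["tacacs+", "local", "if-authenticated"]


def outage_report():
    """Verdicts during the outage; shows which trailing keyword opens the door."""
    return {
        "login default, unknown user": OUTAGE.walk(LOGIN_DEFAULT, "mallory", "x"),
        "login customers, unknown user": OUTAGE.walk(LOGIN_CUSTOMERS, "mallory", "x"),
        "login customers, admin bad pw": OUTAGE.walk(LOGIN_CUSTOMERS, "admin", "wrong"),
        "authz default, authenticated": OUTAGE.walk(AUTHZ_DEFAULT, "mallory",
                                                    authenticated=True),
    }
```

The report shows that the customers list admits an unknown user through none once both servers are down, while a rejection from a reachable server stops the walk before none is reached.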
When using basic AAA authorization, only a single method is used to attempt to authorize a user. If this method fails, no authorization is granted.

    router(config)#aaa authorization {network | exec | commands level | reverse-access} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}

For example, the command aaa authorization exec tacacs+ would cause the access server to use a TACACS+ database to provide authorization for EXEC mode commands. By using an authorization method-list, several authorization methods may be used in sequence to attempt to authorize a user to carry out a particular function.

    router(config)#aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method1 [method2...]]

The authorization method-list is assigned to a line as follows:

    router(config)#line [aux | console | tty | vty] line-number [ending-line-number]
    router(config-line)#authorization {arap | commands level | exec | reverse-access} {default | list-name}

The authorization method-list is assigned to an interface as follows:

    router(config)#interface interface-type interface-number
    router(config-if)#ppp authorization {default | list-name}

The following sample shows how a router can be configured to use AAA authorization:

    router(config)#aaa new-model
    router(config)#aaa authorization network default tacacs+ local if-authenticated
    router(config)#aaa authorization exec admins tacacs+ local
    router(config)#interface serial 0
    router(config-if)#ppp authorization default
    router(config-if)#exit
    router(config)#line console 0
    router(config-line)#authorization exec admins

In the example above, two authorization method-lists are defined: a network 'default' list and an exec 'admins' list. The 'default' network list attempts authorization by TACACS+, and then checks the NAS local database.
If both these methods fail, the if-authenticated keyword will cause the user to be granted authorization only if they have been successfully authenticated. The 'admins' exec list attempts to authorize access to an EXEC session first by TACACS+, then by the local user database. If both fail, authorization is denied. The 'default' network method-list is applied to interface serial 0. The 'admins' method-list is applied to the console line.

Configuring AAA Accounting

Accounting is a very powerful network auditing feature, allowing user-activity information to be collected and stored on your security server. The aaa accounting global command is used to configure AAA accounting. AAA supports five types of accounting:

    Network     Monitors and reports information on network connections, including PPP, ARAP, or SLIP. Information recorded includes items such as byte or packet count, protocol used, username, and start and stop times.
    EXEC        Reports information about user EXEC terminal sessions on the NAS. Information includes start and stop times, the IP address of the NAS, and the number that dialed in for dial-up users.
    Commands    Reports on all EXEC terminal commands executed by a user, recording information such as the command used, the privilege level of the command, and the username. Cisco command accounting can be used only with TACACS+ security servers.
    System      Reports on all system-level events, such as reboots and when accounting is turned on or off. Cisco system accounting can only be used with TACACS+ security servers, and does not support named method-lists (default only).
    Connection  Reports on outbound connections made from the NAS, such as Telnet, local-area transport (LAT), packet assembler/disassembler (PAD), TN3270, and rlogin.

AAA supports only two accounting methods:

    RADIUS   A RADIUS server is used to record accounting information.
             Only limited types of accounting are supported.
    TACACS+  A TACACS+ server is used to record accounting information.

Basic AAA accounting is enabled using the following command:

    router(config)#aaa accounting {system | network | connection | exec | commands level} {start-stop | wait-start | stop-only} {tacacs+ | radius}

Table 8.7 lists the options that control when an accounting record is generated. For example, the aaa accounting connection stop-only tacacs+ global configuration command would report outbound connections from the NAS to a TACACS+ server only when the connection has ended. By using an accounting method-list, accounting records may be sent to several accounting servers.

    router(config)#aaa accounting {system | network | connection | exec | commands level} {default | list-name} {start-stop | wait-start | stop-only} [method1 [method2...]]

The following commands apply an accounting method-list to a line:

    router(config)#line [aux | console | tty | vty] line-number [ending-line-number]
    router(config-line)#accounting {arap | commands level | exec | connection} {default | list-name}

Using the arap keyword will report on network accounting events. The following commands are used to apply an accounting method-list to an interface:

    router(config)#interface interface-type interface-number
    router(config-if)#ppp accounting {default | list-name}

The following configuration commands show how accounting can be configured on a router and then applied to a group of lines.
    router(config)#aaa new-model
    router(config)#aaa accounting connection sessions stop-only tacacs+
    router(config)#aaa accounting network users wait-start tacacs+
    router(config)#aaa accounting commands 10 admins start-stop tacacs+ radius
    router(config)#line tty 8 16
    router(config-line)#accounting connection sessions
    router(config-line)#accounting arap users
    router(config-line)#accounting commands 10 admins

Table 8.7 AAA Accounting Report Triggers

    start-stop  An accounting record is sent when a process to be reported on starts, and again when it ends.
    wait-start  An accounting record is sent when a process to be reported on starts. The security server must acknowledge that the record has been received before the user can continue with the process.
    stop-only   An accounting record is only sent at the end of the process to be reported on.

In the example above, three accounting method-lists are defined: sessions, users, and admins. Sessions reports outbound connections from the NAS to a TACACS+ server on their completion. The users method-list reports network events to a TACACS+ server; however, the TACACS+ server must acknowledge receipt of the accounting record before the user may proceed. Admins reports information on privilege level 10 commands when they begin and when they end. Records are sent to a TACACS+ server first, and a RADIUS server is used if TACACS+ fails. The three method-lists are applied to TTY lines 8 through 16.

Virtual Profiles and AAA

Virtual profiles are an exceptionally powerful feature, allowing per-user configurations defined on central security servers to be applied to dialer interfaces. This is a PPP-specific feature, and can be used in conjunction with dialer profiles to provide a unique interface to each user.
Virtual profiles are totally independent of the media used for the dial-in call; Integrated Services Digital Network (ISDN) and Public Switched Telephone Network (PSTN) dial-in users, for example, could use the same profiles. Virtual profile configuration can be derived from a virtual interface configuration, from per-user configuration stored on an AAA security server, or from a combination of the two. Virtual profiles are used to overcome current network scalability limitations:

    AAA implementation            Currently per-user configuration is limited by the AV pairs defined by the AAA implementation. Virtual profiles allow more Cisco-specific attributes to be used.
    Media                         Each interface currently can be accessed only by statically defined users associated with that interface. Using virtual profiles allows a user configuration to be dynamically bound to an interface when it is accessed.
    Network protocols             When using virtual profiles, network numbers are assigned dynamically on dial-in.
    Dial-on-demand routing (DDR)  DDR is designed to add routes when a temporary link comes up, but not to remove them when the link is torn down. Dynamically adding and removing routes improves scalability.
    Dialer profiles               Dialer profiles solve some of the limitations of legacy DDR, but are limited by the number of physical interfaces on the router. Virtual profiles can scale to many thousands of dial-in users.
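Returning to the accounting section, the following added Python simulation (not code from the book or from Cisco) runs the sessions, users and admins accounting lists from the accounting example through the three Table 8.7 triggers during a TACACS+ outage; the AccountingNas class, the server reachability and the record format are constructed assumptions.

```python
"""Simulate the Table 8.7 accounting triggers on the chapter's three method-lists
(added example, not from the book).

A method-list names the servers tried in order; the first one that acknowledges a
record keeps it (the chapter: 'a RADIUS server is used if TACACS+ fails'). Server
reachability is constructed sample data. A record whose server is None left the
NAS but was stored nowhere, which is what an auditor needs to know.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    list_name: str
    phase: str               # 'start' or 'stop'
    server: Optional[str]    # server that acknowledged it; None if all failed


class AccountingNas:
    def __init__(self, reachable):
        self.reachable = reachable   # server name -> bool (constructed)
        self.lists = {}              # list name -> (trigger, [servers])
        self.log = []                # records in the order they left the NAS

    def define(self, list_name, trigger, *servers):
        # aaa accounting <type> <list-name> <trigger> <method1> [method2...]
        if trigger not in ("start-stop", "wait-start", "stop-only"):
            raise ValueError(f"unknown trigger {trigger!r}")
        self.lists[list_name] = (trigger, list(servers))

    def _send(self, list_name, phase):
        _, servers = self.lists[list_name]
        acked_by = next((s for s in servers if self.reachable.get(s)), None)
        rec = Record(list_name, phase, acked_by)
        self.log.append(rec)
        return rec

    def run_process(self, list_name):
        """Run one accounted process end to end; True if the user could proceed."""
        trigger, _ = self.lists[list_name]
        if trigger in ("start-stop", "wait-start"):
            start = self._send(list_name, "start")
            # Only wait-start blocks: the start record must be acknowledged first.
            if trigger == "wait-start" and start.server is None:
                return False         # no acknowledgement: the user is held
        self._send(list_name, "stop")
        return True

    def unacked(self):
        return [r for r in self.log if r.server is None]


def build(reachable):
    """The chapter's lists: sessions, users and admins on TTY lines 8-16."""
    nas = AccountingNas(reachable)
    nas.define("sessions", "stop-only", "tacacs+")
    nas.define("users", "wait-start", "tacacs+")
    nas.define("admins", "start-stop", "tacacs+", "radius")
    return nas


def tacacs_outage_report():
    """TACACS+ down, RADIUS up: who proceeds, what was logged, what was lost."""
    nas = build({"tacacs+": False, "radius": True})
    allowed = {n: nas.run_process(n) for n in ("sessions", "users", "admins")}
    return allowed, nas.log, nas.unacked()
```

During the outage only the admins list, which names a second server, keeps a complete trail; the wait-start users list holds the user, and the single-server sessions list lets the connection through with its stop record lost.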

Posted: 14/08/2014, 13:20
