Designing Network Security (Cisco Press), part 8 (ppsx)


Securing Dial-In Access http://wwwin.cisco.com/cpress/cc/td/cpress/internl/dns/ch10.htm (22 of 103) [02/02/2001 17.33.17]

! on serial lines using PPP. If the RADIUS server fails
! to respond, then local network authorization will be performed.
aaa authorization network dialup2 radius local
! username and password to be used for the PPP CHAP
username staff password letmein
radius-server host 144.254.9.6
radius-server key myRaDiUSpassWoRd
interface group-async 1
group-range 1 16
encapsulation ppp
! selects CHAP as the method of PPP authentication and applies
! the "dialup" method list to the specified interfaces.
ppp authentication chap dialup
! applies the dialup2 network authorization method list to the
! specified interfaces.
ppp authorization dialup2
line 1 16
! command used to allow a PPP session to start up automatically
autoselect ppp
! command used to display the username and password prompt without
! pressing the Enter key. After the user logs in, the autoselect
! function (in this case, PPP) begins.
autoselect during-login
! command used to apply the staff method list for login authentication
login authentication staff
! command to configure modems attached to the selected lines to accept
! only incoming calls
modem dialin

Sample TACACS+ Database Syntax

Listing 10-3 shows the syntax used in CiscoSecure, the Cisco TACACS+ Access Control Server, for its TACACS+ database. The syntax may change as more functionality is added; this example is given to show what you can configure on the TACACS+ server side. Most TACACS+ servers employ similar functionality and often also have a simple-to-use graphical user interface that creates the appropriate database for you.
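The method-list line "aaa authorization network dialup2 radius local" above falls back to the local database only when RADIUS does not answer. The following model, added here as an illustration and not code from the book or from Cisco, walks a method list the way IOS does: a server that answers "deny" ends the list, whereas a server that does not respond hands over to the next method. The user names, the unreachable-server convention (None) and the PASS/FAIL/ERROR values are constructed for the example.

```python
# Added illustration (not Cisco code) of how an IOS AAA method list such as
# "aaa authorization network dialup2 radius local" walks its methods. Each
# method answers PASS, FAIL or ERROR. Only ERROR (no response from the server)
# moves on to the next method; FAIL (the server answered "deny") ends the list,
# so a user that RADIUS rejects is never retried against the local database.
PASS, FAIL, ERROR = "pass", "fail", "error"

def radius_method(server_users, user):
    """Constructed RADIUS stand-in: server_users is None when the server is unreachable."""
    if server_users is None:
        return ERROR      # no reply within the retransmit timeout
    return PASS if user in server_users else FAIL

def local_method(local_users, user):
    """The NAS's own username database (the 'local' keyword)."""
    return PASS if user in local_users else FAIL

def run_method_list(methods, user):
    """Evaluate ordered (name, fn) pairs; return (authorized, deciding_method)."""
    for name, method in methods:
        result = method(user)
        if result == PASS:
            return True, name
        if result == FAIL:
            return False, name   # definite answer: stop here, no fallback
    return False, "no-response"  # every method errored out: deny

def dialup2(radius_users, local_users, user):
    """The 'dialup2' list from the configuration above: radius first, then local."""
    methods = [("radius", lambda u: radius_method(radius_users, u)),
               ("local", lambda u: local_method(local_users, u))]
    return run_method_list(methods, user)

def demo():
    # Constructed sample users: 'staff' exists only on the NAS (username staff ...),
    # 'alice' exists only on the RADIUS server.
    radius_up, local = {"alice"}, {"staff"}
    return {
        "radius_up_known": dialup2(radius_up, local, "alice"),     # (True, "radius")
        "radius_up_rejected": dialup2(radius_up, local, "staff"),  # (False, "radius"), no local fallback
        "radius_down_local": dialup2(None, local, "staff"),        # (True, "local")
        "radius_down_unknown": dialup2(None, local, "mallory"),    # (False, "local")
    }
```

The practical consequence is that a local account is only ever consulted while the RADIUS server is down, so the local database should hold an emergency account, not a second copy of every user.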
Listing 10-3 The Syntax for the CiscoSecure Server

[unknown_user] = {
[user | group] = [<user name> | <group name>] {
    password = [clear | chap | arap | pap | des] ["password"] [from "dd mmm yy" until "dd mmm yy" | until "dd mmm yy"]
    password = [skey | system | no_password] [from "dd mmm yy" until "dd mmm yy" | until "dd mmm yy"]
    password = file <"file name"> [from "dd mmm yy" until "dd mmm yy" | until "dd mmm yy"]
    privilege = [clear | des] "<password>" [0-15]
    privilege = [skey] [0-15]
    default service = [permit | deny]
    prohibit service = <service name>
    default attribute = [permit | deny]
    allow <"nas name"> <"port name"> <"rem_addr">
    refuse <"nas name"> <"port name"> <"rem_addr">
    expires = [<"month day year"> | <"dd mmm yy">]
    valid = [<"month day year"> | <"dd mmm yy">]
    member = <group name>
    service = shell {
        default attribute = [permit | deny]
        default cmd = [permit | deny]
        prohibit cmd = <command>
        set acl = <access-class number>
        set autocmd = <"command">
        set noescape = [true | false]
        set nohangup = [true | false]
        set priv-lvl = [0-15]
        set timeout = <minutes>
        set callback-dialstring = <phone number>
        set callback-line = <line number>
        set callback-rotary = <rotary number>
        set nocallback-verify = 1
        cmd = <command> {
            [deny | permit] <"command arg">
            default attribute = permit
        }
        time = [<Mo, Tu, We, Th, Fr, Sa, Su 0000 - 2359> | <Any 0000 - 2359>]
    }
    service = ppp {
        default protocol = [permit | deny]
        prohibit protocol = <protocol>
        protocol = lcp {
            default attribute = [permit | deny]
            set callback-dialstring = <phone number>
            set callback-line = <line number>
            set callback-rotary = <rotary number>
            set nocallback-verify = 1
            time = [<Mo, Tu, We, Th, Fr, Sa, Su 0000 - 2359> | <Any 0000 - 2359>]
        }
        protocol = vpdn {
            set tunnel-id = <NAS name>
            set ip-addresses = <"x.x.x.x x.x.x.x">
        }
        protocol = ip {
            default attribute = [permit | deny]
            set addr = <ip address>
            set addr-pool = <ip local pool name>
            set inacl = <input access-list number>
            set outacl = <output access-list number>
            set route = <"destination_address mask gateway">
            set routing = [true | false]
            time = [<Mo, Tu, We, Th, Fr, Sa, Su 0000 - 2359> | <Any 0000 - 2359>]
        }
        protocol = ipx {
            default attribute = [permit | deny]
            set acl = <access-list number>
            time = [<Mo, Tu, We, Th, Fr, Sa, Su 0000 - 2359> | <Any 0000 - 2359>]
        }
        protocol = atalk {
            default attribute = [permit | deny]
            set zonelist = <zonelist>
            time = [<Mo, Tu, We, Th, Fr, Sa, Su 0000 - 2359> | <Any 0000 - 2359>]
        }
    }

The Lock-and-Key Feature

Lock-and-key is a traffic-filtering security feature in Cisco IOS devices that dynamically filters IP protocol traffic. It can be used to authorize temporary access to specified areas of a corporate network. Lock-and-key is configured using IP dynamic extended access lists and can be used in conjunction with other standard access lists and static extended access lists. When triggered, lock-and-key reconfigures the interface's existing IP access list to permit designated users to reach specified areas of the network. When it is finished, lock-and-key reconfigures the interface back to its original state.

For a user to gain access to a host through a router with lock-and-key configured, the user must first Telnet to the router. When a user initiates a standard Telnet session to the router, lock-and-key automatically attempts to authenticate the user. If the user is authenticated, he or she then gains temporary access through the router and can reach the destination host.
Currently, a user at a remote site can use WAN technology such as Asynchronous Transfer Mode (ATM), dial-on-demand routing (DDR), Frame Relay, ISDN, PPP, or X.25 to connect to the corporate office using lock-and-key. The following steps describe the lock-and-key access operation (see Figure 10-4):

Step 1 A user opens a Telnet session to a border (firewall) router configured for lock-and-key. The user connects using the virtual terminal port on the router.

Step 2 The Cisco IOS software receives the Telnet packet, opens a Telnet session, prompts for a password, and performs a user authentication process. The user must pass authentication before access through the router is allowed. The authentication process can be done by the router or by a central access security server, such as a TACACS+ or RADIUS server.

Step 3 When the user passes authentication, he or she is logged out of the Telnet session, and the software creates a temporary entry in the dynamic access list. (Per your configuration, this temporary entry can limit the range of networks to which the user is given temporary access.)

Step 4 The user exchanges data through the router/firewall. The software deletes the temporary access list entry when a configured timeout is reached or when the system administrator manually clears the entry. The configured timeout can either be an idle timeout or an absolute timeout.

Figure 10-4: A Lock-and-Key Operation

Note The temporary access list entry is not automatically deleted when the user terminates a session. The temporary access list entry remains until a configured timeout is reached or until the entry is cleared by the system administrator.

When lock-and-key is triggered, it creates a dynamic opening in the firewall by temporarily reconfiguring an interface to allow user access. While this opening exists, another host can spoof the authenticated user's address to gain access behind the firewall.
Lock-and-key does not cause the address spoofing problem; the problem is only identified here as a concern to the user. Spoofing is a problem inherent to all access lists, and lock-and-key does not specifically address this problem. To prevent spoofing, you can configure network data encryption as described in the last section of this chapter. Configure encryption so that traffic from the remote host is encrypted at a secured remote router and is decrypted locally at the router interface that provides the lock-and-key service. You want to ensure that all traffic using lock-and-key is encrypted when entering the router. In this way, no hackers can spoof the source address because they are unable to duplicate the encryption or to be authenticated (a required part of the encryption setup process).

Lock-and-Key Authentication

There are three possible ways to configure an authentication query process:

● Configure a security server. Use a network access security server such as a TACACS+ server. This method requires additional configuration steps on the TACACS+ server but allows for stricter authentication queries and more sophisticated tracking capabilities.
  Router# login tacacs

● Configure the username command. This method is more effective than the preceding one because authentication is determined on a user basis.
  Router# username name password password

● Configure the password and login commands. This method is less effective than the first method because the password is configured for the port, not for the user. Therefore, any user who knows the password can authenticate successfully.
  Router# password password
  Router# login local

Note It is recommended that you use the TACACS+ server for your authentication query process. TACACS+ provides authentication, authorization, and accounting services. It also provides protocol support, protocol specification, and a centralized security database.

Lock-and-Key Examples

The first lock-and-key example is shown in Figure 10-5. Here we show how to configure lock-and-key access from a telecommuter to a NAS, with authentication occurring locally at the campus NAS. Lock-and-key is configured on the BRI 0 interface of the NAS. The configuration looks as follows:

! Telecommuter who will come in using lock-and-key
username telecommuter password 7 0758364708452A
isdn switch-type basic-dms100
!
interface ethernet 0
ip address 144.254.166.6 255.255.255.0
interface BRI0
ip unnumbered ethernet 0
encapsulation ppp
dialer idle-timeout 3600
dialer wait-for-carrier-time 100
dialer map ip 171.73.34.33 name merike
dialer-group 1
isdn spid1 8316333715291
isdn spid2 8316339371566
ppp authentication chap
ip access-group 101 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 144.254.166.6
ip route 144.254.166.6 255.255.255.255 BRI0
! allows Telnet from telecommuter to this router
access-list 101 permit tcp any host 144.254.166.6 eq telnet
! allows telecommuter to have access anywhere inside campus after Telneting
! to router and successful authentication
access-list 101 dynamic telecommuter timeout 120 permit ip any any
!
dialer-list 1 protocol ip permit
line vty 0
login local
autocommand access-enable timeout 5

Figure 10-5: Lock-and-Key for Telecommuter Access

The first access-list entry allows only Telnet sessions into the router. The second access-list entry is always ignored until lock-and-key is triggered. After a user Telnets into the router, the router attempts to authenticate the user. If authentication is successful, autocommand executes and the Telnet session terminates.
The autocommand command creates a temporary inbound access list entry at the Serial 0 interface, based on the second access-list entry (telecommuter). This temporary entry expires after 5 minutes, as specified by the timeout value.

The second lock-and-key example is shown in Figure 10-6. This example shows how to configure lock-and-key access for a branch router, with authentication on a TACACS+ server. Lock-and-key access is configured on the BRI 0 interface of the NAS.

Figure 10-6: Lock-and-Key for Branch Router Access

The configuration on the NAS is as follows:

aaa new-model
aaa authentication login lockkey tacacs+ enable
aaa authorization exec tacacs+
!
isdn switch-type basic-dms100
!
interface Ethernet0
ip address 144.254.166.6 255.255.255.0
!
interface BRI0
ip unnumbered Ethernet0
ip access-group 101 in
no ip mroute-cache
encapsulation ppp
dialer idle-timeout 300
dialer map ip 192.150.42.1 name Branchrouter 97328866
dialer-group 1
isdn spid1 8316333715291
isdn spid2 8316339371566
no fair-queue
compress stac
ppp multilink
!
router eigrp 100
network 144.254.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.150.42.1
[...]
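The following model of the dynamic access list behaviour described in Steps 1 to 4 and configured in the telecommuter example (access-list 101 with its dynamic entry, and autocommand access-enable timeout 5) is added here as an illustration; it is not code from the book or from Cisco. The inside host 144.254.166.50, the second source 10.9.9.9 and the time values (plain minutes) are constructed, and entries are evaluated in the order written, a simplification of the real list processing.

```python
# Added model (not Cisco code) of the lock-and-key access list in the telecommuter
# example: static entries, a 'dynamic' template line that only takes effect once
# access-enable creates a temporary entry for the authenticated source address.
from dataclasses import dataclass, field

# An entry is (action, proto, src, dst, dport); "ip", "any" and None are wildcards.
def matches(e, src, dst, proto, dport):
    _action, eproto, esrc, edst, edport = e
    return ((eproto == "ip" or eproto == proto) and esrc in ("any", src)
            and edst in ("any", dst) and edport in (None, dport))

@dataclass
class LockAndKeyACL:
    static: list            # ordinary entries, evaluated first as written in the config
    template: tuple         # the 'dynamic' line; its src is replaced by the user's address
    absolute_minutes: int   # access-list 101 dynamic telecommuter timeout 120
    idle_minutes: int       # autocommand access-enable timeout 5
    temp: dict = field(default_factory=dict)   # src -> [created, last_used]

    def access_enable(self, src, now):
        """Run by autocommand after a successful Telnet login; the Telnet session then ends."""
        self.temp[src] = [now, now]

    def _expire(self, now):
        for src, (created, used) in list(self.temp.items()):
            if now - created >= self.absolute_minutes or now - used >= self.idle_minutes:
                del self.temp[src]   # same effect as the administrator clearing the entry

    def permits(self, src, dst, proto, dport=None, now=0):
        self._expire(now)
        for e in self.static:
            if matches(e, src, dst, proto, dport):
                return e[0] == "permit"
        t = self.template   # temporary entry is keyed on source address only (hence the spoofing caveat)
        if src in self.temp and matches((t[0], t[1], src, t[3], t[4]), src, dst, proto, dport):
            self.temp[src][1] = now   # matching traffic resets the idle timer
            return t[0] == "permit"
        return False                  # implicit deny at the end of every access list

def demo():
    router, inside, user = "144.254.166.6", "144.254.166.50", "171.73.34.33"
    acl = LockAndKeyACL(static=[("permit", "tcp", "any", router, 23)],
                        template=("permit", "ip", "any", "any", None),
                        absolute_minutes=120, idle_minutes=5)
    r = {"telnet_to_router": acl.permits(user, router, "tcp", 23, now=0),   # True
         "inside_before_auth": acl.permits(user, inside, "tcp", 80, now=0)}  # False
    acl.access_enable(user, now=0)
    r["inside_after_auth"] = acl.permits(user, inside, "tcp", 80, now=1)    # True: survives Telnet logout
    r["other_source"] = acl.permits("10.9.9.9", inside, "tcp", 80, now=1)   # False: entry is per source
    r["idle_expired"] = acl.permits(user, inside, "tcp", 80, now=7)         # False: idle 6 min > 5
    acl.access_enable(user, now=10)
    for t in range(14, 131, 4):   # traffic every 4 min keeps it alive, but not past 120 min
        r["absolute_expired"] = not acl.permits(user, inside, "tcp", 80, now=t)
    return r
```

Because the temporary entry is keyed on the source address alone and outlives the Telnet session, the idle and absolute timeouts are the only automatic limits on the opening, which is why the chapter pairs lock-and-key with encryption.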

Posted: 14/08/2014, 14:20
