1 Configuring the Network Access Server for AAA Security (© 1999, Cisco Systems, Inc., MCNSv2.0 3-1)

2 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
- Describe network access server port types and access control methods
- Configure the network access server to enable AAA processes to use a local database with a CiscoSecure NAS
- Test the network access server AAA configuration using applicable debugging and testing commands

3 [Diagram: CSNT and NAS used to perform AAA. Topology with a protected DMZ and a "dirty" DMZ, PIX Firewall, perimeter router, campus router, bastion host, NetRanger Sensor and Director, NetSonar, web and SMTP/DNS servers, CA server, a dialup NAS serving a remote branch and a Windows NT PC in Sales. The NT server runs CiscoSecure, Web, FTP, TFTP and Syslog; the NAS talks to it over the TACACS+ or RADIUS protocol.]

4 AAA Secures Network Access

5 AAA Model—Network Security Architecture
- Authentication: Who are you? “I am user student and my password validateme proves it”
- Authorization: What can you do? What can you access? “User student can access host NT_Server with Telnet”
- Accounting: What did you do? How long did you do it? How often did you do it? “User student accessed host NT_Server with Telnet 15 times”

6 AAA Secures Network Access
- Character (line) mode access: console, Telnet (tty, vty, aux, cty)
- Packet (interface) mode access: async, group-async, BRI, serial (PRI)
[Diagram: a remote client (SLIP, PPP, ARAP) reaches the NAS over PSTN/ISDN; a Telnet host and a console terminal also connect to the NAS, which consults the security server.]

7 Authentication Methods

8 Authentication Methods and Ease of Use
The chart ranks methods from strongest authentication (top) to weakest (bottom); ease of use runs the other way, low at the top and high at the bottom:
- Token cards/soft tokens (OTP)
- One-time password (OTP)
- S/Key (OTP for terminal login)
- Username/password (aging)
- Username/password (static)
- No username or password

9 Authentication—Remote Client Username and Password
[Diagram: a Windows 95 remote client dials the network access server over PSTN/ISDN. The username and password fields of the Windows 95 Dialup Networking screen are carried to the NAS over TCP/IP PPP and checked against the security server.]

10 Authentication—One-Time Passwords—S/Key
- List of one-time passwords
- Generated by S/Key program hash function
- Sent in cleartext over network
- Server must support S/Key
[Diagram: the workstation holds the list of S/Key passwords and sends one S/Key password in cleartext to a security server that supports S/Key; the hexadecimal password values shown in the figure are omitted.]
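The S/Key list above is a hash chain: the server stores only the last hash, and each login reveals the previous link, so a password sniffed in cleartext cannot be replayed and does not yield the next one. This is an added example, not code from the course: a simplified Lamport-style chain over SHA-256 (the real S/Key of RFC 1760 uses MD4 folded to 64 bits), with a constructed passphrase, seed and chain length.

```python
import hashlib

HASH = hashlib.sha256  # simplified; RFC 1760 S/Key uses MD4 folded to 64 bits

def hash_chain(passphrase: str, seed: str, n: int) -> list:
    """Return [h0, h1, ..., hn]: h0 = H(seed || passphrase), h(i+1) = H(h(i)).
    The client's one-time password list is h(n-1), h(n-2), ..., h0, used in that order."""
    h = HASH((seed + passphrase).encode()).digest()
    chain = [h]
    for _ in range(n):
        h = HASH(h).digest()
        chain.append(h)
    return chain

class SKeyServer:
    """Server side: keeps the seed, the sequence number and ONLY the latest
    accepted hash; the passphrase itself is never stored or transmitted."""

    def __init__(self, seed: str, n: int, last_hash: bytes):
        self.seed = seed
        self.count = n          # sequence number the client must present next
        self.stored = last_hash

    def verify(self, otp: bytes) -> bool:
        # The presented OTP must hash forward to the value on file.
        if HASH(otp).digest() != self.stored:
            return False
        # Accepting it moves the chain one step back, so an OTP sniffed off the
        # wire (it travels in cleartext, as the slide notes) is useless afterwards.
        self.stored = otp
        self.count -= 1
        return True

def demo() -> list:
    """Constructed walk-through: three logins, the second one a replay."""
    chain = hash_chain("validateme", "na1234", 5)   # constructed passphrase and seed
    server = SKeyServer("na1234", 5, chain[5])       # server enrolls h5 only
    return [
        server.verify(chain[4]),   # first login with h4: accepted
        server.verify(chain[4]),   # replay of the sniffed h4: rejected
        server.verify(chain[3]),   # next login with h3: accepted
    ]
```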

11 Authentication—Token Cards and Servers
CiscoSecure [OTP] Token Server:
- Uses an algorithm based on PIN or time-of-day to generate a secure password
- Server uses the same algorithm to decrypt the password
- Sends the password to the network access server or security server to complete authentication

12 PAP and CHAP Authentication

13 Authentication via PPP Link
[Diagram: a TCP/IP PPP client connects to the network access server over PSTN or ISDN using PPP.]
PAP = Password Authentication Protocol
– Cleartext, repeated password
– Subject to eavesdropping and replay attacks
CHAP = Challenge Handshake Authentication Protocol
– Secret password, per remote user
– Challenge sent on link (random number)
– Challenge can be repeated periodically to prevent session hijacking
– The CHAP response, an MD5 hash of (challenge + secret), provides authentication
– Robust against sniffing/replay attacks
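The CHAP exchange on this slide, as an added example that is not from the course: it follows RFC 1994, where the response is MD5(identifier || secret || challenge), and contrasts it with PAP to show why a captured PAP password replays while a captured CHAP response does not. The user name, secrets and session labels are constructed.

```python
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge); only the hash crosses the link."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class ChapAuthenticator:
    """NAS side of CHAP, checking responses against per-user secrets (constructed local DB)."""

    def __init__(self, user_db: dict):
        self.user_db = user_db
        self.pending = {}   # session -> (identifier, challenge) awaiting a response

    def challenge(self, session: str) -> tuple:
        # Fresh random identifier and challenge per attempt; can be re-issued mid-session.
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self.pending[session] = (ident, chal)
        return ident, chal

    def verify(self, session: str, username: str, response: bytes) -> bool:
        # Each challenge is consumed once, so a late or repeated response finds nothing.
        pending = self.pending.pop(session, None)
        secret = self.user_db.get(username)
        if pending is None or secret is None:
            return False
        expected = chap_response(pending[0], secret, pending[1])
        return hmac.compare_digest(expected, response)

def pap_check(user_db: dict, username: str, password: bytes) -> bool:
    """PAP for contrast: the same cleartext password is sent and compared every time."""
    return user_db.get(username) == password

def demo() -> dict:
    user_db = {"student": b"validateme"}               # constructed user
    nas = ChapAuthenticator(user_db)
    ident, chal = nas.challenge("call-1")
    resp = chap_response(ident, b"validateme", chal)   # computed by the remote client
    ok = nas.verify("call-1", "student", resp)
    # An eavesdropper who captured resp tries it against the next call's challenge.
    nas.challenge("call-2")
    replay = nas.verify("call-2", "student", resp)
    # With PAP the captured cleartext password simply works again.
    pap_replay = pap_check(user_db, "student", b"validateme")
    return {"chap_login": ok, "chap_replay": replay, "pap_replay": pap_replay}
```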

14 Network Access Server AAA Configuration Process

15 Authenticated NAS Port Types
[Diagram: NAS with the CiscoSecure ACS server. Port types: Telnet host on vty; ISDN B channels on BRI and serial (PRI); async dialup on tty, aux and async; console terminal on cty.]

16 Network Access Server AAA Configuration Process
General steps to configure the NAS for AAA:
1. Secure access to privileged EXEC and configuration modes (enable and enable secret)
2. Enable AAA globally on the network access server with the aaa new-model command
3. Configure AAA authentication profiles
4. Configure AAA authorization for use after the user has passed authentication
5. Configure the AAA accounting options for how you want to write accounting records
6. Verify the configuration

17 Secure Privileged EXEC and Configuration Mode
[Diagram: Telnet session to NAS 10.1.1.1; CiscoSecure ACS server at 10.1.1.4.]
Router(config)#enable password changeme
Router(config)#enable secret supersecret
Router(config)#service password-encryption   (lightweight encryption)

18 Begin the AAA Configuration
[Diagram: NAS and CiscoSecure ACS server 10.1.2.4.]
Router(config)#aaa new-model
Router(config)#aaa authentication login default enable
Router(config)#aaa authentication login console-in local
Router(config)#aaa authentication login is-in local
Router(config)#aaa authentication login tty-in local
Router(config)#aaa authentication ppp dial-in local

19 AAA Security Servers

20 AAA with a Local Security Database
1. User establishes PPP connection with NAS
2. NAS prompts user for username/password
3. NAS authenticates username and password in local database
4. NAS authorizes user to access network based on local database
5. NAS tracks user traffic and compiles accounting records as specified in local database
[Diagram: the five steps between the remote user and the network access server.]

21 Remote Alternatives: TACACS+ and RADIUS
- Two different protocols used to communicate between the security server and router, NAS, or firewall
- CiscoSecure supports both TACACS+ and RADIUS
– TACACS+ remains more secure and more scalable than RADIUS
– RADIUS has a robust API, strong accounting
[Diagram: CiscoSecure ACS security server communicating over TACACS+ or RADIUS with a firewall, a router and a network access server.]

22 AAA Authentication Commands
(config)#aaa authentication {login | enable | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]
Methods available for each authentication type:
- login: enable, krb5, line, local, none, tacacs+, radius, krb5-telnet
- enable (default list only): enable, line, none, tacacs+, radius
- arap: guest, auth-guest, line, local, tacacs+, radius
- ppp: if-needed, krb5, local, none, tacacs+, radius
- nasi: enable, line, local, none, tacacs+

23 AAA Authentication Example Configuration
(config)#aaa authen login tech-pubs tacacs+ local
(config)#aaa authen ppp mktg if-needed tacacs+
(config)#line console 0
(config-line)#login authen tech-pubs
(config)#int s3/0
(config-if)#ppp authen chap mktg
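The method lists on slides 22 and 23 are tried in order, but IOS moves on to the next method only when the previous one returns an error (for example, the TACACS+ server is unreachable), not when it rejects the user; a list such as tacacs+ local therefore does not let a locally known password override a server denial. This added example, not code from the course, models that rule in Python with constructed users and a stand-in for the tacacs+ method, walking through the tech-pubs list (tacacs+ local), a tacacs+ none list and tacacs+ alone.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"     # the method decided: accept
    FAIL = "fail"     # the method decided: reject
    ERROR = "error"   # the method could not decide (server unreachable, etc.)

LOCAL_DB = {"student": "validateme"}          # constructed NAS local database

def method_local(user: str, pw: str) -> Result:
    return Result.PASS if LOCAL_DB.get(user) == pw else Result.FAIL

def method_none(user: str, pw: str) -> Result:
    return Result.PASS                         # "none": no authentication at all

def make_tacacs(reachable: bool, server_db: dict):
    """Stand-in for the tacacs+ method: a down server is an ERROR, a bad password a FAIL."""
    def method_tacacs(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if server_db.get(user) == pw else Result.FAIL
    return method_tacacs

def authenticate(method_list: list, user: str, pw: str) -> bool:
    """IOS method-list rule: fall through to the next method only on ERROR.
    PASS or FAIL ends the list; if every method errors, the login fails."""
    for method in method_list:
        result = method(user, pw)
        if result is not Result.ERROR:
            return result is Result.PASS
    return False

def demo() -> dict:
    server_db = {"student": "servpass"}       # constructed TACACS+ user database
    up, down = make_tacacs(True, server_db), make_tacacs(False, server_db)
    return {
        # tech-pubs = tacacs+ local: the server answers, so local is never consulted
        "up_local_pw": authenticate([up, method_local], "student", "validateme"),
        "up_server_pw": authenticate([up, method_local], "student", "servpass"),
        # server down: the local database becomes the fallback
        "down_local_pw": authenticate([down, method_local], "student", "validateme"),
        # tacacs+ none: a server outage silently accepts any password
        "down_none": authenticate([down, method_none], "student", "wrong"),
        # tacacs+ alone: an outage locks everyone out
        "down_only": authenticate([down], "student", "servpass"),
    }
```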

24 AAA Authorization Commands
router(config)#aaa authorization {network | exec | command level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}
[Diagram: CiscoSecure ACS server and network access server.]

25 AAA Authorization Example Configuration
router(config)#aaa author command 1 Orion local
router(config)#aaa author command 15 Andromeda local
router(config)#aaa author network Pisces local none
router(config)#aaa author exec Virgo if-authenticated
[Diagram: CiscoSecure ACS server (Orion) and network access server.]

26 AAA Accounting Commands
router(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2…]]
[Diagram: CiscoSecure ACS server and network access server.]

27 AAA Accounting Example Configuration
router(config)#aaa account system wait-start local
router(config)#aaa account network stop-only local
router(config)#aaa account exec start-stop local
router(config)#aaa acc command 15 wait-start local
[Diagram: CiscoSecure ACS server and network access server.]

28 AAA Troubleshooting
router#debug aaa authentication
router#debug aaa authorization
router#debug aaa accounting
Displays detailed AAA information

29 Lab Exercise

30 Lab Objectives
Upon completion of this lab, you will be able to perform the following tasks:
- Configure the network access server to secure enable mode access to the network access server
- Configure AAA services using the local security database
- Test the network access server AAA configuration using applicable debugging and testing commands

31 [Diagram: MCNS lab environment, generic pod (X = POD #). Elements shown: PIX1 firewall with Outside (192.168.X.0/24), DMZ (192.168.1X.0/24) and Inside interfaces; protected DMZ and "dirty" DMZ; NAS1; IS network 10.X.2.1/24 with hosts 10.X.2.2 to 10.X.2.10/24; Windows NT PC; NT1 NT server running CiscoSecure NT, IIS FTP and web server, Cisco Security Manager, syslog server and TFTP server; instructor NT server (FTP, HTTP, CA) at 192.168.255.2/24; Perimeter1 router (172.16.X.1/30, 10.X.1.0/24); bastion host (web server, FTP server); Sales dialup; Frame Relay (Internet) telco simulator 100X.]

32 Summary and Review Questions

33 Summary
- In local-server AAA, the local NAS performs AAA services.
- Character and packet modes can be secured with AAA.
- Network access server AAA configuration should follow an orderly progression.
- Use the aaa authentication command to specify the authentication process and method.
- Use aaa debug commands selectively to troubleshoot AAA.
- Use the no aaa new-model command to remove AAA commands from the configuration.

34 Review Questions
1. What are the two network access server modes that can be secured by AAA commands?
A. Character (line mode) with tty, vty, aux, and cty ports
B. Packet (interface mode) with async, group-async, BRI, and serial (PRI) ports

35 Review Questions (cont.)
2. What is being configured in each of the fields of the following command?
aaa authentication ppp sales if-needed local
A. aaa authen ppp – Specifies the PPP operation for this authentication process
B. sales – Assigns the profile name sales to this process
C. if-needed – Specifies the if-needed authentication method for the PPP authentication operation, which requires no authentication if the user is already authenticated
D. local – If the if-needed method fails, uses the local database method for PPP authentication
