Escolar Documentos
Profissional Documentos
Cultura Documentos
4.1 Implementing Server-Based TACACS+ Dialup Authentication 4.2 Implementing Server-Based TACACS+ Dialup Authorization 4.3 Implementing Server-Based RADIUS Dialup Authentication 4.4 Implementing Server-Based RADIUS Dialup Authorization 4.5 Implementing Server-Based TACACS+ Router Authentication 4.6 Implementing Server-Based TACACS+ Router Authorization
Caution
The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for you own configurations, be sure that your specifications apply to your environment.
Note
See Chapter 2, Implementing the Local AAA Subsystem, for specifics of local AAA implementation. See 1.1 AAA Technology Summary, in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation.
4-1
Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based AAA components, including a AAA server and its associated AAA database.
Figure 4-1 Basic AAA Case Study Environment
PSTN
PRI lines
4-2
35051
AAA server
35089
Internet
Chapter 4
Implementing the Server-Based AAA Subsystem 4.1 Implementing Server-Based TACACS+ Dialup Authentication
Configure TACACS+ server-based authentication on NAS. Configure a user profile in the database. Verify the AAA server-based user configuration. Verify and troubleshoot authentication from the AAA server. Verify and troubleshoot PPP authentication from the NAS.
Configure TACACS+ server-based authentication on NAS. Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication ppp default if-needed group tacacs+ ! tacacs-server host 172.22.53.101 key ciscorules
Note
See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.
Step 2
Configure a user profile in the database. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules a 'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n
Caution
When entering AddProfile to create users or groups, it is possible to successfully create users or groups that have invalid database parameters that result in profile errors viewable in /var/log/csuslog. Verify the AAA server-based user configuration. Enter this server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial user = tac_dial{ profile_id = 23 profile_cycle = 1 password = pap "********" service=ppp { protocol=ip { set addr-pool=default set inacl=110 } protocol=lcp { } } }
Step 3
4-3
Step 4
Verify and troubleshoot authentication from the AAA server. Enter the tail command:.
<CSUserver>$tail -f /var/log/csuslog
Note
See C.1 Server-Based TACACS+ Dialup Authentication Diagnostics for a description of relevant diagnostic output.
Step 5
Verify and troubleshoot PPP authentication from the NAS. Enter the debug aaa authentication and debug ppp authentication commands to confirm authentication from the NAS perspective.
Note
See C.1 Server-Based TACACS+ Dialup Authentication Diagnostics for relevant diagnostic output.
Configure TACACS+ server-based authorization on the NAS. Configure a user profile in the database. Verify the AAA server-based user configuration. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server. Verify and troubleshoot shell-initiated PPP authorization on the NAS.
Configure TACACS+ server-based authorization on the NAS. Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authorization with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication ppp default if-needed group tacacs+ aaa authorization exec default group tacacs+ if-authenticated aaa authorization network default group tacacs+ if-authenticated ! tacacs-server host x.x.x.x key ciscorules
Note
See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.
4-4
Chapter 4
Implementing the Server-Based AAA Subsystem 4.2 Implementing Server-Based TACACS+ Dialup Authorization
Step 2
Configure a user profile in the database. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules pw pap,ciscorules a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n
Step 3
Verify the AAA server-based user configuration. Enter this UNIX server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest
Step 4
Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server. Enter the following UNIX server command to confirm that the authorization is operating correctly:
<CSUServer>$tail -f /var/log/csuslog
Note Step 5
Verify and troubleshoot shell-initiated PPP authorization on the NAS. Enter the debug aaa authorization command to verify server-based authorization is operating correctly for dial access.
Note
4-5
Configure RADIUS server-based authentication on access server. Configure a user profile in the database. Verify the AAA server-based user configuration. Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.
Server-Based Dial Environment (RADIUS)
Figure 4-3
4-6
35051
AAA server
Chapter 4
Implementing the Server-Based AAA Subsystem 4.3 Implementing Server-Based RADIUS Dialup Authentication
Step 1
Configure RADIUS server-based authentication on access server. Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with RADIUS:
aaa new-model aaa authentication login default group radius aaa authentication ppp default if-needed group radius ! interface Group-Async1 ip unnumbered Loopback0 no ip directed-broadcast encapsulation ppp ip tcp header-compression passive no logging event link-status dialer in-band dialer idle-timeout 900 async mode interactive no snmp trap link-status peer default ip address pool default no fair-queue no cdp enable ppp max-bad-auth 3 ppp authentication pap chap group-range 1 48 ! line 1 48 exec-timeout 48 0 autoselect during-login autoselect ppp absolute-timeout 240 modem InOut modem autoconfigure type mica transport preferred telnet transport input all transport output lat pad telnet rlogin udptn v120 lapb-ta radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
Note
See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.
Step 2
b.
Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'
4-7
Step 3
Enter this server command to view the AAA server-based NAS configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105 User Profile Information user = NAS.172.22.53.105{ profile_id = 76 profile_cycle = 1 NASName="172.22.53.105" { SharedSecret="ciscorules" RadiusVendor="Cisco" Dictionary="DICTIONARY.Cisco" } }
b.
Step 4
Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.
Note
Configure RADIUS server-based authorization on the NAS. Configure a user profile in the database. Verify the AAA server-based user configuration. Verify and troubleshoot RADIUS network authorization on the NAS. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.
4-8
Chapter 4
Implementing the Server-Based AAA Subsystem 4.4 Implementing Server-Based RADIUS Dialup Authorization
Step 1
Configure RADIUS server-based authorization on the NAS. Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS authorization assigning access-list 110 to the user, rad_dial:
aaa new-model aaa authentication login default group radius aaa authentication ppp default if-needed group radius aaa authorization exec default group radius aaa authorization network default group radius if-authenticated ! radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules ! access-list 110 permit tcp any any eq telnet access-list 110 permit tcp any any eq ftp access-list 110 permit tcp any any eq ftp-data access-list 110 deny tcp any any
Note
See A.3 NAS AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.
Step 2
Configure a user profile in the database. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n' -a
Step 3
Verify the AAA server-based user configuration. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial User Profile Information user = rad_dial{ profile_id = 62 profile_cycle = 1 password = pap "********" radius=Cisco { reply_attributes= { 6=2 7=1 9,1="ip:inacl=110" } } }
Note
Step 4
Verify and troubleshoot RADIUS network authorization on the NAS. Enter the debug aaa authorization command to verify dial access server-based authorization is operating correctly for dial access.
Note
4-9
Step 5
Verify that access-list 110 is assigned to user rad_dial with the show caller user command.
Note
Configure TACACS+ server-based authentication on the router. Configure and verify the group rtr_basic: Create the member rtr_test and assign this user to group rtr_basic. Verify user rtr_test. Log in to the router and verify proper authentication.
Server-Based VTY Access (Telnet)
Figure 4-4
AAA server
4-10
35050
Chapter 4
Implementing the Server-Based AAA Subsystem 4.5 Implementing Server-Based TACACS+ Router Authentication
Step 1
Configure TACACS+ server-based authentication on the router. Include the following Cisco IOS configuration commands in your configuration to enforce AAA server-based command authorization on a router (excluding the console port):
aaa new-model aaa authentication login default group tacacs+ aaa authentication login NO_AUTHENT none ! ip http server ip http authentication aaa ip tacacs source-interface Loopback0 ! tacacs-server host 172.22.53.201 key ciscorules ! line con 0 login authentication NO_AUTHENT
Note
See A.2 Router AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.
Step 2
b.
Step 3
Create the member rtr_test and assign this user to group rtr_basic. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr rtr_basic Profile Successfully Added
4-11
Step 4
Step 5
Log in to the router and verify proper authentication. Enter the login command to access the router command interface and monitor the output of debug aaa authentication from a separate shell session. Monitor the output of the AAA server by consulting the csuslog file using the tail command.
Note
4-12
Chapter 4
Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization
Group Cisco IOS Command debug all debug * clear * reload show running-config write terminal copy running-config startup-config write memory configure terminal rtr_super Denied Permitted Permitted Permitted Permitted Permitted Permitted rtr_tech Denied Permitted Permitted Denied Denied Permitted Denied rtr_low Denied Denied Denied Denied Denied Denied Denied
Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization between a router and an AAA server. Troubleshooting and verifying is divided into three stages: authentication, EXEC authorization and command authorization. Each stage is accompanied by information particular to that stage:
Cisco IOS Configuration Fragments (on left) Troubleshooting and verification methods for the router and AAA server (on right)
4-13
Figure 4-5
Cisco IOS Client Authentication Router user requests login to TACACS+ server. aaa new-model aaa authentication login default group tacacs+ tacacs-server host ip-address key secret-key
Decision Flow
Troubleshoot/Verify
From Cisco IOS Client debug aaa authentication From AAA Server tail -f /var/log/csuslog Verify user user=rtr_geek password=des
Yes
EXEC Authorization AAA authorization begins (EXEC) aaa authorization exec default group tacacs+ if-authenticated Did No authorization succeed? From Cisco IOS Client debug aaa authorization From AAA Server tail -f /var/log/csuslog Verify user or group service=shell
Yes Command Authorization AAA authorization command begins (command) aaa authorization commands 15 default tacacs+ if-authenticated Did No authorization succeed?
From Cisco IOS Client debug aaa authorization From AAA Server tail -f /var/log/csuslog Verify user or group default_cmd=permit or priv_lvl=15 or cmd=permit
35076
Configure TACACS+ server-based authorization from the console port on the router. Configure, verify, and test operation of the AAA server group rtr_low. Configure, verify, and test operation of the AAA server group rtr_tech. Configure, verify, and test operation of AAA server Group rtr_super.
4-14
Chapter 4
Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization
Note
Some versions of boot ROMs do not recognize all AAA commands. Be sure to disable AAA authentication and authorization before changing to boot ROM mode. For configuration notes regarding disabling AAA to access boot ROM mode, see Appendix B, AAA Impact on Maintenance Tasks.
Step 1
Configure TACACS+ server-based authorization from the console port on the router. Include the following Cisco IOS configuration commands in your configuration to enforce router-based security with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication login NO_AUTHENT none aaa authorization commands 15 NO_AUTHOR none aaa authorization exec default group tacacs+ aaa authorization exec NO_AUTHOR none aaa authorization commands 15 default group tacacs+ ! ip http server ip http authentication aaa ip tacacs source-interface Loopback0 ! tacacs-server host 172.22.53.201 key ciscorules ! line con 0 authorization commands 15 NO_AUTHOR authorization exec NO_AUTHOR login authentication NO_AUTHENT
Note
See A.2 Router AAA Command Implementation Descriptions in Appendix A, AAA Device Configuration Listings for notes regarding key Cisco IOS AAA commands.
4-15
Step 2
Configure, verify, and test operation of the AAA server group rtr_low. The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the requirements specified in Table 4-1:
a.
b.
c.
Create the member rtr_dweeb and assign this user to group rtr_low. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw des,ciscorules Profile Successfully Added
d.
e.
Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:
Simultaneously monitor the output of debug aaa authorization from a console shell session
Note
4-16
Chapter 4
Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization
Step 3
Configure, verify, and test operation of the AAA server group rtr_tech. The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the requirements specified in Table 4-1:
a.
b.
c.
Create the member rtr_techie and assign this user to group rtr_tech. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw des,ciscorules Profile Successfully Added
d.
e.
Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:
Simultaneously monitor the output of debug aaa authorization from a console shell session
4-17
From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog
Note Step 4
Configure, verify, and test operation of AAA server Group rtr_super. The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with the requirements specified in Table 4-1:
a.
b.
c.
Create the member rtr_geek and assign this user to group rtr_super. Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek des,ciscorules Profile Successfully -pr rtr_super -pw
d.
e.
Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:
Simultaneously monitor the output of debug aaa authorization from a console shell session
4-18
Chapter 4
Implementing the Server-Based AAA Subsystem 4.6 Implementing Server-Based TACACS+ Router Authorization
Log in to the router by using a new terminal window with the rtr_geek account and enter the
Note
4-19
4-20