Authentication, Authorization, and Accounting, more commonly abbreviated simply as AAA, is a major part of securing network management. Even though you undoubtedly saw a number of questions regarding it on the SECUR exam (or its predecessor, the MCNS exam), you should be prepared to see questions about it again on the CIS exam. AAA is a significant piece of the SAFE Architecture. In case it has been a little while since you've reviewed the material, we include a brief overview of each function and how it is implemented in the SAFE Blueprint.

Authentication
Nursery rhymes and other children's fables come down through the generations to teach fundamental lessons (often gruesomely, of course). In this case, the lesson is all too clear: Not everyone is whom they appear to be. (Of course, we could also cite "The Three Little Pigs," on keeping intruders at bay.) The whole point of authentication is to verify rather than assume the identity of those attempting to access critical information resources. Authentication might be as simple as storing a username and password in a local database on the device, or it might use a stronger program operating on a server inside the protected perimeter. Although Cisco supports servers using TACACS+, RADIUS, and Kerberos, the SAFE Reference Implementation in the Validation Lab uses TACACS+, and this is strongly preferred. Briefly, the possible forms of authentication are as follows:
If only a few users are to be authenticated against only a few devices, Cisco states that using local username and password databases on the individual network devices is acceptable. However, when you have more than a few of either (the meaning of "a few" is not explicit, but most people have a feel for it), it is better to use a dedicated database on a separate server. In that way, the database is more likely to be managed properly: kept current and with appropriate permissions.

Back Doors

Cisco recommends securing access to your routers and switches via authentication. However, Cisco also knows that things happen and thus recommends setting a back door to get in, just in case (SAFE is about practical security because, if it's not practical, it won't be used). That means it's useful to have at least a limited local user database, even if you're using a AAA server for normal authentication.

Configuring Authentication

If authentication is against a local database, you must add username and password combinations to the device. If you use a AAA server, this local database is still available; it can be one of the methods used for a type of authentication. On a router, in global configuration mode, use this to add a user and password to the local database:

    username name password password

On a switch, use this command in global configuration mode:

    username name secret {0 | 5} password

The option 0 on the secret (the password) means that the password is stored without encryption, while the option 5 means that the password is encrypted with the MD5 algorithm. Needless to say, encryption (5) is safer. If you are using a local database instead of an AAA server, dialup sessions to a router carried by PPP need to be authenticated using PAP, CHAP, or MS-CHAP. This requires you to turn on (enable) PPP encapsulation, after which you can specify the authentication method.
In line configuration mode, use these commands:

    encapsulation ppp
    ppp authentication {pap | chap} {default | list-name}

Using a list-name is permitted only with AAA. Be aware that passwords are sent in clear text when using PAP, but CHAP involves sending a challenge and then comparing the hashed response returned against the hash calculated locally. With CHAP, passwords are not sent in the clear, so it is strongly preferred if you do not use an AAA server. Worth noting is that Cisco does not recommend ever using PAP, if it can possibly be avoided. MS-CHAP operates a little differently; it is a Microsoft extension of the CHAP protocol. To use it, again in line configuration mode, you enter these commands:

    encapsulation ppp
    ppp authentication ms-chap

If you use AAA instead of a local database, you must enable AAA on the device and then establish the method(s) to be used for it: the sources to be checked, in the order in which they will be checked. Note that the first actual response (whether accepting or rejecting the login) ends the authentication process; an ERROR response, which means that the server could not evaluate the authentication, does not end it, and the next method is tried. At some point in the AAA configuration, you must also identify the server holding the database (including the server type as well as its IP address), so it is included here as well. On a router, in global configuration mode, enter these commands:

    aaa new-model
    aaa authentication login {default | list-name} method1 [method2 ...]
    tacacs-server host ip_addr
    tacacs-server key key

Remember, the aaa new-model command is necessary only when creating AAA when it is not already present. You might have several lines of authentication methods (method lists): a default list (to be used wherever a method list is not specified), a named list for incoming lines (such as vty or console), and a named list for PPP. Note that, with the PPP method list, the optional keyword if-needed is available.
This refers to the fact that the methods that follow will be used only if other authentication has not already been performed. Enabling AAA and setting the methods on a switch is just as simple. For TACACS+, use the following commands:

    set tacacs server ip_addr
    set tacacs key key
    set authentication login tacacs enable telnet
    set authentication login local disable telnet

The second pair of commands shows that you're willing to allow Telnet if the party is authenticated by the TACACS+ server; local database Telnet authentication is not allowed. Remember, local login and enable authentication are both enabled by default; you are changing that to permit Telnet login only if TACACS+ authentication has been met.

Authorization

Authorization is granting permission to do something. Especially when under stress during the exam, it's easy to confuse authentication and authorization (it doesn't help that the words look so much alike at their beginnings and ends, which reinforces the need to read every question carefully). If you are using a local database on a router, it is useful to assign the various commands to specific privilege levels (remember that they range from 0 to 15, with 0 being user EXEC and 15 being privileged EXEC). The command to assign users privileges (in global configuration mode) is as follows:

    username name privilege level

On a switch, the commands are similar, though more limited (to config, enable, and all), and the authorization can be applied to console, telnet, or both (the default):

    set authorization commands enable {config | enable | all} [console | telnet | both]

Again, this is useful only if you have a few users and a few devices to be configured; otherwise, you should use AAA. To use AAA for your authorization on a router, use the appropriate commands to authorize exec privileges, network access (for PPP, SLIP, and ARAP, the AppleTalk Remote Access Protocol), commands, and reverse-access. The same command must also name a source for authorization.
The source might include if-authenticated , which means that authorization is granted automatically if the user has been authenticated.
This command invokes AAA for authorization on a router (you can enter it several times, with a different name each time, for different services):
Notice that you have three sets of choices, and you must choose at least one from each of them. On a switch, the choices are somewhat different:
This time, you must choose from four sets, but the principle is the same. The second set of options is the primary authorization method; the third set is the fallback option. Notice that although a router can use RADIUS and Kerberos, a switch running the Catalyst OS cannot.

Accounting

Accounting is boring, is a pain, and is where security violations often are first detected. If you don't appreciate that, read the excellent book The Cuckoo's Egg, by Clifford Stoll. Accounting is your opportunity to track not only accesses (including when they began and ended), but also which services were used, and all this can be tracked by user. To configure accounting on a router, use the following command (again, you can enter the command several times, depending on the options you want to use):
The list-name option includes the following choices: auth-proxy, commands, connection, exec, network, and resource. The timing options include accounting for both the start and stop of activity (start-stop); only the stop (stop-only); the start and the stop, with the start recorded only after the accounting server has acknowledged it (wait-start); and none. Notice that a maximum of two methods is allowed; this is different from authentication and authorization: Authentication allows up to four methods, and authorization allows one method per authorization command. On a switch, you can see the now-familiar pattern of the same idea, expressed in Catalyst OS syntax. However, depending on what you want to do, you might need one or more commands to get the job done:

    set accounting commands enable {config | enable | all} [stop-only] tacacs+
    set accounting {connect | exec | system} {start-stop | stop-only} {tacacs+ | radius}

Notice that the accounting for commands is a separate command, with different options than those for outgoing connections from the switch (connect), exec activities, and system activities.
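The router-side commands discussed in the three sections above, assembled into one working configuration as an added example; it is not taken from the book or from Cisco's SAFE reference implementation. The server address 10.1.1.5, the shared key, the user name, the interface and the list name CONSOLE are placeholders, and the group tacacs+ form of the method keyword is the syntax of later IOS releases.

```cisco
! Added example: one router's AAA configuration. Server address, key,
! user name and interface are placeholders, not values from the book.
aaa new-model
!
! Identify the TACACS+ server and its shared key (placeholders).
tacacs-server host 10.1.1.5
tacacs-server key REPLACE_WITH_SHARED_KEY
!
! Authentication: ask TACACS+ first. The local database is consulted only
! if the server cannot answer (ERROR); a rejection (FAIL) ends the process.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication enable default group tacacs+ enable
! PPP: if-needed skips a second authentication on an already authenticated line.
aaa authentication ppp default if-needed group tacacs+ local
!
! Authorization: EXEC sessions, network (PPP) access, and level-15 commands.
! if-authenticated grants access when the server is unreachable but the
! user has already authenticated.
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local
!
! Accounting: start-stop for sessions, stop-only for privileged commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! The "back door": a local privilege-15 account whose secret is stored as
! an MD5 (type 5) hash, used only when a method list falls through to local.
username admin privilege 15 secret REPLACE_WITH_PASSWORD
!
! Apply the named list to the console; vty lines use the default list.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
!
! Dialup PPP on a placeholder serial interface, CHAP against the default list.
interface Serial0/0
 encapsulation ppp
 ppp authentication chap default
```

With this configuration, an attacker who takes the TACACS+ server offline does not lock administrators out, because the lists fall through to the local account, while a server that answers FAIL still denies the login.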