The last half of this chapter discusses how to secure your switch as well as the additional security features the switch supports to secure your network. This section is by no means an all-inclusive discussion of the Catalyst switches' security features, but it does describe some of the major ones.

What to Secure

With a basic security setup, you'll want to secure access to the EXEC modes on the Catalyst switch. Listing 10.4 shows the basic commands to do so.

Listing 10.4 Basic Security Setup

Switch(config)# line console 0
Switch(config-line)# login
Switch(config-line)# password password
Switch(config-line)# exit
Switch(config)# line vty 0 4
Switch(config-line)# login
Switch(config-line)# password password
Switch(config-line)# access-class standard_ACL_# in
Switch(config-line)# exit
Switch(config)# access-list 1-99 permit source_address [wildcard_mask]
Switch(config)# enable secret Privilege_EXEC_password

By default, the switch has no preconfigured passwords. To assign a password to console access, go into the console line (line console 0), enable password checking with the login command, and set the password with the password command; a password without login is never asked for. To restrict Telnet access, access your VTYs (line vty 0 4), enable password authentication with the login command, and assign a password with the password command. Optionally, create a standard ACL (access-list, numbered 1 through 99) that defines your management stations and activate it on the VTYs with the access-class command. Note that access-list is a global configuration command, not a line command, and that an access-class that refers to an ACL that does not exist restricts nothing, so make sure the ACL is defined. To restrict Privilege EXEC access, assign a password with the enable secret command, which stores a one-way hash; the older enable password command stores the password in cleartext or in the reversible type 7 encoding and should not be used. Line passwords set with the password command are likewise stored in cleartext unless service password-encryption is on, and even then the encoding is trivially reversible, so protect your configuration backups. You should already be familiar with these commands from preparing for your CCNA exam.
Table 10.1 lists some other things you should do to secure your switch.
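As an added example (not Cisco's code or the book's own), here is a small Python audit of a running-config for the items in Listing 10.4 and the caveats just mentioned: login before password on each line, enable secret instead of enable password, an access-class on the VTYs that points at an ACL that actually exists, and no cleartext Telnet. The two sample configs are constructed; the hashes in the hardened one are placeholders.

```python
"""Audit an IOS running-config for the basic EXEC-access protections of
Listing 10.4. Added example, not Cisco's or the book's code; the two
sample configs below are constructed, and the checks encode the caveats
noted above (login before password, enable secret over enable password,
an access-class that points at a defined ACL)."""
import re


def parse_config(text):
    """Split 'show running-config' output into global commands and the
    indented children of each 'line ...' block."""
    global_cmds, line_blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:          # child of the open line block
                line_blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        if cmd.startswith("line "):
            current = cmd[len("line "):]     # e.g. 'con 0', 'vty 0 4'
            line_blocks.setdefault(current, [])
        else:
            current = None
            global_cmds.append(cmd)
    return global_cmds, line_blocks


def acl_defined(global_cmds, acl):
    """True if a numbered or named ACL with this identifier exists."""
    return any(c.startswith(f"access-list {acl} ") or
               c.startswith(f"ip access-list standard {acl}") or
               c.startswith(f"ip access-list extended {acl}")
               for c in global_cmds)


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    global_cmds, blocks = parse_config(text)
    findings = []
    if not any(c.startswith("enable secret") for c in global_cmds):
        findings.append("global: no enable secret; Privilege EXEC is unprotected")
    if any(c.startswith("enable password") for c in global_cmds):
        findings.append("global: enable password is cleartext or reversible type 7; "
                        "use enable secret only")
    if "service password-encryption" not in global_cmds:
        findings.append("global: line passwords are stored in cleartext "
                        "(no service password-encryption)")
    aaa = "aaa new-model" in global_cmds      # AAA method lists replace login/password
    for name, cmds in blocks.items():
        if not aaa:
            if not any(c == "login" for c in cmds):
                findings.append(f"line {name}: no login, so the line password is never asked for")
            elif not any(c.startswith("password ") for c in cmds):
                findings.append(f"line {name}: login without a password; IOS refuses the connection")
        if name.startswith("vty"):
            acl = None
            for c in cmds:
                m = re.match(r"access-class (\S+) in$", c)
                if m:
                    acl = m.group(1)
            if acl is None:
                findings.append(f"line {name}: no access-class; any source may attempt a login")
            elif not acl_defined(global_cmds, acl):
                # A reference to a missing ACL restricts nothing, so the
                # access-class silently does not do what the admin intended.
                findings.append(f"line {name}: access-class {acl} refers to an undefined ACL")
            if any(c.startswith("transport input") and ("telnet" in c or "all" in c)
                   for c in cmds):
                findings.append(f"line {name}: Telnet permitted; credentials cross the network in cleartext")
    return findings


# Constructed sample: the mistakes a first attempt commonly contains.
WEAK_CONFIG = """\
hostname sw1
enable password cisco
!
line con 0
 password cisco
line vty 0 4
 login
 password cisco
 access-class 10 in
 transport input telnet
"""

# Constructed sample after the fixes (the secret/password hashes are placeholders).
HARDENED_CONFIG = """\
hostname sw1
service password-encryption
enable secret 5 $1$placeholder$hash
access-list 10 permit 192.168.1.0 0.0.0.255
!
line con 0
 login
 password 7 placeholder
line vty 0 4
 login
 password 7 placeholder
 access-class 10 in
 transport input ssh
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or ["no findings"])
```

Run it against a saved show running-config; the weak sample produces six findings (the missing console login and the undefined ACL 10 among them) and the hardened sample produces none. Once aaa new-model is in the configuration the per-line login and password checks are skipped, because at that point the AAA method lists, not the line commands, decide who gets in.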
Authentication, Authorization, and Accounting

One of the problems with authentication in the previous section is that no matter who accesses your switch, that person uses the same password, based only on the type of EXEC access she is attempting. For example, all administrators accessing Privilege EXEC mode must use the same password. First, this creates accountability problems: You never know who made what changes on the switch because you don't know specifically who logged in to the switch. Second, you can't limit what an administrator does on the switch. Privilege EXEC access is an all-or-nothing proposition. Third, it's difficult to manage your passwords. If you need to change the Privilege EXEC password for administrator access, you probably need to do it on all of your switches, which is cumbersome.

Overview of AAA

AAA centralizes authentication, authorization, and accounting functions and solves the three problems just discussed. AAA breaks up security into three components: authentication (who you are), authorization (what you may do), and accounting (what you did).
Enable AAA

Before I begin a discussion of how to implement AAA, I must mention that the configuration information here is a brief overview of setting up AAA. For a more thorough discussion, review Cisco's SECUR materials (formerly MCNS). The configuration of AAA on an IOS-based switch is actually the same as configuring it on an IOS-based router. Please see the "Need to Know More?" section at the end of this book for more information regarding AAA. The very first thing you need to do is to activate AAA on your switch:

Switch(config)# aaa new-model
There are two basic ways that you can use AAA on your switch: have the switch itself act as the security server or use an external security server, such as Cisco Secure ACS. To configure the switch to hold usernames and passwords, use the username command:

Switch(config)# username user's_name password password

The username command creates a user's name and password that will be used to authenticate access to the switch. Note that the password form stores the password in cleartext (or in the reversible type 7 encoding if service password-encryption is on); the secret form of the same command (username user's_name secret password) stores a one-way hash and is the one to use in production. One major disadvantage of using the switch as a server is that it can only perform AAA functions for itself; it can't act as a server for other devices. To use an external AAA server, you'll have to specify a security protocol, the AAA server itself, and a shared key used to authenticate the switch to the server. There are two security protocols: TACACS+ (Cisco-proprietary) and RADIUS (open-standard). The following commands accomplish this:

Switch(config)# aaa new-model
Switch(config)# tacacs-server host AAA_server's_IP_address key string
Switch(config)# radius-server host AAA_server's_IP_address key string

The aaa new-model command enables AAA. The tacacs-server command specifies access to a TACACS+ server, and the radius-server command specifies access to a RADIUS server. The key must match the one configured on the server; like line passwords, it is stored in the configuration in cleartext or in the reversible type 7 encoding, so treat configuration backups as sensitive. Here's a simple example of using 192.168.1.5 as a security server:

Switch(config)# aaa new-model
Switch(config)# tacacs-server host 192.168.1.5 key ThisPasswordIsSecret

Authentication Configuration

When you've enabled AAA and either defined a local username database or an external security server, you're ready to configure login authentication and how it should be performed. This is accomplished with the aaa authentication login command:

Switch(config)# aaa authentication login default|list_name method1 method2...

There are actually many things AAA can authenticate, but this book focuses only on login authentication using the aaa authentication login command. If you specify the default parameter, this list is used for all login authentication processes on the switch. Be aware that as soon as you enter aaa new-model, the login and password commands on your lines no longer control authentication; the default login list does, and until you define one, IOS falls back to the local username database. Create a username before enabling AAA over a remote session, or you can lock yourself out.
You can override this by specifying a list name and then, for a specific type of access, referencing the list for authentication, like this:

Switch(config)# aaa authentication login telnet group tacacs+
Switch(config)# line vty 0 4
Switch(config-line)# login authentication telnet

In this example, I'm overriding the default authentication process for VTY access by creating an aaa authentication login list named telnet and applying it to the VTYs with the login authentication command. The last thing you specify with the aaa authentication login command is how login authentication is checked. There are many methods, but I'm only going to cover three of them: local, group tacacs+, and group radius. If you specify local, the username commands are used to verify authentication. If you use group tacacs+ or group radius, the appropriate external AAA server is used. Please note that you can list more than one method. If more than one is listed, the switch processes them in the order you specified. The switch tries the first method and moves to the second only when the first cannot give an answer (the server is unreachable, or the local database has no such username). A method that rejects the credentials, a wrong password for instance, ends the process with a failed login; the switch does not go on to the next method, so a backup method never overrides a reachable server's decision. For example, you might list group tacacs+ and then local to specify that if the TACACS+ server isn't reachable, username commands on the switch should be used as a backup. Listing 10.5 shows a simple example.

Listing 10.5 AAA Authentication Example

Switch(config)# username administrator password cisco
Switch(config)# aaa authentication login telnet group tacacs+
Switch(config)# aaa authentication login default group tacacs+ local
Switch(config)# line vty 0 4
Switch(config-line)# login authentication telnet

In this example, the VTYs use TACACS+ to perform authentication. Any other form of access (such as the console) uses the default method list: try the TACACS+ server first, and if the server is unreachable, use the local username database. Notice what the telnet list does not have: a fallback. If the TACACS+ server is unreachable, no one can log in over the VTYs, and you must go to the console (which does fall back to local) to recover.

Authorization

Authorization is used to restrict what tasks a user can perform after he is authenticated.
The aaa authorization command is used. You can again enable authorization for many functions of the switch and router. However, I'm going to discuss only three of them. Here's the command you should use to enable authorization:

Switch(config)# aaa authorization exec|commands command_level|configuration default|list_name method1 method2...

Specifying the exec parameter has the switch verify whether the user is allowed to start an EXEC session at all (and which privilege level to place him in). The commands parameter has the switch ask the AAA server for permission before executing each command at the given privilege level; levels range from 0 to 15, where 1 is User EXEC and 15 is Privilege EXEC. Configuration-mode commands are covered by this check as well; that is the default, and no aaa authorization config-commands turns it off. You can assign commands to levels other than their defaults with the privilege command, but doing so is beyond the scope of this book. The configuration parameter does something different from what its name suggests: it authorizes the download of configuration from the AAA server rather than a user's entry into Configuration mode. The remainder of the command is the same as the aaa authentication login command, including the method list and its fallback behavior. Here's a simple authorization example:

Switch(config)# aaa authorization commands 15 default group tacacs+

In this example, every Privilege EXEC command, configuration commands included, must first be authorized by the configured TACACS+ server. With the list shown, an unreachable server means every command is denied, so add if-authenticated at the end if you need to keep working during an outage. Two more caveats: authorization is not applied to the console line unless you also enter aaa authorization console, and command authorization is only as good as the per-user command policy on the server, so define that policy before turning it on.

Accounting

AAA's accounting is used to keep track of what a user has done. Unlike authentication and authorization, accounting requires an external AAA security server; you can't record AAA events locally on the switch. Use the aaa accounting command to set up accounting:

Switch(config)# aaa accounting event_type default|list_name record_method group tacacs+|group radius

Table 10.2 lists the types of events that you can capture accounting information for. Please note that there are more events in addition to those listed, but Table 10.2 covers the most common ones.
There are three ways the event can be recorded, as shown in Table 10.3. After specifying the recording method, you need to specify the type of AAA server: RADIUS or TACACS+. Note that in this command the default keyword or list name comes before the recording method.

Here's a simple example of setting up accounting that sends a single record to a TACACS+ server whenever a system event takes place:

Switch(config)# aaa accounting system default stop-only group tacacs+
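The order-of-evaluation rule from the Authentication Configuration section (the next method is consulted only when the current one cannot answer, never when it rejects the credentials) is the same walk that aaa authorization performs over its method list, and it is the source of both the lockout in a list with no fallback and the false comfort of adding local behind a reachable server. The following Python simulation is an added example, not Cisco code; the TACACS+ server and the username database are constructed in-memory stand-ins, and the verdict names PASS, FAIL and ERROR are the ones Cisco's debug output uses.

```python
"""Simulate how IOS walks an AAA method list such as
'aaa authentication login default group tacacs+ local'.
Each method answers PASS, FAIL or ERROR. The switch moves on to the
next method only on ERROR (server unreachable, or no such user in the
local database); a FAIL (wrong password) ends the list immediately.
Added example with simulated servers; nothing on the network is contacted."""

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class LocalDatabase:
    """The switch's own 'username' commands (method 'local')."""

    def __init__(self, users):
        self.users = users          # {username: password}, constructed

    def check(self, user, password):
        if user not in self.users:
            return ERROR            # unknown user: IOS falls through to the next method
        return PASS if self.users[user] == password else FAIL


class TacacsGroup:
    """A simulated 'group tacacs+' server group (constructed, not a real server)."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def check(self, user, password):
        if not self.reachable:
            return ERROR            # no server answered: try the next method
        return PASS if self.users.get(user) == password else FAIL


class NoneMethod:
    """Method 'none': always succeeds. Only defensible as the last method on a
    physically secured console."""

    def check(self, user, password):
        return PASS


def run_method_list(methods, user, password):
    """Walk the list in order. Returns (verdict, name of the deciding method).
    If every method errors, IOS denies the login."""
    for name, method in methods:
        verdict = method.check(user, password)
        if verdict != ERROR:
            return verdict, name
    return FAIL, "no method could answer"


# Constructed data: the TACACS+ server knows 'alice'; the local database holds a
# break-glass account plus a stale copy of alice's old password.
SERVER_USERS = {"alice": "Tacacs-Only-Pw"}
LOCAL_USERS = {"administrator": "cisco", "alice": "Stale-Local-Pw"}


def scenario(server_up, method_names, user, password):
    """Build the named method list and run one login attempt through it."""
    table = {
        "group tacacs+": TacacsGroup(SERVER_USERS, reachable=server_up),
        "local": LocalDatabase(LOCAL_USERS),
        "none": NoneMethod(),
    }
    return run_method_list([(n, table[n]) for n in method_names], user, password)


if __name__ == "__main__":
    # Server up, stale local password offered: tacacs+ answers FAIL and local is never asked.
    print(scenario(True, ["group tacacs+", "local"], "alice", "Stale-Local-Pw"))
    # Server down: local decides, so the stale password now works. Keep local accounts current.
    print(scenario(False, ["group tacacs+", "local"], "alice", "Stale-Local-Pw"))
    # A list with no fallback while the server is down: everyone is locked out.
    print(scenario(False, ["group tacacs+"], "alice", "Tacacs-Only-Pw"))
```

The second scenario is the one to remember when you add local as a backup: whatever is in the username database becomes a valid credential the moment the server goes away, so a forgotten break-glass account with a weak password is a standing invitation to anyone who can make the server unreachable. The first scenario shows the mirror image: a reachable server's rejection is final, so listing local after it does not let a user try two passwords.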