Client Configuration


Numerous network and security devices have become part of the Cisco product family through acquisitions, so you might encounter several different operating systems across Cisco platforms. Because the operating systems differ, so does the configuration of AAA on each platform.

To begin configuring devices for AAA, ACS needs at least one AAA client entry covering every network device it must communicate with. Likewise, you need to configure those network devices to communicate with ACS.

To add an AAA client to the ACS database and enable communications using the TACACS+ or RADIUS protocols, you use the following steps. After you have completed the following steps for an AAA client, you can then configure that AAA client using the appropriate commands to communicate as well.

Step 1.

Select Network Configuration.

Step 2.

Select the NDG that you place this device in. You should already be able to configure NDGs.

Step 3.

Select Add Entry under the AAA client table.

Step 4.

Enter the host name of the AAA client, or if this is going to be a group of devices, enter a name that makes it easily recognizable.

NOTE

The use of the word group in the preceding step does not mean an NDG; instead, it means the ability to specify more than one IP address in an entry.

As you can see in Figure 9-16, the host name is set to EAST_COAST_RTRs.

Figure 9-16. Adding AAA Clients


Step 5.

Enter the IP addresses of each router that is an AAA client to ACS, one per line (use the Enter key to delimit them). Although you lose some management visibility by placing more than one AAA client in a single entry, this is helpful when adding hundreds or thousands of clients. Wildcards per octet and numeric ranges per octet are also legal. For example, a valid entry would be 10.1.80.* or 10.1.0.12-36.

Step 6.

Enter a secret key to be used for encryption. In this configuration, every router in the entry needs this same key configured, so a key recovered from any one of those routers is valid for all of them. This is not necessarily the best security practice.

Step 7.

Select Submit + Restart.

Upon completion of this configuration, you have a number of devices defined in ACS as AAA clients.
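As an added example (not from the book), the following Python models the address patterns Step 5 accepts, a wildcard or a numeric range per octet, and looks up which ACS client entry, and therefore which key, covers a given router; the entry names, addresses and keys are constructed for the example.

```python
import ipaddress
import re

# Constructed ACS AAA-client entries in the shape the steps above describe:
# a host name, one address pattern per line of the ACS form, and the key.
# Names, addresses and keys are made up for this example.
ACS_CLIENTS = {
    "EAST_COAST_RTRs": {"addresses": ["10.1.80.*", "10.1.0.12-36"], "key": "east-key-1"},
    "CORE_RTR1": {"addresses": ["10.1.0.20"], "key": "core-key-1"},
}

_OCTET = re.compile(r"^(?:\*|(\d{1,3})(?:-(\d{1,3}))?)$")

def octet_matches(pattern, value):
    """True if one octet pattern ('*', 'n' or 'n-m') covers the integer value."""
    m = _OCTET.match(pattern)
    if not m:
        raise ValueError(f"bad octet pattern: {pattern!r}")
    if pattern == "*":
        return True
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range out of order or out of bounds: {pattern!r}")
    return lo <= value <= hi

def address_matches(pattern, ip):
    """Match a dotted pattern such as 10.1.80.* or 10.1.0.12-36 against an IPv4 address."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"pattern must have four octets: {pattern!r}")
    octets = ipaddress.IPv4Address(ip).packed  # four ints, one per octet
    return all(octet_matches(p, o) for p, o in zip(parts, octets))

def clients_for(ip, clients=ACS_CLIENTS):
    """Names of every ACS client entry whose address list covers this router."""
    return [name for name, c in clients.items()
            if any(address_matches(p, ip) for p in c["addresses"])]

def key_for(ip, clients=ACS_CLIENTS):
    """The key a router must carry to talk to ACS; exactly one entry must claim it."""
    names = clients_for(ip, clients)
    # No match: ACS has no client entry for this device. More than one: the
    # grouped entries overlap, and the key the router needs is ambiguous.
    if len(names) != 1:
        raise LookupError(f"{ip} matched {len(names)} ACS client entries: {names}")
    return clients[names[0]]["key"]
```

In the constructed data 10.1.0.20 falls inside both entries, which is exactly the loss of visibility that grouped entries cause; the lookup refuses to guess which key applies.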

The next step would be to configure the AAA client devices, as discussed in the following subsections.

Cisco IOS Routers

To configure a Cisco router for AAA, follow these steps:

Step 1.

Begin your router configuration by enabling AAA with this command:

    aaa new-model

Step 2.

To add an AAA server to a Cisco IOS router using TACACS+, use the following configuration commands in global configuration mode:

    tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

or

    tacacs-server host ip_address [single-connection] [port integer] [timeout integer] [key string]

You can use the no form of the command in the previous step sequence to delete the specified name or address. This is seen in Example 9-1.

Example 9-1. Removing a TACACS Server

    no tacacs-server host hostname

Note that the single-connection switch in the configuration command is optional and specifies that the router keeps a single open connection for confirmation from an AAA/TACACS+ server. This command fails if ACS is not running.

You can optionally define a port number using the port tag. This option then overrides the default port 49. If the port is changed on the router, it needs to be changed on the server as well. You also have the capability of specifying a timeout on the router using the timeout tag. This overrides the timeout only for this server.

The key that you can optionally define is an authentication and encryption key. This must match the key used by the TACACS+ daemon in ACS that you define in the AAA client configuration. Specifying this key overrides the key set by the global command tacacs-server key for this server only. This command was first available in Cisco IOS Release 10.0. The Cisco IOS Software searches for hosts in the order in which you specify them. Therefore, you have the ability to define multiple TACACS+ servers.

You use only the single-connection, port, timeout, and key options when running an AAA/TACACS+ server. In RADIUS, there is no connection, so these options are not available. Also, because some of the parameters of the tacacs-server host command can be modified to override global settings made by the tacacs-server timeout and tacacs-server key commands, you can use this command to enhance security on your network by creating a unique policy on each device in your network. As seen in Example 9-2, each tag changes all aspects of the TACACS server 10.1.1.1.

Example 9-2. Defining Additional TACACS+ Options

    tacacs-server host 10.1.1.1 single-connection port 789 timeout 5 key mykey
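An added Python example, not from the book, that reads a constructed IOS snippet and resolves the effective port, timeout and key for each tacacs-server host line, applying the per-host override rule described above; the hosts and keys are made up.

```python
import re

# Constructed IOS snippet, not from the book: a global key and timeout plus
# three TACACS+ servers, two of which override parts of the global settings.
IOS_CONFIG = """\
aaa new-model
tacacs-server key globalkey
tacacs-server timeout 10
tacacs-server host 10.1.1.1 single-connection port 789 timeout 5 key mykey
tacacs-server host 10.1.1.2 key otherkey
tacacs-server host 10.1.1.3
"""

DEFAULT_PORT = 49  # TACACS+ default, overridden per host by the port tag

def resolve_tacacs_servers(config):
    """Servers in search order, each with the settings that actually apply to it.

    A per-host port, timeout or key tag overrides the global tacacs-server
    timeout / tacacs-server key for that host only; a host without the tag
    inherits the global value (or the default port), whatever the line order.
    """
    global_key, global_timeout, servers = None, None, []
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"^tacacs-server key (\S+)$", line):
            global_key = m.group(1)
        elif m := re.match(r"^tacacs-server timeout (\d+)$", line):
            global_timeout = int(m.group(1))
        elif m := re.match(r"^tacacs-server host (\S+)(.*)$", line):
            host, rest = m.groups()
            port = re.search(r"\bport (\d+)", rest)
            timeout = re.search(r"\btimeout (\d+)", rest)
            key = re.search(r"\bkey (\S+)", rest)
            servers.append({
                "host": host,
                "single_connection": re.search(r"\bsingle-connection\b", rest) is not None,
                "port": int(port.group(1)) if port else DEFAULT_PORT,
                "timeout": int(timeout.group(1)) if timeout else None,  # None: use global
                "key": key.group(1) if key else None,                   # None: use global
            })
    for s in servers:  # fill in inherited values after the whole config is read
        s["timeout"] = global_timeout if s["timeout"] is None else s["timeout"]
        s["key"] = global_key if s["key"] is None else s["key"]
    return servers

def hosts_without_key(config):
    """Hosts that end up with no key at all: no per-host key and no global key."""
    return [s["host"] for s in resolve_tacacs_servers(config) if s["key"] is None]
```

A timeout of None in the result means neither a per-host nor a global timeout was set, so the IOS default applies.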

When you use RADIUS, both sets of ports, 1645/1646 and 1812/1813, are in use on ACS. Also, if you use the host name in the command statement, you need to have DNS resolution enabled. To add AAA to a Cisco IOS router using the RADIUS protocol, use the following configuration command in global configuration mode:

    radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

Cisco IOS Switches

To add an AAA server to a Cisco IOS switch using TACACS+, add the following configuration commands in global configuration mode:

    tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]

or

    tacacs-server host ip_address [single-connection] [port integer] [timeout integer] [key string]

Note that this command and arguments are similar to the router configurations.

To add an AAA server to a Cisco IOS switch using RADIUS, add the following configuration commands in global configuration mode:

    radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string]

Note again that this command and arguments are similar to the router configurations.

Cisco Set-Based Switches

To add an AAA server to a Cisco set-based switch using TACACS+, add the following commands into enable mode:

    set tacacs server ip_address primary
    set tacacs key key
    set tacacs attempts n
    set tacacs timeout n

To add an AAA server to a Cisco set-based switch using RADIUS, add the following commands into enable mode:

    set radius server ip_address primary
    set radius key key
    set radius attempts n
    set radius timeout n

Cisco PIX Firewalls

To add an AAA server to a Cisco PIX Firewall using TACACS+, add the following commands in configuration mode:

    aaa-server MYACS protocol TACACS+
    aaa-server MYACS (interface_name) host 10.1.1.1 secretkey

To add an AAA server to a Cisco PIX Firewall using RADIUS, add the following commands in configuration mode:

    aaa-server MYACS protocol RADIUS
    aaa-server MYACS (interface_name) host 10.1.1.1 secretkey

Cisco 3000 Series VPN Concentrators

To add an AAA server to a Cisco 3000 series virtual private network (VPN) concentrator for administrator authentication using the TACACS+ protocol, follow these steps:

Step 1.

Select Administration > Access-Rights > AAA Servers > Authentication.

Step 2.

Select Add in the right panel.

Step 3.

Enter the server IP, port, timeout, retries, and server secret.

Step 4.

Select Add.

NOTE

You can use TACACS+ only for administrative authentication on the 3000 series concentrators. This discussion is beyond the scope of this book. For user authentication, use a RADIUS server.


To add an AAA server to a Cisco 3000 series VPN concentrator for user authentication using the RADIUS protocol, follow these steps:

Step 1.

Select Configuration > System > Servers > Authentication > Add.

Step 2.

Select RADIUS as the server type.

Step 3.

Enter the IP address of the RADIUS server, the server port, timeout, retries, and server secret.

Step 4.

Select Add.

Cisco Wireless Access Points

To add an AAA server to a Cisco Wireless access point, follow these steps:

Step 1.

From the Summary Status page, click Setup.

Step 2.

In the Services menu, click Security.

Step 3.

Click Authentication Server.

Step 4.

Select the version of 802.1x to run on this Access Point (AP) in the 802.1x Protocol Version drop-down menu. Please note that Draft 7 is no longer supported.

Step 5.

Configure the server IP, server type, port, shared secret, Retran_Int, and Max Retran.

Step 6.

Select EAP Authentication.

Step 7.

Select OK.

Although many other devices in the Cisco product line support TACACS+ or RADIUS, it is beyond the scope of this book to give explicit examples for each device. The intent here is to give an understanding of some common network devices and their configurations. For more information on configuring TACACS+ or RADIUS on a device that is not listed here, please see the Cisco website.




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173
