This section provides a short introduction to the AAA methodology and its implementation in Cisco equipment. We provide some examples of how this framework can be used to configure AAA on various Cisco devices.
The Authentication, Authorization, and Accounting methodology has been developed to control the levels of access to network resources dynamically, including the ability to monitor the network, enforce policies, account for network use, and provide information required to charge for network usage. You'll be hard pressed to find Cisco documentation that does not recommend the use of AAA, even for small-scale network infrastructure. We agree with that recommendation and suggest that you use the AAA principles as a foundation for secure and robust network deployment.
Cisco documentation outlines the following benefits of using the AAA framework:
Increased flexibility and control of access configuration
Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos
Multiple backup systems
Cisco software and equipment provide a good example of the corporation-wide enforcement of the AAA framework throughout various deployment layers of network infrastructure. All Cisco equipment can be configured to allow users to be authenticated, authorized, and accounted for from a centralized database using either RADIUS, TACACS+, or another method such as Kerberos. Cisco Systems has developed the following products to support the AAA infrastructure, ranging from user-end Network Authentication Server (NAS) equipment to network-end routers and switches:
Cisco CNS Access Registrar
Cisco CNS Network Registrar
Cisco Global Roaming Server Software
Cisco Secure Access Control Server
Cisco Secure Access Control Server Solution Engine
Cisco Secure User Registration Tool
These products are discussed in greater detail in the following sections.
All the Cisco devices ranging from SOHO equipment to high-end industry firewall, switch, and router appliances support AAA services. Configuring AAA for the client side is relatively simple and very similar throughout various equipment types. To enable security on a Cisco router or firewall using AAA, follow this process:
Enable AAA by using the aaa new-model global configuration command.
If you would like to use a separate AAA server, configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos in line with your needs.
Define the method lists for authentication by using an aaa authentication command.
Apply the method lists to a particular interface or line, if required.
Configure authorization using the aaa authorization command.
Configure accounting using the aaa accounting command.
Do not forget to create a local user database on the device with a username <name> password <password> string and set it as a second selection after RADIUS/TACACS+ in your aaa authentication command (option local). This will save you a lot of trouble should the central authentication server fail.
If you can afford it, it is a good idea to have a backup central authentication server running a redundancy protocol, such as Virtual Router Resilience Protocol (VRRP), between itself and the main authentication server.
Unfortunately, the scope of this chapter does not allow for in-depth coverage of command line interface (CLI) commands for the AAA framework. For the description of the used commands and their complete implementation, please refer to the "Authentication Commands" chapter of the Cisco IOS Security Command Reference.
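The configuration process above, including the local fallback recommended after the numbered steps, can be checked mechanically. The following is an added example, not code from the original text or from Cisco: a short Python audit that reads an IOS configuration and reports which AAA steps are missing. The sample configuration is constructed; the account name, the 192.0.2.10 server address and the <password> and <shared-key> placeholders are assumptions, and the function name audit_aaa is hypothetical.

```python
import re

# Constructed sample configuration (not from the original page). The server
# address, key and credentials are placeholders.
SAMPLE_CONFIG = """\
aaa new-model
username netadmin password <password>
tacacs-server host 192.0.2.10
tacacs-server key <shared-key>
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 login authentication default
"""

def audit_aaa(config):
    """Return findings for missing AAA steps; an empty list means none."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is not enabled")
    # A local account must exist for the 'local' fallback to be usable.
    local_user = any(re.match(r"username \S+ .*\b(password|secret) \S", ln)
                     for ln in lines)
    login_lists = [ln.split() for ln in lines
                   if ln.startswith("aaa authentication login ")]
    if not login_lists:
        findings.append("no aaa authentication login method list")
    for tokens in login_lists:
        if len(tokens) < 5:
            continue  # incomplete command, nothing to evaluate
        name, methods = tokens[3], tokens[4:]
        if "group" in methods:
            # Methods listed after "group <server-group>" are the fallbacks.
            fallbacks = methods[methods.index("group") + 2:]
            if not {"local", "local-case"} & set(fallbacks):
                findings.append(f"login list '{name}' has no local fallback")
            elif not local_user:
                findings.append(f"login list '{name}' needs a local username")
    for feature in ("authorization", "accounting"):
        if not any(ln.startswith(f"aaa {feature} ") for ln in lines):
            findings.append(f"aaa {feature} is not configured")
    return findings

if __name__ == "__main__":
    print(audit_aaa(SAMPLE_CONFIG) or "all AAA steps present")
```

Run against a saved running configuration, a finding about the local fallback means a failure of the central authentication server would lock administrators out of the device.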
Cisco CNS Access Registrar is a RADIUS-compliant access policy server designed to support AAA for delivery of dial, Integrated Services Digital Network (ISDN), cable, Digital Subscriber Line (DSL), wireless, and Voice over IP (VoIP) communications. Cisco CNS Access Registrar provides carrier-class performance and scalability as well as the extensibility required for integration with evolving service management systems. Cisco Access Registrar from version 3.0 also has the ability to make real-time AAA requests to billing systems to support the prepaid applications market such as wireless hotspots.
Following are some of the features of CNS Access Registrar:
Oracle database support via Open Database Connectivity (ODBC)
Enhanced configuration interface with
Automatic command completion
Context-sensitive list of options
Recall of values for speedy editing
Faster and easier user return-attribute configuration
Faster and easier check-items configuration
Detailed configuration-error messages
Prefix rule in policy engine
Lightweight Directory Access Protocol (LDAP) directory rebind
Increased multivendor support
Time-based accounting file rollover
Optimized accounting-request handling, including improved algorithms for handling duplicate accounting requests containing Acct-Delay-Time.
Cisco Access Registrar software runs on Sun Solaris/SPARC hardware with Solaris 7/8 installed.
Cisco CNS Network Registrar is a full-featured DNS/DHCP system that provides scalable naming and addressing services for enterprise and service-provider networks. For cable ISPs, Cisco CNS Network Registrar additionally provides scalable DNS and Dynamic Host Configuration Protocol (DHCP) services and forms the basis of a Data Over Cable Service Interface Specification (DOCSIS) cable modem provisioning system.
Cisco CNS Network Registrar includes a standards-compliant DNS server that offers an advanced feature set, including support for incremental zone transfers, dynamic updates, and notify. The Cisco CNS Network Registrar DHCP server supports DHCP Safe Failover (redundant DHCP servers), dynamic DNS updates, DOCSIS cable modems, and integration with directory services using LDAPv3. CNS Network Registrar is available for Solaris 8/9, Windows 2000 servers, and various Linux platforms.
CiscoSecure Global Roaming Server (GRS) is a specialized security software solution for AAA. CiscoSecure GRS turns existing dial-in infrastructures into virtual Points of Presence (PoPs). Using GRS, a network access provider can offer wholesale dial access services such as Internet roaming, intranet roaming (roaming virtual private dial network [VPDN]), and VPDN access. At the time of writing, the CiscoSecure GRS software is supported only on the SPARC Solaris platform. More information about this software platform can be found at http://www.cisco.com/en/US/products/sw/secursw/ps2109/index.html.
This section highlights various Cisco access server models used for dial-in authentication and authorization for both RADIUS and TACACS+. You'll find several access server platforms manufactured by Cisco. Access server models usually start with AS followed by a four-digit number, depending on the capabilities of the required platform. For instance, an AS5800 series gateway is the highest capacity and a high availability product from the Cisco access server types. This platform is designed to meet the demands of large, dynamic service providers, supporting up to 5 channelized T3s (CT3s), 96 T1s, 86 E1s, or 2 STM-1 (108 E1s) of data, voice, and fax services, on any port at any time supporting up to 3360 concurrent users. By contrast, the Cisco AS5350 gateway is a cost-effective platform that supports 2-, 4-, or 8-port T1/7-port E1 configurations and provides universal port data, voice, and fax services on any port at any time. The AS5350 has a modular design and is ideally suited for smaller scale ISPs and enterprise companies. The midrange AS5400 series access server is an ideal solution for dial-in access of the medium-size organization that does not require the performance of a high-scale solution such as AS5800.
Cisco's deployment of the AAA server platform comes in two variants. One is implemented in software, which is available for both Windows and UNIX platforms, named Cisco Secure Access Control Server (ACS).
The other type of ACS is a highly scalable hardware platform called Cisco Secure Access Control Server Solution Engine. It feeds authentication, authorization, and accounting data from a centralized RADIUS or TACACS+ protocol. The hardware engine helps to ensure enforcement of assigned policies by allowing network administrators to control the following:
Who can log into the network
The privileges each user has in the network
Recorded security audit or account billing information
Access and command controls that are enabled for each configuration's administrator
The hardware engine has the following specifications:
CPU: Intel Pentium 4 3.2 GHz
Memory: 1GB of RAM
Hard Drive: 80GB of free disk space
Network: Two built-in 10/100 Ethernet controllers and floppy disk drive
Cisco User Registration Tool (URT) is a dynamic authorization and policy control tool that manages access to LAN resources by splitting user traffic through VLANs. It provides increased LAN security by identifying and authenticating users as they start accessing the network. Cisco URT associates users to the network resources they are authorized to use by dynamically assigning them to their appropriate VLAN. Cisco URT can monitor and manage user identification, locations, and access times and allow users to be mobile throughout the organization and securely access their resources and services from any available network port.
From version 2.5 and upward, URT introduces a web front-end client and RADIUS-based back-end authentication infrastructure, making it suitable for an extended range of customer network sizes and applications. The administration server of URT is available for a range of Windows servers, while the front-end client software is available for Windows, Linux, and MacOS platforms.
To get a better understanding of how AAA methodology works in practice, take a look at Figure 2-1. Here, clients connect to an ISP using a dial-up or similar method. The NAS server requests authentication credentials from users and passes them to the RADIUS/TACACS+ ACS server. After successful authorization, the NAS equipment grants the clients access to the network resources. If accounting functionality has been enabled, the NAS equipment sends all necessary details to the ACS accounting server to monitor the clients' network usage.