This section provides a short introduction to the AAA methodology and its implementation in Cisco equipment. We provide some examples of how this framework can be used to configure AAA on various Cisco devices.

Overview of AAA Methodology

The Authentication, Authorization, and Accounting methodology was developed to control levels of access to network resources dynamically, including the ability to monitor the network, enforce policies, account for network use, and provide the information required to charge for network usage. You'll be hard-pressed to find Cisco documentation that does not recommend the use of AAA, even for small-scale network infrastructure. We agree with that recommendation and suggest that you use the AAA principles as a foundation for secure and robust network deployment.

Cisco documentation outlines the following benefits of using the AAA framework:

  • Increased flexibility and control of access configuration

  • Scalability

  • Standardized authentication methods, such as RADIUS, TACACS+, and Kerberos

  • Multiple backup systems

Cisco and AAA

Cisco software and equipment provide a good example of corporation-wide enforcement of the AAA framework throughout the various deployment layers of network infrastructure. All Cisco equipment can be configured in such a way as to allow users to be authenticated, authorized, and accounted for from a centralized database using RADIUS, TACACS+, or another method such as Kerberos. Cisco Systems has developed the following products to support the AAA infrastructure, ranging from user-end Network Authentication Server (NAS) equipment to network-end routers and switches:

  • Cisco CNS Access Registrar

  • Cisco CNS Network Registrar

  • Cisco Global Roaming Server Software

  • Cisco Secure Access Control Server

  • Cisco Secure Access Control Server Solution Engine

  • Cisco Secure User Registration Tool

These products are discussed in greater detail in the following sections.

Cisco Client AAA Subsystem

All Cisco devices, ranging from SOHO equipment to high-end enterprise firewall, switch, and router appliances, support AAA services. Configuring AAA on the client side is relatively simple and very similar across the various equipment types. To enable security on a Cisco router or firewall using AAA, follow this process:

  1. Enable AAA by using the aaa new-model global configuration command.

  2. If you would like to use a separate AAA server, configure the security protocol parameters for that server (RADIUS, TACACS+, or Kerberos) according to your needs.

  3. Define the method lists for authentication by using an aaa authentication command.

  4. Apply the method lists to a particular interface or line, if required.

  5. Configure authorization using the aaa authorization command.

  6. Configure accounting using the aaa accounting command.

  7. Do not forget to create a local user database on the device with a username <name> password <password> string and set it as the second selection after RADIUS/TACACS+ in your aaa authentication command (the local option). This will save you a lot of trouble should the central authentication server fail.
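
The seven steps above, carried through as one IOS configuration. This is an added example, not a configuration from the book; it assumes a router administered over SSH, two TACACS+ servers on the placeholder addresses 192.0.2.10 and 192.0.2.11, and placeholder secrets in angle brackets that you must replace with your own values.

```cisco
! Added example (not from the book): TACACS+-backed AAA for device
! administration with a local fallback account. Addresses, key and
! passwords below are placeholders, not values from the text.
!
! Step 1: switch the device to the AAA command set
aaa new-model
!
! Step 7 (done early so the fallback exists before any list is applied):
! local account consulted only when no TACACS+ server answers
username admin privilege 15 secret <local-password>
enable secret <enable-password>
!
! Step 2: security protocol parameters for the central servers
tacacs-server host 192.0.2.10 key <shared-secret>
tacacs-server host 192.0.2.11 key <shared-secret>
tacacs-server timeout 5
!
! Step 3: named method lists for login and enable authentication;
! "local" / "enable" are the second selection, tried only on server failure
aaa authentication login ADMIN group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Step 5: authorization for the exec shell and privilege-15 commands
aaa authorization exec ADMIN group tacacs+ local
aaa authorization commands 15 ADMIN group tacacs+ local
!
! Step 6: accounting records for sessions and privileged commands
aaa accounting exec ADMIN start-stop group tacacs+
aaa accounting commands 15 ADMIN start-stop group tacacs+
!
! Step 4: apply the named lists to the VTY lines
line vty 0 4
 login authentication ADMIN
 authorization exec ADMIN
 authorization commands 15 ADMIN
 accounting exec ADMIN
 accounting commands 15 ADMIN
 transport input ssh
```

Two practical points. First, the local method in a list such as group tacacs+ local is consulted only when every server in the group fails to respond; an explicit rejection from a TACACS+ server is final and does not fall through to the local database, so the fallback covers server outages, not bad passwords. Second, keep an existing console session open while applying the lists to the VTY lines, and confirm the server path with test aaa group tacacs+ <user> <password> legacy (or debug aaa authentication) before closing it, so that a typo in a list or key cannot lock you out. Substituting group radius for group tacacs+ (with the corresponding radius-server host entries) gives the RADIUS equivalent.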


If you can afford it, it is a good idea to have a backup central authentication server running a redundancy protocol, such as the Virtual Router Redundancy Protocol (VRRP), between itself and the main authentication server.

Unfortunately, the scope of this chapter does not allow for in-depth coverage of the command-line interface (CLI) commands of the AAA framework. For descriptions of the commands used here and their complete syntax, please refer to the "Authentication Commands" chapter of the Cisco IOS Security Command Reference.

Cisco CNS Access Registrar

Cisco CNS Access Registrar is a RADIUS-compliant access policy server designed to support AAA for the delivery of dial, Integrated Services Digital Network (ISDN), cable, Digital Subscriber Line (DSL), wireless, and Voice over IP (VoIP) communications. Cisco CNS Access Registrar provides carrier-class performance and scalability as well as the extensibility required for integration with evolving service management systems. From version 3.0, Cisco Access Registrar can also make real-time AAA requests to billing systems to support prepaid applications such as wireless hotspots.

Following are some of the features of CNS Access Registrar:

  • Oracle database support via Open Database Connectivity (ODBC)

  • Prepaid billing

  • EAP-MD5 support

  • Enhanced configuration interface with:

    • Automatic command completion

    • Context-sensitive list of options

    • Recall of values for speedy editing

    • Faster and easier user return-attribute configuration

    • Faster and easier check-items configuration

    • Detailed configuration-error messages

  • Prefix rule in policy engine

  • Lightweight Directory Access Protocol (LDAP) directory rebind

  • Increased multivendor support

  • Time-based accounting file rollover

  • User-password overriding

  • Optimized accounting-request handling, including improved algorithms for handling duplicate accounting requests containing Acct-Delay-Time

Cisco Access Registrar software runs on Sun SPARC hardware with Solaris 7 or 8 installed.

Cisco CNS Network Registrar

Cisco CNS Network Registrar is a full-featured DNS/DHCP system that provides scalable naming and addressing services for enterprise and service-provider networks. For cable ISPs, Cisco CNS Network Registrar additionally provides scalable DNS and Dynamic Host Configuration Protocol (DHCP) services and forms the basis of a Data Over Cable Service Interface Specification (DOCSIS) cable modem provisioning system.

Cisco CNS Network Registrar includes a standards-compliant DNS server that offers an advanced feature set, including support for incremental zone transfers, dynamic updates, and DNS NOTIFY. The Cisco CNS Network Registrar DHCP server supports DHCP Safe Failover (redundant DHCP servers), dynamic DNS updates, DOCSIS cable modems, and integration with directory services using LDAPv3. CNS Network Registrar is available for Solaris 8/9, Windows 2000 servers, and various Linux platforms.

CiscoSecure Global Roaming Server Software

CiscoSecure Global Roaming Server (GRS) is a specialized security software solution for AAA. CiscoSecure GRS turns existing dial-in infrastructures into virtual Points of Presence (PoPs). Using GRS, a network access provider can offer wholesale dial access services such as Internet roaming, intranet roaming (roaming virtual private dial network [VPDN]), and VPDN access. At the time of writing, the CiscoSecure GRS software is supported only on the SPARC Solaris platform. More information about this software platform can be found at .

Cisco Access Server-Based AAA Subsystem

This section highlights the various Cisco access server models used for dial-in authentication and authorization with both RADIUS and TACACS+. Cisco manufactures several access server platforms. Access server model names usually start with AS followed by a four-digit number that reflects the capabilities of the platform. For instance, the AS5800 series gateway is the highest-capacity, high-availability product in the Cisco access server range. This platform is designed to meet the demands of large, dynamic service providers, supporting up to 5 channelized T3s (CT3s), 96 T1s, 86 E1s, or 2 STM-1 (108 E1s) of data, voice, and fax services on any port at any time, and up to 3360 concurrent users. By contrast, the Cisco AS5350 gateway is a cost-effective platform that supports 2-, 4-, or 8-port T1 or 7-port E1 configurations and provides universal-port data, voice, and fax services on any port at any time. The AS5350 has a modular design and is ideally suited to smaller-scale ISPs and enterprise companies. The midrange AS5400 series access server is an ideal solution for dial-in access in a medium-size organization that does not require the performance of a high-scale solution such as the AS5800.

Cisco Secure Access Control Server

Cisco's AAA server platform comes in two variants. The first, Cisco Secure Access Control Server (ACS), is implemented in software and is available for both Windows and UNIX platforms.

The other variant is a highly scalable hardware platform called Cisco Secure Access Control Server Solution Engine. It serves authentication, authorization, and accounting data from a centralized server using the RADIUS or TACACS+ protocol. The hardware engine helps to ensure enforcement of assigned policies by allowing network administrators to control the following:

  • Who can log into the network

  • The privileges each user has in the network

  • Recorded security audit or account billing information

  • The access and command controls enabled for each configuration administrator

The hardware engine has the following specifications:

  • CPU: Intel Pentium 4 3.2 GHz

  • Memory: 1GB of RAM

  • Hard Drive: 80GB of free disk space

  • Network and I/O: Two built-in 10/100 Ethernet controllers and a floppy disk drive

Cisco Secure User Registration Tool

Cisco User Registration Tool (URT) is a dynamic authorization and policy control tool that manages access to LAN resources by segregating user traffic into VLANs. It increases LAN security by identifying and authenticating users as they start accessing the network. Cisco URT associates users with the network resources they are authorized to use by dynamically assigning them to the appropriate VLAN. Cisco URT can monitor and manage user identities, locations, and access times, and allows users to be mobile throughout the organization and securely access their resources and services from any available network port.

From version 2.5 and upward, URT introduces a web front-end client and RADIUS-based back-end authentication infrastructure, making it suitable for an extended range of customer network sizes and applications. The administration server of URT is available for a range of Windows servers, while the front-end client software is available for Windows, Linux, and MacOS platforms.

To get a better understanding of how the AAA methodology works in practice, take a look at Figure 2-1. Here, clients connect to an ISP using dial-up or a similar method. The NAS requests authentication credentials from the users and passes them to the RADIUS/TACACS+ ACS server. After successful authorization, the NAS equipment grants the clients access to the network resources. If accounting functionality has been enabled, the NAS equipment sends all necessary details to the ACS accounting server so that the clients' network usage can be monitored.

Figure 2-1: Typical AAA network security configuration

Hacking Exposed Cisco Networks: Cisco Security Secrets & Solutions
ISBN: 0072259175
Year: 2005