Chapter 7
Network Management
AAA 305
– Authentication Options 307
– RADIUS and TACACS+ Overview 308
– RADIUS Authentication Process 309
– TACACS+ Authentication Process 310
– Configuring AAA 311
– Configuring RADIUS for Console and vty Access 311
– Configuring TACACS+ for Console and vty Access 312
– AAA Authorization 313
– AAA Accounting 314
– Limitations of TACACS+ and RADIUS 315
SNMP 336
– SNMP Overview 337
– SNMP Versions 339
– SNMP Best Practices 339
– SNMPv3 Configuration Example 340
– Verifying SNMP Version 3 Configuration 342
AAA
Password Only Method: easy to configure, but limited and does not scale well.
Local Database Method: provides greater security than a simple password, and is a cost-effective and easily implemented security solution. However, it also does not scale well, as the local database has to be replicated on several devices.
Solution?
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid
Using AAA
Accounting: What did you spend it on?
Local AAA Authentication
This method stores usernames and passwords locally on the Cisco router, and users authenticate against the local database.
– Also called “self-contained AAA”
The client establishes a connection with the router and enters a username and password.
Figure: ADMIN establishes an SSH connection (ADMIN / cisco123); the router prompts “Username / Password please …”; on success the router replies “Pass!” and shows the Router> prompt.
AAA Local Authentication
Configuring Local AAA Authentication
1. Add usernames and passwords to the local router database for users that need
administrative access to the router.
aaa new-model
Router(config)#
aaa new-model
CAUTION:
– Do not issue the command unless you are prepared to configure AAA authentication. It could force Telnet users to authenticate with a username, even if no username database or authentication method is configured.
aaa authentication login
– The list-name identifies the specific AAA authentication method list to apply to a line.
– Use default to apply the listed authentication methods to all lines, including console, VTY, and AUX.
– Define a list-name to apply specific authentication methods to a line using the login authentication list-name line configuration command.
– Up to four methods can be defined, providing fallback should one method not be available.
– When a user attempts to log in, the first method listed is used to authenticate the user. If there is no response, then (and only then) would the subsequent method be queried.
– If the authentication method denies user access, the authentication process stops and no other authentication methods are allowed.
Router(config)#
aaa authentication login {default | list-name} method1 … [method4]
Parameter – Description
default – Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name – Character string used to name the list of authentication methods activated when a user logs in.
method1 … [method4] – Identifies the list of methods that the AAA authentication process can query in the given sequence. At least one method must be specified and up to 4 methods can be specified.
local – The local database. The username is not case-sensitive but the password is.
local-case – The local database. The username and password are case-sensitive.
none – No authentication; the user would successfully authenticate. Use only in test or lab environments.
Configuring Local AAA Authentication
Server-Based AAA Authentication
This method requires the services of one or more AAA servers (e.g., Cisco Secure ACS) to manage the administrative access needs for an entire corporate network.
Server-Based AAA Authentication
Figure: ADMIN establishes an SSH connection to R1 (ADMIN / cisco123); R1 prompts “Username / Password please …” and forwards ADMIN / cisco123 to the RADIUS or TACACS+ server; the server answers “Pass!” and the user receives the Router> prompt.
TACACS+ and RADIUS
TACACS+ and RADIUS are protocols that are used to communicate between an AAA router and AAA servers.
TACACS+ Authentication
Figure: the user enters JR-ADMIN; the router forwards JR-ADMIN to the TACACS+ server, which replies with the password prompt to use; after the password is supplied, the server returns Accept/Reject.
RADIUS Authentication
Figure: the router prompts “Username?” and “Password?”; the user enters JR-ADMIN and Str0ngPa55w0rd; the router sends an Access-Request (JR-ADMIN, “Str0ngPa55w0rd”) to the RADIUS server, which replies Access-Accept.
TACACS+ vs. RADIUS
Developer:
• RADIUS – Livingston Enterprise; now an open/RFC standard.
• TACACS+ – Cisco proprietary.
Configuring Server-Based AAA Authentication
Configure TACACS Server Specifics
Commands will only appear if aaa new-model has been preconfigured.
Enhance TCP performance by having the TCP connection maintained for the life of the session.
Router(config-server-tacacs)#
single-connection
Configure the shared secret key to encrypt the data transfer between the
TACACS+ server and AAA-enabled router.
Router(config-server-tacacs)#
key secret-key
Configure RADIUS Server Specifics
By default, Cisco routers use UDP port 1645 for authentication and UDP port 1646 for accounting.
However, IANA has reserved port 1812 for authentication and port 1813 for accounting.
If a custom UDP port is desired, configure it with the port integer command.
Configure the shared secret key to encrypt the data transfer between the RADIUS
server and AAA-enabled router.
Router(config-radius-server)#
key secret-key
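What the shared secret configured with key secret-key actually protects in RADIUS. The following is an added Python example, not Cisco or vendor code: it builds a minimal Access-Request as defined in RFC 2865 and applies the User-Password hiding scheme (MD5 of the shared secret and the Request Authenticator, XORed block by block). Only the User-Password attribute is obscured; the User-Name and the other attributes are readable on the wire, which is worth keeping in mind when the two protocols are compared. The secret, the Request Authenticator and the NAS address are constructed values; the username and password are the ones used in the slides’ figures.

```python
"""RFC 2865 User-Password hiding between an AAA router (NAS) and a RADIUS server.

Added example, not Cisco or vendor code. It shows what the shared secret from
'key secret-key' protects in an Access-Request: only the User-Password
attribute is obscured; User-Name and the other attributes are cleartext.
All values in __main__ (secret, authenticator, NAS address) are constructed.
"""
import hashlib
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Obscure a password per RFC 2865 section 5.2 (1..128 octets)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS passwords are 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-octet multiple
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += chunk
        prev = chunk            # each ciphertext block keys the next one
    return out


def unhide_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse operation performed by the server; strips the zero padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding; Length includes the 2 header octets."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, request_authenticator, username, password, secret, nas_ip):
    """Assemble a minimal Access-Request: 20-octet header followed by attributes."""
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for the attributes after the header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    secret = b"Str0ngS3cret"                 # constructed shared secret
    authenticator = bytes(range(16))          # constructed; real ones are random per request
    pkt = build_access_request(7, authenticator, b"JR-ADMIN", b"Str0ngPa55w0rd", secret, "10.0.0.1")
    attrs = parse_attributes(pkt)
    print("User-Name on the wire:    ", attrs[ATTR_USER_NAME])           # readable
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())  # obscured
    print("Server recovers:          ", unhide_password(attrs[ATTR_USER_PASSWORD], secret, authenticator))
```

A protocol analyzer placed between the router and the server would show the User-Name attribute in full and only the User-Password attribute as opaque bytes; this is the reason RADIUS deployments depend on a strong, per-device shared secret and on keeping the AAA traffic on a protected management network.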
aaa authentication login
Along with the methods enable, local, local-case, and none, we can also specify TACACS+ or RADIUS servers.
Router(config)#
aaa authentication login {default | list-name} method1 … [method4]
Parameter – Description
default – Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name – Character string used to name the list of authentication methods activated when a user logs in.
method1 … [method4] – Identifies the list of methods that the AAA authentication process can query in the given sequence. At least one method must be specified and up to 4 methods can be specified.
Configuring Server-Based AAA Authentication
R1(config)#
R1(config)# aaa authentication login default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
R1(config)#
R1(config)# aaa authentication login default group tacacs+ group radius local-case
R1(config)#
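The fallback rule described for aaa authentication login (the next method is consulted only when the current one gives no response, while an explicit deny ends the process) and the local versus local-case distinction, worked through for the method list configured above. This is an added Python model, not Cisco code or output from the slides; ServerGroup and LocalDatabase are stand-ins invented for the example, and the server groups, the local user entries and the passwords are constructed sample data.

```python
"""Model of IOS AAA login method-list evaluation.

Added example (not Cisco code). It follows the rule stated on the slides: the
methods are queried in the listed order, the next method is consulted only
when the current one gives NO response (server unreachable), and an explicit
accept or deny stops the process. 'local' matches the username
case-insensitively, 'local-case' case-sensitively; the password is always
case-sensitive. 'none' performs no authentication at all (lab use only).
"""
from dataclasses import dataclass

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class ServerGroup:
    """Hypothetical stand-in for 'group tacacs+' or 'group radius'."""
    users: dict            # username -> password known to the server (constructed data)
    reachable: bool = True

    def authenticate(self, username, password):
        if not self.reachable:
            return NO_RESPONSE
        return ACCEPT if self.users.get(username) == password else REJECT


@dataclass
class LocalDatabase:
    """The router's own local username entries (constructed data)."""
    users: dict

    def authenticate(self, username, password, case_sensitive):
        for name, stored in self.users.items():
            if name == username or (not case_sensitive and name.lower() == username.lower()):
                return ACCEPT if stored == password else REJECT
        return REJECT


def evaluate(method_list, username, password, groups, local_db):
    """Return (outcome, deciding_method) for one login attempt."""
    for method in method_list:
        if method.startswith("group "):
            result = groups[method.split()[1]].authenticate(username, password)
        elif method in ("local", "local-case"):
            result = local_db.authenticate(username, password, method == "local-case")
        elif method == "none":
            result = ACCEPT
        else:
            raise ValueError(f"unknown method {method!r}")
        if result != NO_RESPONSE:
            return result, method           # accept or deny ends the process
    return REJECT, "no method responded"    # every method was silent: login fails


def demo():
    """Walk the slide's 'group tacacs+ group radius local-case' list through several cases."""
    method_list = ["group tacacs+", "group radius", "local-case"]
    local_db = LocalDatabase({"JR-ADMIN": "cisco123"})
    groups = {"tacacs+": ServerGroup({"JR-ADMIN": "Str0ngPa55w0rd"}),
              "radius": ServerGroup({"JR-ADMIN": "Str0ngPa55w0rd"})}
    results = {}
    results["tacacs_accepts"] = evaluate(method_list, "JR-ADMIN", "Str0ngPa55w0rd", groups, local_db)
    # An explicit deny from TACACS+ stops the process: RADIUS and local-case are never tried.
    results["tacacs_denies"] = evaluate(method_list, "JR-ADMIN", "wrong", groups, local_db)
    # Both servers unreachable: fall back to the local database.
    groups["tacacs+"].reachable = groups["radius"].reachable = False
    results["fallback_local"] = evaluate(method_list, "JR-ADMIN", "cisco123", groups, local_db)
    # local-case is case-sensitive on the username, local is not.
    results["local_case_wrong_case"] = evaluate(method_list, "jr-admin", "cisco123", groups, local_db)
    results["local_wrong_case"] = evaluate(["local"], "jr-admin", "cisco123", groups, local_db)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

The important operational consequence is visible in the second case: a wrong password against a reachable server is a deny, not a fallback, so the local database is only a safety net for when every server is silent.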
AAA Authorization
RADIUS does not separate the authentication process from the authorization process.
– Once a user is authenticated, that user has authorization.
AAA Authorization
The user enters the show version command. The AAA router requests command authorization from an AAA server to verify that the JR-ADMIN user has the authorization to use the show version command.
Figure: R1> show version; the router asks the TACACS+ server “Permit show version?”.
aaa authorization
Router(config)#
aaa authorization {network | exec | commands level} {default | list-name}
method1 … [method4]
Parameter – Description
network – For network services such as PPP.
Configuring Server-Based AAA Authorization
R1(config)#
R1(config)# aaa authorization exec default group ?
WORD Server-group name
ldap Use list of all LDAP hosts.
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
R1(config)#
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)#
Server-Based Accounting
With AAA accounting activated, the router reports user activity to the TACACS+ security server in the form of accounting records.
Server-Based AAA Accounting
Figure: JR-ADMIN logs in to R1 and runs show version; R1 sends accounting records to the RADIUS or TACACS+ server: User: JR-ADMIN, Start: 14:36:01 … User: JR-ADMIN, Stop: 14:45:41.
aaa accounting
Router(config)#
aaa accounting {network | exec | connection} {default | list-name}
{start-stop | stop-only | none} [broadcast] method1 … [method4]
Parameter – Description
network – Runs accounting for all network-related service requests, including PPP.
connection – Runs accounting on all outbound connections such as SSH and Telnet.
start-stop – Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process.
stop-only – Sends a "stop" accounting record for all cases including authentication failures.
Identity-Based Networking
Port-Based Authentication
The RADIUS security system with EAP extensions is the only supported authentication server.
802.1X Port-Based Authentication
Figure: the client and the switch exchange EAPOL frames; the switch relays EAP to the authentication server. EAPOL-Start → EAP-Request/Identity → … → Port Authorized; EAPOL-Logoff → Port Unauthorized.
Configuring IEEE 802.1X
1. Enable AAA:
Switch(config)# aaa new-model
aaa authentication dot1x
Parameter – Description
default – Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name – Character string used to name the list of authentication methods activated when a user logs in.
dot1x system-auth-control
authentication port-control
Commands will only appear if switchport mode access has been preconfigured.
Parameter – Description
force-authorized – (Default setting) Disables 802.1x port-based authentication and causes the port to allow normal traffic without authenticating the client.
force-unauthorized – Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate because the switch cannot provide authentication services. Can be enabled to prevent connections from any users on unauthorized ports.
IEEE 802.1X Configuration Example
Network Time Protocol
The system clock can be set using the clock set privileged EXEC command.
Some Cisco devices also have a battery-powered hardware clock that is configured using the calendar set hh:mm:ss <1-31> month year command.
How do you change the system clock on a device?
Network Time Protocol (NTP)
– Public key infrastructure X.509 certificates are valid for specific time periods.
Network devices synchronize their time using the Network Time Protocol (NTP).
– NTP clients poll NTP servers at intervals between 64 and 1024 seconds (about 1 minute to 17 minutes).
– NTP uses UDP port 123 and is documented in RFC 1305.
– Current versions include NTPv3 and NTPv4.
Network Time Protocol (NTP)
Broadcast / Multicast – Special “push” mode of NTP server where the local LAN is flooded with updates. Used only when time accuracy is imperative.
NTP Design Principles
Configuring NTP Master
Configuring NTP Server
Each router acts as both a client and a server with every other router.
As a best practice, two or three routers should be configured to synchronize their time with external time servers, to ensure redundancy towards the external time servers.
NTP in a Broadcast Network
Verifying NTP
The first column has flags that tell us the status of the association with each server:
• ~ means configured
• * means it is a peer
• + means it is a candidate
NTP Security
The time that a machine keeps is a critical resource, so the security features of NTP should be used to avoid the accidental or malicious setting of incorrect time. For example:
– Create an NTP access list restricting peers.
Configuring NTP Authentication
NTP Configuration Example
NTP Versions
Router(config)#
ntp server ipv6-address version 4
SNMP
Network Management Systems (NMSs) collect and process data using SNMP.
Network Management System (NMS)
– Intelligent notifications: includes configurable alerts that will respond to specific network scenarios by paging, emailing, calling or texting a network administrator.
Simple Network Management Protocol (SNMP)
Management Information Base (MIB)
Figure: SNMP operations between the SNMP Manager and the SNMP Agent:
• Manager → Agent: Get-Request, Get-Next-Request, Get-Bulk-Request, Set-Request
• Agent → Manager: Response, Trap, Inform-Request
• Inform-Request may also be sent to another Manager
• Report
SNMP Manager
http://www.kiwisyslog.com/products/kiwi-syslog-server/product-overview.aspx
SNMP Versions
SNMPv1 and SNMPv2 Security Concerns
Figure: Trap, Get-Request and Set-Request messages between agent and manager.
SNMPv3
Feature – Description
Message integrity and authentication – Ensures that a packet has not been tampered with in transit, and is from a valid source.
Access control – Restricts each principal to certain actions on specific portions of data.
SNMP Security Models
SNMPv1 and SNMPv2 use community strings as passwords to access SNMP agents.
– An SNMP read-only community string can be used to get information from an SNMP-enabled device.
– An SNMP read-write community string can be used to get and set information on an SNMP-enabled device.
Configuring SNMPv3
Configuring SNMPv3 – Identify Management Network
Configuring SNMPv3 – Configure a View
– Include only the MIB OIDs that are necessary for monitoring and managing the network.
– To identify the subtree, specify a name or a text string consisting of numbers (e.g., 1.3.6.2.4). Replace a single subidentifier with the asterisk (*) wildcard to specify a subtree family (e.g., 1.3.*.4).
– included adds to the view while excluded explicitly excludes from the view.
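How an agent evaluates an SNMPv3 view built from included and excluded subtrees, including the asterisk wildcard from the bullets above. This is an added Python model, not Cisco code: SnmpView, subtree_matches and the MONITOR view are assumptions made for the example, the OIDs are constructed sample input, and the longest-match rule for overlapping subtrees follows the VACM of RFC 3415.

```python
"""SNMPv3 view evaluation: included/excluded subtrees with the '*' wildcard.

Added example, not Cisco code. It models what 'snmp-server view' does when an
agent decides whether a requested OID is visible: each entry includes or
excludes a family of OIDs, a '*' in a subtree matches any single
sub-identifier at that position (the slide's 1.3.*.4), and when several
entries match, the most specific (longest) one wins, as in the VACM rules of
RFC 3415. The view contents and OIDs below are constructed sample data.
"""


def subtree_matches(subtree: str, oid: str) -> bool:
    """True when oid lies under subtree; '*' matches any one sub-identifier."""
    s, o = subtree.split("."), oid.split(".")
    if len(o) < len(s):
        return False                      # the OID is shorter than the subtree
    return all(a == "*" or a == b for a, b in zip(s, o))


class SnmpView:
    """Ordered list of (subtree, 'included' | 'excluded') entries."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []

    def add(self, subtree: str, action: str):
        if action not in ("included", "excluded"):
            raise ValueError("action must be 'included' or 'excluded'")
        self.entries.append((subtree, action))
        return self

    def allows(self, oid: str) -> bool:
        """Apply the longest matching subtree; no match at all means not visible."""
        best = None
        for subtree, action in self.entries:
            if subtree_matches(subtree, oid):
                if best is None or subtree.count(".") > best[0].count("."):
                    best = (subtree, action)
        return best is not None and best[1] == "included"


def monitoring_view() -> SnmpView:
    """A restricted view: mib-2 with the ip group taken out (constructed policy)."""
    return (SnmpView("MONITOR")
            .add("1.3.6.1.2.1", "included")        # mib-2
            .add("1.3.6.1.2.1.4", "excluded"))     # ip group hidden from this view


if __name__ == "__main__":
    view = monitoring_view()
    for oid in ("1.3.6.1.2.1.1.5.0", "1.3.6.1.2.1.4.20.1.1", "1.3.6.1.4.1"):
        print(oid, "visible" if view.allows(oid) else "hidden")
```

The excluded entry is more specific than the included one, so it wins for anything under the ip group while the rest of mib-2 stays visible; an OID outside every entry is hidden by default, which is the least-privilege behaviour the bullets above ask for.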
Configuring SNMPv3 – Configure a Group Specifics
Configuring SNMPv3 – Configure an SNMP User
Verify SNMPv3
Notice how the user information (snmp-server user BOB ADMIN v3 auth sha cisco12345 priv aes 128 cisco54321) is not displayed, for security purposes.
Verify SNMPv3
Use the show snmp user command to view the user information.
R1#
Verify that the SNMP manager can send get requests by using an SNMP management tool, such as ManageEngine’s SNMP MIB Browser.
Verify that the data was encrypted by running a protocol analyzer, such as Wireshark, and capturing the SNMP packets.
CCNP Switch, Chapter 7: Network Management