Professional Documents
Culture Documents
FNS10 Mod04
FNS10 Mod04
following tasks:
• Describe the components of a basic AAA implementation.
• Configure a perimeter router for AAA using a local database.
• Test the perimeter router AAA implementation using applicable
debug commands.
• Describe the features and architecture of Cisco Secure ACS 3.0 for
Windows NT or Windows 2000.
• Configure Cisco Secure ACS for Windows NT or Windows 2000 to
perform AAA functions.
• Describe the features and architecture of Cisco Secure ACS 2.3 for
UNIX.
• Configure the network access server to enable AAA processes to
use a TACACS remote service.
• AAA
• NAS
• TACACS+
• RADIUS
• OTP
• Kerberos
• LDAP
PSTN/ISDN
Corporate
Console file server
Remote client
(Cisco VPN Client)
Internet
Cisco Secure ACS
Router appliance
Remote client
Perimeter
router
1
2
3
Perimeter
router
Cisco Secure
1 2
ACS
3
4 Cisco Secure
Remote client ACS appliance
• Generated by S/Key
308202A8 30820211 A0030201 02020438
0500301B 310B3009 06035504 06130255
1E170D39 39313032 32313730 3634375A
S/Key
S/Key passwords Workstation password
(clear text)
© 2003, Cisco Systems, Inc. All rights reserved. FNS 1.0—4-15
Authentication—
Token Cards and Servers
1. 2.
3. 4.
(OTP)
Cisco Secure Token server
ACS
and PPP
client ISDN access
server
Telnet host
LAN
Console
Router
Internet
Remote router Remote LAN
administrative network
access access
router(config)#
aaa new-model
router(config)#
router(config)#
aaa authentication enable default method1 [method2...]
router#
debug aaa authorization
• Use this command to help troubleshoot AAA problems.
router#
debug aaa accounting
• Use this command to help troubleshoot AAA problems.
• 802.1x support
RADIUS Network
Cisco Secure ACS NT/2000 server access
server
Cisco Secure TACACS+
ACS NT/2000 server or RADIUS Network
access
• TACACS+ support for: server
– Access lists (named or numbered)
– Controls time of day and day of week access
– ARA support
– Enable privilege support levels
• RADIUS support for:
– IETF RADIUS
– Cisco RADIUS AV-pair
– Proprietary RADIUS extensions
• Single TACACS+ or RADIUS database for simultaneous support
Network
Cisco Secure access
• Authentication ACS NT or 2000
server
forwarding.
• Fallback on failed
connection.
• Remote and
centralized Cisco Secure
Cisco Secure ACS NT/2000
accounting. ACS NT/2000
• Database replication
Network
• RDBMS Cisco Secure
access
ACS NT/2000
synchronization server
• ODBC import
ODBC
database
Cisco Secure
ACS NT/2000
servers
• Comprises seven modular
NT/2000 services all operating Authentication service
together on one PC Authorization service
TACACS+ service
NAS 1
RADIUS service
NAS 2 Logging service
CSDBSynch
NAS 3 CSMonitor
Authentication NT or 2000
Authorization
confirmed User DB
Authorization
Accounting
information
Windows NT or Windows 2000
TACACS+ or ACS NT or 2000 Windows NT or
RADIUS authentication and 2000 user login
Token card server Cisco Secure
Proprietary protocols
TACACS+
or RADIUS
• Token servers supported:
– CRYPTOCard, ActivCard, and
Vasco
– RSA ACE/Server
Token card – Secure computing SafeWord
3 1 7 8 4 5 4
– AXENT Defender
3.0.
• Verify connection between NT or 2000 server
and network access server!!!!
• Install Cisco Secure ACS 3.0 on the NT or 2000 server.
• Initially configure ACS NT or 2000 via web browser.
• Configure network access server for AAA.
• Verify correct installation and operation.
• User setup
• Group setup
• Network configuration
• System configuration
• Interface configuration
• Administration control
• External user databases
• Reports and activity
• Online documentation
• Open the User Interface
• Insert screen shot
• Use the Failed Attempts Report under
Reports and Activity as a starting point.
• Provides a valuable source of
troubleshooting information.
TACACS+
Network
Remote user access security
server server
PSTN/ISDN
Corporate
TACACS+ network
Client
• TCP • Supports PAP, CHAP, and
MSCHAP
• Supports AAA
• Autocommand support
• Encrypted link
• Callback
• LAN and WAN security
• Peruser access lists
• SLIP, PPP, ARA, NASI
aaa new-model
Cisco Secure
ACS server
10.1.2.4
NAS
these two
commands router(config)# tacacs-server key 2bor!2b@?
as shown
here… router(config)#
router(config)#
aaa authorization {network | exec | commands level |
reverse-access} {default | list-name}
{if-authenticated | local | none | radius | tacacs+ |
krb5-instance}
router(config)#
aaa accounting {system | network | exec | connection |
commands level}{default | list-name} {start-stop |
wait-start | stop-only | none} [method1 [method2]]
• Tracing TACACS+ packets
router#
debug tacacs
router#
(AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 10.1.1.4/49
(AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 10.1.1.4/49
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 10.1.1.4/49
(AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 10.1.1.4/49
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
RADIUS was developed by Livingston
Enterprises, now part of Lucent
Technologies. It contains a:
• Protocol with a frame format that
uses UDP.
• Server.
• Client.
router(config)#
• HTTP-based authentication
• Provides dynamic, per-user authentication and
authorization via TACACS+ and RADIUS
protocols
• Valid for all types of application traffic
• Works on any interface type for inbound or
outbound traffic
• AAA accounting is not supported
inside outside
User
Outbound Inbound
Enter the
new service:
auth-proxy.
Select
auth-proxy.
Select
Custom
attributes.
Enter ACLs to
apply after the
user
authenticates.
Enter the
privilege level of
the user; it must
be 15 for all
users.
priv-lvl=15
• The privilege level must be set to 15 for all users
Router(config)#
aaa new-model
• Enables the AAA functionality on
the router (default = disabled)
Router(config)#
aaa authentication login default group
method1 [method2]
• Defines the list of authentication methods that will
be used
• Methods: TACACS+, RADIUS, or both
Router(config)#
Router(config)#
Router(config)#
tacacs-server key string
• Specifies the TACACS+ server key
Router(config)#
Router(config)#
radius-server key string
• Specifies the RADIUS server key
Router(config)#
ip http server
• Enables the HTTP server on the router
Router(config)#
ip http authentication aaa
• Sets the HTTP server authentication method to AAA
• Proxy uses the HTTP server for communication with a
client
Router(config)#
ip auth-proxy auth-cache-time min
• Authorization cache timeout value in
minutes (default = 60 minutes)
Router(config)# ip auth-proxy
auth-cache-time 120
[auth-cache-time min]
• Creates an authorization proxy rule
Router(config-if)#
ip auth-proxy auth-proxy-name
• Applies an authorization proxy rule to an interface
– For outbound authentication, apply to inside interface
– For inbound authentication, apply to outside interface
Router(config)#
Router(config)#
show ip auth-proxy cache
show ip auth-proxy configuration
show ip auth-proxy statistics
• Displays statistics, configurations, and
cache entries of authentication proxy
subsystem
Router(config)#
debug ip auth-proxy ftp
debug ip auth-proxy function-trace
debug ip auth-proxy http
debug ip auth-proxy object-creation
debug ip auth-proxy object-deletion
debug ip auth-proxy tcp
debug ip auth-proxy telnet
debug ip auth-proxy timer
• Helps with troubleshooting
Router(config)#
clear ip auth-proxy cache * | ip_addr
• Clears authentication proxy entries from the
router