Based AAA Subsystem.pdf

Date post: 04-Jun-2018
    8/13/2019 Based AAA Subsystem.pdf

    Cisco AAA Implementation Case Study

    Chapter 4 Implementing the Server-Based AAA Subsystem

    This chapter focuses on the following server-based AAA implementation topics:

    • 4.1 Implementing Server-Based TACACS+ Dialup Authentication

    • 4.2 Implementing Server-Based TACACS+ Dialup Authorization

    • 4.3 Implementing Server-Based RADIUS Dialup Authentication

    • 4.4 Implementing Server-Based RADIUS Dialup Authorization

    • 4.5 Implementing Server-Based TACACS+ Router Authentication

    • 4.6 Implementing Server-Based TACACS+ Router Authorization

    Caution The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for your own configurations, be sure that your specifications apply to your environment.

    Note See Chapter 2, “Implementing the Local AAA Subsystem,” for specifics of local AAA implementation. See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation.



    Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based AAA components, including a AAA server and its associated AAA database.

    Figure 4-1 Basic AAA Case Study Environment

    4.1 Implementing Server-Based TACACS+ Dialup Authentication

    The following section focuses on server-based dialup authentication configuration. In this context, server-based refers to actions dependent upon an external AAA server. These actions are described in a series of general steps along with related commands, server configurations, and diagnostic steps as appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.

    Figure 4-2 Server-Based Dial Environment (TACACS+)

    [Figure 4-1 (diagram not reproduced) shows: Internet, Internet firewall, default gateway, clients, modems, PSTN (PRI lines and analog lines), Cisco AS5x00 with integrated modems, AAA server, DNS server, Oracle dB server, network element management server (NTP, Syslog, SNMP), IP intranet.]

    [Figure 4-2 (diagram not reproduced) shows: modem, PSTN, server-based dial access, AAA server, IP.]


    These steps help you to accomplish the following tasks:

    1. Configure TACACS+ server-based authentication on NAS.

    2. Configure a user profile in the database.

    3. Verify the AAA server-based user configuration.

    4. Verify and troubleshoot authentication from the AAA server.

    5. Verify and troubleshoot PPP authentication from the NAS.

    Step 1 Configure TACACS+ server-based authentication on NAS.

    Include the following Cisco IOS configuration commands in your configuration to enforce server-based

    dial access authentication control with TACACS+:

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication ppp default if-needed group tacacs+
    !
    tacacs-server host 172.22.53.101 key ciscorules

    Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

    Step 2 Configure a user profile in the database.

    Create a user in the AAA server by entering the following AddProfile command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules -a 'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp{\n }\n }\n'

    Caution When entering AddProfile to create users or groups, it is possible to successfully create users or groups that have invalid database parameters that result in profile errors viewable in /var/log/csuslog.

    Step 3 Verify the AAA server-based user configuration.

    Enter this server command to view the AAA server-based user configuration:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial
    user = tac_dial{
    profile_id = 23
    profile_cycle = 1
    password = pap "********"
    service=ppp {
    protocol=ip {
    set addr-pool=default
    set inacl=110
    }
    protocol=lcp {
    }
    }
    }



    Step 4 Verify and troubleshoot authentication from the AAA server.

    Enter the tail command:

    $tail -f /var/log/csuslog

    Note See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for a description of relevant diagnostic output.

    Step 5 Verify and troubleshoot PPP authentication from the NAS.

    Enter the debug aaa authentication and debug ppp authentication commands to confirm authentication from the NAS perspective.

    Note See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for relevant diagnostic output.

    4.2 Implementing Server-Based TACACS+ Dialup Authorization

    This section focuses on implementing server-based dialup authorization and presents applicable configuration segments, server commands and file listings, and diagnostic steps.

    These steps help you to accomplish the following tasks:

    1. Configure TACACS+ server-based authorization on the NAS.

    2. Configure a user profile in the database.

    3. Verify the AAA server-based user configuration.

    4. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.

    5. Verify and troubleshoot shell-initiated PPP authorization on the NAS.

    Step 1 Configure TACACS+ server-based authorization on the NAS.

    Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authorization with TACACS+:

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication ppp default if-needed group tacacs+
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization network default group tacacs+ if-authenticated
    !
    tacacs-server host x.x.x.x key ciscorules

    Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.



    Step 2 Configure a user profile in the database.

    Create a user in the AAA server by entering the following AddProfile command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules -pw pap,ciscorules -a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\nset addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'

    Step 3 Verify the AAA server-based user configuration.

    Enter this UNIX server command to view the AAA server-based user configuration:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest

    An example of a ViewProfile output of the user profile looks like this:

    User Profile Information
    user = dialtest{
    profile_id = 25
    profile_cycle = 1
    password = pap "********"
    service=shell {
    default_cmd=permit
    }
    service=ppp {
    protocol=ip {
    set addr-pool=default
    set inacl=110
    }
    protocol=lcp {
    }
    }
    }

    Step 4 Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.

    Enter the following UNIX server command to confirm that the authorization is operating correctly:

    $tail -f /var/log/csuslog

    Note See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”

    Step 5 Verify and troubleshoot shell-initiated PPP authorization on the NAS.

    Enter the debug aaa authorization command to verify that server-based authorization is operating correctly for dial access.

    Note See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”



    4.3 Implementing Server-Based RADIUS Dialup Authentication

    This section focuses on the configuration of server-based RADIUS dialup authentication. In this context, server-based refers to actions that depend on an external AAA server. Figure 4-3 illustrates a simplified server-based dial environment.

    These steps help you to accomplish the following tasks:

    1. Configure RADIUS server-based authentication on access server.

    2. Configure a user profile in the database.

    3. Verify the AAA server-based user configuration.

    4. Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from the NAS perspective.

    Figure 4-3 Server-Based Dial Environment (RADIUS)

    [Figure 4-3 (diagram not reproduced) shows: modem, PSTN, server-based dial access, AAA server, IP.]


    Step 1 Configure RADIUS server-based authentication on access server.

    Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with RADIUS:

    aaa new-model
    aaa authentication login default group radius
    aaa authentication ppp default if-needed group radius
    !
    interface Group-Async1
     ip unnumbered Loopback0
     no ip directed-broadcast
     encapsulation ppp
     ip tcp header-compression passive
     no logging event link-status
     dialer in-band
     dialer idle-timeout 900
     async mode interactive
     no snmp trap link-status
     peer default ip address pool default
     no fair-queue
     no cdp enable
     ppp max-bad-auth 3
     ppp authentication pap chap
     group-range 1 48
    !
    line 1 48
     exec-timeout 48 0
     autoselect during-login
     autoselect ppp
     absolute-timeout 240
     modem InOut
     modem autoconfigure type mica
     transport preferred telnet
     transport input all
     transport output lat pad telnet rlogin udptn v120 lapb-ta

    radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules

    Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

    Step 2 Configure a user profile in the database.

    a. Create a RADIUS NAS configuration by entering the following AddProfile command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a 'NASName="172.22.53.105" {\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary="DICTIONARY.Cisco"\n }\n'

    b. Create a user in the AAA server by entering the following AddProfile command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'

    Description of attributes specified in AddProfile configuration:

    – 6=2 (meaning Framed-Protocol=ppp)

    – 7=1 [meaning User-Service-Type (Framed-User)]



    Step 3 Verify the AAA server-based user configuration.

    a. Enter this server command to view the AAA server-based NAS configuration:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105
    User Profile Information
    user = NAS.172.22.53.105{
    profile_id = 76
    profile_cycle = 1
    NASName="172.22.53.105" {
    SharedSecret="ciscorules"
    RadiusVendor="Cisco"
    Dictionary="DICTIONARY.Cisco"
    }
    }

    b. Enter this command to verify the AAA server user configuration:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
    User Profile Information
    user = rad_dial{
    profile_id = 62
    profile_cycle = 1
    password = pap "********"
    radius=Cisco {
    reply_attributes= {
    6=2
    7=1
    }
    }
    }

    Step 4 Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from the NAS perspective.

    Note See “C.3 Server-Based RADIUS Dialup Authentication Diagnostics.”

    4.4 Implementing Server-Based RADIUS Dialup Authorization

    These steps help you to accomplish the following tasks:

    1. Configure RADIUS server-based authorization on the NAS.

    2. Configure a user profile in the database.

    3. Verify the AAA server-based user configuration.

    4. Verify and troubleshoot RADIUS network authorization on the NAS.

    5. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.



    Step 1 Configure RADIUS server-based authorization on the NAS.

    Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS authorization assigning access-list 110 to the user, rad_dial:

    aaa new-model
    aaa authentication login default group radius
    aaa authentication ppp default if-needed group radius
    aaa authorization exec default group radius
    aaa authorization network default group radius if-authenticated
    !
    radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
    !
    access-list 110 permit tcp any any eq telnet
    access-list 110 permit tcp any any eq ftp
    access-list 110 permit tcp any any eq ftp-data
    access-list 110 deny tcp any any

    Note See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

    Step 2 Configure a user profile in the database.

    Create a user in the AAA server by entering the following AddProfile command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n'

    Step 3 Verify the AAA server-based user configuration.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
    User Profile Information
    user = rad_dial{
    profile_id = 62
    profile_cycle = 1
    password = pap "********"
    radius=Cisco {
    reply_attributes= {
    6=2
    7=1
    9,1="ip:inacl=110"
    }
    }
    }

    Note The Cisco AVP inacl=110 is included to enable an input access-list.

    Step 4 Verify and troubleshoot RADIUS network authorization on the NAS.

    Enter the debug aaa authorization command to verify that server-based authorization is operating correctly for dial access.

    Note See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”



    Step 5 Verify that access-list 110 is assigned to user rad_dial with the show caller user command.

    Note See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”
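As an added illustration (not code from the case study or from CiscoSecure), the Python below encodes the rad_dial reply_attributes into RFC 2865 wire format and decodes them back, checking the length fields a NAS relies on; RAD_DIAL_REPLY is the profile notation reproduced as a constructed string. Under RFC 2865 numbering attribute 6 is Service-Type (2 = Framed) and attribute 7 is Framed-Protocol (1 = PPP), and 9,1 denotes Cisco's vendor id 9 with the cisco-avpair vendor type 1 carried inside Vendor-Specific attribute 26.

```python
import struct

# RFC 2865 attribute numbers used by the profile, plus the Cisco vendor id and
# cisco-avpair vendor type that the "9,1" notation refers to.
SERVICE_TYPE, FRAMED_PROTOCOL, VENDOR_SPECIFIC = 6, 7, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
INTEGER_ATTRS = {SERVICE_TYPE, FRAMED_PROTOCOL}
# Constructed copy of the rad_dial reply_attributes in the profile's notation.
RAD_DIAL_REPLY = '6=2\n7=1\n9,1="ip:inacl=110"'


def encode_attr(attr_type: int, value) -> bytes:
    """One attribute: type, length (counting these two bytes), value."""
    if attr_type in INTEGER_ATTRS:
        payload = struct.pack("!I", value)
    elif attr_type == VENDOR_SPECIFIC:
        vendor_id, vendor_type, text = value
        data = text.encode()
        # Vendor-Id, then vendor type and vendor length (2 + value bytes)
        payload = struct.pack("!IBB", vendor_id, vendor_type, 2 + len(data)) + data
    else:
        payload = value.encode() if isinstance(value, str) else bytes(value)
    if len(payload) > 253:
        raise ValueError("attribute value does not fit an 8-bit length field")
    return bytes([attr_type, 2 + len(payload)]) + payload


def encode_reply_attributes(spec: str) -> bytes:
    """Turn reply_attributes lines ('6=2', '9,1="ip:inacl=110"') into wire format."""
    out = b""
    for line in filter(None, map(str.strip, spec.splitlines())):
        key, _, val = line.partition("=")
        if "," in key:  # vendor-id,vendor-type="text" -> Vendor-Specific (26)
            vendor_id, vendor_type = (int(x) for x in key.split(","))
            out += encode_attr(VENDOR_SPECIFIC, (vendor_id, vendor_type, val.strip('"')))
        else:
            out += encode_attr(int(key), int(val))
    return out


def decode_attributes(data: bytes) -> list:
    """Walk attributes back into profile notation, rejecting bad lengths."""
    result, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError(f"bad length {length} for attribute {attr_type}")
        payload = data[pos + 2:pos + length]
        pos += length
        if attr_type in INTEGER_ATTRS:
            if len(payload) != 4:
                raise ValueError(f"integer attribute {attr_type} is not 4 bytes")
            result.append(f"{attr_type}={struct.unpack('!I', payload)[0]}")
        elif attr_type == VENDOR_SPECIFIC:
            if len(payload) < 6:
                raise ValueError("Vendor-Specific attribute too short")
            vendor_id, vendor_type, vendor_len = struct.unpack("!IBB", payload[:6])
            if vendor_len != len(payload) - 4:
                raise ValueError("vendor length disagrees with attribute length")
            result.append(f'{vendor_id},{vendor_type}="{payload[6:].decode()}"')
        else:
            result.append(f"{attr_type}={payload!r}")
    return result
```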

    4.5 Implementing Server-Based TACACS+ Router Authentication

    This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for a router.

    These steps help you to accomplish the following tasks:

    1. Configure TACACS+ server-based authentication on the router.

    2. Configure and verify the group rtr_basic.

    3. Create the member rtr_test and assign this user to group rtr_basic.

    4. Verify user rtr_test.

    5. Log in to the router and verify proper authentication.

    Figure 4-4 Server-Based VTY Access (Telnet)

    [Figure 4-4 (diagram not reproduced) shows: IP, AAA server, server-based VTY access (Telnet).]



    Step 1 Configure TACACS+ server-based authentication on the router.

    Include the following Cisco IOS configuration commands in your configuration to enforce AAA server-based command authorization on a router (excluding the console port):

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login NO_AUTHENT none
    !
    ip http server
    ip http authentication aaa
    ip tacacs source-interface Loopback0
    !
    tacacs-server host 172.22.53.201 key ciscorules
    !
    line con 0
     login authentication NO_AUTHENT

    Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.

    Step 2 Configure and verify the group rtr_basic:

    a. Create the group rtr_basic by entering the following AddProfile command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a 'service=shell{\ndefault cmd=deny\n}\n'
    Profile Successfully Added

    b. Verify the group rtr_basic by entering the ViewProfile command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic
    Group Profile Information
    group = rtr_low{
    profile_id = 66
    profile_cycle = 1
    service=shell {
    default cmd=deny
    }
    }

    Step 3 Create the member rtr_test and assign this user to group rtr_basic.

    Enter the following command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr rtr_basic
    Profile Successfully Added



    Step 4 Verify user rtr_test.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test
    User Profile Information
    user = rtr_test{
    profile_id = 66
    profile_cycle = 1
    member = rtr_basic
    password = des "********"
    }

    Step 5 Log in to the router and verify proper authentication.

    Enter the login command to access the router command interface and monitor the output of debug aaa authentication from a separate shell session. Monitor the output of the AAA server by consulting the csuslog file using the tail command.

    Note See “C.5 Server-Based TACACS+ Router Authentication Diagnostics.”



    4.6 Implementing Server-Based TACACS+ Router Authorization

    The following examples, including authorization-related IOS command listings and AAA server profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups are created with low (rtr_low), medium (rtr_tech), and high (rtr_super) access. The default_cmd AVP (defined in the AAA server profile) is used to control access to privilege level 15 commands. In this case, privilege level 15 is the highest level of command access privilege allowed and is reserved for super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated with each of the administrative groups defined in this section.

    Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization between a router and an AAA server. Troubleshooting and verifying is divided into three stages: authentication, EXEC authorization, and command authorization. Each stage is accompanied by information particular to that stage:

    • Cisco IOS Configuration Fragments (on left)

    • Troubleshooting and verification methods for the router and AAA server (on right)

    Table 4-1 Group Profile Command Summary

                                                        Group
    Cisco IOS Command                                   rtr_super   rtr_tech    rtr_low
    debug all                                           Denied      Denied      Denied
    debug *                                             Permitted   Permitted   Denied
    clear *                                             Permitted   Permitted   Denied
    reload                                              Permitted   Denied      Denied
    show running-config / write terminal                Permitted   Denied      Denied
    copy running-config startup-config / write memory   Permitted   Permitted   Denied
    configure terminal                                  Permitted   Denied      Denied


    Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology

    These steps help you to accomplish the following tasks:

    1. Configure TACACS+ server-based authorization from the console port on the router.

    2. Configure, verify, and test operation of the AAA server group rtr_low.

    3. Configure, verify, and test operation of the AAA server group rtr_tech.

    4. Configure, verify, and test operation of AAA server Group rtr_super.

    [Figure 4-5 (flowchart not reproduced): Cisco IOS client decision flow with troubleshoot/verify methods for each stage. A router user requests login to the TACACS+ server.

    Authentication. Cisco IOS configuration: aaa new-model; aaa authentication login default group tacacs+; tacacs-server host ip-address key secret-key. Troubleshoot/verify: from the Cisco IOS client, debug aaa authentication; from the AAA server, tail -f /var/log/csuslog and verify the user (user=rtr_geek, password=des). Did authentication succeed? If yes, AAA authorization begins (EXEC).

    EXEC Authorization. Cisco IOS configuration: aaa authorization exec default group tacacs+ if-authenticated. Troubleshoot/verify: from the Cisco IOS client, debug aaa authorization; from the AAA server, tail -f /var/log/csuslog and verify the user or group (service=shell). Did authorization succeed? If yes, AAA authorization begins (command).

    Command Authorization. Cisco IOS configuration: aaa authorization commands 15 default tacacs+ if-authenticated. Troubleshoot/verify: from the Cisco IOS client, debug aaa authorization; from the AAA server, tail -f /var/log/csuslog and verify the user or group (default_cmd=permit or priv_lvl=15 or cmd=permit). Did authorization succeed? If yes, AAA accounting begins.]


    Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to disable AAA authentication and authorization before changing to boot ROM mode. For configuration notes regarding disabling AAA to access boot ROM mode, see Appendix B, “AAA Impact on Maintenance Tasks.”

    Step 1 Configure TACACS+ server-based authorization from the console port on the router.

    Include the following Cisco IOS configuration commands in your configuration to enforce router-based security with TACACS+:

    aaa new-model
    aaa authentication login default group tacacs+
    aaa authentication login NO_AUTHENT none
    aaa authorization commands 15 NO_AUTHOR none
    aaa authorization exec default group tacacs+
    aaa authorization exec NO_AUTHOR none
    aaa authorization commands 15 default group tacacs+
    !
    ip http server
    ip http authentication aaa
    ip tacacs source-interface Loopback0
    !
    tacacs-server host 172.22.53.201 key ciscorules
    !
    line con 0
     authorization commands 15 NO_AUTHOR
     authorization exec NO_AUTHOR
     login authentication NO_AUTHENT

    Note See “A.2 Router AAA Command Implementation Descriptions” in Appendix A, “AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA commands.



    Step 2 Configure, verify, and test operation of the AAA server group rtr_low.

    The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the requirements specified in Table 4-1:

    a. Create the group rtr_low.

    Enter the following command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a 'service=shell{\ndefault cmd=deny\n}\n'
    Profile Successfully Added

    b. Verify the group rtr_low.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low
    Group Profile Information
    group = rtr_low{
    profile_id = 66
    profile_cycle = 1
    service=shell {
    default cmd=deny
    }
    }

    c. Create the member rtr_dweeb and assign this user to group rtr_low.

    Enter the following command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw des,ciscorules
    Profile Successfully Added

    d. Verify the user rtr_dweeb.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb
    User Profile Information
    user = rtr_dweeb{
    profile_id = 66
    profile_cycle = 1
    member = rtr_low
    password = des "********"
    }

    e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:

    – Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.

    – Log in to the router by using a new terminal window with the rtr_dweeb account and enter the commands shown in Table 4-1.

    – From the AAA server, enter the following command to obtain the matching csuslog content:

    $tail -f /var/log/csuslog

    Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”



    Step 3 Configure, verify, and test operation of the AAA server group rtr_tech.

    The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the requirements specified in Table 4-1:

    a. Create the group rtr_tech.

    Enter the following command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny all\n}\ncmd=configure{\ndeny .*}\n}\n'

    b. Verify the group rtr_tech.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech
    Group Profile Information
    group = rtr_tech{
    profile_id = 47
    profile_cycle = 1
    service=shell {
    default cmd=permit
    cmd=debug {
    deny all
    permit .*
    }
    cmd=reload {
    deny all
    }
    cmd=configure {
    deny .*
    }
    }
    }

    c. Create the member rtr_techie and assign this user to group rtr_tech.

    Enter the following command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw des,ciscorules
    Profile Successfully Added

    d. Verify the user rtr_techie.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie
    User Profile Information
    user = rtr_techie{
    profile_id = 39
    profile_cycle = 1
    member = rtr_tech
    password = des "********"
    }

    e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:

    – Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.

    – Log in to the router by using a new terminal window with the rtr_techie account and enter the commands shown in Table 4-1.


    – From the AAA server, enter the following command to obtain the matching csuslog content:

    $tail -f /var/log/csuslog

    Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”

    Step 4 Configure, verify, and test operation of AAA server Group rtr_super.

    The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with the requirements specified in Table 4-1:

    a. Create the group rtr_super.

    Enter the following command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n'
    Profile Successfully Added

    b. Verify the group rtr_super.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super
    Group Profile Information
    group = rtr_super{
    profile_id = 40
    profile_cycle = 1
    service=shell {
    default cmd=permit
    cmd=debug {
    deny all
    permit .*
    }
    }
    }

    c. Create the member rtr_geek and assign this user to group rtr_super.

    Enter the following command:

    $/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek -pr rtr_super -pw des,ciscorules
    Profile Successfully

    d. Verify the user rtr_geek.

    Enter the following command:

    $/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek
    User Profile Information
    user = rtr_geek{
    profile_id = 45
    profile_cycle = 1
    member = rtr_super
    password = des "********"
    }

    e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these actions:

    – Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.



    – Log in to the router by using a new terminal window with the rtr_geek account and enter the commands shown in Table 4-1.

    – From the AAA server, enter the following command to obtain the matching csuslog content:

    $tail -f /var/log/csuslog

    Note See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”
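The following check is added here and is not part of the case study or of CiscoSecure: it parses the three group profiles as ViewProfile lists them in Steps 2 to 4 (reproduced below as constructed strings) and evaluates each Table 4-1 command against them, so the table can be verified before anyone logs in to the router. The permit/deny matching rule in authorize() is an assumption modelled on tac_plus; under it the rtr_tech profile as listed (default cmd=permit with no cmd=show or cmd=write block) permits show running-config, which Table 4-1 marks Denied, and the checker reports that cell instead of passing silently.

```python
import re
from dataclasses import dataclass, field

# Group profiles as ViewProfile lists them, constructed to mirror Steps 2-4.
PROFILES = {
    "rtr_low": """group = rtr_low{
service=shell {
default cmd=deny
}
}""",
    "rtr_tech": """group = rtr_tech{
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
cmd=reload {
deny all
}
cmd=configure {
deny .*
}
}
}""",
    "rtr_super": """group = rtr_super{
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
}
}""",
}

# Table 4-1 columns (rtr_super, rtr_tech, rtr_low); a concrete command stands in
# for each "*" row; write terminal / write memory are alternates of rows 5 and 6.
GROUPS = ("rtr_super", "rtr_tech", "rtr_low")
TABLE_4_1 = [
    ("debug all",                          "Denied",    "Denied",    "Denied"),
    ("debug aaa authorization",            "Permitted", "Permitted", "Denied"),
    ("clear line 1",                       "Permitted", "Permitted", "Denied"),
    ("reload",                             "Permitted", "Denied",    "Denied"),
    ("show running-config",                "Permitted", "Denied",    "Denied"),
    ("copy running-config startup-config", "Permitted", "Permitted", "Denied"),
    ("configure terminal",                 "Permitted", "Denied",    "Denied"),
]


@dataclass
class ShellProfile:
    default: str = "deny"                     # 'default cmd=permit|deny'
    cmds: dict = field(default_factory=dict)  # cmd name -> [(action, regex)]


def parse_shell_profile(text: str) -> ShellProfile:
    """Parse the service=shell block out of a ViewProfile listing."""
    prof, cur = ShellProfile(), None
    body = text[text.index("service=shell"):].splitlines()[1:]  # skip header line
    for line in map(str.strip, body):
        if m := re.fullmatch(r"default[ _]cmd=(permit|deny)", line):
            prof.default = m.group(1)
        elif m := re.fullmatch(r"cmd=(\S+?)\s*\{", line):
            prof.cmds[(cur := m.group(1))] = []
        elif m := re.fullmatch(r"(permit|deny)\s+(\S.*)", line):
            if cur is None:
                raise ValueError(f"argument rule outside a cmd block: {line!r}")
            prof.cmds[cur].append((m.group(1), m.group(2)))
        elif line == "}":
            if cur is None:
                break  # closing brace of service=shell
            cur = None
        else:
            raise ValueError(f"unexpected line in shell profile: {line!r}")
    return prof


def authorize(prof: ShellProfile, command: str) -> bool:
    """Assumed rule, modelled on tac_plus: with a cmd block for the command word,
    the first permit/deny regex found in the argument string wins and no match
    means deny; without a cmd block the default cmd applies."""
    name, _, args = command.strip().partition(" ")
    rules = prof.cmds.get(name)
    if rules is None:
        return prof.default == "permit"
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False


def check_table(profiles=PROFILES, table=TABLE_4_1):
    """Return (command, group, table_says, profile_gives) for each mismatch."""
    parsed = {g: parse_shell_profile(t) for g, t in profiles.items()}
    mismatches = []
    for command, *expected in table:
        for group, want in zip(GROUPS, expected):
            got = "Permitted" if authorize(parsed[group], command) else "Denied"
            if got != want:
                mismatches.append((command, group, want, got))
    return mismatches
```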
