
Methods and Types - Security

When we talk about “security” we know what we want, but describing it and making it happen can be different matters altogether. Network security has a natural conflict with network connectivity. The more an autonomous system opens itself up, the more risk it takes on. This, in turn, requires that more effort be applied to security enforcement tasks. This article is chapter eight of the book, Cisco: A Beginner's Guide, third edition, by Anthony Velte and Toby Velte (McGraw-Hill/Osborne, 2004, ISBN: 0072256354).

TABLE OF CONTENTS:
  1. Security Overview
  2. Overview of Network Security
  3. Access Servers and Dial-in Protocols
  4. Authentication, Authorization, and Accounting
  5. How AAA Works
  6. Methods and Types
  7. Method and Types Continued
  8. Dynamic Access Lists
By: McGraw-Hill/Osborne
June 30, 2005


Certain pieces must be put in place before security can be enforced. As you just saw, the access device must be configured to query one or more security servers for authentication and authorization, and the user database must have profiles containing attributes that define what the user is permitted to do on the network. But what exactly happens when the query hits the TACACS+ or RADIUS database? What steps are taken to verify the user’s identity and figure out what services that person is permitted?

AAA command statements in an access device’s config file tell the device what to do when a user tries to log in. The root AAA commands authentication, authorization, and accounting are used in conjunction with various keywords to code config file instructions on how connection attempts are to be handled. As mentioned earlier, these instruction parameters are modular in that they can be applied per user and per service. The instructions are implemented in the access device’s config file using methods and types.

  • A method is a prepackaged computer program that performs a specific function. For example, radius is a method to query a RADIUS server.
  • A type is the entity to which the method applies. For example, a radius method is applied to a ppp type so that when a user attempts to make a connection using the PPP protocol, the access device queries its RADIUS server to authenticate the person’s identity.

Because there are almost always multiple security parameters set for a device, AAA configurations are referred to as named method lists. They’re called named methods because they are named by the administrator in the device config file and applied to one or more specific secured entity types. Figure 8-10 shows how named method lists and types work together to enforce security.

 
Figure 8-10.  Named method lists enforce security policies in access device interfaces. 


NOTE: There are unnamed methods in the form of the default method list. If an interface or line has no named method list configured, a default method list is automatically put into force for it. To have no AAA security, it must be explicitly configured this way by using the none method. Cisco makes it hard to have no security in force.

Named method lists are entered into the config file of the access device being secured, usually an access server or a router. IOS applies methods in the sequence in which they appear in the configuration, initially trying the first method and then turning to the following ones until an ACCEPT or REJECT is returned. Figure 8-11 explains a typical named method list.

The last part of the AAA configuration in Figure 8-11 specifies lines because authentication deals with individual users. Traffic-based security can be applied on the interface level because the firewall or router monitors information in the header of each packet, a process that is done either to all or none of the packets passing through an interface. By contrast, user-based security controls individuals as they make a remote network connection via an access server, or log into IOS inside a router or switch within the network. Each of these two scenarios involves using a line.


Figure 8-11.  The basic parts of a device security configuration model

AAA Authentication Methods and Types

AAA has several methods to authenticate user identity. Only one method may be used per user line (except when the Local method is configured as backup to one of the three client-server methods). Table 8-1 lists Cisco’s authentication methods.

The list of AAA methods in Table 8-1 varies slightly according to the password mechanism being used. Remember that AAA is an architectural model that must be adapted to differences in the way other vendors design their products. For example, AAA supports Guest and Auth-Guest methods for the password protocol in Apple’s ARAP.

It’s possible to configure different authentication methods on different lines within the same access device. For example, you might want to configure PPP connections to query the user database on a RADIUS server, but to check the local user database for login connections made from the console or AUX ports.

Connection Types

Because authentication is applied to user lines, named authentication methods are applied to connection types. A connection type is the communications protocol used to make a connection. To explain, remote connections to ISPs and internetworks nowadays are usually PPP connections. But when a network administrator logs into IOS in order to work on a device, that connection is via a Telnet session (if over the network) or a terminal emulator (if over the console or AUX port). Table 8-2 explains the authentication types.

IOS Command Keyword | AAA Authentication Method
RADIUS | Authenticates using the RADIUS protocol and user database.
TACACS+ | Authenticates using the TACACS+ protocol and user database.
Krb5 | Authenticates using the Kerberos 5 protocol and user database. (Note: Kerberos can only be used with the PAP password protocol.)
Local | Authenticates using a user database stored in memory in the access device, or as a backup if the security server does not respond.
Enable | Authenticates using Enable Secret passwords in the access device’s config file.
If-needed | Does not require authentication if the user has already been authenticated on a VTY or TTY line.
None | Uses no authentication.

Table 8-1. Authentication Methods in IOS

 

IOS Command Keyword | AAA Authentication Type
Login | Line connections made to Ethernet or Token Ring network interfaces using Telnet, or to console or AUX ports using virtual terminal (VTY)
PPP | Dial-in line connections made to serial network interfaces using Point-to-Point Protocol
SLIP | Dial-in line connections made to serial network interfaces using Serial Line Internet Protocol
ARAP | Dial-in line connections made to serial network interfaces using AppleTalk Remote Access Protocol

Table 8-2. Entity Types Secured by AAA Authentication Methods

The following example statement illustrates a serial interface on an access server being configured to use TACACS+ to authenticate persons making PPP network connections:

MyAccessServer(config)#aaa new-model
MyAccessServer(config)#aaa authentication ppp MyList tacacs+ local
MyAccessServer(config)#interface serial0
MyAccessServer(config-if)#ppp authentication pap MyList
MyAccessServer(config-if)#exit
MyAccessServer(config)#tacacs-server host 10.1.13.10
MyAccessServer(config)#tacacs-server key DoNotTell

The aaa new-model command activates (enables) AAA inside the device’s IOS software. Then the aaa authentication ppp MyList tacacs+ local statement defines the named method list MyList: it specifies that the TACACS+ security protocol be used, and that the local user database should be used if the TACACS+ server fails to respond. The interface serial0 command points the configuration to all lines on the access server’s serial network interface named serial0. The ppp authentication pap MyList command specifies that the PAP password protocol be used for PPP connections on that interface and applies the named method list MyList as the test. (The tacacs-server commands that follow are global configuration commands, so the example returns to global configuration mode with exit before entering them.)

The next statement specifies that the TACACS+ server resides on the host computer at IP address 10.1.13.10. The next line specifies that the encryption key DoNotTell be used for all communications between the security server and the client access device being configured here. The shared encryption key also must be configured on the security server(s) with which the client access device will communicate.


NOTE: Three types of protocols play a major role in AAA: dial-in protocols such as PPP, security protocols such as RADIUS, and password protocols such as CHAP. Dial-in protocols are network protocols that handle signals over phone lines, keeping the IP packets together between the access server and the remote user. Security protocols provide the client-server messaging system to the centralized user database. Password protocols are relatively simple mechanisms to deal with the person logging in. Some dial-in protocols incorporate their own password protocol—ARAP, for example.

AAA Authorization Methods and Types

AAA has five methods for authorization. There are actually six, but the none method is a request not to do any authorization procedure. Table 8-3 explains the AAA authorization methods. Each method is a keyword for use as an argument with the root aaa authorization command. These, in turn, are applied to secured entity types.

As mentioned, RADIUS and TACACS+ can coexist on the same access device. Depending on the connection being attempted and how the device is configured, the client will query either the RADIUS or the TACACS+ servers, which are separate user databases.

The if-authenticated command waives authorization if the user has already been authenticated elsewhere. This is important, because during a single session a user may make dozens of connections to entities secured by AAA authorization (such as IOS command modes), and it would be unwieldy for the client device to query the TACACS+ or RADIUS server each time.

IOS Command Keyword | AAA Authorization Method
TACACS+ | Sends a message requesting authorization information from the TACACS+ server.
RADIUS | Sends a message requesting authorization information from the RADIUS server.
If-authenticated | Allows access to the requested function if the user has already been authenticated. (If here is the word if, as in "depending on," not the mnemonic IOS uses for network interface in the config prompt.)
Local | Uses the local user database to execute the authorization program.
Krb5-instance | Uses an instance defined in the Kerberos instance map.
None | Does not execute any authorization methods on this access device.

Table 8-3. AAA’s Six Named Methods for User Authorization

Generally, a device’s local user database contains only usernames and passwords. Remember that network devices don’t have hard disks, and they must store permanent information in NVRAM memory, already burdened with storing a boot image of IOS and even daily AAA accounting logs. For this reason, local user databases generally do not hold authorizations for users. Therefore, if a security server were unavailable when a user logged in, that person would likely be unable to access any services configured to require authorization. Figure 8-12 shows how a local user database coexists with the server database(s).

If no authorization is to be executed on a secured entity, this should be explicitly configured by using the none command. Otherwise, the IOS software will automatically put the default authorization methods into force. The four types of secured objects to which AAA authorization methods can be applied are explained in Table 8-4.

The four authorization entity types can be broken down into two pairs:

  • The EXEC and Command methods each deal with access to IOS commands.
  • The Network and Reverse Access methods both deal with connections, but those which go in different directions.

Figure 8-12.  A user database can be stored in the access device's NVRAM for local use.

Type | AAA Authorization Type
Network | Applies the method to network-related service requests, including direct Login connections (via console or AUX), Telnet connections (via IP or IPX), or dial-in connections (via PPP, SLIP, or ARAP).
Reverse Access | Applies the method to Telnet sessions in which the user attempts to connect from the secured access device to another host, a common maneuver by a hacker who has broken into a network device.
EXEC | Applies the method to sessions in the User EXEC command mode and can be applied by user, date, and start and stop times.
Commands | Applies the method to restrict access to specific commands. Command methods must be applied to an IOS command level group. There are two default groups, numbers 0 and 15 (User EXEC and Privileged EXEC modes, respectively). The Command method can be applied by user, date, and start and stop times.

Table 8-4. IOS’s Four Authorization Types

On Cisco access devices, the aaa authorization config-commands command is enabled by default. That way the device has security right out of the box, in case the administrator installs it without configuring security. The following example statement illustrates a router being configured to require authorization for any type of network connection. This would apply, for example, whether the connection was being made via a console TTY login, a Telnet VTY login, or a PPP dial-in login:

MyRouter(config)# aaa new-model
MyRouter(config)# aaa authorization network NetTeam tacacs+ local

The preceding command defines the named method list NetTeam: it specifies that the TACACS+ security protocol be used to check users, and that the local user database be used for backup. By default, this authorization is applied to all network interfaces on the device (as opposed to authentication methods, which must be applied to specific lines).

But, as mentioned earlier, sometimes having authorizations stored on the device itself isn’t practical. To accommodate this, the restriction could be loosened using the none method to allow a network connection if the TACACS+ server fails to respond:

MyRouter(config)# aaa authorization network NetTeam tacacs+ none

In the preceding command, the user’s identity must have already been authenticated with a password to get this far into the AAA configuration. The none method goes into effect only when the TACACS+ server fails to respond; an explicit REJECT from the server still denies the connection. The following code statement configures a somewhat more sophisticated authorization:

MyRouter(config)# aaa authorization commands 15 SeniorTechs
MyRouter(config)# line vty 0 5
MyRouter(config-line)# authorization commands 15 SeniorTechs

The preceding statement shows an example of configuration by line, as opposed to network interface. Here, the six virtual terminal (VTY) lines are secured. In this example, the named method list SeniorTechs is declared as necessary for an administrator to use IOS command level 15 in this device. We mentioned earlier that the IOS level command can be employed to authorize the use of a group of commands. By default, all Privileged EXEC mode commands are grouped into level 15, and all User EXEC mode commands are grouped into level 0. Therefore, the preceding code snippet specifies that only administrators with user profiles configured with the SeniorTechs attributes will be permitted to use the Privileged EXEC commands.
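To make the method-list sequencing concrete, both for the authentication list tacacs+ local and for the authorization lists tacacs+ local and tacacs+ none discussed above, here is an added Python simulation of how IOS walks a named method list (stopping at the first ACCEPT or REJECT and falling through only when a method cannot decide). It is not IOS code or the book's own; the user records, the server-availability flag and the method stubs are constructed for illustration.

```python
from enum import Enum


class Result(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    ERROR = "ERROR"   # method could not decide, e.g. the security server gave no response


# Constructed sample data (not from the book): a TACACS+ server database and the
# access device's local database, which holds only usernames and passwords.
TACACS_USERS = {"alice": "s3cret"}
LOCAL_USERS = {"alice": "s3cret", "bob": "hunter2"}


def tacacs_plus(user, password, server_up):
    """Query the (simulated) TACACS+ server; no response means ERROR, not REJECT."""
    if not server_up:
        return Result.ERROR
    return Result.ACCEPT if TACACS_USERS.get(user) == password else Result.REJECT


def local(user, password, server_up):
    """Check the local user database kept in the device's NVRAM."""
    return Result.ACCEPT if LOCAL_USERS.get(user) == password else Result.REJECT


def none(user, password, server_up):
    """The 'none' method performs no check and always accepts."""
    return Result.ACCEPT


METHODS = {"tacacs+": tacacs_plus, "local": local, "none": none}


def evaluate(method_list, user, password, server_up=True):
    """Apply the methods in configured order, as IOS does with a named method list.
    The first ACCEPT or REJECT is final; ERROR falls through to the next method,
    and if every method errors the request is rejected."""
    for name in method_list:
        result = METHODS[name](user, password, server_up)
        if result is not Result.ERROR:
            return result.value
    return Result.REJECT.value


if __name__ == "__main__":
    # 'tacacs+ local': the local database is consulted only if the server fails
    print(evaluate(["tacacs+", "local"], "bob", "hunter2", server_up=True))   # REJECT
    print(evaluate(["tacacs+", "local"], "bob", "hunter2", server_up=False))  # ACCEPT
    # 'tacacs+ none': an explicit server REJECT still denies; only an outage lets everyone in
    print(evaluate(["tacacs+", "none"], "unknown", "x", server_up=True))      # REJECT
    print(evaluate(["tacacs+", "none"], "unknown", "x", server_up=False))     # ACCEPT
```

The last two calls show why a trailing none method is a trade-off: it keeps the device reachable during a security-server outage, but during that outage any request passes without authorization.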
