Certain pieces must be put in place before security can be enforced. As you just saw, the access device must be configured to query one or more security servers for authenticationand authorization, and the user database must have profiles containing attributes that define what the user is permitted to do on the network. But what exactly happens when the query hits the TACACS+ or RADIUS database? What steps are taken to verify the user’s identity and figure out what services that person is permitted?
AAA command statements in an access device’s config file tell the device what to do when a user tries to log in. The root AAA commands authenticate, authorization, and accounting are used in conjunction with various keywords to code config file instructions on how connection attempts are to be handled. As mentioned earlier, these instruction parameters are modular in that they can be applied per user and per service. The instructions are implemented in the access device’s config file using methods and types.
Because there are almost always multiple security parameters set for a device, AAA configurations are referred to as named method lists. They’re called named methods because they are named by the administrator in the device config file and applied to one or more specific secured entity types. Figure 8-10 shows how named method lists and types work together to enforce security.
Named method lists are entered into the config file of the access device being secured— usually an access server or a router. IOS applies methods in the sequence in which they appear in the configuration, initially trying the first method and then turning to the following ones until an ACCEPT or REJECT is returned. Figure 8-11 explains a typical named method list.
The last part of the AAA configuration in Figure 8-11 specifies lines because authentication deals with individual users. Traffic-based security can be applied on the interface level because the firewall or router monitors information in the header of each packet— a process that is done either to all or none of the packets passing through an interface. By contrast, user-based security controls individuals as they make a remote network connection via an access server, or log into IOS inside a router or switch within the network. Each of these two scenarios involves using a line.
AAA Authentication Methods and Types AAA has several methods to authenticate user identity. Only one method may be used per user line (except when the Local method is configured as backup to one of the three client-server methods). Table 8-1 lists Cisco’s authentication methods.
The list of AAA methods in Table 8-1 varies slightly according to the password mechanism being used. Remember that AAA is an architectural model that must be adapted to differences in the way other vendors design their products. For example, AAA supports Guest and Auth-Guest methods for the password protocol in Apple’s ARAP.
It’s possible to configure different authentication methods on different lines within the same access device. For example, you might want to configure PPP connections to query the user database on a RADIUS server, but to check the local user database for login connections made from the console or AUX ports.
Connection Types Because authentication is applied to user lines, named authentication methods are applied to connection types. A connection type is the communications protocol used to make a connection. To explain, remote connections to ISPs and internetworks nowadays are usually PPP connections. But when a network administrator logs into IOS in order to work on a device, that connection is via a Telnet session (if over the network) or a terminal emulator (if over the console or AUX port). Table 8-2 explains the authentication types.
The following example statement illustrates a serial interface on an access server being configured to use TACACS+ to authenticate persons making PPP network connections:
The aaa new-model command activates (enables) the AAA inside the device’s IOS software. Then the statement specifies that a TACACS+ security protocol be used and that the local user database should be used if the TACACS+ server fails to respond. The interface serial0 command points the configuration to all lines on the access server’s serial network interface named serial0. The ppp authentication pap MyList tacacs+ local specifies that the PAP password protocol be used for PPP connections and applies the named method list MyList to be used as the test.
The next statement specifies that the TACACS+ server resides on the host computer at IP address 10.1.13.10. The next line specifies that the encryption key DoNotTell be used for all communications between the security server and the client access device being configured here. The shared encryption key also must be configured on the security server(s) with which the client access device will communicate.
AAA Authorization Methods and Types AAA has five methods for authorization. There are actually six, but the none method is a request not to do any authorization procedure. Table 8-3 explains the AAA authorization methods. Each method is a keyword for use as an argument with the root aaa authorization command. These, in turn, are applied to secured entity types.
As mentioned, RADIUS and TACACS+ can coexist on the same access device. Depending on the connection being attempted and how the device is configured, the client will query either the RADIUS or the TACACS+ servers, which are separate user databases.
The if-authenticated command waives authorization if the user has already been authenticated elsewhere. This is important, because during a single session a user may make dozens of connections to entities secured by AAA authorization (such as IOS command modes), and it would be unwieldy for the client device to query the TACACS+ or RADIUS server each time.
Generally, a device’s local user database contains only usernames and passwords. Remember that network devices don’t have hard disks, and they must store permanent information in NVRAM memory, already burdened with storing a boot image of IOS and even daily AAA accounting logs. For this reason, local user databases generally do not hold authorizations for users. Therefore, if a security server were unavailable when a user logged in, that person would likely be unable to access any services configured to require authorization. Figure 8-12 shows how a local user database coexists with the server database(s).
If no authorization is to be executed on a secured entity, this should be explicitly configured by using the none command. Otherwise, the IOS software will automatically put the default authorization methods into force. The four types of secured objects to which AAA authorization methods can be applied are explained in Table 8-4.
The four authorization entity types can be broken down into two pairs:
On Cisco access devices, the aaa authorization config-commands command is enabled by default. That way the device has security right out of the box, in case the administrator installs it without configuring security. The following example statement illustrates a router being configured to require authorization for any type of network connection. This would apply, for example, whether the connection was being made via a console TTY login, a Telnet VTY login, or a PPP dial-in login:
MyRouter(config)# aaa new-mode
The preceding command specifies that the TACACS+ security protocol be used to check users against the NetTeam named method list, and to use the local user database for backup. By default, this authorization is applied to all network interfaces on the device (as opposed to authentication methods, which must be applied to specific lines).
But, as mentioned earlier, sometimes having authorizations stored on the device itself isn’t practical. To accommodate this, the restriction could be loosened using the none command to allow a network connection if the TACACS+ server fails to respond:
MyRouter(config)# aaa authorization network NetTeam tacacs+ none
In the preceding command, the user’s identity must have already been authenticated with a password to get this far into the AAA configuration. The none command goes into effect only when the TACACS+ server fails to respond. The following code statement configures a somewhat more sophisticated authorization:
MyRouter(config)# aaa authorization commands 15 SeniorTechs MyRouter(config)# line vty 0 5
The preceding statement shows an example of configuration by line, as opposed to network interface. Here, the six virtual terminal (VTY) lines are secured. In this example, the named method list SeniorTechs is declared as necessary for an administrator to use IOS command level 15 in this device. We mentioned earlier that the IOS level command can be employed to authorize the use of a group of commands. By default, all Privileged EXEC mode commands are grouped into level 15, and all User EXEC mode commands are grouped into level 0. Therefore, the preceding code snippet specifies that only administrators with user profiles configured with the SeniorTechs attributes will be permitted to use the Privileged EXEC commands.
blog comments powered by Disqus