Accounting Methods and Types

AAA accounting methods configure user activities to track within a secured access device. Accounting methods gather data from TACACS+ and RADIUS packets and log it into a file stored on the access device. The security server comes around each day and collects the data into a central AAA accounting database. Table 8-5 explains how the two work. Notice that the only accounting methods are the security protocols themselves. This is because accounting data is, by default, collected for the entire device. The reason for the two methods is that the accounting data must travel either in TACACS+ or RADIUS packets to the server (AAA accounting isn't done without servers).

AAA has five accounting secured entity types, slightly different from those for authorization. Table 8-6 explains them. The system accounting keyword only collects a default set of variables. It cannot be configured to collect only certain events. The reason for this is that a system event simply happens; a user does not request permission to cause it. An example system event would be a network interface going down at 11:32:28 Tuesday, January 9, 2005. AAA accounting does not automatically associate the system event with a security transaction, but comparing accounting and authorization logs for that date and time would make it easy for a system administrator to figure out who the culprit was.

Like authorization, AAA accounting named method lists must be applied to all network interfaces they are meant to secure, and then applied to an indicated accounting type. For example, the MyRouter(config)# aaa accounting network tacacs+ command configures IOS to keep track of all SLIP and PPP connections made over a network interface that are authorized using TACACS+.
Accounting is a little more complicated in how it tracks requests, though. AAA accounting relies on so-called accounting notices to gather data. An accounting notice is a special packet notifying the accounting method of an event. This information is recorded in the accounting log file for upload to the appropriate security server. One of three AAA accounting keywords must be used to specify exactly when during the service request process the notices are to be sent. The terminology can get a bit confusing, but Figure 8-13 will help you visualize how the three work:
To select a method, include any one of the three keywords as arguments to the root aaa accounting command in the configuration statement. The three options give differing levels of accounting control. For example, if an administrator requests entry into a secured device's User EXEC mode, the stop-only process records only the end of the administrator's session within User EXEC mode. The start-stop process records the beginning and the end of the session. The wait-start process ensures that no connection is made prior to the accounting notice having been received and acknowledged.

The following example shows an AAA accounting configuration. Lines 2, 3, and 4 show all three AAA functions being configured together, the normal practice in the real world.

MyAccessServer(config)# aaa new-model

The accounting commands are woven in with the others, to give you an idea of how statements really look. As configured here, full start-stop accounting records will be logged for all network connections made by the network team through any of the 16 asynchronous ports on the device, MyRouter. Exactly what gets logged depends on how the named method list WeWillBillYou is configured. Most network managers, at a minimum, would use the network command to account for connection times. Generally speaking, the command-oriented parameters exec and commands are useful only for security audits.

RADIUS and TACACS+ Attributes

A security protocol is largely defined by the attributes it supports. After all, they define the raw material used to operate the user-based security system. RADIUS and TACACS+ are separate protocols packaged into the AAA command structure within IOS. The major differences between the two come into play inside the user database, where each user has a security profile containing attributes that define what that person may do. As separate technologies, RADIUS and TACACS+ have their own attributes.
RADIUS is an open standard under the auspices of the IETF and defines nearly 60 attributes. We won’t list them all here, but Table 8-7 shows several to help you see what’s involved in user-based security. Seventeen RADIUS attributes are so-called vendor-proprietary attributes. These are items that vendors can customize to extend functionality within their products. Table 8-8 shows a few Cisco extensions to give you an idea of what vendors like to customize.
TACACS+ has over 50 attributes (attribute-value pairs). While TACACS+ and RADIUS both support the three AAA functions, TACACS+ is more sophisticated. For example, it has attributes such as Tunnel-ID to help secure VPN connections. This is why internetworks that use RADIUS for authenticating dial-in users will frequently use TACACS+ for authorization and accounting. Table 8-9 shows example TACACS+ attributes to give you a feel for the protocol.

The sampling of AV pairs in Table 8-9 shows two areas in which TACACS+ is stronger than RADIUS. First, TACACS+ offers stricter internal security than RADIUS by locking down commands and access lists. The first thing a hacker would do upon breaking into an IOS device would be to make new entries into its access lists, which makes file transfers possible. These AV pairs not only help to stop hackers, they also let the network manager specify which devices, IOS commands, or access lists individual administrators may work with. Locking out certain team members helps avoid configuration errors. The second area in which TACACS+ is stronger is protocol support. For example, TACACS+ has AV pairs to enhance security of VPNs, which are exploding in popularity. As would be expected, TACACS+ also has accounting attributes to go along with the areas where it expands beyond RADIUS. For example, the cmd=x AV pair lets you keep track of which IOS commands an administrator uses while working on a device. This can be useful information for diagnosing how a configuration error was made.
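As an added example (not from the book), the following Python script carries out the correlation described earlier: it pairs start-stop accounting notices into sessions, keeps the cmd= AV pairs recorded in each, and lists which administrators were logged in when a system event such as the interface failure occurred. The tab-separated record layout and the sample records are constructed for this example; real AAA server exports vary.

```python
from datetime import datetime

# Constructed sample of start-stop accounting notices, one per line:
# timestamp, user, notice type, AV pairs. The layout and the interim
# "update" notice carrying cmd= are assumptions of this example.
ACCOUNTING_LOG = """\
2005-01-09 11:05:10\talice\tstart\ttask_id=41 service=shell
2005-01-09 11:20:44\tbob\tstart\ttask_id=42 service=shell
2005-01-09 11:31:50\tbob\tupdate\ttask_id=42 service=shell cmd=shutdown
2005-01-09 11:33:02\tbob\tstop\ttask_id=42 service=shell elapsed_time=738
2005-01-09 11:40:00\talice\tstop\ttask_id=41 service=shell elapsed_time=2090
2005-01-09 12:00:00\tcarol\tstart\ttask_id=43 service=shell
"""
TS_FMT = "%Y-%m-%d %H:%M:%S"

def parse_record(line):
    """Split one notice into its fields; the AV pairs become a dict."""
    ts, user, kind, avs = line.rstrip("\n").split("\t")
    pairs = dict(av.split("=", 1) for av in avs.split())
    return {"time": datetime.strptime(ts, TS_FMT), "user": user,
            "kind": kind, "av": pairs}

def build_sessions(log_text):
    """Pair start/stop notices by (user, task_id); end=None if still open."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        key = (rec["user"], rec["av"]["task_id"])
        s = sessions.setdefault(key, {"user": rec["user"], "start": None,
                                      "end": None, "cmds": []})
        if rec["kind"] == "start":
            s["start"] = rec["time"]
        elif rec["kind"] == "stop":
            s["end"] = rec["time"]
        if "cmd" in rec["av"]:  # the cmd= AV pair names the IOS command used
            s["cmds"].append((rec["time"], rec["av"]["cmd"]))
    return list(sessions.values())

def active_at(log_text, event_ts):
    """(user, commands issued up to the event) for each session open then."""
    event = datetime.strptime(event_ts, TS_FMT)
    hits = []
    for s in build_sessions(log_text):
        if s["start"] and s["start"] <= event <= (s["end"] or event):
            hits.append((s["user"], [c for t, c in s["cmds"] if t <= event]))
    return sorted(hits)

if __name__ == "__main__":  # the interface outage from the text
    for user, cmds in active_at(ACCOUNTING_LOG, "2005-01-09 11:32:28"):
        print(user, cmds)
```

A session whose stop notice has not yet been collected still counts as open, so an administrator logged in at the time of the event is never missed just because the daily upload has not run.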