Bài giảng CCNA Security - Chapter 3: Authentication, Authorization, and Accounting

ponse status = PASS 14:01:17: AAA/AUTHEN (567936829): status = PASS login activity • For successful TACACS+ login attempts, a status message of PASS results Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Debug RADIUS, TACACS • R1# debug radius ? • accounting RADIUS accounting packets only • authentication RADIUS authentication packets only • brief Only I/O transactions are recorded • elog RADIUS event logging • failover Packets sent upon fail-over • local-server Local RADIUS server • retransmit Retransmission of packets • verbose Include non essential RADIUS debugs • • R1# debug radius R1# debug tacacs ? accounting TACACS+ protocol accounting authentication TACACS+ protocol authentication authorization TACACS+ protocol authorization events TACACS+ protocol events packet TACACS+ packets Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Debug RADIUS, TACACS Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Server-Based AAA Authorization show version Display “show version” output configure terminal Do not permit “configure terminal” Command authorization for user JR-ADMIN, command “show version”? Accept Command authorization for user JR-ADMIN, command “config terminal”? Reject .The TACACS+ protocol allows the separation of authentication from authorization. .Can be configured to restrict the user to performing only certain functions after successful authentication. .Authorization can be configured for - character mode (exec authorization) - packet mode (network authorization) .RADIUS does not separate the authentication from the authorization process Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Refer: 3.5.1.1 Configuring Server-Based AAA Authorization R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default group tacacs+ R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# aaa authorization exec default group tacacs+ • To configure command authorization, use: aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4] • Service types of interest include: – commands level For exec (shell) commands – exec For starting an exec (shell) – network For network services. (PPP, SLIP, ARAP) R1(config)# aaa authorization network default group tacacs+ R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN R1(config-line)# ^Z Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SDM to Configure Authorization Character Mode • 1. Choose Configure>Additional Tasks>AAA>Authorization Policies>Exec 2. Click Add 3. Choose Default 4. Click Add 5. Choose group tacacs+ from the list 6. Click OK 7. Click OK to return to the Exec Authorization window Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Using SDM to Configure Authorization Packet Mode • 1. Choose Configure>Additional Tasks>AAA>Authorization Policies>Network 2. Click Add 3. Choose Default 4. Click Add 5. Choose group tacacs+ from the list 6. Click OK 7. Click OK to return to the Exec Authorization pane Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: Configure Authorization • Requirement: – Assign the privilege level=5 for remote users, using the Telnet service – The users can use the show, router and interface with all sub-option commands – Do not authenticate for console access Example: Configure Authorization • Router#show run | section aaa aaa new-model aaa authentication login AUTHEN group tacacs+ local aaa authentication login NO-AUTHEN none aaa authorization exec EXEC-AUTHO group tacacs+ aaa authorization commands 5 COM-AUTHO group tacacs+ • Router#show run | section tacacs-server tacacs-server host 192.168.220.133 key cisco123 • Router#show run | section privilege username student privilege 15 password 0 cisco privilege configure all level 5 router privilege configure all level 5 interface privilege exec level 5 configure terminal privilege exec level 5 configure Example: Configure Authorization • Router#show run | begin line con 0 line con 0 logging synchronous login authentication NO-AUTHEN line aux 0 line vty 0 4 authorization commands 5 COM-AUTHO authorization exec EXEC-AUTHO login authentication AUTHEN Example: Configure Authorization Example: Configure Authorization Example: Configure Authorization Example: Configure Authorization Example: Configure Authorization Configuring Server-Based AAA Accounting • Provides the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered • To configure AAA accounting using named method lists: aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]] • Supports 6 different types of accounting: network, connection, exec, system, commands level, and resource. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Configuring Server-Based AAA Accounting R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default group tacacs+ R1(config)# aaa authentication login TELNET-LOGIN local- case R1(config)# aaa authorization exec group tacacs+ R1(config)# aaa authorization network group tacacs+ R1(config)# aaa accounting exec start-stop group tacacs+ R1(config)# aaa accounting network start-stop group tacacs+ • aaa accounting exec default start-stop group tacacs+ Defines a AAA accounting policy that uses TACACS+ for logging both start and stop records for user EXEC terminal sessions. • aaa accounting network default start-stop group tacacs+ Defines a AAA accounting policy that uses TACACS+ for logging both start and stop records for all network-related service requests. R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN R1(config-line)# ^Z Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Example: Configure Accounting • aaa accounting exec default start-stop group tacacs+ • aaa accounting commands 5 default start-stop group tacacs+ Example: Configure Accounting Chapter Summary • The Authencation, Authorization, and Accounting (AAA) protocol provides a scalable framework for enabling access security. • AAA controls who is allowed to connect to the network, what they are allowed to do, and keeps records of what was done. • In small or simple networks, AAA authentication can be implemented using a local database. • Local AAA can be configured using CLI and SDM. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Chapter Summary • In large or complex networks, AAA authentication can be implemented using server-based AAA. • AAA servers can use RADIUS or TACACS+ protocols to communicate with client routers. • The Cisco Access Control Server (ACS) can be used to provide AAA server services. • Server-based AAA authentication can be configured using CLI or SDM. • Server-based AAA authorization and accounting can be configured using CLI or SDM. Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com