Authentication, Authorization, and Accounting Protocols (AAA)
Page 1 of 45
Tutorial
  Unix
  Configuring Tacacs
    IOS
    Tacacs Configuration Task List
    CatOS
    PIX OS
    Example - Authentication and Authorization Commands
    VPN Concentrator (3005, 3015, 3030, etc.)
  Configuring Radius
    IOS
    Radius Configuration Task List
    CatOS
    PIX OS
    Configuring Radius Authorization
  Configuring Kerberos
    IOS
    CatOS
    PIXOS
http://www.certificationzone.com/cisco/studyguides/component.html?module=studyguides... 5/31/2005
  Conclusion
  References
Introduction
Imagine that you are the Chief Security Officer for a large ISP that has thousands of routers. You have just found out that a key employee is leaving the company for another opportunity. This employee has access to every router and switch in the company, and the departure is going to present a real security problem. How can we possibly go into every router and switch and manually change the passwords? It will take days. The answer is, of course, that we can't. Manually changing the passwords on every router and switch is totally impractical. Sure, we have all logged into routers and switches and entered either our username and password or a user level and enable level password in a lab situation, but this is not scalable for large deployments. Luckily, there are more sophisticated methods available for controlling access to network devices that provide much greater security and flexibility than simple usernames and passwords configured locally on each router, switch, firewall or other networking device. The preferred method for controlling access to networking devices in a large deployment is to use an Authentication, Authorization, and Accounting or AAA (pronounced "triple A") protocol such as Radius, Tacacs, or Kerberos. You may have used AAA in the past and not even been aware of it because AAA is not used just to control local access to networking devices. AAA is also used for many other applications. In the early days of the Internet, when most people dialed up their ISP using a modem for access, they probably used Radius during the PPP or SLIP login. Although Radius is frequently used for AAA of dial up and other remote access accounts, Cisco decided to develop another AAA system called Tacacs that is specifically designed to control access to common networking devices such as routers running IOS, switches running IOS and CatOS, PIX firewalls and more. 
The Unix community at MIT developed yet another AAA system called Kerberos and uses it extensively on the MIT campus. Today, we have taken the AAA concept and extended it even further by using tokens. A practical example is to use Tacacs with an RSA SecurID one time password token for even higher security, but just what does AAA do for us? AAA lets us identify exactly who is logged into a given network device. This means that one of the major functions of AAA is to use a client-server model where the networking devices such as routers, switches, firewalls, etc. are the clients, and the server is the AAA protocol server, i.e., the Radius, Tacacs, or Kerberos server. AAA is then used to control access to these devices. Another major function of AAA is to control access to the network's resources (where resources refers to other users, servers, printers, or networking devices themselves) for remote access users (i.e., someone connecting via dial up access, ISDN, DSL, etc.). These two functions are the first "A" of triple A, authentication. The next "A" of triple A is authorization. With authorization, we can specifically authorize every command that a given user may enter. Note however, that not all AAA protocols provide all three parts of AAA. Kerberos, for example, only uses authentication. Finally, the third "A" in triple A is accounting. Sure, accounting can be used in the traditional sense such as for billing purposes by monitoring usage for dial up accounts, but "accounting" doesn't mean just billing. In a broader concept, accounting is used to make some user or process "accountable" for every action. Accounting provides, in essence, an audit trail of actions taken by a given user on a given device. The accounting database provides a valuable audit trail to catch unauthorized changes or access and can be used as an additional troubleshooting tool. 
For example, suppose that the day shift in a NOC performed a scheduled change on a router, but the night shift receives a trouble ticket for the same device. The night shift engineer can then check the accounting database and see exactly what changes were made on the router and whether they were in accordance with the planned change, whether a step was missed, etc. AAA is useful not just for console or telnet/secure shell (SSH) access to networking devices. In this era of VPNs, PSTN dialup access, and ISDN access, AAA can provide a more secure method of access beyond a simple username and password. AAA can even be used in situations where host applications check application logins. As a practical example of this, we recently deployed an SSL browser-based application where users must login and authenticate using an RSA SecurID. Now that we know what AAA can do, a logical question is: what are the limitations of AAA? Why don't we use AAA for everything? Although AAA is a very valuable security addition to the network, there are several limitations of AAA. One limitation is with Graphical User Interfaces (GUIs). Network devices that have GUIs may not be able to log every command like command line interface (CLI) devices can. You should remember that even though devices that use a GUI may not be capable of a full AAA deployment, they might be capable of at least authentication for administrator logins. A perfect example of this is the Cisco VPN concentrator. Another limitation is that not every Cisco device supports AAA. See Table 3 for an example of some devices that do not support AAA. For example, you may have a Local Director in your network. This older load balancer does not support AAA at all. Perhaps you have a CSS11050 load balancer. Unless you have the correct version of WebNS, you cannot configure Tacacs. Perhaps you have a firewall from another vendor such as a Nokia running CheckPoint. Since CheckPoint uses a GUI interface, you cannot get the same level of AAA support that you can get with a Cisco PIX firewall. This should bring up the question of just which Cisco devices support AAA. Again, the answer varies, but in general, anything running IOS, PIX OS, CatOS, certain versions of WebNS on the Cisco CSS load balancers, and VPN Concentrators will support AAA to some extent. This varies by component and must be checked.
You should also be aware that not every device supports all three AAA protocols (Radius, Tacacs, and Kerberos). Keep in mind that you need to check the current Cisco exam blueprints to make sure of the relevance of each topic. In general, at the moment, Radius and Tacacs are present in the CCIE routing and switching exam blueprint, but Kerberos may not be. The CCIE Security exam blueprint, however, covers all three AAA protocols.
The Products
One of the reasons that I prefer equipment from Cisco is the tightly integrated support for the different networking components. It is simply much easier to build a network when you use routers, switches, firewalls, and load balancers from one vendor than to try to integrate equipment from multiple vendors such as Juniper routers with Foundry switches with F5 load balancers and Nokia/Checkpoint firewalls. One of the problems that you run into with multiple vendors is varying degrees of support for any given AAA protocol. It is difficult to deploy AAA in a network when some components support only Tacacs, but others support only Radius. Table 1 summarizes a list of Cisco equipment that supports AAA. This does not mean that these are the only Cisco products that support AAA, these are just the most common ones.

Table 1. Products that use AAA Servers
  IOS Firewall Feature Set - The only difference in configuring AAA with the Firewall Feature Set is that although there is no specific CBAC support for Kerberos, Radius, or Tacacs, because Context-based Access Control (CBAC) can support any UDP or TCP port, you may use CBAC to inspect AAA packets. Note: CBAC is generally used only on Internet-facing interfaces, so you wouldn't normally use it to inspect AAA packets.
  CatOS
  Cisco Secure PIX Firewall - Although the Cisco Secure PIX Firewall supports the authentication and authorization functions of AAA, as of PIX OS 6.3.3, auditing is not supported.
  VPN Concentrator - The VPN concentrator can use AAA for authentication of the administrative users.
Table 2 presents some products that are AAA servers. There are many available choices for AAA servers including freeware, shareware productions, and commercial products from many different vendors.
Table 2. Server Products
  Vendor                     Product
  Cisco                      CiscoSecure ACS for Windows
  Cisco                      CiscoSecure ACS for UNIX
  Funk Software              Steel-Belted Radius
  MIT                        Kerberos (including Windows, MacOS, and Unix)
  FreeRADIUS Server Project  freeRadius (at http://www.freeradius.org/)
  Dialways                   DialWays v3.0
  Lucent                     NaviRadius
  Livingston                 Livingston Radius
You should be aware that, for purposes of the CCIE lab, Cisco has stated that for the Routing and Switching exam, you will not be responsible for configuring CiscoSecure ACS. This is probably also true for the CCIE Security lab exam, but you should really check CCO for the latest information. This does not mean that there won't be a pre-configured CiscoSecure server available in the lab somewhere. Remember, anything in IOS is free game, so you could definitely be provided with the IP address of the CiscoSecure server, given the AAA key, and asked to configure a given device for AAA using a specified username/password from the AAA server.

Table 3. End-of-sale and other Cisco products that do not use AAA servers
  Cisco Secure Policy Manager (formerly Cisco Security Manager) - This product has reached end-of-sale or end-of-life status; it cannot be ordered and may no longer be supported. Cisco Secure Policy Manager has been replaced by Cisco Works VMS. Configuration of Cisco Works VMS is beyond the scope of this paper.
  Cisco Secure Intrusion Detection System (formerly NetRanger) - Cisco Secure IDS does not support Tacacs.
  Cisco Local Director
operations, which can be protected subprograms or protected entries. The Orange Book defines two levels of access control:

"Discretionary Access Control - A means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)."

"Mandatory Access Control - A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."
Two-Factor Authentication
Although simple passwords are easy to implement and use, they have security problems. For example, believe it or not, "Cisco" is one of the most common passwords used. Sure, passwords are easy to implement and use, but it is not easy to enforce good password discipline. All it takes to take advantage of password weaknesses is a sniffer and a user who uses an insecure protocol such as Telnet or FTP, and bingo, you have their password. For these reasons, recognizing that password systems can be weak, many companies have explored alternatives. Two-factor authentication is based on something you know (e.g., a password or PIN) and something you have (e.g., a token card or other authenticator). This concept can be expanded further: two-factor authentication is a purported userid, authenticated with at least one of something you know (e.g., a password), something you have (e.g., a token), or something you are (e.g., biometrics). Additionally, this can be strengthened with checks on where you are (access lists), time of attempts, etc. This approach provides a much more reliable level of user authentication and security than a simple password or other digital certificate scheme. Every time you go to the bank and use an ATM card, you are using two-factor authentication. Think about this practical example. You go to your ATM and insert your ATM card (the token) and then enter your PIN (something you know). Personally, I like to use an RSA SecurID token for two-factor authentication in conjunction with AAA. For more information on RSA SecurID, see the RSA Security website at http://www.rsasecurity.com/. A token can take many forms including challenge/response tokens, time-based tokens, end-user service tokens and one-time password tokens. Another alternative to a simple username/password system that some companies have explored is to use digital certificates. Depending on how they are implemented, digital certificates can provide varying degrees of security.
For example, a digital certificate that is unprotected on a user's desktop does not provide strong assurance that the user presenting the certificate is in fact the person who is supposed to have the certificate. A digital certificate, however, that is present on a device controlled by a user such as smart card or other token device that can only be accessed after the user enters a PIN is a strong two-factor authentication solution. Just how does authentication work? Let's use a router running IOS. At its most basic, a user can telnet into a router and will simply be challenged for a password that an administrator has configured for the router. Here is an example.
Router1>telnet Router2
Trying Router2 (192.168.1.2)... Open

User Access Verification

Password: xxxxxxxx
Router2>
We can get more sophisticated and login using not just a simple password, but a local username and password database that prompts you to make sure that you not only have a valid username, but a valid password as well. If you think about it, this is really an example of two-factor authentication at its simplest where the username is the first factor and the password is the second factor. Here is an example where I supply the username as part of the SSH command. Notice what happens when I enter the wrong password, then the correct password.
Router1>ssh 192.168.1.2 -l dwolsefer
dwolsefer@192.168.1.2's password:
Permission denied, please try again.
dwolsefer@192.168.1.2's password:
Router2>enable
Password:
Router2#
These systems work fine if you are in a small office or have only a single home router, but what happens when you are a large corporation or a service provider with hundreds or thousands of routers? It isn't practical to configure and maintain a local database of usernames and passwords on each device. It would take hundreds of usernames and passwords for one thing, with people constantly joining and leaving the company. You also don't want to maintain a different enable password for each device. How would you keep track of them? You certainly don't want to use the same password for each router, and you don't want to have to change the password every time someone joins or leaves the company either. So, just what is a scalable solution?
database of usernames and matching passwords, to make sure that this user is authorized. This illustrates one of the advantages of AAA in a large environment. The database resides on an AAA server rather than locally on each router. If this user resigns tomorrow, all you have to do is disable the authorization at a central point rather than locally on every router.
Authorization/Credentialing
Once a user has been authenticated, then we know who they are. The next step in the process is to decide what the user is allowed to do based on that authentication. After all, we may want level 3 engineers to have enable access, but level 1 engineers to have access only to show commands. Perhaps we want to allow customers to view their own configurations with the show configuration command, but do not want them to be able to make any changes. We can use command authorization to decide just what level of access a given user should have for each networking device. IOS has privilege levels 0 through 15 to control which IOS commands the user can issue. A user with privilege level 0 cannot issue any commands, but a user with level 15 can issue any IOS command. You can set the privilege level for a given command either in the local database or by using a remote AAA server. For example, I like to change the privilege level of the clear line command for use on a terminal server where we want to limit the access that users have so that the users who only have level 1 access can still clear their hung sessions.
router1>sh privilege
Current privilege level is 1
router1>en
Password:
Router1#
router1#show privilege
Current privilege level is 15
Just how does authorization work with AAA? AAA determines which specific rights a given user has by associating attribute-value (AV) pairs, which define those rights with that appropriate user. As you can see, there are quite a few attributes. An external AAA server will then transmit the correct rights for the authenticated user back to the networking device.
(Only the last two rows of the attribute table survive here:)
  412  isakmp-initator-ip
  413  isakmp-group-id
Accounting/Logging/Audit
The final step in the AAA process is accounting. Accounting takes place once the user has passed the authentication and authorization phases. Accounting lets us keep better track of a user's activities by recording who logged in, when and for how long, how many bytes were transferred, and which commands were issued. You can view accounting information locally or on the central AAA security server. You can see local accounting information on a router by issuing the show accounting command. Here are a few examples:
termserver#show accounting
Active Accounted actions on tty130, User user1 Priv 1
  Task ID 539, EXEC Accounting record, 00:01:45 Elapsed
  task_id=539 start_time=1064194984 timezone=edt service=shell

or

router#show accounting
Active Accounted actions on tty130, User user1 Priv 1
  Task ID 555, EXEC Accounting record, 00:00:51 Elapsed
  task_id=555 start_time=1064195486 timezone=edt service=shell

Overall Accounting Traffic
             Starts  Stops  Updates  Active  Drops
  Exec            0    339        0       1      0
  Network         0      0        0       0      0
  Connect         0      0        0       0      0
  Command         0    218        0       0      0
  Rsrc-mgmt       0      0        0       0      0
  System          0      0        0       0      0

User creates:1554, frees:1552, Acctinfo mallocs:558, frees:556
Users freed with accounting unaccounted for: 0
Queue length: 1
Note: on newer versions of IOS, the command syntax has changed. Here is what you will see if this is the case:
router1#show accounting
"show accounting" is no longer supported. Please use: "show aaa user all" instead
Accounting information can be very useful for several reasons. One reason is that an audit trail can be a valuable troubleshooting tool. For example, suppose that you work in a network operations center and just changed shifts. You get a call for a trouble ticket and realize that another engineer was working on the router in question on the previous shift. With accounting information, you can look at every command entered by the previous engineer and see what changes were made. This can help pinpoint the source of the problem and lead to a quicker resolution. Another reason is to enforce good discipline and proper change procedures. For example, without accounting, a user can go make changes at any time as long as they have the password. With accounting, however, a user will know that their activity will be tracked and thus stick to strict change procedures.
The accounting information available locally is not as valuable as the accounting information available on the remote AAA server. Here is an example. Notice how the information is available for each user, the time and date the command was entered, what device the command was entered on and at what privilege level:
Digital signatures
Although we have already defined authentication in terms of Radius, Tacacs+, and Kerberos, we need to be aware of authentication in a broader sense. Strictly defined, authentication is the process through which one proves and verifies certain information. Sure, we may want to use authentication to verify the identity of a user, but there are other uses for authentication. Some examples of these other uses are to verify the origin of documents, the time and date documents were sent, and so on. We can use authentication so that participants in a transaction cannot later deny taking part in the transaction. We are used to seeing this in the form of a legal signature on paper documents in the presence of a notary, but there are also digital signatures. A digital signature is a cryptographic method through which many of these same things may be verified. The digital signature of a document is created by using both the document and the signer's private key to produce a new piece of information. If you have ever used Phil Zimmermann's Pretty Good Privacy (PGP) software, you can see that this is typically created through the use of a hash function and a private signing function (encrypting with the signer's private key). Every day, people sign their names to letters, credit card receipts, and other documents, demonstrating they are in agreement with the contents. That is, they authenticate that they are in fact the sender or originator of the item. This allows others to verify that a particular message did indeed originate from the signer. However, this is not foolproof, since people can 'lift' signatures off one document and place them on another, thereby creating fraudulent documents. Written signatures are also vulnerable to forgery because it is possible to reproduce a signature on other documents as well as to alter documents after they have been signed. Digital signatures and hand-written signatures both rely on the fact that it is very hard to find two people with the same signature. People use public-key cryptography to compute digital signatures by associating something unique with each person. When public-key cryptography is used to encrypt a message, the sender encrypts the message with the public key of the intended recipient. When public-key cryptography is used to calculate a digital signature, the sender encrypts the "digital fingerprint" of the document with his or her own private key. Anyone with access to the public key of the signer may verify the signature.
PKI
You may have heard of PKI if you have configured an IPSec VPN or perhaps if you have used Pretty Good Privacy (PGP), but just what is PKI? PKI stands for Public Key Infrastructure. The PKI ensures that data communications are private and protected from tampering. PKI can be used to ensure the following:

  verification of the identity of the parties involved in an electronic transmission
  that no party involved in an electronic transaction can deny involvement in the transaction
  the integrity of electronic transmissions, by making sure that they are unaltered during their trip between parties
  that data can be transmitted securely, by being encrypted for transmission so that no one but the correct parties can read the data even if the data is intercepted

If you use PGP, then you can see exactly how all these functions operate. For example, you do not have to encrypt data with PGP. You can just attach a digital signature so that someone will know that the data (such as an email) is definitely from you. You can, however, both encrypt and digitally sign a message or file as well. PKI makes this possible because with PKI, you can use a combination of public keys, cryptography, and digital signatures to meet these needs. This paper is not meant to go in depth on certificates or PKI and does assume that the reader has a basic knowledge of these topics. If you do not have that knowledge or wish to learn more, please see Annlee Hines' Securing Communications I Study Guide. The way this works is that each party generates two keys. One key is private and the other is public. You send out your public key to anyone you want to be able to encrypt data that will be sent to you. The other party then encrypts the data and sends it to you. Even though they can encrypt the data to be sent to you, only you can decrypt it because decryption requires your private key. You can see an example of a digital signature in the form of digital certificates that you get at certain web sites. For example, a given vendor might obtain a certificate from a Certificate Authority such as VeriSign, which guarantees that the certificate issued is genuine. You see this a lot with SSL during secure transactions.
The Protocols
aaa authentication service listname method1 method2 ... method_n

service is one of the named predefined services, listname is either a user-defined character string or the keyword default, and the methods are lists of predefined options. Some other keywords are as follows:

Table 5. Method List Keywords
  if-needed   Authenticate only if the user is not already authenticated
  local       Use local username lookup
  local-case  Use case-sensitive local username lookup
  none        Do not authenticate (be careful using this: you can lock yourself out of the router)
Typical keywords for authorization are the same as for authentication, but services are usually either exec or network. The exec keyword is used to start an EXEC shell, used with scripted logins and TCP Clear. The network keyword is used to enable related network services, such as PPP. Finally, accounting method lists also use a similar syntax to authentication and authorization method lists:
  enable  Enables access at privilege level 15
  login   Enables login access, either through scripted login or telnet
With accounting, you also need to specify when to send accounting records to the AAA server. The available options are:

Table 7. Accounting export options
  start-stop  Send both start and stop records
  stop-only   Send only stop records
  wait-start  Same as for start-stop, but wait for the ACK of the start record before allowing the user session to proceed
You should be aware that there is another very useful accounting mode available, although it is not part of AAA. This method is known as NetFlow. It works in a fashion similar to AAA accounting in that NetFlow data is exported to a server. The key difference is that NetFlow accounts for different information than AAA accounting. NetFlow data is data that keeps track of data flows. This means that with NetFlow, you can keep track of the source IP of a data flow, the destination IP of a data flow, and the port and protocols used for the data flow. This information can be invaluable during DoS and other attacks. A detailed discussion of NetFlow is beyond the scope of this paper, but you should be aware that it exists. You can use the show aaa method-lists all command to find some more examples of possible method lists.
router1#show aaa method-lists all
authen queue=AAA_ML_AUTHEN_LOGIN
authen queue=AAA_ML_AUTHEN_ENABLE
authen queue=AAA_ML_AUTHEN_PPP
authen queue=AAA_ML_AUTHEN_SGBP
authen queue=AAA_ML_AUTHEN_ARAP
permanent lists
  name=Permanent Enable None valid=1 id=0 : ENABLE NONE
  name=Permanent Enable valid=1 id=0 : ENABLE
  name=Permanent None valid=1 id=0 : NONE
  name=Permanent Local valid=1 id=0 : LOCAL
author queue=AAA_ML_AUTHOR_SHELL
author queue=AAA_ML_AUTHOR_NET
author queue=AAA_ML_AUTHOR_CONN
author queue=AAA_ML_AUTHOR_IPMOBILE
author queue=AAA_ML_AUTHOR_COMMAND
author queue=AAA_ML_AUTHOR_RM
author queue=AAA_ML_AUTHOR_CONFIG
author queue=AAA_ML_AUTHOR_AUTH_PROXY
author queue=AAA_ML_AUTHOR_PREAUTH
author queue=AAA_ML_AUTHOR_FLTSV
permanent lists
  name=local-list valid=1 id=0 : LOCAL
acct queue=AAA_ML_ACCT_SHELL
acct queue=AAA_ML_ACCT_AUTH_PROXY
acct queue=AAA_ML_ACCT_NET
acct queue=AAA_ML_ACCT_CONN
acct queue=AAA_ML_ACCT_SYSTEM
acct queue=AAA_ML_ACCT_RESOURCE
acct queue=AAA_ML_ACCT_RM
acct queue=AAA_ML_ACCT_COMMAND
permanent lists
  name=Permanent None valid=1 id=0 Action=NOT_SET :
Terminal Access Controller Access Control System Plus (Tacacs+)
Brief historical overview
Tacacs is a term commonly used to refer to Tacacs+, but actually applies to Tacacs, Extended Tacacs, and Tacacs+. There was a historical development of the original protocol from just plain old Tacacs to Extended Tacacs to the present Tacacs+ version. Although there are some differences between the three versions, each will authenticate a user against a username/password combination in a database and permit/deny access based on the authentication results and access authorization. Cisco developed Tacacs to fix a number of the deficiencies of Radius. It is critical that you understand the major differences between Radius and Tacacs.
Operation
There are many different Tacacs servers out there, but the one I use most is CiscoSecure Access Control Server (CiscoSecure ACS), which supports both Radius and Tacacs+. Note: CiscoSecure ACS is available in both a Unix (Solaris) version and a Windows version. You will have to check specific versions to determine exact operating system requirements. In general, Tacacs has the following features:

Table 8. Comparing TACACS and Radius

AAA Support
  Radius: Radius combines authentication and authorization into one server. These functions cannot be separated across different servers.
  Tacacs: Tacacs uses the AAA architecture and can separate the three AAA functions across different servers.

Multiprotocol Support
  Radius: Radius supports only IP.
  Tacacs: Tacacs supports other protocols, such as AppleTalk, NetBIOS, and IPX.

Packet Encryption
  Radius: Radius encrypts only the password in the access-request packet from the client to the server.
  Tacacs: Tacacs encrypts the entire body of the packet but leaves a standard Tacacs header.

Packet Delivery / Transport Type
  Radius: UDP port 1812; UDP port 1813 is used for accounting.
  Tacacs: TCP port 49.

Router Management
  Radius: Radius does not allow users to control which commands can be executed on a router.
  Tacacs: Tacacs does allow control over which commands can be executed on a router.
Figure 3. TACACS connection request

When a Tacacs server authenticates a user, the following events occur:

1. When the TCP connection is established, the router contacts the Tacacs server to obtain a username prompt, which is then displayed to the user. The user enters a username and the router contacts the Tacacs server to obtain a password prompt. The router then displays the password prompt to the user, the user enters a password, and the password is sent to the Tacacs server.

2. The router eventually receives one of the following four responses from the Tacacs server:
   ACCEPT - The user is authenticated and service can begin. If the router is configured to require authorization, authorization will occur next.
   REJECT - The user has failed authentication. The user will be prompted to retry the login sequence or may be denied further access, depending on the particular Tacacs+ server in use.
   ERROR - An error occurred at some time during authentication, either at the daemon or in the network connection between the daemon and the router.
   CONTINUE - The user is prompted for additional authentication information.

3. PPP PAP and CHAP logins are similar to ASCII logins, except that the username and password arrive at the NAS in a PAP or CHAP protocol packet instead of being typed in by the user, so the user is not prompted.

4. If authorization is configured, it happens once the user has been authenticated. At this point, the router contacts the Tacacs server again and the Tacacs server returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes used to direct the EXEC or NETWORK session for that user.

The packets exchanged between the router and the Tacacs server contain attribute-value pairs (AV pairs). The router sends Start packets and the Tacacs server responds with Response packets. The server can permit, deny, or modify commands requested by the end user. The data (which contains the full list of all username/password pairs) is stored in a local file defining what commands are permitted for each user. Possible services include the following:

   Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services
   Connection parameters, including the host or client IP address, access list, and user timeouts

In the sample Tacacs debug output below, we see this happening. Notice how the debug trace picks up with the PASS from the authentication phase and then proceeds to the authorization phase. We can then see the user data transmitted for authorization and the AV pairs sent.
Finally, the server returns an "authorization successful" message.
Sep 21 21:49:48.249 edt: AAA/AUTHEN (251567022): status = PASS
Sep 21 21:49:48.249 edt: AAA/MEMORY: free_user (0x61566E64) user='NULL' ruser='NULL' port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=ENABLE priv=15
Sep 21 21:50:51.498 edt: AAA/MEMORY: free_user (0x61568D90) user='test' ruser='NULL' port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=LOGIN priv=1
Sep 21 21:50:54.130 edt: AAA: parse name=tty130 idb type=-1 tty=-1
Sep 21 21:50:54.130 edt: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
Sep 21 21:50:54.130 edt: AAA/MEMORY: create_user (0x61566E64) user='NULL' ruser='NULL' ds0=0 port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
Sep 21 21:51:10.490 edt: AAA/MEMORY: free_user_quiet (0x61566E64) user='test' ruser='NULL' port='tty130' rem_addr='172.16.1.1' authen_type=1 service=1 priv=1
Sep 21 21:51:10.490 edt: AAA: parse name=tty130 idb type=-1 tty=-1
Sep 21 21:51:10.490 edt: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
Sep 21 21:51:10.490 edt: AAA/MEMORY: create_user (0x615632AC) user='NULL' ruser='NULL' ds0=0 port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): Port='tty130' list='' service=EXEC
Sep 21 21:51:26.582 edt: AAA/AUTHOR/EXEC: tty130 (1739401331) user='test'
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): send AV service=shell
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): send AV cmd*
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): found list "default"
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): Method=tacacs+ (tacacs+)
Sep 21 21:51:26.862 edt: AAA/AUTHOR (1739401331): Post authorization status = PASS_ADD
Sep 21 21:51:26.862 edt: AAA/AUTHOR/EXEC: Authorization successful
You may choose which components of AAA to implement; not all phases are always needed. Once authorization is complete, the next optional phase is accounting. Tacacs accounting provides an audit record of what commands were completed. When accounting is configured on the router, the router sends a record of commands entered to the Tacacs server, and the Tacacs server sends a response acknowledging the accounting record.
Sep 21 21:49:16.829 edt: AAA/MEMORY: free_user (0x6157CDA0) user='test' ruser='NULL' port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=LOGIN priv=1
Sep 21 21:49:19.137 edt: AAA: parse name=tty130 idb type=-1 tty=-1
Sep 21 21:49:19.137 edt: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
Sep 21 21:49:19.137 edt: AAA/MEMORY: create_user (0x61568D90) user='NULL' ruser='NULL' ds0=0 port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
Sep 21 21:49:19.137 edt: AAA/AUTHEN/START (4128140750): port='tty130' list='' action=LOGIN service=LOGIN
Sep 21 21:49:19.137 edt: AAA/AUTHEN/START (4128140750): using "default" list
Sep 21 21:49:19.137 edt: AAA/AUTHEN/START (4128140750): Method=tacacs+ (tacacs+)
Here we can see the response from the Tacacs server requesting the username as indicated by "GETUSER" and then the password as indicated by "GETPASS". You can then see the router respond, followed by the Tacacs server's response that the user has been authenticated successfully. The communications from the Tacacs server are indicated by the "TAC+" and "AAA" indicates communications from the router.
Sep 21 21:49:19.137 edt: TAC+: send AUTHEN/START packet ver=192 id=4128140750
Sep 21 21:49:19.417 edt: TAC+: ver=192 id=4128140750 received AUTHEN status = GETUSER
Sep 21 21:49:19.417 edt: AAA/AUTHEN (4128140750): status = GETUSER
Sep 21 21:49:22.153 edt: AAA/AUTHEN/CONT (4128140750): continue_login (user='(undef)')
Sep 21 21:49:22.153 edt: AAA/AUTHEN (4128140750): status = GETUSER
Sep 21 21:49:22.153 edt: AAA/AUTHEN (4128140750): Method=tacacs+ (tacacs+)
Sep 21 21:49:22.153 edt: TAC+: send AUTHEN/CONT packet id=4128140750
Sep 21 21:49:22.353 edt: TAC+: ver=192 id=4128140750 received AUTHEN status = GETPASS
Sep 21 21:49:22.353 edt: AAA/AUTHEN (4128140750): status = GETPASS
Sep 21 21:49:30.761 edt: AAA/AUTHEN/CONT (4128140750): continue_login (user='test')
Sep 21 21:49:30.761 edt: AAA/AUTHEN (4128140750): status = GETPASS
Sep 21 21:49:30.761 edt: AAA/AUTHEN (4128140750): Method=tacacs+ (tacacs+)
Sep 21 21:49:30.761 edt: TAC+: send AUTHEN/CONT packet id=4128140750
Sep 21 21:49:33.061 edt: TAC+: ver=192 id=4128140750 received AUTHEN status = PASS
Sep 21 21:49:33.061 edt: AAA/AUTHEN (4128140750): status = PASS
Sep 21 21:49:33.341 edt: TAC+: (1469827943): received author response status = PASS_ADD
Sep 21 21:49:35.929 edt: AAA/MEMORY: dup_user (0x615632AC) user='test' ruser='NULL' ds0=0 port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
Once the authentication phase is complete, the next step is the authorization phase. You can see that for authorization, the router uses the "default" method list and is requesting the service "shell" using Tacacs+. You can also see that the authorization was successful as indicated by the "Post authorization status = PASS_ADD." Now the user is authorized at privilege level 15.
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): Port='tty130' list='' service=EXEC
Sep 21 21:51:26.582 edt: AAA/AUTHOR/EXEC: tty130 (1739401331) user='test'
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): send AV service=shell
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): send AV cmd*
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): found list "default"
Sep 21 21:51:26.582 edt: tty130 AAA/AUTHOR/EXEC (1739401331): Method=tacacs+ (tacacs+)
Sep 21 21:51:26.582 edt: AAA/AUTHOR/TAC+: (1739401331): user=test
Sep 21 21:51:26.582 edt: AAA/AUTHOR/TAC+: (1739401331): send AV service=shell
Sep 21 21:51:26.582 edt: AAA/AUTHOR/TAC+: (1739401331): send AV cmd*
Sep 21 21:51:26.862 edt: AAA/AUTHOR (1739401331): Post authorization status = PASS_ADD
Sep 21 21:51:26.862 edt: AAA/AUTHOR/EXEC: Authorization successful
Sep 21 21:51:30.270 edt: AAA/MEMORY: free_user (0x615661BC) user='NULL' ruser='NULL' port='tty130' rem_addr='172.16.1.1' authen_type=ASCII service=ENABLE priv=15
Next, the router uses Tacacs for accounting using the "default" method list with Tacacs. You can see that a positive response is received from the Tacacs server to start accounting and that the user entered the show accounting command. You can see that the user's next command no debug all is sent to the accounting server to be recorded into the accounting database. Finally, you can see that accounting stops and the TCP connection is closed.
Sep 21 21:52:00.122 edt: AAA/ACCT: user test, acct type 3 (4029509403): Method=tacacs+ (tacacs+)
Sep 21 21:52:00.402 edt: TAC+: (4029509403): received acct response status = SUCCESS
Sep 21 21:52:18.598 edt: AAA/ACCT/CMD: User test, Port tty130, Priv 15: "show accounting <cr>"
Sep 21 21:52:18.598 edt: AAA/ACCT/CMD: Found list "default"
Sep 21 21:52:18.606 edt: AAA/ACCT: user test, acct type 3 (2680368157): Method=tacacs+ (tacacs+)
Sep 21 21:52:18.886 edt: TAC+: (2680368157): received acct response status = SUCCESS
Sep 21 21:53:45.207 edt: AAA/ACCT/CMD: User test, Port tty130, Priv 15: "no debug all <cr>"
Sep 21 21:53:45.207 edt: AAA/ACCT/CMD: Found list "default"
Sep 21 21:53:55.839 edt: TAC+: using previously set server 172.16.1.2 from group tacacs+
Sep 21 21:53:55.839 edt: TAC+: Opening TCP/IP to 172.16.1.2/49 timeout=5
Sep 21 21:53:55.919 edt: TAC+: Opened TCP/IP handle 0x615680B4 to 172.16.1.2/49
Sep 21 21:53:55.919 edt: TAC+: Opened 172.16.1.2 index=1
Sep 21 21:53:55.919 edt: TAC+: 172.16.1.2 (4141160261) ACCT/REQUEST/STOP queued
Sep 21 21:53:56.119 edt: TAC+: (4141160261) ACCT/REQUEST/STOP processed
Sep 21 21:53:56.119 edt: TAC+: (4141160261): received acct response status = SUCCESS
Sep 21 21:53:56.119 edt: TAC+: Closing TCP/IP 0x615680B4 connection to 172.16.1.2/49
Some other useful debug commands are debug aaa authentication, debug aaa authorization, and debug aaa accounting. Here is some example output: In this sample output from the debug aaa authentication command, you can see an EXEC login that uses the "default" method list and the first method, Tacacs+, is displayed. The Tacacs server then sends a GETUSER request to prompt for the username and then a GETPASS request to prompt for the password. Next, you will see the PASS response to indicate a successful login. The number 1202654323 is the session ID, which is unique for each authentication. This session ID can be very helpful for troubleshooting when there are multiple authentication sessions occurring at the same time.
debug aaa authentication
Jan 4 21:15:01.419 EST: AAA/AUTHEN/START (1202654323): port='tty130' list='' action=LOGIN service=LOGIN
Jan 4 21:15:01.419 EST: AAA/AUTHEN/START (1202654323): using "default" list
Jan 4 21:15:01.419 EST: AAA/AUTHEN/START (1202654323): Method=tacacs+ (tacacs+)
Jan 4 21:15:01.419 EST: TAC+: send AUTHEN/START packet ver=192 id=1202654323
Jan 4 21:15:01.699 EST: TAC+: ver=192 id=1202654323 received AUTHEN status = GETUSER
Jan 4 21:15:01.699 EST: AAA/AUTHEN (1202654323): status = GETUSER
Jan 4 21:15:04.023 EST: AAA/AUTHEN/CONT (1202654323): continue_login (user='(undef)')
Jan 4 21:15:04.023 EST: AAA/AUTHEN (1202654323): status = GETUSER
Jan 4 21:15:04.027 EST: AAA/AUTHEN (1202654323): Method=tacacs+ (tacacs+)
Jan 4 21:15:04.027 EST: TAC+: send AUTHEN/CONT packet id=1202654323
Jan 4 21:15:04.227 EST: TAC+: ver=192 id=1202654323 received AUTHEN status = GETPASS
Jan 4 21:15:04.227 EST: AAA/AUTHEN (1202654323): status = GETPASS
Jan 4 21:15:13.155 EST: AAA/AUTHEN/CONT (1202654323): continue_login (user='dwolsefer')
Jan 4 21:15:13.155 EST: AAA/AUTHEN (1202654323): status = GETPASS
Jan 4 21:15:13.155 EST: AAA/AUTHEN (1202654323): Method=tacacs+ (tacacs+)
Jan 4 21:15:13.155 EST: TAC+: send AUTHEN/CONT packet id=1202654323
Jan 4 21:15:15.455 EST: TAC+: ver=192 id=1202654323 received AUTHEN status = PASS
Jan 4 21:15:15.455 EST: AAA/AUTHEN (1202654323): status = PASS
The following is an example of the debug aaa authorization command. In this display, an EXEC authorization for user "dwolsefer" is performed. You can also see that the session number is 2116885857. Note that the username is authorized and that the next two lines' attribute-value (AV) pairs are also authorized. Next, you can see that the authorization method used is Tacacs+. The final line in the display indicates the status of the authorization process, which is a pass or successful in this case.
debug aaa authorization
Jan 4 21:18:47.212 EST: tty130 AAA/AUTHOR/EXEC (2116885857): Port='tty130' list='' service=EXEC
Jan 4 21:18:47.212 EST: AAA/AUTHOR/EXEC: tty130 (2116885857) user='dwolsefer'
Jan 4 21:18:47.212 EST: tty130 AAA/AUTHOR/EXEC (2116885857): send AV service=shell
Jan 4 21:18:47.212 EST: tty130 AAA/AUTHOR/EXEC (2116885857): send AV cmd*
Jan 4 21:18:47.212 EST: tty130 AAA/AUTHOR/EXEC (2116885857): found list "default"
Jan 4 21:18:47.212 EST: tty130 AAA/AUTHOR/EXEC (2116885857): Method=tacacs+ (tacacs+)
Jan 4 21:18:47.212 EST: AAA/AUTHOR/TAC+: (2116885857): user=dwolsefer
Jan 4 21:18:47.212 EST: AAA/AUTHOR/TAC+: (2116885857): send AV service=shell
Jan 4 21:18:47.212 EST: AAA/AUTHOR/TAC+: (2116885857): send AV cmd*
Jan 4 21:18:47.492 EST: AAA/AUTHOR (2116885857): Post authorization status = PASS_ADD
Jan 4 21:18:47.492 EST: AAA/AUTHOR/EXEC: Authorization successful
The debug aaa accounting command is not as useful as the other two debug aaa commands. For more information about the accounting going on, you might be better off using the debug radius or debug tacacs specific commands instead. You can also use the show accounting command for more information.
debug aaa accounting
Jan 4 21:22:12.938 EST: AAA/ACCT/CMD: User dwolsefer, Port tty130, Priv 15: "clear logging <cr>"
Jan 4 21:22:12.938 EST: AAA/ACCT/CMD: Found list "default"
Jan 4 21:22:12.938 EST: AAA/ACCT: user dwolsefer, acct type 3 (3915005986): Method=tacacs+ (tacacs+)
Jan 4 21:22:13.330 EST: TAC+: (3915005986): received acct response status = SUCCESS
Jan 4 21:22:16.038 EST: AAA/ACCT/ACCT_DISC: Found list "default"
Jan 4 21:22:16.038 EST: tty130 AAA/DISC: 1/"User Request"
Jan 4 21:22:16.038 EST: AAA/ACCT/ACCT_DISC: Found list "default"
Jan 4 21:22:16.038 EST: tty130 AAA/DISC/EXT: 1020/"User Request"
Jan 4 21:22:16.038 EST: AAA/ACCT/ACCT_DISC: Found list "default"
Jan 4 21:22:16.038 EST: tty130 AAA/DISC: 9/"NAS Error"
Jan 4 21:22:16.038 EST: AAA/ACCT/ACCT_DISC: Found list "default"
Jan 4 21:22:16.038 EST: tty130 AAA/DISC/EXT: 1002/"Unknown"
Jan 4 21:22:16.042 EST: AAA/ACCT: no attribute "elapsed_time" to replace, adding it
Jan 4 21:22:16.042 EST: AAA/ACCT/EXEC/STOP: cannot retrieve modem speed
Jan 4 21:22:16.042 EST: AAA/ACCT/EXEC/STOP User dwolsefer, Port tty130: task_id=1071 start_time=1073269127 timezone=EST service=shell disc-cause=1 disc-cause-ext=1020 connect-progress=40 elapsed_time=209 nas-rx-speed=0 nas-tx-speed=0
Jan 4 21:22:16.046 EST: AAA/ACCT: user dwolsefer, acct type 0 (3564001228): Method=tacacs+ (tacacs+)
Jan 4 21:22:16.426 EST: TAC+: (3564001228): received acct response status = SUCCESS
Jan 4 21:22:16.426 EST: AAA/MEMORY: free_user (0x61564FC4) user='dwolsefer' ruser='NULL' port='tty130' rem_addr='192.168.1.1' authen_type=ASCII service=LOGIN priv=1
Jan 4 21:22:18.258 EST: AAA: parse name=tty130 idb type=-1 tty=-1
Jan 4 21:22:18.262 EST: AAA: name=tty130 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=130 channel=0
Jan 4 21:22:18.262 EST: AAA/MEMORY: create_user (0x6156468C) user='NULL' ruser='NULL' ds0=0 port='tty130' rem_addr='192.168.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
Jan 4 21:22:34.282 EST: AAA/ACCT/EXEC/START User dwolsefer, port tty130
Jan 4 21:22:34.282 EST: AAA/ACCT/EXEC: Found list "default"
Jan 4 21:22:34.282 EST: AAA/ACCT/EXEC/START User dwolsefer, Port tty130, task_id=1078 start_time=1073269354 timezone=EST service=shell
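The session ID in parentheses is what ties the three debug streams above together, and it is the handle a practitioner wants when several logins overlap. The following is an added example (not from the study guide or from Cisco) that parses debug aaa authentication, authorization and accounting lines keyed on that ID and reports, per session, the phase, the user once it is known, and the status progression (GETUSER, GETPASS, PASS or FAIL; PASS_ADD; SUCCESS). The sample log is assembled from the guide's own lines plus two constructed sessions: a failed login and one that never completed.

```python
"""Group IOS AAA debug lines by session ID (added example)."""
import re

# Session ID appears as "(1202654323)" in AAA lines and as "id=1202654323" in TAC+ lines.
SID_RE = re.compile(r"\((\d+)\)|\bid=(\d+)")
STATUS_RE = re.compile(r"status = (\w+)")
# user='dwolsefer', user=dwolsefer, and "user dwolsefer," all occur in the debugs.
USER_RE = re.compile(r"user='([^']+)'|\buser=(\w+)|\buser (\w+),", re.I)
PHASES = (("AUTHEN", "AUTHEN"), ("AUTHOR", "AUTHOR"), ("ACCT", "ACCT"), ("acct", "ACCT"))
TERMINAL_AUTHEN = ("PASS", "FAIL", "ERROR")

# Constructed sample: lines from the guide's debugs plus sessions 214431325
# (failed login) and 999000111 (prompted for a username, never answered).
SAMPLE_LOG = """\
Jan 4 21:15:01.419 EST: AAA/AUTHEN/START (1202654323): port='tty130' list='' action=LOGIN service=LOGIN
Jan 4 21:15:01.419 EST: AAA/AUTHEN/START (1202654323): Method=tacacs+ (tacacs+)
Jan 4 21:15:01.699 EST: AAA/AUTHEN (1202654323): status = GETUSER
Jan 4 21:15:04.023 EST: AAA/AUTHEN/CONT (1202654323): continue_login (user='(undef)')
Jan 4 21:15:04.227 EST: AAA/AUTHEN (1202654323): status = GETPASS
Jan 4 21:15:13.155 EST: AAA/AUTHEN/CONT (1202654323): continue_login (user='dwolsefer')
Jan 4 21:15:15.455 EST: AAA/AUTHEN (1202654323): status = PASS
Jan 4 21:18:47.212 EST: tty130 AAA/AUTHOR/EXEC (2116885857): Port='tty130' list='' service=EXEC
Jan 4 21:18:47.212 EST: AAA/AUTHOR/TAC+: (2116885857): user=dwolsefer
Jan 4 21:18:47.492 EST: AAA/AUTHOR (2116885857): Post authorization status = PASS_ADD
Jan 4 21:22:12.938 EST: AAA/ACCT: user dwolsefer, acct type 3 (3915005986): Method=tacacs+ (tacacs+)
Jan 4 21:22:13.330 EST: TAC+: (3915005986): received acct response status = SUCCESS
Jan 4 21:30:00.000 EST: AAA/AUTHEN/START (214431325): port='tty131' list='' action=LOGIN service=LOGIN
Jan 4 21:30:02.000 EST: AAA/AUTHEN/CONT (214431325): continue_login (user='guest')
Jan 4 21:30:04.000 EST: AAA/AUTHEN (214431325): password incorrect
Jan 4 21:30:04.000 EST: AAA/AUTHEN (214431325): status = FAIL
Jan 4 21:40:00.000 EST: AAA/AUTHEN (999000111): status = GETUSER
"""


def parse_line(line):
    """Return {sid, phase, status, user} for a line that carries a session ID, else None."""
    m = SID_RE.search(line)
    if not m:
        return None                      # AAA/MEMORY and similar lines carry no session ID
    sid = m.group(1) or m.group(2)
    phase = next((p for token, p in PHASES if token in line), "OTHER")
    st = STATUS_RE.search(line)
    um = USER_RE.search(line)
    user = next((g for g in um.groups() if g), None) if um else None
    if user in ("(undef)", "NULL"):
        user = None                      # placeholder values, not a real username
    return {"sid": sid, "phase": phase, "status": st.group(1) if st else None, "user": user}


def summarize(log_lines):
    """Fold parsed events into one record per session ID."""
    sessions = {}
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = sessions.setdefault(ev["sid"], {"phase": ev["phase"], "user": None,
                                            "statuses": [], "final": None})
        if s["phase"] == "OTHER" and ev["phase"] != "OTHER":
            s["phase"] = ev["phase"]
        if ev["user"]:
            s["user"] = ev["user"]
        if ev["status"]:
            s["statuses"].append(ev["status"])
            s["final"] = ev["status"]
    return sessions


def failed_logins(sessions):
    """(sid, user) for authentication sessions that ended in FAIL or ERROR."""
    return sorted((sid, s["user"]) for sid, s in sessions.items()
                  if s["phase"] == "AUTHEN" and s["final"] in ("FAIL", "ERROR"))


def unfinished_logins(sessions):
    """Authentication sessions still waiting at a prompt: a stuck client or a slow server."""
    return sorted(sid for sid, s in sessions.items()
                  if s["phase"] == "AUTHEN" and s["final"] not in TERMINAL_AUTHEN)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG.splitlines())
    for sid, s in result.items():
        print(sid, s["phase"], s["user"], " -> ".join(s["statuses"]))
    print("failed:", failed_logins(result))
    print("unfinished:", unfinished_logins(result))
```

Feed it `show logging` output or a captured debug session; the free_user and create_user lines have no session ID and are skipped, which is the behaviour you want when correlating a login against its authorization and accounting records.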
RFC, along with the Radius accounting and Radius extensions RFCs, have become the official standards for Radius implementers." [RADIUSrising.pdf]
Operation
Like Tacacs, Radius is also a client-server system in which the router sends authentication requests to a Radius server. Radius is now defined in RFC 2865 (which superseded RFC 2138). One thing to note about Radius is that the early deployment of RADIUS was done using UDP port number 1645, but this conflicts with the "datametrics" service, so the officially assigned port number for RADIUS was changed to UDP port 1812.

Note: Radius accounting is now defined in RFC 2866 (which superseded RFC 2139). The early deployment of RADIUS Accounting was done using UDP port number 1646, which conflicts with the "sa-msg-port" service. The officially assigned port number for RADIUS Accounting is now 1813.

When a RADIUS server authenticates a user, the following events occur:

1. The user is prompted for and enters a username and password.

2. The username and encrypted password are sent over the network to the Radius server.

3. The user receives one of the following responses from the Radius server:
   ACCEPT - The user is authenticated.
   REJECT - The user is not authenticated and is prompted to re-enter the username and password, or access is denied. The Radius server sends this response when the user enters an invalid username/password pairing.
   CHALLENGE - A challenge is issued by the Radius server. The challenge collects additional data from the user.
   CHANGE PASSWORD - The Radius server issues a request asking the user to select a new password.

An ACCEPT or REJECT response can contain additional information for services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections, and PPP, Serial Line Internet Protocol (SLIP), or EXEC services. Radius is commonly used when PPP is used, especially with dial up.

RFC 2865 defines a number of attributes that can be sent between the client and the Radius server. These attributes carry specific details about AAA functions. Table 9 provides details from some of the most common attributes.
Be aware that many vendors define proprietary attributes, and simply saying something runs RADIUS does not guarantee multi-vendor interoperability.

Table 9. Representative RADIUS attributes

Attribute type  Attribute contents
1   User-Name (defines usernames, such as numeric, simple ASCII characters, or a Simple Mail Transfer Protocol [SMTP] address)
2   User-Password (defines the password, which is encrypted using Message Digest 5 [MD5])
3   CHAP-Password (used only in access-request packets)
4   NAS-IP-Address (defines the NAS's IP address; used only in access-request packets)
5   NAS-Port (this is not the User Datagram Protocol (UDP) port number; it indicates the NAS's physical port number, ranging from 0 to 65,535)
6   Service-Type (type of service requested or type of service to be provided). Not supported by Cisco IOS.
7   Framed-Protocol (defines required framing; for example, PPP is defined when this attribute is set to 1 and Serial Line Internet Protocol [SLIP] is set to 2)
8   Framed-IP-Address (defines the IP address to be used by the remote user)
9   Framed-IP-Netmask (defines the subnet mask to be used by the remote user)
10  Framed-Routing
11  Filter-ID
12  Framed-MTU
13  Framed-Compression
19  Callback-ID
26  Vendor-Specific. Cisco (vendor-ID 9) uses one defined option: vendor type 1 named cisco-avpair; this attribute transmits Tacacs A/V pairs
61  NAS-Port-Type
SCHO-TermSRV#debug aaa ?
  accounting      Accounting
  administrative  Administrative
  authentication  Authentication
  authorization   Authorization
  per-user        Per-user attributes
  pod             AAA POD processing
Here is an example that is specific to Radius.
router# debug aaa authentication
12:12:45: AAA/AUTHEN (1202654323): Method=Radius
12:12:45: AAA/AUTHEN (1202654323): status = GETPASS
12:13:50: AAA/AUTHEN/CONT (1202654323): continue_login
12:13:50: AAA/AUTHEN (1202654323): status = GETPASS
12:13:54: AAA/AUTHEN (1202654323): status = PASS
The other major debug command for Radius is the debug radius command. Here is some sample output.
router# debug radius
04:34:52: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xA, len 57
04:34:52:         Attribute 4 6 AC150E5A
04:34:52:         Attribute 5 6 0000000A
04:34:52:         Attribute 1 7 62696C6C
04:34:52:         Attribute 2 18 49C28F6C
04:34:57: Radius: Received from 172.16.1.1:1645, Access-Reject, id 0xA, len 20
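The debug radius output prints each attribute as type, total length and the first four value bytes, which is enough to decode it against Table 9: type 4 with value AC150E5A is NAS-IP-Address 172.21.14.90, type 5 is NAS-Port 10, type 1 is User-Name beginning "bill" (length 7 means a five-character name, so one byte is not shown), and type 2 is the 16-byte hidden User-Password. The following added example (not from the study guide or from Cisco) decodes those debug lines and also builds and parses a complete RFC 2865 packet, including the attribute length checks a server must do before trusting a datagram; the Request Authenticator and the hidden password bytes are constructed placeholders.

```python
"""Decode debug radius attribute lines and parse RFC 2865 packets (added example)."""
import ipaddress
import re
import struct

# Type numbers and names as listed in Table 9.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
              9: "Framed-IP-Netmask", 10: "Framed-Routing", 11: "Filter-ID", 12: "Framed-MTU",
              13: "Framed-Compression", 19: "Callback-ID", 26: "Vendor-Specific",
              61: "NAS-Port-Type"}
TEXT_ATTRS = {1, 11}
ADDR_ATTRS = {4, 8, 9}
INT_ATTRS = {5, 6, 7, 10, 12, 13, 61}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
RADIUS_HEADER_LEN = 20                   # code, id, length, 16-byte authenticator

DEBUG_ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")


def decode_value(atype, raw):
    """Render an attribute value by its RFC 2865 data type; opaque data stays hex."""
    if atype in ADDR_ATTRS and len(raw) == 4:
        return str(ipaddress.IPv4Address(raw))
    if atype in INT_ATTRS and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if atype in TEXT_ATTRS:
        return raw.decode("utf-8", "replace")
    return raw.hex().upper()             # User-Password, VSA payloads and unknown types


def decode_debug_attribute(line):
    """'Attribute 4 6 AC150E5A' -> (4, 'NAS-IP-Address', 6, '172.21.14.90')."""
    m = DEBUG_ATTR_RE.search(line)
    if not m:
        return None
    atype, alen, hexval = int(m.group(1)), int(m.group(2)), m.group(3)
    raw = bytes.fromhex(hexval)          # IOS prints at most the first four value bytes
    return (atype, ATTR_NAMES.get(atype, f"Type-{atype}"), alen, decode_value(atype, raw))


def encode_attribute(atype, value):
    if isinstance(value, int):
        raw = struct.pack("!I", value)
    elif isinstance(value, str) and atype in ADDR_ATTRS:
        raw = ipaddress.IPv4Address(value).packed
    elif isinstance(value, str):
        raw = value.encode("utf-8")
    else:
        raw = bytes(value)
    if len(raw) > 253:
        raise ValueError("attribute value too long for a one-byte length")
    return bytes([atype, len(raw) + 2]) + raw


def build_packet(code, identifier, authenticator, attrs):
    """Header + attributes; length covers the whole packet, as in 'len 57' above."""
    if len(authenticator) != 16:
        raise ValueError("authenticator must be 16 bytes")
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    return struct.pack("!BBH", code, identifier, RADIUS_HEADER_LEN + len(body)) + authenticator + body


def parse_packet(data):
    """Walk the TLVs, refusing any length that runs past the declared packet length."""
    if len(data) < RADIUS_HEADER_LEN:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < RADIUS_HEADER_LEN or length > len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], RADIUS_HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        raw = data[pos + 2:pos + alen]
        attrs.append((atype, ATTR_NAMES.get(atype, f"Type-{atype}"), decode_value(atype, raw)))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:RADIUS_HEADER_LEN], "attributes": attrs}


def parse_or_none(data):
    try:
        return parse_packet(data)
    except ValueError:
        return None


if __name__ == "__main__":
    for line in ("04:34:52: Attribute 4 6 AC150E5A", "04:34:52: Attribute 5 6 0000000A",
                 "04:34:52: Attribute 1 7 62696C6C", "04:34:52: Attribute 2 18 49C28F6C"):
        print(decode_debug_attribute(line))
    auth = bytes(16)                     # constructed placeholder Request Authenticator
    pkt = build_packet(ACCESS_REQUEST, 0xA, auth,
                       [(4, "172.21.14.90"), (5, 10), (1, "bill"), (2, bytes(16))])
    print(parse_packet(pkt))
```

With a four-character User-Name the constructed Access-Request is 56 bytes rather than the 57 in the debug, which is exactly the one byte of the name the debug does not print; the 20-byte Access-Reject that comes back carries no attributes at all.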
Operation
Here is an example that explains the process. In this example, a remote user initiates a Telnet session.
Figure 4. Kerberos flow

Unlike Tacacs and Radius, Kerberos is used only for authentication, not authorization and accounting. Kerberos is quite different from Tacacs and Radius: it is not just a simple client-server model. The way that Kerberos works is to have a trusted Kerberos server, known as the Key Distribution Center (KDC), issue tickets (also known as credentials) to remote users. The term "user" also has a different definition from Tacacs or Radius. With Kerberos, a "user" can be either a person or a device such as a router. The tickets have a limited life span and are stored in a user's credential cache for use in place of the standard username/password combination.

With Kerberos, terminology is very important. A Kerberos "ticket" or "credential" is a general term that refers to authentication tickets, such as ticket-granting tickets (TGTs) and service credentials. Kerberos credentials verify the identity of a user or service. If a network service decides to trust the Kerberos server that issued a ticket, it can be used in place of retyping a username and password. By default, credentials have a life span of eight hours.

A TGT is a specific credential that the KDC issues to authenticated users. When users receive a TGT, they can authenticate to network services within the Kerberos realm represented by the KDC.

A "service credential" is another type of credential for a network service that is issued by the KDC. It includes the user's TGT, and is encrypted with the password shared by the network service and the KDC.

Another important term for Kerberos is the "SRVTAB". An SRVTAB is a password that a network service shares with the KDC. A network service authenticates an encrypted service credential using the SRVTAB (also known as a KEYTAB) to decrypt it.

Kerberos uses an idea called "single logon." The whole idea behind the "single logon" concept is that a user has to authenticate only once. After that successful logon, the user is issued a credential that allows the user to log on with secure authentication wherever that credential is accepted.

Later improvements to Kerberos include timestamps to aid in the prevention of replay attacks. This is the reason that NTP is a requirement for Kerberos on Cisco IOS devices.

Another important term used when discussing Kerberos is the concept of a Kerberos Realm. A Kerberos Realm is a domain that consists of all the users, hosts, and network services that are registered with a KDC. The Kerberos Realm must always be in uppercase characters. A DNS domain can also be mapped to a Kerberos realm. TCP fragmentation must be enabled on the KDC.

Here is a summary of Kerberos features:

Table 10. Kerberos features

Packet Delivery
  Kerberos uses a number of ports, including TCP/UDP ports 88, 543, and 749, and TCP ports 754, 2105, and 4444.
Packet Description
  Supports username/password encryption.
Telnet Support
  Telnet sessions can be encrypted (this is known as Kerberized Telnet).
Although Kerberos is not as common as Radius and Tacacs, Kerberos is still in use. For example, Microsoft Windows 2000 uses Kerberos for internal authentication in Active Directory. For more information about Kerberos, visit MIT's Kerberos site: http://itinfo.mit.edu/product?name=kerberos
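The timestamp requirement mentioned above is worth seeing in code, because it explains two operational facts: why a router whose clock has drifted fails Kerberos authentication, and why a service only has to remember authenticators for as long as the clock-skew window. The following is an added example (not from the study guide, MIT Kerberos, or Cisco) of the checks a Kerberized service performs on an incoming authenticator: reject anything outside the permitted skew (the RFC 4120 KRB_AP_ERR_SKEW error) and reject an exact repeat of client, time and microsecond field seen inside the window (KRB_AP_ERR_REPEAT). The principal names, timestamps and five-minute skew are constructed sample values.

```python
"""Authenticator freshness and replay cache for a Kerberized service (added example)."""

MAX_CLOCK_SKEW = 300                     # seconds; a 5-minute window is the common default
KRB_AP_ERR_SKEW = "KRB_AP_ERR_SKEW"      # RFC 4120 error: clock skew too great
KRB_AP_ERR_REPEAT = "KRB_AP_ERR_REPEAT"  # RFC 4120 error: request is a replay


class ReplayCache:
    """Remember (client, ctime, cusec) triples for as long as they could still be accepted."""

    def __init__(self, max_skew=MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self._seen = {}                  # (client, ctime, cusec) -> expiry time

    def _expire(self, now):
        # An authenticator older than the skew window is rejected by the time
        # check anyway, so entries past ctime + skew can be forgotten.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]

    def check(self, client, ctime, cusec, now):
        """Return 'OK' or the error the service would send back."""
        self._expire(now)
        if abs(now - ctime) > self.max_skew:
            return KRB_AP_ERR_SKEW       # the NTP case: drifted clocks fail here
        key = (client, ctime, cusec)
        if key in self._seen:
            return KRB_AP_ERR_REPEAT     # same authenticator presented again
        self._seen[key] = ctime + self.max_skew
        return "OK"

    def size(self):
        return len(self._seen)


# Constructed sample: (client principal, ctime, cusec, service clock when received).
EVENTS = [
    ("alice@EXAMPLE.REALM", 1000, 1, 1010),   # fresh
    ("alice@EXAMPLE.REALM", 1000, 1, 1020),   # same authenticator replayed 10 s later
    ("alice@EXAMPLE.REALM", 1000, 2, 1020),   # new authenticator, same second
    ("rtr1@EXAMPLE.REALM", 1000, 1, 1600),    # router clock 10 minutes off: no NTP
    ("alice@EXAMPLE.REALM", 1000, 1, 1400),   # window expired; rejected for skew, not as replay
]


def check_authenticators(events, max_skew=MAX_CLOCK_SKEW):
    """Run a list of events through one cache and return the verdicts in order."""
    cache = ReplayCache(max_skew)
    return [cache.check(client, ctime, cusec, now) for client, ctime, cusec, now in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, check_authenticators(EVENTS)):
        print(event, "->", verdict)
```

The last event shows why the cache can be bounded: by the time the first authenticator could be replayed outside the window, the skew check already rejects it, so the cache only ever holds entries from the last few minutes.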
Router# debug aaa authentication
AAA/AUTHEN/START (214431325): Method=KRB5
AAA/AUTHEN (214431325): status = GETUSER
AAA/AUTHEN/CONT (214431325): continue_login
AAA/AUTHEN (214431325): status = GETUSER
AAA/AUTHEN (214431325): Method=KRB5
AAA/AUTHEN (214431325): status = GETPASS
AAA/AUTHEN/CONT (214431325): continue_login
AAA/AUTHEN (214431325): status = GETPASS
AAA/AUTHEN (214431325): Method=KRB5
AAA/AUTHEN (214431325): password incorrect
AAA/AUTHEN (214431325): status = FAIL
Here is an example of debug kerberos in which the login attempt is successful. You can also see the request sent to the KDC and the response from the KDC.
Router# debug kerberos
Kerberos: Requesting TGT with expiration date of 820911631
Kerberos: Sent TGT request to KDC
Kerberos: Received TGT reply from KDC
Kerberos: Received valid credential with endtime of 820911631
Windows
Here is a sample configuration that shows the basics of CiscoSecure ACS for Windows. Naturally, you can get a lot more complicated than this example, so you will have to experiment.
Figure 5. Cisco Secure ACS for Windows

Click on the User Setup ic on the left. Type in the user to add and then click Add/Edit.
Figure 6. User Setup in ACS

Fill in the Supplementary User Info fields.
Figure 7. Supplementary User in ACS

Select CiscoSecure Database for authentication and enter a password. Notice that the available authentication methods include CiscoSecure Database, Windows NT/2000, and RSA SecurID Token Server.
Figure 9. ACS User Group

Click the Submit button to create the user.
Figure 11. Adding AAA Clients

Under AAA Clients, click the Add Entry button.
Figure 12. Adding Client Entries

Enter the device name, IP address, and key. Then click on the Submit+Restart button for the changes to take effect.
Figure 13. Tacacs Accounting Information

Select the Tacacs Administration file with the appropriate date to examine the accounting data.
Unix
Configuration of Cisco Secure ACS for Unix is beyond the scope of this paper. You can find the basics on CCO. Configuration of the Unix Cisco Secure ACS is also very dependent on which Unix version you are running.
Configuring Tacacs
IOS Tacacs Configuration Task List
To configure a router to support Tacacs+, you must perform the following tasks:
tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
Here is a practical example:
accounting method lists.

Note: You can define multiple Tacacs servers by defining each one with the IOS command tacacs-server host server_ip_address. This is often used for redundancy in case the first server becomes unavailable. If the first server does not respond within a timeout period (default 5 seconds), the next server is queried, and so forth. For example, to define three servers use the IOS configuration:
! New York Tacacs Server
tacacs-server host 1.1.1.1
! London Tacacs Server
tacacs-server host 2.2.2.2
! Tokyo Tacacs Server
tacacs-server host 3.3.3.3
tacacs-server key TheBirdIsSinging
Note: One thing to look out for when configuring Tacacs is to make sure to define the Tacacs servers first. Do this because, if you make a mistake configuring the method lists and do not allow local fallback, you can lock yourself out of the router if the Tacacs server is not defined. This will then require a password recovery procedure to fix.

Here is the safe way to configure Tacacs on IOS devices and not lock yourself out.

1. Verify that the router has a route to the Tacacs server(s).
2. Verify that the router is able to ping the Tacacs server(s). Verify that TCP port 49 is open all the way from the router to the Tacacs server(s).
3. Verify that the IP address of the router is configured as an AAA client in the CiscoSecure ACS server, with the correct key.
4. Telnet to the CiscoSecure ACS server on port 49. Remember that you may need extra Ctrl-Shift-6 characters if you are running through multiple forward or reverse telnet sessions. Do not proceed unless you can make a connection. Hit a couple of carriage returns to close the connection.
tacacs-server host 172.16.1.1
tacacs-server key key
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! For termservers, disable authentication for reverse telnet.
!
aaa authentication login 1 none
line 33 64
 login authentication 1
!
! Specify source interface if required.
!
ip tacacs source-interface int
8. Log out of the Telnet session.
9. Telnet back in. The router should now prompt for a username. Test Tacacs authentication by logging back in with a valid Tacacs account.
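The lockout warning above comes down to a few properties of the configuration that can be checked mechanically before it is pasted into the console session: the servers and key are defined, they come before the method lists, every login list that uses tacacs+ has a local fallback, and every list applied to a line actually exists. The following is an added example (not from the study guide or from Cisco) of such a pre-flight audit over IOS configuration text; it is run against the guide's own safe configuration and against a constructed unsafe one with no fallback and the server defined after the method list. The severity labels and the set of accepted fallback methods are this example's own choices.

```python
"""Pre-flight audit of an IOS Tacacs+ AAA configuration for lockout risk (added example)."""
import re

FALLBACK_METHODS = {"local", "local-case", "enable", "line"}   # methods that work with the server down

# The guide's own safe configuration.
SAFE_CONFIG = """\
tacacs-server host 172.16.1.1
tacacs-server key key
aaa new-model
aaa authentication login default group tacacs+ local
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
!
! For termservers, disable authentication for reverse telnet.
!
aaa authentication login 1 none
line 33 64
 login authentication 1
"""

# Constructed unsafe configuration: no fallback, no key, server defined last,
# and a line that references a list that was never defined.
UNSAFE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+
line vty 0 4
 login authentication vty-list
tacacs-server host 172.16.1.1
"""


def audit_aaa_config(config_text):
    """Return a list of (severity, message) findings; an empty HIGH list means safe to apply."""
    lines = [l.strip() for l in config_text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("!")]
    findings = []

    server_idx = [i for i, l in enumerate(lines) if l.startswith("tacacs-server host ")]
    method_idx = [i for i, l in enumerate(lines) if l.startswith("aaa authentication ")]
    key_present = any(l.startswith("tacacs-server key ")
                      or (l.startswith("tacacs-server host ") and " key " in l) for l in lines)

    if "aaa new-model" not in lines:
        findings.append(("HIGH", "aaa new-model is missing: AAA method lists are not in effect"))
    if not server_idx:
        findings.append(("HIGH", "no tacacs-server host defined: define the servers before any method list"))
    elif method_idx and min(method_idx) < min(server_idx):
        findings.append(("MEDIUM", "aaa authentication appears before tacacs-server host: define servers first"))
    if server_idx and not key_present:
        findings.append(("MEDIUM", "no tacacs-server key configured: the ACS server will not accept this client"))

    login_lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)$", l)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    for name, methods in login_lists.items():
        if "tacacs+" in methods and not FALLBACK_METHODS & set(methods):
            findings.append(("HIGH", f"login list '{name}' has no local fallback: a Tacacs outage locks you out"))
        if "none" in methods:
            findings.append(("INFO", f"login list '{name}' uses 'none': apply it only to reverse-telnet lines"))

    for l in lines:
        m = re.match(r"login authentication (\S+)$", l)
        if m and m.group(1) not in login_lists:
            findings.append(("HIGH", f"a line applies undefined login list '{m.group(1)}'"))
    return findings


def highest_severity(findings):
    order = {"HIGH": 3, "MEDIUM": 2, "INFO": 1}
    return max((f[0] for f in findings), key=order.get, default="NONE")


if __name__ == "__main__":
    for label, cfg in (("safe", SAFE_CONFIG), ("unsafe", UNSAFE_CONFIG)):
        print(f"{label}: worst={highest_severity(audit_aaa_config(cfg))}")
        for sev, msg in audit_aaa_config(cfg):
            print(f"  [{sev}] {msg}")
```

Step 6 of the procedure, keeping a second session open on the console, remains the real safety net; the audit only catches the mistakes that are visible in the text before you commit them.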
CatOS
Here is the safe way to configure Tacacs on CatOS switches.

1. Verify that the switch has a route to the Tacacs server.
2. Verify that the switch is able to ping the CiscoSecure ACS server. Verify that TCP port 49 is open between the switch and the Tacacs server.
3. Verify that the IP address of the switch is configured as an AAA client in the CiscoSecure ACS server, with the correct key.
4. Telnet to the CiscoSecure ACS server on port 49. Do not proceed unless you can make a connection.
switch (enable) telnet 172.16.1.1 49
Trying 172.16.1.1...
Connected to 172.16.1.1.
Escape character is '^]'.
5. Back up the current config to a TFTP server.
6. Open 2 simultaneous sessions to the switch: 1 via console and 1 via telnet from the loghost. If you run into any issues, back out the changes via the console session.
7. Enter the following commands on the console session in the same order. Keep the Telnet session open.
set tacacs server 172.16.1.1
set tacacs key key
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set accounting commands enable all stop-only tacacs+
8. Log out of the Telnet session. 9. Telnet back in. The switch should now prompt for a username. Test Tacacs authentication by logging back in with a valid Tacacs account.
PIX OS
This section describes how to implement authentication and authorization for traffic through the PIX Firewall, using a server. These commands are in addition to the required basic firewall configuration; only authentication and authorization are configured here, not accounting. In the example below, the aaa-server command specifies the IP address of the Tacacs authentication server. An aaa authentication command statement specifies that users on network 192.168.10.0 starting FTP, HTTP, and Telnet connections from the inside interface be prompted for their usernames and passwords before being permitted access to the servers on other interfaces, and an aaa authorization command statement lets the users on 192.168.10.0 access FTP, HTTP, or Telnet, and any TCP connections to anywhere, as authorized by the AAA server (the listing below shows only the server definition and the console authentication lines). Even though it appears that the aaa commands let the PIX Firewall set security policy, the authentication server actually does the work, deciding which users are authenticated and what services they can access once authentication succeeds.

aaa-server ciscosecure protocol tacacs+
aaa-server ciscosecure (interface) host 172.16.1.1 key timeout 10
aaa authentication serial console ciscosecure
aaa authentication telnet console ciscosecure
8. Log out of the secondary PIX or the Telnet/SSH session.
9. The PIX should now prompt for a username. Test Tacacs authentication by logging back in with a valid Tacacs account.
10. Disable Telnet or SSH if you enabled it in step 6.
Configuring Radius
There are many Radius servers available, both commercial and freeware. Radius is also available for most platforms including Microsoft Windows 2000 servers and various flavors of UNIX such as Solaris.
You can use the aaa accounting command to enable Radius accounting. Examples are the best way to show the enormous IOS command set that is available for configuring Radius support with AAA. Here is an example config:
aaa new-model
aaa authentication login authRadius group radius local
aaa authentication ppp R-user if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius
radius-server host 192.168.1.1
radius-server key TheBirdIsSinging

The command lines in this Radius authentication and authorization configuration are explained below.
1. aaa new-model enables AAA.
2. The aaa authentication login authRadius group radius local command tells the router to use Radius for authentication at the login prompt with a fallback to the local user database. In this example, authRadius is the name of the method list. The fallback applies only when the Radius servers do not answer (an error, not a reject): if a Radius server returns the REJECT response, the user is denied access and the router will not check its local database.
3. In this example, R-user is the name of the method list defining Radius as the if-needed authentication method in the next line of the configuration: aaa authentication ppp R-user if-needed group radius. This command configures the router to use Radius authentication for lines using PPP with either PAP or CHAP, if the user is not already authenticated. If the user has already been authenticated using the EXEC facility, then Radius authentication will not be performed again.
4. The aaa authorization exec default group radius command sets the Radius information used for EXEC authorization, autocommands, and access lists.
5. The aaa authorization network default group radius command sets Radius for network authorization, address assignment, and access lists.
6. The radius-server host 192.168.1.1 command defines the address of the Radius server that the router (the NAS) sends its requests to.
7. The radius-server key TheBirdIsSinging command defines the shared secret text string that will be used between the router and the Radius server.
Each method list defines the authentication methods used, in sequence, to authenticate a user. Method lists are used to designate one or more security protocols to be used for authentication, including alternatives for authentication in case the initial method fails to respond. This is most commonly used to allow for local authentication in case the Radius server is either unreachable or down.
This process continues until there is successful communication with a listed authentication method or the authentication method list is exhausted, in which case authentication fails.
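To see what the shared secret (TheBirdIsSinging above) actually protects, here is an added Python example, written for this page rather than taken from it, of the two places RFC 2865 uses that secret: hiding the User-Password inside the Access-Request, and signing the server's reply with the Response Authenticator. The toy server, its user database and the fixed Request Authenticator are constructed for the example; a real NAS draws the Request Authenticator from a random source, as access_request does when none is supplied. The last check is the one that matters for a method list such as group radius local: a reply that was not computed with the same secret, whether from a rogue server or a spoofed Access-Accept, is discarded instead of trusted, and the NAS treats the server as not having answered.

```python
import hashlib
import os
import struct
from typing import Dict, Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type(1) Length(1, header included) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with
    MD5(secret + previous ciphertext block); the first block is keyed by the
    Request Authenticator.  Confidentiality rests entirely on the secret."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(secret: bytes, code: int, ident: int, request_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                   request_auth: Optional[bytes] = None) -> bytes:
    """NAS side: what the router sends for 'aaa authentication login ... group radius'."""
    request_auth = request_auth or os.urandom(16)
    attrs = attribute(USER_NAME, username) + attribute(USER_PASSWORD, hide_password(secret, request_auth, password))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_reply(secret: bytes, request: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Toy RADIUS server: unhide the password, decide, sign the reply with the secret."""
    code, ident, length = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    reply_code = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    auth = response_authenticator(secret, reply_code, ident, request_auth, b"")
    return build_packet(reply_code, ident, auth, b"")


def verify_reply(secret: bytes, request: bytes, reply: bytes) -> bool:
    """NAS side: a reply only counts if its Identifier matches the request and
    its Response Authenticator was computed with our shared secret."""
    code, ident, length = HEADER.unpack(reply[:4])
    if ident != request[1] or length > len(reply):
        return False
    expected = response_authenticator(secret, code, ident, request[4:20], reply[20:length])
    return reply[4:20] == expected


if __name__ == "__main__":
    secret = b"TheBirdIsSinging"
    req = access_request(secret, 7, b"alice", b"s3cret")
    print("genuine reply accepted:", verify_reply(secret, req, server_reply(secret, req, {b"alice": b"s3cret"})))
    print("rogue reply accepted:  ", verify_reply(secret, req, server_reply(b"guess", req, {b"alice": b"s3cret"})))
```

Note what this does not give you: the Response Authenticator is an MD5 over the secret, so a short or guessable radius-server key lets an attacker who can see one exchange try candidate secrets offline and then forge accepts of his own.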
CatOS
CatOS commands for configuring AAA are highly dependent on the particular version the switch is running. Assume here that we are using CatOS 7.5.1. To configure basic Radius on CatOS switches, proceed as follows: 1. Make sure there is a back door into the switch in case something goes wrong by issuing the set
else:
access-list user permit ip any server1 255.255.255.255
access-list user permit ip any server2 255.255.255.255
access-list user deny ip any any

In this example, the CiscoSecure configuration would need the vendor-specific attribute string set to acl=user to identify the correct access-list name. The PIX Firewall receives this attribute from CiscoSecure, extracts the string and puts it in the user's uauth entry. When the user then tries to open a connection through the PIX, the PIX checks the access list in the user's uauth entry and permits or denies the connection based on the access-list match. When a connection is denied, the PIX Firewall generates a corresponding Syslog message. As with all access lists on the PIX and IOS, there is an implicit deny at the end. To enable Radius authorization, perform the following steps:
1. Enable Radius authentication with the aaa authentication command.
2. Define the access-list statements that list the services hosts are authorized to use with Radius in the PIX Firewall.
3. Configure the Radius server with the vendor-specific acl=acl_ID identifier to specify the access-list ID.
Here is a practical example:

PIX525(config)# aaa-server RADIUS protocol radius
PIX525(config)# aaa-server AuthOutbound protocol radius
PIX525(config)# aaa-server AuthOutbound (inside) host 192.168.1.1 TheBirdIsSinging timeout 10
PIX525(config)# aaa authentication telnet console RADIUS
PIX525(config)# aaa authentication enable console RADIUS

Note that the RADIUS server group used for console authentication in this listing has no host line of its own; every aaa-server group that a command refers to needs at least one aaa-server ... host entry, or the authentication has nowhere to go.
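The acl=user string reaches the PIX as a Cisco vendor-specific RADIUS attribute (Vendor-Id 9, subtype 1, the cisco-avpair). The following Python example is added here and is not PIX or CiscoSecure code: it pulls the acl name out of the attributes of an Access-Accept, parses access-list lines in the syntax shown above, and makes the per-connection decision the text describes, first match wins and anything left over is denied. The addresses standing in for server1 and server2 are constructed, and the example fails closed when no acl avpair was sent, which is this example's choice rather than documented PIX behaviour.

```python
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple

VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865 section 5.26)
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1       # vendor subtype that carries "cisco-avpair" strings

# Constructed stand-in for the page's access-list, with server1/server2
# replaced by literal addresses (hypothetical; the page uses names).
ACL_TEXT = """\
access-list user permit ip any 10.0.0.11 255.255.255.255
access-list user permit ip any 10.0.0.12 255.255.255.255
access-list user deny ip any any
"""


def vsa(vendor_id: int, subtype: int, text: str) -> bytes:
    """Encode a Vendor-Specific attribute: Type 26, Length, Vendor-Id(4), then
    one vendor sub-attribute (subtype, sub-length, string)."""
    value = text.encode()
    sub = struct.pack("!BB", subtype, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) for each TLV; vendor sub-attributes use the same shape."""
    i = 0
    while i + 2 <= len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        yield atype, data[i + 2:i + alen]
        i += alen


def acl_name_from_accept(attrs: bytes) -> Optional[str]:
    """Return the name from a Cisco 'acl=<name>' avpair, or None when absent.
    VSAs from other vendors, and other Cisco avpairs, are ignored."""
    for atype, value in parse_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        for subtype, sub_value in parse_attributes(value[4:]):
            text = sub_value.decode(errors="replace")
            if subtype == CISCO_AVPAIR and text.startswith("acl="):
                return text[4:]
    return None


def parse_access_lists(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Parse 'access-list <id> permit|deny ip <src> <dst>' lines, where each
    address is 'any' or 'addr mask', into {id: [(action, src, dst), ...]}."""
    acls: Dict[str, List[Tuple[str, str, str]]] = defaultdict(list)
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        rest, specs = tokens[4:], []
        while rest:
            if rest[0] == "any":
                specs.append("any")
                rest = rest[1:]
            elif len(rest) >= 2:
                specs.append(f"{rest[0]}/{rest[1]}")
                rest = rest[2:]
            else:
                raise ValueError(f"bad address spec in: {raw}")
        if len(specs) != 2:
            raise ValueError(f"expected source and destination in: {raw}")
        acls[tokens[1]].append((tokens[2], specs[0], specs[1]))
    return acls


def _matches(spec: str, address: str) -> bool:
    return spec == "any" or ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)


def uauth_permits(acls: Dict[str, List[Tuple[str, str, str]]], acl_name: Optional[str], src: str, dst: str) -> bool:
    """The check the PIX makes against the uauth entry: first matching line
    wins; no match, and (in this example) no acl or an unknown acl name, is a deny."""
    if acl_name is None:
        return False
    for action, src_spec, dst_spec in acls.get(acl_name, []):
        if _matches(src_spec, src) and _matches(dst_spec, dst):
            return action == "permit"
    return False


if __name__ == "__main__":
    acls = parse_access_lists(ACL_TEXT)
    name = acl_name_from_accept(vsa(CISCO_VENDOR_ID, CISCO_AVPAIR, "acl=user"))
    for dst in ("10.0.0.11", "10.0.0.99"):
        print(f"uauth acl={name}: 192.168.10.5 -> {dst}:", uauth_permits(acls, name, "192.168.10.5", dst))
```

The vendor check is not cosmetic: attribute 26 is shared by every vendor, and a server that sends another vendor's subtype 1 string must not be read as a Cisco acl name.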
Configuring Kerberos
IOS
To configure Kerberos support on a Cisco router, you need to complete the following tasks:
1. Define the realm for the router. The first command sets the router's local realm, the second names the KDC for that realm, and the third maps the DNS domain .mit.edu to the realm. Here is the syntax:

kerberos local-realm MIT.EDU
kerberos server MIT.EDU 192.168.1.1
kerberos realm .mit.edu MIT.EDU
CatOS
Before you can configure Kerberos on a CatOS switch, you need to configure the Kerberos server: create a database for the KDC and add the switch to it. Note: Cisco recommends that you enable DNS, and you must enable NTP, to configure Kerberos. (Notice also that realm names are case-sensitive and are written in capitals by convention, e.g. MIT.EDU.)
1. To configure the Kerberos server, you need to create the database that the KDC will use. Here is an example for a database called mit.edu.
2. Add the host principal for the switch:

ank host/[email protected]

3. Now add the username:

ank [email protected]

4. Next, add the administrative principals:

ank user1/[email protected]

5. Create the keytab entry for the switch, using the kadmin.local ktadd command.

ktadd host/[email protected]

6. Move the keytab file to a place where the switch can reach it.
7. Start the KDC server:

/usr/local/sbin/krb5kdc
/usr/local/sbin/kadmind
Now that we have the KDC server running, we can configure Kerberos on the switch. For more information on the Kerberos protocol and server, see http://web.mit.edu/kerberos/www/. To configure Kerberos on the switch, do the following:
1. Specify Kerberos as the authentication method using the set authentication login kerberos enable [all | console | http | telnet] [primary] command.
2. Verify with the show authentication command. Here is an example:

switch> (enable) show authentication
Login Authentication:   Console Session   Telnet Session
---------------------   ---------------   ---------------
Enable Authentication:  Console Session   Telnet Session
----------------------  ---------------   ---------------
tacacs                  disabled          disabled
radius                  disabled          disabled
kerberos                disabled          enabled(primary)
local                   enabled(primary)  enabled
3. Define the Kerberos local realm with the set kerberos local-realm kerberos_realm command.
4. Verify with the show kerberos command. Here is an example:

switch> (enable) set kerberos local-realm MIT.EDU
Kerberos local realm for this switch set to MIT.EDU.
switch> (enable) show kerberos
Kerberos Local Realm:MIT.EDU
Kerberos server entries:
  Realm:MIT.EDU, Server:192.168.1.1, Port:88
Kerberos Domain<->Realm entries:
  Domain:mit.edu, Realm:MIT.EDU
Kerberos Clients NOT Mandatory
Kerberos Credentials Forwarding Enabled
Kerberos Pre Authentication Method set to None
Kerberos config key:
Kerberos SRVTAB Entries
  Srvtab Entry 1:host/[email protected] 0 932423923 1 1 8 01;;8>00>50;0=0=0
switch> (enable)

Note the line "Kerberos Pre Authentication Method set to None" in this output. Without pre-authentication, a KDC hands out an AS-REP encrypted under the user's password-derived key to anyone who asks for that principal, which allows offline password guessing; for a production realm, require pre-authentication on the KDC and configure the switch to use it.
5. Next, specify the Kerberos server to use (and optionally the port number) by issuing the set
PIX OS
The PIX Firewall does not support Kerberos. The PIX uses only Tacacs and Radius for AAA.
Conclusion
AAA is an important topic to master, both from a practical real-world sense and from a CCIE (especially CCIE Security) perspective. Simply put, I do not know of any service providers that are not using some sort of AAA, and many enterprises use it as well. This becomes especially important when you have an environment with a large number of devices: it is just too difficult to manually keep up with users and passwords if you have more than a few devices. Also, an accounting audit trail can be very helpful both for troubleshooting and for making sure that engineers are following proper change procedures. For the CCIE lab, it is important to remember that anything in IOS is fair game for the Routing and Switching lab. For the Security lab, this is true of other equipment as well. You really need to understand the syntax of method lists and how to troubleshoot and debug AAA, because if you get a question about AAA during the lab exam, these should be easy points for you. You don't want to find yourself with no experience or knowledge of AAA as you frantically search the documentation CD. My recommendation is that you practice with both Radius and Tacacs until you are comfortable enough with them that you can configure AAA quickly without any errors. You must be proficient at it and pay attention to detail in how you implement it so you don't lock yourself out of a router. You don't need to waste time doing a password recovery because you don't know how to configure Tacacs safely.
[IE-AAA-WP1-F02] [2004-02-18-02]