Feedback
Table Of Contents
Enabling Management Protocols: NTP, SNMP, and Syslog
Task 1. Enabling the Network Time Protocol
Task 4. Disabling the Logging of Access Interfaces
Task 5. Confirming the Final Running Configuration
Local and Remote Server Authentication
RADIUS Configuration Task List
Configuring Gateway to RADIUS Server Communication
Configuring Gateway to Use Vendor-Specific RADIUS Attributes
Configuring Gateway for Vendor-Proprietary RADIUS Server Communication
Configuring Gateway to Query RADIUS Server for Static Routes and IP Addresses
Configuring Gateway to Expand Network Cisco AS5850 Port Information
Specifying RADIUS Authentication
Specifying RADIUS Authorization
RADIUS Cisco IOS Software Support
Securing Access to Privileged EXEC and Configuration Mode
Communicating Between the Access and Security Servers
Configuring Authentication on a TACACS+ Server
Defining Authentication Method Lists
Authentication Method List Examples
Applying Authentication Method Lists to Lines and Interfaces
Configuring Authorization on the Security Server
Configuring Authorization (Network or EXEC)
Specifying an Authorization Method
Specifying Authorization Parameters on a TACACS+ Server
Administration
This chapter describes network administrative tasks using management software and protocols, and network-gateway security and control functionality with AAA and Remote Authentication Dial-In User Service (RADIUS) servers.
Note
For details on implementing and operating a dial network management system (NMS), and on management functionality for a Dial Internet Access Service (DIAS), refer to the Basic Dial NMS Implementation Guide case study, available online at http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/as5850/index.htm
Network Management Software
The Cisco Universal Gateway Manager (CiscoUGM) can configure and manage the Cisco AS5850 fault, performance, and security functions. CiscoUGM is a UNIX-based solution that can be run from a Cisco Element Management Framework (EMF) server. CiscoUGM provides the following administrative management tasks:
•
•
•
•
Remote Monitoring
Remote monitoring (RMON) is an Internet Engineering Task Force (IETF) monitoring standard (RFC 1757) by which console systems and network monitors exchange statistical and functional data through RMON-compliant console managers and network probes. RMON data includes fault diagnostics, planning, and performance information.
RMON delivers information in nine unique RMON monitoring-element groups. Although some groups depend on others for support, each is optional so it is not necessary for vendors to support all groups within a management information base (MIB). See Table 3-1 for RMON group functions.
Enabling Management Protocols: NTP, SNMP, and Syslog
This section describes how to enable basic management protocols on a Cisco AS5850 as part of a dial-access service. It does not describe how to integrate Cisco IOS software with Microsoft Windows NT or UNIX servers. It describes management protocols only from the perspective of the Cisco IOS software.
Network Management Basics
Figure 3-1 shows how management protocols interact between Cisco IOS software (client) and a network-element-management server. Dashed lines represent different protocols and functions. In the figure, the following occurs:
•
•
•
Figure 3-1 NTP, SNMP, and Syslog Interactions
Table 3-2 provides the RFCs and websites for the management protocols described in this section.
Table 3-2 Management Protocol RFCs
NTP
1305
http://www.ietf.org/rfc/rfc1305.txt
SNMP
1157
http://www.ietf.org/rfc/rfc1157.txt
Note
Task 1. Enabling the Network Time Protocol
The Network Time Protocol (NTP) provides a common time base for networked routers, servers, and other devices. A synchronized time enables you to correlate syslog and Cisco IOS debug output to specific events. For example, you can find call records for specific users within one millisecond.
Comparing logs from various networks is essential for troubleshooting, fault analysis, and tracking of security incidents. Without precise time synchronization between all the various logging, management, and AAA functions, time comparisons are not possible.
An NTP-enabled network usually gets its time from an authoritative time source, such as a Cisco router, radio clock, or atomic clock attached to a timeserver. NTP then distributes this time across the network. NTP is extremely efficient; no more than one packet per minute is necessary to synchronize two machines to within a millisecond of each another. NTP runs over UDP, which in turn runs over IP.
Note
To enable NTP, perform the following steps.
Step 1
Step 2
AS5850# ntp update-calendarAS5850# ntp server 172.22.66.18 preferStep 3
AS5850# show ntp statusClock is synchronized, stratum 5, reference is 172.22.66.18nominal freq is 250.0000 Hz, actual freq is 250.0000 Hz, precision is 2**24reference time is BB944312.4451C9E7 (23:11:30.266 PDT Wed Sep 22 1999)clock offset is 0.5343 msec, root delay is 13.26 msecroot dispersion is 18.02 msec, peer dispersion is 0.09 msecAS5850#The following command identifies how often the network gateway is polling and updating to the stratum clock. An asterisk (*) next to the NTP servers IP address indicates successful synchronization with the stratum clock.
AS5850# show ntp associationaddress ref clock st when poll reach delay offset disp*~172.22.66.18 172.60.8.1 16 46 64 377 1.0 0.53 0.1* master (synced), # master (unsynced), + selected, - candidate, ~ configuredAS5850#
Task 2. Enabling Syslog
Cisco IOS software can send syslog messages to one or more element manager servers. Syslog messages are then collected by a standard UNIX-type or Windows NT-type syslog daemon.
Syslog enables you to do the following:
•
•
•
Figure 3-2 shows the Cisco IOS software sending syslog data to an element manager. Syslog data either stays in the Cisco IOS software buffer or is pushed out and written to the hard disk on the element manager.
Figure 3-2 Syslog Messages Written to Hard Disk
Note
Step 1
AS5850# service timestamps debug datetime msec localtime show-timezoneAS5850# service timestamps log datetime msec localtime show-timezoneStep 2
AS5850# show loggingSyslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)Console logging: level debugging, 1523 messages loggedMonitor logging: level debugging, 0 messages loggedBuffer logging: level debugging, 911 messages loggedTrap logging: level informational, 44 message lines loggedAS5850(config)# no logging consoleAS5850(config)# ^ZAS5850# show loggingSyslog logging: enabled (0 messages dropped, 1 flushes, 0 overruns)Console logging: disabledMonitor logging: level debugging, 0 messages loggedBuffer logging: level debugging, 912 messages loggedTrap logging: level informational, 45 message lines logged
Caution
Step 3
AS5850# logging 172.22.66.18AS5850# logging buffered 10000 debuggingAS5850# logging trap debuggingThe commands in this example are as follows.
If you are working with multiple network gateways, assign a different logging facility tag to each server. Syslog information can be collected and sorted into different files on the syslog server. For example, assign local1 to network-gateway 1, local2 to network-gateway 2, and local3 to network-gateway 3. Assigning a different tag to each device enables you to intelligently sort and view syslog messages.
AS5850# logging facility local7Step 4
AS5850# show loggingSyslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)Console logging: disabledMonitor logging: level debugging, 0 messages loggedBuffer logging: level debugging, 2 messages loggedTrap logging: level debugging, 53 message lines loggedLogging to 172.22.66.18, 2 message lines loggedLog Buffer (10000 bytes):Sep 26 16:32:02.848 PDT: %SYS-5-CONFIG_I: Configured from console by admin on consoleSep 26 16:33:16.069 PDT: %SYS-5-CONFIG_I: Configured from console by admin on consoleAS5850#
Task 3. Enabling SNMP
The SNMP traps generated by Cisco gateways provide information on potentially harmful environmental conditions, processor status, port status, and security issues. Cisco IOS software generates SNMP traps based on the features that the Cisco IOS software supports.
Figure 3-3 shows the interactions and timing of the SNMP protocol between the EM (SNMP manager) and the network gateway (SNMP agent). Traps are unsolicited messages sent from the gateway to the EM. The four functions of SNMP include Get request, Get next, Set request, and Trap.
Figure 3-3 SNMP Event Interaction and Timing
Note
Step 1
•
•
AS5850(config)# snmp-server contact admin user@the.docAS5850(config)# snmp-server location AS5850-corporateAS5850(config)# snmp-server community poptarts RO 8AS5850(config)# snmp-server community pixysticks RW 5AS5850(config)# snmp-server host 172.22.66.18 maddogAS5850(config)# snmp-server trap-source Loopback0AS5850(config)# snmp-server enable traps snmpAS5850(config)# access-list 5 permit 172.22.67.1AS5850(config)# access-list 5 permit 0.0.0.1 172.22.68.20AS5850(config)# access-list 8 permit 172.22.67.1AS5850(config)# access-list 8 permit 0.0.0.1 172.22.68.20The commands in this example are as follows.
Caution
Step 2
Note
AS5850# show snmpChassis: 11811596Contact: admin user@the.docLocation: AS5850-corporate0 SNMP packets input0 Bad SNMP version errors0 Unknown community name0 Illegal operation for community name supplied0 Encoding errors0 Number of requested variables0 Number of altered variables0 Get-request PDUs0 Get-next PDUs0 Set-request PDUs0 SNMP packets output0 Too big errors (Maximum packet size 1500)0 No such name errors0 Bad values errors0 General errors0 Response PDUs0 Trap PDUsSNMP logging: enabledLogging to 172.22.66.18.162, 0/10, 0 sent, 0 dropped.AS5850#
Task 4. Disabling the Logging of Access Interfaces
Limit the amount of output logged from the group-async interface and ISDN D channels. Carefully choose the data sources for system management purposes. AAA accounting and the modem-call record terse feature provide the best data set for analyzing ISDN remote-node device activity.
Note
The following configuration fragment disables logging on access interfaces:
! for E1interface Serial 0/0:23no logging event link-statusno snmp trap link-status! for T3interface Serial 1/0:1:23no logging event link-statusno snmp trap link-status!interface Group-Async 1no logging event link-statusno snmp trap link-status!Task 5. Confirming the Final Running Configuration
The following is an example of the Cisco AS5850 running configuration with Cisco IOS Release 12.0(4) XL1 installed.
AS5850# show running-configBuilding configuration...Current configuration:!version 12.0service timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryption!hostname AS5850!logging buffered 10000 debuggingno logging consoleaaa new-modelaaa authentication login default localaaa authentication ppp default if-needed localenable secret 5 $1$LKgL$tgi19XvWn7fld7JGt55p01!username user password 7 045802150C2Eusername admin password 7 044E1F050024!!resource-pool disable!modem-pool Defaultpool-range 2/0-10/143!!spe 2/0 10/11firmware ios-bundled defaultmodem recovery action noneip subnet-zerono ip source-routeip host guessme 172.22.100.9ip domain-name the.netip name-server 172.22.11.10ip name-server 172.22.12.11!async-bootp dns-server 172.30.10.1 172.30.10.2isdn switch-type primary-niisdn voice-call-failure 0!!controller T3 0/0framing m23cablelength 0t1 4 controller!!voice-port 0/0:4:D!!process-max-time 200!interface Loopback0ip address 172.22.99.1 255.255.255.255no ip directed-broadcast!interface Loopback1ip address 172.22.90.1 255.255.255.0no ip directed-broadcast!interface FastEthernet1/0ip address 172.22.66.23 255.255.255.0no ip directed-broadcast!interface Serial0/0:4:23no ip addressno ip directed-broadcastno snmp trap link-statusisdn switch-type primary-niisdn incoming-voice modemno cdp enable!interface Group-Async0ip unnumbered FastEthernet1/0no ip directed-broadcastencapsulation pppasync mode interactiveno snmp trap link-statuspeer default ip address pool addr-poolno cdp enableppp authentication chap papgroup-range 2/00 10/143!ip local pool addr-pool 172.22.90.2 172.22.90.254ip classlessip route 0.0.0.0 0.0.0.0 172.22.66.1no ip http server!logging trap debugginglogging 172.22.66.18access-list 5 permit 172.22.67.1access-list 5 permit 0.0.0.1 172.22.68.20access-list 8 permit 172.22.67.1access-list 8 permit 0.0.0.1 172.22.68.20snmp-server engineID local 00000009020000D0D3424C1Csnmp-server community poptarts RO 8snmp-server community pixysticks RW 5snmp-server community maddog view v1default ROsnmp-server trap-source Loopback0snmp-server location AS5850-Austinsnmp-server contact admin dude@the.netsnmp-server enable traps snmpsnmp-server enable traps isdn call-informationsnmp-server enable traps configsnmp-server enable traps entitysnmp-server enable traps envmonsnmp-server enable traps syslogsnmp-server enable traps rsvpsnmp-server enable traps frame-relaysnmp-server enable traps rtrsnmp-server enable traps dialsnmp-server enable traps dsp card-statussnmp-server enable traps bgpsnmp-server enable traps voice poor-qovsnmp-server host 172.22.66.18 maddog!banner login ^CThis is a secured device.Unauthorized use is prohibited by law.^C!line con 0transport input noneline aux 0transport input telnetline vty 0 4line 2/00 10/143autoselect during-loginautoselect pppmodem InOutno modem log rs232!ntp update-calendarntp server 172.22.66.18 preferendAccess Service Security
The Cisco AS5850 is designed to support a security paradigm providing authentication, authorization, and accounting (AAA) security measures using RADIUS and TACACS+.
•
•
•
This section describes how to configure security using a local database resident on your Cisco AS5850 or using a remote security database for Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and RADIUS. Refer to the "Local and Remote Server Authentication" section for local and remote authentication definitions.
Note
Local and Remote Server Authentication
This section describes the differences between local and remote security databases and the basic authentication process for each. Remote security databases described in this section include Terminal Access Controller Access Control System with Cisco proprietary enhancements (TACACS+) and RADIUS.
Generally the size of the network and type of corporate security policies and control determine whether you use a local or remote security database.
Local Security Database
If you have one or more centralized gateways providing access to your network, storing username and password security information on one of these servers (Cisco AS5850) for access to other nodes on the network is referred to as local authentication.
Remote Security Database
As your network expands, you need a centralized security database that provides username and password information to each gateway in the network. This centralized security database resides in a security server.
A centralized security database helps establish consistent remote-access policies throughout a corporation. An example of a remote security database server is the CiscoSecure product from Cisco Systems. CiscoSecure is a UNIX security daemon, with which you create a database that defines network users and their privileges. CiscoSecure uses a central database that stores user and group profiles with authentication and authorization information.
The Cisco AS5850 exchanges user-authentication information with a TACACS+ or RADIUS database on the security server by transmitting encrypted TACACS+ or RADIUS packets across the network.
Note
Configuring RADIUS
This section describes the Remote Authentication Dial-In User Service (RADIUS) security system, defines its operation, and identifies appropriate and inappropriate network environments for using RADIUS technology. The "RADIUS Configuration Task List" section describes how to configure RADIUS with the authentication, authorization, and accounting (AAA) command set. The "RADIUS Configuration Examples" section offers two possible implementation scenarios.
Note
RADIUS Overview
RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server. The server contains all user-authentication and network-service access information.
RADIUS is a fully open protocol, distributed in source-code format, that can be modified to work with any security system currently available on the market.
Cisco supports RADIUS under its AAA security paradigm. RADIUS can be used with other AAA security protocols, such as TACACS+, Kerberos, or local username lookup. RADIUS is supported on all Cisco platforms.
RADIUS has been implemented in a variety of network environments that require high levels of security while maintaining network access for remote users. Use RADIUS in the following network environments that require access security:
•
•
•
•
•
•
RADIUS is not suitable in the following network security situations:
•
–
–
–
–
•
•
RADIUS Operation
When a user attempts to log in and authenticate to a Cisco AS5850 using RADIUS, the following events occur:
1.
2.
3.
–
–
–
–
The ACCEPT or REJECT response is bundled with the following additional data needed for EXEC or network authorization:
•
•
RADIUS Configuration Task List
To configure RADIUS on your Cisco AS5850, use the following commands in global configuration mode (AS5850(config)# prompt).
aaa new-model
Enables AAA. AAA must be configured if you plan to use RADIUS.
aaa authentication
Define method lists for RADIUS authentication. For more information, see the "Specifying RADIUS Authentication" section.
line
and
interfaceEnable the defined method lists to be used. For more information, see the "Specifying RADIUS Authentication" section.
aaa authorization
Optional. Authorizes specific user functions. For more information, see the "Specifying RADIUS Authorization" section.
aaa accounting
Enables accounting for RADIUS connections. Use is optional. For more information, see the "Specifying RADIUS Accounting" section.
Configuring Gateway to RADIUS Server Communication
The RADIUS host is normally a multiuser system running RADIUS server software from Livingston, Merit, Microsoft, or another software provider. A RADIUS server and a Cisco gateway use a shared secret text string to encrypt passwords and exchange responses.
To configure RADIUS to use the AAA security commands, you must specify the host running the RADIUS server daemon and a secret text string that it shares with the gateway. Use the radius-server commands in global configuration mode (AS5850(config)# prompt) as follows.
Configuring Gateway to Use Vendor-Specific RADIUS Attributes
The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific information between the network Cisco AS5850 and the RADIUS server by using a vendor-specific attribute (Attribute 26). Vendor-specific attributes (VSAs) allow vendors to support their own extended attributes not suitable for general use.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option has vendor type 1, named "cisco-avpair." Other vendors have their own vendor IDs, options, and associated VSAs. The value is a string of the following format:
protocol : attribute {= | *} value
•
•
•
This allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes the Cisco multiple named ip address pools feature to be activated during IP authorization (during PPP's IPCP address assignment):
cisco-avpair= "ip:addr-pool=first"The following example causes a NAS-prompt user to have immediate access to EXEC commands:
cisco-avpair= "shell:priv-lvl=15"To configure the gateway to recognize and use VSAs, use the following radius-server command in global configuration mode (AS5850(config)# prompt).
radius-server vsa send
[accounting | authentication]Enables the network Cisco AS5850 to recognize and use VSAs as defined by RADIUS IETF attribute 26.
Note
Configuring Gateway for Vendor-Proprietary RADIUS Server Communication
Although the IETF draft standard for RADIUS specifies a method for communicating vendor-specific information between the network Cisco AS5850 and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
To configure RADIUS (whether IETF draft-compliant or vendor-proprietary), you must specify the host running the RADIUS server daemon and the secret text string that it shares with the Cisco device. You must also identify whether the RADIUS server is using a vendor-proprietary implementation of RADIUS; vendor-proprietary attributes are not supported unless you do so.
To specify a vendor-proprietary RADIUS server host and a shared secret text string, use the following radius-server commands in global configuration mode (AS5850(config)# prompt).
Configuring Gateway to Query RADIUS Server for Static Routes and IP Addresses
Some vendor-proprietary implementations of RADIUS let you define static routes and IP pool definitions on the RADIUS server, instead of on each individual network with a Cisco AS5850. Each network queries the RADIUS server for static route and IP pool information.
To have the Cisco AS5850 query the RADIUS server for static routes and IP pool definitions when the device first starts up, use the following radius-server command in global configuration mode.
Configuring Gateway to Expand Network Cisco AS5850 Port Information
In some situations, PPP or login authentication occurs on an interface different from the one on which the call itself comes in. For example, in a V.120 ISDN call, login or PPP authentication occurs on a virtual asynchronous interface ttt, but the call itself occurs on one of the channels of the ISDN interface.
You can configure RADIUS to expand the size of the NAS-port attribute (RADIUS IETF Attribute 5) field to 32 bits. The upper 16 bits of the NAS-port attribute display the type and number of the controlling interface; the lower 16 bits indicate the interface undergoing authentication.
To display expanded interface information in the NAS-port attribute field, use the following radius-server command in global configuration mode (AS5850(config)# prompt).
On platforms with multiple interfaces (ports) per slot, the Cisco RADIUS implementation does not provide a unique NAS-port attribute to distinguish between the interfaces. For example, if a dual PRI interface is in slot 1, calls on both Serial1/0:1 and Serial1/1:1 appear as NAS-port = 20101. This is due to the 16-bit field-size limitation associated with the RADIUS IETF NAS-port attribute. In this case, replace the NAS-port attribute with a vendor-specific attribute (RADIUS IETF Attribute 26). The Cisco vendor ID is 9, and the Cisco-NAS-port attribute is subtype 2.
To turn on VSAs and to display extended field information, use the following commands in global configuration mode (AS5850(config)# prompt).
The standard NAS-port attribute (RADIUS IETF Attribute 5) continues to be sent. If you do not want it to be sent, suppress it by using the no radius-server attribute nas-port command.
Specifying RADIUS Authentication
After you identify the RADIUS server and define the RADIUS authentication key, you need to define method lists for RADIUS authentication. Because RADIUS authentication is facilitated through AAA, you need to enter the aaa authentication command and specify RADIUS as the authentication method.
Note
Specifying RADIUS Authorization
AAA authorization lets you set parameters that restrict user access to the network. Authorization using RADIUS provides one method for remote access control, including one-time authorization or authorization for each service; per-user account list and profile; user group support; and support of IP, IPX, ARA, and Telnet. Because RADIUS authorization is facilitated through AAA, you need to issue the aaa authorization command, specifying RADIUS as the authorization method.
Specifying RADIUS Accounting
The AAA accounting feature enables you to track services that users access and the amount of network resources that they consume. Because RADIUS accounting is facilitated through AAA, you need to issue the aaa accounting command, specifying RADIUS as the accounting method.
RADIUS Attributes
The network Cisco AS5850 monitors the RADIUS authorization and accounting functions defined by RADIUS attributes in each user profile.
The IETF draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network Cisco AS5850 and the RADIUS server. Some vendors, nevertheless, have extended the RADIUS attribute set in a unique way. Cisco IOS software supports a subset of vendor-proprietary RADIUS attributes.
RADIUS Configuration Examples
RADIUS configuration examples in this section include the following:
•
•
•
RADIUS Authentication and Authorization Example
The following configuration fragment example shows a gateway configuration to authenticate and authorize using RADIUS:
aaa authentication login use-radius radius localaaa authentication ppp user-radius if-needed radiusaaa authorization exec radiusaaa authorization network radiusThe commands in this example are as follows.
aaa authentication login user-radius radius local
Configures the gateway to use RADIUS for authentication at the login prompt. If RADIUS returns an error, the user is authenticated using the local database. In this example, user-radius is the name of the method list that specifies RADIUS and then local authentication.
aaa authentication ppp user-radius if-needed radius
Configures the Cisco IOS software to use RADIUS authentication for lines using Point-to-Point Protocol (PPP) with CHAP1 or PAP2 if the user is not already authorized. If the EXEC facility has authenticated the user, RADIUS authentication is not performed. In this example, user-radius is the name of the method list defining RADIUS as the if-needed authentication method.
aaa authorization exec radius
Sets the RADIUS information that is used for EXEC authorization, autocommands, and access lists.
aaa authorization network radius
Sets RADIUS for network authorization, address assignment, and access lists.
1 Challenge-Handshake Authentication Protocol
2 Password Authentication Protocol
RADIUS Authentication, Authorization, and Accounting Example
The following example is a general configuration using RADIUS with the AAA command set:
radius-server host 123.45.1.2radius-server key myRaDiUSpassWoRdusername root password ALongPasswordaaa authentication ppp dialins radius localaaa authorization network radius localaaa accounting network start-stop radiusaaa authentication login admins localaaa authorization exec localline 1 16autoselect pppautoselect during-loginlogin authentication adminsmodem ri-is-cdinterface group-async 1encaps pppppp authentication pap dialinsThe commands in this example are as follows.
Vendor-Proprietary RADIUS Configuration Example
The following sample is a general configuration using vendor-proprietary RADIUS with the AAA command set:
radius-server host alcatraz non-standardradius-server key myRaDiUSpassWoRdradius-server configure-nasusername root password ALongPasswordaaa authentication ppp dialins radius localaaa authorization network radius localaaa accounting network start-stop radiusaaa authentication login admins localaaa authorization exec localline 1 16autoselect pppautoselect during-loginlogin authentication adminsmodem ri-is-cdinterface group-async 1encaps pppppp authentication pap dialinsThe commands in this example are as follows.
RADIUS Cisco IOS Software Support
The following Cisco IOS software support is available for RADIUS:
•
•
•
Configuring TACACS+
To configure basic security, use the following commands in global configuration mode (AS5850(config)# prompt).
TACACS+ Authentication
Use the AAA facility to authenticate users with either a local or remote security database. For more information about a local and remote security database, see the "Local and Remote Server Authentication" section.
Whether you maintain a local or remote security database, or use TACACS+ or RADIUS authentication and authorization, the process of configuring the Cisco AS5850 for these different databases and protocols is similar. The basic process of configuring the Cisco IOS software for authentication requires the following tasks:
•
•
•
–
–
–
–
•
Securing Access to Privileged EXEC and Configuration Mode
The first step is to secure access to enable (privileged EXEC) mode. Enable mode provides access to configuration mode, which enables any type of configuration change to the Cisco AS5850.
To secure privileged EXEC mode access, use one of the following commands.
The enable-secret password takes precedence over the enable password. The same password cannot be used for both commands. You can view the encrypted version of the enable secret password using the show running-config or show startup-config commands. The encrypted version of the password is noted with * in the following example.
AS5850# show running-config...hostname AS5850enable secret 5 $1$60L4$X2JYOwoDc0.kqa1lo0/w8/*...
Note
Caution
To provide an encrypted password, use the following commands. Begin in global configuration mode (AS5850(config)# prompt).
You can specify additional protection for privileged EXEC mode, including the following:
•
•
•
•
Note
Communicating Between the Access and Security Servers
This section describes the Cisco IOS software commands that enable the Cisco AS5850 to communicate with a security server. This procedure is similar for communicating with TACACS+ and RADIUS servers.
If you are using a remote security server for authentication and authorization, you must configure the security server before performing the tasks described in this section. The "TACACS+ Security Examples" section shows some typical TACACS+ and RADIUS server entries corresponding to the Cisco AS5850 security configurations.
Communicating with a TACACS+ Server
To enable communication between the TACACS+ security (database) server and the Cisco AS5850, use the following commands in global configuration mode (AS5850(config)# prompt).
For example, to enable the remote TACACS+ server to communicate with the Cisco AS5850, enter the commands as follows:
AS5850# configure terminalAS5850(config)# tacacs-server host alcatrazAS5850(config)# tacacs-server key abra2cadThe host name of the TACACS+ server in the previous example is alcatraz. The key in the previous example (abra2cad) is the encryption key shared between the TACACS+ server and the Cisco AS5850. Substitute your own TACACS+ server host name and password for those shown.
Note
Configuring Authentication on a TACACS+ Server
On most TACACS+ security servers, there are three ways to authenticate a user for login:
•
The following is the configuration for global authentication:
user = birdman {global = cleartext "birdman global password"}
To assign different passwords for CHAP and a normal login, you must enter a string for each user. Each string must specify the security protocols, state whether the password is cleartext, and specify if the authentication is performed with a DES card. The following example shows a user aaaa, who has authentication configured for CHAP and login. The user's CHAP password, "chap password," is shown in cleartext, and the login password is encrypted.
user = aaaachap = cleartext "chap password"login = des XQj4892fjk}•
The default authentication is to deny authentication. Instead, you can specify, at the top level of the configuration file, that the default password(5) file be used by entering the following command:
default authentication = /etc/passwd•
user= bbbb {login = skey}On the Cisco AS5850, configure authentication on all lines, including the VTY and console lines, by entering the following commands:
AS5850# configure terminalAS5850(config)# aaa new-modelAS5850(config)# aaa authentication login default tacacs+ enable
Caution
Enabling AAA Globally
To use the AAA security facility in the Cisco IOS software, enter the aaa new-model command from global configuration mode.
AS5850# configure terminalAS5850(config)# aaa new-modelWhen you do so, all lines on the Cisco AS5850 receive the implicit login authentication default method list, and all interfaces with PPP enabled have an implicit ppp authentication pap default method list applied.
Caution
Note
Defining Authentication Method Lists
After you enable AAA globally on the Cisco AS5850, you need to define authentication method lists, which you then apply to lines and interfaces. These authentication method lists are security profiles that indicate the protocol (PPP) or login and authentication method (TACACS+, RADIUS, or local authentication).
To define an authentication method list, do the following. Each step is described in detail on the following pages.
Step 1
Step 2
Step 3
Step 4
Step 5
After defining these authentication method lists, apply them to your interfaces (synchronous or asynchronous) configured for PPP. Refer to the "Applying Authentication Method Lists to Lines and Interfaces" section for information about applying these lists.
Issuing the aaa authentication Command
Begin by entering the aaa authentication command in global configuration mode (AS5850(config)# prompt).
AS5850(config)# aaa authenticationSpecifying Protocol or Login Authentication
You must specify one of the following dial-in protocols as applicable for your network:
•
•
You can specify only one dial-in protocol per authentication method list. However, you can create multiple authentication method lists with each of these options. You must give each list a different name, as described in the "Identifying a List Name" section.
If you specify ppp, the default authentication method for is PAP. For greater security, specify CHAP. The full command is aaa authentication ppp chap.
For example, if you specify PPP authentication, the configuration looks like this:
AS5850# configure terminalAS5850(config)# aaa authentication pppIdentifying a List Name
A list name identifies each authentication list. You can use the keyword default, or you can choose any other name that describes the authentication list. For example, you can name the list ppp-radius if you intend to apply it to interfaces configured for PPP and RADIUS authentication. The list name can be any alphanumeric string. Use default as the list name for most lines and interfaces, and use different names on an exception basis.
You can create different authentication method lists and apply them to lines and interfaces selectively. You can even create a named authentication method list that you do not apply to a line or interface, but intend to apply at some later point, such as when you deploy a new login method for users.
After you define a list name, you must identify additional security attributes (such as local authentication versus TACACS+ or RADIUS).
In the following example, the default authentication method list for PPP dial-in clients uses the local security database:
AS5850(config)# aaa authentication ppp defaultIn the following example, the PPP authentication method list name is insecure:
AS5850(config)# aaa authentication ppp insecureIn the following example, the login authentication method list name is deveng:
AS5850(config)# aaa authentication login devengSpecifying the Authentication Method
After you identify a list name, you must specify an authentication method to identify how users are authenticated.
To specify an authentication methods for PPP, use the following aaa authentication commands. Begin in global configuration mode (AS5850(config)# prompt).
Step 1
aaa new-model
Configures for AAA.
Step 2
aaa authentication ppp {default | list-name} method1 [method2]
Creates a local authentication list. Methods include if-needed, krb5, local, none, radius, tacacs+.1
Step 3
ppp authentication {chap | pap | chap pap | pap chap} [if-needed] {default | list-name} [callin]
Applies the authentication list to a line or set of lines.
Step 4
Ctrl-Z
Returns to privileged EXEC mode.
Step 5
copy running-config startup-config
Saves your changes.
1 The keyword list-name is any character string used to name the list you are creating. The keyword method refers to the actual method that the authentication algorithm tries. Additional methods are used only if the previous method returns an error, not if it fails. To specify that authentication should succeed even if all methods return an error, specify none as the final method in the command line.
Tip
You can specify multiple authentication methods for each authentication list. The following example for PPP first queries a TACACS+ server, then a RADIUS server, then the local security database. Multiple authentication methods can be useful if you have multiple types of security servers on the network, and one or more types of security server do not respond.
AS5850(config)# aaa authentication ppp testbed tacacs+ radius localIf you specify more than one authentication method and the first method (TACACS+ in the previous example) is not available, the Cisco IOS software attempts to authenticate using the next method (such as RADIUS). If, in the previous example, the RADIUS server has no information about the user, or if no RADIUS server can be found, the user is authenticated using the local username database that was populated with the username command.
If authentication fails using the first method listed, the Cisco IOS software does not permit access. It does not attempt to authenticate using the subsequent security methods if the user entered the incorrect password.
Populating the Local Username Database, If Necessary
If you specify local as the security method, you must specify username profiles for each user who might log in.
To do so, use the following commands in global configuration mode (AS5850(config)# prompt).
To show the encrypted version of the password, use the show running-config command as follows.
AS5850# show running-configBuilding configuration...Current configuration:!version 11.3 AA! most of config omittedusername xxx password 7 0215055500070C294D
Note
Authentication Method List Examples
This section includes authentication-method-list examples for the following:
•
Users Logging In to the Cisco AS5850
To handle users logging in to the Cisco AS5850, use any one of the following commands in global configuration mode (AS5850(config)# prompt).
Users Dialing In Using PPP
To handle users dialing in using PPP, use the following command in global configuration mode (AS5850(config)# prompt).
Applying Authentication Method Lists to Lines and Interfaces
To apply authentication method lists to lines or interfaces, use the login authentication or ppp authentication command, as described in Table 3-3.
Table 3-3 Line and Interface Authentication Method Lists
login authentication
Logs directly in to the Cisco AS5850.
Console port or VTY lines
aaa authentication login
ppp authentication1
Uses PPP to access IP or IPX network resources.
Interface
aaa authentication ppp
1 If you issue the ppp authentication command, you must specify either CHAP or PAP authentication. PAP is enabled by default, but Cisco recommends that you use CHAP because it is more secure. For more information, refer to the Security Configuration Guide, which is part of the Cisco IOS configuration guides and command references documentation.
You can create more than one authentication list or profile for login and protocol authentication and apply them to different lines or interfaces. The following examples show the line or interface authentication commands that correspond to the aaa authentication global-configuration command.
Login Authentication Example
The following example applies the default login authentication list to the console port and the default virtual terminal (VTY) lines on the Cisco AS5850:
AS5850(config)# aaa authentication login default localAS5850(config)# line console 0AS5850(config-line)# login authentication defaultAS5850(config-line)# line vty 0 69AS5850(config-line)# login authentication defaultThe following example creates the login authentication list named rtp2-office, which uses RADIUS authentication. It is applied to all 54 lines on and configured with a channelized T1 PRI card, including the console (CTY) port, the 48 physical asynchronous (TTY) lines, the auxiliary (AUX) port, and 69 virtual terminal (VTY) lines.
AS5850(config)# aaa authentication login rtp2-office radiusAS5850(config)# line 0 118AS5850(config-line)# login authentication rtp2-officeThe following sample output shows lines and their status on the Cisco AS5850:
AS5850# show lineTty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns* 0 CTY - - - - - 0 0 0/0I 1 TTY 115200/115200 - inout - - - 0 0 0/0I 2 TTY 115200/115200 - inout - - - 0 0 0/0...I 48 TTY 115200/115200 - inout - - - 0 0 0/049 AUX 9600/9600 - - - - - 0 0 0/050 VTY - - - - - 0 0 0/051 VTY - - - - - 0 0 0/052 VTY - - - - - 0 0 0/053 VTY - - - - - 0 0 0/054 VTY - - - - - 0 0 0/0PPP Authentication Example
The following example creates the PPP authentication list marketing, which uses TACACS+, and RADIUS authentication. The list marketing requires authentication only if the user is not authenticated on another line. It is then applied to asynchronous lines 1-48 on a Cisco AS5850 and uses CHAP authentication instead of the PAP default.
AS5850(config)# aaa authentication ppp marketing if-needed tacacs+ radiusAS5850(config)# line slot/1 slot/48AS5850(config-line)# ppp authentication chap marketingTACACS+ Authorization
You can restrict user access to the network so that users can perform only certain functions after successful authentication. As with authentication, authorization can be used with either a local or remote security database. This guide describes only remote authorization.
A typical configuration often uses EXEC and network authorization. EXEC authorization restricts access to the EXEC; network authorization restricts access to network services, including PPP.
Authorization must be configured on both the Cisco AS5850 and the security daemon. The default authorization is different on the Cisco AS5850 and the security server:
•
•
Tip
Configuring Authorization on the Security Server
You typically have the following methods for configuring default authorization on the security server:
•
default authorization = permit•
default service = permit•
a.
b.
c.
d.
e.
f.
g.
h.
i.
Configuring Authorization (Network or EXEC)
To configure network and EXEC authorization, use the following commands. Begin in global configuration mode (AS5850(config)# prompt).
Note
Specifying an Authorization Method
Authorization methods are defined as optional keywords in the aaa authorization command.
To configure both network and EXEC AAA authorization, use the following commands. Begin in global configuration mode (AS5850(config)# prompt). Table 3-4 describes the various authorization methods.
Step 1
aaa authorization {if-authenticated | local | none | radius | tacacs+}
Prevents unauthorized users from accessing network resources. Table 3-4 defines the authorization methods.
Step 2
Ctrl-Z
Returns to privileged EXEC mode.
Step 3
copy running-config startup-config
Saves your changes.
Specifying Authorization Parameters on a TACACS+ Server
When you configure authorization, you must ensure that the parameters established on the Cisco AS5850 correspond to those set on the TACACS+ server.
Authorization Examples
The following example uses a TACACS+ server to authorize the use of network services, including PPP. If the TACACS+ server is not available or has no information about a user, no authorization is performed, and the user can use all network services.
AS5850(config)# aaa authorization network tacacs+ noneThe following example permits the user to run the EXEC process if the user is authenticated. If the user is not authenticated, the Cisco IOS software defers to a RADIUS server for authorization information.
AS5850(config)# aaa authorization exec if-authenticated radiusThe following example configures network authorization. If the TACACS+ server does not respond or has no information about the username being authorized, the RADIUS server is polled for authorization information for the user. If the RADIUS server does not respond, the user still can access all network resources without authorization requirements.
AS5850(config)# aaa authorization network tacacs+ radius noneTACACS+ Security Examples
The following examples show complete security configuration components of a configuration file on a Cisco AS5850. Each example shows authentication and authorization.
Local TACACS+ Security Example
The following sample configuration uses AAA to configure default authentication using a local security database on the Cisco AS5850. All lines and interfaces have the default authentication lists applied. Users aaaa, bbbb, and cccc have been assigned privilege level 7. This prevents them from issuing ppp and slip commands, because these commands have been assigned to privilege level 8.
aaa new-modelaaa authentication login default localaaa authentication arap default localaaa authentication ppp default localaaa authorization exec localaaa authorization network localaaa authorization!username aaaa privilege exec level 7 privilege network level 8 password 7 095E470B1110username bbbb privilege network level 7 password 7 0215055500070C294Dusername cccc privilege network level 7 password 7 095E4F10140A1916!privilege exec level 8 pppprivilege exec level 8 slipline console 0login authentication default!The following configuration displays the sign-on dialog from a remote PC.
atdt5551234CONNECT 14400/ARQ/V32/LAPM/V42BISUser Access VerificationUsername: usernamePassword: passwordAS5850> enablePassword: passwordAS5850#TACACS+ Security Example for Login and PPP
The following example shows how to create and apply the following authentication lists:
•
•
•
Note
hostname AS5850!tacacs-server host aaatacacs-server key 007!aaa authentication login rtp-office tacacs+aaa authentication ppp marketing if-needed tacacs+!line console0login authentication rtp-office!tacacs-server host aaatacacs-server key 007!aaa authentication login rtp-office tacacs+aaa authentication ppp marketing if-needed tacacs+!line console0login authentication rtp-office!interface group-async0ppp authentication chap marketinggroup-range 2/0 2/47!line 2/0 2/47The following example shows how to create the following authentication lists:
•
•
•
radius-server host aaaradius-server key 007!privilege exec level 14 configureprivilege exec level 14 reloadprivilege exec level 8 ppp!aaa authentication login fly radiusaaa authentication ppp itsme if-needed radiusaaa authorization network radiusaaa authorization exec radius!line 1/0 1/53login authentication fly!interface group-async6ppp authentication chap itsmegroup-range 2/0 2/47
