2005 Cisco Systems, Inc. All rights reserved.
CNIT 221 Security 1 ver.2
Module 5
City College of San Francisco
Spring 2006
Network Security 1
Module 5: Cisco Secure Access Control Server
Learning Objectives
5.1 Cisco Secure Access Control Server for Windows
5.2 Configuring RADIUS and TACACS+ with CSACS
5.1 Cisco Secure Access Control Server for Windows
Cisco Access Control Server
Cisco Secure Access Control Server (ACS) network security software helps you authenticate users by controlling access to an AAA client (a router, switch or VPN Concentrator).
The AAA client can be any one of many network devices that can be configured to defer authentication and authorization of network users to an AAA server.
AAA: Authentication, Authorization and Accounting. AAA can be implemented on a device locally or managed from a central server running the RADIUS or TACACS+ protocols.
Cisco Secure ACS Products
[Figure: Cisco Secure ACS for Windows Server and Cisco Secure ACS Solution Engine serving a NAS and a router; a remote dial-up client reaches the NAS over PSTN/ISDN and a remote VPN client reaches the router over the Internet; a console is attached to the NAS.]
What Is Cisco Secure ACS for Windows Server?
Provides AAA services to network devices that function as AAA clients, such as routers, NASs, PIX Security Appliances, or VPN Concentrators.
Helps centralize access control and accounting, in addition to router and switch access management.
Allows network administrators to quickly administer accounts and globally change levels of service offerings for entire groups of users.
Although the use of an external user database is optional, Cisco Secure ACS for Windows Server supports many popular user repository implementations.
Uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment.
Can authenticate against many popular token servers: Cisco Secure ACS supports any token server that is a RADIUS server compliant with IETF RFC 2865.
Cisco Secure ACS General Features
[Figure: NAS and Cisco Secure ACS for Windows Server linked by TACACS+ or RADIUS; PAP, CHAP and MS-CHAP are used between the user and the NAS.]
Uses TACACS+ or RADIUS between Cisco Secure ACS and the NAS.
Allows authentication against the Windows 2000 user database, the ACS user database, a token server, or other external databases.
Supports PAP, CHAP, and MS-CHAP authentication on the NAS.
Authentication and User Databases
Cisco Secure ACS supports several external user databases:
Windows NT/2000 User Database
Generic LDAP
NDS
ODBC-compliant relational databases
CRYPTOCard token server
SafeWord token server
AXENT token server
RSA SecurID token server
ActivCard token server
Vasco token server
Cisco Secure ACS System Architecture
Provides ACS to multiple Cisco authenticating devices (NAS 1, NAS 2 and NAS 3 in the figure).
Comprises several modular Windows 2000 services, operating together on one server:
Authentication service
Authorization service
Logging service
RADIUS service
TACACS+ service
Administration service
Sync service
Monitor service
Cisco Secure ACS Windows Services
CSAdmin: Provides the HTML interface for administration of Cisco Secure ACS.
CSAuth: Provides authentication services.
CSDBSync: Provides synchronization of the CiscoSecure user database with an external RDBMS application.
CSLog: Provides logging services, both for accounting and system activity.
CSMon: Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
CSTacacs: Provides communication between TACACS+ AAA clients and the CSAuth service.
CSRadius: Provides communication between RADIUS AAA clients and the CSAuth service.
Cisco Secure ACS User Database
[Figure: NAS 1, NAS 2 and NAS 3 all querying the ACS user database.]
Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the Cisco Secure ACS user database.
Using the ACS Database Alone
[Figure: the dial-up client sends its username and password to the NAS; the NAS exchanges TACACS+ or RADIUS requests and responses with Cisco Secure ACS on a Windows 2000 Server; "authentication confirmed" and authorization information are returned to the NAS. The Windows 2000 Server user login process and Windows 2000 user database appear in the figure but are not consulted when the ACS database is used alone.]
The NAS is directed to Cisco Secure ACS for Windows Server for AAA services: authentication of the client, authorization privileges assignment, and accounting information destination.
The TACACS+ or RADIUS service directs the request to the appropriate administrative service (the ACS authentication and authorization service).
The request is authenticated against the ACS database, the associated authorizations are assigned, and accounting information is logged.
Using the Windows Database
[Figure: the dial-up client sends its username and password to the NAS; the NAS exchanges TACACS+ or RADIUS requests and responses with Cisco Secure ACS on a Windows 2000 Server; the ACS authentication and authorization service hands the credentials to the Windows 2000 Server user login process, which checks the Windows 2000 user database (RAS data, grant dial-in); "authentication confirmed" and authorization information are returned to the NAS.]
The NAS is directed to Cisco Secure ACS for Windows Server for AAA services: authentication of the client, authorization privileges assignment, and accounting information destination.
The TACACS+ or RADIUS service directs the request to the appropriate administrative service.
The username and password are sent to the Windows 2000 database for authentication. If approved, confirmation and the associated authorization assigned in ACS for that user are sent to the NAS. Accounting information is logged.
The username and password are submitted to Windows 2000 with "Grant dial-in" permission as a local user. The response is returned to ACS and authorizations are assigned, which makes a single login for dial-in access and network login possible.
Using External User Databases
[Figure: NAS 1, NAS 2 and NAS 3 query Cisco Secure ACS, whose ACS user database forwards authentication to an external user database.]
Using Token Cards
[Figure: a token card displaying a one-time code; the user's NAS talks TACACS+ or RADIUS to Cisco Secure ACS, which talks to the token card server using proprietary protocols.]
Supported token servers:
LEAP proxy RADIUS servers
RSA SecurID token servers
RADIUS-based token servers, including:
  ActivCard token servers
  CRYPTOCard token servers
  VASCO token servers
  PassGo token servers
  SafeWord token servers
  Generic RADIUS token servers
User-Changeable Passwords
[Figure: the user reaches the UCP server on a Windows 2000 Server (IIS 5.0) over an SSL connection (suggested); the UCP server exchanges 128-bit encrypted messages with Cisco Secure ACS for Windows Server, which serves NAS 1, NAS 2 and NAS 3.]
5.2 Configuring RADIUS and TACACS+ with CSACS
Gathering Answers for the Installation Questions
Determine whether the computer that Cisco Secure ACS will be installed on is a domain controller or a member server.
Determine which AAA protocol and vendor-specific attribute to implement.
Record the name of the AAA client.
Record the IP address of the AAA client.
Record the IP address of the computer that Cisco Secure ACS will be installed on.
Record the shared secret TACACS+ or RADIUS key.
Cisco Secure ACS for Windows Server: Installation Overview
Task 1: Preconfigure the Windows 2000 Server system.
Task 2: Verify the connection between the Windows 2000 Server system and the Cisco routers.
Task 3: Install Cisco Secure ACS for Windows Server on the Windows 2000 Server system.
Task 4: Initially configure Cisco Secure ACS for Windows Server via web browser.
Task 5: Configure the routers for AAA.
Task 6: Verify correct installation and operation.
Administering Cisco Secure ACS for Windows Server
Troubleshooting
Use the Failed Attempts Report under Reports and Activity as a starting point. It provides a valuable source of troubleshooting information.
Globally Enable AAA
[Figure: NAS with Cisco Secure ACS for Windows Server at 10.1.2.4.]
router(config)# aaa new-model
tacacs-server Commands
router(config)# tacacs-server key keystring
  Example: router(config)# tacacs-server key 2bor!2b@?
router(config)# tacacs-server host ipaddress
  Example: router(config)# tacacs-server host 10.1.2.4
These two commands can be used to share the key with all servers.
Or:
router(config)# tacacs-server host ipaddress key keystring
  Example: router(config)# tacacs-server host 10.1.2.4 key 2bor!2b@?
This command can be used to set the key for a single server.
AAA Configuration Commands
router(config)# aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]
router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
router(config)# aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}
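The tacacs-server and aaa commands above only work as a set: aaa new-model must be on, every server host needs a key (its own or the global one), and each method list should name methods that still work when the server is unreachable. The following added example, written for these notes and not part of the Cisco course material, is a small lint for an IOS configuration fragment that checks those relationships. The sample configuration is constructed for the example; the severity labels and message wording are this example's own.

```python
# Constructed sample configuration for this example (not from the slides):
# the first host carries its own key, the second relies on a global
# 'tacacs-server key' that is never set, and the exec authorization list
# has no fallback method if the server is unreachable.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 10.1.2.4 key 2bor!2b@?
tacacs-server host 10.1.2.5
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+ enable
aaa authorization exec default tacacs+
aaa accounting exec default start-stop tacacs+
aaa accounting commands 15 default stop-only tacacs+
"""

AAA_SERVICES = ("authentication", "authorization", "accounting")
FALLBACK_METHODS = {"local", "enable"}     # methods that still work with the server down


def _parse_methods(words, service):
    """Split an 'aaa <service> ...' line into (list_name, methods).

    Layout follows the IOS syntax shown on the slides:
      aaa authentication <type> <list> method1 [method2 ...]
      aaa authorization  <type> [level] <list> method1 [method2 ...]
      aaa accounting     <type> [level] <list> <record-mode> [method1 ...]
    The 'commands' type carries a privilege level before the list name.
    """
    idx = 4 if words[2] == "commands" else 3
    list_name = words[idx]
    rest = words[idx + 1:]
    if service == "accounting":
        if rest and rest[0] == "none":
            return list_name, ["none"]      # 'none' is the record mode, not a method
        rest = rest[1:]                     # drop start-stop / wait-start / stop-only
    return list_name, [w for w in rest if w != "group"]   # accept 'tacacs+' and 'group tacacs+'


def lint_aaa_config(config_text):
    """Return a list of 'severity: message' strings for an IOS config fragment."""
    findings = []
    new_model = False
    global_keys = {}        # "tacacs" / "radius" -> key set with '<proto>-server key'
    hosts = {}              # (proto, address) -> per-host key, or None
    used = set()            # protocols named in method lists
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[0] == "aaa" and words[1:2] == ["new-model"]:
            new_model = True
        elif words[0] == "aaa" and len(words) > 1 and words[1] in AAA_SERVICES:
            try:
                list_name, methods = _parse_methods(words, words[1])
            except IndexError:
                findings.append(f"error: '{raw.strip()}' is incomplete")
                continue
            label = f"aaa {words[1]} {words[2]} {list_name}"
            if not methods:
                findings.append(f"error: {label} names no method")
                continue
            remote = {m.rstrip("+") for m in methods if m in ("tacacs+", "radius")}
            used |= remote
            if words[1] == "authentication" and methods == ["none"]:
                findings.append(f"error: {label} uses only 'none', so no authentication is performed")
            elif words[1] != "accounting" and remote and not set(methods) & FALLBACK_METHODS:
                findings.append(f"warn: {label} has no local fallback if the AAA server is unreachable")
        elif words[0] in ("tacacs-server", "radius-server") and len(words) > 2:
            proto = words[0].split("-")[0]
            if words[1] == "key":
                global_keys[proto] = " ".join(words[2:])
            elif words[1] == "host":
                hosts[(proto, words[2])] = words[words.index("key") + 1] if "key" in words else None
    if not new_model:
        findings.append("error: 'aaa new-model' is missing; no other aaa command takes effect without it")
    for (proto, addr), key in hosts.items():
        if key is None and proto not in global_keys:
            findings.append(f"error: {proto}-server host {addr} has no key and no global '{proto}-server key' is set")
    for proto in sorted(used):
        if not any(p == proto for p, _ in hosts):
            findings.append(f"error: method lists use {proto} but no '{proto}-server host' is configured")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the missing key for 10.1.2.5 and the authorization list with no fallback; adding a global tacacs-server key and a local method clears both. Accounting lists are exempt from the fallback check because accounting has no local method.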
AAA TACACS+ Troubleshooting
router# debug tacacs
Displays detailed information associated with TACACS+.
router# debug tacacs events
Displays detailed information from the TACACS+ helper process.
debug aaa authentication Command
TACACS+ Example Output
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
debug tacacs Command Example Output
Failure
13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 10.1.1.4/49
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 10.1.1.4/49
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
debug tacacs Command Example Output
Pass
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
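The Failure and Pass outputs above share one shape: a session id in parentheses, a GETUSER then GETPASS prompt, and a final PASS or FAIL before the connection closes. When you are reading a long debug capture rather than two tidy slides, it helps to let a script rebuild the sessions. The following added example (written for these notes, not Cisco's code) reconstructs each session from debug tacacs lines, records how long it took, and flags sessions that closed without any final status. The sample lines are constructed: the first two sessions are copied from the slides, the third is made up to show a connection that closes before the server answers.

```python
import re
from collections import Counter

# Constructed sample: the FAIL and PASS sessions from the slides plus a third,
# made-up session that closes without a final status, which is what you see
# when the server stops answering.
SAMPLE_DEBUG = """\
13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
14:05:01: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:05:01: TAC+ (555000111): received authen response status = GETUSER
14:05:16: TAC+: Closing TCP/IP connection to 10.1.1.4/49
"""

STATUS_RE = re.compile(
    r"^(\d\d:\d\d:\d\d): TAC\+ \((\d+)\): received authen response status = (\w+)$")
CONN_RE = re.compile(
    r"^(\d\d:\d\d:\d\d): TAC\+: (Opening|Closing) TCP/IP connection to (\S+)$")
FINAL = {"PASS", "FAIL", "ERROR"}     # terminal authentication statuses (RFC 8907)


def _seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def analyze_tacacs_debug(text):
    """Reconstruct authentication sessions from 'debug tacacs' output.

    Returns {session_id: {"server", "start", "end", "steps", "outcome"}}.
    outcome is PASS, FAIL or ERROR as reported by the server, or INCOMPLETE
    when the connection closed before any final status arrived.
    """
    sessions = {}
    server = None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            when, action, server = m.groups()
            if action == "Closing":
                for sess in sessions.values():
                    if sess["server"] == server and sess["outcome"] is None:
                        sess["outcome"], sess["end"] = "INCOMPLETE", _seconds(when)
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue
        when, sid, status = m.groups()
        sess = sessions.setdefault(sid, {"server": server, "start": _seconds(when),
                                          "end": None, "steps": [], "outcome": None})
        sess["steps"].append(status)
        if status in FINAL:
            sess["outcome"], sess["end"] = status, _seconds(when)
    return sessions


def summarize(sessions):
    """Count outcomes per server and list sessions that never reached a final status."""
    counts = Counter((s["server"], s["outcome"]) for s in sessions.values())
    stalled = [sid for sid, s in sessions.items() if s["outcome"] == "INCOMPLETE"]
    return counts, stalled


if __name__ == "__main__":
    sessions = analyze_tacacs_debug(SAMPLE_DEBUG)
    for sid, s in sessions.items():
        print(sid, s["server"], s["outcome"], s["end"] - s["start"], "s", s["steps"])
    print(summarize(sessions))
```

A run of INCOMPLETE sessions against one server points at reachability or the server process rather than at user credentials, which is the distinction the Failed Attempts Report on the ACS side will not show you.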
debug tacacs events Command Output
router# debug tacacs events
%LINK-3-UPDOWN: Interface Async2, changed state to up
00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 10.1.1.4/49
00:03:16: TAC+: periodic timer started
00:03:16: TAC+: 10.1.1.4 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued
00:03:17: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 46 of 46 bytes
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=61 wanted=61 alloc=61 got=49
00:03:22: TAC+: 10.1.1.4 received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed
00:03:22: TAC+: periodic timer stopped (queue empty)
00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 10.1.1.4/49
00:03:22: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 10.1.1.4/49
00:03:22: TAC+: periodic timer started
00:03:22: TAC+: 10.1.1.4 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued
00:03:23: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 41 of 41 bytes
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=21 wanted=21 alloc=21 got=9
00:03:23: TAC+: 10.1.1.4 received 21 byte reply for 3BD868
00:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed
00:03:23: TAC+: periodic timer stopped (queue empty)
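The events output is easier to read once you know the wire format: every TACACS+ packet starts with a 12-byte header (that is the "read=12 wanted=12" line), whose length field tells the router how many body bytes follow (49 and 9 in the two replies), and "ver=193" and "ver=192" are the version byte 0xC1 and 0xC0, major version 12 with minor version 1 or 0. The body is not encrypted; it is XORed with an MD5 stream derived from the shared key, session id, version and sequence number, which is why a key mismatch between router and ACS shows up as a decoded body that makes no sense rather than as an explicit error. The following added example (mine, not Cisco's or the course's) packs and parses that header and applies the RFC 8907 body obfuscation; the body bytes and session id are constructed, the key is the one from the tacacs-server key slide.

```python
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length (12 bytes)
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def decode_version(ver):
    """Split the version byte: 193 (0xC1) -> (12, 1), 192 (0xC0) -> (12, 0)."""
    return ver >> 4, ver & 0x0F


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=0xC1):
    """Header plus obfuscated body, as the NAS writes it to the TCP connection."""
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(data, key):
    """Return (header fields, body); raise on a truncated or inconsistent packet."""
    if len(data) < HEADER.size:
        raise ValueError("packet shorter than the 12-byte header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(data)
    if len(data) != HEADER.size + length:
        raise ValueError(f"length field says {length} body bytes, got {len(data) - HEADER.size}")
    body = data[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:      # flag clear means the body is obfuscated
        body = obfuscate(body, session_id, key, version, seq_no)
    major, minor = decode_version(version)
    fields = {"major": major, "minor": minor, "type": ptype, "seq_no": seq_no,
              "flags": flags, "session_id": session_id, "length": length}
    return fields, body


if __name__ == "__main__":
    key = b"2bor!2b@?"              # shared secret from the slide's tacacs-server key example
    body = bytes(range(34))         # constructed 34-byte body: 12 + 34 = 46 bytes, like "wrote 46 of 46 bytes"
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body, key)   # constructed session id
    print(len(pkt), parse_packet(pkt, key)[0])
    print(parse_packet(pkt, b"wrong-key")[1] == body)
```

Parsing with the wrong key succeeds structurally (the header is always in the clear) but returns a different body, which is the practical reason to treat the shared key as a credential and to run TACACS+ only over a management network you trust: the obfuscation hides passwords from a casual look at the wire, nothing more.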
RADIUS Server Commands
router(config)# radius-server key keystring
  Example: router(config)# radius-server key 2bor!2b@?
router(config)# radius-server host {host-name | ipaddress}
  Example: router(config)# radius-server host 10.1.2.4
These two commands can be used to share the key with all servers.
Or:
router(config)# radius-server host ipaddress key keystring
  Example: router(config)# radius-server host 10.1.2.4 key 2bor!2b@?
This command can be used to set the key for a single server.
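The radius-server key is used for two things the commands above do not make visible: hiding the User-Password attribute in the Access-Request, and computing the Response Authenticator that lets the NAS check that an Access-Accept really came from a server holding the same key. The following added example (written for these notes; it is not Cisco's code and not an ACS component) walks through one exchange per RFC 2865, the RFC cited earlier for token-server compatibility: the NAS builds an Access-Request, the server unhides the password and answers, and the NAS verifies the answer. Usernames, passwords and the user table are constructed; the secret is the key from the slide.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
SECRET = b"2bor!2b@?"       # shared secret from the slide's radius-server key example


def _attr(atype, value):
    """Type, length (including this 2-byte header), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _attrs(data):
    """Yield (type, value) pairs; reject malformed lengths instead of looping."""
    pos = 0
    while pos < len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR 16-byte blocks with a chained MD5 stream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident=1, request_auth=None):
    """NAS side: Code, Identifier, Length, 16-byte random Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_respond(request, secret, users):
    """Server side: check the hidden password against 'users' and answer Accept/Reject.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    code, ident, length = struct.unpack_from("!BBH", request)
    request_auth = request[4:20]
    fields = dict(_attrs(request[20:length]))
    ok = (code == ACCESS_REQUEST and USER_NAME in fields and USER_PASSWORD in fields
          and users.get(fields[USER_NAME]) == reveal_password(fields[USER_PASSWORD], secret, request_auth))
    attrs = b""
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def client_verify(response, request, secret):
    """NAS side: accept the answer only if its authenticator matches our request and secret."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected), response[0]


if __name__ == "__main__":
    users = {b"alice": b"s3cret"}          # constructed user table
    req = build_access_request(b"alice", b"s3cret", SECRET, ident=7)
    print(client_verify(server_respond(req, SECRET, users), req, SECRET))
```

The third case in the test is the one that matters operationally: when the server's key differs from the NAS's, the password unhides to garbage (so the server rejects) and the Response Authenticator fails to verify (so the NAS discards the reply), and the user sees a timeout rather than an "authentication failed" message.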