Cisco Switch AAA Security
Today I will discuss Cisco Switch AAA security. Typically, remote administrator access to a Cisco switch requires a password but no username, so there is no accountability for which administrator has connected to the switch. Also, by default there is no mechanism that controls what an administrator is allowed to do.
Cisco provides three security mechanisms, called Authentication, Authorization and Accounting (AAA), that address these weaknesses. Configure AAA on a switch in conjunction with a security server.
Use of AAA with a security server provides the security mechanisms described below.
- Authentication – This mechanism identifies remote and local users before granting access to the switch.
- Authorization – This mechanism controls access to remote services based on defined attributes associated with the authenticated user.
- Accounting – This mechanism provides a secure logging capability for recording the services accessed by a user as well as the user's bandwidth consumption.
AAA allows for security servers to use three types of protocols: RADIUS, TACACS+ and Kerberos.
Create a local user account before enabling AAA. This step is important, especially if the administrator is configuring the switch remotely, because it provides a way to log in if the AAA servers cannot be reached.
The following command creates a local user with a username (here, shahed), a privilege level (here, 0) and a password (here, g00d-P5WD); the secret keyword stores the password as an MD5 hash rather than in clear text.
Switch(config)# username shahed privilege 0 secret g00d-P5WD
To enable AAA, use the following command.
Switch(config)# aaa new-model
A security server or set of security servers is specified with the following commands for TACACS+ and RADIUS:
{tacacs-server | radius-server} host ip-address
{tacacs-server | radius-server} key key
One important difference to note about using Kerberos, versus RADIUS or TACACS+, is that additional configuration is required to allow the switch to communicate with the key distribution center (KDC).
- 1. Authentication
It is necessary to create one or more login authentication method lists, each specifying which types of security server protocols will be used and in what order. The following shows the syntax of the command that enables authentication at login on the switch, using either the default list or a custom list together with one or more authentication methods.
aaa authentication login {default | list-name } method1 [method2…]
where the methods include the following:
group radius: uses all RADIUS servers listed
group tacacs+: uses all TACACS+ servers listed
group group-name: uses servers defined by group-name (RADIUS or TACACS+)
krb5: uses Kerberos
An example for configuring a switch to provide TACACS+ authentication using a group name of aaa-admin-servers is the following:
Switch(config)# aaa group server tacacs+ aaa-admin-servers
Switch(config)# aaa authentication login default group aaa-admin-servers
The switch can provide a local login method in case the AAA server is unavailable. It will not allow a user that has been denied access by the AAA server to log in using the local authentication mechanism.
The following example shows the use of local as a fallback.
Switch(config)# aaa authentication login aaa-fallback group aaa-admin-servers local
The last step is to apply the authentication method list(s) to the desired lines. The following shows the syntax for the command to enable authentication services to a specific line or a group of lines, applying either the default list or a custom list.
login authentication {default | list-name}
The following example would apply the named list, aaa-fallback, to the console line:
Switch(config)# line con 0
Switch(config-line)# login authentication aaa-fallback
- 2. Authorization
Similar to authentication, configuring authorization requires the security administrator to define method lists. The following shows the syntax of the command that enables authorization of user access to systems on a network, using either the default list or a custom list together with one or more methods:
aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} method1 [method2…]
Recommended authorization types include enabling authorization for the following:
auth-proxy: security policies are applied on a per-user basis
network: service requests
exec: initiation of an EXEC session
commands level: EXEC command execution at specified levels
reverse-access: reverse telnet session
configuration: downloading configurations from the security server
ipmobile: IP Mobile services
An example of configuring a switch to provide TACACS+ authorization, using the aaa-admin-servers group for EXEC and privileged EXEC commands, is the following:
Switch(config)# aaa authorization exec default group aaa-admin-servers
Switch(config)# aaa authorization commands 15 aaa-config group aaa-admin-servers if-authenticated
Applying named authorization lists is the final authorization configuration step. The following shows the syntax for the command to enable authorization services to a specific line or a group of lines.
authorization {arap | commands level | exec | reverse-access} {default | list-name}
To enable authorization services to the console line for commands at privilege level 15 (e.g., commands 15) with an authorization list (e.g., aaa-config), the administrator would use the following example:
Switch(config)# line con 0
Switch(config-line)# authorization commands 15 aaa-config
- 3. Accounting
The final piece of AAA to configure is accounting. Cisco switches support accounting records only for TACACS+ and RADIUS security servers. The following shows the syntax of the command that enables accounting of requested services for security purposes when using RADIUS or TACACS+.
aaa accounting {system | network | exec | connection | commands level} {default | list-name } {start-stop | stop-only | none} [method1 [method2…]]
The five types of accounting that can be specified include the following:
system: information for all system events (no support for named lists; must use default)
network: information on all network service requests
exec: information on user EXEC terminal sessions
connection: information on all outbound connections
commands level: information about all EXEC commands issued at a certain privilege level
To control the amount of accounting records for events specified by a method list, use the following:
start-stop: notices begin at start of event and continue until the end of the event
stop-only: send only a stop notice related to the event
none: no accounting
It is recommended that accounting be enabled for all five types, in particular accounting for level 15 commands. The following example enables all five types and uses the default accounting method, start-stop:
Switch(config)# aaa accounting exec default start-stop group aaa-admin-servers
Switch(config)# aaa accounting commands 15 default start-stop group aaa-admin-servers
Switch(config)# aaa accounting network default start-stop group aaa-admin-servers
Switch(config)# aaa accounting connection default start-stop group aaa-admin-servers
Switch(config)# aaa accounting system default start-stop group aaa-admin-servers
The following shows the syntax for the command to enable accounting services to a specific line or a group of lines:
accounting {arap | commands level | exec | connection} {default | list-name}
To enable accounting services on the console line for commands at privilege level 15 (commands 15) and for EXEC terminal sessions (exec), the administrator would use the following example:
Switch(config)# line con 0
Switch(config-line)# accounting commands 15 default
Switch(config-line)# accounting exec default
To have accounting records sent to the security servers while a session is still open, rather than only when it ends, enable interim accounting records, either whenever new accounting information becomes available (newinfo) or at a fixed interval (periodic minutes).
Switch(config)# aaa accounting update {newinfo | periodic minutes}
By default, Cisco switches do not generate accounting records for failed login authentication attempts even when accounting is enabled. To enable these accounting records, use the following command.
Switch(config)# aaa accounting send stop-record authentication failure
- 4. 802.1X Port-Based Authentication
The IEEE 802.1X standard is a port-based access control and authentication protocol. Although the implementation of this standard is still evolving, it is currently available on many of Cisco's switches. It forces a client that is connected to a switch port to authenticate to a server, such as Cisco's Access Control Server, before gaining access to the network. The client must be running 802.1X-compliant supplicant software, which is available on certain operating systems (e.g., Windows XP).
The following example enables 802.1X on a Cisco IOS switch on the interface Ethernet 1/0:
Switch(config)# aaa authentication dot1x default group radius
Switch(config)# dot1x system-auth-control
Switch(config)# interface Ethernet 1/0
Switch(config-if)# dot1x port-control auto
Switch(config-if)# dot1x host-mode single-host
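As an added example (not from the original post), the following Python script audits a running-config for the settings recommended in sections 1 to 4 above: it reports recommended global AAA and 802.1X commands that are missing and lists console or vty line sections that apply no login authentication list. The sample configuration and the check names are constructed for this example and are not captured from a real device.

```python
import re

# Constructed sample running-config excerpt, stitched from the commands shown above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group aaa-admin-servers
aaa authentication login aaa-fallback group aaa-admin-servers local
aaa authorization exec default group aaa-admin-servers
aaa authorization commands 15 aaa-config group aaa-admin-servers if-authenticated
aaa accounting exec default start-stop group aaa-admin-servers
aaa accounting commands 15 default start-stop group aaa-admin-servers
dot1x system-auth-control
line con 0
 login authentication aaa-fallback
 authorization commands 15 aaa-config
 accounting commands 15 default
line vty 0 4
 transport input ssh
"""

# Recommended global settings; each regex must match at least one config line.
CHECKS = [
    ("aaa new-model", r"^aaa new-model$"),
    ("login list with local fallback", r"^aaa authentication login \S+ group \S+ local$"),
    ("exec authorization", r"^aaa authorization exec \S+ group \S+"),
    ("level-15 command authorization", r"^aaa authorization commands 15 \S+ group \S+"),
    ("exec accounting start-stop", r"^aaa accounting exec \S+ start-stop group \S+"),
    ("level-15 command accounting start-stop", r"^aaa accounting commands 15 \S+ start-stop group \S+"),
    ("stop-record on failed authentication", r"^aaa accounting send stop-record authentication failure$"),
    ("802.1X system-auth-control", r"^dot1x system-auth-control$"),
]

def missing_global_settings(config: str) -> list:
    """Return the names of recommended global settings absent from the config."""
    lines = [ln.strip() for ln in config.splitlines()]
    return [name for name, pat in CHECKS if not any(re.match(pat, ln) for ln in lines)]

def lines_without_login_list(config: str) -> list:
    """Return 'line ...' sections that apply no 'login authentication' list."""
    sections, current = {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())   # indented sub-command of a line section
        else:
            current = raw.strip() if raw.startswith("line ") else None
            if current is not None:
                sections[current] = []
    return [name for name, subs in sections.items()
            if not any(s.startswith("login authentication ") for s in subs)]
```

Running the two functions over SAMPLE_CONFIG flags the missing failed-authentication stop record and the vty lines that never received a login authentication list.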