Virtual Profiles
Virtual profiles and virtual templates provide ways to apply centralized, user-specific
parameters to multiple access servers and their physical interfaces. This can greatly reduce
the impact of changes to widely distributed access points.
As suggested by the name, there is a difference between a virtual profile and the element it
replaces—the dialer profile. Dialer profiles maintain information on a single access server for
specific users. The virtual profile adds the following:
- User-specific configurations served from the AAA server
- An open methodology for defining both standards-based and vendor-specific parameters
After the user authenticates to the system, a virtual template is applied to the virtual access
interface. User parameters are then obtained from the AAA server (security server) and applied
to the virtual access interface. This solution allows for better scalability and easier administration
than standard dialer profiles. As a result, the virtual profile is actually a combination of
the physical interface, generic information stored in a virtual template on the access server,
and user-specific parameters stored on the security server.
If you want to expand your understanding of virtual profiles and their usage,
refer to the Cisco website (www.cisco.com).

Accounting Configuration

The accounting function records who did what and for how long. Because of this, it relies
upon the authentication process to provide part of the audit trail. For this reason, it is recommended
that accounts be established with easily identified usernames, typically a last-name,
first-initial configuration. This information is coupled with six accounting types, as
described in Table 32.5.

The configuration of accounting is fairly simple, but there are a few choices that should be
considered. Table 32.6 provides a subset of the more common commands. Administrators
will need to balance the desire to obtain complete accounting records against the overhead
incurred. Each command in Table 32.6 names the function being accounted for (commands,
connections, system events, and so on), the method used to account for it (start-stop,
stop-only, or wait-start), and the server type to which the records are sent.

TABLE 32.6 AAA Accounting Commands

aaa accounting command level method server
    Audits all commands at a specified level by using the specified method. (The options are
    start-stop, stop-only, and wait-start.) Sends this information to the server type (TACACS+
    or RADIUS) specified.

aaa accounting connection method server
    Audits all outbound connections (including Telnet and rlogin) to the specified server type
    by using the specified method.

aaa accounting exec method server
    Audits the EXEC process with the specified method to the specified server type.

aaa accounting network method server
    Audits network service requests (including SLIP, PPP, and ARAP requests) to the specified
    server type by using the specified method.

aaa accounting system method server
    Audits system-level events, such as reload, by using the specified method to the specified
    server type. Because a router reload is one of the ultimate denial-of-service attacks, it is
    useful to know which user identification was used to issue the command.

aaa accounting function start-stop server
    Documents the start and stop of a particular type of session specified by the function
    parameter to the specified server type. Audit information is sent in the background,
    negating any delay for the user.

aaa accounting function stop-only server
    Sends a stop accounting notice at the end of a user process specified by the function
    parameter to the specified server type.

aaa accounting function wait-start server
    Similar to aaa accounting start-stop, this command documents the start of a particular type
    of session specified by the function parameter to the specified server type. However, the
    user is not permitted to continue until the accounting server acknowledges the log entry.
    This can delay user access.

aaa accounting function method {tacacs+ | radius}
    Enables accounting information to be sent to the TACACS+ or RADIUS accounting server for
    the specified function by using the specified method.

One area in which accounting transcends security is charge-back. If accurate start
and stop times are recorded, a company could charge users for their time on the
system to offset the cost. Internet service providers (ISPs) have long considered
this as an alternative to the flat-rate model currently found in the United States.
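The start-stop, stop-only and charge-back points above are easiest to see on real records. The following Python is an added example written for this page (it is not CiscoSecure or tac_plus code): it pairs start and stop records by NAS address and task_id, totals each user's session time, and reports sessions that never stopped or that have a stop with no start (what stop-only accounting produces). The tab-separated record layout and the sample lines are constructed for the example; adapt parse_record to your server's actual format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of TACACS+ accounting records (NOT real server output).
# Assumed layout: timestamp, NAS address, user, port, remote address, record type
# (start/stop), then attribute=value pairs, all tab-separated.
SAMPLE_ACCOUNTING_LOG = """\
May 14 2003 09:00:00\t10.1.98.1\tnetops\ttty1\t10.1.20.7\tstart\ttask_id=11\tservice=shell
May 14 2003 09:47:30\t10.1.98.1\tnetops\ttty1\t10.1.20.7\tstop\ttask_id=11\tservice=shell\telapsed_time=2850
May 14 2003 10:05:00\t10.1.98.1\tshayna\ttty2\t10.1.20.9\tstart\ttask_id=12\tservice=shell
May 14 2003 10:05:10\t10.1.98.1\tshayna\ttty2\t10.1.20.9\tstop\ttask_id=12\tservice=shell\telapsed_time=10
May 14 2003 11:30:00\t10.1.98.1\tnetops\ttty1\t10.1.20.7\tstart\ttask_id=13\tservice=shell
May 14 2003 11:31:00\t10.1.98.1\tnetops\ttty1\t10.1.20.7\tstart\ttask_id=14\tservice=shell
May 14 2003 11:45:00\t10.1.98.1\tnetops\ttty1\t10.1.20.7\tstop\ttask_id=14\tservice=shell\telapsed_time=840
May 14 2003 12:00:00\t10.1.98.1\tshayna\ttty2\t10.1.20.9\tstop\ttask_id=15\tservice=shell\telapsed_time=60
"""

TIME_FORMAT = "%b %d %Y %H:%M:%S"


def parse_record(line):
    """Split one accounting line into its fixed fields and its attribute=value pairs."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6:
        raise ValueError("malformed accounting record: %r" % line)
    attrs = dict(f.split("=", 1) for f in fields[6:] if "=" in f)
    return {
        "time": datetime.strptime(fields[0], TIME_FORMAT),
        "nas": fields[1], "user": fields[2], "port": fields[3],
        "remote": fields[4], "type": fields[5], "attrs": attrs,
    }


def accounting_report(log_text):
    """Pair start/stop records by (NAS, task_id) and total per-user session time.

    Returns a dict with:
      usage    - user -> seconds of session time (the charge-back figure)
      open     - task_ids with a start but no stop (still active, or the stop was lost)
      orphans  - task_ids with a stop but no start (as stop-only accounting produces)
      mismatch - task_ids whose elapsed_time attribute disagrees with the timestamps
    """
    starts, usage = {}, defaultdict(int)
    orphans, mismatch = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["nas"], rec["attrs"].get("task_id"))
        if rec["type"] == "start":
            starts[key] = rec
        elif rec["type"] == "stop":
            start = starts.pop(key, None)
            if start is None:
                # No start record: the only duration available is the one the NAS reports.
                orphans.append(key[1])
                usage[rec["user"]] += int(rec["attrs"].get("elapsed_time", 0))
                continue
            seconds = int((rec["time"] - start["time"]).total_seconds())
            reported = rec["attrs"].get("elapsed_time")
            if reported is not None and int(reported) != seconds:
                mismatch.append(key[1])   # clock skew or a tampered record; worth a look
            usage[rec["user"]] += seconds
    return {
        "usage": dict(usage),
        "open": sorted(k[1] for k in starts),
        "orphans": orphans,
        "mismatch": mismatch,
    }


if __name__ == "__main__":
    for name, value in accounting_report(SAMPLE_ACCOUNTING_LOG).items():
        print(name, value)
```

Note that task 13 has a start but no stop: with start-stop accounting this is either a live session or a lost record, and the charge-back total silently excludes it, which is why an audit should list open sessions rather than only summing the closed ones.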

Authorization Commands

Recall that authorization is the AAA process responsible for granting permission to access particular
components in the network. The administrator will need to define these permissions
based on corporate policy and user privileges. It is important to note that although a TACACS+
file was included in the previous section to illustrate authentication, the actual authorization
controls were not included.

Chapter 32: Centralized Security in Remote Access Networks

The commands associated with authorization include parameters for the protocols that are
to be used and the method used for authorization. These commands are used after the authentication
phase of AAA, and they are described in Table 32.4.

TABLE 32.4 AAA Authorization Commands

aaa authorization network method
    Performs authorization security on all network services—including SLIP, PPP, and ARAP—using
    the method specified by the method parameter. The method could be TACACS+, RADIUS,
    local, and so on.

aaa authorization exec method
    Authorizes the EXEC process with the specified AAA method.

aaa authorization commands level 15 method
    Authorizes all EXEC commands used at the specified level (0–15) by using the specified
    method. In this example, this is level 15, which is regarded as full authorization and
    normally associated with enable mode.

aaa authorization config-commands
    Uses AAA authorization for configuration mode commands.

aaa authorization reverse-access method
    Uses AAA authorization specified by the method parameter for reverse Telnet connections.

aaa authorization function if-authenticated
    Permits the user to use the requested function only if the user is authenticated.

aaa authorization function local
    Uses the local database for authorization for the specified function. This database is
    stored in the router’s configuration in NVRAM.

aaa authorization function radius
    Uses RADIUS for authorization of the specified function.

aaa authorization function tacacs+
    Uses TACACS+ for authorization of the specified function.

A Sample TACACS+ Configuration File
The easiest way to understand the authorization function is to examine a configuration file that
controls authorized services. Look at the following sample configuration file that controls
authorized services:
#TACACS+ V2.1 configuration file
#created 5/14/03
#edited 8/26/03
#
#If user doesn't appear in the config file user/etc/password
default authentication = file /etc/passwd
accounting file = /home1/logs/tacacs+.accounting
#Must be same as router IOS "tacacs-server key"
key = tjelkprp
#
user=netops {
member=operator
login=cleartext dilbert
}
user=rpadjen {
# Robert Padjen
default service=permit
login=cleartext yummy
}
group=operator {
name="Network Operator"
cmd=debug {
permit .*
}
cmd=write {
permit terminal
}
cmd=clear {
permit .*
}
cmd=show {
#permit show commands
permit .*
}
}
user=shayna {
# Shayna Padjen
member=operator_plus
login=cleartext flatshoe
}
group=operator_plus {
name="Network Operator Plus"
cmd=debug {
permit .*
}
cmd=write {
permit terminal
}
cmd=clear {
permit .*
}
#permit show commands
cmd=show {
permit .*
}
cmd=configure {
permit terminal
}
cmd=interface {
permit .*
}
cmd=shutdown {
permit .*
}
cmd=no {
permit shutdown
}
}
This file establishes a number of user accounts and authorization rights. The first group,
operator, is provided with basic diagnostic and administrative functions, while the
operator_plus group is enhanced with shutdown, interface, and configure commands. All
commands are available to one administrator. Note that Shayna is a member of operator_plus,
and Rob is allowed full access.
Pay particular attention to a few additional items about this specific configuration file. First,
the passwords are in cleartext, meaning that anyone with access to the server can obtain them.
Most configuration files are encrypted. Second, observe that restrictions can be quite granular
and could include functions such as ping while blocking extended ping.
Please refer to the documentation that accompanies your server for syntax and
configuration instructions specific to your installation.
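To see how a file like the one above is evaluated, here is a small parser and authorization check written for this page as an added example; it is not tac_plus or CiscoSecure code. It reads an abridged copy of the sample file (same users and groups, fewer cmd blocks) and answers whether a user may run a given command. The matching semantics are assumptions: a user's own cmd rules are checked first, then those of the group named by member=, each permit/deny pattern is matched against the command's argument string with a regular-expression search, default service=permit allows anything not otherwise decided, and no matching rule means deny.

```python
import re

# Abridged from the chapter's sample file (same users/groups, fewer cmd blocks).
SAMPLE_CONFIG = """\
#Must be same as router IOS "tacacs-server key"
key = tjelkprp
user=netops {
member=operator
login=cleartext dilbert
}
user=rpadjen {
default service=permit
login=cleartext yummy
}
group=operator {
name="Network Operator"
cmd=show {
permit .*
}
cmd=write {
permit terminal
}
}
user=shayna {
member=operator_plus
login=cleartext flatshoe
}
group=operator_plus {
cmd=show {
permit .*
}
cmd=configure {
permit terminal
}
cmd=no {
permit shutdown
}
}
"""


class Principal:
    """One user= or group= block."""
    def __init__(self, name):
        self.name, self.member, self.default_permit = name, None, False
        self.cmds = {}    # command -> [(action, regex), ...]
        self.attrs = {}   # login=, name=, ...


def parse_config(text):
    """Line-oriented parser for the user/group/cmd subset of the file format."""
    users, groups, settings = {}, {}, {}
    current = cmd = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"^(user|group)=(\S+)\s*\{$", line)
        if m:
            current = Principal(m.group(2))
            (users if m.group(1) == "user" else groups)[current.name] = current
        elif re.match(r"^cmd=\S+\s*\{$", line) and current is not None:
            cmd = line[4:].split()[0]
            current.cmds.setdefault(cmd, [])
        elif line == "}":
            if cmd is not None:
                cmd = None
            else:
                current = None
        elif cmd is not None:                        # permit/deny regex in a cmd block
            action, _, pattern = line.partition(" ")
            if action not in ("permit", "deny"):
                raise ValueError("bad rule %r in cmd=%s" % (line, cmd))
            current.cmds[cmd].append((action, pattern.strip()))
        elif current is not None:                    # attribute in a user/group block
            if line == "default service=permit":
                current.default_permit = True
            elif line.startswith("member="):
                current.member = line[len("member="):]
            else:
                k, _, v = line.partition("=")
                current.attrs[k.strip()] = v.strip().strip('"')
        else:                                        # top-level setting such as key = ...
            k, _, v = line.partition("=")
            settings[k.strip()] = v.strip()
    return users, groups, settings


def authorize(users, groups, username, command, args=""):
    """True if username may run `command args` under the assumed semantics above."""
    principal, seen = users.get(username), set()
    while principal is not None and id(principal) not in seen:
        seen.add(id(principal))                     # guard against member= loops
        for action, pattern in principal.cmds.get(command, []):
            if re.search(pattern, args):
                return action == "permit"
        if principal.default_permit:
            return True
        principal = groups.get(principal.member) if principal.member else None
    return False
```

Running authorize against the parsed file reproduces the text's description: netops may run show commands but not configure terminal, shayna may run configure terminal and no shutdown but not an arbitrary no command, and rpadjen may run anything.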

Authorization Configuration

Authorization defines the network services that are available to an individual or group. It provides
an easy means of allowing privileged-mode (enable-mode) access while restricting the
commands that can be executed. For example, you might want to isolate most enable commands
to a single administrator or manager, while allowing operators to perform limited diagnostic
functions. More experienced operators would be granted higher levels of authorization—
for example, they might be permitted to shut down an interface. The unrestricted enable-mode
administrator would be required for additional functions.
Use care in restricting administrative rights to the router. Although this is a
helpful option when allocating rights to vendors and other parties, too restrictive
a policy will lead to the distribution of the unrestricted account information,
which can create a larger security risk.

Catalyst Switch Configuration

On the Cisco Catalyst series switch platform running Catalyst Operating System (CatOS), the
authentication commands present themselves differently, but the resulting behavior is the same.
The following configuration, like the router configuration, uses TACACS+ for login and enable
(privileged) mode:
#tacacs+
set tacacs server 10.1.98.36 primary
set tacacs server 10.1.5.36
set tacacs attempts 3
set tacacs directedrequest disable
set tacacs key tjelkprp
set tacacs timeout 5
set authentication login tacacs enable
set authentication login local enable
set authentication enable tacacs enable
set authentication enable local enable

Again, this configuration is an excerpt from the Catalyst switch configuration file, displayed
with the show config command. Two TACACS+ servers are defined; notice that one is designated
primary. On the router, the first server listed defaults to primary, but the switch allows the
primary to be chosen explicitly by using the primary keyword.
Don’t be too concerned with understanding the switch configuration; the test focuses only on
the router-based commands. The configuration is provided here so readers who have not
previously experienced Catalyst commands can become familiar with them. The remainder of
this chapter focuses only on the router commands.

The switch commands in this chapter are based on version 4.5.5 of the Catalyst
code. There might be minor differences with other versions. show config or
write terminal are often used to show the configuration information.

Authentication Configuration

Authentication is configured differently on Cisco routers and switches; however, the general parameters
are similar. In broad terms, the administrator must first instruct the device to use an authentication
protocol and then provide the IP address for communications to the security server.
Router Configuration
The following is extracted from the full configuration file of the router to highlight the commands
used for AAA configuration:
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+

tacacs-server host 10.1.98.36
tacacs-server host 10.1.5.36
tacacs-server key tjelkprp
The preceding output is an example of a typical router configuration. This output starts the
AAA service, establishes authentication services for both the login and enable processes, and
audits the start and end times of each access. The two TACACS+ servers noted here are defined,
and the preshared key is assigned.
In this example (which uses TACACS+), the aaa authentication command is used to
define the type of authentication protocol. The enable keyword at the end of the two authentication
commands allows the local enable secret password to be used if network connectivity is lost
between the security server and the router. (If no enable secret is defined, the enable password
is used instead, which is not recommended from a security perspective.) This fallback can itself
be considered a security risk; however, the risk is minor, considering that the attacker would
have to physically access the router or compromise the internal network sufficiently to change
routes or block packets. Here, the tacacs-server command is used to define the IP address of
each TACACS+ server, and the server key provides basic security over the communications link
to the security server. Note that this configuration also includes an aaa accounting command,
which instructs the router to log the start and stop times of each exec session to the TACACS+
server.
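The points made about this configuration (fallback when the server is unreachable, the shared key, accounting, enable secret versus enable password) can be turned into an automated check. The following Python is an added example written for this page, not Cisco code: audit_aaa reads an IOS configuration excerpt and reports the weaknesses the section discusses. The check identifiers and the second, deliberately weak configuration are constructed for the example; the method keywords it recognises (tacacs+, radius, group, enable, local, line, none) are standard IOS authentication list methods.

```python
import re

# Router configuration excerpt from the chapter, used as the checker's input.
ROUTER_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
aaa accounting exec start-stop tacacs+
tacacs-server host 10.1.98.36
tacacs-server host 10.1.5.36
tacacs-server key tjelkprp
"""

# Constructed counter-example (not from the chapter) showing the weaknesses the text warns about.
WEAK_CONFIG = """\
aaa authentication login default tacacs+ none
tacacs-server host 10.1.98.36
enable password sample-password
"""

SERVER_METHODS = {"tacacs+", "radius", "group"}   # "group <name>" is the newer list form
FALLBACK_METHODS = {"enable", "local", "line"}    # methods that still work with the server down


def audit_aaa(config):
    """Return a list of (check_id, message) findings for an IOS AAA configuration excerpt."""
    lines = [l.strip() for l in config.splitlines() if l.strip() and not l.startswith("!")]
    findings = []
    if "aaa new-model" not in lines:
        findings.append(("AAA-NEWMODEL", "aaa new-model is missing; the aaa commands have no effect"))
    for line in lines:
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)", line)
        if not m:
            continue
        kind, list_name, methods = m.group(1), m.group(2), set(m.group(3).split())
        if "none" in methods:
            findings.append(("AAA-NONE", "%s list %s falls back to none (no authentication)" % (kind, list_name)))
        elif not (FALLBACK_METHODS & methods):
            findings.append(("AAA-NOFALLBACK", "%s list %s has no local fallback; losing the server locks out administrators" % (kind, list_name)))
        if not (SERVER_METHODS & methods):
            findings.append(("AAA-LOCALONLY", "%s list %s uses no security server" % (kind, list_name)))
    hosts = [l for l in lines if l.startswith("tacacs-server host ")]
    if hosts and not any(l.startswith("tacacs-server key ") for l in lines):
        findings.append(("TAC-NOKEY", "tacacs-server key not set; TACACS+ traffic is unprotected"))
    if len(hosts) == 1:
        findings.append(("TAC-ONEHOST", "only one TACACS+ server defined; no redundancy"))
    if not any(l.startswith("aaa accounting ") for l in lines):
        findings.append(("AAA-NOACCT", "no aaa accounting command; sessions leave no audit trail"))
    has_password = any(l.startswith("enable password ") for l in lines)
    has_secret = any(l.startswith("enable secret ") for l in lines)
    if has_password and not has_secret:
        findings.append(("EN-PASSWORD", "enable password used without enable secret"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("chapter config", ROUTER_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name, audit_aaa(cfg) or "no findings")
```

The chapter's excerpt passes every check; the weak configuration trips six, including the none fallback, which is the one a reviewer should never let through on a default list.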

AAA Configuration

Although AAA was designed to centralize access control, it still requires configuration on each
and every network device. Fortunately, after AAA is configured, there are few instances when
the administrator will need to alter its configuration—for example, when the encryption key is
changed. Aside from such minor alterations, all changes—including those for user accounts—
are invoked at the security server. This configuration process lets the router or access device
know about the type of security to be used, the location of the security server, and the passwords
or other information needed to facilitate communications.
In addition to these configuration commands, the administrator must establish
network-level connectivity between the access device and the security server.
This might require access list modification or route entries.

Table 32.3 outlines some of the AAA commands, including those for authentication and
accounting. The configurations that relate to these commands are shown later in this section.

TABLE 32.3 Overview of AAA Commands and Configuration

aaa new-model
    Enables AAA services on the router. new-model reflects changes from the initial
    implementation, which is no longer supported. In the absence of other AAA commands, the
    local database will be used for username and password. If no database is present and no
    other AAA method is specified, this command will lock out the router.

aaa authentication login default tacacs+ enable
    Configures TACACS+ to be the default method used for login-level access. If TACACS+ is
    unavailable, use the local enable password.

aaa authentication enable default tacacs+ enable
    Configures TACACS+ to be the default method used for enable-level access. If TACACS+ is
    unavailable, use the local enable password.

aaa accounting exec start-stop tacacs+
    Configures the accounting process, logging the start and stop times of each exec session
    access.

tacacs-server host 10.1.98.36
    Specifies the IP address of the TACACS+ server. The single-connection parameter can be
    used to improve performance by maintaining a single TCP session as opposed to starting a
    separate session for each authentication.

tacacs-server key tjelkprp
    Specifies the encryption key to be used for communications between the router and
    TACACS+ server.

Packet-Mode Connections

Packet-mode connections include most dial-up connections, including the following:
- async
- group-async
- serial
- ISDN BRI
- ISDN PRI
Packet-mode connections typically secure connections that pass traffic through the network
device. You use the ppp, network, and arap AAA commands to control packet-mode connections.
Table 32.2 offers a list with explanations of these commands.
These sections do not provide a complete breakdown of all possible commands,
but instead they introduce the more common commands. Please refer
to the documentation specific to your version of the IOS for a current listing of
all commands and options or use the incorporated Help function.

TABLE 32.2 Packet-Mode Authentication Commands

aaa authentication ppp user if-needed tacacs+
    AAA is used for PPP packet-mode challenges. The list user is used first, and if
    unsuccessful, TACACS+ will be used.

aaa authorization network tacacs+ if-authenticated
    TACACS+ is used to determine whether the user is permitted to make packet-mode
    connections if the user is authenticated.

interface async16
ppp authentication chap user
    This is a new command for this chapter in that it associates an AAA function with an
    interface. Specifically, line async16 is instructed to use the list user for CHAP
    authentication. Note that an AAA server (RADIUS, and so on) is not used.

Character-Mode Connections

Character-mode connections describe character-based access, including access via the VTY,
TTY, AUX (auxiliary), and CON (console) ports. Although such access might be through a
packet-based network—Telnet, for example—the connection is still viewed as being character
based. The AAA commands that configure character-mode access are as follows:
- login
- exec
- nasi
- connection
- arap
- enable
- command
Character-mode access usually includes connections only to the router or network device.
Table 32.1 includes explanations of these commands.

TABLE 32.1 Character-Mode Authentication and Authorization Commands

aaa authentication enable default tacacs+ enable
    Uses TACACS+ to determine whether the user can access enable mode. If TACACS+ is
    unavailable, the local enable password will be used.

aaa authorization exec tacacs+ local
    Determines whether the user is allowed access to the EXEC shell. This example provides
    for TACACS+ authentication, and should TACACS+ fail, it permits authorization via the
    local database. The local database is populated with the username command.

aaa authorization command n tacacs+ local
    Runs authorization for all commands at privilege level n (a number between 0 and 15).
    Every line entered by a user can be controlled and authorized by TACACS+, although
    performance can suffer.

username user password password
    Creates or adds to the local database with a username of user and the password of
    password. This database is stored in the router’s configuration file in NVRAM (nonvolatile
    random access memory), and it can be accessed upon authentication failure depending on
    configuration.

Router Access Modes

A Cisco router can be accessed by using one of two access modes. These are broadly categorized
as character mode and packet mode. In essence, the difference between these modes can be best
understood by looking at the commands that configure character and packet modes. You
should understand the difference in the modes and use this section as an introduction to the configuration
command syntax.

How AAA Works

It is important to remember that AAA is simply a grouping of three security functions—authentication,
authorization, and accounting. Most texts examine each component as an isolated process,
and although this is perhaps more accurate, here they have been placed into a three-step
process to better communicate the interactions between each service. For example, it is perfectly
valid to use only authentication and authorization while omitting accounting, but if you do so,
administrators will lose the auditing benefits that the accounting service provides.


Step 1: Authentication
Authentication is the first facet of the three security elements, and it provides a basis for the remaining
two components. Authentication provides the “who” in the AAA model. Like journalists who
ask themselves the questions they must answer to make their story good (Who?, What?, Where?,
When?, and How?), administrators need to ask who is involved in their system; it is one of the fundamental
pieces of information they need to set up their system. Unfortunately, in computing, as in
non-computing situations, it can be fairly simple to lie about one’s identity.
To facilitate the authentication process, most systems require both a username and a
password—it is hoped the password will be maintained in confidence in order to preclude
the potential of compromise. By requiring two elements of identity, the computer-based
system doubles the likelihood that the user is accurately identified.
However, it is possible to obtain, lie about, or guess both pieces of information. The likelihood
of accurate authentication is stronger if a physical element is added. In non-computing situations,
this might include a passport or driver’s license; in the computer world, it might include a token-based
device. As presented in the CiscoSecure section of this chapter, there are many products that
can provide this service as a software receiver of the physical code card data.

Step 2: Authorization
After the identity of the user has been established, a decision must be made regarding what
rights that user can exercise. This is called authorization, and it is assigned by the administrator
based on the requirements and business policies of the organization. An example of authorization
would include permissions to access a remote access device or the ability to print a file.
Because authentication and authorization are so involved and dependent on each other, they are
regarded as a single security component in most environments.
Step 3: Accounting
Whereas authentication and authorization work to prevent unauthorized access, accounting
provides a means of verifying that only authorized users obtain access. In addition, accounting
is used to audit the actions of an authorized user.
An accounting record relies on the authenticity of the authentication process—a fraudulent
user might provide a valid login, but the accounting feature provides the audit trail required to
assess the damage. This log provides a record of when an activity occurred and what action was
performed—connecting to a router, for example.

CiscoSecure’s Response to Brute Force and Denial-of-Service Attacks

The CiscoSecure product, like other such products, has the capability to disable accounts automatically
in response to brute force attacks. This is accomplished by intruder detection, in which
the software assumes that the party is an intruder after a certain number of failed logins. A brute
force attack is one in which the attacker bombards the system with login attempts. Ultimately,
such an attack can lead to access—especially when passwords and account information are relatively
simple. By detecting such an attack, products can disable the account before it is compromised.
Frequently, such logic is limited to the number of attempts per unit of time, however. For
example, a brute force rule might allow five bad login attempts per hour before locking the
account for a day, or it might detect three bad passwords and then lock the account until the
administrator releases it.
Unfortunately, most solutions to a brute force attack lead to another type of attack: denial-of-service.
A denial-of-service attack usually does not lead to the access of private information;
rather, as the name suggests, it prevents legitimate users from obtaining that data or
using the resource. Administrators must balance the impact of brute force compromises
against the potential of blocking access to legitimate users as a result of this protection. As
with most products, including CiscoSecure and others, the responsibility to balance access
control with access is placed on the administrator.
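The two lockout rules quoted above, and the denial-of-service trade-off they carry, can be modelled in a few dozen lines. The following Python is an added example for this page, not CiscoSecure code: LoginGuard counts failed logins inside a sliding window, locks the account for a fixed period or until an administrator releases it, and the two scenario functions replay the rules from the text. The class name, the parameter names and the usernames in the scenarios are assumptions constructed for the example.

```python
from collections import deque
from datetime import datetime, timedelta


class LoginGuard:
    """Failed-login tracking with automatic lockout (example code, not CiscoSecure's own).

    max_failures  failures tolerated inside `window`; the next failure locks the account
    lockout       how long the lock lasts, or None to keep it until release() is called
    """
    def __init__(self, max_failures=5, window=timedelta(hours=1), lockout=timedelta(days=1)):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self._failures = {}   # user -> deque of failure times still inside the window
        self._locked = {}     # user -> unlock time, or None for "until an administrator releases it"

    def is_locked(self, user, now):
        if user not in self._locked:
            return False
        until = self._locked[user]
        if until is None or now < until:
            return True
        del self._locked[user]            # lock has expired; start with a clean slate
        self._failures.pop(user, None)
        return False

    def attempt(self, user, password_ok, now):
        """Record one login attempt and return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked"               # a locked account is refused even with the right password
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        recent = self._failures.setdefault(user, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()              # only failures inside the window count
        if len(recent) > self.max_failures:
            self._locked[user] = None if self.lockout is None else now + self.lockout
            return "locked"
        return "denied"

    def release(self, user):
        """Administrator action that clears a lock."""
        self._locked.pop(user, None)
        self._failures.pop(user, None)


def scenario_five_per_hour():
    """Rule 1 from the text: five bad attempts per hour are allowed, then locked for a day."""
    guard = LoginGuard(max_failures=5, window=timedelta(hours=1), lockout=timedelta(days=1))
    t0 = datetime(2003, 5, 14, 9, 0, 0)
    results = [guard.attempt("netops", False, t0 + timedelta(minutes=i)) for i in range(6)]
    # The legitimate user is now refused too: this is the denial-of-service side of the rule.
    results.append(guard.attempt("netops", True, t0 + timedelta(minutes=10)))
    results.append(guard.attempt("netops", True, t0 + timedelta(days=1, minutes=10)))
    return results


def scenario_three_then_release():
    """Rule 2 from the text: three bad passwords lock the account until an administrator releases it."""
    guard = LoginGuard(max_failures=2, window=timedelta(hours=1), lockout=None)
    t0 = datetime(2003, 5, 14, 9, 0, 0)
    results = [guard.attempt("shayna", False, t0 + timedelta(minutes=i)) for i in range(3)]
    results.append(guard.attempt("shayna", True, t0 + timedelta(days=30)))   # still locked
    guard.release("shayna")
    results.append(guard.attempt("shayna", True, t0 + timedelta(days=30, minutes=1)))
    return results


if __name__ == "__main__":
    print(scenario_five_per_hour())
    print(scenario_three_then_release())
```

The sliding window matters for the balance the text describes: a user who mistypes twice on Monday and once on Tuesday is not locked under a one-hour window, whereas a lifetime counter would eventually lock every real user, pushing administrators toward disabling the protection altogether.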


Authentication, Authorization, and Accounting

Regarded as distinct elements, authentication, authorization, and accounting (AAA) all work cooperatively
to establish and enforce a security model. This model is the result of a security policy, which
should define an overall set of standards that will be used by the organization to secure and protect
its assets. This policy can include definitions of access rights that will be assigned to different groups
and the protocols that will be used for various functions. For example, one policy statement might
include that TACACS+ is the sole protocol used and that SSH, a secure tool used for administration,
is preferred over Telnet.

It is important to understand how authentication, authorization, and accounting work
together to promote and support a security model. In this chapter, you will learn about how
AAA works, as well as how AAA functions in Cisco’s router access modes. AAA services are
the basic tenet of Cisco remote access solutions, and, although their presentation has been left
to the end of the book, you should find that the Physical and Network layers supplement these
concepts well. This includes physical security, the use of access lists, static or authenticated IP
routing, and other security techniques.

CiscoSecure

The CiscoSecure product is Cisco’s security server solution. This product incorporates many
services, including TACACS+ and RADIUS servers, as well as logging functionality.
CiscoSecure uses web-based interfaces and Java to provide multiple administrators with
access to the server. Though the product supports both Internet Explorer and Netscape, it ships
with a Netscape FastTrack Server, and some administrators find it to be more reliable with the
Netscape client. CiscoSecure also relies on a relational database to manage accounts and store
information—currently it supports the Oracle and Sybase database platforms.
For enhanced security, administrators can choose to use one-time challenge tokens. These tokens
provide for the use of a different password for each login—a tactic that prevents session replay and
other techniques that would otherwise compromise security. Token cards from CRYPTOCard,
Enigma Logic, and Security Dynamics Technologies are supported with CiscoSecure.