Wednesday 24 February 2010

Setting up Authentication using New-Model AAA

One of the tasks required in the ISCW part of the CCNP, which I'm sure will make it across into the new exams, is the topic of Router Security.

The first and easiest part of setting up router security is locking down the various access paths to the router using AAA or Authentication, Authorisation and Accounting.

This engine on Cisco devices allows you to set up a range of rules on a device to lock down access, authorise users, authenticate sources, and log changes and access; in fact, pretty much anything you do on the router.

Historically, older methods of AAA have revolved around line-level passwords and secrets. These were user-set passwords on the various access points of the router, intended to stop someone from logging directly onto the device and making changes.

Depending on the configuration, the passwords themselves were either not encrypted or very weakly encrypted using a reversible scheme. When Cisco later introduced "secrets", which were effectively just passwords stored as a one-way MD5 hash to make them much more difficult to recover, they added some longevity, but ultimately the management overheads and security risks have made the old line-level approach largely obsolete.

It is worth noting at this point that if you still use Telnet to connect to remote devices, all the password encryption in the world on the device is worthless, because a simple inline packet sniffer like Wireshark or a man-in-the-middle replay attack will show the password being sent in plain text, or replay it at the device, giving the attacker full access.

All that aside, enabling the AAA engine itself is very easy:

aaa new-model

This turns the engine on and immediately supersedes all line-level passwords and old methods of authentication. With this in mind, if you lose your connection to the router at any stage you will not be able to get back on, as there are no rules yet to govern the Auth part of AAA, and the default is to allow no access unless a method list is configured to allow "none". (A simple reboot will, however, return you to the old setup, provided you have not saved the configuration.)

Once the engine is enabled, the next step is to decide which database you want to authenticate against. There are three common options: the local database on the device itself, a TACACS+ server or a RADIUS server.

There are pros and cons to each which I will cover in another article.

Using the local database

This is the option for when you don't have a remote authentication database. It means you still have to set up users on each device, as with the older method, but it has its pluses, including the ability to set up per-user access levels and responsibilities.

An example config would be:

Router>en
Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#username TestUser secret TestPass
Router(config)#aaa authentication login default local none
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#line con 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#exit
Router#
*Aug 7 19:02:26.223: %SYS-5-CONFIG_I: Configured from console by console


This would set up a username and password for logging onto the router via either the VTY lines or the console port.

By using a secret rather than a password, the credential is stored hashed in the config by default. Please note, however, that as SSH is not yet configured, access is via Telnet, which is unencrypted. Also, this basic access does not cover enable mode, so once on, enable has no password.

By using the methods "local none" on the default list, the router tries those methods in order: the local database first, and if no usernames exist there, no authentication at all.

This means that if for any reason the usernames and passwords are wiped, you can still get onto the box, but at a security risk, as no authentication will be used.

If you had specified simply "local", then in the event of no username or password being available you would still get the prompt, but every login attempt would fail, meaning you would be locked out if the config had been saved.

*** Important *** Be very careful when entering usernames and passwords. The router counts ALL characters, including a space!
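The local-database config above with the gaps the text points out closed (Telnet in the clear, no enable password, the "none" fallback). This is an added example, not config from the original post; the hostname, domain name and credentials are placeholders.

```text
! Added example: hardened local-database login. Hostname, domain and credentials are placeholders.
hostname Router
ip domain-name example.local
! SSH needs an RSA host key; generate it after the hostname and domain name are set
crypto key generate rsa modulus 2048
ip ssh version 2
!
aaa new-model
username TestUser privilege 15 secret TestPass
! Protect enable mode; otherwise it is left with no password after aaa new-model
enable secret EnableSecret
! "local" only, no "none" fallback: a wiped user database locks you out rather than
! letting anyone in. Keep your console session open until a fresh login has been tested.
aaa authentication login default local
aaa authentication enable default enable
!
line con 0
 login authentication default
line vty 0 4
 login authentication default
 ! Telnet is plain text; allow only SSH on the VTY lines
 transport input ssh
```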

Using TACACS+ or RADIUS

Setting up TACACS+ requires first setting up the server details, usually just a matter of the IP address and the shared key:

tacacs-server host 127.0.0.1 key 12345

(note the IP address and key are just for example purposes)

Then set up the AAA authentication accordingly:

aaa authentication login TACACS1 group tacacs+ local

Rather than setting the default method list, this command defines a named list called TACACS1 (the name is arbitrary) which uses the listed methods in order: TACACS+ first, and if that fails, the local database. If no local database is present, no authentication method will succeed and you will not be able to access the device.

By failure of the TACACS+ method I mean a failure in the response or availability of the TACACS+ server, not the server rejecting the login. In the event of an authentication rejection on the primary method, no further method is tried.

RADIUS is effectively the same thing:
radius-server host 1.2.3.4 key ABCDE
aaa authentication login RADIUS group radius local


As above, we create a list called RADIUS that authenticates against the RADIUS server listed.

There are extended options on the RADIUS and TACACS+ commands for things like timeouts, retries, etc., but those can be covered another day or learned independently as required.
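The TACACS1 list above is defined but never applied to a line, and enable mode is still unprotected. This added example (not from the original post) applies the list to the VTY lines, keeps a local fallback account for when the server is unreachable, and sends enable authentication to TACACS+ too; the server address, key and credentials are placeholders, as in the post.

```text
! Added example: applying the TACACS1 list with local fallback. Server address, key and
! credentials are placeholders.
aaa new-model
tacacs-server host 127.0.0.1 key 12345
!
! Fallback account: used only when the TACACS+ server does not respond,
! not when it rejects the credentials (see the note on failure above)
username Fallback privilege 15 secret FallbackPass
enable secret EnableSecret
!
aaa authentication login TACACS1 group tacacs+ local
! Enable mode: ask TACACS+ first, fall back to the local enable secret if the server is down
aaa authentication enable default group tacacs+ enable
!
line vty 0 4
 login authentication TACACS1
 transport input ssh
!
! Console stays on the local database so you can still get on if the path to the server is gone
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```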


Custom authentication actions

If you are so inclined, there are custom actions you can set on the authentication, such as the fail-message when authentication is rejected or the banner shown when you log in. With some manipulation I've created:

Press RETURN to get started.



None Shall Pass!
WhoGoesThere:Dave
ProveYourself:
Welcome to Fail, Population = You!
WhoGoesThere:

This is achieved with the config:

aaa authentication banner ^C None Shall Pass! ^C
aaa authentication fail-message ^C Welcome to Fail, Population = You! ^C
aaa authentication password-prompt ProveYourself:
aaa authentication username-prompt WhoGoesThere:



Hope that's useful for you all, have fun and enjoy!