Why use a centralised server?
Once we start dealing with a large number of devices – many companies can be well into the hundreds or thousands of devices – we need a way of maintaining an always up to date centralised solution to user access control. It saves us having to configure each device every time a user is added or removed, and means is much tighter as it can be all too easy to forget to remove an administrator once they’ve left company. Because this is a blog on Cisco security, we’ll talk about Cisco’s product – ACS.
One of the benefits of ACS is that it can plugin to a Microsoft AD server, so that when a device queries the ACS, it then queries the AD server as to a user’s credentials. It can also use various other external databases, thus removing the need to maintain multiple copies of a user’s credentials dotted around the network.
ACS can be run on top of a Widows server, be a dedicated appliance bought from Cisco, or be installed in a VMWare environment.
There are two protocols to choose from for communication between devices and the ACS, RADIUS and TACACS+. Usually authentication and authorisation for CLI access will be performed over TACACS+, whereas RADIUS would be more likely to be used to authorise users who are sending packets over a network device such as through a VPN. RADIUS is an open IETF standard, whereas TACACS is a Cisco proprietary tool, although it is extremely widely used. TACACS allows much more granular control and can separate the AAA elements into distinct parts, whereas RADIUS combines many of these functions together. TACACS uses TCP whereas RADIUS uses UDP. TACACS also encrypts all packets between the server and end devices whereas RADIUS only encrypts the password. RADIUS however provides a much more detailed accounting capability than TACACS.
Configuring a router to communicate with a ACS
First let’s configure two routers in GNS3 that can talk to each other, to ensure we can get a response to pings at least.
First we want to make sure we can ping the second router:
R1#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/44/52 ms
Now we configure our basic set up – two lists, one for authentication and one for authorisation, both use tacacs and failback to local if tacacs is unreachable. Then we define our tacacs server with the key, create a username for local login and add the two lists to the remote login ports.
R1(config)#aaa new-model
R1(config)#aaa authentication login AUTHLIST group tacacs+ local
R1(config)#aaa authorization exec EXECLIST group tacacs+ local
R1(config)#username admin privilege 15 secret cisco
R1(config)#tacacs-server host 10.0.0.2 key tacacskey
R1(config)#line vty 0 4
R1(config-line)#authorization exec EXECLIST
R1(config-line)#login authentication AUTHLIST
Now with everything in place, let’s turn the debugging on and have a look at what happens under the hood.
R1#debug tacacs
TACACS access control debugging is on
Basically what happens below is that we initiate a connection to ourselves, the device attempts a connection to the ACS server and when that fails (you can see the 5 sec timeout), it moves onto the local database, which is why we were able to log in successfully. You could also use the ‘debug aaa authentication’ and ‘debug aaa authorization’ commands.
R1#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
User Access Verification
Username:
*Nov 25 14:28:42.279: TPLUS: Queuing AAA Authentication request 13 for processing
*Nov 25 14:28:42.283: TPLUS: processing authentication start request id 13
*Nov 25 14:28:42.283: TPLUS: Authentication start packet created for 13()
*Nov 25 14:28:42.283: TPLUS: Using server 10.0.0.2
*Nov 25 14:28:42.291: TPLUS(0000000D)/0/NB_WAIT/684303B0: Started 5 sec timeout
*Nov 25 14:28:42.311: TPLUS(0000000D)/0/NB_WAIT: socket event 2
*Nov 25 14:28:42.311: TPLUS(0000000D)/0/NB_WAIT: write to 10.0.0.2 failed with errno 257((ENOTCONN))
*Nov 25 14:28:42.315: TPLUS: Authentication start packet created for 13()
*Nov 25 14:28:42.319: TPLUS(0000000D)/0/684303B0: Processing the reply packet
Username: admin
Password:
R1#
*Nov 25 14:28:51.731: TPLUS: Queuing AAA Authorization request 13 for processing
*Nov 25 14:28:51.735: TPLUS: processing authorization request id 13
*Nov 25 14:28:51.735: TPLUS: Protocol set to None .....Skipping
*Nov 25 14:28:51.739: TPLUS: Sending AV service=shell
*Nov 25 14:28:51.739: TPLUS: Sending AV cmd*
*Nov 25 14:28:51.739: TPLUS: Authorization request created for 13(admin)
*Nov 25 14:28:51.739: TPLUS: using previously set server 10.0.0.2 from group tacacs+
*Nov 25 14:28:51.747: TPLUS(0000000D)/0/NB_WAIT/68430BA8: Started 5 sec timeout
*Nov 25 14:28:51.815: TPLUS(0000000D)/0/NB_WAIT: socket event 2
*Nov 25 14:28:51.815: TPLUS(0000000D)/0/NB_WAIT: write to 10.0.0.2 failed with errno 257((ENOTCONN))
*Nov 25 14:28:51.819: TPLUS: Protocol set to None .....Skipping
*Nov 25 14:28:51.819: TPLUS: Sending AV service=shell
*Nov 25 14:28:51.823: TPLUS: Sending AV cmd*
*Nov 25 14:28:51.823: TPLUS: Authorization request created for 13(admin)
*Nov 25 14:28:51.823: TPLUS: Choosing next server 10.0.0.2
*Nov 25 14:28:51.831: TPLUS(0000000D)/1/NB_WAIT/68430BA8: Started 5 sec timeout
*Nov 25 14:28:51.835: TPLUS(0000000D)/68430BA8: releasing old socket 0
*Nov 25 14:28:51.919: TPLUS(0000000D)/1/NB_WAIT: socket event 2
*Nov 25 14:28:51.919: TPLUS(0000000D)/1/NB_WAIT: write to 10.0.0.2 failed with errno 257((ENOTCONN))
*Nov 25 14:28:51.919: TPLUS: Protocol set to None .....Skipping
*Nov 25 14:28:51.923: TPLUS: Sending AV service=shell
*Nov 25 14:28:51.923: TPLUS: Sending AV cmd*
*Nov 25 14:28:51.923: TPLUS: Authorization request created for 13(admin)
*Nov 25 14:28:51.927: TPLUS: Choosing next server 10.0.0.2
*Nov 25 14:28:51.935: TPLUS(0000000D)/0/NB_WAIT/68430BA8: Started 5 sec timeout
*Nov 25 14:28:51.935: TPLUS(0000000D)/68430BA8: releasing old socket 1
*Nov 25 14:28:52.047: TPLUS(0000000D)/0/NB_WAIT: socket event 2
*Nov 25 14:28:52.047: TPLUS(0000000D)/0/NB_WAIT: write to 10.0.0.2 failed with errno 257((ENOTCONN))
*Nov 25 14:28:52.051: TPLUS: Protocol set to None .....Skipping
*Nov 25 14:28:52.051: TPLUS: Sending AV service=shell
*Nov 25 14:28:52.051: TPLUS: Sending AV cmd*
*Nov 25 14:28:52.055: TPLUS: Authorization request created for 13(admin)
*Nov 25 14:28:52.055: TPLUS(0000000D)/0/68430BA8: Processing the reply packet
No comments:
Post a Comment