CNIT 221 Security 1 ver.2
Module 5
City College of San Francisco
Spring 2006
© 2004, 2005 Cisco Systems, Inc. All rights reserved.

Slide 1: Network Security 1
Module 5 – Cisco Secure Access Control Server

Slide 2: Learning Objectives
• 5.1 Cisco Secure Access Control Server for Windows
• 5.2 Configuring RADIUS and TACACS+ with CSACS

Slide 3: Module 5 – Cisco Secure Access Control Server
5.1 Cisco Secure Access Control Server for Windows

Slide 4: Cisco Access Control Server
• Cisco Secure Access Control Server (ACS) network security software helps you authenticate users by controlling access to an AAA client.
  – Router, switch or VPN Concentrator
• The AAA client can be any one of many network devices that can be configured to defer authentication and authorization of network users to an AAA server.
  – AAA - Authentication, Authorization and Accounting
  – AAA can be implemented on a device locally or managed from a central server running RADIUS or TACACS+ protocols.

Slide 5: Cisco Secure ACS Products
[Diagram: Remote client (Dial-up) – PSTN/ISDN – NAS – Cisco Secure ACS for Windows Server; Remote client (VPN Client) – Internet – Router – Cisco Secure ACS Solution Engine; Console]

Slide 6: What Is Cisco Secure ACS for Windows Server?
• Provides AAA services to network devices that function as AAA clients, such as routers, NASs, PIX Security Appliances, or VPN Concentrators
• Helps centralize access control and accounting, in addition to router and switch access management
• Allows network administrators to quickly administer accounts and globally change levels of service offerings for entire groups of users
• Although the use of an external user database is optional, Cisco Secure ACS for Windows Server supports many popular user repository implementations
• Uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment
• Can authenticate against many popular token servers
• Cisco Secure ACS supports any token server that is a RADIUS server compliant with IETF RFC 2865.

Slide 7: Cisco Secure ACS General Features
[Diagram: NAS – TACACS+ / RADIUS – Cisco Secure ACS for Windows Server; NAS authentication methods PAP, CHAP, MS-CHAP]
• Uses TACACS+ or RADIUS between Cisco Secure ACS and NAS
• Allows authentication against Windows 2000 user database, ACS user database, token server, or other external databases
• Supports PAP, CHAP, and MS-CHAP authentication on the NAS

Slide 8: Authentication and User Databases
• Cisco Secure ACS supports several external user databases
  – Windows NT/2000 User Database
  – Generic LDAP
  – NDS
  – ODBC-compliant relational databases
  – CRYPTOCard token server
  – SafeWord token server
  – AXENT token server
  – RSA SecurID token server
  – ActivCard token server
  – Vasco token server

Slide 9: Cisco Secure ACS System Architecture
• Provides ACS to multiple Cisco authenticating devices
• Comprises several modular Windows 2000 services, operating together on one server
[Diagram: NAS 1, NAS 2 and NAS 3 connect to the TACACS+ service and RADIUS service; the other services on the same server are the Administration service, Authentication service, Authorization service, Logging service, Sync service and Monitor service]

Slide 10: Cisco Secure ACS Windows Services
• CSAdmin—Provides the HTML interface for administration of Cisco Secure ACS.
• CSAuth—Provides authentication services.
• CSDBSync—Provides synchronization of the CiscoSecure user database with an external RDBMS application.
• CSLog—Provides logging services, both for accounting and system activity.
• CSMon—Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
• CSTacacs—Provides communication between TACACS+ AAA clients and the CSAuth service.
• CSRadius—Provides communication between RADIUS AAA clients and the CSAuth service.

Slide 11: Cisco Secure ACS User Database
Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the Cisco Secure ACS user database.
[Diagram: NAS 1, NAS 2, NAS 3 – ACS user database]

Slide 12: Using the ACS Database Alone
[Diagram: Dial-up client – NAS – Windows 2000 Server running the ACS TACACS+ or RADIUS service and the ACS authentication and authorization service; labels on the NAS-to-ACS exchange: Username and password, Authentication, Authentication confirmed, Authorization, Authorization information, Accounting, Requests and responses; the Windows 2000 Server user login process and Windows 2000 user database are also shown]
NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
• Authentication of the client
• Authorization privileges assignment
• Accounting information destination
TACACS+ or RADIUS service directs the request to the appropriate administrative service.
Request is authenticated against ACS database, associated authorizations assigned, and accounting information logged.

Slide 13: Using the Windows Database
[Diagram: Dial-up client – NAS – Windows 2000 Server running the ACS TACACS+ or RADIUS service, the ACS authentication and authorization service, the Windows 2000 Server user login process and the Windows 2000 user database; labels on the exchange: Username and password, Authentication, Authentication confirmed, Authorization, Authorization information, Accounting, Requests and responses, RAS data grant dial]
NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
• Authentication of the client
• Authorization privileges assignment
• Accounting information destination
TACACS+ or RADIUS service directs the request to the appropriate administrative service.
Username or password sent to Windows 2000 database for authentication. If approved, confirmation and associated authorization assigned in ACS for that user are sent to NAS. Accounting information is logged.
Username or password submitted to Windows 2000 and Grant dial-in as a local user. Response is returned to ACS and authorizations assigned, which makes single login for dial-in access and network login possible.

Slide 14: Using External User Databases
[Diagram: NAS 1, NAS 2, NAS 3 – ACS user database – External user database]

Slide 15: Using Token Cards
[Diagram: Token card (3178454) – NAS – TACACS+ or RADIUS – Cisco Secure ACS – proprietary protocols – Token card server]
– LEAP proxy RADIUS servers
– RSA SecurID token servers
– RADIUS-based token servers, including:
  • ActivCard token servers
  • CRYPTOCard token servers
  • VASCO token servers
  • PassGo token servers
  • SafeWord token servers
  • Generic RADIUS token servers

Slide 16: User-Changeable Passwords
[Diagram: User – SSL connection (suggested) – UCP server on Windows 2000 Server (IIS 5.0) – 128-bit encrypted messaging – Cisco Secure ACS for Windows Server – NAS 1, NAS 2, NAS 3]

Slide 17: Module 5 – Cisco Secure Access Control Server
5.2 Configuring RADIUS and TACACS+ with CSACS

Slide 18: Gathering Answers for the Installation Questions
• Determine whether the computer that Cisco Secure ACS will be installed on is a domain controller or a member server.
• Determine which AAA protocol and vendor-specific attribute to implement.
• Record the name of the AAA client.
• Record the IP address of the AAA client.
• Record the IP address of the computer that Cisco Secure ACS will be installed on.
• Record the shared secret TACACS+ or RADIUS key.

Slide 19: Cisco Secure ACS for Windows Server: Installation Overview
– Task 1: Preconfigure Windows 2000 Server system.
– Task 2: Verify connection between Windows 2000 Server system and Cisco routers.
– Task 3: Install Cisco Secure ACS for Windows Server on the Windows 2000 Server system.
– Task 4: Initially configure Cisco Secure ACS for Windows Server via web browser.
– Task 5: Configure routers for AAA.
– Task 6: Verify correct installation and operation.

Slide 20: Administering Cisco Secure ACS for Windows Server

Slide 21: Troubleshooting
– Use the Failed Attempts Report under Reports and Activity as a starting point.
– Provides a valuable source of troubleshooting information.

Slide 22: Globally Enable AAA
[Diagram: NAS – Cisco Secure ACS for Windows Server at 10.1.2.4]
router(config)# aaa new-model

Slide 23: tacacs-server Commands
The two commands shown here can be used to share the key with all servers:
router(config)# tacacs-server key keystring
router(config)# tacacs-server key 2bor!2b@?
router(config)# tacacs-server host ipaddress
router(config)# tacacs-server host 10.1.2.4
or this command can be used for a single server:
router(config)# tacacs-server host ipaddress key keystring
router(config)# tacacs-server host 10.1.2.4 key 2bor!2b@?
Slide 24: AAA Configuration Commands
router(config)# aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]
router(config)# aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}
router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]

Slide 25: AAA TACACS+ Troubleshooting
router# debug tacacs
– Displays detailed information associated with TACACS+
router# debug tacacs events
– Displays detailed information from the TACACS+ helper process

Slide 26: debug aaa authentication Command – TACACS+ Example Output
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
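As an added example (not from the course slides or from Cisco), a small Python check that applies the point of the tacacs-server and AAA command slides above to a configuration fragment: a shared key must be set, `none` should not appear in a method list, and every authentication or authorization list should end in a method that still works when the ACS cannot be reached. The two fragments are constructed for this example from the page's sample server 10.1.2.4 and key, and the method keywords `tacacs+`, `local`, `enable` and `if-authenticated` from slide 24 are assumed.

```python
import re

# Constructed sample IOS fragments built from the commands on the preceding slides.
# WEAK_CONFIG depends entirely on the ACS (no fallback method, no shared key) and uses
# "none"; FIXED_CONFIG keeps the same ACS but adds the key and usable fallbacks.
WEAK_CONFIG = """
aaa new-model
tacacs-server host 10.1.2.4
aaa authentication login default tacacs+
aaa authentication enable default tacacs+ none
aaa authorization exec default tacacs+
"""

FIXED_CONFIG = """
aaa new-model
tacacs-server host 10.1.2.4 key 2bor!2b@?
aaa authentication login default tacacs+ local
aaa authentication enable default tacacs+ enable
aaa authorization exec default tacacs+ if-authenticated
aaa accounting exec default start-stop tacacs+
"""

# Methods that do not need the AAA server ("none" is deliberately excluded).
FALLBACK = {"local", "local-case", "enable", "line", "if-authenticated"}
METHOD_LIST = re.compile(
    r"^aaa (authentication|authorization) "
    r"(login|enable|ppp|arap|nasi|network|exec|reverse-access|commands \d+) "
    r"(\S+) (.+)$")
KEY_CMD = re.compile(r"^(tacacs|radius)-server (key \S+|host \S+ key \S+)")

def lint_aaa(config):
    """Return a list of findings (empty when the fragment passes every check)."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: method lists are not in effect")
    if not any(KEY_CMD.match(l) for l in lines):
        findings.append("no shared key: TACACS+/RADIUS packets are not protected")
    for l in lines:
        m = METHOD_LIST.match(l)
        if not m:
            continue
        kind, methods = m.group(1), m.group(4).split()
        where = f"aaa {kind} {m.group(2)} {m.group(3)}"
        if "none" in methods:
            findings.append(f"{where}: 'none' means no {kind} once earlier methods error out")
        elif not set(methods) & FALLBACK:
            findings.append(f"{where}: no fallback method, lockout if the server is unreachable")
    return findings
```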
Slide 27: debug tacacs Command Example Output – Failure
13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 10.1.1.4/49
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 10.1.1.4/49
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49

Slide 28: debug tacacs Command Example Output – Pass
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
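An added example, not part of the original slides: a Python parser for the `debug tacacs` output shown on the two slides above. It groups lines into sessions by the TACACS+ session id, records the GETUSER/GETPASS sequence and the final PASS or FAIL, and counts FAIL results per server, the router-side counterpart of the Failed Attempts Report mentioned on slide 21. A session that never reaches a final status (what an unreachable or timing-out server produces) is reported with result None. The sample text is the page's two outputs trimmed to the lines the parser uses, plus one constructed session with the made-up id 400000001 that gets no reply.

```python
import re
from collections import defaultdict

# Constructed sample: the "debug tacacs" lines from the failed and passing logins on
# the slides above, trimmed to the START and status lines this parser uses. The last
# line is a constructed session (id 400000001) that never receives a reply.
DEBUG_OUTPUT = """\
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+ (416942312): received authen response status = FAIL
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+ (383258052): received authen response status = PASS
14:05:30: TAC+: Sending TCP/IP packet number 400000001-1 to 10.1.1.4/49 (AUTHEN/START)
"""

START_RE = re.compile(r"^(\d\d:\d\d:\d\d): TAC\+: Sending TCP/IP packet number (\d+)-\d+ "
                      r"to (\S+) \(AUTHEN/START\)")
STATUS_RE = re.compile(r"^(\d\d:\d\d:\d\d): TAC\+ \((\d+)\): received authen response "
                       r"status = (\w+)")
FINAL = {"PASS", "FAIL", "ERROR"}  # statuses that end an authentication exchange

def parse_tacacs_debug(text):
    """Group debug lines into sessions keyed by TACACS+ session id.
    A session without a final status keeps result None (no usable server reply)."""
    sessions = {}
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            sessions[m.group(2)] = {"server": m.group(3), "statuses": [], "result": None}
            continue
        m = STATUS_RE.match(line)
        if m and m.group(2) in sessions:
            sessions[m.group(2)]["statuses"].append(m.group(3))
            if m.group(3) in FINAL:
                sessions[m.group(2)]["result"] = m.group(3)
    return sessions

def failures_per_server(sessions):
    """Count FAIL results per ACS address; a burst here is worth a look in the ACS report."""
    counts = defaultdict(int)
    for s in sessions.values():
        if s["result"] == "FAIL":
            counts[s["server"]] += 1
    return dict(counts)
```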
Slide 29: debug tacacs events Command Output
router# debug tacacs events
%LINK-3-UPDOWN: Interface Async2, changed state to up
00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 10.1.1.4/49
00:03:16: TAC+: periodic timer started
00:03:16: TAC+: 10.1.1.4 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued
00:03:17: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 46 of 46 bytes
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=61 wanted=61 alloc=61 got=49
00:03:22: TAC+: 10.1.1.4 received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed
00:03:22: TAC+: periodic timer stopped (queue empty)
00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 10.1.1.4/49
00:03:22: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 10.1.1.4/49
00:03:22: TAC+: periodic timer started
00:03:22: TAC+: 10.1.1.4 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued
00:03:23: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 41 of 41 bytes
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=21 wanted=21 alloc=21 got=9
00:03:23: TAC+: 10.1.1.4 received 21 byte reply for 3BD868
00:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed
00:03:23: TAC+: periodic timer stopped (queue empty)

Slide 30: RADIUS Server Command
The two commands shown here can be used to share the key with all servers:
router(config)# radius-server key keystring
router(config)# radius-server key 2bor!2b@?
router(config)# radius-server host {host-name | ipaddress}
router(config)# radius-server host 10.1.2.4
Or this command can be used for a single server:
router(config)# radius-server host ipaddress key keystring
router(config)# radius-server host 10.1.2.4 key 2bor!2b@?