CNIT 221 Security 1 ver.2
Module 5
City College of San Francisco
Spring 2006
© 2004, 2005 Cisco Systems, Inc. All rights reserved.
Network Security 1
Module 5 – Cisco Secure Access Control Server
Learning Objectives
• 5.1 Cisco Secure Access Control Server for Windows
• 5.2 Configuring RADIUS and TACACS+ with CSACS
Module 5 – Cisco Secure Access Control Server
5.1 Cisco Secure Access Control Server for Windows
Cisco Access Control Server
• Cisco Secure Access Control Server (ACS) network security software helps you authenticate users by controlling access to an AAA client.
– Router, switch or VPN Concentrator
• The AAA client can be any one of many network devices that can be configured to defer authentication and authorization of network users to an AAA server.
– AAA - Authentication, Authorization and Accounting
– AAA can be implemented on a device locally or managed from a central server running RADIUS or TACACS+ protocols.
Cisco Secure ACS Products
[Diagram: remote clients (dial-up over PSTN/ISDN, and a VPN Client over the Internet) reach a NAS or router; these AAA clients consult either Cisco Secure ACS for Windows Server or the Cisco Secure ACS Solution Engine. A console connection is also shown.]
What Is Cisco Secure ACS for Windows Server?
• Provides AAA services to network devices that function as AAA clients, such as routers, NASs, PIX Security Appliances, or VPN Concentrators
• Helps centralize access control and accounting, in addition to router and switch access management
• Allows network administrators to quickly administer accounts and globally change levels of service offerings for entire groups of users
• Although the use of an external user database is optional, Cisco Secure ACS for Windows Server supports many popular user repository implementations
• Uses the TACACS+ and RADIUS protocols to provide AAA services that ensure a secure environment
• Can authenticate against many popular token servers
– Cisco Secure ACS supports any token server that is a RADIUS server compliant with IETF RFC 2865.
Cisco Secure ACS General Features
[Diagram: the NAS exchanges TACACS+ or RADIUS with Cisco Secure ACS for Windows Server; the user-to-NAS authentication methods shown are PAP, CHAP and MS-CHAP.]
• Uses TACACS+ or RADIUS between Cisco Secure ACS and NAS
• Allows authentication against Windows 2000 user database, ACS user database, token server, or other external databases
• Supports PAP, CHAP, and MS-CHAP authentication on the NAS
Authentication and User Databases
• Cisco Secure ACS supports several external user databases
– Windows NT/2000 User Database
– Generic LDAP
– NDS
– ODBC-compliant relational databases
– CRYPTOCard token server
– SafeWord token server
– AXENT token server
– RSA SecurID token server
– ActivCard token server
– Vasco token server
Cisco Secure ACS System Architecture
• Provides ACS to multiple Cisco authenticating devices
• Comprises several modular Windows 2000 services, operating together on one server
[Diagram: NAS 1, NAS 2 and NAS 3 connect to one server running the administration, authentication, authorization, TACACS+, RADIUS, logging, sync and monitor services.]
Cisco Secure ACS Windows Services
• CSAdmin—Provides the HTML interface for administration of Cisco Secure ACS.
• CSAuth—Provides authentication services.
• CSDBSync—Provides synchronization of the CiscoSecure user database with an external RDBMS application.
• CSLog—Provides logging services, both for accounting and system activity.
• CSMon—Provides monitoring, recording, and notification of Cisco Secure ACS performance, and includes automatic response to some scenarios.
• CSTacacs—Provides communication between TACACS+ AAA clients and the CSAuth service.
• CSRadius—Provides communication between RADIUS AAA clients and the CSAuth service.
Cisco Secure ACS User Database
Cisco Secure ACS authorizes network services for users based upon group membership and specific user settings found in the Cisco Secure ACS user database.
[Diagram: NAS 1, NAS 2 and NAS 3 query the ACS user database.]
Using the ACS Database Alone
[Diagram: a dial-up client sends its username and password to the NAS; the NAS exchanges requests and responses with the ACS TACACS+ or RADIUS service on a Windows 2000 Server, which passes authentication, authorization and accounting to the ACS authentication and authorization service. Authentication is confirmed, authorization information is returned, and accounting is recorded. The Windows 2000 Server user login process and Windows 2000 user database also appear in the figure.]
NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
• Authentication of the client
• Authorization privileges assignment
• Accounting information destination
TACACS+ or RADIUS service directs the request to the appropriate administrative service.
Request is authenticated against ACS database, associated authorizations assigned, and accounting information logged.
Using the Windows Database
[Diagram: the same components as the previous slide, except that the ACS authentication and authorization service hands the credentials to the Windows 2000 Server user login process, which checks the Windows 2000 user database.]
NAS is directed to Cisco Secure ACS for Windows Server for AAA services:
• Authentication of the client
• Authorization privileges assignment
• Accounting information destination
TACACS+ or RADIUS service directs the request to the appropriate administrative service.
Username or password sent to Windows 2000 database for authentication. If approved, confirmation and associated authorization assigned in ACS for that user are sent to NAS. Accounting information is logged.
Username or password submitted to Windows 2000 and Grant dial-in as a local user. Response is returned to ACS and authorizations assigned, which makes single login for dial-in access and network login possible.
Using External User Databases
[Diagram: NAS 1, NAS 2 and NAS 3 query the ACS user database, which in turn consults an external user database.]
Using Token Cards
[Diagram: a user holding a token card authenticates through the NAS; Cisco Secure ACS speaks TACACS+ or RADIUS to the NAS and uses proprietary protocols or RADIUS toward the token card server.]
– LEAP proxy RADIUS servers
– RSA SecurID token servers
– RADIUS-based token servers, including:
• ActivCard token servers
• CRYPTOCard token servers
• VASCO token servers
• PassGo token servers
• SafeWord token servers
• Generic RADIUS token servers
User-Changeable Passwords
[Diagram: the user reaches a UCP server on Windows 2000 Server (IIS 5.0) over an SSL connection (suggested); the UCP server talks to Cisco Secure ACS for Windows Server using 128-bit encrypted messaging; NAS 1, NAS 2 and NAS 3 are the ACS clients.]
Module 5 – Cisco Secure Access Control Server
5.2 Configuring RADIUS and TACACS+ with CSACS
Gathering Answers for the Installation Questions
• Determine whether the computer that Cisco Secure ACS will be installed on is a domain controller or a member server.
• Determine which AAA protocol and vendor-specific attribute to implement.
• Record the name of the AAA client.
• Record the IP address of the AAA client.
• Record the IP address of the computer that Cisco Secure ACS will be installed on.
• Record the shared secret TACACS+ or RADIUS key.
Cisco Secure ACS for Windows Server: Installation Overview
– Task 1: Preconfigure Windows 2000 Server system.
– Task 2: Verify connection between Windows 2000 Server system and Cisco routers.
– Task 3: Install Cisco Secure ACS for Windows Server on the Windows 2000 Server system.
– Task 4: Initially configure Cisco Secure ACS for Windows Server via web browser.
– Task 5: Configure routers for AAA.
– Task 6: Verify correct installation and operation.
Administering Cisco Secure ACS for Windows Server
Troubleshooting
– Use the Failed Attempts Report under Reports and Activity as a starting point.
– Provides a valuable source of troubleshooting information.
Globally Enable AAA
[Diagram: NAS router with Cisco Secure ACS for Windows Server at 10.1.2.4.]
router(config)# aaa new-model
tacacs-server Commands
The two commands shown here can be used to share the key with all servers:
router(config)# tacacs-server key keystring
router(config)# tacacs-server key 2bor!2b@?
router(config)# tacacs-server host ipaddress
router(config)# tacacs-server host 10.1.2.4
Or this command can be used for a single server:
router(config)# tacacs-server host ipaddress key keystring
router(config)# tacacs-server host 10.1.2.4 key 2bor!2b@?
AAA Configuration Commands
router(config)# aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]
router(config)# aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}
router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
AAA TACACS+ Troubleshooting
router# debug tacacs
– Displays detailed information associated with TACACS+
router# debug tacacs events
– Displays detailed information from the TACACS+ helper process
debug aaa authentication Command – TACACS+ Example Output
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
debug tacacs Command Example Output – Failure
13:53:35: TAC+: Opening TCP/IP connection to 10.1.1.4/49
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 10.1.1.4/49
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+: send AUTHEN/CONT packet
13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 10.1.1.4/49
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+: send AUTHEN/CONT packet
13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 10.1.1.4/49 (AUTHEN/CONT)
13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 10.1.1.4/49
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
debug tacacs Command Example Output – Pass
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
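The two debug tacacs transcripts above differ only in the final status line, which is easy to miss in a long capture. As an added example (not from the slides), here is a small Python parser that correlates debug tacacs lines by TACACS+ session id and reports each session's server, prompts and outcome; the sample lines are constructed from the format on the two preceding slides.

```python
import re

# Sample "debug tacacs" output, constructed for this example from the line
# format on the two preceding slides: one FAIL session and one PASS session.
SAMPLE_DEBUG = """\
13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 10.1.1.4/49 (AUTHEN/START)
13:53:35: TAC+ (416942312): received authen response status = GETUSER
13:53:37: TAC+ (416942312): received authen response status = GETPASS
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+ (383258052): received authen response status = PASS
"""

# "TAC+: Sending TCP/IP packet number <session>-<seq> to <server>/<port> (...)"
SEND_RE = re.compile(r"TAC\+: Sending TCP/IP packet number (\d+)-(\d+) to ([\d.]+)/(\d+)")
# "<hh:mm:ss>: TAC+ (<session>): received authen response status = <STATUS>"
STATUS_RE = re.compile(r"^(\d\d:\d\d:\d\d): TAC\+ \((\d+)\): received authen response status = ([A-Z]+)")
# Statuses that end an authentication; GETUSER/GETPASS only ask the NAS for more input.
FINAL_STATUSES = {"PASS", "FAIL", "ERROR"}

def _new_session():
    return {"server": None, "prompts": [], "result": None, "time": None}

def summarize_sessions(debug_text):
    """Group lines by TACACS+ session id: target server, prompts issued, and final
    status with its time (result stays None if the exchange never completed)."""
    sessions = {}
    for line in debug_text.splitlines():
        m = SEND_RE.search(line)
        if m:
            sid, _seq, host, port = m.groups()
            sessions.setdefault(sid, _new_session())["server"] = f"{host}:{port}"
            continue
        m = STATUS_RE.match(line)
        if m:
            ts, sid, status = m.groups()
            s = sessions.setdefault(sid, _new_session())
            if status in FINAL_STATUSES:
                s["result"], s["time"] = status, ts
            else:
                s["prompts"].append(status)
    return sessions

def failed_sessions(debug_text):
    """Session ids that ended in FAIL (the same exchanges the ACS Failed Attempts Report lists)."""
    return sorted(sid for sid, s in summarize_sessions(debug_text).items() if s["result"] == "FAIL")
```

A session with prompts but no result is worth a second look: it means the server stopped answering before PASS or FAIL, which the Failed Attempts Report will not show.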
debug tacacs events Command Output
router# debug tacacs events
%LINK-3-UPDOWN: Interface Async2, changed state to up
00:03:16: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to 10.1.1.4/49
00:03:16: TAC+: periodic timer started
00:03:16: TAC+: 10.1.1.4 req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued
00:03:17: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 46 of 46 bytes
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:22: TAC+: 10.1.1.4 CLOSEWAIT read=61 wanted=61 alloc=61 got=49
00:03:22: TAC+: 10.1.1.4 received 61 byte reply for 3BD868
00:03:22: TAC+: req=3BD868 id=-1242409656 ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed
00:03:22: TAC+: periodic timer stopped (queue empty)
00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to 10.1.1.4/49
00:03:22: TAC+: Opening TCP/IP to 10.1.1.4/49 timeout=15
00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to 10.1.1.4/49
00:03:22: TAC+: periodic timer started
00:03:22: TAC+: 10.1.1.4 req=3BD868 id=299214410 ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued
00:03:23: TAC+: 10.1.1.4 ESTAB 3BD868 wrote 41 of 41 bytes
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=12 wanted=12 alloc=12 got=12
00:03:23: TAC+: 10.1.1.4 CLOSEWAIT read=21 wanted=21 alloc=21 got=9
00:03:23: TAC+: 10.1.1.4 received 21 byte reply for 3BD868
00:03:23: TAC+: req=3BD868 id=299214410 ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed
00:03:23: TAC+: periodic timer stopped (queue empty)
RADIUS Server Commands
The two commands shown here can be used to share the key with all servers:
router(config)# radius-server key keystring
router(config)# radius-server key 2bor!2b@?
router(config)# radius-server host {host-name | ipaddress}
router(config)# radius-server host 10.1.2.4
Or this command can be used for a single server:
router(config)# radius-server host ipaddress key keystring
router(config)# radius-server host 10.1.2.4 key 2bor!2b@?
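The keystring set with radius-server key is what protects the user's password between the NAS and ACS. As an added example (not from the slides or from Cisco), the Python below implements the User-Password hiding of RFC 2865 section 5.2, the RFC the earlier token-server slide cites: the NAS XORs the padded password with an MD5 keystream derived from the shared secret and the packet's Request Authenticator, and the server reverses it. The default secret is the slides' sample keystring; the password and authenticator values are constructed.

```python
import hashlib
import os

def _pad16(data: bytes) -> bytes:
    """Pad with NUL octets to a multiple of 16, as RFC 2865 section 5.2 requires."""
    return data + b"\x00" * (-len(data) % 16)

def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side. Each 16-octet chunk of the padded password is XORed with
    MD5(secret + previous ciphertext chunk); the first chunk is keyed with
    the 16-octet Request Authenticator from the Access-Request header."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = _pad16(password)
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk  # chaining: the next keystream depends on this ciphertext chunk
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side (what ACS does with the secret set by radius-server key).
    Same keystream, then the NUL padding is stripped; a password that itself
    ends in NUL octets cannot be told apart from padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")

def round_trip(password: bytes, secret: bytes = b"2bor!2b@?") -> bool:
    """Hide with a fresh random Request Authenticator and confirm the server
    recovers the password. The default secret is the slides' sample keystring."""
    authenticator = os.urandom(16)
    hidden = hide_user_password(password, secret, authenticator)
    return reveal_user_password(hidden, secret, authenticator) == password
```

Because the keystream is only MD5 of the secret and a per-packet value, the secret's strength is the entire protection: a weak or reused keystring, or RADIUS traffic that is not additionally protected on the wire, leaves the NAS-to-ACS leg exposed.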