
5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [i] AAA with TACACS+ and RADIUS

RADIUS is an access server that uses AAA protocol and combines authentication and authorization. It is a system of distributed security that secures remote access to networks and network services against unauthorized access. TACACS+ provides session encryption and can provide CLI authorization by user groups.

RADIUS comprises three components:

● A protocol with a frame format that utilizes User Datagram Protocol (UDP)/IP

● A server

● A client

RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as retransmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:

● TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.

● TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.

● Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.

● TCP is more scalable and adapts to growing, as well as congested, networks.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5110-5113). Kindle Edition.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml


5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [ii] Local privilege authorization fallback

The local database can act as a fallback method for several functions. This behavior is designed to help prevent accidental lockout. For users who need fallback support, it is recommended that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

The local database supports the following fallback functions:

● Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group all are unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.

● Command authorization—When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS+ servers in the group all are unavailable, the local database is used to authorize commands based on privilege levels.

● VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable. The authentication-server-group command, available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When the VPN client of an administrator specifies a tunnel group configured to fall back to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5123-5133). Kindle Edition.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960xr/software/15.0_2_EX1/security/configuration_guide/b_sec_152ex1_2960-xr_chapter_0111.html

5.1.d AAA with TACACS+ and RADIUS

I first turned off the RADIUS server and authenticated locally with the default method list…

r3#debug aaa authenti
AAA Authentication debugging is on
r3#term mon
r3#
May 11 14:10:42.572: AAA/BIND(00000015): Bind i/f
May 11 14:10:42.576: AAA/AUTHEN/LOGIN (00000015): Pick method list 'default'
r3#
May 11 14:11:14.019: AAA/AUTHEN/ENABLE(00000015): Processing request action LOGIN
May 11 14:11:14.019: AAA/AUTHEN/ENABLE(00000015): Done status GET_PASSWORD
r3#
May 11 14:11:22.163: AAA/AUTHEN/ENABLE(00000015): Processing request action LOGIN
May 11 14:11:22.215: AAA/AUTHEN/ENABLE(00000015): Done status PASS

r3#debug radius ?
accounting      RADIUS accounting packets only
authentication  RADIUS authentication packets only
brief           Only I/O transactions are recorded
elog            RADIUS event logging
failover        Packets sent upon fail-over
local-server    Local RADIUS server
retransmit      Retransmission of packets
verbose         Include non essential RADIUS debugs
<cr>

r3#debug radius authenti
Radius protocol debugging is on
Radius protocol brief debugging is off
Radius protocol verbose debugging is off
Radius packet hex dump debugging is off
Radius packet protocol (authentication) debugging is on
Radius packet protocol (accounting) debugging is off
Radius elog debugging debugging is off
Radius packet retransmission debugging is off
Radius server fail-over debugging is off
Radius elog debugging debugging is off
r3#
May 11 14:13:33.730: AAA/BIND(00000017): Bind i/f
May 11 14:13:33.730: AAA/AUTHEN/LOGIN (00000017): Pick method list 'default'
May 11 14:13:33.738: RADIUS/ENCODE(00000017): ask "Username: "
May 11 14:13:33.738: RADIUS/ENCODE(00000017): send packet; GET_USER
r3#
May 11 14:13:40.422: RADIUS/ENCODE(00000017): ask "Password: "
May 11 14:13:40.422: RADIUS/ENCODE(00000017): send packet; GET_PASSWORD
r3#
May 11 14:13:45.594: RADIUS/ENCODE(00000017):Orig. component type = EXEC
May 11 14:13:45.594: RADIUS:  AAA Unsupported Attr: interface         [158] 5
May 11 14:13:45.594: RADIUS:   74 74 79                                         [tty]
May 11 14:13:45.594: RADIUS/ENCODE(00000017): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
May 11 14:13:45.594: RADIUS(00000017): Config NAS IP: 0.0.0.0
May 11 14:13:45.598: RADIUS/ENCODE(00000017): acct_session_id: 10
May 11 14:13:45.598: RADIUS(00000017): sending
May 11 14:13:45.598: RADIUS/ENCODE: Best Local IP-Address 172.16.3.1 for Radius-Server 172.16.3.2
May 11 14:13:45.598: RADIUS(00000017): Send Access-Request to 172.16.3.2:1812 id 1645/6, len 82
May 11 14:13:45.602: RADIUS:  authenticator 60 CF 80 A9 F5 03 06 80 - 04 A3 A0 79 40 89 8E 64
May 11 14:13:45.602: RADIUS:  User-Name           [1]   9   "raduser"
May 11 14:13:45.602: RADIUS:  User-Password       [2]   18  *
May 11 14:13:45.602: RADIUS:  NAS-Port            [5]   6   69
May 11 14:13:45.602: RADIUS:  NAS-Port-Id         [87]  7   "tty69"
May 11 14:13:45.602: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
May 11 14:13:45.602: RADIUS:  Calling-Station-Id  [31]  10  "10.1.1.1"
r3#
May 11 14:13:45.602: RADIUS:  NAS-IP-Address      [4]   6   172.16.3.1
May 11 14:13:45.606: RADIUS: Received from id 1645/6 172.16.3.2:1812, Access-Accept, len 26
May 11 14:13:45.610: RADIUS:  authenticator AC 26 56 EC D9 A8 8D 12 - D7 E9 8C 23 14 AC 87 66
May 11 14:13:45.610: RADIUS:  Session-Timeout     [27]  6   9999999
May 11 14:13:45.610: RADIUS(00000017): Received from id 1645/6
r3#

5.1.d AAA with TACACS+ and RADIUS

It's a little tricky but it works… and it's free so you can get some stick time…

(screenshot: winradiusports)

Note that you have to match the specified ports in your router configuration…

When you configure the host, Cisco will default to the old ports… you have to manually add the newer specified ports to match WinRadius…

radius-server host 172.16.3.2 auth-port 1645 acct-port 1646
radius-server host 172.16.3.2 auth-port 1812 acct-port 1813

Also, AAA has to be enabled, as well as the group, similar to TACACS+:

aaa new-model

aaa authentication login default group radius none

But it will authenticate; see below:

(screenshot: winradius)

See the CCNA Security lab manual for more details…

The WinRadius piece is also part of the CCNP SWITCH NetAcad lab manual…
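As an added example (not the page's own configuration, nor the lab manual's), here is the IOS AAA configuration that ties the WinRadius port note above to the local fallback described in section [ii]: the RADIUS host on the newer ports, the weak "none" fallback from the post shown beside a "local" fallback, and a console method list that the local account always satisfies. The server address 172.16.3.2 and the ports come from the page; the username, the password and the shared secret are placeholders.

```cisco
! Added example, not the page's own configuration. The server address and
! ports match the WinRadius post above; the username, the password and the
! shared secret are placeholders.
aaa new-model
!
! Local account kept identical (same username and password) to the account
! on the RADIUS server, so that a fallback is transparent to the admin.
username admin privilege 15 secret <strong-password>
!
! WinRadius listens on 1812/1813. A host entry without auth-port/acct-port
! defaults to the legacy 1645/1646, so the ports must be given explicitly.
radius-server host 172.16.3.2 auth-port 1812 acct-port 1813 key <shared-secret>
!
! Send Service-Type (attribute 6) with login requests; the debug on this page
! shows it being dropped while this is off.
radius-server attribute 6 on-for-login-auth
!
! Weak (from the post above): with "none" as the last method, a login is
! accepted without any password as soon as no RADIUS server answers.
!   aaa authentication login default group radius none
!
! Corrected: fall back to the local database instead, for login, enable
! and EXEC authorization alike.
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
!
! Console keeps a local-only method list so an unreachable server can
! never lock the administrator out of the box.
aaa authentication login CONSOLE local
line con 0
 login authentication CONSOLE
```

With the "debug aaa authentication" output shown above, a fallback to the local method appears as the RADIUS group returning an error before the next method is picked, which is the behaviour to look for when testing this on a lab router.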