This chapter provides examples you can apply directly to your own CiscoSecure Access Control Server (ACS). Use the information here to help you configure your CiscoSecure ACS and Cisco network access server (NAS) for the following:
Because the CiscoSecure ACS supports the RADIUS protocol as well as TACACS+, you can configure your NAS for RADIUS and obtain the same, or equivalent, authentication, authorization, and accounting services. The two protocols differ on the wire, however: TACACS+ obfuscates the entire packet body with the shared key and carries authorization in a separate exchange, whereas RADIUS hides only the User-Password attribute and returns authorization attributes inside the Access-Accept. Choose the protocol that matches the equipment you must interoperate with, and protect the shared key in either case.
The following example illustrates a typical configuration for an ISP with an existing RADIUS installation. In this sample configuration, the Cisco AS5200 can use the same authentication and accounting servers as other vendors' equipment. The result is uniform authentication, authorization, and accounting services, which in turn provides centralized user management and accounting records necessary for billing.
You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for RADIUS-based security services. Note how the method lists are arranged: the named `secure` lists try RADIUS first and fall back to the local database (the `backup` user) only when no RADIUS server answers, not when RADIUS rejects the user, while the `default` login and PPP lists are `none`. Every line and interface that must be protected therefore has to reference a named list, as `line 1 48` and the PPP interfaces do here.
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname isdn-14
!
aaa new-model
aaa authentication login default none
aaa authentication login console line
aaa authentication login secure radius local
aaa authentication login vty line
aaa authentication ppp default none
aaa authentication ppp secure if-needed radius local
aaa authorization exec radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
!
username backup password radiusISdown
ip radius source-interface Ethernet0
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source radius
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 171.68.187.254 255.255.255.0
!
interface Ethernet0
 ip address 172.16.25.15 255.255.255.224
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Serial1:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Group-Async1
 ip unnumbered Loopback0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 peer default ip address pool default
 dialer-group 1
 ppp authentication chap pap secure
 group-range 1 48
!
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 peer default ip address pool default
 ppp multilink
 ppp authentication chap pap secure
 dialer-group 1
!
ip local pool default 171.68.187.1 171.68.187.48
ip domain-name cisco.com
ip name-server 171.68.10.70
no ip classless
async-bootp dns-server 171.68.10.70
!
radius-server host 172.16.72.41
radius-server host 172.16.72.42
radius-server timeout 3
radius-server key MYSECRET
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
 password cisco
line 1 48
 session-timeout 15 output
 autoselect during-login
 autoselect ppp
 login authentication secure
 modem InOut
 transport input all
line aux 0
line vty 0 4
 login authentication vty
 password secret
!
end
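The NAS above sends every login and PPP authentication to 172.16.72.41 or 172.16.72.42 as a RADIUS Access-Request protected only by the shared key configured with `radius-server key MYSECRET`. The following added example, which is not part of this chapter or of Cisco's software, implements the RFC 2865 pieces that key is used for: hiding the User-Password attribute, computing the Response Authenticator on the server's reply, and the check a NAS must do before it trusts an Access-Accept. The user name `alice`, the password `hunter2`, and the session identifier are constructed for the demonstration; the NAS address 172.16.25.15 and the key are the ones in the sample configuration.

```python
"""RADIUS Access-Request / Access-Accept with the shared key (RFC 2865).
Added example; the NAS address and key come from the sample configuration,
the user name, password and packet identifier are constructed."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def _attr(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 octet), Length (1 octet, counts the header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def recover_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_user_password: anyone who holds the key and sees the packet can undo it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Access-Request as the NAS sends it. Returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_user_password(password, secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute list, rejecting malformed lengths instead of looping on them."""
    attrs, pos, end = {}, 20, struct.unpack("!H", packet[2:4])[0]
    while pos < end:
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > end:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server reply: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_reply(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the NAS must do before acting on an Accept: recompute the Response Authenticator."""
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


if __name__ == "__main__":
    secret = b"MYSECRET"                                   # key from the sample NAS configuration
    req, auth = build_access_request(1, secret, "alice", b"hunter2", "172.16.25.15")
    accept = build_reply(ACCESS_ACCEPT, req, secret)
    print("Accept verified with the right key:", verify_reply(accept, auth, secret))
    print("Accept verified with a wrong key:  ", verify_reply(accept, auth, b"guess"))
    print("password recovered by a key holder:",
          recover_user_password(parse_attributes(req)[USER_PASSWORD], secret, auth))
```

Two points follow from the code. The Request Authenticator must be fresh and unpredictable, because reusing one lets an observer XOR two hidden passwords together; and the password is only obfuscated, so a short dictionary key such as the sample's `MYSECRET` can be brute-forced from a single captured request and reply. Treat the RADIUS key like a password database credential and keep the NAS-to-ACS path off untrusted segments.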
The Lock and Key Security feature, available starting with Cisco IOS Release 11.1 software, offers an improved security solution (see Figure 6-1). Lock and Key security defines dynamic access control lists (ACLs) that grant access per user, on a specific source/destination host basis, through a user authentication process.
In essence, you can dynamically allow user access through a firewall without compromising security.
In a typical environment, Lock and Key security puts in place a fixed access control list (ACL) that filters all traffic except for Telnet traffic until a remote user has been authenticated with the security mechanism.
When a user Telnets to the NAS, logs in, and successfully authenticates with the CiscoSecure ACS, the ACS returns the user's EXEC authorization profile, whose autocommand is access-enable. The NAS runs that command, which creates a temporary entry in the dynamic ACL on the incoming interface; the entry grants the privileges defined for the authenticated user.
Until that happens, the interface passes only Telnet to the NAS itself. After authentication, the temporary entry lets the user's traffic through the firewall for as long as its timeout allows.
Caution: Lock and Key security allows an external event to place an opening in the firewall. After this opening is placed, the router is susceptible to source address spoofing. To prevent this, you need to provide encryption support using IP authentication or encryption.
You can enter the following sample configuration to immediately enable Lock and Key with the CiscoSecure ACS. This configuration enables Lock and Key functionality on a Cisco 2511. Depending on your NAS and network topology, you might have to modify the configuration slightly to meet your exact needs.
NAS "delta" configuration
=========================
! simple tacacs+ configuration. You need EXEC authorization to execute
! the autocommand configured for the user
!
aaa new-model
aaa authentication login default tacacs+
aaa authorization exec tacacs+
!
tacacs-server host 10.10.1.200
tacacs-server key secret
!
! Now configure the access-list. The fixed access list should deny
! traffic except for telnet to the router itself and deny everything
! else. The dynamic part of the access-list determines what access
! the user will have after they have authenticated themselves. In
! this case, the user will have full IP access after authentication.
!
access-list 101 permit tcp any host 10.10.1.254 eq telnet
access-list 101 dynamic temp permit ip any any
!
! Now apply the access-list inbound to the dial-up interfaces
!
interface Serial0:23
 ip access-group 101 in
CiscoSecure database
====================
# match keys with the NAS
key = "secret"

# definition of the lock&key user
user = unlockme {
    # his LOGIN password
    password = clear "key"
    # define user's EXEC authorization profile
    service = exec {
        # this will unlock the access-list for
        # the user for 15 minutes
        set autocmd = "access-enable 15"
    }
}
Full NAS configuration
======================
DEMO1#wr t
Building configuration...
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname Router
!
aaa new-model
aaa authentication login default tacacs+
aaa authorization exec tacacs+
!
interface Ethernet0
 ip address 10.10.1.254 255.255.255.0
!
interface Serial0:23
 ip address 10.10.2.254 255.255.255.0
 ip access-group 101 in
 encapsulation ppp
 dialer map ip 10.10.2.1 name cisco-1004 broadcast
 dialer-group 1
 ppp authentication chap
!
access-list 101 permit tcp any host 10.10.2.254 eq telnet
access-list 101 dynamic temp permit ip any any
tacacs-server host 10.10.1.200
tacacs-server key secret
!
line con 0
line aux 0
line vty 0 4
!
end
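To see what the two `access-list 101` lines above actually permit before and after the user's autocommand runs, the following added example (not part of this chapter or of Cisco IOS) models the inbound ACL on Serial0:23: first-match evaluation with the implicit deny, the inactive `dynamic temp` template, the temporary entry that `access-enable` creates, and the idle timeout that removes it. The IOS command reference gives the syntax as `access-enable [host] [timeout minutes]`; the sample profile's `access-enable 15` is described in its comment as a 15-minute unlock, so check that your release accepts the form you use. The inside host 10.10.1.10 and the minute-based clock are constructed for the demonstration; 10.10.2.1 and 10.10.2.254 are the dial-up peer and the NAS from the sample.

```python
"""Model of a Lock and Key dynamic ACL (added example, not Cisco code).
Parses the chapter's access-list lines and evaluates packets against them."""
import ipaddress

PORT_NAMES = {"telnet": 23, "ftp": 21, "www": 80}


class Entry:
    """One access-list statement. `dynamic` names a template that stays inactive
    until access-enable creates a temporary copy of it."""
    def __init__(self, action, proto, src, dst, dport, dynamic=None, abs_timeout=None):
        self.action, self.proto, self.src, self.dst = action, proto, src, dst
        self.dport, self.dynamic, self.abs_timeout = dport, dynamic, abs_timeout

    def matches(self, proto, src, dst, dport):
        return ((self.proto == "ip" or self.proto == proto)
                and src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def _address(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    word = tokens.pop(0)
    if word == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if word == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.IPv4Network((word, str(netmask)), strict=False)


def parse_acl_line(line):
    """Parse an extended `access-list N ...` line of the shape used in this chapter
    (only `eq PORT` on the destination; no source-port operators)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"]:
        raise ValueError("not an access-list line: " + line)
    tokens = tokens[2:]
    dynamic = abs_timeout = None
    if tokens[0] == "dynamic":
        dynamic, tokens = tokens[1], tokens[2:]
        if tokens[0] == "timeout":            # absolute lifetime of temporary entries, minutes
            abs_timeout, tokens = int(tokens[1]), tokens[2:]
    action, proto, tokens = tokens[0], tokens[1], tokens[2:]
    src, dst = _address(tokens), _address(tokens)
    dport = None
    if tokens[:1] == ["eq"]:
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Entry(action, proto, src, dst, dport, dynamic, abs_timeout)


class LockAndKeyACL:
    def __init__(self, lines):
        self.entries = [parse_acl_line(line) for line in lines]
        self.active = []          # temporary entries created by access-enable

    def access_enable(self, telnet_source, now, idle_timeout=None, host=False):
        """Model of `access-enable [host] [timeout minutes]` run as the user's autocommand.
        With `host` the entry is limited to the Telnet session's source address; without
        it the template's source (here `any`) is kept. All times are minutes."""
        template = next(e for e in self.entries if e.dynamic)
        src = ipaddress.ip_network(telnet_source + "/32") if host else template.src
        entry = Entry(template.action, template.proto, src, template.dst, template.dport)
        expires = now + template.abs_timeout if template.abs_timeout else None
        self.active.append({"entry": entry, "idle": idle_timeout,
                            "expires": expires, "last_hit": now})

    def _expire(self, now):
        self.active = [a for a in self.active
                       if not (a["idle"] is not None and now - a["last_hit"] > a["idle"])
                       and not (a["expires"] is not None and now >= a["expires"])]

    def permits(self, proto, src, dst, dport, now):
        """First match wins, implicit deny at the end. Temporary entries sit at the
        position of their template and refresh their idle timer on every hit."""
        self._expire(now)
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for entry in self.entries:
            if entry.dynamic:
                for active in self.active:
                    if active["entry"].matches(proto, src, dst, dport):
                        active["last_hit"] = now
                        return active["entry"].action == "permit"
                continue
            if entry.matches(proto, src, dst, dport):
                return entry.action == "permit"
        return False


# The two lines from the "Full NAS configuration" above.
SAMPLE_ACL = [
    "access-list 101 permit tcp any host 10.10.2.254 eq telnet",
    "access-list 101 dynamic temp permit ip any any",
]

if __name__ == "__main__":
    acl = LockAndKeyACL(SAMPLE_ACL)
    print("telnet to NAS before auth:", acl.permits("tcp", "10.10.2.1", "10.10.2.254", 23, now=0))
    print("web to inside before auth:", acl.permits("tcp", "10.10.2.1", "10.10.1.10", 80, now=0))
    acl.access_enable("10.10.2.1", now=0, idle_timeout=15, host=True)
    print("web to inside after auth:  ", acl.permits("tcp", "10.10.2.1", "10.10.1.10", 80, now=1))
    print("other dial-up host:        ", acl.permits("tcp", "10.10.2.2", "10.10.1.10", 80, now=1))
    print("after 16 idle minutes:     ", acl.permits("tcp", "10.10.2.1", "10.10.1.10", 80, now=17))
```

The model makes the caution above concrete: the temporary entry matches on addresses only, so a packet forged with the authenticated user's source address is permitted exactly like a genuine one. Using the `host` keyword narrows the opening to one address; limiting the template to the protected hosts and ports the user actually needs, instead of `permit ip any any`, and setting an absolute `timeout` on the dynamic statement narrow it further.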
In this next example (see Figure 6-2), a remote node dials in to a NAS, authenticates by means of the CiscoSecure ACS, and is authorized on a protected IPX network.
You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP and IPX dial-up. Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs.
Remote Node IP and IPX Dial-Up Configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname AS5200
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authorization exec
aaa authorization network
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
isdn switch-type primary-5ess
!
ipx routing
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.10.2.254 255.255.255.0
 ipx network AAAA
 ipx sap-interval 0
!
interface Ethernet0
 ip address 10.10.1.254 255.255.255.0
 ipx network BBBB
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Serial1:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Group-Async1
 ip unnumbered Loopback0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer-group 1
 no cdp enable
 ppp authentication chap pap
 group-range 1 48
!
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer-group 1
 ppp multilink
 ppp authentication chap pap
!
tacacs-server host 10.10.1.200
tacacs-server key secret
ip local pool default 10.10.2.1 10.10.2.48
!
ipx router rip
 no network AAAA
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
line 1 48
 autoselect during-login
 autoselect ppp
 login local
 modem InOut
 modem autoconfigure type microcom_hdms
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
!
end
You can enter the following sample configuration directly into your NAS to immediately enable CiscoSecure ACS for ISDN dial-up to a Cisco AS5200 (see Figure 6-3). Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs.
The configuration for this example is identical to the Remote Node IP and IPX Dial-Up Configuration shown above.
You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP dial-up. (See Figure 6-4.)
Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your system's needs.
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname AS5200
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authorization exec
aaa authorization network
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Ethernet0
 ip address 10.10.1.254 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 ip unnumbered Ethernet0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Serial1:23
 ip unnumbered Ethernet0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Group-Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 peer default ip address pool default
 dialer-group 1
 no cdp enable
 ppp authentication chap pap
 group-range 1 48
!
interface Dialer1
 ip unnumbered Ethernet0
 encapsulation ppp
 peer default ip address pool default
 dialer-group 1
 ppp multilink
 ppp authentication chap pap
!
tacacs-server host 10.10.1.200
tacacs-server key secret
ip local pool default 10.10.1.1 10.10.1.48
!
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
line 1 48
 autoselect during-login
 autoselect ppp
 login local
 modem InOut
 modem autoconfigure type microcom_hdms
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
!
end
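The Lock and Key example and all of the dial-up configurations above point the NAS at the CiscoSecure ACS at 10.10.1.200 with `tacacs-server key secret`. The following added example, which is not part of this chapter or of Cisco's software, builds the TACACS+ authentication START packet such a NAS sends when a user logs in on a line, and shows what that key does on the wire: the body is XORed with an MD5 chain derived from the session id, the key, the version and the sequence number (the scheme of the original TACACS+ draft, documented in RFC 8907 section 4.5), so the key is what keeps user names and passwords out of a capture. The session id, the line name `tty1`, and the remote address are constructed; the user `unlockme` and the key are the ones in the Lock and Key sample.

```python
"""TACACS+ authentication START packet and body obfuscation (added example, not Cisco code).
The key "secret" and user "unlockme" come from the chapter's samples; the session id,
port and remote address are constructed."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = "!BBBBII"                # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain: block_i = MD5(session_id || key || version || seq_no || block_{i-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the original."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, priv_lvl=1, seq_no=1):
    """Authentication START for an ASCII login (RFC 8907 section 5.1), as the NAS sends it.
    An empty key sets the unencrypted flag and sends the body in clear."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0x0
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = (struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), 0)
            + user_b + port_b + rem_b)
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    header = struct.pack(HEADER, version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + (body if not key else obfuscate(body, session_id, key, version, seq_no))


def parse_packet(packet, key):
    """Split header and body, undoing the obfuscation with `key` unless the clear flag is set."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "flags": flags, "body": body}


def parse_authen_start(body):
    """Decode a START body. With the wrong key the lengths and strings come out as garbage."""
    if len(body) < 8:
        raise ValueError("START body too short")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    fields, pos = [], 8
    for n in (ul, pl, rl, dl):
        fields.append(body[pos:pos + n])
        pos += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "user": user.decode("utf-8", "replace"), "port": port.decode("utf-8", "replace"),
            "rem_addr": rem_addr.decode("utf-8", "replace")}


if __name__ == "__main__":
    key = b"secret"                                  # tacacs-server key from the samples
    pkt = build_authen_start(0x1EE7C0DE, key, "unlockme", "tty1", "10.10.2.1")
    print("with the right key:", parse_authen_start(parse_packet(pkt, key)["body"]))
    print("with a wrong key:  ", parse_authen_start(parse_packet(pkt, b"guess")["body"]))
```

The pad depends only on header fields that travel in clear plus the key, so an observer who can guess the key (a dictionary word like `secret` falls quickly, since a correct guess produces a well-formed body) recovers every user name and password the NAS forwards, and nothing in the packet authenticates it. Use a long random key, and keep the NAS-to-ACS path on a trusted segment.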