Configuring Security for the AccessPath-VS3 System

The access service security paradigm presented in this chapter uses the authentication, authorization, and accounting (AAA) facility. Authentication requires dial-in users to prove they are who they say they are. When you require authentication before users can access your network, you prevent unauthenticated users from accessing lines on the VoIP Access Shelves or from connecting through those lines directly to network resources. You need to secure every access point.

Authorization prevents each user from gaining access to services and devices on the network that they do not need to or are not permitted to access. Accounting provides records of who is connected and how long they have been connected for billing and other recording purposes. This chapter does not describe how to configure accounting. For more information about configuring accounting, see the Security Configuration Guide in the Cisco IOS configuration guides and command references documentation.

This chapter describes how to configure security using the Remote Authentication Dial-In User Service (RADIUS).

Caution This chapter does not provide an exhaustive security overview. For example, it does not describe how to configure TACACS, Extended TACACS, Kerberos, or access lists. It presents the most commonly used security mechanisms to prevent unauthenticated and unauthorized access to network resources through the VoIP Access Shelves. For a comprehensive overview of Cisco security mechanisms, see the Security Configuration Guide.

This chapter includes the following sections:

Security Database

In a traditional Internet service provider (ISP) environment, you need a centralized security database that provides username and password information to the Cisco AccessPath-VS3 Packet Telephony Concentrator or to the home gateway router. This centralized security database resides in a security server. (See the RADIUS server in Figure 5-1.)

An example of a remote security database server is the CiscoSecure Access Control Server (ACS) for UNIX or Windows NT. The CiscoSecure ACS is a UNIX security daemon solution, with which the administrator creates a database that defines the network users and their privileges. The CiscoSecure ACS uses a central database that stores user and group profiles with authentication and authorization information.

The VoIP Access Shelf exchanges user authentication information with a RADIUS database on the security server by transmitting encrypted RADIUS packets across the network.

For specific information about the interaction between the security server and the VoIP Access Shelf, see the Security Configuration Guide.


Figure 5-1: Security Database


A centralized security database also helps establish consistent remote-access policies throughout a corporation.

Configuring Authentication

Using the AAA facility, you can authenticate users with the security database. The basic process of configuring the Cisco IOS software for authentication requires the following tasks:

Securing Access to Privileged EXEC and Configuration Mode

The first important step is to secure access to privileged EXEC (enable) mode. Enable mode provides access to configuration mode, which enables any type of configuration change to the VoIP Access Shelf. To secure access to privileged EXEC mode, enter one of the following commands:


Note For more information about the enable password and enable secret commands and their complete syntax, see the Security Command Reference.

Caution If you use the enable secret command and specify an encryption type, you must enter the encrypted version of a specific password. Do not enter the cleartext version of the password after specifying an encryption type. You must comply with the following procedure when you specify an encryption type or you will be locked irretrievably out of privileged EXEC (enable) mode. The only way to regain access to privileged EXEC mode will be to erase the contents of nonvolatile random-access memory (NVRAM), which erases your entire configuration, and reconfigure the router.


To enter an encryption type with the enable secret command, follow this procedure:

Step 1 From within global configuration mode, enter the enable secret command, followed by the cleartext password that you will use to gain access to privileged EXEC mode. Do not specify an encryption type.

Step 2 Exit from global configuration mode and enter the command show running-config to view the encrypted version of the password:

Step 3 At this point, select and copy the encrypted password following "enable secret 5" in the configuration output ($1$h7dd$VTNs4.BAfQMUU0Lrvw6570).

Step 4 Enter global configuration mode and enter the enable secret command, followed by the encryption type (5 is the only valid encryption type for enable secret), then paste in the encrypted version of the password, as shown in the following example:

Step 5 Exit from global configuration mode and copy the running configuration to NVRAM:

You can also specify additional protection for privileged EXEC mode, including the following:


Note For more information about these security tools, see the Security Configuration Guide in the Cisco IOS configuration guides and command references documentation.

Enabling Communication Between the AccessPath-VS3 System and the Security Server

This section describes the Cisco IOS software commands that enable the AccessPath-VS3 system to communicate with RADIUS servers.

You must configure the security server before performing the tasks described in this chapter. The section "Security Examples" at the end of this chapter shows some typical RADIUS server entries corresponding to the VoIP Access Shelf security configurations.

Communicating with a RADIUS Server

To enable communication between the RADIUS security (database) server and the VoIP Access Shelf, enter the following commands in global configuration mode:

For example, to enable the remote RADIUS server to communicate with the VoIP Access Shelf, enter the commands as follows:

AS01# configure terminal
AS01(config)# radius-server host test
AS01(config)# radius-server key abra2cad

The host name of the RADIUS server in the previous example is test. The key (abra2cad) in the previous example is the encryption key shared between the RADIUS server and the VoIP Access Shelf.
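To make concrete what "encrypted RADIUS packets" and the shared key mean here, the following Python example (added to this page; it is not Cisco code and not part of the original chapter) builds an Access-Request the way RFC 2865 specifies it: only the User-Password attribute is hidden, by XORing it with MD5 digests derived from the shared secret and the per-request Request Authenticator, so a server holding a different key recovers garbage and rejects the login. The key abra2cad is the one from the example above; the user record, NAS address and packet identifier are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS constants from RFC 2865 (packet code and attribute types)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865, section 5.2).

    The cleartext is padded to a multiple of 16 octets and each block is XORed
    with MD5(shared secret + previous block); the first "previous block" is the
    16-octet Request Authenticator. Only a peer that knows the shared key can
    reverse this, which is what the radius-server key command protects.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                       # an empty password still occupies one block
        padded = b"\x00" * 16
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher                    # chaining: the next block keys off this ciphertext
    return bytes(out)


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(cipher, block))
        prev = cipher
    return bytes(out).rstrip(b"\x00")   # drop the zero padding


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; the length covers the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(secret, identifier, username, password, nas_ip, authenticator=None):
    """Assemble the Access-Request the access shelf would send for a login."""
    if authenticator is None:
        authenticator = os.urandom(16)   # fresh random Request Authenticator per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_packet(raw: bytes):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: value})."""
    if len(raw) < 20:
        raise ValueError("packet shorter than the 20-octet header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("length field does not match packet size")
    attrs = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = raw[pos], raw[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = raw[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, raw[4:20], attrs


def server_check(secret: bytes, raw: bytes, user_db: dict) -> bool:
    """Server side: recover the password with the shared key and compare it
    against the user database (a plain dict in this constructed example)."""
    code, _, authenticator, attrs = parse_packet(raw)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return False
    expected = user_db.get(attrs[ATTR_USER_NAME])
    if expected is None:
        return False
    recovered = reveal_password(secret, authenticator, attrs[ATTR_USER_PASSWORD])
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    key = b"abra2cad"                    # the shared key from the example above
    req = build_access_request(key, 7, b"myname", b"mypassword", "10.0.0.1")
    print(len(req), "octets;", "accept" if server_check(key, req, {b"myname": b"mypassword"}) else "reject")
    print("mismatched key accepted:", server_check(b"wrongkey", req, {b"myname": b"mypassword"}))
```

Only the User-Password attribute is hidden; the username, NAS address and everything else in the request travel in the clear, and the strength of the hiding rests entirely on the shared key. That is why the key should be long and random and why RADIUS traffic between the access shelf and the security server belongs on a management network rather than on user-reachable segments.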

You can use any of the following optional commands to interact with the RADIUS server host:


Note For more information about these commands, see the Security Command Reference, which is part of the Cisco IOS configuration guides and command references documentation.

Enabling AAA Globally on the AccessPath-VS3 System

To use the AAA security facility in the Cisco IOS software, you must issue the aaa new-model command from global configuration mode.

For example, enter the following commands to enable AAA in the Cisco IOS software:

AS01# configure terminal 
AS01(config)# aaa new-model 

When you issue the aaa new-model command, all lines on the VoIP Access Shelf receive the implicit login authentication default method list. In addition, the aaa new-model command applies an implicit aaa authentication login default local command.

Caution If you intend to authenticate users via a security server, make sure you do not inadvertently lock yourself out of the VoIP Access Shelf ports after you issue the aaa new-model command. Enter line configuration mode and issue the aaa authentication login default RADIUS enable global configuration command. This command specifies that if your RADIUS server is not functioning properly, you can enter your enable password to log in to the VoIP Access Shelf. In general, make sure you have a last-resort access method before you are certain that your security server is set up and functioning properly. For more information about the aaa authentication command, see the next section, "Defining Authentication Method Lists."

TimeSaver You should test login security from the enable prompt (#) using the login command. This way, if security should fail, and you cannot log in, you will be at the enable prompt where you can correct the problem.

Defining Authentication Method Lists

After you enable AAA globally on the VoIP Access Shelf, you need to define authentication method lists, which you then apply to lines and interfaces. These authentication method lists are security profiles that indicate the protocol (ARAP or PPP) or login and authentication method (RADIUS, or local authentication).

To define an authentication method list, perform the following steps, which are described in this section:

The section, "Applying Authentication Method Lists," later in this chapter, describes how to apply these lists.

Step 1---Start AAA Authentication Configuration

To define an authentication method list, start by issuing the aaa authentication global configuration command, as shown in the following example:

AS01# configure terminal 
AS01(config)# aaa authentication 

Step 2---Specify Protocol or Login Authentication

After you issue aaa authentication, you must specify one of the following protocols as applicable for your network:

You can specify only one dial-in protocol per authentication method list. However, you can create multiple authentication method lists with each of these options. You must give each list a different name, as described in the next section, "Step 3---Identify a List Name."

Step 3---Identify a List Name

A list name identifies each authentication list. You can choose either to use the keyword default, or choose any other name that describes the authentication list. For example, you might call it isdn-radius if you intend to apply it to interfaces configured for ISDN and RADIUS authentication. The list name can be any alphanumeric string. We recommend that you use default as the list name for all lines and interfaces internal to the AccessPath-VS3 system, and different names for all lines and interfaces where dial-in users will be authenticated.

You can create different authentication method lists and apply them to lines and interfaces selectively. You can even create a named authentication method list that you do not apply to a line or interface, but which you intend to apply at some later point, such as when you deploy a new login method for users.

After you define a list name, you must identify additional security attributes (such as local authentication versus RADIUS).

In the following example, the login authentication method list name is local:

AS01# configure terminal 
AS01(config)# aaa authentication login local

Step 4---Specify the Authentication Method

After you identify a list name, you must specify an authentication method. An authentication method identifies how users are authenticated. For example, will users be authenticated by a local security database resident on the VoIP Access Shelf (local method)? Will they be authenticated by a remote security database, such as by a RADIUS daemon?

Authentication methods are defined with optional keywords in the aaa authentication command. The available authentication methods for PPP are described in Table 5-1.


Table 5-1: Authentication Methods

if-needed: Authenticates only if the user is not already authenticated (no duplicate authentication).

local: Uses the local username database in the VoIP Access Shelf, defined with the username global configuration command.

none: No authentication is required; the user is not prompted for a username or password.

radius: Uses RADIUS authentication as defined on a RADIUS security server.

You can specify multiple authentication methods for each authentication list. The following example authentication method list for PPP first queries a RADIUS server, then the local security database. Multiple authentication methods can be useful if a single security server type does not respond.

AS01(config)# aaa authentication ppp testbed radius local

If you specify more than one authentication method and the first method (RADIUS in the previous example) is not available, the Cisco IOS software attempts to authenticate using the next method. If in the previous example the RADIUS server has no information about the user, or if no RADIUS server can be found, the user is authenticated using the local username database that was populated with the username command.

However, if authentication fails using the first method listed, the Cisco IOS software does not permit access. It does not attempt to authenticate using the subsequent security methods if the user entered the incorrect password.

Step 5---Populate the Local Username Database if Necessary

If you specify local as the security method, you must specify username profiles for each user who might log in. An example of specifying local authentication is as follows:

AS01(config)# aaa authentication login your_name local

This command specifies that any time a user attempts to log in to a line on a VoIP Access Shelf, the Cisco IOS software checks the username database. To create a local username database, define username profiles using the username global configuration command.

The following example shows how to use the username command for a user myname with password mypassword:

AS01(config)# username myname password mypassword 

The show running-config command shows the encrypted version of the password, as follows:

AS01# show running-config
Building configuration...
Current configuration:
!
version 11.1
! most of config omitted
username myname password 7 0215055500070C294D

Note The Cisco IOS software adds the encryption type of 7 automatically for passwords. If you were to manually enter the number 7 to represent an encryption type, you must follow the 7 with the encrypted version of the password. If you specify the number 7, then enter a cleartext password, the user will not have access to the line, interface, or the network they are trying to access, and you must reconfigure the user's authentication profile.
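The enable secret caution, the aaa new-model caution and the note above describe three ways an operator can lock users (or themselves) out with a single mistyped line. As an added check (example code, not from the chapter or from Cisco), the following Python linter reads a configuration fragment and flags each of them: a type-5 enable secret followed by cleartext, a type-7 username password followed by cleartext, and a RADIUS-only login default list under aaa new-model with no enable or local fallback. The shape patterns for type-5 and type-7 strings and the two sample configurations are this example's own assumptions; the hash and type-7 values in the samples are copied from the chapter's show running-config output.

```python
import re

# Shape of a type-5 enable secret ($1$<salt>$<22-char hash>) and of a type-7
# string (two-digit seed followed by hex pairs). Both patterns are assumptions
# made for this example, not taken from Cisco documentation.
TYPE5_HASH = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")
TYPE7_STRING = re.compile(r"^[0-9A-Fa-f]+$")
# Methods the chapter names as last-resort access when the server is down.
LAST_RESORT = {"enable", "local"}


def lint_aaa_config(config_text: str) -> list:
    """Return a list of findings for the lockout pitfalls the chapter warns about."""
    findings = []
    lines = [ln.strip() for ln in config_text.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]   # skip comments/blank lines

    for ln in lines:
        # Caution: 'enable secret 5' must be followed by the hash, never cleartext.
        m = re.match(r"^enable secret 5 (\S+)$", ln)
        if m and not TYPE5_HASH.match(m.group(1)):
            findings.append("enable secret: type 5 given but the value is not a type-5 hash "
                            "(cleartext after the type); enable mode is unreachable")
        # Note: 'password 7' must be followed by the type-7 string, never cleartext.
        m = re.match(r"^username (\S+) .*\bpassword 7 (\S+)$", ln)
        if m:
            value = m.group(2)
            if not (TYPE7_STRING.match(value) and len(value) % 2 == 0 and len(value) >= 4):
                findings.append(f"username {m.group(1)}: type 7 given but the value is not a "
                                "type-7 string; this user cannot log in")

    # Caution: with aaa new-model, keep a last-resort method on the login default list.
    if "aaa new-model" in lines:
        login_default = [ln for ln in lines if ln.startswith("aaa authentication login default ")]
        if not login_default:
            findings.append("aaa new-model with no explicit login default list: implicit "
                            "'local' applies, so a local username must exist")
        else:
            methods = [m.lower() for m in login_default[-1].split()[4:]]
            if "radius" in methods and not LAST_RESORT.intersection(methods):
                findings.append("login default list uses RADIUS with no last-resort method "
                                "(enable or local): an unreachable server locks you out")
    return findings


# Constructed sample configurations; the hash and type-7 strings are the ones
# the chapter shows in its own show running-config output.
GOOD_CONFIG = """\
aaa new-model
aaa authentication login default radius enable
enable secret 5 $1$h7dd$VTNs4.BAfQMUU0Lrvw6570
username myname password 7 0215055500070C294D
line vty 0 4
 login authentication default
"""

LOCKOUT_CONFIG = """\
aaa new-model
aaa authentication login default radius
enable secret 5 mypassword
username myname password 7 mypassword
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(name + ":")
        for finding in lint_aaa_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against a saved copy of show running-config before you copy the configuration to NVRAM; the lockout cases the chapter describes are only recoverable by erasing NVRAM, so catching them in the running configuration is the cheap moment.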

Authentication Method List Examples

This section shows some examples of authentication lists.

Authentication Method List Examples for Users Logging In to the VoIP Access Shelf

The following example creates a local authentication list for users logging in to any line on the VoIP Access Shelf. This list is identical to the implicit method list when the command aaa new-model is used.

AS01(config)# aaa authentication login default local 

The following example specifies login authentication using RADIUS (the RADIUS daemon is polled for authentication profiles):

AS01(config)# aaa authentication login default radius

Applying Authentication Method Lists

As described earlier in the "Defining Authentication Method Lists" section, the aaa authentication global configuration command creates authentication method lists or profiles. You apply these authentication method lists to lines or interfaces by issuing the login authentication command, as described in Table 5-2.


Table 5-2: Line and Interface Authentication Method Lists

Interface and line command: login authentication
Action: Logs directly in to the VoIP Access Shelf.
Port to which the list is applied: Console port or vty lines.
Corresponding global configuration command: aaa authentication login

You can create more than one authentication list or profile for login and protocol authentication and apply them to different lines or interfaces. The following examples show the line or interface authentication commands that correspond to the aaa authentication global configuration command.

Login Authentication Examples

The following example shows the default login authentication list applied to the console port and the default virtual terminal (vty) lines on the VoIP Access Shelf:

AS01(config)# aaa authentication login default local 
AS01(config)# line console 0
AS01(config-line)# login authentication default 
AS01(config-line)# line vty 0 4
AS01(config-line)# login authentication default 

Configuring Authorization

You can configure the VoIP Access Shelves to restrict user access to the network so that users can only perform certain functions after successful authentication. As with authentication, authorization can be used with either a local or remote security database. This guide describes only remote security server authorization.

A typical configuration most likely uses the EXEC facility and network authorization. EXEC authorization restricts access to the EXEC, and network authorization restricts access to network services, including PPP and ARA.

Authorization must be configured on both the VoIP Access Shelves and the security daemon. The default authorization is different on the VoIP Access Shelves and the security server:


Note If authentication has not been set up for a user, per-user authorization attributes are not enabled for that user. That is, before users can be authorized to use network resources, they must first be authenticated. For example, if you want to specify the aaa authorization network RADIUS (or radius) command, you must first specify the aaa authentication ppp default if-needed RADIUS (or radius) command.

Specifying Authorization Parameters on a RADIUS Server

When you configure authorization, you must ensure that the parameters established on the VoIP Access Shelf correspond with those set on the RADIUS server.

Authorization Examples

The following example shows how to use a RADIUS server to authorize the use of network services, including PPP and ARA. If the RADIUS server is not available or has no information about a user, no authorization is performed, and the user can use all network services.

AS01(config)# aaa authorization network RADIUS none

The following example shows how to permit the user to run the EXEC process if the user is already authenticated. If the user is not already authenticated, the Cisco IOS software defers to a RADIUS server for authorization information.

AS01(config)# aaa authorization exec if-authenticated radius 

The following example shows how to configure network authorization. If the RADIUS server does not respond or has no information about the username being authorized, the user can still access all network resources without authorization requirements.

AS01(config)# aaa authorization network radius none
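The fall-through rules in "Step 4---Specify the Authentication Method" (an unavailable method is skipped, a rejected password is final) and the authorization lists just shown share one evaluation model. The following Python example (added here; not Cisco code and not part of the original chapter) implements that model and replays the chapter's own lists through it: aaa authentication ppp testbed radius local, aaa authorization network RADIUS none and aaa authorization exec if-authenticated radius. The Result outcomes are assumptions standing in for a live server's answers, and the model treats "server has no record of the user" as a fall-through, as this chapter states; verify that reading against the IOS release you run, since later releases treat a server reject as final.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # the method answered yes: stop and grant
    FAIL = "fail"    # the method answered no (for example a wrong password): stop and deny
    ERROR = "error"  # the method could not answer (server unreachable, no record): try the next


def fails_open(methods):
    """True when a list ends in 'none': with every server down, access is granted."""
    return bool(methods) and methods[-1].lower() == "none"


def evaluate_method_list(methods, outcomes, session=None):
    """Walk a method list with the semantics the chapter describes.

    methods:  keywords in configured order, for example ["radius", "local"]
    outcomes: what each database-backed method would answer (Result); absent = ERROR
    session:  per-session state, here only an 'authenticated' flag
    Returns (granted, deciding_method); deciding_method is None when every
    method errored out and there was no 'none' fallback.
    """
    session = session or {}
    for method in methods:
        m = method.lower()                  # the chapter writes RADIUS and radius interchangeably
        if m == "none":
            return True, m                  # no checking at all
        if m in ("if-authenticated", "if-needed"):
            if session.get("authenticated"):
                return True, m
            continue                        # not yet authenticated: consult the next method
        answer = outcomes.get(m, Result.ERROR)
        if answer is Result.PASS:
            return True, m
        if answer is Result.FAIL:
            return False, m                 # a definite reject is final; later methods are not tried
        # Result.ERROR: fall through to the next method
    return False, None


def authentication_scenarios():
    """aaa authentication ppp testbed radius local (Step 4)."""
    methods = ["radius", "local"]
    return {
        "server down, local knows user": evaluate_method_list(
            methods, {"radius": Result.ERROR, "local": Result.PASS}),
        "server rejects password": evaluate_method_list(
            methods, {"radius": Result.FAIL, "local": Result.PASS}),
        "server down, local unknown": evaluate_method_list(
            methods, {"radius": Result.ERROR, "local": Result.ERROR}),
    }


def authorization_scenarios():
    """The lists from 'Authorization Examples'."""
    network = ["RADIUS", "none"]                 # aaa authorization network RADIUS none
    exec_list = ["if-authenticated", "radius"]   # aaa authorization exec if-authenticated radius
    return {
        "network, server unreachable": evaluate_method_list(network, {"radius": Result.ERROR}),
        "network, server denies": evaluate_method_list(network, {"radius": Result.FAIL}),
        "exec, already authenticated": evaluate_method_list(
            exec_list, {"radius": Result.FAIL}, {"authenticated": True}),
        "exec, not authenticated": evaluate_method_list(
            exec_list, {"radius": Result.PASS}, {"authenticated": False}),
    }


if __name__ == "__main__":
    for label, result in {**authentication_scenarios(), **authorization_scenarios()}.items():
        print(f"{label}: granted={result[0]} by={result[1]}")
    print("network list fails open:", fails_open(["radius", "none"]))
```

The fails_open check is the caveat worth carrying into review: every authorization list in this section ends in none, which the chapter describes as "the user can use all network services" when the server is unavailable. That is a deliberate availability choice, and it means a RADIUS outage silently removes all network authorization, so alert on RADIUS server reachability rather than relying on users to notice.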

RADIUS Accounting

Use the aaa accounting command with the radius keyword to turn on RADIUS accounting for each Cisco IOS privilege level and for network services, as follows:

The RADIUS accounting records contain information about EXEC usage time per user.

Note No RADIUS-specific show commands exist. You can use the show accounting command to display accounting information.

Security Examples

This series of examples shows complete security configuration components of a configuration file on a VoIP Access Shelf. Each of these examples shows authentication and authorization.

Simple Local Security Example

This sample configuration uses AAA to configure default authentication using a local security database on the VoIP Access Shelf. All lines and interfaces have the default authentication lists applied. Users myname1, myname2, and myname3 have been assigned privilege level 7, which prevents them from issuing the ppp and slip commands, because these commands have been assigned to privilege level 8.

aaa new-model
aaa authentication login default local 
aaa authentication ppp default local 
aaa authorization exec local
aaa authorization network local
aaa authorization 
!
username myname1 privilege exec level 7 privilege network level 8 password 7 095E470B1110
username myname2 privilege network level 7 password 7 0215055500070C294D
username myname3 privilege network level 7 password 7 095E4F10140A1916
!
privilege exec level 8 ppp
privilege exec level 8 arap
privilege exec level 8 slip
line console 0
  login authentication default
!
line 1 16
!
interface Group-Async1
  ppp authentication chap default
  group-range 1 16

With this configuration, the sign-on dialog from a remote PC appears as follows:

atdt5551234        
CONNECT 14400/ARQ/V32/LAPM/V42BIS 
User Access Verification
Username: myname1
Password:
Router> enable
Password: 
Router# 


Copyright 1989-1998 © Cisco Systems Inc.