This feature module describes the IKE Shared Secret Using AAA Server feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so forth.
This document includes the following sections:
The IKE Shared Secret Using AAA Server feature enables key lookup from a AAA server. Pre-shared keys do not scale well when trying to deploy a large scale Virtual Private Network (VPN) without using a certification authority (CA). When using dynamic IP addressing such as DHCP or PPP dialups, the changing IP address can make key lookup difficult or impossible unless a wildcard pre-shared key is used.
In the IKE Shared Secret Using AAA Server feature, the shared secret is accessed during the aggressive mode of IKE negotiation through the AAA server. The ID of the exchange is used as the username to query AAA if no local key can be found on the Cisco IOS router to which the user is trying to connect.
When deploying a large scale dialup VPN without the use of a certification authority (CA), with dynamic IP addresses, pre-shared keys cannot be used. Pre-shared keys are looked up by IP address, which is not static when using dynamic IP addressing. Using wildcard pre-shared keys is not very secure, since a large number of users are given the same secret, thus reducing the security of the secret.
The IKE Shared Secret Using AAA Server feature allows each user to have their own key, which is stored on an external AAA server. This allows for central management of the user database, linking it to an existing AAA database, in addition to allowing every user to have their own unique, more secure pre-shared key.
The IKE Shared Secret Using AAA Server feature has the following restrictions:
Aggressive Mode Only
IKE Shared Secret for AAA can occur only during aggressive mode, since the ID is in the first message. Main mode does not permit key lookup by ID, because the ID occurs in the latter part of the IKE exchange, too late to use for key lookup.
ID Types
Currently only the following ID types can be used in the IKE Shared Secret for AAA feature:
Strong Encryption Limitations
Cisco IOS images with strong encryption (including, but not limited to, 56-bit data encryption feature sets) are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.
The IKE Shared Secret Using AAA Server feature module is related to the following existing features:
For more information on these features refer to "Related Documents".
For related information on the IKE Shared Secret Using AAA Server feature, refer to the following documents:
The IKE Shared Secret Using AAA Server feature is supported on all platforms that support IPSec in Cisco IOS Release 12.1 T.
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
IETF RADIUS Tunnel Authentication Draft, draft-ietf-radius-tunnel-auth-09.txt
IPSec Software Image Required
Before configuring the IKE Shared Secret Using AAA Server feature, you must have an IPSec encryption software image from Cisco IOS Release 12.1(1)T downloaded on to your router. For more information on downloading a software image, see the following publications:
AAA Configuration Required
Before configuring the IKE Shared Secret Using AAA Server feature, you must set up an authorization list using AAA commands.
| Command | Purpose |
|---|---|
| Router(config)# aaa authorization {default \| list-name} method1 [method2...] | Set parameters that restrict a user's network access. |
For more information on configuring AAA commands, see the following publications:
IKE and IPSec Configuration Required
Before configuring the IKE Shared Secret Using AAA Server feature, you must configure an IPSec transform, a crypto map, and ISAKMP policy using IPSec and IKE commands.
| Command | Purpose |
|---|---|
| Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] | Define a transform set, which is an acceptable combination of security protocols and algorithms, and enter crypto transform configuration mode. |
| Router(cfg-crypto-trans)# mode [tunnel \| transport] | Specify the mode for the transform set. |
| Router(cfg-crypto-trans)# exit | Exit crypto transform configuration mode. |
| Router(config)# crypto map map-name seq-num ipsec-isakmp | Create or modify a static crypto map entry, and enter crypto map configuration mode. |
| Router(config-crypto-map)# crypto map map-name client authentication list list-name | (Optional) Enable extended authentication on a crypto map. |
| Router(config-crypto-map)# match address [access-list-id \| name] | Specify an extended access list for a crypto map entry. |
| Router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6] | Specify which transform sets can be used with the static crypto map entry. |
| Router(config-crypto-map)# exit | Exit crypto map configuration mode. |
| Router(config)# crypto isakmp policy priority | Define an IKE policy, and enter ISAKMP policy configuration mode. |
| Router(config-isakmp)# hash {sha \| md5} | Specify the hash algorithm within an IKE policy. |
| Router(config-isakmp)# authentication {rsa-sig \| rsa-encr \| pre-share} | Specify the authentication method within an IKE policy. |
| Router(config-isakmp)# exit | Exit ISAKMP policy configuration mode. |
| Router(config)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name | Create or modify a dynamic crypto map entry, and enter crypto map configuration mode. |
| Router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6] | Specify which transform sets can be used with the dynamic crypto map entry. |
| Router(config-crypto-map)# exit | Exit crypto map configuration mode. |
| Router(config)# crypto isakmp key keystring address peer-address | Configure a pre-shared authentication key. |
| Router(config)# interface interface | Enter interface configuration mode. |
| Router(config-if)# ip address ip-address mask | Assign an IP address to the interface. |
| Router(config-if)# crypto map map-name | Apply a previously defined crypto map to the interface. |
| Router(config-if)# exit | Exit interface configuration mode. |
For more information on configuring IPSec and IKE commands, see the following publications:
IKE Shared Secret Using AAA Server Configuration
The IKE Shared Secret Using AAA Server feature is optional and disabled by default.
See the following sections for IKE Shared Secret Using AAA Server feature configuration tasks. Each task in the list indicates if it is optional or required:
To configure the IKE Shared Secret Using AAA Server feature, perform these tasks at each peer:
Note For information on configuring AAA, IPSec transform, static crypto map, ISAKMP policy, and dynamic crypto map, see "Prerequisites."
To enable an IPSec peer for IKE Shared Secret Using AAA Server, perform the following task beginning in crypto map configuration mode:
| Command | Purpose |
|---|---|
| Router(config-crypto-map)# crypto map map-name isakmp authorization list list-name | (Required) Enable IKE querying of AAA for tunnel attributes in aggressive mode. |
To verify that the IKE Shared Secret Using AAA Server feature is enabled, issue the show running-config command. If the crypto map isakmp authorization list command appears in the configuration, IKE Shared Secret Using AAA Server is enabled.
Enter the following debug commands in EXEC mode to troubleshoot IKE Shared Secret Using AAA Server:
| Command | Purpose |
|---|---|
| debug crypto isakmp | Display messages about IKE events. |
| debug aaa authorization | Display information on AAA/TACACS+ authorization. |
| debug tacacs | Display information associated with the Terminal Access Controller Access Control System (TACACS). |
| debug radius | Display information associated with the Remote Authentication Dial-In User Service (RADIUS). |
The following example is output from the show running-config command. The IKE Shared Secret Using AAA Server configuration commands are explained in the comment lines.

```
aaa new-model
aaa authorization network mylist group radius
! This defines the AAA server used for authorization.
crypto dynamic-map foo 10
 set security-association lifetime seconds 120
 set transform-set proposal1 proposal2
!
crypto map foo isakmp authorization list mylist
crypto map foo 10 ipsec-isakmp dynamic foo
! This sets up a dynamic crypto map, which will query AAA for a shared secret.
```
Two forms of the RADIUS user profile for the peer zeke.cisco.com: the first carries the shared secret in a Cisco AV pair, the second in the Tunnel-Password attribute.

```
zeke.cisco.com Password = "cisco", Service-Type = Outbound
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Type = :1:ESP,
    Cisco:Avpair = "ipsec:tunnel-password=cisco",
    Cisco:Avpair = "ipsec:key-exchange=ike"
```

```
zeke.cisco.com Password = "cisco", Service-Type = Outbound
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Password = :1:"cisco",
    Tunnel-Type = :1:ESP,
    Cisco:Avpair = "ipsec:key-exchange=ike"
```
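The lookup order described in this feature module (local key by peer address first; otherwise, in aggressive mode only, the IKE ID is used as the AAA username) can be modelled against the RADIUS profile format shown above. This is an added example, not Cisco code: the second profile (alice.example.net), the LOCAL_KEYS table and the function names are constructed for illustration.

```python
import re

# Constructed RADIUS profiles in the flat-file form shown above (alice is made up).
RADIUS_USERS = '''
zeke.cisco.com Password = "cisco", Service-Type = Outbound
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Type = :1:ESP,
    Cisco:Avpair = "ipsec:tunnel-password=cisco",
    Cisco:Avpair = "ipsec:key-exchange=ike"
alice.example.net Password = "cisco", Service-Type = Outbound
    Tunnel-Medium-Type = :1:IP,
    Tunnel-Password = :1:"s3cret",
    Tunnel-Type = :1:ESP,
    Cisco:Avpair = "ipsec:key-exchange=ike"
'''

# Constructed stand-in for local "crypto isakmp key ... address" entries.
LOCAL_KEYS = {"192.0.2.10": "localkey"}

# attribute = [:tag:]["]value["]  (the :1: tag on tunnel attributes is dropped)
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*(?::\d+:)?"?([^",]*)"?')

def parse_users(text):
    """Parse flat-file profiles into {username: [(attribute, value), ...]}."""
    users, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # an unindented line starts a profile
            current, _, line = line.partition(" ")
            users[current] = []
        users[current].extend(m.groups() for m in ATTR_RE.finditer(line))
    return users

def lookup_shared_secret(ike_id, peer_addr, mode, users=None):
    """Return the pre-shared key for an IKE phase 1 exchange, or None.
    Local key for the peer address first; otherwise, in aggressive mode only,
    the IKE ID is the AAA username (in main mode the ID arrives too late).
    """
    if peer_addr in LOCAL_KEYS:
        return LOCAL_KEYS[peer_addr]
    if mode != "aggressive":
        return None
    attrs = (users if users is not None else parse_users(RADIUS_USERS)).get(ike_id, [])
    for attr, value in attrs:
        if attr == "Tunnel-Password":
            return value
        if attr == "Cisco:Avpair" and value.startswith("ipsec:tunnel-password="):
            return value.split("=", 1)[1]
    return None
```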
This section documents one new command, the crypto map isakmp authorization list crypto map configuration command. All other commands used with this feature are documented in the Cisco IOS Release 12.1 publications.
To configure IKE Shared Secret Using AAA Server, use the crypto map isakmp authorization list global configuration command. Use the no form of this command to restore the default value.
[no] crypto map map-name isakmp authorization list list-name
Syntax Description
| Keyword | Description |
|---|---|
| map-name | The name you assign to the crypto map set. |
| list-name | Character string used to name the list of authorization methods activated when a user logs in. The list-name must match the list-name defined during AAA configuration. |
Defaults
IKE Shared Secret Using AAA Server is not enabled.
Command Modes
Global configuration mode
Command History
| Release | Modification |
|---|---|
| 12.1(1)T | This command was introduced in Cisco IOS Release 12.1 T. |
Usage Guidelines
Before configuring IKE Shared Secret Using AAA Server, you should set up an authorization list using AAA commands.
Before configuring IKE Shared Secret Using AAA Server, you should configure an IPSec transform, a crypto map, and ISAKMP policy using IPSec and IKE commands.
After enabling IKE Shared Secret Using AAA Server, you should apply the crypto map on which IKE Shared Secret Using AAA Server is configured to the interface.
Examples
The following example configures IKE Shared Secret Using AAA Server on a router:
```
crypto map ikessaaamap isakmp authorization list ikessaaalist
crypto map ikessaaamap 10 ipsec-isakmp dynamic ikessaaadyn
```
Related Commands
| Command | Description |
|---|---|
| aaa authorization | Set parameters that restrict a user's network access. |
| crypto ipsec transform-set | Defines a transform set, which is an acceptable combination of security protocols and algorithms, and enters crypto transform configuration mode. |
| crypto map (global configuration) | Creates or modifies a crypto map entry, and enters crypto map configuration mode. |
| crypto isakmp policy | Defines an IKE policy, and enters ISAKMP policy configuration mode. |
| crypto isakmp key | Configures a pre-shared authentication key. |
| interface | Enters interface configuration mode. |
AAA---authentication, authorization, and accounting. A framework of security services that provide the method for identifying users (authentication), for remote access control (authorization), and for collecting and sending security server information used for billing, auditing, and reporting (accounting).
aggressive mode---This mode eliminates several steps during IKE authentication negotiation (phase 1) between two or more IPSec peers. Aggressive mode is faster than main mode, but not as secure.
authentication, authorization, and accounting---See AAA.
authorization---The method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally on the access server or router or it can be hosted remotely on a RADIUS or TACACS+ security server. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. All authorization methods must be defined through AAA.
IKE---A key management protocol standard which is used in conjunction with the IPSec standard. IPSec is an IP security feature that provides robust authentication and encryption of IP packets. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol which implements the Oakley key exchange and Skeme key exchange inside the Internet Security Association and Key Management Protocol (ISAKMP) framework. (ISAKMP, Oakley, and Skeme are security protocols implemented by IKE.)
CA---certification authority. A service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service is explicitly entrusted by the receiver to validate identities and to create digital certificates. This service provides centralized key management for the participating devices.
certification authority---See CA.
Internet Key Exchange---See IKE.
IP Security Protocol---See IPSec.
IPSec---IP Security Protocol. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
main mode---This mode ensures the highest level of security when two or more IPSec peers are negotiating IKE authentication (phase 1). It requires more processing time than aggressive mode.
peer---A router or device that participates as an endpoint in IPSec and IKE.
pre-shared key---A pre-shared key is a shared, secret key that uses IKE for authentication.
RADIUS---Remote Authentication Dial-In User Service. A distributed client/server system that secures networks against unauthorized access. RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
Remote Authentication Dial-In User Service---See RADIUS.
SA---security association. An instance of security policy and keying material applied to a data flow. Both IKE and IPSec use SAs, although SAs are independent of one another. IPSec SAs are unidirectional and they are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bi-directional. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually.
A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
security association---See SA.
Virtual Private Network---See VPN.
VPN---virtual private network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunnels to encrypt all information at the IP level.
Posted: Mon Apr 3 17:30:48 PDT 2000
Copyright © 1989 - 2000 Cisco Systems Inc.