Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

50

Chapter 2 Introduction to AAA Security

TABLE 2.3 AAA Authorization Commands

| Command | Description |
|---|---|
| aaa authorization commands level 15 | Allows all exec commands at the specified level (0–15). In this example, this is level 15, which is regarded as full authorization and is normally associated with enable mode. |
| aaa authorization config-commands | Uses AAA authorization for configuration-mode commands. |
| aaa authorization configuration | Allows you to download the configuration from an AAA server. |
| aaa authorization exec | Authorizes the exec process with AAA. |
| aaa authorization ipmobile | Allows you to configure Mobile IP services. |
| aaa authorization network | Performs authorization security on all network services, including SLIP, PPP, and ARAP. |
| aaa authorization reverse-access | Uses AAA authorization for reverse Telnet connections. |

Accounting Configuration on the NAS

AAA’s accounting function records who did what and for how long. The accounting function relies on the authentication process to provide part of the audit trail. This is why it’s a good idea to establish accounts with easily identified usernames—typically a last-name, first-initial configuration.

The configuration of accounting in AAA is fairly simple, but you do have a few choices to consider:

Todd(config)#aaa accounting ?
  commands    For exec (shell) commands.
  connection  For outbound connections. (telnet, rlogin)
  exec        For starting an exec (shell).
  nested      When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
  network     For network services. (PPP, SLIP, ARAP)
  send        Send records to accounting server.
  suppress    Do not generate accounting records for a specific type of user.
  system      For System events.
  update      Enable accounting update records.

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.

www.sybex.com

Configuring the NAS for AAA


The preceding output lists the current AAA accounting commands available from global configuration mode. This section will focus on the network command for now.

The aaa accounting network command allows you to configure either a named list or the default:

Todd(config)#aaa accounting network ?
  WORD     Named Accounting list.
  default  The default accounting list.

Todd(config)#aaa accounting network default ?
  none        No accounting.
  start-stop  Record start and stop without waiting.
  stop-only   Record stop when service terminates.
  wait-start  Same as start-stop but wait for start-record commit.

Todd(config)#aaa accounting network default start-stop ?
  radius   Use RADIUS for Accounting.
  tacacs+  Use TACACS+.

The default keyword lets you record the start and stop times of a user’s session on the network. But you’ve got to have a RADIUS or TACACS+ server for that, so you’ll learn more about this configuration in Chapter 3.

For now, check out Table 2.4. It lists the more commonly used commands for configuring AAA accounting. The trick for deciding which command to use is to balance your need for obtaining complete accounting records against the overhead incurred by recording those records.

TABLE 2.4 AAA Accounting Commands

| Command | Description |
|---|---|
| aaa accounting commands level | Audits all commands. If specified, only commands at the specified privilege level (0–15) are included. |
| aaa accounting connection | Audits all outbound connections, including Telnet and rlogin. |
| aaa accounting exec | Audits the exec process. |
| aaa accounting nested | Used when PPP authentication is used to record activity before the start-stop times are recorded. |
| aaa accounting network | Audits network service requests, including SLIP, PPP, and ARAP requests. |
| aaa accounting system | Audits system-level events. This includes reload, for example. Because a router reload is one of the ultimate DoS attacks, it would be useful to know the user identification that issues the command. |
| aaa accounting send | Documents the start and stop of a session. Audit information is sent in the background, so there is no delay for the user. |
| aaa accounting suppress | Sends a stop accounting notice at the end of a user process. |
| aaa accounting system | Similar to aaa accounting start-stop, this command documents the start of a session. However, the user is not permitted to continue until the accounting server acknowledges the log entry. This can delay user access. |
| aaa accounting update | Enables TACACS+ or RADIUS accounting. |

One area in which AAA accounting transcends security is charge-back. If accurate start and stop times are well recorded, a company could charge users for their time spent on the system to offset the costs of running the system. ISPs have long considered this as an alternative to the flat-rate model currently used in the United States.

Verifying the NAS Configuration

The following output is from the configuration file of the Todd NAS router. It highlights the commands used for the AAA authentication and authorization configuration:

Todd#sh run

Building configuration...

Current configuration:

!

version 12.0

service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Todd
!
aaa new-model
aaa authentication login default local
aaa authentication login dial-in local
aaa authentication ppp dial-in local
aaa authorization commands 1 begin local
aaa authorization commands 15 end local
aaa authorization network admin local none
enable secret 5 $1$Qrnt$AmoVOSoe/ImPuv6jN9PeL.
enable password 7 06140034584B1B0A0C1A
!
username todd password 0 lammle
ip subnet-zero

!

isdn switch-type basic-ni

!

[output cut]

The preceding output starts the AAA service and establishes authentication services for both the login default and the dial-in processes. The aaa authorization commands provide level 1 and level 15 access to network resources. You’ll learn about the accounting commands in Chapter 3.
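As an added example (not code from the book), a small Python audit of the AAA-related lines in a running-config excerpt like the one above: it lists the authentication and authorization method lists, shows that no accounting line is configured yet, and flags credentials stored as password type 0 or 7. The constructed excerpt and the function names are my own assumptions.

```python
import re

# Constructed excerpt modelled on the Todd running-config shown above
# (the book's output is cut); used here as sample input only.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login dial-in local
aaa authentication ppp dial-in local
aaa authorization commands 1 begin local
aaa authorization commands 15 end local
aaa authorization network admin local none
enable secret 5 $1$Qrnt$AmoVOSoe/ImPuv6jN9PeL.
enable password 7 06140034584B1B0A0C1A
username todd password 0 lammle
"""

def audit_aaa_config(config: str) -> dict:
    """Summarise the AAA lines of an IOS running-config: method lists per
    service, accounting lines, and credentials stored with password type 0
    (cleartext) or 7 (reversible); only 'secret 5' is a one-way hash."""
    report = {"new_model": False, "authentication": [], "authorization": [],
              "accounting": [], "weak_passwords": []}
    for raw in config.splitlines():
        line = raw.strip()
        tok = line.split()
        if line == "aaa new-model":
            report["new_model"] = True
        elif line.startswith("aaa authentication "):
            # aaa authentication <service> <list> <method> [<method> ...]
            report["authentication"].append((tok[2], tok[3], tok[4:]))
        elif line.startswith("aaa authorization commands "):
            # aaa authorization commands <level> <list> <method> ...
            report["authorization"].append((f"commands {tok[3]}", tok[4], tok[5:]))
        elif line.startswith("aaa authorization "):
            # aaa authorization <type> <list> <method> ...
            report["authorization"].append((tok[2], tok[3], tok[4:]))
        elif line.startswith("aaa accounting "):
            report["accounting"].append(line)
        elif m := re.match(r"(username \S+|enable) password ([07]) ", line):
            report["weak_passwords"].append((m[1], m[2]))
    return report

def aaa_is_complete(report: dict) -> bool:
    """True only when authentication, authorization and accounting are all set."""
    return bool(report["new_model"] and report["authentication"]
                and report["authorization"] and report["accounting"])
```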

Troubleshooting AAA on the Cisco NAS

Everything’s gone well so far, but for the darker days, let’s look at some commands that help you with troubleshooting AAA configurations. These three debugging commands can be used to trace AAA packets and monitor their activities:

debug aaa authentication

debug aaa authorization

debug aaa accounting

The following output results from executing the debug aaa authentication command. You can use this information to troubleshoot console logins:

Todd#debug aaa authentication

Todd#exit

01:41:50: AAA/AUTHEN: free_user (0x81420624) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1
01:41:51: AAA: parse name=tty0 idb type=-1 tty=-1
01:41:51: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
01:41:51: AAA/AUTHEN: create_user (0x81420624) user='' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=LOGIN priv=1
01:41:51: AAA/AUTHEN/START (864264997): port='tty0' list='' action=LOGIN service=LOGIN
01:41:51: AAA/AUTHEN/START (864264997): using "default" list
01:41:51: AAA/AUTHEN/START (864264997): Method=LOCAL
01:41:51: AAA/AUTHEN (864264997): status = GETUSER

User Access Verification

Username: todd

Password: (not shown)

Todd>

01:42:12: AAA/AUTHEN/CONT (864264997): continue_login (user='(undef)')
01:42:12: AAA/AUTHEN (864264997): status = GETUSER
01:42:12: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:12: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): continue_login (user='todd')
01:42:14: AAA/AUTHEN (864264997): status = GETPASS
01:42:14: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:14: AAA/AUTHEN (864264997): status = PASS

The preceding output shows the user-mode access on the NAS (priv=1), that the username is todd, and that the method is local authentication. The following output is the enable access, which is shown as priv=15, meaning level 15 access.

Todd>enable

Password: (not shown)

01:42:46: AAA/AUTHEN: dup_user (0x8147DFC4) user='todd' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
01:42:46: AAA/AUTHEN/START (3721425915): port='tty0' list='' action=LOGIN service=ENABLE
01:42:46: AAA/AUTHEN/START (3721425915): console enable - default to enable password (if any)
01:42:46: AAA/AUTHEN/START (3721425915): Method=ENABLE
01:42:46: AAA/AUTHEN (3721425915): status = GETPASS
Todd#
01:42:50: AAA/AUTHEN/CONT (3721425915): continue_login (user='(undef)')
01:42:50: AAA/AUTHEN (3721425915): status = GETPASS
01:42:50: AAA/AUTHEN/CONT (3721425915): Method=ENABLE
01:42:50: AAA/AUTHEN (3721425915): status = PASS
01:42:50: AAA/AUTHEN: free_user (0x8147DFC4) user='' ruser='' port='tty0' rem_addr='async/' authen_type=ASCII service=ENABLE priv=15

Use the no debug aaa authentication form of the command to disable this debug mode, as follows:

Todd#no debug aaa authentication

AAA Authentication debugging is off

Todd#
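The trace above is easier to troubleshoot once it is folded into one record per AAA session id. The following Python is an added example, not part of the book: it parses lines in the debug aaa authentication format shown above into a per-session summary (port, service, method list, method, user, final status) and picks out sessions that ended in FAIL. The sample trace is constructed from the output above, with the enable attempt changed to fail so the failure path is exercised; the function names are my own.

```python
import re

# Constructed sample modelled on the debug aaa authentication output above.
# Session 864264997 is the console login; 3721425915 is the enable attempt,
# changed here to end in FAIL so the failure path is exercised.
SAMPLE_TRACE = """\
01:41:51: AAA/AUTHEN/START (864264997): port='tty0' list='' action=LOGIN service=LOGIN
01:41:51: AAA/AUTHEN/START (864264997): using "default" list
01:41:51: AAA/AUTHEN/START (864264997): Method=LOCAL
01:41:51: AAA/AUTHEN (864264997): status = GETUSER
01:42:14: AAA/AUTHEN/CONT (864264997): continue_login (user='todd')
01:42:14: AAA/AUTHEN/CONT (864264997): Method=LOCAL
01:42:14: AAA/AUTHEN (864264997): status = PASS
01:42:46: AAA/AUTHEN/START (3721425915): port='tty0' list='' action=LOGIN service=ENABLE
01:42:46: AAA/AUTHEN/START (3721425915): Method=ENABLE
01:42:46: AAA/AUTHEN (3721425915): status = GETPASS
01:42:50: AAA/AUTHEN/CONT (3721425915): Method=ENABLE
01:42:50: AAA/AUTHEN (3721425915): status = FAIL
"""

# Only lines with a numeric session id in parentheses belong to a transaction;
# create_user/free_user lines carry a hex handle instead and are skipped.
SESSION_RE = re.compile(r"^(\d\d:\d\d:\d\d): AAA/AUTHEN(?:/(?:START|CONT))? \((\d+)\): (.*)$")

def summarize_authen_trace(trace: str) -> dict:
    """Fold the line-by-line trace into one record per AAA session id."""
    sessions = {}
    for line in trace.splitlines():
        if not (m := SESSION_RE.match(line)):
            continue
        ts, sid, rest = m.groups()
        s = sessions.setdefault(sid, {"start": ts, "end": ts, "port": None, "service": None,
                                      "list": None, "method": None, "user": None, "status": None})
        s["end"] = ts
        kv = dict(re.findall(r"(\w+)=('[^']*'|\S+)", rest))   # port='tty0', Method=LOCAL, ...
        for key, field in (("port", "port"), ("service", "service"), ("Method", "method")):
            if key in kv:
                s[field] = kv[key].strip("'")
        if lm := re.search(r'using "(\w+)" list', rest):
            s["list"] = lm[1]
        if (um := re.search(r"user='([^']*)'", rest)) and um[1] not in ("", "(undef)"):
            s["user"] = um[1]
        if sm := re.match(r"status = (\w+)", rest):
            s["status"] = sm[1]   # the last status seen is the outcome (PASS/FAIL)
    return sessions

def failed_sessions(sessions: dict) -> list:
    """Sessions whose final status is FAIL, as (session id, service, port, user)."""
    return [(sid, s["service"], s["port"], s["user"])
            for sid, s in sessions.items() if s["status"] == "FAIL"]
```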

The next output shows a successful AAA authorization:

Todd# debug aaa authorization

1:21:23: AAA/AUTHOR (0): user='Todd'
1:21:23: AAA/AUTHOR (0): send AV service=shell
1:21:23: AAA/AUTHOR (0): send AV cmd*
1:21:23: AAA/AUTHOR (342885561): Method=Local
1:21:23: AAA/AUTHOR/TAC+ (342885561): user=Todd
1:21:23: AAA/AUTHOR/TAC+ (342885561): send AV service=shell
1:21:23: AAA/AUTHOR/TAC+ (342885561): send AV cmd*
1:21:23: AAA/AUTHOR (342885561): Post authorization status = PASS

You can see here that the username is Todd. The second and third lines show that the attribute value (AV) pairs are authorized. The next line shows the method used for authorizing, and the final line gives you the status of the authorization.

The following is output from the debug aaa accounting command, which displays information on accountable events as they occur. Chapter 3 covers this topic more thoroughly.

Todd# debug aaa accounting

1:09:41: AAA/ACCT: EXEC acct start, line 10

1:09:52: AAA/ACCT: Connect start, line 10, glare

1:09:07: AAA/ACCT: Connection acct stop:

task_id=60 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14

Remember that the protocol used to transfer the accounting information to a server is independent of the information displayed. In addition to the debug aaa accounting command, you can use the debug tacacs and debug radius commands to examine the specific protocol information. Again, Chapter 3 provides more detail on these commands.

If you are configured for AAA accounting, you can use the show accounting command to see all the active sessions and to print accounting records. It’s also useful to know that if you activate the debug aaa accounting command, the show accounting command displays additional data on the internal state of the AAA security system.
