Cisco ACE - tacacs and radius
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential
ACE Remote Authentication: TACACS+ and RADIUS using ACS
Sean Merrow, Application Networking Services CSE
February 2009
Example Scenario
In this document, we will create a user called ‘aceadmin’.
This user account will only have access to a context on the ACE called ‘Cnt1’.
The user will be given the Admin role and put in the default-domain of the Cnt1 context.
This user will not be configured as a local user on the ACE, although the ACE will check its local user database if it cannot reach the ACS (TACACS+/RADIUS server).
[Topology figure: ACS servers 130.10.0.55 and 130.10.0.56; ACE module/appliance 150.10.40.21]
ACE Remote Authentication - Agenda
ACE with TACACS+ using ACS
ACE with RADIUS using ACS
Network Capture Screenshots
Create the TACACS+ User on ACS
[Screenshot: ACS user configuration, callouts 1-3]
Notes on ACS User Settings
A common problem customers report after adding the shell command in the TACACS+ Settings is that although authentication works fine with the ACE, those users can no longer access their other network devices.
These customers should enter the shell command as follows:
shell:<Context>*<Role> <Domain>
shell:Cnt1*Admin default-domain
When the * is used, the attribute is optional. The = used on the previous slide means the attribute is mandatory.
The TACACS+ Settings can also be entered into the Groups on the ACS in which the user is a member. The Group settings will apply to all members, although settings entered directly in the user configuration will override the Group settings.
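As an added example (not code from the deck or from Cisco), the following Python models how the ACE reads the shell attribute from a TACACS+ authorization reply and why the mandatory form (=) breaks authorization on devices that do not understand the attribute. The reply strings and the known-attribute list are constructed; accepting more than one space-separated domain after the role is an assumption beyond what the deck shows.

```python
import re

# Added example, not code from the original deck. Models how a TACACS+
# authorization reply carrying the ACS "shell:<Context>*<Role> <Domain>"
# attribute is read by the ACE, and why "=" (mandatory) breaks other devices.
AV_PAIR = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av_pair(pair: str) -> dict:
    """Split 'attr=value' (mandatory) or 'attr*value' (optional)."""
    m = AV_PAIR.match(pair.strip())
    if not m:
        raise ValueError(f"malformed AV pair: {pair!r}")
    attr, sep, value = m.groups()
    return {"attr": attr, "value": value, "mandatory": sep == "="}


def ace_role_for_context(av_pairs, context: str):
    """Return (role, [domains]) the ACE would apply for `context`, or None.
    Assumption (beyond the deck): several space-separated domains may
    follow the role; the deck only shows 'default-domain'."""
    for raw in av_pairs:
        p = parse_av_pair(raw)
        if p["attr"] != f"shell:{context}":
            continue
        role, *domains = p["value"].split()
        return role, domains
    return None


def generic_device_accepts(av_pairs, known_attrs=("priv-lvl",)) -> bool:
    """A non-ACE device ignores optional attributes it does not understand
    but must fail authorization on an unknown mandatory one (RFC 8907).
    `known_attrs` is a constructed stand-in for a real device's list."""
    for raw in av_pairs:
        p = parse_av_pair(raw)
        if p["mandatory"] and p["attr"] not in known_attrs:
            return False
    return True


# Constructed authorization replies for the deck's 'aceadmin' user.
REPLY_OPTIONAL = ["shell:Cnt1*Admin default-domain"]   # works everywhere
REPLY_MANDATORY = ["shell:Cnt1=Admin default-domain"]  # breaks other devices
```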
Create the ACE TACACS+ Client on ACS
[Screenshot: ACS AAA client configuration, callouts 1-4]
1. Source IP address of ACE AAA traffic.
2. Be sure to create a second client for the redundant ACE if necessary.
3. Key entered will also be used in the ACE configuration.
4. Specify TACACS+ Authentication.
   • Each AAA transaction will occur using a separate TCP connection. Check this box if you would like them to use a single TCP connection.
Configure TACACS+ on the ACE(s)
ACE-1/Cnt1# config
ACE-1/Cnt1(config)# tacacs-server key cisco123
ACE-1/Cnt1(config)# tacacs-server host 130.10.0.55
ACE-1/Cnt1(config)# tacacs-server host 130.10.0.56
ACE-1/Cnt1(config)# tacacs-server host 130.10.0.57 key password123
ACE-1/Cnt1(config)# aaa group server tacacs+ acs-servers
ACE-1/Cnt1(config-tacacs+)# server 130.10.0.55
ACE-1/Cnt1(config-tacacs+)# server 130.10.0.56
ACE-1/Cnt1(config-tacacs+)# exit
ACE-1/Cnt1(config)# aaa authentication login default group acs-servers local
ACE-1/Cnt1(config)# aaa accounting default group acs-servers local
ACE-1/Cnt1(config)# exit
ACE-1/Cnt1# copy run start
Notes:
The global TACACS+ key is used with all servers that do not have a key configured, such as .55 and .56. Note that .57 has a unique key defined, which will be used for that server.
Create a group for the TACACS+ servers and add the member servers.
Configure the ACE to use the servers in this TACACS+ server group for AAA. Note that the ‘local’ keyword at the end means that the local user database on the ACE is used for authentication ONLY if neither TACACS+ server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.
TACACS+ Config on the ACE(s)
tacacs-server key 7 "fewhg123"
tacacs-server host 130.10.0.55
tacacs-server host 130.10.0.56
tacacs-server host 130.10.0.57 key 7 "swwxoomi123"
aaa group server tacacs+ acs-servers
server 130.10.0.55
server 130.10.0.56
aaa authentication login default group acs-servers local
aaa accounting default group acs-servers local
Although keys are entered in clear-text, they are encrypted in the config.
ACE with RADIUS using ACS
Create the RADIUS User on ACS Server
[Screenshot: ACS user configuration, callouts 1-3]
Create the ACE RADIUS Client on ACS
[Screenshot: ACS AAA client configuration, callouts 1-4]
1. Source IP address of ACE AAA traffic.
2. Be sure to create a second client for the redundant ACE if necessary.
3. Key entered will also be used in the ACE configuration.
4. Specify RADIUS Authentication.
Configure RADIUS on the ACE(s)
ACE-1/Cnt1# config
ACE-1/Cnt1(config)# radius-server host 130.10.0.55 key cisco123
ACE-1/Cnt1(config)# radius-server host 130.10.0.56 key cisco123
ACE-1/Cnt1(config)# aaa group server radius radius-farm
ACE-1/Cnt1(config-radius)# server 130.10.0.55
ACE-1/Cnt1(config-radius)# server 130.10.0.56
ACE-1/Cnt1(config-radius)# exit
ACE-1/Cnt1(config)# aaa authentication login default group radius-farm local
ACE-1/Cnt1(config)# aaa accounting default group radius-farm
ACE-1/Cnt1(config)# exit
ACE-1/Cnt1# copy run start
Notes:
RADIUS servers configured with keys. Alternately, a global key could be configured as shown in the TACACS+ configuration example.
Create a group for the RADIUS servers and add the member servers.
Configure the ACE to use the servers in this RADIUS server group for AAA. Note that the optional ‘local’ keyword at the end means that the local user database on the ACE is used for authentication ONLY if neither RADIUS server in the group can be reached. The local user database will NOT be consulted if the authentication is rejected.
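The TACACS+ and RADIUS notes above describe the same method-list rule for "aaa authentication login default group <servers> local": the local database is a fail-over for unreachable servers, never a second chance after a reject. The following Python is an added example (not ACE code) that simulates that rule; the server behaviour, addresses and credentials are constructed.

```python
# Added example, not from the original deck: simulates the ACE method list
# "aaa authentication login default group <servers> local". The local user
# database is consulted only when every server in the group fails to answer;
# an explicit reject from any server is final. All data here is constructed.
from typing import Callable, Optional

# A server is a function returning True (accept), False (reject) or
# None (no response / unreachable).
Server = Callable[[str, str], Optional[bool]]


def unreachable(_user: str, _pw: str) -> Optional[bool]:
    """Constructed stand-in for a server that never answers."""
    return None


def make_acs(users: dict) -> Server:
    """Constructed ACS stand-in: accept only an exact credential match."""
    def check(user: str, pw: str) -> Optional[bool]:
        return users.get(user) == pw
    return check


def login(user: str, pw: str, group: list, local_users: dict) -> str:
    """Return 'accept:<source>' or 'reject:<source>' per the method-list rule."""
    for name, server in group:
        verdict = server(user, pw)
        if verdict is None:
            continue  # no answer: try the next server in the group
        # The first server that answers decides; local is never consulted.
        return f"{'accept' if verdict else 'reject'}:{name}"
    # Every server in the group was unreachable: fall back to the local database.
    if local_users.get(user) == pw:
        return "accept:local"
    return "reject:local"


# Constructed data mirroring the deck's scenario (aceadmin exists only on ACS).
ACS_USERS = {"aceadmin": "s3cret"}
LOCAL_USERS = {"admin": "localpw"}
GROUP_UP = [("130.10.0.55", make_acs(ACS_USERS)), ("130.10.0.56", make_acs(ACS_USERS))]
GROUP_HALF = [("130.10.0.55", unreachable), ("130.10.0.56", make_acs(ACS_USERS))]
GROUP_DOWN = [("130.10.0.55", unreachable), ("130.10.0.56", unreachable)]
```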
RADIUS Config on the ACE(s)
radius-server host 130.10.0.55 key 7 "fewhg123" authentication accounting
radius-server host 130.10.0.56 key 7 "fewhg123" authentication accounting
aaa group server radius radius-farm
server 130.10.0.55
server 130.10.0.56
aaa authentication login default group radius-farm local
aaa accounting default group radius-farm
Although keys are entered in clear-text, they are encrypted in the config.
Network Capture Screenshots
Configure Wireshark to Decrypt TACACS+
• Edit > Preferences > TACACS+
• Enter the TACACS+ Key
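What Wireshark does with that key, as an added example (not code from the deck): per RFC 8907 the TACACS+ body is XORed with a chained-MD5 pseudo-pad derived from the packet header and the shared key, so a capture plus the key exposes the whole exchange. The header values, session id and START body are constructed; the key reuses the deck's cisco123.

```python
import hashlib
import struct

# Added example, not from the original deck: the TACACS+ body obfuscation
# (RFC 8907) that Wireshark reverses once the shared key is configured.
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = "!BBBBII"  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_i = MD5(... |pad_{i-1})."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:n]


def build_packet(body: bytes, key: bytes, session_id: int,
                 seq_no: int = 1, version: int = 0xC0, ptype: int = 1) -> bytes:
    """Header plus body XORed with the pseudo-pad (flags=0: 'encrypted')."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    enc = bytes(b ^ p for b, p in zip(body, pad))
    return struct.pack(HEADER, version, ptype, seq_no, 0, session_id, len(body)) + enc


def decode_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body the way the dissector does with the configured key."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # sent in the clear; nothing to undo
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def user_from_start(body: bytes) -> str:
    """Authentication START: user_len is byte 4, the user string starts at 8."""
    return body[8:8 + body[4]].decode()


# Constructed authentication START body: action LOGIN(1), priv_lvl 1,
# authen_type ASCII(1), service LOGIN(1), user 'aceadmin', no port/rem_addr/data.
USER = b"aceadmin"
START_BODY = struct.pack("!BBBBBBBB", 1, 1, 1, 1, len(USER), 0, 0, 0) + USER
KEY = b"cisco123"  # the deck's example key
SAMPLE_PKT = build_packet(START_BODY, KEY, session_id=0x1A2B3C4D)
```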
TACACS+ Authentication Request
TACACS+ Authentication Response
TACACS+ Authorization Request
The ACE tells the ACS what context the user has logged into so it can now find out what permissions this user has in the context.
TACACS+ Authorization Response
The ACS tells the ACE what role and domain the user has for this context.
TACACS+ Accounting Update
The ACE tells the ACS the time of user login.
TACACS+ Accounting Update
The ACE tells the ACS that the aceadmin user has entered the ‘show user-’ command.
TACACS+ Accounting Update
The ACE tells the ACS the exact time that the aceadmin user logged out.
RADIUS Authentication Request
RADIUS Authentication Response
RADIUS Accounting Update
The ACE tells the ACS the exact time that the aceadmin user logged in.
RADIUS Accounting Update
The ACE tells the ACS the exact time that the aceadmin user entered the ‘show user-acc’ command.
RADIUS Accounting Update
The ACE tells the ACS the exact time that the aceadmin user logged out.
Helpful Resources
BU Escalation Alias
Emergency S1/S2 After Hours Escalation E-page
Design and Feature Questions
ADBU
http://wwwin.cisco.com/dss/adbu/
ANS Samples
http://www-tac.cisco.com/~smerrow/Samples/main.html