NAS Configuration Examples

This appendix provides examples you can apply directly to your own CiscoSecure access control server (ACS). Use the information here to help you configure your CiscoSecure ACS and Cisco network access server (NAS) for RADIUS, Lock and Key security, remote node IP and IPX dialup, ISDN dialup to a Cisco AS5200, and remote node IP dialup.

Configuring Your CiscoSecure ACS and Cisco NAS for RADIUS

Because the CiscoSecure ACS supports the RADIUS protocol, you can configure your network access server for RADIUS and achieve the same, or equivalent, security services as with the TACACS+ protocol.

The sample configuration that follows might be a typical configuration for an ISP with an existing RADIUS installation. In this sample configuration, the Cisco AS5200 can use the same authentication and accounting servers as other vendors' equipment. The result is uniform authentication, authorization, and accounting services, which in turn provides centralized user management as well as accounting records necessary for billing.

You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for RADIUS-based security services.

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname isdn-14
!
aaa new-model
aaa authentication login default none
aaa authentication login console line
aaa authentication login secure radius local
aaa authentication login vty line
aaa authentication ppp default none
aaa authentication ppp secure if-needed radius local
aaa authorization exec radius
aaa authorization network radius
aaa accounting exec start-stop radius
aaa accounting network start-stop radius
!
username backup password radiusISdown
ip radius source-interface Ethernet0
rlogin trusted-remoteuser-source local
rlogin trusted-localuser-source radius
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 171.68.187.254 255.255.255.0
!
interface Ethernet0
 ip address 172.16.25.15 255.255.255.224
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Serial1:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Group-Async1
 ip unnumbered Loopback0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 peer default ip address pool default
 dialer-group 1
 ppp authentication chap pap secure
 group-range 1 48
!
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 peer default ip address pool default
 ppp multilink
 ppp authentication chap pap secure
 dialer-group 1
!
ip local pool default 171.68.187.1 171.68.187.48
ip domain-name cisco.com
ip name-server 171.68.10.70
no ip classless
async-bootp dns-server 171.68.10.70
!
radius-server host 172.16.72.41
radius-server host 172.16.72.42
radius-server timeout 3
radius-server key MYSECRET
!
dialer-list 1 protocol ip permit
!
line con 0
 login authentication console
 password cisco
line 1 48
 session-timeout 15 output
 autoselect during-login
 autoselect ppp
 login authentication secure
 modem InOut
 transport input all
line aux 0
line vty 0 4
 login authentication vty
 password secret
!
end
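As an added check that is not part of the original configuration, the following Python script audits the AAA method lists in a NAS configuration like the one above: it verifies that every "login authentication" and "ppp authentication" reference names a list that "aaa authentication" actually defines, flags lists that use the "none" method, and checks that a "local" fallback has a username to fall back to and that a RADIUS method has a radius-server key. The embedded configuration is a constructed excerpt of the sample, with one line reference deliberately misspelled.

```python
import re

# Constructed excerpt of the RADIUS NAS configuration shown above, with one
# deliberate error (the vty line names a method list that is never defined).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default none
aaa authentication login console line
aaa authentication login secure radius local
aaa authentication login vty line
aaa authentication ppp default none
aaa authentication ppp secure if-needed radius local
username backup password radiusISdown
radius-server host 172.16.72.41
radius-server key MYSECRET
interface Group-Async1
 ppp authentication chap pap secure
line con 0
 login authentication console
line vty 0 4
 login authentication typo
"""

# Keywords that may precede the method-list name on a "ppp authentication" line
PPP_KEYWORDS = {"chap", "pap", "ms-chap", "callin", "one-time"}

def audit_aaa(config):
    """Return a list of findings about the AAA method lists in an IOS config."""
    lists, refs, users, have_key = {}, [], 0, False
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa authentication (login|ppp) (\S+) (.+)", line):
            lists[(m[1], m[2])] = m[3].split()          # defined list -> methods
        elif m := re.match(r"login authentication (\S+)", line):
            refs.append(("login", m[1]))                # reference from a line
        elif m := re.match(r"ppp authentication (.+)", line):
            names = [t for t in m[1].split() if t not in PPP_KEYWORDS]
            refs.append(("ppp", names[0] if names else "default"))
        elif line.startswith("username "):
            users += 1
        elif line.startswith("radius-server key "):
            have_key = True
    findings = []
    for kind, name in refs:
        if (kind, name) not in lists:
            findings.append(f"{kind} list '{name}' is referenced but never defined")
    for (kind, name), methods in lists.items():
        if "none" in methods:
            findings.append(f"{kind} list '{name}' allows access with no authentication")
        if "local" in methods and users == 0:
            findings.append(f"{kind} list '{name}' falls back to local but no username exists")
        if "radius" in methods and not have_key:
            findings.append(f"{kind} list '{name}' uses RADIUS but no radius-server key is set")
    return findings
```

Lines such as "line aux 0" that name no method list fall back to the default list, so a "default none" finding applies to them.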

Configuring Your CiscoSecure ACS and Cisco NAS for Lock and Key

Starting with Cisco IOS Release 11.1 software, the Lock and Key security feature offers an improved security solution (see Figure D-1). Lock and Key security defines dynamic access lists that grant access per user, for a specific source/destination host pair, through a user authentication process.

In essence, you can allow user access through a firewall dynamically, without compromising security restrictions. When a user tries to log in, the CiscoSecure ACS runs the access-enable command. Provided that the user is in an access list, this command uses a configuration template to open a hole in the firewall.


Figure D-1: Lock and Key with CiscoSecure ACS

Lock and Key security is activated after the user has been authenticated by the network's CiscoSecure ACS. The NAS is the authentication mechanism and is responsible for altering the access list for the incoming interface to enable the privileges allowed to that user.

In a typical environment, Lock and Key security puts in place an access control list (ACL) that filters all traffic until the remote user has authenticated with the security mechanism. After authentication, a remote host can execute a Telnet session and open the corporate site firewall. Until then, the firewall is configured to disallow all traffic except Telnet.

In this manner, no ACL entries exist for any port except the Telnet entry. Until the remote user authenticates, access is denied on the port. After authentication, a specific ACL entry is put in place, for that port only, that allows the authenticated user network access beyond the firewall.

Caution: Lock and Key security allows an external event to place an opening in the firewall. Once this opening exists, the router is susceptible to source address spoofing. To prevent this, you need to provide IP authentication or encryption support.

You can enter the following sample configuration to immediately enable Lock and Key with the CiscoSecure ACS. The sample configuration enables Lock and Key functionality on a Cisco 2511. Depending on your NAS and network topology, you might have to modify this sample configuration slightly to meet your exact needs.

NAS "delta" configuration
=========================
! simple tacacs+ configuration. You need EXEC authorization to execute
! the autocommand configured for the user
!
aaa new-model
aaa authentication login default tacacs+
aaa authorization exec tacacs+
!
tacacs-server host 10.10.1.200
tacacs-server key secret
!
! Now configure the access-list. The fixed access list should deny
! traffic except for telnet to the router itself and deny everything
! else. The dynamic part of the access-list determines what access
! the user will have after they have authenticated themselves. In
! this case, the user will have full IP access after authentication.
!
access-list 101 permit tcp any host 10.10.1.254 eq telnet
access-list 101 dynamic temp permit ip any any
!
! Now apply the access-list inbound to the dial-up interfaces
!
int s0:23
 ip access-group 101 in
CiscoSecure database
====================
# match keys with the NAS
key = "secret"
# definition of the lock&key user
user = unlockme {
    # his LOGIN password
    password = clear "key"
    # define user's EXEC authorization profile
    service = exec {
        # this will unlock the access-list for
        # the user for 15 minutes
        set autocmd = "access-enable 15"
    }
}
Full NAS configuration
======================
DEMO1#wr t
Building configuration...
 
Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname Router
!
aaa new-model
aaa authentication login default tacacs+
aaa authorization exec tacacs+
!
interface Ethernet0
 ip address 10.10.1.254 255.255.255.0
!
interface Serial0:23
 ip address 10.10.2.254 255.255.255.0
 ip access-group 101 in
 encapsulation ppp
 dialer map ip 10.10.2.1 name cisco-1004 broadcast
 dialer-group 1
 ppp authentication chap
!
access-list 101 permit tcp any host 10.10.2.254 eq telnet
access-list 101 dynamic temp permit ip any any
tacacs-server host 10.10.1.200
tacacs-server key secret
!
line con 0
line aux 0
line vty 0 4
!
end
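The following Python model, added here and not code from the original document, walks through the Lock and Key sequence described above against access-list 101 of the full configuration: a fixed entry for Telnet to the router, and a dynamic "temp" entry that is inactive until access-enable runs and that expires after the configured timeout. It also models the IOS "host" keyword of access-enable, which restricts the opened entry to the authenticating address; the clock, the inside host 10.10.1.5 and the second dial-in address 10.10.2.7 are constructed for the example.

```python
from datetime import datetime, timedelta

ROUTER = "10.10.2.254"   # Serial0:23 address from the full NAS configuration

class LockAndKeyACL:
    """Simplified model of access-list 101 above: a fixed entry permitting
    Telnet to the router, plus a dynamic 'permit ip any any' entry that
    stays inactive until access-enable runs for an authenticated user."""

    def __init__(self, router=ROUTER):
        self.router = router
        self.dynamic = []  # list of (source restriction or None, expiry time)

    def access_enable(self, source, minutes, now, host_only=False):
        """Model 'autocmd access-enable [host] <minutes>'. host_only=True
        stands for the IOS 'host' keyword, which limits the opened entry
        to the address the user authenticated from."""
        self.dynamic.append((source if host_only else None,
                             now + timedelta(minutes=minutes)))

    def permits(self, src, dst, proto, dport, now):
        """Evaluate one inbound packet; the first matching entry wins."""
        # access-list 101 permit tcp any host <router> eq telnet
        if proto == "tcp" and dst == self.router and dport == 23:
            return True
        # access-list 101 dynamic temp permit ip any any (only while active)
        for allowed, expiry in self.dynamic:
            if now < expiry and (allowed is None or allowed == src):
                return True
        return False  # implicit deny at the end of every IOS access list

def demo():
    """Walk through the sequence the text describes; returns each outcome."""
    t0 = datetime(2024, 1, 1, 9, 0)            # constructed clock
    user, other = "10.10.2.1", "10.10.2.7"       # dial-in user, unrelated host
    inside = "10.10.1.5"                         # constructed protected host
    acl = LockAndKeyACL()
    before = acl.permits(user, inside, "tcp", 80, t0)      # blocked
    telnet = acl.permits(user, ROUTER, "tcp", 23, t0)      # allowed, for login
    acl.access_enable(user, 15, t0)                        # as in the ACS profile
    after = acl.permits(user, inside, "tcp", 80, t0)       # now allowed
    any_src = acl.permits(other, inside, "tcp", 80, t0)    # also allowed: any source
    expired = acl.permits(user, inside, "tcp", 80,
                          t0 + timedelta(minutes=16))      # closed again
    strict = LockAndKeyACL()
    strict.access_enable(user, 15, t0, host_only=True)
    any_src_host = strict.permits(other, inside, "tcp", 80, t0)  # blocked
    return dict(before=before, telnet=telnet, after=after, any_source=any_src,
                expired=expired, any_source_host_only=any_src_host)
```

Even with the host keyword, a packet carrying the authenticated source address is still accepted, which is why the caution above calls for IP authentication or encryption.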

Configuring the CiscoSecure ACS for Remote Node IP and IPX Dialup

In this next example (see Figure D-2), a remote node dials in to a NAS, authenticates by means of the CiscoSecure ACS, and ultimately is authorized on the protected network.


Figure D-2: Address Scheme for Routers Dialing in to the Cisco AS5200

You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP and IPX dialup. Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your exact needs.

Remote Node IP and IPX Dial-Up Configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname AS5200
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authorization exec
aaa authorization network
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
isdn switch-type primary-5ess
!
ipx routing
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.10.2.254 255.255.255.0
 ipx network AAAA
 ipx sap-interval 0
!
interface Ethernet0
 ip address 10.10.1.254 255.255.255.0
 ipx network BBBB
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Serial1:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Group-Async1
 ip unnumbered Loopback0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer-group 1
 no cdp enable
 ppp authentication chap pap
 group-range 1 48
!
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer-group 1
 ppp multilink
 ppp authentication chap pap
!
tacacs-server host 10.10.1.200
tacacs-server key secret
ip local pool default 10.10.2.1 10.10.2.48
!
ipx router rip
 no network AAAA
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
line 1 48
 autoselect during-login
 autoselect ppp
 login local
 modem InOut
 modem autoconfigure type microcom_hdms
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
!
end

Configuring Your CiscoSecure ACS for ISDN Dialup to a Cisco AS5200

You can enter the following sample configuration directly into your NAS to immediately enable CiscoSecure ACS for ISDN dialup to a Cisco AS5200. (See Figure D-3.)


Figure D-3: ISDN Dialup to a Cisco AS5200

Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your exact needs.

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname AS5200
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authorization exec
aaa authorization network
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
isdn switch-type primary-5ess
!
ipx routing
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Loopback0
 ip address 10.10.2.254 255.255.255.0
 ipx network AAAA
 ipx sap-interval 0
!
interface Ethernet0
 ip address 10.10.1.254 255.255.255.0
 ipx network BBBB
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Serial1:23
 ip unnumbered Loopback0
 encapsulation ppp
 isdn incoming-voice modem
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Group-Async1
 ip unnumbered Loopback0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer-group 1
 no cdp enable
 ppp authentication chap pap
 group-range 1 48
!
interface Dialer1
 ip unnumbered Loopback0
 encapsulation ppp
 ipx ppp-client Loopback0
 peer default ip address pool default
 dialer-group 1
 ppp multilink
 ppp authentication chap pap
!
tacacs-server host 10.10.1.200
tacacs-server key secret
ip local pool default 10.10.2.1 10.10.2.48
!
ipx router rip
 no network AAAA
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
line 1 48
 autoselect during-login
 autoselect ppp
 login local
 modem InOut
 modem autoconfigure type microcom_hdms
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
!
end

Configuring CiscoSecure ACS for Remote Node IP Dialup

You can enter the following sample configuration directly into your NAS to immediately enable the CiscoSecure ACS for remote node IP dialup. (See Figure D-4.)


Figure D-4: Remote Node IP Dialup

Depending on your NAS and network topology, you might have to adapt this sample configuration slightly to meet your exact needs.

Current configuration:
!
version 11.1
service udp-small-servers
service tcp-small-servers
!
hostname AS5200
!
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication ppp default if-needed tacacs+
aaa authorization exec
aaa authorization network
aaa accounting exec start-stop tacacs+
aaa accounting network start-stop tacacs+
!
isdn switch-type primary-5ess
!
controller T1 0
 framing esf
 clock source line primary
 linecode b8zs
 pri-group timeslots 1-24
!
controller T1 1
 framing esf
 clock source line secondary
 linecode b8zs
 pri-group timeslots 1-24
!
interface Ethernet0
 ip address 10.10.1.254 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
interface Serial1
 no ip address
 shutdown
!
interface Serial0:23
 ip unnumbered Ethernet0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Serial1:23
 ip unnumbered Ethernet0
 encapsulation ppp
 isdn incoming-voice modem
 peer default ip address pool default
 dialer rotary-group 1
 dialer-group 1
!
interface Group-Async1
 ip unnumbered Ethernet0
 ip tcp header-compression passive
 encapsulation ppp
 async mode interactive
 peer default ip address pool default
 dialer-group 1
 no cdp enable
 ppp authentication chap pap
 group-range 1 48
!
interface Dialer1
 ip unnumbered Ethernet0
 encapsulation ppp
 peer default ip address pool default
 dialer-group 1
 ppp multilink
 ppp authentication chap pap
!
tacacs-server host 10.10.1.200
tacacs-server key secret
ip local pool default 10.10.1.1 10.10.1.48
!
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 0 0
line 1 48
 autoselect during-login
 autoselect ppp
 login local
 modem InOut
 modem autoconfigure type microcom_hdms
 transport input all
 stopbits 1
 rxspeed 115200
 txspeed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
!
end

Copyright 1989-1997 © Cisco Systems Inc.