Chapter 1. Authentication, Authorization, and Accounting Overview


between two routers.

It is overall a very simple process to configure. In fact, it is easily comparable to day-to-day scenarios such as gaining access to golf clubs or sitting in first class on a commercial airline. In each of these situations, you must provide some type of proof as to your right to enter the golf club or sit in a nice comfortable first-class seat.

In each of the following sections, you see more specific details on the functions of AAA. Throughout the course of this book, you learn how to take the functions of AAA and implement a local solution, providing a username and password that is actually stored on a Cisco device, and a network-wide solution, using an external authentication server such as the Cisco Secure Access Control Server (CSACS) for Windows Server and Cisco Access Registrar for the service provider environment.



TIP

AAA is discussed in a number of Requests For Comments (RFCs). RFC 2903 discusses the general AAA architecture. This is an "experimental" RFC. Since then, AAA has been more clearly defined in other RFCs. Other RFCs include RFC 2924, Accounting Attributes and Record Formats; RFC 2975, Introduction to Accounting Management; RFC 2989, Criteria for Evaluating AAA Protocols for Network Access; and RFC 3127, Authentication, Authorization, and Accounting: Protocol Evaluation. A great deal of information on AAA can be obtained at http://www.ietf.org/html.charters/aaa-charter.html.







Authentication Overview

Just as many types of authentication processes take place in today's world, many types of authentication methods can be performed on a Cisco device. An example of an authentication method might be a state-issued driver license or a boarding pass for a specific airline. When the airline attendants request identification for the use of their services, you are prepared with the proper identification. This is the most basic process of AAA. Authentication provides a method for identifying users and includes login and password prompting, challenge and response functions, messaging support, and quite possibly encryption, as well. This authentication action takes place prior to the user being allowed access to any of the network resources.



NOTE

Authentication can take place as an individual process or can be combined with authorization and accounting.



When you configure a Cisco device for authentication, you need to complete a few steps. Although these steps are covered in detail in Chapter 3, "Authentication Configuration on Cisco Routers," a high-level overview is provided here for the configuration of Cisco IOS, CATOS, and PIX OS.

The following steps are performed:

Step 1. Enable the AAA process. Although AAA is a common protocol that is seen in most enterprise networks, the protocol is not enabled by default.

Step 2. Define the location, protocol, and secret key for the server communication.

Step 3. Define a method list for authentication.[1]



A method list defines the type of authentication to be performed and which sequence to perform it in. It is necessary to apply it to an interface before the authentication methods are used. However, one exception to this rule of application exists. A default list exists, named "default," that is applied to all the interfaces provided a specific list is not configured on the interface already.
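The three steps above, carried through on a Cisco IOS router, as an added example that is not from the book. The server address, shared secret, and local username values are constructed placeholders; the TACACS+ protocol, the list name VTY-AUTH, and the vty line range are assumptions for the sake of illustration.

```cisco
! Added example (not from the book). Server address, secret and local
! credentials are placeholders to be replaced in a real deployment.

! Step 1. Enable the AAA process; it is off by default.
aaa new-model

! Step 2. Location, protocol (TACACS+ here) and shared secret of the server.
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET

! Local fallback account and enable secret. "secret" stores a hash; the
! plain "password" form can be read back out of the configuration file.
username local-admin secret REPLACE-WITH-LOCAL-PASSWORD
enable secret REPLACE-WITH-ENABLE-SECRET

! Step 3. Method lists. Methods are tried in the order written: the TACACS+
! group first, the local database only if no server responds. The list
! named "default" needs no explicit application; VTY-AUTH is used only
! where it is referenced.
aaa authentication login default group tacacs+ local
aaa authentication login VTY-AUTH group tacacs+ local
aaa authentication enable default group tacacs+ enable

! Apply the named list to the Telnet lines. Lines without a "login
! authentication" statement fall back to the "default" list.
line vty 0 4
 login authentication VTY-AUTH
```

One caveat worth checking in a lab before relying on it: IOS moves to the next method in a list only when the previous method returns an error (for example, no server reachable), not when the server explicitly rejects the credentials, so "local" here is a fallback for server outages rather than a second chance for a wrong password.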

Once again, this follows the example of the airlines: as users attempt to access a network service, they are given an authentication prompt. The users can then prove that they are who they say they are. In your network environment, this prompt can be served up in a Telnet application, File Transfer Protocol (FTP) application, or web application. You can also use virtual authentication methods such as virtual Hypertext Transfer Protocol (HTTP) and virtual Telnet. Refer to the Cisco Secure PIX Firewall Advanced book for more information.

If users need access to other resources, one of the previously mentioned methods of access must be performed first or an alternative method such as virtual Telnet must be used. This is simply a method of delivering an authentication prompt to the user.

All the methods for authentication on Cisco routers are required to use AAA with the exception of local, line, and enable passwords.



NOTE

By using the term methods here, we are talking about authentication methods. These can include but are not limited to line authentication, enable authentication, and login authentication.



Although you can store an enable password on the device itself, this doesn't scale, and the password can be viewed in the configuration file of the device in clear text unless you use the enable secret option. The other options discussed here for authenticating local, line, and enable passwords will be discussed in greater depth in Chapter 3.



Authentication Example

In this example, your user local-admin is attempting to Telnet to a Cisco router. The Cisco router is configured to request authentication from anyone that attempts to access it via Telnet. As the user enters a password, it is sent as clear text to the router. The router then takes that username and password and places it in a packet that is sent to either an AAA server, such as CSACS, or it compares it to a local username and password that are configured.

A more detailed look at the process is as follows:

Step 1. The client establishes connection with the router.

Step 2. The router prompts the user for their username and password.

Step 3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.



The process is illustrated in Figure 1-1.



Figure 1-1. A Simple Authentication Example



Of course, this is not the best type of authentication to perform because anyone that has access to the network and the path that local-admin is taking from their workstation to the router can see the username and password simply by using some type of "sniffer" software or protocol analyzer. In fact, most protocols don't encrypt the password, while others use weak ciphers and can be susceptible to brute force attacks. More secure methods might include protocols such as the Challenge Handshake Authentication Protocol (CHAP), or even the use of one-time passwords or the use of smart tokens like RSA SecurID or CRYPTOCard. These types of authentication will be discussed in Chapter 11, "System Configuration."



Authorization Overview

To take AAA a step further, imagine that you are about to take a vacation. You are going to take a commercial airline to your vacation hot spot. The airplane has a couple of rows in the front that are very nice, leather, wide, and comfortable. You would prefer to sit here instead of the seats that are farther back, because those are stiff, uncomfortable, and do not offer much legroom. Unfortunately, if you purchased a coach class ticket, you cannot sit in the first-class seat in the front of the plane. Similar to this process is the authorization function of AAA. If you have a "coach" authorized ticket, you cannot access "first-class resources." This information is all kept in the airline's computer and can easily be verified by looking your name up in the computer and referencing the seat assignment.

Authorization is a method of providing certain privileges or rights to remote users for services requested. Support for authorization includes IP, Internetwork Packet Exchange (IPX), AppleTalk Remote Access (ARA), and Telnet. Authorization can be configured to the group that a member is a part of or on an individual user basis. User authorization overrides group authorization. Authorization can be configured locally in some cases or kept on a remote AAA server. The remote server might be easier for administration depending on your network environment. Authorization is the second module of the AAA framework.

The following steps are needed for authorization to take place:

Step 1. AAA assembles a set of attributes based on the services that a user is requesting authorization to perform.

Step 2. These attributes are compared against a database that contains the users' actual permissions.

Step 3. After a user is verified to be, or not to be, authorized, the result is returned to the AAA process.

Step 4. After the preceding step sequence, the AAA process is then able to impose the proper restrictions to the user data.

Step 5. If the users' authorizations are located on a remote server, they are usually determined by comparing to Attribute-Value (AV) pairs, which are discussed in Chapter 13, "Exploring TACACS+ Attribute Values."



A method list configures authentication; a method list is also configured to define methods of authorization. It is necessary to authenticate a user before you can determine what that user is authorized to do. Therefore, authorization requires authentication.



Authorization Example

You can clearly see the process of authorization using the same network example from earlier in the chapter.

Figure 1-2 demonstrates a basic authorization process that can take place, in addition to the authentication process that is seen in the previous example. One difference you might note here is that in the authentication example, only a local authentication is discussed. In this authorization example, an AAA server is added, which includes authorizations. More detail on local authentication versus authentication using a server will be discussed in Chapter 3.



Figure 1-2. Basic Authorization of FTP



In this situation, the following steps take place:

Step 1. To perform authorization, a session is established with an AAA server.

Step 2. The router requests authorization for the requested service from the AAA server.

Step 3. The AAA server returns a PASS/FAIL for authorization.



Again, the method list that is configured determines what authorization is to be performed. The configuration of a method list is discussed in Chapter 3; however, you might want to note that the configuration of a method list for authorization is the same as the method list configuration for authentication as well as accounting.
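Authorization method lists on a Cisco IOS router, in the same method-list shape as the authentication lists, as an added example that is not from the book. The server address and shared secret are constructed placeholders; TACACS+ as the protocol, the privilege level, and the choice of fallback methods are assumptions for illustration.

```cisco
! Added example (not from the book). Placeholder server and secret; the
! "aaa new-model" and server lines are repeated so the block stands alone.
aaa new-model
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET

! EXEC authorization: before a shell is granted, the router asks the server
! whether this user may have one and at what privilege level (Step 2 above).
! The local database is consulted only if no server responds.
aaa authorization exec default group tacacs+ local

! Command authorization: each privilege-15 command is sent to the server,
! which returns PASS or FAIL (Step 3 above) before the router executes it.
! "if-authenticated" lets an already-authenticated user continue if the
! server is unreachable, a trade-off between lockout risk and control.
aaa authorization commands 15 default group tacacs+ if-authenticated

! Network authorization (PPP, SLIP, ARAP): the per-user attributes, such
! as addresses or access lists, come back from the server as AV pairs.
aaa authorization network default group tacacs+

! EXEC and command authorization are not applied to the console unless
! this is configured; leaving it out keeps the console usable when every
! server is down, at the cost of a console that is not centrally authorized.
! aaa authorization console
```

Because authorization only has meaning for a user who has already been identified, every list above sits behind an authentication list; a router with authorization lists but no login authentication list has nothing to authorize.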







Accounting Overview

The final portion of AAA is the accounting module. Accounting can also be explained using an example of the airline industry. As you enter or board the plane, you hand a boarding pass to the agent, and it is scanned through a machine. This accounts for you boarding the plane. As far as the airline is concerned, you were there, and you were on the airplane. AAA accounting is similar. When you access the network, AAA can begin to track any actions you take. Once you authenticate, you were there, as far as the AAA process is concerned.

Accounting in a Cisco environment allows you to track the amount of network resources your users are accessing and the types of services they are using. For example, system administrators might need to bill departments or customers for connection time or resources used on the network (for example, total time connected). AAA accounting allows you to track this activity, as well as suspicious connection attempts into the network.

When you use AAA accounting, the router can send messages either to the AAA server or to a remote SYSLOG server, depending on your configuration. You then have the ability to import the accounting records into a spreadsheet or accounting program for viewing. The CSACS can be used to store these accounting messages, and you can also download these accounting statements in .CSV format or use Open Database Connectivity (ODBC) logging, which is supported in CSACS.

Cisco devices performing accounting can be configured to capture and display accounting data by using the AAA accounting commands including the following: EXEC commands; network services such as SLIP, PPP, and ARAP; and system-level events not associated with users.
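Accounting method lists for the record types just listed (EXEC, commands, network services, and system events), as an added example that is not from the book. The server address and shared secret are constructed placeholders; TACACS+ as the transport, the privilege level, and the start-stop versus stop-only choices are assumptions made for illustration.

```cisco
! Added example (not from the book). Placeholder server and secret; the
! "aaa new-model" and server lines are repeated so the block stands alone.
aaa new-model
tacacs-server host 192.0.2.10 key REPLACE-WITH-SHARED-SECRET

! EXEC sessions: a START record when the shell opens and a STOP record
! with elapsed time when it closes, which is the "total time connected"
! figure used for billing.
aaa accounting exec default start-stop group tacacs+

! Commands: one STOP record per privilege-15 command, carrying the command
! text, so the server holds an audit trail of what each administrator ran.
aaa accounting commands 15 default stop-only group tacacs+

! Network services (PPP, SLIP, ARAP): per-connection byte and packet
! counters arrive in the STOP record.
aaa accounting network default start-stop group tacacs+

! System-level events not tied to a user, such as reloads and accounting
! being switched on or off.
aaa accounting system default start-stop group tacacs+

! Failed login attempts produce no accounting record by default; this makes
! the router send a STOP record for them, so the suspicious connection
! attempts mentioned above appear in the same log as successful sessions.
aaa accounting send stop-record authentication failure
```

When reviewing these records, a session with a START but no matching STOP usually means the router lost the server or was reloaded mid-session rather than that the user is still connected, so reconciliation scripts should pair records by session ID rather than count STOPs alone.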


