AAA Model
Authentication, authorization, and accounting (AAA, pronounced "triple A") provides security to Cisco IOS routers and network devices. AAA provides a method for identifying users who are logged in to a router and have access to servers or concentrators. AAA also identifies the level of access that has been granted to each user and monitors user activity to produce accounting information. As discussed in the previous chapters, access to network data is available via a variety of methods, including the following:
- Dialup connections
- Integrated services digital networks (ISDNs)
- Broadband cable and asymmetric digital subscriber lines (ADSLs)
- Access through the Internet via virtual private networks (VPNs)
The AAA model was designed in such a way that all these access methods can benefit from the AAA security features. The three phases (authentication, authorization, and accounting) ensure that only legitimate users are permitted access, as explained in the following list:
- Authentication: Verification of who you are. Remote users must be authenticated before being permitted access to network resources by confirming their identities.
- Authorization: Control of what you can do. Once the user is identified, the accessible resources are defined by the authorization mechanism.
- Accounting: Tracking what you have done. Timestamps, command history, and type of resources are just a few examples of information collected by the accounting mechanism.
Let's now examine each of the three in a little more detail. Authentication allows users to submit their usernames and passwords through a series of challenges and responses. Once users are authenticated, authorization defines what services in the network the users are permitted to access. The operations permitted may include specific Cisco Internetwork Operating System (IOS) privileged EXEC commands. For example, a user may be allowed to type commands, but only the specific show and debug commands that have been authorized. This is demonstrated later in the chapter through examples. Accounting allows the network administrator to log and view what actions were performed, such as whether a Cisco router was reloaded or the configuration was changed. The accounting function ensures that an audit allows network administrators to view which actions were performed and at what time. The AAA server handles all three functions: authentication, authorization, and accounting. Figure 11-1 displays a typical network setup with a AAA server securing the network.
Figure 11-1. AAA Server Securing the Network

Authentication
Authentication allows administrators to identify who can connect to a router by comparing the usernames and passwords of those seeking access with the usernames and passwords in an authorized list or database. Normally, when a user connects to a router remotely via Telnet, the user needs to supply only a password, and the administrator has no way of knowing the user's username. With AAA authentication, whenever a user logs on, the user must enter a username and a password, which have been assigned by the administrator.

NOTE: The AAA model can be enabled on a Cisco router using the aaa new-model command.

Example 11-1 displays two types of remote access: a remote user accessing a router via Telnet without AAA and a remote user accessing a AAA-configured Cisco router.
Example 11-1. AAA vs. Router Configured Without AAA
Brussels#telnet nonAAA_router
User Access Verification
Password: xxxxxxxx
nonAAA_router>
Brussels#telnet AAA_router
Trying AAA_router (10.1.1.1)... Open
User Access Verification
Username: Gert
Password: xxxxxxxx
AAA_router>
As you can see in Example 11-1, the user must enter a valid username and password to access a AAA-configured Cisco router. Both username and password are set to "Gert" in this case. Typically, a database containing the valid usernames resides on a remote AAA server. Cisco IOS can also create a local database on the router, but this is not a scalable solution. Example 11-2 shows the configuration required to create a local database entry for user Gert.
Example 11-2. Local AAA Database Configured on Cisco IOS Router
AAA_router#configure terminal
AAA_router(config)#username Gert password Gert
AAA_router(config)#
AAA_router#
AAA_router#show running
Building configuration...
Current configuration : 1391 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AAA_router
!
logging queue-limit 100
enable password cisco
!
username Gert password 0 Gert
memory-size iomem 15
aaa new-model
!
AAA_router#show user all
Line User Host(s) Idle Location
* 0 con 0 Gert idle 00:00:00
1 tty 1 00:00:00
2 tty 2 00:00:00
97 aux 0 00:00:00
98 vty 0 00:00:00
99 vty 1 00:00:00
100 vty 2 00:00:00
101 vty 3 00:00:00
102 vty 4 00:00:00
Interface User Mode Idle Peer Address
AAA_router#
Authorization
Authorization is the second step in the AAA process. Authorization allows administrators to control the level of access users have after they have successfully gained access to a device. For the sake of simplicity, this section focuses on accessing a router. Cisco IOS allows certain access levels (also called privilege levels) that control which Cisco IOS commands the user can issue. These levels range from 0 to 15. For example, a user with a privilege level of 0 cannot issue any Cisco IOS commands. A user with a privilege level of 15 can perform all valid Cisco IOS commands. The local database or remote security server (AAA server) can grant the required privilege levels. Remote security servers, such as RADIUS and TACACS+ (which are discussed later in the chapter), authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works by assembling a set of attributes that describe the tasks the user is authorized to perform. These attributes are compared with the information contained in a database for a given user, and the result is returned to the AAA software to determine the user's actual capabilities and restrictions. You can display your privilege level on a Cisco router with the show privilege command. Example 11-3 displays the privilege level when the user has already been authenticated for the AAA_router.
Example 11-3. show privilege Command Output
AAA_router#show privilege
Current privilege level is 15
The higher the privilege level, the more capabilities a user has with the Cisco IOS command set.
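The local database in Example 11-2 stores Gert's password in clear text (username Gert password 0 Gert, with no service password-encryption) and enables aaa new-model without any method lists, so authorization and accounting are never applied. The following configuration is an added illustration, not taken from the chapter: it places that weak fragment beside a hardened local AAA setup covering all three phases. The TACACS+ server address 10.1.1.2, its key, and the passphrases are placeholders.

```cisco
! --- Weak fragment, as in Example 11-2 ---
! Type-0 password is readable in "show running"; no method lists exist,
! so only authentication happens and nothing is authorized or accounted.
no service password-encryption
username Gert password 0 Gert
aaa new-model

! --- Hardened equivalent (added example, not the chapter's own config) ---
! Obscure any remaining type-0 passwords in the running configuration.
service password-encryption
aaa new-model
! Authentication: store the user with an MD5 "secret" (not reversible)
! and bind the privilege level that authorization will hand out.
username Gert privilege 15 secret CHANGE-ME-strong-passphrase
enable secret CHANGE-ME-enable-secret
aaa authentication login default local
! Authorization: grant the EXEC privilege level stored with the username.
aaa authorization exec default local
! Accounting: send EXEC session start/stop and level-15 command records
! to the AAA server (placeholder address and key).
tacacs-server host 10.1.1.2 key PLACEHOLDER-TACACS-KEY
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Apply the default method lists to the remote-access (vty) lines.
line vty 0 4
 login authentication default
 authorization exec default
 accounting exec default
 accounting commands 15 default
```

After logging in as Gert, show privilege should report level 15 as in Example 11-3, and each EXEC session and privileged command produces an accounting record on the server rather than only in the router's local show aaa user all output.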
Accounting
Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users. More specifically, administrators can track which user logged in to which router, which Cisco IOS commands a user issued, and how many bytes were transferred during a user's session. Accounting information can be collected by a router or by a remote security server. For simplicity's sake, the output of the router command is displayed. The case study at the end of the chapter supplies more details on the AAA server output. To display local accounting information on a Cisco router that is collecting accounting information, issue the show aaa user all Cisco IOS command. Example 11-4 displays a sample output when the command is issued on a router named AAA_router.

NOTE: The show accounting command is replaced by the show aaa user all command in Cisco IOS releases version 12.2 and above.
Example 11-4. show aaa user all Command Output
AAA_router#show aaa user all
--------------------------------------------------
Unique id 3 is currently in use.
Accounting:
log=0x18001
Events recorded :
CALL START
INTERIM START
INTERIM STOP
update method(s) :
NONE
update interval = 0
Outstanding Stop Records : 0
Dynamic attribute list:
63517944 0 00000001 connect-progress(30) 4 0
63517958 0 00000001 pre-session-time(237) 4 21(15)
6351796C 0 00000001 elapsed_time(294) 4 0(0)
63517980 0 00000001 pre-bytes-in(233) 4 0(0)
63517994 0 00000001 pre-bytes-out(234) 4 0(0)
635179A8 0 00000001 pre-paks-in(235) 4 0(0)
635179BC 0 00000001 pre-paks-out(236) 4 0(0)
No data for type EXEC
No data for type CONN
NET: Username=(n/a)
Session Id=00000001 Unique Id=00000003
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
63517944 0 00000001 session-id(291) 4 1(1)
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 10
No data for type CALL
Debg: No data available
Radi: No data available
Interface:
TTY Num = 0
Stop Received = 0
Byte/Packet Counts till Call Start:
Start Bytes In = 0 Start Bytes Out = 0
Start Paks In = 0 Start Paks Out = 0
Byte/Packet Counts till Service Up:
Pre Bytes In = 0 Pre Bytes Out = 0
Pre Paks In = 0 Pre Paks Out = 0
Cumulatvie Byte/Packet Counts :
Bytes In = 0 Bytes Out = 0
Paks In = 0 Paks Out = 0
StartTime = 23:24:22 UTC Mar 4 1993
Component = EXEC
Authen: service=LOGIN type=ASCII method=LOCAL
Kerb: No data available
Meth: No data available
Preauth: No Preauth data.
General:
Unique Id = 00000003
Session Id = 00000001
Attribute List:
63517944 0 00000009 interface(150) 4 tty0
63517958 0 00000001 port-type(154) 4 4
6351796C 0 00000009 clid(25) 5 async
PerU: No data available
AAA_router#
In Example 11-4, the different functions for which the accounting code records data are highlighted. The most important accounting function records are
- Network
- EXEC
- Connect
- Command
The Network accounting function monitors dialup and PPP authentication. The EXEC function, as displayed in