AAA Servers
In many circumstances, AAA uses security protocols to administer its security functions. If your router, concentrator, or even PIX is acting as an NAS, AAA is the means through which you establish communication between your NAS and your TACACS+, RADIUS, or Kerberos security server.
TACACS+ Overview
Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password pairing. This section covers only TACACS+ (also referred to as "TACACS plus").
NOTE
Cisco has developed a server application, CiscoSecure Access Control Server (ACS). Cisco ACS is a flexible family of security servers that supports both RADIUS and TACACS+. The Cisco ACS software has many features (logging and debugging, for example), which the case study explores in greater detail.
Trial copies and additional product information on CiscoSecure ACS for Windows NT/2000 or UNIX can be downloaded from the Cisco software center at http://www.cisco.com/public/sw-center/.
Figure 11-2 displays a typical TACACS+ connection request. (This example shows PPP authentication using TACACS+, whereas the previous example showed user exec authentication).
When a TACACS+ server authenticates a remote user, the following events occur, which are illustrated in Figure 11-2:
Step 1. | When the connection is established, the NAS contacts the TACACS+ service to obtain a username prompt, which is then displayed to the user. The user enters a username, and the NAS then contacts the TACACS+ service to obtain a password prompt. The NAS displays the password prompt to the user, the user enters a password, and the password is then sent to the TACACS+ service (steps 1 through 5 in Figure 11-2). | Step 2. | The NAS eventually receives one of the following responses from the TACACS+ daemon:
- -
ACCEPT
The user is authenticated and service may begin. If the NAS is configured to require authorization, authorization begins at this time (step 7 in Figure 11-2).
- -
REJECT
The user fails to authenticate. The user may be denied further access or will be prompted to retry the login sequence, depending on the TACACS+ daemon.
- -
ERROR
An error occurs during authentication. This can be either at the daemon or in the network connection between the daemon and the NAS. If an ERROR response is received, the NAS typically tries to use an alternative method for authenticating the user.
- -
CONTINUE
The user is prompted for additional authentication information.
| Step 3. | A Password Authentication Protocol (PAP) login is similar to an ASCII login, except that the username and password arrive at the NAS in a PAP packet instead of being typed in by the user. Therefore, the user is not prompted. Challenge Handshake Authentication Protocol (CHAP) logins are also similar in principle. | Step 4. | Following authentication, the user is also required to undergo an additional authorization phase, if authorization has been enabled on the NAS. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. | Step 5. | If TACACS+ authorization is required, the TACACS+ daemon is again contacted, and it returns an ACCEPT or REJECT authorization response. If an ACCEPT response is returned, the response contains data in the form of attributes that are used to direct the EXEC, NETWORK, COMMAND, or CONNECT session for that user, determining services that the user can access.
|
Services include the following:
- Telnet, rlogin, PPP, Serial Line Internet Protocol (SLIP), or EXEC services - Connection parameters, including the host or client IP address, access list, and user timeouts
Table 11-1 shows the main TACACS+ characteristics.
Table 11-1. Summary of TACACS+ ProtocolFeatures | Meaning |
|---|
TCP | Packets sent between client and server are TCP. | TCP destination PORT | Port 49. | Attributes | Packet types are defined in TACACS+ frame format as:
Authentication 0x01
Authorization 0x02
Accounting 0x03 | SEQ_NO | The sequence number of the current packet flow for the current session. The SEQ_NO starts with 1, and each subsequent packet increments by one. The client sends only odd numbers. The TACACS+ server sends only even numbers. | Encryption method | Entire packets are encrypted. Data is encrypted using MD5 and a secret key that matches on both the NAS (for example, a Cisco IOS router) and the TACACS+ server. |
Figure 11-3 displays a screenshot of an ACS setup for TACACS+ authentication.
TACACS+ accounting provides an audit record of what commands were completed. When NAS sends a record of commands, the TACACS+ server sends a response acknowledging the accounting record.
RADIUS Overview
RADIUS is a client-server based system that secures a network. RADIUS is a protocol that is implemented in all Cisco devices that send authentication requests to a RADIUS server. RADIUS is defined in RFC 2138/2139.
A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users when using Cisco devices (routers, switches, firewalls, or concentrators).
NOTE
Cisco has developed a server application, CiscoSecure ACS, that supports both RADIUS and TACACS+.
Figure 11-4 displays a typical RADIUS connection request (authentication).
When a RADIUS server authenticates a remote user, the following events occur:
Step 1. | When the connection is established, the NAS contacts the RADIUS daemon to obtain a username prompt, which is then displayed to the user. The user enters a username, and the NAS then contacts the RADIUS daemon to obtain a password prompt. The NAS displays the password prompt to the user, the user enters a password, and the password is then sent to the RADIUS daemon (steps 1 through 6 in Figure 11-4). | Step 2. | When a RADIUS server authenticates a user, the following events occur:
The user is prompted for and enters a username and password. The username and encrypted password are sent over the network to the RADIUS server. The user receives one of the following responses from the RADIUS server: - -
ACCESS-ACCEPT
The user is authenticated.
- -
ACCESS-REJECT
The user is not authenticated and is prompted to reenter the username and password, or access is denied. This response is sent from the RADIUS server when the user enters an invalid username/password pairing.
- -
CHALLENGE
A challenge is issued by the RADIUS server. The challenge collects additional data from the user.
- -
CHANGE-PASSWORD
A request is issued by the RADIUS server, asking the user to select a new password.
|
Services that are accessible for the user include Telnet, rlogin, or local-area transport (LAT) connections, and PPP, SLIP, or EXEC services.
NOTE
RADIUS is commonly used when PPP is used.
The use of a shared secret authenticates transactions between the NAS and the RADIUS server. The username is sent as clear text. RADIUS supports both PAP and CHAP. It is important to realize that a RADIUS server never sends the user's password over the network. If the username and password pairing are entered incorrectly, the RADIUS server sends an ACCESS_REJECT response. The end user must reenter the pairings or the connection is rejected.
RADIUS supports a number of predefined attributes that may be exchanged between client and server, such as the client's IP address. RADIUS attributes carry specific details about authentication. These attribute pairs are also referred to as AV pairs.
RFC 2138 defines a number of attributes. The following bulleted list provides details for the most common attributes:
Attribute type 1Username
Defines usernames such as numeric, simple ASCII characters, or a Simple Mail Transfer Protocol (SMTP) address.
Attribute type 2User Password
Defines the password, which is encrypted using MD5.
Attribute type 3CHAP Password
Only used in access-request packets.
Attribute type 4NAS IP Address
Defines the IP address of the NAS server; used only in access-request packets.
Attribute type 5NAS Port
Indicates the physical port number of the NAS; ranges from 0 to 65535.
Attribute type 6Service Type
Type of service requested; not supported for Cisco devices.
Attribute type 7Protocol
Defines required framing; for example, PPP is defined when this attribute is set to 1 and SLIP is set to 2.
Attribute type 8IP Address
Defines the IP address to be used by the remote user.
Attribute type 9IP Subnet Mask
Defines the subnet mask to be used by the remote user.
Attribute type 10
Defines framed-routing to send and/or listen for routing packets.
Attribute type 13
Defines utilization of framed compression.
Attribute type 19
Defines the Callback ID used to authenticate.
Attribute type 26Vendor specific
Cisco (vendor-ID 9) uses one defined option: vendor type 1 named cisco-avpair; this attribute transmits TACACS+ A/V pairs.
Attribute type 61NAS Port Type
Defines the NAS port type (Async, ISDN Sync, ISDN Async, and Virtual.
Table 11-2 summarizes the main features of RADIUS.
Table 11-2. Summary of RADIUS ProtocolFeatures | Meaning |
|---|
UDP | Packets sent between client and server use the User Datagram Protocol (UDP) primarily because the overhead of the Transmission Control Protocol (TCP) does not allow for significant advantages. Typically, the user can wait for a username and password prompt. | UDP destination PORT | RADIUS uses two sets of ports. The pre-RFC ports of 1645 and 1646 are widely used. Ports 1812 and 1813 are defined in RFC 2138. | Attributes | Attributes are used to exchange information between the NAS and the client. | Model | Client/server-based model, in which packets are exchanged in a unidirectional manner. | Encryption method | Password is encrypted using MD5; the username is not. RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is transmitted in clear text. A third party can capture other information such as username, authorized services, and accounting. | Multiprotocol support | Does not support protocols such as AppleTalk, NetBIOS, or IPX. IP only is supported. |
Figure 11-5 displays a screenshot of an ACS setup for RADIUS authentication
A RADIUS server is usually software that runs on a variety of platforms, including Microsoft NT servers or a UNIX host. RADIUS can be used to authenticate router users, authenticate vendors, and even validate IP routes.
TACACS+ versus RADIUS
Table 11-3 compares the main differences between TACACS+ and RADIUS.
Table 11-3. TACACS+/RADIUS Comparison| | RADIUS | TACACS+ |
|---|
Packet Delivery | UDP | TCP | Packet Encryption | RADIUS encrypts only the password in the access-request packet from the client to the server. | TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. | AAA Support | RADIUS combines authentication and authorization. RADIUS has strong accounting capabilities. | TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting. | Multiprotocol Support | None. | Supports other protocols such as AppleTalk, NetBIOS, and Internet Packet Exchange (IPX). | Router Management | RADIUS does not allow users to control which commands can be executed on a router. | TACACS+ allows network administrators control over which commands can be executed on a router. |
Kerberos
Kerberos is a trusted third-party authentication application layer service (Layer 7 of the OSI model), relying heavily on an authentication technique involving shared secrets. The basic concept is quite simple: If a secret is known by only two people, then either person can verify the identity of the other by confirming that the other person knows the secret.
Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC).
NOTE
Kerberos (or Cerberus) was a figure in classical Greek mythology, a fierce, three-headed dog that guarded the gates of the Underworld. Like Kerberos the guard dog, Kerberos the protocol has three heads: a client, a server, and a trusted third party to mediate between them. The trusted intermediary in the protocol is known as the KDC.
Figure 11-6 displays the authentication process Kerberos uses when a remote client initiates a remote Telnet session. (Kerberos supports Telnet, rlogin, remote shellrsh, and remote copyrcp.)
When Kerberos is used for authentication for a remote user, the following events occur, as shown in Figure 11-6:
Step 1. | User initiates a Telnet session to the router.
| Step 2. | The NAS builds a credential request and sends it to the KDC.
| Step 3. | The KDC decrypts the request and builds a service credential.
| Step 4. | The KDC sends the service credential to the router.
| Step 5. | The router decrypts the service credential.
| Step 6. | The KDC sends the service credential to the user.
| Step 7. | User decrypts the service credential.
| Step 8. | An authenticated Telnet session to the router is established and data exchange can start.
|
The primary use of Kerberos is to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username-and-password authentication mechanism.
The Kerberos credential scheme embodies a concept called "single logon." This process requires authenticating a user once and then allows secure authentication (without encrypting another password) wherever that user's credential is accepted.
NOTE
Starting with Cisco IOS Release 11.2, Cisco IOS software includes Kerberos 5 support, which allows organizations already deploying Kerberos 5 to use the same Kerberos authentication database on their routers that they are already using on their other network hosts (such as UNIX servers and PCs).
Table 11-4 summarizes the key characteristics of Kerberos.
Table 11-4. Characteristics of the Kerberos ProtocolAttribute | Meaning |
|---|
Packet delivery | A number of ports are defined:
TCP/UDP ports 88, 543, 749, and TCP ports 754, 2105, 4444. | Packet encryption | This supports username/password encryption. | Telnet support | Telnet sessions can be encrypted. |
 |
