Es CCNAS v11 Ch03


Authentication, Authorization and Accounting

© 2012 Cisco and/or its affiliates. All rights reserved.


• Managing access to the administrative infrastructure is crucial.
• Methods:
  – Password only
  – Local database
  – AAA local authentication (self-contained AAA)
  – AAA server-based

Network access types and the AAA elements that cover them:

Access Type: Remote administrative access
  Modes: Character mode (line or EXEC mode)
  Server Ports: tty, vty, auxiliary, and console
  Common AAA Command Element: login, exec, and enable commands

Access Type: Remote network access
  Modes: Packet mode (interface mode)
  Server Ports: Dial-up and VPN access including asynchronous and ISDN (BRI and PRI)
  Common AAA Command Element: ppp and network commands

[Figure: password-guessing attempts from the Internet against R1's vty lines]

  User Access Verification
  Password: cisco
  Password: cisco1
  Password: cisco12
  % Bad passwords

  R1(config)# line vty 0 4
  R1(config-line)# password cisco
  R1(config-line)# login

• User EXEC mode or privileged EXEC mode password access is limited and does not scale well.

[Figure: guesses from the Internet (username admin, password cisco) against R1's vty lines, which now require a local username]

  Welcome to SPAN Engineering
  User Access Verification
  Username: Admin
  Password: cisco1
  % Login invalid

  Username: Admin
  Password: cisco12
  % Login invalid

  R1(config)# username Admin secret Str0ng5rPa55w0rd
  R1(config)# line vty 0 4
  R1(config-line)# login local

• Provides more security than a simple password.
• It is a cost-effective and easily implemented security solution.

• The problem with the local database is that it must be replicated on every device…
  – A more scalable solution is to use AAA.

• AAA is an architectural framework for configuring the following:

Authentication – Who are you?
Authorization – How much can you spend?
Accounting – What did you spend it on?

• Cisco IOS routers can implement AAA using:
  – Local username and password database
  – Cisco Secure Access Control Server (ACS)

• Local AAA uses a local database for authentication.
• This method stores usernames and their corresponding passwords locally on the Cisco router, and users authenticate against the local database.
• This database is the same one required to set up role-based CLI.
• Local AAA is ideal for small networks.

• The server-based method uses an external database server resource that uses the RADIUS or TACACS+ protocols.
• Examples include Cisco Secure Access Control Server (ACS) for Windows Server, the Cisco Secure ACS Solution Engine or Cisco Secure ACS Express.
• If there is more than one router, server-based AAA is the more appropriate option.

• Once users have been successfully authenticated against the selected AAA data source (local or server-based), they are authorized to access specific resources on the network.
• Authorization is basically what a user can and cannot do on the network after being authenticated, similar to how privilege levels and role-based CLI give users specific rights and privileges to certain commands on the router.
• In general, authorization is implemented using a server-based AAA solution.

• Accounting collects and reports usage data so that it can be used for auditing or billing.
• The data collected can include the start and end of connections, commands executed, number of packets and number of bytes.
• Accounting is implemented using a server-based AAA solution.
• This service reports usage statistics to the ACS server.
• These statistics can be extracted to create detailed reports about the network configuration.

• Increased flexibility and control of access configuration
• Scalability
• Multiple backup systems
• Standardized authentication methods
  – RADIUS, TACACS+ and Kerberos

• AAA is typically implemented using a dedicated ACS server to store usernames and passwords in a centralized database.
• The information is entered and updated centrally, unlike a local database that must be configured on each router.

• Fault tolerance can be configured as a fallback sequence.
  – Consult a security server ...
  – If that returns an error or no response, consult the local database, ...

• AAA supports standardized security protocols.
  – TACACS+
    • Terminal Access Controller Access Control System Plus
    • Replaces the legacy TACACS and XTACACS protocols
  – RADIUS
    • Remote Authentication Dial-In User Service

Configuring Local AAA Authentication

• Step 1. Add usernames and passwords to the router's local database for the users who require administrative access to the router.

  R1(config)# username alex secret alex12345

• Step 2. Enable AAA globally on the router.

  R1(config)# aaa new-model

• Step 3. Configure the AAA parameters on the router.

  R1(config)# aaa authentication login default local
  R1(config)# aaa local authentication attempts max-fail 3

• Step 4. Confirm the AAA configuration and look for possible problems.

• Specify the type of authentication to configure:
  – Login - enables AAA for logins on TTY, VTYs, and console 0.
  – Enable - enables AAA for EXEC mode access.
  – PPP - enables AAA for logins on PPP (packet transfer).

• The default method list is applied automatically to all interfaces if no other method list is defined.
• A named list must be applied to a specific interface before any of the authentication methods it defines are used.

• Authentication method list - the sequence of methods that will be tried, for example:
  – Pre-defined passwords (e.g., local, enable, or line)
  – Consulting a TACACS+ / RADIUS / Kerberos server(s)

• Use the command in global configuration mode:
  – aaa local authentication attempts max-fail number-of-unsuccessful-attempts
  – To remove the number of unsuccessful attempts that was set, use the no form of this command.

  Router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]

Keyword: number-of-unsuccessful-attempts
  Description: Number of unsuccessful authentication attempts before a connection is dropped.

• To view a list of all locked-out users, use the show aaa local user lockout command in privileged EXEC mode.
• Use the following command to unlock a specific user or to unlock all locked-out users.
  – clear aaa local user lockout {username username | all}
• The login delay command introduces a delay between failed login attempts without locking the account.
  – login delay

  R1# conf t
  R1(config)# username alex secret Str0ngPa55w0rd
  R1(config)# username julio secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default local-case
  R1(config)# aaa local authentication attempts max-fail 3

• A default list or a named list can be defined.
  – A default list is applied automatically to all interfaces if no other method list is defined.
  – A named list must be applied to a specific interface before any of the authentication methods it defines are used.

  R1# conf t
  R1(config)# username alex secret Str0ngPa55w0rd
  R1(config)# username julio secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default local-case enable
  R1(config)# aaa authentication login TELNET-LOGIN local-case
  R1(config)# line vty 0 4
  R1(config-line)# login authentication TELNET-LOGIN

  R1# show aaa local user lockout
  Local-user      Lock time
  JR-ADMIN        04:28:49 UTC Sat Dec 27 2008

  R1# show aaa sessions
  Total sessions since last reload: 4
    Session Id: 1
      Unique Id: 175
      User Name: ADMIN
      IP Address: 192.168.1.10
      Idle Time: 0
      CT Call Handle: 0

  R1# debug aaa ?
    accounting           Accounting
    administrative       Administrative
    api                  AAA api events
    attr                 AAA Attr Manager
    authentication       Authentication
    authorization        Authorization
    cache                Cache activities
    coa                  AAA CoA processing
    db                   AAA DB Manager
    dead-criteria        AAA Dead-Criteria Info
    id                   AAA Unique Id
    ipc                  AAA IPC
    mlist-ref-count      Method list reference counts
    mlist-state          Information about AAA method list state change and notification
    per-user             Per-user attributes
    pod                  AAA POD processing
    protocol             AAA protocol processing
    server-ref-count     Server handle reference counts
    sg-ref-count         Server group handle reference counts
    sg-server-selection  Server Group Server Selection
    subsys               AAA Subsystem
    testing              Info. about AAA generated test packets
  R1# debug aaa

  R1# debug aaa authentication
  113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
  113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
  113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
  113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
  113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
  113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
  113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
  113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
  113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
  113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
  113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
  113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
  113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

AAA is disabled by default in CCP.

Implementing Server-Based AAA Authentication

• The Cisco ACS product family supports:
  – Terminal Access Controller Access Control System Plus (TACACS+)
  – Remote Authentication Dial-In User Service (RADIUS) protocols

• Although both protocols can be used for communication between AAA clients and servers, TACACS+ is considered the more secure of the two.
• This is because all TACACS+ exchanges are encrypted: RADIUS only encrypts the user password. It does not encrypt usernames, accounting information or any other information carried in the RADIUS message.
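The following Python is an added example written for this page (not Cisco's or the course's code) showing the RFC 2865 User-Password hiding the slide refers to: it builds an Access-Request the way a NAS would, so that the User-Name attribute is visible to anyone capturing the packet while only the User-Password attribute is transformed with the shared secret. The username, password and shared secret are the deck's sample values; the Request Authenticator is a constructed constant.

```python
"""RFC 2865 User-Password hiding: added example code for this page, not
Cisco's. It shows why a RADIUS Access-Request hides only the password:
User-Name (and every other attribute) is sent in the clear."""
import hashlib
import os
import struct

ACCESS_REQUEST = 1          # RADIUS Code for Access-Request
ATTR_USER_NAME = 1          # Attribute Type 1
ATTR_USER_PASSWORD = 2      # Attribute Type 2


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16
    octets, then XOR each block with MD5(secret + previous block). The first
    'previous block' is the 16-octet Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1..128 octets of password")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += cipher
        prev = cipher                # chaining uses the ciphertext block
    return bytes(out)


def unhide_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """What the RADIUS server does with the same shared secret: invert the
    transform and drop the NUL padding (passwords do not contain NUL)."""
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret: bytes, username: bytes, password: bytes,
                         identifier: int = 1, authenticator: bytes = None) -> bytes:
    """Assemble the Access-Request a NAS (the router) sends to the server:
    Code, Identifier, Length, Request Authenticator, then the attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(secret, authenticator, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    """What anyone capturing the packet can decode without the secret."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


# Sample values: username, password and shared secret are the slide deck's
# examples; the Request Authenticator is a constructed constant (a real NAS
# picks 16 random octets per request).
SECRET = b"RADIUS-Pa55w0rd"
USERNAME = b"ALEX"
PASSWORD = b"Str0ngPa55w0rd"
AUTHENTICATOR = bytes(range(16))


def demo() -> dict:
    """Return what an on-path observer sees and what the server recovers."""
    packet = build_access_request(SECRET, USERNAME, PASSWORD, authenticator=AUTHENTICATOR)
    seen = parse_attributes(packet)
    return {
        "username_in_clear": seen[ATTR_USER_NAME],
        "password_in_clear": PASSWORD in packet,
        "server_recovers": unhide_password(SECRET, AUTHENTICATOR, seen[ATTR_USER_PASSWORD]),
    }


if __name__ == "__main__":
    print(demo())
```

Because the key stream is MD5 of the shared secret, the strength of the secret configured with radius-server key is what protects the password on the wire; the username and any accounting attributes get no protection at all.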


• Critical factors of TACACS+ include:
  – It is incompatible with TACACS and XTACACS
  – It separates authentication and authorization
  – It encrypts all communications
  – It uses TCP port 49

[Figure: TACACS+ login exchange between the user, the router (AAA client) and the ACS server; each prompt is negotiated with the server]
  1. User -> Router: Connect
  2. Router -> ACS: Username prompt?
  3. ACS -> Router: Use "Username:"
  4. Router -> User: Username:?
  5. User -> Router: ALEX
  6. Router -> ACS: ALEX
  7. Router <-> ACS: Password prompt? / Use "Password:"
  8. Router -> User: Password:?
  9. User -> Router: "Str0ngPa55w0rd"
  10. Router -> ACS: "Str0ngPa55w0rd"
  11. ACS -> Router: Accept/Reject

• Critical factors of RADIUS include:
  – Uses RADIUS proxy servers for scalability
  – Combines RADIUS authentication and authorization into a single process
  – Encrypts only the password
  – Uses UDP
  – Supports remote access technologies, 802.1X and SIP

[Figure: RADIUS login exchange; the router collects both credentials first and sends them in a single request]
  1. Router -> User: Username:?
  2. User -> Router: ALEX
  3. Router -> User: Password:?
  4. User -> Router: Str0ngPa55w0rd
  5. Router -> ACS: Access-Request (ALEX, "Str0ngPa55w0rd")
  6. ACS -> Router: Access-Accept

Cisco Secure ACS

• Today there are many authentication servers on the market:
  – Funk's Steel-Belted RADIUS server
  – Livingston Enterprises' RADIUS Authentication Billing Manager
  – Merit Networks' RADIUS
  – Cisco Secure ACS for Windows Server (ACS)
• Cisco Secure ACS for Windows Server is a single solution that offers AAA for both TACACS+ and RADIUS.

Ease of use
• The web-based user interface simplifies and distributes the configuration of user profiles, group profiles and Cisco Secure ACS settings.

Scalability
• Cisco Secure ACS was built with the capacity to support redundant servers, remote databases, database replication and data backup for large networks.

Extensibility
• LDAP authentication forwarding supports authentication of user profiles stored in directories from leading directory vendors, including Sun, Novell and Microsoft.

Management
• Microsoft Windows Active Directory support consolidates Windows username and password management and uses Windows Performance Monitor for real-time statistics viewing.

Administration
• Different access levels for each Cisco Secure ACS administrator, together with the ability to group network devices, make it easier and more flexible to control enforcement of, and changes to, the security policy across all devices in a network.

Product flexibility
• Cisco Secure ACS is available in three options: Cisco Secure ACS Solution Engine, Cisco Secure ACS Express and Cisco Secure ACS for Windows.

Integration
• Tight coupling with Cisco IOS routers and VPN solutions.

Third-party support
• Cisco Secure ACS offers token server support for any one-time password (OTP) vendor that provides an RFC-compliant RADIUS interface, such as RSA, PassGo, Secure Computing, ActiveCard, Vasco, or CryptoCard.

Control
• Provides dynamic quotas to restrict access based on time of day, network usage, number of logged sessions, and day of the week.

Cisco Secure ACS Express 5.0
  – Entry-level ACS with simplified feature set
  – Support for up to 50 AAA devices and up to 350 unique user ID logins in a 24-hour period

Cisco Secure ACS for Windows can be installed on:
  – Windows 2000 Server with Service Pack 4
  – Windows 2000 Advanced Server with Service Pack 4
  – Windows Server 2003 Standard or Enterprise Edition
  – Windows Server 2008 Standard or Enterprise Edition

Cisco Secure ACS Solution Engine
  – A highly scalable dedicated platform that serves as a high-performance ACS
  – 1RU, rack-mountable
  – Preinstalled with security-hardened Windows software and Cisco Secure ACS software
  – Support for more than 350 users

• ACSv5 Demo
  – http://www.cisco.com/assets/cdc_content_elements/flash/netman/acsv5tacacs/player.html

Configuring Server-Based AAA Authentication

1. Enable AAA by using the global configuration command:
   – aaa new-model
2. Configure security protocol parameters:
   – Server IP address and key
3. Define the authentication method lists using:
   – aaa authentication
4. Apply the method lists to a particular interface or line (if required).
5. Optionally configure authorization using the global command:
   – aaa authorization
6. Optionally configure accounting using the global command:
   – aaa accounting

1. Specify the location of the AAA server that will provide AAA services.
2. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS.

Command: tacacs-server host ip-address single-connection
  Description: Indicates the address of the Cisco Secure ACS server and specifies use of the TCP single-connection feature of Cisco Secure ACS. This feature improves performance by maintaining a single TCP connection for the life of the session between the network access server and the Cisco Secure ACS server, rather than opening and closing TCP connections for each session (the default).

Command: tacacs-server key key
  Description: Establishes the shared secret encryption key between the network access server and the Cisco Secure ACS server.

Command: radius-server host ip-address
  Description: Specifies a RADIUS AAA server.

Command: radius-server key key
  Description: Specifies an encryption key to be used with the RADIUS AAA server.

[Figure: R1 with two AAA servers: 192.168.1.100, Cisco Secure ACS for Windows using RADIUS, and 192.168.1.101, Cisco Secure ACS Solution Engine using TACACS+]

  R1(config)# aaa new-model
  R1(config)# tacacs-server host 192.168.1.101 single-connection
  R1(config)# tacacs-server key TACACS+Pa55w0rd
  R1(config)# radius-server host 192.168.1.100
  R1(config)# radius-server key RADIUS-Pa55w0rd

The figure also shows the single-command form, with the RADIUS ports and key given on the host line:

  R1(config)# radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key WinRadius

  R1(config)# aaa authentication login default ?
    enable         Use enable password for authentication.
    group          Use Server-group
    krb5           Use Kerberos 5 authentication.
    krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
    line           Use line password for authentication.
    local          Use local username authentication.
    local-case     Use case-sensitive local username authentication.
    none           NO authentication.
    passwd-expiry  enable the login list to provide password aging support
  R1(config)# aaa authentication login default group ?
    WORD     Server-group name
    radius   Use list of all Radius hosts.
    tacacs+  Use list of all Tacacs+ hosts.
  R1(config)# aaa authentication login default group

  R1(config)# aaa authentication login default group tacacs+ group radius local-case

Parameter: default
  Description: This command creates a default that is automatically applied to all lines and interfaces, specifying the method or sequence of methods for authentication.

Parameter: group group-name, group radius, group tacacs+
  Description: These methods specify the use of an AAA server. The group radius and group tacacs+ methods refer to previously defined RADIUS or TACACS+ servers. The group-name string allows the use of a predefined group of RADIUS or TACACS+ servers for authentication (created with the aaa group server radius or aaa group server tacacs+ command).
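The Python below is an added example written for this page (a model, not IOS code) of how a login method list such as the one above, group tacacs+ group radius local-case, is walked, together with the fallback rule from the fault-tolerance slide and the lockout that aaa local authentication attempts max-fail 3 and clear aaa local user lockout maintain. Only an ERROR from a method (server unreachable, or, as this model assumes, a username absent from the local database) lets the next method run; a PASS or FAIL is final. The user entries, server reachability and enable secret are constructed sample data.

```python
"""Model of Cisco IOS AAA login method-list evaluation: added example
code written for this page, not IOS code. It reproduces the rule the
slides describe: methods are tried left to right, a later method runs
only when the earlier one returns ERROR, and PASS or FAIL is final."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
Method = Callable[[str, str], str]     # (username, password) -> PASS | FAIL | ERROR


@dataclass
class LocalDatabase:
    """Router-local usernames plus the lockout state that
    'aaa local authentication attempts max-fail N' maintains."""
    users: Dict[str, str]                  # username -> password
    max_fail: int = 3
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def method(self, case_sensitive: bool) -> Method:
        """'local-case' matches usernames exactly; 'local' ignores case."""
        def check(user: str, password: str) -> str:
            if case_sensitive:
                stored = user if user in self.users else None
            else:
                stored = next((u for u in self.users if u.lower() == user.lower()), None)
            if stored is None:
                # Assumption of this model: a username missing from the local
                # database is an ERROR (nothing to decide on), so the next
                # method in the list gets a chance.
                return ERROR
            if stored in self.locked:
                return FAIL                # locked: even the right password fails
            if self.users[stored] == password:
                self.failures.pop(stored, None)
                return PASS
            self.failures[stored] = self.failures.get(stored, 0) + 1
            if self.failures[stored] >= self.max_fail:
                self.locked.add(stored)    # listed by 'show aaa local user lockout'
            return FAIL
        return check

    def clear_lockout(self, username: str = "all") -> None:
        """'clear aaa local user lockout {username U | all}'."""
        for u in (list(self.locked) if username == "all" else [username]):
            self.locked.discard(u)
            self.failures.pop(u, None)


@dataclass
class ServerGroup:
    """A 'group tacacs+' or 'group radius' method. An unreachable server
    returns ERROR, which is what lets IOS fall back to the next method."""
    users: Dict[str, str]
    reachable: bool = True

    def method(self) -> Method:
        def check(user: str, password: str) -> str:
            if not self.reachable:
                return ERROR
            return PASS if self.users.get(user) == password else FAIL
        return check


def enable_method(enable_secret: str) -> Method:
    """The 'enable' method: whatever the username, the enable secret must be given."""
    return lambda _user, password: PASS if password == enable_secret else FAIL


def authenticate(method_list: List[Tuple[str, Method]], user: str, password: str) -> Tuple[str, str]:
    """Walk the list; return the final status and the method that decided it.
    If every method errors, no decision was reached and the login is denied."""
    for name, method in method_list:
        result = method(user, password)
        if result != ERROR:
            return result, name
    return ERROR, ""


# Constructed data modelled on the deck's configuration:
#   aaa authentication login default group tacacs+ group radius local-case
#   aaa authentication login TELNET-LOGIN local-case
LOCAL = LocalDatabase({"alex": "Str0ngPa55w0rd", "julio": "Str0ng5rPa55w0rd"}, max_fail=3)
TACACS = ServerGroup({"alex": "Str0ngPa55w0rd"}, reachable=True)
RADIUS = ServerGroup({}, reachable=False)          # RADIUS server down in this scenario
DEFAULT_LIST = [("group tacacs+", TACACS.method()),
                ("group radius", RADIUS.method()),
                ("local-case", LOCAL.method(case_sensitive=True))]
TELNET_LOGIN = [("local-case", LOCAL.method(case_sensitive=True))]

if __name__ == "__main__":
    print(authenticate(DEFAULT_LIST, "alex", "Str0ngPa55w0rd"))   # decided by TACACS+
    TACACS.reachable = False
    print(authenticate(DEFAULT_LIST, "alex", "Str0ngPa55w0rd"))   # falls through to local-case
```

The practical consequence for the deck's example is that a wrong password rejected by TACACS+ never reaches the local database, whereas an unreachable server silently shifts the decision to whatever is configured after it, which is why the slides insist that the local fallback and its lockout settings be configured with care.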


[Figure: R1 with 192.168.1.100, Cisco Secure ACS for Windows using RADIUS, and 192.168.1.101, Cisco Secure ACS Solution Engine using TACACS+. The figure also shows a second configuration that uses a named list on the vty lines:]

  aaa authentication login default group tacacs+ local
  aaa authentication login VTY group tacacs+
  tacacs-server host 10.0.0.3 single-connection
  tacacs-server key tacacspa55
  line vty 0 4
   login authentication VTY

  R1(config)# aaa new-model
  R1(config)# tacacs-server host 192.168.1.101 single-connection
  R1(config)# tacacs-server key TACACS+Pa55w0rd
  R1(config)# radius-server host 192.168.1.100
  R1(config)# radius-server key RADIUS-Pa55w0rd
  R1(config)# aaa authentication login default group tacacs+ group radius local-case

  R1# debug aaa authentication
  AAA Authentication debugging is on
  R1#
  14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
  14:01:17: TAC+: send AUTHEN/CONT packet
  14:01:17: TAC+ (567936829): received authen response status = PASS
  14:01:17: AAA/AUTHEN (567936829): status = PASS

  R1# debug tacacs ?
    accounting      TACACS+ protocol accounting
    authentication  TACACS+ protocol authentication
    authorization   TACACS+ protocol authorization
    events          TACACS+ protocol events
    packet          TACACS+ packets

  R1# debug radius ?
    accounting      RADIUS accounting packets only
    authentication  RADIUS authentication packets only
    brief           Only I/O transactions are recorded
    elog            RADIUS event logging
    failover        Packets sent upon fail-over
    local-server    Local RADIUS server
    retransmit      Retransmission of packets
    verbose         Include non essential RADIUS debugs
  R1# debug radius

  R1# debug tacacs
  TACACS access control debugging is on
  R1#
  13:53:35: TAC+: Opening TCP/IP connection to 192.168.1.101 using source 192.48.0.79
  13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.1.101 (AUTHEN/START)
  13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.15
  13:53:35: TAC+ (416942312): received authen response status = GETUSER
  13:53:37: TAC+: send AUTHEN/CONT packet
  13:53:37: TAC+: Sending TCP/IP packet number 416942312-3 to 192.168.1.101 (AUTHEN/CONT)
  13:53:37: TAC+: Receiving TCP/IP packet number 416942312-4 from 192.168.60.15
  13:53:37: TAC+ (416942312): received authen response status = GETPASS
  13:53:38: TAC+: send AUTHEN/CONT packet
  13:53:38: TAC+: Sending TCP/IP packet number 416942312-5 to 192.168.1.101 (AUTHEN/CONT)
  13:53:38: TAC+: Receiving TCP/IP packet number 416942312-6 from 192.168.60.15
  13:53:38: TAC+ (416942312): received authen response status = FAIL
  13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15

Server-Based Authorization

• When AAA authorization is not enabled, unrestricted access is allowed to all users. Once authentication is started, by default no one is allowed access.
• This means that the administrator must create a user with unrestricted access rights before authorization is enabled:
  – Failing to do so leaves the administrator with no way into the system the moment the aaa authorization command is entered.
  – The only way to recover from this is to reboot the router.
  – If it is a production router, rebooting may not be an option.
  – Make sure that at least one user has unrestricted access rights.

  Router(config)# aaa authorization type { default | list-name } method1 … [method4]

[Figure: command authorization for user ALEX, decided by the ACS server]
  ALEX enters: show version
  Router -> ACS: Command authorization for user ALEX, command "show version"?
  ACS -> Router: Accept
  Router: displays "show version" output

  ALEX enters: configure terminal
  Router -> ACS: Command authorization for user ALEX, command "config terminal"?
  ACS -> Router: Reject
  Router: does not permit "configure terminal"

  R1(config)# aaa authorization ?
    auth-proxy       For Authentication Proxy Services
    cache            For AAA cache configuration
    commands         For exec (shell) commands.
    config-commands  For configuration mode commands.
    configuration    For downloading configurations from AAA server
    console          For enabling console authorization
    exec             For starting an exec (shell).
    ipmobile         For Mobile IP services.
    multicast        For downloading Multicast configurations from an AAA server
    network          For network services. (PPP, SLIP, ARAP)
    prepaid          For diameter prepaid services.
    reverse-access   For reverse access connections
    template         Enable template authorization
  R1(config)# aaa authorization exec ?
    WORD     Named authorization list.
    default  The default authorization list.
  R1(config)# aaa authorization exec default ?
    group             Use server-group.
    if-authenticated  Succeed if user has authenticated.
    krb5-instance     Use Kerberos instance privilege maps.
    local             Use local database.
    none              No authorization (always succeeds).
  R1(config)# aaa authorization exec default group ?
    WORD     Server-group name
    radius   Use list of all Radius hosts.
    tacacs+  Use list of all Tacacs+ hosts.

Running-config excerpt shown in the figure:

  aaa authorization exec default group tacacs+
  !
  aaa session-id common

  R1# conf t
  R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
  R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default group tacacs+
  R1(config)# aaa authentication login TELNET-LOGIN local-case
  R1(config)# aaa authorization exec default group tacacs+
  R1(config)# aaa authorization network default group tacacs+
  R1(config)# line vty 0 4
  R1(config-line)# login authentication TELNET-LOGIN
  R1(config-line)# ^Z

Server-Based Accounting

• Sometimes companies want to keep a record of the resources that individuals or groups use.
• Examples include a situation in which one department charges other departments for access, or one company provides internal support to another company.
• If, for example, the administrator learns that an employee logs in to the system at midnight, this information can be used to investigate the purpose of the session.
• Another reason for implementing accounting is to build a list of the changes that occur on the network, who made them and the exact nature of the changes.

  Router(config)# aaa accounting type { default | list-name } record-type method1 … [method2]

  R1(config)# aaa accounting ?
    auth-proxy        For authentication proxy events.
    commands          For exec (shell) commands.
    connection        For outbound connections. (telnet, rlogin)
    delay-start       Delay PPP Network start record until peer IP address is known.
    exec              For starting an exec (shell).
    gigawords         64 bit interface counters to support Radius attributes 52 & 53.
    multicast         For multicast accounting.
    nested            When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
    network           For network services. (PPP, SLIP, ARAP)
    resource          For resource events.
    send              Send records to accounting server.
    session-duration  Set the preference for calculating session durations
    suppress          Do not generate accounting records for a specific type of user.
    system            For system events.
    update            Enable accounting update records.
  R1(config)# aaa accounting exec ?
    WORD     Named Accounting list.
    default  The default accounting list.
  R1(config)# aaa accounting exec default ?
    none        No accounting.
    start-stop  Record start and stop without waiting
    stop-only   Record stop when service terminates.
  R1(config)# aaa accounting exec default start-stop ?
    broadcast  Use Broadcast for Accounting
    group      Use Server-group
  R1(config)# aaa accounting exec default start-stop group ?
    WORD     Server-group name
    radius   Use list of all Radius hosts.
    tacacs+  Use list of all Tacacs+ hosts.

  R1# conf t
  R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
  R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  R1(config)# aaa new-model
  R1(config)# aaa authentication login default group tacacs+
  R1(config)# aaa authentication login TELNET-LOGIN local-case
  R1(config)# aaa authorization exec default group tacacs+
  R1(config)# aaa authorization network default group tacacs+
  R1(config)# aaa accounting exec default start-stop group tacacs+
  R1(config)# aaa accounting network default start-stop group tacacs+
  R1(config)# line vty 0 4
  R1(config-line)# login authentication TELNET-LOGIN
  R1(config-line)# ^Z

Running-config excerpt shown in the figure, with a named list VTY for authentication, command authorization and accounting on the vty lines:

  aaa authentication login default group tacacs+ local
  aaa authentication login VTY group tacacs+
  aaa authorization exec default group tacacs+
  aaa accounting exec default start-stop group tacacs+
  aaa accounting commands 15 VTY start-stop group tacacs+

  line vty 0 4
   authorization commands 15 VTY
   authorization exec VTY
   accounting commands 1 VTY
   accounting commands 7 VTY
   accounting commands 15 VTY
   accounting exec VTY
   login authentication VTY