Administration of Cisco Secure Access Control Server

Part of the document ciscopress-ccsp secur exam certification guide (ccsp self-study, 642-501) (Pages 132 - 144)

This part of the book addresses the following exam objectives as posted at Cisco.com:

■ Describe the components of a basic AAA implementation

■ Test the perimeter router AAA implementation using applicable debug commands

■ Describe the features and architecture of CSACS 3.0 for Windows

■ Configure the perimeter router to enable AAA processes to use a TACACS remote service

■ Configure AAA on a Cisco IOS Firewall

This chapter covers the following subjects:

■ Authentication

■ PAP and CHAP Authentication

Chapter 6

Authentication

The identification and verification of users requesting access to a device or network is one of the core objectives of security. Although several methods of authentication are available, it is essential that one or a combination of authentication be used to secure the device or network.

This chapter provides an introduction to the different types of authentication methods that you can use for Cisco devices and networks.

“Do I Know This Already?” Quiz

The purpose of the “Do I Know This Already?” quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now.

The eight-question quiz, derived from the major sections in “Foundation Topics” section of the chapter, helps you determine how to spend your limited study time.

Table 6-1 outlines the major topics discussed in this chapter and the “Do I Know This Already?” quiz questions that correspond to those topics.

Table 6-1 “Do I Know This Already?” Foundation Topics Section-to-Question Mapping

Foundation Topics Section            Questions Covered in This Section
TACACS                               5
RADIUS                               7
CHAP and PAP                         6, 8
Configuring Line Authentication      4
Authentication                       1, 2, 3

1. Which of the following is true? (Choose two.)

a. Authentication provides a method for verifying the identity of users.

b. NAS cannot provide authentication.

c. Usernames and passwords can be stored on NAS.

d. Cisco does not support RADIUS.

2. Which of the following is the least secure method of authentication? (Choose two.)

a. Username/password static

b. Username/password aging

c. Session key one-time password

d. Token cards

3. Which of the following security protocols is not supported by Cisco network devices?

a. TACACS+

b. RADIUS

c. Kerberos

d. TLS

4. Which of the following is the correct command syntax for creating a username and password locally on the NAS?

a. Router(config)#username meron password k0nj0

b. Router#username meron password k0nj0

c. Router(config)#set username meron set password k0nj0

d. Router#set username meron password k0nj0

CAUTION The goal of self-assessment is to gauge your mastery of the topics in this chapter.

If you do not know the answer to a question or are only partially sure of the answer, you should mark this question wrong for purposes of the self-assessment. Giving yourself credit for an answer you correctly guess skews your self-assessment results and might provide you with a false sense of security.


5. Which port is reserved for TACACS+?

a. UDP 1645

b. TCP 1645

c. TCP 49

d. UDP 49

6. Password Authentication Protocol (PAP)

a. Involves a two-way handshake where the username and password are sent across the link in clear text.

b. Sends username and passwords in encrypted format.

c. Involves a one-way handshake.

d. Is not supported by Cisco network devices.

7. Which of the following ports does RADIUS use?

a. UDP 49

b. TCP 1645

c. TCP 49

d. UDP 1645

8. The CHAP authentication protocol

a. Involves a three-way handshake.

b. Involves a one-way handshake.

c. Is not supported by Cisco network devices.

d. Sends password in clear text.

The answers to the “Do I Know This Already?” quiz are found in the appendix. The suggested choices for your next step are as follows:

6 or less overall score—Read the entire chapter. This includes the “Foundation Topics” and “Foundation Summary” sections and the “Q&A” section.

7 or 8 overall score—If you want more review on these topics, skip to the “Foundation Summary” section and then go to the “Q&A” section. Otherwise, move on to the next chapter.

Foundation Topics

Authentication

Authentication provides the method for verifying the identity of users and administrators who are requesting access to network resources, through username and password dialog boxes, challenge and response, token cards, and other methods.

Various types of authentication methods are available today. They range from the simple username and password databases to stronger implementation of token cards and one-time passwords (OTPs).

Table 6-2 lists the authentication methods, from the strongest and most complex to the weakest and simplest.

Table 6-2 Authentication Methods

Token cards and soft tokens: Token cards are small electronic devices. A PIN is given to users. The user authenticates with a combination of the token card and the PIN.

One-time passwords: OTP systems are based on a secret pass-phrase that generates passwords. These are only good for one-time use, and thus guard against eavesdropping attacks, playback attacks, and password attacks.

Username and passwords (with expiration date): The user must change the password because it expires (usually every 30–60 days).

Static username and password database: The password is the same unless changed by the system administrator. Vulnerable to password-cracking programs and other password attacks.

No username and password: This is usually an open invitation to hackers who discover the access method to gain access to the network system.

Configuring Line Password Authentication

You can provide access control on a terminal line by entering the password and establishing password checking. To do so, use the following commands in line configuration mode:

Router(config)# line console 0
Router(config-line)# password password
Router(config-line)# login

The password checker is case-sensitive and can include spaces; for example, the password Secret is different from the password secret, and you can use two words for an acceptable password. You can disable line password verification by disabling password checking. To do so, use the following command in line configuration mode:

Router(config-line)# no login

Configuring Username Authentication

You can create a username-based authentication system, in which a user is prompted for a username and password when attempting to access the network access server (NAS) or router. The username and password database is stored locally on the Cisco NAS device.

To establish username authentication, use the following command in global configuration mode:

Router(config)# username name [nopassword | password password | password encryption-type encrypted-password]

The following example shows the creation of a user named Meron with the password D0wnUnd3r.

Router(config)# username Meron password D0wnUnd3r

A local username and password database works very well for administrative access authentication. For remote-access dial-in users, however, using an external database for authentication may be a better choice.

Remote Security Servers

A remote security database provides uniform remote-access security policies throughout the enterprise. It centrally manages all remote user profiles. Cisco network devices support the following three primary security server protocols:

■ TACACS+

■ RADIUS

■ Kerberos

NOTE A password for a vty line has to be configured for telnet access to work.

NOTE Passwords display in clear text in your configuration unless you enable the service password-encryption command.

TACACS Overview

Terminal Access Controller Access Control System (TACACS) provides a way to centrally validate all users individually before they can gain access to a router or access server. TACACS was derived from the United States Department of Defense and is described in RFC 1492. TACACS is an open protocol and can be ported to most username or password databases. Figure 6-1 shows a TACACS+ server supporting a dialup client.

Figure 6-1 TACACS+ Server Supporting a Dialup User

The Cisco IOS Software implements TACACS to allow centralized control over who can access routers and access servers. Authentication also can be provided for Cisco IOS administration tasks on the routers’ and access servers’ user interfaces. With TACACS enabled, the router or access server prompts the user for a username and a password. Then the router or access server queries a TACACS server to determine whether the user provided the correct corresponding password.

TACACS was originally designed to run on UNIX workstations but can now run on Windows too.

The three current versions of TACACS security server application are as follows:

TACACS—An older access protocol, incompatible with the newer TACACS+ protocol. It provides password checking and authentication and notification of user actions for security and accounting purposes.

XTACACS—An extension to the older TACACS protocol, supplying additional functionality to TACACS. Extended TACACS provides information about protocol translator and router use.

This information is used in UNIX auditing trails and accounting files.

TACACS+—An improved protocol providing detailed accounting information and flexible administrative control over authentication and authorization processes. TACACS+ is facilitated through AAA and can be enabled only through AAA commands.

The TACACS and XTACACS protocols in Cisco IOS Software are officially considered end-of-maintenance and are no longer maintained by Cisco for bug fixes or enhancement.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide authentication, authorization, and accounting services independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The TACACS+ protocol provides authentication between the NAS and the TACACS+ daemon, and it ensures confidentiality because all protocol exchanges between a NAS and a TACACS+ daemon are encrypted, typically using Message Digest 5 (MD5) algorithms. TACACS+ can forward the password types for ARA, SLIP, PAP, CHAP, and standard telnet. Therefore, clients can use the same username and password for different protocols. TCP port 49 is reserved for TACACS+.

RADIUS Overview

RADIUS is a distributed client/server protocol that secures networks against unauthorized access.

RADIUS includes two pieces: an authentication server and client protocols. A NAS operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response that is returned. RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user. The RADIUS servers can act as proxy clients to other kinds of authentication servers. RADIUS uses UDP as the communication protocol between the client and the server on port UDP 1645. Figure 6-2 shows a RADIUS server supporting a dialup client.

Figure 6-2 Dialup Client Supported by a RADIUS Server

RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, could be captured by a third party.

The RADIUS server supports a variety of methods to authenticate a user. When it is provided with the username and original password given by the user, it can support PPP, PAP, CHAP, UNIX login, and other authentication mechanisms.

RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization. RADIUS does perform accounting separately.
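The password hiding the paragraphs above describe, as an added example in Python that is not part of the Cisco Press text: it applies the RFC 2865 section 5.2 method (MD5 of the shared secret and Request Authenticator XORed with the NUL-padded password) and shows that User-Name, the other attribute built here, travels readable. The shared secret, Request Authenticator, username and password are constructed values.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2).

Added example, not from the Cisco Press text. The shared secret, Request
Authenticator, username and password below are constructed sample values.
"""
import hashlib
import os
import struct


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: return the User-Password value carried in an Access-Request.

    Only this attribute is hidden. Each 16-byte block of the NUL-padded password
    is XORed with MD5(secret + previous block); the first "previous block" is
    the 16-byte Request Authenticator from the packet header."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: recover the password. A wrong shared secret yields garbage,
    not an error, so the server still compares the result with its user
    database before answering."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the NUL padding added by the NAS


def access_request_attributes(username: bytes, password: bytes,
                              secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Name (type 1) and User-Password (type 2) as RADIUS TLVs.
    Everything except User-Password is readable by whoever captures the packet."""
    hidden = hide_password(password, secret, authenticator)
    return (struct.pack("!BB", 1, 2 + len(username)) + username
            + struct.pack("!BB", 2, 2 + len(hidden)) + hidden)


if __name__ == "__main__":
    secret, ra = b"constructed-shared-secret", os.urandom(16)
    attrs = access_request_attributes(b"meron", b"k0nj0", secret, ra)
    print("username visible:", b"meron" in attrs, "password visible:", b"k0nj0" in attrs)
```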


When a user attempts to log in and authenticate to an access server using RADIUS, the following steps occur:

1. The user is prompted for and enters a username and password.

2. The username and encrypted password are sent over the network to the RADIUS server.

3. The user receives one of the following responses from the RADIUS server:

ACCEPT—The user is authenticated.

REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.

CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. Table 6-3 shows a brief comparison between TACACS+ and RADIUS.

Table 6-3 Features of TACACS+ and RADIUS Protocols

AAA support
  TACACS+: Authentication, authorization, and accounting services are separate.
  RADIUS: Authentication and authorization are combined, but accounting services are separate.

Transport protocol
  TACACS+: TCP port 49.
  RADIUS: UDP port 1645 (authentication/authorization) and UDP port 1646 (accounting) are the original RFC ports and are still supported. The newer (additional) ports are UDP port 1812 (authentication/authorization) and UDP port 1813 (accounting).

Challenge/response
  TACACS+: Bidirectional.
  RADIUS: Unidirectional.

Protocol support
  TACACS+: Multiprotocol support.
  RADIUS: No NetBEUI, ARA.

Data integrity
  TACACS+: The entire TACACS+ packet is encrypted in MD5.
  RADIUS: Only the user password is encrypted.

Accounting
  TACACS+: Limited.
  RADIUS: Extensive.

Kerberos Overview

The Kerberos protocol was designed by the Massachusetts Institute of Technology to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos keeps a database of its clients and their private keys. The private key is a large number known only to Kerberos and the client it belongs to. In the case that the client is a user, it is an encrypted password.

Network services requiring authentication register with Kerberos, as do clients wanting to use those services. The private keys are negotiated at registration.

Because Kerberos knows these private keys, it can create messages that convince one client that another is really who it claims to be. Kerberos also generates temporary private keys, called session keys, which are given to two clients and no one else. A session key can be used to encrypt messages between two parties.

Kerberos provides three distinct levels of protection. The application programmer determines which is appropriate, according to the requirements of the application. For example, some applications require only that authenticity be established at the initiation of a network connection and can assume that further messages from a given network address originate from the authenticated party.

Other applications require authentication of each message, but do not care whether the content of the message is disclosed. For these, Kerberos provides safe messages. Yet a higher level of security is provided by private messages, where each message is not only authenticated but also encrypted.

Private messages are used, for example, by the Kerberos server itself for sending passwords over the network.

You can find more information on Kerberos at http://web.mit.edu/kerberos/www/.

PAP and CHAP Authentication

Traditionally, remote users dial in to an access server to initiate a PPP session. PPP is the standard encapsulation protocol for the transport of different network protocols across ISDN, serial, or Public Switched Telephone Network (PSTN) connections.

PPP currently supports two authentication protocols: PAP and CHAP. Both are specified in RFC 1334 and are supported on synchronous and asynchronous interfaces. Authentication via PAP or CHAP is equivalent to typing in a username and password when prompted by the server. CHAP is considered to be more secure because the remote user’s password is never sent across the connection.

PAP

Password Authentication Protocol (PAP) involves a two-way handshake where the username and password are sent across the link in clear text. When PAP is enabled, the remote client attempting to connect to the access server is required to send an authentication request. If the username and password specified in the authentication request are accepted, the access server sends an authentication acknowledgment. Figure 6-3 shows the two-handshake process of PAP.

Figure 6-3 Two-Handshake Process of PAP

An example of a PAP authentication on a NAS follows:

Router(config-if)# ppp authentication pap

PAP provides no protection from playback and password attacks. A protocol analyzer could easily capture the password. Although a lot of vendors support PAP, CHAP is the preferred method of authentication because it is more secure.
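As an added example (Python, not from the Cisco Press text) of why CHAP is preferred: the peer proves knowledge of the secret by returning MD5(Identifier || secret || Challenge) as specified in RFC 1994, the access server recomputes the digest from its own copy of the secret, and because every login gets a fresh challenge, a response captured by a protocol analyzer is worthless against the next one. The peer name, secret and challenge are constructed values.

```python
"""PPP CHAP challenge/response with the MD5 algorithm (RFC 1994).

Added example, not from the Cisco Press text. The peer name, shared
secret and challenge bytes are constructed sample values.
"""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5(Identifier || secret || Challenge), RFC 1994 section 2.
    Only this 16-byte digest and the peer name cross the link; the secret
    itself never does."""
    if not 0 <= identifier <= 255:
        raise ValueError("Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Access-server side: knows each peer's secret, tracks one outstanding Challenge."""

    def __init__(self, secrets: dict[bytes, bytes]):
        self.secrets = secrets
        self.identifier = 0
        self.challenge = None

    def issue_challenge(self, size: int = 16) -> tuple[int, bytes]:
        """Send a fresh, unpredictable Challenge under a new Identifier."""
        self.identifier = (self.identifier + 1) % 256
        self.challenge = os.urandom(size)
        return self.identifier, self.challenge

    def verify(self, identifier: int, name: bytes, response: bytes) -> bool:
        """Check a Response. Each Challenge is accepted once, so a captured
        Response cannot be reused once the next Challenge has gone out."""
        if self.challenge is None or identifier != self.identifier:
            return False  # stale, duplicate or unsolicited Response
        secret = self.secrets.get(name)
        if secret is None:
            return False  # unknown peer
        expected = chap_response(identifier, secret, self.challenge)
        self.challenge = None  # consume the Challenge whatever the outcome
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    auth = ChapAuthenticator({b"meron": b"k0nj0"})  # constructed peer and secret
    ident, chal = auth.issue_challenge()
    resp = chap_response(ident, b"k0nj0", chal)     # computed by the dial-in peer
    print("accepted:", auth.verify(ident, b"meron", resp))
    ident2, _ = auth.issue_challenge()
    print("old response against new challenge:", auth.verify(ident2, b"meron", resp))
```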
