
This chapter describes the procedures to configure Secure Shell (SSH) and Authentication, Authorization, and Accounting (AAA) services.
SSH
Secure Shell (SSH) is a secure replacement for the UNIX remote copy (rcp), remote shell (rsh) and remote login (rlogin) utilities.
The entire SSH session is encrypted, including the transmission of user names and passwords, using methods of encryption defined by negotiation between a client and server running the SSH protocol.
SSH is not a replacement for TACACS+, which provides centralized authentication and accounting of users. By comparison, SSH provides a secure method of transmitting information. It provides no authentication, accounting or usage facilities, and is not centralized.
SSH provides:
- Secure connections to the Avici router
- A method of transmitting encrypted data to and from the server
When you enable SSH on the server, the entire system is placed in security mode. All non-SSH sessions are rejected. The only connections allowed when SSH is enabled are SSH sessions and sessions with a directly connected console.
IPriori supports SSH Version 1.2.26.
AAA
Authentication, Authorization, and Accounting (AAA) includes three distinct services:
Authentication is a basic security mechanism used for computers. When you log in to a system, you are in effect authenticating yourself to that system. In networks, it is desirable to have authentication controlled from a central location for all the systems on the network. This service is provided by a server (or set of servers) that is queried any time a user logs on to a device on the network. This way, usernames and passwords can be managed from a central location.
Authorization further extends the idea of centralized security by allowing a network device to query the same server used for authentication each time a user attempts to perform an action (for example, copying files or changing configuration information). This allows a range of users to be on a network, each having explicitly configured access to network services.
Accounting is a method of keeping track of network activity. The same centralized method is used to record a range of activities, from user logins to system warnings. Accounting is used for billing and for tracking the activities of users.
The aaa command is used to enable AAA.
With AAA enabled, when you enter privileged command mode, you will enter the current AAA user's password instead of the Avici router enable password.
TACACS+ Authentication Protocol
AAA uses an authentication protocol to authenticate all login attempts through a central authentication server. The Avici router uses the Terminal Access Controller Access Control System (TACACS+) authentication protocol. Each login attempt is authenticated by the central server before a user can access the Avici router.
When AAA is enabled, the Avici router displays the AAA server login and password prompts. If these prompts are not available, the standard Avici router prompts are displayed.
At the AAA server login prompt, an escape sequence is available to initiate a change of password stored on the AAA server.
The directed-request user login command supports the entering of a fully qualified user and hostname (e.g. xxxxx@tacsrv.yyyyy.com) at the login prompt, providing for the direction of authentication requests to a specific AAA server.
The Avici router supports transparent server re-direction. If multiple AAA servers are available and an AAA server goes down, the user does not have to restart the CLI session; the Avici router authenticates with the next available AAA server without prompting the user for the username and password again.
How SSH and AAA Provide Security
When no security is configured, users connect to the Avici router either directly through the console or through an external client such as telnet. Telnet sessions are insecure. All data is sent unencrypted. When a connection is established, the Avici router simply checks the user list to determine if the session is from an authenticated user.
When SSH is enabled, connections to the Avici router are encrypted, including usernames and passwords. SSH provides authentication using standard password authentication or AAA services (if AAA is enabled). It provides no accounting or usage facilities, and is not centralized.
When AAA is enabled, the CLI requests authentication from an AAA server. If authentication is successful, the AAA server returns a security token to the CLI. The token can then be sent back to the AAA server with a request for accounting services (if enabled).
NOTE Each CLI command entered by an authenticated user is sent to the central AAA server for authorization.
Together, SSH and AAA provide remote authentication, authorization, accounting, and secure connection.
Related Information
Administrators should be familiar with authentication operation and theory before configuring AAA on the Avici router. The following provide additional information:
- RFC 1492 - An access control protocol, sometimes called TACACS; C. Finseth; July 1993
- RFC 1994 - PPP Challenge Handshake Authentication Protocol; W. Simpson; August 1996
- RFC 2179 - Network security for trade shows; A. Gwinn; July 1997
- (Internet Draft) The TACACS+ Protocol Version 1.78; D. Carrel, Lol Grant; January 1997
- (expired Internet Draft) The SSH (Secure Shell) Remote Login Protocol; T. Ylonen; November 1995
Configuring SSH
Use the procedures described in this section to enable SSH on the Avici router.
Checking for Hostname and Domain Name
SSH clients and servers identify the Avici router using either the Avici router's IP address or the Avici router's hostname and domain name. To make configuration simpler, the hostname and domain-name should be configured before SSH is enabled.
PROCEDURE: Use the following procedure to verify that the hostname and domain-name have been configured:
Step 1 Use the show running-config command to determine if a hostname has been configured.
Step 2 Use the show hosts command to determine if a domain name has been configured:
router#show running-config
server-id 1
hostname avicisystem5
.
.
.
router#show hosts
Default domain is avici.com
.
.
.
Step 3 If the hostname is not configured, refer to the hostname command in the "System Administration Commands" chapter of the IPriori Command-Line Reference, Volume 1 for the steps to configure a hostname.
Step 4 If the domain name has not been configured, refer to the ip domain-name command in the "IP Commands" chapter of the IPriori Command-Line Reference, Volume 2 for the steps to configure a domain name.
Configuring Login
SSH requires that standard username and password login is enabled.
PROCEDURE: Use the following steps to configure login:
Step 1 Use the line vty 0 4 command to enter Line Configuration command mode.
Step 2 Use the login command to configure the line so that the Avici router requests a username and password when a user attempts to establish a session.
Step 3 Use the exit command to exit Line Configuration command mode (the example below uses end, which returns directly to privileged command mode):
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line vty 0 4
router(config-line)#login
router(config-line)#end
router#
Configure Usernames or Enable AAA
SSH requires you to specify the names of all users that are allowed access. You can perform this task using one of two methods:
- Use the username command to identify all authorized users.
- Enable AAA services to provide centralized authentication and authorization. Refer to "Configuring AAA" in this chapter.
Configuring Usernames
If no AAA services are configured, use the username command to add a new user for this router.
You must enter both a name and password to establish a new user. You can optionally specify whether the password is encrypted (7) or not (0).
- In the following example, the username commands create five new users:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#username NOCuser1 0 password ATM1159
router(config)#username NOCuser2 0 password RFC1102
router(config)#username NOCuser3 0 password curtis
router(config)#username engineer47 0 password astro
router(config)#username engineer112 0 password fred
NOTE You may also wish to change the admin password at this time for security reasons.
Changing an AAA Server Password
To change a user's AAA password, enter the escape sequence ## at the username prompt when logging in to the Avici router. The telnet session informs you that it received an AAA escape sequence, requests your username, old password, new password and a confirmation of your new password. Once the change is complete, the IPriori executive command mode prompt displays.
Example: The following example initiates a password change with the ## escape sequence and changes the doc1 user password from oldpass to newpass:
Username: ##
Received AAA escape sequence!
Change password, username:doc1
Old Password:oldpass
New Password:newpass
Confirm Password:newpass
router>
Configuring AAA Server Directed Request
Direct user login to a specific AAA server from the login prompt is supported. With this feature enabled, entering a fully qualified user and hostname at the login prompt specifies the host to which AAA requests are directed.
You can enable directed requests using the aaa tacacs directed-request command in configuration mode. You can disable directed requests using the no aaa tacacs directed-request command. Directed-request is disabled by default.
Example: The following commands enable server directed request for this Avici router:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa tacacs directed-request
router(config)#end
router#
Enabling SSH
PROCEDURE: Use the following procedure to enable SSH:
Step 1 Use the ip ssh command to enable Secure Shell.
Step 2 Optionally, use the ip ssh permit telnet command to permit Telnet sessions when SSH is enabled. This is unsecured access.
Step 3 Optionally, use the ip ssh permit ftp command to permit FTP file transfers when SSH is enabled. This is unsecured access.
Step 4 Optionally, use the ip ssh permit unverified_host_keys command to permit unverified host keys when SSH is enabled.
CAUTION Permitting insecure access compromises the security of the Avici router and is not recommended.
- In the following example, the ip ssh command enables SSH on the server:
router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip ssh
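The chapter's prerequisites for SSH (hostname and domain name, vty login), its note on cleartext (type 0) username passwords, the CAUTION about the ip ssh permit options, the requirement for a TACACS+ server encryption key, and the last-resort password setting are all things an operator can check for in a saved running-config. The following audit script is an added example written for this page; it is not Avici or IPriori code. Both configurations it inspects are constructed, the password strings are placeholders, and the line form "ip domain-name <name>" is assumed from the command name the chapter cites.

```python
"""Audit of an IPriori running-config for the settings this chapter
flags as insecure.  Added example, not Avici code: both configs below are
constructed, and the 'ip domain-name <name>' line form is an assumption
based on the command name the chapter cites."""
import re

# constructed: the weak settings the chapter warns about, all in one config
WEAK_CONFIG = """\
server-id 1
hostname avicisystem5
username NOCuser1 0 password ATM1159
username engineer47 7 password 1234abcd
line vty 0 4
 login
ip ssh
ip ssh permit telnet
ip ssh permit unverified_host_keys
aaa
aaa accounting
aaa tacacs host aaaserver1
aaa last-resort
no aaa optional-passwords
"""

# constructed: the same router with each weak setting corrected
HARDENED_CONFIG = """\
server-id 1
hostname avicisystem5
ip domain-name avici.com
username NOCuser1 7 password 1234abcd
line vty 0 4
 login
ip ssh
aaa
aaa accounting
aaa tacacs key avicisystems
aaa tacacs host aaaserver1
aaa last-resort
aaa optional-passwords
"""


def audit_config(config_text):
    """Return a list of (severity, message) findings for a running-config."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    def present(prefix):
        return any(ln.startswith(prefix) for ln in lines)

    for ln in lines:
        # username <name> <0|7> password <pw>: 0 means the password is cleartext
        m = re.match(r"username (\S+) (\d) password ", ln)
        if m and m.group(2) == "0":
            findings.append(("high", f"user {m.group(1)} has a cleartext (type 0) password"))
        # each ip ssh permit option re-opens an unencrypted path (chapter CAUTION)
        m = re.match(r"ip ssh permit (telnet|ftp|unverified_host_keys)$", ln)
        if m:
            findings.append(("high", f"ip ssh permit {m.group(1)} allows unsecured access while SSH is enabled"))

    if "ip ssh" in lines:
        if not present("hostname "):
            findings.append(("medium", "SSH enabled but no hostname configured"))
        if not present("ip domain-name "):
            findings.append(("medium", "SSH enabled but no domain name configured"))
        if present("line vty") and "login" not in lines:
            findings.append(("high", "line vty has no login; SSH requires username/password login"))

    if "aaa" in lines:
        # a global key or a per-host key must exist for the TACACS+ exchange
        has_key = present("aaa tacacs key ") or any(
            re.match(r"aaa tacacs host \S+ key ", ln) for ln in lines)
        if not has_key:
            findings.append(("high", "AAA enabled but no TACACS+ server encryption key defined"))
        # last-resort plus 'no aaa optional-passwords' means no password at all
        if "aaa last-resort" in lines and "no aaa optional-passwords" in lines:
            findings.append(("high", "last-resort authentication configured to require no password"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit_config(cfg))} finding(s)")
        for sev, msg in audit_config(cfg):
            print(f"  [{sev}] {msg}")
```

Running the script reports six findings against WEAK_CONFIG and none against HARDENED_CONFIG; the checks are intentionally limited to lines whose meaning the chapter states, so a real audit would extend the rules rather than relax them.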
Displaying SSH
Use the show ip ssh command to display the SSH configuration:
Example: For example:
router#show ip ssh
Secure Shell service is enabled.
Connection Version Encryption State Username
----------------------------------------------------
0 1.2.27 3des 1 jmiller
1 1.2.27 3des 1 jmiller2
-----------------------------------------------------
The following table describes the fields in the display:
Impact of Enabling SSH
When SSH is enabled, the following CLI commands are affected:
- boot - any permutation using network file transfer
- copy <network> <filename>
- copy <filename> <network>
- configure network
- write - any permutation using network file transfer
Configuring AAA
Use the procedures described in this section to configure AAA services on the Avici router.
Enabling AAA and AAA Accounting
PROCEDURE: Use the following steps to enable AAA and AAA Accounting:
Step 1 Use the aaa command to enable AAA services on the Avici router.
Step 2 Use the aaa accounting command to enable the Avici router to report user activity to the AAA server. The AAA server stores the activity as accounting records in an accounting log.
- In the following example:
- The aaa command enables AAA services on the Avici router.
- The aaa accounting command enables accounting services on the Avici router.
- The show aaa command displays the new setting:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa
router(config)#aaa accounting
router(config)#end
router#show aaa
AAA service: ENABLED
AAA protocol: TACACS+
AAA accounting: ENABLED
.
.
.
Identifying AAA Servers
AAA services operate on the Avici router as a client to a host operating as an AAA server.
You can configure up to five hosts as AAA servers. If you configure multiple servers, AAA searches the server list for an available server in the reversed order in which the servers are defined. You can modify the order in which AAA searches the server list using the aaa policy command.
Use the aaa host command to configure hosts as AAA servers. Repeat the command up to five times to configure up to five hosts.
For this release, only the TACACS+ authentication protocol is supported.
Configuring the AAA Server Encryption Key
You must define a server encryption key. You can define a global encryption key used by all the AAA servers on the server list, or you can define keys specifically for each server.
Use the aaa tacacs key secret command to define the encryption key for all AAA servers.
Use the aaa tacacs host hostname key secret command to define an encryption key only for the specified server.
- In the following example, the aaa tacacs host hostname key secret command configures the encryption key for a single AAA server:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa tacacs host aaaserver4 key avicisystems
AAA Default Settings
IPriori includes a variety of default settings for AAA. You may wish to accept many of these defaults and therefore skip some steps of configuring AAA. The defaults are as follows:
Modifying Default Settings
AAA includes several default values. Refer to "AAA Default Settings." The following section describes the steps to modify the defaults.
Modifying AAA Policy
AAA supports up to five AAA servers. The policy attribute determines how AAA selects a server when multiple servers are configured. There are three policy methods:
- The first-available policy selects the first available AAA server from the list of configured servers. This is the default method.
- The priority policy selects the AAA server based on the server's priority. Server priority is configured using the aaa priority command.
- The round-robin policy selects the AAA server using a round-robin algorithm.
Policy is configured using the aaa policy command.
- In the following example, the aaa policy round-robin command configures AAA services to select an AAA server using a round-robin algorithm, and the show aaa command displays the configuration:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa policy round-robin
router(config)#end
router#show aaa
AAA service :ENABLED
AAA protocol:TACACS+
AAA accounting :ENABLED
AAA server search policy :Round-Robin
.
.
.
Modifying AAA Host Priority
If you configure AAA policy to use the priority method of selecting an AAA server, you must also designate one server as "primary."
If no server is designated as primary, all servers in the server list default to secondary using a first-available policy.
- In the following example:
- The aaa policy priority command configures AAA to select an AAA server based on priority.
- The aaa tacacs host command defines an AAA server (aaaserver1).
- The aaa tacacs host priority command configures the priority of the server as secondary.
- The show aaa command displays the configuration:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa policy priority
router(config)#aaa tacacs host aaaserver1
router(config)#aaa tacacs host aaaserver1 priority secondary
router(config)#end
router#show aaa
.
.
.
AAS Server 1:
Hostname: aaaserver1
TCP/IP port: 49
Priority: secondary
.
.
.
Modifying TCP/IP Port Number
By default, AAA services use TCP port number 49 when connecting to TACACS+.
Use the aaa tacacs port port-number command to globally configure the Avici router to use the specified port for AAA services.
Use the optional host hostname keyword and argument to configure the Avici router to use the specified port when communicating with the specified AAA server.
- In the following example, the aaa tacacs host hostname port port-number command configures the TACACS+ protocol to use port 4 when communicating with AAA server aaaserver2:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa tacacs host aaaserver2 port 4
Modifying AAA Retransmit Attempts
Retransmit attempts specifies the number of times AAA searches the server list for an available AAA server. The default for retransmit attempts is 3. Use the aaa retransmit command to modify the default value.
- In the following example, the aaa retransmit command sets the number of retransmit attempts at 20, and the show aaa command displays the setting:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa retransmit 20
router(config)#end
router#show aaa
AAA service :ENABLED
AAA protocol:TACACS+
AAA accounting :ENABLED
AAA server search policy :Round-Robin
AAA source interface :loopback 0
AAA server timeout:5 seconds
AAA Server retransmit attempts:20
.
.
.
Modifying AAA Source-interface
When the Avici router connects to an AAA server, the AAA server records the time of the connection, the user name, and the IP address of the Avici router. By default, the IP address of the Avici router's ethernet 0 interface is used.
Use the aaa source-interface command to change the interface used for connecting to AAA servers from the default to the loopback 0 interface.
- In the following example, the aaa source-interface loopback 0 command selects the loopback 0 interface as the source interface for AAA, and the show aaa command displays the setting:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa source-interface loopback 0
router(config)#end
router#show aaa
AAA service:ENABLED
AAA protocol:TACACS+
AAA accounting:ENABLED
AAA server search policy:First-Available
AAA source interface:loopback 0
AAA server timeout:5 seconds
AAA Server retransmit attempts:2
Modifying AAA Timeout
AAA timeout is the number of seconds that the local AAA services wait for a response from an AAA server before dropping the connection. The default value for AAA timeout is 5 seconds. Use the aaa timeout command to modify the default value.
- In the following example, the aaa timeout command configures the number of seconds that the local AAA services wait for a response from an AAA server before dropping the connection to 10 seconds, and the show aaa command displays the configuration:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa timeout 10
router(config)#end
router#show aaa
AAA service:ENABLED
AAA protocol:TACACS+
AAA accounting:ENABLED
AAA server search policy:Round-Robin
AAA source interface:loopback 0
AAA server timeout:10 seconds
AAA Server retransmit attempts:2
.
.
.
Configuring Last-Resort
The last-resort method of authentication can be used when no AAA server responds to a request for authentication.
If last-resort authentication is enabled, you must define a last-resort password using the aaa optional-passwords command. You can configure the last-resort password as one of two values:
- aaa optional-passwords configures AAA to use the Avici router system password as the last-resort password.
- no aaa optional-passwords configures AAA to use no password as the last-resort password.
Use the aaa last-resort command to enable last-resort authentication.
Use the [no] aaa optional-passwords command to configure the Avici router to use the system password or no password as the last resort.
- In the following example:
- The aaa last-resort command enables last-resort authentication.
- The no aaa optional-passwords command configures the Avici router to require no password.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa last-resort
router(config)#no aaa optional-passwords
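The selection rules spread across "Modifying AAA Policy", "Modifying AAA Host Priority", "Modifying AAA Retransmit Attempts", "Modifying AAA Timeout", the directed-request login form (user@host) and "Configuring Last-Resort" combine into one search procedure. The following simulation is an added example for this page, not IPriori code: the AaaServer and AaaConfig names, the availability model (a constructed table of per-server response times compared against the timeout), and the choice to honour a directed request only for a configured server are this example's own assumptions, and it interprets the chapter's statements about reverse definition order, secondary-only lists and retransmit passes literally.

```python
"""AAA server selection and failover as described in this chapter
(policy, priority, retransmit attempts, timeout, directed request and
last-resort).  Added example, not IPriori code: the availability model
and the AaaServer/AaaConfig names are this example's own assumptions."""
from dataclasses import dataclass, field
from itertools import cycle


@dataclass
class AaaServer:
    hostname: str
    port: int = 49                   # TACACS+ default port (from the chapter)
    priority: str = "unspecified"    # "primary", "secondary" or "unspecified"


@dataclass
class AaaConfig:
    servers: list                    # in the order the host commands were entered
    policy: str = "first-available"  # chapter default
    retransmit: int = 3              # passes over the server list (chapter default)
    timeout: int = 5                 # seconds to wait per server (chapter default)
    last_resort: bool = False
    optional_passwords: bool = True  # True: system password, False: no password
    directed_request: bool = False
    _rr: object = field(default=None, repr=False)  # round-robin cursor


def search_order(cfg):
    """Servers in the order one pass over the list tries them."""
    if cfg.policy == "first-available":
        # the chapter states the list is searched in reverse definition order
        return list(reversed(cfg.servers))
    if cfg.policy == "priority":
        primary = [s for s in cfg.servers if s.priority == "primary"]
        others = [s for s in cfg.servers if s.priority != "primary"]
        # with no primary designated, every server is secondary and
        # first-available ordering applies to all of them
        return primary + list(reversed(others))
    if cfg.policy == "round-robin":
        if cfg._rr is None:
            cfg._rr = cycle(cfg.servers)
        start = cfg.servers.index(next(cfg._rr))
        return cfg.servers[start:] + cfg.servers[:start]
    raise ValueError(f"unknown policy {cfg.policy!r}")


def authenticate(cfg, login, response_times):
    """Return (outcome, server hostname or None, number of servers contacted).

    login is 'user' or 'user@host'; response_times is a constructed table
    mapping hostname -> seconds until the server answers (None = down).
    A server counts as available when it answers within cfg.timeout."""
    user, _, host = login.partition("@")
    order = search_order(cfg)
    if host and cfg.directed_request:
        # directed request: only a configured server may be the target
        # (restriction chosen for this example, not stated by the chapter)
        order = [s for s in cfg.servers if s.hostname == host]
        if not order:
            return ("rejected", None, 0)
    contacted = 0
    for _ in range(cfg.retransmit):
        for srv in order:                # transparent redirection: no re-prompt
            contacted += 1
            rt = response_times.get(srv.hostname)
            if rt is not None and rt <= cfg.timeout:
                return ("tacacs", srv.hostname, contacted)
    if cfg.last_resort:
        method = "system-password" if cfg.optional_passwords else "no-password"
        return ("last-resort:" + method, None, contacted)
    return ("failed", None, contacted)


def demo():
    """Run each policy against the same constructed outage and return the results."""
    servers = [AaaServer("aaaserver1", priority="primary"),
               AaaServer("aaaserver2"), AaaServer("aaaserver3")]
    # constructed availability: server1 down, server2 too slow, server3 healthy
    times = {"aaaserver1": None, "aaaserver2": 7, "aaaserver3": 2}
    results = {}
    for policy in ("first-available", "priority", "round-robin"):
        results[policy] = authenticate(AaaConfig(servers, policy=policy), "doc1", times)
    cfg = AaaConfig(servers, last_resort=True, optional_passwords=False)
    results["all-down"] = authenticate(cfg, "doc1", {})
    return results


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:16} -> {res}")
```

The "all-down" case shows why the chapter's last-resort settings matter: with every server unreachable, the login is retried retransmit times across the whole list and then falls through to whatever aaa optional-passwords allows, which with the no form is no password at all.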
Displaying AAA
Use the show aaa command to display the AAA configuration and AAA servers.
Example: For example:
router#show aaa
AAA service:ENABLED
AAA protocol:TACACS+
AAA accounting:ENABLED
AAA server search policy:Round-Robin
AAA source interface:loopback 0
AAA server timeout:5 seconds
AAA Server retransmit attempts:20
AAS Server 1:
Hostname: aaaserver1
TCP/IP port: 49
Priority: Primary
AAA Server 2:
Hostname: aaaserver2
TCP/IP port: 49
Priority: unspecified
The following table describes the fields in the display:
Source
File Name: AAA.fm
HTML File Name: AAA.html
Last Updated: 05/30/02 at 13:54:32
Please email suggestions and comments to: doc@avici.com