
This chapter describes the procedures to configure Secure Shell (SSH) and Authentication, Authorization, and Accounting (AAA) services.
SSH
Secure Shell (SSH) is a secure replacement for the UNIX remote copy (rcp), remote shell (rsh) and remote login (rlogin) utilities.
The entire SSH session is encrypted, including the transmission of user names and passwords, using methods of encryption defined by negotiation between a client and server running the SSH protocol.
SSH is not a replacement for TACACS+, which provides centralized authentication and accounting of users. By comparison, SSH provides a secure method of transmitting information. It provides no authentication, accounting or usage facilities, and is not centralized.
SSH provides:
- Secure connections to the Avici router
- A method of transmitting encrypted data to and from the server
When you enable SSH on the server, the entire system is placed in security mode. All non-SSH sessions are rejected. The only connections allowed when SSH is enabled are SSH sessions and sessions with a directly connected console.
IPriori supports SSH Versions 1 and 2.
AAA
Authentication, Authorization, and Accounting (AAA) includes three distinct services:
Authentication is a basic security mechanism used for computers. When you login to system, you are in effect authenticating yourself to that system. In networks, it is desirable to have authentication controlled from a central location for all the systems on the network. This service is provided by a server (or set of servers) that are queried any time a user logs on to a device on the network. This way, usernames and passwords can be managed from a central location.
Authorization further extends the idea of centralized security, by allowing a network device to query the same server used for authentication each time a user attempts to perform an action (i.e. copy files, change configuration information, etc.). This allows a range of users to be on a network, each having explicitly configured access to network services.
Accounting is a method of keeping track of network activity. The same centralized method is used to record a range of activities, from user logins to system warnings. Accounting is used for billing and for tracking the activities of users.
The aaa command is used to enable AAA.
With AAA enabled, when you enter privileged command mode, you will enter the current AAA user's password instead of the Avici router enable password.
TACACS+ Authentication Protocol
AAA uses an authentication protocol to authenticate all login attempts through a central authentication server. The Avici router uses the Terminal Access Controller Access Control System (TACACS+) authentication protocol. Each login attempt is authenticated by the central server before a user can access the Avici router.
When AAA is enabled, the Avici router displays the AAA server login and password prompts. If these prompts are not available, the standard Avici router prompts are displayed.
At the AAA server login prompt, an escape sequence is available to initiate a change of password stored on the AAA server.
The directed-request user login command supports the entering of a fully qualified user and hostname (e.g. xxxxx@tacsrv.yyyyy.com) at the login prompt, providing for the direction of authentication requests to a specific AAA server. The Avici router supports transparent server re-direction. If multiple AAA servers are available, and an AAA server goes down, the user does not have to restart the CLI session; the Avici router authenticates with the next available AAA server without prompting the user for the username and password again.
Radius Authentication Protocol
RADIUS is a protocol for authentication, authorization and accounting (AAA) for a user session with a remote server. IPriori supports both TACACS and RADIUS authentication, authorization and accounting. The RADIUS implementation supports per command authentication capabilities as specified in RFC-2865 and RFC-2866 and authentication and accounting client MIB as specified in RFC-2618 and RFC-2620. The RADIUS implementation supports MD-5 encryption. A log message is generated in the event of a failed authentication attempt between the client and the RADIUS server.
The RADIUS client provides the following functionalities:
- Authenticates and authorizes the user at login
- Provides accounting services
- Encapsulates the authentication/accounting information passed by the application and passes the information on to the designated RADIUS server
- Retransmits the request packet if response is not received from the server within the specified interval of time.
- Processes the responses from the RADIUS server and passes it on to the application
How SSH and AAA Provide Security
When no security is configured, users connect to the Avici router either directly through the console or through an external client such as telnet. Telnet sessions are insecure. All data is sent unencrypted. When a connection is established, the Avici router simply checks the user list to determine if the session is from an authenticated user.
When SSH is enabled, connections to the Avici router are encrypted, including usernames and passwords. SSH provides authentication using standard password authentication or AAA services (if AAA is enabled). It provides no accounting or usage facilities, and is not centralized. IPriori supports SSH versions 1 and 2. SSH version 1 suffers from being a non-standard ad hoc protocol containing problems that could not be fixed without sacrificing backwards compatibility. SSH version 2 moves towards a standardized SSH. The IPriori implementation allows for the configuration of version 1, version 2 or compatibility mode which supports both version 1 and 2. IPriori operates in compatibility mode by default.
When AAA is enabled, the CLI requests authentication from an AAA server. If authentication is successful, the AAA server returns a security token to the CLI. The token can then be sent back to the AAA server with a request for accounting services (if enabled).
NOTE Each CLI command entered by an authenticated user is sent to the central AAA server for authorization.
Together, SSH and AAA provide remote authentication, authorization, accounting, and secure connection.
Related Information
Administrators should be familiar with authentication operation and theory before configuring AAA on the Avici router. The following provide additional information:
- RFC 1492 - An access control protocol, sometimes called TACACS; C. Finseth; July 1993
- RFC 1994 - PPP Challenge Handshake Authentication Protocol; W. Simpson; August 1996
- RFC 2179 - Network security for trade shows; A. Gwinn; July 1997
- (Internet Draft) The TACACS+ Protocol Version 1.78; D. Carrel, Lol Grant; January 1997
- (expired Internet Draft) The SSH (Secure Shell) Remote Login Protocol; T. Ylonen; November 1995
Configuring SSH
Use the procedures described in this section to enable SSH on the Avici router.
Checking for Hostname and Domain Name
SSH clients reach the Avici router's SSH server using either the Avici router's IP address or the Avici router's hostname and domain name. To make configuration simpler, the hostname and domain-name should be configured before SSH is enabled.
PROCEDURE: Use the following procedure to determine that hostname and domain-name have been configured:
Step 1 Use the show running-config command to determine if a hostname has been configured.
Step 2 Use the show hosts command to determine if a domain name has been configured:
router#show running-config
server-id 1
hostname avicisystem5
.
.
.
router#show hosts
Default domain is avici.com
.
.
.
Step 3 If the hostname is not configured, refer to the hostname command in the "System Administration Commands" chapter of the IPriori Command-Line Reference, Volume 1 for the steps to configure a hostname.
Step 4 If the domain name has not been configured, refer to the ip domain-name command in the "IP Commands" chapter of the IPriori Command-Line Reference, Volume 2 for the steps to configure a domain name.
Configuring Login
SSH requires that standard username and password login are enabled.
PROCEDURE: Use the following steps to configure login:
Step 1 Use the line vty 0 4 command to enter Line Configuration command mode.
Step 2 Use the login command to configure the line so that the Avici router requests a username and password when a user attempts to establish a session.
Use the exit command to exit Line Configuration command mode:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#line vty 0 4
router(config-line)#login
router(config-line)#end
router#
Configuring a TACACS Prompt
The prompts for TACACS user name and password can be configured with a user specified string of up to 64 characters for this Avici router. If the TACACS server already has a prompt configured, that configured prompt will display. If no prompt is configured, the default prompt displays. Once new prompts are configured, the newly configured prompt displays when you enable AAA and telnet to the Avici router. If a configured prompt already exists, remove the configured prompt before attempting to enter a new prompt.
Use the aaa username-prompt command to configure a username prompt.
Use the aaa password-prompt command to configure a password prompt.
Use the no aaa username-prompt command to remove a configured username prompt.
Use the no aaa password-prompt command to remove a configured password prompt.
Example: The following example removes already existing username and password AAA prompts and configures new username and password prompts:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#no aaa username-prompt
router(config)#no aaa password-prompt
router(config)#aaa username-prompt "AviciUsername: "
router(config)#aaa password-prompt "AviciPassword: "
router(config)#end
router#
Configuring Privilege Level on the TACACS server
When AAA is enabled and the TACACS AAA authentication default list is enabled for TACACS authentication using the aaa authentication enable default tacacs+ enable command, the entered enable password on the session server is authenticated against the TACACS server. For this authentication to take place, the privilege level for the session server must match the privilege level set for the TACACS server. Authentication privilege level can be modified on a server when entering the enable command using the syntax: enable privilegeLevel. The privilege level specified is between 0 and 15.
Use the show privilege command on the desired server to display the current privilege setting.
Configure Usernames or Enable AAA
SSH requires you to specify the names of all users that are allowed access. You can perform this task using one of two methods:
- Use the username command to identify all authorized users.
- Enable AAA services to provide centralized authentication and authorization. Refer to "Configuring AAA" in this chapter.
Configuring Usernames
If no AAA services are configured, use the username command to add a new user for this router.
You must enter both a name and password to establish a new user. You can optionally specify whether the password is encrypted (7) or not (0).
- In the following example, the username commands create five new users:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#username NOCuser1 0 password ATM1159
router(config)#username NOCuser2 0 password RFC1102
router(config)#username NOCuser3 0 password curtis
router(config)#username engineer47 0 password astro
router(config)#username engineer112 0 password fred
NOTE You may also wish to change the admin password at this time for security reasons.
Changing an AAA Server Password
To change a user's AAA password, enter the escape sequence ## at the username prompt when logging in to the Avici router. The telnet session informs you that it received an AAA escape sequence, requests your username, old password, new password and a confirmation of your new password. Once the change is complete, the IPriori executive command mode prompt displays.
Example: The following example initiates a password change with the ## escape sequence and changes the doc1 user password from oldpass to newpass:
Username: ##
Received AAA escape sequence!
Change password, username:doc1
Old Password:oldpass
New Password:newpass
Confirm Password:newpass
router>
Configuring AAA Server Directed Request
Direct user login to a specific AAA server from the login prompt is supported. With this feature enabled, entering a fully qualified user and hostname at the login prompt specifies the host to which AAA requests are directed.
You can enable directed requests using the aaa tacacs directed-request command in configuration mode. You can disable directed requests using the no aaa tacacs directed-request command. Directed-request is disabled by default.
Example: The following commands enable server directed request for this Avici router:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa tacacs directed-request
router(config)#end
router#
Disabling Telnet and FTP Ports when enabling SSH
In prior releases, enabling Secure Shell (SSH) automatically disabled telnet and FTP ports. Enabling SSH now has no effect on the status of telnet and FTP ports. IPriori supports up to 15 telnet and 15 SSH concurrent sessions. Two commands in global configuration mode provide for enabling and disabling of telnet and FTP ports on an Avici router. These commands are: ip telnet and ip ftp.
The no ip ssh command disconnects any established SSH sessions to the server. The no ip telnet and no ip ftp commands deny new connections but leave established connections untouched.
NOTE Because the ip ssh command no longer automatically disables FTP and telnet ports, the ip ssh permit {ftp | telnet} command is no longer supported. Regardless of the status of SSH, FTP and telnet ports are enabled by default. Use the no ip telnet and no ip ftp commands to disable these ports.
Enabling/Disabling a telnet port
The ip telnet command in configuration mode provides for the enabling and disabling of telnet ports. Telnet ports are enabled by default. Any already connected telnet sessions are not affected by this command. Use the ip telnet command to enable telnet ports on this Avici router. Use the no ip telnet command to disable telnet ports on this Avici router.
Enabling/Disabling an FTP port
The ip ftp command in configuration mode provides for the enabling and disabling of FTP ports. FTP ports are enabled by default. Any already connected FTP sessions are not affected by this command. Use the ip ftp command to enable FTP ports on this Avici router. Use the no ip ftp command to disable FTP ports on this Avici router.
Configuration Examples:
Example 1: The following example enables SSH, disables telnet ports, and disables FTP ports on this Avici router:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip ssh
router(config)#no ip telnet
router(config)#no ip ftp
router(config)#end
router#
Example 2: The following example enables telnet ports, and enables FTP ports on this Avici router:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip telnet
router(config)#ip ftp
router(config)#end
router#
Configuring Session Limits for SSH and Virtual Terminal Sessions
By default up to 15 SSH sessions can be configured on a route controller with session IDs between 0 - 14. The maximum number of sessions for SSH allowed on a route controller can be configured between 0 - 15. Setting the limit to 0 prevents all sessions from being established. The specified session limit is only applied to the current route controller. Configuring a limit smaller than the current number of sessions will not remove an operating session; however, no new sessions are allowed until the number of operating sessions falls below the configured limit.
Use the line ssh session-limit command to configure the maximum number of SSH sessions for this route controller.
Use the no ssh session-limit command to reset the maximum number of SSH sessions for this route controller to the default value.
If a non-default value is configured, the configured value can be displayed using the show running-config command, otherwise the configured value remains 15.
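The following Python model is added here as an illustration; it is not part of the IPriori software or of this manual. It simulates the session-limit rules above together with the port behaviour described in "Disabling Telnet and FTP Ports when enabling SSH": lowering the limit keeps operating sessions, no ip ssh tears down established SSH sessions while no ip telnet and no ip ftp only deny new ones, and only a non-default limit appears in the running config. The class and method names are assumptions chosen to mirror the CLI commands.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_SSH_LIMIT = 15      # chapter default; SSH session IDs run 0-14
MAX_TELNET_SESSIONS = 15    # chapter: up to 15 concurrent telnet sessions


@dataclass
class Session:
    handle: int                   # internal handle, constructed for the model
    proto: str                    # "ssh", "telnet", "ftp" or "console"
    user: str
    ssh_id: Optional[int] = None  # the Connection column of show ip ssh


@dataclass
class RouteController:
    """Assumed model of one route controller's session handling (not Avici code)."""
    ssh_enabled: bool = False
    telnet_enabled: bool = True   # ports are enabled by default, SSH or not
    ftp_enabled: bool = True
    ssh_limit: int = DEFAULT_SSH_LIMIT
    sessions: Dict[int, Session] = field(default_factory=dict)
    next_handle: int = 0

    # ---- configuration commands ---------------------------------------
    def ip_ssh(self, enable: bool = True) -> None:
        """ip ssh / no ip ssh: disabling tears down established SSH sessions."""
        self.ssh_enabled = enable
        if not enable:
            self.sessions = {h: s for h, s in self.sessions.items() if s.proto != "ssh"}

    def ip_telnet(self, enable: bool = True) -> None:
        """ip telnet / no ip telnet: only new connections are affected."""
        self.telnet_enabled = enable

    def ip_ftp(self, enable: bool = True) -> None:
        """ip ftp / no ip ftp: only new connections are affected."""
        self.ftp_enabled = enable

    def line_ssh_session_limit(self, limit: Optional[int]) -> None:
        """line ssh session-limit N; None models the no form (reset to default).
        Lowering the limit never removes an operating session."""
        if limit is None:
            limit = DEFAULT_SSH_LIMIT
        if not 0 <= limit <= 15:
            raise ValueError("session limit must be between 0 and 15")
        self.ssh_limit = limit

    # ---- session handling ---------------------------------------------
    def _count(self, proto: str) -> int:
        return sum(1 for s in self.sessions.values() if s.proto == proto)

    def connect(self, proto: str, user: str) -> Optional[Session]:
        """Attempt a new session; returns None when the router rejects it."""
        enabled = {"ssh": self.ssh_enabled, "telnet": self.telnet_enabled,
                   "ftp": self.ftp_enabled, "console": True}[proto]
        if not enabled:
            return None
        ssh_id = None
        if proto == "ssh":
            if self._count("ssh") >= self.ssh_limit:   # limit 0 rejects everything
                return None
            in_use = {s.ssh_id for s in self.sessions.values() if s.proto == "ssh"}
            ssh_id = min(i for i in range(DEFAULT_SSH_LIMIT) if i not in in_use)
        elif proto == "telnet" and self._count("telnet") >= MAX_TELNET_SESSIONS:
            return None
        sess = Session(self.next_handle, proto, user, ssh_id)
        self.sessions[sess.handle] = sess
        self.next_handle += 1
        return sess

    def disconnect(self, handle: int) -> None:
        self.sessions.pop(handle, None)

    # ---- show commands --------------------------------------------------
    def show_ip_ssh(self) -> List[Tuple[int, str]]:
        """(Connection, Username) rows, like the table under "Displaying SSH"."""
        return sorted((s.ssh_id, s.user) for s in self.sessions.values() if s.proto == "ssh")

    def running_config(self) -> List[str]:
        """Only a non-default session limit is written to the running config."""
        lines = ["ip ssh"] if self.ssh_enabled else []
        if not self.telnet_enabled:
            lines.append("no ip telnet")
        if not self.ftp_enabled:
            lines.append("no ip ftp")
        if self.ssh_limit != DEFAULT_SSH_LIMIT:
            lines.append(f"line ssh session-limit {self.ssh_limit}")
        return lines
```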
Enabling SSH
PROCEDURE: Use the following procedure to enable SSH:
NOTE IPriori provides support for 15 SSH concurrent sessions.
Step 1 Assure that the SSH version is the desired version using the show ip ssh command. Use the ip ssh version command to change the current SSH version for this router.
Step 2 Use the ip ssh command to enable Secure Shell.
Step 3 Optionally, use the ip ssh permit unverified_host_keys command to permit unverified host keys when SSH is enabled.
CAUTION Permitting insecure access compromises the security of the Avici router and is not recommended.
- In the following example, the ip ssh command enables SSH on the server:
router#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#ip ssh
Displaying SSH
Use the show ip ssh command to display the SSH configuration:
Example:
router#show ip ssh
Secure Shell service is enabled.
Connection Version Encryption State Username
----------------------------------------------------
0 1.2.27 3des 1 jmiller
1 1.2.27 3des 1 jmiller2
-----------------------------------------------------
The following table describes the fields in the display:
Impact of Enabling SSH
When SSH is enabled, the following CLI commands are affected:
- boot - any permutation using network file transfer
- copy <network> <filename>
- copy <filename> <network>
- configure network
- write - any permutation using network file transfer
Configuring AAA
Use the procedures described in this section to configure AAA services on the Avici router.
AAA is configured for both the TACACS and RADIUS protocols using the following command set:
The aaa command is used to enable AAA.
The aaa username-prompt command configures a unique username prompt.
The aaa source-interface command specifies the source interface for this client.
The username command provides for the identification of authorized users.
The show aaa command displays AAA settings for both RADIUS and TACACS enabled AAA.
The show running-config command displays all RADIUS server configuration changes.
The aaa policy command sets server policy.
The following commands have been modified for specifying RADIUS AAA in the configuration:
Use the aaa protocol {radius | tacacs} command to enable the specified AAA protocol.
Use the aaa {radius | tacacs} host hostname accounting command to enable accounting for the specified protocol on the specified host.
Use the no aaa {radius | tacacs} host hostname accounting command to disable accounting.
Use the aaa {radius | tacacs} host hostname command to add a host to the server list for the specified protocol.
Use the no aaa {radius | tacacs} host hostname command to remove a server host from the server list.
Use the aaa {radius | tacacs} host hostname key secretKey command to specify a secret key for authentication between the host and the client.
Use the no aaa {radius | tacacs} host hostname key secretKey command to delete a secret key for authentication between the host and the client.
Use the aaa {radius | tacacs} host hostname timeout period command to specify the number of seconds that AAA waits for a response from the AAA server before timing out.
Use the no aaa {radius | tacacs} host hostname timeout command to reset the number of seconds that AAA waits for a response from the AAA server before timing out to the default value.
Use the aaa {radius | tacacs} host hostname retransmit attempts command to specify the number of times AAA services searches the server list for an available AAA server.
Use the no aaa {radius | tacacs} retransmit command to reset the number of times AAA services searches the server list for an available AAA server to its default value.
Use the aaa {radius | tacacs} host hostname priority {primary | secondary} command to specify the priority of a specified host providing the AAA policy has been set to priority.
Enabling AAA and AAA Accounting
PROCEDURE: Use the following steps to enable AAA and AAA Accounting:
Step 1 Use the aaa command to enable AAA services on the Avici router.
Step 2 Use the aaa accounting command to enable the Avici router to report user activity to the AAA server. The AAA server stores the activity as accounting records in an accounting log.
- In the following example:
- The aaa command enables AAA services on the Avici router.
- The aaa accounting command enables accounting services on the Avici router.
- The show aaa command displays the new setting:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa
router(config)#aaa accounting
router(config)#end
router#show aaa
AAA service: ENABLED
AAA protocol: TACACS+
AAA accounting: ENABLED
.
.
.
Identifying AAA Servers
AAA services operate on the Avici router as a client to a host operating as an AAA server.
You can configure up to five hosts as AAA servers. If you configure multiple servers, AAA searches the server list for an available server in the reversed order in which the servers are defined. You can modify the order in which AAA searches the server list using the aaa policy command.
Use the aaa host command to configure hosts as AAA servers. Repeat the command up to five times to configure up to five hosts.
For this release, only the TACACS+ authentication protocol is supported.
Configuring the AAA Server Encryption Key
You must define a server encryption key. You can define a global encryption key used by all the AAA servers on the server list, or you can define keys specifically for each server.
Use the aaa tacacs key secret command to define the encryption key for all AAA servers.
Use the aaa tacacs host hostname key secret command to define an encryption key only for the specified server.
- In the following example, the aaa tacacs host hostname key secret command configures the encryption key for a single AAA server:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa tacacs host aaaserver4 key avicisystems
AAA Default Settings
IPriori includes a variety of default settings for AAA. You may wish to accept many of these defaults and therefore skip some steps of configuring AAA. The defaults are as follows:
Modifying Default Settings
AAA includes several default values. Refer to "AAA Default Settings." The following section describes the steps to modify the defaults.
Modifying AAA Policy
AAA supports up to five AAA servers. The policy attribute determines how AAA selects a server when multiple servers are configured. There are three policy methods:
- The first-available policy selects the first available AAA server from the list of configured servers. This is the default method.
- The priority policy selects the AAA server based on the server's priority. Server priority is configured using the aaa priority command.
- The round-robin policy selects the AAA server using a round-robin algorithm.
Policy is configured using the aaa policy command.
- In the following example, the aaa policy round-robin command configures AAA services to select an AAA server using a round-robin algorithm, and the show aaa command displays the configuration:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa policy round-robin
router(config)#end
router#show aaa
AAA service :ENABLED
AAA protocol:TACACS+
AAA accounting :ENABLED
AAA server search policy :Round-Robin
.
.
.
Modifying AAA Host Priority
If you configure AAA policy to use the priority method of selecting an AAA server, you must also designate one server as "primary."
If no server is designated as primary, all servers in the server list default to secondary using a first-available policy.
- In the following example:
- The aaa policy priority command configures AAA to select an AAA server based on priority.
- The aaa host command defines an AAA server.
- The aaa tacacs host priority command configures the priority of the server as secondary.
- The show aaa command displays the configuration:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa policy priority
router(config)#aaa tacacs host aaaserver1
router(config)#aaa tacacs host aaaserver1 priority secondary
router(config)#end
router#show aaa
.
.
.
AAA Server 1:
Hostname: aaaserver1
TCP/IP port: 49
Priority: secondary
.
.
.
Modifying TCP/IP Port Number
By default, AAA services uses TCP port number 49 when connecting to TACACS+.
Use the aaa tacacs port port-number command to globally configure the Avici router to use the specified port for AAA services.
Use the optional host hostname keyword and argument to configure the Avici router to use the specified port when communicating with the specified AAA server.
- In the following example, the aaa tacacs host hostname port port-number command configures the TACACS+ protocol to use port 4 when communicating with AAA server aaaserver2:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa tacacs host aaaserver2 port 4
Modifying AAA Retransmit Attempts
Retransmit attempts specifies the number of times AAA searches the server list for an available AAA server. The default for retransmit attempts is 3. Use the aaa retransmit command to modify the default value.
- In the following example, the aaa retransmit command sets the number of retransmit attempts at 20, and the show aaa command displays the setting:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa retransmit 20
router(config)#end
router#show aaa
AAA service :ENABLED
AAA protocol:TACACS+
AAA accounting :ENABLED
AAA server search policy :Round-Robin
AAA source interface :loopback 0
AAA server timeout:5 seconds
AAA Server retransmit attempts:20
.
.
.
Modifying AAA Source-interface
When the Avici router connects to an AAA server, the AAA server records the time of the connection, the user name, and the IP address of the Avici router. By default, the IP address of the Avici router's ethernet 0 interface is used.
Use the aaa source-interface command to change the interface used for connecting to AAA servers from the default to the loopback 0 interface.
- In the following example, the aaa source-interface loopback 0 command selects the loopback 0 interface as the source interface for AAA, and the show aaa command displays the setting:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa source-interface loopback 0
router(config)#end
router#show aaa
AAA service:ENABLED
AAA protocol:TACACS+
AAA accounting:ENABLED
AAA server search policy:First-Available
AAA source interface:loopback 0
AAA server timeout:5 seconds
AAA Server retransmit attempts:2
Modifying AAA Timeout
AAA timeout is the number of seconds that the local AAA services wait for a response from an AAA server before dropping the connection. The default value for AAA timeout is 5 seconds. Use the aaa timeout command to modify the default value.
- In the following example, the aaa timeout command configures the number of seconds that the local AAA services wait for a response from an AAA server before dropping the connection to 10 seconds, and the show aaa command displays the configuration:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa timeout 10
router(config)#end
router#show aaa
AAA service:ENABLED
AAA protocol:TACACS+
AAA accounting:ENABLED
AAA server search policy:Round-Robin
AAA source interface:loopback 0
AAA server timeout:10 seconds
AAA Server retransmit attempts:2
.
.
.
Configuring Last-Resort
The last-resort method of authentication can be used when no AAA server responds to a request for authentication.
If last-resort authentication is enabled, you must define a last-resort password using the aaa optional-passwords command. You can configure the last-resort password as one of two values:
- aaa optional-passwords configures AAA to use the Avici router system password as the last-resort password.
- no aaa optional-passwords configures AAA to use no password as the last-resort password.
Use the aaa last-resort command to enable last-resort authentication.
Use the [no] aaa optional-passwords command to configure the Avici router to use the system password or no password as the last resort.
- In the following example:
- The aaa last-resort command enables last-resort authentication.
- The no aaa optional-passwords command configures the Avici router to require no password.
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#aaa last-resort
router(config)#no aaa optional-passwords
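As an added example (not Avici code, and not taken from this manual), the following Python model ties together the server-selection behaviour described in "Modifying AAA Policy", "Modifying AAA Retransmit Attempts", "Modifying AAA Timeout", "Configuring AAA Server Directed Request" and "Configuring Last-Resort": up to five servers, the three policy methods, per-server timeout, the retransmit count as the number of passes over the server list, directed user@host logins, and the two last-resort password settings. The probe function stands in for the TACACS+ exchange; the class names, server names, user table and placeholder system password are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AAAServer:
    hostname: str
    port: int = 49                   # TACACS+ default TCP port (chapter default)
    priority: str = "unspecified"    # "primary", "secondary" or "unspecified"
    timeout: int = 5                 # seconds to wait for a reply (chapter default)


@dataclass
class AAAClient:
    """Assumed class modelling the router-side AAA client; not Avici code."""
    servers: List[AAAServer] = field(default_factory=list)
    policy: str = "first-available"  # or "priority" / "round-robin"
    retransmit: int = 3              # passes over the server list (chapter default)
    directed_request: bool = False   # aaa tacacs directed-request
    last_resort: bool = False        # aaa last-resort
    optional_passwords: bool = False # aaa optional-passwords -> system password
    system_password: str = "SYSTEM-PASSWORD-PLACEHOLDER"   # constructed value
    rr_index: int = 0                # round-robin cursor

    def add_host(self, server: AAAServer) -> None:
        if len(self.servers) >= 5:
            raise ValueError("at most five AAA servers can be configured")
        self.servers.append(server)

    def _first_available(self) -> List[AAAServer]:
        # the chapter states the list is searched in the reverse of the
        # order in which the servers were defined
        return list(reversed(self.servers))

    def search_order(self) -> List[AAAServer]:
        """Servers in the order they are tried under the current policy."""
        if not self.servers:
            return []
        if self.policy == "priority":
            primary = [s for s in self.servers if s.priority == "primary"]
            if not primary:          # no primary: all servers act as secondary
                return self._first_available()
            return primary + [s for s in self.servers if s.priority != "primary"]
        if self.policy == "round-robin":
            n = len(self.servers)
            order = [self.servers[(self.rr_index + i) % n] for i in range(n)]
            self.rr_index = (self.rr_index + 1) % n
            return order
        return self._first_available()

    def resolve_login(self, login: str) -> Tuple[str, Optional[List[AAAServer]]]:
        """Split a directed request (user@host) when the feature is enabled."""
        if self.directed_request and "@" in login:
            user, host = login.rsplit("@", 1)
            return user, [s for s in self.servers if s.hostname == host]
        return login, None

    def authenticate(self, login: str, password: str,
                     probe: Callable[[AAAServer, str, str], Optional[bool]]
                     ) -> Tuple[str, Optional[str], bool]:
        """Return (method, hostname, accepted). probe() answers True/False
        when the server replies in time and None when it does not."""
        user, targets = self.resolve_login(login)
        for _ in range(self.retransmit):
            for srv in (targets if targets is not None else self.search_order()):
                answer = probe(srv, user, password)
                if answer is not None:
                    return ("server", srv.hostname, answer)
        if not self.last_resort:                    # no server answered
            return ("none", None, False)
        if self.optional_passwords:
            return ("last-resort", None, password == self.system_password)
        return ("last-resort", None, True)          # no password required


def make_probe(table: Dict[str, Tuple[int, Dict[str, str]]]) -> Callable:
    """Constructed stand-in for the TACACS+ exchange. table maps hostname to
    (reply_seconds, {user: password}); a reply slower than the server's
    timeout counts as no reply, as does an unknown (unreachable) host."""
    def probe(server: AAAServer, user: str, password: str) -> Optional[bool]:
        entry = table.get(server.hostname)
        if entry is None or entry[0] > server.timeout:
            return None
        return entry[1].get(user) == password
    return probe
```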
Displaying AAA
Use the show aaa command to display the AAA configuration and AAA servers.
Example:
router#show aaa
AAA service:ENABLED
AAA protocol:TACACS+
AAA accounting:ENABLED
AAA server search policy:Round-Robin
AAA source interface:loopback 0
AAA server timeout:5 seconds
AAA Server retransmit attempts:20
AAA Server 1:
Hostname: aaaserver1
TCP/IP port: 49
Priority: Primary
AAA Server 2:
Hostname: aaaserver2
TCP/IP port: 49
Priority: unspecified
The following table describes fields in the display.
Copyright © 2005 Avici Systems Inc.
Avici® and TSR® are registered trademarks of Avici Systems Inc.
IPriori, Composite Links, SSR, QSR, and NSR® are trademarks of Avici Systems Inc.
Last Updated: 02/25/05 at 15:18:31