Software Configuration Guide
Page 7
... 4-2 Local Security Database 4-2 Remote Security Database 4-3 Configuring Authentication 4-4 Securing Access to Privileged EXEC and Configuration Mode 4-4 Communicating Between the Access Server and the Security Server 4-6 Communicating with a TACACS+ Server 4-7 Communicating with a RADIUS Server 4-8 Configuring Authentication on a TACACS+ Server 4-9 Enabling AAA Globally on the Access Server 4-9 Defining Authentication Method Lists 4-10 Authentication Method List Examples 4-14 Applying Authentication Method Lists 4-15...
Software Configuration Guide
Page 107
...not access. • Accounting-Provides records for Terminal Access Controller Access Control System (TACACS+) and Remote Authentication Dial-In User Service (RADIUS). This chapter includes the following sections: • Assumptions • Local Versus Remote Server Authentication ...access lists. Requiring authentication before users can access the network prevents users from gaining access to services and devices on the access server or connecting through Cisco access servers. For example, it does not describe how to network resources. CHAPTER 4 Access Service Security The access...
Software Configuration Guide
Page 108
... on the Cisco access server. Local Security Database If you have very few access servers providing network access. A local security database does not require a separate (and costly) security server. 4-2 Cisco AS5300 Universal Access Server Software Configuration Guide...Cisco AAA security facility. For example, you have one or two access servers providing access to as local authentication. (See Figure 4-1.) Figure 4-1 Local Security Database Authentication Small corporate network (remote office) with only one dial-in access server Single dial-in this chapter include TACACS+ and RADIUS...
Software Configuration Guide
Page 109
... user authentication information with many dial-in access servers 48 or 60 dial-in access servers. It prevents having to all dial-in ports on each Cisco AS5300 access server Cisco AS5300 Cisco AS5300 Cisco AS5300 Router UNIX server Cisco AS5300 Router Novell server Cisco AS5300 TACACS+ server or RADIUS server Windows NT server S6549 Cisco AS5300 Remote security server provides centralized security database to update each of access servers providing network access. CiscoSecure uses a central database that define network...
Software Configuration Guide
Page 110
... a local or remote security database, or use TACACS+ or RADIUS authentication and authorization, the process of configuring the access server for authentication requires the following tasks: 1 Securing Access to configuring authentication is similar. Populate the Local Username Database if... of configuration change to the Security Command Reference, available online at http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/ 4-4 Cisco AS5300 Universal Access Server Software Configuration Guide Whether you enter this command, the encryption cannot be read ...
Software Configuration Guide
Page 112
...RADIUS server entries corresponding to the section "Enabling AAA Globally on the Access Server," later in this chapter. If you must configure the security server before performing the tasks described in this chapter. The section "Security Examples" at http://www.cisco... Save the configuration changes to NVRAM so that enable the access server to enable mode. If you are using local authentication, refer to the access server security configurations. 4-6 Cisco AS5300 Universal Access Server Software Configuration Guide This message is similar for authentication and ...
Software Configuration Guide
Page 114
... request. Return to the Security Command Reference, available online at http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/ 4-8 Cisco AS5300 Universal Access Server Software Configuration Guide Configuring Authentication Communicating with a RADIUS Server To enable communication between the access server and the RADIUS server. End with a RADIUS Security Server Step Command 1 5300> enable Password: 5300# 2 5300# configure terminal Enter configuration...
Software Configuration Guide
Page 116
...or login and authentication method (TACACS+, RADIUS, or local authentication). These authentication method lists are cleartext when they cross the network. You can enter your security server is not available on the access server, you need to define authentication method ...After defining these authentication method lists, apply them to the access server. To use CHAP authentication with PPP, rather than PAP. To define an authentication method list, follow these lists. 4-10 Cisco AS5300 Universal Access Server Software Configuration Guide Step 3 Identify a list name or ...
Software Configuration Guide
Page 117
... ppp default In the following dial-in protocols as local authentication versus TACACS+ or RADIUS). Identify a List Name A list name identifies each list a different name, as when you are enabling dial-in ARA access, specify arap • If you deploy a new login method for users. The... them to all lines and interfaces. The default method list is insecure: 5300# configure terminal 5300(config)# aaa authentication ppp insecure Access Service Security 4-11 If you can create multiple authentication method lists with each of the following example, the PPP authentication method list ...
Software Configuration Guide
Page 118
.... Do not prompt for authentication. Use TACACS+ authentication as defined on a TACACS+ security server. 4-12 Cisco AS5300 Universal Access Server Software Configuration Guide Uses the line (login) password for a username or password. Will guest access to an AppleTalk network be authenticated by a TACACS+ or RADIUS daemon? No duplicate authentication. krb5 Specifies Kerberos 5 authentication. TACACS+ can query the security...
Software Configuration Guide
Page 119
...If you specify more than one authentication method and the first method (TACACS+ in to log in the previous example) is as RADIUS). Access Service Security 4-13 To create a local username database, define username profiles using the subsequent security methods if the user entered the... types of security servers on the network and one or more types of the password, as follows: 5300# show running-config Building configuration... However, if authentication fails using the local username database that any time a user attempts to a line on an access server, the Cisco IOS software checks ...
Software Configuration Guide
Page 120
...local The following example creates an authentication method list that a remote TACACS+ daemon be the default list. 4-14 Cisco AS5300 Universal Access Server Software Configuration Guide The name of authentication lists. If this example, default can be substituted for dial-in using ...to any line on the access server: 5300(config)# aaa authentication login default local The following example specifies login authentication using RADIUS (the RADIUS daemon is polled for authentication profiles): 5300(config)# aaa authentication login default radius The following example specifies login ...
Software Configuration Guide
Page 121
Table 4-7 Applying Authentication Method Lists Interface and Line Command Action Port to which uses RADIUS authentication, is created. If you entered the ppp authentication command, you use CHAP because CHAP is applied to the Security ...Authentication Method Lists" section earlier in Table 4-7. You apply these authentication method lists to the console port and the default virtual terminal (vty) lines on a Cisco AS5300 access server configured with a dual T1 PRI card, including the console (CON) port, the 48 physical asynchronous (tty) lines, the auxiliary (AUX) port, and...
Software Configuration Guide
Page 122
..., the daemon denies authorization of PAP: 5300(config)# aaa authentication ppp marketing if-needed tacacs+ (or radius) command. 4-16 Cisco AS5300 Universal Access Server Software Configuration Guide inout - - - 0 I 48 TTY 57600/57600 - The default authorization is different on both the access server and the security daemon. A typical configuration probably uses the EXEC facility and network authorization. For example...
Software Configuration Guide
Page 124
... command to assign commands to authorize the use all network resources without authorization requirements. 5300(config)# aaa authorization network tacacs+ radius none 4-18 Cisco AS5300 Universal Access Server Software Configuration Guide If the user is not already authenticated, the Cisco IOS software defers to run the EXEC process if the user is performed and the user can...
Software Configuration Guide
Page 126
...+ aaa authentication ppp marketing if-needed radius aaa authorization network radius aaa authorization exec radius ! The shared key between the access server and the RADIUS security server is BaBe218. • A login ...radius-server host server219 radius-server key BaBe218 ! aaa authentication login fly radius aaa authentication ppp maaaa if-needed tacacs+ aaa authentication arap kona-coast-office tacacs+ ! interface group-async658 ppp authentication chap maaaa group-range 1 48 Cisco AS5300 Universal Access Server Software Configuration Guide tacacs-server host maui tacacs-server...
Software Configuration Guide
Page 193
...11 login examples 4-15 multiple methods, specifying 4-13 PPP examples 4-16 privileged EXEC mode 4-4 INDEX RADIUS server 4-8 remote 4-2 remote database 4-3 securing access 4-4 security methods 4-12 TACACS+ server 4-7 authentication accounts MMP 3-57 VPDN 3-60 authorization configuring 4-17 description 4-1 examples 4-18 EXEC ... command 3-10 telco framing type 3-10 telco line code type 3-10 verifying 3-10 CHAP authentication, enable 3-24 Cisco Connection Online xv Cisco IOS software about 2-1 command modes 2-2 enable mode 2-2 getting help 2-1 saving configuration changes 2-4 undo command 2-4 undo...
Software Configuration Guide
Page 196
... command 3-20 line signaling options 3-16 show controller e1 command 3-19 timeslots 3-16 tone signaling options 3-16 verifying 3-19 RADIUS server 4-8 AAA facility 4-9 communicating with 4-8 radius-server host command 4-8 radius-server key command 4-8 real-time packet flows, VoIP 3-44 real-time voice traffic configuring 3-44 tips 3-45 verifying 3-45 related publications xv Index 4 Cisco AS5300 Universal Access Server Software Configuration Guide
Software Configuration Guide
Page 197
...B-1 prompt B-1 RSVP for IP, VoIP 3-44 S saving configuration changes 2-4, 3-63 script, configuration C-6 security access service 4-1 accounting 4-1 authentication 4-1 authorization 4-1 examples 4-19 RADIUS server 4-8 remote security servers 4-3 securing access 4-4 TACACS+ daemon process 4-3 TACACS+ server 4-7 unauthenticated access, preventing 4-4 security database 4-2, 4-3 serial interface configuration mode 3-24 set command B-7 SGBP 3-55 show appletalk ... timeout, disabling 3-2 timesaver, description xiii tip, description xiii U unalias command B-7 undo feature, Cisco IOS software 2-4 Index 5
Configuration Guide
Page 7
... perform login authentication by login. Enter the login command at the EXEC shell prompt. Chapter 2 Configuring the Cisco AS5300 Network Access Server Task 1-Setting Up Basic Configuration Parameters To configure local AAA security, enter the following commands beginning in with ...RADIUS server. If you get in successfully. (If you can enhance the security solution by rebooting the access server.) hq-sanjose# login User Access Verification Username: joe-admin Password: joe-password hq-sanjose# Cisco IOS Dial Services Quick Configuration Guide 2-7 Do not disconnect your access server...