Feedback Information

At Cisco Press, our goal is to create in-depth technical books of the highest quality and value. Each book is crafted with care and precision, undergoing rigorous development that involves the unique expertise of members from the professional technical community. Readers' feedback is a natural continuation of this process. If you have any comments regarding how we could improve the quality of this book or otherwise alter it to better suit your needs, you can contact us through e-mail at...

Simple Network Management Protocol

Simple Network Management Protocol (SNMP) is widely used for router monitoring and configuration changes. If not configured properly, SNMP could provide a wealth of information about the device to intruders running SNMP discovery tools. Cisco IOS Software Release 12.1 supports the following versions of SNMP: SNMPv1, Version 1 of SNMP, is a full Internet standard, defined in RFC 1157; security is based on community strings. SNMPv2c is the community string-based administrative framework for SNMPv2....

Optional Configurations

The following section provides the optional command description and examples to activate 802.1x port-based authentication. When a client is authenticated to a switch port using 802.1x, the port remains set with the supplicant attributes until a reboot occurs. To validate the user on an ongoing basis, periodic re-authentication may be enabled on a per-port basis. You can also specify the time period between authentications. Table 18-3 describes the command syntax for periodic re-authentication....

Advanced IPsec VPNs Using Cisco Routers and CAs

This section is dedicated to configuring the Cisco router for advanced scalable IPsec VPNs using CAs. It contains an overview of the CA support and configuration steps required to deploy IPsec VPNs using CA support. Clearly, the use of CAs is not a requirement for building IPsec VPNs (as noted in the previous chapter), but the interoperability between Cisco IOS devices and CAs normally results in a more scalable and manageable IPsec solution. Digital Signatures, Certificates, and Certificate...

Router Configuration Modes

Before jumping into the CLI of the Cisco router, it is important to understand the different command modes available. Consider the command mode to be a level where you can perform specific functions. If you are not at the correct level, you cannot perform the function you need (to configure the router). This simplified explanation will make more sense as each mode is discussed. The following are the command modes on a Cisco router: ROM monitor mode is the mode the router boots to...

Figure 145 MAC Spoofing Attack

[Figure callouts, partially recovered from a garbled scan] The switch has learned that Host A is on Port 1, Host B is on Port 2, and Host C is on Port 3. Host C's advertisement causes the switch to move the location of Host A in its CAM table from Port 1 to Port 3. Host C sends out a packet identifying itself with Host A's IP address and Host A's MAC address. Traffic destined to Host A is now visible to Host C....

"Do I Know This Already?" Quiz

The purpose of the "Do I Know This Already?" quiz is to help you decide whether you really need to read the entire chapter. If you already intend to read the entire chapter, you do not necessarily need to answer these questions now. The 10-question quiz, derived from the major sections in the Foundation Topics section of the chapter, helps you determine how to spend your limited study time. Table 20-1 outlines the major topics discussed in this chapter and the "Do I Know This Already?" quiz questions that...

Installing Cisco Secure ACS for Microsoft Windows

After confirming your network's system requirements for Cisco Secure ACS for Windows, run the setup program to install the software. Figure 10-1 shows a checklist window that comes up during the first part of the installation process. Figure 10-1. Checklist Window That Appears During the Installation Process for Cisco ACS 3.3. As shown in Figure 10-1, the installation process wants you to test and...

Troubleshooting AAA

After configuring AAA services, you must test and monitor your configuration. The show and debug commands are useful for verifying, troubleshooting, and testing your AAA configuration. The following show and debug commands enable you to troubleshoot and test your AAA configuration: The show aaa servers command displays information about the number of packets the AAA servers sent or received for all transaction types. Currently, only RADIUS servers are supported by this command. Example 7-6 provides...

Defining ACLs

ACLs are rules that deny or permit packets coming in or out of an interface. An ACL typically consists of multiple ACL entries (ACEs), organized internally by the router as a linked list. When a packet is subjected to access control, the router searches this linked list in order from top to bottom to find a matching element. The matching element is then examined to determine whether the packet is allowed or denied. Figure 11-1 shows the behavior of a router that has an ACL configured on its interfaces. Figure...

Configuring Authentication Proxy on the Cisco IOS Firewall

Authentication proxy enables users to connect through the firewall to a resource only after a AAA server has verified their credentials. After the authentication is complete, the Cisco IOS Firewall receives authorization information from the AAA server in the form of a dynamic access list. It is always a good idea to ensure that all traffic is properly flowing through the Cisco IOS Firewall prior to implementing authentication proxy. Access lists applied to the Cisco IOS Firewall determine the...

Easy VPN Server Functionality

Easy VPN Server was introduced with Cisco IOS Software Release 12.2(8)T. It is the first Cisco IOS Software version to provide server support for the Cisco VPN Client 3.x and the Cisco VPN 3002 hardware client. The Easy VPN Server manages all IPsec policies centrally and pushes the policy out to the client. This design minimizes the configuration required on the client end. The following functionality is integrated into Cisco IOS Software 12.3(11)T with Easy VPN Server: Split tunneling control...

Configuring a Cisco Router for IPsec Using Preshared Keys

IPsec is not a protocol but a framework of open-standard protocol suites that provides origin authentication, data integrity, data confidentiality, and antireplay protection. IPsec runs over IP and uses Internet Key Exchange (IKE) to negotiate the security association (SA) between the peers. Parameters must be configured for both IKE and IPsec SAs. Five specific steps are required to create and terminate an IPsec VPN tunnel. The endpoints perform different functions to establish the encrypted...

Troubleshooting Cisco Secure ACS for Windows

A good place to start troubleshooting Cisco Secure ACS-related AAA problems is the Failed Attempts Report under Reports and Activity. The report displays several types of failures. If no entry is found in the Failed Attempts Report, there may be a misconfiguration between the Cisco Secure ACS and the router client. In this case, do the following: Verify that the router can ping the server and that the server can ping the router. Verify that the TACACS+ host IP address is correctly...

Cisco Secure ACS for Windows

Cisco Secure ACS is highly scalable and operates as a centralized RADIUS server or TACACS+ server system. It controls the AAA of users who access corporate resources through a network. Cisco Secure ACS for Windows provides AAA services to network devices that function as AAA clients, such as network access servers (NAS), PIX Firewalls, and routers. The AAA client in Figure 9-1 represents any such device that provides AAA client functionality and uses one of the AAA protocols supported by...

Configuring RADIUS on Cisco IOS Software

To configure RADIUS on your Cisco router or access server, you must complete the following steps: Step 1. Enable AAA. Use the aaa new-model global configuration command to enable AAA. Step 2. Identify the RADIUS server. Use the radius-server host command to specify the IP address. Use the radius-server key command to specify the shared key that will be used to protect all exchanges between the NAS and the RADIUS server. Step 3. Configure AAA services. Use the aaa authentication global...

Configuring TACACS+ on Cisco IOS Software

To configure the Cisco access server to support TACACS+, you must complete the following steps: Step 1. Enable AAA. Use the aaa new-model command to enable AAA. Step 2. Identify the TACACS+ server. Use the tacacs-server host command to specify the IP address or name of one or more TACACS+ servers. Step 3. Configure AAA services. Use the aaa authentication command to define method lists that use TACACS+ for authentication. Step 4. Apply the method lists to the interfaces. Use line and interface...

Configuring AAA Services

AAA configuration includes four mandatory steps and two optional steps. It involves enabling AAA, providing security server information, defining the method list, and then applying the method list to the interface of interest. The following steps describe the configuration process: Step 1. Activate AAA services by using the aaa new-model command. Step 2. Select the type of security protocol, such as RADIUS, TACACS+, or Kerberos. Step 3. Define the method list for authentication by using the aaa...

Displaying 802.1x Statistics and Status

To verify successful 802.1x configuration, use the following command in privileged EXEC mode: show dot1x [all | interface interface-id | statistics [interface interface-id]] [| {begin | exclude | include} expression]. This command displays 802.1x administrative and operational status for the switch or a specified interface. It also provides statistics information. Table 18-4 describes the command syntax and parameters. Table 18-4. show dot1x Syntax Description. This...