AAA Authentication Login Methods

The table lists the AAA authentication login methods:
- Uses the enable password for authentication.
- Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
- Uses the line password for authentication.
- Uses the local username database for authentication.
- Uses case-sensitive local username authentication.
- Uses a cache server group for authentication.
- Uses the list of all RADIUS servers for authentication.
- Uses the list of all TACACS+ servers for authentication.
- Uses a...

Additional Features in Cisco Secure ACS 4.0 for Windows

Cisco Secure ACS 4.0 for Windows provides the following additional features:
Cisco NAC support: Cisco Secure ACS 4.0 for Windows acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials received from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the NAD (ACLs, a policy-based ACL, or a private VLAN assignment). Evaluation of the host credentials can enforce many specific...

Adjusting the Switch-to-Client Retransmission Time

When the switch does not receive an EAP Response/Identity frame from the client, it waits a specific amount of time and then resends the request. The default time is 30 seconds. Use the dot1x timeout tx-period command to adjust the retransmission time.

    switch(config)# dot1x timeout tx-period seconds

Note: You should change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Adjusting Timers for DHCP

The following example shows how to enable a VLAN as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client. You will set 3 as the quiet time on the switch, and set 15 as the number of seconds that the switch waits for a response to an EAP Request/Identity frame from the client before resending the request.

    Switch(config-if)# dot1x timeout quiet-period 3
    Switch(config-if)# dot1x timeout tx-period 15
    Switch(config-if)# dot1x guest-vlan 20

2007 Cisco Systems, Inc. Trust and...

Administrator Interface

Figure: Administrator Interface, showing the privilege options "Add/Edit users in these groups" and "Setup of these groups".

If you plan to administer the Cisco Secure ACS from the network, you will have to create and enable an administrator first. An administrative account is not created by default. To create an administrative account, follow these steps:
Step 1 Click Administration Control.
Step 17 Click Add Administrator.
Step 18 Complete...

Advanced Filtering

Advanced filtering is based on a Boolean AND expression of RADIUS attributes. It is used to create rules based on specific RADIUS attributes and values (including Cisco attribute-value pairs). Multiple rule elements are allowed, and they are treated as a Boolean AND expression. The operators contains, starts with, and regular expression apply only to string-type attribute values. The rule elements table is used to dictate the rule elements that make up a rule based on a RADIUS...

Applying a CoPP Service Policy to the Host Subinterface

This task allows you to apply a CoPP service policy to the control plane host subinterface.
Note: Before you attach an existing QoS policy to the control plane, you must first create the policy by using MQC to define a class map and policy map for control plane traffic.
Perform these steps to apply a CoPP service policy to a control plane interface:
Step 1 Attach a policy map to a control plane for aggregate control plane services.

    router(config-cp)# service-policy {input | output} policy-map-name...

Applying a Port Filter Service Policy to the Host Subinterface

You are now ready to apply the port-filter policy to the host subinterface. Follow these steps:
Step 1 Attach a QoS policy that manages traffic to the control plane host subinterface, and enter control plane configuration mode.

    router(config)# control-plane host

This command enters the control plane host subinterface configuration mode.
Note: Port-filter can only be applied to the host subinterface.

Applying a Queue Threshold Policy to the Host Subinterface

Before you can attach a queue-threshold service policy to the control plane host subinterface, you must first create the policy that defines a class map and policy map for the required control plane traffic. Follow these steps to apply queue-threshold service policies to the control plane host subinterface:
Step 1 Enter global configuration mode.
Step 2 Attach a queue-threshold policy to the host subinterface and enter control plane configuration mode.
Note: Queue thresholding can only be applied...

Applying a Service Policy to an Interface

    Router(config)# interface FastEthernet 0/1
    router(config-if)# service-policy type access-control input fpm-policy

After the traffic policy is created, you have to apply the policy to an interface. Complete these steps to apply the traffic policy to an interface:
Step 1 Enter interface configuration mode.

    router(config)# interface FastEthernet 0/1

Step 2 Specify the type and the name of the traffic policy to be attached to the input or...

    router(config-if)# ...

Attacks and Vulnerabilities

This topic describes some of the network attacks and the vulnerabilities that are being exploited. Because of either software- or network-related vulnerabilities, the network is exposed to several types of attacks. For an attack to take place, there must be some weakness to exploit. Here are some of these:
Missing network security policies
- No written policies: Usually results in little to no security...

Authorization Rules

Figure: Authorization Rules table. Rows: Users (2 users), condition Any; Contractors (2 users), condition Any; Guest (2 users), condition Any. A default rule applies when a condition is not defined or there is no match. Option: Include RADIUS attributes from user's group.

Before You Begin

To set up authorization rules for a profile, it is assumed that some other elements of Cisco Secure ACS have been set up, including the following:
- RADIUS authorization components (RACs)
...

Cisco IBNS Port-Based Access Control

Figure: Cisco IBNS port-based access control. The switch checks with the policy database on the Authentication Server (Cisco Secure ACS RADIUS); the policy database informs the switch, confirms the identity, and grants access.

In compliance with the IEEE 802.1x standard, Cisco Catalyst switches can perform basic port-based authentication and Network Access Control (NAC). Once the IEEE 802.1x-compliant client software is configured on the end device (client), the Cisco Catalyst...

Cisco IOS Debug

Cisco IOS Software includes several debugging commands that can be used to provide detailed information about the processing of AAA requests by the AAA client. For general information about AAA processing, including which protocol is being used, use one of these commands:
For details about TACACS or RADIUS in particular, use one of these commands:

Cisco Secure ACS

PSTN = public switched telephone network

Cisco Secure ACS functions as the AAA server from the perspective of the NAD. You must configure the device, which functions as a AAA client from the Cisco Secure ACS perspective, to direct all end-user host access requests to Cisco Secure ACS via the TACACS+ or RADIUS protocols. Basically, the NAD serves as the network gatekeeper and sends an access request to Cisco Secure ACS on behalf of the user. Cisco...

Cisco Secure ACS for Windows Server Internal Architecture

- Provides Cisco Secure ACS to multiple Cisco authenticating devices
- Comprises several modular Windows services, operating together on one server
- Authentication service
- Authorization service

When you install Cisco Secure ACS, the installation adds several Microsoft Windows services. The services provide the core of Cisco Secure ACS...

Cisco Secure ACS Troubleshooting

- Failed Authentications Report
- Passed Authentications Report
- Cisco Secure ACS command-line utility

Basically, there are three tools to help with troubleshooting a Cisco Secure ACS environment. These tools can be used to help determine where the problem exists, including a third-party database back-end authentication problem.

Common Cisco IOS AAA Accounting Configuration

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis.

    dev(config)# aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

auth-proxy: Provides information about all authenticated-proxy user events.
system: Performs accounting for all system-level events not...

Common Cisco IOS AAA Authentication Configuration

To enable AAA authentication and create a local authentication list, use the aaa authentication login command.

    dev(config)# aaa authentication login {default | list-name} [password-expiry] method1 [method2...]

default: Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
list-name: Character string used to name the list of authentication methods activated when a user logs in.
password-expiry: Enables password aging on a local authentication list.
method1 [method2...]: Identifies the list of methods...

Common Cisco IOS AAA Configuration

Use the aaa new-model command to enable AAA.

    router(config)# aaa new-model

To disable AAA, use this command:

    router(config)# no aaa new-model

To configure security on a Cisco router or access server using AAA, follow these steps:
Step 1 Enable AAA by using the aaa new-model global configuration command.
Step 2 If you decide to use a separate security server, configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos.
Step 3 Define the method lists for authentication by using an...

Common Configurations in Cisco Secure ACS

Several Cisco Secure ACS elements must be configured first to configure a NAP and its policies:
- Authentication using TACACS+ or RADIUS <vendor>
- In Advanced Options, allow the following: Per-user TACACS+ or RADIUS attributes; Group-level shared network access restrictions; Group-level downloadable ACLs
- Group NADs into locations or by other criteria
- RADIUS authorization components
- Create ACLs to manage...

Compatibility with Other Features

The table includes other switch features that are compatible with port security configured on a port, among them Dynamic Trunking Protocol (DTP) port (1).
1. A port configured with the switchport mode dynamic interface configuration command.
2. A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command.
3. You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.
...

Concepts of Cisco IBNS in Action

Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. The Cisco IBNS solution enables greater security while simultaneously offering cost-effective management of changes throughout the organization. Cisco IBNS provides the network with the following services and capabilities:
- User or device authentication, or both
- Mapping the...

Configuration Guidelines

- Not active until enabled on a VLAN
- Configure DHCP server and relay agent first
- Configure DHCP addresses and options first
- DHCP option 82 not supported if relay agent is enabled but snooping is disabled

Here are some guidelines to use when configuring DHCP snooping: You must globally enable DHCP snooping on the switch. DHCP snooping is not active until DHCP snooping is enabled on a VLAN. Before globally enabling DHCP snooping on the...

Configure Interface and Enable 802.1x

    switchport mode access
    no switchport

- Configure port as an access port
- Enable IEEE 802.1x authentication on the port
- (Optional) Allow multiple clients on an IEEE 802.1x-authorized port

Configure the interface using the following commands. IEEE 802.1x can only be configured on static Layer 2 access ports.

    dot1x port-control {force-authorized | force-unauthorized | auto}

This command enables IEEE 802.1x authentication on the port. The default...

Configure RADIUS Communications

    radius-server host {hostname | ip-address}      Specify the IP address of the RADIUS server
    switch(config)# radius-server key string         Specify the authentication and encryption key
    radius-server vsa send [accounting | authentication]   (Optional) Enable the switch to recognize and use VSAs

Configure RADIUS communications using the following commands:

    radius-server host {hostname | ip-address} [auth-port port] [acct-port port]

This command specifies the IP...

Configuring 802.1x in Cisco IOS

- Configure RADIUS communications.
- Configure interface and enable 802.1x.

The basic configuration of the Cisco Catalyst switch or Cisco Aironet wireless LAN access point remains constant within any IEEE 802.1x deployment regardless of the EAP method chosen for authentication. The EAP method is agreed upon by the client and authentication server, and the authenticator simply proxies the information...

Configuring a Restricted VLAN

IEEE 802.1x-compliant clients are moved into the restricted VLAN when the authentication server does not receive a valid username and password from the client. Restricted VLANs are supported only in single-host mode. Perform these tasks to configure a restricted VLAN on a switch port:
Step 2 Configure the switch port as access.
Step 3 Configure dot1x port control as auto.
Step 4 Specify an active VLAN as a restricted VLAN.
You can configure the maximum number of authentication attempts allowed...

Configuring AAA Services to work with a AAA Server

    Router(config)# aaa authentication login default group tacacs+ enable
    router(config)# aaa authorization network default group tacacs+ enable
    router(config)# aaa accounting network myacct start-stop group radius
    router(config)# tacacs-server host 10.0.1.12
    router(config)# tacacs-server host 10.0.1.14
    router(config)# tacacs-server key cisco123

OR

    router(config)# tacacs-server host 10.0.1.12 key cisco123

Several steps are required to configure AAA services to work with external AAA servers using TACACS...

Configuring CPPr

- (Optional) Configure port-filter policy.
- (Optional) Configure queue-threshold policy.

The CLI for control plane has been extended to allow for CoPP policies to be applied to individual control plane subinterfaces. The command syntax for creating CoPP service policies remains the same. In addition, the MQC class map and policy map CLI was modified to allow for additional types. The port-filter and queue-threshold policy features...

Configuring FPM

- Define a protocol stack and specify exact parameters to match
- Using class map type stack and access-control
- Apply the service policy to an interface

FPM allows customers to create their own filtering policies that can immediately detect and block new viruses and attacks. The process for configuring FPM consists of four steps.
Step 1 Load a PHDF from flash memory. Once the appropriate PHDFs are loaded, a class-map command with type...

Configuring Guest and Restricted VLANs

    switch(config-if)# dot1x guest-vlan vlan-id        (Optional) Specify an active VLAN as an IEEE 802.1x guest VLAN
    switch(config-if)# dot1x auth-fail vlan vlan-id    (Optional) Specify an active VLAN as an IEEE 802.1x restricted VLAN

dot1x guest-vlan vlan-id
This command specifies an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN, except an RSPAN VLAN or a voice VLAN, as an IEEE 802.1x guest VLAN.
dot1x auth-fail vlan vlan-id
This command specifies an active...

Configuring MPP

When the last configured interface is deleted, the MPP feature turns itself off. Follow these steps to configure a network device:
Step 1 Enter control plane host configuration mode. This mode applies policies to host control plane traffic.
Step 2 Configure an interface to be a management interface and specify which management protocols are allowed.

    router(config-cp-host)# management-interface interface allow protocols

interface: Name of the interface...

Configuring Port Security Aging

Use the switchport port-security aging command to enable or disable static aging for the secure port, or set the aging time or type.

    switch(config-if)# switchport port-security aging {static | time time | type {absolute | inactivity}}

Enter static to enable aging for the statically configured secure addresses on this port. For time, specify the aging time for this port. The valid range is from 0 to 1440 minutes. If...

Configuring VLAN Assignment

Perform these tasks to configure VLAN assignment:
3. Assign vendor-specific tunnel attributes in the RADIUS (Cisco Secure ACS) server. The RADIUS server must return these attributes to the switch:
- [64] Tunnel-Type = VLAN
- [65] Tunnel-Medium-Type = IEEE 802
- [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
Note: Attribute 64 must contain the value VLAN (type 13). Attribute 65 must contain the value IEEE 802 (type 6). Attribute 81 specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.

Control Plane Architecture with CPPr

Figure: Control plane architecture with CPPr. Blocks: Control Plane, Cisco Express Forwarding Subinterface, Cisco Express Forwarding Input Feature.

This diagram depicts the flow of control traffic through the control plane architecture with the CPPr feature enabled.

Course Introduction

Securing Networks with Cisco Routers and Switches (SNRS) v2.0 is a five-day, instructor-led, lab-intensive course that is delivered by Cisco Learning Partners. It is aimed at providing network specialists with the knowledge and skills needed to secure Cisco IOS router and switch networks. Successful graduates will be able to secure the network environment using existing Cisco IOS security features. This includes the ability to configure some of the primary components of the Cisco IOS Firewall...

Creating a Traffic Class

In creating a traffic class, you will create stateless packet classification criteria that, when used in conjunction with an appropriately defined policy, can mitigate network attacks. Once the appropriate PHDFs are loaded, a stack of protocol headers must be defined so that FPM knows which headers are present and in which order. Once the stack of protocols is defined, a class map of type access-control is defined for classifying packets. Step 2 Define the sequence of headers as IP first, then...

Creating an Installation

This topic describes how to perform a Cisco Secure ACS installation using setup.exe on the Cisco Secure ACS CD-ROM.
- Accept software license agreement
- Enter database encryption password
- Finish, start services, and administrator session

Complete the following steps to install Cisco Secure ACS for the first time.
Step 1 Log onto the computer using a local administrator account.
Step 5 Click setup.exe, located in the root directory of the CD-ROM.
Step 6...

Data Plane Attacks

    CPU utilization for five seconds: 99%/85%; one minute: 99%; five minutes: 78%

Attacks against networking environments are increasing in frequency and sophistication. Attacks that affect the data forwarding plane include some well-known attacks with very specific signatures (fields within the IP packet that contain certain specific values). Here are some of these attacks:
All of these attacks are known to overload the CPU of any router or switch in their path. To counter these attacks, features are needed...

Defining Packet Classification Criteria for CoPP

You must first create the policy using MQC to define a class map and policy map for control plane traffic. Follow these steps to define a class map:
Step 1 Define an access list of trusted hosts using specific protocols to access the router.

    router(config)# ip access-list extended access-group-name
    router(config-ext-nacl)# deny tcp host trusted-host any eq protocol
    router(config-ext-nacl)# permit tcp any any...

EAP-MD5

EAP-MD5 is a standard, nonproprietary EAP type. It is based on RFC 1994 (CHAP) and RFC 2284 (EAP). An MD5-Challenge within an EAP message is analogous to the PPP CHAP protocol, with MD5 specified as the hash algorithm. Because MD5 support is included in RFC 3748, all EAP deployments should support the MD5-Challenge mechanism. The diagram illustrates the EAP-MD5 message exchange between the supplicant, authenticator, and authentication server. First, a...

Enable 802.1x Globally

- Enable IEEE 802.1x authentication globally on the switch
- (Optional) Enable the optional guest VLAN behavior globally on the switch

Enable 802.1x globally on the switch using the following commands. This command globally enables IEEE 802.1x authentication on the switch.

    (Optional) dot1x guest-vlan supplicant

Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and allowed clients that failed...

Example of Authentication

    username myuser password secure_password
    aaa authentication ppp default group radius group tacacs+ local

This example shows a security solution where some interfaces will use the same authentication methods to authenticate PPP connections but the vty will use a named method list. For PPP connections, the RADIUS servers are contacted first for authentication information; then, if there is no response, the TACACS+ group is contacted. If all designated servers fail to...

Example of CoPP

    Router(config)# ip access-list extended CP-acl
    router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq telnet
    router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq www
    router(config-ext-nacl)# permit tcp any any eq telnet
    router(config-ext-nacl)# permit tcp any any eq www
    router(config-ext-nacl)# exit
    router(config)# class-map match-any CP-class
    router(config-cmap)# match access-group name CP-acl
    router(config-cmap)# exit
    router(config)# policy-map CP-policy
    router(config-pmap)# class CP-class...

Example of Port Filtering

    Router(config)# class-map type port-filter match-all PF
    router(config-cmap)# match closed-ports
    router(config)# policy-map type port-filter PF-policy
    router(config-cp-host)# service-policy type port-filter ...

This example shows how to configure a port-filter policy to drop all traffic destined to closed or nonlistened TCP or UDP ports. Note that the PF-class class map matches all closed ports. In addition, the PF-policy policy map points to the class map and defines the action. The control plane host...

Examples (Cont.)

    IP address   Client-ID/Hardware address/User name   Lease expiration        Type
    ...          0063.6973.636f.2d64.                   Mar 29 2003 04:36 AM    ...

This example displays the DHCP bindings by IP address and subnet. The example shows the DHCP binding address parameters, including an IP address, an associated MAC address, a lease expiration date, and the type of address assignment that has occurred. The table describes the...

External User Databases

The External User Databases section consists of three subsections. In addition to configuring the parameters to communicate with the external databases, you can configure how Cisco Secure ACS handles requests from users that are not in the local Cisco Secure ACS database (Unknown User Policy), and a mapping from the external database group to the local Cisco Secure ACS database group. In this section, you configure an unknown user policy. You also configure database group mappings to external...

Hardware and Software Requirements

Hardware
- Pentium 4 processor, 1.8 GHz or faster
- At least 1 GB of free disk space
- Minimum graphics resolution of 256 colors at 800x600 pixels
- 100Base-T or faster connection
Software
- Microsoft Windows 2000 Server, with SP4 installed
- Windows 2000 Advanced Server, with the following conditions:
  - Without Microsoft Windows 2000 Cluster Service installed
  - Without other features specific to Microsoft Windows 2000 Advanced Server enabled
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server...

How 802.1x Works

Figure: Client, Cisco Catalyst 2950 Series Switch (NAD), and Authentication Server (Cisco Secure ACS). The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary.

The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x...

How 802.1x Works (Cont.)

Figure: EAP Request/Identity and EAP Response/Identity between client and switch, followed by an EAP-method-dependent authentication exchange with the AAA server (Authentication Server, Cisco Secure ACS).

You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:
force-authorized: This keyword disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port...

Identity Based Networking Services

- Intelligent adaptability offering greater flexibility and mobility for users
- Combines authentication, access control, and user policies to secure network connectivity and resources
- User productivity gains and reduced operating costs
- Strengthens security for network connectivity, services, and applications

The Cisco IBNS solution provides the following benefits: Intelligent adaptability for offering greater flexibility and mobility to...

IEEE 802.1x Host Mode

IEEE 802.1x ports can be configured for single-host or multiple-host mode. In single-host mode, only one client can be connected to the IEEE 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state. In multiple-host mode, multiple hosts may be attached to a single IEEE 802.1x-enabled port. Only one of the attached...

Cisco Career Certifications

You are encouraged to join the Cisco Certification Community, a discussion forum open to anyone holding a valid Cisco Career Certification (such as Cisco CCIE, CCNA, CCDA, CCNP, CCDP, CCIP, CCVP, or CCSP). It provides a gathering place for Cisco certified professionals to share questions, suggestions, and information about Cisco Career Certification programs and other certification-related topics. For more information, visit www.cisco.com/go/certifications.

Learner Skills and Knowledge

- Certification as a Cisco CCNA or the equivalent knowledge (optional)
- Basic knowledge of the Microsoft Windows OS
- Familiarity with networking and security terms and concepts (The concepts are learned in prerequisite training or by reading industry publications.)
- Completion of Interconnecting Cisco Network Devices (ICND) course
- Completion of Securing Cisco Network Devices (SND) course

MAC Spoofing Man-in-the-Middle Attacks

MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the source Ethernet address of the other host, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic, it will not receive any traffic....

Method Lists and Server Groups

A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define Radius_1 and Radius_2 as one server group, and TACACS+_1 and TACACS+_2 as a separate server group. You can then specify Radius_1 and TACACS+_1 in the method list for authentication login, while specifying Radius_2 and...

Mitigating DHCP Attacks

Here are two ways to mitigate DHCP spoofing and starvation attacks. In this lesson, the following two ways to mitigate DHCP spoofing and starvation attacks are discussed.
Port security: The techniques that mitigate CAM table flooding also mitigate DHCP starvation by limiting the number of MAC addresses on a switch port. You would use the port-security command to set the MAC address of a valid DHCP server on a switch port to prevent any...

Mitigating Spanning Tree Manipulation

    switch(config)# spanning-tree portfast bpduguard default    Globally enable BPDU guard on all ports
    switch(config-if)# spanning-tree guard root                 Enable root guard on an interface

To mitigate STP manipulation, use the root guard and the BPDU guard enhancement commands to enforce the placement of the root bridge in the network and enforce the STP domain borders. The root guard feature is designed to provide a way to enforce the root-bridge placement in the...

Network Access Profiles

A NAP is a means to classify access requests, according to the IP addresses of AAA clients, membership in an NDG, protocol types, or other specific RADIUS attribute values sent by the network device through which the user connects. The use of NAPs allows the administrator to configure different authentication mechanisms and authorizations depending on the characteristics of the access request, resulting in increased flexibility. The Network Access Profile section is used to create profiles, and...

Network Configuration

This button is where an administrator can add, delete, or modify settings for AAA clients (NADs). The layout of this page changes depending on the settings for interface configuration. If you are using NDGs, after you click Network Configuration in the navigation bar, only the Network Device Groups table and Proxy Distribution Table information appears. If you are not using NDGs, the AAA Clients table and the AAA Servers table appear in place of the Network Device Groups table.

Port Filtering

This feature enhances control plane protection by providing for early dropping of packets directed toward closed or non-listening Cisco IOS TCP and UDP ports on the router. Note: The port-filter policy feature can be applied only to the control plane host subinterface. The port filter maintains a global database of all open TCP and UDP ports on the router, including random ephemeral ports created by applications. The port database is dynamically populated with entries provided by the registered...

Ports in Authorized and Unauthorized States

The switch port state determines whether the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1x packets. When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally. If a client that does not support 802.1x is connected to an unauthorized 802.1x port, the switch requests the identity of the...

Protocol Header Definition File

Protocol headers are defined in separate files called PHDFs. You define the packet filters using the field names that are defined within the PHDFs. A PHDF is a file that allows the user to leverage the flexibility of XML to describe almost any protocol header. The important components of the PHDF are the version, the XML file schema location, and the protocol field definitions. The protocol field definitions name the appropriate field in the protocol header, allow for a comment describing the...

Protocols of the Management Plane

The management plane performs management functions for a network and coordinates functions among all the planes (management, control, and data) in a network device. The management plane is also the logical path of all traffic related to the management of a routing platform and is used to manage a device through its network connection. Examples of protocols processed in the management plane are as follows: Simple Network Management...

Proxy Attack

In this network attack against private VLANs, frames are forwarded to a host on the network connected to a promiscuous port, such as a router. In the diagram, the network attacker sends a packet with the source IP and MAC address of the attacker device, the destination IP address of the target system, but the destination MAC address of the router. The switch forwards the frame to the switch port of the router. The router routes the traffic, rewrites the destination MAC address as that of the target, and...

PVLAN Proxy Attack

Even though PVLANs are a common mechanism to restrict communications between systems on the same logical IP subnet, they are not always 100 percent secure. PVLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and with promiscuous ports. Promiscuous ports...

Queue Thresholding

The queue-thresholding feature provides the ability to limit the number of unprocessed packets that a protocol can have at the process level. Note: The queue-thresholding feature can be applied only to the control plane host subinterface. This feature is designed to prevent the input queue from being overwhelmed by the traffic of any single protocol. Per-protocol thresholding follows a protocol charge model: the queue usage of each protocol is limited such that no single misbehaving protocol process...

RADIUS Background

RADIUS was developed by Livingston Enterprises, now part of Lucent Technologies. It contains these components: a protocol with a frame format that uses UDP. RADIUS is an access server AAA protocol developed by Livingston Enterprises (now part of Lucent Technologies). It is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises these three components...

Reports and Activity

The Reports and Activity section provides a wealth of tools for both troubleshooting and monitoring the network. Caution: Logging consumes resources, and the log files should be checked periodically for content and size. The logs that Cisco Secure ACS keeps are as follows. TACACS+ Accounting: The information that is included in these reports is configurable by the administrator in the System Configuration section under Logging. TACACS+ Administration: These reports include all of the...

Restrictions for CPPr

As of Cisco IOS Release 12.4, the CPPr feature has these restrictions: restricted to the IP version 4 (IPv4) input path only; does not support direct access control list (ACL) configuration in the control plane subinterfaces (ACLs can be configured using MQC policies); requires Cisco Express Forwarding for IP packet redirection. On host subinterfaces, note the following: the port-filter policy supports only TCP-based... [3-10 Securing Networks with Cisco Routers and Switches (SNRS) v2.0 2007 Cisco Systems, Inc.]

Returning to Default Configuration

Use the no switchport port-security interface configuration command to return the interface to the default condition of not being a secure port. The sticky secure addresses remain part of the running configuration. Use the no switchport port-security maximum value interface configuration command to return the interface to the default number of secure MAC addresses. Use the no switchport port-security violation {protect | restrict} interface configuration command to return the violation mode to the...

Secure Network Foundation

Slide: Data Forwarding Protection (Data Plane Protection); Lock Down Services and Routing Protocols (Control Plane Protection); Management (Management Plane Protection). The network environment of today is complex, and networking devices offer a feature-rich set of services to cater to different business needs. Because connecting to the Internet is imperative, network devices and infrastructure are exposed to many risks and threats. To meet the business needs of IP services such as network availability and...

Securing the Management Plane

Router(config-cp-host) management-interface FastEthernet 0/0 allow ssh snmp. By default, the MPP feature is disabled. When you enable the feature, you must follow these steps. Step 1: Enter control plane host configuration mode. Step 2: Designate one or more interfaces as management interfaces. Step 3: Configure the management protocols that will be allowed on the management... The configuration in this example shows MPP configured to allow SSH and SNMP to access the...

Shared Profile Components

This button allows an administrator to specify shell command authorization sets. By creating these command authorization sets, an administrator can control the commands that a user can execute on a device by applying the command authorization set to the user profile in the TACACS+ settings or at the group level. This is also where you configure downloadable ACLs and RADIUS Authorization Components. For these options to be visible, you must choose them in the Interface...

Show flashphdf Command

36356096 bytes available (27656192 bytes used). The show flash command shows a listing of the user-defined PHDFs stored locally on the router. Class Map type stack match-all ip-udp (id 4), Description: match UDP over IP packets, Match field IP protocol eq 0x11 next UDP. router show class-map type access-control: Class Map type...

Show policy-map Command (Cont.)

Router show policy-map type access-control interface FastEthernet 0/1 FastEthernet0/1 Service-policy access-control input: fpm-policy Class-map: ip-udp (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps Match field IP version eq 4 Match field IP ihl eq 5 Match field IP protocol eq 0x11 next UDP Service-policy access-control: fpm-udp-policy Class-map: slammer (match-all) 0 packets, 0 bytes 5 minute offered rate 0 bps, drop rate 0 bps Match field UDP dest-port eq 0x59A Match field IP length...

Show protocols phdf Command

Router show protocols phdf ip: Protocol ID: 1 Protocol name: IP Description: Definition-for-the-IP-protocol Field id: 2, tos, IP-Type-of-Service Field id: 3, length, IP-Total-Length Field id: 4, identification, IP-Identification Fixed offset, offset 32. These are examples of the show protocols command. The show protocols phdf loaded-protocol command shows runtime classification information for the loaded FPM classes and policies.

Spanning Tree Manipulation

The diagram illustrates how a network attacker can use STP to change the topology of a network so that it appears that the network attacker host is a root bridge with a higher priority. One attack against switches involves intercepting traffic by attacking the STP. This protocol is used in switched networks to prevent the creation of bridging loops in an Ethernet network topology. Upon bootup, the switches begin a process of determining a loop-free topology. The switches identify one switch as...

Tools

Slide: Protects the control plane traffic responsible for traffic forwarding; Cisco AutoSecure with rollback functionality; Protects the management plane from unauthorized management access and polling; Protects the data plane from malicious traffic; Unicast RPF (uRPF) for antispoofing; vty access control list (ACL); Cisco IOS Software login enhancement; Role-based command-line interface (CLI) views.

Tools Used to Secure the Management Plane

Slide: Cisco MPP feature for Cisco IOS Release 12.4(6)T; Cisco IOS Software login enhancement. A network administrator needs more than one tool to help secure the network infrastructure. There are several tools available to secure the management plane, including the following: Cisco MPP feature (Cisco IOS Release 12.4(6)T); SSH access only to the device (covered in the Securing Cisco Network Devices (SND) course); access control lists (ACLs) on the vty...

Types of Layer 2 Attacks

This topic describes various types of Layer 2 attacks. Like routers, both Layer 2 and Layer 3 switches have their own sets of network security requirements. However, not as much public information is available about the network security risks in switches and what can be done to mitigate those risks. Switches are susceptible to many of the same Layer 3 attacks as routers. Switches, and Layer 2 of...

Verify 802.1x Operation

Slide: View the operational status of IEEE 802.1x; view the IEEE 802.1x status for all ports or a specific port. The following commands are used to verify 802.1x operation on the switch. This command displays the operational status of IEEE 802.1x. Check the Status column in the IEEE 802.1x Port Summary section of the display. An Enabled status means that the port-control value is set to either auto or force-unauthorized. show dot1x all interface: This command...

Verify 802.1x Operation (Cont.)

Slide: show dot1x statistics interface interface (view IEEE 802.1x statistics for a specific port); view the status and operational information for all configured AAA servers. The following commands are also used to verify 802.1x operation on the switch. show dot1x statistics interface interface: This command displays IEEE 802.1x statistics for a specific port. This command displays the status and operational information for all configured AAA...

Verifying Port Security

sw-class show port-security: Secure Port, MaxSecureAddr (Count), CurrentAddr (Count), SecurityViolation (Count), Security Action; Total Addresses in System (excluding one...); Max Addresses limit in System (excluding... Use the show port-security command to view port security settings for the switch, including violation count, configured interfaces, and security violation actions.

Verifying Port Security Cont

Use the show port-security interface interface-id command to view port security settings for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode. sw-class show port-security interface fa0/12: SecureStatic Address Aging, Maximum MAC Addresses, Total MAC...

VLAN Assignment, Guest VLANs, and Restricted VLANs

Here are some points to keep in mind when configuring IEEE 802.1x with VLAN assignment and with guest and restricted VLANs: Authentication with the VLAN assignment feature is not supported on trunk ports, dynamic ports, or with dynamic access port assignment through a VMPS. Guest VLANs are supported only on access ports. You can configure any VLAN as a guest VLAN except an RSPAN VLAN or a voice VLAN. You can configure any VLAN as a restricted VLAN except an RSPAN VLAN or a voice VLAN. Restricted...

VLAN Hopping

A VLAN hopping attack occurs when an attacker sends out packets destined for a system on a different VLAN that cannot normally be reached by the attacker. This traffic is tagged with a VLAN ID (VID) different from the one to which the attacker belongs. Alternatively, the attacking system may try to behave like a switch and negotiate trunking so that the attacker can send and receive traffic between other VLANs.

And Guest VLANs

This topic describes the use of 802.1x with guest VLANs. (Diagram: "I do not know A, I do know B, and B gets VLAN 10.") It is possible to configure a guest VLAN for each IEEE 802.1x port on the switch to provide limited services to clients, such as Internet access or downloading the IEEE 802.1x client. Some clients might be upgrading their system for IEEE 802.1x authentication, while others, such as Microsoft Windows 98...

And Port Security

This topic describes the use of 802.1x with port security. You can configure an IEEE 802.1x port with port security in either single-host or multiple-hosts mode. (You must also configure port security on the port by using the switchport port-security interface configuration command.) When you enable port security and IEEE 802.1x on a port, IEEE 802.1x authenticates the port, and port security manages network access for...

And Restricted VLANs

This topic describes the use of 802.1x with restricted VLANs. (Diagram: "I do not know A, I do know B, and B gets VLAN 10.") Another security feature allows you to configure a restricted VLAN for each IEEE 802.1x port to provide limited services to clients that cannot access the guest VLAN. Clients that are IEEE 802.1x-compliant and cannot access another VLAN because they fail the authentication process will be put in...

And VLAN Assignment

This topic describes the use of 802.1x with VLAN assignment. (Diagram: "I do not know A, I do know B, and B gets VLAN 10.") A common security policy is to limit network access for certain users by using VLAN assignment. You accomplish this using the aaa authorization network default group radius command. After successful IEEE 802.1x authentication of a port, the RADIUS server sends the VLAN assignment to configure the switch...

Example of Queue Thresholding

class-map type queue-threshold match-all QT-class
 match protocol bgp
policy-map type queue-threshold QT-policy
 class QT-class
  queue-limit 100
control-plane host
 service-policy type queue-threshold input QT-policy

This example shows how to configure a queue-threshold policy to set the queue limit for BGP protocol traffic to 100. The QT-class class map matches protocol bgp. The QT-policy policy map points to the class map and sets the queue limit. The control plane host subinterface has an input...

Overview of CPPr

This topic describes the basic function and benefits of the Cisco IOS CPPr feature. One tool mentioned in the previous section is CPPr, which includes CoPP, port filtering, and queue thresholding. CPPr is a framework that encompasses all policing and protection features in the control plane. The CPPr feature extends the...

Common Cisco IOS AAA Authorization Configuration

To enable AAA authorization and create an authorization method list for a particular authorization type, use the aaa authorization command: dev(config) aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]. auth-proxy: Applies specific security policies on a per-user basis. network: Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Programs (NCPs), and AppleTalk Remote...

Defining Port Filter Packet Classification Criteria

Before you can attach a port-filter service policy to the control plane host subinterface, you must first create the policy to define a port-filter class map and policy map type for control plane traffic. A new class map type called port-filter was created for the port-filter feature. You must first create one or more port-filter class maps before you can create your port-filter service policy. Your port-filter class maps will separate your traffic into classes of traffic. Then, your service...

Enable AAA

aaa authentication dot1x {list-name | default} group radius: Create an IEEE 802.1X authentication method list. aaa authorization network default group radius: (Optional) Configure the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment. Complete these steps to enable AAA services on the switch. Specify one or more authentication, authorization, and accounting (AAA) methods for use on interfaces running...

DHCP Starvation and Spoofing Attacks

This topic describes the DHCP spoofing and starvation attacks. (Diagram: attacker attempting to set up a rogue DHCP server; DHCP requests with spoofed MAC addresses; attacker attempting to starve the DHCP server.) A DHCP starvation attack works by broadcasting DHCP requests with spoofed MAC addresses. This is easily achieved with attack tools such...

Flexible Packet Matching

Many of the tools available today are not designed with deep packet inspection as a requirement; instead, they are designed to provide matching for predefined fields in well-known protocol headers. If an attack uses a field outside the limited range of inspection of these features, you are left without a defense against the attack. FPM provides the means to configure match criteria for any or all fields in a packet...
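As an added example that is not part of the SNRS course material, the following Python model ties together the PHDF section (field definitions by name, offset and length) and the show policy-map output above: it applies simplified, constructed PHDF-style field definitions to a constructed IPv4/UDP packet and evaluates the ip-udp and nested slammer match criteria (IP version eq 4, ihl eq 5, protocol eq 0x11, UDP dest-port eq 0x59A). The field table format and the build_packet helper are assumptions for this example, not Cisco's PHDF XML schema or any IOS API.

```python
"""Added example, not from the SNRS course material: a small Python model
of how FPM classifies a packet by protocol header fields.

Field definitions use a simplified PHDF-like form (name, bit offset, bit
length) that is an assumption for this example, not Cisco's PHDF XML schema.
The match criteria mirror the fpm-policy output on the page: IP version eq 4,
IP ihl eq 5, IP protocol eq 0x11 (next UDP) and, nested inside the ip-udp
class, UDP dest-port eq 0x59A.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str
    bit_offset: int  # offset from the start of the header, in bits
    bit_length: int


# Constructed, simplified PHDF-style definitions (fixed offsets only).
IP_PHDF = {
    "version": Field("version", 0, 4),
    "ihl": Field("ihl", 4, 4),
    "length": Field("length", 16, 16),
    "protocol": Field("protocol", 72, 8),
}
UDP_PHDF = {
    "source-port": Field("source-port", 0, 16),
    "dest-port": Field("dest-port", 16, 16),
    "length": Field("length", 32, 16),
}


def extract(header: bytes, field: Field) -> int:
    """Return the integer value of a big-endian bit field in a header."""
    value = int.from_bytes(header, "big")
    shift = len(header) * 8 - field.bit_offset - field.bit_length
    return (value >> shift) & ((1 << field.bit_length) - 1)


def classify(packet: bytes) -> dict:
    """Evaluate the page's two match-all class maps against one packet."""
    ip = {n: extract(packet[:20], f) for n, f in IP_PHDF.items()}
    # Class-map ip-udp: IP version eq 4, ihl eq 5, protocol eq 0x11 (UDP)
    ip_udp = ip["version"] == 4 and ip["ihl"] == 5 and ip["protocol"] == 0x11
    udp = {}
    start = ip["ihl"] * 4  # the UDP header begins right after the IP header
    if ip_udp and len(packet) >= start + 8:
        udp = {n: extract(packet[start:start + 8], f) for n, f in UDP_PHDF.items()}
    # Nested class-map slammer (fpm-udp-policy): UDP dest-port eq 0x59A
    slammer = ip_udp and udp.get("dest-port") == 0x59A
    return {"ip-udp": ip_udp, "slammer": slammer}


def build_packet(dst_port: int, protocol: int = 0x11, payload: bytes = b"\x04" * 8) -> bytes:
    """Construct a minimal IPv4 packet with a UDP header for testing (checksums zero)."""
    udp_len = 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, protocol, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp_hdr = struct.pack("!HHHH", 40000, dst_port, udp_len, 0)
    return ip_hdr + udp_hdr + payload
```

Running classify(build_packet(0x59A)) reports both classes matched, while a packet to port 53 matches only ip-udp and a packet whose protocol byte is not 0x11 matches neither.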