AAA Authentication Login Methods

The table lists AAA authentication login methods:
- Uses the enable password for authentication.
- Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
- Uses the line password for authentication.
- Uses the local username database for authentication.
- Uses case-sensitive local username authentication.
- Uses a cache server group for authentication.
- Uses the list of all RADIUS servers for authentication.
- Uses the list of all TACACS+ servers for authentication.
- Uses a...

Additional Features in Cisco Secure ACS 4.0 for Windows

Cisco Secure ACS 4.0 for Windows provides the following additional features:
- Cisco NAC support: Cisco Secure ACS 4.0 for Windows acts as a policy decision point in NAC deployments. Using configurable policies, it evaluates and validates the credentials received from the Cisco Trust Agent (posture), determines the state of the host, and sends a per-user authorization to the NAD: ACLs, a policy-based ACL, or a private VLAN assignment. Evaluation of the host credentials can enforce many specific...

Adjusting the Switch-to-Client Retransmission Time

When the switch does not receive an EAP-Response/Identity frame from the client, it waits a specific amount of time and then resends the request. The default time is 30 seconds. Use the dot1x timeout tx-period command to adjust the retransmission time:

switch(config)# dot1x timeout tx-period seconds

Note: You should change the default value of this command only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain clients and authentication servers.

Adjusting Timers for DHCP

The following example shows how to enable a VLAN as an IEEE 802.1x guest VLAN when an IEEE 802.1x port is connected to a DHCP client. You will set 3 as the quiet time on the switch, and set 15 as the number of seconds that the switch waits for a response to an EAP-Request/Identity frame from the client before resending the request.

Switch(config-if)# dot1x timeout quiet-period 3
Switch(config-if)# dot1x timeout tx-period 15
Switch(config-if)# dot1x guest-vlan 20

Administrator Interface

If you plan to administer the Cisco Secure ACS from the network, you will have to create and enable an administrator first. An administrative account is not created by default. To create an administrative account, follow these steps: Step 1 Click Administration Control. Step 17 Click Add Administrator. Step 18 Complete...

Advanced Filtering

Advanced filtering is based on a Boolean AND expression of RADIUS attributes. It is used to create rules based on specific RADIUS attributes and values (including Cisco attribute-value pairs). Multiple rule elements are allowed, and they are treated as a Boolean AND expression. The operators contains, starts with, and regular expression apply only to string-type attribute values. The rule elements table is used to dictate the rule elements that make up a rule based on a RADIUS...

Applying a CoPP Service Policy to the Host Subinterface

This task allows you to apply a CoPP service policy to the control plane host subinterface. Note: Before you attach an existing QoS policy to the control plane, you must first create the policy by using MQC to define a class map and policy map for control plane traffic. Perform these steps to apply a CoPP service policy to a control plane interface: Step 1 Attach a policy map to a control plane for aggregate control plane services. router(config-cp)# service-policy {input | output} policy-map-name...

Applying a Port Filter Service Policy to the Host Subinterface

You are now ready to apply the port-filter policy to the host subinterface. Follow these steps: Step 1 Attach a QoS policy that manages traffic to the control plane host subinterface, and enter control plane configuration mode. router(config)# control-plane host. Syntax description: enters the control plane host subinterface configuration mode. Note: Port-filter can only be applied to the host subinterface.

Applying a Queue Threshold Policy to the Host Subinterface

Before you can attach a queue-threshold service policy to the control plane host subinterface, you must first create the policy that defines a class map and policy map for the required control plane traffic. Follow these steps to apply queue-threshold service policies to the control plane host subinterface: Step 1 Enter global configuration mode. Step 2 Attach a queue-threshold policy to the host subinterface and enter control plane configuration mode. Note: Queue thresholding can only be applied...

Applying a Service Policy to an Interface

router(config)# interface FastEthernet 0/1
router(config-if)# service-policy type access-control input fpm-policy

After the traffic policy is created, you have to apply the policy to an interface. Complete these steps to apply the traffic policy to an interface: Step 1 Enter interface configuration mode. router(config)# interface FastEthernet 0/1 Step 2 Specify the type and the name of the traffic policy to be attached to the input or router(config-if)...

Attacks and Vulnerabilities

This topic describes some of the network attacks and the vulnerabilities that are being exploited. Because of either software- or network-related vulnerabilities, the network is exposed to several types of attacks. For an attack to take place, there must be some weakness to exploit. Here are some of these: Missing network security policies: No written policies. Usually results in little to no security...

Authentication Authorization and Accounting

AAA is a compilation of network security services that provides the framework through which you set up NAC. AAA provides a modular way of performing authentication, authorization, and accounting services. These services will be discussed further. AAA uses protocols such as RADIUS, TACACS+, or Kerberos for its security functions. From the view of a network access server (NAS), AAA is the means through which the NAS establishes communication between...

Authorization Rules

[Screenshot of the Cisco Secure ACS authorization rules page: the groups Users (2 users), Contractors (2 users), and Guest (2 users) each have the condition Any, with a default rule applied when the condition is not defined, and an option to include RADIUS attributes from the user's group.]

Before You Begin

To set up authorization rules for a profile, it is assumed that some other elements of Cisco Secure ACS have been set up, including the following: RADIUS authorization components (RACs)...

Cisco ACS Features

Cisco Secure ACS for Windows provides a centralized identity networking solution and simplified user management experience across all Cisco devices and security management applications. Cisco Secure ACS helps to ensure enforcement of assigned policies by allowing network administrators to control who can log into the network,...

Cisco IBNS Port-Based Access Control

[Diagram: the switch checks with the policy database on the authentication server (Cisco Secure ACS RADIUS); the policy database informs the switch, confirms the identity, and grants access.]

In compliance with the IEEE 802.1x standard, Cisco Catalyst switches can perform basic port-based authentication and Network Access Control (NAC). Once the IEEE 802.1x-compliant client software is configured on the end device (client), the Cisco Catalyst...

Cisco IOS Debug

Cisco IOS Software includes several debugging commands that can be used to provide detailed information about the processing of AAA requests by the AAA client. For general information about AAA processing, including which protocol is being used, use one of these commands. For details about TACACS+ or RADIUS in particular, use one of these commands.

Cisco Secure ACS

Cisco Secure ACS functions as the AAA server from the perspective of the NAD. You must configure the device, which functions as a AAA client from the Cisco Secure ACS perspective, to direct all end-user host access requests to Cisco Secure ACS via the TACACS+ or RADIUS protocols. Basically, the NAD serves as the network gatekeeper and sends an access request to Cisco Secure ACS on behalf of the user. Cisco...

Cisco Secure ACS for Windows Server Internal Architecture

- Provides Cisco Secure ACS to multiple Cisco authenticating devices
- Comprises several modular Windows services, operating together on one server
- Authentication service
- Authorization service

When you install Cisco Secure ACS, the installation adds several Microsoft Windows services. The services provide the core of Cisco Secure ACS...

Cisco Secure ACS Troubleshooting

- Failed Authentications Report
- Passed Authentications Report
- Cisco Secure ACS command-line utility

Basically, there are three tools to help with troubleshooting a Cisco Secure ACS environment. These tools can be used to help determine where the problem exists, including a third-party database back-end authentication problem.

Common Cisco IOS AAA Accounting Configuration

Use the aaa accounting command to enable accounting and to create named method lists that define specific accounting methods on a per-line or per-interface basis:

dev(config)# aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

- auth-proxy: Provides information about all authenticated-proxy user events.
- system: Performs accounting for all system-level events not...

Common Cisco IOS AAA Authentication Configuration

To enable AAA authentication and create a local authentication list, use the aaa authentication login command:

dev(config)# aaa authentication login {default | list-name} [password-expiry] method1 [method2...]

- default: Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
- list-name: Character string used to name the list of authentication methods activated when a user logs in.
- password-expiry: Enables password aging on a local authentication list.
- method1 [method2...]: Identifies the list of methods...

Common Cisco IOS AAA Configuration

Use the aaa new-model command to enable AAA:

router(config)# aaa new-model

To disable AAA, use this command:

router(config)# no aaa new-model

To configure security on a Cisco router or access server using AAA, follow these steps: Step 1 Enable AAA by using the aaa new-model global configuration command. Step 2 If you decide to use a separate security server, configure security protocol parameters, such as RADIUS, TACACS+, or Kerberos. Step 3 Define the method lists for authentication by using an...

Common Configurations in Cisco Secure ACS

Several Cisco Secure ACS elements must be configured first to configure a NAP and its policies:
- Authentication using TACACS+ or RADIUS (vendor)
- In Advanced Options, allow the following: per-user TACACS+ or RADIUS attributes, group-level shared network access restrictions, group-level downloadable ACLs
- Group NADs into locations or by other criteria
- RADIUS authorization components
- Create ACLs to manage...

Compatibility with Other Features

The table includes other switch features that are compatible with port security configured on a port: Dynamic Trunking Protocol (DTP) port (1). Notes: 1. A port configured with the switchport mode dynamic interface configuration command. 2. A VLAN Query Protocol (VQP) port configured with the switchport access vlan dynamic interface configuration command. 3. You must set the maximum allowed secure addresses on the port to two plus the maximum number of secure addresses allowed on the access VLAN.

Concepts of Cisco IBNS in Action

Cisco IBNS is an integrated solution combining several Cisco products that offer authentication, access control, and user policies to secure network connectivity and resources. The Cisco IBNS solution enables greater security while simultaneously offering cost-effective management of changes throughout the organization. Cisco IBNS provides the network with the following services and capabilities: user or device authentication, or both; mapping the...

Configuration Guidelines

- Not active until enabled on a VLAN
- Configure DHCP server and relay agent first
- Configure DHCP addresses and options first
- DHCP option 82 not supported if relay agent is enabled but snooping is disabled

Here are some guidelines to use when configuring DHCP snooping: You must globally enable DHCP snooping on the switch. DHCP snooping is not active until DHCP snooping is enabled on a VLAN. Before globally enabling DHCP snooping on the...

Configure Interface and Enable 802.1x

- switchport mode access (no switchport): Configure port as an access port
- Enable IEEE 802.1x authentication on the port
- (Optional) Allow multiple clients on an IEEE 802.1x-authorized port

Configure the interface using the following commands. IEEE 802.1x can only be configured on static Layer 2 access ports. dot1x port-control {force-authorized | force-unauthorized | auto}: This command enables IEEE 802.1x authentication on the port. The default...

Configure RADIUS Communications

- switch(config)# radius-server host {hostname | ip-address}: Specify the IP address of the RADIUS server
- switch(config)# radius-server key string: Specify the authentication and encryption key
- switch(config)# radius-server vsa send [accounting | authentication]: (Optional) Enable the switch to recognize and use VSAs

Configure RADIUS communications using the following commands. radius-server host {hostname | ip-address} [auth-port port] [acct-port port]: This command specifies the IP...

Configuring 802.1x in Cisco IOS

- Configure RADIUS communications.
- Configure interface and enable 802.1x.

The basic configuration of the Cisco Catalyst switch or Cisco Aironet wireless LAN access point remains constant within any IEEE 802.1x deployment regardless of the EAP method chosen for authentication. The EAP method is agreed upon by the client and authentication server, and the authenticator simply proxies the information...

Configuring a Guest VLAN on a Port

When you configure a guest VLAN, clients that are not IEEE 802.1x-capable are put into the guest VLAN when the server does not receive a response to its EAPOL Request/Identity frame. Clients that are IEEE 802.1x-capable but fail authentication are not granted access to the network. The switch supports guest VLANs in single-host or multiple-hosts mode. Perform these tasks to configure a guest VLAN on a switch port: Step 1 Enable AAA. Step 2 Enable 802.1x guest VLAN behavior globally. Step 3...

Configuring a Queue Threshold Policy

- Define queue-threshold packet classification criteria.
- Define a queue-threshold service policy.
- Apply the queue-threshold policy to the host subinterface.

You can define a queue-threshold service policy when you want to limit the number of unprocessed packets that a protocol can have at the process level. A new queue-threshold policy feature is included with CPPr that can be applied to the control plane host subinterface. This feature...

Configuring a Restricted VLAN

IEEE 802.1x-compliant clients are moved into the restricted VLAN when the authentication server does not receive a valid username and password from the client. Restricted VLANs are supported only in single-host mode. Perform these tasks to configure a restricted VLAN on a switch port: Step 2 Configure the switch port as access. Step 3 Configure dot1x port control as auto. Step 4 Specify an active VLAN as a restricted VLAN. You can configure the maximum number of authentication attempts allowed...

Configuring AAA Services to work with a AAA Server

router(config)# aaa authentication login default group tacacs+ enable
router(config)# aaa authorization network default group tacacs+ enable
router(config)# aaa accounting network myacct start-stop group radius
router(config)# tacacs-server host 10.0.1.12
router(config)# tacacs-server host 10.0.1.14
router(config)# tacacs-server key cisco123

OR

router(config)# tacacs-server host 10.0.1.12 key cisco123

Several steps are required to configure AAA services to work with external AAA servers using TACACS...

Configuring CPPr

- (Optional) Configure port-filter policy.
- (Optional) Configure queue-threshold policy.

The CLI for control plane has been extended to allow for CoPP policies to be applied to individual control plane subinterfaces. The command syntax for creating CoPP service policies remains the same. In addition, the MQC class map and policy map CLI was modified to allow for additional types. The port-filter and queue-threshold policy features...

Configuring FPM

- Define a protocol stack and specify exact parameters to match
- Using class map type stack and access-control
- Apply the service policy to an interface

FPM allows customers to create their own filtering policies that can immediately detect and block new viruses and attacks. The process for configuring FPM consists of four steps. Step 1 Load a PHDF from flash memory. Once the appropriate PHDFs are loaded, a class-map command with type...

Configuring Guest and Restricted VLANs

- (Optional) Specify an active VLAN as an IEEE 802.1x guest VLAN
- switch(config-if)# dot1x auth-fail vlan vlan-id: (Optional) Specify an active VLAN as an IEEE 802.1x restricted VLAN

This command specifies an active VLAN as an IEEE 802.1x guest VLAN. The range is 1 to 4094. You can configure any active VLAN, except an RSPAN VLAN or a voice VLAN, as an IEEE 802.1x guest VLAN. dot1x auth-fail vlan vlan-id: This command specifies an active...

Configuring MPP

When the last configured interface is deleted, the MPP feature turns itself off. Follow these steps to configure a network device: Step 1 Enter control plane host configuration mode. Applies policies to host control plane traffic. Step 2 Configure an interface to be a management interface and specify which management protocols are allowed. router(config-cp-host)# management-interface interface allow protocols. Name of the interface...

Configuring Port Filter Policies

- Define port-filter packet classification criteria.
- Define a port-filter service policy.
- Apply the port-filter service policy to the host subinterface.

Apply the port-filter policy feature to the control plane host subinterface to block traffic destined to closed or nonlistened TCP and UDP ports. New class map and service policy types have been created to accommodate the port-filter configuration. However, classification and match...

Configuring Port Security Aging

switchport port-security aging {static | time time | type {absolute | inactivity}}: Enable or disable static aging for the secure port, or set the aging time or type.

You can use port security aging to set the aging time for static and dynamic secure addresses on a port. Here are the two types of aging supported per port: Absolute: The secure addresses on the port are deleted after the specified aging time. Inactivity: The secure addresses on the...

Configuring Port Security (Cont.)

- switchport port-security violation {protect | restrict | shutdown}: Set the violation mode (optional)
- switchport port-security mac-address mac-address: Enter a static secure MAC address for the interface (optional)
- switchport port-security mac-address sticky: Enable sticky learning on the interface (optional)

Step 5 (Optional) Set the violation mode. This is the action to be taken when a security violation is detected: switch(config-if)#...

Configuring VLAN Assignment

Perform these tasks to configure VLAN assignment: 3. Assign vendor-specific tunnel attributes in the RADIUS (Cisco Secure ACS) server. The RADIUS server must return these attributes to the switch:
- [65] Tunnel-Medium-Type = IEEE 802
- [81] Tunnel-Private-Group-ID = VLAN name or VLAN ID

Note: Attribute 64 must contain the value VLAN (type 13). Attribute 65 must contain the value IEEE 802 (type 6). Attribute 81 specifies the VLAN name or VLAN ID assigned to the IEEE 802.1x-authenticated user.

Control Plane Architecture with CPPr

[Diagram: control plane, Cisco Express Forwarding subinterface, and Cisco Express Forwarding input feature.]

This diagram depicts the flow of control traffic through the control plane architecture with the CPPr feature enabled.

Course Flow

- Lab 2-1 Configure Cisco Secure ACS as a AAA Server
- Lab 4-1 Configure a Site-to-Site VPN Using Pre-Shared Keys
- Lab 4-5 Configure a Cisco IOS SSL VPN (WebVPN)
- Lab 5-3 Configure a Cisco IOS Zone-Based Policy Firewall
- Lab 5-4 Configure a Cisco IOS Firewall Authentication Proxy on a Cisco Router
- Lab 2-2 Configure 802.1x Port-Based Authentication
- Lab 4-2 Configure a Site-to-Site VPN Using Certificates
- Lab 4-3 Configure a GRE Tunnel to a Remote Site
- Lab 4-6 Configure Cisco Easy VPN Remote Access
- Lab...

Course Goal

To secure a network using existing Cisco IOS security features, including the Cisco IOS classic firewall, Cisco IOS IPS, and Cisco IOS authentication proxy; to implement secure tunnels using IPsec technology; and to implement switch trust and identity using 802.1x and Cisco Secure Access Control Server (ACS). Upon completing this course, you will be able to meet these objectives: implement Layer 2 security features; implement the Cisco Trust and Identity Management model to control network access...

Course Introduction

Securing Networks with Cisco Routers and Switches (SNRS) v2.0 is a five-day, instructor-led, lab-intensive course that is delivered by Cisco Learning Partners. It is aimed at providing network specialists with the knowledge and skills needed to secure Cisco IOS router and switch networks. Successful graduates will be able to secure the network environment using existing Cisco IOS security features. This includes the ability to configure some of the primary components of the Cisco IOS Firewall...

Creating a Traffic Class

In creating a traffic class, you will create stateless packet classification criteria that, when used in conjunction with an appropriately defined policy, can mitigate network attacks. Once the appropriate PHDFs are loaded, a stack of protocol headers must be defined so that FPM knows which headers are present and in which order. Once the stack of protocols is defined, a class map of type access-control is defined for classifying packets. Step 2 Define the sequence of headers as IP first, then...

Creating an Installation

This topic describes how to perform a Cisco Secure ACS installation using setup.exe on the Cisco Secure ACS CD-ROM.
- Accept software license agreement
- Enter database encryption password
- Finish, start services, and administrator session

Complete the following steps to install Cisco Secure ACS for the first time. Step 1 Log onto the computer using a local administrator account. Step 5 Click setup.exe, located in the root directory of the CD-ROM. Step 6...

Data Plane Attacks

CPU utilization for five seconds: 99%/85%; one minute: 99%; five minutes: 78%

Attacks against networking environments are increasing in frequency and sophistication. Attacks that affect the data forwarding plane include some well-known attacks with very specific signatures (fields within the IP packet that contain certain specific values). Here are some of these attacks. All of these attacks are known to overload the CPU of any router or switch in its path. To counter these attacks, features are needed...

Defining a Port Filter Service Policy

You can define a port-filter service policy that provides additional CPPr. Defining this policy supports early dropping of packets that are directed toward closed or nonlistened TCP/UDP ports on the router. Complete these steps to configure a port-filter service policy. The port-filter traffic class is associated with the service policy when the class command is used. The class command must be issued after entering policy map configuration mode. After entering the class command, you are...

Defining a Queue Threshold Service Policy

Use the new policy-map type queue-threshold global configuration command to configure a queue-threshold service policy. Use this command to specify the queue-threshold service policy name, and use other configuration commands to associate a queue-threshold traffic class (configured with the class-map type queue-threshold command) with the queue-threshold queue-limit action command. The class command must be issued after entering policy map configuration mode. After entering the class...

Defining Packet Classification Criteria for CoPP

You must first create the policy using MQC to define a class map and policy map for control plane traffic. Follow these steps to define a class map: Step 1 Define an access list of trusted hosts using specific protocols to access the router.

router(config)# ip access-list extended access-group-name
router(config-ext-nacl)# deny tcp host trusted-host any eq protocol
router(config-ext-nacl)# permit tcp any any...

DHCP Snooping

- DHCP snooping allows the configuration of ports as trusted or untrusted.
- Untrusted ports cannot process DHCP replies.
- Configure DHCP snooping on uplinks to a DHCP server.
- Do not configure DHCP snooping on client ports.

DHCP snooping is a DHCP security feature that provides network security by filtering untrusted DHCP messages and by building and maintaining a DHCP snooping binding database, which is also referred to as a DHCP snooping binding table. DHCP snooping is a Cisco Catalyst switch...

EAP-FAST

[Diagram of the EAP-FAST TLS exchange: Client Hello (client_random, PAC-Opaque); Server Hello (server_random), Change_Cipher_Spec, TLS Finished; client Change_Cipher_Spec, TLS Finished.]

This diagram illustrates the EAP-FAST message exchange between the supplicant, authenticator, and authentication server using EAP-GTC as the inner method. First, a client running the IEEE 802.1x supplicant...

EAP-MD5

EAP-MD5 is a standard, nonproprietary EAP type. It is based on RFC 1994 (CHAP) and RFC 2284 (EAP). An MD5-Challenge within an EAP message is analogous to the PPP CHAP protocol, with MD5 specified as the hash algorithm. Because MD5 support is included in RFC 3748, all EAP deployments should support the MD5-Challenge mechanism. The diagram illustrates the EAP-MD5 message exchange between the supplicant, authenticator, and authentication server. First, a...

Enable 802.1x Globally

- Enable IEEE 802.1x authentication globally on the switch
- (Optional) Enable the optional guest VLAN behavior globally on the switch

Enable 802.1x globally on the switch using the following commands. This command globally enables IEEE 802.1x authentication on the switch. (Optional) dot1x guest-vlan supplicant: Before Cisco IOS Release 12.1(22)EA2, the switch did not maintain the EAPOL packet history and allowed clients that failed...

Example of Accounting

aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
aaa accounting network myacct start-stop group radius
username myuser password secure_password
radius-server host 10.0.1.12 key radiuskey
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization scoobee
 ppp accounting myacct

In this example, the...

Example of Authentication

username myuser password secure_password
ppp default group radius group tacacs+ local

This example shows a security solution where some interfaces will use the same authentication methods to authenticate PPP connections but the vty will use a named method list. For PPP connections, the RADIUS servers are contacted first for authentication information; then, if there is no response, the TACACS+ group is contacted. If all designated servers fail to...

Example of Authorization

aaa authentication login admin local
aaa authentication ppp dialins group radius local
aaa authorization network myauth group radius local
username myuser password secure_password
radius-server host 10.0.1.12 key radiuskey
interface group-async 1
 group-range 1 16
 encapsulation ppp
 ppp authentication chap dialins
 ppp authorization myauth
line 1 16
 autoselect ppp
 autoselect during-login
 login authentication admin
 modem dialin

This example...

Example of CoPP

router(config)# ip access-list extended CP-acl
router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq telnet
router(config-ext-nacl)# deny tcp host 10.10.10.2 any eq www
router(config-ext-nacl)# permit tcp any any eq telnet
router(config-ext-nacl)# permit tcp any any eq www
router(config-ext-nacl)# exit
router(config)# class-map match-any CP-class
router(config-cmap)# match access-group name CP-acl
router(config-cmap)# exit
router(config)# policy-map CP-policy
router(config-pmap)# class CP-class...

Example of Port Filtering

router(config)# class-map type port-filter match-all PF
router(config-cmap)# match closed-ports
router(config)# policy-map type port-filter PF-policy
router(config-cp-host)# service-policy type port-filter

This example shows how to configure a port-filter policy to drop all traffic destined to closed or nonlistened TCP or UDP ports. Note that the PF-class class map matches all closed ports. In addition, the PF-policy policy map points to the class map and defines the action. The control plane host...

Examples (Cont.)

[Output of the DHCP binding display: columns Client-ID/Hardware address/User name, Lease expiration, and Type; one entry shows client ID 0063.6973.636f.2d64... with a lease expiring Mar 29 2003 04:36 AM.]

This example displays the DHCP bindings by IP address and subnet. The example shows the DHCP binding address parameters, including an IP address, an associated MAC address, a lease expiration date, and the type of address assignment that has occurred. The table describes the...

External User Databases

The External User Databases section consists of three subsections. In addition to configuring the parameters to communicate with the external databases, you can configure how Cisco Secure ACS handles requests from users that are not in the local Cisco Secure ACS database (Unknown User Policy), and a mapping from the external database group to the local Cisco Secure ACS database group. In this section, you configure an unknown user policy. You also configure database group mappings to external...

Hardware and Software Requirements

Hardware
- Pentium 4 processor, 1.8 GHz or faster
- At least 1 GB of free disk space
- Minimum graphics resolution of 256 colors at 800x600 pixels
- 100Base-T or faster connection
Software
- Microsoft Windows 2000 Server, with SP4 installed
- Windows 2000 Advanced Server, with the following conditions
  - Without Microsoft Windows 2000 Cluster Service installed
  - Without other features specific to Microsoft Windows 2000 Advanced Server enabled
- Microsoft Windows Server 2003 Enterprise Edition
- Microsoft Windows Server...

How 802.1x Works

Figure: Cisco Catalyst 2950 Series Switch (NAD), Authentication Server (Cisco Secure ACS)
The actual authentication conversation occurs between the client and the authentication server using EAP. The authenticator is aware of this activity, but it is just an intermediary. The switch or the client can initiate authentication. If you enable authentication on a port by using the dot1x...

How 802.1x Works (Cont.)

Figure: EAP Request Identity, EAP Response Identity, EAP-method dependent authentication exchange with the AAA server (Authentication Server: Cisco Secure ACS)
You control the port authorization state by using the dot1x port-control interface configuration command and these keywords:
force-authorized: This keyword disables 802.1x and causes the port to transition to the authorized state without any authentication exchange required. The port...

Identity Based Networking Services

- Intelligent adaptability offering greater flexibility and mobility for users
- Combines authentication, access control, and user policies to secure network connectivity and resources
- User productivity gains and reduced operating costs
- Strengthens security for network connectivity, services, and applications
The Cisco IBNS solution provides the following benefits: Intelligent adaptability for offering greater flexibility and mobility to...

IEEE 802.1x Host Mode

IEEE 802.1x ports can be configured for single-host or multiple-host mode. In single-host mode, only one client can be connected to the IEEE 802.1x-enabled switch port. The switch detects the client by sending an EAPOL frame when the port link state changes to the up state. If a client leaves or is replaced with another client, the switch changes the port link state to down, and the port returns to the unauthorized state. In multiple-host mode, multiple hosts may be attached to a single IEEE 802.1x-enabled port. Only one of the attached...

Cisco Career Certifications

You are encouraged to join the Cisco Certification Community, a discussion forum open to anyone holding a valid Cisco Career Certification (such as Cisco CCIE, CCNA, CCDA, CCNP, CCDP, CCIP, CCVP, or CCSP). It provides a gathering place for Cisco certified professionals to share questions, suggestions, and information about Cisco Career Certification programs and other certification-related topics. For more information, visit www.cisco.com/go/certifications.

Module Objectives

Upon completing this module, you will be able to implement Layer 2 security features using Cisco IOS commands. This ability includes being able to meet these objectives:
- Describe the network of Company ABC and examine the vulnerabilities and attacks that the company network experiences
- Describe the types of Layer 2 attacks and the strategies to mitigate them
- Implement port security on a Cisco Catalyst switch
- Implement DHCP snooping on a Cisco Catalyst switch

If

You can use the port security feature to restrict input to an interface by limiting and identifying the MAC addresses of the stations allowed to access the port. When you assign secure MAC addresses to a secure port, the port does not forward packets with source addresses outside the group of defined addresses. Port security allows you to specify MAC addresses for each port or to permit a limited number of MAC addresses. When a secure...

Learner Skills and Knowledge

- Certification as a Cisco CCNA or the equivalent knowledge (optional)
- Basic knowledge of the Microsoft Windows OS
- Familiarity with networking and security terms and concepts (The concepts are learned in prerequisite training or by reading industry publications.)
- Completion of Interconnecting Cisco Network Devices (ICND) course
- Completion of Securing Cisco Network Devices (SND) course

MAC Spoofing Man-in-the-Middle Attacks

MAC spoofing attacks involve the use of a known MAC address of another host to attempt to make the target switch forward frames destined for the remote host to the network attacker. By sending a single frame with the source Ethernet address of the other host, the network attacker overwrites the CAM table entry so that the switch forwards packets destined for the host to the network attacker. Until the host sends traffic, it will not receive any traffic....

Method Lists and Server Groups

A server group is a way to group existing RADIUS or TACACS+ server hosts for use in method lists. Using server groups, you can specify a subset of the configured server hosts and use them for a particular service. For example, server groups allow you to define Radius_1 and Radius_2 as a server group, and define TACACS+_1 and TACACS+_2 as a separate server group. You can then specify Radius_1 and TACACS+_1 in the method list for authentication login, while specifying Radius_2 and...

Mitigating DHCP Attacks

Here are two ways to mitigate DHCP spoofing and starvation attacks.
In this lesson, the following two ways to mitigate DHCP spoofing and starvation attacks are discussed.
Port security: The techniques that mitigate CAM table flooding also mitigate DHCP starvation by limiting the number of MAC addresses on a switch port. You would use the port-security command to set the MAC address of a valid DHCP server on a switch port to prevent any...

Mitigating Spanning Tree Manipulation

spanning-tree portfast bpduguard default: Globally enable BPDU guard on all ports
switch(config-if) spanning-tree guard root: Enable root guard on an interface
To mitigate STP manipulation, use the root guard and the bpdu-guard enhancement commands to enforce the placement of the root bridge in the network and enforce the STP domain borders. The root guard feature is designed to provide a way to enforce the root-bridge placement in the...

Mitigating VLAN Hopping

Switch(config-if) switchport mode access: Configure port as an access port
You can mitigate VLAN hopping attacks by putting all user ports into access mode using the switchport mode access command. Several other modifications to the VLAN configuration are also recommended. One of the more important elements is to use dedicated VLAN IDs as the active (allowed) VLANs for all trunk ports. Also, disable all unused switch ports and place...

Network Access Profiles

A NAP is a means to classify access requests, according to the IP addresses of AAA clients, membership in an NDG, protocol types, or other specific RADIUS attribute values sent by the network device through which the user connects. The use of NAPs allows the administrator to configure different authentication mechanisms and authorizations depending on the characteristics of the access request, resulting in increased flexibility. The Network Access Profile section is used to create profiles, and...

Network Configuration

This button is where an administrator can add, delete, or modify settings for AAA clients (NADs). The layout of this page changes depending on the settings for interface configuration. If you are using NDGs, after you click Network Configuration in the navigation bar, only the Network Device Groups table and Proxy Distribution Table information appears. If you are not using NDGs, the AAA Clients table and the AAA Servers table appear in place of the Network Device Groups table.

Overview

Securing the control plane of a router is essential to a secure infrastructure. Control Plane Policing (CoPP) allows administrators to configure a quality of service (QoS) filter that will manage the traffic flow of control plane packets to protect the control plane of Cisco IOS routers and switches against reconnaissance and denial of service (DoS) attacks. Control Plane Protection (CPPr) extends the capabilities of CoPP. This lesson will teach the learner to configure both CoPP and CPPr. Upon...

Port Filtering

This feature enhances control plane protection by providing for early dropping of packets directed toward closed or nonlistened Cisco IOS TCP and UDP ports on the router.
Note: The port-filter policy feature can be applied only to the control plane host subinterface.
The port filter maintains a global database of all open TCP and UDP ports on the router, including random ephemeral ports created by applications. The port database is dynamically populated with entries provided by the registered...

Ports in Authorized and Unauthorized States

The switch port state determines whether the client is granted access to the network. The port starts in the unauthorized state. While in this state, the port disallows all ingress and egress traffic except for 802.1x packets. When a client is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the client to flow normally. If a client that does not support 802.1x is connected to an unauthorized 802.1x port, the switch requests the identity of the...

Prerequisites and Restrictions

FPM has the following prerequisites and restrictions:
- FPM is available only in advanced security images.
- Although access to an XML editor is not required, XML will ease the creation of PHDFs.
- FPM cannot be used to mitigate an attack that requires stateful classification. Because FPM is stateless, it cannot keep track of port numbers being used by protocols that dynamically negotiate ports. Thus, when using FPM, port numbers must be explicitly specified.
- FPM cannot perform IP fragmentation or TCP...

Protocol Header Definition File

Protocol headers are defined in separate files called PHDFs. You define the packet filters using the field names that are defined within the PHDFs. A PHDF is a file that allows the user to leverage the flexibility of XML to describe almost any protocol header. The important components of the PHDF are the version, the XML file schema location, and the protocol field definitions. The protocol field definitions name the appropriate field in the protocol header, allow for a comment describing the...

Protocols of the Management Plane

The management plane performs management functions for a network and coordinates functions among all the planes (management, control, and data) in a network device. The management plane is also the logical path of all traffic related to the management of a routing platform and is used to manage a device through its network connection. Examples of protocols processed in the management plane are as follows: Simple Network Management...

Proxy Attack

In this network attack against private VLANs, frames are forwarded to a host on the network connected to a promiscuous port such as a router. In the diagram, the network attacker sends a packet with the source IP and MAC address of the attacker device, a destination IP address of the target system, but a destination MAC address of the router. The switch forwards the frame to the switch port of the router. The router routes the traffic, rewrites the destination MAC address as that of the target, and...

PVLAN Proxy Attack

Even though PVLANs are a common mechanism to restrict communications between systems on the same logical IP subnet, they are not always 100 percent secure. PVLANs work by limiting the ports within a VLAN that can communicate with other ports in the same VLAN. Isolated ports within a VLAN can communicate only with promiscuous ports. Community ports can communicate only with other members of the same community and promiscuous ports. Promiscuous ports...

Queue Thresholding

The queue-thresholding feature provides the ability to limit the number of unprocessed packets that a protocol can have at the process level.
Note: The queue-thresholding feature can only be applied to the control plane host subinterface.
This feature is designed to prevent the input queue from being overwhelmed by any single protocol traffic. Per-protocol thresholding follows a protocol charge model. The queue usage of each protocol is limited such that no single misbehaving protocol process...

RADIUS Background

RADIUS was developed by Livingston Enterprises, now part of Lucent Technologies. It contains these components:
- Protocol with a frame format that uses UDP
RADIUS is an access server AAA protocol developed by Livingston Enterprises (now part of Lucent Technologies). It is a system of distributed security that secures remote access to networks and network services against unauthorized access. RADIUS comprises these three components...

References

For additional information, refer to these resources:
- Cisco Systems, Inc. Identity-Based Networking Systems Configuration Guide, Version 1.0. San Jose, California, December 2005. ab62.pdf.
- Configuring IEEE 802.1x Port-Based Authentication. hapter09186a0080648d7a.html
- Cisco Systems, Inc. Catalyst 2950 and Catalyst 2955 Switch Software Configuration Guide, 12.1(22)EA7. ook09186a008064737d.html.

Reports and Activity

The Reports and Activity section provides a wealth of tools for both troubleshooting and monitoring the network.
Caution: Logging consumes resources, and the log files should be checked periodically for content and size.
The available logs that Cisco Secure ACS keeps are as follows:
- TACACS+ Accounting: The information that is included in these reports is configurable by the administrator in the System Configuration section under Logging.
- TACACS+ Administration: These reports include all of the...

Restrictions for CPPr

As of Cisco IOS Release 12.4, the CPPr feature has these restrictions:
- Restricted to IP version 4 (IPv4) input path only
- Does not support direct access control list (ACL) configuration in the control plane subinterfaces (can be configured using MQC policies)
- Requires Cisco Express Forwarding for IP packet redirection
On host subinterfaces, note the following:
- The port-filter policy supports only TCP-based...

Returning to Default Configuration

Use the no switchport port-security interface configuration command to return the interface to the default condition of not being a secure port. The sticky secure addresses remain part of the running configuration. Use the no switchport port-security maximum value interface configuration command to return the interface to the default number of secure MAC addresses. Use the no switchport port-security violation {protect | restrict} interface configuration command to return the violation mode to the...

Secure MAC Addresses

This section covers the types of secure MAC addresses and security violation mode actions. A secure port can have 1 to 132 associated secure addresses. The total number of available secure addresses on the switch is 1024. After you have set the maximum number of secure MAC addresses allowed on a port, you can add secure addresses to the address table by manually configuring them, by allowing the port to dynamically configure them, or by configuring...

Secure Network Foundation

Figure: Data Plane Protection (data forwarding protection), Control Plane Protection (lock down services and routing protocols), Management Plane Protection (management)
The network environment of today is complex, while networking devices offer a feature-rich set of services to cater to different business needs. Because connecting to the Internet is imperative, network devices and infrastructure are exposed to many risks and threats. To meet the business needs of IP services such as network availability and...

Securing the Management Plane

Router(config-cp-host) management-interface FastEthernet 0/0 allow ssh snmp
By default, the MPP feature is disabled. When you enable the feature, you must follow these steps:
Step 1 Enter control plane host configuration mode.
Step 2 Designate one or more interfaces as management interfaces.
Step 3 Configure the management protocols that will be allowed on the management...
The configuration in this example shows MPP configured to allow SSH and SNMP to access the...

Security Violations

A security violation occurs in these situations:
- The maximum number of secure MAC addresses has been added to the MAC address table and a station whose MAC address is not in the MAC address table attempts to access the interface
- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN
Protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a...

Shared Profile Components

This button allows an administrator to specify shell command authorization sets. By creating these command authorization sets, an administrator can control the commands that a user can execute on a device by applying the command authorization set to the user profile in the TACACS+ settings or at the group level. This is where you also configure downloadable ACLs and RADIUS Authorization Components. For these options to be visible, you must choose them in the Interface...

Show flashphdf Command

36356096 bytes available (27656192 bytes used)
The show flash command shows a listing of the user-defined PHDFs stored locally on the router.
Class Map type stack match-all ip-udp (id 4)
  Description match UDP over IP packets
  Match field IP protocol eq 0x11 next UDP
router show class-map type access-control
Class Map type...

Show policy-map Command (Cont.)

Router show policy-map type access-control interface FastEthernet 0/1
FastEthernet0/1
  Service-policy access-control input fpm-policy
    Class-map ip-udp (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps
      Match field IP version eq 4
      Match field IP ihl eq 5
      Match field IP protocol eq 0x11 next UDP
      Service-policy access-control fpm-udp-policy
        Class-map slammer (match-all)
          0 packets, 0 bytes
          5 minute offered rate 0 bps, drop rate 0 bps
          Match field UDP dest-port eq 0x59A
          Match field IP length...