Cisco CCNA 200-301 – Cisco Device Security Part 5

March 5, 2023

9. AAA Configuration

In the last lecture we covered the theory of AAA: authentication, authorization and accounting. In this lecture you'll see how to configure it. The latest versions of IOS have moved to a different command syntax for configuring AAA, but before that, for a long time, the old way of doing it that you can see on the slide here was used, and you'll still see it used a lot in the field. So I'll cover the old configuration first, and first I'll show you the RADIUS config.

Then I'll show you the TACACS+ config. They're both very similar. So, the old way of doing RADIUS: the first thing we want to do is configure a backup username. When you use AAA, you tell the router or switch that whenever it needs to authenticate somebody, whenever it's checking a username and password, it's not using a locally configured username. The user is on the AAA server.

Now you can configure it so that it will use only the AAA server. But the problem with this is that if the device loses connectivity to the server, whether there's an issue with the server itself or an issue with the network path to it, and you've configured it to use AAA only, then nobody is going to be able to log into that device at all.

So what you want to do is configure a local username that will be used just as a backup. If the AAA server is available, if the router or switch can communicate with it, then users cannot log in with the backup username. But if the router or switch cannot communicate with the AAA server, it fails over to using the local username. This means you can still get into the device; it stops you from getting locked out of it.

So to do that, we need to configure a username. This is the standard command for that: username backupadmin secret Flackbox1. Here I've used the username backupadmin and the secret Flackbox1. That is our backup user in case we lose connectivity to the AAA server. Then, for the rest of our AAA config, at global config we say aaa new-model. There is no AAA old model; the command just means we're enabling AAA on this device.

Then we configure where our AAA servers are. We're using RADIUS here, so we say radius-server host 10.10.10.10 and then key Flackbox1. You configure a matching key on the AAA server and on the router, and that allows them to use AAA with each other.

We don't want just one server; we want at least two for redundancy. So here we've also configured radius-server host 10.10.10.11 key Flackbox2, and that's our RADIUS servers added. Then, optionally, we can put these into a group, so you can have different groups of different servers if you want to. It's not really that common to use this, but the functionality is there if you want it. To do that we say aaa group server radius and then give it a name. Here I've called it FBRG, for Flackbox RADIUS group.

Then under there you specify the servers that are going to go in the group: server 10.10.10.10 and server 10.10.10.11, the ones we configured earlier. Then, to enable AAA for authentication, we say aaa authentication login default group radius local. If you don't specify a particular group of servers, this means it can use all of the RADIUS servers you've configured on that particular device. That's the first way you can do it. The other way, if you have specified a particular group, is aaa authentication login default group FBRG local, using the group we configured. With both of those we've got RADIUS and then local.

That means the first choice is to use the RADIUS servers only. If the RADIUS servers cannot be reached, it falls back to using the local username. That's how you configure authentication. You can configure authorization as well; if you go on to the CCNP level or do the security track, you'll see the extra AAA commands for that.

Okay, so that is the old configuration. Now the new configuration, which came in with the latest versions of IOS. On the latest IOS, if you enter radius-server host 10.10.10.10, the old style of doing it, it will give you a warning saying that the command is going to be deprecated soon and that you should move to the new radius server syntax.

So the new way of doing it, at global config: the same command to start with, aaa new-model. Then we say radius server SERVER1. We give it a name, and that takes us into a sub-command mode for configuring that RADIUS server. In there we specify the IP address, address ipv4 10.10.10.10 for our example, and then key Flackbox1, which matches the key configured on the AAA server to authenticate this particular router or switch. Then for redundancy we've got a second server: radius server SERVER2, address ipv4 10.10.10.11, and the key is Flackbox2. The name you give them doesn't have to match the hostname of the server; it's just a name so the server can be referenced in IOS. Then we've got aaa group server radius.

I've called it FBRG again, and I say server name SERVER1 and server name SERVER2 to put both of the servers we configured into this group. Then, to enable AAA authentication, we've got aaa authentication login default group FBRG local. So again it will use the RADIUS servers first; if they're not available, it falls back to using the local username. Okay, so that's the new configuration, and that was for RADIUS. Let's have a look at our TACACS+ configuration as well. This is pretty much exactly the same, but we use the keyword tacacs-server rather than radius-server. So, the same kind of config. Again we've got username backupadmin secret Flackbox1 as our backup user in case we lose connectivity to the TACACS+ server, then aaa new-model, then tacacs-server host 10.10.10.10 key Flackbox1, then a second server for redundancy, tacacs-server host 10.10.10.11 key Flackbox2. Then our group: aaa group server tacacs+ FBTG (I've called it FBTG, for Flackbox TACACS+ group, this time), with server 10.10.10.10 and server 10.10.10.11. And then, to enable authentication, aaa authentication login default group FBTG local: the group as the first choice, falling back to local as the second choice.

Just like with RADIUS, this is the old configuration. We have a new configuration for TACACS+ as well, which again matches the new configuration for RADIUS. So here, if we say tacacs-server host 10.10.10.10, the old command, we'll get a warning that it's being deprecated. Our new command syntax is: username backupadmin secret Flackbox1, the same command as before, to configure the backup user.

Then aaa new-model, then tacacs server SERVER1 with address ipv4 10.10.10.10 and key Flackbox1, and we repeat those commands for SERVER2 with its IP address. Then aaa group server tacacs+ FBTG, as I've called it, which specifies the two servers with server name SERVER1 and server name SERVER2. And finally aaa authentication login default group FBTG local: the first choice is the group FBTG, the second choice is local. Okay, so that is how we do our AAA configuration. I'll see you in the next lecture for some best-practice security commands that we want to configure on our routers and switches.
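As an added example, not part of the lecture and not Cisco's own code, here is a small Python audit that reads an IOS-style running-config fragment and checks the points the lecture stresses: AAA is enabled, a local backup user with a secret exists, at least two AAA servers are defined, and the login method list ends with local so a dead RADIUS or TACACS+ server cannot lock administrators out. The sample configs are constructed from the lecture's values (backupadmin, Flackbox1, 10.10.10.10/11, FBRG) and cover both the old radius-server host syntax and the new radius server NAME syntax; the lockout variant is the same config with local removed, which is the mistake the lecture warns about.

```python
import re
from typing import List

# Constructed sample running-config fragments (hypothetical, not the lecture's lab):
# new-style RADIUS syntax with a named server group and a local fallback.
NEW_STYLE_CONFIG = """\
username backupadmin secret Flackbox1
aaa new-model
radius server SERVER1
 address ipv4 10.10.10.10
 key Flackbox1
radius server SERVER2
 address ipv4 10.10.10.11
 key Flackbox2
aaa group server radius FBRG
 server name SERVER1
 server name SERVER2
aaa authentication login default group FBRG local
"""

# The old syntax the lecture covers first, using all RADIUS servers with no named group.
OLD_STYLE_CONFIG = """\
username backupadmin secret Flackbox1
aaa new-model
radius-server host 10.10.10.10 key Flackbox1
radius-server host 10.10.10.11 key Flackbox2
aaa authentication login default group radius local
"""

# The mistake the lecture warns about: no 'local' at the end of the method list,
# so an unreachable RADIUS server locks every administrator out of the device.
LOCKOUT_CONFIG = NEW_STYLE_CONFIG.replace(
    "aaa authentication login default group FBRG local",
    "aaa authentication login default group FBRG",
)


def parse_aaa(config: str) -> dict:
    """Extract the AAA-related facts from an IOS-style config text."""
    facts = {
        "new_model": False,
        "backup_users": [],   # usernames defined with 'secret'
        "servers": [],        # (protocol, name-or-address) pairs, old or new syntax
        "groups": {},         # group name -> member server names/addresses
        "login_methods": [],  # tokens after 'aaa authentication login default'
    }
    current_group = None
    for raw in config.splitlines():
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            current_group = None  # any top-level line leaves the group sub-mode
        if line == "aaa new-model":
            facts["new_model"] = True
        elif m := re.match(r"username (\S+) secret ", line):
            facts["backup_users"].append(m.group(1))
        elif m := re.match(r"(radius|tacacs)-server host (\S+)", line):   # old syntax
            facts["servers"].append((m.group(1), m.group(2)))
        elif m := re.match(r"(radius|tacacs) server (\S+)$", line):       # new syntax
            facts["servers"].append((m.group(1), m.group(2)))
        elif m := re.match(r"aaa group server (?:radius|tacacs\+) (\S+)$", line):
            current_group = m.group(1)
            facts["groups"][current_group] = []
        elif current_group and (m := re.match(r"server(?: name)? (\S+)$", line)):
            facts["groups"][current_group].append(m.group(1))
        elif line.startswith("aaa authentication login default "):
            facts["login_methods"] = line.split()[4:]
    return facts


def audit_aaa(config: str) -> List[str]:
    """Return findings; an empty list means the config follows the lecture's pattern."""
    f = parse_aaa(config)
    findings: List[str] = []
    if not f["new_model"]:
        findings.append("aaa new-model missing: AAA is not enabled")
    if not f["backup_users"]:
        findings.append("no local username with a secret: nothing to fall back to")
    if len(f["servers"]) < 2:
        findings.append("fewer than two AAA servers: no redundancy")
    methods = f["login_methods"]
    if not methods:
        findings.append("no 'aaa authentication login default' method list")
        return findings
    if "local" not in methods:
        findings.append("method list has no 'local' fallback: lockout if servers are unreachable")
    elif "group" in methods and methods.index("local") < methods.index("group"):
        findings.append("'local' listed before the server group: local users are tried first")
    if "group" in methods:
        name = methods[methods.index("group") + 1]
        if name not in ("radius", "tacacs+") and name not in f["groups"]:
            findings.append(f"method list references undefined server group '{name}'")
    return findings


if __name__ == "__main__":
    for label, cfg in [("new", NEW_STYLE_CONFIG), ("old", OLD_STYLE_CONFIG), ("lockout", LOCKOUT_CONFIG)]:
        print(label, audit_aaa(cfg) or "OK")
```

The parser tracks whether it is inside an aaa group server sub-mode by indentation, which is how IOS prints sub-mode lines in show running-config, so the same code handles both the old server 10.10.10.10 members and the new server name SERVER1 members.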

10. Global Security Best Practices

In this lecture you'll learn about some global security best practices. Back in the Switch Security section, we covered best practices for port-level or interface-level security. In this lecture we're going to cover best practices for some security commands that we should enter in global configuration, and this is on both our routers and our switches. The first thing to cover is login and exec banners. Messages can be displayed in the command line before and/or after an administrator logs into the IOS device, and this is most commonly used to display security warnings. The message shown before they log in is the login banner. To configure that, at global config you say banner login and then a delimiter, such as a double quote; most of the special characters on the top row of the keyboard can be used here.

You then hit Enter and the router gives you feedback: enter your text message, end with the character, meaning the same delimiter you used. So because we said banner login " and hit Enter, we get that feedback. We then type in the message we want to show, for our example Authorized users only. We then type the double quote again and it breaks us back out of the command. Now the next time a user goes to log in, before they enter a password, they will see that warning message. You can also configure a message that administrators will see just after they log in. That is the exec banner, and for that you say banner exec.

So before it was banner login; now we do banner exec and our delimiter again. Again, in the example we're using the double quote. After we hit Enter it tells us to enter the text message; in our example we're saying Please log out immediately if you're not an authorized administrator. Then we type the double quote again and it breaks us back out of the command. Then you see the effect of this. When an administrator goes to telnet into the router or switch, before it prompts them for their password it gives them the login banner, which was Authorized users only in our example. Then it prompts them for a password. They enter their password, and as soon as they've logged in they get the exec banner, which was Please log out immediately if you're not an authorized administrator in our example. Both of those are optional: you can configure just a login banner, just an exec banner, or both together. That's our login and exec banners. The next thing to cover as a best practice is disabling unused services. Disabling unused services reduces the attack surface.

For example, say you've got HTTP running on the router and an attacker discovers a new exploit that attacks HTTP on Cisco routers. Well, if you're not running HTTP, you're not susceptible to that attack. Another benefit is that it reduces the load on the router or switch: if it's not running the service, it doesn't have to give CPU cycles to it. So best practice is to disable all of your unused services. I just mentioned HTTP as an example. HTTPS, secure HTTP, is often used if you're using a GUI, a graphical user interface tool, to manage the router or switch, but for plain HTTP there's really never any need to have it enabled. So best practice is to disable HTTP. Another example of a service you might want to disable is CDP.

Now, in most normal environments you will leave CDP, the Cisco Discovery Protocol, running, because it's really useful: if you're on a router or switch and want to see what neighbors are connected to it and what their IP addresses are, it's very handy to have CDP enabled. But this can be seen as a security issue as well. Maybe you don't want people to be able to map out the network using CDP. So in highly secure environments, such as banks, it's pretty normal to disable CDP.

The commands for our examples: to disable HTTP it's no ip http server, which disables HTTP but leaves HTTPS running. And if you want to disable CDP globally, at global config it's no cdp run. Okay, the last thing to cover here is time synchronization. All of the servers and infrastructure devices in your network should be synchronized to the same time. So not just your routers and switches.

Also any firewalls, anything like that, and all of your servers as well. Everything should be running on the same time. That helps in troubleshooting, because all of your logs will then report the correct time that events actually occurred. In the real world you're probably going to run into this: you're doing some troubleshooting, you look at the log, and the time has not been set on that device. The real time is 2 January 2018, but the device thinks it's 1 February 1984, and trying to figure out when things actually happened is very annoying. So it's much easier to troubleshoot if all of your devices have the correct time on them. Another big reason you want them all to have the correct time is that some security features actually require it.

For example, Kerberos authentication and digital certificates. If you're using Kerberos to log into Active Directory, the time on the client and the server must not be more than five minutes apart by default. If the time difference is more than five minutes, authentication is going to fail. That's there to stop somebody who has sniffed your username and password from sending it again and pretending to be you. The other one is digital certificates, which can be used for authentication as well. Digital certificates have a validity period on them, say from 2015 to 2020. Well, if your router thinks it's 1984, it will see that as an invalid digital certificate and it's not going to work. So for all those reasons, you definitely want to use time synchronization in your environment. The protocol used for this is NTP, the Network Time Protocol. So you want all of your servers and infrastructure devices to be synchronized with an NTP server. The other thing they can use is their own internal clock, but if you forget to set it, it can be way out. And even if you do set it, a router is built to be a router, not an excellent timekeeper, and the clock will drift over time.

So you want it synchronized with an NTP server that you know has the exact correct time. A Cisco router can function as an NTP server and/or an NTP client. Typically you'll configure it as an NTP client and use some kind of external device that you know has a really good clock as your NTP server. For your NTP configuration, first set the time zone on the router. If you've got a router in New York, you set it for the New York time zone.

If you've got a router in Sydney, you set it for the Sydney time zone. In our example here the local time is PST in the US, which is 8 hours behind UTC. So we say clock timezone PST -8 to say it's 8 hours behind UTC. Then we configure where the NTP server is. Now, remember I said Cisco routers can be either an NTP server or an NTP client; this can trip you up. To configure the router as an NTP client, the command is ntp server.

So you say ntp server and then the IP address the server is at. To configure it as an NTP server, the command is just ntp master. So usually we'll have it configured as an NTP client with the ntp server command; we don't usually use the router as an NTP master. Once that is done, we can do show clock to check that it's showing the correct time. Also, to verify, we can do show ntp status, and we want to see that the clock is synchronized. Now, something to note for real-world environments: when you configure the NTP server, the router does not just immediately change its time, because that could cause issues with internal processes.

It does it slowly over a bit of time, drifting towards the NTP server's time, so it can take up to around five minutes before it is actually showing the correct time. So when you're working in the real world and you configure your router or switch to use an NTP server, don't check the clock immediately; it's not going to be ready yet. Go make yourself a cup of coffee, come back and check the clock then, and you should see it's got the correct time. Okay, so those were some of our global security best practices, and in the next lecture we'll configure them in the lab.
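As an added example, not part of the lecture and not Cisco's own code, here is a Python check for the global best practices above. It parses a constructed IOS-style running-config fragment for the banners (reading the text between the delimiter characters the way banner login and banner exec store it), the no ip http server and no cdp run lines, the clock timezone and ntp server commands, and an unintended ntp master; and it reads the first line of show ntp status to decide whether the clock is synchronized. The hardened and default configs, and the two show ntp status lines, are constructed samples in the shape IOS prints them, not captures from the lab.

```python
import re
from typing import Dict, List

# Constructed sample running-config after the hardening steps from the lecture
# (hypothetical values; 10.0.1.10 stands in for the NTP server).
HARDENED_CONFIG = """\
clock timezone AEST 10
no ip http server
ip http secure-server
no cdp run
banner login ^C
Authorized users only
^C
banner exec ^C
Please log out immediately if you are not an authorized administrator
^C
ntp server 10.0.1.10
"""

# The same device before hardening: HTTP and CDP at their defaults, no banners,
# no time zone and no NTP server.
DEFAULT_CONFIG = """\
ip http server
ip http secure-server
"""

# Constructed first lines of 'show ntp status' in the form IOS prints them.
NTP_SYNCED = "Clock is synchronized, stratum 3, reference is 10.0.1.10"
NTP_UNSYNCED = "Clock is unsynchronized, stratum 16, no reference clock"


def parse_banners(config: str) -> Dict[str, str]:
    """Return banner type -> text for each 'banner <type> <delimiter>' block."""
    banners: Dict[str, str] = {}
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"banner (login|exec|motd) (\S+)$", lines[i])
        if m:
            kind, delim = m.groups()
            body: List[str] = []
            i += 1
            # The banner text runs until a line holding only the delimiter.
            while i < len(lines) and lines[i].strip() != delim:
                body.append(lines[i])
                i += 1
            banners[kind] = "\n".join(body).strip()
        i += 1
    return banners


def audit_global(config: str) -> List[str]:
    """Return findings against the lecture's global best practices (empty = all present)."""
    lines = {l.strip() for l in config.splitlines()}
    findings: List[str] = []
    if "no ip http server" not in lines:
        findings.append("plaintext HTTP server not explicitly disabled")
    if "no cdp run" not in lines:
        findings.append("CDP running globally (fine unless policy requires it off)")
    if not parse_banners(config).get("login"):
        findings.append("no login banner configured")
    if not any(l.startswith("clock timezone ") for l in lines):
        findings.append("time zone not set")
    if not any(l.startswith("ntp server ") for l in lines):
        findings.append("no NTP server configured: the clock will drift")
    if any(l.startswith("ntp master") for l in lines):
        findings.append("device configured as NTP master: usually unintended")
    return findings


def ntp_synchronized(show_ntp_status: str) -> bool:
    """True when the first line of 'show ntp status' reports a synchronized clock."""
    first = show_ntp_status.strip().splitlines()[0]
    return first.startswith("Clock is synchronized")


if __name__ == "__main__":
    print("hardened:", audit_global(HARDENED_CONFIG) or "OK")
    print("default:", audit_global(DEFAULT_CONFIG))
    print("synced:", ntp_synchronized(NTP_SYNCED), "unsynced:", ntp_synchronized(NTP_UNSYNCED))
```

The HTTP check reports only that no ip http server is absent, not that HTTP is enabled, because whether the running-config shows an explicit ip http server line depends on the platform default; for NTP, remember the lecture's point that the synchronized line can take several minutes to appear after ntp server is entered.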

11. Global Security Best Practices Lab Demo

In this lecture you'll see how to do some of the best-practice global configuration with a lab demo. Very simple lab: we've got a couple of PCs on the left in the 10.0.0.0/24 subnet. Router R1 has IP address 10.0.0.1, and on the other side of the router there's an NTP server at 10.0.1.10. So the first thing to do is jump onto router R1 and configure a login banner. I'll go to the enable prompt, then to global configuration, and the command is banner login followed by a delimiter, one of the characters from the top row of the keyboard; here I'll use the double quote, and then hit Enter. When you hit Enter it tells you to enter the text message you want to use and end with the same character again. So let's use a banner of Authorized users only.

When I'm done I type the double quote again and hit Enter, and that takes the command. Let's check that this is working. I'll go onto PC1 and telnet to 10.0.0.1, and when I do that you can see the banner message Authorized users only. I'd then be able to enter my password to log in. Okay, so that's configuring a login banner. The other thing I want to show you here is configuring NTP. So back on R1, to check what the current time is set to, at the enable prompt we can do show clock and that tells us the current date and time.

I can see that right now, and this is the kind of thing you sometimes run into in the real world, it's on UTC and it thinks it's the first of March 1993. So I want this configured with the correct time. I could manually set the clock on the router, but the problem is that it doesn't have a great clock and it's going to get out of time, just like a wristwatch: unless it's a really good one, in a year's time it's not going to have really accurate time. So I want it synchronized with an external NTP server that I know does have a really good clock. In the lab, let's have a look and see where our NTP server is. It's at 10.0.1.10.

So back on R1, the first thing I want to do is set the correct time zone. Let's say this router is in Sydney, Australia. I'll go to global configuration and say clock timezone AEST 10: AEST is Australian Eastern Standard Time, and Australia is ahead of UTC by 10 hours, so I say 10. If you're in the US and behind UTC, it would be minus eight, for example; Australia is plus ten, but you don't type plus ten, you just say 10 to mean 10 hours after UTC. Then I need to specify where the NTP server is. The command for that is ntp server; again, ntp server makes the router an NTP client, not an NTP server. And the IP address of the server is 10.0.1.10.

In the real world you would leave it five minutes or so and then come back and check that the clock is synchronized. Because I'm in a lab environment here, it should take effect pretty much immediately. So I can do show clock now, and I can see that it has been updated to the correct time, which is just coming up to 11:00 p.m. in Sydney. I've got the correct time zone, the correct date and the correct year, so that looks good. Another command to verify is show ntp status, and there I can see that the clock is synchronized. So this all looks good. Okay, so those were a few of the best-practice commands you want to configure in global configuration. That wraps up this security section; I'll see you in the next one.
