Securing the Corporate Network

Chapter Description

This sample chapter from Cisco Secure Internet Security Solutions explains how dial-in users can be authenticated using the local database. As an example, the chapter includes a basic AAA configuration. Next, the chapter takes an in-depth look at the AAA authentication process using a TACACS+ server. Finally, the chapter explores how IPSec can be used to secure VPNs coming into the network through the Internet.

AAA Authorization Setup

Whereas authentication is concerned with ensuring that the device or end user is who it claims to be, authorization is concerned with allowing and disallowing authenticated users access to certain areas and programs on the network.

The command for enabling authorization follows:

aaa authorization service-type {default | list-name}
  method1 [method2] [method3] [method4]

With this command, service-type must be one of the service types listed in Table 10-4.

Table 10-4 AAA Authorization Service Types

Service Type       Description
commands {level}   Checks authorization for any EXEC command at the optionally specified level
exec               Checks authorization to run an EXEC shell
network            Checks authorization for network activities
reverse-access     Checks authorization for reverse Telnet

The next parameter is either the keyword default or a list name. The list name can be virtually any word except the word default, and it names the list of authorization methods that follows it. The parameters method1, method2, method3, and method4 specify the order in which the authorization methods are tried. At least one method must be given, and at most four methods can be specified. The possible values for the method are shown in Table 10-5.

Table 10-5 AAA Authorization Methods

Method             Description
if-authenticated   If the user is already authenticated, the user is allowed to access the service.
krb5-instance      This uses the instance defined with the kerberos instance map command.
local              The local database is consulted.
radius             The RADIUS server's database is consulted to see if the user has the appropriate rights.
tacacs+            The TACACS+ server's database is consulted to see if the user has the appropriate rights.

NOTE

When AAA authorization is not enabled, all users are allowed full access. Once authorization is enabled, the default changes to allow no access.

This means that the administrator must create a user with full access rights configured before authorization is enabled. Failure to do so will immediately lock the administrators out of their own system the moment the aaa authorization command is entered.

The only way to recover from this is to reboot the router. If this is a production router, rebooting might be unacceptable. Be sure that at least one user always has full rights.

Configuring AAA authorization is very similar to AAA authentication. Look at the following configuration. This configuration checks authorization against the TACACS+ server for users of the S2 interface when they access network services such as PPP. Because aaa authorization is a global command, the methods are placed in a named list that is then applied to the interface with the ppp authorization command:

aaa new-model
!Enable the AAA access control model

tacacs-server host 172.30.1.50
!The TACACS+ server is at 172.30.1.50

tacacs-server key mysecretkey
!Shared secret used to encrypt traffic between the router and the TACACS+ server

aaa authorization network s2-ppp tacacs+
!Define the authorization list s2-ppp (any name except default) for network services, using the TACACS+ server

interface s2
 ppp authorization s2-ppp
!Apply the list to PPP users dialing in on this interface
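The following configuration is an added example, not taken from the chapter, that puts the NOTE above into practice: it creates a fully privileged local user before any aaa authorization command is entered, and it gives every authorization list a fallback method so that an unreachable TACACS+ server does not leave the router unmanageable. The server address, shared secret, username, password and list name (ppp-users) are placeholders, and the command syntax follows the form shown in this chapter.

```cisco
! Added example: lockout-safe order of operations for AAA authorization.
! Placeholders: 172.30.1.50, mysecretkey, admin, <strong-password>, ppp-users.
aaa new-model
!
! 1. Create a local administrator with full (level 15) rights BEFORE any
!    aaa authorization command, so the default of "no access" cannot lock
!    the administrator out of the router.
username admin privilege 15 secret <strong-password>
!
! 2. Point the router at the TACACS+ server and set the shared secret
!    that encrypts the TACACS+ session.
tacacs-server host 172.30.1.50
tacacs-server key mysecretkey
!
! 3. Authentication must succeed before authorization is consulted.
!    The local database is the fallback if the server cannot be reached.
aaa authentication login default tacacs+ local
aaa authentication ppp ppp-users tacacs+ local
!
! 4. Authorization lists. Methods are tried in the order written: the
!    TACACS+ server first, then a fallback used only when the server does
!    not answer. "local" honours the privilege level of the username command;
!    "if-authenticated" permits commands for any already-authenticated user.
aaa authorization exec default tacacs+ local
aaa authorization commands 15 default tacacs+ if-authenticated
aaa authorization network ppp-users tacacs+ local
!
! 5. Apply the named PPP lists to the dial-in interface.
interface s2
 encapsulation ppp
 ppp authentication chap ppp-users
 ppp authorization ppp-users
```

The order of the steps is the point: the username line must exist before the aaa authorization lines are entered, and each list ends in a method that can succeed without the server, so a failed TACACS+ link degrades to local control rather than to the reboot described in the NOTE.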