Showing posts with label security. Show all posts

Thursday, December 2, 2010

Ransomware

I just read a report from Fortinet where a virus rewrites the MBR and asks for ransom; scary stuff out there:

Fortinet Security Blog::All your drives are belong to us

Thursday, November 18, 2010

Watchguard PPTP VPN user validation via RADIUS using Cisco ACS 4.2

Wow, that title is a mouthful.

A customer has a Watchguard Firebox firewall and a Cisco ACS. All the users for Cisco-related activities are on the ACS, and the customer wants to migrate all the PPTP VPN users from the firewall to the Cisco ACS.

Both the ACS and Firebox support RADIUS, so it sounds quite easy.

I did the initial configuration: creating the AAA client in the ACS, changing the VPN configuration on the Watchguard so it asks the ACS for the users, and creating a test user and a test group with the following RADIUS parameters:

[011] Filter-Id PPTP-Users

[311\007] MS-MPPE-Encryption-Policy "Encryption Required"
[311\008] MS-MPPE-Encryption-Types "128-bit"
[311\012] MS-CHAP-MPPE-Keys 
[311\016] MS-MPPE-Send-Key 
[311\017] MS-MPPE-Recv-Key

Testing with a Windows 7 Enterprise client, I got the error:

Error 734: The PPP link control protocol was terminated. 

The logs on the firewall showed:


level=''3'' msg=''pri=''3'' msg_id=''1401-3003'' msg=''pptp MSCHAPv2 authentication ok for peer wg''''
level=''7'' msg=''sent [CHAP Success id=0x32 ''S=5F85A740C65AD93F308ED6681B455486FC2EF4F5 M=Access granted'']'' new_msg='' level=''7'' msg=''sent [CHAP Success id=0x32 ''S=5F85A740C65AD93F308ED6681B455486FC2EF4F5 M=Access granted'']'''' Debug
pppd[1255] MPPE required, but keys are not available. Possible plugin problem?
pppd MPPE required but not available'''


Basically the issue seemed to be MPPE related: the configuration requires encryption, so no MPPE keys means no VPN.

In the ACS the authentication showed as successful and little else. I checked and double-checked the RADIUS attributes. After some time with Watchguard support, they suggested getting a packet capture of the ACS RADIUS response:



Using Wireshark, it was clear that the ACS was not sending any MPPE related attributes and in fact the only Microsoft attribute was the one indicating that the authentication was OK. 

I replicated the VPN configuration using a Cisco router and it worked without issues. After that, I was checking everything again and noticed that the Cisco router was defined in the ACS AAA client section as "RADIUS (Cisco IOS/PIX 6.0)" while the Watchguard firewall was defined as "RADIUS (IETF)".

I changed the firewall to "RADIUS (Cisco IOS/PIX 6.0)" and ta-da, everything worked.


All the Microsoft attributes were there and all was well in the land. Of course after reading the ACS help, it seems obvious:

"RADIUS (IETF). These are the standard IETF RADIUS attributes. Select this option if you are using devices supporting RADIUS but do not need to make use of the vendor-specific attributes (VSA) of the manufacturer.

RADIUS (Cisco IOS/PIX 6.0) Select the RADIUS (Cisco IOS) option when using a Cisco Systems IOS device as a AAA client. This option enables you to make use of the Cisco IOS and PIX 6.0 RADIUS VSAs."

Monday, November 8, 2010

Cisco IOS Site-to-Site IPSec VPN using Certificates

After a couple of weeks trying to get a Site-to-Site IPSec tunnel to work using a Watchguard firewall, I decided to simply do it with a Cisco Router.

These are the steps involved in the configuration, hopefully this will help someone else or myself in the future.

In my particular case, the remote end uses certificates for the VPN and has a Certification Authority, so first we have to generate a certificate request and ask them to sign it. The CSR can be generated on the IOS device, but for backup purposes I always tend to use openssl; that way, if the router/firewall dies, we have a backup of the key and certificate:

openssl req -new -nodes -keyout example.key -out example.csr

Generating a 1024 bit RSA private key
.............++++++
............++++++
writing new private key to 'example.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now that the CSR is done, the CA has to sign it.

After the CA does the signing, we need to import the certificates into the IOS device. There are many ways of doing this, but I prefer the PKCS#12 method since it's self-contained and simpler.

To use PKCS#12, we need to create the p12 file. I do this with openssl:

openssl pkcs12 -export -in example.cer -inkey example.key -certfile ca.cer -name "name" -out example.p12
Enter Export Password:
Verifying - Enter Export Password:

Now that we have the certificate signed and in PKCS#12 format, we have to import it into the IOS device. For that we have to create a PKI trustpoint:

R1(config)#crypto pki trustpoint EXAMPLE-VPN
R1(ca-trustpoint)#revocation-check none

With the trustpoint created, we can import the certificate. There are several methods; I use TFTP:

R1(config)#crypto ca import EXAMPLE-VPN pkcs12 tftp: PASSWORD
% Importing pkcs12…
Address or name of remote host []? 1.1.1.1
Source filename [trustpoint]? example.p12
Reading file from tftp://1.1.1.1/example.p12
Loading example.p12 from 1.1.1.1 (via FastEthernet0/0): !
[OK - 1245 bytes]

CRYPTO_PKI: Imported PKCS12 file successful

We can verify that everything was imported correctly with the commands:

show crypto pki trustpoints
show crypto pki certificates

Now that the certificates are out of the way, we can focus on the VPN configuration itself.

The tunnel parameters for this example are:

IKE Phase 1
  • Encryption 3DES
  • Hash SHA
  • DH-Group 2

IKE Phase 2
  • ESP-3DES-MD5
  • Local Network: 192.168.2.1/32
  • Remote Network: 192.168.1.0/24

IKE Phase 1:

crypto isakmp policy 1
encr 3des
authentication rsa-sig
hash sha
group 2

This can be verified using show crypto isakmp policy.

Transform-Set(s):

crypto ipsec transform-set TRANSFORM-SET-NAME esp-3des esp-md5-hmac

This can be verified using show crypto ipsec transform-set.

Interesting traffic and NATing the source:

Let's assume that my network is 192.168.0.0/24, the remote network is 192.168.1.0/24, and that the remote side has told me that all of my traffic has to come from 192.168.2.1.

ip access-list extended NAT-IP-VPN
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

ip nat pool VPN-NAT 192.168.2.1 192.168.2.1 prefix-length 30

ip nat inside source list NAT-IP-VPN pool VPN-NAT overload

ip access-list extended TRAFFIC-VPN
permit ip host 192.168.2.1 192.168.1.0 0.0.0.255

Be careful with the NAT: if you have more than one statement, the order matters. This can be verified using show ip nat translations and show access-lists.
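To see why the crypto ACL matches 192.168.2.1 rather than the LAN addresses, here is an added example (not from this post) that models the inside-to-outside order of operations on IOS, NAT first and then the crypto map ACL, using the two access lists above and a small parser for "permit/deny ip" entries. The sample addresses and the VPN_NAT_POOL name are constructed.

```python
import ipaddress

def wildcard_to_prefix(wildcard):
    """IOS wildcard mask to prefix length (contiguous masks only: 0.0.0.255 -> /24)."""
    return 32 - int(ipaddress.IPv4Address(wildcard)).bit_length()

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; a side is 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tokens = line.split()
    action, nets, i = tokens[0], [], 2   # tokens[1] is the protocol, 'ip' in these lists
    while len(nets) < 2:
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        else:
            prefix = wildcard_to_prefix(tokens[i + 1])
            nets.append(ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False))
            i += 2
    return action, nets[0], nets[1]

def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end, as IOS does."""
    for line in acl:
        action, s, d = parse_ace(line)
        if src in s and dst in d:
            return action == "permit"
    return False

# The lists from the post above; 192.168.0.0/24 is the LAN, 192.168.1.0/24 the remote side.
NAT_IP_VPN = ["permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"]
TRAFFIC_VPN = ["permit ip host 192.168.2.1 192.168.1.0 0.0.0.255"]
VPN_NAT_POOL = "192.168.2.1"   # single-address pool used with 'overload' (PAT)

def outbound(src, dst):
    """Inside-to-outside on the WAN interface: NAT runs first, so the crypto map ACL
    sees the translated source. Returns (source address on the wire, encrypted?)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if acl_permits(NAT_IP_VPN, src, dst):
        src = ipaddress.ip_address(VPN_NAT_POOL)
    return str(src), acl_permits(TRAFFIC_VPN, src, dst)

if __name__ == "__main__":
    print(outbound("192.168.0.10", "192.168.1.5"))   # LAN host to remote: NATed and encrypted
    print(outbound("192.168.0.10", "203.0.113.7"))   # LAN host to the internet: neither
```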

Crypto Map:

This is where we put it all together for IKE Phase 2:

crypto map VPN-Map-1 10 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 86400
set transform-set TRANSFORM-SET-NAME
match address TRAFFIC-VPN

Apply the crypto map/nat on the interfaces:

interface FastEthernet0/0
description LAN
ip nat inside

interface ATM0.1 point-to-point
description WAN
ip nat outside
crypto map VPN-Map-1

Verification:

Now all we have to do is generate interesting traffic and test what happens. Some useful commands are show crypto isakmp sa and show crypto ipsec sa.

Useful Links:

Wednesday, November 3, 2010

Basic Cisco ASA 8.2 Template

A basic Cisco ASA 8.2 template. This is meant to be used as a starting point for a production configuration and obviously it has to be customized to meet your particular security requirements.

This template uses:

* 3 interfaces (outside 192.168.100.0/24, inside 10.0.0.0/24 and dmz 172.16.0.0/24)
* Management interface (192.168.0.0/24)
* Banner for motd and ASDM.
* CET/CEST timezone.
* Firewall/NAT rules that allow IP/ICMP traffic from inside to outside with NAT, inside to dmz without NAT, and dmz to outside with NAT.
* Static NATs for both dmz and inside hosts (tcp 80 and tcp 8080).
* AAA configuration with local validation in case the AAA servers are unreachable or down (notacacsuser).
* SNMP access
* SSH/ASDM access everywhere except the dmz
* NTP

Configuration:

ASA Version 8.2(3) 
!
hostname ASA-TEMPLATE
domain-name foo.bar
names
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.100.2 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0 
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.0.22 255.255.255.0 
 management-only
!
banner motd -----------------------------------------------
banner motd WARNING: You have accessed a restricted system.
banner motd -----------------------------------------------
banner asdm -----------------------------------------------
banner asdm WARNING: You have accessed a restricted system.
banner asdm -----------------------------------------------
ftp mode passive
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name foo.bar
object-group service Web8080 tcp
 port-object eq 8080
access-list inside_access_in extended permit icmp 10.0.0.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 10.0.0.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit tcp any interface outside eq www 
access-list outside_access_in extended permit tcp any interface outside object-group Web8080 
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 echo-reply 
access-list dmz_access_in extended deny ip 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list dmz_access_in extended permit ip 172.16.0.0 255.255.255.0 any 
access-list dmz_access_in extended deny icmp 172.16.0.0 255.255.255.0 10.0.0.0 255.255.255.0 
access-list dmz_access_in extended permit icmp 172.16.0.0 255.255.255.0 any 
pager lines 24
logging enable
logging timestamp
logging buffer-size 96000
logging buffered debugging
logging asdm informational
logging host outside 192.168.102.245
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.0.0.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
static (inside,outside) tcp interface www 10.0.0.45 www netmask 255.255.255.255 
static (dmz,outside) tcp interface 8080 172.16.0.10 www netmask 255.255.255.255 
static (dmz,outside) 192.168.100.3 172.16.0.2 netmask 255.255.255.255 
static (inside,dmz) 10.0.0.0 10.0.0.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 192.168.100.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server tacacs protocol tacacs+
aaa-server tacacs (management) host 192.168.0.5
 key tacacssecret
aaa authentication ssh console tacacs LOCAL
aaa authentication telnet console tacacs LOCAL
aaa authentication serial console tacacs LOCAL
aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
aaa authorization command tacacs LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
snmp-server host inside 1.1.1.1 poll community test version 2c
snmp-server location LOCATION
snmp-server contact super-firewall-admin@foo.bar
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt noproxyarp outside
sysopt noproxyarp inside
sysopt noproxyarp dmz
sysopt noproxyarp management
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
console timeout 5
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 1.1.1.1
webvpn
username notacacsuser password notacacsuser privilege 15

Monday, October 18, 2010

CiscoSecure ACS for Windows Router PPTP Authentication

If you need to migrate your PPTP users from an IOS device/PIX to a Cisco ACS, this is a good starting point:

Configuring CiscoSecure ACS for Windows Router PPTP Authentication

I was having an odd issue with this configuration: everything seemed fine, but on my Windows 7 test client I got Error 742: "The remote server does not support encryption" every time I tried to connect. The ACS 4.2 showed the authentication as successful and nothing else, and the debug on the router showed pretty much the same thing, with the exception of:

"Vi1 MPPE: RADIUS keying material missing"

After 2 weeks with TAC, we came to the conclusion that the issue was caused by the fact that, starting with Vista, MS-CHAP v1 is deprecated, so in order for MS-CHAP v2 to work we needed to enable the extra MPPE attributes:

[311\016] MS-MPPE-Send-Key
[311\017] MS-MPPE-Recv-Key

In the new Cisco ACS 5.x family, enabling these particular attributes does not seem to be necessary, since "These are added to the profile as required".
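The symptom in this post and in the Watchguard post above (Error 742/734, authentication OK but "keying material missing") can be checked directly in the RADIUS Access-Accept, which is what the Wireshark capture showed. This added example, not from either post, builds two constructed Access-Accept packets, one carrying only MS-CHAP2-Success and one carrying the full Microsoft attribute set, and reports which of MS-MPPE-Send-Key/Recv-Key are absent; the attribute values, identifier and zeroed authenticator are constructed placeholders.

```python
import struct

MICROSOFT = 311   # Vendor-Id behind the [311\nnn] attribute names in the ACS group setup
MS_NAMES = {7: "MS-MPPE-Encryption-Policy", 8: "MS-MPPE-Encryption-Types",
            12: "MS-CHAP-MPPE-Keys", 16: "MS-MPPE-Send-Key", 17: "MS-MPPE-Recv-Key",
            26: "MS-CHAP2-Success"}
REQUIRED_FOR_MPPE = {16, 17}   # without Send-Key/Recv-Key, pppd has no MPPE keys

def attr(attr_type, value):
    """Encode a standard RADIUS attribute: Type(1) Length(1) Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value

def ms_vsa(vendor_type, value):
    """Encode a Microsoft vendor-specific attribute inside RADIUS type 26."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return attr(26, struct.pack("!I", MICROSOFT) + inner)

def access_accept(attributes):
    """Constructed Access-Accept (code 2, id 0x32); the 16-byte authenticator is zeroed."""
    body = b"".join(attributes)
    return struct.pack("!BBH", 2, 0x32, 20 + len(body)) + bytes(16) + body

def microsoft_attributes(packet):
    """Walk the attribute list and return the Microsoft vendor types present."""
    found, pos = set(), 20
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2:
            break   # malformed attribute; stop rather than loop forever
        value = packet[pos + 2:pos + length]
        if t == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == MICROSOFT:
            vpos = 4
            while vpos + 2 <= len(value) and value[vpos + 1] >= 2:
                found.add(value[vpos])
                vpos += value[vpos + 1]
        pos += length
    return found

def missing_mppe_keys(packet):
    """Names of the MPPE key attributes the Access-Accept does not carry."""
    return sorted(MS_NAMES[t] for t in REQUIRED_FOR_MPPE - microsoft_attributes(packet))

# Constructed replies: MS-CHAP2-Success only (the "RADIUS (IETF)" symptom) versus the full set.
SUCCESS = ms_vsa(26, b"\x32S=0000M=Access granted")
IETF_REPLY = access_accept([attr(11, b"PPTP-Users"), SUCCESS])
CISCO_REPLY = access_accept([attr(11, b"PPTP-Users"), SUCCESS,
                             ms_vsa(7, bytes([0, 0, 0, 1])), ms_vsa(8, bytes([0, 0, 0, 4])),
                             ms_vsa(16, bytes([0x80, 1]) + bytes(32)),
                             ms_vsa(17, bytes([0x80, 2]) + bytes(32))])
```

missing_mppe_keys(IETF_REPLY) names both key attributes, while missing_mppe_keys(CISCO_REPLY) returns an empty list; the same walk can be run over a real Access-Accept payload taken from a capture.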

Thursday, October 7, 2010

Cisco ACS 4.2:: Quick and easy way to admin devices via TACACS+

A quick template for Cisco ACS 4.2 TACACS+ administration for IOS devices.

On the IOS device (taken from a switch):

enable secret <SECRET>
no enable password
no username <ANY CURRENT USERS>
username panicuser secret 0 <PANIC USER PASSWORD>

ip tacacs source-interface <MANAGEMENT INT>

tacacs-server directed-request
tacacs-server key <SECRET>
tacacs-server host <ACS IP>

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login no-tacacs none
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default if-authenticated
aaa authorization commands 1 default if-authenticated
aaa authorization commands 15 default group tacacs+ local
aaa authorization console

Log out of the IOS device and log back in with an ACS username, then add the accounting configuration:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common


Cisco ACS:

Interface Configuration->TACACS+ (Cisco IOS)->Advanced TACACS+ Features and Display enable default (Undefined) service configuration

Network Configuration-> AAA Clients Add Entry-> IOS Device IP Address/Secret/TACACS+ (Cisco IOS)

Group Setup-> The group you want to use->Rename Group-> Meaningful name (Eg: Networking Admins)

Group Setup-> Networking Admins->Edit Settings:

->Enable Options->Level 15
->TACACS+ Settings->Shell (exec)
->TACACS+ Settings->Privilege level->15
->TACACS+ Settings->Shell Command Authorization Set->Per Group Command Authorization->Permit
->Submit + Restart

User Setup->Name of the user to create->Add/Edit

->User Setup->Password
->User Setup->Group to which the user is assigned:->Networking Admins
->Advanced TACACS+ Settings-> TACACS+ Enable Control:->Use Group Level Setting
->Advanced TACACS+ Settings-> TACACS+ Enable Password->Use CiscoSecure PAP password
->Submit

That's it. Now everything AAA related goes to the TACACS+ server, and if the IOS device can't reach it, you have the panicuser that gives you local access to the device.