Examples of Cisco APE Scenarios

Transcription

1 CHAPTER 5 This chapter describes three example scenarios with which to use Cisco APE: Access to Asynchronous Lines, page 5-1 Cisco IOS Shell, page 5-3 Command Authorization, page 5-5 Note For intructions on how to configure Cisco IOS commands, refer to the Cisco IOS Security Configuration Guide, Release 12.2 at the following URL: Access to Asynchronous Lines To configure access to asynchronous lines, follow these example tasks: Task 2: Configuring Cisco APE through the Management UI You must configure Cisco IOS to request authentication and authorization using TACACS+ for reverse access to serial lines: Set up AAA configuration: aaa new-model aaa authentication login vtymethod group tacacs+ aaa authorization reverse-access vtymethod group tacacs+ Configure the TACACS server with the IP address of Cisco APE ( ) and secret shared with Cisco APE: tacacs-server host tacacs-server key SECRET Specify the IP alias to the async line: ip alias

2 Access to Asynchronous Lines Chapter 5 Step 4 Set up the async line with authentication and authorization: line no exec exec-timeout 0 0 authorization reverse-access vtymethod transport input telnet Task 2: Configuring Cisco APE Through the Management UI Step 4 From the management UI, add an authorization device. For instructions on how to add an authorization device, see Adding an Authorization Device section on page Example: Name the authorization device IOSBOX, the shared secret SECRET and the IP address On the Users page in the management interface, add a user, and enter a location for the user. For instructions on how to add a user, see Adding a User section on page 4-4. Example: Add the user Joe to the root location (/). Add a resource for the asynchronous line. Enter a name for the resource, the authorization device that controls it (Cisco IOS device) and an authorization ID (which for async lines is ttyxx). Resources also have a location and a type. You must give the resource a network port and IP address, which is what is used to telnet to the device. For instructions on how to add a resource, see Adding a Resource section on page 4-7. Example: Name the resource Switch1, the authorization device IOSBOX, the authorization ID tty33, the location root location (/), and the resource type root resource type (/). The IP address assigned to this resource is and the port is 23 (Telnet). By using the management UI, create a role that provides access to the async line. Enter a name and permission for the role. Example: Name the role Test1 and the permission Resource Access. Add a user Joe and the resource Switch1 to the role. Operation Here is a typical sequence of what happens after you have completed the configuration tasks during normal operation: 1. The operator starts the web browser and connects to the operator URL in Cisco APE, which prompts for a username and password. 2. The operator enters the username (Joe), and a password, and submits the form. 3. Cisco APE evaluates the username and password, and the operator sees a web page that shows only the resources that are accessible. In this case, the hypertext link Switch1 is linked to Telnet:// :23/. 4. The operator then selects this link, which launches the default telnet client on the system with a connection to on port The authorization device (IOSBOX) accepts the connection; the device initiates authentication requests with Cisco APE by using TACACS+ authentication start message. 5-2

3 Chapter 5 Cisco IOS Shell 6. Cisco APE sends a username prompt to the authorization device (IOSBOX). 7. The authorization device displays the username prompt to the user in the telnet session. 8. The user enters the username. 9. The authorization device sends the username to Cisco APE by using TACACS Cisco APE sends a password prompt to the authorization device, which displays the prompt to the user in the Telnet session. 11. The user enters a password. 12. The authorization device sends the password to Cisco APE. Cisco APE validates the authentication and returns a success message. 13. The authorization device sends a TACACS+ authorization request for reverse telnet access to the tty line to Cisco APE. 14. Cisco APE checks the user's roles to see if the user has the resource access permission on this resource and returns with a success message. 15. The authorization device allows access to the line. The user can now access the device connected to the line. Cisco IOS Shell To configure Cisco IOS Shell, follow these example tasks: Task 2: Configuring Cisco APE through the Management UI You must configure Cisco IOS to request authentication and authorization by using TACACS+ for exec access to the router shell: Set up AAA configuration: aaa new-model aaa authentication login vtymethod group tacacs+ aaa authorization exec vtymethod group tacacs+ Configure the TACACS server with the IP address of Cisco APE and shared secret with Cisco APE: tacacs-server host tacacs-server key SECRET Set up shell vty with authentication and authorization: line vty 0 4 authorization exec vtymethod login authentication vtymethod 5-3

4 Cisco IOS Shell Chapter 5 Task 2: Configuring Cisco APE Step 4 To add an authorization device, from the Add Authorization Devices page on the Cisco APE Management interface, enter a name, an IP address, and the shared secret. For instructions on how to add an authorization device, see Adding an Authorization Device section on page Example: Name the authorization device IOSBOX, the secret is SECRET, and the IP address is To add a user, on the Add Users page on the management UI, enter a username, password, and a location. For instructions on how to add a user, see Adding a User section on page 4-4. Example: Add the user Joe to the root location (/). To add a resource for the Cisco IOS shell, from the Add Resources page on the Management UI, enter a name, the authorization device that controls it (Cisco IOS device) and an authorization ID (which for shell access is shell). Select a location and a type of resource. Enter the network port and IP address, which will be used to telnet to the device. For instructions on how to add a resource, see Adding a Resource section on page 4-7. Example: Name the resource IOSShell1, the authorization device IOSBOX, the authorization ID shell, the location root location (/), and the resource type root resource type (/). The IP address assigned to this resource is left as default, which will be and the port is 23 (Telnet). From the Add Roles page on the Management UI, create a role that provides access to the asynchronous line. Enter a name and permissions for the role. Example: Name the role Test1 and the permission Resource Access. Add the user Joe, and the resource IOSShell1 to the role. Operation Here is a typical sequence of what happens during normal operation after you have completed the configuration: 1. The operator starts the web browser and connects to the Operators UI in Cisco APE, which prompts for a username and password. 2. The operator enters the username (Joe) and password, and submits the form. 3. Cisco APE evaluates the username and password, and the user sees a web page that only shows the resources that are accessible. In this case, the hypertext link IOSShell1 is linked to Telnet:// /. 4. The operator then selects this link, which starts the default Telnet client on the system with a connection to on port The authorization device (IOSBOX) accepts the connection; then the device initiates authentication requests with Cisco APE using TACACS+ authentication start message. 6. Cisco APE sends a username prompt to the authorization device (IOSBOX), which displays the username prompt to the user in the Telnet session. 7. The user enters the username. 8. The authorization device sends the username to Cisco APE using TACACS+. 9. Cisco APE sends a password prompt to the authorization device. 10. The authorization device displays the prompt to the user in the Telnet session. 11. The user enters a password. 5-4

5 Chapter 5 Command Authorization 12. The authorization device sends the password to Cisco APE. 13. Cisco APE validates the authentication and returns success. 14. The authorization device sends a TACACS+ authorization request for shell access to the Cisco IOS shell (authorization device) to Cisco APE. 15. Cisco APE checks the user's roles to see if the user has the resource access permission on this resource and returns a success message. 16. The authorization device allows access to the shell. The user can now access the Cisco IOS shell. Command Authorization To configure command authorization, follow these example tasks: Task 2: Configuring Cisco APE through the Management UI You must configure Cisco IOS to request authentication and authorization using TACACS+ for authorization of commands at a particular privilege level (the default for all commands is a level 1 or 15): Set up AAA configuration: aaa new-model aaa authentication login vtymethod group tacacs+ aaa authorization exec vtymethod group tacacs+ aaa authorization commands 1 vtymethod group tacacs+ aaa authorization commands 15 vtymethod group tacacs+ Configure the TACACS server with the IP address of Cisco APE and secret shared with Cisco APE: tacacs-server host tacacs-server key SECRET Set up shell vty with authentication and authorization: line vty 0 4 authorization exec vtymethod authorization commands 15 vtymethod authorization commands 1 vtymethod login authentication vtymethod Task 2: Configuring Cisco APE Through the Management Interface On the Cisco APE Management Interface, add an authorization device. Enter a name, IP address, and shared secret. For instructions on how to add an authorization device, see Adding an Authorization Device section 5-5

6 Command Authorization Chapter 5 Step 4 Step 5 on page Example: Name the authorization device IOSBOX, the shared secret SECRET, and the IP address From the Add Users page on the Cisco APE Management Interface, add a user by entering a username and a password. Enter a location for the user. For instructions on how to add a user, see Adding a User section on page 4-4. Example: Add the user Joe to the root location (/). From the Add Resources page, add a resource for the Cisco IOS shell. Enter a name, the authorization device that controls it (Cisco IOS device), and an authorization ID. Enter a location, a type, a network port and IP address, which is used to telnet to the device. For instructions on how to add a resource, see Adding a Resource section on page 4-7. Example: Name the resource IOSShell1, the authorization device IOSBOX, the authorization ID shell, the location root location (/), and the resource type root resource type (/). Assign the default IP address to this resource, which is and the port is 23 (Telnet). From the Add Roles page, create a role that provides access to the async line. Enter a name and permissions. For instructions on how to add a role, see Adding a Role section on page 4-14 Example: Name the role Test1, and the permission Resource Access. The user Joe and the resource IOSShell1 are added to the role. From the Add CLI Permissions page, add the permission to execute Cisco IOS CLI Permissions to the role. For instructions on how to add a CLI permission, see Adding a Command Line Interface Permission section on page 4-16 In this example, allow the operators in this role to have access to the pad command except the command "pad 1234". To do this, add the following CLI permissions: pad 1234 exclude pad.* include The first permission excludes the command from the list of commands allowed by this role. The second permission allows all forms of the pad command to be run. The exclusions take precedence so in this case all forms of the pad command except pad 1234 are allowed. All other commands are denied. Note Note that the exclusion only applies to this role. The user may have access to another role that provides access to the pad 1234 command, which would allow access to the user. Operation Here is a typical sequence of what happens during normal operation, after you have completed the configuration: 1. The operator starts the web browser, and connects to the Operators Interface in Cisco APE, and enters his username (Joe) and password, and submits the form. 2. Cisco APE evaluates the username and password, and then opens a web page that shows only the resources that are accessible. In this case, the hypertext link IOSShell1 is linked to Telnet:// /. 3. The operator then selects this link, which launches the default Telnet client on the system with a connection to on port

7 Chapter 5 Command Authorization 4. The authorization device (IOSBOX) accepts the connection and then initiates authentication requests with Cisco APE by using TACACS+ authentication start message. 5. Cisco APE sends a username prompt to the authorization device (IOSBOX), which displays the username prompt to the user in the Telnet session. 6. The user enters a username. 7. The authorization device sends the username to Cisco APE using TACACS+. 8. Cisco APE sends a password prompt to the authorization device. 9. The authorization device displays the prompt to the user in the Telnet session. 10. The user enters a password. 11. The authorization device sends the password to Cisco APE. 12. Cisco APE validates the authentication and returns a success message. 13. The authorization device sends a TACACS+ authorization request for shell access to the Cisco IOS shell (authorization device) to Cisco APE. 14. Cisco APE checks the user's roles to see if he has the resource access permission on this resource and returns Success. 15. The authorization device allows access to the shell. 16. The user can now access the Cisco IOS shell. 17. The user enters the command pad The Authorization device (Cisco IOS) checks the privilege level of the command. Since it is a level 1 command, the authorization device requests authorization for this command from Cisco APE using TACACS+ authorization request. 19. Cisco APE checks to see if any of the user's roles allows this command. Since one role permits the user to do so, the user is allowed to issue this command. 5-7

8 Command Authorization Chapter 5 5-8