Examples of Cisco APE Scenarios


CHAPTER 5

This chapter describes three example scenarios with which to use Cisco APE:

Access to Asynchronous Lines
Cisco IOS Shell
Command Authorization

Note  For instructions on how to configure Cisco IOS commands, refer to the Cisco IOS Security Configuration Guide, Release 12.2, at the following URL: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/index.htm

Access to Asynchronous Lines

To configure access to asynchronous lines, follow these example tasks:

Task 1: Configuring Cisco IOS
Task 2: Configuring Cisco APE Through the Management UI

Task 1: Configuring Cisco IOS

You must configure Cisco IOS to request authentication and authorization using TACACS+ for reverse access to serial lines.

Step 1  Set up the AAA configuration:

    aaa new-model
    aaa authentication login vtymethod group tacacs+
    aaa authorization reverse-access vtymethod group tacacs+

Step 2  Configure the TACACS+ server entry with the IP address of Cisco APE (10.1.9.52) and the secret shared with Cisco APE:

    tacacs-server host 10.1.9.52
    tacacs-server key SECRET

Step 3  Specify the IP alias for the async line:

    ip alias 10.0.0.33 2033

A Telnet connection to 10.0.0.33 on port 23 is redirected to TCP port 2033 on the device, which is the reverse-Telnet port of line 33 (2000 plus the line number). The operator therefore reaches the serial line through a plain Telnet address without knowing the port number.

Step 4  Set up the async lines with authentication and authorization:

    line 33 48
     no exec
     exec-timeout 0 0
     authorization reverse-access vtymethod
     transport input telnet

The vtymethod login list is a named method list, and Cisco IOS consults a named list only on lines where it is applied. The vty configurations in the following two scenarios apply it with login authentication vtymethod; if these async lines are to authenticate through Cisco APE as the operation sequence below describes, apply it to them in the same way.

Task 2: Configuring Cisco APE Through the Management UI

Step 1  From the management UI, add an authorization device. For instructions on how to add an authorization device, see the Adding an Authorization Device section on page 4-12.
Example: Name the authorization device IOSBOX, with the shared secret SECRET and the IP address 10.0.0.4.

Step 2  On the Users page in the management interface, add a user and enter a location for the user. For instructions on how to add a user, see the Adding a User section on page 4-4.
Example: Add the user Joe to the root location (/).

Step 3  Add a resource for the asynchronous line. Enter a name for the resource, the authorization device that controls it (the Cisco IOS device) and an authorization ID, which for async lines is ttyxx. Resources also have a location and a type. You must give the resource a network port and IP address; these are what the operator's Telnet client connects to. For instructions on how to add a resource, see the Adding a Resource section on page 4-7.
Example: Name the resource Switch1, with the authorization device IOSBOX, the authorization ID tty33, the root location (/) and the root resource type (/). The IP address assigned to this resource is 10.0.0.33 and the port is 23 (Telnet).

Step 4  Using the management UI, create a role that provides access to the async line. Enter a name and a permission for the role.
Example: Name the role Test1 with the permission Resource Access. Add the user Joe and the resource Switch1 to the role.

Operation

Here is a typical sequence of what happens during normal operation after you have completed the configuration tasks:

1. The operator starts a web browser and connects to the operator URL in Cisco APE, which prompts for a username and password.
2. The operator enters the username (Joe) and a password, and submits the form.
3. Cisco APE validates the username and password, and the operator sees a web page that shows only the resources that are accessible. In this case, the hypertext link Switch1 is linked to Telnet://10.0.0.33:23/.
4. The operator selects this link, which launches the default Telnet client on the system with a connection to 10.0.0.33 on port 23.
5. The authorization device (IOSBOX) accepts the connection and initiates authentication with Cisco APE by sending a TACACS+ authentication START message.
6. Cisco APE sends a username prompt to the authorization device (IOSBOX).
7. The authorization device displays the username prompt to the user in the Telnet session.
8. The user enters the username.
9. The authorization device sends the username to Cisco APE using TACACS+.
10. Cisco APE sends a password prompt to the authorization device, which displays the prompt to the user in the Telnet session.
11. The user enters a password.
12. The authorization device sends the password to Cisco APE. Cisco APE validates the authentication and returns a success message.
13. The authorization device sends Cisco APE a TACACS+ authorization request for reverse Telnet access to the tty line.
14. Cisco APE checks the user's roles to see whether the user has the Resource Access permission on this resource, and returns a success message.
15. The authorization device allows access to the line. The user can now access the device connected to the line.

Cisco IOS Shell

To configure access to the Cisco IOS shell, follow these example tasks:

Task 1: Configuring Cisco IOS
Task 2: Configuring Cisco APE Through the Management UI

Task 1: Configuring Cisco IOS

You must configure Cisco IOS to request authentication and authorization using TACACS+ for EXEC access to the router shell.

Step 1  Set up the AAA configuration:

    aaa new-model
    aaa authentication login vtymethod group tacacs+
    aaa authorization exec vtymethod group tacacs+

Step 2  Configure the TACACS+ server entry with the IP address of Cisco APE and the secret shared with Cisco APE:

    tacacs-server host 10.1.9.52
    tacacs-server key SECRET

Step 3  Set up the shell vty lines with authentication and authorization:

    line vty 0 4
     authorization exec vtymethod
     login authentication vtymethod

Task 2: Configuring Cisco APE Through the Management UI

Step 1  On the Add Authorization Devices page of the Cisco APE management interface, enter a name, an IP address and the shared secret. For instructions on how to add an authorization device, see the Adding an Authorization Device section on page 4-12.
Example: Name the authorization device IOSBOX, with the secret SECRET and the IP address 10.0.0.4.

Step 2  On the Add Users page of the management UI, enter a username, a password and a location. For instructions on how to add a user, see the Adding a User section on page 4-4.
Example: Add the user Joe to the root location (/).

Step 3  On the Add Resources page of the management UI, add a resource for the Cisco IOS shell. Enter a name, the authorization device that controls it (the Cisco IOS device) and an authorization ID, which for shell access is shell. Select a location and a resource type. Enter the network port and IP address that will be used to Telnet to the device. For instructions on how to add a resource, see the Adding a Resource section on page 4-7.
Example: Name the resource IOSShell1, with the authorization device IOSBOX, the authorization ID shell, the root location (/) and the root resource type (/). The IP address assigned to this resource is left at the default, which is 10.0.0.4, and the port is 23 (Telnet).

Step 4  On the Add Roles page of the management UI, create a role that provides access to the Cisco IOS shell. Enter a name and permissions for the role.
Example: Name the role Test1 with the permission Resource Access. Add the user Joe and the resource IOSShell1 to the role.

Operation

Here is a typical sequence of what happens during normal operation after you have completed the configuration:

1. The operator starts a web browser and connects to the Operators UI in Cisco APE, which prompts for a username and password.
2. The operator enters the username (Joe) and password, and submits the form.
3. Cisco APE validates the username and password, and the user sees a web page that shows only the resources that are accessible. In this case, the hypertext link IOSShell1 is linked to Telnet://10.0.0.4/.
4. The operator selects this link, which starts the default Telnet client on the system with a connection to 10.0.0.4 on port 23.
5. The authorization device (IOSBOX) accepts the connection and initiates authentication with Cisco APE by sending a TACACS+ authentication START message.
6. Cisco APE sends a username prompt to the authorization device (IOSBOX), which displays the prompt to the user in the Telnet session.
7. The user enters the username.
8. The authorization device sends the username to Cisco APE using TACACS+.
9. Cisco APE sends a password prompt to the authorization device.
10. The authorization device displays the prompt to the user in the Telnet session.
11. The user enters a password.
12. The authorization device sends the password to Cisco APE.
13. Cisco APE validates the authentication and returns a success message.
14. The authorization device sends Cisco APE a TACACS+ authorization request for shell access to the Cisco IOS shell.
15. Cisco APE checks the user's roles to see whether the user has the Resource Access permission on this resource, and returns a success message.
16. The authorization device allows access to the shell. The user can now access the Cisco IOS shell.

Command Authorization

To configure command authorization, follow these example tasks:

Task 1: Configuring Cisco IOS
Task 2: Configuring Cisco APE Through the Management Interface

Task 1: Configuring Cisco IOS

You must configure Cisco IOS to request authentication and authorization using TACACS+, including authorization of commands at particular privilege levels (by default, every Cisco IOS command is at level 1 or level 15).

Step 1  Set up the AAA configuration:

    aaa new-model
    aaa authentication login vtymethod group tacacs+
    aaa authorization exec vtymethod group tacacs+
    aaa authorization commands 1 vtymethod group tacacs+
    aaa authorization commands 15 vtymethod group tacacs+

Step 2  Configure the TACACS+ server entry with the IP address of Cisco APE and the secret shared with Cisco APE:

    tacacs-server host 10.1.9.52
    tacacs-server key SECRET

Step 3  Set up the shell vty lines with authentication and authorization:

    line vty 0 4
     authorization exec vtymethod
     authorization commands 15 vtymethod
     authorization commands 1 vtymethod
     login authentication vtymethod

Task 2: Configuring Cisco APE Through the Management Interface

Step 1  On the Cisco APE management interface, add an authorization device. Enter a name, an IP address and the shared secret. For instructions on how to add an authorization device, see the Adding an Authorization Device section on page 4-12.
Example: Name the authorization device IOSBOX, with the shared secret SECRET and the IP address 10.0.0.4.

Step 2  On the Add Users page of the Cisco APE management interface, add a user by entering a username and a password, and enter a location for the user. For instructions on how to add a user, see the Adding a User section on page 4-4.
Example: Add the user Joe to the root location (/).

Step 3  On the Add Resources page, add a resource for the Cisco IOS shell. Enter a name, the authorization device that controls it (the Cisco IOS device) and an authorization ID. Enter a location, a type, and the network port and IP address used to Telnet to the device. For instructions on how to add a resource, see the Adding a Resource section on page 4-7.
Example: Name the resource IOSShell1, with the authorization device IOSBOX, the authorization ID shell, the root location (/) and the root resource type (/). Assign the default IP address to this resource, which is 10.0.0.4, and port 23 (Telnet).

Step 4  On the Add Roles page, create a role that provides access to the Cisco IOS shell. Enter a name and permissions. For instructions on how to add a role, see the Adding a Role section on page 4-14.
Example: Name the role Test1 with the permission Resource Access. Add the user Joe and the resource IOSShell1 to the role.

Step 5  On the Add CLI Permissions page, add to the role the permission to execute Cisco IOS CLI commands. For instructions on how to add a CLI permission, see the Adding a Command Line Interface Permission section on page 4-16.
In this example, the operators in this role are to have access to the pad command except for the command "pad 1234". To do this, add the following CLI permissions:

    pad 1234   exclude
    pad.*      include

The first permission excludes the command from the list of commands allowed by this role. The second permission allows all forms of the pad command to be run. Exclusions take precedence, so in this case every form of the pad command except pad 1234 is allowed. All other commands are denied.

Note  The exclusion applies only to this role. If the user also belongs to another role that grants access to the pad 1234 command, that role allows the user to run it.

Operation

Here is a typical sequence of what happens during normal operation after you have completed the configuration:

1. The operator starts a web browser, connects to the Operators Interface in Cisco APE, enters the username (Joe) and password, and submits the form.
2. Cisco APE validates the username and password and then displays a web page that shows only the resources that are accessible. In this case, the hypertext link IOSShell1 is linked to Telnet://10.0.0.4/.
3. The operator selects this link, which launches the default Telnet client on the system with a connection to 10.0.0.4 on port 23.
4. The authorization device (IOSBOX) accepts the connection and initiates authentication with Cisco APE by sending a TACACS+ authentication START message.
5. Cisco APE sends a username prompt to the authorization device (IOSBOX), which displays the prompt to the user in the Telnet session.
6. The user enters a username.
7. The authorization device sends the username to Cisco APE using TACACS+.
8. Cisco APE sends a password prompt to the authorization device.
9. The authorization device displays the prompt to the user in the Telnet session.
10. The user enters a password.
11. The authorization device sends the password to Cisco APE.
12. Cisco APE validates the authentication and returns a success message.
13. The authorization device sends Cisco APE a TACACS+ authorization request for shell access to the Cisco IOS shell.
14. Cisco APE checks the user's roles to see whether the user has the Resource Access permission on this resource, and returns a success message.
15. The authorization device allows access to the shell.
16. The user can now access the Cisco IOS shell.
17. The user enters the command pad 7263784549.
18. The authorization device (Cisco IOS) checks the privilege level of the command. Because it is a level 1 command and command authorization is configured for level 1, the authorization device requests authorization for this command from Cisco APE with a TACACS+ authorization request.
19. Cisco APE checks whether any of the user's roles allows this command. Because the Test1 role permits it (pad.* is included and the command is not the excluded pad 1234), the user is allowed to issue the command.

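The command-authorization decision in steps 13 to 19 of the Command Authorization scenario, together with the CLI permission semantics described under Task 2 Step 5 (an exclusion beats an inclusion within one role; any role the user holds may grant the command), carried through in code. This is an added example and is not Cisco APE or Cisco IOS code. The TACACS+ header, the authorization REQUEST body layout and the shared-secret obfuscation follow RFC 8907, and service=shell, cmd= and cmd-arg= (ending with cmd-arg=<cr>) are the attributes Cisco IOS sends for shell command authorization. The Role class, the whole-command regular-expression matching of CLI permissions, the session ID, and the port and remote-address values are assumptions made for illustration.

```python
"""TACACS+ command authorization: the device-side request and the server-side decision.
Added example, not Cisco code. Wire format per RFC 8907; the role model below is an
illustration of the include/exclude semantics described in the Cisco APE chapter."""
from __future__ import annotations
import hashlib
import re
import struct
from dataclasses import dataclass

TAC_PLUS_VERSION = 0xC0                 # RFC 8907: major version 0xc, minor version 0
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_AUTHEN_METH_TACACSPLUS = 0x06
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"                  # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over session_id | key | version | seq_no | previous block."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same call deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_author_request(user: str, port: str, rem_addr: str, args: list[str],
                         priv_lvl: int, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Authorization REQUEST (RFC 8907 section 6.1) as the Cisco IOS device would send it."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    enc_args = [a.encode() for a in args]
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_METH_TACACSPLUS, priv_lvl,
                       TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(enc_args))
    body += bytes(len(a) for a in enc_args) + u + p + r + b"".join(enc_args)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)  # header stays in clear

def parse_author_request(packet: bytes, key: bytes) -> dict:
    """Server side: read the clear header, deobfuscate the body with the shared secret, unpack fields."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a well-formed authorization packet")
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    _meth, priv_lvl, _type, _svc, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    user = body[off:off + ulen].decode(); off += ulen
    port = body[off:off + plen].decode(); off += plen
    off += rlen                                   # rem_addr is not needed for the decision
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode()); off += n
    if off != len(body):                          # inconsistent lengths usually mean a key mismatch
        raise ValueError("body length does not match the declared fields")
    return {"user": user, "port": port, "priv_lvl": priv_lvl, "args": args}

def command_from_args(args: list[str]) -> str:
    """Rebuild 'pad 7263784549' from cmd=pad, cmd-arg=7263784549, cmd-arg=<cr>."""
    cmd = next(a[len("cmd="):] for a in args if a.startswith("cmd="))
    cmd_args = [a[len("cmd-arg="):] for a in args if a.startswith("cmd-arg=")]
    return " ".join([cmd, *[x for x in cmd_args if x != "<cr>"]])

@dataclass
class Role:                                       # assumed model of a Cisco APE role
    name: str
    users: set[str]
    cli_permissions: list[tuple[str, str]]        # (regular expression, "include" or "exclude")

    def permits(self, command: str) -> bool:
        """Within a role an exclude beats an include; a command matching nothing is denied."""
        kinds = {kind for pattern, kind in self.cli_permissions if re.fullmatch(pattern, command)}
        return "include" in kinds and "exclude" not in kinds

def authorize_command(roles: list[Role], user: str, command: str) -> bool:
    """The step-19 check: allowed if any role the user holds permits the command."""
    return any(user in role.users and role.permits(command) for role in roles)

def demo() -> dict[str, bool]:
    """Round-trip three commands through the wire format and the Test1 role from this chapter."""
    key = b"SECRET"                  # the shared secret from the chapter's tacacs-server key line
    session_id = 0x1A2B3C4D          # constructed sample session identifier
    test1 = Role("Test1", {"Joe"}, [("pad 1234", "exclude"), ("pad.*", "include")])
    results = {}
    for command in ("pad 7263784549", "pad 1234", "show running-config"):
        words = command.split()
        args = ["service=shell", f"cmd={words[0]}", *[f"cmd-arg={w}" for w in words[1:]], "cmd-arg=<cr>"]
        packet = build_author_request("Joe", "tty66", "10.0.0.9", args, 1, session_id, key)  # constructed
        request = parse_author_request(packet, key)            # what the server sees after deobfuscation
        results[command] = authorize_command([test1], request["user"], command_from_args(request["args"]))
    return results
```

demo() returns True only for pad 7263784549: pad 1234 is excluded by the same role that includes pad.*, and show running-config matches no permission. Adding a second Role that includes pad 1234 for Joe makes authorize_command return True for it, which is the situation the Note above warns about. Because the 12-byte header is sent in clear and only the body is XORed with the MD5 pseudo-pad, the two sides detect a shared-secret mismatch only when the deobfuscated body fails to parse, so a key typo on either IOSBOX or Cisco APE shows up as rejected authorization rather than as an explicit error.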