CCNP 642-811 BCMSN Exam Certification Guide - Cisco press

456 Chapter 19: Securing Switch Access

Step 2 Define the source of authentication.

You can compare user credentials against locally configured usernames and passwords, or against a database managed by external RADIUS or TACACS+ servers.

Use locally configured usernames and passwords as a last resort, when no other authentication servers are reachable or in use on the network. To define a username, use the following global configuration command:

Switch(config)# username username password password

RADIUS or TACACS+ servers are defined in groups. First, define each server along with its secret shared password. This string is known only to the switch and the server and provides a key for encrypting the authentication session. Use one of the following global configuration commands:

Switch(config)# radius-server host {hostname | ip-address} [key string]

Switch(config)# tacacs-server host {hostname | ip-address} [key string]

Then, define a group name that will contain a list of servers, using the following global configuration command:

Switch(config)# aaa group server {radius | tacacs+} group-name

Define each server of the group type with the following server-group configuration command:

Switch(config)# server ip-address

You can define multiple RADIUS or TACACS+ servers by repeating these commands.

Step 3 Define a list of authentication methods to try.

You can list switch login authentication methods by giving the method a descriptive name or as the unnamed “default” method. List each method or protocol type in the order that it should be tried. If none of the servers for the first method respond, the switch tries the servers in the next method listed.

Use the following global configuration command to define a method list:

Switch(config)# aaa authentication login {default | list-name} method1

[method2 ...]

Here, the methods refer to these values:

•tacacs+—Each of the TACACS+ servers configured on the switch will be tried, in the order that it was configured.

•radius—Each of the RADIUS servers configured on the switch will be tried, in the order that it was configured.

Switch AAA 457

•local—The user’s credentials will be compared against all of the username commands configured on the local switch.

•line—The line passwords authenticate any connected user. No usernames can be used.

NOTE Be sure to add either the local or line method at the end of the list, as a last resort. This way, if all of the RADIUS or TACACS+ servers are unavailable or the switch is completely isolated from the rest of the network, a locally configured authentication method will still eventually be used. Otherwise, you will never be able to get into the switch.

Step 4 Apply a method list to a switch line.

First, select a line (console or vty for Telnet access) using the line line command. Then, trigger the user authentication on that line to use an AAA method list. Use the following line configuration command:

Switch(line)# login authentication {default | list-name}

You can use the default method list if only one list is sufficient for all circumstances on the switch. Otherwise, if you have configured named method lists, you can reference one of them here.

CAUTION After authentication is configured on a switch, it is a good idea to stay logged in on one session so that the authentication can be tested. If you exit the configuration session, you will not be able to log in again if the authentication is misconfigured. While you stay logged in on the original session, bring up a new Telnet session to the switch. If you can successfully authenticate, everything is properly configured.

Authorization

After a user is authenticated, the switch allows access to certain services or switch commands based on the user’s privilege level. Authenticating puts the user at the EXEC level, by default. Certain commands, such as show interface, are available at the EXEC level. Other commands, such as configure terminal, are accessible only if the user is able to move into the privileged EXEC or “enable” mode.

Authorization provides a means to grant specific users the ability to perform certain tasks. Like authentication, authorization is performed by querying external RADIUS or TACACS+ servers. If the authorization server has an entry for a user and a service or command, the switch allows the user to perform that task.

458 Chapter 19: Securing Switch Access

You configure authorization by first defining any RADIUS or TACACS+ servers that will be used. These are normally defined as part of the authentication configuration and do not need to be redefined for authorization.

Next, define a method list of authorization methods that will be tried in sequence using the following global configuration command:

Switch(config)# aaa authorization {commands | config-commands | configuration | exec | network | reverse-access} {default | list-name} method1 [method2 ...]

Here, you specify the function or service needing authorization with one of the following values:

■commands—The server must return permission to use any switch command at any privilege level.

■config-commands—The server must return permission to use any switch configuration command.

■configuration—The server must return permission to enter the switch configuration mode.

■exec—The server must return permission for the user to run a switch EXEC session. The server can also return the privilege level for the user so that the user can immediately be put into the privileged EXEC (“enable”) mode without having to type in the enable command.

■network—The server must return permission to use network-related services.

■reverse-access—The server must return permission for the user to access a reverse Telnet session on the switch.

You can identify the method with a descriptive name (list-name), if you are configuring more than one list. Otherwise, a single unnamed list is called the default list. Each authorization method is then listed in the order it will be tried. The methods can be any of the following values:

■group group-name—Requests are sent to the servers in a specific group.

■group {radius | tacacs+}—Requests are sent to all servers of this type.

■if-authenticated—Requests are granted if the user is already authenticated.

■none—No external authorization is used; every user is successfully authorized.

NOTE Only TACACS+ servers can authorize users with permission to use specific commands. RADIUS servers offer more of an “all-or-nothing” approach.

Next, you can apply an authorization method list to a specific line on the switch. Users accessing the switch through that line will be subject to authorization. Use the following line configuration command:

Switch(config-line)# authorization {commands level | exec | reverse-access} {default | list-name}

Port-Based Authentication 461

A violation occurs if more than the maximum number of MAC addresses are learned, or if an unknown (not statically defined) MAC address attempts to transmit on the port. The switch port takes one of the following configured actions when a violation is detected:

■shutdown—The port is immediately put into the errdisable state, which effectively shuts it down. It must be re-enabled manually or through errdisable recovery to be used again.

■restrict—The port is allowed to stay up, but all packets from violating MAC addresses are dropped. The switch keeps a running count of the number of violating packets and can send an SNMP trap and a syslog message as an alert of the violation.

■protect—The port is allowed to stay up, as in the restrict mode. Although packets from violating addresses are dropped, no record of the violation is kept.

Port-Based Authentication

Catalyst switches can support port-based authentication, a combination of AAA authentication and port security. This feature is based on the IEEE 802.1x standard.

Basically, a switch port will not pass any traffic until a user has authenticated with the switch. If the authentication is successful, the user can use the port normally.

For port-based authentication, both the switch and the end –user’s PC must support the 802.1x standard, using the Extensible Authentication Protocol over LANs (EAPOL). The 802.1x standard is a cooperative effort between the client and the switch offering network service. If the client PC is configured to use 802.lx but the switch does not support it, the PC abandons the protocol and communicates normally. However, if the switch is configured for 802.1x but the PC does not support it, the switch port remains in the unauthorized state so that it will not forward any traffic to the client PC.

NOTE 802.1x EAPOL is a Layer 2 protocol. At the point where a switch detects the presence of a device on a port, the port remains in the unauthorized state. Therefore, the client PC cannot communicate with anything other than the switch by using EAPOL. If the PC does not already have an IP address, it cannot request one. The PC also has no knowledge of the switch or its IP address, so any means other than a Layer 2 protocol is not possible. This is why the PC must also have an 802.1x-capable application or client software.

An 802.1x switch port begins in the unauthorized state so that no data other than the 802.1x protocol itself is allowed through the port. Either the client or the switch can initiate an 802.1x session. The authorized state of the port ends when the user logs out, causing the 802.1x client to inform the switch to revert back to the unauthorized state. The switch can also time out the user’s authorized session. In this event, the client must reauthenticate to continue using the switch port.

462 Chapter 19: Securing Switch Access

802.1x Configuration

Port-based authentication uses a variety of methods to authenticate potential clients. A method list is configured, defining the methods to be tried in sequence. Begin by configuring an 802.1x method list with the following global configuration command:

Be sure that the aaa new-model command has already been configured. Here, a method is defined by one of the following keywords:

■group {group-name | radius | tacacs+}—Authentication servers are used to authenticate the user. These are configured as the group group-name. Otherwise, all the available RADIUS or TACACS+ servers are tried. These servers are configured exactly the same as the AAA feature.

■enable—The enable password authenticates the user.

■line—The line password authenticates the user. This applies only when 802.1x is being used on a switch line (console or vty).

■local—The locally defined usernames and passwords are used to authenticate the user.

■none—No authentication is performed.

If RADIUS or TACACS+ servers are used as a method, including one of the local methods at the end of the line is wise. This gives a predictable last-resort method if all of the authentication servers are unavailable. Otherwise, users or support staff could be locked out of the switch.

Next, enable the use of 802.1x on the switch with the following global configuration command:

Switch(config)# dot1x system-auth-control

You must configure each switch port that will use 802.1x. Use the following interface configuration command to set the authentication state:

Switch(config-if)# dot1x port-control {force-authorized | force-unauthorized | auto}

Here, the 802.1x state is one of the following:

■force-authorized—The port is forced to always authorize any connected client. No authentication is necessary. This is the default state for all switch ports when 802.1x is enabled.

■force-unauthorized—The port is forced to never authorize any connected client. As a result, the port cannot move to the authorized state to pass traffic to a connected client.

■auto—The port uses an 802.1x exchange to move from the unauthorized to the authorized state, if successful. This requires an 802.1x-capable application on the client PC.

Port-Based Authentication 463

It might be obvious that port-based authentication is tailored for controlling access to a single host PC that is connected to a switch port. However, it also supports cases where multiple hosts are attached to a single switch port through an Ethernet hub or another access layer switch.

If the switch should expect to find multiple hosts present on the switch port, use the following interface configuration command:

Switch(config-if)# dot1x multi-hosts

464 Chapter 19: Securing Switch Access

Foundation Summary

The Foundation Summary is a collection of tables that provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, these tables and figures are a convenient way to review the day before the exam.

Table 19-2 AAA Configuration Commands