December 22nd, 2009
From the ACS GUI, complete these steps:
- In the navigation bar, click External User Databases.

- On the External User Databases page, click Database Configuration.
The ACS displays a list of all possible external user database types.
- Click Windows Database.
If no Windows database configuration exists, the Database Configuration Creation table appears. Otherwise, the External User Database Configuration page appears.
- Click Configure.
The Windows User Database Configuration page appears with several options.
- Configure the options you need. All the settings on the Windows User Database Configuration page are optional; enable one only if you want the specific feature it controls.
- Click Submit to finish the configuration.
Now create a user account in ACS and set its Password Authentication field to “Windows Database”. This is not the best option when there are many user accounts in AD; in that case, configure what ACS does when a user does not exist in its internal database (the Unknown User Policy under External User Databases).
Categories: Security
Tags: ACS, internal users
December 21st, 2009
In this post I want to briefly describe how to configure ACS to work with Active Directory.
- Install ACS on the server according to the installation instructions. During installation, do not forget to select the option “Also check the Windows User Database”. The server must be joined to the AD domain.
- Create a user in AD, for example csadmin. At this step the account does not need to be a member of any group.
- Open the Local Security Policy editor on the server where ACS is installed. Go to Local Policies > Security Options and find the LAN Manager Authentication Level policy. Change its value to Send LM & NTLM responses; ACS does not support NTLMv2. (This lowers the authentication level of the ACS host, so set it only on this server, not through a domain-wide policy.)
- Configure local security policies. Open Start > Settings > Control Panel > Administrative Tools > Local Security Policy, then Local Policies > User Rights Assignment. Add the csadmin account to the following policies:
•Act as part of the operating system.
•Log on as a service.
- Next, check the properties of the local network adapter and enable NetBIOS. Cisco Secure ACS requires NetBIOS to communicate with every domain controller to which it submits user authentication requests, so NetBIOS must be enabled on the following computers:
•The member server running Cisco Secure ACS.
•The domain controller of the domain containing Cisco Secure ACS.
- Configure WINS. If Cisco Secure ACS must authenticate users belonging to a trusted or child domain and cannot rely on DNS to contact the domain controllers in those domains, you must enable WINS on your network.
- Go to Start > Settings > Control Panel > Administrative Tools > Services. We are interested in the following services:
•CSAdmin
•CSAuth
•CSDbSync
•CSLog
•CSMon
•CSRadius
•CSTacacs
These services must run under the csadmin account. For each of them:
a) Open the properties of the service.
b) On the Log On tab, select This account.
c) Select the csadmin account and enter its password.
d) Repeat for every service listed above.
e) Restart all of these services.
Categories: Security
Tags: ACS, AD
December 16th, 2009
Using 802.1x requires a RADIUS server (we chose Windows IAS), switches that support 802.1x (we use a Cisco 2950) and a client that supports 802.1x (in our case Windows XP SP3).
Configuring the IAS service.
IAS is the RADIUS server built into Windows Server; it relays authentication data between the switches and AD. When a client connects to a switch port, the switch contacts the IAS server to identify the client and check whether it is allowed to use the network. During this exchange the switch acts as the authenticator (in 802.1x terminology) between the client (the supplicant) and the IAS server (the authentication server). Client and IAS server communicate using EAP, either EAP-MD5 or PEAP. If you plan to use PEAP you will need to install Certificate Services, because PEAP requires a server certificate. If you do not want to install Certificate Services, you can use EAP-MD5 instead.
So, install the IAS service. In Control Panel open Add or Remove Programs and choose Add/Remove Windows Components. Open the Networking Services container and tick Internet Authentication Service. Click OK, then Next. To configure IAS, open the Internet Authentication Service MMC console located in the Administrative Tools folder.
First, make sure the IAS service has sufficient rights in AD: right-click the root node Internet Authentication Service (Local) and choose Register server in Active Directory. Second, enable logging for the IAS service: right-click the root node again, choose Properties and tick both boxes so that the server records both rejected and accepted authentication requests in the Event Log.
Now configure the connection between the IAS server and the switch. First, create a RADIUS client record on the IAS server so that IAS accepts authentication requests from the switch. Right-click RADIUS Clients in the root of the IAS tree and choose New RADIUS Client to start the wizard. On the first page enter a descriptive name for the switch and its IP address or DNS name, then click Next. On the last page enter the shared secret that secures the connection between IAS and the switch and tick Request must contain the Message Authenticator attribute. Also change Client-Vendor from RADIUS Standard to Cisco (or the vendor of your switch). Changing this is not strictly necessary, but it is convenient once you have several remote access policies.

Next, create a Remote Access Policy. The policy defines the type of authentication the end user must pass and any additional restrictions. There are many ways to configure policies; in our case we will keep it simple and use only the Client-Vendor attribute as the selection criterion, so the policy applies to requests whose Client-Vendor attribute is Cisco and ignores requests from other clients. Right-click Remote Access Policies and choose New Remote Access Policy. Select Use the wizard to set up a typical policy for a common scenario, enter a descriptive name for your policy (for example, Switch Port Access Control) and click Next. On the next page select Ethernet and click Next. On the User and Group Access page add Domain Users and Domain Computers to the Group name list.

We add Domain Computers so that workstations can reach the domain controllers during boot to apply domain policies and synchronise time. At the same time the policy must ensure that unauthorized users cannot reach the network until they have authenticated successfully on the switch. Click Next to reach the Authentication Methods page, choose MD5-Challenge (in our case) and click Next again.

A summary page appears; click Finish to complete the configuration. We have now created a policy that grants access to our network. However, if we open the properties of this policy we will see that its initial condition requires the NAS-Port-Type attribute to match Ethernet.

Cisco 2950 switches do not describe their ports as Ethernet in the way IAS expects when working with 802.1x switches, so we simply remove this condition from the policy. We still need to tie the policy to the requests arriving from the switches, so add a new condition on the Client-Vendor attribute set to Cisco. Now IAS is ready to serve requests from the switches.
Configuring CISCO switches.
- Enable AAA on the switch.
Switch(config)#aaa new-model
The new-model keyword refers to the use of method lists, by which authentication methods and sources can be grouped or organized.
- Define the external RADIUS server. The key must match the shared secret entered for this RADIUS client on the IAS server.
Switch(config)#radius-server host XXX.XXX.XXX.XXX key CISCO
- Define authentication method for 802.1x
Switch(config)#aaa authentication dot1x default group radius local
- Enable 802.1x on the switch
Switch(config)#dot1x system-auth-control
- Configure each switch port that will use 802.1x:
Switch(config)#interface fa0/x
Switch(config-if)#switchport mode access
Switch(config-if)#dot1x port-control {force-authorized | force-unauthorized | auto}
Here, the 802.1x state is one of the following:
- force-authorized – the port always authorizes any connected client; no authentication takes place. This is the default state of every switch port when 802.1x is enabled.
- force-unauthorized – the port never authorizes any connected client, so it cannot move to the authorized state.
- auto – the port uses an 802.1x exchange to move from the unauthorized to the authorized state if authentication succeeds. This requires an 802.1x-capable supplicant on the client PC.
The “switchport mode access” command is required; without it, dot1x cannot be enabled on the interface.
Configuring client system (Windows XP)
First, check the state of the Wired AutoConfig service (on Windows XP SP3; on earlier versions of Windows XP check the Wireless Zero Configuration service instead). The service must be running and its startup type set to Automatic.
Next, configure the properties of the Network Connection (in Control Panel) that we use to access the network. Open the Authentication tab and tick Enable IEEE 802.1x authentication for this network.

In the EAP type field choose MD5-Challenge and also tick Authenticate as computer when computer information is available. The computer is now ready to authenticate via 802.1x.
Note: I have only described 802.1x with the EAP-MD5 type. In this case you must understand that every user who authenticates through this method needs their password stored with reversible encryption. You can set this in the user account properties or via GPO. By default, Active Directory does not store passwords with reversible encryption, so when such a user tries to log on to the computer they get an error message.
The following information may also appear in the RADIUS server's Event Log, depending on the server's logging level:
Event Type: Warning
Event Source: IAS
Event Category: None
Event ID: 2
Date: 8/28/2007
Time: 11:05:06 AM
User: N/A
Computer: NAFR-DC2
Description:
User jeffsan was denied access.
Fully-Qualified-User-Name = NAFR\jeffsan
NAS-IP-Address = 0.0.0.0
NAS-Identifier = NS2
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = NS2
Client-IP-Address = 192.168.70.102
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MD5-CHAP
EAP-Type = <undetermined>
Reason-Code = 19
Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.
As I said, this error occurs when the user's password is not stored with reversible encryption.
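As an added example (my own code, not part of the original post and not IAS logic), the following Python parses a denial event in the format shown above and turns its fields into operator findings. The sample event is constructed from the entry above; the findings rules are my assumptions about what is worth flagging, and only reason code 19 is taken from this page.

```python
import re

# Constructed sample, modelled on the IAS warning shown on this page (not a real capture).
SAMPLE_EVENT = """\
User jeffsan was denied access.
Fully-Qualified-User-Name = NAFR\\jeffsan
NAS-IP-Address = 0.0.0.0
NAS-Identifier = NS2
Called-Station-Identifier = <not present>
Calling-Station-Identifier = <not present>
Client-Friendly-Name = NS2
Client-IP-Address = 192.168.70.102
NAS-Port-Type = <not present>
NAS-Port = <not present>
Proxy-Policy-Name = Use Windows authentication for all users
Authentication-Provider = Windows
Authentication-Server = <undetermined>
Policy-Name = <undetermined>
Authentication-Type = MD5-CHAP
EAP-Type = <undetermined>
Reason-Code = 19
Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account.
"""

_HEAD = re.compile(r"^User (\S+) was (denied|granted) access\.$")
_KV = re.compile(r"^([A-Za-z][\w-]*) = (.*)$")


def parse_ias_event(text):
    """Turn the 'Key = Value' body of an IAS event into a dict.

    '<not present>' and '<undetermined>' become None; Reason-Code becomes an int.
    The leading 'User X was denied/granted access.' line is stored as user/outcome.
    """
    event = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEAD.match(line)
        if m:
            event["user"], event["outcome"] = m.group(1), m.group(2)
            continue
        m = _KV.match(line)
        if not m:
            continue  # free text that is not an attribute line
        key, value = m.group(1), m.group(2).strip()
        if value in ("<not present>", "<undetermined>"):
            value = None
        elif key == "Reason-Code":
            value = int(value)
        event[key] = value
    return event


def explain_denial(event):
    """Assumed triage rules for a denied request; returns a list of findings."""
    findings = []
    if event.get("outcome") != "denied":
        return findings
    if event.get("Reason-Code") == 19:
        findings.append("reason 19: CHAP/EAP-MD5 needs the plaintext password; "
                        "enable reversible encryption for the account (or via GPO) or move to PEAP")
    if event.get("Authentication-Type") == "MD5-CHAP":
        findings.append("MD5-CHAP in use: passwords for these users are effectively stored in clear")
    if event.get("NAS-Port-Type") is None:
        findings.append("NAS-Port-Type absent: a policy condition NAS-Port-Type = Ethernet "
                        "will never match this switch")
    if event.get("NAS-IP-Address") == "0.0.0.0":
        findings.append("NAS-IP-Address is 0.0.0.0: identify the switch by "
                        "Client-IP-Address / Client-Friendly-Name instead")
    return findings


if __name__ == "__main__":
    ev = parse_ias_event(SAMPLE_EVENT)
    print(ev["user"], ev["Reason-Code"])
    for f in explain_denial(ev):
        print("-", f)
```

Run over the event above it reports the missing reversible-encryption password, the clear-text exposure that MD5-CHAP implies, and the two attributes (NAS-Port-Type, NAS-IP-Address) that explain why a policy keyed on the port type or NAS address would not match this switch.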
CHAP provides protection against playback attack by the peer through the use of an incrementally changing identifier and a variable challenge value. The use of repeated challenges is intended to limit the time of exposure to any single attack. The authenticator is in control of the frequency and timing of the challenges. This authentication method depends upon a secret known only to the authenticator and that peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication.
Because CHAP may be used to authenticate many different systems, Name fields may be used as an index to locate the proper secret in a large table of secrets. This scheme also makes it possible to support more than one name/secret pair per system and change the secret in use at any time during the session.
CHAP requires that the secret be available in plaintext form. CHAP cannot use the irreversibly encrypted password databases that are commonly available. If the RADIUS server does not have access to the plaintext password, it cannot compute the one-way hash to verify the user, and authentication fails.
So to resolve this problem you must enable this setting manually on each account, or through Group Policy Objects when dealing with many users.
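To make the CHAP reasoning above concrete, here is an added example (my own code, not from the original post, IAS or any supplicant implementation) that walks through the EAP-MD5/CHAP exchange from both sides. The account names and passwords are constructed; storing some accounts as plaintext and others only as a SHA-256 digest is a simplification standing in for AD's reversible-encryption setting versus its one-way hash. It shows the normal success and failure paths, the reason-19 case where the server only holds a one-way hash, and why a fresh challenge and identifier defeat a replayed response.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """CHAP / EAP-MD5 response value: MD5(Identifier || Secret || Challenge), RFC 1994."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Supplicant:
    """Client side (the XP supplicant). It knows its own password."""

    def __init__(self, name, password):
        self.name = name
        self.password = password.encode()

    def respond(self, identifier, challenge):
        return self.name, identifier, chap_response(identifier, self.password, challenge)


class Authenticator:
    """Server side (IAS). Only accounts kept with reversible encryption yield a
    plaintext secret; the rest exist only as a one-way hash (constructed model)."""

    def __init__(self, reversible, hashed):
        self.reversible = {n: p.encode() for n, p in reversible.items()}
        self.hashed = hashed            # name -> sha256(password); cannot be reversed
        self.identifier = 0
        self.pending = {}               # name -> (identifier, challenge) awaiting a response

    def challenge(self, name):
        self.identifier = (self.identifier + 1) & 0xFF   # identifier changes every time
        chal = os.urandom(16)                            # unpredictable challenge
        self.pending[name] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, name, identifier, response):
        if name not in self.pending:
            return False, "no outstanding challenge (stale or replayed response)"
        expected_id, chal = self.pending.pop(name)       # a challenge is good for one response only
        if identifier != expected_id:
            return False, "identifier mismatch"
        secret = self.reversible.get(name)
        if secret is None:
            # The server must recompute MD5 over the plaintext secret; a stored
            # one-way hash is useless for that. This is the IAS reason code 19 case.
            return False, "reason 19: no reversibly encrypted password for this account"
        expected = chap_response(identifier, secret, chal)
        if hmac.compare_digest(expected, response):
            return True, "authenticated"
        return False, "bad response"


def run_exchange(auth, supplicant):
    """One full challenge/response round; returns (ok, reason)."""
    ident, chal = auth.challenge(supplicant.name)
    return auth.verify(*supplicant.respond(ident, chal))


def demo():
    # Constructed accounts: alice is stored reversibly, jeffsan only as a hash.
    auth = Authenticator(
        reversible={"alice": "correct horse"},
        hashed={"jeffsan": hashlib.sha256(b"battery staple").digest()},
    )
    results = {}
    results["alice_ok"] = run_exchange(auth, Supplicant("alice", "correct horse"))[0]
    results["alice_wrong_pw"] = run_exchange(auth, Supplicant("alice", "wrong"))[0]
    results["jeffsan_hash_only"] = run_exchange(auth, Supplicant("jeffsan", "battery staple"))
    # Replay: capture one valid response and present it a second time.
    ident, chal = auth.challenge("alice")
    captured = Supplicant("alice", "correct horse").respond(ident, chal)
    first_ok = auth.verify(*captured)[0]
    results["replay_rejected"] = first_ok and not auth.verify(*captured)[0]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that jeffsan supplies the right password and is still rejected: the failure is entirely on the server side, which is exactly what the reason-19 event above reports. The replay case also shows the other half of the trade-off: CHAP protects the wire against replay, but only because the server can recompute the hash from a secret it stores in a recoverable form.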


However, storing passwords using reversible encryption is essentially the same as storing plaintext versions of the passwords. For this reason, this policy should never be enabled unless application requirements outweigh the need to protect password information.
Besides EAP-MD5, IAS supports PEAP. For better security use PEAP; it requires certificates. You can install a certificate only on the IAS server, or deploy a PKI and use certificates on both the IAS servers and the client computers. However, using PEAP with IAS requires Windows Server Enterprise Edition.
Categories: Security
Tags: 802.1x, Authentication, EAP, IAS, md5, PEAP
December 15th, 2009
After establishing an IPsec tunnel, you can verify and view the tunnel's parameters with show crypto engine connections active, which shows a summary of the crypto engine connections, and show crypto session, which shows the status of each active crypto session.

We can also use show crypto isakmp sa, which shows all existing IKE Phase 1 (ISAKMP) security associations.

show crypto ipsec sa – shows all existing IKE Phase 2 (IPSec) security associations.

Site-to-site VPN has one serious drawback: every device using it needs a static definition of the traffic to protect. In topologies with a large number of routes learned through a dynamic routing protocol this is hard to maintain, because every possible path must be entered manually. In that case another type of VPN can be used, which I will describe in a later post.
Categories: Security, VPN
Tags: Site-to-Site, VPN
December 14th, 2009
Configuring IPsec from the CLI involves five primary steps:
Step 1 – Define the parameters for the IKE Phase 1 tunnel (the ISAKMP tunnel). This set of parameters is called an ISAKMP policy and covers authentication (pre-shared key or certificate), the hashing algorithm, the encryption algorithm, the DH group and the SA lifetime.
Step 2 – Define the parameters for the IKE Phase 2 tunnel (the IPsec tunnel). This set of parameters is called a transform set, for example esp-aes with esp-sha-hmac.
Step 3 – Create an ACL that identifies the “interesting” traffic, which should be protected and sent over the IPsec tunnel.
Step 4 – Create a crypto map, which groups the parameters from the previous steps and points to an IPsec peer. The crypto map is then applied to the appropriate interface.
Step 5 – Optionally, create an additional ACL to block traffic that is not interesting from passing between the VPN termination devices.
Suppose we need to set up IPsec in the following topology.

Step 1
To begin, specify the ISAKMP parameters:
R1# conf term
R1(config)# crypto isakmp policy 1
R1(config-isakmp)#authentication pre-share
R1(config-isakmp)#hash sha
R1(config-isakmp)#encryption aes 128
R1(config-isakmp)#group 2
R1(config-isakmp)#lifetime 86400
R1(config-isakmp)#exit
R1(config)#crypto isakmp key 0 cisco address 172.16.1.2
Almost the same commands must be entered on the other router, R2, except of course the last one:
R2(config)#crypto isakmp key 0 cisco address 172.16.1.1
In this example the “crypto isakmp policy 1” command enters ISAKMP configuration mode. Within that mode, “authentication pre-share” specifies that pre-shared keys are used for authentication, “hash sha” selects the Secure Hash Algorithm (SHA) as the hashing algorithm, “encryption aes 128” selects 128-bit Advanced Encryption Standard (AES), and “group 2” selects Diffie-Hellman group 2 for the key exchange. Finally, the lifetime of the SA is set to one day (86400 seconds). Then, in global configuration mode, the “crypto isakmp key 0 cisco address …” command sets the pre-shared key to “cisco” for the peer with the given IP address; the 0 means the key is entered in clear text. A key like “cisco” is fine for a lab, but in production use a long random key and make sure it is identical on both peers.
Step 2, Step 3 and Step 4
Remember that the IKE Phase 2 tunnel (the IPsec tunnel) is negotiated and set up under the protection of the IKE Phase 1 tunnel (the ISAKMP tunnel).
R1(config)#crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
R1(cfg-crypto-trans)#exit
R1(config)#access-list 101 permit ip 192.168.0.0 0.0.0.255 10.12.0.0 0.0.0.255
R1(config)#crypto map R1_TO_R2 10 ipsec-isakmp
R1(config-crypto-map)#set peer 172.16.1.2
R1(config-crypto-map)#match address 101
R1(config-crypto-map)#set transform-set MYSET
The same commands must be entered on R2, except that the access list is mirrored (source 10.12.0.0/24, destination 192.168.0.0/24) and set peer points to R1's address, 172.16.1.1.
In this example a transform set named MYSET is created with the “crypto ipsec transform-set MYSET …” command. The esp-aes parameter specifies the encryption algorithm and the esp-sha-hmac parameter specifies the hashing algorithm. ACL 101 identifies the traffic the IPsec tunnel will protect. The crypto map is created with “crypto map R1_TO_R2 10 ipsec-isakmp”. In crypto map configuration mode, “set peer …” specifies the IP address of the IPsec peer (the same address used in the crypto isakmp key command), “match address 101” associates the previously created ACL 101 with the crypto map, and “set transform-set MYSET” links the MYSET transform set to the crypto map.
Applying Crypto maps
A crypto map must be applied to an interface for the IPsec tunnel to be set up:
R1(config)#interface f0/0
R1(config-if)#crypto map R1_TO_R2
R1(config-if)#end
In the next post I will describe the commands used to check and monitor IPsec tunnels.
Categories: Security, VPN
Tags: VPN