Telnet logging to Cisco router with Radius authentication based on Windows 2008 R2

Say you want to give a network admin access to a Cisco router via telnet with Radius authentication (user account is stored in AD).

The network admin is not a system admin so he does not have administrator rights on the AD domain but it has to have level 15 access to all Cisco devices.

Here is the configuration of the router (tested on Cisco 1800 Series)

enable secret 5 ############

aaa new-model
aaa authentication login default group radius local
aaa authorization exec default group radius local

privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server enable
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 configure

line con 0
password 7 ############
line aux 0
line vty 0 4
password 7 ############
transport input telnet

session-timeout 60

Quick description:
enable secret 5 - password for admin level to restrict the use of "enable" command


aaa new-model - start the AAA configuration
aaa authentication login default group radius local - login authentication is done by the AAA mechanism in the following fasion:

• first the default authentication group is used (I did not create my own authgroup for this example) and checked by a Radius server
• if the server does not respond (and only then) - local user database is checked

aaa authorization exec default group radius local- command execution authorization is done in the same way as above.


The next set of commands is to create a new priviledge level. In Cisco IOS the admin level is 15. It has the full right on any hardware. Lower level must be defined before can be used.
In this case I created a 7th level of access with right to execute ping, enter configuration options and configure SNMP settings.


line vty 0 4 - telnet connection configuration (total of 5 lines - from 0 to 4)



Now for the Windows 2008 Server R2 side:

Network policy for level 15:

• Windows Group: NetAdmins
• Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
• Cisco Attributes AV-Pair: shell:priv-lvl=15

Network policy for level 7:

• Windows Group: SomeoneElse
• Standard Attributes: 7 (Framed Protocol) - PPP, 6 (Service Type) - NAS Prompt
• Cisco Attributes AV-Pair: shell:priv-lvl=7

Now when logging via telnet users belonging to NetAdmin group gain full access to router (without the need for "enable" command) while users from SomeoneElse group have only level 7.
If the other user would want the full access he would have to know the secret password

Cisco ASA NetFlow Support – NetFlow Security Event Logging – NSEL

Cisco has changed its ways! Cisco ASA now supports NetFlow. The new feature in Cisco ASA version 8.2 is called NSEL (NetFlow Security Event Logging) and it allows all ASA models to support NetFlow. Below I have provided the NetFlow configuration of a Cisco ASA.

Three event types can trigger a NetFlow record.

flow-export destination inside x.x.x.x xxxx(Collector & Port)

access-list flow_export_acl permit ip host x.x.x.x host x.x.x.x

class-map flow_export_class

match access-list flow_export_acl

policy-map flow_export_policy

class flow_export_class

flow-export event-type flow-creation destination x.x.x.x(Collector IP)

service-policy flow_export_policy global

To see all event type records with NetFlow

event-type all

If you disable logging for flow export events this will increase performance

logging flow-export syslogs disable

• Conf Configuration-Firewall->Service Policy Rules.
• Click Add->select “Use class-default as the traffic class”->Next->Netflow (tab)->Add (check the collector(s) you want to use)->Finish->Apply.

NetFlow can be configured in the Cisco ASDM GUI by clicking:

* flow-create

* flow-denied

* flow-teardown

This isn’t your typical NetFlow

AAA

Authentication, Authorization, and Accounting... Otherwise Known as AAA (triple A). Most people who have had to implement AAA on a router or switch probably know very little about the commands they copy to the router config. Most simply grab the AAA configs from another working router or switch and be done with. But have you ever wondered what these commands do? Have you asked yourself - "Do I even need this? What's the best way to implement AAA?" Today we're gonna get our [ROUTER]FREAK on and check out some best practices with AAA.

If your working in an environment that uses AAA then you no doubt have a TACACS+ or ACS server running somewhere that is used for management of logins to your devices. AAA works in conjuction with TACACS+ to provide management of your login security. Who can login (Authentication), What can that user do (Athorization), and track the commands that are used (Accounting).

I've recently worked directly with Cisco to bang out what exactly is the best practices for configuring AAA on a router. what we came up with is the following:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+


Some router configurations look more intimidating than others and AAA is always one them. Don't worry, we'll break this down and you will see its not so bad after all.

So lets take a look at it one line at a time...

aaa new-model
This basically turns on aaa on the router.

aaa authentication login default group tacacs+ local
Here we are saying that to authenticate to this router for logins use the default group which is tacacs+. If tacacs+ fails then use the local user account configured on the router. (This is why you always want to make sure you have a local user configured on your router)

aaa authentication enable default group tacacs+ enable
Here we are saying that for enable mode we want to use the default group tacacs+ (notice the local keyword is not used. This is because that a locally defined user will have specified the authorization level they require. . for example leve 15 will get enable mode)

aaa authorization config-commands
This says we want to check with TACACS+ to authorize going into config mode.

aaa authorization exec default group tacacs+ local if-authenticated
Notice the "if-authenticated" keyword at the end of this line. This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.

aaa authorization commands 1 default group tacacs+ if-authenticated
For best practices Cisco recommends that authorization be configured to each level of user access to network devices. In this command we are authorizing level 1 user. This would also be the same as non-enable mode. A fallback method should be configured such as a local user. This also requires the use of tacacs+.

aaa authorization commands 15 default group tacacs+ local if-authenticated
Here we are providing authorization for level 15 users against tacacs+. If tacacs+ is not available then the local user account is used. If authenticated the user will immediately be dropped into exec/enable mode.

aaa accounting exec default start-stop group tacacs+
AAA Accounting for each level of commands ensures there is accountability for use of privileged commands on the router. Privilege levels range from 1 to 15, with 15 being the highest level. Some organizations may want to implement additional levels of commands where 1 might be a help desk and 15 are network administrators.

aaa accounting commands 1 default start-stop group tacacs+
This is an optional command as far as best practices go... but this provides accountability or tracking of user activity even they thay have only logged in (not exec/enable)

aaa accounting commands 15 default start-stop group tacacs+
This command will provide for accounting of adminsitrators or priveledge level 15

... And that's it! See? Oonce you go over each line its not quite so bad. The biggest hurdle is understanding the freaky Cisco command structure.

I hope this break down has helped clear things up a bit