NetworkLabNotes/chapter/networkmgmt.tex

\chapter{Net Mgmt}

\section{Triple A\tsq{s}}

\myquote{}{Remember to log the details, too.}

\xkcd{latitude}{Remember logging when necessary}

\newpage

\begin{itemize}
    \item \textbf{Authentication:}
    \begin{enumerate}
        \item Identify the user,
        \item Validate the user,
        \item Allow/Disallow user based upon credentials.
    \end{enumerate}
    \item \textbf{Authorization:}
    \begin{enumerate}
        \item Have defined levels of allowed operations/tasks divided into groups,
        \item Validate user-to-groups relations,
        \item Allow/Disallow user actions.
        \item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
    \end{enumerate}
    \item \textbf{Accounting:}
    \begin{enumerate}
        \item Network nodes collect user and session information from start to end when connecting to a node,
        \item All information is transferred back to \gls{aaa} server,
        \item Transferred info can be leveraged for several purposes. Typically logged info is:
        \begin{itemize}
            \item session duration,
            \item user commands,
            \item disallowed commands
        \end{itemize}
    \end{enumerate}
\end{itemize}

\bigskip

\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.

\newpage

\begin{table}[!ht]
    \centering
    \caption{Tacacs+ vs. Radius}
    \label{radiusversustacacsplus}
    \resizebox{\columnwidth}{!}{%
        \begin{tabular}{|l|l|l|l|l|}
            \hline
            \multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
            Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
            Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
            \gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
            Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
            Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
        \end{tabular}%
    }
\end{table}

\newpage

\section{RADIUS}

\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}

\begin{txt}
radius server DK-RADIUS-SERVER
 address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
 key unkn0wn!unic@st.|.
!
aaa new-model
aaa group server RADIUS
 server name DK-RADIUS-SERVER
!
aaa authentication login radius_list group RADIUS local
!
line vty 0-4
 login authentication radius_list
line vty 5-15
 login authentication radius_list
\end{txt}

\newpage

\section{TACACS+}

\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}

\begin{txt}
aaa group server tacacs+ TACACS
server-private 1.1.1.1 unkn0wn!unicAst
ip tacacs source-interface Loopback0
!
aaa authentication attempts login 1
aaa authentication login default group TACACS local-case
aaa authentication login console local-case
aaa authentication enable default group TACACS enable
aaa authorization exec default group TACACS local 
aaa authorization commands 0 default group TACACS local 
aaa authorization commands 15 default group TACACS local 
aaa accounting exec default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 1 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 2 default
 action-type start-stop
 group tacacs+
!
aaa accounting commands 15 default
 action-type start-stop
 group tacacs+
!
aaa session-id common
!
tacacs-server host 10.21.0.45
tacacs-server unkn0wn!unicAst
\end{txt}

\section{802.1X}

802.1X deviates from standard \gls{aaa} used in network management by also providing support for:
\begin{itemize}
    \item user mobility and
    \item user access control by way of governing policies.
\end{itemize}

\fig{8021x/8021x}{8021x}{ID Management}

Based upon the user connecting to the network. They can be given access to
\begin{itemize}
    \item the resources their group/identity have been assigned or
    \item put into a guest \gls{vlan} if nothing is assigned to them or
    \item simply block the client/user altogether.
\end{itemize}

Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.

\begin{itemize}
	\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation.
	\item The \textbf{authentication server}
\end{itemize}

\fig{8021X/portauth}{portauth}{802.1X Port Auth}

802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.

\clearpage

\subsection*{Enable with Cisco config}

\begin{txt}
aaa new-model
radius server host radiusserver.example.com key .unkown!unicAst.
aaa group server radius RADIUS-SERVER-DK
 server radiusserver.example.com
aaa authetication dot1x default group RADIUS-SERVER-DK
dot1x system-auth-control
interface GigabitEthernet 0/4
 switchport mode access         ! Port must be an access port prior
 dot1x port-control auto        ! to enable dot1x on the port
\end{txt}
netmgmt: Initial 802.1X section content 2017-06-01 19:55:40 +00:00			`\chapter{Net Mgmt}`

			`\section{Triple A\tsq{s}}`
Changed file structure 2017-06-01 18:41:55 +00:00
			`\myquote{}{Remember to log the details, too.}`

			`\xkcd{latitude}{Remember logging when necessary}`

			`\newpage`

			`\begin{itemize}`
			`\item \textbf{Authentication:}`
			`\begin{enumerate}`
			`\item Identify the user,`
			`\item Validate the user,`
			`\item Allow/Disallow user based upon credentials.`
			`\end{enumerate}`
			`\item \textbf{Authorization:}`
			`\begin{enumerate}`
			`\item Have defined levels of allowed operations/tasks divided into groups,`
			`\item Validate user-to-groups relations,`
			`\item Allow/Disallow user actions.`
			`\item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.`
			`\end{enumerate}`
			`\item \textbf{Accounting:}`
			`\begin{enumerate}`
			`\item Network nodes collect user and session information from start to end when connecting to a node,`
			`\item All information is transferred back to \gls{aaa} server,`
			`\item Transferred info can be leveraged for several purposes. Typically logged info is:`
			`\begin{itemize}`
			`\item session duration,`
			`\item user commands,`
			`\item disallowed commands`
			`\end{itemize}`
			`\end{enumerate}`
			`\end{itemize}`

			`\bigskip`

			`\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.`

			`\newpage`

			`\begin{table}[!ht]`
			`\centering`
			`\caption{Tacacs+ vs. Radius}`
			`\label{radiusversustacacsplus}`
			`\resizebox{\columnwidth}{!}{%`
			`\begin{tabular}{\|l\|l\|l\|l\|l\|}`
			`\hline`
			`\multicolumn{1}{\|c\|}{\textbf{Feature}} & \multicolumn{1}{c\|}{\textbf{RADIUS}} & \multicolumn{1}{c\|}{\textbf{TACACS+}} \\ \hline`
			`Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline`
			`Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline`
			`\gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline`
			`Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline`
			`Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline`
			`\end{tabular}%`
			`}`
			`\end{table}`

			`\newpage`

			`\section{RADIUS}`

			`\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}`

			`\begin{txt}`
			`radius server DK-RADIUS-SERVER`
			`address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813`
			`key unkn0wn!unic@st.\|.`
			`!`
			`aaa new-model`
			`aaa group server RADIUS`
			`server name DK-RADIUS-SERVER`
			`!`
			`aaa authentication login radius_list group RADIUS local`
			`!`
			`line vty 0-4`
			`login authentication radius_list`
			`line vty 5-15`
			`login authentication radius_list`
			`\end{txt}`

			`\newpage`

			`\section{TACACS+}`

			`\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}`

			`\begin{txt}`
			`aaa group server tacacs+ TACACS`
			`server-private 1.1.1.1 unkn0wn!unicAst`
			`ip tacacs source-interface Loopback0`
			`!`
			`aaa authentication attempts login 1`
			`aaa authentication login default group TACACS local-case`
			`aaa authentication login console local-case`
			`aaa authentication enable default group TACACS enable`
			`aaa authorization exec default group TACACS local`
			`aaa authorization commands 0 default group TACACS local`
			`aaa authorization commands 15 default group TACACS local`
			`aaa accounting exec default`
			`action-type start-stop`
			`group tacacs+`
			`!`
			`aaa accounting commands 1 default`
			`action-type start-stop`
			`group tacacs+`
			`!`
			`aaa accounting commands 2 default`
			`action-type start-stop`
			`group tacacs+`
			`!`
			`aaa accounting commands 15 default`
			`action-type start-stop`
			`group tacacs+`
			`!`
			`aaa session-id common`
			`!`
			`tacacs-server host 10.21.0.45`
			`tacacs-server unkn0wn!unicAst`
			`\end{txt}`
netmgmt: Initial 802.1X section content 2017-06-01 19:55:40 +00:00
			`\section{802.1X}`

			`802.1X deviates from standard \gls{aaa} used in network management by also providing support for:`
			`\begin{itemize}`
			`\item user mobility and`
			`\item user access control by way of governing policies.`
			`\end{itemize}`

Merge branch 'feature/802.1x' into develop 2017-06-01 21:47:05 +00:00			`\fig{8021x/8021x}{8021x}{ID Management}`

			`Based upon the user connecting to the network. They can be given access to`
			`\begin{itemize}`
			`\item the resources their group/identity have been assigned or`
			`\item put into a guest \gls{vlan} if nothing is assigned to them or`
			`\item simply block the client/user altogether.`
			`\end{itemize}`

			`Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.`

			`\begin{itemize}`
			`\item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation.`
			`\item The \textbf{authentication server}`
			`\end{itemize}`

			`\fig{8021X/portauth}{portauth}{802.1X Port Auth}`

			`802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.`

			`\clearpage`

			`\subsection*{Enable with Cisco config}`

			`\begin{txt}`
			`aaa new-model`
			`radius server host radiusserver.example.com key .unkown!unicAst.`
			`aaa group server radius RADIUS-SERVER-DK`
			`server radiusserver.example.com`
			`aaa authetication dot1x default group RADIUS-SERVER-DK`
			`dot1x system-auth-control`
			`interface GigabitEthernet 0/4`
			`switchport mode access ! Port must be an access port prior`
			`dot1x port-control auto ! to enable dot1x on the port`
			`\end{txt}`