From 6b35616aff4cf8a4bee61e79746a9255de899760 Mon Sep 17 00:00:00 2001
From: chhan11
Date: Mon, 5 Jun 2017 20:20:11 +0200
Subject: [PATCH] Moved content of networkmgmt.tex to mgmt.tex
---
chapter/mgmt.tex | 167 +++++++++++++++++++++++++++++++++++++++-
chapter/networkmgmt.tex | 166 --------------------------------------
main.tex | 1 -
3 files changed, 166 insertions(+), 168 deletions(-)
delete mode 100644 chapter/networkmgmt.tex
diff --git a/chapter/mgmt.tex b/chapter/mgmt.tex
index 86da597..37bc983 100644
--- a/chapter/mgmt.tex
+++ b/chapter/mgmt.tex
@@ -152,7 +152,172 @@ Other things can go wrong, too. Such as
 \subsection[ERSPAN]{Encapsulated Remote Switch Port Analyzer}
-\chapter[Mgmt]{Management}
+\chapter[Mgmt]{Network Management}
+
+\section{Triple A\tsq{s}}
+
+\myquote{}{Remember to log the details, too.}
+
+\xkcd{latitude}{Remember logging when necessary}
+
+\newpage
+
+\begin{itemize}
+ \item \textbf{Authentication:}
+ \begin{enumerate}
+ \item Identify the user,
+ \item Validate the user,
+ \item Allow/Disallow user based upon credentials.
+ \end{enumerate}
+ \item \textbf{Authorization:}
+ \begin{enumerate}
+ \item Have defined levels of allowed operations/tasks divided into groups,
+ \item Validate user-to-groups relations,
+ \item Allow/Disallow user actions.
+ \item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
+ \end{enumerate}
+ \item \textbf{Accounting:}
+ \begin{enumerate}
+ \item Network nodes collect user and session information from start to end when connecting to a node,
+ \item All information is transferred back to \gls{aaa} server,
+ \item Transferred info can be leveraged for several purposes. Typically logged info is:
+ \begin{itemize}
+ \item session duration,
+ \item user commands,
+ \item disallowed commands
+ \end{itemize}
+ \end{enumerate}
+\end{itemize}
+
+\bigskip
+
+\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.
+
+\newpage
+
+\begin{table}[!ht]
+ \centering
+ \caption{Tacacs+ vs. 
Radius}
+ \label{radiusversustacacsplus}
+ \resizebox{\columnwidth}{!}{%
+ \begin{tabular}{|l|l|l|l|l|}
+ \hline
+ \multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
+ Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
+ Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
+ \gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
+ Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
+ Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
+ \end{tabular}%
+ }
+\end{table}
+
+\newpage
+
+\section{RADIUS}
+
+\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
+
+\begin{txt}
+ radius server DK-RADIUS-SERVER
+ address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
+ key unkn0wn!unic@st.|.
+ !
+ aaa new-model
+ aaa group server RADIUS
+ server name DK-RADIUS-SERVER
+ !
+ aaa authentication login radius_list group RADIUS local
+ !
+ line vty 0-4
+ login authentication radius_list
+ line vty 5-15
+ login authentication radius_list
+\end{txt}
+
+\newpage
+
+\section{TACACS+}
+
+\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
+
+\begin{txt}
+ aaa group server tacacs+ TACACS
+ server-private 1.1.1.1 unkn0wn!unicAst
+ ip tacacs source-interface Loopback0
+ ! 
+ aaa authentication attempts login 1
+ aaa authentication login default group TACACS local-case
+ aaa authentication login console local-case
+ aaa authentication enable default group TACACS enable
+ aaa authorization exec default group TACACS local
+ aaa authorization commands 0 default group TACACS local
+ aaa authorization commands 15 default group TACACS local
+ aaa accounting exec default
+ action-type start-stop
+ group tacacs+
+ !
+ aaa accounting commands 1 default
+ action-type start-stop
+ group tacacs+
+ !
+ aaa accounting commands 2 default
+ action-type start-stop
+ group tacacs+
+ !
+ aaa accounting commands 15 default
+ action-type start-stop
+ group tacacs+
+ !
+ aaa session-id common
+ !
+ tacacs-server host 10.21.0.45
+ tacacs-server unkn0wn!unicAst
+\end{txt}
+
+\section{802.1X}
+
+802.1X deviates from standard \gls{aaa} used in network management by also providing support for:
+\begin{itemize}
+ \item user mobility and
+ \item user access control by way of governing policies.
+\end{itemize}
+
+\fig{8021x/8021x}{8021x}{ID Management}
+
+Based upon the user connecting to the network. They can be given access to
+\begin{itemize}
+ \item the resources their group/identity have been assigned or
+ \item put into a guest \gls{vlan} if nothing is assigned to them or
+ \item simply block the client/user altogether.
+\end{itemize}
+
+Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.
+
+\begin{itemize}
+ \item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation. 
+ \item The \textbf{authentication server}
+\end{itemize}
+
+\fig{8021X/portauth}{portauth}{802.1X Port Auth}
+
+802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
+
+\clearpage
+
+\subsection*{Enable with Cisco config}
+
+\begin{txt}
+ aaa new-model
+ radius server host radiusserver.example.com key .unkown!unicAst.
+ aaa group server radius RADIUS-SERVER-DK
+ server radiusserver.example.com
+ aaa authetication dot1x default group RADIUS-SERVER-DK
+ dot1x system-auth-control
+ interface GigabitEthernet 0/4
+ switchport mode access ! Port must be an access port prior
+ dot1x port-control auto ! to enable dot1x on the port
+\end{txt}
 \section[Network Mgmt]{Network Management}
diff --git a/chapter/networkmgmt.tex b/chapter/networkmgmt.tex
deleted file mode 100644
index 3cf5203..0000000
--- a/chapter/networkmgmt.tex
+++ /dev/null
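Review bot: Two of the moved CLI examples are not valid IOS syntax as written: the last line of the TACACS+ `txt` block, `tacacs-server unkn0wn!unicAst`, is missing the `key` keyword, and the 802.1X block under `\subsection*{Enable with Cisco config}` has `aaa authetication dot1x ...` with "authentication" misspelled, so a reader copying either snippet gets a parser error rather than a working AAA setup. Suggested lines: `tacacs-server key unkn0wn!unicAst` and `aaa authentication dot1x default group RADIUS-SERVER-DK`; the `radius server host radiusserver.example.com key ...` line in the same block also appears to mix the legacy `radius-server host` form with the named-server form used in the RADIUS section, which is worth confirming against the platform the notes target. The RADIUS, TACACS+ and 802.1X snippets all carry shared secrets and a concrete server address (`10.21.0.45`) as literals; since this is reference material, replacing them with an obvious placeholder such as `<shared-secret>` and `<tacacs-server-ip>` keeps them from being pasted into real configurations. The `\item The \textbf{authentication server}` bullet was moved over with no description of that role, and with the chapter now titled `\chapter[Mgmt]{Network Management}` the trailing context line `\section[Network Mgmt]{Network Management}` repeats the chapter title; the chapter body continues past the end of the hunk.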
@@ -1,166 +0,0 @@
-\chapter{Net Mgmt}
-
-\section{Triple A\tsq{s}}
-
-\myquote{}{Remember to log the details, too.}
-
-\xkcd{latitude}{Remember logging when necessary}
-
-\newpage
-
-\begin{itemize}
- \item \textbf{Authentication:}
- \begin{enumerate}
- \item Identify the user,
- \item Validate the user,
- \item Allow/Disallow user based upon credentials.
- \end{enumerate}
- \item \textbf{Authorization:}
- \begin{enumerate}
- \item Have defined levels of allowed operations/tasks divided into groups,
- \item Validate user-to-groups relations,
- \item Allow/Disallow user actions.
- \item On network gear the Allow/Disallowed actions can be stored on either the central \gls{aaa} server or locally\footnote{May not apply to all network gear} in the network node.
- \end{enumerate}
- \item \textbf{Accounting:}
- \begin{enumerate}
- \item Network nodes collect user and session information from start to end when connecting to a node,
- \item All information is transferred back to \gls{aaa} server,
- \item Transferred info can be leveraged for several purposes. Typically logged info is:
- \begin{itemize}
- \item session duration,
- \item user commands,
- \item disallowed commands
- \end{itemize}
- \end{enumerate}
-\end{itemize}
-
-\bigskip
-
-\textbf{Obvious} benefits by using the \gls{aaa} is scalability, increased flexibility and granularity of assigned rights, standardization, having failover by using multiple triple a\tsq{s} server\footnote{Cisco devices uses the descending order in which \gls{aaa} servers are configured on the node}.
-
-\newpage
-
-\begin{table}[!ht]
- \centering
- \caption{Tacacs+ vs. 
Radius}
- \label{radiusversustacacsplus}
- \resizebox{\columnwidth}{!}{%
- \begin{tabular}{|l|l|l|l|l|}
- \hline
- \multicolumn{1}{|c|}{\textbf{Feature}} & \multicolumn{1}{c|}{\textbf{RADIUS}} & \multicolumn{1}{c|}{\textbf{TACACS+}} \\ \hline
- Developer & \begin{tabular}[c]{@{}l@{}}Livington Enterprise\\ (now industry standard)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Cisco\\ (proprietary)\end{tabular} \\ \hline
- Transport protocol & UDP ports 1812-1813 & TCP port 49 \\ \hline
- \gls{aaa} support & \begin{tabular}[c]{@{}l@{}}Combines authentication\\ and authorization and \\ separate accounting\end{tabular} & \begin{tabular}[c]{@{}l@{}}Uses the \gls{aaa}\\ model and sep-\\ arates all three\\ services\end{tabular} \\ \hline
- Challange response & \begin{tabular}[c]{@{}l@{}}One-way, unidirectional\\ (single challenge response)\end{tabular} & \begin{tabular}[c]{@{}l@{}}Two-way, bidirec-\\ tional (multiple\\ challenge responses)\end{tabular} \\ \hline
- Security & \begin{tabular}[c]{@{}l@{}}Encrypts only the password\\ in the packet\end{tabular} & \begin{tabular}[c]{@{}l@{}}Encrypt the entire\\ packet body\end{tabular} \\ \hline
- \end{tabular}%
- }
-\end{table}
-
-\newpage
-
-\section{RADIUS}
-
-\fig{radius/radiuscommunication}{radiuscommunication}{Radius handshake and communication}
-
-\begin{txt}
-radius server DK-RADIUS-SERVER
- address ipv4 radiusserver.example.com auth-port 1812 acct-port 1813
- key unkn0wn!unic@st.|.
-!
-aaa new-model
-aaa group server RADIUS
- server name DK-RADIUS-SERVER
-!
-aaa authentication login radius_list group RADIUS local
-!
-line vty 0-4
- login authentication radius_list
-line vty 5-15
- login authentication radius_list
-\end{txt}
-
-\newpage
-
-\section{TACACS+}
-
-\fig{tacacsplus/tacacspluscommunication}{tacacspluscommunication}{Tacacs plus handshake and communication}
-
-\begin{txt}
-aaa group server tacacs+ TACACS
-server-private 1.1.1.1 unkn0wn!unicAst
-ip tacacs source-interface Loopback0
-! 
-aaa authentication attempts login 1
-aaa authentication login default group TACACS local-case
-aaa authentication login console local-case
-aaa authentication enable default group TACACS enable
-aaa authorization exec default group TACACS local
-aaa authorization commands 0 default group TACACS local
-aaa authorization commands 15 default group TACACS local
-aaa accounting exec default
- action-type start-stop
- group tacacs+
-!
-aaa accounting commands 1 default
- action-type start-stop
- group tacacs+
-!
-aaa accounting commands 2 default
- action-type start-stop
- group tacacs+
-!
-aaa accounting commands 15 default
- action-type start-stop
- group tacacs+
-!
-aaa session-id common
-!
-tacacs-server host 10.21.0.45
-tacacs-server unkn0wn!unicAst
-\end{txt}
-
-\section{802.1X}
-
-802.1X deviates from standard \gls{aaa} used in network management by also providing support for:
-\begin{itemize}
- \item user mobility and
- \item user access control by way of governing policies.
-\end{itemize}
-
-\fig{8021x/8021x}{8021x}{ID Management}
-
-Based upon the user connecting to the network. They can be given access to
-\begin{itemize}
- \item the resources their group/identity have been assigned or
- \item put into a guest \gls{vlan} if nothing is assigned to them or
- \item simply block the client/user altogether.
-\end{itemize}
-
-Cisco switches allow by default only the following 3 protos until the client is authenticated: \gls{eapol}, \gls{cdp}, \gls{stp} traffic to pass.
-
-\begin{itemize}
- \item The \textbf{authenticator\footnote{Network node}} is the edge node/\gls{ap} closest to the client/user. This node controls the clients physical access to the network. The node sends encapsulated \gls{eap} frames to the authentication server by radius for validation. 
- \item The \textbf{authentication server}
-\end{itemize}
-
-\fig{8021X/portauth}{portauth}{802.1X Port Auth}
-
-802.1X can be enabled on a Cisco switch globally by \cliline{dot1x system-auth-control} and \textit{then} enabled on the switch port{\footnotesize (s)} by \cliline{aaa authentication dot1x}.
-
-\clearpage
-
-\subsection*{Enable with Cisco config}
-
-\begin{txt}
-aaa new-model
-radius server host radiusserver.example.com key .unkown!unicAst.
-aaa group server radius RADIUS-SERVER-DK
- server radiusserver.example.com
-aaa authetication dot1x default group RADIUS-SERVER-DK
-dot1x system-auth-control
-interface GigabitEthernet 0/4
- switchport mode access ! Port must be an access port prior
- dot1x port-control auto ! to enable dot1x on the port
-\end{txt}
diff --git a/main.tex b/main.tex
index 5554703..047ebf7 100644
--- a/main.tex
+++ b/main.tex
@@ -29,7 +29,6 @@
 \include{chapter/layer3}
 \include{chapter/dhcp}
 \include{chapter/fhrp}
-\include{chapter/networkmgmt}
 \include{chapter/ntp}
 \include{chapter/mgmt}
 \include{chapter/internet}