Securing Switch Access

November 7, 2016 by Neel Rao

Filed under Network

Last modified November 7, 2016


Switch AAA

You can manage user activity to and through a switch with authentication, authorization, and accounting (AAA) features. AAA uses standardized methods to challenge users for their credentials before access is allowed or authorized. Accounting protocols can also record user activity on a switch.

Authentication

Switch or network access can be granted only after a user’s identity has been validated. User authentication is commonly used on switches and routers to limit Telnet access to the network administration staff. In this case, when someone uses Telnet to log on to a switch, that individual is first challenged with a username and password. The individual’s credentials are then submitted to a device that can grant the user access.

User authentication can be handled by several methods:

  • Usernames and passwords configured locally on the switch
  • One or more external Remote Authentication Dial-In User Service (RADIUS) servers
  • One or more external Terminal Access Controller Access Control System+ (TACACS+) servers.

Any combination of these methods can be used. In fact, authentication must be defined by grouping the desired methods into a method list. The list contains the types or protocols that will be used, in the sequential order that they will be tried.

To use authentication on a Catalyst switch, you must configure several things in the following order:

Step 1 Enable AAA on the switch.

By default, AAA is disabled. Therefore, all user authentication is handled locally, by configured usernames and passwords. To enable AAA, use the following global configuration command:

Switch(config)# aaa new-model

The new-model refers to the use of method lists, where authentication methods and sources can be grouped or organized. The new model is much more scalable than the “old model,” where the authentication source was explicitly configured.

Step 2 Define the source of authentication.

You can compare user credentials against locally configured usernames and passwords, or against a database managed by external RADIUS or TACACS+ servers.

Use locally configured usernames and passwords as a last resort, when no other authentication servers are reachable or in use on the network. To define a username, use the following global configuration command:

Switch(config)# username username password password

RADIUS or TACACS+ servers are defined in groups. First, define each server along with its secret shared password. This string is known only to the switch and the server and provides a key for encrypting the authentication session. Use one of the following global configuration commands:

Switch(config)# radius-server host {hostname | ip-address} [key string]

Switch(config)# tacacs-server host {hostname | ip-address} [key string]

Then, define a group name that will contain a list of servers, using the following global configuration command:

Switch(config)# aaa group server {radius | tacacs+} group-name

Define each server of the group type with the following server-group configuration command:

Switch(config)# server ip-address

You can define multiple RADIUS or TACACS+ servers by repeating these commands.

Step 3 Define a list of authentication methods to try.

You can define a list of switch login authentication methods under a descriptive name, or as the unnamed “default” list. List each method or protocol type in the order that it should be tried. If none of the servers for the first method respond, the switch tries the servers in the next method listed.

Use the following global configuration command to define a method list:

Switch(config)# aaa authentication login {default | list-name} method1 [method2 …]

Here, the methods refer to these values:

  • tacacs+—Each of the TACACS+ servers configured on the switch will be tried, in the order that it was configured.
  • radius—Each of the RADIUS servers configured on the switch will be tried, in the order that it was configured.
  • local—The user’s credentials will be compared against all of the username commands configured on the local switch.
  • line—The line passwords authenticate any connected user. No usernames can be used.

Step 4 Apply a method list to a switch line.

First, select a line (console or vty for Telnet access) using the line line command. Then, trigger the user authentication on that line to use an AAA method list. Use the following line configuration command:

Switch(config-line)# login authentication {default | list-name}

You can use the default method list if only one list is sufficient for all circumstances on the switch. Otherwise, if you have configured named method lists, you can reference one of them here.
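The four steps above, as one added configuration example (not from the original post): two TACACS+ servers are grouped and tried first, with a local username as the last-resort fallback, and the named method list is applied to the console and Telnet (vty) lines. The server addresses, the shared key, the group and list names and the local account are constructed placeholder values; the method list references the server group using the `group group-name` form shown later under Authorization.

```cisco
! Step 1: enable AAA so that method lists can be used
aaa new-model
!
! Step 2: authentication sources
! Local account - only consulted when no TACACS+ server answers.
! (IOS also offers "username NAME secret PASS", which stores a hash
! rather than the password itself; the page's "password" form is shown.)
username netadmin password ExampleLocalPass
!
! Each TACACS+ server with the shared secret known only to it and the switch
! (192.0.2.10, 192.0.2.11 and the key are constructed placeholders)
tacacs-server host 192.0.2.10 key ExampleSharedSecret
tacacs-server host 192.0.2.11 key ExampleSharedSecret
!
! Group the servers so a method list can reference them as a unit
aaa group server tacacs+ MGMT-TACACS
 server 192.0.2.10
 server 192.0.2.11
!
! Step 3: named method list - TACACS+ group first, then local usernames.
! Ending the list with "local" (never "none") keeps the switch reachable
! by an administrator if both servers are down.
aaa authentication login MGMT-LOGIN group MGMT-TACACS local
!
! Step 4: apply the list to the lines administrators actually log in on
line console 0
 login authentication MGMT-LOGIN
line vty 0 4
 login authentication MGMT-LOGIN
```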

Authorization

After a user is authenticated, the switch allows access to certain services or switch commands based on the user’s privilege level. Authenticating puts the user at the EXEC level, by default. Certain commands, such as show interface, are available at the EXEC level. Other commands, such as configure terminal, are accessible only if the user is able to move into the privileged EXEC or “enable” mode.

Authorization provides a means to grant specific users the ability to perform certain tasks. Like authentication, authorization is performed by querying external RADIUS or TACACS+ servers. If the authorization server has an entry for a user and a service or command, the switch allows the user to perform that task.

You configure authorization by first defining any RADIUS or TACACS+ servers that will be used. These are normally defined as part of the authentication configuration and do not need to be redefined for authorization.

Next, define a method list of authorization methods that will be tried in sequence using the following global configuration command:

Switch(config)# aaa authorization {commands | config-commands | configuration | exec | network | reverse-access} {default | list-name} method1 [method2 …]

Here, you specify the function or service needing authorization with one of the following values:

  • commands—The server must return permission to use any switch command at any privilege level.
  • config-commands—The server must return permission to use any switch configuration command.
  • configuration—The server must return permission to enter the switch configuration mode.
  • exec—The server must return permission for the user to run a switch EXEC session. The server can also return the privilege level for the user so that the user can immediately be put into the privileged EXEC (“enable”) mode without having to type in the enable command.
  • network—The server must return permission to use network-related services.
  • reverse-access—The server must return permission for the user to access a reverse Telnet session on the switch.

You can identify the method with a descriptive name (list-name), if you are configuring more than one list. Otherwise, a single unnamed list is called the default list. Each authorization method is then listed in the order it will be tried. The methods can be any of the following values:

  • group group-name—Requests are sent to the servers in a specific group.
  • group {radius | tacacs+}—Requests are sent to all servers of this type.
  • if-authenticated—Requests are granted if the user is already authenticated.
  • none—No external authorization is used; every user is successfully authorized.

Next, you can apply an authorization method list to a specific line on the switch. Users accessing the switch through that line will be subject to authorization. Use the following line configuration command:

Switch(config-line)# authorization {commands level | exec | reverse-access} {default | list-name}

If you do not use this command, the default method list will be used for all lines.

Accounting

Catalyst switches also support the capability to use AAA for producing accounting information of user activity. RADIUS and TACACS+ servers can also collect this accounting information from switches, if wanted. Again, the RADIUS and TACACS+ servers must already be configured and grouped as part of the authentication configuration.

As usual, you must define a method list giving a sequence of accounting methods by using the following global configuration command:

Switch(config)# aaa accounting {system | exec | commands level} {default | list-name} {start-stop | stop-only | wait-start | none} method1 [method2 …]

The function triggering the accounting can be one of the following:

  • system—Major switch events such as a reload will be recorded.
  • exec—User authentication into an EXEC session is recorded, along with information about the user’s address and the time and duration of the session.
  • commands level—Information about any command running at a specific privilege level is recorded, along with the user that issued the command.

You can specify that certain types of accounting records be sent to the accounting server using the following keywords:

  • start-stop—Events are recorded when they start and stop.
  • stop-only—Events are recorded only when they stop.
  • none—No events are recorded.

Next, you can apply an accounting method list to a specific line on the switch. Users accessing the switch through that line will have their activity recorded. Use the following line configuration command to accomplish this:

Switch(config-line)# accounting {commands level | connection | exec} {default | list-name}

If you do not use this command, the default method list will be used for all lines.
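The Authorization and Accounting sections together, as an added example that is not part of the original post. It assumes a TACACS+ server group named MGMT-TACACS already defined during authentication; the list names are constructed. The exec list falls back to if-authenticated so that an administrator who authenticated against the local fallback account still gets a shell when the servers are unreachable; command authorization has no fallback, so level-15 commands are denied while the servers are down.

```cisco
! Authorization: the server decides whether the user gets an EXEC session
! (and may hand back a privilege level) and whether each level-15 command
! is permitted. No list ends in "none", which would authorize everyone.
aaa authorization exec MGMT-EXEC group MGMT-TACACS if-authenticated
aaa authorization commands 15 MGMT-CMDS group MGMT-TACACS
!
! Accounting: EXEC sessions are reported when they start and stop;
! level-15 commands are reported once they have completed (stop-only).
aaa accounting exec MGMT-ACCT start-stop group MGMT-TACACS
aaa accounting commands 15 MGMT-ACCT stop-only group MGMT-TACACS
!
! Apply the lists to the Telnet (vty) lines; the console keeps the
! default lists unless the same commands are added under "line console 0".
line vty 0 4
 authorization exec MGMT-EXEC
 authorization commands 15 MGMT-CMDS
 accounting exec MGMT-ACCT
 accounting commands 15 MGMT-ACCT
```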

Port Security

In some environments, a network must be secured by controlling what stations can gain access to the network itself. Where user workstations are stationary, their MAC addresses can always be expected to connect to the same access layer switch ports. If stations are mobile, their MAC addresses can be dynamically learned or added to a list of addresses to expect on a switch port.

Catalyst switches offer the port security feature to control port access based on MAC addresses. To configure port security on an access layer switch port, begin by enabling it with the following interface configuration command:

Switch(config-if)# switchport port-security

Next, you must identify a set of allowed MAC addresses so that the port can grant them access. You can explicitly configure addresses or they can be dynamically learned from port traffic. On each interface that uses port security, specify the maximum number of MAC addresses that will be allowed access using the following interface configuration command:

Switch(config-if)# switchport port-security maximum max-addr

By default, only one MAC address will be allowed access on each switch port. You can set the maximum number of addresses in the range of 1 to 1024.

Each interface using port security dynamically learns MAC addresses by default. MAC addresses are learned as hosts transmit frames on an interface. The interface learns up to the maximum number of addresses allowed. Learned addresses can also be aged out of the table if those hosts are silent for a period of time. By default, no aging occurs.

You can also statically define one or more MAC addresses on an interface. Any of these addresses are allowed to access the network through the port. Use the following interface configuration command to define a static address:

Switch(config-if)# switchport port-security mac-address mac-addr

The MAC address is given in dotted-triplet format. If the number of static addresses configured is less than the maximum number of addresses secured on a port, the remaining addresses are dynamically learned. So, be sure to set the maximum number appropriately.

Finally, you must define how each interface using port security should react if a MAC address is in violation by using the following interface configuration command:

Switch(config-if)# switchport port-security violation {shutdown | restrict | protect}
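The port security commands above combined into an added example (not from the original post) for two kinds of access port: a fixed station whose single MAC address is configured statically, and a hot desk where up to two addresses are learned from traffic. The interface names and the MAC address are constructed values. Port security is only accepted on a port that is explicitly in access mode, so the example sets that first.

```cisco
! Fixed workstation: exactly one known station may use this port.
! A frame from any other source MAC is a violation and the port is
! shut down (err-disabled) until an administrator re-enables it.
interface GigabitEthernet1/0/10
 description Fixed workstation - single static MAC
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! Hot desk: the first two MAC addresses seen are learned and allowed.
! Because no static address is set, both of the permitted addresses are
! learned dynamically. "restrict" drops frames from further addresses and
! counts them, without taking the port down.
interface GigabitEthernet1/0/11
 description Hot desk - up to two dynamically learned MACs
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
```

The learned and static addresses, the violation mode and the violation count for a port can be checked with `show port-security interface GigabitEthernet1/0/10`.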

By N.R.Rao

For SkyBird Technology Solutions Pvt Ltd.
