Pierky’s Blog

mostly a system and network engineer’s repository

Archive for September, 2009

Cisco IOS configuration management using SCP and pscp

Posted by pierky on September 28, 2009

SCP is a powerful tool introduced in IOS 12.2(2)T which allows us to securely transfer files to and from our routers. With this feature we can transfer files, images and configurations in an encrypted way, and we can also authenticate accesses on the routers.

It’s easy to deploy, easy to use and Cisco recommends to use it in the Guide to Harden Cisco IOS Devices too: why do not use it?! :)

It relays on SSH and AAA, so both features have to be enabled on the device:

Router(config)#hostname R1
R1(config)#crypto key generate rsa general-keys modulus 512
The name for the keys will be: R1.mydomain

% The key modulus size is 512 bits
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]
R1(config)#
R1(config)#aaa new-model
R1(config)#aaa authentication login default local
R1(config)#aaa authorization exec default local

In order to use scp to manage configuration we must have an user account with enough privileges to access it:

R1(config)#
R1(config)#username admin privilege 15 secret 0 topsecret

Finally, we can turn the scp server on:

R1(config)#ip scp server enable

On the client side we can use an utility such as pscp, from the PuTTY suite, to interact with our SCP server – the router!

C:\>pscp.exe
PuTTY Secure Copy client
Release 0.59
Usage: pscp [options] [user@]host:source target
       pscp [options] source [/source] [user@]host:target
       pscp [options] -ls [user@]host:filespec
[cut]

For example, we can download the startup-config and put it on a directory:

C:\>pscp.exe admin@192.168.0.42:nvram:startup-config C:\MyConfigs\R1.cfg
admin@192.168.0.42's password:
R1.cfg                    | 0 kB |   0.6 kB/s | ETA: 00:00:00 | 100%

C:\>

Using an integrated AAA system, such as a Radius based AAA with IAS and Active Directory as backend, we can also omit the username part and use our own domain password!

Dear TFTP & Co., it’s time for retirement!

References

Cisco.com: Cisco Guide to Harden Cisco IOS Devices

Cisco.com: Cisco Secure Copy (SCP) Feature Guide – 12.2T

PuTTY: PuTTY: A Free Telnet/SSH Client

Posted in Networking | Tagged: , , , , | 2 Comments »

Different policies in Cisco RADIUS AAA

Posted by pierky on September 18, 2009

These days I had to implement centralized terminal authentication on a few Cisco routers using aaa new-model and RADIUS.

The solution in its own was pretty simple: it was based on the usual Microsoft IAS (Internet Authentication Service) which was integrated in an Active Directory domain.

The interesting aspect is that those routers were under different administrative controls, so some users had to be granted access on a part of them and denied on other. Let’s say Group1 had to be enabled on routers RA, RB and RC, while Group2 on routers RD, RE and RF.

Solution adopted

In order to achieve this goal we may use a lot of solutions, but most of them are quite unscalable, because we have to map each router to the specific policy.

To obtain a good degree of scalability we may use the radius-server attribute 32 include-in-access-req command. This command tells IOS to append the NAS-Identifier attribute in the RADIUS authentication request message, and let us to set a format for its value:

RA(config)#radius-server attribute 32 include-in-access-req format ?
  LINE  A string where %i = IP address and %h = hostname, %d = domain name

For example, we can prepend the router’s hostname with a “tag” to distinguish the owner group:

Group1 routers:

RA(config)#radius-server attribute 32 include-in-access-req format Group1-%h
RB(config)#radius-server attribute 32 include-in-access-req format Group1-%h
RC(config)#radius-server attribute 32 include-in-access-req format Group1-%h

Group2 routers:

RD(config)#radius-server attribute 32 include-in-access-req format Group2-%h
RE(config)#radius-server attribute 32 include-in-access-req format Group2-%h
RF(config)#radius-server attribute 32 include-in-access-req format Group2-%h

IAS policy filtered by NAS-Identifier attributeFinally we can create two policies in IAS to handle the incoming authentication requests, by filtering them on the basis of NAS-Identifier attribute.
On the NAS-Identifier filter, we can use a star (“*”) to match any character which follows the router’s “tag”. Once we matched the router’s tag, we bind it to the right Active Directory group. Please take a look at the picture for details.

References

Cisco.com: Cisco IOS Security Command Reference, Release 12.3 T

Cisco.com: Command Lookup Tool

PacketLife.net Blog: Seven free ways to improve your network’s security

Kpjungle’s Weblog: Authentication by Radius on a Cisco device

Posted in Networking | Tagged: , , , | Leave a Comment »