
Centralized Authentication for network devices with AAA server (Radius) and IAS

Why should I have centralized authentication? Or why should I integrate Active Directory with an AAA router?

Of course, management becomes very easy. This is not a full integration of AD and AAA; what we do here is use the Active Directory user database for router and switch access. You also no longer need to log in to every router and switch just to change a password. To have centralized authentication for all the network devices, we configured Internet Authentication Service (IAS) on our Domain Controller to act as a RADIUS server. Using IAS we can build a centralized authentication server for all the network devices in both the Backbone and Master setups. The AAA client must also be configured on every network device so that it can communicate with the IAS server.

What if my RADIUS server fails?

In this blog post I will also cover the backup authentication method. If your RADIUS server fails, your routers and switches can still use their local database to authenticate users. The picture below gives a better idea.



Installation of IAS Service and configuration in Win2k3

Follow these steps to install Internet Authentication Service on your Windows Server 2003 server.
  1. Log in as an administrator.
  2. Go to Start | Control Panel, and double-click the Add or Remove Programs applet.
  3. Click Add/Remove Windows Components.
  4. In the Windows Components Wizard, click Networking Services, and click Details.
  5. In the Networking Services dialog box, select Internet Authentication Service, click OK, and click Next.
  6. The system may prompt you to insert your Windows Server 2003 CD, so have it handy.
  7. After IAS is installed, click Finish, and then Close.
  8. Then open IAS from Administrative Tools.

How to add a RADIUS client in IAS?




Now we need to add a RADIUS client. Follow these steps:

  1. In the left pane, right-click RADIUS Clients, and select New RADIUS Client.
  2. In the New RADIUS Client dialog box, as shown in the figure below, enter a display name for the client (i.e., your router or switch). I suggest using the router's hostname.
  3. Enter the LAN IP address of the client.
  4. Click Next, and select Cisco for the Client-Vendor.
  5. Enter a password (called a key on a router or switch) that the two devices will share for the authentication process. For this example, I used XX as my test password.
  6. Click Finish. 


Create Remote Access Policy in IAS

Next, we need to create a remote access policy. Follow these steps:
  1. In the Internet Authentication Service window, click Remote Access Policies in the left pane.
  2. In the right pane, right-click the default policy, and select Delete.
  3. Right-click inside the right pane, and select New Remote Access Policy.
  4. In the Remote Access Policy Wizard, click Next.
  5. Click Set Up A Custom Policy, name it IMSA (for example), and click Next.
  6. Click Add, select Windows-Groups, and click Add, as shown in the image below.


  7. Enter whatever group name you want to use. In this example, we're using a local Windows server group. You can also use a Windows AD group, which, of course, is preferable. The image below shows the Groups dialog box with the Senthil_Test group listed.



  8. Select the new group, and click OK. This takes you to the Policy Conditions screen of the New Remote Access Policy Wizard, as shown in the image below.



  9. Click Next, select Grant Remote Access Permission, and click Next.
  10. Click Edit Profile, and select the Authentication tab.
  11. Deselect all check boxes; select only the Unencrypted Authentication (PAP/SPAP) check box, as shown in the image below, and click OK.


  12. Next, select the Advanced tab.
  13. Select Service-Type, and click Edit.
  14. In the Enumerable Attribute Information dialog box, select Login from the Attribute Value drop-down list, as shown in the following image, and click OK.


  15. Back on the Advanced tab, select Framed-Protocol, and click Remove. The image below displays the resulting dialog box.


  16. All you have to do now is click OK. The system will likely ask if you want to view Help topics, as shown in the following image.


  17. We're almost there. Click Next, click Finish, and that's it!

How to configure AAA in a Cisco router?

Enable AAA

Log in to the router as a privilege 15 user.
(config)# aaa new-model
The above command enables AAA on the network device.

Configure RADIUS server details
(config)# radius-server host 10.56.245.32 auth-port 1645 acct-port 1646 key KEY1
In the above command you specify the RADIUS server IP, the authentication and accounting ports, and the shared key. The key must match the shared secret you entered for this client in IAS.
(config)# ip radius source-interface Vlan1
The ip radius source-interface command sets the interface whose address the router uses as the source when it communicates with the RADIUS server.

Configure AAA fallback to the local database of the router
(config)# aaa authentication login LIST1 group radius local
In the above command you specify the authentication list name (LIST1 in our case) and the user database to fall back to.

Creating a local user
I suggest configuring a local username/password in case the RADIUS server is ever unavailable and you need to access your network device. Because we used the login authentication methods radius and then local, the router will fall back to the local user database if the RADIUS server ever goes down. Here's how to configure a local user:
(config)# username ops privilege 15 secret secretpass1
(config)# ip domain-name blogg.com
We also have to specify the domain name with the ip domain-name command. This also acts as the name server.

Configure line connections to use AAA
Enter line configuration mode with the command below.
(config)# line vty 0 4
Now use the command below to tell the router to use AAA authentication for telnet and SSH connections.
(config-line)# login authentication LIST1
That's all. Now all you have to do is verify the settings by testing the items below.
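To make the exchange behind the radius-server host ... key KEY1 line and the PAP choice in the IAS profile concrete, here is an added Python model of both ends of a RADIUS PAP login (example code written for this post, not from the original, Cisco or Microsoft). The router hides the password under the shared key and a random Request Authenticator, the server recovers it with its own copy of the key and signs its verdict, and the router trusts only a verdict whose Response Authenticator checks out, which is why a key mismatch between router and IAS shows up as rejected logins. The user name, password and NAS address 10.56.245.1 are constructed values.

```python
import hashlib
import os
import struct

# RFC 2865 codes and attribute types (Service-Type value 1 = Login, as set in IAS above).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6

def xor_password(data, secret, authenticator, hiding):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    data += b"\x00" * (-len(data) % 16)          # NUL-pad the cleartext
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ k for a, k in zip(data[i:i + 16], key))
        prev = block if hiding else data[i:i + 16]   # always chain on ciphertext
        out += block
    return out if hiding else out.rstrip(b"\x00")

def attr(t, value):
    return struct.pack("!BB", t, len(value) + 2) + value

def build_access_request(ident, user, password, nas_ip, secret):
    """The Access-Request the router sends to IAS for a PAP login on a vty line."""
    ra = os.urandom(16)                          # Request Authenticator
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, xor_password(password.encode(), secret, ra, True))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(SERVICE_TYPE, struct.pack("!I", 1)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def server_reply(packet, secret, users):
    """IAS side: recover the password with its own copy of the key, check the
    user store, and sign the reply: MD5(Code+ID+Len+RequestAuth+Attrs+Secret)."""
    ident, length = packet[1], struct.unpack("!H", packet[2:4])[0]
    ra, attrs, i = packet[4:20], {}, 20
    while i < length:                            # walk the TLV attribute list
        attrs[packet[i]] = packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    pw = xor_password(attrs[USER_PASSWORD], secret, ra, False)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME].decode()) == pw else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + ra + secret).digest()

def nas_accepts(reply, request, secret):
    """Router side: trust the verdict only if the authenticator used the same key."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[0] == ACCESS_ACCEPT and reply[4:20] == expected
```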

Testing AD User Login

Try to telnet to any of the AAA clients.

When it prompts for a username, enter your domain controller credentials (blogg domain) and press Enter.

You will be in privileged EXEC mode on the router.


Testing Fallback Support of AAA in a Cisco Router

There are cases where your network device might lose connectivity to your IAS server. In that case you should also have a fallback so that you can log in with a local database user and start configuring your device.

I stopped the IAS service to test this fallback by going to Services.msc on the IAS server.

Later I tried to log in to one of the AAA clients. The image below shows this.


Now the local user ops is able to log in even though the IAS service is stopped. Thanks for visiting. Please post your doubts in the comment box.

