
Authorization and Authentication

AAA (Authentication, Authorization, Accounting) is the term used to describe the process of granting access and controlling it.

  • Authentication - matching a person (a request) against an existing account in the security system. Implemented by login and password or by certificate.
  • Authorization (credentials, verification of the access level) - matching the account in the system (and the person that passed authentication) against an access level. In EcoRouter users are provided with several predefined levels of access to system commands.
  • Accounting - monitoring the consumption of resources (especially network resources) by the user. Accounting also includes recording the facts of gaining access to the system (access logs).

Entering the system

When connecting to the EcoRouter management console, the user is prompted to enter a username and password matching one of the user accounts in the system.

By default there is an admin account with the administrator role (admin) and the password admin.

After verification, the console displays the system version and the command prompt, which shows the hostname ("ecorouter" in the example) and the icon of the user console mode ('>' in the example).

Example:

<<< EcoRouter 3.2.0.21.6870-develop-d7b28a2 (x86_64) - ttyS0 >>>
 
ecorouter login: admin
Password:
 
User Access Verification

EcoRouterOS version 3.2.0 EcoRouter 06/29/16 15:35:53
ecorouter>

Access levels

User roles are used to differentiate access levels in EcoRouter.
The following roles are preset:

Role       Description     Console modes
admin      Administrator   user, administration, configuration
noc        Auditor         user, administration
helpdesk   Support         user

A different set of commands is available for each role.

See the Command Reference for a full list of commands for each role.

In administrative mode use the show role command to see full information about all commands and modes available for each role.

The three preset roles cannot be edited. One can create a new role with all the parameters needed.

In configuration mode use the role <NAME> [based-on {admin | noc | helpdesk}] command to create a new role. The new role name <NAME> is a mandatory parameter. Executing the plain role <NAME> command creates a new role that contains no rights. Alternatively, a role can be created on the basis of a preset role, in which case all of the preset role's commands and modes are copied into the new role. The first variant is more suitable when a role with a short list of commands is needed. The second one (based on a preset role) is more suitable when a role with a long list of commands is needed, or a list of commands that differs only slightly from one of the preset roles.

In configuration mode use the same role <NAME> command to edit an existing role.

In the role context editing mode use the description <DESCRIPTION> command to add a description.

Use the permit {config | context-config | enable-exec | user-exec} <COMMAND> command to make a command available and the no permit {config | context-config | enable-exec | user-exec} <COMMAND> command to prohibit access to the specified command. By default, every command that is not listed as available is prohibited for the role. The command syntax has two mandatory parameters. The first one indicates the CLI mode in which the command is allowed or prohibited for the specific role (access level), where:

  • config - configuration mode;
  • context-config - context configuration mode;
  • enable-exec - administrative mode;
  • user-exec - user mode.

The second mandatory parameter in the command syntax is the command name <COMMAND>. If the command name consists of two or more words, for example banner motd, it is enough to specify only the first word (banner). When a command is added to a role, the same command with the no and do prefixes (the reverse command and the command enabling it in configuration mode) is added automatically. When a command is deleted, access to its reverse command and to enabling it in configuration mode (the no and do prefixes) is prohibited too. For this reason it is not recommended to add commands with prefixes to the list!

To add or delete several commands, each one must be entered with a separate permit command on its own line.

See an example:

ecorouter(config)# role myrole 
ecorouter(config-role)# permit enable-exec copy
ecorouter(config-role)# no permit enable-exec copy

ATTENTION: some commands cannot be added to a role (they are available only in the preset admin role). Read more about this in the Command Reference section.

In configuration mode use the no role <NAME> command to delete a role.

ATTENTION! All changes and additions to roles and users are applied in the system only after the write command.
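The role semantics described above, modelled in Python as an added example (this is not EcoRouter code): permissions are recorded per CLI mode by the command's first word, permitting a command implicitly grants its no and do forms, and based-on starts from a copy of a preset role. The admin command list here is a constructed stand-in, and treating several roles held by one user as a union is an assumption.

```python
from copy import deepcopy

# The four CLI modes the permit command accepts
MODES = ("config", "context-config", "enable-exec", "user-exec")
PREFIXES = ("no", "do")

class Role:
    """A role is a set of permitted command first words per CLI mode."""

    def __init__(self, name, based_on=None):
        self.name = name
        # 'role NAME based-on PRESET' starts from a copy of the preset's commands
        # and modes; a bare 'role NAME' starts with no rights at all
        self.permitted = (deepcopy(based_on.permitted) if based_on
                          else {m: set() for m in MODES})

    @staticmethod
    def _first_word(command):
        words = command.split()
        if not words:
            raise ValueError("empty command")
        if words[0] in PREFIXES:
            # permit 'banner', not 'no banner': the prefixed forms follow the base command
            raise ValueError("add the base command, not its no/do form")
        return words[0]

    def permit(self, mode, command):
        """permit <MODE> <COMMAND>: only the first word is recorded, so
        'permit config banner' also covers 'banner motd'."""
        if mode not in MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.permitted[mode].add(self._first_word(command))

    def no_permit(self, mode, command):
        """no permit <MODE> <COMMAND>: dropping the base command drops its no/do forms too."""
        self.permitted[mode].discard(self._first_word(command))

    def is_allowed(self, mode, line):
        """Does this role allow the typed line in the given mode?"""
        words = line.split()
        if words and words[0] in PREFIXES:
            words = words[1:]     # 'no X' and 'do X' are granted together with X
        return bool(words) and words[0] in self.permitted[mode]

def allowed_by_any(roles, mode, line):
    """A user may hold several roles; assume the line is allowed if any of them permits it."""
    return any(r.is_allowed(mode, line) for r in roles)

# Constructed stand-in for the preset admin role; the real list is in the Command Reference
ADMIN = Role("admin")
for _mode, _cmd in (("user-exec", "show"), ("enable-exec", "show"), ("enable-exec", "copy"),
                    ("enable-exec", "configure"), ("config", "banner"), ("config", "username")):
    ADMIN.permit(_mode, _cmd)

# The page's example: 'role myrole' followed by 'permit enable-exec copy'
MYROLE = Role("myrole")
MYROLE.permit("enable-exec", "copy")
```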

Creating a user account

A user account can be created only in configuration mode. Use the username <NAME> command to create a user account.

In the user context mode set the user account's parameters. The commands for changing these parameters are listed in the table below.

Command                         Description
description <DESCR>             Add a user account description
no description                  Delete the user account description
password <PASS>                 Set the user password
no password                     Clear the user password
role {admin|noc|helpdesk}       Assign a role to the user; one of the preset values must be specified
no role {admin|noc|helpdesk}    Unassign the role from the user
custom-role <NAME>              Assign a custom role to the user; if the specified name matches no existing role, an "empty" role is created
vr <NAME>                       Grant the user access to the virtual router
no vr <NAME>                    Prohibit the user's access to the virtual router

ATTENTION: a user whose roles contain no rights cannot execute any actions.

Several roles can be assigned to one user at the same time, and each role can be assigned to several users at the same time.

In configuration mode use the no username <NAME> command to delete a user account.

Example:

ecorouter(config)# username user1
ecorouter(config-user)# description sysadmin 
ecorouter(config-user)# password administrator 
ecorouter(config-user)# role admin

In addition to the preset roles, a custom role can be used. In the user context mode use the custom-role <NAME> command to assign a custom role (if no role with that name exists, an "empty" role is created).

Use the no custom-role <NAME> command to delete a custom role.

During authorization, the user role can be defined by a record in the local database or obtained from a RADIUS/TACACS+ server. If the user exists both in the router's local user database and in the RADIUS/TACACS+ user database, the role is defined by the authorization method.

Show commands

To view running terminals as well as active user roles use the show users connected command in user mode. Read more about it in the "Command Line Interface" section.

ecorouter>show users connected 
    Line       User                Logged     Location  PID       Roles         
  0 con 0      admin               00:00:15   ttyS0     1979      admin
 130 vty 0     ecouser             00:00:00   pts/0     2090      admin_tes

To see user accounts stored in the EcoRouter database, use the show users localdb command.

ecorouter#show users localdb
User: admin
Description: Administrator User
VR:
pvr
Roles:
admin ''
User: daemon
Description: The user is used to get configuration data
VR:
pvr
Roles:
User: tacacs
Description: The user is used to make authorization through tacacs
VR:
pvr
Roles:
noc ''

Modifiers and output to a file are available for these commands, as for other show commands.

Accounting (Syslog)

Authentication functions are carried out by creating a user account in the local database.

Authorization functions are implemented by assigning a role with a certain set of commands to a specific user. This set of commands can be edited.

Accounting functions are implemented by sending log data to a remote server via the router's integrated message sending function, according to the Syslog standard (rsyslog). Use the rsyslog host <address> {mgmt | vr {default | <VR_NAME>}} command to configure Syslog message sending, where <address> is the IP address of the server the logs are sent to. Messages can be sent via the management interface (mgmt) or via a virtual router vr {default | <VR_NAME>}, where <VR_NAME> is the virtual router's name. The default value means the standard (non-virtualized) router.

Service users

By default there is one service user, tacacs, with the Auditor role (noc).

A user authenticated in EcoRouter via TACACS+ is authenticated as tacacs. Thus the user's rights when accessing via TACACS+ are limited by the respective service user's rights. For example, if the admin user is authorized on EcoRouter via TACACS+, his access level matches the Auditor role (noc), not Administrator.

The roles assigned to the tacacs user can be edited. One can create a role with a specific set of commands and assign it to the tacacs and radius users in the same way as for an ordinary user (see "Access levels").

If the user is authenticated via TACACS+, both the user's real name and the service user name are recorded in the log files (see "Syslog").

AAA configuration

Several configuration mode commands are used for AAA configuration, as described below.

Authorization priority

To set the priority of authentication types, use the aaa precedence <local | radius | tacacs> command.

The parameters of this command are the types, entered in order of priority:

ecorouter(config)#aaa precedence radius local tacacs

RADIUS (Remote Authentication Dial-In User Service) is a network protocol designed to provide centralized Authentication, Authorization and Accounting (AAA) for users connecting to various network services. It is used, for example, for user authentication in WiFi, VPN, formerly dial-up connections, and similar cases. It is described in the standards RFC 2058, RFC 2059, RFC 2865 and RFC 2866.

Configuring RADIUS Authentication

For authentication and/or accounting using RADIUS, the subscriber AAA profile to be used must be specified. First, a subscriber AAA profile must be created and configured.

Use the subscriber-aaa <SUBSCRIBER_AAA> command in configuration mode to create a subscriber AAA profile, where <SUBSCRIBER_AAA> is the subscriber AAA profile name. If a profile with the specified name already exists or has just been created, the command automatically enters the context configuration mode and the prompt changes to (config-sub-aaa).

Use the no subscriber-aaa <SUBSCRIBER_AAA> command in configuration mode to delete a subscriber AAA profile, where <SUBSCRIBER_AAA> is the name of the profile to be deleted.

In the subscriber AAA profile context configuration mode the operator can edit or delete the profile description and specify the RADIUS server groups used for authentication and/or accounting.

Use the description <TEXT> command in the context configuration mode (config-sub-aaa) to edit the subscriber AAA profile description, where <TEXT> is the description string.

Use the no description command in the context configuration mode (config-sub-aaa) to delete the subscriber AAA profile description.

Use the authentication radius <RADIUS_GROUP> command in the context configuration mode (config-sub-aaa) to configure authentication using RADIUS, where <RADIUS_GROUP> is the RADIUS server group name.

Use the accounting radius <RADIUS_GROUP> command in the context configuration mode (config-sub-aaa) to configure accounting using RADIUS, where <RADIUS_GROUP> is the RADIUS server group name.

Example:

ecorouter(config)#subscriber-aaa NEW_AAA
ecorouter(config-sub-aaa)#authentication
radius RADIUS authentication
ecorouter(config-sub-aaa)#authentication radius 
RADIUS_GROUP RADIUS server group
ecorouter(config-sub-aaa)#authentication radius test
ecorouter(config-sub-aaa)#accounting radius test2
ecorouter(config-sub-aaa)#
Subscriber AAA commands:
accounting Subscriber AAA profile accounting method
authentication Subscriber AAA profile authentication method
description Subscriber AAA profile description
exit Exit from the current mode to the previous mode
help Description of the interactive help system
no Negate a command or set its defaults
show Show running system information
ecorouter(config-sub-aaa)#

Switch to the context configuration mode (config-subscriber-map) and execute the set aaa <SUBSCRIBER_AAA> command to use the configured profile where <SUBSCRIBER_AAA> is the subscriber AAA profile name.

Currently, to install the service from the AAA server, the following conditions must be met:
1) Availability of a configured subscriber-service on the router.
2) Configuration of AAA-servers for subscribers using subscriber-aaa command.
3) Full compliance between the name of the subscriber-service and the name of the service in the message from the AAA server.

If you meet the above requirements, you can install the service from the RADIUS server using the set aaa <NAME> command, where <NAME> is the pre-configured group of AAA servers for subscribers. If this command is present in the subscriber card, authentication and authorization change from local to remote for this sequence in a subscriber-map.

If the service name received from the AAA server is not found in the router configuration, and no local services are provided for these subscribers in the subscriber-map, the service is considered invalid and traffic from those subscribers is blocked.

To use a configured profile in PPPoE, go to the PPPoE context configuration mode of the profile (config-pppoe) and execute the similar command set aaa <SUBSCRIBER_AAA>.

TACACS+ (Terminal Access Controller Access Control System Plus) is a session-based protocol that resulted from Cisco's further development of TACACS.

It improved protocol security (encryption) and separated the functions of authentication, authorization and accounting, which can now be used independently.

TACACS+ uses the concept of sessions. Under TACACS+ three different types of AAA sessions (authentication, authorization, accounting) can be established. Establishing a session of one type does not in general require the prior successful establishment of any other. The protocol specification does not require an authentication session to be opened before an authorization session; a TACACS+ server may require authentication, but the protocol does not mandate it.

TACACS+

The aaa tacacs-config debug command enables output of TACACS+ debugging information in syslog format.

ecorouter(config)#aaa tacacs-config debug

If an encryption key is specified in the server settings, the information in the logs is also encrypted.

If multiple servers are configured, queries are by default sent to the first available server in the server list. Only the user's login/logout time is sent to all servers.

To configure a TACACS+ server use the aaa tacacs-server command.

Command syntax: aaa tacacs-server <IP> port <NUM> secret <PASS> ( vrf ) ( account | auth ) timeout <0-300>.

The parameters of the command are described in a table below.

Parameter        Description
<IP>             IP address of the TACACS+ server
port <NUM>       Port number
secret <PASS>    Encryption key; if specified, encryption is enabled automatically
mgmt             Connect through the management port
vrf <NAME>       VRF in which the server IP address is reachable (default: the VRF of the current virtual router)
account          Enable accounting
auth             Enable authentication and authorization
timeout <0-300>  Timeout in seconds; valid values are 0 to 300


Example:

ecorouter(config)#aaa tacacs-server 192.168.0.1 port 80 vrf management timeout 200 account auth

Security profiles

Security profiles are used to filter traffic addressed to the EcoRouter. A security profile is a set of rules specifying which protocols' packets are allowed to pass to the router (and to the virtual routers within it).

In configuration mode use the security-profile <NUMBER> command to create a security profile. This ordinal number serves as the profile name.

Use the rule <0-1023> [permit | deny] <PROTOCOL> <SOURCE> <DESTINATION> (<DEST PORT> <DP NUMBER>) command to create a rule. The command's parameters are described below.

Parameter: <0-1023>
  Rule's ordinal number, in the range 0 to 1023. Rules are applied in order from 0 to 1023.

Parameter: permit | deny
  Rule type: permit or deny.

Parameter: PROTOCOL
  Specifies which protocol's packets the rule applies to. Either the protocol number according to the IANA specification (0 to 255) or one of the following values can be specified:

  • any - any protocol's packets,
  • gre - GRE packets,
  • icmp - ICMP packets,
  • igmp - IGMP packets,
  • ip - IPv4 encapsulation packets,
  • ipcomp - IPComp packets,
  • ospf - OSPF packets,
  • pim - PIM packets,
  • rsvp - RSVP packets,
  • tcp - TCP packets,
  • udp - UDP packets,
  • vrrp - VRRP packets.

Parameter: SOURCE
  Source IP address with a mask, specified in A.B.C.D/M form. If the rule should match all addresses, specify the value any. If the rule should match a single address, specify host <IP-address>.

Parameter: DESTINATION
  Destination IP address with a mask, specified in A.B.C.D/M form. If the rule should match all addresses, specify the value any. If the rule should match a single address, specify host <IP-address>.

Filtering by destination port, available for the TCP and UDP protocols:

Parameter: DEST PORT
  Filtering variant. Specify one of the following values:

  • eq - port number is equal to ...,
  • gt - port number is greater than ...,
  • lt - port number is smaller than ...,
  • range - port number is in the range ...

Parameter: DP NUMBER
  Port number or identifier.

  Possible values for TCP:

  • port number from 0 to 65535,
  • ftp - FTP (port 21),
  • ssh - SSH (port 22),
  • telnet - Telnet (port 23),
  • www - WWW (HTTP, port 80).

  Possible values for UDP:

  • port number from 0 to 65535,
  • bootp - BOOTP (port 67),
  • tftp - TFTP (port 69).

When a port range is set (range), the lower and upper limits are specified as numbers separated by a space.

If traffic does not match any rule, it is allowed to pass (permit); this is the implicit permit any any any line that the show ip vrf output prints after the rules.

The EcoRouter has a default profile which can not be changed.

The default profile's parameters are as follows:

Security profile default
   0: deny tcp any any eq 22
   1: deny tcp any any eq 23
   2: deny tcp any any eq 161
   3: deny udp any any eq 22
   4: deny udp any any eq 23
   5: deny udp any any eq 161
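As an added example (not EcoRouter code), here is a small Python evaluator for the rule syntax above: it parses rules both in the rule command form and in the show security-profile output form, resolves the port identifiers, and walks a profile in rule-number order, falling through to the implicit permit. First-match semantics is an assumption drawn from the statement that rules are applied in order from 0 to 1023; the default profile and profile 1 are the ones shown on this page, and the packets in the test are constructed.

```python
import ipaddress
from dataclasses import dataclass
# Port identifiers accepted by the rule command (the DP NUMBER parameter above)
PORT_NAMES = {"tcp": {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80},
              "udp": {"bootp": 67, "tftp": 69}}

@dataclass
class Rule:
    number: int
    action: str                   # "permit" or "deny"
    proto: str                    # "any" or a protocol name such as "tcp"
    src: object                   # IPv4Network, or None standing for "any"
    dst: object
    op: str = None                # eq / gt / lt / range (TCP and UDP only)
    lo: int = None
    hi: int = None

def _addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D/M."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # strict=False accepts host bits set, e.g. 192.168.10.2/24 from the page's example
    return ipaddress.ip_network(tok, strict=False)

def _port(proto, tok):
    """Resolve a port identifier such as bootp, or a plain port number."""
    return PORT_NAMES.get(proto, {}).get(tok) or int(tok)

def parse_rule(line):
    """Parse 'rule 3 deny tcp any 192.168.10.2/24 range 21 23' or the
    'show security-profile' form '3: deny tcp any 192.168.10.2/24 range 21 23'."""
    tokens = line.split()
    if tokens[0] == "rule":
        tokens.pop(0)
    number = int(tokens.pop(0).rstrip(":"))
    action, proto = tokens.pop(0), tokens.pop(0)
    rule = Rule(number, action, proto, _addr(tokens), _addr(tokens))
    if tokens:                    # destination-port filter, TCP/UDP only
        rule.op = tokens.pop(0)
        rule.lo = _port(proto, tokens.pop(0))
        rule.hi = _port(proto, tokens.pop(0)) if rule.op == "range" else rule.lo
    return rule

def _port_match(rule, dport):
    if rule.op is None:
        return True               # no port filter on this rule
    if dport is None:
        return False              # port filter, but the packet carries no port
    ops = {"eq": dport == rule.lo, "gt": dport > rule.lo, "lt": dport < rule.lo,
           "range": rule.lo <= dport <= rule.hi}
    return ops[rule.op]

def matches(rule, proto, src, dst, dport=None):
    if rule.proto not in ("any", proto):
        return False
    if rule.src is not None and ipaddress.ip_address(src) not in rule.src:
        return False
    if rule.dst is not None and ipaddress.ip_address(dst) not in rule.dst:
        return False
    return _port_match(rule, dport)

def evaluate(profile, proto, src, dst, dport=None):
    """Walk rules in ascending number order; the first match decides (assumed
    first-match semantics). A packet matching no rule is permitted, which is the
    implicit 'permit any any any' line printed after the rules by 'show ip vrf'."""
    for rule in sorted(profile, key=lambda r: r.number):
        if matches(rule, proto, src, dst, dport):
            return rule.action, rule.number
    return "permit", None

def load_profile(text):
    """Build a profile from rule lines in either accepted form."""
    return [parse_rule(l) for l in text.strip().splitlines() if l.strip()]

# The page's default profile ('show' form) and profile 1 ('rule' form)
DEFAULT_PROFILE = load_profile("""
   0: deny tcp any any eq 22
   1: deny tcp any any eq 23
   2: deny tcp any any eq 161
   3: deny udp any any eq 22
   4: deny udp any any eq 23
   5: deny udp any any eq 161""")
PROFILE_1 = load_profile("""
rule 0 permit tcp any any eq 23
rule 1 deny udp any any eq bootp
rule 2 deny ospf host 127.0.0.12 any
rule 3 deny tcp any 192.168.10.2/24 range 21 23""")
```

Note that in profile 1 the permit for TCP port 23 at rule 0 wins over the deny of ports 21 to 23 at rule 3, so rule numbering, not just rule content, decides what reaches the router.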

Management port and VRFs

For management port all protocols are allowed by default.

In configuration mode use the security <SP_NAME> vrf management command to assign a security profile to the management port, where SP_NAME is the name of the profile. In configuration mode use the security <SP_NAME> command to assign a security profile to the default VRF. In configuration mode use the security <SP_NAME> vrf <NAME> command to assign a security profile to the specified VRF.

In the configuration mode of a virtual router use the above commands to assign a security profile to the virtual router.

To detach a security profile from a VRF or the management port, use the same command with the no prefix. After this, a blank security profile named security none is applied to the VRF or management port.
To delete all rules for a VRF or the management port, you can assign the blank security profile named security none.

After a security profile is assigned it cannot be changed. To change an assigned security profile, first detach it from the VRF and/or management port it is assigned to.

For correct operation it is recommended first to detach the security profile assigned to a virtual router and only then to delete the virtual router itself.

In administration mode use the show security-profile command to display the parameters of the currently configured security profiles.

In administration mode use the show ip vrf command to display the current security parameters.

Configuring security profile example

Creating a new profile

ecorouter(config)#security-profile 1
ecorouter(config-security-profile)#rule 0 permit tcp any any eq 23
ecorouter(config-security-profile)#rule 1 deny udp any any eq bootp
ecorouter(config-security-profile)#rule 2 deny ospf host 127.0.0.12 any
ecorouter(config-security-profile)#rule 3 deny tcp any 192.168.10.2/24 range 21 23
ecorouter#show security-profile
 Security profile default
  0: deny tcp any any eq 22
  1: deny tcp any any eq 23
  2: deny tcp any any eq 161
  3: deny udp any any eq 22
  4: deny udp any any eq 23
  5: deny udp any any eq 161
    
 Security profile 1
  0: permit tcp any any eq 23
  1: deny udp any any eq 67
  2: deny ospf 127.0.0.12/32 any
  3: deny tcp any 192.168.10.2/24 range 21 23

Creating a VRF and assigning security profile to it.

ecorouter(config)#ip vrf vrf0 
ecorouter(config-vrf)#end
ecorouter#show ip vrf  
 VRF default 
  Interfaces: 
 Security profile default 
  0: deny tcp any any eq 22 
  1: deny tcp any any eq 23 
  2: deny tcp any any eq 161 
  3: deny udp any any eq 22 
  4: deny udp any any eq 23 
  5: deny udp any any eq 161 
  permit any any any 
 
 VRF management 
 
 VRF vrf0 
  Interfaces:
ecorouter(config)#security 1 vrf vrf0 
ecorouter(config)#end 
ecorouter#show ip vrf  
 VRF default 
  Interfaces: 
 Security profile default 
  0: deny tcp any any eq 22 
  1: deny tcp any any eq 23 
  2: deny tcp any any eq 161 
  3: deny udp any any eq 22 
  4: deny udp any any eq 23 
  5: deny udp any any eq 161 
  permit any any any 
 
 VRF management 
 
 VRF vrf0 
  Interfaces: 
 Security profile 1 
  0: permit tcp any any eq 23 
  1: deny udp any any eq 67 
  2: deny ospf 127.0.0.12/32 any 
  3: deny tcp any 192.168.10.2/24 range 21 23 
  permit any any any

Changing a security profile.

ecorouter(config)#security-profile 1
ecorouter(config-security-profile)#rule 4 permit any any any
% Profile is set on 1 namespaces. Unset profile prior to change it.
ecorouter(config-security-profile)#ex
ecorouter(config)#no security 1 vrf vrf0 
ecorouter(config)#security-profile 1
ecorouter(config-security-profile)#rule 4 permit any any any
ecorouter(config-security-profile)#ex
ecorouter(config)#ex
ecorouter#show security-profile
 Security profile default
  0: deny tcp any any eq 22
  1: deny tcp any any eq 23
  2: deny tcp any any eq 161
  3: deny udp any any eq 22
  4: deny udp any any eq 23
  5: deny udp any any eq 161     
 Security profile 1 
  0: permit tcp any any eq 23 
  1: deny udp any any eq 67 
  2: deny ospf 127.0.0.12/32 any 
  3: deny tcp any 192.168.10.2/24 range 21 23 
  4: permit any any any 
  permit any any any
         
ecorouter#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
ecorouter(config)#security 1 vrf vrf0 
ecorouter(config)#end 
ecorouter#show ip vrf
 VRF default 
  Interfaces: 
 Security profile default 
  0: deny tcp any any eq 22 
  1: deny tcp any any eq 23 
  2: deny tcp any any eq 161 
  3: deny udp any any eq 22 
  4: deny udp any any eq 23 
  5: deny udp any any eq 161 
  permit any any any 
 
 VRF management 
 
 VRF vrf0 
  Interfaces: 
 Security profile 1 
  0: permit tcp any any eq 23 
  1: deny udp any any eq 67 
  2: deny ospf 127.0.0.12/32 any 
  3: deny tcp any 192.168.10.2/24 range 21 23 
  4: permit any any any 
  permit any any any

Deleting security profile.

ecorouter(config)#no security 1 vrf vrf0 
ecorouter(config)#no ip vrf vrf0 
ecorouter(config)#end 
ecorouter#show ip vrf  
 VRF default 
  Interfaces: 
 Security profile default 
  0: deny tcp any any eq 22 
  1: deny tcp any any eq 23 
  2: deny tcp any any eq 161 
  3: deny udp any any eq 22 
  4: deny udp any any eq 23 
  5: deny udp any any eq 161 
  permit any any any 
 
 VRF management

ecorouter#         

ICMP echo request packet processing

ICMP echo request packet processing (the response to ping) is performed by default in the data-plane and does not take security profiles into account.
To apply security profiles to ICMP echo request packets, run the following configuration mode command:
icmp-echo control-plane
After executing this command, ICMP echo request packets are processed in the control-plane and the security profile rules are taken into account.
To exclude ICMP echo request packet processing from security profiles, execute the following configuration mode command:
no icmp-echo control-plane

Public key infrastructure

To secure users' connections, EcoRouterOS uses the TLS (Transport Layer Security) protocol based on PKI (Public Key Infrastructure) and X.509 certificates. A secured connection between the user and the server is established together with client authentication on the server. In this case EcoRouter acts both as a CA (Certificate Authority) and as a server.

When a device connects to EcoRouter, it sends a message containing the router's certificate and a request for the user's certificate. The user sends a message containing his certificate, and the secured connection is set up. Over this connection, all information transmitted between the user and the device is encrypted with the private key. When the router sends a message, it is encrypted with the router's private key so that the user can decrypt it with the public key he holds (the router's certificate). Conversely, the user sends a message encrypted with his private key to the EcoRouter, and the EcoRouter decrypts it with the user's certificate transferred at the beginning of the session. To organize this process, the user and the EcoRouter must have an identical set of certificates and their own private keys.

A private key and a certificate are generated automatically by the EcoRouter firmware when a user is created. The EcoRouter plays the CA role, that is, a server responsible for user registration, key issuance, storage of the register of issued keys and checking their status.

Thus, to communicate with the server over a secured connection, the user must keep the EcoRouter's certificate (CA), the user's certificate and the user's private key.

The EcoRouter generates several service certificates for TACACS and RADIUS servers connection.

The EcoRouter has several commands to view user certificates. By default these commands are available only to users with the admin role.

In administration mode use the crypto certificate export command to display users' certificates. Modifiers for filtering the results by user can be used; for example, the service certificates of the radius and tacacs users can be excluded from the output.

In the example below the certificate bodies are omitted. All certificates are stored and displayed on the console in Base64 encoding.

ecorouter#crypto certificate export
User: admin
Certificate: Valid
-----BEGIN CERTIFICATE-----
ESTCCA...gAyhj
-----END CERTIFICATE-----
 
User: radius
Certificate: Valid
-----BEGIN CERTIFICATE-----
ESzC...l0lBt18=
-----END CERTIFICATE-----
 
User: tacacs
Certificate: Valid
-----BEGIN CERTIFICATE-----
E...j7tDSM=
-----END CERTIFICATE-----


To export (display on the console) a user's private key, use the administration mode crypto key export command. This command displays the private key of the currently authenticated user.

In the example below the key body is omitted. All keys are stored and displayed on the console in Base64 encoding. Private keys must be transferred to users' computers in a secure way that prevents a third party from obtaining them.

ecorouter#crypto key export
User: admin
-----BEGIN RSA PRIVATE KEY-----
IEp...kjUcAQLyrg==
-----END RSA PRIVATE KEY-----

To export (display on the console) the EcoRouter's certificate, use the administration mode crypto ca export command. This command displays the server's certificate with plain-text fields such as the server name (Subject: CN=ecorouter), the server's signature and the certificate itself.

In the example below the certificate body and the server's signature are abbreviated. The CA certificate is stored in the router's database and displayed on the console in Base64 encoding; the information about it is displayed on the console as plain text.

ecorouter#crypto ca export
Certificate: 
    Data: 
        Version: 3 (0x2) 
        Serial Number: 
            9a:14:57:6d:84:76:e9:31 
    Signature Algorithm: sha256WithRSAEncryption 
        Issuer: CN=ecorouter 
        Validity 
            Not Before: Oct  4 08:17:55 2016 GMT 
            Not After : Oct  5 08:17:55 2026 GMT 
        Subject: CN=ecorouter 
        Subject Public Key Info: 
            Public Key Algorithm: rsaEncryption 
                Public-Key: (4096 bit) 
                Modulus: 
                    00:c3:db:b8:b1:a7:a1:4b:34:82:af:1b:df:6a:2e: 
... 
                    0b:49:95 
                Exponent: 65537 (0x10001) 
        X509v3 extensions: 
            X509v3 Subject Key Identifier: 
                EA:DC:87:08:D8:03:AB:BB:44:C4:80:A1:58:38:91:45:16:E8:53:0A 
            X509v3 Authority Key Identifier: 
                keyid:EA:DC:87:08:D8:03:AB:BB:44:C4:80:A1:58:38:91:45:16:E8:53:0A  
            X509v3 Basic Constraints: 
                CA:TRUE 
    Signature Algorithm: sha256WithRSAEncryption 
         ac:57:98:1f:5f:00:fa:80:d1:cc:fe:c6:e5:50:06:ff:14:d6: 
... 
         37:a7:ad:8f:2d:99:1a:0c 
-----BEGIN CERTIFICATE----- 
MIIE+z...kaDA== 
-----END CERTIFICATE-----

Copy the displayed certificates and key into appropriately named files in order to export them:

  • cacert.pem - EcoRouter's certificate (CA),
  • clientcert.pem - user's certificate,
  • clientkey.pem - user's private key.

A user must copy the private key output from the "-----BEGIN" line up to the last hyphen of the "-----END CERTIFICATE-----" line (or "-----END RSA PRIVATE KEY-----"). A user must copy the CA certificate starting from the "Certificate:" line.

On the user's device these files must be placed in the user software's directories. For Unix/Linux the defaults are the following:

  • /etc/pki/CA/cacert.pem
  • /etc/pki/libvirt/private/clientkey.pem
  • /etc/pki/libvirt/clientcert.pem