Professional Documents
Culture Documents
Session 3 - Authentication
Session 3 - Authentication
Session 3 - Authentication
In rare circumstances, the system administrator may have to provision for escape
route into a network. Network configurations may fail to run properly due to a variety
of reasons. In those extreme situation a no authentication approach may be used to
enter into the network. This is however a highly risky option.
In the aaa configuration, after specifying the servers and the sequence in which they
ought to process authentication, if it is anticipated that all the prior servers may not be
unavailable for the process, then the last option (no authentication) highlighted in
figure 1 may be configured
Enable
Group
Line
None
Figure 1: Authentication Options
The no authentication method is implemented as shown in figure 2 below:
Telnet
Telnet is a network protocol used on networks to provide a bidirectional interactive
text-oriented communication facility using a virtual terminal connection. User data is
interspersed in-band with Telnet control information in an 8-bit byte oriented data
connection over the Transmission Control Protocol (TCP). Note that Telnet has been
replaced with Secure Shell (SSH) due to security concerns described below:
• Telnet, by default, does not encrypt any data sent over the connection
(including passwords), and so it is often possible to eavesdrop on the
communications and use the password later for malicious purposes; anybody
who has access to a router, switch, hub or gateway located on the network
between the two hosts where Telnet is being used can intercept the packets
passing by and obtain login, password and whatever else is typed with a packet
analyzer.
• Most implementations of Telnet have no authentication that would ensure
communication is carried out between the two desired hosts and not intercepted
in the middle.
• Several vulnerabilities have been discovered over the years in commonly used
Telnet daemons.
2
Figure 3: Telneting Action
3
to control the server and communicate with other servers on the network. To start a
Telnet session, we must log in to a server by entering a valid username and password.
Telnet is a common way to remotely control Web servers.
The term telnet also refers to software which implements the client part of the protocol.
TELNET clients have been available on most Unix systems for many years and are
available virtually for all platforms. Most network equipment and OSs with a TCP/IP
stack support some kind of TELNET service server for their remote configuration
including ones based on Windows NT. TELNET is a client server protocol, based on
a reliable connection oriented transport. Typically this protocol used to establish a
connection to TCP port 23, where a getty-equivalent program (telnetd) is listening,
although TELNET predates.
Telnet can be used to connect to virtually any machine that listens on ports. In other
words, you can connect to any machine that has certain ports open. Once connected
to a machine, you need to issue UNIX based commands to interact with the remote
service. For example, a user don't need to login, check and send mails only through
his e-mail service provider's interface but this can be achieved using simple telnet
commands.
It is because of this reason that many hackers can send spoofed emails or access
information such as which services are running on the remote machine. This is also
called banner grabbing or daemon tracking. Black hat hackers can also use telnet to
sniff network packets which might contain sensitive information such as usernames
and passwords. This is achieved by using telnet and network utilities such as TCP
dump and wire shark.
Telnet client and server functionality comes built-in in most operating systems.
However, there are several third-party applications like putty client that enable remote
connectivity. A user can connect to a remote machine through several access modes
such as raw access, SSH access, etc. SSH mode offers encryption and security and
hence can prevent eavesdropping by hackers. This is by far the most secure way of
connecting to a machine.
4
However, it is necessary that the remote machine supports SSH login to make use of
the encryption and security features. On windows machines, telnet client can simply
be started by issuing the telnet command in windows command shell. The following
example would help you connect to a remote machine on the HTTP Port 80 and issue
a GET command which would fetch a file as your web browser does it behind scenes:
GET/HTTP/1.1host: Issuing the command above would make the HTTP Server return
the file requested, in this case it would be the default file at the root location, most
applications and embedded devices make use of the telnet technology to connect to
remote server machines and provide end user functionality. The most common use of
telnet stands to enable remote authentication and access,
5
Your IP address is also sent so that information can be routed back to you.
Additionally, specific Telnet commands that the other NVT will use, are sent to decide
what to do with the data, or how to respond to the data. E.g. when data is sent from
one NVT to another and certain information must be sent back to the originating NVT
for a process to proceed, the Telnet Go Ahead (GA) command is sent.
After Telnet host receives data you have sent it, processes the data and returns to
your screen and give the results of using the data or running the command on a distant
computer.
Telnet is versatile. You can establish Telnet sessions over the phone. If there is no
phone connection and your device is accessible to the Internet, you can establish a
Telnet session over the Internet. In any of these conditions you can establish a Telnet
session with a remote host.
Terminal Emulation
6
A personal computer can connect via Modem to a large computer and run a terminal
emulation program. The most common terminal emulation is the VT100. The computer
works like a dumb terminal, except it is connected via a phone line instead of a direct
connection. Often, you will not be able to use graphics on the Internet, such as the
WWW (World Wide Web), this kind of access, although you will be able to browse the
text-only portion of the Web.
This kind of Internet account is sometimes called "Shell" account. This shell account
is available with VSNL for students in India. Many terminal emulation programs can
emulate DEC terminals, including the VT52 and VT200 series terminals. For example,
tty pathname of your terminal's device file.
Setting Password to R3
7
Enabling Secret Password
Telneting R3 from R1
Invisibility of Password
8
Attempting Login Second Time After Incomplete Configuration
On telneting, R1 is open and the next step is to supply password. However, in this
case, it is not the password requested. Authentication is seeking, unusually, ‘user
name”
9
Use of Named Authentication List
10
Testing Telnet after Completing Configuration
11
Point to Point Protocol (PPP) Authentication Command
Accounting
Accounting is tracking resources used by authorized persons
The tracking can be used for security purposes by:
Checking users doing things they are not authorized to
Tracking network usage in order to bill the various departments. This is more
relevant for very large networks.
Configuring Accounting
Command: Information regarding EXEC mode commands issued by user
12
Connection: Information regarding all outbound connections made from
network access server including telnet and rlogin
EXEC: Information about user EXEC terminal sessions
Network: Information regarding all PPP, ARAP, and SLIP sessions
Resource: Information regarding start and stop records for calls passing
authentication, and stop records for calls that fail authentication.
System: Non-user related system-level events recording.
Accounting Commands
13
Final Commands Generated Using Library
Authorization
Authorization determines what users can do once they are in the network. To achieve
objectives of authorization, aaa authorization creates a profile of users. It can use
default or named list. Authorization is tied to privilege levels that define what resources
and commands a user can run. The three pre-defined levels are 0, 1, and 15.
Authorization Options
14
Show Privilege Command
15
Additional Tasks
16
17