System Security Configuration Guide for Cisco ASR 9000 Series Routers, IOS XR Release 7.1.X


First Published: 2020-01-20
Last Modified: 2020-11-30

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA, http://www.cisco.com

All printed copies and duplicate soft copies of this document are considered uncontrolled. See the current online version for the latest version.

© 2020 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface
  • Changes to This Document
  • Communications, Services, and Additional Information

Chapter 1: New and Changed Feature Information
  • System Security Features Added or Modified in IOS XR Release 7.1.x

Chapter 2: Configuring AAA Services
  • Information About Configuring AAA Services
  • User, User Groups, and Task Groups
  • User Categories
  • User Groups
  • Task Groups
  • Cisco IOS XR Software Administrative Model
  • Administrative Access
  • AAA Database
  • Remote AAA Configuration
  • AAA Configuration
  • Authentication
  • Password Types
  • Type 8 and Type 9 Passwords
  • Type 10 Password
  • AAA Password Security for FIPS Compliance
  • AAA Password Security Policies
  • Minimum Password Length for First User Creation
  • Task-Based Authorization
  • Task IDs
  • General Usage Guidelines for Task IDs
  • Task IDs for TACACS+ and RADIUS Authenticated Users
  • Task Maps
  • Privilege Level Mapping
  • XML Schema for AAA Services
  • About RADIUS
  • Network Security Situations in Which RADIUS is Unsuitable
  • RADIUS Operation
  • Differentiated Services Code Point (DSCP) Marking Support for TACACS Packets
  • How to Configure AAA Services
  • Prerequisites for Configuring AAA Services
  • Restrictions for Configuring AAA Services
  • Configuring Task Groups
  • Task Group Configuration
  • Configuring User Groups
  • Configure First User on Cisco Routers
  • Configuring Users
  • Configure Type 8 and Type 9 Passwords
  • Configure Type 10 Password
  • Backward Compatibility for Password Types
  • Configure AAA Password Policy
  • Configuring Router to RADIUS Server Communication
  • Configuring RADIUS Dead-Server Detection
  • Configuring Per VRF AAA
  • New Vendor-Specific Attributes (VSAs)
  • Configuring a TACACS+ Server
  • Configuring RADIUS Server Groups
  • Configuring TACACS+ Server Groups
  • Configure Per VRF TACACS+ Server Groups
  • Configuring AAA Method Lists
  • Configuring Authentication Method Lists
  • Configuring Authorization Method Lists
  • Configuring Accounting Method Lists
  • Generating Interim Accounting Records
  • Applying Method Lists for Applications
  • Enabling AAA Authorization
  • Enabling Accounting Services
  • Configuring Login Parameters
  • Configuration Examples for Configuring AAA Services
  • Configuring AAA Services: Example
  • Command Accounting
  • Model-based AAA
  • Prerequisites for Model Based AAA
  • Initial Operation
  • NACM Configuration Management and Persistence
  • Overview of Configuring NACM
  • NACM Rules
  • Enabling NACM
  • Verify the NACM Configurations
  • Disabling NACM
  • Additional References

Chapter 3: Implementing Certification Authority Interoperability
  • Prerequisites for Implementing Certification Authority
  • Restrictions for Implementing Certification Authority
  • Information About Implementing Certification Authority
  • Supported Standards for Certification Authority Interoperability
  • Certification Authorities
  • Purpose of CAs
  • IPSec Without CAs
  • IPSec with CAs
  • IPSec with Multiple Trustpoint CAs
  • How IPSec Devices Use CA Certificates
  • CA Registration Authorities
  • How to Implement CA Interoperability
  • Configuring a Router Hostname and IP Domain Name
  • Generating an RSA Key Pair
  • Importing a Public Key to the Router
  • Declaring a Certification Authority and Configuring a Trusted Point
  • Authenticating the CA
  • Requesting Your Own Certificates
  • Configuring Certificate Enrollment Using Cut-and-Paste
  • Configuration Examples for Implementing Certification Authority Interoperability
  • Configuring Certification Authority Interoperability: Example
  • Expiry Notification for PKI Certificate
  • Learn About the PKI Alert Notification
  • Enable PKI Traps
  • Regenerate the Certificate
  • Integrating Cisco IOS XR and Crosswork Trust Insights
  • How to Integrate Cisco IOS XR and Crosswork Trust Insights
  • Generate Key Pair
  • Generate System Trust Point for the Leaf and Root Certificate
  • Generate Root and Leaf Certificates
  • System Certificates Expiry
  • Collect Data Dossier
  • Procedure to Test Key Generation and Data-signing with Different Key Algorithm
  • Where to Go Next
  • Additional References

Chapter 4: Implementing Keychain Management
  • Prerequisites for Configuring Keychain Management
  • Restrictions for Implementing Keychain Management
  • Information About Implementing Keychain Management
  • Lifetime of Key
  • How to Implement Keychain Management
  • Configuring a Keychain
  • Configuring a Tolerance Specification to Accept Keys
  • Configuring a Key Identifier for the Keychain
  • Configuring the Text for the Key String
  • Determining the Valid Keys
  • Configuring the Keys to Generate Authentication Digest for the Outbound Application Traffic
  • Configuring the Cryptographic Algorithm
  • Configuration Examples for Implementing Keychain Management
  • Configuring Keychain Management: Example
  • Additional References

Chapter 5: Configure MACSec
  • Understanding MACsec Encryption
  • Advantages of Using MACsec Encryption
  • Types of MACsec Implementation
  • MKA Authentication Process
  • MACSec Support on Line Cards and Routers
  • MACSec Limitations for Cisco ASR 9901 Routers
  • MACsec PSK
  • Fallback PSK
  • Configuring and Verifying MACSec Encryption
  • Creating a MACsec Key Chain
  • Prerequisites for Configuring MACSec on Bundle Member Interfaces
  • Creating a User-Defined MACsec Policy
  • MACsec SAK Rekey Interval
  • Applying MACsec Configuration on an Interface
  • MACsec Policy Exceptions
  • How to Create MACsec Policy Exception
  • Verifying MACsec Encryption on IOS XR
  • Verifying MACsec Encryption on ASR 9000
  • Configuring and Verifying MACsec Encryption as a Service
  • Configuring MACsec as a Service
  • Configuring MACsec Service for L2VPN Network
  • Configuring MACsec Service for L3VPN Network
  • Applying MACsec Service Configuration on an Interface
  • Verifying MACsec Encryption on IOS XR
  • Verifying MACsec Encryption on ASR 9000
  • Global MACsec Shutdown
  • Configure MACsec Shutdown
  • Verify MACsec Shutdown
