Identity and access management (IAM)
IAM is a framework for managing electronic or digital identities. It covers both the organizational policies for handling digital identity and the technologies needed to support identity management. With an IAM solution, the people responsible for network management can control user access to critical information within their organization. Identity and access management products offer role-based access control, which lets system administrators regulate access to systems or networks based on the roles of individual users within the organization. Roles can be defined dynamically within the application and support granular customization of access rights.
An Identity and Access Management solution is essential for infrastructure security, as it ensures that the right people can access the appropriate resources, and only when they are allowed to do so. The goal is to protect resources against unauthorized access while meeting compliance requirements within the infrastructure. For an organization, an IAM solution can be a very valuable asset: it reduces administration effort and, if developed internally, also reduces costs.
Various commercial IAM solutions on the market provide the full AAA (authentication, authorization, accounting) stack and much more, but not every organization is willing to bear their cost, especially public institutions funded from the state budget such as educational and research institutions. The alternative is to build an IAM solution internally from open source tools and link them together through a central component, yielding a solid product that can be used in production.
When a user attempts to access a system or data, he or she first makes a claim of identity, typically by entering a username. The system must then verify this claim through an authentication process. Authentication may use basic knowledge-based techniques, such as passwords, or rely on other methods, such as authentication against a centralized directory service. Once a user has authenticated, the IAM system must verify the user's authorization to perform the requested activity: proving one's identity is not sufficient to gain access, and the system must also ensure that users act only within their scope of authority. An IAM platform removes much of this administration burden where there are many network devices and a given user needs access to all of them: instead of configuring access on each device in turn, it is configured once at a central point. Within an organization, the directory service is one of the most important components when it comes to integrating various applications to work together.
The IAM platform needs a way to store or retrieve information about users and groups from a centralized directory such as LDAP or Active Directory, so that everything can be managed from a single location through a conventional interface, a web browser. This paper describes the protocols the IAM platform covers to ease administration for network and system engineers within a network infrastructure, solving the AAA burden by linking the appropriate open source components to achieve the desired outcome. We started this project because there is no open source or free IAM solution that covers the network side, that is, one that provides an easy way to manage network equipment in a security context (AAA) using the TACACS+ and RADIUS protocols integrated into a centralized identity and access management system.
The IAM platform is composed of a set of components, each providing a specific communication protocol to network devices so that access can be granted with as much granularity and as strict a security context as possible. For Cisco equipment we use the tac_plus component, which speaks TACACS+ natively and allows us to enforce full AAA capabilities; for non-Cisco equipment we use the FreeRADIUS component, which covers a wide variety of vendors and also provides endpoint port security through 802.1X. Services and applications running on servers communicate through the central IAM component, which acts as an LDAP proxy and relays queries to a directory service such as an LDAP server, so the real directory server is not exposed within the infrastructure. The proxy also caches directory data for the case where the directory service is temporarily unavailable. Authorization consists of filtering the LDAP query responses: an application checks whether the user has a specific attribute set and grants or denies access accordingly.
The central component provides a web interface for managing identity and access. All devices are configured to query the IAM platform to establish whether a user has access to a specific service, and every action a user takes is logged and stored centrally on the IAM component for later review. The figure below depicts the IAM platform architecture, which centrally integrates the components that provide, on the left, network management and security contexts and, on the right, the means for various applications and services to allow authorized access to specific users.
The IAM platform depends on the central component, the main application that controls the configuration and state of the other components covering the network protocols. It provides a web interface written in PHP and uses a MySQL database as the backend for storing data. The web interface offers an easy and convenient way to interact with the system: through it, identities (users), groups, access control lists and device access control entries can be configured. Users must already be present in the directory service; the interface lets you select the users that need specific roles and access, in terms of who may log in to manage a specific network device and what that user may do once logged in. Say, for example, that a junior network administrator needs access to the network equipment. Before that user can log in, an identity must be created; an identity is required for each user to whom we grant special access. Authorization can be set directly on the identity, or the identity can be assigned to a role, which scales better when there are many identities to manage. A role, also known as a group (for example operators or admins), holds the authorization permissions that its members inherit, so the group must be created first and configured with all the permissions its members are allowed. In an identity or group entry we can also specify an access control list (ACL) that prevents a user, or a group of users, from logging in on specific network equipment; for example, some users need access only to access switches and not to core routers.
For a network device to communicate with the IAM platform, a device access control entry must be created that allows that specific device to query the system. This is a security measure: only trusted devices configured with the correct secret key are accepted. After every operation that adds, modifies or deletes entries, the configuration must be applied by clicking the Apply button. The apply function generates the proper configuration files for both tac_plus and FreeRADIUS and then restarts the services (daemons) so that they initialize with the new configuration in place, as shown below:
All entries are stored in the MySQL database, from which the generator function reads before writing the configuration files. The configuration files must not be modified by hand, as they are overwritten each time a new configuration is applied through the web interface. Two IAM systems can also be kept synchronized in a high availability scenario: replication is based on the MySQL replication mechanism in a master-master setup. In a master-master setup both systems can be operated on, but not at the same time; a login session does not permit the same user to be connected to both systems at once, which avoids conflicting changes. Since the databases stay in sync automatically, each IAM system runs a cron job every minute that checks whether the database has changed and, if there are new modifications, regenerates the configuration files so they match the system on which the CRUD operations were made. We have named the IAM platform ACS Management, short for Access Control System Management.
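As an added illustration of the Apply and cron steps described above (example code written for this edit, not the ACS Management application's own PHP), the following Python renders a tac_plus.conf and a FreeRADIUS clients.conf from the kind of identity, group, ACL and device entries the interface stores, and fingerprints those entries so a periodic job can decide whether the files need regenerating. The row layout, field names and function names are assumptions made for the example; the tac_plus and FreeRADIUS directives it emits (per-host key blocks, acl, group and user blocks with member and login, client blocks) are the standard ones.

```python
"""Render tac_plus.conf and FreeRADIUS clients.conf from identity, group, ACL and
device entries, and fingerprint the entries so a periodic job can tell whether
the files need regenerating. Added example: this is not the ACS Management code;
the row layout, names and helper functions are assumptions made for illustration.
The real application reads equivalent rows from MySQL."""
import hashlib
import json

# Constructed sample rows standing in for the MySQL tables.
GROUPS = {
    # Full control: tac_plus permits every command for this role.
    "admins": {"full_control": True, "commands": {}, "acl": None},
    # Restricted role: only the listed command prefixes are permitted.
    "users": {"full_control": False, "acl": "access_switches_only",
              "commands": {"show": [".*"], "ping": [".*"]}},
}
# tac_plus matches ACL regexes against the NAS (network device) IP address.
ACLS = {"access_switches_only": {"permit": [r"10\.10\.1\..*"], "deny": [".*"]}}
IDENTITIES = [
    {"username": "alice", "group": "admins", "auth": "ldap"},
    {"username": "neverland", "group": "users", "auth": "local", "password": "S3cret!"},
]
DEVICES = [
    {"name": "core-rtr-1", "ip": "10.10.0.1", "key": "k-core-1"},
    {"name": "acc-sw-1", "ip": "10.10.1.1", "key": "k-acc-1"},
]


def render_tac_plus(groups, acls, identities, devices, global_key=None):
    """Emit tac_plus.conf text; global_key=None means one host block per device."""
    out = ["accounting file = /var/log/tac_plus.acct"]
    if global_key:
        out.append(f'key = "{global_key}"')  # looser: every device shares it
    else:
        for d in devices:  # unknown devices or wrong keys are rejected outright
            out += [f"host = {d['ip']} {{", f'    key = "{d["key"]}"', "}"]
    for name, acl in acls.items():
        out.append(f"acl = {name} {{")
        out += [f"    permit = {r}" for r in acl["permit"]]
        out += [f"    deny = {r}" for r in acl["deny"]]
        out.append("}")
    for name, g in groups.items():
        out.append(f"group = {name} {{")
        if g["acl"]:
            out.append(f"    acl = {g['acl']}")
        if g["full_control"]:
            out.append("    default service = permit")
        else:
            # Without 'default service = permit', unlisted commands are denied.
            out += ["    service = exec {", "        priv-lvl = 15", "    }"]
            for cmd, args in g["commands"].items():
                out.append(f"    cmd = {cmd} {{")
                out += [f"        permit {a}" for a in args]
                out.append("    }")
        out.append("}")
    for ident in identities:
        out += [f"user = {ident['username']} {{", f"    member = {ident['group']}"]
        if ident["auth"] == "local":
            # Cleartext keeps the example short; prefer a crypt hash via 'login = des'.
            out.append(f'    login = cleartext "{ident["password"]}"')
        else:
            out.append("    login = PAM")  # PAM stack configured against the LDAP directory
        out.append("}")
    return "\n".join(out) + "\n"


def render_radius_clients(devices, global_key=None):
    """Emit FreeRADIUS clients.conf; each NAS gets its own secret unless a global one is set."""
    out = []
    for d in devices:
        out += [f"client {d['name']} {{", f"    ipaddr = {d['ip']}",
                f"    secret = {global_key or d['key']}", "}"]
    return "\n".join(out) + "\n"


def config_fingerprint(groups, acls, identities, devices, global_key=None):
    """Hash of the stored rows; the per-minute job compares it with the last applied value."""
    blob = json.dumps([groups, acls, identities, devices, global_key], sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


def apply_if_changed(last_fingerprint, groups, acls, identities, devices, global_key=None):
    """Return (fingerprint, files): files is None when nothing changed since the last apply,
    otherwise a dict of filename -> rendered config to write before restarting the daemons."""
    fp = config_fingerprint(groups, acls, identities, devices, global_key)
    if fp == last_fingerprint:
        return fp, None
    return fp, {"tac_plus.conf": render_tac_plus(groups, acls, identities, devices, global_key),
                "clients.conf": render_radius_clients(devices, global_key)}


if __name__ == "__main__":
    fp, files = apply_if_changed(None, GROUPS, ACLS, IDENTITIES, DEVICES)
    for name, text in files.items():
        print(f"# --- {name} ---\n{text}")
    print("fingerprint:", fp)
```

Running the block prints both files and the fingerprint. The fingerprint comparison is what a per-minute job on the replica would use: store the hash at the last Apply, recompute it from the database each minute, and rewrite the files and restart the daemons only when it differs, since regenerating on every run would restart the services needlessly. The per-device host blocks are the stricter choice; passing global_key reproduces the looser single shared secret.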
For the ACS Management application to work as intended and demonstrate its usefulness, a few important settings must be made first. The application has been configured to retrieve user information from the existing LDAP server, which allows the creation of appropriate identities for the network engineers responsible for maintaining the network equipment. All network equipment has been configured to send its AAA requests to the ACS Management application, which answers each with the appropriate response; in summarized form the result is as shown in Figure 4. When a network administrator logs in on a network device to carry out administration tasks, the proper credentials must be entered at the login prompt. These are the user's credentials from the LDAP directory service, and for authentication to succeed the user must have an identity configured with the proper role and authorization assigned. Every time a user logs in on any network device, the device asks the ACS Management server whether the user exists, whether the supplied credentials are correct and whether the user is authorized to use that service.
In our testing environment we created identities for the users who need to log in to the network equipment. Instead of repeating the same configuration for each identity, we created two groups (roles) in which authorization is configured: an admins group whose members have full control, and a users group for which a set of commands has been defined in the authorization section to limit what its members can do on the equipment, as shown in the figure below:
Users that belong to a group inherit its permissions and ACL selection. As can be seen in Figure 6, we populated the users section with identities and then added a user neverland, assigned to the users group, with the authentication method set to local rather than the LDAP directory; the other users are in the admins group and authenticate against LDAP. Multiple authentication realms can be selected; for the moment local and LDAP are available. The advantage of local authentication is that an identity can be created for a user who is not present in the directory service, by defining a local username and password.
Now, if we log in to a network device with my credentials from the LDAP directory, access is granted with the full authorization stated in the identity configured in the interface, as shown in the figure below:
If we connect as the user neverland, which is a restricted identity, we cannot execute arbitrary commands, only those that have been set in the configuration section, as can be seen in the figure below:
In order for network devices to communicate with ACS Management, a Device Access Control entry must be created for each piece of equipment together with its secret key; this is the recommended method, as it gives strict control over which devices are trusted. Alternatively, a global shared secret key used by all equipment can be defined instead of an entry per device. This is easier to set up but weaker in terms of device trust, since every device shares the same secret and a key recovered from any one of them is valid for all. Additionally, if a user must be restricted to specific equipment, an ACL entry can be defined that specifies the IP addresses of the devices on which that user is allowed to log in. Finally, because the ACS Management application includes the FreeRADIUS component for RADIUS communication, it is straightforward to set up 802.1X on switches and enforce port authentication so that only users with identities configured in the interface are admitted.
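To make concrete what the secret in a Device Access Control entry protects on the wire, here is the TACACS+ body obfuscation of RFC 8907 section 4.5 in Python. This is an added example for this edit, not part of the paper, of ACS Management or of tac_plus; the header layout, constants and pad derivation follow the RFC, while the session id, device keys and authentication START body are constructed for illustration.

```python
"""TACACS+ packet body obfuscation as specified in RFC 8907 section 4.5, to show
what the shared secret in a Device Access Control entry protects on the wire.
Added example, not part of the paper or of tac_plus: header layout, constants
and the pad derivation follow the RFC; the session id, keys and packet body
below are constructed for illustration."""
import hashlib
import os
import struct

TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_VERSION = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in clear (not recommended)
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(...|MD5_n-1);
    the digests are concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no, version=TAC_PLUS_VERSION):
    """XOR the body with the pseudo pad; the inverse is the same operation."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN):
    """Header plus obfuscated body, as a device would send it to the server."""
    header = HEADER.pack(TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet, key):
    """Recover the body using the key the server has on file for this device."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return obfuscate(body, session_id, key, seq_no, version)


def recover_pad(packet, known_body):
    """Known plaintext exposes the pad: the scheme is a stream XOR with no integrity check."""
    return bytes(c ^ p for c, p in zip(packet[HEADER.size:], known_body))


def readable_with(packet, key, expected_body):
    """True if the holder of 'key' can read this device's traffic."""
    return parse_packet(packet, key) == expected_body


if __name__ == "__main__":
    # Constructed: an authentication START body (action, priv_lvl, authen_type,
    # service, then user/port/rem_addr/data lengths) carrying the username 'alice'.
    body = bytes([0x01, 0x01, 0x01, 0x01, 5, 0, 0, 0]) + b"alice"
    sid = int.from_bytes(os.urandom(4), "big")
    per_device = {"core-rtr-1": b"k-core-1", "acc-sw-1": b"k-acc-1"}
    pkt = build_packet(body, sid, per_device["acc-sw-1"], seq_no=1)
    # Per-device keys: the core router's key does not open the access switch's session.
    print("core key reads switch traffic:", readable_with(pkt, per_device["core-rtr-1"], body))
    # Global key: whoever extracts it from any one device reads all of them.
    shared = build_packet(body, sid, b"shared", seq_no=1)
    print("shared key reads switch traffic:", readable_with(shared, b"shared", body))
    print("pad recovered from known body:", recover_pad(pkt, body) ==
          pseudo_pad(sid, per_device["acc-sw-1"], TAC_PLUS_VERSION, 1, len(body)))
```

The server deobfuscates each device's packets with the key on file for that device, so with per-device entries a key taken from one device is useless against another device's sessions; with a global key, every device's sessions are readable to anyone who has extracted the key from a single switch configuration. The scheme is a keyed XOR stream with no integrity protection, and RFC 8907 itself describes it as obfuscation rather than encryption, which is a further reason to keep device trust granular and to keep the AAA traffic on a protected management path.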