what they are allowed to do when they are connected. These design
specifications are identified in the network security policy. The policy
specifies how network administrators, corporate users, remote users,
business partners, and clients access network resources. The network
security policy can also mandate the implementation of an accounting
system that tracks who logged in and when and what they did while
logged in.
Managing network access using only the user EXEC mode or privileged EXEC
mode password commands is limited and does not scale well. Instead,
Authentication, Authorization, and Accounting (AAA) provides the framework
needed for scalable access security.
Cisco IOS routers can be configured to use AAA to access a local username
and password database. Using a local username and password database
provides greater security than a simple password and is a cost-effective
and easily implemented security solution. Cisco IOS routers can also be
configured to use AAA to access a Cisco Secure Access Control Server
(ACS). Using Cisco ACS is very scalable because all infrastructure devices
access a central server. The Cisco Secure ACS solution is also fault tolerant
because multiple servers can be configured. The Cisco Secure ACS
solution is often implemented by large organizations.
AAA Overview
Authentication without AAA
Anyone with the password can gain entry to the device and alter the
configuration. To help provide accountability, local database authentication
may be implemented using one of the following commands:
User EXEC mode or privilege EXEC mode password access is limited and
does not scale well.
AAA Overview
AAA Components
scalability than the con, aux, vty and privileged EXEC authentication
commands alone.
Authentication - Users and administrators must prove that they are who
they say they are. Authentication can be established using username and
password combinations, challenge and response questions, token cards,
and other methods. For example: I am user student. I know the
password to prove that I am user student.
AAA Authentication
Local AAA uses a local database for authentication. This method stores
usernames and passwords locally in the Cisco router, and users
authenticate against the local database, as shown in Figure 2. This
database is the same one required for establishing role-based CLI. Local
AAA is ideal for small networks.
AAA Accounting
Accounting collects and reports usage data so that it can be employed for
purposes such as auditing or billing. The collected data might include the
start and stop connection times, executed commands, number of packets,
and number of bytes.
AAA Characteristics
Authorization
1. The user has authenticated and a session has been established to the AAA
server.
2. When the user attempts to enter a privileged EXEC mode command, the
router requests authorization from the AAA server to verify that the user
has the right to use it.
3. The AAA server returns a PASS/FAIL response.
Authorization is automatic and requires no additional user steps after
authentication.
Step 1. Add usernames and passwords to the local router database for users
that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.
CAUTION: Do not issue the command unless you are prepared to configure
AAA authentication. Doing so could force Telnet users to authenticate with
a username, even if no username database or authentication method is
configured.
Authentication Methods
To specify that a user can authenticate using the enable password, use
the enable keyword.
To enable a specific list name, use the login authentication listname command in line configuration mode.
The option also exists to configure a default list name. When AAA is first
enabled, the default method list named default is automatically applied
to all interfaces and lines, but it has no authentication methods defined.
Additional security can be implemented on the line using the aaa local
authentication attempts max-fail number-of-unsuccessful-attempts command in
global configuration mode. This command secures AAA user accounts by locking
out accounts that have excessive failed attempts.
This command locks the user account if the authentication fails and the
account stays locked until it is cleared by an administrator using:
The command differs from the login delay command in how it handles
failed attempts.
The login delay command introduces a delay between failed login attempts
without locking the account.
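The four-step local AAA procedure above, together with the method-list and max-fail lockout settings just described, can be checked against a device's running configuration. The following is an added example written for this page, not code from the original document or from Cisco: a small Python auditor that parses an IOS-style configuration and reports which of the steps are missing. The hostname R1, the usernames, passwords and the list name SSH-LOGIN in the two embedded sample configs are constructed placeholders, and the audit rules are the page's own four steps rather than any official checklist.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample configs (hypothetical; not taken from any real device).
# WEAK_CONFIG relies on line passwords only; HARDENED_CONFIG follows the four
# steps: local usernames, aaa new-model, method lists applied to lines, lockout.
WEAK_CONFIG = """\
hostname R1
enable password cisco123
username ops password OpsPass1
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
 transport input telnet
end
"""

HARDENED_CONFIG = """\
hostname R1
username admin privilege 15 secret AdminPass-2024
username helpdesk secret HelpdeskPass-2024
aaa new-model
aaa authentication login default local
aaa authentication login SSH-LOGIN local
aaa local authentication attempts max-fail 3
line con 0
 login authentication default
line vty 0 4
 login authentication SSH-LOGIN
 transport input ssh
end
"""

USERNAME_RE = re.compile(r"^username (\S+) .*?\b(secret|password)\b")
LOGIN_LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")
MAX_FAIL_RE = re.compile(r"^aaa local authentication attempts max-fail (\d+)$")
LINE_RE = re.compile(r"^line (.+)$")


@dataclass
class AaaAudit:
    aaa_enabled: bool = False
    enable_password_plain: bool = False
    secret_users: List[str] = field(default_factory=list)
    plain_password_users: List[str] = field(default_factory=list)
    login_lists: Dict[str, List[str]] = field(default_factory=dict)  # list name -> methods
    line_auth: Dict[str, Optional[str]] = field(default_factory=dict)  # "vty 0 4" -> list name
    max_fail: Optional[int] = None
    findings: List[str] = field(default_factory=list)


def audit_aaa(config: str) -> AaaAudit:
    """Parse an IOS-style running-config and report gaps against the four steps."""
    a = AaaAudit()
    current_line = None
    for raw in config.splitlines():
        if raw.startswith(" "):            # indented: inside a 'line ...' block
            words = raw.split()
            if current_line and words[:2] == ["login", "authentication"]:
                a.line_auth[current_line] = words[2]
            continue
        current_line = None
        text = raw.strip()
        if text == "aaa new-model":
            a.aaa_enabled = True
        elif text.startswith("enable password "):
            a.enable_password_plain = True
        elif m := USERNAME_RE.match(text):
            target = a.secret_users if m.group(2) == "secret" else a.plain_password_users
            target.append(m.group(1))
        elif m := LOGIN_LIST_RE.match(text):
            a.login_lists[m.group(1)] = m.group(2).split()
        elif m := MAX_FAIL_RE.match(text):
            a.max_fail = int(m.group(1))
        elif m := LINE_RE.match(text):
            current_line = m.group(1)
            a.line_auth.setdefault(current_line, None)

    if not a.aaa_enabled:
        a.findings.append("Step 2: 'aaa new-model' missing; lines use line passwords with no per-user accountability")
    if a.enable_password_plain:
        a.findings.append("'enable password' stores a reversible secret; use 'enable secret'")
    for user in a.plain_password_users:
        a.findings.append(f"Step 1: username {user} uses reversible 'password'; use 'secret'")
    if a.aaa_enabled and not a.login_lists:
        a.findings.append("Step 3: no 'aaa authentication login' method list defined")
    for line, list_name in a.line_auth.items():
        effective = list_name or "default"   # AAA applies the 'default' list to lines with none
        if a.aaa_enabled and effective not in a.login_lists:
            a.findings.append(f"Step 3: line {line} uses list '{effective}', which has no methods defined")
    if a.max_fail is None:
        a.findings.append("No 'aaa local authentication attempts max-fail' lockout configured")
    return a


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_aaa(cfg).findings or ["no findings"])
```

The check for lines that carry no login authentication command encodes the caveat in the text: once aaa new-model is on, a line with no explicit list silently uses the default list, and if that list has no methods defined the line has no working authentication. Running the auditor over a fresh show running-config capture is a reasonable Step 4 confirmation before relying on the lockout behaviour.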
Troubleshooting Local AAA Authentication
Debug Options
To solve this challenge, one or more AAA servers, such as Cisco Secure
ACS, can be used to manage the user and administrative access needs for
an entire corporate network. Cisco Secure ACS can create a central user
and administrative access database that all devices in the network can
access. It can also work with many external databases, including Active
Directory and Lightweight Directory Access Protocol (LDAP). These
databases store user account information and passwords, allowing for
central administration of user accounts, as shown in Figure 2.
RADIUS works in both local and roaming situations, and is commonly used
for accounting purposes.
Authentication: UDP port 1645 or 1812
Accounting: UDP port 1646 or 1813
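What actually crosses UDP port 1812 is an Access-Request answered by an Access-Accept or Access-Reject. The following is an added example written for this page, not code from the original document or from Cisco or any RADIUS product: a minimal RFC 2865 round trip in Python with both the client (NAS) and the server side run in memory, showing how the User-Password attribute is hidden with the shared secret and how the client checks the Response Authenticator. The user names, passwords, shared secrets and packet identifier are constructed placeholders, and the user store is a plain dictionary.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

# Codes and attribute types from RFC 2865; ports as given in the text above.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks; XOR each block with
    MD5(secret + previous block), the first 'previous block' being the
    Request Authenticator. The shared secret is the only key material."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden, prev = hidden + block, block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped again."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; the length counts its 2 header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, username: str, password: str, secret: bytes,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Client (NAS) side: 4-byte header, 16-byte random Request Authenticator, attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, username.encode()) + \
        attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_respond(request: bytes, secret: bytes, users: Dict[str, bytes]) -> bytes:
    """Server side: unhide the password, compare with the user store, answer Accept/Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = code == ACCESS_REQUEST and users.get(user) == password
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", reply, ident, 20)
    return header + response_authenticator(reply, ident, b"", request_auth, secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: only trust a reply whose Response Authenticator matches."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, response[20:length], request_auth, secret)
    return hmac.compare_digest(response[4:20], expected)


def exchange(username: str, password: str, client_secret: bytes, server_secret: bytes,
             users: Dict[str, bytes], request_auth: Optional[bytes] = None) -> Tuple[int, bool]:
    """One in-memory round trip; returns (reply code, whether the reply verified)."""
    request_auth = request_auth or os.urandom(16)
    req = build_access_request(7, username, password, client_secret, request_auth)
    resp = server_respond(req, server_secret, users)
    return resp[0], verify_response(resp, request_auth, client_secret)


if __name__ == "__main__":
    users = {"student": b"cisco"}  # constructed user store
    print(exchange("student", "cisco", b"constructed-secret", b"constructed-secret", users))
```

Two points worth drawing out of the code: the password on the wire is protected only by the MD5-based masking keyed with the shared secret, and the Response Authenticator is the only thing that stops a client from accepting a forged Accept. Both depend entirely on a long, per-client shared secret, which is why RADIUS between Cisco devices and the ACS is normally confined to a management network or carried inside IPsec rather than sent across user-reachable segments.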
Allows greater flexibility and mobility, increased security, and user productivity gains.
Product flexibility - Can be used across virtually any network access server
that Cisco sells.
Cisco devices that are not Cisco IOS AAA clients must be
configured with TACACS+, RADIUS, or both.
The computer running Cisco Secure ACS must be able to reach all
AAA clients using ping.