
A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design specifications are identified in the network security policy. The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources. The network security policy can also mandate the implementation of an accounting system that tracks who logged in and when and what they did while logged in.

Managing network access using only the user mode or privilege mode
password commands is limited and does not scale well. Instead, using the
Authentication, Authorization, and Accounting (AAA) protocol provides the
necessary framework to enable scalable access security.

Cisco IOS routers can be configured to use AAA to access a local username
and password database. Using a local username and password database
provides greater security than a simple password and is a cost-effective
and easily implemented security solution. Cisco IOS routers can also be
configured to use AAA to access a Cisco Secure Access Control Server
(ACS). Using Cisco ACS is very scalable because all infrastructure devices
access a central server. The Cisco Secure ACS solution is also fault tolerant
because multiple servers can be configured. The Cisco Secure ACS
solution is often implemented by large organizations.

AAA Overview
Authentication without AAA

Many types of authentication methods can be performed on a Cisco device, and each method offers varying levels of security.

The simplest form of authentication is passwords.

Password-only logins are very vulnerable to brute-force attacks, and do not provide accountability.

Anyone with the password can gain entry to the device and alter the configuration. To help provide accountability, local database authentication may be implemented using one of the following commands:

username username password password

username username secret password

Password Only Method


User EXEC mode or privilege EXEC mode password access is limited and
does not scale well.

The local database method creates individual user accounts on each device with a specific password assigned to each user, as shown in Figure 1. The local database method provides additional security, because an attacker is required to know a username and a password. It also provides more accountability, because the username is recorded when a user logs in. Keep in mind that the username password command combination displays the password in plaintext in the configuration file if the service password-encryption command is not configured. The username secret combination is highly recommended because it provides MD5-style encryption.

Local Database Method


R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local

It provides greater security than a simple password.

It's a cost-effective and easily implemented security solution.

A better solution is to have all devices refer to the same database of usernames and passwords from a central server.

AAA Overview
AAA Components

AAA network security services provide the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting). It provides a higher degree of scalability than the con, aux, vty and privileged EXEC authentication commands alone.

Network and administrative AAA security in the Cisco environment has several functional components:

Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. For example: "I am user 'student'. I know the password to prove that I am user 'student'."

Authorization - After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is "User 'student' can access host server XYZ using Telnet only."

Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is "User 'student' accessed host server XYZ using Telnet for 15 minutes."

AAA Authentication

AAA can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access. These two access methods use different modes to request AAA services, as shown in Figure 1:

1. Character mode - A user sends a request to establish an EXEC mode process with the router for administrative purposes.
2. Packet mode - A user sends a request to establish a connection through the router with a device on the network.

With the exception of accounting commands, all AAA commands apply to both character mode and packet mode. This topic focuses on securing character mode access. For a truly secure network, it is important to also configure the router for secure administrative access and remote LAN network access using AAA services. Cisco provides two common methods of implementing AAA services.

Local AAA Authentication

Local AAA uses a local database for authentication. This method stores
usernames and passwords locally in the Cisco router, and users
authenticate against the local database, as shown in Figure 2. This
database is the same one required for establishing role-based CLI. Local
AAA is ideal for small networks.

Server-Based AAA Authentication

The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, as shown in Figure 3, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.

Note: In this course the focus is on implementing network security with IPv4 on Cisco routers, switches, and Adaptive Security Appliances. On occasion, references are made to IPv6-specific technologies and protocols.

AAA Accounting

Accounting collects and reports usage data so that it can be employed for
purposes such as auditing or billing. The collected data might include the
start and stop connection times, executed commands, number of packets,
and number of bytes.

Accounting is implemented using an AAA server-based solution. This service reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the configuration of the network.

One widely deployed use of accounting is combining it with AAA authentication for managing access to internetworking devices by network administrative staff. Accounting provides more security than just authentication. The AAA servers keep a detailed log of exactly what the authenticated user does on the device, as shown in Figure 1. Further descriptions of the different types of accounting that are logged are shown in Figure 2. This includes all EXEC and configuration commands issued by the user. The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. This information is useful when troubleshooting devices. It also provides leverage against individuals who perform malicious actions.

AAA Characteristics
Authorization

1. The user has authenticated and a session has been established to the AAA server.
2. When the user attempts to enter a privileged EXEC mode command, the router requests authorization from the AAA server to verify that the user has the right to use it.
3. The AAA server returns a PASS/FAIL response.
Authorization is automatic and does not require additional user steps after authentication.

Accounting

1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user logs out, a stop message is recorded and the accounting process ends.
One use of accounting is to combine it with authentication for managing access to internetworking devices by network administrative staff.

Configuring Local AAA Authentication with CLI


Authenticating Administrative Access

The Local AAA Authentication method is similar to using the login local command with one exception. AAA also provides a way to configure backup methods of authentication.

Configuring local AAA services to authenticate administrator access (character mode access) requires a few basic steps:

Step 1. Add usernames and passwords to the local router database for users
that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.

To enable AAA, use the aaa new-model global configuration mode command. AAA commands can now be configured.
To disable AAA, use the no aaa new-model command.

CAUTION: Do not issue the aaa new-model command unless you are prepared to configure AAA authentication. Doing so could force Telnet users to authenticate with a username, even if no username database or authentication method is configured.

Authentication Methods

To configure authentication on vty ports, asynchronous lines (tty), the auxiliary port, or the console port, define a named list of authentication methods and then apply that list to the various interfaces.

To define a named list of authentication methods, use the aaa authentication login command.

Login - enables AAA for logins on TTY, VTYs, and con 0.
Enable - enables AAA for EXEC mode access.
PPP - enables AAA for logins on PPP (packet transfer).


To enable local authentication using a preconfigured local database, use the local or local-case (case-sensitive) keyword.

To specify that a user can authenticate using the enable password, use
the enable keyword.

A minimum of one method and a maximum of four methods can be specified for a single method list. When a user attempts to log in, the first method listed is used.

Configuring Local AAA Authentication with CLI


Default and Named Methods

The defined list of authentication methods must be applied to specific interfaces or lines. Different method lists can be applied to different interfaces and lines.

To enable a specific list name, use the login authentication listname command in line configuration mode.

The option also exists to configure a default list name. When AAA is first
enabled, the default method list named default is automatically applied
to all interfaces and lines, but it has no authentication methods defined.

To assign multiple authentication methods to the default list, use the command aaa authentication login default method1...[method2].

Configuring Local AAA Authentication with CLI


Locking Accounts with Excessive Failed Attempts

Additional security can be implemented on the line using the aaa local authentication attempts max-fail number-of-unsuccessful-attempts command in global configuration mode.

This command secures AAA user accounts by locking out accounts that
have excessive failed attempts.

To show locked out users

This command locks the user account if the authentication fails and the
account stays locked until it is cleared by an administrator using:

clear aaa local user lockout {username username | all}

The command differs from the login delay command in how it handles
failed attempts.

The login delay command introduces a delay between failed login attempts
without locking the account.

Troubleshooting Local AAA Authentication
Debug Options

The debug aaa authentication command is instrumental when troubleshooting AAA problems. Look specifically for GETUSER and GETPASS status messages. These messages are helpful when identifying which method list is referenced.

Server-Based AAA Characteristics


Comparing Local and Server-Based AAA

Local implementations of AAA do not scale well. Most corporate environments have multiple Cisco routers with multiple router administrators and hundreds or thousands of users needing access to the corporate LAN. Maintaining a local database for each Cisco router for this size of network is not feasible.

To solve this challenge, one or more AAA servers, such as Cisco Secure
ACS, can be used to manage the user and administrative access needs for
an entire corporate network. Cisco Secure ACS can create a central user
and administrative access database that all devices in the network can
access. It can also work with many external databases, including Active
Directory and Lightweight Directory Access Protocol (LDAP). These
databases store user account information and passwords, allowing for
central administration of user accounts, as shown in Figure 2.

Both TACACS+ and RADIUS can be used to communicate between the client and AAA servers.

TACACS+ is considered the more secure protocol because all exchanges are encrypted.

RADIUS only encrypts the user password. It does not encrypt user names, accounting information, or any other information carried in the RADIUS message.

TACACS+ and RADIUS are both authentication protocols. Each supports different capabilities and functionality, as shown in the figure. Whether TACACS+ or RADIUS is selected depends on the needs of the organization. For example, a large ISP might select RADIUS because it supports detailed accounting required for billing users. An organization with various user groups might select TACACS+ because it requires select authorization policies to be applied on a per-user or per-group basis.

It is important to understand the many differences between the TACACS+ and RADIUS protocols.

Critical factors for TACACS+ include:

1. Is incompatible with its predecessors TACACS and XTACACS
2. Separates authentication and authorization
3. Encrypts all communication
4. Utilizes TCP port 49

Critical factors for RADIUS include:

1. Uses RADIUS proxy servers for scalability
2. Combines RADIUS authentication and authorization as one process
3. Encrypts only the password
4. Utilizes UDP
5. Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)

TACACS+ and RADIUS are both authentication protocols with different capabilities and functionality.

Server-Based AAA Communication Protocols


TACACS+ Authentication

TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.

TACACS+ offers multiprotocol support.

TACACS+ operation encrypts the entire body of the packet.

TACACS+ utilizes TCP port 49.

Server-Based AAA Communication Protocols


RADIUS Authentication

RADIUS is an open IETF standard AAA protocol for applications such as network access or IP mobility.

RADIUS works in both local and roaming situations, and is commonly used
for accounting purposes.

RADIUS hides passwords during transmission.

UDP port 1645 or 1812 is used for authentication.
UDP port 1646 or 1813 is used for accounting.

RADIUS combines authentication and authorization as one process.

RADIUS is widely used by VoIP service providers.
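To make concrete the two statements above (RADIUS hides the password during transmission, but user names and everything else in the message travel unencrypted), the following Python implements the User-Password hiding from RFC 2865 section 5.2 and assembles the attribute section of an Access-Request, then decodes it to show which values are readable as sent. This is an added example, not code from the course or from Cisco; the shared secret and the 16-octet Request Authenticator are constructed values, and the Admin account reuses the credentials from the local database example earlier on this page.

```python
import hashlib

USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute types (RFC 2865 section 5)

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: NUL-pad to 16-octet chunks, XOR each chunk with
    b1 = MD5(secret + RequestAuthenticator), b_i = MD5(secret + c_(i-1))."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RADIUS limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += chunk
        prev = chunk  # the next keystream block chains on this ciphertext chunk
    return bytes(hidden)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does: same keystream, XOR is self-inverse, strip NULs."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(chunk, keystream))
        prev = chunk
    return bytes(plain).rstrip(b"\x00")

def radius_attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length includes the 2 header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([attr_type, len(value) + 2]) + value

def access_request_attributes(username: bytes, password: bytes,
                              secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: only User-Password is hidden."""
    return (radius_attribute(USER_NAME, username)
            + radius_attribute(USER_PASSWORD, hide_user_password(password, secret, authenticator)))

def parse_attributes(blob: bytes) -> list:
    """Decode the TLV list; every value except type 2 is readable exactly as sent."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs

if __name__ == "__main__":
    SECRET = b"example-shared-secret"  # constructed placeholder, not a real secret
    RA = bytes(range(16))               # constructed; a real client sends 16 random octets
    for attr_type, value in parse_attributes(
            access_request_attributes(b"Admin", b"Str0ng5rPa55w0rd", SECRET, RA)):
        print(attr_type, value)         # type 1 prints b'Admin' verbatim; type 2 does not
```

The same keystream construction protects nothing but attribute type 2, which is why the accounting records and user names mentioned above are visible to anyone who can read the datagram, and why the TACACS+ full-body encryption described earlier is considered the stronger choice.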


Cisco Secure ACS
TACACS+ and RADIUS with Cisco Secure ACS
Cisco Secure ACS for Windows Server is a single solution that offers AAA
for both TACACS+ and RADIUS, and the following benefits:

Extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution.

Allows greater flexibility and mobility, increased security, and user productivity gains.

Enforces a uniform security policy for all users, regardless of how they access the network.

Reduces the administrative and management burden when scaling user and network administrator access to the network.

Cisco Secure ACS


Cisco Secure ACS Features

Cisco Secure ACS provides a variety of advanced features:

Automatic service monitoring

Database synchronization and importing of tools for large-scale deployments

Lightweight Directory Access Protocol (LDAP) user authentication support

User and administrative access reporting

Restrictions to network access based on criteria such as the time of day and the day of week

User and device group profiles


Cisco Secure ACS
Cisco Secure ACS High Performance and Scalability
Cisco Secure ACS has many high-performance and scalability
features:

Ease of use - A web-based user interface simplifies and distributes the configuration.

Scalability - Cisco Secure ACS is built to provide large networked environments with support for redundant servers, remote databases, and database replication and backup services.

Extensibility - LDAP authentication forwarding supports the authentication of user profiles that are stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.

Management - Microsoft Windows Active Directory support.

Administration - Different access levels for each Cisco Secure ACS administrator and the ability to group network devices together.

Product flexibility - Can be used across virtually any network access server
that Cisco sells.

Configuring Cisco Secure ACS


Software and Network Requirements
The network should meet specified requirements before administrators
begin deploying Cisco Secure ACS:

Cisco devices that are not Cisco IOS AAA clients must be
configured with TACACS+, RADIUS, or both.

Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA clients.

The computer running Cisco Secure ACS must be able to reach all AAA clients using ping.

Gateway devices between the Cisco Secure ACS and other network devices must permit communication over the ports that are needed to support the applicable feature or protocol.

A supported web browser must be installed on the computer running Cisco Secure ACS.

All NICs in the computer running Cisco Secure ACS must be enabled.

GO THROUGH PAGE 37
