
Chapter 3:

Authentication,
Authorization, and
Accounting
CCNA-Security

2008 Cisco Systems, Inc. All rights reserved.

Chapter 3: Objectives
In this chapter you will:
Describe the importance of AAA as it relates to authentication,
authorization, and accounting.
Describe the characteristics of AAA.
Configure AAA authentication, using the CLI, to validate users against a
local database.
Troubleshoot AAA authentication that validates users against a local
database.
Describe the benefits of server-based AAA.
Compare the TACACS+ and RADIUS authentication protocols.
Configure server-based AAA authentication, using the CLI, on Cisco
routers.


Chapter 3
3.0 Introduction
3.1 Purpose of AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
3.4 Server-Based AAA Authentication
3.5 Server-Based AAA Authorizing and Accounting
3.6 Summary


3.1 Purpose of AAA


AAA Overview

Authentication without AAA


Many types of authentication methods can be performed on a Cisco device, and each method offers a different level of security.
The simplest form of authentication is a password.
Password-only logins are very vulnerable to brute-force attacks, and because the password is shared and no username is recorded, they provide no accountability.


Password Only Method

Figure: a remote user on the Internet connects to R1 over Telnet and is prompted only for a password. Three wrong guesses are rejected:

User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords

R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

User EXEC mode or privileged EXEC mode password access is limited and does not scale well.

AAA Overview

Authentication without AAA

The local database method provides additional security, because an attacker is required to know a username and a password. It also provides more accountability, because the username is recorded when a user logs in.
To help provide accountability, local database authentication may be implemented using one of the following commands:
username username password password
username username secret password
Keep in mind that the username password command stores the password in plaintext in the configuration file if the service password-encryption command is not configured, and even with it the password is only type 7 encoded, which is trivially reversible. The username secret combination is highly recommended because it stores a salted MD5 hash (type 5) instead of the password itself; newer IOS releases also offer the stronger type 8 (PBKDF2) and type 9 (scrypt) hashes through the algorithm-type keyword.

Local Database Method

Figure: a remote user on the Internet connects to R1 over Telnet, sees the banner "Welcome to SPAN Engineering", and is now prompted for a username and a password. Wrong guesses are rejected:

User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco
% Login invalid
Username: Admin
Password: cisco12
% Login invalid

R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local

It provides greater security than a simple password.
It is a cost-effective and easily implemented security solution.
A better solution is to have all devices refer to the same database of usernames and passwords on a central server.

AAA Overview

AAA Components
Network and administrative AAA security in the Cisco environment has several functional components:
Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.
Authorization - After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.

AAA - Credit Card Analogy

Authentication - Who are you?
Authorization - How much can you spend?
Accounting - What did you spend it on?

AAA Characteristics

Authentication Modes
AAA can be used to authenticate users for administrative access or to
authenticate users for remote network access. These two access
methods use different modes to request AAA services.

Character mode - A user sends a request to establish an EXEC mode process with the router for administrative purposes.
Packet mode - A user sends a request to establish a connection through the router with a device on the network.

AAA Authentication Methods

Cisco IOS routers can implement AAA using either a local username and password database or a Cisco Secure Access Control Server (ACS):
Local AAA Authentication - Uses a local database for authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database.
Server-Based AAA Authentication - Uses an external database server that the router reaches with the RADIUS or TACACS+ protocol.

AAA Characteristics

Authorization

Figure: Remote Client -> AAA Router -> Cisco Secure ACS Server (steps 1 to 3)

1. The user has authenticated and a session has been established to the AAA server.
2. When the user attempts to enter a privileged EXEC mode command, the router requests authorization from the AAA server to verify that the user has the right to use it.
3. The AAA server returns a PASS/FAIL response.
Authorization is automatic and does not require additional user steps after authentication.

AAA Characteristics

Accounting
Provides the method for collecting usage information and sending it to the security server.
Used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands, and numbers of packets and bytes.
With AAA accounting activated, the router reports user activity to the TACACS+ or RADIUS security server in the form of accounting records.
Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces or lines.

AAA Characteristics

Accounting

Figure: Remote Client -> AAA Router -> Cisco Secure ACS Server (steps 1 and 2)

1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user logs out, a stop message is recorded and the accounting process ends.
One use of accounting is to combine it with authentication for managing access to internetworking devices by network administrative staff.

3.2 Local AAA Authentication

Configuring Local AAA Authentication with CLI

Authenticating Administrative Access

The Local AAA Authentication method is similar to using the login local command, with one exception: AAA also provides a way to configure backup methods of authentication that are used when the primary method is unavailable.
Configuring local AAA services to authenticate administrator access (character mode access) requires a few basic steps:
Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.

Configuring Local AAA Authentication with CLI

Authentication Methods
To enable AAA, use the aaa new-model global configuration mode command.
AAA commands can now be configured.
To disable AAA, use the no aaa new-model command.

CAUTION:
Do not issue the command unless you are prepared to configure AAA authentication. As soon as aaa new-model is entered, the line-level login command is replaced by login authentication, and Telnet (vty) users are prompted for a username and password that are checked against the local database, even if no username or method list has been configured. Create at least one username secret entry first, and keep your current session open until a second session has logged in successfully, so that a mistake cannot lock you out.

R1(config)# aaa new-model

Configuring Local AAA Authentication with CLI

Authentication Methods
To configure authentication on vty ports, asynchronous lines (tty), the auxiliary port, or the console port, define a named list of authentication methods and then apply that list to the various lines.
To define a named list of authentication methods, use the aaa authentication login command.
The aaa authentication command has three main forms:
login - enables AAA for logins on TTY, VTY, AUX, and con 0 lines.
enable - enables AAA for privileged EXEC (enable command) access.
ppp - enables AAA for PPP logins (packet mode).

Configuring Local AAA Authentication with CLI

Authentication Methods Cont.

To configure authentication, define a named list of authentication methods, and then apply that list to the various lines.
To define a named list of authentication methods, use the aaa authentication login command.
To enable local authentication using a preconfigured local database, use the local or local-case (case-sensitive username) keyword.
To specify that a user can authenticate using the enable password, use the enable keyword.
A minimum of one method and a maximum of four methods can be specified for a single method list. When a user attempts to log in, the first method listed is used. The next method in the list is tried only if the previous method returns an error (for example, an unreachable AAA server); a failed authentication (wrong username or password) is final and does not fall through to the next method. Listing local-case after the server groups therefore gives an administrator a way in when the servers are down, not an attacker a second chance at guessing a password.

Configuring Local AAA Authentication with CLI

Default and Named Methods

The defined list of authentication methods must be applied to specific interfaces or lines. Different method lists can be applied to different interfaces and lines.
To enable a specific list name, use the login authentication list-name command in line configuration mode.
The option also exists to configure a default list name. When AAA is first enabled, the default method list named default is automatically applied to all interfaces and lines, but it has no authentication methods defined by the administrator; until one is defined, vty logins are checked against the local database.
To assign multiple authentication methods to the default list, use the command aaa authentication login default method1 [method2 ...].
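A complete local AAA configuration that carries out the four steps above (local accounts, aaa new-model, method lists, verification), as an added example that is not part of the original slides. The usernames, secrets, and the list name CONSOLE-LOGIN are assumed for illustration.

```text
! Step 1: local accounts. Use secret (hashed), never password (type 7, reversible).
R1(config)# username Admin privilege 15 secret Str0ng5rPa55w0rd
R1(config)# username Helpdesk privilege 1 secret H3lpd3sk-Pa55w0rd
R1(config)# enable secret En4ble-Pa55w0rd

! Step 2: enable AAA. From here on the line-level "login" command is replaced by
! "login authentication" and vty logins are checked against the local database.
R1(config)# aaa new-model

! Step 3: method lists. The default list is applied to every line automatically.
! local-case makes the username check case-sensitive.
R1(config)# aaa authentication login default local-case
! Named list for the console: local database first; the enable secret is consulted
! only if the local method returns an error, not when it rejects a wrong password.
R1(config)# aaa authentication login CONSOLE-LOGIN local-case enable
! Privileged EXEC access (the enable command) also goes through AAA.
R1(config)# aaa authentication enable default enable

! Apply the named list to the console; vty and aux keep the default list.
R1(config)# line console 0
R1(config-line)# login authentication CONSOLE-LOGIN
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# login authentication default
R1(config-line)# exit

! Step 4: confirm. Keep this session open and log in from a second session
! before logging out, so a mistake in the lists cannot lock you out.
R1# show running-config | include ^aaa|^username|login authentication
R1# debug aaa authentication
```

The show filter uses the IOS regular-expression syntax to print only the AAA, username, and line-level authentication statements, which is usually enough to spot a list that was defined but never applied.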

Configuring Local AAA Authentication with CLI

Locking Accounts with Excessive Failed Attempts

Additional security for local AAA accounts can be implemented with the aaa local authentication attempts max-fail number-of-unsuccessful-attempts command in global configuration mode.
This command secures AAA user accounts by locking out accounts that have excessive failed attempts. It applies to users authenticated through the AAA local methods (local or local-case), not to the line-level login local command.
To show locked-out users, use the show aaa local user lockout command.

Configuring Local AAA Authentication with CLI

Locking a User Account

This command locks the user account once the configured number of failed authentications is reached, and the account stays locked until it is cleared by an administrator using:
clear aaa local user lockout {username username | all}

The command differs from the login delay command in how it handles failed attempts.
The login delay command introduces a delay between successive login attempts without locking the account; it slows down brute-force guessing but does not stop it. A lockout stops guessing, but an attacker who knows an administrator's username can deliberately fail logins to lock that administrator out, so keep a console path or a second account available and monitor the lockout state.
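The lockout and delay settings side by side, with the commands used to inspect and clear a lockout, as an added example that is not part of the original slides. The threshold of three attempts, the two-second delay, and the username Admin are assumed.

```text
! Lock a local AAA account after three consecutive failed authentications
! (global configuration, requires aaa new-model).
R1(config)# aaa local authentication attempts max-fail 3

! Independently, slow every retry by 2 seconds and log both failed and
! successful logins so that the accounting trail shows the guessing.
R1(config)# login delay 2
R1(config)# login on-failure log
R1(config)# login on-success log

! Verification: list accounts that are currently locked out.
R1# show aaa local user lockout

! Recovery by an administrator, for one account or for all of them.
R1# clear aaa local user lockout username Admin
R1# clear aaa local user lockout all
```

The lockout counter only protects accounts in the local database; when authentication is handled by a TACACS+ or RADIUS server, the equivalent policy is configured on the server.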

Troubleshooting Local AAA Authentication

Debug Options
The debug aaa authentication command is instrumental when troubleshooting AAA problems.
Look specifically for GETUSER and GETPASS status messages.
These messages are helpful when identifying which method list is referenced. In the output below, the login on tty1 used the "default" list with Method=LOCAL, prompted for the username (GETUSER) and the password (GETPASS), and finished with status = PASS for user diallocal. A final status of FAIL points at a wrong credential; an ERROR points at a method that could not run, which is what triggers fallback to the next method in the list. Turn the debug off with undebug all when finished, since it is noisy on a busy device.

R1# debug aaa authentication

113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

3.3 Server-Based AAA


Server-Based AAA Characteristics

Comparing Local and Server-Based AAA

Local implementations of AAA do not scale well. To solve this challenge, one or more AAA servers can be used to manage the user and administrative access needs for an entire corporate network.
Cisco Secure ACS can work with many external databases, including Active Directory and Lightweight Directory Access Protocol (LDAP) directories.

Server-Based AAA Characteristics

Introducing Cisco Secure Access Control Server

The Cisco Secure ACS family of products supports both the Terminal Access Controller Access-Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) protocols.

Server-Based AAA Communication Protocols

Introducing TACACS+ and RADIUS

Both protocols can be used to communicate between the AAA client (the router) and AAA servers.
TACACS+ is considered the more secure protocol because the entire packet body is encrypted with the shared key; only the header travels in cleartext.
RADIUS only encrypts (obfuscates) the user password attribute.
It does not encrypt usernames, accounting information, or any other attribute carried in the RADIUS message, so anyone who can capture the traffic can read them. Both protocols derive their protection from a shared secret combined with MD5, so use a long, random key per device and keep AAA traffic on a protected management network.

Server-Based AAA Communication Protocols

Introducing TACACS+ and RADIUS

TACACS+ and RADIUS are both AAA protocols with different capabilities and functionality:
TACACS+ - Cisco-developed; TCP port 49; encrypts the entire packet body; separates authentication, authorization, and accounting; supports per-command authorization; multiprotocol support.
RADIUS - open IETF standard; UDP ports 1812/1813 (legacy 1645/1646); encrypts only the password; combines authentication and authorization in one exchange; detailed accounting, widely used for network access.

Server-Based AAA Communication Protocols

TACACS+ Authentication
TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.
TACACS+ offers multiprotocol support.
TACACS+ operation encrypts the entire body of the packet; only the header is sent in cleartext.
TACACS+ uses TCP port 49.
TACACS+ separates authentication, authorization, and accounting, which is why it is the usual choice for per-command authorization of administrators.

Server-Based AAA Communication Protocols

RADIUS Authentication
RADIUS is an open IETF standard AAA protocol for applications such as network access or IP mobility.
RADIUS works in both local and roaming situations, and is commonly used for accounting purposes.
RADIUS hides passwords during transmission: the User-Password attribute is obfuscated with the shared secret, while every other attribute is sent in cleartext.
Authentication and authorization: UDP port 1812 (legacy 1645). Accounting: UDP port 1813 (legacy 1646).
RADIUS combines authentication and authorization as one process: the Access-Accept reply carries the authorization attributes.
RADIUS is widely used by VoIP service providers.

Cisco Secure ACS

TACACS+ and RADIUS with Cisco Secure ACS

Cisco Secure ACS for Windows Server is a single solution that offers AAA for both TACACS+ and RADIUS, and the following benefits:
Extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution.
Allows greater flexibility and mobility, increased security, and user-productivity gains.
Enforces a uniform security policy for all users, regardless of how they access the network.
Reduces the administrative and management burden when scaling user and network administrator access to the network.

Cisco Secure ACS

Cisco Secure ACS Features

Cisco Secure ACS provides a variety of advanced features:
Automatic service monitoring
Database synchronization and importing tools for large-scale deployments
Lightweight Directory Access Protocol (LDAP) user authentication support
User and administrative access reporting
Restrictions to network access based on criteria such as the time of day and the day of week
User and device group profiles

Cisco Secure ACS

Cisco Secure ACS High Performance and Scalability


Cisco Secure ACS has many high-performance and scalability features:
Ease of use - A web-based user interface simplifies and distributes the
configuration.
Scalability - Cisco Secure ACS is built to provide large networked
environments with support for redundant servers, remote databases, and
database replication and backup services.
Extensibility - LDAP authentication forwarding supports the authentication of
user profiles that are stored in directories from leading directory vendors,
including Sun, Novell, and Microsoft.
Management - Microsoft Windows Active Directory support.
Administration - Different access levels for each Cisco Secure ACS
administrator and the ability to group network devices together.
Product flexibility - Can be used across virtually any network access server
that Cisco sells.


Configuring Cisco Secure ACS

Software and Network Requirements


The network should meet specified requirements before administrators
begin deploying Cisco Secure ACS:
Cisco devices that are not Cisco IOS AAA clients must be configured with
TACACS+, RADIUS, or both.
Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA
clients.
The computer running Cisco Secure ACS must be able to reach all AAA
clients using ping.
Gateway devices between the Cisco Secure ACS and other network devices
must permit communication over the ports that are needed to support the
applicable feature or protocol.
A supported web browser must be installed on the computer running Cisco
Secure ACS.
All NICs in the computer running Cisco Secure ACS must be enabled.


Configuring Cisco Secure ACS

Cisco Secure ACS Homepage


Configuring Cisco Secure ACS

Adding Cisco Secure ACS Clients

The specific steps to add and configure a client vary between ACS versions, but it is done through the Network Configuration page (4.x) or the Network Resources page (5.x) by clicking Add Entry. Each client entry carries the router's IP address, the protocol (TACACS+ or RADIUS), and the shared secret, which must match the key configured on the router.

Configuring Cisco Secure ACS

Adding Cisco Secure ACS Clients Cont.


The User Data Configuration link on the Interface Configuration page
enables administrators to customize the fields that appear in the user
setup and configuration windows.


Configuring Cisco Secure ACS

Cisco Secure ACS Databases


Cisco Secure ACS can be configured to forward
authentication of users to one or more external user
databases.
Support for external user databases means that Cisco
Secure ACS does not require duplicate user entries to be
created in the Cisco Secure user database.
To establish an external user database connection, you
must access the External User Databases page.


Configuring Cisco Secure ACS

Cisco Secure ACS Databases Cont.


When configuring the ACS external databases, there are three
major options:
Unknown User Policy - Configures the authentication
procedure for users that are not located in the Cisco Secure
ACS database.
Database Group Mappings - Configures what group
privileges external database users inherit when Cisco Secure
ACS authenticates them. In most cases, the actual privileges
are drawn from Cisco Secure ACS and not the external
database.
Database Configuration - Defines the external servers that
Cisco Secure ACS works with.


Configuring Cisco Secure ACS Users and Groups

Cisco Secure ACS User Setup


Add a user account and configure user access from the User Setup
page.


3.4 Server-Based AAA Authentication

Configuring Server-Based AAA Authentication

Configuring Server-Based AAA Authentication with CLI


Server-based AAA must identify various TACACS+ and RADIUS servers
that the AAA service should consult when authenticating and authorizing
users.


Configuring Server-Based AAA Authentication

Configuring the CLI for TACACS+ and RADIUS Servers

Globally enable AAA by using the aaa new-model command.
Configure a TACACS+ Server and Encryption Key
Use the tacacs-server host ip-address [single-connection] command to configure a TACACS+ server. The single-connection keyword keeps one TCP session open to the server for all AAA requests instead of opening a new one per request.
Use the tacacs-server key key command to configure the shared secret key. It must match the key the server holds for this router, and it should be long and random, because the MD5-based protection of the protocol is only as strong as this key.

Configuring Server-Based AAA Authentication

Configuring the CLI for TACACS+ and RADIUS Servers Cont.

Configure a RADIUS Server and Encryption Key
Use the radius-server host ip-address command.
To configure the shared secret key, use the radius-server key key command.
Configure Authentication to Use the AAA Server - Use the aaa authentication login default group radius group tacacs+ local-case command. The methods are tried in the order listed; the next method is consulted only when the previous one returns an error (server unreachable), not when it rejects the credentials, so local-case at the end is a fallback for server outages rather than a second password to guess.

Configuring Server-Based AAA Authentication

Configuring the CLI for TACACS+ and RADIUS Servers Cont.


Sample Configuration
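A server-based configuration that puts the commands above together, as an added example that is not part of the original slides. The server addresses, the shared secrets, the list name CONSOLE-LOGIN, the Admin account, and the existence of interface Loopback0 are assumed for illustration. TACACS+ is listed first here because it is the protocol that supports per-command authorization for administrators; the slide's own order (RADIUS first) is equally valid syntax.

```text
R1(config)# aaa new-model

! TACACS+ server for administrative access; the key must match the server's
! entry for this router.
R1(config)# tacacs-server host 192.0.2.10 single-connection
R1(config)# tacacs-server key T4cacs-Sh4red-Secret

! RADIUS server, standard ports given explicitly (legacy servers use 1645/1646).
R1(config)# radius-server host 192.0.2.20 auth-port 1812 acct-port 1813
R1(config)# radius-server key R4dius-Sh4red-Secret

! Send AAA traffic from a fixed management address so the servers and the
! firewall between them can be scoped to one source (Loopback0 is assumed).
R1(config)# ip tacacs source-interface Loopback0
R1(config)# ip radius source-interface Loopback0

! Local account that is reachable only when the server groups return an error.
R1(config)# username Admin privilege 15 secret Str0ng5rPa55w0rd

! Default list: TACACS+, then RADIUS, then the local database (fallback on error only).
R1(config)# aaa authentication login default group tacacs+ group radius local-case
! The console stays on local authentication so a server or network outage
! can never lock out the console.
R1(config)# aaa authentication login CONSOLE-LOGIN local-case
R1(config)# line console 0
R1(config-line)# login authentication CONSOLE-LOGIN
R1(config-line)# exit

! Verify that the TACACS+ server accepts a known account before relying on it.
R1# test aaa group tacacs+ Admin Str0ng5rPa55w0rd legacy
R1# debug tacacs
R1# debug aaa authentication
```

A failing test aaa group result together with "debug tacacs" usually distinguishes the three common mistakes: a key mismatch (the server rejects the packet), a missing client entry on the server (no reply at all), and a blocked TCP 49 / UDP 1812 path (no reply and a connection timeout).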


Troubleshooting Server-Based AAA Authentication Traffic

Monitoring Authentication Traffic

Before relying on a server for logins, verify from the router that it accepts a known account with the test aaa group command; this exercises the shared key, the network path, and the server's client entry in one step.
Other debugging commands:
debug aaa authentication
debug radius and debug tacacs
debug tacacs events

3.5 Server-Based AAA Authorization and Accounting

Configuring Server-Based AAA Authorization

Introduction to Server-Based AAA Authorization

Authorization allows or denies authenticated users access to certain areas and programs on the network.
The TACACS+ protocol allows the separation of authentication from authorization, so the server can approve or reject each service or command individually after login.
A router can be configured to restrict the user to performing only certain functions after successful authentication.
Authorization can be configured for both character mode (exec and commands authorization) and packet mode (network authorization).

Configuring Server-Based AAA Authorization

AAA Authorization Types


Authorization Method Lists

AAA Authorization Example
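An authorization configuration for both character mode and packet mode, as an added example that is not part of the original slides. It assumes a TACACS+ server group and a RADIUS server group already configured as in the previous section; the list name VTY-AUTHZ is assumed.

```text
! EXEC (character mode) authorization: the server decides whether an EXEC shell is
! granted and at which privilege level. local is consulted only if the server group
! returns an error, never when the server says FAIL.
R1(config)# aaa authorization exec default group tacacs+ local

! Per-command authorization at privilege levels 1 and 15. Only TACACS+ can do this;
! RADIUS has no per-command authorization.
R1(config)# aaa authorization commands 1 default group tacacs+ local
R1(config)# aaa authorization commands 15 default group tacacs+ local
! Configuration-mode commands are authorized too (this is the default; shown explicitly).
R1(config)# aaa authorization config-commands

! Network (packet mode) authorization for PPP/VPN sessions through RADIUS.
R1(config)# aaa authorization network default group radius local

! By default the console is exempt from authorization. Enable it only with a
! reliable server or a local fallback, otherwise console access can be lost.
R1(config)# aaa authorization console

! A named EXEC authorization list applied to the vty lines. if-authenticated
! grants the shell to any authenticated user if the server group errors.
R1(config)# aaa authorization exec VTY-AUTHZ group tacacs+ if-authenticated
R1(config)# line vty 0 4
R1(config-line)# authorization exec VTY-AUTHZ
R1(config-line)# exit

R1# debug aaa authorization
```

With command authorization in place, every privileged command is sent to the server before it runs, so the server must be reachable for day-to-day administration; the local fallback only keeps the router manageable during an outage.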


Configuring Server-Based AAA Accounting

Introduction to Server-Based AAA Accounting

Companies often must track the resources that individuals or groups use.
AAA accounting enables usage tracking, such as dial-in access, logs the gathered data to a database, and produces reports on it.
One security use of accounting is building a record of which users connected to the system and at what time of day.
Another reason to implement accounting is to create a list of changes occurring on the network, the user that made the changes, and the exact nature of the changes, which is what command accounting provides for administrators.

Configuring Server-Based AAA Accounting

AAA Accounting Configuration with CLI


Accounting Methods Lists

AAA Accounting Example
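An accounting configuration covering administrative sessions, executed commands, and network sessions, as an added example that is not part of the original slides. It assumes the TACACS+ and RADIUS server groups from the earlier configuration; the list name VTY-ACCT and the five-minute update interval are assumed.

```text
! EXEC sessions: a start and a stop record for every administrative login.
R1(config)# aaa accounting exec default start-stop group tacacs+

! Every privilege-15 command: a record is sent once the command has executed.
! This is the audit trail of who changed what.
R1(config)# aaa accounting commands 15 default stop-only group tacacs+

! Network (PPP/VPN) sessions: byte and packet counts via RADIUS, with interim
! updates every 5 minutes so a session that never ends cleanly is still visible.
R1(config)# aaa accounting network default start-stop group radius
R1(config)# aaa accounting update periodic 5

! Outbound connections made from the router (telnet/ssh to other hosts) and
! system events such as reloads.
R1(config)# aaa accounting connection default start-stop group tacacs+
R1(config)# aaa accounting system default start-stop group tacacs+

! A named EXEC accounting list applied to the vty lines.
R1(config)# aaa accounting exec VTY-ACCT start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# accounting exec VTY-ACCT
R1(config-line)# exit

R1# debug aaa accounting
```

Accounting records are sent to the server but not retained on the router, so if the server is unreachable the records for that period are lost; pair command accounting with local logging of login success and failure so that the device itself keeps a minimal trail.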


3.6 Summary


Chapter 3

Summary
AAA is a framework, not a single protocol, that provides a scalable way to control administrative and network access.
AAA controls who is allowed to connect to the network, what they are allowed to do, and tracks records of what was done.
In small or simple networks, AAA authentication can be implemented using the local database.
In larger or complex networks, AAA authentication should be implemented using server-based AAA.
AAA servers can use the RADIUS or TACACS+ protocol to communicate with client routers.
The Cisco ACS can be used to provide AAA server services.
Local AAA and server-based AAA authentication can be configured using the CLI or CCP.

Lab - Securing Administrative Access


Using AAA and RADIUS
In this lab, you will complete the following
objectives:
Configure Basic Device Settings.
Configure Local Authentication.
Configure Local Authentication Using AAA.
Configure Centralized Authentication Using AAA and
RADIUS.
Lab - Securing Administrative Access Using AAA and RADIUS.pdf
