Authentication, Authorization, and Accounting
CCNA-Security
Chapter 3: Objectives
In this chapter you will:
- Describe the importance of AAA as it relates to authentication, authorization, and accounting.
- Describe the characteristics of AAA.
- Configure AAA authentication, using the CLI, to validate users against a local database.
- Troubleshoot AAA authentication that validates users against a local database.
- Describe the benefits of server-based AAA.
- Compare the TACACS+ and RADIUS authentication protocols.
- Configure server-based AAA authentication, using the CLI, on Cisco routers.
Chapter 3
3.0 Introduction
3.1 Purpose of AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
3.4 Server-Based AAA Authentication
3.5 Server-Based AAA Authorizing and Accounting
3.6 Summary
AAA Overview
AAA Components
Network and administrative AAA security in the Cisco environment has several functional components:
- Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.
- Authorization - After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
- Accounting and auditing - Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.
[Figure: the three AAA questions - Authorization: "How much can you spend?"; Accounting: "What did you spend it on?"]
AAA Characteristics
Authentication Modes
AAA can be used to authenticate users for administrative access or to authenticate users for remote network access. These two access methods use different modes to request AAA services.
AAA Characteristics
Authorization
[Figure: authorization exchange between a remote client, the AAA router, and a Cisco Secure ACS server, shown as steps 1 to 3.]
AAA Characteristics
Accounting
- Provides the method for collecting and sending security server information.
- Used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands, and number of packets / bytes.
- With AAA accounting activated, the router reports user activity to the TACACS+ security server in the form of accounting records.
- Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces.
AAA Characteristics
Accounting
[Figure: accounting exchange between a remote client, the AAA router, and a Cisco Secure ACS server, shown as steps 1 and 2.]
Authentication Methods
To enable AAA, use the aaa new-model global configuration mode command. AAA commands can now be configured.
To disable AAA, use the no aaa new-model command.
CAUTION: Do not issue the aaa new-model command unless you are prepared to configure AAA authentication. Doing so could force Telnet users to authenticate with a username, even if no username database or authentication method is configured.
R1(config)# aaa new-model
Authentication Methods
To configure authentication on vty ports, asynchronous lines (tty), the auxiliary port, or the console port, define a named list of authentication methods and then apply that list to the various interfaces.
To define a named list of authentication methods, use the aaa authentication login command.
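The following is an added configuration example, not part of the original slides, showing local AAA authentication with a default list and a named list applied to different lines. The username, password and line numbers are placeholders.

```text
! Added example (not from the original slides): local AAA authentication
! on a Cisco IOS router. Username and password are placeholders.
!
! 1. Create the local user database BEFORE enabling AAA, so that enabling
!    it cannot lock you out of the console (see the CAUTION above).
R1(config)# username ADMIN privilege 15 secret <strong-password-here>
!
! 2. Enable the AAA model.
R1(config)# aaa new-model
!
! 3. Define the method lists. "default" applies to every line that has no
!    named list; "MGMT-ONLY" is a named list applied explicitly below.
!    local-case makes the username check case sensitive. The "none"
!    method would skip authentication entirely, so it is not used here.
R1(config)# aaa authentication login default local-case
R1(config)# aaa authentication login MGMT-ONLY local-case
!
! 4. Lock a local account after 3 consecutive failed attempts.
R1(config)# aaa local authentication attempts max-fail 3
!
! 5. Apply the lists to the lines.
R1(config)# line con 0
R1(config-line)# login authentication default
R1(config-line)# exit
R1(config)# line vty 0 4
R1(config-line)# login authentication MGMT-ONLY
R1(config-line)# transport input ssh
R1(config-line)# end
!
! 6. Verify. Keep the current session open and test from a second SSH
!    session; the debug shows which method list each login consulted.
R1# debug aaa authentication
R1# show aaa local user lockout
R1# clear aaa local user lockout username ADMIN
```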
Debug Options
The debug aaa authentication command is instrumental when troubleshooting AAA problems.
Look specifically for GETUSER and GETPASS status messages. These messages are helpful when identifying which method list is referenced.
TACACS+ Authentication
- TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.
- TACACS+ offers multiprotocol support.
- TACACS+ operation encrypts the entire body of the packet.
- TACACS+ utilizes TCP port 49.
RADIUS Authentication
- RADIUS is an open IETF standard AAA protocol for applications such as network access or IP mobility.
- RADIUS works in both local and roaming situations, and is commonly used for accounting purposes.
- RADIUS hides passwords during transmission.
- RADIUS uses UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting.
- RADIUS combines authentication and authorization as one process.
- RADIUS is widely used by VoIP service providers.
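The following is an added configuration example, not part of the original slides, showing server-based AAA with a TACACS+ server as the primary method, RADIUS as the secondary, and the local database as the last fallback. Server addresses, keys and the username are placeholders.

```text
! Added example (not from the original slides): server-based AAA on a
! Cisco IOS router. Addresses, shared keys and credentials are placeholders.
R1(config)# aaa new-model
R1(config)# username ADMIN privilege 15 secret <strong-password-here>
!
! TACACS+ server: TCP/49, entire packet body encrypted with the shared key.
R1(config)# tacacs-server host 192.0.2.10 single-connection
R1(config)# tacacs-server key <tacacs-shared-key>
!
! RADIUS server: UDP/1812 for authentication, UDP/1813 for accounting.
! Only the password attribute is hidden in transit, so protect the path.
R1(config)# radius-server host 192.0.2.20 auth-port 1812 acct-port 1813
R1(config)# radius-server key <radius-shared-key>
!
! Authentication: try TACACS+, then RADIUS, then local. The next method is
! consulted only when a server does not answer, not when it rejects the user.
R1(config)# aaa authentication login default group tacacs+ group radius local
!
! Authorization: TACACS+ decides whether an EXEC shell is allowed and can
! authorize individual privilege-15 commands (a separate step from
! authentication, which RADIUS cannot split out).
R1(config)# aaa authorization exec default group tacacs+ local
R1(config)# aaa authorization commands 15 default group tacacs+ local
!
! Accounting: send start/stop records for sessions and for commands.
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting commands 15 default start-stop group tacacs+
R1(config)# end
!
! Verify server reachability and watch the exchange from the CLI.
R1# test aaa group tacacs+ ADMIN <password> legacy
R1# debug aaa authentication
R1# debug tacacs
R1# debug radius
```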
3.6 Summary
Chapter 3 Summary
- The AAA protocol provides a scalable framework for enabling administrative access.
- AAA controls who is allowed to connect to the network, what they are allowed to do, and tracks records of what was done.
- In small or simple networks, AAA authentication can be implemented using the local database.
- In larger or complex networks, AAA authentication should be implemented using server-based AAA.
- AAA servers can use RADIUS or TACACS+ protocols to communicate with client routers.
- The Cisco ACS can be used to provide AAA server services.
- Local AAA and server-based AAA authentication can be configured using the CLI or CCP.