The flashcards below were created by user
on FreezingBlue Flashcards.
AAA can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access. These two access methods use different modes to request AAA services:
- Character mode - A user sends a request to establish an EXEC mode process with the router for administrative purposes.
- Packet mode - A user sends a request to establish a connection through the router with a device on the network.
With the exception of accounting commands, all AAA commands apply to both character mode and packet mode. This topic focuses on securing character mode access. For a truly secure network, it is important to also configure the router for secure administrative access and remote LAN network access using AAA services as well.Cisco provides two common methods of implementing AAA services.
- Local AAA Authentication
- Local AAA uses a local database for authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database. This database is the same one required for establishing role-based CLI. Local AAA is ideal for small networks.
- Server-Based AAA AuthenticationThe server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.
Local AAA ?
- 1. The client establishes a connection with the router.
- 2. The AAA router prompts the user for a username and password.
- 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.
Server based AAA?
- 1.The client establishes a connection with the router.
- 2. The AAA router prompts the user for a username and password.
- 3. The router authenticates the username and password using a remote AAA server.
- 4. The user is authorized to access the network based on information on the remote AAA Server.
After users are successfully authenticated against the selected AAA data source (local or server-based), they are then authorized for specific network resources.
Authorization is basically
what a user can and cannot do on the network after that user is authenticated, similar to how privilege levels and role-based CLI give users specific rights and privileges to certain commands on the router.
Authorization is typically implemented using an
AAA server-based solution.
authorization uses a created set of attributes that describes the user's access to the network. These attributes are compared to the information contained within the AAA database, and a determination of restrictions for that user is made and delivered to the local router where the user is connected.
1-does not require users to perform additional steps after authentication. 2-authorization is implemented immediately after the user is authenticated.
1. When a user has been authenticated, a session is established with an AAA server.
2. The router requests authorization for the requested service from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.
Accounting collects and reports usage data so that it can be employed for purposes such as auditing or billing. The collected data might include:
the start and stop connection times, executed commands, number of packets, and number of bytes.
Accounting is implemented using an
AAA server-based solution
One widely deployed use of accounting is combining it with
- AAA authentication for managing access to internetworking devices by
- network administrative staff. Accounting provides extra accountability
- above and beyond authentication. The AAA servers keep a detailed log of
- exactly what the authenticated user does on the device.
The AAA servers keep a detailed log of exactly what the authenticated user does on the device. This includes all EXEC and configuration commands issued by the user. The log contains :
- numerous data fields, including the username, the date and time, and the
- actual command that was entered by the user. This information is useful
- when troubleshooting devices. It also provides leverage against
- individuals who perform malicious actions.
Local AAA Authentication, also referred to as self-contained authentication, should be configured for :
smaller networks, such as those with one or two routers providing access to a limited number of users.
The Local AAA Authentication method is similar to using the login local command with one exception.
AAA also provides a way to configure backup methods of authentication
Configuring local AAA services to authenticate administrator access (character mode access) requires a few basic steps.
- Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
- Step 2. Enable AAA globally on the router.
- Step 3. Configure AAA parameters on the router.
- Step 4. Confirm and troubleshoot the AAA configuration.
for Cisco Cert
Local AAA authentication is the same as:
Self Contained AAA
To enable AAA, use the aaa new-model global configuration command. The command, aaa new-model, tells the router that you are:
- using either TACACS+ or RADIUS for authentication.
- To disable AAA, use the no form of this command.
After AAA is enabled, to configure authentication on vty ports, asynchronous lines (tty), the auxiliary port, or the console port,:
define a named list of authentication methods and then apply that list to the various interfaces.
To define a named list of authentication methods, use the aaa authentication login command. This command requires a list name and the authentication methods. The list name identifies the list of authentication methods activated when a user logs in.
The method list is a sequential list describing the authentication methods to be queried for authenticating a user. Method lists enable an administrator to designate one or more security protocols for authentication.
Using more than one protocol provides a backup system for authentication in case the initial method fails.
The difference between the two options is that local accepts a username regardless of case, and local-case is :
A minimum of one method and a maximum of four methods can be specified for a :
single method list.
For security purposes, use the (___) keyword only when testing the AAA configuration. It should never be applied on a live network.
To enable a specific list name, use the:
aaa login authentication list-name command in line configuration mode.
The authentication methods in the default list are used by default on all lines, unless a custom authentication method list is created. If an interface or line has a nondefault method list applied to it, that method overrides the default method list for that interface.
On the console, login succeeds without any authentication checks if default is :
Once a custom authentication method-list is applied to an interface, it is possible to return to the default method list by using the no aaa authentication login list-name command. If the default list has not been defined, then AAA authentication does not occur.
Additional security can be implemented on the line using the: (___) command in global configuration mode.
aaa local authentication attempts max-fail number-of-unsuccessful-attempts command
The aaa local authentication attempts max-fail command differs from the login delay command in how it handles failed attempts.
The aaa local authentication attempts max-fail command locks the user account if the authentication fails. This account stays locked until it is cleared by an administrator.
The login delay command introduces a delay between failed login attempts without locking the account.
When a user logs into a Cisco router and uses AAA, a unique ID is assigned to the session. Throughout the life of the session, various attributes that are related to the session are collected and stored internally within the AAA database.
The first task when using SDM to configure AAA services for local authentication is to create users:
- Step 1. Choose Configure > Additional Tasks > Router Access >
- User Accounts/View.
- Step 2. Click Add to add a new user.Step 3. In the
- Add an Account window, enter the username and password in the
- appropriate fields to define the user account.
- Step 4. From the Privilege
- Level drop-down list, choose 15, unless there are lesser privilege
- levels defined.
- Step 5. If views have been defined, check the Associate a
- View with the User check box and choose a view from the View Name list
- that is associated with a user.
- Step 6. Click OK.
To configure AAA authentication, an administrator must first either:
- define a list of authentication methods for the default method
- configure a named method list and apply it. Different method lists can
- be created and applied to different interfaces or lines.
The CLI command that Cisco SDM generates is
aaa authentication login default local.
The Cisco router has debug commands that are useful for troubleshooting authentication issues. The debug aaa command contains several keywords that can be used for this purpose. Of special interest is the:
debug aaa authentication command.
Local implementations of AAA do not scale well. Most corporate environments have multiple Cisco routers with multiple router administrators and hundreds or thousands of users needing access to the corporate LAN. Maintaining local databases for each Cisco router for this size of network is not feasible.
To solve this challenge, one or more AAA servers, such as Cisco Secure ACS, can be used to manage the user and administrative access needs for an entire corporate network
The Cisco Secure ACS family of products supports both Terminal Access Control Access Control Server Plus (TACACS+) and Remote Dial-in User Services (RADIUS) protocols, which are the two predominant protocols used by Cisco security appliances, routers, and switches for implementing AAA.
While both protocols can be used to communicate between client and AAA servers, (____) is considered the more secure protocol. This is because all TACACS + protocol exchanges are encrypted; Radius only encrypts the user password. It does not encrypt user names, accounting information, or any other information carried in the radius message.
TACACS+ more secure
TACACS+ and RADIUS are (___ ___ ___) Each supports different capabilities and functionality. Whether TACACS+ or RADIUS is selected depends on the needs of the organization.
both authentication protocols.
Critical factors for TACACS+ include:
- Is incompatible with its predecessors TACACS and XTACACS
- Separates authentication and authorization
- Encrypts all communication
- Utilizes TCP
- port 49
Critical factors for Radius include:
- Uses RADIUS proxy servers for scalability
- Combines RADIUS authentication
- and authorization as one process
- Encrypts only the password
- Utilizes UDP
- Supports remote-access technologies, 802.1X, and SIP
The RADIUS protocol hides passwords during transmission, even with the Password Authentication Protocol (PAP), using a rather complex operation that involves Message Digest 5 (MD5) hashing and a shared secret. However, the rest of the packet is sent in plaintext.
RADIUS combines authentication and authorization as one process. When a user is authenticated, that user is also authorized. RADIU
RADIUS is widely used by:
VoIP service providers.
Fortunately, the Cisco Secure ACS for Windows Server (ACS) is a single solution that offers AAA for both TACACS+ and RADIUS.
Cisco Secure ACS is a highly scalable, high-performance access control server that can be leveraged to control administrator access and configuration for all network devices in a network supporting RADIUS or TACACS+ or both. Cisco Secure ACS offers several benefits:
Cisco Secure ACS uses a central database. It centralizes the control of all user privileges and distributes them to access points throughout the network. Cisco Secure ACS provides detailed reporting and monitoring capabilities of user behavior, access connections, and device configuration changes. This feature is extremely important for organizations trying to comply with various government regulations. Cisco Secure ACS supports a broad variety of access connections, including wired and wireless LAN, dialup, broadband, content, storage, VoIP, firewalls, and virtual private networks (VPNs).
Cisco Secure ACS is an important component of the Cisco Identity Based Networking Services (IBNS) architecture.
Cisco Secure ACS is also an important component of Cisco Network Admission Control (NAC).
Cisco Secure ACS has many high-performance and scalability features:like-->
- ease of use
- product flexibility
- third party control
Cisco Secure ACS is available as software installed on a Windows Server or on a 1U, rack-mountable, security-hardened server, such as ACS Solution Engine or ACS Express. All are server-based examples of providing AAA services using a remote security database. The Cisco Secure ACS for Windows option enables the AAA services on a router to contact an external Cisco Secure ACS installed on a Windows server system for user and administrator authentication.
The home page of Cisco Secure ACS is divided into frames. The buttons on the navigation bar represent particular areas or functions that can be configured:
- User Setup
- Group Setup
- Shared Profile
- ConfigurationSystem ConfigurationInterface ConfigurationAdministration ControlExternal
- User Databases
- Posture Validation
- Network Access ProfilesReports and ActivityOnline Documentation
Before configuring a router, switch, or firewall as a TACACS+ or RADIUS client, the AAA client to the server must be added and the IP address and encryption key specified. The Network Configuration page is where the AAA clients are added, deleted, or modified.
Cisco Secure ACS can be configured to forward authentication of users to one or more external user databases. Support for external user databases means that Cisco Secure ACS does not require duplicate user entries to be created in the Cisco Secure user database.
Allow a network administrator to assign users and groups of users multiple CLI views at once instead of having to assign a single CLI view per user with all commands associated to that one CLI view.
After Cisco Secure ACS is configured to communicate with an external user database, it can be configured to authenticate users with the external user database in one of two ways:.
- By specific user assignment - Authenticate specific users with an external user database.
- By unknown user policy - Use an external database to authenticate users not found in the Cisco Secure user database. This method does not require administrators to define users in the Cisco Secure user database.
After a user is authenticated to an external database, the authorization that takes place is determined by Cisco Secure ACS. This can complicate things because users that are authenticated by a Windows server might require different authorization than users that are authenticated by the LDAP server.Because of this potential need for different authorizations, place users that are authenticated by the Windows server in one group and users that are authenticated by the LDAP server in another group. To do this,
use database group mappings.
steps to configure a AAA server:
- 1. Enable AAA.
- 2. Specify the IP address of the ACS server.
- 3. Configure the secret key.
- 4. Configure authentication to use either the RADIUS or TACACS+ server.
To configure a TACACS+ server, use the tacacs-server host ip-address single-connection command.
To configure a RADIUS server, use the radius-server host ip-address command. B
After AAA is enabled and the TACACS+ servers are configured, the router can be configured to use the Cisco Secure ACS server to authenticate user access to the router.
To configure the router to use the Cisco Secure ACS server for login authentication, a user-defined authentication login method list must be created, or the default method list must be edited. Keep in mind, the default method list is automatically applied to all interfaces and lines, except those that have a user-defined method list explicitly applied.
After the authentication login method lists are created, apply the lists to lines and interfaces on the router.
- debug AAA authentication
- debug tacacs
- debug radius
chapter summary !!!!!!!!!
The Authentication, Authorization, and Accounting (AAA) protocol provides a scalable framework for enabling access security.
AAA controls who is allowed to connect to the network, what they are allowed to do, and keeps records of what was done.
In small or simple networks, AAA authentication can be implemented using a local database.
Local AAA can be configured using CLI and SDM.
In large or complex networks, AAA authentication can be implemented using server-based AAA.
AAA servers can use RADIUS or TACACS+ protocols to communicate with client routers.
The Cisco Access Control Server (ACS) can be used to provide AAA server
Server-based AAA authentication can be configured using CLI or SDM.
Server-based AAA authorization and accounting can be configured using CLI or SDM.