Professional Documents
Culture Documents
Network Security: Major Concepts
Network Security: Major Concepts
1 3
1 3
4 5
4 5
1
Authentication, Authorization and
Accounting Purpose of AAA
6 7
6 7
• Authentication
Password: cisco1
Password: cisco12
% Bad passwords
Internet
8 9
8 9
2
Authentication – Local Database AAA Access Security
Authorization
which resources the user is allowed to access and which
• Creates individual user account/password on each Authentication operations the user is allowed to perform?
• Provides accountability
• User accounts must be configured locally on each device
• Provides no fallback authentication method
R1(config)# username Admin secret User Access Verification
Str0ng5rPa55w0rd
R1(config)# line vty 0 4 Username: Admin
Password: cisco1
R1(config-line)# login local % Login invalid
Username: Admin
Password: cisco12
Internet % Login invalid Accounting
What did you spend it on?
10 11
• Packet Mode
A user sends a request to
establish a connection through
the router with a device on the
network
12 13
12 13
3
Self-Contained AAA Authentication Server-Based AAA Authentication
Remote Client AAA
1 Router
• Uses an external database server
- Cisco Secure Access Control Server (ACS) for Windows Server
2
3 - Cisco Secure ACS Solution Engine
Self-Contained AAA
1. The client establishes a connection with the router. - Cisco Secure ACS Express
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database and the user is authorized to access the network
based on information in the local database.
• More appropriate if there are multiple routers
AAA Cisco Secure
• Used for small networks Remote Client
1 Router ACS Server
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA Server.
14 15
14 15
• Typically implemented using an AAA server-based • Implemented using an AAA server-based solution
solution
• Keeps a detailed log of what an authenticated user does
• Uses a set of attributes that describes user access to the on a device
network
16 17
16 17
4
Configuring Local AAA Authentication Using a Local Database
18 19
18 19
R1# conf t
R1(config)#
R1(config)#
username JR-ADMIN secret Str0ngPa55w0rd
username ADMIN secret Str0ng5rPa55w0rd • aaa authentication enable
R1(config)# aaa new-model
R1(config)#
R1(config)#
aaa authentication login default local-case
aaa local authentication attempts max-fail 10 Enables AAA for EXEC mode access
• aaa authentication ppp
To authenticate administrator access
(character mode access) Enables AAA for PPP network access
1. Add usernames and passwords to the
local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA
configuration
20 21
20 21
5
AAA Authentication Command
Elements Method Type Keywords
router(config)#
Keywords Description
aaa authentication login {default | list-name} enable Uses the enable password for authentication. This keyword cannot be used.
method1…[method4]
krb5 Uses Kerberos 5 for authentication.
Command Description krb5-telnet Uses Kerberos 5 telnet authentication protocol when using Telnet to connect
to the router.
line Uses the line password for authentication.
Uses the listed authentication methods that follow this local Uses the local username database for authentication.
default
keyword as the default list of methods when a user logs in local-case Uses case-sensitive local username authentication.
none Uses no authentication.
list-name Character string used to name the list of authentication cache group-name Uses a cache server group for authentication.
methods activated when a user logs in group radius Uses the list of all RADIUS servers for authentication.
password- Enables password aging on a local authentication list. group tacacs+ Uses the list of all TACACS+ servers for authentication.
expiry group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined
by the aaa group server radius or aaa group server tacacs+ com m and.
method1 Identifies the list of methods that the authentication
[method2... algorithm tries in the given sequence. You must enter at
] least one method; you may enter up to four methods.
22 23
22 23
router(config)#
aaa local authentication attempts max-fail [number-of-
unsuccessful-attempts]
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1# show aaa sessions R1(config)# username ADMIN secret Str0ng5rPa55w0rd
Total sessions since last reload: 4 R1(config)# aaa new-model
Session Id: 1 R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
Unique Id: 175
R1(config)# line vty 0 4
User Name: ADMIN R1(config-line)# login authentication TELNET-LOGIN
IP Address: 192.168.1.10
Idle Time: 0
CT Call Handle: 0
24 25
24 25
6
Troubleshooting The debug aaa Command
R1# debug aaa ?
accounting Accounting
• The debug aaa Command administrative
api
Administrative
AAA api events
attr AAA Attr Manager
• Sample Output authentication
authorization
Authentication
Authorization
cache Cache activities
coa AAA CoA processing
db AAA DB Manager
dead-criteria AAA Dead-Criteria Info
id AAA Unique Id
ipc AAA IPC
mlist-ref-count Method list reference counts
mlist-state Information about AAA method list state change and
notification
per-user Per-user attributes
pod AAA POD processing
protocol AAA protocol processing
server-ref-count Server handle reference counts
sg-ref-count Server group handle reference counts
sg-server-selection Server Group Server Selection
subsys AAA Subsystem
testing Info. about AAA generated test packets
26 27
28 29
28 29
7
Local Versus Server-Based
Server-Based AAA Authentication
Local Authentication
• Comparing Local versus Server-Based AAA 1. The user establishes a connection with the router.
2. The router prompts the user for a username and password authenticating
the user using a local database.
Cisco Secure ACS
• Overview of TACACS+ and RADIUS Perimeter
for Windows Server
1 Router
3
2
4
Remote User
Server-Based Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the
network based on information found in the Cisco Secure ACS database.
30 31
30 31
32 33
32 33
8
TACACS+/RADIUS Comparison TACACS+ Authentication Process
TACACS+ RADIUS
Functionality Separates AAA according to the AAA Combines authentication and Connect Usernam e prom pt?
architecture, allowing modularity of authorization but separates Use “ Usernam e ”
the security server implementation accounting, allowing less flexibility in Usernam e?
implementation than TACACS+. JR-ADMIN
JR-ADMIN
Standard Mostly Cisco supported Open/RFC standard
Password prom pt?
Transport Protocol TCP UDP
Password? Use “ Password ”
CHAP Bidirectional challenge and response Unidirectional challenge and response
“ Str0ngPa55w0rd ” “ Str0ngPa55w0rd ”
as used in Challenge Handshake from the RADIUS security server to
Authentication Protocol (CHAP) the RADIUS client. Accept/Reject
34 35
34 35
Usernam e?
Access-Request
(JR_ADMIN, “ Str0ngPa55w0rd ” ) • Overview
JR-ADMIN Access-Accept
Password? • Troubleshooting
Str0ngPa55w0rd
36 37
36 37
9
Configuring Server-Based AAA
Overview Authentication
• CLI aaa authentication Command 1. Globally enable AAA to allow the user of all
AAA elements (a prerequisite)
• Sample Configuration
2. Specify the Cisco Secure ACS that will provide
AAA services for the network access server
3. Configure the encryption key that will be used
to encrypt the data transfer between the
network access server and the Cisco Secure
ACS
4. Configure the AAA authentication method list
38 39
38 39
40 41
40 41
10
Troubleshooting Server-Based AAA
Authentication Sample Commands
42 43
42 43
44 45
44 45
11
Server-Based AAA Authorization AAA Authorization Overview
Command authorization for user
show version JR-ADMIN, command “show version”?
Do not permit
Reject
“configure terminal”
46 47
46 47
R1# conf t
• Overview
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case • AAA Accounting Commands
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
48 49
48 49
12
AAA Accounting Overview AAA Accounting Commands
R1# conf t
• Provides the ability to track usage, such as dial-in R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
access; the ability to log the data gathered to a database; R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
and the ability to produce reports on the data gathered R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec group tacacs+
R1(config)# aaa authorization network group tacacs+
• To configure AAA accounting using named method lists: R1(config)# aaa accounting exec start-stop group tacacs+
R1(config)# aaa accounting network start-stop group tacacs+
aaa accounting {system | network | exec | connection R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
| commands level} {default | list-name} {start-stop | R1(config-line)# ^Z
wait-start | stop-only | none} [method1 [method2]] • aaa accounting exec default start-stop group tacacs+
Defines a AAA accounting policy that uses TACACS+ for logging
• Supports six different types of accounting: network, both start and stop records for user EXEC terminal sessions.
connection, exec, system, commands level, and • aaa accounting network default start-stop group tacacs+
resource. Defines a AAA accounting policy that uses TACACS+ for logging
both start and stop records for all network-related service requests.
50 51
50 51
52
52
13