CCNA Security: Chapter Three Authentication, Authorization, and Accounting
Chapter Three
Authentication, Authorization, and Accounting
Beijing University of Posts and Telecommunications Cisco Networking Academy
Lesson Planning
Major Concepts
Lesson Objectives
Lesson Objectives
Authentication, Authorization and Accounting
3.1 Purpose of AAA
3.1.1 AAA Overview
• Authentication
• AAA Access Security
Authentication – Password-Only
(figure: a remote host connecting to the router across the Internet using the password-only method)
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords
Authentication – Local Database
(figure: a remote host connecting to the router across the Internet, checked against the local username database)
Username: Admin
Password: cisco12
% Login invalid
Accounting – What did you spend it on?
3.1.2 AAA Characteristics
Access Methods
• Character Mode: a user sends a request to establish an EXEC mode process with the router for administrative purposes
• Packet Mode: a user sends a request to establish a connection through the router with a device on the network
Self-Contained AAA Authentication
(figure: Remote Client – AAA Router, steps 1 to 3)
Self-Contained AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.
(figure: Remote Client – Router – AAA Server, steps 1 to 4)
Server-Based AAA
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA Server.
AAA Authorization
1. When a user has been authenticated, a session is established with an AAA server.
2. The router requests authorization for the requested service from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.
3.2.1 Configure Local AAA Authentication with CLI
Additional Commands
AAA Authentication Command Elements
router(config)#
Command Description
Keywords Description
enable Uses the enable password for authentication. This keyword cannot be used.
krb5 Uses Kerberos 5 for authentication.
krb5-telnet Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router.
line Uses the line password for authentication.
local Uses the local username database for authentication.
local-case Uses case-sensitive local username authentication.
none Uses no authentication.
cache group-name Uses a cache server group for authentication.
group radius Uses the list of all RADIUS servers for authentication.
group tacacs+ Uses the list of all TACACS+ servers for authentication.
group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
Additional Security
router(config)#
aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]
Sample Configuration
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
3.2.2 Using a Local Database in SDM
Verifying AAA Authentication
Using SDM
1. Select Configure > Additional Tasks > Router Access > User Accounts/View
2. Click Add
3. Enter username and password
4. Choose 15
5. Check the box and select a view
6. Click OK
Configure Login Authentication
3. Click Add
4. Choose local
5. Click OK
6. Click OK
3.2.3 Troubleshooting
The debug aaa Command
R1# debug aaa ?
accounting Accounting
administrative Administrative
api AAA api events
attr AAA Attr Manager
authentication Authentication
authorization Authorization
cache Cache activities
coa AAA CoA processing
db AAA DB Manager
dead-criteria AAA Dead-Criteria Info
id AAA Unique Id
ipc AAA IPC
mlist-ref-count Method list reference counts
mlist-state Information about AAA method list state change and
notification
per-user Per-user attributes
pod AAA POD processing
protocol AAA protocol processing
server-ref-count Server handle reference counts
sg-ref-count Server group handle reference counts
sg-server-selection Server Group Server Selection
subsys AAA Subsystem
testing Info. about AAA generated test packets
3.3 Server-Based AAA
3.3.1 Server-Based AAA Characteristics
Local Versus Server-Based Authentication
Overview of TACACS+ and RADIUS
AAA Communication Protocols
• TACACS/RADIUS Comparison
• TACACS+ Authentication Process
• RADIUS Authentication Process
TACACS+/RADIUS Comparison
(figure: TACACS+ client and server, RADIUS client and server, campus and dial connections)
Feature              TACACS+                                   RADIUS
Functionality        Separates AAA                             Combines authentication and authorization
Standard             Mostly Cisco supported                    Open/RFC
Transport Protocol   TCP                                       UDP
CHAP                 Bidirectional                             Unidirectional
Protocol Support     Multiprotocol support                     No ARA, no NetBEUI
Confidentiality      Entire packet encrypted                   Password encrypted
Customization        Provides authorization of router          Has no option to authorize router
                     commands on a per-user or                 commands on a per-user or
                     per-group basis.                          per-group basis.
Accounting           Limited                                   Extensive
TACACS+ Authentication Process
(figure: user JR-ADMIN logs in to the router; the router and the TACACS+ server exchange "Password prompt?" and the server returns Accept/Reject)
RADIUS Authentication Process
(figure: the router prompts "Username?" and "Password?"; the user answers JR-ADMIN and Str0ngPa55w0rd; the router sends Access-Request (JR-ADMIN, "Str0ngPa55w0rd") to the RADIUS server, which replies Access-Accept)
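The comparison table above says TACACS+ encrypts the entire packet while RADIUS encrypts only the password. The following added example (not part of the slides, and not Cisco code) makes that row concrete by implementing both wire-level constructions from their RFCs: RADIUS User-Password hiding (RFC 2865 section 5.2, MD5 of the shared secret and the Request Authenticator XORed over 16-byte blocks) and the TACACS+ body obfuscation (RFC 8907 section 4.5, a chained MD5 keystream over session_id, key, version and seq_no). Both are legacy MD5 constructions rather than modern encryption; the point here is that the RADIUS User-Name attribute is never hidden. The shared secret, session ID, username and password are constructed sample values.

```python
import hashlib
import os
import struct

# --- RADIUS (RFC 2865 5.2): only the User-Password attribute is hidden ---

def radius_hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); cn = pn XOR MD5(S + c(n-1)), over 16-byte blocks."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(password) > 128:
        raise ValueError("RFC 2865 limits User-Password to 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16)
    if not padded:                       # RFC requires at least one block
        padded = b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def radius_reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the same keystream, then strip the NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return out.rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, hidden_pw: bytes) -> bytes:
    """User-Name (type 1) and User-Password (type 2) as TLVs; User-Name is cleartext."""
    def attr(t: int, v: bytes) -> bytes:
        return struct.pack("!BB", t, len(v) + 2) + v
    return attr(1, username) + attr(2, hidden_pw)

# --- TACACS+ (RFC 8907 4.5): the whole body is XORed with an MD5 keystream ---

def tacacs_keystream(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_(n-1))."""
    header = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body: bytes, session_id: int, key: bytes, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR body with the keystream; calling it again on the output restores the body."""
    pad = tacacs_keystream(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def demo(request_authenticator: bytes = None) -> dict:
    """Which fields are readable on the wire for each protocol (constructed data)."""
    secret = b"constructed-shared-secret"
    user, password = b"JR-ADMIN", b"Str0ngPa55w0rd"
    ra = request_authenticator or os.urandom(16)   # fresh per Access-Request
    radius_attrs = radius_access_request_attrs(user, radius_hide_password(password, secret, ra))
    tacacs_body = user + b"\x00" + password          # stand-in for an authentication START body
    tacacs_wire = tacacs_obfuscate(tacacs_body, session_id=0x1234ABCD, key=secret)
    return {
        "radius_username_visible": user in radius_attrs,
        "radius_password_visible": password in radius_attrs,
        "tacacs_username_visible": user in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the block prints four booleans; the RADIUS username is the only field that stays visible. The same property is why a capture of RADIUS traffic still leaks who logged in from where, even with a strong shared secret.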
3.3.3 Cisco Secure ACS
• Benefits
• Advanced Features
• Overview
• Installation Options
Benefits
Advanced Features
Overview
Installation Options
Cisco Secure ACS for Windows can be installed on:
- Windows 2000 Server with Service Pack 4
- Windows 2000 Advanced Server with Service Pack 4
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition
3.3.4 Configuring Cisco Secure ACS
• Deploying ACS
• Cisco Secure ACS Homepage
• Network Configuration
• Interface Configuration
• External User Database
• Windows User Database Configuration
Deploying ACS
Cisco Secure ACS Homepage
Network Configuration
1. Click Network Configuration on the navigation bar
External User Database
1. Click the External User Databases button on the navigation bar
Windows User Database Configuration
4. Click configure
5. Configure options
3.3.5 Configuring a TACACS+ Server
Configuring the Unknown User Policy
1. Click External User Databases on the navigation bar
User Setup
1. Click User Setup on the navigation bar
4. Click Submit
3.4 Server-Based AAA Authentication
3.4.1 Using CLI
aaa authentication Command
Sample Configuration
R1(config)# aaa authentication login default group tacacs+ group radius local-case
(figure: R1 reaching a Cisco Secure ACS Solution Engine using TACACS+)
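The method list in the sample configuration above (group tacacs+, then group radius, then local-case) and the local-authentication slides earlier in the chapter (local versus local-case, and aaa local authentication attempts max-fail) both depend on one rule that is easy to get wrong: the router moves to the next method only when the current one cannot answer, for example because the server is unreachable. A definite FAIL from a reachable server ends the attempt; it does not fall through to the local database. The following added example (not from the slides, and not Cisco IOS code) models that evaluation, the case-sensitivity difference between local and local-case, and the lockout that max-fail applies. The usernames, passwords and server states are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # outcomes a single method can return


@dataclass
class LocalDatabase:
    """The router's 'username ... secret ...' entries plus max-fail lockout state."""
    users: Dict[str, str]                       # username -> password (constructed)
    max_fail: Optional[int] = None              # None: 'aaa local authentication attempts max-fail' not set
    failures: Dict[str, int] = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def _lookup(self, username: str, case_sensitive: bool) -> Optional[str]:
        if case_sensitive:                      # 'local-case' keyword
            return self.users.get(username)
        for name, pw in self.users.items():     # 'local' keyword: username match ignores case
            if name.lower() == username.lower():
                return pw
        return None

    def check(self, username: str, password: str, case_sensitive: bool) -> str:
        if username in self.locked:
            return FAIL                         # stays locked until 'clear aaa local user lockout'
        stored = self._lookup(username, case_sensitive)
        if stored is not None and stored == password:
            self.failures.pop(username, None)
            return PASS
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.max_fail is not None and self.failures[username] >= self.max_fail:
            self.locked.add(username)
        return FAIL


def make_server(reachable: bool, users: Dict[str, str]) -> Callable[[str, str], str]:
    """A TACACS+/RADIUS server stand-in: ERROR when unreachable, otherwise PASS or FAIL."""
    def method(username: str, password: str) -> str:
        if not reachable:
            return ERROR
        return PASS if users.get(username) == password else FAIL
    return method


def evaluate_method_list(methods: List[Callable[[str, str], str]], username: str, password: str) -> str:
    """Try methods in order. Only ERROR (no answer) advances to the next method;
    if every method errors out the login is denied."""
    for method in methods:
        result = method(username, password)
        if result != ERROR:
            return result
    return FAIL


def build_methods(local_db: LocalDatabase, tacacs_up: bool, radius_up: bool, keyword: str = "local-case"):
    """'group tacacs+ group radius local-case' (or '... local') as a list of callables."""
    tacacs = make_server(tacacs_up, {"JR-ADMIN": "Str0ngPa55w0rd"})
    radius = make_server(radius_up, {"JR-ADMIN": "Str0ngPa55w0rd"})
    local = lambda u, p: local_db.check(u, p, case_sensitive=(keyword == "local-case"))
    return [tacacs, radius, local]


def scenarios() -> dict:
    local_users = {"JR-ADMIN": "Str0ngPa55w0rd", "ADMIN": "Str0ng5rPa55w0rd"}
    results = {}
    # 1. TACACS+ unreachable, RADIUS reachable and answering FAIL: no fallback to local.
    db = LocalDatabase(dict(local_users))
    results["radius_fail_stops"] = evaluate_method_list(build_methods(db, False, True), "JR-ADMIN", "wrong")
    # 2. Both servers unreachable: the local method is consulted, and the keyword decides case handling.
    db = LocalDatabase(dict(local_users))
    results["local_case_wrong_case"] = evaluate_method_list(build_methods(db, False, False), "jr-admin", "Str0ngPa55w0rd")
    results["local_wrong_case"] = evaluate_method_list(build_methods(db, False, False, "local"), "jr-admin", "Str0ngPa55w0rd")
    # 3. max-fail 3: three bad passwords lock the account; the right password then fails as well.
    db = LocalDatabase(dict(local_users), max_fail=3)
    methods = build_methods(db, False, False)
    for _ in range(3):
        evaluate_method_list(methods, "ADMIN", "guess")
    results["locked_after_max_fail"] = evaluate_method_list(methods, "ADMIN", "Str0ng5rPa55w0rd")
    results["locked_users"] = sorted(db.locked)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Scenario 1 is the one to remember when designing a method list: putting local-case after the server groups gives you a way in when the servers are down, not a second chance when the server says no.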
3.4.2 Using SDM
Add TACACS Support
1. Choose Configure > Additional Tasks > AAA > AAA Servers and Groups > AAA Servers
2. Click Add
3. Choose TACACS+
4. Enter the IP address (or hostname) of the AAA server (192.168.1.101 in the example)
5. Check the Single Connection check box to maintain a single connection
(second screen)
2. Click Add
3. Choose User Defined
5. Click Add
8. Click Add to add a backup method
9. Choose enable from the list
Click OK twice
Apply Authentication Policy
1. Choose Configure>Additional Tasks>Router Access>VTY
2. Click Edit
3.4.3 Troubleshooting Server-Based AAA Authentication
Sample Commands
Sample Commands
3.5 Server-Based AAA Authorization and Accounting
3.5.1 Server-Based AAA Authorization
• Overview
• AAA Authorization Command
• Configuring Authorization Using SDM – Character Mode
• Configuring Authorization Using SDM – Packet Mode
AAA Authorization Overview
(figure: JR-ADMIN enters "show version"; the router asks the AAA server "Command authorization for user JR-ADMIN, command 'show version'?"; on Accept the router displays the "show version" output; on Reject, as for "configure terminal", the router does not permit the command)
AAA Authorization Commands
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
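The authorization overview figure and the comparison table describe what the TACACS+ server does once aaa authorization exec is in place: the router asks before each command whether this user may run it, and the answer is decided per user or per group. The following added example (not from the slides, and not Cisco Secure ACS code) models such a decision with an ordered permit/deny rule list, first match wins, implicit deny for anything unmatched. The rule syntax (regular expressions over the whole command line) and the per-user-overrides-group precedence are this example's own simplification, not ACS's command-set format; the users, groups and rules are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, str]   # ("permit" | "deny", regex that must match the whole command line)


class CommandAuthorizer:
    """Per-user / per-group command authorization with deny-by-default."""

    def __init__(self, group_rules: Dict[str, List[Rule]], user_group: Dict[str, str],
                 user_rules: Optional[Dict[str, List[Rule]]] = None):
        self.group_rules = group_rules
        self.user_group = user_group
        self.user_rules = user_rules or {}

    def rules_for(self, user: str) -> List[Rule]:
        # Per-user rules are checked before the user's group rules (assumed precedence).
        rules = list(self.user_rules.get(user, []))
        group = self.user_group.get(user)
        if group is not None:
            rules += self.group_rules.get(group, [])
        return rules

    @staticmethod
    def normalize(command: str) -> str:
        """Collapse whitespace so 'show   version' and 'show version' match the same rule."""
        return " ".join(command.split())

    def authorize(self, user: str, command: str) -> str:
        cmd = self.normalize(command)
        if user not in self.user_group and user not in self.user_rules:
            return "Reject"                     # unknown user: nothing to authorize against
        for action, pattern in self.rules_for(user):
            if re.fullmatch(pattern, cmd):
                return "Accept" if action == "permit" else "Reject"
        return "Reject"                         # implicit deny: unmatched commands are refused


# Constructed policy: junior admins may run show commands except the running config;
# anything else (configure terminal included) hits the implicit deny.
AUTHORIZER = CommandAuthorizer(
    group_rules={
        "junior-admins": [("deny", r"show running-config.*"), ("permit", r"show .*")],
        "admins": [("permit", r".*")],
    },
    user_group={"JR-ADMIN": "junior-admins", "ADMIN": "admins"},
    user_rules={"JR-ADMIN": [("permit", r"clear counters.*")]},   # per-user addition
)


if __name__ == "__main__":
    for user, cmd in [("JR-ADMIN", "show version"), ("JR-ADMIN", "configure terminal"),
                      ("JR-ADMIN", "show running-config"), ("ADMIN", "configure terminal")]:
        print(f"{user}: {cmd!r} -> {AUTHORIZER.authorize(user, cmd)}")
```

The order of the two junior-admins rules matters: swapping them would let the broad show rule match first and expose the running configuration, which is the usual way per-command policies go wrong.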
Using SDM to Configure Authorization
Character Mode
1. Choose Configure>Additional Tasks>AAA>Authorization Policies>Exec
2. Click Add
3. Choose Default
4. Click Add
2. Click Add
3. Choose Default
4. Click Add
• Overview
• AAA Accounting Commands
AAA Accounting Overview
AAA Accounting Commands
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec start-stop group tacacs+
R1(config)# aaa accounting network start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
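The accounting commands above use start-stop, so the server receives a record when an EXEC session opens and another when it closes. The following added example (not from the slides, and not Cisco or ACS code) shows what a defender can do with those paired records: match START and STOP by task_id, compute session length, and surface sessions that never reported a STOP or STOPs whose START never arrived. The records are constructed in a simplified text export of this example's own making (a START/STOP flag followed by TACACS+ style attribute=value pairs); real ACS log formats differ.

```python
from typing import Dict, List

# Constructed sample records: two complete sessions would be paired, but here
# task 12 and 13 never stop, and task 14 stops without a recorded start.
CONSTRUCTED_RECORDS = [
    "START task_id=11 user=JR-ADMIN rem_addr=192.168.1.50 service=shell start_time=1700000000",
    "START task_id=12 user=ADMIN rem_addr=192.168.1.51 service=shell start_time=1700000030",
    "STOP  task_id=11 user=JR-ADMIN rem_addr=192.168.1.50 service=shell stop_time=1700000600 elapsed_time=600",
    "START task_id=13 user=JR-ADMIN rem_addr=10.0.0.9 service=shell start_time=1700000700",
    "STOP  task_id=14 user=ADMIN rem_addr=192.168.1.51 service=shell stop_time=1700000900 elapsed_time=45",
]


def parse_record(line: str) -> Dict[str, str]:
    """'FLAG key=value key=value ...' into a dict; the flag is kept under 'flag'."""
    flag, *pairs = line.split()
    rec = {"flag": flag}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def audit(lines: List[str]) -> Dict[str, object]:
    """Pair START/STOP by task_id and report completed, still-open and orphaned sessions."""
    starts: Dict[str, Dict[str, str]] = {}
    completed = []
    orphan_stops = []          # STOP seen without its START (lost or never sent)
    for rec in map(parse_record, lines):
        tid = rec["task_id"]
        if rec["flag"] == "START":
            starts[tid] = rec
        elif rec["flag"] == "STOP":
            start = starts.pop(tid, None)
            if start is None:
                orphan_stops.append(tid)
                continue
            elapsed = int(rec["stop_time"]) - int(start["start_time"])
            completed.append({
                "task_id": tid,
                "user": start["user"],
                "rem_addr": start["rem_addr"],
                "elapsed": elapsed,
                # the device's own elapsed_time should agree with the two timestamps
                "elapsed_consistent": elapsed == int(rec.get("elapsed_time", elapsed)),
            })
    return {
        "completed": completed,
        "open": sorted((t, r["user"], r["rem_addr"]) for t, r in starts.items()),
        "orphan_stops": orphan_stops,
    }


if __name__ == "__main__":
    result = audit(CONSTRUCTED_RECORDS)
    for s in result["completed"]:
        print(f"task {s['task_id']}: {s['user']} from {s['rem_addr']} for {s['elapsed']}s")
    print("still open:", result["open"])
    print("stop without start:", result["orphan_stops"])
```

With stop-only accounting the two open sessions would be invisible until they ended; with start-stop they show up immediately, and an orphaned STOP points at a gap in the accounting stream (for example records sent while the server was unreachable) rather than at a user who was never there.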