© 2012 Cisco and/or its affiliates. All rights reserved.
CCNA Security 1.1 Instructional Resource
Chapter 3 – Authentication, Authorization and Accounting
Objectives:
Explain the function and operation of the authentication, authorization, and accounting (AAA) protocol.
Configure a Cisco router to perform AAA authentication with a local database.
Describe how to configure Cisco ACS to support AAA for Cisco IOS routers.
Configure server-based AAA.
Implementing AAA on Cisco Devices
3.1 Implement AAA (authentication, authorization, accounting): AAA using CCP on routers; AAA using CLI on routers and switches; AAA on ASA
3.2 Describe TACACS+
3.3 Describe RADIUS
3.4 Describe AAA: Authentication, Authorization, Accounting
3.5 Verify AAA functionality
AAA is a critical task that involves securing network devices to limit who can access them and how they can access them, as well as to account for the actions taken while accessing them. Local AAA authentication is configured on a device-by-device basis and has some advantages over basic authentication against the local database (local authentication). Centralized or server-based AAA is a scalable enterprise solution for AAA. The Cisco solution for server-based AAA is Cisco Secure Access Control Server (CSACS). Server-based AAA can be implemented with RADIUS (a standards-based protocol) or TACACS+ (a Cisco-proprietary protocol). Each option has a number of defining qualities that differentiate one from the other. AAA can be configured using the CLI or CCP. AAA technology is required for the implementation of several other features, such as Cisco Easy VPN for remote access.
Chapter 3 Lab: Securing Administrative Access Using AAA and RADIUS
Part 1: Basic Network Device Configuration
Part 2: Configure Local Authentication
Part 3: Configure Local Authentication Using AAA
Part 4: Configure Centralized Authentication Using AAA and RADIUS
Cisco Configuration Professional (CCP) has replaced SDM for the following tasks:
Configuring AAA local authentication
Configuring centralized authentication with AAA and RADIUS
The Chapter 3 lab introduces the major options for AAA configuration. Students use CLI and CCP tools to implement authentication both locally and centrally. Debug options for AAA are explored. This lab is divided into four parts. The local authentication part, the local authentication with AAA part, and the centralized authentication with RADIUS part can be administered individually or in combination with the other parts as time permits. The main goal is to configure various types of user access authentication. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP. Students can work in teams of two for router authentication configuration, one student configuring R1 and the other configuring R3. Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.
When introducing AAA, point out that there is a wide variety of methods for authenticating people and devices. Security protocols and security technologies are changing rapidly. The focus is on local authentication, local authentication with AAA, and centralized authentication with CSACS and RADIUS servers. A large organization requires a centralized mechanism for AAA. Use the Who, How, What mnemonic to explain AAA. Time permitting, discuss authentication options in general: biometrics, single sign-on, one-time passwords, PKI and digital certificates, security tokens, and smart cards. Many of these options are discussed at various points in the course.
Emphasize that local AAA authentication has some advantages over local authentication. Ask the students “What can be done with local AAA authentication that cannot be done with local authentication?” Explain that local AAA authentication gives one the ability to configure all or multiple lines at one time. Make sure to clarify the difference between character mode and packet mode. Character mode is used with tty, vty, auxiliary, and console access, while packet mode is used with dial-up and VPN access. Character mode uses the login, exec, and enable commands. Packet mode uses the ppp and network commands. Emphasize that centralized or server-based AAA is scalable. It is not practical to replicate a local database on 100 networking devices.
Compare and contrast TACACS+ and RADIUS: e99.shtml
Emphasize that when using method lists with AAA, the methods are accessed in sequence only if an error occurs. If there is an authentication failure, the next method is NOT invoked. The aaa new-model command enables AAA. All subsequent commands depend on this first step. The AAA syntax is inherently difficult to understand and the implementation is awkward. Make a point that the main idea is to provide flexibility with authentication and authorization options.
To illustrate the power of AAA, conduct a demo with local AAA authentication to show how the vty and console lines are automatically secured with the default option. Note that a named list must be applied to a particular line before that method works for that line; the default method applies to that line in the meantime. Demonstrate how incorrect AAA configuration can lock you out of a router: enable AAA local authentication prior to configuring a local username database. Show the AAA page in CCP to illustrate that AAA is enabled by default in CCP. Installing and configuring CSACS can be overwhelming. Use the two VoDs under Tools for this course at cisco.netacad.net to see how an expert makes it easy for you.
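The local AAA demo on this slide (default list securing every line, a named list that is inert until applied, and the lockout caused by enabling AAA before any user exists) written out as an added Cisco IOS configuration. This is example configuration added here, not the course's or the lab's own; the user name, passwords and the list name VTY-AUTH are assumptions chosen for illustration.

```cisco
! Added example (not from the course): local AAA authentication on a Cisco IOS router.
! Keep the console session open while configuring. The ORDER matters: the lockout
! shown in the demo happens when "aaa new-model" and a "login default local" list are
! entered before any username exists, because the (empty) local database then rejects
! every login on every line.
!
! Step 1 - create the local database FIRST (assumed user name and passwords).
username admin privilege 15 secret AdminPass123
enable secret EnablePass123
!
! Step 2 - enable AAA. From here on every line authenticates through AAA method lists.
aaa new-model
!
! Step 3 - the default login list. With no named list applied, the console, aux and
! all vty lines use this list automatically; one line of config secures every line
! (character mode: login, exec and enable).
aaa authentication login default local
aaa authentication enable default enable
!
! Optional, local-AAA-only feature: lock a local account after 3 failed attempts.
aaa local authentication attempts max-fail 3
!
! Step 4 - a named list (case-sensitive local check). It has NO effect on any line
! until it is applied; until then the line keeps using the default list.
aaa authentication login VTY-AUTH local-case
!
line vty 0 4
 login authentication VTY-AUTH
 transport input ssh
!
! Verification (privileged EXEC, shown as comments):
!   show run | section aaa
!   show aaa local user lockout
!   clear aaa local user lockout username admin
!   debug aaa authentication
```

During the demo, reverse Steps 1 and 2 to reproduce the lockout, then recover from the still-open console session by adding the username; `show aaa local user lockout` shows which local accounts the max-fail setting has locked.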
Ask students what they think the advantages of centralized authentication are. Possible answers include saving time over the long term, enhanced security, scalability, and ease of control and management. Discuss authentication methods in general and ask an open-ended question to students about what can be done to enhance authentication, especially given that more of our lives are connected with the Internet over time. See illustrate-need-for-stronger-authentication for discussion points.
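Server-based AAA as described in the chapter overview (RADIUS with CSACS) and the method-list rule stated two slides earlier (the next method is tried only on an error, never after an authentication failure), written out as an added Cisco IOS configuration. This is example configuration added here, not the lab's own; the RADIUS server address 10.1.1.50, the shared key, the server name ACS-1 and the fallback account are assumptions.

```cisco
! Added example (not from the course): centralized AAA with RADIUS and local fallback.
! Assumed: one RADIUS server (CSACS) at 10.1.1.50 sharing the placeholder key RadiusKey123.
!
! Fallback account, created BEFORE AAA is enabled (see the lockout demo).
username admin privilege 15 secret AdminPass123
enable secret EnablePass123
aaa new-model
!
! RADIUS server definition (IOS 15.2 "radius server" block). Older IOS uses the
! one-line form:  radius-server host 10.1.1.50 auth-port 1812 acct-port 1813 key RadiusKey123
radius server ACS-1
 address ipv4 10.1.1.50 auth-port 1812 acct-port 1813
 key RadiusKey123
!
! Method list: try the RADIUS group first, then the local database.
! "local" is consulted only on an ERROR (server unreachable, timeout).
! An authentication FAILURE (the server answers Access-Reject) stops at RADIUS;
! the local database is NOT tried and the user is denied.
aaa authentication login default group radius local
aaa authentication enable default group radius enable
!
! Authorization and accounting through the same server. "if-authenticated" keeps
! EXEC access working when the server is down and the user got in via the local
! fallback (authorization then also errors out at RADIUS and falls through).
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
!
! Verification (privileged EXEC, shown as comments):
!   test aaa group radius admin AdminPass123 new-code
!   debug radius authentication
!   debug aaa authentication
!   show aaa servers
```

To demonstrate the error-versus-failure rule, log in with a wrong password while the server is up (denied, no local fallback), then make the server unreachable and log in as the local admin user (succeeds through `local`); `debug aaa authentication` shows which method each attempt ended on.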
There are many examples of security breaches that have occurred in the news lately. Ask students to research some of these and report back on how they could have been better deterred. Lead by example as a network engineer. Use sophisticated password rules and ask users to do the same. Every protocol that has an MD5 option or stronger (RIPv2, NTP, etc.) should implement that option. If there is an option for authentication and encryption, use both. Wireless LANs are the ideal stage for authentication scenarios because they are the most vulnerable. Secure your network as if it were as vulnerable as a WLAN.
xml/ios/sec_usr_aaa/configuration/15-2mt/sec-usr-aaa-15-2mt-book.html
Troubleshooting.html