(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.

Slides:



Advertisements
Similar presentations
Authentication.
Advertisements

Point-to-Point Protocol (PPP)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Forms Authentication, Users, Roles, Membership Ventsislav Popov Crossroad Ltd.
Point-to-Point Protocol Semester 4, Chapter 4. PPP and Data Links PPP operates at the Data Link layer. Components of PPP include:  A method for encapsulating.
Point-to-Point Protocol
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
Remote Access Network Management Kelly Given Allison Traina.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
Semester 4 - Chapter 4 – PPP WAN connections are controlled by protocols In a LAN environment, in order to move data between any two nodes or routers two.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
CCNA 2 v3.1 Module 2.
Remote Networking Architectures
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
Module 11: Supporting Remote Users. Overview Establishing Remote Access Connections Connecting to Virtual Private Networks Configuring Authentication.
Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
1 Semester 2 Module 2 Introduction to Routers Yuda college of business James Chen
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 10: Remote Access.
1 Microsoft Windows NT 4.0 Authentication Protocols Password Authentication Protocol (PAP) Challenge Handshake Authentication Protocol (CHAP) Microsoft.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
Dr. John P. Abraham Professor UTPA.  Particularly attacks university computers  Primarily originating from Korea, China, India, Japan, Iran and Taiwan.
Working with Workgroups and Domains
Configuring Routing and Remote Access(RRAS) and Wireless Networking
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 5 City College.
KU Network Project 1)Eagle 9 We trust on what we know Design and Documentation By: Team: Eagle 9 Phone: Date:
© 1999, Cisco Systems, Inc. 3-1 Configuring the Network Access Server for AAA Security.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.
Chapter 13 – Network Security
Robert E. Meyers CCNA, CCAI Youngstown State University Cisco Regional Academy Instructor Cisco Networking Academy Program Semester 4, v Chapter.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Chapter 3: Authentication, Authorization, and Accounting
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Module 7: Fundamentals of Administering Windows Server 2008.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 Module 2 Introduction to Routers.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 6 City College.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.
Will learn to use router modes and configuration methods to update a router's configuration file with current and prior versions of Cisco Internetwork.
Configuring AAA Kamyar Miremadi Laila Sherif Summer 2005.
RADIUS What it is Remote Authentication Dial-In User Service
Lesson 2a © 2005 Cisco Systems, Inc. All rights reserved. SNPA v4.0—2-1 Firewall Technologies and the Cisco Security Appliance.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
1 Example security systems n Kerberos n Secure shell.
RADIUS By: Nicole Cappella. Overview  Central Authentication Services  Definition of RADIUS  “AAA Transaction”  Roaming  Security Issues and How.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 2 Introduction to Routers.
Point-Point Protocol (PPP) by William F. Widulski.
Information Security Professionals
Remote Access Lecture 2.
Router Startup and Setup
Configuring and Troubleshooting Routing and Remote Access
Radius, LDAP, Radius used in Authenticating Users
– Chapter 3 – Device Security (B)
Ch. 7 Network Management CIS 187 Multilayer Switched Networks CCNP version 7 Rick Graziani Spring 2016.
Computer Security Distributed System Security
– Chapter 3 – Device Security (B)
Kerberos Part of project Athena (MIT).
Router Startup and Setup
KERBEROS.
Presentation transcript:

(Remote Access Security) AAA

2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will prompt the user for a name and password. The access server authenticates the user’s identity by requiring the username and password. This process of verification to gain access is called authentication The user may then be able to execute commands on that server once “flannery” has been successfully authenticated

3 Authorization The server uses a process called authorization to determine which commands and resources should be made available to that particular user. Authorization asks the question, "What privileges does this user have?"

4 Accounting Finally, the number of login attempts, the specific commands entered, and other system events can be logged and time-stamped by the accounting process. Accounting can be used to trace a problem, such as a security breach, or it may be used to compile usage statistics or billing data. Accounting asks the questions, "What did this user do and when was it done?"

5 Authentication can be configured without using AAA. Module 2, "Modems and Asynchronous Connections," and Module 3, "PPP," demonstrated the commands necessary to configure a local username and password database in conjunction with CHAP and Password Authentication Protocol (PAP). This same local database can be used to authenticate users that start an EXEC session with the router.

6 AAA advantages 1. AAA provides scalability. Typical AAA configurations rely on a server or group of servers to store usernames and passwords. This means that local databases do not have to be built and updated on every router and access server in the network. Instead, the routers in the network become clients of these security servers. By centralizing the username/password database, AAA makes it possible to enter, update, and store information in one place.

7 2. AAA supports standardized security protocols, specifically TACACS+, RADIUS, and Kerberos. 3. AAA allows for multiple backup systems. For example, an access server can be configured to consult a security server first and a local database second. The second method is used if the first method returns an error.

8 TACACS+ A security application used with AAA that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running on a UNIX, Windows NT, or Windows 2000 workstation. TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.

9 RADIUS A distributed client/server system used with AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server. This central server contains all user authentication and network service access information.

10

11 Kerberos A secret-key network authentication protocol used with AAA that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos is based on the concept of a trusted third party that performs secure verification of users and services. The primary use of Kerberos is to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache. These tickets are then used in place of the standard username and password authentication mechanism.

12 Of the three protocols, TACACS+ and RADIUS offer the most comprehensive AAA support. Kerberos provides a highly secure method of authentication, in which passwords are never sent over the wire. However, Kerberos does not support the authorization and accounting components of AAA.

13

14 RADIUS RADIUS is an open standard and typically uses fewer CPU cycles. RADIUS is less memory intensive than the proprietary TACACS+. Currently, RADIUS is the only security protocol supported by emerging wireless authentication pro

15 CiscoSecure Access Control Server The software simplifies and centralizes access control and accounting for dialup access servers, virtual private networks (VPNs) and firewalls, voice- over-IP (VoIP) solutions, broadband access, content networks, and wireless networks. Cisco ACS uses a web-based graphical interface and can distribute the AAA information to hundreds or even thousands of access points in a network. The CiscoSecure ACS software uses either the TACACS+ or the RADIUS protocol to provide network security and tracking.

16 Configuring AAA The aaa new-model command enables the AAA feature so that other AAA commands can be entered. To disable AAA, use the no aaa new-model command. Do not issue the aaa new-model command without first preparing to configure AAA authentication.

17

18 Configuring AAA authentication AAA can be used to authenticate several types of connections, including the following: Access to privileged EXEC mode (enable mode) Access to virtual terminals Access to the console CHAP and PAP authentication for PPP connections NetWare Asynchronous Services Interface (NASI) authentication AppleTalk Remote Access Protocol (ARAP) authentication

19 AAA authentication is configured with the aaa authentication command. When using this command, the type of authentication that is being configured must be specified as to whether it is login, enable, PPP, and so on. Once an authentication type has been specified, either a default method list or a named method list must be defined. Named method lists must be applied to a specific interface before any of the defined authentication methods will be performed. The default method list is automatically applied to all interfaces if no other method list is defined.

20 Step 1Specify the authentication type whether login, enable, PPP, and so on. Step 2Specify the method list as default or give it a name.S tep 3List, in order, the authentication methods to be tried.

21

22 Configuring login authentication RTB# aaa authentication login PASSPORT group radius local none command creates a named method list called PASSPORT. The first method in this list is the group of RADIUS servers. If RTB cannot contact a RADIUS server, then RTB will try and contact the local username/password database. Finally, the none keyword assures that if no usernames exist in the local database, the user is granted access.

23 Enabling password protection at the privileged level The aaa authentication enable command enables AAA authentication for privileged EXEC mode access. This authentication method is applied when a user issues the enable command in user EXEC mode as follows: RTB(config)#aaa authentication enable default method1 [...[method4]]

24 Configuring PPP authentication using AAA Many remote users access networks through a router using PPP over asynchronous dialup or ISDN BRI. These remote users can completely bypass the command line interface on that router. Instead, PPP starts a packet session as soon as the connection is established. A router can be configured to use AAA with the aaa authentication ppp command to authenticate these users.

25 Configuring AAA authorization When AAA authorization is enabled, the router uses information retrieved from the user's profile to configure the session. This profile is located either in the local user database or on the security server. Once this authorization is done, the user will be granted access to a requested service only if the information in the user profile will allow it.

26

27 IOS command privilege levels The aaa authorization command can also be used to control exactly which commands a user is allowed to enter on the router. Users can only enter commands at or beneath their privilege level. All IOS router commands are assigned a privilege level from 0 to 15. There are three privilege levels on the router by default. 1, 0 and 15

28 Configuring command authorization The privilege command can be used to configure precisely which commands belong to which privilege levels, including user-defined levels. The commands entered on RTA move the snmp-server commands from privilege level 15, the default, to privilege level 7. The ping command is moved up from privilege level 1 to privilege level 7

29 Once privilege levels have been defined, the aaa authorization command can be used to give access to commands by privilege level

30 Configuring AAA accounting RTA is configured with the aaa accounting network command. This command enables accounting for network services, such as PPP, SLIP, and ARAP sessions. RTA will send accounting information for PPP sessions to a TACACS+ server.

31

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.