1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Slides:



Advertisements
Similar presentations
© 2003, Cisco Systems, Inc. All rights reserved..
Advertisements

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Radius based ssh authentication Location of Radius server – radius-server host auth-port 1812 acct-port 1813 key WinRadius – The same config.
1 Semester 2 Module 4 Learning about Other Devices Yuda college of business James Chen
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—5-1 Establishing Serial Point-To-Point Connections Configuring Serial Point-To-Point Encapsulation.
DHCP Dynamic Host Configuration Part 7 NVCC Professional Development TCP/IP.
Managing Your Network Environment © 2004 Cisco Systems, Inc. All rights reserved. Managing Cisco IOS Devices INTRO v2.0—9-1.
© 2006 Cisco Systems, Inc. All rights reserved. ICND v2.3—4-1 Managing IP Traffic with ACLs Scaling the Network with NAT and PAT.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.
1 © 2009 Cisco Learning Institute. CCNA Security Chapter Three Authentication, Authorization, and Accounting.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 2: Teleworker Connectivity.
(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 1 Implementing Secure Converged Wide Area Networks (ISCW)
Chapter Three Authentication, Authorization, and Accounting
Chapter 16 AAA. AAA Components  AAA server –Authenticates users accessing a device or network –Authorizes user to perform specific activities –Performs.
© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—3-1 Implementing a Scalable Multiarea Network OSPF- Based Solution Configuring and Verifying.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
1 © 2004, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.1 Module 3 Configuring a Router.
Setup a Cisco Switch with AAA Server CS580 Winter 2005 Presented by: Chris Orona Kevork Tamamian Xuong Tsan.
Authentication, Authorization, and Accounting
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.
Brian Dwyer – CITA370. Introduction  Network Device Security  Identity Management AAA Process Model ○ Authentication ○ Authorization ○ Accounting (Sometimes.
Chapter 17 TACACS+.
Implementing RADIUS AAA Phil & Rick. Content Terms and Concepts Access Control What is AAA? Benefits of AAA What is RADIUS? Microsoft IAS Overview Installation.
Privilege Levels Cisco IOS provides for 16 different privilege levels ranging from 0 to 15. Cisco IOS comes with 2 predefined user levels. User mode.
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 10: Remote Access.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 5 City College.
© 1999, Cisco Systems, Inc. 3-1 Configuring the Network Access Server for AAA Security.
Configuring ISDN BRI and PRI
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 4 v3.0 Module 3 PPP.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 NGWC – Central Webauth (CWA) using ISE 3850 and 5760 Viten Patel – RTP Wireless.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 2 v3.0 Module 3 Configuring a Router.
Chapter 3: Authentication, Authorization, and Accounting
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1 © 2007 Cisco Systems, Inc. All rights reserved.Cisco Public Remote access typically involves allowing telnet, SSH connections to the router Remote requires.
1 of 18 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 4 v3.0: Module 1; 1.2.
1 Course Number Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 EDCS- Call Accounting and Call Detail Record Collection for UC500 Marcos.
Cisco Discovery Protocol. CDP and Router Boot Up When a Cisco device boots up, CDP starts up automatically and allows the device to detect neighbor devices.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Cisco Unity Connection 2.0 Phone View Troubleshooting Mike Maas, Unified.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 6 City College.
Chapter 3: Authentication, Authorization, and Accounting
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
1350 TAC Training © 2000, Cisco Systems, Inc. Wireless Lab.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 8 City College.
© 2015 Mohamed Samir YouTube channel All rights reserved. Samir CCNP-SWITCHING Mohamed Samir YouTube channel Double.
Configuring the PIX Firewall Presented by Drew Spesard.
Jose Luis Flores / Amel Walkinshaw
Configuring AAA Kamyar Miremadi Laila Sherif Summer 2005.
RADIUS What it is Remote Authentication Dial-In User Service
Lesson 3a © 2005 Cisco Systems, Inc. All rights reserved. CSPFA v4.0—19-1 System Management and Maintenance.
Access Control Authentication, Authorization, and Accounting
© 2002, Cisco Systems, Inc. All rights reserved..
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 3 v3.0 Module 1 Introduction to Classless Routing.
Cisco Exam Questions IMPLEMENTING CISCO IOS NETWORK SECURITY (IINS V2.0) VERSION: Presents: 1.
Cisco Routers Routers collectively provide the main feature of the network layer—the capability to forward packets end-to-end through a network. routers.
Operating & Configuring a Cisco IOS Device
Information Security Professionals
Chapter Three Authentication, Authorization, and Accounting
Troubleshooting and Maintaining Cisco IP Networks (TSHOOT) practice-questions.html.
Cisco Real Exam Dumps IT-Dumps
Ch. 7 Network Management CIS 187 Multilayer Switched Networks CCNP version 7 Rick Graziani Spring 2016.
Presentation transcript:

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

2 © 2005 Cisco Systems, Inc. All rights reserved. Network Security 1 Module 5 – Cisco Secure Access Control Server

3 © 2005 Cisco Systems, Inc. All rights reserved. Learning Objectives 5.1 Cisco Secure Access Control Server for Windows 5.2 Configuring RADIUS and TACACS+ with CSACS

4 © 2005 Cisco Systems, Inc. All rights reserved. Module 5 – Cisco Secure Access Control Server 5.1 Cisco Secure Access Control Server for Windows

5 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS Products

6 © 2005 Cisco Systems, Inc. All rights reserved. What Is Cisco Secure ACS for Windows Server?

7 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS General Features

8 © 2005 Cisco Systems, Inc. All rights reserved. Authentication and User Databases

9 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS Windows Services

10 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS User Database

11 © 2005 Cisco Systems, Inc. All rights reserved. Keeping databases current

12 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS System Architecture

13 © 2005 Cisco Systems, Inc. All rights reserved. Cisco ACS Windows Services

14 © 2005 Cisco Systems, Inc. All rights reserved. Using the ACS Database Alone

15 © 2005 Cisco Systems, Inc. All rights reserved. Using the Windows Database

16 © 2005 Cisco Systems, Inc. All rights reserved. Using External User Databases

17 © 2005 Cisco Systems, Inc. All rights reserved. Using Token Cards

18 © 2005 Cisco Systems, Inc. All rights reserved. User-Changeable Passwords

19 © 2005 Cisco Systems, Inc. All rights reserved. Module 5 – Cisco Secure Access Control Server 5.2 Configuring RADIUS and TACACS+ with CSACS

20 © 2005 Cisco Systems, Inc. All rights reserved. Gathering Answers for the Installation Questions

21 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Secure ACS for Windows Server: Installation Overview

22 © 2005 Cisco Systems, Inc. All rights reserved. Administering Cisco Secure ACS for Windows Server

23 © 2005 Cisco Systems, Inc. All rights reserved. Troubleshooting Use the Failed Attempts Report under Reports and Activity as a starting point. Provides a valuable source of troubleshooting information.

24 © 2005 Cisco Systems, Inc. All rights reserved. Globally Enable AAA Cisco Secure ACS for Windows Server NAS aaa new-model router(config)# router(config)# aaa new-model

25 © 2005 Cisco Systems, Inc. All rights reserved. tacacs-server Commands tacacs-server key keystring router(config)# router(config)# tacacs-server key tacacs-server host ipaddress router(config)# router(config)# tacacs-server host tacacs-server host ipaddress key keystring router(config)# router(config)# tacacs-server host key The two commands shown here can be used to share the key with all servers or This command can be used for a single server

26 © 2005 Cisco Systems, Inc. All rights reserved. AAA Configuration Example aaa authentication {login | enable default | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]] aaa accounting {system | network | exec | connection | commands level}{default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]] aaa authorization {network | exec | commands level | reverse-access} {default | list-name} {if-authenticated | local | none | radius | tacacs+ | krb5-instance} router(config)#

27 © 2005 Cisco Systems, Inc. All rights reserved.

28 © 2005 Cisco Systems, Inc. All rights reserved. AAA TACACS+ Troubleshooting Displays detailed information associated with TACACS+ debug tacacs router# debug tacacs events router# Displays detailed information from the TACACS+ helper process

29 © 2005 Cisco Systems, Inc. All rights reserved. debug aaa authentication Command TACACS+ Example Output 14:01:17: AAA/AUTHEN ( ): Method=TACACS+ 14:01:17: TAC+: send AUTHEN/CONT packet 14:01:17: TAC+ ( ): received authen response status = PASS 14:01:17: AAA/AUTHEN ( ): status = PASS

30 © 2005 Cisco Systems, Inc. All rights reserved. debug tacacs Command Example Output – Failure 13:53:35: TAC+: Opening TCP/IP connection to /49 13:53:35: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/START) 13:53:35: TAC+: Receiving TCP/IP packet number from /49 13:53:35: TAC+ ( ): received authen response status = GETUSER 13:53:37: TAC+: send AUTHEN/CONT packet 13:53:37: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT) 13:53:37: TAC+: Receiving TCP/IP packet number from /49 13:53:37: TAC+ ( ): received authen response status = GETPASS 13:53:38: TAC+: send AUTHEN/CONT packet 13:53:38: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT) 13:53:38: TAC+: Receiving TCP/IP packet number from /49 13:53:38: TAC+ ( ): received authen response status = 13:53:40: TAC+: Closing TCP/IP connection to /49 FAIL

31 © 2005 Cisco Systems, Inc. All rights reserved. debug tacacs Command Example Output – Pass 14:00:09: TAC+: Opening TCP/IP connection to /49 14:00:09: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/START) 14:00:09: TAC+: Receiving TCP/IP packet number from /49 14:00:09: TAC+ ( ): received authen response status = GETUSER 14:00:10: TAC+: send AUTHEN/CONT packet 14:00:10: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT) 14:00:10: TAC+: Receiving TCP/IP packet number from /49 14:00:10: TAC+ ( ): received authen response status = GETPASS 14:00:14: TAC+: send AUTHEN/CONT packet 14:00:14: TAC+: Sending TCP/IP packet number to /49 (AUTHEN/CONT) 14:00:14: TAC+: Receiving TCP/IP packet number from /49 14:00:14: TAC+ ( ): received authen response status = 14:00:14: TAC+: Closing TCP/IP connection to /49 PASS

32 © 2005 Cisco Systems, Inc. All rights reserved. debug tacacs events Command Output router# debug tacacs events %LINK-3-UPDOWN: Interface Async2, changed state to up 00:03:16: TAC+: Opening TCP/IP to /49 timeout=15 00:03:16: TAC+: Opened TCP/IP handle 0x48A87C to /49 00:03:16: TAC+: periodic timer started 00:03:16: TAC+: req=3BD868 id= ver=193 handle=0x48A87C (ESTAB) expire=14 AUTHEN/START/SENDAUTH/CHAP queued 00:03:17: TAC+: ESTAB 3BD868 wrote 46 of 46 bytes 00:03:22: TAC+: CLOSEWAIT read=12 wanted=12 alloc=12 got=12 00:03:22: TAC+: CLOSEWAIT read=61 wanted=61 alloc=61 got=49 00:03:22: TAC+: received 61 byte reply for 3BD868 00:03:22: TAC+: req=3BD868 id= ver=193 handle=0x48A87C (CLOSEWAIT) expire=9 AUTHEN/START/SENDAUTH/CHAP processed 00:03:22: TAC+: periodic timer stopped (queue empty) 00:03:22: TAC+: Closing TCP/IP 0x48A87C connection to /49 00:03:22: TAC+: Opening TCP/IP to /49 timeout=15 00:03:22: TAC+: Opened TCP/IP handle 0x489F08 to /49 00:03:22: TAC+: periodic timer started 00:03:22: TAC+: req=3BD868 id= ver=192 handle=0x489F08 (ESTAB) expire=14 AUTHEN/START/SENDPASS/CHAP queued 00:03:23: TAC+: ESTAB 3BD868 wrote 41 of 41 bytes 00:03:23: TAC+: CLOSEWAIT read=12 wanted=12 alloc=12 got=12 00:03:23: TAC+: CLOSEWAIT read=21 wanted=21 alloc=21 got=9 00:03:23: TAC+: received 21 byte reply for 3BD868 00:03:23: TAC+: req=3BD868 id= ver=192 handle=0x489F08 (CLOSEWAIT) expire=13 AUTHEN/START/SENDPASS/CHAP processed 00:03:23: TAC+: periodic timer stopped (queue empty)

33 © 2005 Cisco Systems, Inc. All rights reserved. RADIUS Server Command radius-server key keystring router(config)# router(config)# radius-server key radius-server host {host-name | ipaddress} router(config)# router(config)# radius-server host radius-server host ipaddress key keystring router(config)# router(config)# radius-server host key The two commands shown here can be used to share the key with all servers Or This command can be used for a single server

34 © 2005, Cisco Systems, Inc. All rights reserved.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.