AAA Services Authentication -Who ? -Management of the user’s identity Authorization -What can the user do? -Management of the granted services Accounting.


AAA Services
Authentication
–Who?
–Management of the user's identity
Authorization
–What can the user do?
–Management of the granted services
Accounting
–What did the user do?
–Logging of activities and auditing

Uses of AAA
Two modes:
–Character mode access: AAA services are used to control administrative access to network devices, such as Telnet or console access
–Packet mode access: AAA services are used to manage remote user network access, such as dialup clients or VPN clients
T. A. Yang, Network Security

c.f., Alternative methods to AAA
Examples:
–Password-based authentication
–Challenge-response authentication
Incomplete access management
–Limited to authentication only

Local vs Centralized Databases in AAA
Location of user data
–Local dB: local on the device
–Centralized dB: in a central authentication server (remote to the device)
Copies of user data
–Local dB: multiple copies (one per device)
–Centralized dB: single copy
Scalability
–Local dB: poor (given a change, each copy needs to be updated)
–Centralized dB: good
Single point of failure?
–Local dB: depends (possibly no)
–Centralized dB: yes
Recommended?
–Local dB: only for very small networks
–Centralized dB: yes (especially for larger networks)

Authentication Protocols in AAA: RADIUS vs TACACS+
RADIUS
–Remote Authentication Dial In User Service
–An IETF standard (RFC 2865)
–Open source software available
–Interoperability among RADIUS-based products
–Client/server authentication between a NAS (e.g., a router) and a RADIUS server, with a shared secret between the client and the server
–Runs on UDP (port 1812 for authentication and authorization; port 1813 for accounting)

RADIUS RFC 2865 (2000):

The Authenticator field
Request Authenticator
–The authenticator in the Access-Request packets
–Requirements: the value SHOULD be unpredictable and unique over the lifetime of a shared secret. Repetition of a request value in conjunction with the same secret would permit an attacker to reply with a previously intercepted response.
Response Authenticator
–The authenticator in the Access-Accept, Access-Reject, and Access-Challenge packets
–ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)

RADIUS Example
Clients: router, switch, PIX/ASA, VPN3000
The Access-Request contains username, encrypted password, NAS IP address, NAS port number, and session information.
Source: …es_tech_note09186a e99.shtml

RADIUS authentication
Note: both authentication and authorization information are combined in a single Access-Request packet.
Upon receiving an Access-Request, the RADIUS server
1. Validates the shared secret
2. Validates the username and password; if not validated, sends an Access-Reject response
3. Authorizes the user; if authorization fails, sends an Access-Reject response, otherwise sends an Access-Accept response

Security mechanisms in RADIUS
Shared secret between the client and the server
In the Access-Request packet, the password is encrypted:
MD5(shared secret + Request Authenticator) XOR the-first-16-octets-of-the-password → 16-octet encrypted password
Q: How would the RADIUS server authenticate the encrypted password?
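The password hiding and Response Authenticator described in the two slides above, as an added example (not code from the slides or from any RADIUS implementation). It follows RFC 2865: the slide shows only the first 16-octet block, and this code also handles the chaining for passwords longer than 16 octets. The shared secret and the fixed Request Authenticator are constructed values; a real client picks a fresh random Request Authenticator per request.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the slides): a shared secret and a fixed
# 16-octet Request Authenticator; a real client uses random bytes per request.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))

def keystream_block(secret: bytes, prev: bytes) -> bytes:
    """b_i = MD5(secret + previous block); b_1 uses the Request Authenticator."""
    return hashlib.md5(secret + prev).digest()

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding (client side). The slide shows block 1:
    MD5(secret + RequestAuth) XOR password[0:16]. Longer passwords are NUL-padded
    to a multiple of 16 and block i is XORed with MD5(secret + ciphertext i-1)."""
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 allows passwords of 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream_block(secret, prev)))
        out, prev = out + block, block
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side (the answer to the slide's question): regenerate the same
    keystream from the shared secret and the Request Authenticator carried in
    the packet; XOR undoes the hiding, then the plaintext is checked."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream_block(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
    Length is the whole packet length: the 20-octet header plus attributes."""
    header = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def verify_response(code: int, ident: int, request_auth: bytes, attributes: bytes,
                    secret: bytes, received_auth: bytes) -> bool:
    """Client check that a reply came from a server holding the shared secret and
    answers the request whose Request Authenticator the client remembers."""
    expected = response_authenticator(code, ident, request_auth, attributes, secret)
    return hmac.compare_digest(expected, received_auth)
```

Note that the server does not verify the "encrypted" password directly: it recovers the plaintext with the same shared secret and compares it against its user database, which is why the shared secret must be strong and the Request Authenticator must not repeat.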

TACACS+
TACACS: Terminal Access Controller Access Control System
–A Cisco proprietary client/server authentication protocol
–A shared secret between the client and the server
–Can encrypt the entire body of the packet (as indicated by the flags field)
–Runs on TCP

TACACS+

TACACS+
Example interactions: …om/en/US/tech/tk59/technologies_tech_note09186a e99.shtml

TACACS+ vs RADIUS
Shared:
–Client/server based
–Authentication between a NAS and an authentication server
–Shared secret
Differences?

TACACS+ vs RADIUS
source: …s/Chapter+9.+AAA+Accounting/High-Level+Comparison+of+RADIUS+TACACS+and+Diameter/
Transport
–TACACS+: TCP (reliable; more overhead)
–RADIUS: UDP (unreliable; higher performance)
Authentication and authorization
–TACACS+: can be separated (more flexible)
–RADIUS: combined
Multiprotocol support
–TACACS+: supported (IP, Apple, NetBIOS, Novell, X.25)
–RADIUS: IP only
Access to router CLI commands
–TACACS+: supports two methods to control the authorization of router commands on a per-user or per-group basis
–RADIUS: not supported
Encryption
–TACACS+: packet payload
–RADIUS: passwords only