Access Control Authentication, Authorization, and Accounting


Access Control Authentication, Authorization, and Accounting Source: CCNA Security Cisco Networking Academy

Authentication, Authorization and Accounting
- Overview of AAA
- Local AAA Authentication
- Server-Based AAA
- Server-Based AAA Authentication
- Server-Based AAA Authorization and Accounting

AAA Overview

Authentication: Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.

Authorization: After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is "User 'student' can access host serverXYZ using Telnet only."

Accounting and auditing: Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is "User 'student' accessed host serverXYZ using Telnet for 15 minutes."

AAA Overview

Similar to the use of a credit card:
- Authentication: Who are you?
- Authorization: Which resources is the user allowed to access, and which operations is the user allowed to perform?
- Accounting: What did you spend it on?

Authentication – Password-Only

Password-Only Method:
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

What the remote user sees:
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords

- Uses a login and password combination on access lines.
- Easiest to implement, but the least secure method.
- Vulnerable to brute-force attacks.
- Provides no accountability.

Authentication – Local Database

Local Database Method:
R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local

What the remote user sees:
User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Password: cisco12

- Creates an individual user account/password on each device.
- Provides accountability.
- User accounts must be configured locally on each device.
- Provides no fallback authentication method.

Access Methods

- Character Mode – Remote administrative access: A user sends a request to establish an EXEC mode process with the router for administrative purposes.
- Packet Mode – Remote network access: A user sends a request to establish a connection through the router with a device on the network.

Local AAA Authentication Used for small networks. Stores usernames and passwords locally in the router.

Server-Based AAA Authentication

Uses an external database server. Examples:
- Cisco Secure Access Control Server (ACS) for Windows Server
- Cisco Secure ACS Solution Engine
- Cisco Secure ACS Express
More appropriate if there are multiple routers.

AAA Authorization

When a user has been authenticated, a session is established with an AAA server. The router requests authorization for the requested service from the AAA server. The AAA server returns a PASS/FAIL for authorization.

- Typically implemented using an AAA server-based solution
- Uses a set of attributes that describes user access to the network
- These attributes are compared to the information contained within the AAA database, and a determination of restrictions for that user is made and delivered to the local router where the user is connected

AAA Accounting

Implemented using an AAA server-based solution. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. When the user finishes, a stop message is recorded, ending the accounting process.

- Keeps a detailed log of what an authenticated user does on a device
- Reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the configuration of the network

AAA Accounting

Configuring Local AAA Authentication

To authenticate administrator access (character mode access):
Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.

Additional Commands and Information

- aaa authentication enable: Enables AAA for EXEC mode access
- aaa authentication ppp: Enables AAA for PPP network access

AAA Authentication Command Elements

router(config)# aaa authentication login {default | list-name} method1…[method4]

Command element: Description
- default: Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in.
- list-name: Character string used to name the list of authentication methods activated when a user logs in.
- password-expiry: Enables password aging on a local authentication list.
- method1 [method2...]: Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.

Login Method Type Keywords

Keyword: Description
- enable: Uses the enable password for authentication. This keyword cannot be used.
- krb5: Uses Kerberos 5 for authentication.
- krb5-telnet: Uses the Kerberos 5 telnet authentication protocol when using Telnet to connect to the router.
- line: Uses the line password for authentication.
- local: Uses the local username database for authentication.
- local-case: Uses case-sensitive local username authentication.
- none: Uses no authentication.
- cache group-name: Uses a cache server group for authentication.
- group radius: Uses the list of all RADIUS servers for authentication.
- group tacacs+: Uses the list of all TACACS+ servers for authentication.
- group group-name: Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Configuring Local AAA Authentication Example

Requirement: The enable method could be configured as a fallback mechanism in case the username and password are forgotten.

aaa authentication login TELNET-ACCESS local enable

In this example, an AAA authentication list named TELNET-ACCESS is created that requires users to attempt to authenticate to the router's local user database first. If that attempt returns an error, such as when no local user database is configured, the user can attempt to authenticate by knowing the enable password.

Configuring Local AAA Authentication Additional Security

router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]

R1# show aaa local user lockout
Local-user    Lock time
JR-ADMIN      04:28:49 UTC Sat Dec 27 2008

R1# show aaa sessions
Total sessions since last reload: 4
Session Id: 1
  Unique Id: 175
  User Name: ADMIN
  IP Address: 192.168.1.10
  Idle Time: 0
  CT Call Handle: 0

Configuring Local AAA Authentication Sample Configuration

The authentication methods in the default list are used by default on all lines, unless a custom authentication method list is created. If an interface or line has a nondefault method list applied to it, that method list overrides the default method list for that interface. If the default list is not set and there is no other list, only the local user database is checked. This has the same effect as the command aaa authentication login default local. On the console, login succeeds without any authentication checks if default is not set.

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN

Several methods can be listed after default. In this example local-case is tried first: if username entries are configured on the router, the local database is used for authentication; if no username is configured at all, the enable password is used instead.
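The fallback behaviour described in the last three slides (a later method is tried only when an earlier one returns an error, never when it rejects the credentials) is the part of method lists that is most often misunderstood. The following is an added example, not code from the slides or from Cisco: a small Python model of how a login method list is walked. The PASS/FAIL/ERROR answers, the SHA-256 stand-in for the secret hash, the lockout counter (standing in for aaa local authentication attempts max-fail), and all usernames and secrets are my own assumptions.

```python
# Added example (not from the CCNA Security slides): a small model of how an
# IOS-style AAA login method list is walked. Assumptions of the model (mine):
# each method answers PASS, FAIL or ERROR; the router moves to the next method
# only on ERROR (the method could not decide, e.g. no local database, server
# unreachable), never on FAIL (credentials rejected). The lockout counter
# stands in for 'aaa local authentication attempts max-fail'.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


def hash_secret(secret: str) -> str:
    # Stand-in for the hashing behind 'username ... secret'; not Cisco's scheme.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Router:
    local_users: dict = field(default_factory=dict)   # username -> hash_secret(pw)
    enable_secret: Optional[str] = None               # 'enable secret ...'
    tacacs_users: dict = field(default_factory=dict)  # what 'group tacacs+' knows
    tacacs_reachable: bool = True
    max_fail: int = 3                                  # attempts max-fail
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)           # 'show aaa local user lockout'

    # Each m_* method is one keyword of the method list.
    def m_local_case(self, user: str, pw: str) -> str:
        if not self.local_users:
            return ERROR                  # no database: method cannot decide
        if user in self.locked:
            return FAIL
        stored = self.local_users.get(user)
        if stored is not None and hmac.compare_digest(stored, hash_secret(pw)):
            self.failures.pop(user, None)
            return PASS
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_fail:
            self.locked.add(user)
        return FAIL

    def m_enable(self, user: str, pw: str) -> str:
        if self.enable_secret is None:
            return ERROR
        ok = hmac.compare_digest(hash_secret(self.enable_secret), hash_secret(pw))
        return PASS if ok else FAIL

    def m_group_tacacs(self, user: str, pw: str) -> str:
        if not self.tacacs_reachable:
            return ERROR                  # server dead: fall to the next method
        stored = self.tacacs_users.get(user)
        return PASS if stored and hmac.compare_digest(stored, hash_secret(pw)) else FAIL

    def m_none(self, user: str, pw: str) -> str:
        return PASS                       # 'none': no authentication at all

    def login(self, method_list, user: str, pw: str):
        """Walk the list in order; return (result, keyword that decided)."""
        for kw in method_list:
            name = "m_" + kw.replace("group ", "group_").replace("+", "").replace("-", "_")
            result = getattr(self, name)(user, pw)
            if result != ERROR:
                return result, kw         # PASS and FAIL are both final
        return ERROR, None                # every method errored: access denied


def demo():
    r = Router(enable_secret="En4bleSecret",
               tacacs_users={"ADMIN": hash_secret("Str0ng5rPa55w0rd")})
    # 1. No usernames configured: local-case errors out, enable is the fallback.
    a = r.login(["local-case", "enable"], "JR-ADMIN", "En4bleSecret")
    # 2. Once a username exists, a wrong password is a FAIL; enable is never tried.
    r.local_users["JR-ADMIN"] = hash_secret("Str0ngPa55w0rd")
    b = r.login(["local-case", "enable"], "JR-ADMIN", "En4bleSecret")
    # 3. Unreachable TACACS+ with 'none' last: anyone gets in.
    r.tacacs_reachable = False
    c = r.login(["group tacacs+", "none"], "anyone", "anything")
    # 4. Unreachable TACACS+ with no fallback: nobody gets in (fail closed).
    d = r.login(["group tacacs+"], "ADMIN", "Str0ng5rPa55w0rd")
    return a, b, c, d


if __name__ == "__main__":
    for step, outcome in zip("abcd", demo()):
        print(step, outcome)
```

Cases 3 and 4 are the ones to keep in mind when a list ends in none: the keyword is only ever reached when every server-based method has errored, which is exactly the moment an unreachable server turns a "fail closed" configuration into "fail open".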

Troubleshooting Local AAA Authentication

R1# debug aaa ?
  accounting           Accounting
  administrative       Administrative
  api                  AAA api events
  attr                 AAA Attr Manager
  authentication       Authentication
  authorization        Authorization
  cache                Cache activities
  coa                  AAA CoA processing
  db                   AAA DB Manager
  dead-criteria        AAA Dead-Criteria Info
  id                   AAA Unique Id
  ipc                  AAA IPC
  mlist-ref-count      Method list reference counts
  mlist-state          Information about AAA method list state change and notification
  per-user             Per-user attributes
  pod                  AAA POD processing
  protocol             AAA protocol processing
  server-ref-count     Server handle reference counts
  sg-ref-count         Server group handle reference counts
  sg-server-selection  Server Group Server Selection
  subsys               AAA Subsystem
  testing              Info. about AAA generated test packets

Troubleshooting Local AAA Authentication

R1# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

Server-Based AAA Local implementations of AAA do not scale well. Most corporate environments have multiple routers with multiple router administrators and hundreds or thousands of users needing access to the corporate LAN. Maintaining local databases for each router for this size of network is not feasible. To solve this challenge, one or more AAA servers can be used to manage the user and administrative access needs for an entire corporate network. Example: Cisco Secure ACS can create a central user and administrative access database that all devices in the network can access. It can also work with many external databases, including Active Directory and Lightweight Directory Access Protocol (LDAP). These databases store user account information and passwords, allowing for central administration of user accounts.

Local Versus Server-Based Authentication

Server-Based AAA Communication Protocols

TACACS+ and RADIUS are both authentication protocols. Whether TACACS+ or RADIUS is selected depends on the needs of the organization. A large ISP might select RADIUS because it supports the detailed accounting required for billing users. An organization with various user groups might select TACACS+ because it requires select authorization policies to be applied on a per-user or per-group basis.

TACACS+ is considered the more secure protocol, because all TACACS+ protocol exchanges are encrypted. RADIUS only encrypts the user password. It does not encrypt user names, accounting information, or any other information carried in the RADIUS message.

Server-Based AAA Communication Protocols

TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.

[Figure: Remote User – Perimeter Router – Cisco Secure ACS for Windows Server / Cisco Secure ACS Express]

Server-Based AAA Communication Protocols

Critical factors for TACACS+ include:
- Is incompatible with TACACS and XTACACS
- Separates authentication and authorization
- Encrypts all communication
- Utilizes TCP port 49

Critical factors for RADIUS include:
- Uses RADIUS proxy servers for scalability
- Combines RADIUS authentication and authorization as one process
- Encrypts only the password
- Utilizes UDP
- Supports remote-access technologies, 802.1X, and SIP

Server-Based AAA Communication Protocols TACACS+/RADIUS Comparison

Server-Based AAA Communication Protocols TACACS+ Authentication Process

Exchange shown in the figure (user, router, TACACS+ server):
  Router -> server: Connect
  Router -> server: Username prompt?
  Server -> router: Use "Username"
  Router -> user: Username?
  User -> router: JR-ADMIN
  Router -> server: JR-ADMIN
  Router -> server: Password prompt?
  Server -> router: Use "Password"
  Router -> user: Password?
  User -> router: "Str0ngPa55w0rd"
  Router -> server: "Str0ngPa55w0rd"
  Server -> router: Accept/Reject

- Provides separate AAA services. Separating the AAA services provides flexibility in implementation, because it is possible to use TACACS+ for authorization and accounting while using another method of authentication.
- Utilizes TCP port 49

Server-Based AAA Communication Protocols RADIUS Authentication Process

Exchange shown in the figure (user, router, RADIUS server):
  Router -> user: Username?
  User -> router: JR-ADMIN
  Router -> user: Password?
  User -> router: Str0ngPa55w0rd
  Router -> server: Access-Request (JR-ADMIN, "Str0ngPa55w0rd")
  Server -> router: Access-Accept

- RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol for applications such as network access or IP mobility.
- Works in both local and roaming situations and is commonly used for accounting purposes.
- Currently defined by RFCs 2865, 2866, 2867, and 2868.
- Combines authentication and authorization as one process. When a user is authenticated, that user is also authorized.
- Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting.
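To make "RADIUS encrypts only the password" concrete, here is an added example (not from the slides, and not Cisco's or any RADIUS server's code) that builds the Access-Request from the figure the way RFC 2865 lays it out and then parses it back the way anyone on the path between router and server could. The User-Password attribute is hidden with the RFC 2865 section 5.2 scheme (MD5 of the shared secret chained with the Request Authenticator); every other attribute, including User-Name, is carried as plain bytes. The shared secret, NAS address and port are constructed sample values, and the function names are mine.

```python
# Added example, not from the slides or any Cisco code: a RADIUS Access-Request
# built as RFC 2865 describes, to show what "RADIUS encrypts only the password"
# means on the wire. The shared secret, usernames, NAS address and port below
# are constructed sample values.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the first block using the Request
    Authenticator. Only this one attribute gets this treatment."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password: what the server holding the secret does."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    # Type(1) Length(1, includes these two bytes) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, username, password, nas_ip, nas_port,
                         request_auth=None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attributes(packet: bytes) -> dict:
    """Everything an observer on the path can decode without the secret."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs


def build_reply(code, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Access-Accept/Reject. Response Authenticator (RFC 2865 section 3) =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), which is how
    the NAS knows the reply came from a holder of the secret."""
    ident, request_auth = request[1], request[4:20]
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def reply_is_authentic(reply: bytes, request: bytes, secret: bytes) -> bool:
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


def demo():
    secret = b"SharedSecret!"          # constructed; the 'radius-server key'
    req = build_access_request(7, secret, "JR-ADMIN", "Str0ngPa55w0rd", "192.168.1.1", 4)
    on_the_wire = parse_attributes(req)
    username_in_clear = on_the_wire[USER_NAME].decode()   # readable by anyone
    hidden = on_the_wire[USER_PASSWORD]                    # not the password bytes
    recovered = reveal_password(hidden, secret, req[4:20]).decode()
    accept = build_reply(ACCESS_ACCEPT, req, secret)
    return (username_in_clear, hidden != b"Str0ngPa55w0rd", recovered,
            reply_is_authentic(accept, req, secret))


if __name__ == "__main__":
    print(demo())
```

The two things the code makes visible are the reason the slides rank TACACS+ as the more secure choice for device administration: the User-Name, NAS-IP-Address and NAS-Port attributes (and, in accounting packets, everything) are plain on the wire, and the only thing protecting the password is the strength and secrecy of the radius-server key.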

Server-Based AAA Communication Protocols Authentication Server

Many enterprise-level authentication servers are on the market today.
RADIUS:
- http://technet.microsoft.com/en-us/network/bb643123
- http://en.wikipedia.org/wiki/FreeRADIUS
TACACS+:
- Cisco Secure ACS for Windows Server (ACS) is a single solution that offers AAA for both TACACS+ and RADIUS.

Configuring Server-Based AAA Authentication

Server-based AAA must identify the various TACACS+ and RADIUS servers that the AAA service should consult when authenticating and authorizing users. Basic steps to configure server-based authentication:
Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a TACACS+ or RADIUS server.
Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS.
Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.

Configuring Server-Based AAA Authentication Configure a TACACS+ Server and Encryption Key

To configure a TACACS+ server: use the tacacs-server host ip-address single-connection command. The single-connection keyword enhances TCP performance by maintaining a single TCP connection for the life of the session. Otherwise, by default, a TCP connection is opened and closed for each session.

To configure the encryption key: use the tacacs-server key key command to configure the shared secret key used to encrypt the data transfer between the TACACS+ server and the AAA-enabled router. This key must be configured exactly the same on the router and the TACACS+ server.

Configuring Server-Based AAA Authentication Configure a RADIUS Server and Encryption Key

To configure a RADIUS server: use the radius-server host ip-address command. Because RADIUS uses UDP, there is no equivalent single-connection keyword.

To configure the encryption key: use the radius-server key key command. This key must be configured exactly the same on the router and the RADIUS server.

Configuring Server-Based AAA Authentication Configure Authentication to Use the AAA Server

When the AAA security servers have been identified, the servers must be included in the method list of the aaa authentication login command. AAA servers are identified using the group tacacs+ or group radius keywords. For example, to configure a method list for the default login to authenticate using a RADIUS server, a TACACS+ server, or a local username database:

aaa authentication login default group radius group tacacs+ local-case

Configuring Server-Based AAA Authentication AAA Authentication Commands

R1(config)# aaa authentication type { default | list-name } method1 … [method4]

R1(config)# aaa authentication login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R1(config)# aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)# aaa authentication login default group

Configuring Server-Based AAA Authentication Sample Configuration

Troubleshooting Server-Based AAA Authentication

R1# debug aaa authentication
AAA Authentication debugging is on
R1#
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS

The debug aaa authentication command provides a view of login activity. For successful TACACS+ login attempts, a status message of PASS results.

Troubleshooting Server-Based AAA Authentication

R1# debug radius ?
  accounting      RADIUS accounting packets only
  authentication  RADIUS authentication packets only
  brief           Only I/O transactions are recorded
  elog            RADIUS event logging
  failover        Packets sent upon fail-over
  local-server    Local RADIUS server
  retransmit      Retransmission of packets
  verbose         Include non essential RADIUS debugs
  <cr>
R1# debug radius

R1# debug tacacs ?
  accounting      TACACS+ protocol accounting
  authentication  TACACS+ protocol authentication
  authorization   TACACS+ protocol authorization
  events          TACACS+ protocol events
  packet          TACACS+ packets
  <cr>

Server-Based AAA Authorization Overview

Exchange shown in the figure (user JR-ADMIN, router, TACACS+ server):
  JR-ADMIN enters: show version
  Router -> server: Command authorization for user JR-ADMIN, command "show version"?
  Server -> router: Accept
  Router: Display "show version" output
  JR-ADMIN enters: configure terminal
  Router -> server: Command authorization for user JR-ADMIN, command "config terminal"?
  Server -> router: Reject
  Router: Do not permit "configure terminal"

- The TACACS+ protocol allows the separation of authentication from authorization.
- Can be configured to restrict the user to performing only certain functions after successful authentication.
- Authorization can be configured for character mode (exec authorization) and packet mode (network authorization).
- RADIUS does not separate the authentication from the authorization process.

Server-Based AAA Authorization Commands

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z

To configure command authorization, use:
aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]

Service types of interest include:
- commands level: For exec (shell) commands
- exec: For starting an exec (shell)
- network: For network services (PPP, SLIP, ARAP)

Server-Based AAA Accounting Overview

Provides the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered.

To configure AAA accounting using named method lists:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]

Supports six different types of accounting: network, connection, exec, system, commands level, and resource.

Server-Based AAA Accounting Commands

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z

- aaa accounting exec default start-stop group tacacs+: Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for user EXEC terminal sessions.
- aaa accounting network default start-stop group tacacs+: Defines an AAA accounting policy that uses TACACS+ for logging both start and stop records for all network-related service requests.

Summary The Authentication, Authorization, and Accounting (AAA) protocol provides a scalable framework for enabling access security. AAA controls who is allowed to connect to the network, what they are allowed to do, and keeps records of what was done.