Presentation transcript: S6C12 - AAA (AAA Facts)

1 S6C12 - AAA: AAA Facts

2 AAA Defined
– Authentication, Authorization, and Accounting
– Central management of AAA: the information is kept in a single, centralized, secure database
– Easier to administer
– Permits access control from a central database
– "Access server" and "network access server" (NAS) both refer to a router connected to the "edge" of a network; this router is what outside users come through to reach the network

3 Authentication
– Authentication asks the question, "Who are you?"
– Determines who the user is
– Determines whether the user should be allowed access
– Bars intruders from the network
– May use a simple database of usernames and passwords
– Can use one-time passwords, so a password captured on the wire cannot be replayed

4 Why Use AAA for Authentication?
– AAA provides scalability
– Supports standardized security protocols, namely Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), and Kerberos (RADIUS and Kerberos are IETF standards; TACACS+ is a Cisco protocol, later documented in RFC 8907)
– Allows you to configure multiple backup methods; for example, you can configure an access server to consult a security server first and the local database second

5 Authorization
– Asks the question, "What privileges do you have?"
– Determines what the user is allowed to do
– Network managers can limit which network services are available to each user
– Limits the commands a new network administrator may issue on the corporate NAS or routers

6 Accounting
– Asks the questions, "What did you do and when did you do it?"
– Tracks what the user did and when they did it
– Can be used as an audit trail
– Can be used for billing connection time or resources used

7 TACACS+ Protocol
– Designed to allow effective communication of AAA information between the NAS and a central server
– Uses TCP (port 49) for reliable connections between client and server
– The NAS sends authentication and authorization requests and accounting information to the TACACS+ server
– Shifts logic and policy out of Cisco IOS into the server software and its database
– Provides centralized validation of users attempting to gain access to a router or network access server
– Treats authentication, authorization and accounting as separate exchanges, so authorization can be applied to each command
– The packet body is obfuscated with an MD5 keystream derived from the shared key; the header travels in the clear and there is no integrity check, so the link between NAS and server should itself be protected
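The body obfuscation mentioned above, as an added example that is not part of the slides: a minimal TACACS+ packet builder and parser following RFC 8907 sections 4.1 and 4.5. The session id, the key "superman" (the slides' own example key) and the PAP START body are constructed values, not captured traffic; there is no network I/O.

```python
import hashlib
import struct

# Header fields from RFC 8907 section 4.1 (12 bytes, network byte order):
# version, type, seq_no, flags, session_id, length
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body sent in the clear (never do this)

# Authentication START body fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: pad_1 = MD5(session_id || key || version || seq_no),
    pad_n = MD5(session_id || key || version || seq_no || pad_{n-1}),
    concatenated and truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or deobfuscate: XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr, password, priv_lvl=1):
    """PAP authentication START body; with PAP the password rides in the data field."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                   TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN, flags=0):
    """NAS side: header in the clear, body XORed with the key-derived pad."""
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, flags,
                         session_id, len(body))
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header + body
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    """Server side. Returns (header tuple, recovered body). A wrong key yields
    garbage rather than an error: the obfuscation carries no integrity check."""
    header = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    version, _ptype, seq_no, flags, session_id, length = header
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return header, body


def flip_bit(packet, body_offset, bit):
    """Model an on-path tamper: flipping a ciphertext bit flips the same plaintext bit."""
    data = bytearray(packet)
    data[HEADER_LEN + body_offset] ^= 1 << bit
    return bytes(data)


# Constructed sample values (assumptions for this example, not captured traffic).
SESSION_ID = 0x1234ABCD
KEY = b"superman"
START = authen_start_body(b"admin", b"tty1", b"10.1.1.5", b"cisco")
PACKET = build_packet(START, SESSION_ID, KEY, seq_no=1)

if __name__ == "__main__":
    hdr, body = parse_packet(PACKET, KEY)
    print("password visible on the wire:", b"cisco" in PACKET)
    print("recovered body matches:", body == START)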

8 RADIUS
– Developed by Livingston Enterprises, Inc.; now an IETF standard (RFC 2865 for authentication and authorization, RFC 2866 for accounting)
– Secures remote access to networks and network services against unauthorized access
– A protocol with its own frame format; utilizes UDP/IP (ports 1812 for authentication and 1813 for accounting; older deployments used 1645/1646)
– A server: authenticates, authorizes and accounts; runs on the customer site
– A client: resides in the dial-up access servers; distributed throughout the network

9 Kerberos
– A secret-key network authentication protocol used with AAA; the version described here uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication (DES is obsolete, and current Kerberos implementations use AES)
– Designed to authenticate requests for network resources
– Based on the concept of a trusted third party that performs secure verification of users and services
– A trusted Kerberos server issues tickets to users; these can be used in place of the standard username and password authentication mechanism

10 How RADIUS Client/Server Works
– The NAS operates as a client of RADIUS
– The client passes user information to the designated RADIUS server
– The RADIUS server receives the request, authenticates the user and returns the necessary configuration
– The RADIUS server can act as a proxy client for other kinds of authentication servers

11 RADIUS and Network Security
– Transactions are authenticated through the use of a shared secret, which is never sent over the network
– The user password is hidden between client and RADIUS server: the User-Password attribute is XORed with an MD5 keystream made from the shared secret and the request authenticator, while every other attribute travels in cleartext
– Supports a variety of methods to authenticate the user: PAP, CHAP, UNIX, et al.
– The Response Authenticator proves that a reply came from a party holding the shared secret; the Access-Request itself is only integrity-protected when the Message-Authenticator attribute (RFC 2869) is included
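The two mechanisms on this slide, password hiding (RFC 2865 section 5.2) and the Response Authenticator (RFC 2865 section 3), as an added example rather than code from the slides. The secret "superman", the identifier 7, the fixed request authenticator and the Reply-Message are constructed values; a real NAS must draw the request authenticator from a cryptographic random source, as the builder does when none is supplied.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_REPLY_MESSAGE = 1, 2, 18
RADIUS_AUTH_PORT = 1812  # UDP; accounting uses 1813


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then
    c_1 = p_1 XOR MD5(secret || RA), c_i = p_i XOR MD5(secret || c_{i-1})."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is 1..128 octets before padding")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], stream))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; the server does this, so it holds the secret in clear."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, stream))
        prev = block
    return out.rstrip(b"\x00")


def tlv(attr_type, value):
    """Attribute = Type (1) | Length (1, counts the 2 header bytes) | Value."""
    return bytes([attr_type, len(value) + 2]) + value


def parse_attributes(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + l]
        i += l
    return attrs


def build_access_request(identifier, username, password, secret, request_authenticator=None):
    """NAS side. The Request Authenticator must be unpredictable (RFC 2865 section 3)."""
    ra = request_authenticator if request_authenticator is not None else os.urandom(16)
    attrs = (tlv(ATTR_USER_NAME, username)
             + tlv(ATTR_USER_PASSWORD, hide_password(password, secret, ra)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def build_response(code, request, secret, attrs=b""):
    """Server side. Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS side: the reply verifies only if it was computed over this request's
    authenticator with the shared secret, which rules out a forged Access-Accept."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    if response[1] != request[1] or struct.unpack("!H", head[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


# Constructed sample exchange (assumptions for this example, not captured traffic).
SECRET = b"superman"
RA = bytes(range(16))  # fixed only so the run is reproducible
REQUEST = build_access_request(7, b"admin", b"cisco", SECRET, RA)
ACCEPT = build_response(ACCESS_ACCEPT, REQUEST, SECRET, tlv(ATTR_REPLY_MESSAGE, b"Welcome"))

if __name__ == "__main__":
    attrs = parse_attributes(REQUEST[20:])
    print("User-Password on the wire:", attrs[ATTR_USER_PASSWORD].hex())
    print("server recovers:", reveal_password(attrs[ATTR_USER_PASSWORD], SECRET, REQUEST[4:20]))
    print("Access-Accept verifies:", verify_response(ACCEPT, REQUEST, SECRET))
```

Note what the keystream does not give you: the User-Name and every other attribute are readable by anyone on the path, and a captured User-Password block can be brute-forced offline against the shared secret, which is why a long random secret and a protected transport still matter.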

12 Cisco Secure Access Control Server (ACS)
– Specialized security software that runs on Windows NT/2000 and Unix
– Simplifies and centralizes control of all user authentication, authorization, and accounting
– Can distribute the AAA information to hundreds or even thousands of access points in a network
– Uses either the TACACS+ or the RADIUS protocol to provide this network security and tracking
– Also acts as a central repository for accounting information

13 Configuring AAA
– Enable AAA: aaa new-model
– Tell the NAS where to locate the server (two servers provide redundancy):
  tacacs-server host ip-address
  tacacs-server host second-ip-address
– Set the encryption key: tacacs-server key key
– Tell IOS which TACACS+ features to use (next slide)

14 Configuration Process
Follow a three-step process for each AAA authentication command:
– Specify the authentication type (login, enable, PPP, etc.)
– Specify the method list as default or give it a name
– List the authentication methods to be tried, in order
Router(config)# aaa authentication ppp {default | list-name} method1 [method2 [method3 [method4]]]

15 Authentication
Authentication provides the method of identifying users, including:
– login and password dialog
– challenge and response
– messaging support
AAA authentication can be used to configure all of these access types:
– Access to privileged EXEC mode (enable mode)
– Access to virtual terminals
– Access to the console
– CHAP and PAP authentication for PPP connections
– NetWare Asynchronous Services Interface (NASI) authentication
– AppleTalk Remote Access Protocol (ARAP) authentication

16 Authentication Methods
– Using a password already configured on the router, such as the enable password or a line password
– Using the local username/password database
– Consulting a Kerberos server
– Consulting a RADIUS server or group of RADIUS servers
– Consulting a TACACS+ server or group of TACACS+ servers

17 Sample TACACS+ Features
aaa authentication login default tacacs+ line none
aaa authentication login admin_only tacacs+ enable none
aaa authentication login old_way line none
– You have just created three login lists named default, admin_only and old_way
– The trailing none means that if every earlier method returns an error (TACACS+ unreachable and no line or enable password configured), the user is let in with no authentication at all; use it only where being locked out of the console is worse than leaving it open

18 Four Methods
enable    Use the enable password
line      Use the line password
none      Use no authentication
tacacs+   Use TACACS+ authentication

19 Error vs. Failure
– An error is not the same as a failure: a method returns an error when it cannot answer (for example, the server is unreachable), and IOS then tries the next method in the list; a failure is a definite rejection (wrong password), and the list stops there with access denied
– Apply the lists to the lines:
line con 0
  login authentication admin_only
line aux 0
  login authentication admin_only
line vty 0 4
  login authentication old_way
line 1 16
  login authentication default
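The error-versus-failure rule above, as an added example that is not code from the slides: a small model of an IOS router that parses aaa authentication login lines and walks the method list the way the slide describes. The Nas class, its user databases and passwords are constructed for this example; which condition makes each method return ERROR rather than FAIL (no server reachable, no username or password configured) is this example's reading of IOS behaviour, and only the four methods on the previous slide plus local are modeled.

```python
from enum import Enum


class Result(Enum):
    PASS = "pass"    # method accepted the credentials
    FAIL = "fail"    # method answered and rejected them: the list stops here
    ERROR = "error"  # method could not answer: IOS tries the next method


class Nas:
    """Toy model of a router's authentication sources (constructed for this example)."""

    METHODS = {"tacacs+": "tacacs", "local": "local", "enable": "enable",
               "line": "line", "none": "none"}

    def __init__(self, local_users=None, enable_password=None, line_password=None,
                 tacacs_users=None, tacacs_reachable=True):
        self.local_users = local_users or {}
        self.enable_password = enable_password
        self.line_password = line_password
        self.tacacs_users = tacacs_users or {}
        self.tacacs_reachable = tacacs_reachable

    def tacacs(self, user, password):
        if not self.tacacs_reachable:
            return Result.ERROR  # no answer from any server in the group (assumption)
        return Result.PASS if self.tacacs_users.get(user) == password else Result.FAIL

    def local(self, user, password):
        if not self.local_users:
            return Result.ERROR  # no username configured at all (assumption)
        return Result.PASS if self.local_users.get(user) == password else Result.FAIL

    def enable(self, user, password):
        if self.enable_password is None:
            return Result.ERROR  # no enable password configured (assumption)
        return Result.PASS if password == self.enable_password else Result.FAIL

    def line(self, user, password):
        if self.line_password is None:
            return Result.ERROR  # no line password configured (assumption)
        return Result.PASS if password == self.line_password else Result.FAIL

    def none(self, user, password):
        return Result.PASS  # no authentication at all


def parse_login_list(command):
    """Parse 'aaa authentication login NAME method...'; 'group X' counts as one method."""
    tokens = command.split()
    if tokens[:3] != ["aaa", "authentication", "login"] or len(tokens) < 5:
        raise ValueError("not an aaa authentication login command")
    name, methods, i = tokens[3], [], 4
    while i < len(tokens):
        if tokens[i] == "group":
            methods.append(tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    for m in methods:
        if m not in Nas.METHODS:
            raise ValueError(f"method {m!r} is not modeled here")
    return name, methods


def login(nas, methods, user, password):
    """Walk the method list as IOS does: ERROR moves on, PASS or FAIL ends the walk.
    Returns (admitted, the method that decided)."""
    for method in methods:
        result = getattr(nas, Nas.METHODS[method])(user, password)
        if result is Result.PASS:
            return True, method
        if result is Result.FAIL:
            return False, method
    return False, "all methods returned ERROR"


# Constructed scenarios (assumptions for this example). The intruder knows no credentials.
ADMIN_ONLY = parse_login_list("aaa authentication login admin_only group tacacs+ enable none")[1]
DEFAULT = parse_login_list("aaa authentication login default group tacacs+ local")[1]

SERVER_DOWN_NO_ENABLE = Nas(local_users={"admin": "cisco"}, tacacs_users={"alice": "s3cret"},
                            tacacs_reachable=False)
SERVER_DOWN = Nas(local_users={"admin": "cisco"}, enable_password="cisco",
                  tacacs_users={"alice": "s3cret"}, tacacs_reachable=False)
SERVER_UP = Nas(local_users={"alice": "localpw"}, enable_password="cisco",
                tacacs_users={"alice": "s3cret"})

if __name__ == "__main__":
    print("server down, no enable password, intruder:", login(SERVER_DOWN_NO_ENABLE, ADMIN_ONLY, "intruder", "x"))
    print("server down, enable password set, intruder:", login(SERVER_DOWN, ADMIN_ONLY, "intruder", "x"))
    print("server up, wrong TACACS+ password, valid local one:", login(SERVER_UP, DEFAULT, "alice", "localpw"))
```

The first scenario is the one to remember: with the server unreachable and no enable password configured, both earlier methods return ERROR and the trailing none admits anyone. The third shows the other half of the rule: a FAIL from TACACS+ ends the walk, so the matching local account is never consulted.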

20 Sample Code
aaa authorization network default group tacacs+ none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
– if-authenticated grants the request to any user who has already authenticated when the server cannot be reached; a user who has not authenticated is still refused, so you cannot configure the router until you authenticate

21 Eight Authorization Types
– auth-proxy: authentication proxy services
– commands: EXEC commands at a given privilege level
– config-commands: configuration commands (turned off with no aaa authorization config-commands)
– exec: whether the user may start an EXEC shell
– network: network services such as PPP, SLIP and ARAP connections
– reverse-access: reverse Telnet access
– configuration: downloading the configuration from the AAA server
– ipmobile: Mobile IP services

22 Configuring AAA Authorization
– Enable AAA using the aaa new-model command
– Configure AAA authentication; authorization generally takes place after authentication and relies on authentication working properly
– Configure the router as a TACACS+ or RADIUS client, if necessary
– Configure the local username/password database, if necessary; using the username command, you can define the rights associated with specific users

23 Privilege Levels
– Privilege level 1 = non-privileged (prompt is router>), the default level after login
– Privilege level 15 = privileged (prompt is router#), the level after entering enable mode
– Privilege level 0 = includes five commands: disable, enable, exit, help, and logout

24 Accounting Types
AAA supports six different types of accounting:
– network
– exec
– commands
– connection
– system
– resource

25 Security Example: With and Without TACACS+
Without TACACS+:
aaa new-model
aaa authentication login default local
username admin password cisco
With TACACS+:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+
tacacs-server host 10.1.1.254
tacacs-server timeout 30
tacacs-server key superman
username admin password cisco
enable password cisco
– The local username and enable password are the fallback when the TACACS+ server cannot be reached; in practice use username admin secret and enable secret so the fallback credentials are stored as hashes rather than in cleartext or reversible type 7 form, and do not reuse the example passwords or key
