Chapter 3: Authentication, Authorization, and Accounting


1 Chapter 3: Authentication, Authorization, and Accounting
CCNA Security v2.0

2 Chapter Outline
3.0 Introduction
3.1 Purpose of the AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
3.4 Server-Based AAA Authentication
3.5 Server-Based Authorization and Accounting
3.6 Summary

3 Section 3.1: Purpose of the AAA
Upon completion of this section, you should be able to: Explain why AAA is critical to network security. Describe the characteristics of AAA.

4 Topic 3.1.1: AAA Overview

5 Authentication without AAA
Telnet is Vulnerable to Brute-Force Attacks

6 Authentication without AAA (Cont.)
SSH and Local Database Method

7 AAA Components

8 Topic 3.1.2: AAA Characteristics

9 Authentication Modes
Local AAA Authentication
Server-Based AAA Authentication

10 Authorization
AAA Authorization

11 Accounting
AAA Accounting
Types of accounting information: Network, Connection, EXEC, System, Command, Resource
Activity - Identify the Characteristics of AAA

12 Section 3.2: Local AAA Authentication
Upon completion of this section, you should be able to: Configure AAA authentication, using the CLI, to validate users against a local database. Troubleshoot AAA authentication that validates users against a local database.

13 Topic 3.2.1: Configuring Local AAA Authentication with CLI

14 Authenticating Administrative Access
Add usernames and passwords to the local router database for users that need administrative access to the router.
Enable AAA globally on the router.
Configure AAA parameters on the router.
Confirm and troubleshoot the AAA configuration.

15 Authentication Methods

16 Default and Named Methods
Example Local AAA Authentication

17 Fine-Tuning the Authentication Configuration
Command Syntax
Display Locked Out Users
Show Unique ID of a Session
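
Added example, not part of the original slides: the four steps under Authenticating Administrative Access, with a default and a named method list and the lockout fine-tuning, as one IOS configuration. Usernames, the list name SSH-LOGIN and the secrets are constructed placeholders.

```cisco
! Constructed example: names and secrets are placeholders, not course values.
!
! Step 1: create the local users BEFORE enabling AAA, so the router
! cannot be left with AAA active and no account to log in with.
! "secret" stores a hash; scrypt is the strongest local hashing type.
username ADMIN algorithm-type scrypt secret <placeholder-secret-1>
username JR-ADMIN algorithm-type scrypt secret <placeholder-secret-2>
!
! Step 2: enable AAA globally.
aaa new-model
!
! Step 3: configure AAA parameters.
! Default list: applies to every line that has no named list attached.
! local-case makes the username comparison case-sensitive.
aaa authentication login default local-case
! Named list: only takes effect where it is applied explicitly.
aaa authentication login SSH-LOGIN local-case
! Lock a local account after 3 consecutive failed logins.
aaa local authentication attempts max-fail 3
!
line vty 0 4
 login authentication SSH-LOGIN
 transport input ssh
!
! Step 4: confirm and troubleshoot (privileged EXEC commands).
! show aaa local user lockout        - list locked-out users
! clear aaa local user lockout username JR-ADMIN
! show aaa sessions                  - show the unique ID of each session
! debug aaa authentication
```

A locked account stays locked until an administrator clears it, so the max-fail threshold slows brute-force guessing but also lets an outsider lock out named accounts; keep at least one recovery path (for example console access) available.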

18 Topic 3.2.2: Troubleshooting Local AAA Authentication

19 Debug Options
Debug Local AAA Authentication

20 Debugging AAA Authentication
Understanding Debug Output

21 Section 3.3: Server-Based AAA
Upon completion of this section, you should be able to: Describe the benefits of server-based AAA. Compare the TACACS+ and RADIUS authentication protocols.

22 Topic 3.3.1: Server-Based AAA Characteristics

23 Comparing Local AAA and Server-Based AAA Implementations
Local authentication:
User establishes a connection with the router.
Router prompts the user for a username and password, authenticating the user using a local database.
Server-based authentication:
User establishes a connection with the router.
Router prompts the user for a username and password.
Router passes the username and password to the Cisco Secure ACS (server or engine).
The Cisco Secure ACS authenticates the user.

24 Introducing Cisco Secure Access Control System

25 Topic 3.3.2: Server-Based AAA Communication Protocols

26 Introducing TACACS+ and RADIUS

27 TACACS+ Authentication
TACACS+ Authentication Process

28 RADIUS Authentication
RADIUS Authentication Process

29 Integration of TACACS+ and ACS
Cisco Secure ACS

30 Integration of AAA with Active Directory
Video - Integration of AAA with Identity Service Engine
Activity - Identify the AAA Communication Protocol

31 Section 3.4: Server-Based AAA Authentication
Upon completion of this section, you should be able to: Configure server-based AAA authentication, using the CLI, on Cisco routers. Troubleshoot server-based AAA authentication.

32 Topic 3.4.1: Configuring Server-Based Authentication with CLI

33 Steps for Configuring Server-Based AAA Authentication with CLI
Enable AAA.
Specify the IP address of the ACS server.
Configure the secret key.
Configure authentication to use either the RADIUS or TACACS+ server.

34 Configuring the CLI with TACACS+ Servers
Server-Based AAA Reference Topology
Configure a AAA TACACS+ Server

35 Configuring the CLI for RADIUS Servers
Configure a AAA RADIUS Server

36 Configure Authentication to Use the AAA Server
Command Syntax
Syntax Checker - Configure Server-Based AAA Authentication
Configure Server-Based AAA Authentication
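
Added example, not part of the original slides: the steps for configuring server-based AAA authentication, covering both a TACACS+ and a RADIUS server, as one IOS configuration. The server names SERVER-T and SERVER-R, the addresses (documentation range 192.0.2.0/24) and the keys are constructed placeholders.

```cisco
! Constructed example: names, addresses and keys are placeholders.
!
! Local fallback account, created first so access survives a server outage.
username ADMIN algorithm-type scrypt secret <placeholder-secret>
!
! Enable AAA.
aaa new-model
!
! Specify the TACACS+ server address and configure its secret key.
tacacs server SERVER-T
 address ipv4 192.0.2.10
 ! Reuse one TCP session for all exchanges with this server.
 single-connection
 key <placeholder-tacacs-key>
!
! Specify the RADIUS server address and configure its secret key.
! 1812/1813 are the IANA-assigned RADIUS ports; IOS defaults to the
! older 1645/1646 unless told otherwise.
radius server SERVER-R
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <placeholder-radius-key>
!
! Configure authentication to use the servers: try TACACS+ first,
! then RADIUS, then the local database.
aaa authentication login default group tacacs+ group radius local-case
```

The router moves to the next method in the list only when the previous one returns an error, such as a server that does not respond; a server that answers with a reject ends the login attempt, so the local account is not a way around a denied server login.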

37 Topic 3.4.2: Troubleshooting Server-Based AAA Authentication

38 Monitoring Authentication Traffic
Troubleshooting Server-Based AAA Authentication

39 Debugging TACACS+ and RADIUS
Troubleshooting RADIUS
Troubleshooting TACACS+

40 Debugging TACACS+ and RADIUS (Cont.)
AAA Server-Based Authentication Success
AAA Server-Based Authentication Failure
Video Demonstration: Configure a Cisco Router to Access a AAA RADIUS Server

41 Section 3.5: Server-Based AAA Authorization and Accounting
Upon completion of this section, you should be able to: Configure server-based AAA authorization. Configure server-based AAA accounting. Explain the functions of 802.1x components.

42 Topic 3.5.1: Configuring Server-Based AAA Authorization

43 Introduction to Server-Based AAA Authorization
Authentication vs. Authorization:
Authentication ensures a device or end-user is legitimate.
Authorization allows or disallows authenticated users access to certain areas and programs on the network.
TACACS+ vs. RADIUS:
TACACS+ separates authentication from authorization.
RADIUS does not separate authentication from authorization.

44 AAA Authorization Configuration with CLI
Command Syntax
Authorization Method Lists
Example AAA Authorization

45 Topic 3.5.2: Configuring Server-Based AAA Accounting

46 Introduction to Server-Based AAA Accounting

47 AAA Accounting Configuration with CLI
Command Syntax
Accounting Method Lists
Example AAA Accounting
Syntax Checker - Configure AAA Accounting

48 Topic 3.5.3: 802.1X Authentication

49 Security Using 802.1X Port-Based Authentication
802.1X Roles
802.1X Message Exchange

50 802.1X Port Authorization State
Command Syntax for dot1x port-control

51 Configuring 802.1X
Syntax Checker - Configure 802.1X Port-Authentication on a 2960 Switch
Packet Tracer - Configure Authentication on Cisco Routers
Lab - Securing Administrative Access Using AAA and RADIUS

52 Section 3.6: Summary
Chapter Objectives:
Explain how AAA is used to secure a network.
Implement AAA authentication that validates users against a local database.
Implement server-based AAA authentication using TACACS+ and RADIUS protocols.
Configure server-based AAA authorization and accounting.
Packet Tracer - Configure Authentication on Cisco Routers
Lab - Securing Administrative Access Using AAA and RADIUS


54 Instructor Resources
Remember, there are helpful tutorials and user guides available via your NetSpace home page. These resources cover a variety of topics including navigation, assessments, and assignments. A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.

