Presentation is loading. Please wait.

Presentation is loading. Please wait.

Access Control Authentication, Authorization, and Accounting

Published byMoses Dennis Modified over 8 years ago

Similar presentations

Presentation on theme: "Access Control Authentication, Authorization, and Accounting"— Presentation transcript:

1 Access Control Authentication, Authorization, and Accounting
Source: CCNA Security Cisco Networking Academy

2 Authentication, Authorization and Accounting
Overview of AAA Local AAA Authentication Server-Based AAA Server-Based AAA Authentication Server-Based AAA Authorization and Accounting

3 AAA Overview Authentication
Users and administrators must prove that they are who they say they are. Can be established using username and password combinations, challenge and response questions, token cards, and other methods. Authorization After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is "User 'student' can access host serverXYZ using Telnet only." Accounting and auditing Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is "User 'student' accessed host serverXYZ using Telnet for 15 minutes."

4 AAA Overview Similar to the use of a credit card Authorization
Accounting What did you spend it on? Authentication Who are you? Authorization which resources the user is allowed to access and which operations the user is allowed to perform? 4

5 Authentication – Password-Only
User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords Password-Only Method Internet R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Uses a login and password combination on access lines. Easiest to implement, but most unsecure method. Vulnerable to brute-force attacks. Provides no accountability.

6 Authentication – Local Database
Creates individual user account/password on each device. Provides accountability. User accounts must be configured locally on each device. Provides no fallback authentication method. R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local User Access Verification Username: Admin Password: cisco1 % Login invalid Password: cisco12 Internet Local Database Method

7 Access Methods Character Mode – Remote administrative access
A user sends a request to establish an EXEC mode process with the router for administrative purposes. Packet Mode – Remote network access A user sends a request to establish a connection through the router with a device on the network.

8 Local AAA Authentication
Used for small networks. Stores usernames and passwords locally in the router.

9 Server-Based AAA Authentication
Uses an external database server Example Cisco Secure Access Control Server (ACS) for Windows Server Cisco Secure ACS Solution Engine Cisco Secure ACS Express More appropriate if there are multiple routers

10 AAA Authorization When a user has been authenticated, a session is established with an AAA server. The router requests authorization for the requested service from the AAA server. The AAA server returns a PASS/FAIL for authorization. Typically implemented using an AAA server-based solution Uses a set of attributes that describes user access to the network These attributes are compared to the information contained within the AAA database, and a determination of restrictions for that user is made and delivered to the local router where the user is connected

11 AAA Accounting Implemented using an AAA server-based solution
When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. When the user finishes, a stop message is recorded ending the accounting process. Implemented using an AAA server-based solution Keeps a detailed log of what an authenticated user does on a device Reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about the configuration of the network

12 AAA Accounting

13 Configuring Local AAA Authentication
To authenticate administrator access (character mode access) Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router. Step 2. Enable AAA globally on the router. Step 3. Configure AAA parameters on the router. Step 4. Confirm and troubleshoot the AAA configuration.

14 Additional Commands and Information
aaa authentication enable Enables AAA for EXEC mode access aaa authentication ppp Enables AAA for PPP network access

15 AAA Authentication Command Elements
router(config)# aaa authentication login {default | list-name} method1…[method4] Command Description default Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in list-name Character string used to name the list of authentication methods activated when a user logs in password-expiry Enables password aging on a local authentication list. method1 [method2...] Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.

16 Login Method Type Keywords
Description enable Uses the enable password for authentication. This keyword cannot be used. krb5 Uses Kerberos 5 for authentication. krb5-telnet Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router. line Uses the line password for authentication. local Uses the local username database for authentication. local-case Uses case-sensitive local username authentication. none Uses no authentication. cache group-name Uses a cache server group for authentication. group radius Uses the list of all RADIUS servers for authentication. group tacacs+ Uses the list of all TACACS+ servers for authentication. group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

17 Configuring Local AAA Authentication Example
Requirement: The enable method could be configured as a fallback mechanism in case the username and password is forgotten. aaa authentication login TELNET-ACCESS local enable In this example, an AAA authentication list named TELNET-ACCESS is created that requires users to attempt to authenticate to the router's local user database first. If that attempt returns an error, such as a local user database is not configured, the user can attempt to authenticate by knowing the enable password.

18 Configuring Local AAA Authentication Additional Security
router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts] R1# show aaa local user lockout Local-user Lock time JR-ADMIN :28:49 UTC Sat Dec R1# show aaa sessions Total sessions since last reload: 4 Session Id: 1 Unique Id: 175 User Name: ADMIN IP Address: Idle Time: 0 CT Call Handle: 0

19 Configuring Local AAA Authentication Sample Configuration
The authentication methods in the default list are used by default on all lines, unless a custom authentication method list is created. If an interface or line has a nondefault method list applied to it, that method overrides the default method list for that interface. If the default list is not set and there is no other list, only the local user database is checked. This has the same effect as the command aaa authentication login default local. On the console, login succeeds without any authentication checks if default is not set. R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local-case enable R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN Default后面的参数可以写过个,本例中先验证local-case,如果路由器中有username的配置,则使用local验证,如果没有配置任何username,这是用enable的口令验证。

20 Troubleshooting Local AAA Authentication
R1# debug aaa ? accounting Accounting administrative Administrative api AAA api events attr AAA Attr Manager authentication Authentication authorization Authorization cache Cache activities coa AAA CoA processing db AAA DB Manager dead-criteria AAA Dead-Criteria Info id AAA Unique Id ipc AAA IPC mlist-ref-count Method list reference counts mlist-state Information about AAA method list state change and notification per-user Per-user attributes pod AAA POD processing protocol AAA protocol processing server-ref-count Server handle reference counts sg-ref-count Server group handle reference counts sg-server-selection Server Group Server Selection subsys AAA Subsystem testing Info. about AAA generated test packets

21 Troubleshooting Local AAA Authentication
R1# debug aaa authentication 113123: Feb 4 10:11: CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11: CST: AAA/AUTHEN/START ( ): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11: CST: AAA/AUTHEN/START ( ): using "default" list 113126: Feb 4 10:11: CST: AAA/AUTHEN/START ( ): Method=LOCAL 113127: Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETUSER 113128: Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): continue_login (user='(undef)') 113129: Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETUSER 113130: Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): Method=LOCAL 113131: Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETPASS 113132: Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): continue_login (user='diallocal') 113133: Feb 4 10:11: CST: AAA/AUTHEN ( ): status = GETPASS 113134: Feb 4 10:11: CST: AAA/AUTHEN/CONT ( ): Method=LOCAL 113135: Feb 4 10:11: CST: AAA/AUTHEN ( ): status = PASS

22 Server-Based AAA Local implementations of AAA do not scale well. Most corporate environments have multiple routers with multiple router administrators and hundreds or thousands of users needing access to the corporate LAN. Maintaining local databases for each router for this size of network is not feasible. To solve this challenge, one or more AAA servers can be used to manage the user and administrative access needs for an entire corporate network. Example: Cisco Secure ACS can create a central user and administrative access database that all devices in the network can access. It can also work with many external databases, including Active Directory and Lightweight Directory Access Protocol (LDAP). These databases store user account information and passwords, allowing for central administration of user accounts.

23 Local Versus Server-Based Authentication

24 Server-Based AAA Communication Protocols
TACACS+ and RADIUS are both authentication protocols. Whether TACACS+ or RADIUS is selected depends on the needs of the organization. A large ISP might select RADIUS because it supports detailed accounting required for billing users. An organization with various user groups might select TACACS+ because it requires select authorization policies to be applied on a per-user or per-group basis. TACACS+ is considered the more secure protocol. This is because all TACACS + protocol exchanges are encrypted. RADIUS only encrypts the user password. It does not encrypt user names, accounting information, or any other information carried in the radius message.

25 Server-Based AAA Communication Protocols
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers. Cisco Secure ACS for Windows Server Perimeter Router Remote User Cisco Secure ACS Express

26 Server-Based AAA Communication Protocols
Critical factors for TACACS+ include: Is incompatible with TACACS and XTACACS Separates authentication and authorization Encrypts all communication Utilizes TCP port 49 Critical factors for RADIUS include: Uses RADIUS proxy servers for scalability Combines RADIUS authentication and authorization as one process. Encrypts only the password Utilizes UDP Supports remote-access technologies, 802.1X, and SIP

27 Server-Based AAA Communication Protocols TACACS+/RADIUS Comparison

28 Server-Based AAA Communication Protocols TACACS+ Authentication Process
Connect Username prompt? Username? Use “Username” JR-ADMIN JR-ADMIN Password prompt? Password? Use “Password” “Str0ngPa55w0rd” “Str0ngPa55w0rd” Accept/Reject Provides separate AAA services Separating the AAA services provides flexibility in implementation, because it is possible to use TACACS+ for authorization and accounting while using another method of authentication. Utilizes TCP port 49

29 Server-Based AAA Communication Protocols RADIUS Authentication Process
Access-Request (JR_ADMIN, “Str0ngPa55w0rd”) Username? JR-ADMIN Access-Accept Password? Str0ngPa55w0rd RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol for applications such as network access or IP mobility. Works in both local and roaming situations and is commonly used for accounting purposes. Currently defined by RFCs 2865, 2866, 2867, and 2868. Combines authentication and authorization as one process. When a user is authenticated, that user is also authorized. Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting.

30 Server-Based AAA Communication Protocols Authentication Server
Many enterprise-level authentication servers are on the market today. RADIUS TACACS+ Cisco Secure ACS for Windows Server (ACS) is a single solution that offers AAA for both TACACS+ and RADIUS.

31 Configuring Server-Based AAA Authentication
Server-based AAA must identify various TACACS+ and RADIUS servers that the AAA service should consult when authenticating and authorizing users. Basic steps to configure server-based authentication: Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands. Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a TACACS+ or RADIUS server. Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS. Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.

32 Configuring Server-Based AAA Authentication Configure a TACACS+ Server and Encryption Key
To configure a TACACS+ server: Use the tacacs-server host ip-address single-connection command. The single-connection keyword enhances TCP performance by maintaining a single TCP connection for the life of the session. Otherwise, by default, a TCP connection is opened and closed for each session. To configure encryption key : Use the tacacs-server key key command to configure the shared secret key to encrypt the data transfer between the TACACS+ server and AAA-enabled router. This key must be configured exactly the same on the router and the TACACS+ server.

33 To configure a RADIUS server:
Configuring Server-Based AAA Authentication Configure a RADIUS Server and Encryption Key To configure a RADIUS server: Use the radius-server host ip-address command. Because RADIUS uses UDP, there is no equivalent single-connection keyword. To configure encryption key Use the radius-server key key command. This key must be configured exactly the same on the router and the RADIUS server.

34 Configuring Server-Based AAA Authentication Configure Authentication to Use the AAA Server
When the AAA security servers have been identified, the servers must be included in the method list of the aaa authentication login command. AAA servers are identified using the group tacacs+ or group radius keywords. For example, to configure a method list for the default login to authenticate using a RADIUS server, a TACACS+ server, or a local username database: aaa authentication login default group radius group tacacs+ local-case.

35 Configuring Server-Based AAA Authentication AAA Authentication Commands
R1(config)# aaa authentication type { default | list-name } method1 … [method4] R1(config)# aaa authentication login default ? enable Use enable password for authentication. group Use Server-group krb Use Kerberos 5 authentication. krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet. line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. passwd-expiry enable the login list to provide password aging support R1(config)# aaa authentication login default group ? WORD Server-group name radius Use list of all Radius hosts. tacacs+ Use list of all Tacacs+ hosts. R1(config)# aaa authentication login default group

36 Configuring Server-Based AAA Authentication Sample Configuration

37 Troubleshooting Server-Based AAA Authentication
R1# debug aaa authentication AAA Authentication debugging is on R1# 14:01:17: AAA/AUTHEN ( ): Method=TACACS+ 14:01:17: TAC+: send AUTHEN/CONT packet 14:01:17: TAC+ ( ): received authen response status = PASS 14:01:17: AAA/AUTHEN ( ): status = PASS The debug aaa authentication command provides a view of login activity. For successful TACACS+ login attempts, a status message of PASS results.

38 Troubleshooting Server-Based AAA Authentication
R1# debug radius ? accounting RADIUS accounting packets only authentication RADIUS authentication packets only brief Only I/O transactions are recorded elog RADIUS event logging failover Packets sent upon fail-over local-server Local RADIUS server retransmit Retransmission of packets verbose Include non essential RADIUS debugs <cr> R1# debug radius R1# debug tacacs ? accounting TACACS+ protocol accounting authentication TACACS+ protocol authentication authorization TACACS+ protocol authorization events TACACS+ protocol events packet TACACS+ packets <cr>

39 Sever-Based AAA Authorization Overview
Command authorization for user JR-ADMIN, command “show version”? show version Display “show version” output Accept Command authorization for user JR-ADMIN, command “config terminal”? configure terminal Do not permit “configure terminal” Reject The TACACS+ protocol allows the separation of authentication from authorization. Can be configured to restrict the user to performing only certain functions after successful authentication. Authorization can be configured for character mode (exec authorization) packet mode (network authorization) RADIUS does not separate the authentication from the authorization process.

40 Sever-Based AAA Authorization Commands
R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default group tacacs+ R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# aaa authorization exec default group tacacs+ R1(config)# aaa authorization network default group tacacs+ R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN R1(config-line)# ^Z To configure command authorization: Use aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4] Service types of interest include: commands level For exec (shell) commands exec For starting an exec (shell) network For network services. (PPP, SLIP, ARAP)

41 Server-Based AAA Accounting Overview
Provides the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered. To configure AAA accounting using named method lists: aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]] Supports six different types of accounting: network, connection, exec, system, commands level, and resource.

42 Server-Based AAA Accounting Commands
R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default group tacacs+ R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# aaa authorization exec group tacacs+ R1(config)# aaa authorization network group tacacs+ R1(config)# aaa accounting exec start-stop group tacacs+ R1(config)# aaa accounting network start-stop group tacacs+ R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN R1(config-line)# ^Z aaa accounting exec default start-stop group tacacs+ Defines a AAA accounting policy that uses TACACS+ for logging both start and stop records for user EXEC terminal sessions. aaa accounting network default start-stop group tacacs+ Defines a AAA accounting policy that uses TACACS+ for logging both start and stop records for all network-related service requests.

43 Summary The Authentication, Authorization, and Accounting (AAA) protocol provides a scalable framework for enabling access security. AAA controls who is allowed to connect to the network, what they are allowed to do, and keeps records of what was done.

Download ppt "Access Control Authentication, Authorization, and Accounting"

Similar presentations

Inter WISP WLAN roaming

Inter WISP WLAN roaming
Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.

© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting.
1 © 2009 Cisco Learning Institute. CCNA Security Chapter Three Authentication, Authorization, and Accounting.

1 © 2009 Cisco Learning Institute. CCNA Security Chapter Three Authentication, Authorization, and Accounting.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 1 Implementing Secure Converged Wide Area Networks (ISCW)

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod5_L11 1 Implementing Secure Converged Wide Area Networks (ISCW)
Chapter Three Authentication, Authorization, and Accounting

Chapter Three Authentication, Authorization, and Accounting
Georgy Melamed Eran Stiller

Georgy Melamed Eran Stiller
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control 172.16.3.0172.16.4.0 Non-172.16.0.0 e0e1 s0 172.16.4.13 server.

CCNA2 Routing Perrine modified by Brierley Page 18/6/2015 Module 11 Access Control Non e0e1 s server.
Authentication, Authorization, and Accounting

Authentication, Authorization, and Accounting
Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,

Chapter 18 RADIUS. RADIUS  Remote Authentication Dial-In User Service  Protocol used for communication between NAS and AAA server  Supports authentication,
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.

802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.
S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

S6C12 - AAA AAA Facts. AAA Defined Authentication, Authorization, and Accounting Central Management of AAA –Information in a single, centralized, secure.

Similar presentations

Ads by Google