SlideShare a Scribd company logo

CCNA Security 06- AAA

Download as PPT, PDF
Ahmed Habib
Ahmed Habib

CCNA Security 640-554 By Eng-Ahmed Sultan

Education
1 of 28
05- AAA Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH © 2009 Cisco Learning Institute. 1
AAA Access Security Authentication Who are you? Accounting What did you spend it on? Authorization which resources the user is allowed to access and which operations the user is allowed to perform? © 2009 Cisco Learning Institute. 2
Authentication – Password-Only User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Password-Only Method Internet • Uses a login and password combination on access lines • Easiest to implement, but most unsecure method • Vulnerable to brute-force attacks • Provides no accountability © 2009 Cisco Learning Institute. 3
Authentication – Local Database • Creates individual user account/password on each device • Provides accountability • User accounts must be configured locally on each device R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local Internet User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid Local Database Method © 2009 Cisco Learning Institute. 4
Local Vs. Remote Access R1 Local Access LAN 1 Internet Administrator Console Port LAN 2 Remote Access R1 Internet Firewall R2 LAN 3 Management LAN Administration Host Logging Host Requires a direct connection to a console port using a computer running terminal emulation software Uses Telnet, SSH or HTTP connections to the router from a computer © 2009 Cisco Learning Institute. 5
Password Security To increase the security of passwords, use additional configuration parameters: - Minimum password lengths should be enforced - Unattended connections should be disabled - All passwords in the configuration file should be encrypted R1(config)# service password-encryption R1(config)# exit R1# show running-config line con 0 exec-timeout 3 30 password 7 094F471A1A0A login line aux 0 exec-timeout 3 30 password 7 094F471A1A0A login © 2009 Cisco Learning Institute. 6
Passwords An acceptable password length is 10 or more characters Complex passwords include a mix of upper and lowercase letters, numbers, symbols and spaces Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information Deliberately misspell a password (Security = 5ecur1ty) Change passwords often Do not write passwords down and leave them in obvious places © 2009 Cisco Learning Institute. 7
Access Port Passwords Command to restrict access to privileged EXEC mode Commands to establish a login password on incoming Telnet sessions R1 R1(config)# enable secret cisco Commands to establish a login password for dial-up modem connections R1(config)# line aux 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Commands to establish a login password on the console line © 2009 Cisco Learning Institute. 8
Creating Users username name secret {[0]password|5encrypted-secret} Parameter Description name This parameter specifies the username. 0 (Optional) This option indicates that the plaintext password is to be hashed by the router using MD5. password This parameter is the plaintext password to be hashed using MD5. 5 This parameter indicates that the encrypted-secret password was hashed using MD5. encrypted-secret This parameter is the MD5 encrypted-secret password that is stored as the encrypted user password. © 2009 Cisco Learning Institute. 9
Enhanced Login Features The following commands are available to configure a Cisco IOS device to support the enhanced login features: © 2009 Cisco Learning Institute. 10
login block-for Command All login enhancement features are disabled by default. The login block-for command enables configuration of the login enhancement features. - The login block-for feature monitors login device activity and operates in two modes: o Normal-Mode (Watch-Mode) —The router keeps count of the number of failed login attempts within an identified amount of time. o Quiet-Mode (Quiet Period) — If the number of failed logins exceeds the configured threshold, all login attempts made using Telnet, SSH, and HTTP are denied. © 2009 Cisco Learning Institute. 11
System Logging Messages • To generate log messages for successful/failed logins: - login on-failure log - login on-success log • To generate a message when failure rate is exceeded: - security authentication failure rate threshold-rate log • To verify that the login block-for command is configured and which mode the router is currently in: - show login • To display more information regarding the failed attempts: - show login failures © 2009 Cisco Learning Institute. 12
Self-Contained AAA Authentication AAA Remote Client Router 1 2 3 Self-Contained AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database. • Used for small networks • Stores usernames and passwords locally in the Cisco router © 2009 Cisco Learning Institute. 13
Server-Based AAA Authentication • Uses an external database server - Cisco Secure Access Control Server (ACS) for Windows Server - Cisco Secure ACS Solution Engine - Cisco Secure ACS Express • More appropriate if there are multiple routers AAA Router (AAA Client) ) Remote Client 1 2 4 3 Server-Based AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server. Cisco Secure ACS Server © 2009 Cisco Learning Institute. 14
AAA Authorization • Typically implemented using an AAA server-based solution • Uses a set of attributes that describes user access to the network 1. When a user has been authenticated, a session is established with an AAA server. 2. The router requests authorization for the requested service from the AAA server. 3. The AAA server returns a PASS/FAIL for authorization. © 2009 Cisco Learning Institute. 15
AAA Accounting • Implemented using an AAA server-based solution • Keeps a detailed log of what an authenticated user does on a device 1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process. © 2009 Cisco Learning Institute. 16
Local AAA Authentication Commands R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local R1(config)# aaa local authentication attempts max-fail 10 To authenticate administrator access (character mode access) 1.Add usernames and passwords to the local router database 2.Enable AAA globally 3.Configure AAA parameters on the router 4.Confirm and troubleshoot the AAA configuration © 2009 Cisco Learning Institute. 17
Sample Configuration R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local enable R1(config)# aaa authentication login TELNET-LOGIN local R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN © 2009 Cisco Learning Institute. 18
The debug aaa Command R1# debug aaa ? accounting Accounting administrative Administrative api AAA api events attr AAA Attr Manager authentication Authentication authorization Authorization cache Cache activities coa AAA CoA processing db AAA DB Manager dead-criteria AAA Dead-Criteria Info id AAA Unique Id ipc AAA IPC mlist-ref-count Method list reference counts mlist-state Information about AAA method list state change and notification per-user Per-user attributes pod AAA POD processing protocol AAA protocol processing server-ref-count Server handle reference counts sg-ref-count Server group handle reference counts sg-server-selection Server Group Server Selection subsys AAA Subsystem testing Info. about AAA generated test packets R1# debug aaa © 2009 Cisco Learning Institute. 19
Sample Output R1# debug aaa authentication 113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)') 113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal') 113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS © 2009 Cisco Learning Institute. 20
Local Vs. Server-Based Authentication Local Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password authenticating the user using a local database. Perimeter Router Remote User Cisco Secure ACS for Windows Server 1 2 3 4 Server-Based Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. © 2009 Cisco Learning Institute. 21
Overview of TACACS+ and RADIUS TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers. Perimeter Router Remote User Cisco Secure ACS for Windows Server Cisco Secure ACS Express © 2009 Cisco Learning Institute. 22
TACACS+/RADIUS Comparison TACACS+ RADIUS Functionality Separates authentication and authorization . Combines authentication and authorization . Standard Mostly Cisco supported Open/RFC standard Transport Protocol TCP UDP Confidentiality Entire packet encrypted Password encrypted © 2009 Cisco Learning Institute. 23
TACACS+ Authentication Process Connect Username prompt? Username? Use “Username” JR-ADMIN JR-ADMIN Password? “Str0ngPa55w0rd” • Provides separate AAA services • Utilizes TCP port 49 Password prompt? Use “Password” “Str0ngPa55w0rd” Accept/Reject © 2009 Cisco Learning Institute. 24
RADIUS Authentication Process Username? JR-ADMIN Password? Str0ngPa55w0rd Access-Request (JR_ADMIN, “Str0ngPa55w0rd”) Access-Accept • Works in both local and roaming situations • Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting © 2009 Cisco Learning Institute. 25
Installation Options Cisco Secure ACS for Windows can be installed on: - Windows 2000 Server with Service Pack 4 - Windows 2000 Advanced Server with Service Pack 4 - Windows Server 2003 Standard Edition - Windows Server 2003 Enterprise Edition Cisco Secure ACS Solution Engine - A highly scalable dedicated platform that serves as a high-performance ACS - 1RU, rack-mountable - Preinstalled with a security-hardened Windows software, Cisco Secure ACS software - Support for more than 350 users Cisco Secure ACS Express 5.0 - Entry-level ACS with simplified feature set - Support for up to 50 AAA device and up to 350 unique user ID logins in a 24-hour period © 2009 Cisco Learning Institute. 26
Deploying ACS LAB © 2009 Cisco Learning Institute. 27
CCNA Security 06- AAA

Recommended

CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLICCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLIHoàng Hải Nguyễn
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsAhmed Habib
 
Chapter 3 overview
Chapter 3 overviewChapter 3 overview
Chapter 3 overviewali raza
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3Irsandi Hasan
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ipsCCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ipsAhmed Habib
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2Irsandi Hasan
 

Recommended

CCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeCCNA Security 05- securing the management plane
CCNA Security 05- securing the management planeAhmed Habib
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLICCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLIHoàng Hải Nguyễn
 
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsCCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentalsAhmed Habib
 
Chapter 3 overview
Chapter 3 overviewChapter 3 overview
Chapter 3 overviewali raza
 
CCNA Security - Chapter 3
CCNA Security - Chapter 3CCNA Security - Chapter 3
CCNA Security - Chapter 3Irsandi Hasan
 
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsCCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systemsAhmed Habib
 
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ipsCCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ipsAhmed Habib
 
CCNA Security - Chapter 2
CCNA Security - Chapter 2CCNA Security - Chapter 2
CCNA Security - Chapter 2Irsandi Hasan
 
Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamCisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamJysmeen
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context TrainingTariq Bader
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4Irsandi Hasan
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overviewali raza
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA FirewallsBryley Systems Inc.
 
CCNP Security-VPN
CCNP Security-VPNCCNP Security-VPN
CCNP Security-VPNmohannadalhanahnah
 
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaCCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaAhmed Habib
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallIT Tech
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overviewali raza
 
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2Solomon Abavire Kobina,
 
Ccna security
Ccna securityCcna security
Ccna securitydkaya
 
network security
network securitynetwork security
network securityDayanna Moyano
 
Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overviewali raza
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overviewali raza
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewallmohannadalhanahnah
 
CCA security answers chapter 2 test
CCA security answers chapter 2 testCCA security answers chapter 2 test
CCA security answers chapter 2 testSoporte Yottatec
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6Irsandi Hasan
 
Asa sslvpn security
Asa sslvpn securityAsa sslvpn security
Asa sslvpn securityJack Melson
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewallAnwesh Dixit
 
CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8Irsandi Hasan
 
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7Irsandi Hasan
 
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8Irsandi Hasan
 

More Related Content

What's hot

Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamCisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamJysmeen
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context TrainingTariq Bader
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4Irsandi Hasan
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overviewali raza
 
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaCCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaAhmed Habib
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallIT Tech
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overviewali raza
 
Ccna security
Ccna securityCcna security
Ccna securitydkaya
 
Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overviewali raza
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overviewali raza
 
CCA security answers chapter 2 test
CCA security answers chapter 2 testCCA security answers chapter 2 test
CCA security answers chapter 2 testSoporte Yottatec
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6Irsandi Hasan
 
Asa sslvpn security
Asa sslvpn securityAsa sslvpn security
Asa sslvpn securityJack Melson
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewallAnwesh Dixit
 

What's hot (19)

Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice ExamCisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice Exam
 
ASA Multiple Context Training
ASA Multiple Context TrainingASA Multiple Context Training
ASA Multiple Context Training
 
CCNA Security - Chapter 4
CCNA Security - Chapter 4CCNA Security - Chapter 4
CCNA Security - Chapter 4
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overview
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
CCNP Security-VPN
CCNP Security-VPNCCNP Security-VPN
CCNP Security-VPN
 
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asaCCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
 
Chapter 5 overview
Chapter 5 overviewChapter 5 overview
Chapter 5 overview
 
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
 
Ccna security
Ccna securityCcna security
Ccna security
 
network security
network securitynetwork security
network security
 
Chapter 8 overview
Chapter 8 overviewChapter 8 overview
Chapter 8 overview
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overview
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
CCA security answers chapter 2 test
CCA security answers chapter 2 testCCA security answers chapter 2 test
CCA security answers chapter 2 test
 
CCNA Security - Chapter 6
CCNA Security - Chapter 6CCNA Security - Chapter 6
CCNA Security - Chapter 6
 
Asa sslvpn security
Asa sslvpn securityAsa sslvpn security
Asa sslvpn security
 
Cisco asa cx firwewall
Cisco asa cx firwewallCisco asa cx firwewall
Cisco asa cx firwewall
 

Viewers also liked

CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8Irsandi Hasan
 
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7Irsandi Hasan
 
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8Irsandi Hasan
 
VMware vShield - Overview
VMware vShield - OverviewVMware vShield - Overview
VMware vShield - OverviewIrsandi Hasan
 
CCNA Security - Chapter 8
CCNA Security - Chapter 8CCNA Security - Chapter 8
CCNA Security - Chapter 8Irsandi Hasan
 
CCNA Security - Chapter 7
CCNA Security - Chapter 7CCNA Security - Chapter 7
CCNA Security - Chapter 7Irsandi Hasan
 
CCNA Security - Chapter 9
CCNA Security - Chapter 9CCNA Security - Chapter 9
CCNA Security - Chapter 9Irsandi Hasan
 
CCNA Security - Chapter 5
CCNA Security - Chapter 5CCNA Security - Chapter 5
CCNA Security - Chapter 5Irsandi Hasan
 
CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4Irsandi Hasan
 
CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1Irsandi Hasan
 
CCNA Discovery 1 - Chapter 4
CCNA Discovery 1 - Chapter 4CCNA Discovery 1 - Chapter 4
CCNA Discovery 1 - Chapter 4Irsandi Hasan
 
CCNA Exploration 4 - Chapter 6
CCNA Exploration 4 - Chapter 6CCNA Exploration 4 - Chapter 6
CCNA Exploration 4 - Chapter 6Irsandi Hasan
 
CCNA Exploration 2 - Chapter 11
CCNA Exploration 2 - Chapter 11CCNA Exploration 2 - Chapter 11
CCNA Exploration 2 - Chapter 11Irsandi Hasan
 
CCNA Discovery 3 - Chapter 3
CCNA Discovery 3 - Chapter 3CCNA Discovery 3 - Chapter 3
CCNA Discovery 3 - Chapter 3Irsandi Hasan
 
CCNA Discovery 3 - Chapter 2
CCNA Discovery 3 - Chapter 2CCNA Discovery 3 - Chapter 2
CCNA Discovery 3 - Chapter 2Irsandi Hasan
 
CCNA Discovery 3 - Chapter 1
CCNA Discovery 3 - Chapter 1CCNA Discovery 3 - Chapter 1
CCNA Discovery 3 - Chapter 1Irsandi Hasan
 

Viewers also liked (20)

CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8
 
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7
 
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8
 
VMware vShield - Overview
VMware vShield - OverviewVMware vShield - Overview
VMware vShield - Overview
 
ITE - Chapter 9
ITE - Chapter 9ITE - Chapter 9
ITE - Chapter 9
 
OSPF v3
OSPF v3OSPF v3
OSPF v3
 
CCNA Security - Chapter 8
CCNA Security - Chapter 8CCNA Security - Chapter 8
CCNA Security - Chapter 8
 
CCNA Security - Chapter 7
CCNA Security - Chapter 7CCNA Security - Chapter 7
CCNA Security - Chapter 7
 
CCNA Security - Chapter 9
CCNA Security - Chapter 9CCNA Security - Chapter 9
CCNA Security - Chapter 9
 
CCNA Security - Chapter 5
CCNA Security - Chapter 5CCNA Security - Chapter 5
CCNA Security - Chapter 5
 
ITE - Chapter 2
ITE - Chapter 2ITE - Chapter 2
ITE - Chapter 2
 
CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4
 
ITE - Chapter 7
ITE - Chapter 7ITE - Chapter 7
ITE - Chapter 7
 
CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1
 
CCNA Discovery 1 - Chapter 4
CCNA Discovery 1 - Chapter 4CCNA Discovery 1 - Chapter 4
CCNA Discovery 1 - Chapter 4
 
CCNA Exploration 4 - Chapter 6
CCNA Exploration 4 - Chapter 6CCNA Exploration 4 - Chapter 6
CCNA Exploration 4 - Chapter 6
 
CCNA Exploration 2 - Chapter 11
CCNA Exploration 2 - Chapter 11CCNA Exploration 2 - Chapter 11
CCNA Exploration 2 - Chapter 11
 
CCNA Discovery 3 - Chapter 3
CCNA Discovery 3 - Chapter 3CCNA Discovery 3 - Chapter 3
CCNA Discovery 3 - Chapter 3
 
CCNA Discovery 3 - Chapter 2
CCNA Discovery 3 - Chapter 2CCNA Discovery 3 - Chapter 2
CCNA Discovery 3 - Chapter 2
 
CCNA Discovery 3 - Chapter 1
CCNA Discovery 3 - Chapter 1CCNA Discovery 3 - Chapter 1
CCNA Discovery 3 - Chapter 1
 

Similar to CCNA Security 06- AAA

CCNA_Security_03.ppt
CCNA_Security_03.pptCCNA_Security_03.ppt
CCNA_Security_03.pptveracru1
 
CCNA_Security_02.ppt
CCNA_Security_02.pptCCNA_Security_02.ppt
CCNA_Security_02.pptveracru1
 
Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2Mohamed Loey
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideHarris Andrea
 
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docxCopyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docxbobbywlane695641
 
010 sa302 aaa+ldap
010 sa302 aaa+ldap010 sa302 aaa+ldap
010 sa302 aaa+ldapBabaa Naya
 
010 sa302 aaa+ldap
010 sa302 aaa+ldap010 sa302 aaa+ldap
010 sa302 aaa+ldapBabaa Naya
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp ukJohnsmith5188
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server SecurityBrian Pontarelli
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data planeNetProtocol Xpert
 
Oracle security 08-oracle network security
Oracle security 08-oracle network securityOracle security 08-oracle network security
Oracle security 08-oracle network securityZhaoyang Wang
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1milkux
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesFelipe Prado
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 

Similar to CCNA Security 06- AAA (20)

CCNA_Security_03.ppt
CCNA_Security_03.pptCCNA_Security_03.ppt
CCNA_Security_03.ppt
 
CCNA_Security_02.ppt
CCNA_Security_02.pptCCNA_Security_02.ppt
CCNA_Security_02.ppt
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
 
Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2
 
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening GuideCisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
 
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docxCopyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
 
CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8
 
010 sa302 aaa+ldap
010 sa302 aaa+ldap010 sa302 aaa+ldap
010 sa302 aaa+ldap
 
010 sa302 aaa+ldap
010 sa302 aaa+ldap010 sa302 aaa+ldap
010 sa302 aaa+ldap
 
Network topology by essay corp uk
Network topology by essay corp ukNetwork topology by essay corp uk
Network topology by essay corp uk
 
Application and Server Security
Application and Server SecurityApplication and Server Security
Application and Server Security
 
Ccnas v11 ch02_eb
Ccnas v11 ch02_ebCcnas v11 ch02_eb
Ccnas v11 ch02_eb
 
Basics to Configure NW Device
Basics to Configure NW DeviceBasics to Configure NW Device
Basics to Configure NW Device
 
Securing management, control & data plane
Securing management, control & data planeSecuring management, control & data plane
Securing management, control & data plane
 
Oracle security 08-oracle network security
Oracle security 08-oracle network securityOracle security 08-oracle network security
Oracle security 08-oracle network security
 
Student packet tracer manual v1.1
Student packet tracer manual v1.1Student packet tracer manual v1.1
Student packet tracer manual v1.1
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
Chapter4ccna
Chapter4ccnaChapter4ccna
Chapter4ccna
 
CCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptxCCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptx
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 

Recently uploaded

Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceSamikshaHamane
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxMaryGraceBautista27
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersSabitha Banu
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxnelietumpap1
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPCeline George
 

Recently uploaded (20)

Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in PharmacovigilanceRoles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptxScience 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginnersDATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptxQ4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERPWhat is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
 

CCNA Security 06- AAA

  • 1. 05- AAA Ahmed Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH © 2009 Cisco Learning Institute. 1
  • 2. AAA Access Security Authentication Who are you? Accounting What did you spend it on? Authorization which resources the user is allowed to access and which operations the user is allowed to perform? © 2009 Cisco Learning Institute. 2
  • 3. Authentication – Password-Only User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Password-Only Method Internet • Uses a login and password combination on access lines • Easiest to implement, but most unsecure method • Vulnerable to brute-force attacks • Provides no accountability © 2009 Cisco Learning Institute. 3
  • 4. Authentication – Local Database • Creates individual user account/password on each device • Provides accountability • User accounts must be configured locally on each device R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local Internet User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid Local Database Method © 2009 Cisco Learning Institute. 4
  • 5. Local Vs. Remote Access R1 Local Access LAN 1 Internet Administrator Console Port LAN 2 Remote Access R1 Internet Firewall R2 LAN 3 Management LAN Administration Host Logging Host Requires a direct connection to a console port using a computer running terminal emulation software Uses Telnet, SSH or HTTP connections to the router from a computer © 2009 Cisco Learning Institute. 5
  • 6. Password Security To increase the security of passwords, use additional configuration parameters: - Minimum password lengths should be enforced - Unattended connections should be disabled - All passwords in the configuration file should be encrypted R1(config)# service password-encryption R1(config)# exit R1# show running-config line con 0 exec-timeout 3 30 password 7 094F471A1A0A login line aux 0 exec-timeout 3 30 password 7 094F471A1A0A login © 2009 Cisco Learning Institute. 6
  • 7. Passwords An acceptable password length is 10 or more characters Complex passwords include a mix of upper and lowercase letters, numbers, symbols and spaces Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information Deliberately misspell a password (Security = 5ecur1ty) Change passwords often Do not write passwords down and leave them in obvious places © 2009 Cisco Learning Institute. 7
  • 8. Access Port Passwords Command to restrict access to privileged EXEC mode Commands to establish a login password on incoming Telnet sessions R1 R1(config)# enable secret cisco Commands to establish a login password for dial-up modem connections R1(config)# line aux 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Commands to establish a login password on the console line © 2009 Cisco Learning Institute. 8
  • 9. Creating Users username name secret {[0]password|5encrypted-secret} Parameter Description name This parameter specifies the username. 0 (Optional) This option indicates that the plaintext password is to be hashed by the router using MD5. password This parameter is the plaintext password to be hashed using MD5. 5 This parameter indicates that the encrypted-secret password was hashed using MD5. encrypted-secret This parameter is the MD5 encrypted-secret password that is stored as the encrypted user password. © 2009 Cisco Learning Institute. 9
  • 10. Enhanced Login Features The following commands are available to configure a Cisco IOS device to support the enhanced login features: © 2009 Cisco Learning Institute. 10
  • 11. login block-for Command All login enhancement features are disabled by default. The login block-for command enables configuration of the login enhancement features. - The login block-for feature monitors login device activity and operates in two modes: o Normal-Mode (Watch-Mode) —The router keeps count of the number of failed login attempts within an identified amount of time. o Quiet-Mode (Quiet Period) — If the number of failed logins exceeds the configured threshold, all login attempts made using Telnet, SSH, and HTTP are denied. © 2009 Cisco Learning Institute. 11
  • 12. System Logging Messages • To generate log messages for successful/failed logins: - login on-failure log - login on-success log • To generate a message when failure rate is exceeded: - security authentication failure rate threshold-rate log • To verify that the login block-for command is configured and which mode the router is currently in: - show login • To display more information regarding the failed attempts: - show login failures © 2009 Cisco Learning Institute. 12
  • 13. Self-Contained AAA Authentication AAA Remote Client Router 1 2 3 Self-Contained AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database. • Used for small networks • Stores usernames and passwords locally in the Cisco router © 2009 Cisco Learning Institute. 13
  • 14. Server-Based AAA Authentication • Uses an external database server - Cisco Secure Access Control Server (ACS) for Windows Server - Cisco Secure ACS Solution Engine - Cisco Secure ACS Express • More appropriate if there are multiple routers AAA Router (AAA Client) ) Remote Client 1 2 4 3 Server-Based AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server. Cisco Secure ACS Server © 2009 Cisco Learning Institute. 14
  • 15. AAA Authorization • Typically implemented using an AAA server-based solution • Uses a set of attributes that describes user access to the network 1. When a user has been authenticated, a session is established with an AAA server. 2. The router requests authorization for the requested service from the AAA server. 3. The AAA server returns a PASS/FAIL for authorization. © 2009 Cisco Learning Institute. 15
  • 16. AAA Accounting • Implemented using an AAA server-based solution • Keeps a detailed log of what an authenticated user does on a device 1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process. © 2009 Cisco Learning Institute. 16
  • 17. Local AAA Authentication Commands R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local R1(config)# aaa local authentication attempts max-fail 10 To authenticate administrator access (character mode access) 1.Add usernames and passwords to the local router database 2.Enable AAA globally 3.Configure AAA parameters on the router 4.Confirm and troubleshoot the AAA configuration © 2009 Cisco Learning Institute. 17
  • 18. Sample Configuration R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local enable R1(config)# aaa authentication login TELNET-LOGIN local R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN © 2009 Cisco Learning Institute. 18
  • 19. The debug aaa Command R1# debug aaa ? accounting Accounting administrative Administrative api AAA api events attr AAA Attr Manager authentication Authentication authorization Authorization cache Cache activities coa AAA CoA processing db AAA DB Manager dead-criteria AAA Dead-Criteria Info id AAA Unique Id ipc AAA IPC mlist-ref-count Method list reference counts mlist-state Information about AAA method list state change and notification per-user Per-user attributes pod AAA POD processing protocol AAA protocol processing server-ref-count Server handle reference counts sg-ref-count Server group handle reference counts sg-server-selection Server Group Server Selection subsys AAA Subsystem testing Info. about AAA generated test packets R1# debug aaa © 2009 Cisco Learning Institute. 19
  • 20. Sample Output R1# debug aaa authentication 113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)') 113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal') 113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS © 2009 Cisco Learning Institute. 20
  • 21. Local Vs. Server-Based Authentication Local Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password authenticating the user using a local database. Perimeter Router Remote User Cisco Secure ACS for Windows Server 1 2 3 4 Server-Based Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. © 2009 Cisco Learning Institute. 21
  • 22. Overview of TACACS+ and RADIUS TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers. Perimeter Router Remote User Cisco Secure ACS for Windows Server Cisco Secure ACS Express © 2009 Cisco Learning Institute. 22
  • 23. TACACS+/RADIUS Comparison TACACS+ RADIUS Functionality Separates authentication and authorization . Combines authentication and authorization . Standard Mostly Cisco supported Open/RFC standard Transport Protocol TCP UDP Confidentiality Entire packet encrypted Password encrypted © 2009 Cisco Learning Institute. 23
  • 24. TACACS+ Authentication Process Connect Username prompt? Username? Use “Username” JR-ADMIN JR-ADMIN Password? “Str0ngPa55w0rd” • Provides separate AAA services • Utilizes TCP port 49 Password prompt? Use “Password” “Str0ngPa55w0rd” Accept/Reject © 2009 Cisco Learning Institute. 24
  • 25. RADIUS Authentication Process Username? JR-ADMIN Password? Str0ngPa55w0rd Access-Request (JR_ADMIN, “Str0ngPa55w0rd”) Access-Accept • Works in both local and roaming situations • Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting © 2009 Cisco Learning Institute. 25
  • 26. Installation Options Cisco Secure ACS for Windows can be installed on: - Windows 2000 Server with Service Pack 4 - Windows 2000 Advanced Server with Service Pack 4 - Windows Server 2003 Standard Edition - Windows Server 2003 Enterprise Edition Cisco Secure ACS Solution Engine - A highly scalable dedicated platform that serves as a high-performance ACS - 1RU, rack-mountable - Preinstalled with a security-hardened Windows software, Cisco Secure ACS software - Support for more than 350 users Cisco Secure ACS Express 5.0 - Entry-level ACS with simplified feature set - Support for up to 50 AAA device and up to 350 unique user ID logins in a 24-hour period © 2009 Cisco Learning Institute. 26
  • 27. Deploying ACS LAB © 2009 Cisco Learning Institute. 27