Submit Search
Upload
CCNA Security 06- AAA
•
Download as PPT, PDF
•
17 likes
•
4,527 views
Ahmed Habib
Follow
CCNA Security 640-554 By Eng-Ahmed Sultan
Read less
Read more
Education
Report
Share
Report
Share
1 of 28
Download now
Recommended
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
Ahmed Habib
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
Hoàng Hải Nguyễn
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentals
Ahmed Habib
Chapter 3 overview
Chapter 3 overview
ali raza
CCNA Security - Chapter 3
CCNA Security - Chapter 3
Irsandi Hasan
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
Ahmed Habib
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
Ahmed Habib
CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
Recommended
CCNA Security 05- securing the management plane
CCNA Security 05- securing the management plane
Ahmed Habib
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
Hoàng Hải Nguyễn
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentals
Ahmed Habib
Chapter 3 overview
Chapter 3 overview
ali raza
CCNA Security - Chapter 3
CCNA Security - Chapter 3
Irsandi Hasan
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
Ahmed Habib
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
Ahmed Habib
CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice Exam
Jysmeen
ASA Multiple Context Training
ASA Multiple Context Training
Tariq Bader
CCNA Security - Chapter 4
CCNA Security - Chapter 4
Irsandi Hasan
Chapter 2 overview
Chapter 2 overview
ali raza
Cisco ASA Firewalls
Cisco ASA Firewalls
Bryley Systems Inc.
CCNP Security-VPN
CCNP Security-VPN
mohannadalhanahnah
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
Ahmed Habib
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
IT Tech
Chapter 5 overview
Chapter 5 overview
ali raza
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
Solomon Abavire Kobina,
Ccna security
Ccna security
dkaya
network security
network security
Dayanna Moyano
Chapter 8 overview
Chapter 8 overview
ali raza
Chapter 1 overview
Chapter 1 overview
ali raza
CCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
CCA security answers chapter 2 test
CCA security answers chapter 2 test
Soporte Yottatec
CCNA Security - Chapter 6
CCNA Security - Chapter 6
Irsandi Hasan
Asa sslvpn security
Asa sslvpn security
Jack Melson
Cisco asa cx firwewall
Cisco asa cx firwewall
Anwesh Dixit
CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8
Irsandi Hasan
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7
Irsandi Hasan
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8
Irsandi Hasan
More Related Content
What's hot
Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice Exam
Jysmeen
ASA Multiple Context Training
ASA Multiple Context Training
Tariq Bader
CCNA Security - Chapter 4
CCNA Security - Chapter 4
Irsandi Hasan
Chapter 2 overview
Chapter 2 overview
ali raza
Cisco ASA Firewalls
Cisco ASA Firewalls
Bryley Systems Inc.
CCNP Security-VPN
CCNP Security-VPN
mohannadalhanahnah
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
Ahmed Habib
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
IT Tech
Chapter 5 overview
Chapter 5 overview
ali raza
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
Solomon Abavire Kobina,
Ccna security
Ccna security
dkaya
network security
network security
Dayanna Moyano
Chapter 8 overview
Chapter 8 overview
ali raza
Chapter 1 overview
Chapter 1 overview
ali raza
CCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
CCA security answers chapter 2 test
CCA security answers chapter 2 test
Soporte Yottatec
CCNA Security - Chapter 6
CCNA Security - Chapter 6
Irsandi Hasan
Asa sslvpn security
Asa sslvpn security
Jack Melson
Cisco asa cx firwewall
Cisco asa cx firwewall
Anwesh Dixit
What's hot
(19)
Cisco CCNA Security 210-260 Practice Exam
Cisco CCNA Security 210-260 Practice Exam
ASA Multiple Context Training
ASA Multiple Context Training
CCNA Security - Chapter 4
CCNA Security - Chapter 4
Chapter 2 overview
Chapter 2 overview
Cisco ASA Firewalls
Cisco ASA Firewalls
CCNP Security-VPN
CCNP Security-VPN
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
Chapter 5 overview
Chapter 5 overview
Brkcrt 1160 c3-rev2
Brkcrt 1160 c3-rev2
Ccna security
Ccna security
network security
network security
Chapter 8 overview
Chapter 8 overview
Chapter 1 overview
Chapter 1 overview
CCNP Security-Firewall
CCNP Security-Firewall
CCA security answers chapter 2 test
CCA security answers chapter 2 test
CCNA Security - Chapter 6
CCNA Security - Chapter 6
Asa sslvpn security
Asa sslvpn security
Cisco asa cx firwewall
Cisco asa cx firwewall
Viewers also liked
CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8
Irsandi Hasan
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7
Irsandi Hasan
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8
Irsandi Hasan
VMware vShield - Overview
VMware vShield - Overview
Irsandi Hasan
ITE - Chapter 9
ITE - Chapter 9
Irsandi Hasan
OSPF v3
OSPF v3
Irsandi Hasan
CCNA Security - Chapter 8
CCNA Security - Chapter 8
Irsandi Hasan
CCNA Security - Chapter 7
CCNA Security - Chapter 7
Irsandi Hasan
CCNA Security - Chapter 9
CCNA Security - Chapter 9
Irsandi Hasan
CCNA Security - Chapter 5
CCNA Security - Chapter 5
Irsandi Hasan
ITE - Chapter 2
ITE - Chapter 2
Irsandi Hasan
CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4
Irsandi Hasan
ITE - Chapter 7
ITE - Chapter 7
Irsandi Hasan
CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1
Irsandi Hasan
CCNA Discovery 1 - Chapter 4
CCNA Discovery 1 - Chapter 4
Irsandi Hasan
CCNA Exploration 4 - Chapter 6
CCNA Exploration 4 - Chapter 6
Irsandi Hasan
CCNA Exploration 2 - Chapter 11
CCNA Exploration 2 - Chapter 11
Irsandi Hasan
CCNA Discovery 3 - Chapter 3
CCNA Discovery 3 - Chapter 3
Irsandi Hasan
CCNA Discovery 3 - Chapter 2
CCNA Discovery 3 - Chapter 2
Irsandi Hasan
CCNA Discovery 3 - Chapter 1
CCNA Discovery 3 - Chapter 1
Irsandi Hasan
Viewers also liked
(20)
CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8
VMware vShield - Overview
VMware vShield - Overview
ITE - Chapter 9
ITE - Chapter 9
OSPF v3
OSPF v3
CCNA Security - Chapter 8
CCNA Security - Chapter 8
CCNA Security - Chapter 7
CCNA Security - Chapter 7
CCNA Security - Chapter 9
CCNA Security - Chapter 9
CCNA Security - Chapter 5
CCNA Security - Chapter 5
ITE - Chapter 2
ITE - Chapter 2
CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4
ITE - Chapter 7
ITE - Chapter 7
CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 4
CCNA Discovery 1 - Chapter 4
CCNA Exploration 4 - Chapter 6
CCNA Exploration 4 - Chapter 6
CCNA Exploration 2 - Chapter 11
CCNA Exploration 2 - Chapter 11
CCNA Discovery 3 - Chapter 3
CCNA Discovery 3 - Chapter 3
CCNA Discovery 3 - Chapter 2
CCNA Discovery 3 - Chapter 2
CCNA Discovery 3 - Chapter 1
CCNA Discovery 3 - Chapter 1
Similar to CCNA Security 06- AAA
CCNA_Security_03.ppt
CCNA_Security_03.ppt
veracru1
CCNA_Security_02.ppt
CCNA_Security_02.ppt
veracru1
AAA Implementation
AAA Implementation
Ahmad El Tawil
Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2
Mohamed Loey
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Harris Andrea
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
bobbywlane695641
CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8
Chaing Ravuth
010 sa302 aaa+ldap
010 sa302 aaa+ldap
Babaa Naya
010 sa302 aaa+ldap
010 sa302 aaa+ldap
Babaa Naya
Network topology by essay corp uk
Network topology by essay corp uk
Johnsmith5188
Application and Server Security
Application and Server Security
Brian Pontarelli
Ccnas v11 ch02_eb
Ccnas v11 ch02_eb
Edgar Benavente
Basics to Configure NW Device
Basics to Configure NW Device
Haitham El-Ghareeb
Securing management, control & data plane
Securing management, control & data plane
NetProtocol Xpert
Oracle security 08-oracle network security
Oracle security 08-oracle network security
Zhaoyang Wang
Student packet tracer manual v1.1
Student packet tracer manual v1.1
milkux
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
Felipe Prado
Chapter4ccna
Chapter4ccna
Lakshan Perera
CCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptx
mohamedabdelwahed68
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
BeyondTrust
Similar to CCNA Security 06- AAA
(20)
CCNA_Security_03.ppt
CCNA_Security_03.ppt
CCNA_Security_02.ppt
CCNA_Security_02.ppt
AAA Implementation
AAA Implementation
Computer Security - CCNA Security - Lecture 2
Computer Security - CCNA Security - Lecture 2
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
Copyright © 2016 VIT, All Rights Reserved. VIT and its log.docx
CCNP ROUTE V7 CH8
CCNP ROUTE V7 CH8
010 sa302 aaa+ldap
010 sa302 aaa+ldap
010 sa302 aaa+ldap
010 sa302 aaa+ldap
Network topology by essay corp uk
Network topology by essay corp uk
Application and Server Security
Application and Server Security
Ccnas v11 ch02_eb
Ccnas v11 ch02_eb
Basics to Configure NW Device
Basics to Configure NW Device
Securing management, control & data plane
Securing management, control & data plane
Oracle security 08-oracle network security
Oracle security 08-oracle network security
Student packet tracer manual v1.1
Student packet tracer manual v1.1
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
Chapter4ccna
Chapter4ccna
CCNASv2_InstructorPPT_CH2.pptx
CCNASv2_InstructorPPT_CH2.pptx
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
Recently uploaded
Visit to a blind student's school🧑🦯🧑🦯(community medicine)
Visit to a blind student's school🧑🦯🧑🦯(community medicine)
lakshayb543
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Carlos105
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
SamikshaHamane
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
navabharathschool99
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
JhezDiaz1
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
Dr.Ibrahim Hassaan
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
Postal Advocate Inc.
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
MaryGraceBautista27
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
Celine George
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Mr Bounab Samir
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
Sabitha Banu
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Celine George
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
nelietumpap1
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
Jisc
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
9953056974 Low Rate Call Girls In Saket, Delhi NCR
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
Nguyen Thanh Tu Collection
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
Mark Reed
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
AshokKarra1
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
ChelloAnnAsuncion2
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
Celine George
Recently uploaded
(20)
Visit to a blind student's school🧑🦯🧑🦯(community medicine)
Visit to a blind student's school🧑🦯🧑🦯(community medicine)
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Roles & Responsibilities in Pharmacovigilance
Roles & Responsibilities in Pharmacovigilance
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Science 7 Quarter 4 Module 2: Natural Resources.pptx
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
DATA STRUCTURE AND ALGORITHM for beginners
DATA STRUCTURE AND ALGORITHM for beginners
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Q4 English4 Week3 PPT Melcnmg-based.pptx
Q4 English4 Week3 PPT Melcnmg-based.pptx
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
What is Model Inheritance in Odoo 17 ERP
What is Model Inheritance in Odoo 17 ERP
CCNA Security 06- AAA
1.
05- AAA Ahmed
Sultan CCNA | CCNA Security | CCNP Security | JNCIA-Junos | CEH © 2009 Cisco Learning Institute. 1
2.
AAA Access Security
Authentication Who are you? Accounting What did you spend it on? Authorization which resources the user is allowed to access and which operations the user is allowed to perform? © 2009 Cisco Learning Institute. 2
3.
Authentication – Password-Only
User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Password-Only Method Internet • Uses a login and password combination on access lines • Easiest to implement, but most unsecure method • Vulnerable to brute-force attacks • Provides no accountability © 2009 Cisco Learning Institute. 3
4.
Authentication – Local
Database • Creates individual user account/password on each device • Provides accountability • User accounts must be configured locally on each device R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local Internet User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid Local Database Method © 2009 Cisco Learning Institute. 4
5.
Local Vs. Remote
Access R1 Local Access LAN 1 Internet Administrator Console Port LAN 2 Remote Access R1 Internet Firewall R2 LAN 3 Management LAN Administration Host Logging Host Requires a direct connection to a console port using a computer running terminal emulation software Uses Telnet, SSH or HTTP connections to the router from a computer © 2009 Cisco Learning Institute. 5
6.
Password Security To
increase the security of passwords, use additional configuration parameters: - Minimum password lengths should be enforced - Unattended connections should be disabled - All passwords in the configuration file should be encrypted R1(config)# service password-encryption R1(config)# exit R1# show running-config line con 0 exec-timeout 3 30 password 7 094F471A1A0A login line aux 0 exec-timeout 3 30 password 7 094F471A1A0A login © 2009 Cisco Learning Institute. 6
7.
Passwords An acceptable
password length is 10 or more characters Complex passwords include a mix of upper and lowercase letters, numbers, symbols and spaces Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information Deliberately misspell a password (Security = 5ecur1ty) Change passwords often Do not write passwords down and leave them in obvious places © 2009 Cisco Learning Institute. 7
8.
Access Port Passwords
Command to restrict access to privileged EXEC mode Commands to establish a login password on incoming Telnet sessions R1 R1(config)# enable secret cisco Commands to establish a login password for dial-up modem connections R1(config)# line aux 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Commands to establish a login password on the console line © 2009 Cisco Learning Institute. 8
9.
Creating Users username
name secret {[0]password|5encrypted-secret} Parameter Description name This parameter specifies the username. 0 (Optional) This option indicates that the plaintext password is to be hashed by the router using MD5. password This parameter is the plaintext password to be hashed using MD5. 5 This parameter indicates that the encrypted-secret password was hashed using MD5. encrypted-secret This parameter is the MD5 encrypted-secret password that is stored as the encrypted user password. © 2009 Cisco Learning Institute. 9
10.
Enhanced Login Features
The following commands are available to configure a Cisco IOS device to support the enhanced login features: © 2009 Cisco Learning Institute. 10
11.
login block-for Command
All login enhancement features are disabled by default. The login block-for command enables configuration of the login enhancement features. - The login block-for feature monitors login device activity and operates in two modes: o Normal-Mode (Watch-Mode) —The router keeps count of the number of failed login attempts within an identified amount of time. o Quiet-Mode (Quiet Period) — If the number of failed logins exceeds the configured threshold, all login attempts made using Telnet, SSH, and HTTP are denied. © 2009 Cisco Learning Institute. 11
12.
System Logging Messages
• To generate log messages for successful/failed logins: - login on-failure log - login on-success log • To generate a message when failure rate is exceeded: - security authentication failure rate threshold-rate log • To verify that the login block-for command is configured and which mode the router is currently in: - show login • To display more information regarding the failed attempts: - show login failures © 2009 Cisco Learning Institute. 12
13.
Self-Contained AAA Authentication
AAA Remote Client Router 1 2 3 Self-Contained AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database. • Used for small networks • Stores usernames and passwords locally in the Cisco router © 2009 Cisco Learning Institute. 13
14.
Server-Based AAA Authentication
• Uses an external database server - Cisco Secure Access Control Server (ACS) for Windows Server - Cisco Secure ACS Solution Engine - Cisco Secure ACS Express • More appropriate if there are multiple routers AAA Router (AAA Client) ) Remote Client 1 2 4 3 Server-Based AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server. Cisco Secure ACS Server © 2009 Cisco Learning Institute. 14
15.
AAA Authorization •
Typically implemented using an AAA server-based solution • Uses a set of attributes that describes user access to the network 1. When a user has been authenticated, a session is established with an AAA server. 2. The router requests authorization for the requested service from the AAA server. 3. The AAA server returns a PASS/FAIL for authorization. © 2009 Cisco Learning Institute. 15
16.
AAA Accounting •
Implemented using an AAA server-based solution • Keeps a detailed log of what an authenticated user does on a device 1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process. © 2009 Cisco Learning Institute. 16
17.
Local AAA Authentication
Commands R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local R1(config)# aaa local authentication attempts max-fail 10 To authenticate administrator access (character mode access) 1.Add usernames and passwords to the local router database 2.Enable AAA globally 3.Configure AAA parameters on the router 4.Confirm and troubleshoot the AAA configuration © 2009 Cisco Learning Institute. 17
18.
Sample Configuration R1#
conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local enable R1(config)# aaa authentication login TELNET-LOGIN local R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN © 2009 Cisco Learning Institute. 18
19.
The debug aaa
Command R1# debug aaa ? accounting Accounting administrative Administrative api AAA api events attr AAA Attr Manager authentication Authentication authorization Authorization cache Cache activities coa AAA CoA processing db AAA DB Manager dead-criteria AAA Dead-Criteria Info id AAA Unique Id ipc AAA IPC mlist-ref-count Method list reference counts mlist-state Information about AAA method list state change and notification per-user Per-user attributes pod AAA POD processing protocol AAA protocol processing server-ref-count Server handle reference counts sg-ref-count Server group handle reference counts sg-server-selection Server Group Server Selection subsys AAA Subsystem testing Info. about AAA generated test packets R1# debug aaa © 2009 Cisco Learning Institute. 19
20.
Sample Output R1#
debug aaa authentication 113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)') 113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal') 113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS © 2009 Cisco Learning Institute. 20
21.
Local Vs. Server-Based
Authentication Local Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password authenticating the user using a local database. Perimeter Router Remote User Cisco Secure ACS for Windows Server 1 2 3 4 Server-Based Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. © 2009 Cisco Learning Institute. 21
22.
Overview of TACACS+
and RADIUS TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers. Perimeter Router Remote User Cisco Secure ACS for Windows Server Cisco Secure ACS Express © 2009 Cisco Learning Institute. 22
23.
TACACS+/RADIUS Comparison TACACS+
RADIUS Functionality Separates authentication and authorization . Combines authentication and authorization . Standard Mostly Cisco supported Open/RFC standard Transport Protocol TCP UDP Confidentiality Entire packet encrypted Password encrypted © 2009 Cisco Learning Institute. 23
24.
TACACS+ Authentication Process
Connect Username prompt? Username? Use “Username” JR-ADMIN JR-ADMIN Password? “Str0ngPa55w0rd” • Provides separate AAA services • Utilizes TCP port 49 Password prompt? Use “Password” “Str0ngPa55w0rd” Accept/Reject © 2009 Cisco Learning Institute. 24
25.
RADIUS Authentication Process
Username? JR-ADMIN Password? Str0ngPa55w0rd Access-Request (JR_ADMIN, “Str0ngPa55w0rd”) Access-Accept • Works in both local and roaming situations • Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting © 2009 Cisco Learning Institute. 25
26.
Installation Options Cisco
Secure ACS for Windows can be installed on: - Windows 2000 Server with Service Pack 4 - Windows 2000 Advanced Server with Service Pack 4 - Windows Server 2003 Standard Edition - Windows Server 2003 Enterprise Edition Cisco Secure ACS Solution Engine - A highly scalable dedicated platform that serves as a high-performance ACS - 1RU, rack-mountable - Preinstalled with a security-hardened Windows software, Cisco Secure ACS software - Support for more than 350 users Cisco Secure ACS Express 5.0 - Entry-level ACS with simplified feature set - Support for up to 50 AAA device and up to 350 unique user ID logins in a 24-hour period © 2009 Cisco Learning Institute. 26
27.
Deploying ACS LAB
© 2009 Cisco Learning Institute. 27
Download now