We will discuss the following: Classical Security Methods, AAA, Authentication, Authorization, Accounting, AAA Characteristic, Local Based AAA, Server Based AAA, TACACS+ and RADIUS.
5. CCNA Security
Uses a login and password combination on access lines
Easiest to implement, but most unsecure method
Vulnerable to brute-force attacks
Provides no accountability
R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords
Password-Only Method
6. CCNA Security
Creates individual user account/password on each device
Provides accountability
User accounts must be configured locally on each device
Provides no fallback authentication method
User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid
Local Database Method
R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local
8. CCNA Security
Authentication, authorization, and accounting (AAA) is a
term for a framework for intelligently controlling access to
computer resources, enforcing policies, auditing usage,
and providing the information necessary. These combined
processes are considered important for effective network
management and security.
10. CCNA Security
Authentication: Who are you?
Authorization: Which resources is the user allowed to access, and which operations is the user allowed to perform?
Accounting: What did you spend it on?
12. CCNA Security
Authentication is the process that determines whether a
client (a person, a device, or a software process) is
a legal or valid user of the system.
Cisco provides two common methods of implementing
AAA services:
Local AAA Authentication
Server-Based AAA Authentication
13. CCNA Security
Local AAA uses a local database for authentication. This
method is sometimes known as self-contained
authentication.
14. CCNA Security
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the
local database and the user is authorized to access the network
based on information in the local database.
[Figure: Remote Client connected to the AAA Router; steps 1 to 3 annotated on the link]
15. CCNA Security
The server-based method uses a server database for
authentication. The router accesses a central AAA server,
such as the Cisco Secure Access Control System (ACS).
16. CCNA Security
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a
remote AAA server.
4. The user is authorized to access the network based on information
on the remote AAA Server
[Figure: Remote Client, AAA Router and Cisco Secure ACS Server; steps 1, 2 and 4 between client and router, step 3 between router and ACS Server]
18. CCNA Security
After the user is authenticated, Authorization is the
process that determines which resources the user can
access and which operations the user is allowed to
perform.
19. CCNA Security
1. When a user has been authenticated, a session is
established with an AAA server.
2. The router requests authorization for the requested service
from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.
21. CCNA Security
Accounting is the process of monitoring and recording a
client's use of the network. Accounting records what the
user does, including what is accessed, the amount of time
the resource is accessed, and any changes that were
made. Accounting keeps track of how network resources
are used.
22. CCNA Security
1. When a user has been authenticated, the AAA accounting
process generates a start message to begin the accounting
process.
2. When the user finishes, a stop message is recorded,
ending the accounting process.
25. CCNA Security
Local AAA Authentication should be configured for
smaller networks. Smaller networks are those networks that
have one or two routers that provide access to a limited
number of users.
This method uses the local usernames and passwords
stored on a router.
26. CCNA Security
Configuring local AAA services to authenticate
administrator access requires a few basic steps:
1. Add usernames and passwords to the local router
database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration
28. CCNA Security
The AAA authentication login command in the figure
allows the ADMIN and JR-ADMIN users to log into the
router via the console or vty terminal lines.
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
29. CCNA Security
To enable AAA, the aaa new-model global configuration
command must first be configured.
R1(config)# aaa new-model
30. CCNA Security
The default keyword means that the authentication method
applies to all lines, except those for which a specific line
configuration overrides the default.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
31. CCNA Security
The authentication is case-sensitive, indicated by the
local-case keyword. This means that both the password and
the username are case sensitive.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
33. CCNA Security
Most corporate environments have multiple Cisco routers,
switches, and other infrastructure devices, multiple router
administrators, and hundreds or thousands of users
needing access to the corporate LAN.
Local implementations of AAA are acceptable in very
small networks. However, local authentication does not
scale well.
35. CCNA Security
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS
(server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to
access the router (administrative access) or the network based on
information found in the Cisco Secure ACS database.
[Figure: Remote User, Perimeter Router and Cisco Secure ACS for Windows Server; steps 1 to 4 annotated]
36. CCNA Security
The Cisco Secure Access Control System (ACS) is a
centralized solution that ties together an enterprise’s
network access policy and identity strategy.
Cisco Secure ACS supports both TACACS+ and RADIUS
protocols
37. CCNA Security
TACACS+ and RADIUS are both authentication protocols
that are used to communicate with AAA servers.
While both protocols can be used to communicate
between a router and AAA servers, TACACS+ is
considered the more secure protocol.
38. CCNA Security
Comparison of TACACS+ and RADIUS

Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation.
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
Standard
  TACACS+: Mostly Cisco supported.
  RADIUS: Open/RFC standard.
Transport protocol
  TACACS+: TCP.
  RADIUS: UDP.
Protocol support
  TACACS+: Multiprotocol support.
  RADIUS: No multiprotocol support.
Confidentiality
  TACACS+: Entire packet encrypted.
  RADIUS: Password encrypted only.
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis.
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis.
39. CCNA Security
RADIUS, developed by Livingston Enterprises, is an open
IETF standard AAA protocol for applications such as
network access or IP mobility.
RADIUS is widely used by VoIP service providers.
40. CCNA Security
Works in both local and roaming situations
Uses UDP ports 1645 or 1812 for authentication and UDP ports
1646 or 1813 for accounting
Router to user: Username?
User: JR-ADMIN
Router to user: Password?
User: Str0ngPa55w0rd
Router to RADIUS server: Access-Request (JR-ADMIN, "Str0ngPa55w0rd")
RADIUS server to router: Access-Accept
41. CCNA Security
TACACS+ is a Cisco enhancement to the original TACACS
protocol. TACACS+ is an entirely new protocol that is
incompatible with any previous version of TACACS.
TACACS+ is supported by the Cisco family of routers and
access servers.
42. CCNA Security
Provides separate AAA services
Utilizes TCP port 49
Router to TACACS+ server: Connect
TACACS+ server to router: Username prompt? Use "Username"
Router to user: Username?
User: JR-ADMIN
Router to TACACS+ server: JR-ADMIN
TACACS+ server to router: Password prompt? Use "Password"
Router to user: Password?
User: "Str0ngPa55w0rd"
Router to TACACS+ server: "Str0ngPa55w0rd"
TACACS+ server to router: Accept/Reject
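To show what "entire packet encrypted" means for the exchange above, here is the TACACS+ body obfuscation from RFC 8907 section 4.5 modelled in Python, as an added example that is not from the slides or from Cisco. The 12-byte header (version, type, sequence number, flags, session ID, length) travels in cleartext; every byte of the body, whether it carries the username, the password, a prompt or the accept/reject decision, is XORed with an MD5-derived pseudo-pad keyed by the shared secret. The session ID, key and message bodies are constructed sample values. RFC 8907 itself notes that this obfuscation is not a modern cipher, which is why the link between router and TACACS+ server should be a protected management network.

```python
# Added example: TACACS+ packet header and body obfuscation after RFC 8907 section 4.5.
# Session ID, shared key and bodies are constructed sample values.
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC          # major version 12, minor version 0 -> version byte 0xC0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # flags bit: body sent in cleartext (no key configured)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int,
                 packet_type: int = TAC_PLUS_AUTHEN) -> bytes:
    """Header: version | type | seq_no | flags | session_id (4) | length (4), then the body.
    Client packets use odd sequence numbers, server packets even ones."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    header = struct.pack("!BBBBII", version, packet_type, seq_no, flags, session_id, len(body))
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return header + payload


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Parse the cleartext header and recover the body with the shared key."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}


def slide_exchange(key: bytes, session_id: int) -> list:
    """The router-side messages of the exchange on the slide as (seq_no, on-the-wire packet).
    Real TACACS+ wraps each body in an authentication START/CONTINUE structure; the
    bodies here are reduced to the values that matter for the obfuscation."""
    messages = [(1, b"Connect"), (3, b"JR-ADMIN"), (5, b"Str0ngPa55w0rd")]
    return [(seq, build_packet(body, session_id, key, seq)) for seq, body in messages]


if __name__ == "__main__":
    KEY, SID = b"TACACS-Key", 0x12345678  # constructed sample values
    for seq, pkt in slide_exchange(KEY, SID):
        print(seq, pkt.hex(), parse_packet(pkt, KEY)["body"])
```

Compare with the RADIUS case: here the username is no longer visible on the wire, but the session ID and sequence numbers in the header still are, which is what an observer can learn from TACACS+ traffic even with a good shared key.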
43. CCNA Security
Step 1. Globally enable AAA to allow the use of all AAA elements.
Step 2. Specify the AAA Server (ex. Cisco Secure ACS) that will
provide AAA services for the router.
Step 3. Configure the encryption key needed to encrypt the data
transfer between the network access server (the router) and the AAA server.
Step 4. Configure the AAA authentication method list to refer to the
TACACS+ or RADIUS server.
44. CCNA Security
To enable AAA, the aaa new-model global configuration
command must first be configured.
R1(config)# aaa new-model
45. CCNA Security
To configure a RADIUS server, use the radius server name
command, where name is a locally significant label (Server-R
below). This puts you into RADIUS server configuration mode.
R1(config)# radius server Server-R
46. CCNA Security
RADIUS protocol has reserved ports 1812 for the RADIUS
authentication port and 1813 for the RADIUS accounting
port.
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
47. CCNA Security
To configure the shared secret key for encrypting the password,
use the key command. This key must be configured exactly the
same way on the router and the RADIUS server.
R1(config-radius-server)# key RADIUS-Pa55w0rd
50. CCNA Security
Use MS Word.
Send me an email at mloey@live.com with the subject "AAA".
Put your name in Arabic, with your department and section, in the Word file and in the email body.
Finally, press Send.
Deadline: next lecture.