Chapter 4 - AAA

CCNA Advance Chapter 4 Authentication, Authorization, and Accounting - AAA


Transcript of Chapter 4 - AAA

  • CCNA Advance

    Chapter 4: Authentication, Authorization, and Accounting - AAA

  • AAA Overview

  • 3 Introduction to AAA

    Authentication: Who are you? "I am user student and my password validateme proves it."

    Authorization: What can you do? What can you access? User student can access host serverXYZ using Telnet. Assign an IP address and ACL to user student connecting through VPN. When user student starts an EXEC session, assign privilege level 10.

    Accounting: What did you do? How long and how often did you do it? User student accessed host serverXYZ using Telnet for 15 minutes. User student was connected to VPN for 25 minutes. The EXEC session of user student lasted 20 minutes and only show commands were executed.

  • 4 Implementing AAA

    Administrative access: Console, Telnet, and AUX access

    Remote user network access: Dialup or VPN access

  • AAA Protocols

  • 6 AAA Protocols: RADIUS and TACACS+

  • 7 TACACS+

    A Cisco-proprietary protocol, TACACS+ is not compatible with TACACS or extended TACACS. TACACS+ uses TCP (port 49) to communicate between a TACACS+ server and a TACACS+ client. Unlike RADIUS, TACACS+ separates the functions of authentication, authorization, and accounting. Use TACACS+ to take advantage of all of the features supported by AAA. You can use the following router command to test whether your TACACS+ server is reachable on its service port: telnet (TACACS_SERVER_IP_ADDRESS):49

  • 8 TACACS+ Authentication

    The example shows how the TACACS+ exchange starts before the user is prompted for a username and password. The prompt text can be supplied by the TACACS+ server.

  • 9 TACACS+ Network Authorization

    The example shows the process of network authorization, which starts after successful authentication.

  • 10

    TACACS+ Command Authorization

    The example illustrates the command authorization process, which is started again for every single command that requires authorization (based on the command's privilege level).

  • 11

    RADIUS

    The RADIUS protocol was developed by Livingston Enterprises as an authentication and accounting protocol for use with access servers. RADIUS is specified in RFCs 2865, 2866, and 2868. Even though TACACS+ offers more flexible AAA configurations, RADIUS is a popular AAA solution. RADIUS is an open standard and typically uses fewer CPU cycles. RADIUS is less memory intensive than the proprietary TACACS+. Currently, RADIUS is the only security protocol supported by emerging wireless authentication protocols.

  • 12

    RADIUS Authentication and Authorization

    The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password. The ACS can reply with an Access-Accept message, or with Access-Reject if authentication is not successful.
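The Access-Request / Access-Accept exchange of slides 11 and 12, as an added Python example (not from the course slides): the NAS hides the User-Password with the RFC 2865 MD5 chain, the server unhides and checks it, and the NAS verifies the Response Authenticator so a reply from anyone without the shared secret is rejected. The shared secret, the user table and the in-process server_respond call standing in for the UDP round trip are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed shared secret and user table for this demo; not from the slides.
SECRET = b"demo-shared-secret"
USERS = {"student": "validateme"}  # the slides' sample user/password pair
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

def password_chain(data, secret, req_auth, hide):
    """RFC 2865 s5.2 User-Password hiding (hide=True) or its inverse: XOR each
    16-byte block with MD5(secret + previous ciphertext block), seeded with RA."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        res = bytes(x ^ b for x, b in zip(blk, hashlib.md5(secret + prev).digest()))
        out, prev = out + res, (res if hide else blk)
    return out

def build_packet(code, ident, authenticator, attrs):
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def server_respond(request, secret):
    """Server (ACS) side: unhide the password, reply Access-Accept or Access-Reject."""
    ident, req_auth, attrs, i = request[1], request[4:20], {}, 20
    while i < len(request):  # walk the type/length/value attributes
        attrs[request[i]] = request[i + 2:i + request[i + 1]]
        i += request[i + 1]
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    pw = password_chain(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth, False)
    ok = user in USERS and hmac.compare_digest(USERS[user].encode(), pw.rstrip(b"\x00"))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def nas_authenticate(user, password, secret, ident=7):
    """NAS side: send Access-Request once it holds the credentials, check the reply."""
    req_auth = os.urandom(16)  # Request Authenticator: fresh random value per request
    padded = password.encode() + b"\x00" * (-len(password.encode()) % 16)
    request = build_packet(ACCESS_REQUEST, ident, req_auth, [
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, password_chain(padded, secret, req_auth, True))])
    reply = server_respond(request, secret)  # in practice a UDP/1812 round trip
    # A reply with a bad identifier or Response Authenticator (spoofed/corrupted) is a failure.
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return (reply[1] == ident and hmac.compare_digest(reply[4:20], expected)
            and reply[0] == ACCESS_ACCEPT)
```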

  • 13

    CiscoSecure Access Control Server

    The CiscoSecure Access Control Server (ACS) is specialized security software that runs on Windows 2000. The software simplifies and centralizes access control and accounting for dialup access servers, virtual private networks (VPNs) and firewalls, voice-over-IP (VoIP) solutions, broadband access, content networks, and wireless networks.

  • 14

    CiscoSecure Access Control Server

    Cisco ACS uses a web-based graphical interface and can distribute the AAA information to hundreds or even thousands of access points in a network.

    The CiscoSecure ACS software uses either the TACACS+ or the RADIUS protocol to provide network security and tracking.

  • Configuring AAA

  • 16

    Configuring the AAA Server

    TACACS+

    RADIUS

  • 17

    AAA Authentication Commands

  • 18

    Verifying AAA Login Authentication Commands

  • 19

    Troubleshoot AAA Login Authentication on Cisco Routers

  • 20

    AAA Authorization Commands

    Example:

  • 21

    Authorization Example

  • 22

    Troubleshooting Authorization

  • 23

    Setting Multiple Privilege Levels

    There are three privilege levels on the router by default:

    - Level 0 is predefined for user-level access privileges: disable, enable, exit, help, logout
    - Level 1: non-privileged (prompt is router>), the default level for login
    - Level 15 is predefined for enable mode (enable command)

    Levels 2 to 14 may be customized for user-level privileges.

  • 24

    Setting Multiple Privilege Levels

    Once privilege levels have been defined, the aaa authorization command can be used to give access to commands by privilege level. A user who logs in with level 7 privileges can ping and do snmp-server configuration in configuration mode. Other configuration commands are not available. The security server or the local username/password database can determine a user's privilege level.

  • 25

    AAA Accounting Commands

  • 26

    AAA Accounting Example

  • 27

    AAA Accounting Example (Cont.)

  • 28

    Troubleshooting Accounting

  • 29

    Summary

    Authentication, authorization, and accounting are used to effectively control network access. The router access modes for AAA are character and packet. The most popular AAA protocols are TACACS+ and RADIUS. AAA can be configured on the router using the CLI or SDM. SDM simplifies the AAA configuration process. One of the troubleshooting tools for login authentication is the debug aaa authentication command. The aaa authorization exec command is used for character mode, while the aaa authorization network command is used for packet mode access authorization. The aaa accounting command provides numerous options for accounting purposes.

  • Questions?

    Thank you!
