S6C12 - AAA
AAA Facts
AAA Defined
• Authentication, Authorization, and Accounting
• Central management of AAA
– Information kept in a single, centralized, secure database
– Easier to administer
– Permits access control from a central database
• Access server and network access server (NAS) both refer to a router connected to the "edge" of a network
– This router allows outside users to access the network
Authentication
• Authentication asks the question, "Who are you?"
– Determines who the user is
– Determines whether the user should be allowed access
– Bars intruders from networks
– May use a simple database of users and passwords
– Can use one-time passwords
Why Use AAA for Authentication?
• AAA provides scalability
• Supports standardized security protocols: Terminal Access Controller Access Control System Plus (TACACS+), Remote Authentication Dial-In User Service (RADIUS), and Kerberos
• Allows you to configure multiple backup systems
– For example, an access server can be configured to consult a security server first and the local database second
Authorization
• Asks the question, "What privileges do you have?"
• Determines what the user is allowed to do
• Network managers can limit which network services are available to each user
• Limits the commands a new network administrator may issue on corporate NASs or routers
Accounting
• Asks the question, "What did you do, and when did you do it?"
• Tracks what the user did and when they did it
• Can be used as audit trail
• Can be used for billing connection time or resources used
TACACS+
• Protocol
– Designed to carry AAA information between the NAS and a central server
– Uses TCP (port 49) for reliable connections between client and server
– The NAS sends authentication and authorization requests and accounting records to the TACACS+ server
– Shifts logic and policy to the server's database and software, moving it out of Cisco IOS
– Obfuscates the entire packet body with the shared key (an MD5-based keystream, not modern encryption), so usernames, passwords and issued commands are not readable on the wire; only the header is sent in the clear
• Provides centralized validation of users attempting to gain access to a router or network access server
RADIUS
• Developed by Livingston Enterprises, Inc.
– Secures remote access to networks and network services against unauthorized access
• Protocol with a defined frame format; uses UDP/IP (ports 1812/1813; legacy deployments used 1645/1646)
• A server
– Authenticates, authorizes, and accounts
– Runs at the customer site
• A client
– Resides in dial-up access servers
– Distributed throughout the network
Kerberos
• A secret-key network authentication protocol used with AAA; the version described here uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication (DES is now deprecated for Kerberos; current implementations use AES)
– Designed to authenticate requests for network resources
– Based on the concept of a trusted third party that performs secure verification of users and services
– A trusted Kerberos server issues tickets to users
• Can be used in place of the standard username and password authentication mechanism
How RADIUS Client/Server Works
• The NAS operates as a client of RADIUS
• The client passes user information to the designated RADIUS server
• The RADIUS server receives the request, authenticates the user, and returns the necessary configuration
• A RADIUS server can act as a proxy client to other kinds of authentication servers
RADIUS and Network Security
• Transactions are authenticated through a shared secret (never sent over the network); the server's reply carries an MD5 Response Authenticator computed over the packet and the secret, which the NAS recomputes before trusting the reply
• User passwords are hidden between client and RADIUS server (MD5-based obfuscation keyed by the shared secret, not strong encryption); only the User-Password attribute is protected, and other attributes such as User-Name travel in cleartext
• Supports a variety of methods to authenticate users: PAP, CHAP, UNIX, et al.
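The TACACS+ slide above says the body is protected by the shared key, and this slide says RADIUS hides only the password and authenticates replies with the secret. The following is an added example (not Cisco, IETF or vendor code) that implements both mechanisms as the RFCs specify them: the TACACS+ pseudo-pad (RFC 8907 section 4.5) and the RADIUS User-Password hiding and Response Authenticator (RFC 2865 sections 3 and 5.2). The key `superman`, the session ID, the Request Authenticator and the TACACS+ body bytes are constructed test values, not captured traffic.

```python
"""
How the shared secret is used on the wire by TACACS+ (RFC 8907 section 4.5) and
RADIUS (RFC 2865 sections 3 and 5.2).  Added example; not Cisco, IETF or vendor
code.  Secrets, authenticators and session IDs below are constructed test values.
"""
import hashlib
import hmac
import struct


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---------- TACACS+: the whole packet body is obfuscated ----------

def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1}); concatenate, truncate to body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = _md5(prefix, prev)
        pad += prev
    return pad[:length]


def tacacs_obfuscate(key: bytes, session_id: int, version: int, seq_no: int, body: bytes) -> bytes:
    """XOR the body with the pad.  The same call de-obfuscates (XOR is its own inverse).
    Only the 12-byte header travels in the clear."""
    return _xor(body, tacacs_pseudo_pad(key, session_id, version, seq_no, len(body)))


# ---------- RADIUS: only User-Password is hidden; the secret also authenticates replies ----------

def radius_hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """Pad to 16-octet blocks; block i is XORed with MD5(secret|previous ciphertext block),
    the first block with MD5(secret|Request Authenticator)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], _md5(secret, prev))
        out += block
        prev = block
    return out


def radius_reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side: regenerate the same MD5 stream from the secret and strip the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, _md5(secret, prev))
        prev = block
    return out.rstrip(b"\x00")


def radius_attrs(username: bytes, hidden_password: bytes) -> bytes:
    """Attribute TLVs of an Access-Request: User-Name (type 1) is cleartext,
    User-Password (type 2) carries the hidden value."""
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden_password)]) + hidden_password)


def radius_response_authenticator(secret: bytes, code: int, ident: int,
                                  request_auth: bytes, attrs: bytes) -> bytes:
    """MD5(Code|Identifier|Length|RequestAuth|Attributes|Secret).  The NAS recomputes this
    on an Access-Accept/Reject, so a reply forged without the secret is rejected."""
    length = 20 + len(attrs)                      # 20-octet header + attributes
    return _md5(struct.pack("!BBH", code, ident, length), request_auth, attrs, secret)


def radius_reply_is_genuine(secret: bytes, code: int, ident: int, request_auth: bytes,
                            attrs: bytes, received_auth: bytes) -> bool:
    expected = radius_response_authenticator(secret, code, ident, request_auth, attrs)
    return hmac.compare_digest(expected, received_auth)


if __name__ == "__main__":
    KEY = b"superman"                             # constructed shared secret
    SESSION, REQ_AUTH = 0x1234ABCD, bytes(range(16))
    body = b"\x01\x00\x02\x01\x05\x00\x00\x05admin"   # constructed, START-like body
    wire = tacacs_obfuscate(KEY, SESSION, 0xC0, 1, body)
    print("TACACS+ body on the wire:", wire.hex(), "| 'admin' visible:", b"admin" in wire)
    hidden = radius_hide_password(KEY, REQ_AUTH, b"cisco")
    attrs = radius_attrs(b"admin", hidden)
    print("RADIUS attrs on the wire:", attrs.hex(), "| 'admin' visible:", b"admin" in attrs)
    print("RADIUS server recovers:", radius_reveal_password(KEY, REQ_AUTH, hidden))
```

Running the script shows the practical difference: the TACACS+ body contains no recognizable username, while the RADIUS attributes show `admin` in the clear and only the 16 password bytes are scrambled. Neither construction is a modern cipher; both depend entirely on the secrecy and strength of the shared key, which is why the key in the configuration slides must be long and unique per device.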
Cisco Secure Access Control Server (ACS)
• Specialized security software that runs on Windows NT/2000 and UNIX
– Simplifies and centralizes control of all user authentication, authorization, and accounting
– Can distribute AAA information to hundreds or even thousands of access points in a network
– Uses either the TACACS+ or the RADIUS protocol to provide this network security and tracking
– Also acts as a central repository for accounting information
Configuring AAA
• Enable AAA
– aaa new-model
• Tell the NAS where to locate the server
– tacacs-server host ip-address
– tacacs-server host ip-address2 (a second server provides redundancy)
• Set the shared encryption key
– tacacs-server key key
• Tell IOS which TACACS+ features to use (next slide)
Configuration Process
• Follow a three-step process for each AAA authentication command:
– Specify the authentication type (login, enable, PPP, etc.)
– Specify the method list as default or give it a name
– List the authentication methods to be tried, in order
• Router(config)# aaa authentication ppp {default | list-name} method1 [method2 ... method4]
Authentication
• Authentication provides the methods of identifying users, including:
– Login and password dialog
– Challenge and response
– Messaging support
• AAA authentication can be configured for all of these:
– Access to privileged EXEC mode (enable mode)
– Access to virtual terminals
– Access to the console
– CHAP and PAP authentication for PPP connections
– NetWare Asynchronous Services Interface (NASI) authentication
– AppleTalk Remote Access Protocol (ARAP) authentication
Authentication Methods
• Using a password already configured on the router, such as the enable password or a line password
• Using the local username/password database
• Consulting a Kerberos server
• Consulting a RADIUS server or group of RADIUS servers
• Consulting a TACACS+ server or group of TACACS+ servers
Sample TACACS+ Features
• aaa authentication login default tacacs+ line none
• aaa authentication login admin_only tacacs+ enable none
• aaa authentication login old_way line none
– You have just created three login method lists named default, admin_only and old_way
– Caveat: a list that ends in none opens the line with no authentication at all whenever every earlier method returns an error (for example, the TACACS+ server is unreachable and no line or enable password is set)
Four Methods
• Enable: use the enable password
• Line: use the line password
• None: use no authentication
• Tacacs+: use TACACS+ authentication
• Error is not the same as failure: an error (for example, the server is unreachable, or no password is configured for the line or enable method) moves on to the next method in the list; a failure (wrong password, explicit reject from the server) stops the list and denies access
• line con 0
– login authentication admin_only
• line aux 0
– login authentication admin_only
• line vty 0 4
– login authentication old_way
• line 1 16
– login authentication default
Sample Code
• aaa authorization network tacacs+ none
• aaa authorization exec tacacs+ if-authenticated
• aaa authorization commands 1 tacacs+ if-authenticated
• aaa authorization commands 15 tacacs+ if-authenticated
– NOTE: if-authenticated succeeds only for a session that has already authenticated, so you can't configure the router until you have authenticated; it is the fallback used when the TACACS+ server cannot be reached
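The "Four Methods" slide and this one both turn on one rule: an error falls through to the next method, a failure does not. The following is an added example (not IOS code) that models an IOS method list as a small interpreter and runs the lists from these slides through the situations that matter: TACACS+ up versus down, a wrong password, a list ending in `none` with nothing else reachable, and `if-authenticated` for authorization. The users, passwords and server states are constructed; the method names are stand-ins for the IOS keywords.

```python
"""
Model of how IOS walks an AAA method list (login authentication or authorization).
Added example; not IOS code.  The rule shown is the one on the slides: a method
that returns ERROR (server unreachable, no password configured) is skipped and the
next method is tried; a method that returns FAIL (wrong password, explicit deny)
ends the list with a denial.  Users, passwords and servers are constructed.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"          # could not decide; NOT the same as FAIL


# A method is called with (username, password, session) and returns a Result.
Method = Callable[[str, str, dict], Result]


def tacacs_plus(server: dict) -> Method:
    """Stand-in for 'group tacacs+'. server = {'reachable': bool, 'users': {name: pw}}."""
    def method(user: str, pw: str, session: dict) -> Result:
        if not server["reachable"]:
            return Result.ERROR                     # timeout -> try the next method
        return Result.PASS if server["users"].get(user) == pw else Result.FAIL
    return method


def local(users: Dict[str, str]) -> Method:
    """'local': the router's username database (ERROR if it is empty)."""
    def method(user: str, pw: str, session: dict) -> Result:
        if not users:
            return Result.ERROR
        return Result.PASS if users.get(user) == pw else Result.FAIL
    return method


def password_method(configured: Optional[str]) -> Method:
    """'line' and 'enable': ERROR when no password is configured, else compare."""
    def method(user: str, pw: str, session: dict) -> Result:
        if configured is None:
            return Result.ERROR
        return Result.PASS if pw == configured else Result.FAIL
    return method


def no_auth(user: str, pw: str, session: dict) -> Result:
    """'none': always PASS, i.e. no authentication at all."""
    return Result.PASS


def if_authenticated(user: str, pw: str, session: dict) -> Result:
    """Authorization method 'if-authenticated': allow only an already authenticated session."""
    return Result.PASS if session.get("authenticated") else Result.FAIL


def run_method_list(methods: List[Tuple[str, Method]], user: str, pw: str,
                    session: Optional[dict] = None) -> Tuple[bool, str]:
    """Walk the list in order; return (allowed, name of the method that decided)."""
    session = session or {}
    for name, method in methods:
        result = method(user, pw, session)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name                      # failure stops the list here
        # ERROR: fall through to the next method
    return False, "all methods returned ERROR"      # IOS denies in this case


# Constructed servers and databases for the scenarios below.
SERVER_UP = {"reachable": True, "users": {"admin": "tacacs-pw"}}
SERVER_DOWN = {"reachable": False, "users": {"admin": "tacacs-pw"}}
LOCAL_DB = {"admin": "local-pw"}


def scenarios() -> Dict[str, Tuple[bool, str]]:
    """Each key names a method list from the slides plus the situation it is run in."""
    return {
        # aaa authentication login default group tacacs+ local: server up, local password offered
        "tacacs up, local pw": run_method_list(
            [("group tacacs+", tacacs_plus(SERVER_UP)), ("local", local(LOCAL_DB))],
            "admin", "local-pw"),
        # same list, server down: ERROR falls through to local
        "tacacs down, local pw": run_method_list(
            [("group tacacs+", tacacs_plus(SERVER_DOWN)), ("local", local(LOCAL_DB))],
            "admin", "local-pw"),
        # aaa authentication login old_way line none: wrong line password
        "old_way wrong pw": run_method_list(
            [("line", password_method("linepw")), ("none", no_auth)], "admin", "bad"),
        # aaa authentication login default tacacs+ line none: server down, no line password set
        "default, nothing reachable": run_method_list(
            [("tacacs+", tacacs_plus(SERVER_DOWN)), ("line", password_method(None)),
             ("none", no_auth)], "anyone", "anything"),
        # aaa authorization commands 15 tacacs+ if-authenticated: server down
        "authz, server down, authenticated": run_method_list(
            [("tacacs+", tacacs_plus(SERVER_DOWN)), ("if-authenticated", if_authenticated)],
            "admin", "", {"authenticated": True}),
        "authz, server down, not authenticated": run_method_list(
            [("tacacs+", tacacs_plus(SERVER_DOWN)), ("if-authenticated", if_authenticated)],
            "admin", "", {"authenticated": False}),
    }


if __name__ == "__main__":
    for name, (allowed, decided_by) in scenarios().items():
        print(f"{name:40s} -> {'ALLOW' if allowed else 'DENY':5s} (decided by {decided_by})")
```

Two results are worth noticing. With the server up, a wrong TACACS+ password is a failure, so the local database is never consulted; `local` is a fallback for an unreachable server, not a second chance. And the slide's `default tacacs+ line none` list admits anyone with any password once the server is down and no line password is set, which is exactly the case the Error-versus-failure slide warns about.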
Eight Authorization Methods
• Auth-proxy (authentication proxy services)
• Commands (per privilege level)
• Configuration commands (disabled with no aaa authorization config-commands)
• EXEC
• Network services
• Reverse-access (reverse Telnet)
• Configuration
• IP Mobile
Configuring AAA Authorization
• Enable AAA using the aaa new-model command.
• Configure AAA authentication. Authorization generally takes place after authentication and relies on authentication to work properly.
• Configure the router as a TACACS+ or RADIUS client, if necessary.
• Configure the local username/password database, if necessary. Using the username command, you can define the rights associated with specific users.
Privilege Levels
• Privilege level 1 = non-privileged (prompt is router>), the default level at login
• Privilege level 15 = privileged (prompt is router#), the level after entering enable mode
• Privilege level 0 = includes five commands: disable, enable, exit, help, and logout
AAA supports six different types of accounting:
• Network
• Exec
• Commands
• Connection
• System
• Resource
Security Example – with and without TACACS+
• Without TACACS+
– aaa new-model
– aaa authentication login default local
– username admin password cisco
• With TACACS+
– aaa new-model
– aaa authentication login default group tacacs+ local
– aaa authentication enable default group tacacs+ enable
– aaa authorization exec default group tacacs+ local
– tacacs-server host 10.1.1.254
– tacacs-server timeout 30
– tacacs-server key superman
– username admin password cisco
– enable password cisco
• Caveat: cisco and superman are placeholder values; on a real router use enable secret and username admin secret, which store hashed credentials, rather than enable password and username ... password, which store them in cleartext or in reversible type 7 form, and choose a long, per-device TACACS+ key