CHAPTER 3 - AAA
(notes dated 8/2/2019)

    3. AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING

    3.1 AAA OVERVIEW

To help provide accountability, local database authentication may be implemented using one of the following commands:

- username username password password
- username username secret password

The username secret form is highly recommended because the password is stored as a salted MD5 hash (a "type 5" secret) rather than as plaintext or as the reversible Type 7 obfuscation that service password-encryption applies to password entries. (Newer IOS releases also accept algorithm-type sha256 or algorithm-type scrypt to store a type 8 or type 9 hash, which is preferable to MD5.) The local database method has limitations: the user accounts must be configured locally on each device, so there is no central place to add, remove, or audit them.

AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting). It provides a higher degree of scalability than the con, aux, vty and privileged EXEC authentication commands alone.

Vocabulary: accountability (Spanish: responsabilidad)

    Network and administrative AAA security in the Cisco environment has several functional

    components:

Vocabulary: environment (Spanish: entorno); challenge (desafío)

Authentication - Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. For example: "I am user 'student'. I know the password to prove that I am user 'student'."

    Authorization - After the user is authenticated, authorization services determine which resources

    the user can access and which operations the user is allowed to perform. An example is "User

    'student' can access host serverXYZ using Telnet only."

Vocabulary: allow (Spanish: permitir); perform (realizar)

    Accounting and auditing - Accounting records what the user does, including what is accessed, the

    amount of time the resource is accessed, and any changes that were made. Accounting keeps

    track of how network resources are used. An example is "User 'student' accessed host serverXYZ

    using Telnet for 15 minutes."

Vocabulary: accounting (Spanish: contabilización); auditing (auditoría)

    3.1.2 AAA CHARACTERISTICS

    AAA AUTHENTICATION

    AAA can be used to authenticate users for administrative access or it can be used to authenticate

    users for remote network access. These two access methods use different modes to request AAA

    services:


    Character mode - A user sends a request to establish an EXEC mode process with the router for

    administrative purposes.

    Packet mode - A user sends a request to establish a connection through the router with a device

    on the network.

    Cisco provides two common methods of implementing AAA services.

    Local AAA Authentication

    Local AAA uses a local database for authentication. This method stores usernames and passwords

    locally in the Cisco router, and users authenticate against the local database. This database is the

    same one required for establishing role-based CLI. Local AAA is ideal for small networks.

Server-Based AAA Authentication

The server-based method uses an external database server resource that leverages the RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.

Vocabulary: leverages (Spanish: aprovecha); prompts (pedirá, aviso)

AAA AUTHORIZATION

After users are successfully authenticated against the selected AAA data source (local or server-based), they are then authorized for specific network resources. Authorization is basically what a user can and cannot do on the network after that user is authenticated, similar to how privilege levels and role-based CLI give users specific rights and privileges to certain commands on the router.

AAA ACCOUNTING

    Accounting collects and reports usage data so that it can be employed for purposes such as

    auditing or billing. The collected data might include the start and stop connection times, executed

    commands, number of packets, and number of bytes.


Accounting is implemented using an AAA server-based solution. This service reports usage statistics back to the ACS server. These statistics can be extracted to create detailed reports about how the network is used and which configuration changes were made.

Vocabulary: billing (Spanish: facturación)

    AAA ACCOUNTING FUNCTION

Vocabulary: outbound (Spanish: de salida); reboots (se reinicia)

    3.2.1 CONFIGURING LOCAL AAA AUTHENTICATION WITH CLI

Local AAA authentication, also referred to as self-contained authentication, should be configured for smaller networks: networks with one or two routers that provide access to a limited number of users. This method uses the local usernames and passwords stored on the router. Configuring local AAA services to authenticate administrator access (character mode access) requires a few basic steps:

- Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
- Step 2. Enable AAA globally on the router.
- Step 3. Configure AAA parameters on the router.
- Step 4. Confirm and troubleshoot the AAA configuration.

Vocabulary: troubleshoot (Spanish: solucionar problemas)

    To enable AAA, use the aaa new-model global configuration command. To disable AAA, use the no

    form of this command.

After AAA is enabled, to configure authentication on vty ports, asynchronous lines (tty), the auxiliary port, or the console port, define a named list of authentication methods and then apply that list to the various lines. To define a named list of authentication methods, use the aaa authentication login command. This command requires a list name and the authentication methods. The list name identifies the list of authentication methods activated when a user logs in.

    The method list is a sequential list describing the authentication methods to be queried for

    authenticating a user. Method lists enable an administrator to designate one or more security

    protocols for authentication. Using more than one protocol provides a backup system for

    authentication in case the initial method fails.

The difference between the local and local-case methods is that local accepts a username regardless of case, and local-case is case-sensitive. To specify that a user can authenticate using the enable password, use the enable keyword. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method. Two points matter when ordering methods: IOS moves on to the next method only when the current one returns an error (for example, the local database cannot be consulted or no server answers), not when it returns a failure such as a wrong password; and a trailing none admits anyone once the earlier methods error out, so it belongs only on a lab device or a physically protected console, never on the vty lines of a production router.

Vocabulary: case-sensitive (Spanish: distingue mayúsculas y minúsculas)

aaa authentication login TELNET-ACCESS local enable

Vocabulary: regardless (Spanish: independientemente); succeeds (tiene éxito); even (incluso)


Additional security can be implemented on the line using the aaa local authentication attempts max-fail number-of-unsuccessful-attempts command in global configuration mode. This command secures AAA user accounts by locking out accounts that have excessive failed attempts.

To display a list of all locked-out users, use the show aaa local user lockout command in privileged EXEC mode. Use the clear aaa local user lockout {username username | all} command in privileged EXEC mode to unlock a specific user or to unlock all locked users.

The aaa local authentication attempts max-fail command differs from the login delay command in how it handles failed attempts. The aaa local authentication attempts max-fail command locks the user account once the configured number of consecutive authentication failures is reached. This account stays locked until it is cleared by an administrator, so keep at least one out-of-band way in (for example, the console) to avoid a self-inflicted denial of service. The login delay command introduces a delay between failed login attempts without locking the account.


AAA can be enabled using CCP. To verify the AAA configuration and to enable or disable AAA, choose Configure > Router > AAA > AAA Summary.

The option also exists to configure a default list name. When AAA is first enabled, the default method list named "default" is automatically applied to all interfaces and lines, but it has no authentication methods explicitly defined. In practice, lines with no other list applied then authenticate against the local username database, so enable aaa new-model only after at least one local account exists (and keep the console session open until a fresh login has been verified), or the vty lines become unreachable. To assign one or more authentication methods to the default list, use the command aaa authentication login default method1 [method2...]. For example, the enable method could be configured after local as a fallback in case the local database cannot be used.
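The full CLI for the local-authentication procedure above (steps 1 to 4, the method lists, and the lockout commands), as an added example that is not configuration from the original notes. The hostname R1, the account ADMIN01, the passwords, and the list name TELNET-ACCESS are assumed values; the commands themselves are standard Cisco IOS.

```cisco
! Added example, not from the original notes. R1, ADMIN01, the passwords and
! the list name TELNET-ACCESS are assumed; replace them with your own values.
hostname R1
!
! Step 1 - local accounts. Create them BEFORE 'aaa new-model': once AAA is on,
! the vty lines authenticate against this database by default, and an empty
! database locks you out of remote access.
username ADMIN01 privilege 15 secret StrongPassw0rd!
! 'secret' stores a salted MD5 (type 5) hash. On IOS 15.3(3)M and later, prefer
! the scrypt (type 9) hash instead:
!   username ADMIN01 privilege 15 algorithm-type scrypt secret StrongPassw0rd!
enable secret EnableSecr3t!
!
! Step 2 - enable AAA globally.
aaa new-model
!
! Step 3 - method lists. The default list (console and any line without an
! explicit list) uses the case-sensitive local database. The named list for
! the vty lines tries the local database first and the enable secret second.
! The second method is consulted only if the first returns an ERROR (for
! example, no local accounts exist), never on a FAIL (wrong password).
aaa authentication login default local-case
aaa authentication login TELNET-ACCESS local-case enable
!
! Brute-force controls: lock a local account after 3 consecutive failures
! (an administrator must clear it) and add a 2-second delay between attempts.
aaa local authentication attempts max-fail 3
login delay 2
!
! Apply the lists to the lines. SSH only on the vty lines.
line console 0
 login authentication default
line vty 0 4
 login authentication TELNET-ACCESS
 transport input ssh
!
! Step 4 - verify and troubleshoot, from privileged EXEC (not config mode):
!   show aaa local user lockout
!   clear aaa local user lockout username ADMIN01
!   debug aaa authentication
```

The ordering matters: the username line precedes aaa new-model so that there is never a moment when AAA is on and the database is empty, and the lockout threshold is kept small because a locked account can only be released by an administrator with another way in.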

The first task when using CCP to configure AAA services for local authentication is to create users:

- Step 1. Choose Configure > Router > Router Access > User Accounts/View.
- Step 2. Click Add to add a new user.
- Step 3. In the Add an Account window, enter the username and password in the appropriate fields to define the user account.
- Step 4. From the Privilege Level drop-down list, choose 15, unless lesser privilege levels have been defined.
- Step 5. If views have been defined, check the Associate a View with the user check box and choose a view from the View Name list to associate with the user.
- Step 6. Click OK.

The CLI command that CCP generates is username AAAadmin privilege 15 secret 5 $1$f16u$uKOO6J/UnojZ0bCEzgnQi1 view root.

To configure the authentication method list with CCP:

- Step 1. Choose Configure > Router > AAA > Authentication Policies > Login. Any defined method lists will be displayed.
- Step 2. To view the options for a method list, select the list name and click Edit.
- Step 3. From the Edit a Method List for Authentication Login window, click Add.
- Step 4. From the Select Method List(s) for Authentication Login window, choose local from the method list if it is not already selected.
- Step 5. Click OK.

3.3.1 SERVER-BASED AAA CHARACTERISTICS

Local implementations of AAA do not scale well. Most corporate environments have multiple Cisco routers with multiple router administrators and hundreds or thousands of users needing access to the corporate LAN. Maintaining a local database on each Cisco router for a network of this size is not feasible.

To solve this challenge, one or more AAA servers, such as Cisco Secure ACS, can be used to manage the user and administrative access needs for an entire corporate network.


The Cisco Secure ACS family of products supports both the Terminal Access Controller Access-Control System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS) protocols, which are the two predominant protocols used by Cisco security appliances, routers, and switches for implementing AAA. While both protocols can be used to communicate between client and AAA servers, TACACS+ is considered the more secure protocol. This is because the entire body of every TACACS+ packet is encrypted; RADIUS only hides the user password. It does not protect user names, accounting information, or any other information carried in the RADIUS message. In both cases the protection is derived from a static shared secret combined with MD5, not from a modern cipher, so the AAA traffic should still be confined to a management network or carried inside IPsec.

Whether TACACS+ or RADIUS is selected depends on the needs of the organization. For example, a large ISP might select RADIUS because it supports the detailed accounting required for billing users. An organization with various user groups might select TACACS+ because it requires distinct authorization policies to be applied on a per-user or per-group basis.

It is important to understand the many differences between the TACACS+ and RADIUS protocols.

Critical factors for TACACS+ include:

- Is incompatible with its predecessors TACACS and XTACACS
- Separates authentication and authorization
- Encrypts all communication (the packet body; the header is sent in the clear)
- Utilizes TCP port 49

Critical factors for RADIUS include:

- Uses RADIUS proxy servers for scalability
- Combines RADIUS authentication and authorization as one process
- Encrypts only the password
- Utilizes UDP (ports 1812 for authentication and 1813 for accounting; older deployments use 1645 and 1646)

3.3.2 SERVER-BASED AAA COMMUNICATION PROTOCOLS

The extensions to the TACACS+ protocol provide more types of authentication requests and response codes than were in the original TACACS specification. TACACS+ offers multiprotocol support, such as IP and AppleTalk. Normal TACACS+ operation encrypts the entire body of the packet for more secure communications and utilizes TCP port 49.


    RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol for

    applications such as network access or IP mobility. RADIUS works in both local and roaming

    situations and is commonly used for accounting purposes. RADIUS is currently defined by RFCs

    2865, 2866, 2867, and 2868.

    The RADIUS protocol hides passwords during transmission, even with the Password

    Authentication Protocol (PAP), using a rather complex operation that involves Message Digest 5

    (MD5) hashing and a shared secret. However, the rest of the packet is sent in plaintext.

    RADIUS is widely used by VoIP service providers. It passes login credentials of a SIP endpoint, such

    as a broadband phone, to a SIP registrar using digest authentication, and then to a RADIUS server

    using RADIUS. RADIUS is also a common authentication protocol that is utilized by the 802.1X

    security standard.

    3.3.3 CISCO SECURE ACS

    Fortunately, Cisco Secure ACS for Windows Server is a single solution that offers AAA for both

    TACACS+ and RADIUS.

    The Cisco ACS family of products are highly scalable, high-performance access control servers that

    can be leveraged to control administrator access and configuration for all network devices in a

    network supporting RADIUS or TACACS+ or both. Cisco Secure ACS offers several benefits:

- Extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution.
- Allows greater flexibility and mobility, increased security, and user-productivity gains.
- Enforces a uniform security policy for all users, regardless of how they access the network.
- Reduces the administrative and management burden when scaling user and network administrator access to the network.

    Cisco Secure ACS can authenticate users against an internal Cisco Secure user database, or it can

    be configured to leverage external databases that can be centrally managed. This centralizes the

    control of all user privileges and distributes them to access points throughout the network. Cisco

    Secure ACS provides detailed reporting and monitoring capabilities of user behavior, access

    connections, and device configuration changes.

    Cisco Secure ACS provides a variety of advanced features:

- Automatic service monitoring
- Database synchronization and importing of tools for large-scale deployments
- LDAP user authentication support
- User and administrative access reporting
- Restrictions to network access based on criteria such as the time of day and the day of week
- User and device group profiles

Cisco Secure ACS has many high-performance and scalability features:


    Ease of use - A web-based user interface simplifies and distributes the configuration for user

    profiles, group profiles, and Cisco Secure ACS configuration.

    Scalability - Cisco Secure ACS is built to provide large networked environments with support for

    redundant servers, remote databases, and database replication and backup services.

    Extensibility - LDAP authentication forwarding supports the authentication of user profiles that

    are stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.

    Management - Microsoft Windows Active Directory support consolidates Windows username and

    password management and uses the Windows Performance Monitor for real-time statistics

    viewing.

    Administration - Different access levels for each Cisco Secure ACS administrator and the ability to

    group network devices together make it easier and more flexible to control the enforcement and

    changes of security policy administration for all devices in a network.

    Product flexibility - Because Cisco IOS software has embedded support for AAA, Cisco Secure ACS

    can be used across virtually any network access server that Cisco sells (the Cisco IOS software

    release must support RADIUS or TACACS+). Cisco Secure ACS is available in three options: Cisco

    Secure ACS Solution Engine, Cisco Secure ACS Express, and Cisco Secure ACS for Windows.

    Integration - Tight coupling with Cisco IOS routers and VPN solutions provides features such as

    multi-chassis multilink PPP and Cisco IOS software command authorization.

Third-party support - Cisco Secure ACS offers token server support for any one-time password (OTP) vendor that provides an RFC-compliant RADIUS interface, such as RSA, PassGo, Secure Computing, ActiveCard, Vasco, or CryptoCard.

    Control - Cisco Secure ACS provides dynamic quotas to restrict access based on the time of day,

    network use, number of logged sessions, and the day of the week.


3.3 SERVER-BASED AAA

3.3.4 CONFIGURING CISCO SECURE ACS

Before installing Cisco Secure ACS, it is important to prepare the server. Third-party software requirements and the network and port requirements of the server and AAA devices must be considered.

    Network and Port Prerequisites

The network should meet the following requirements before administrators begin deploying Cisco Secure ACS:

- For full TACACS+ and RADIUS support on Cisco IOS devices, AAA clients must run Cisco IOS Release 11.2 or later.
- Cisco devices that are not Cisco IOS AAA clients must be configured with TACACS+, RADIUS, or both.
- Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA clients.
- The computer running Cisco Secure ACS must be able to reach all AAA clients using ping.
- Gateway devices between the Cisco Secure ACS and other network devices must permit communication over the ports that are needed to support the applicable feature or protocol.
- A supported web browser must be installed on the computer running Cisco Secure ACS. For the most recent information about tested browsers, see the release notes for the Cisco Secure ACS product on Cisco.com.

    All NICs in the computer running Cisco Secure ACS must be enabled. If there is a disabled network

    card on the computer running Cisco Secure ACS, installing Cisco Secure ACS might proceed slowly

    because of delays caused by the Microsoft CryptoAPI.

    The home page of the Cisco Secure ACS contains a navigation bar with buttons that represent

    functions that can be configured:

- User Setup
- Group Setup
- Shared Profile Components
- Network Configuration
- System Configuration
- Interface Configuration
- Administration Control
- External User Databases
- Posture Validation
- Network Access Profiles
- Reports and Activity
- Online Documentation

The Interface Configuration page allows the administrator to control the display of properties on the User Setup page. The specific options displayed depend on whether TACACS+ or RADIUS clients have been added to the server:

- User Data Configuration
- TACACS+ (Cisco IOS)
- RADIUS (Microsoft)
- RADIUS (Ascend)
- RADIUS (IETF)
- RADIUS (IOS/PIX)
- Advanced Options

Cisco Secure ACS can be configured to forward authentication of users to one or more external user databases. Support for external user databases means that Cisco Secure ACS does not require duplicate user entries to be created in the Cisco Secure user database.

    The Database Configuration screen is used to define the parameters of the external server.

    Options include:

- RSA SecurID Token Server
- RADIUS Token Server
- External ODBC Database
- Windows Database
- LEAP Proxy RADIUS Server
- Generic LDAP

3.3.5 CONFIGURING CISCO SECURE ACS USERS AND GROUPS

When Cisco Secure ACS is configured to communicate with an external user database, it can be configured to authenticate users with the external user database in one of two ways:

By specific user assignment - Authenticate specific users with an external user database.

By unknown user policy - Use an external database to authenticate users not found in the Cisco Secure user database. This method does not require administrators to define users in the Cisco Secure user database.

3.4.1 CONFIGURING SERVER-BASED AAA AUTHENTICATION WITH CLI

Unlike local AAA authentication, server-based AAA must identify the various TACACS+ and RADIUS servers that the AAA service should consult when authenticating and authorizing users.

    There are a few basic steps to configure server-based authentication:

    Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all

    other AAA commands.

    Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a

    TACACS+ or RADIUS server.


Step 3. Configure the shared secret key used to protect the data transfer between the network access server and Cisco Secure ACS. The key must be identical on the router and in the ACS entry for that router; a mismatched key is the most common cause of a FAIL status in the debug aaa authentication output.

Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.
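The CLI that corresponds to the four steps above, as an added example that is not configuration from the original notes. It assumes a TACACS+ server at 10.1.1.10 and a RADIUS server at 10.1.1.11, the shared secrets and group names shown, and a Loopback0 management address; replace all of them. It goes slightly beyond the text by using the tacacs server / radius server definition syntax and named server groups of IOS 15.x; the legacy one-line form is shown in a comment.

```cisco
! Added example, not from the original notes. The addresses 10.1.1.10 (TACACS+)
! and 10.1.1.11 (RADIUS), the shared secrets, the group names and Loopback0 are
! assumed; replace them with real values.
!
! A local fallback account, created before AAA is enabled.
username ADMIN01 privilege 15 secret StrongPassw0rd!
!
! Step 1 - enable AAA globally.
aaa new-model
!
! Steps 2 and 3 - define each server and its shared secret (IOS 15.x syntax;
! the legacy one-liner is 'tacacs-server host 10.1.1.10 key <secret>').
! The secret is the only thing protecting the exchange: make it long and
! random, and make sure it matches the entry for this router on the ACS.
tacacs server ACS-PRIMARY
 address ipv4 10.1.1.10
 key 0 Tacacs-Shared-Secret-ChangeMe
 single-connection
 timeout 5
!
radius server ACS-RADIUS
 address ipv4 10.1.1.11 auth-port 1812 acct-port 1813
 key 0 Radius-Shared-Secret-ChangeMe
 timeout 5
!
! Server groups let a method list name several servers for redundancy and pin
! the source address so the ACS recognises the client.
aaa group server tacacs+ ADMIN-TACACS
 server name ACS-PRIMARY
 ip tacacs source-interface Loopback0
!
aaa group server radius USER-RADIUS
 server name ACS-RADIUS
 ip radius source-interface Loopback0
!
! Step 4 - method lists. Administrative (character-mode) logins go to TACACS+;
! the local database is used only when no server answers (ERROR), never when
! the server rejects the credentials (FAIL).
aaa authentication login default group ADMIN-TACACS local-case
! Dial-in / PPP (packet-mode) users are checked against RADIUS.
aaa authentication ppp default group USER-RADIUS
!
line vty 0 4
 login authentication default
 transport input ssh
!
! Verification, from privileged EXEC:
!   test aaa group ADMIN-TACACS ADMIN01 StrongPassw0rd! new-code
!   debug aaa authentication
!   debug tacacs
```

Keeping local-case as the last method preserves emergency access when every server in the group is down, while a rejected password still fails closed; removing it, or replacing it with none, turns a server outage into either a lockout or an open door.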

    If using CCP for TACACS+ support, it is necessary to specify a list of available Cisco Secure ACS

    servers that provide TACACS+ services for the router:

    Step 1. From the CCP home page, choose Configure > Router > AAA > AAA Servers and Groups >

    Servers.

    Step 2. From the AAA Servers pane, click Add. The Add AAA Server window appears. Choose

    TACACS+ from the Server Type list box.

    Step 3. Enter the IP address or host name of the AAA server in the Server IP or Host field. If the

    router has not been configured to use a DNS server, enter a DNS server IP address.

    Step 4. The router can be configured to maintain a single open connection to the TACACS+ server

    rather than opening and closing a TCP connection each time it communicates with the server. To

    do so, check the Single connection to server(for CiscoSecure) check box.

    Step 5. To override AAA server global settings and specify a server-specific timeout value in the

    Server-Specific Setup section, enter a value in the Timeout (seconds) field. This field determines

    how long the router waits for a response from this server before going on to the next server in the

    group list. If a value is not entered, the router uses the value that is configured in the AAA Servers

    Global Settings window. The default setting is five seconds.

Step 6. To configure a server-specific key, check the Configure Key check box and enter the key that is used to encrypt traffic between the router and this server in the New Key field. Re-enter the key in the Confirm Key field for confirmation. If this option is not checked and a value is not entered, the router uses the value that was configured in the AAA Servers Global Settings window.

Step 7. Click OK.

The debug aaa authentication command is a useful AAA troubleshooting command because it provides a high-level view of login activity.

The command indicates a status message of PASS when a TACACS+ login attempt is successful. If the status message returned is FAIL, verify the secret key and troubleshoot as necessary. An ERROR status instead indicates that no server could be reached, in which case the next method in the list (typically local) is tried.

3.5.1 CONFIGURING SERVER-BASED AAA AUTHORIZATION

The TACACS+ protocol allows the separation of authentication from authorization. A router can be configured to restrict the user to performing only certain functions after successful authentication. Authorization can be configured for both character mode (exec authorization) and packet mode (network authorization). Keep in mind that RADIUS does not separate the authentication from the authorization process: the authorization attributes are returned in the same Access-Accept message that authenticates the user.

Another important aspect of authorization is the ability to control user access to specific services. Controlling access to configuration commands greatly simplifies infrastructure security in large enterprise networks. Per-user permissions on the Cisco Secure ACS simplify network device configuration.

By default, TACACS+ establishes a new TCP session for every authorization request, which can lead to delays when users enter commands. Cisco Secure ACS supports persistent TCP sessions (the single-connection option on the router) to improve performance.

To configure authorization, use the aaa authorization {network | exec | commands level} {default | list-name} method1...[method4] command. The service type specifies the types of commands or services:

- commands level - for exec (shell) commands at the given privilege level
- exec - for starting an exec (shell)
- network - for network services (PPP, SLIP, ARAP)

    3.5.2 CONFIGURING SERVER-BASED AAA ACCOUNTING

    To configure AAA accounting, use the aaa accounting {network | exec | connection} {default | list-

    name} {start-stop | stop-only | none} [broadcast] method1...[method4] global configuration

    mode command. The network, exec, and connection parameters are commonly used keywords.

    Network - Runs accounting for all network-related service requests, including Serial Line Internet

    Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs).

    Exec - Runs accounting for the EXEC shell session.

    Connection - Runs accounting on all outbound connections made from the network access server,

    such as Telnet or local-area transport (LAT).

    Default - Uses the listed accounting methods that follow this keyword as the default list of

    methods.


    List-name - Character string used to name a custom accounting method list.

    Start-stop - Sends a "start" accounting notice at the beginning of a process and a "stop"

    accounting notice at the end of a process.

    Stop-only - Sends a "stop" accounting record for all cases including authentication failures.

    None - Disables accounting services on a line or interface.

    Broadcast - (Optional) Enables sending accounting records to multiple AAA servers.
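Server-based authorization (section 3.5.1) and accounting (section 3.5.2) configured together on one router, as an added example that is not configuration from the original notes. The server addresses 10.1.1.10 and 10.1.1.11, the shared secrets, the group names ADMIN-TACACS and USER-RADIUS, and the account ADMIN01 are assumed values; the block repeats the minimal server definitions so that it stands on its own.

```cisco
! Added example, not from the original notes. Servers, secrets, group names and
! the ADMIN01 account are assumed; replace them with real values.
aaa new-model
username ADMIN01 privilege 15 secret StrongPassw0rd!
!
tacacs server ACS-PRIMARY
 address ipv4 10.1.1.10
 key 0 Tacacs-Shared-Secret-ChangeMe
 single-connection
aaa group server tacacs+ ADMIN-TACACS
 server name ACS-PRIMARY
!
radius server ACS-RADIUS
 address ipv4 10.1.1.11 auth-port 1812 acct-port 1813
 key 0 Radius-Shared-Secret-ChangeMe
aaa group server radius USER-RADIUS
 server name ACS-RADIUS
!
aaa authentication login default group ADMIN-TACACS local-case
!
! --- Authorization (TACACS+ keeps it separate from authentication) ---
! EXEC authorization: the server decides the privilege level of the shell.
aaa authorization exec default group ADMIN-TACACS local
! Command authorization: every level-1 and level-15 command is sent to the
! server before it runs. 'local' falls back to the local privilege level if no
! server answers; 'if-authenticated' would permit everything in that case.
aaa authorization commands 1 default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS local
! Commands typed in configuration mode are only authorized if this is set.
aaa authorization config-commands
! The console is exempt from authorization unless 'aaa authorization console'
! is set; leave it exempt on a physically protected device so a server outage
! cannot lock you out.
! Network (packet-mode) authorization for PPP users against RADIUS.
aaa authorization network default group USER-RADIUS
!
! --- Accounting ---
! Start and stop records for each EXEC shell session.
aaa accounting exec default start-stop group ADMIN-TACACS
! One stop record per privilege-15 command: a per-command audit trail.
aaa accounting commands 15 default stop-only group ADMIN-TACACS
! Outbound connections (Telnet, SSH) opened from the router itself.
aaa accounting connection default start-stop group ADMIN-TACACS
! Network sessions (PPP) accounted to RADIUS for billing-style records.
aaa accounting network default start-stop group USER-RADIUS
! Record failed logins too, and refresh long-lived sessions every 15 minutes
! so a crash does not lose the whole session.
aaa accounting send stop-record authentication failure
aaa accounting update periodic 15
!
line vty 0 4
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

Command accounting is configured with stop-only because the record for a command is only useful once the command has completed; exec and network accounting use start-stop so that session duration can be computed from the pair of records.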