CATC Birmingham City University CCNA Security Chapter Three: Authentication, Authorization, and Accounting


Page 1: Rich CCNA Security 03 (1)

8/13/2019 Rich CCNA Security 03 (1)

http://slidepdf.com/reader/full/rich-ccna-security-03-1 1/30

CATC

Birmingham City University

CCNA Security

Chapter Three

Authentication, Authorization, and Accounting

Page 2

AAA Access Security

Authentication: Who are you?

Authorization: Which resources is the user allowed to access? Which operations is the user allowed to perform?

Accounting: What did you spend it on?

Page 3

Access Methods

o A user requests to establish one of two kinds of session:

  - Character mode: an EXEC mode process for administrative purposes

  - Packet mode: a connection through to a device on the network

Page 4

Local AAA Authentication

o Used for small networks

o Stores usernames and passwords locally in the Cisco router

o Authorisation to access the network is based on information in the local database.

1. Client establishes connection.

2. Router prompts for username and password.

3. Router authenticates against the local database.

(Figure: remote client connecting through the perimeter router; steps 1 to 3 are marked on the diagram.)

Page 5

Server-Based AAA Authentication

o Uses an external database server, one of:

  - Cisco Secure Access Control Server (ACS) for Windows Server

  - Cisco Secure ACS Solution Engine

  - Cisco Secure ACS Express

o More appropriate if there are multiple routers

1. Client establishes connection.

2. Router prompts for username and password.

3. Router communicates with the Cisco Secure ACS (server or appliance).

4. The Cisco Secure ACS authenticates the user.

5. Authorisation to access the network is based on information in the Cisco Secure ACS database.

(Figure: remote client, perimeter router, and Cisco Secure ACS server or ACS appliance; steps 1 to 5 are marked on the diagram.)

Page 6

AAA Authorization

o Typically implemented using an AAA server-based solution

o Uses a set of attributes that describes user access to the network

1. Once authenticated, a session is established with an AAA server.

2. Router requests authorisation for the requested service.

3. The AAA server returns a PASS/FAIL for authorisation.

Page 7

AAA Accounting

o Implemented using an AAA server-based solution

o Keeps a detailed log of what an authenticated user does on a device

1. Once authenticated, the AAA accounting process generates a start message to begin the accounting process.

2. When the user finishes, a stop message is recorded, ending the accounting process.

Page 8

Overview of TACACS+ and RADIUS

(Figure: remote user, perimeter router, Cisco Secure ACS for Windows Server, and Cisco Secure ACS Express.)

TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.

Page 9

TACACS+/RADIUS Comparison

Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation.
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.

Standard
  TACACS+: Mostly Cisco supported
  RADIUS: Open/RFC standard

Transport Protocol
  TACACS+: TCP
  RADIUS: UDP

CHAP
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client

Protocol Support
  TACACS+: Multiprotocol support
  RADIUS: No ARA, no NetBEUI

Confidentiality
  TACACS+: Entire packet encrypted
  RADIUS: Password encrypted

Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis

Accounting
  TACACS+: Limited
  RADIUS: Extensive

Page 10

TACACS+ Authentication Process

o Provides separate AAA services

o Uses TCP port 49

(Figure: message exchange between the remote client, the AAA client (router), and the ACS.)

1. Remote client to AAA client: connection request

2. AAA client to ACS: START

3. ACS to AAA client: REPLY "Username?"

4. AAA client to remote client: "Username?"

5. Remote client to AAA client: Admin01

6. AAA client to ACS: CONTINUE Admin01

7. ACS to AAA client: REPLY "Password?"

8. AAA client to remote client: "Password?"

9. Remote client to AAA client: Admin01pa55

10. AAA client to ACS: CONTINUE Admin01pa55

11. ACS to AAA client: REPLY PASS/FAIL

Page 11

RADIUS Authentication Process

o Works in both local and roaming situations

o UDP ports 1645 or 1812 for authentication

o UDP ports 1646 or 1813 for accounting

(Figure: message exchange between the remote client, the AAA client (router), and the ACS.)

1. Remote client to AAA client: connection request

2. AAA client to remote client: "Username?"

3. Remote client to AAA client: Admin01

4. AAA client to remote client: "Password?"

5. Remote client to AAA client: Admin01pa55

6. AAA client to ACS: Access-Request ("Admin01", "Admin01pa55")

7. ACS to AAA client: Access-Accept / Access-Reject
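The following is an added example, not code from the slides or from Cisco: it walks through steps 6 and 7 of the RADIUS exchange above in Python, building the Access-Request on the AAA client, answering it on the server, and checking the reply on the client. It follows the RFC 2865 packet layout, the User-Password hiding rule (MD5 of the shared secret and the Request Authenticator, XORed over the password in 16-byte blocks) and the Response Authenticator rule, which is what the comparison table means by "password encrypted": only the password attribute is hidden, the User-Name travels in the clear. The shared secret, user database and packet identifier are constructed sample values.

```python
"""Added example: a minimal RADIUS Access-Request / Access-Accept exchange
between an AAA client (the perimeter router) and an AAA server, per RFC 2865."""
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data: the shared secret configured on both router and
# server, and the server's user database (credentials from the slide's example).
SHARED_SECRET = b"example-shared-secret"      # assumption: placeholder value
USER_DB = {"Admin01": "Admin01pa55"}


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple; block 1 is XORed with
    MD5(secret + Request Authenticator), each later block with
    MD5(secret + previous ciphertext block). Keyed obfuscation, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; trailing NUL padding is removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def _attr(attr_type, value):
    # Attribute = Type (1 byte) | Length including header (1 byte) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, username, password, secret, authenticator=None):
    """AAA client side (slide step 6): Code | Identifier | Length | Request
    Authenticator (16 random bytes) | attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def server_respond(request, secret, user_db):
    """Server side (slide step 7): recover the password, check it, and reply.
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    A real server would compare against a stored password hash, not plaintext."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != CODE_ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth = request[4:20]
    attrs = _parse_attrs(request[20:length])
    username = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = username in user_db and hmac.compare_digest(user_db[username].encode(), password)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify(request, response, secret):
    """AAA client side: accept the reply only if the identifier matches and the
    Response Authenticator verifies; returns PASS, FAIL or ERROR (bad reply)."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or not hmac.compare_digest(response[4:20], expected):
        return "ERROR"
    return "PASS" if code == CODE_ACCESS_ACCEPT else "FAIL"


def authenticate(username, password, secret=SHARED_SECRET, user_db=USER_DB):
    """Runs one full exchange and returns the client's view of the outcome."""
    request = build_access_request(7, username, password, secret)
    response = server_respond(request, secret, user_db)
    return client_verify(request, response, secret)


if __name__ == "__main__":
    print(authenticate("Admin01", "Admin01pa55"))   # PASS
    print(authenticate("Admin01", "wrong-password"))  # FAIL
```

The ERROR outcome is worth noticing: a reply whose Response Authenticator does not verify (wrong shared secret, corrupted or forged packet) is neither a pass nor a fail, which is why the shared secret must match on both ends and why an unverifiable reply should be logged rather than treated as a rejection.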

Page 12

Cisco Secure ACS Benefits

o Extends access security by combining authentication, user access, and administrator access with policy control

o Allows greater flexibility and mobility, increased security, and user-productivity gains

o Enforces a uniform security policy for all users

o Reduces the administrative and management efforts

Page 13

Cisco Secure ACS Advanced Features

o Automatic service monitoring

o Database synchronization and importing tools for large-scale deployments

o Lightweight Directory Access Protocol (LDAP) user authentication support

o User and administrative access reporting

o Restrictions to network access based on criteria

o User and device group profiles

Page 14

Cisco Secure ACS Overview

o Centrally manages access to network resources for a growing variety of access types, devices, and user groups

o Addresses the following:

  - Support for a range of protocols including Extensible Authentication Protocol (EAP) and non-EAP

  - Integration with Cisco products for device administration access control allows for centralized control and auditing of administrative actions

  - Support for external databases, posture brokers, and audit servers centralizes access policy control

Page 15

Cisco Secure ACS Installation Options

Cisco Secure ACS for Windows can be installed on:

- Windows 2000 Server with Service Pack 4

- Windows 2000 Advanced Server with Service Pack 4

- Windows Server 2003 Standard Edition

- Windows Server 2003 Enterprise Edition

Cisco Secure ACS Solution Engine

- A highly scalable dedicated platform that serves as a high-performance ACS

- 1RU, rack-mountable

- Preinstalled with security-hardened Windows software and Cisco Secure ACS software

- Support for more than 350 users

Cisco Secure ACS Express 5.0

- Entry-level ACS with a simplified feature set

- Support for up to 50 AAA devices and up to 350 unique user ID logins in a 24-hour period

Page 16

Configuring Cisco Secure ACS

o Deploying ACS

o Cisco Secure ACS Homepage

o Network Configuration

o Interface Configuration

o External User Database

o Windows User Database Configuration

Page 17

Cisco Secure ACS Homepage

add, delete, modify settings for AAA clients (routers)

set menu display options for TACACS and RADIUS

configure database settings

Page 18

Network Configuration

1. Click Network Configuration on the navigation bar

2. Click Add Entry

3. Enter the hostname

4. Enter the IP address

5. Enter the secret key

6. Choose the appropriate protocols

7. Make any other necessary selections and click Submit and Apply

Page 19

Interface Configuration

The selection made in the Interface Configuration window controls the display of options in the user interface.

Page 20

External User Database

1. Click the External User Databases button on the navigation bar

2. Click Database Configuration

3. Click Windows Database

Page 21

Windows User Database Configuration

4. Click configure

5. Configure options

Page 22

Configuring a TACACS+ Server

o Configuring the Unknown User Policy

o Configuring Database Group Mappings

o Configuring Users

Page 23

Configuring the Unknown User Policy

1. Click External User Databases on the navigation bar

2. Click Unknown User Policy

3. Place a check in the box

4. Choose the database from the list and click the right arrow to move it to the Selected list

5. Manipulate the databases to reflect the order in which each will be checked

6. Click Submit

Page 24

Group Setup

Database group mappings: control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another.

1. Click Group Setup on the navigation bar

2. Choose the group to edit and click Edit Settings

3. Click Permit in the Unmatched Cisco IOS commands option

4. Check the Command check box and select an argument

5. For the Unlisted Arguments option, click Permit

Page 25

User Setup

1. Click User Setup on the navigation bar

2. Enter a username and click Add/Edit

3. Enter the data to define the user account

4. Click Submit

Page 26

Configuring Server-Based AAA Authentication

1. Globally enable AAA

2. Specify the Cisco Secure ACS for the network access server

3. Configure the encryption key between the network access server and the Cisco Secure ACS

4. Configure the AAA authentication method list

Page 27

Page 28

AAA Authorization Overview

o RADIUS combines the authentication and authorization process

o TACACS+ allows the separation of authentication from authorization. It can restrict the user to performing only certain functions after successful authentication.

o Authorization can be configured for:

  - character mode (exec authorization)

  - packet mode (network authorization)

(Figure: command authorization example for user JR-ADMIN.)

- User enters "show version". Router asks the AAA server: command authorization for user JR-ADMIN, command "show version"? Server answers Accept; the router displays the "show version" output.

- User enters "configure terminal". Router asks the AAA server: command authorization for user JR-ADMIN, command "config terminal"? Server answers Reject; the router does not permit "configure terminal".

Page 29

AAA Accounting Overview

o Provides the ability to:

  - track usage such as dial-in access

  - log the data gathered to a database

  - produce reports on the data gathered

o Supports six different types of accounting:

  - Network

  - Connection

  - Exec

  - System

  - Commands level

  - Resource

o To configure AAA accounting using named method lists:

aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
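The following is an added example, not from the slides or from Cisco ACS, serving two passages: the per-group command authorization from the Group Setup slide and the JR-ADMIN accept/reject example (the "Unlisted Arguments" and "Unmatched Cisco IOS commands" settings decide what happens outside the explicit list), and the record modes in the aaa accounting command above. It models the policy and the accounting records in Python; the JR-ADMIN policy, the record field names and the wait_for_ack flag are constructed for illustration and are not the ACS data model.

```python
"""Added example: command authorization modelled on the ACS Group Setup options,
plus the accounting records that bracket the resulting EXEC session."""
from dataclasses import dataclass, field


@dataclass
class CommandPolicy:
    """Constructed policy for one ACS group; field names follow the Group Setup screen."""
    commands: dict = field(default_factory=dict)  # command -> set of permitted argument strings
    unlisted_arguments: str = "deny"              # argument not in the set: "permit" or "deny"
    unmatched_commands: str = "deny"              # command not listed at all: "permit" or "deny"


def authorize_command(policy, line):
    """TACACS+-style command authorization: the AAA client sends the whole
    command line and the server returns PASS or FAIL from the group policy.
    Anything the policy does not explicitly permit is denied."""
    words = line.split()
    if not words:
        return "FAIL"
    command, argument = words[0], " ".join(words[1:])
    if command not in policy.commands:
        return "PASS" if policy.unmatched_commands == "permit" else "FAIL"
    if argument in policy.commands[command]:
        return "PASS"
    return "PASS" if policy.unlisted_arguments == "permit" else "FAIL"


def run_exec_session(policy, user, lines, record_mode="start-stop", account_commands=True):
    """Authorizes each line of an EXEC session and builds the accounting records
    the AAA server would receive. record_mode is one of the keywords from
    'aaa accounting ... {start-stop | wait-start | stop-only | none}';
    account_commands models 'aaa accounting commands <level>' being enabled."""
    if record_mode not in ("start-stop", "wait-start", "stop-only", "none"):
        raise ValueError("unknown record mode: " + record_mode)
    results, records = [], []
    if record_mode in ("start-stop", "wait-start"):
        # wait-start: the EXEC process must not begin until the server acknowledges the start record
        records.append({"type": "start", "service": "exec", "user": user,
                        "wait_for_ack": record_mode == "wait-start"})
    for line in lines:
        verdict = authorize_command(policy, line)
        results.append((line, verdict))
        if account_commands:
            # every attempt is recorded, permitted or not, so denied attempts are visible in reports
            records.append({"type": "command", "user": user, "cmd": line, "result": verdict})
    if record_mode != "none":
        records.append({"type": "stop", "service": "exec", "user": user,
                        "commands_attempted": len(lines)})
    return results, records


# Constructed group policy for the slide's JR-ADMIN user: may run 'show version'
# and 'show ip interface brief'; every other command or argument is refused.
JR_ADMIN_POLICY = CommandPolicy(
    commands={"show": {"version", "ip interface brief"}},
    unlisted_arguments="deny",
    unmatched_commands="deny",
)


if __name__ == "__main__":
    results, records = run_exec_session(
        JR_ADMIN_POLICY, "JR-ADMIN",
        ["show version", "configure terminal", "show running-config"])
    for line, verdict in results:
        print(f"{verdict}: {line}")          # PASS, FAIL, FAIL
    for record in records:
        print(record)
```

Setting both "Unmatched Cisco IOS commands" and "Unlisted Arguments" to Permit, as the Group Setup steps describe, turns the list into an allow-everything policy with a few explicit entries; the constructed JR-ADMIN policy shows the deny-by-default alternative, in which only the listed command and argument pairs pass.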

Page 30

CATC

Birmingham City University

www.catcemea.org.uk

[email protected]