NetAuth Mod 7
Authorization
After the user is authenticated, these services determine which resources the user can access and which operations the user is allowed to perform.
AAA security in the Cisco environment has three functional components:
Authentication, Authorization, Accounting and auditing
RADIUS
Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
Cisco provides two common methods of implementing AAA services
Local AAA Authentication, Server-Based AAA Authentication
TACACS+
Separates AAA according to the AAA architecture, allowing modularity of the security server implementation
4 steps to configure local AAA services to authenticate administrator access:
Step 1: Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2: Enable AAA globally on the router.
Step 3: Configure AAA parameters on the router.
Step 4: Confirm and troubleshoot the AAA configuration.
4 steps to configure server-based authentication:
Step 1: Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
Step 2: Specify the server that will provide AAA services for the router. This can be a TACACS+ or RADIUS server.
Step 3: Configure the encryption key needed to encrypt the data transfer between the network device and AAA server.
Step 4: Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.
Authentication
Users and administrators must prove their identity before accessing the network and network resources. Identity can be established using username and password combinations, challenge and response questions, token cards, and other methods.
Server-Based AAA Authentication
With this authentication method, the router accesses a central AAA server that contains the usernames and passwords for all users. The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access-Control System Plus (TACACS+) protocol to communicate with the AAA server.
Cisco Identity Services Engine (ISE)
An identity and access control policy platform that enables enterprises to enforce compliance, enhance infrastructure security, and streamline their service operations.
Local AAA Authentication
database for authentication. This method is sometimes known as self-contained authentication. In this course, it will be referred to as local AAA authentication.
Accounting and auditing
Records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. It also keeps track of how network resources are used.