CCNA Security Ch. 3


AAA Authentication

----------------------------------------------------

Cisco Secure ACS advanced features

- Automatic service monitoring
- Database synchronization and importing of tools for large-scale deployments
- LDAP user authentication support
- User and administrative access reporting
- Restrictions to network access based on criteria such as the time of day and the day of week
- User and device group profiles

Cisco Secure ACS several benefits

- Extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution.
- Allows greater flexibility and mobility, increased security, and user-productivity gains.
- Enforces a uniform security policy for all users, regardless of how they access the network.
- Reduces the administrative and management burden when scaling user and network administrator access to the network.

Benefits of AAA

- Increased flexibility and control of access configuration
- Scalability
- Multiple backup systems
- Standardized authentication methods

Steps to AAA authorization

- The user has authenticated and a session has been established to the AAA server.
- When the user attempts to enter a privileged EXEC mode command, the router requests authorization from the AAA server to verify that the user has the right to use it.
- The AAA server returns a "PASS/FAIL" response.

Steps for server-based AAA authentication

1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.

Packet Mode

A user sends a request to establish a connection through the router with a device on the network.

Character Mode

A user sends a request to establish an EXEC mode process with the router for administrative purposes.

Accounting and auditing

Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.

Authorization

After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.

AAA

Authentication, Authorization and Accounting

When Cisco Secure ACS is configured to communicate with an external user database, it can be configured to authenticate users with the external user database in one of two ways

- By specific user assignment: authenticate specific users with an external user database.
- By unknown user policy: use an external database to authenticate users not found in the Cisco Secure user database. This method does not require administrators to define users in the Cisco Secure user database.

Local AAA Authentication

Local AAA uses a local database for authentication. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database. This database is the same one required for establishing role-based CLI. Local AAA is ideal for small networks.

Diameter Protocol

Planned replacement for RADIUS. Diameter uses a new transport protocol called Stream Control Transmission Protocol (SCTP) and TCP instead of UDP.

Critical factors for RADIUS include:

Remote Authentication Dial-In User Service
- Uses RADIUS proxy servers for scalability
- Combines RADIUS authentication and authorization as one process
- Encrypts only the password
- Utilizes UDP
- Supports remote-access technologies, 802.1X, and Session Initiation Protocol (SIP)

Steps to configuring AAA services to authenticate administrator access

Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
Step 2. Enable AAA globally on the router.
Step 3. Configure AAA parameters on the router.
Step 4. Confirm and troubleshoot the AAA configuration.

Configuring AAA authentication with CCP

Step 1. Choose Configure > Router > AAA > Authentication Policies > Login. Any defined method lists will be displayed.
Step 2. To view the options for a method list, select the list name and click Edit.
Step 3. From the Edit a Method List for Authentication Login window, click Add.
Step 4. From the Select Method List(s) for Authentication Login window, choose local from the method list if it is not already selected.
Step 5. Click OK.

Using CCP to configure AAA services for local authentication: creating users

Step 1. Choose Configure > Router > Router Access > User Accounts/View.
Step 2. Click Add to add a new user.
Step 3. In the Add an Account window, enter the username and password in the appropriate fields to define the user account.
Step 4. From the Privilege Level drop-down list, choose 15, unless there are lesser privilege levels defined.
Step 5. If views have been defined, check the Associate a View with the user check box and choose a view from the View Name list that is associated with a user.
Step 6. Click OK.

Steps to configure server-based authentication:

Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a TACACS+ or RADIUS server.
Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS.
Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server. For redundancy, it is possible to configure more than one server.

Difference between TACACS+ and RADIUS

TACACS+ is more secure and encrypts the entire packet body, while RADIUS only encrypts user passwords.

Critical factors for TACACS+ include

Terminal Access Controller Access Control System Plus
- Is incompatible with its predecessors TACACS and XTACACS
- Separates authentication and authorization
- Encrypts all communication
- Utilizes TCP port 49

Server-based AAA Authentication

The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols. Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.

When configuring ACS external databases, there are three major configuration options

- Unknown User Policy: configures the authentication procedure for users that are not located in the Cisco Secure ACS database.
- Database Group Mappings: configures what group privileges external database users inherit when Cisco Secure ACS authenticates them. In most cases, when a user is authenticated by an external user database, the actual privileges are drawn from Cisco Secure ACS and not the external database.
- Database Configuration: defines the external servers that Cisco Secure ACS works with.

Authentication

Users and administrators must prove that they are who they say they are

To configure command authorization, use the aaa authorization {network | exec | commands level} {default | list-name} method1...[method4] command. The service type specifies the type of commands or services being authorized:

- commands level: for EXEC (shell) commands at the specified privilege level
- exec: for starting an EXEC (shell) session
- network: for network services (PPP, SLIP, ARAP)

