
© 2012 Cisco and/or its affiliates. All rights reserved. 1

CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting


• Explain the function and operation of the authentication, authorization, and accounting (AAA) protocol.

• Configure a Cisco router to perform AAA authentication with a local database.

• Describe how to configure Cisco ACS to support AAA for Cisco IOS routers.

• Configure server-based AAA.


3.0 Implementing AAA on Cisco Devices

3.1 Implement AAA (authentication, authorization, accounting)

3.1.1 AAA using CCP on routers

3.1.2 AAA using CLI on routers and switches

3.1.3 AAA on ASA

3.2 Describe TACACS+

3.3 Describe RADIUS

3.4 Describe AAA

3.4.1 Authentication

3.4.2 Authorization

3.4.3 Accounting

3.5 Verify AAA functionality


• AAA is a critical task that involves securing network devices to limit who can access them and how they can access them, as well as to account for the actions taken while accessing them.

• Local AAA authentication is configured on a device-by-device basis and has some advantages over basic authentication against the local database (local authentication). Centralized or server-based AAA is a scalable enterprise solution for AAA.

• The Cisco solution for server-based AAA is Cisco Secure Access Control Server (CSACS).

• Server-based AAA can be implemented with RADIUS (standards-based protocol) or TACACS+ (Cisco-proprietary protocol). Each option has a number of defining qualities that differentiate one from the other.

• AAA can be configured using the CLI or CCP.

• AAA technology is required for the implementation of several other features, such as Cisco Easy VPN for remote-access.


• Chapter 3 Lab: Securing Administrative Access Using AAA and RADIUS

Part 1: Basic Network Device Configuration

Part 2: Configure Local Authentication

Part 3: Configure Local Authentication Using AAA

Part 4: Configure Centralized Authentication Using AAA and RADIUS


AAA: Authentication, authorization, and accounting

Authentication: Means of verifying an approved person or device

Authorization: Delineation of resources available upon authentication

Accounting: Logging or documentation of actions taken by an individual during an authenticated session

Character mode: AAA access mode specified for accessing an EXEC mode process with the networking device for administrative purposes

Packet mode: AAA access mode for accessing network resources through the networking device

Local AAA authentication: AAA solution whereby a user is authenticated against the local username database; local AAA authentication is distinguished from local authentication in that it can be applied to all lines at once

Server-based AAA authentication: AAA authentication relying on a RADIUS or TACACS+ server


Authentication method: Method of authentication, such as the enable password, the local username database, or an authentication server; the default method applies to all lines

Method list: List of authentication, authorization, or accounting methods

CSACS: Cisco Secure Access Control Server; Cisco-proprietary software used on a network server to provide an enterprise AAA solution, supporting both TACACS+ and RADIUS

TACACS+: Terminal Access Controller Access-Control System Plus; Cisco-proprietary TCP-based protocol used in conjunction with a TACACS+ server for AAA support; uses TCP port 49; separates authentication and authorization; supports limited accounting

RADIUS: Remote Authentication Dial-In User Service; standards-based UDP-based protocol used in conjunction with a RADIUS server for AAA support; UDP ports 1645 or 1812 for authentication; UDP ports 1646 or 1813 for accounting; combines authentication and authorization into one process; supports extensive accounting

Diameter: AAA protocol; planned replacement for RADIUS; utilizes Stream Control Transmission Protocol (SCTP)


CHAP: Challenge-Handshake Authentication Protocol; more secure than PAP; requires both peers to know the secret; uses MD5 to avoid having to send the plaintext secret over the network

PAP: Password Authentication Protocol; validates users to allow access to network resources; the plaintext password is sent over the network

LDAP: Lightweight Directory Access Protocol; application protocol for maintaining distributed directory information over IP

SecureX: Cisco architecture designed to enforce security policies across a distributed network, using Cisco Security Intelligence Operations (SIO)

SIO: Security Intelligence Operations; Cisco early warning intelligence, threat and vulnerability analysis system, with mitigation solutions to protect networks

TrustSec: Cisco solution to enable organizations to secure networks and services through identity-based access control; provides data integrity, confidentiality services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services


802.1X: IEEE standard for port-based network access control; provides an authentication mechanism for devices attaching to a LAN or WLAN

NAC: Feature designed to restrict access to the network based on identity or security posture; can be configured for switches, routers, access points, or DHCP servers

CSACS Solution Engine: 1U rack-mountable, security-hardened appliance with a pre-installed CSACS license, used in organizations with more than 350 users

CSACS Express: 1U rack-mountable unit intended for 350 or fewer users

RSA: Rivest-Shamir-Adleman; algorithm for public-key cryptography

RSA SecurID: Two-factor authentication based on a password or PIN and an authenticator

LEAP: Lightweight Extensible Authentication Protocol; Cisco-proprietary wireless authentication protocol; relies on a RADIUS server

ODBC: Open Database Connectivity; standard C programming interface for database management


• Cisco Configuration Professional (CCP) has replaced SDM to do the following:

To configure AAA local authentication

To configure centralized authentication with AAA and RADIUS


• The chapter 3 lab introduces the major options for AAA configuration. Students use CLI and CCP tools to implement authentication both locally and centrally. Debug options for AAA are explored.

• This lab is divided into four parts. The local authentication part, the local authentication with AAA part, and the centralized authentication with RADIUS part can be administered individually or in combination with the other parts as time permits. The main goal is to configure various types of user access authentication. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP. Students can work in teams of two for router authentication configuration, one student configuring R1 and the other student configuring R3.

• Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.


• When introducing AAA, point out that there is a wide variety of methods for authenticating people and devices. Security protocols and security technologies are changing rapidly. The focus is on local authentication, local authentication with AAA, and centralized authentication with CSACS and RADIUS servers. A large organization requires a centralized mechanism for AAA.

• Use the Who, How, What mnemonic to explain AAA.

• Time permitting, discuss authentication options in general: biometrics, single sign-on, one-time password, PKI and digital certificates, security tokens, and smart cards. Many of these options are discussed at various points in the course.


• Emphasize that local AAA authentication has some advantages over local authentication.

Ask the students “What can be done with local AAA authentication that cannot be done with local authentication?”

Explain that local AAA authentication gives one the ability to configure all or multiple lines at one time.

• Make sure to clarify the difference between character mode and packet mode. Character mode is used with tty, vty, auxiliary, and console access, while packet mode is used with dial-up and VPN access.

Character mode uses the login, exec, and enable commands.

Packet mode uses the ppp and network commands.

• Emphasize that centralized or server-based AAA is scalable. It is not practical to replicate a local database on 100 networking devices.


• Compare and contrast TACACS+ and RADIUS:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

• Emphasize that when using method lists with AAA, the next method in the list is tried only if the current method returns an error (for example, the authentication server cannot be reached). If a method returns an authentication failure (wrong credentials), the next method is NOT invoked.

• The aaa new-model command enables AAA. All subsequent AAA commands depend on this first step.

• The AAA syntax is inherently difficult to understand and the implementation is awkward. Make a point that the main idea is to provide flexibility with authentication and authorization options.


• To illustrate the power of AAA, conduct a demo with local AAA authentication to show how the vty and console lines are automatically secured with the default option.

Note that a named list must be applied to a particular line before that method works for that line; the default method applies to that line in the meantime.

• Demonstrate how incorrect AAA configuration can lock you out of a router:

Enable AAA local authentication prior to configuring a local username database.
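The following Cisco IOS configuration is an added example; it is not part of the course material or its lab. It pulls the points above together: the local account is created before aaa new-model, so the lockout just described cannot occur; the default login list (RADIUS server group, then local) relies on the error-only fall-through, so the local database is consulted only when no RADIUS server answers, never after a rejected password; and a named list is applied to the console while the default list secures the vty lines automatically. The server name ACS1, the group name ACS-GROUP, the address 192.0.2.10 (RFC 5737 documentation space) and every secret are placeholders chosen for this example.

```cisco
! Added example, not from the course material. Addresses are RFC 5737
! documentation space; every secret is a placeholder to be replaced.
!
! 1. Create the local account and enable secret FIRST. Enabling AAA
!    before any username exists leaves the local method with nothing
!    to check against and locks the administrator out.
username admin privilege 15 secret REPLACE_WITH_STRONG_SECRET
enable secret REPLACE_WITH_ENABLE_SECRET
!
! 2. Enable AAA. Every aaa command below depends on this step.
aaa new-model
!
! 3. Define the RADIUS server (IOS 15.2 syntax) and put it in a group
!    so the method lists can reference it by name.
radius server ACS1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
aaa group server radius ACS-GROUP
 server name ACS1
!
! 4. Method lists. The next method runs only when the previous one
!    returns an ERROR (server unreachable). A FAIL (bad password)
!    stops the list, so "group ACS-GROUP local" does NOT let a user
!    rejected by RADIUS retry against the local database.
aaa authentication login default group ACS-GROUP local
aaa authentication login CONSOLE local
aaa authorization exec default group ACS-GROUP local
aaa accounting exec default start-stop group ACS-GROUP
!
! 5. Character-mode lines. The default list applies to every line
!    as soon as it exists; the named list CONSOLE takes effect on
!    the console only once it is applied here.
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

When trying this on a lab router, keep the session you configured from open and test the login from a second session; if the second login fails, the first session can still correct the configuration. show running-config | section aaa lists the resulting method lists.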

• Show the AAA page in CCP to illustrate that AAA is enabled by default on CCP.

• Installing and configuring CSACS can be overwhelming. Use the two VoDs under Tools for this course at cisco.netacad.net to see how an expert makes it easy for you.


• Ask students what they think the advantages of centralized authentication are.

Possible answers include saving time over the long term, enhanced security, scalability, and ease of control and management.

• Discuss authentication methods in general and ask an open-ended question to students about what can be done to enhance authentication, especially given that more of our lives are connected with the Internet over time.

See http://www.csoonline.com/article/655483/report-breaches-in-the-cloud-illustrate-need-for-stronger-authentication for discussion points.


• There are many examples of security breaches that have occurred in the news lately. Ask students to research some of these and report back on how they could have been deterred better.

http://en.wikipedia.org/wiki/Password#Incidents

• Lead by example as a network engineer. Use sophisticated password rules and ask users to do the same.

• Every protocol that has an MD5 option or stronger (RIPv2, NTP, etc.) should implement that option. If there is an option for authentication and encryption, use both.

• Wireless LANs are the ideal stage for authentication scenarios because they are the most vulnerable. Secure your network as if it were as vulnerable as a WLAN.


• http://en.wikipedia.org/wiki/AAA_protocol

• http://www.nytimes.com/2010/01/21/technology/21password.html

• http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-usr-aaa-15-2mt-book.html

• https://www.infosecisland.com/blogview/14756-AAA-Security-Troubleshooting.html
