© 2012 Cisco and/or its affiliates. All rights reserved.
CCNA Security 1.1 Instructional Resource Chapter 3 – Authentication, Authorization and Accounting
• Explain the function and operation of the authentication, authorization, and accounting (AAA) protocol.
• Configure a Cisco router to perform AAA authentication with a local database.
• Describe how to configure Cisco ACS to support AAA for Cisco IOS routers.
• Configure server-based AAA.
3.0 Implementing AAA on Cisco Devices
3.1 Implement AAA (authentication, authorization, accounting)
3.1.1 AAA using CCP on routers
3.1.2 AAA using CLI on routers and switches
3.1.3 AAA on ASA
3.2 Describe TACACS+
3.3 Describe RADIUS
3.4 Describe AAA
3.4.1 Authentication
3.4.2 Authorization
3.4.3 Accounting
3.5 Verify AAA functionality
• AAA is a critical task that involves securing network devices to limit who can access them and how they can access them, as well as to account for the actions taken while accessing them.
• Local AAA authentication is configured on a device-by-device basis and has some advantages over basic authentication against the local database (local authentication). Centralized or server-based AAA is a scalable enterprise solution for AAA.
• The Cisco solution for server-based AAA is Cisco Secure Access Control Server (CSACS).
• Server-based AAA can be implemented with RADIUS (standards-based protocol) or TACACS+ (Cisco-proprietary protocol). Each option has a number of defining qualities that differentiate one from the other.
• AAA can be configured using the CLI or CCP.
• AAA technology is required for the implementation of several other features, such as Cisco Easy VPN for remote-access.
• Chapter 3 Lab: Securing Administrative Access Using AAA and RADIUS
Part 1: Basic Network Device Configuration
Part 2: Configure Local Authentication
Part 3: Configure Local Authentication Using AAA
Part 4: Configure Centralized Authentication Using AAA and RADIUS
AAA – Authentication, authorization, and accounting
Authentication – Means of verifying approved person or device
Authorization – Delineation of resources available upon authentication
Accounting – Logging or documentation of actions taken by individual during authenticated session
Character mode – AAA access mode specified for accessing an EXEC mode process with the networking device for administrative purposes
Packet mode – AAA access mode for accessing network resources through the networking device
Local AAA authentication – AAA solution whereby a user is authenticated against the local username database; local AAA authentication is distinguished from local authentication in that it can be applied to all lines at once
Server-based AAA authentication – AAA authentication relying on a RADIUS or TACACS+ server
Authentication method – Method of authentication, such as the enable password, the local username database, or an authentication server; the default method applies to all lines
Method list – List of authentication, authorization, or accounting methods
CSACS – Cisco Secure Access Control Server; Cisco-proprietary software used on a network server to provide an enterprise AAA solution, supporting both TACACS+ and RADIUS
TACACS+ – Terminal Access Control Access Control Server Plus; Cisco-proprietary TCP-based protocol used in conjunction with a TACACS+ server for AAA support; uses TCP port 49; separates authentication and authorization; supports limited accounting
RADIUS – Remote Authentication Dial-in User Service; standards-based UDP-based protocol used in conjunction with a RADIUS server for AAA support; UDP ports 1645 or 1812 for authentication; UDP ports 1646 or 1813 for accounting; combines authentication and authorization into one process; supports extensive accounting
Diameter – AAA protocol; planned replacement for RADIUS; utilizes Stream Control Transmission Protocol (SCTP)
CHAP – Challenge-Handshake Authentication Protocol; more secure than PAP; requires both peers to know the secret; uses MD5 to avoid having to send the plaintext secret over the network
PAP – Password Authentication Protocol; validates users to allow access to network resources; plaintext password is sent over the network
LDAP – Lightweight Directory Access Protocol; application protocol for maintaining distributed directory information over IP
SecureX – Cisco architecture designed to enforce security policies across a distributed network, using Cisco Security Intelligence Operation (SIO)
SIO – Security Intelligence Operations; Cisco early warning intelligence, threat and vulnerability analysis system, with mitigation solutions to protect networks
TrustSec – Cisco solution to enable organizations to secure networks and services through identity-based access control; provides data integrity, confidentiality services, policy-based governance, and centralized monitoring, troubleshooting, and reporting services
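To make the CHAP and PAP glossary entries concrete, the following is an added teaching example (not code from the chapter or from Cisco) that models both PPP exchanges and inspects what actually crosses the link. CHAP follows RFC 1994, where the peer answers a random challenge with MD5(identifier || secret || challenge) and the authenticator recomputes the hash from its own copy of the secret. All usernames, secrets and the fixed challenges are constructed here.

```python
"""CHAP versus PAP on the wire (added example; constructed inputs only).

PAP puts the password itself in the Authenticate-Request, so the link carries
the secret. CHAP (RFC 1994) sends only a challenge and MD5(id || secret ||
challenge); both sides must hold the secret, but it never crosses the link.
"""
import hashlib
import hmac
import os


def pap_authenticate_request(username, password):
    """PAP: the peer sends the password in the clear; this is the on-wire content."""
    return {"peer-id": username, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the Identifier octet, the secret and the Challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(peer_secret, authenticator_secret, identifier=1, challenge=None):
    """Run one CHAP challenge/response and return (on_wire, accepted).

    on_wire holds every field that crosses the link; accepted is the
    authenticator's verdict, computed only from its own copy of the secret."""
    challenge = challenge if challenge is not None else os.urandom(16)
    # Peer side: answer the challenge with a hash, never with the secret itself.
    response = chap_response(identifier, peer_secret, challenge)
    on_wire = {"identifier": identifier, "challenge": challenge, "response": response}
    # Authenticator side: recompute from its own secret and compare in constant time.
    expected = chap_response(identifier, authenticator_secret, challenge)
    accepted = hmac.compare_digest(expected, on_wire["response"])
    return on_wire, accepted


def _to_bytes(value):
    """Normalise an on-wire field (bytes, int identifier or str) to bytes for inspection."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, int):
        return bytes([value])
    return str(value).encode()


def secret_visible_on_wire(on_wire, secret):
    """True if the secret appears verbatim in any field that crossed the link."""
    return any(secret in _to_bytes(v) for v in on_wire.values())


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"          # constructed, not a real credential
    pap = pap_authenticate_request("R1", SECRET.decode())
    print("PAP exposes the secret on the wire:", secret_visible_on_wire(pap, SECRET))
    wire, ok = chap_exchange(SECRET, SECRET)
    print("CHAP accepted:", ok, "| secret on the wire:", secret_visible_on_wire(wire, SECRET))
    _, ok_wrong = chap_exchange(b"wrong-secret", SECRET, challenge=wire["challenge"])
    print("CHAP with mismatched secret accepted:", ok_wrong)
```

The fresh random challenge is what makes a captured response useless for a later session: the same secret produces a different response for every challenge. The protocol still depends on both peers holding the shared secret, as the glossary notes, so its strength is bounded by how that secret is chosen and stored.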
802.1X – IEEE standard for port-based network access control; provides authentication mechanism for devices attaching to a LAN or WLAN
NAC – Feature designed to restrict access to network based on identity or security posture; can be configured for switches, routers, access points, or DHCP servers
CSACS Solution Engine – 1U rack-mountable, security-hardened appliance with pre-installed CSACS license used in organizations with more than 350 users
CSACS Express – 1U rack-mountable unit intended for 350 or less users
RSA – Rivest-Shamir-Adleman; algorithm for public-key cryptography
RSA SecurID – Two-factor authentication based on password or PIN and an authenticator
LEAP – Lightweight Extensible Authentication Protocol; Cisco-proprietary wireless authentication protocol; relies on RADIUS server
ODBC – Open Database Connectivity; standard C programming interface for database management
• Cisco Configuration Professional (CCP) has replaced SDM to do the following:
To configure AAA local authentication
To configure centralized authentication with AAA and RADIUS
• The chapter 3 lab introduces the major options for AAA configuration. Students use CLI and CCP tools to implement authentication both locally and centrally. Debug options for AAA are explored.
• This lab is divided into four parts. The local authentication part, the local authentication with AAA part, and the centralized authentication with RADIUS can be administered individually or in combination with the other parts as time permits. The main goal is to configure various types of user access authentication. R1 and R3 are on separate networks and communicate through R2, which simulates a connection to an ISP. Students can work in teams of two for router authentication configuration, one student configuring R1 and the other student configuring R3.
• Although switches are shown in the topology, students can omit the switches and use crossover cables between the PCs and routers R1 and R3.
• When introducing AAA, point out that there are a wide variety of methods of authenticating people and devices. Security protocols and security technologies are changing rapidly. The focus is on local authentication, local authentication with AAA, and centralized authentication with CSACS and RADIUS servers. A large organization requires a centralized mechanism for AAA.
• Use the Who, How, What mnemonic to explain AAA.
• Time permitting, discuss authentication options in general: biometrics, single sign-on, one-time password, PKI and digital certificates, security tokens, and smart cards. Many of these options are discussed at various points in the course.
• Emphasize that local AAA authentication has some advantages over local authentication.
Ask the students “What can be done with local AAA authentication that cannot be done with local authentication?”
Explain that local AAA authentication gives one the ability to configure all or multiple lines at one time.
• Make sure to clarify the difference between character mode and packet mode. Character mode is used with tty, vty, auxiliary, and console access, while packet mode is used with dial-up and VPN access.
Character mode uses the login, exec, and enable commands.
Packet mode uses the ppp and network commands.
• Emphasize that centralized or server-based AAA is scalable. It is not practical to replicate a local database on 100 networking devices.
• Compare and contrast TACACS+ and RADIUS:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
• Emphasize that when using method lists with AAA, the methods are accessed in sequence only if an error occurs. If there is an authentication failure, the next method is NOT invoked.
• The aaa new-model command enables AAA. All subsequent commands depend on this first step.
• The AAA syntax is inherently difficult to understand and the implementation is awkward. Make a point that the main idea is to provide flexibility with authentication and authorization options.
• To illustrate the power of AAA, conduct a demo with local AAA authentication to show how the vty and console lines are automatically secured with the default option.
Note that a named list must be applied to a particular line before that method works for that line; the default method applies to that line in the meantime.
• Demonstrate how incorrect AAA configuration can lock you out of a router:
Enable AAA local authentication prior to configuring a local username database.
• Show the AAA page in CCP to illustrate that AAA is enabled by default on CCP.
• Installing and configuring CSACS can be overwhelming. Use the two VoDs under Tools for this course at cisco.netacad.net to see how an expert makes it easy for you.
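The method-list rule above (a method is skipped only on an error, never on an authentication failure), the dependence on aaa new-model, the way a named list takes effect on a line only once it is applied, and the lockout demo can all be shown with the following added teaching example. It is not Cisco code and does not talk to a router: it parses a constructed IOS-style configuration fragment into method lists, resolves which list applies to a line, and walks the methods with the fall-through rule. The user database, the simulated RADIUS server and the configurations are all constructed here, and the local method is simplified to "any mismatch is a failure".

```python
"""Simplified model of Cisco IOS login method lists (added example, not Cisco code).

A method that returns ERROR (for example an unreachable RADIUS server) hands
over to the next method in the list; a method that returns FAIL (rejected
credentials) ends the attempt. Lines with no 'login authentication' use the
default list. Everything below is constructed for illustration.
"""

# Constructed config (assumption: a lab router such as R1 in the chapter 3 lab).
LAB_CONFIG = """
aaa new-model
username admin secret AdminPass123
aaa authentication login default group radius local
aaa authentication login CONSOLE-ONLY local
line con 0
 login authentication CONSOLE-ONLY
line vty 0 4
"""

# Constructed lockout scenario: AAA on, default list is local, no username defined.
LOCKOUT_CONFIG = """
aaa new-model
aaa authentication login default local
line vty 0 4
"""


def parse_config(text):
    """Return (aaa_enabled, users, method_lists, line_lists) from IOS-style config text."""
    aaa_enabled = False
    users = {}          # username -> password (kept in plaintext only in this model)
    method_lists = {}   # list name -> ordered methods, e.g. ['group radius', 'local']
    line_lists = {}     # line name ('vty 0 4') -> named list applied on that line
    current_line = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["aaa", "new-model"]:
            aaa_enabled = True
        elif tokens[0] == "username" and len(tokens) >= 4:
            users[tokens[1]] = tokens[3]             # username NAME secret PASSWORD
        elif tokens[:3] == ["aaa", "authentication", "login"]:
            name, rest, methods = tokens[3], tokens[4:], []
            i = 0
            while i < len(rest):
                if rest[i] == "group":               # 'group radius' / 'group tacacs+'
                    methods.append("group " + rest[i + 1])
                    i += 2
                else:                                # local, enable, none, ...
                    methods.append(rest[i])
                    i += 1
            method_lists[name] = methods
        elif tokens[0] == "line":
            current_line = " ".join(tokens[1:])
        elif tokens[:2] == ["login", "authentication"] and current_line:
            line_lists[current_line] = tokens[2]
    return aaa_enabled, users, method_lists, line_lists


def run_method(method, username, password, users, radius):
    """Outcome of one method: 'PASS', 'FAIL' or 'ERROR'.

    radius is the constructed server: None means unreachable, otherwise a
    username -> password dict of what the server would accept."""
    if method == "none":
        return "PASS"
    if method == "local":
        # Simplified: any mismatch, including an empty database, is a FAIL.
        return "PASS" if users.get(username) == password else "FAIL"
    if method == "group radius":
        if radius is None:
            return "ERROR"                           # no answer: fall through
        return "PASS" if radius.get(username) == password else "FAIL"
    return "ERROR"                                   # method not modelled here


def authenticate(config_text, line_name, username, password, radius=None):
    """Evaluate the list that applies to line_name. Returns (result, trace)."""
    aaa_enabled, users, method_lists, line_lists = parse_config(config_text)
    if not aaa_enabled:
        raise ValueError("aaa new-model is missing: method lists are not in effect")
    list_name = line_lists.get(line_name, "default")
    trace = []
    for method in method_lists.get(list_name, []):
        outcome = run_method(method, username, password, users, radius)
        trace.append((method, outcome))
        if outcome != "ERROR":
            return outcome, trace                    # PASS or FAIL ends the list
    return "FAIL", trace                             # nothing could authenticate


if __name__ == "__main__":
    # vty: RADIUS unreachable, so local takes over
    print(authenticate(LAB_CONFIG, "vty 0 4", "admin", "AdminPass123"))
    # vty: RADIUS rejects, so local is never consulted
    print(authenticate(LAB_CONFIG, "vty 0 4", "admin", "AdminPass123", {"admin": "x"}))
    # console uses its named list and ignores RADIUS entirely
    print(authenticate(LAB_CONFIG, "con 0", "admin", "AdminPass123", {"admin": "x"}))
    # the lockout: default list is local but no username exists
    print(authenticate(LOCKOUT_CONFIG, "vty 0 4", "admin", "anything"))
```

Run it and compare the four traces: the second shows why a RADIUS rejection is final even though local is listed next, and the fourth is the lockout from the demo above, where the default list is already protecting the vty lines before any username exists.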
• Ask students what they think the advantages of centralized authentication are.
Possible answers include saving time over the long term, enhanced security, scalability, and ease of control and management.
• Discuss authentication methods in general and ask an open-ended question to students about what can be done to enhance authentication, especially given that more of our lives are connected with the Internet over time.
See http://www.csoonline.com/article/655483/report-breaches-in-the-cloud-illustrate-need-for-stronger-authentication for discussion points.
• There are many examples of security breaches that have occurred in the news lately. Ask students to research some of these and report back on how they could have been deterred better.
http://en.wikipedia.org/wiki/Password#Incidents
• Lead by example as a network engineer. Use sophisticated password rules and ask users to do the same.
• Every protocol that has an MD5 option or stronger (RIPv2, NTP, etc.) should implement that option. If there is an option for authentication and encryption, use both.
• Wireless LANs are the ideal stage for authentication scenarios because they are the most vulnerable. Secure your network as if it were as vulnerable as a WLAN.
• http://en.wikipedia.org/wiki/AAA_protocol
• http://www.nytimes.com/2010/01/21/technology/21password.html
• http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-usr-aaa-15-2mt-book.html
• https://www.infosecisland.com/blogview/14756-AAA-Security-Troubleshooting.html