Implementing AAA in Cisco IOS Flashcards
The 3 As of AAA
Authentication - who is allowed
Authorization - what are they allowed to do
Accounting - what did they do
2 methods of implementing AAA on Cisco
1. Local AAA Authentication
2. Server-Based AAA Authentication
Local AAA Authentication
Local AAA uses a local database for authentication. This method stores usernames and passwords locally on the Cisco router or ASA.
- aka self-contained authentication
Server-based AAA Authentication
The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols.
Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.
Access Types/Modes
Character Mode/Remote administrative access:
A user sends a request to establish an EXEC mode process with the router for administrative purposes.
Packet Mode/Remote Network Access:
A user sends a request to establish a connection through the router with a device on the network.
AAA Authorization
After a user has been authenticated, a session is established with the AAA server and the router requests authorization for the requested service from the AAA server. The AAA server returns a PASS/FAIL for authorization.
Basically what users can and cannot do on the network.
AAA Accounting
When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. When the user finishes, a stop message is recorded and the accounting process ends.
Accounting provides more security than just authentication. The AAA servers keep a detailed log of exactly what the authenticated user does on the device.
AAA Accounting Functions
- Network accounting
- Connection accounting
- EXEC accounting
- System accounting
- Command accounting
- Resource accounting
Resource Accounting
The Cisco implementation of AAA accounting captures “start” and “stop” record support for calls that have passed user authentication. The additional feature of generating “stop” records for calls that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks.
Command Accounting
Command accounting captures information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.
System Accounting
System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
EXEC Accounting
EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.
Connection Accounting
Connection accounting captures information about all outbound connections made from the AAA client, such as Telnet or SSH.
Network Accounting
Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.
Enable AAA locally on a Cisco router
- Secure access to privileged-EXEC mode.
- Enable AAA globally on the perimeter router with the "aaa new-model" command.
- Configure AAA authentication lists.
- Configure AAA authorization to use after the user has passed authentication.
- Configure the AAA accounting options for how you want to write accounting records.