Implementing AAA in Cisco IOS Flashcards
The 3 As of AAA
Authentication - who is allowed in (verifies the identity of the user)
Authorization - what they are allowed to do once authenticated
Accounting - what they did (an audit trail of the session)
2 methods of implementing AAA on Cisco
1. Local AAA Authentication
2. Server-Based AAA Authentication
Local AAA Authentication
Local AAA uses a local database for authentication: the usernames and passwords are stored on the Cisco router or ASA itself, so it does not scale beyond a handful of devices.
- aka self-contained authentication
Server-based AAA Authentication
The server-based method uses an external AAA server that the device reaches with the RADIUS or TACACS+ protocol.
Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express (the ACS line has been succeeded by Cisco ISE). If there are multiple routers, server-based AAA is more appropriate because credentials and policy are managed in one place instead of on every device.
Access Types/Modes
Character Mode/Remote administrative access:
A user requests an EXEC session with the router (console, aux, or a vty line via SSH or Telnet) for administrative purposes.
Packet Mode/Remote Network Access:
A user requests a connection through the router to a device on the network (for example a PPP or 802.1X network-access session).
AAA Authorization
After a user has been authenticated, a session is established with the AAA server and the router requests authorization for the requested service. The AAA server returns PASS or FAIL for the authorization request.
Basically, what users can and cannot do on the device or network.
AAA Accounting
When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. When the user finishes, a stop message is recorded and the accounting process ends.
Accounting complements authentication rather than replacing it: the AAA server keeps a detailed log of exactly what the authenticated user did on the device, which is the audit trail needed for incident response and compliance.
AAA Accounting Functions
- Network accounting
- Connection accounting
- EXEC accounting
- System accounting
- Command accounting
- Resource accounting
Resource Accounting
The Cisco implementation of AAA accounting captures “start” and “stop” record support for calls that have passed user authentication. The additional feature of generating “stop” records for calls that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks.
Command Accounting
Command accounting captures information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.
System Accounting
System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
EXEC Accounting
EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.
Connection Accounting
Connection accounting captures information about all outbound connections made from the AAA client, such as Telnet or SSH.
Network Accounting
Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.
Enable AAA locally on a Cisco router
- Secure access to privileged-EXEC mode (enable secret) and create at least one local username first; once AAA is enabled the vty lines default to local authentication, so a device with no local user can lock you out
- Enable AAA globally on the perimeter router with the aaa new-model command
- Configure AAA authentication method lists
- Configure AAA authorization to use after the user has passed authentication
- Configure the AAA accounting options for how you want to write accounting records
Commands on Cisco router to enable AAA Locally
#username **** secret ***
#username ***** secret ****
#aaa new-model
#aaa authentication login default local-case
#aaa local authentication attempts max-fail 10
(local-case makes the username check case-sensitive; max-fail 10 locks a local account after ten failed attempts, cleared with clear aaa local user lockout)
Cisco secret levels
0 - specifies that an unencrypted (plaintext) password will follow
5 - specifies that an MD5-based (md5-crypt) hash will follow; deprecated, fast to crack offline
8 - specifies that a PBKDF2-SHA256 hash will follow
9 - specifies that a scrypt hash will follow (recommended)
algorithm-type command (selects the hash type when the secret is entered; the running-config then shows secret 9 followed by the hash)
username ** algorithm-type scrypt secret P@55w0rd
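The type 8 and type 9 formats above can be generated and checked off-box, which is useful when auditing a running-config or pre-seeding credentials. The following is an added example, not part of the flashcards: it uses the publicly known parameters implemented by the common cracking tools (type 8 = PBKDF2-HMAC-SHA256 with 20000 iterations, type 9 = scrypt with N=16384, r=1, p=1, both with a 14-character salt and a 32-byte digest in Cisco's crypt-style alphabet). The function names and the sample password are my own choices.

```python
"""Generate and verify Cisco IOS type 8 and type 9 secrets.

Added example, not from the flashcards. Parameters are the publicly known ones:
type 8 = PBKDF2-HMAC-SHA256, 20000 iterations; type 9 = scrypt N=2^14, r=1, p=1.
Both use a 14-character salt and a 32-byte digest encoded with the crypt(3)
itoa64 alphabet in standard base64 bit order (43 characters, no padding).
Type 0 (plaintext) and type 5 (md5-crypt, deprecated) are deliberately rejected.
"""
import base64
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_TO_CISCO = str.maketrans(STD_B64, ITOA64)
SALT_LEN = 14


def cisco_b64(digest: bytes) -> str:
    """Standard base64 re-mapped to Cisco's alphabet, '=' padding removed."""
    return base64.b64encode(digest).decode().translate(_TO_CISCO).rstrip("=")


def new_salt() -> str:
    """14 random characters drawn from the same alphabet as the hash."""
    return "".join(secrets.choice(ITOA64) for _ in range(SALT_LEN))


def type8(password: str, salt: str = "") -> str:
    """$8$<salt>$<hash>: PBKDF2-HMAC-SHA256, 20000 iterations, 32-byte key."""
    salt = salt or new_salt()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000, dklen=32)
    return f"$8${salt}${cisco_b64(digest)}"


def type9(password: str, salt: str = "") -> str:
    """$9$<salt>$<hash>: scrypt N=16384, r=1, p=1, 32-byte key (memory-hard, preferred)."""
    salt = salt or new_salt()
    digest = hashlib.scrypt(password.encode(), salt=salt.encode(), n=16384, r=1, p=1, dklen=32)
    return f"$9${salt}${cisco_b64(digest)}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time.

    Only types 8 and 9 are accepted; a type 0 or type 5 string returns False so
    that an audit script cannot silently accept a weak secret.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "":
        return False
    _, kind, salt, _ = parts
    if kind == "8":
        candidate = type8(password, salt)
    elif kind == "9":
        candidate = type9(password, salt)
    else:
        return False
    return hmac.compare_digest(candidate, stored)


def username_line(user: str, password: str) -> str:
    """Running-config form: 'algorithm-type scrypt' is typed, IOS stores 'secret 9 <hash>'."""
    return f"username {user} secret 9 {type9(password)}"


if __name__ == "__main__":
    line = username_line("admin", "P@55w0rd")      # sample credential, constructed
    print(line)
    print("verify ok:", verify("P@55w0rd", line.split()[-1]))
```

Because the salt is random, two type 9 strings for the same password differ; `verify` therefore re-derives the hash with the salt taken from the stored string rather than comparing to a freshly generated one.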
Method Lists
- A sequential list that defines the authentication methods used to authenticate a user
- Method lists let you designate one or more security protocols (methods) to try in order, which gives you a backup: IOS moves to the next method only when the previous one returns an error (for example, the server does not respond), not when it rejects the user
aaa authentication login default enable
specifies the enable password as the default login authentication method
aaa authentication login default local
specify that the Cisco router or access server will use the local username database for authentication
aaa authentication login console-in local
this command defines the login authentication method list named “console-in” using the local username-password database on the router; it takes effect only once a line applies it with login authentication console-in
aaa authentication enable default group tacacs+
specifies the TACACS+ server group as the default method for authenticating access to privileged EXEC (the enable command); this is an enable list, not a login list
aaa authorization commands 1 alpha local
The local username database is used to authorize all level 1 commands for the alpha method list
aaa authorization commands 15 bravo local
The local username database is used to authorize all level 15 commands for the bravo method list
aaa authorization network charlie local none
The local username database is used to authorize all network services, such as SLIP, PPP, and ARAP (Apple), for the method list charlie. If no local username is defined, the trailing none method applies: no authorization is performed and the user can access all network services, so none is a deliberate fail-open and should be avoided on production lists.
aaa authorization exec delta if-authenticated
If the user has already been authenticated, this command allows the user to run the EXEC process (the method list is named delta)
AAA accounting command
aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}
Troubleshooting aaa using debug commands
#debug aaa authentication
#debug aaa authorization
#debug aaa accounting
3 critical factors for TACACS+
- separates authentication and authorization (and accounting) into independent exchanges
- encrypts the entire packet body (the 12-byte header stays in cleartext) with a legacy MD5-based pseudo-pad, so it should still be carried over a protected management network
- utilizes TCP port 49
4 critical factors for RADIUS
- RADIUS combines authentication and authorization into one exchange (accounting is a separate exchange)
- encrypts only the password (the User-Password attribute); the username and other attributes are sent in cleartext
- utilizes UDP
- supports remote-access technologies, 802.1X and Session Initiation Protocol (SIP)
RADIUS protocol
- Combines authentication and authorization
- UDP port 1812 for authentication (1645 is the legacy port)
- UDP port 1813 for accounting (1646 is the legacy port)
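The two protocol cards above differ in what a passive sniffer on the path can read. The following is an added example, not part of the flashcards: it implements the User-Password hiding of RFC 2865 section 5.2 and the body obfuscation of RFC 8907 section 4.5 and then checks which fields of each packet are visible in the clear. The shared secrets, username, password, port and session id are constructed sample values.

```python
"""Show what RADIUS and TACACS+ each hide on the wire.

Added example, not from the flashcards. Implements the User-Password hiding of
RFC 2865 section 5.2 and the body obfuscation of RFC 8907 section 4.5; the shared
secrets, usernames, passwords and session id are constructed sample values.
Both schemes are MD5 pseudo-pads, not modern encryption: RADIUS hides only the
User-Password attribute, TACACS+ hides the whole body but not its 12-byte header.
"""
import hashlib
import os
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS (RFC 2865 s5.2): only the User-Password attribute is hidden ----
def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """c1 = p1 XOR MD5(S + RA); c_i = p_i XOR MD5(S + c_{i-1}); p padded with NULs to 16."""
    if len(authenticator) != 16 or not 1 <= len(password) <= 128:
        raise ValueError("authenticator must be 16 bytes, password 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password; the NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def radius_access_request(username: bytes, password: bytes, secret: bytes,
                          ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Access-Request (code 1) carrying User-Name (type 1) and User-Password (type 2)."""
    authenticator = authenticator or os.urandom(16)   # Request Authenticator, 16 random bytes
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = (struct.pack("!BB", 1, 2 + len(username)) + username
             + struct.pack("!BB", 2, 2 + len(hidden)) + hidden)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


# ---- TACACS+ (RFC 8907 s4.5): the whole body is XORed with an MD5 pseudo-pad ----
TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01


def tacacs_pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id|key|version|seq_no); MD5_n = MD5(session_id|key|version|seq_no|MD5_{n-1})."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes, password: bytes) -> bytes:
    """Authentication START body for PAP: action LOGIN(1), priv_lvl 1, authen_type PAP(2), service LOGIN(1)."""
    return (struct.pack("!8B", 1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password))
            + user + port + rem_addr + password)


def tacacs_packet(body: bytes, key: bytes, session_id: int, seq_no: int = 1) -> bytes:
    """12-byte cleartext header followed by the obfuscated body."""
    pad = tacacs_pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + _xor(body, pad)


def tacacs_body(packet: bytes, key: bytes) -> bytes:
    """Recover the body; every header field the pad needs is readable by anyone on the path."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return _xor(body, tacacs_pseudo_pad(session_id, key, version, seq_no, length))


def on_the_wire(username: bytes, password: bytes) -> dict:
    """Which fields a passive sniffer without the shared secret can read directly."""
    radius = radius_access_request(username, password, b"RADIUS-password")
    tacacs = tacacs_packet(tacacs_authen_start(username, b"tty0", b"10.0.0.5", password),
                           b"TACACS-key", session_id=0x11223344)
    return {
        "radius_username_visible": username in radius,
        "radius_password_visible": password in radius,
        "tacacs_username_visible": username in tacacs,
        "tacacs_password_visible": password in tacacs,
        "tacacs_session_id_visible": struct.unpack("!I", tacacs[4:8])[0] == 0x11223344,
    }


if __name__ == "__main__":
    for field, visible in on_the_wire(b"alice", b"P@55w0rd").items():
        print(f"{field}: {visible}")
```

Note that both pads are derived from the shared secret with MD5; a captured exchange can be attacked offline by guessing the secret, which is why the secret should be long and random and why the traffic belongs on a dedicated management network or inside IPsec.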
4 features of Cisco Identity Services Engine (ISE)
- Guest Management - grants and enforces temporary access for guest users
- AAA - combines authentication, authorization and accounting in one appliance, together with device profiling, posture assessment and guest management
- Device profiling - identifies the type of endpoint, for example whether it is a personal or corporate device
- Posture assessment - determines whether the device is free of viruses and suspicious applications before it enters the network; posture assessment can also check that a device's antivirus software is up to date
Configuring server-based AAA authentication
1. Globally enable AAA to allow the use of all AAA elements (#aaa new-model)
2. Specify the Cisco Secure ACS (or other RADIUS/TACACS+ server) that will provide AAA services for the router
3. Configure the shared key used to protect the data transfer between the network access server and the AAA server; it must match the key configured on the server
4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server, keeping local as a fallback method in case the server is unreachable
Configuring a RADIUS server
#aaa new-model
#radius server *SERVER-R*
#address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
#key *RADIUS-password*
#exit
(this defines the server only; step 4 above, a login method list that references the RADIUS group, is still needed before the router uses it)
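The local-AAA steps, the method-list cards, the accounting command and the server-based configuration above all end up as lines in the running-config, so the natural check is to audit that text. The following is an added example, not part of the flashcards: `audit` applies plain line-pattern checks to `show running-config` output, and the two embedded configs are constructed samples (the hashes and the RADIUS key are placeholders). WEAK collects the mistakes a reviewer should catch, including the fail-open `none` methods and a list with no local fallback; HARDENED is the corrected equivalent and produces no findings.

```python
"""Audit an IOS running-config excerpt for the AAA settings covered on this page.

Added example, not from the flashcards. WEAK and HARDENED are constructed sample
configs (the hashes and the RADIUS key are placeholders): WEAK collects the mistakes
a reviewer should catch, HARDENED the corrected equivalent. Plain line-pattern
checks over `show running-config` text; nothing touches a device.
"""
import re

WEAK = """\
aaa new-model
username admin password 7 094F471A1A0A
enable password cisco123
aaa authentication login default group radius
aaa authentication login console-in none
aaa authorization exec default group radius none
radius server SERVER-R
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key RADIUS-password
line vty 0 4
 login authentication remote-in
"""

HARDENED = """\
aaa new-model
aaa local authentication attempts max-fail 10
username admin secret 9 $9$xxxxxxxxxxxxxx$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
enable secret 9 $9$xxxxxxxxxxxxxx$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
aaa authentication login default group radius local
aaa authentication login console-in local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa authorization commands 15 default group radius local
aaa accounting exec default start-stop group radius
aaa accounting commands 15 default start-stop group radius
radius server SERVER-R
 address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
 key RADIUS-password
line con 0
 login authentication console-in
line vty 0 4
 login authentication default
"""

USER_RE = re.compile(r"^username (\S+) (?:.*? )?(password|secret)(?: (\d))? \S+$", re.M)
LOGIN_RE = re.compile(r"^aaa authentication login (\S+) (.+)$", re.M)
AUTHZ_RE = re.compile(r"^aaa authorization (commands \d+|\S+) (\S+) (.+)$", re.M)
APPLY_RE = re.compile(r"^ login authentication (\S+)$", re.M)


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model missing: AAA is not enabled")
    if not re.search(r"^aaa local authentication attempts max-fail \d+$", config, re.M):
        findings.append("no lockout after failed local logins (aaa local authentication attempts max-fail)")
    for user, kw, typ in USER_RE.findall(config):
        typ = typ or "0"                      # 'username x password y' is type 0
        if kw == "password" or typ in ("0", "7"):
            findings.append(f"username {user}: type {typ} {kw} is plaintext or reversible; use secret 8 or 9")
        elif typ == "5":
            findings.append(f"username {user}: type 5 (md5-crypt) is deprecated; use secret 8 or 9")
    if re.search(r"^enable password ", config, re.M):
        findings.append("enable password in use (type 0/7); replace with enable secret 9")
    login_lists = {}
    for name, methods in LOGIN_RE.findall(config):
        methods = methods.split()
        login_lists[name] = methods
        if "none" in methods:
            findings.append(f"login list {name}: 'none' allows access without authentication")
        if "group" in methods and "local" not in methods:
            findings.append(f"login list {name}: no local fallback if the AAA server is unreachable")
    for kind, name, methods in AUTHZ_RE.findall(config):
        if methods.split()[-1] == "none":
            findings.append(f"authorization {kind} list {name}: trailing 'none' grants access when other methods fail")
    if not re.search(r"^aaa accounting (exec|commands \d+) ", config, re.M):
        findings.append("no EXEC or command accounting: administrator actions leave no audit trail")
    for name in APPLY_RE.findall(config):       # a line applying a list that was never defined
        if name != "default" and name not in login_lists:
            findings.append(f"a line applies login list {name}, which is not defined")
    return findings


if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(f"{label}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  -", finding)
```

The fallback check is deliberately one-sided: a server-only login list is flagged, but `local` as a trailing method is accepted because IOS only reaches it when the server returns an error, not when it rejects the user.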