Implementing AAA in Cisco IOS Flashcards

1
Q

The 3 As of AAA

A

Authentication - who is allowed in
Authorization - what they are allowed to do
Accounting - what they did

2
Q

2 methods of implementing AAA on Cisco

A
1. Local AAA Authentication
2. Server-Based AAA Authentication

3
Q

Local AAA Authentication

A

Local AAA uses a local database for authentication. This method stores usernames and passwords locally on the Cisco router or ASA (also known as self-contained authentication).

4
Q

Server-based AAA Authentication

A

The server-based method uses an external database server that is reached with the RADIUS or TACACS+ protocol.
Examples include Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, and Cisco Secure ACS Express. If there are multiple routers, server-based AAA is more appropriate.

5
Q

Access Types/Modes

A

Character Mode/Remote administrative access:
A user sends a request to establish an EXEC mode process with the router for administrative purposes.

Packet Mode/Remote Network Access:
A user sends a request to establish a connection through the router with a device on the network.

6
Q

AAA Authorization

A

After a user has been authenticated, a session is established with the AAA server and the router requests authorization for the requested service from the AAA server. The AAA server returns a PASS/FAIL for authorization.

Basically what users can and cannot do on the network.

7
Q

AAA Accounting

A

When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. When the user finishes, a stop message is recorded and the accounting process ends.

Accounting provides more security than authentication alone. The AAA servers keep a detailed log of exactly what the authenticated user does on the device.

8
Q

AAA Accounting Functions

A
Network accounting
Connection accounting
EXEC accounting
System accounting
Command accounting
Resource accounting

9
Q

Resource Accounting

A

The Cisco implementation of AAA accounting captures “start” and “stop” record support for calls that have passed user authentication. The additional feature of generating “stop” records for calls that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks.

10
Q

Command Accounting

A

Command accounting captures information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

11
Q

System Accounting

A

System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).

12
Q

EXEC Accounting

A

EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.

13
Q

Connection Accounting

A

Connection accounting captures information about all outbound connections made from the AAA client, such as Telnet or SSH.

14
Q

Network Accounting

A

Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.

15
Q

Enable AAA locally on a Cisco router

A
  • Secure access to privileged EXEC mode.
  • Enable AAA globally on the perimeter router with the “aaa new-model” command.
  • Configure AAA authentication method lists.
  • Configure AAA authorization to be applied after the user has passed authentication.
  • Configure the AAA accounting options for how accounting records should be written.

16
Q

Commands on Cisco router to enable AAA Locally

A
#username **** secret ***
#username ***** secret ****
#aaa new-model
#aaa authentication login default local-case
#aaa local authentication attempts max-fail 10
17
Q

Cisco secret levels

A

0 - specifies that an unencrypted (plaintext) password will follow
5 - specifies that an MD5 hashed secret will follow
8 - specifies that a PBKDF2 hashed secret will follow
9 - specifies that a scrypt hashed secret will follow

18
Q

algorithm-type command

A

username ** algorithm-type scrypt secret P@55w0rd

19
Q

Method Lists

A
  • A sequential list that defines the authentication methods used to authenticate a user.
  • Method lists let you designate one or more security protocols to be used for authentication, which provides a backup system for authentication.
20
Q

aaa authentication login default enable

A

Specifies the enable password as the login authentication method.

21
Q

aaa authentication login default local

A

Specifies that the Cisco router or access server will use the local username database for authentication.

22
Q

aaa authentication login console-in local

A

This command defines the login authentication method list named “console-in”, which uses the local username and password database on the router.

23
Q

aaa authentication enable default group tacacs+

A

Specifies TACACS+ as the login authentication method.

24
Q

aaa authorization commands 1 alpha local

A

The local username database is used to authorize all level 1 commands for the method list named alpha.

25
Q

aaa authorization commands 15 bravo local

A

The local username database is used to authorize all level 15 commands for the method list named bravo.

26
Q

aaa authorization network charlie local none

A

The local username database is used to authorize all network services, such as SLIP, PPP, and ARAP (Apple), for the method list charlie. If no local username is defined, this command does not perform authorization, and the user can access all network services.

27
Q

aaa author exec delta if-authenticated

A

If the user has already been authenticated, this command allows the user to run the EXEC process.

28
Q

AAA accounting command

A

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

29
Q

Troubleshooting AAA using debug commands

A
#debug aaa authentication
#debug aaa authorization
#debug aaa accounting
30
Q

3 critical factors for TACACS+

A
  • Separates authentication and authorization
  • Encrypts all communication
  • Uses TCP port 49
31
Q

4 critical factors for RADIUS

A
  • RADIUS combines authentication and authorization into one process
  • Encrypts only the password
  • Uses UDP
  • Supports remote-access technologies, 802.1X and Session Initiation Protocol (SIP)
32
Q

RADIUS protocol

A
  • Combines authentication and authorization
  • UDP port 1645 or 1812 for authentication
  • UDP port 1646 or 1813 for accounting
33
Q

4 features of Cisco Identity Services Engine (ISE)

A
  1. Guest Management - grants and enforces temporary access for guest users
  2. AAA - combines authentication, authorization and accounting into one appliance with device profiling, posture assessment and guest management capability
  3. Device profiling - can be used to determine whether a device is personal or corporate
  4. Posture assessment - determines whether a device is free of viruses and suspicious applications before it enters the network. Posture assessment can also make sure that a device’s antivirus software is up to date
34
Q

Configuring server-based AAA authentication

A

1. Globally enable AAA to allow the use of all AAA elements (#aaa new-model)
2. Specify the Cisco Secure ACS that will provide AAA services for the router
3. Configure the encryption key needed to encrypt the data transfer between the network access server and Cisco Secure ACS
4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server

35
Q

Configuring a RADIUS server

A
#aaa new-model
#radius server *SERVER-R*
#address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
#key *RADIUS-password*
#exit