Implementing AAA in Cisco IOS

Question 1

The 3 As of AAA

Answer 1

Authentication - who is allowed
Authorization - what are they allowed to
Accounting - what did they do

Question 2

2 methods of implementing AAA on cisco

Answer 2

1. Local AAA Authentication

2. Server-Based AAA Authentication

Question 3

Local AAA Authentication

Answer 3

Local AAA uses a local database for authentication. This method stores usernames and passwords locally in the cisco router ASA
-aka self-contained authentication

Question 4

Server-based AAA Authentication

Answer 4

The server-based method uses an external database server resource that leverages RADIUS or TACACS+ protocols.
Examples include Cisco secure access control server (ACS) for windows server, Cisco secure ACS solution engine, or cisco secure ACS express. If there are multiple routers, server-based AAA is more appropriate

Question 5

Access Types/Modes

Answer 5

Character Mode/Remote administrative access:
A user sends a request to establish an EXEC mode process with the router for administrative purposes.

Packet Mode/Remote Network Access:
A user sends a request to establish a connection through the router with a device on the network.

Question 6

AAA Authorization

Answer 6

after a user has been authenticated a session is established with the AAA server and the router requests authorization for the requested service from the AAA server. The AAA server returns a PASS/FAIL for authorization.

Basically what users can and cannot do on the network.

Question 7

AAA Accounting

Answer 7

When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. when the user finishes a stop message is recorded and the accounting process ends.

Accounting provides more security than just authentication. The AAA servers keep a detailed log of exactly what the authenticated user does on the device

Question 8

AAA Accounting Functions

Answer 8

Network accounting
connection accounting
EXEC accounting
System accounting
Command Accounting
Resource Accounting

Question 9

Resource Accounting

Answer 9

The Cisco implementation of AAA accounting captures “start” and “stop” record support for calls that have passed user authentication. The additional feature of generating “stop” records for calls that fail to authenticate as part of user authentication is also supported. Such records are necessary for users employing accounting records to manage and monitor their networks.

Question 10

Command Accounting

Answer 10

Command accounting captures information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.

Question 11

System Accounting

Answer 11

System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).

Question 12

EXEC Accounting

Answer 12

EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.

Question 13

Connection Accounting

Answer 13

Connection accounting captures information about all outbound connections made from the AAA client, such as Telnet or SSH.

Question 14

Network Accounting

Answer 14

Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.

Question 15

Enable AAA locally on a Cisco router

Answer 15

• Secure access to privileged-EXEC mode.
• Enable AAA globally on the perimeter router with the “AAA new-model” command
• configure AAA authentication lists
• configure AAA authorization to use after the user has passed authentication
• configure the AAA accounting options for how you want to write accounting records

Question 16

Commands on Cisco router to enable AAA Locally

Answer 16

#username **** secret ***
#username ***** secret ****
#aaa new-model
#aaa authentication login default local-case
#aaa local authentication attempts max-fail 10

Question 17

Cisco secret levels

Answer 17

0 - specifies unencrypted password will follow
5 - specifies a MD5 hashed secret will follow
8 - specififes a PBKDF2 Hashed secret will follow
9 - specifies a Scrypt hashed secret will follow

Question 18

algorithm-type command

Answer 18

username ** algorithm-type scrypt secret P@55w0rd

Question 19

Method Lists

Answer 19

• Is a sequential list that defines the authentication methods used to authenticate a user
• Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication.

Question 20

aaa authentication login default enable

Answer 20

specify the enable password as the login authentication method

Question 21

aaa authentication login default local

Answer 21

specify that the Cisco router or access server will use the local username database for authentication

Question 22

aaa authentication login console-in local

Answer 22

this command specifies the login authentication method list named “console-in” using the local username-password database on the router

Question 23

aaa authentication enable default group tacacs+

Answer 23

specifies tacacs+ as the login authentication method

Question 24

aaa authorization commands 1 alpha local

Answer 24

The local username database is used to authorize all level 1 commands for the alpha method list

Question 25

aaa authorization commands 15 bravo local

Answer 25

The local username database is used to authorize all level 15 commands for the bravo method list

Question 26

aaa authorization network charlie local none

Answer 26

The local username database is used to authorize all network services, such as SLIP, PPP, and ARAP (Apple), for the method list charlie. If no local username is defined, this command does not perform authorization, and the user can access all network services.

Question 27

aaa author exec delta if-authenticated

Answer 27

If the user has already been authenticated, this command allows the user to run the EXEC process

Question 28

AAA accounting command

Answer 28

aaa accounting {auth-proxy | system | network | exec | connection | commands level | dot1x} {default | list-name | guarantee-first} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] {radius | group group-name}

Question 29

Troubleshooting aaa using debug commands

Answer 29

#debug aaa authentication
#debug aaa authorization
#debug aaa accounting

Question 30

3 critical factors for TACACS+

Answer 30

• seperates authentication and authorization
• encrypts all communication
• utilizes TCP port 49

Question 31

4 critical factors for radius

Answer 31

• radius combines authentication and authorization as one process
• encrypts only the password
• utilizes udp
• supports remote-access technologies, 802.1x and session initiation protocol(sip)

Question 32

RADIUS protocol

Answer 32

• Combines authentication and authorization
• udp ports 1645 or 1812 for authentication
• udp ports 1646 or 1813 for accounting

Question 33

4 features of Cisco Identity Services Engine (ISE)

Answer 33

1. Guest Management - grants and enforces temporary access for guest users
2. AAA - combines authentication, authorization, accounting into one appliance with device profiling, posture assessment and guest management capability.
3. Device profiling - this can be used to determine whether it is a personal or corporate device
4. Posture assessment - determines if the device is clean of viruses and suspicious application before entering the network. Posture assessment can also make sure that a device’s antivirus software s up to date

Question 34

Configuring server-based AAA authentication

Answer 34

1 Globally enable AA to allow the use of all AAA elements (#aaa new-model)
2. Specify the Cisco secure ACS that whill provide AAA services for the router
3. configure the encryption key needed to encrypt the data transfer between the network access server and cisco secure acs
4 configure the aaa authentication method list to reder to the TACACS+ or RADIUS server

Question 35

configuring Radius Server

Answer 35

#aaa new-model
#radius server *SERVER-R*
#address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
#key *RADIUS-password*
#exit