Textbook Notes Flashcards

1
Q

Device Administration AAA

A

Device administration is a method of AAA for controlling access to a network device console, Telnet session, Secure Shell session, or device operating system for the purpose of configuration

2
Q

AAA

A

AAA (Authentication, Authorization, and Accounting)

  • Authentication: Who the entity actually is. Involves validating an identity or credential
  • Authorization: Is the entity authorized to perform that action
  • Accounting: Logs of what action the entity performed
3
Q

TACACS+

A

TACACS+

  • Terminal Access Controller Access-Control System
  • TACACS+ was created by Cisco and is not backward compatible with the original TACACS
  • Was not supported by Cisco ISE until version 2.0
  • Was designed for device administration AAA, to authenticate and authorize users into mainframe and UNIX terminals and other terminals or consoles
  • TACACS+ is mainly used for device administration AAA
  • Uses port 49 and TCP
  • Encrypts the entire packet
  • Able to separate authentication, authorization, and accounting as separate and independent functions. This is why TACACS+ is so commonly used for device administration, even though RADIUS is still certainly capable of providing device administration AAA
  • TACACS+ uses TCP port 49 to communicate between the TACACS+ client and the TACACS+ server
4
Q

RADIUS

A

RADIUS

  • Client/server-based model, where the client initiates requests to the server. RADIUS is the protocol of choice for network access AAA. If you connect to a secure wireless network regularly, RADIUS is most likely being used between the wireless device and the AAA server because RADIUS is the transport protocol for Extensible Authentication Protocol (EAP), as well as for many other authentication protocols.
  • Authentication and authorization are not separated in a RADIUS transaction
  • UDP 1812 (authentication) and 1813 (accounting)
  • IETF standard for AAA
  • Carries authentication traffic from the network device to the authentication server
  • With IEEE 802.1X, RADIUS is used to extend the Layer 2 EAP from the end user to the authentication server
5
Q

Extensible Authentication Protocol (EAP)

A
  • IEEE standardized on a method to use Extensible Authentication Protocol (EAP) over local-area networks (IEEE 802.1X) using RADIUS to carry the authentication traffic. In fact, IEEE 802.1X cannot use TACACS; it must use RADIUS
6
Q

TACACS+ Authentication Messages

A
7
Q

Attribute/Value Pair (AV Pair)

A

When communicating with an AAA protocol, many attributes can be referenced to clearly indicate answers or results. A RADIUS server may assign an attribute to the authentication session, such as for a VLAN. In this case, the VLAN placeholder is the attribute, and the assigned VLAN number is the value for that placeholder. The attribute in the AAA communication and its assigned value are paired together and referred to as an attribute/value pair (AV pair). Figure 1-9 illustrates the concept of AV pairs by using a table with attribute and value columns to represent the pairings.

8
Q

Change of Authorization (CoA)

A
  • RFC 5176 Dynamic Authorization Extensions to RADIUS (a/k/a CoA)
  • CoA allows a RADIUS server to initiate a conversation with a network device and disconnect a user’s session, bounce the port, or even tell the device to re-authenticate the user
9
Q

What AAA protocol is best suited for device administration?

A

TACACS+

10
Q

Which AAA protocol supported by ISE combines authentication and authorization in a single transaction?

A

RADIUS

11
Q

Which AAA protocol supported by ISE uses TCP for transport?

A

TACACS+

12
Q

In AAA communication, what is the name of the combination of an attribute and its assigned value?

A

Attribute/value (AV) pair

13
Q

What is the common name for the technology extension to RADIUS that allows communication to be initiated from the authentication server to the authenticator (the NAD)?

A

Change of Authorization (CoA)

14
Q

Describe an Identity Store

A

An identity store is basically a database that houses the credentials of users or endpoints. Because it contains those values, it can be used to authenticate the identity of a user or an endpoint. The identity store could be an internal database that resides on the AAA server or an external database that houses the identities.

Identity stores can also be used for the retrieval of the user or machine attributes used in authorization policies. Each individual identity store is referred to as an identity source.

ISE refers to Active Directory (and similar directories) as external identity stores.

15
Q

What is EAP

A
  • Extensible Authentication Protocol (EAP) is an authentication framework that defines the transport and usage of identity credentials.
  • EAP encapsulates the usernames, passwords, certificates, tokens, one-time passwords, and so on that a client is sending for purposes of authentication.
16
Q

What is a supplicant?

A

Supplicant

Software on the endpoint (which the IETF also calls a peer) that communicates with EAP at Layer 2. This software responds to the authenticator and provides the identity credentials with the EAP communication.

17
Q

What is an authenticator in relation to ISE?

A

Authenticator

The network device that controls physical access to the network, based on the authentication status of the endpoint. The authenticator acts as the middleman, encapsulating Layer 2 EAP communication from the supplicant in RADIUS, directed at the active authentication server. The most common authenticators with a Cisco ISE deployment are LAN switches and wireless LAN controllers (WLCs). Cisco ISE refers to these authenticators generically as network access devices (NADs).

18
Q

What is an authentication server?

A

Authentication server

The server that is performing the authentication of the client. The authentication server validates the identity of the endpoint and provides the authenticator with a result, such as accept or deny. Cisco ISE is an authentication server.

19
Q

Inner and outer EAP tunnel

*Note for reading purposes only

A

Tunneled EAP involves the concept of inner and outer identities. The inner identity is easier to explain. It is the user’s or device’s actual credentials, sent with the native EAP or authentication protocol. The outer identity, which is typically set to anonymous, is the identity that is used between the supplicant and the authentication server for the initial TLS tunnel setup.

Cisco ISE is able to read that outer identity and use it to help make identity store selection decisions. Put simply, that outer identity may contain information (such as the domain name) that tells Cisco ISE to submit the credentials to Active Directory or LDAP or some other identity store.

Most supplicants hide this option from the end user, and only administrators see the outer identity. However, one supplicant that does expose it to the end user is the native Android supplicant (see Figure 3-5). Note that the Android supplicant refers to the outer identity as the “anonymous identity”—an amusing oxymoron.

20
Q

Network Access Devices

*Notes just to read over

A

Cisco ISE refers to the authenticator role as a network access device (NAD). The NAD serves multiple roles. It is an authenticator for 802.1X, and it proxies EAP communications from a supplicant to the authentication server. A NAD is also commonly referred to as a policy enforcement point.

The NAD is responsible for enforcing whatever authorization result it receives from the authentication server (for example, Cisco ISE).

In simple terms, a NAD is an access-layer device but can be any device that is going to send RADIUS authentication requests to Cisco ISE. Common NAD types include the following:

  • Wired Ethernet switch
  • Wireless LAN Controller (WLC)
  • Cisco Adaptive Security Appliance (ASA)
  • Cisco Firepower device
  • Load balancer
  • Software application that uses ISE for AAA