CCNA Security 2.0 Study Material – Chapter 3: Authentication, Authorization, and Accounting

Chapter Outline: 

3.0 Introduction
3.1 Purpose of the AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
3.4 Server-Based AAA Authentication
3.5 Server-Based Authorization and Accounting
3.6 Summary

Section 3.1: Purpose of the AAA

Upon completion of this section, you should be able to:

  • Explain why AAA is critical to network security.
  • Describe the characteristics of AAA.

Topic 3.1.1: AAA Overview

Authentication without AAA

Telnet is Vulnerable to Brute-Force Attacks

SSH and Local Database Method

AAA Components

Topic 3.1.2: AAA Characteristics

Authentication Modes

Local AAA Authentication

Server-Based AAA Authentication

Authorization

AAA Authorization

Accounting

Types of accounting information:

  • Network
  • Connection
  • EXEC
  • System
  • Command
  • Resource

Section 3.2: Local AAA Authentication

Upon completion of this section, you should be able to:

  • Configure AAA authentication, using the CLI, to validate users against a local database.
  • Troubleshoot AAA authentication that validates users against a local database.

Topic 3.2.1: Configuring Local AAA Authentication with CLI

Authenticating Administrative Access

  1. Add usernames and passwords to the local router database for users that need administrative access to the router.
  2. Enable AAA globally on the router.
  3. Configure AAA parameters on the router.
  4. Confirm and troubleshoot the AAA configuration.

Authentication Methods

Default and Named Methods

Example Local AAA Authentication

Fine-Tuning the Authentication Configuration

Command Syntax

Display Locked Out Users

Show Unique ID of a Session

Topic 3.2.2: Troubleshooting Local AAA Authentication

Debug Options

Debug Local AAA Authentication

Debugging AAA Authentication

Understanding Debug Output

Section 3.3: Server-Based AAA

Upon completion of this section, you should be able to:

  • Describe the benefits of server-based AAA.
  • Compare the TACACS+ and RADIUS authentication protocols.

Topic 3.3.1: Server-Based AAA Characteristics

Comparing Local AAA and Server-Based AAA Implementations

Local authentication:

  1. User establishes a connection with the router.
  2. Router prompts the user for a username and password, authenticating the user against the local database.

Server-based authentication:

  1. User establishes a connection with the router.
  2. Router prompts the user for a username and password.
  3. Router passes the username and password to the Cisco Secure ACS (server or engine).
  4. The Cisco Secure ACS authenticates the user.

Introducing Cisco Secure Access Control System

Topic 3.3.2: Server-Based AAA Communication Protocols

Introducing TACACS+ and RADIUS

TACACS+ Authentication

TACACS+ Authentication Process

RADIUS Authentication

RADIUS Authentication Process

Integration of TACACS+ and ACS

Cisco Secure ACS

Integration of AAA with Active Directory

Section 3.4: Server-Based AAA Authentication

Upon completion of this section, you should be able to:

  • Configure server-based AAA authentication, using the CLI, on Cisco routers.
  • Troubleshoot server-based AAA authentication.

Topic 3.4.1: Configuring Server-Based Authentication with CLI

Steps for Configuring Server-Based AAA Authentication with CLI

  1. Enable AAA.
  2. Specify the IP address of the ACS server.
  3. Configure the secret key.
  4. Configure authentication to use either the RADIUS or TACACS+ server.
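The four steps above, combined with the local-database steps from Section 3.2 (Authenticating Administrative Access), as one worked Cisco IOS configuration. This is an added example, not a slide from the course: the server name ACS-SERVER, the address 192.0.2.10, the username and both shared secrets are placeholders chosen for the illustration, and the RADIUS lines at the end are shown commented out as the alternative to the TACACS+ block.

```cisco
! Added example, not from the course slides. Server name, address,
! username and shared secrets are placeholders for this illustration.
!
! Section 3.2, step 1: a local database entry, kept as the fallback
! for the case where the ACS server cannot be reached.
username admin privilege 15 secret Str0ngLocalPassw0rd-PLACEHOLDER
!
! Step 1: enable AAA globally (must precede every other aaa command).
aaa new-model
!
! Steps 2 and 3: define the TACACS+ server and its shared key.
tacacs server ACS-SERVER
 address ipv4 192.0.2.10
 key TACACS-SHARED-SECRET-PLACEHOLDER
!
! Step 4: default login method list. IOS only moves to the next method
! when the current one returns an error (server unreachable); a
! credential rejected by the server does NOT fall through to "local".
aaa authentication login default group tacacs+ local
!
! Named method list for the console so that a dead server can never
! lock an operator out of the device.
aaa authentication login CONSOLE-ACCESS local
line console 0
 login authentication CONSOLE-ACCESS
!
! RADIUS alternative to the tacacs server block above:
! radius server ACS-RADIUS
!  address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
!  key RADIUS-SHARED-SECRET-PLACEHOLDER
! aaa authentication login default group radius local
!
! Verification from privileged EXEC:
! show aaa servers
! debug aaa authentication
```

Verify the configuration from a second session before closing the one you configured from: `show aaa servers` reports whether the router can reach the ACS server, and `debug aaa authentication` shows which method in the list actually handled each login attempt.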

Configuring the CLI with TACACS+ Servers

Server-Based AAA Reference Topology

Configure a AAA TACACS+ Server

Configuring the CLI for RADIUS Servers

Configure a AAA RADIUS Server

Configure Authentication to Use the AAA Server

Command Syntax

Configure Server-Based AAA Authentication

Topic 3.4.2: Troubleshooting Server-Based AAA Authentication

Monitoring Authentication Traffic

Troubleshooting Server-Based AAA Authentication

Debugging TACACS+ and RADIUS

Troubleshooting RADIUS

Troubleshooting TACACS+

AAA Server-Based Authentication Success

AAA Server-Based Authentication Failure

Section 3.5: Server-Based AAA Authorization and Accounting

Upon completion of this section, you should be able to:

  • Configure server-based AAA authorization.
  • Configure server-based AAA accounting.
  • Explain the functions of 802.1x components.

Topic 3.5.1: Configuring Server-Based AAA Authorization

Introduction to Server-Based AAA Authorization

Authentication vs. Authorization

  • Authentication ensures a device or end-user is legitimate.
  • Authorization allows or disallows authenticated users access to certain areas and programs on the network.

TACACS+ vs. RADIUS

  • TACACS+ separates authentication from authorization.
  • RADIUS does not separate authentication from authorization.

AAA Authorization Configuration with CLI

Command Syntax

Authorization Method Lists

Example AAA Authorization

Topic 3.5.2: Configuring Server-Based AAA Accounting

Introduction to Server-Based AAA Accounting

AAA Accounting Configuration with CLI

Command Syntax

Accounting Method Lists

Example AAA Accounting

Topic 3.5.3: 802.1X Authentication

Security Using 802.1X Port-Based Authentication

802.1X Roles

802.1X Message Exchange

802.1X Port Authorization State

Command Syntax for dot1x port-control

Configuring 802.1X

Section 3.6: Summary

Chapter Objectives:

  • Explain how AAA is used to secure a network.
  • Implement AAA authentication that validates users against a local database.
  • Implement server-based AAA authentication using TACACS+ and RADIUS protocols.
  • Configure server-based AAA authorization and accounting.
