
CCNA Security Chapter 3 Authentication, Authorization, and Accounting

3.0.1
Q: Where can you find the design specifications on who is allowed to connect to the network and what they are allowed to do when they are connected?
A: In the network security policy.

3.1.1.1
Q: What is the simplest form of authentication on a Cisco router?
A: Password-only logins.

3.1.1.1
Q: To help provide greater accountability, what Cisco IOS commands can be used to create a local database for authentication?
A: username username password password
   username username secret password

3.1.1.2
Q: Describe the components of AAA security in the Cisco environment.
A: Authentication: users and administrators must prove they are who they say they are. Established using username/password combinations, challenge/response questions, and token cards.
   Authorization: determines the resources a user can access and the operations a user is allowed to perform.
   Accounting and auditing: records what the user is doing, what is accessed, the amount of time it is accessed for, and any changes made.

3.1.2.1
Q: What two AAA access methods can be used to authenticate users for administrative access or for remote network access?
A: Character mode: the user sends a request to establish an EXEC mode process with the router for administrative purposes.
   Packet mode: the user sends a request to establish a connection through the router with a device on the network.

3.1.2.1
Q: What are two common methods of implementing AAA services?
A: Local AAA authentication: uses a local database for authentication. Usernames and passwords are stored locally on the Cisco router, and users authenticate against that local database.
   Server-based AAA authentication: uses an external database server resource that leverages the RADIUS or TACACS+ protocols. More appropriate with multiple routers. Examples: Cisco Secure Access Control Server (ACS) for Windows Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express.

3.1.2.2
Q: When is user authorization implemented?
A: Immediately after users are successfully authenticated against the selected AAA data source.

3.1.2.3
Q: What data might be collected for accounting?
A: Start and stop connection times, executed commands, number of packets, and number of bytes.

3.2.1.1
Q: Describe the basic steps to authenticate administrator access using self-contained authentication.
A: 1. Add usernames/passwords to the local router database.
   2. Enable AAA on the router.
   3. Configure AAA parameters.
   4. Confirm and troubleshoot the AAA configuration.

3.2.1.2
Q: What command will enable AAA on a Cisco router?
A: aaa new-model (global config mode)

3.2.1.2
Q: What command will define a named list of authentication methods?
A: aaa authentication login list-name method1 ... [method4] (global config mode)

3.2.1.3
Q: What command will enable a specific defined list name?
A: login authentication list-name (line config mode)

3.2.1.4
Q: What command will lock out AAA user accounts that have excessive failed login attempts?
A: aaa local authentication attempts max-fail number-of-attempts (global config mode)

3.2.1.4
Q: What command will display the attributes that are collected for an AAA session?
A: show aaa user [all | unique-id] (privileged EXEC mode)


3.2.1.4
Q: What command will show the unique ID of a session?
A: show aaa sessions (privileged EXEC mode)

3.2.2.1
Q: What steps will verify that AAA is enabled in Cisco Security Device Manager (SDM)?
A: Choose Configure > Additional Tasks > AAA.

3.2.3.1
Q: What commands could you use for troubleshooting authentication issues?
A: debug aaa (privileged EXEC mode)
   debug aaa authentication (privileged EXEC mode)

3.3.1.2
Q: What are the two predominant protocols used by Cisco security appliances, routers, and switches for implementing AAA?
A: Terminal Access Control Access Control Server Plus (TACACS+) and Remote Dial-in User Services (RADIUS).

3.3.2.1
Q: Describe the differences between the TACACS+ and RADIUS protocols.
A: TACACS+ is incompatible with its predecessors, separates authentication and authorization, encrypts all communication, uses TCP port 49, and is mostly Cisco supported. Provides limited accounting.
   RADIUS combines authentication and authorization, encrypts only the password, uses UDP, and is an open/RFC standard. Provides extensive accounting.

3.3.2.3
Q: What protocol is the planned replacement for RADIUS?
A: The DIAMETER protocol.

3.3.3.1
Q: Describe some of the benefits of Cisco Secure Access Control Server (ACS) for Windows.
A: Combines authentication, user access, and administrator access with policy control within a centralized identity networking solution to extend access security. Allows greater flexibility and mobility, increased security, user-productivity gains, and a uniform security policy for all users, and reduces the administrative/management burden when scaling user and network-administrator access to the network.

3.3.3.2
Q: List some of the advanced features of Cisco Secure ACS.
A: Automatic service monitoring, database synchronization/import tools for large-scale deployments, LDAP user authentication, user/administrative access reporting, user/device group profiles, and restrictions on network access based on criteria such as the time of day and the day of the week.

3.3.3.3
Q: Describe Cisco Network Admission Control (NAC).
A: An industry initiative sponsored by Cisco. Uses the network infrastructure to enforce security-policy compliance on all devices seeking to access network computing resources.

3.3.3.5
Q: Describe the differences between Cisco Secure ACS for Windows, Cisco Secure ACS Solution Engine, and Cisco Secure ACS Express.
A: Cisco Secure ACS for Windows: allows the AAA services on a router to contact an external Cisco Secure ACS installed on a Windows server for user and administrator authentication.
   Cisco Secure ACS Solution Engine: a 1U rack-mountable, security-hardened appliance with a pre-installed Cisco Secure ACS license. Used in large organizations to support more than 350 users. Reduces total cost of ownership by eliminating the need to install and maintain a Microsoft Windows server machine.
   Cisco Secure ACS Express: a 1U rack-mountable, security-hardened appliance with a pre-installed Cisco Secure ACS Express license. Intended for commercial (fewer than 350 users), retail, and enterprise branch-office deployments. Comprehensive, simplified feature set, user-friendly GUI, and a lower price, allowing admins to deploy it where the other two options might not be suitable.

3.3.4.1
Q: Describe the requirements which must be met before administrators begin deploying Cisco Secure ACS.
A: For full TACACS+/RADIUS support on IOS devices, clients must run IOS release 11.2 or newer. Cisco devices that aren't AAA clients must be configured with TACACS+, RADIUS, or both. Dial-in/VPN/wireless clients must be able to connect to the applicable AAA clients. Cisco Secure ACS must be able to reach all AAA clients with ping. Gateways between ACS and other devices must permit communication over the ports needed to support the features/protocols in use. ACS must have a supported web browser. All ACS NICs must be enabled; a disabled card can cause major delays.

3.3.4.2
Q: List the areas or functions of Cisco Secure ACS that can be configured.
A: User setup, group setup, shared profile components, network configuration, system configuration, interface configuration, administration control, external user databases, posture validation, network access profiles, reports and activity, and online documentation.

3.3.4.3
Q: What must be done before configuring a router, switch, or firewall as a TACACS+ or RADIUS client?
A: The AAA client must be added to the server, with its IP address and encryption key specified.

3.3.5.1
Q: Describe two ways that Cisco Secure ACS can be configured to communicate with an external user database.
A: By specific user assignment: authenticate specific users with an external user database.
   By unknown user policy: use the external database to authenticate users not found in the Cisco Secure user database. Does not require admins to define users in the Cisco Secure user database.

3.4.1.1
Q: Describe the basic steps to configure server-based authentication.
A: 1. Enable AAA.
   2. Specify the Cisco Secure ACS (TACACS+/RADIUS server).
   3. Configure an encryption key to encrypt data transfer between the network access server and Cisco Secure ACS.
   4. Configure the AAA authentication method list to refer to the TACACS+/RADIUS server.
   It is possible to configure redundant servers.

3.4.1.2
Q: What commands are used to configure a TACACS+ server and to configure the shared secret key to encrypt the data transfer?
A: tacacs-server host ip-address [single-connection]
   tacacs-server key key

3.4.1.2
Q: What commands are used to configure a RADIUS server and to configure the shared secret key for encrypting the password?
A: radius-server host ip-address
   radius-server key key

3.4.1.2
Q: What command will include the AAA security servers in the method list of the aaa authentication login command?
A: aaa authentication login default group [tacacs+ | radius]

3.5.1.2
Q: What command is used to configure AAA authorization?
A: aaa authorization [network | exec | commands level] [default | list-name] method1 ... [method4]

3.5.2.2
Q: What command is used to configure AAA accounting?
A: aaa accounting [network | exec | connection] [default | list-name] [start-stop | stop-only | none] [broadcast] method1 ... [method4] (global config command)
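As an added illustration, not part of this worksheet or of any Cisco tool, the script below audits a router running-config for the local AAA steps (3.2.1.1 to 3.2.1.4) and the server-based steps (3.4.1.1 to 3.5.2.2) covered above, reporting which steps are missing. Both configs inside it are constructed samples; the server address 10.0.0.5, the key placeholder and the use of "local" as a fallback method after the server group are assumptions, not taken from the worksheet.

```python
import re

# Constructed sample config (not from a real device) that follows the chapter's
# steps; "local" is added as a fallback method so admins keep access if the
# TACACS+ server is unreachable. The address and key are placeholders.
GOOD_CONFIG = """\
username admin secret 5 <hash-placeholder>
aaa new-model
aaa local authentication attempts max-fail 5
tacacs-server host 10.0.0.5 single-connection
tacacs-server key TACACS-KEY-PLACEHOLDER
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 login authentication default
"""
# Constructed weak config: plaintext password, no key, no fallback, no lockout.
WEAK_CONFIG = """\
username admin password cisco
aaa new-model
tacacs-server host 10.0.0.5
aaa authentication login default group tacacs+
"""

def audit_aaa(config: str) -> dict:
    """Return {check: passed} for each AAA step the chapter describes."""
    lines = [ln.strip() for ln in config.splitlines()]
    def has(pattern: str) -> bool:
        return any(re.match(pattern, ln) for ln in lines)
    return {
        # Local AAA step 1: user in the local database with a hashed secret
        "local_user_secret": has(r"username \S+ secret "),
        "no_plaintext_user_password": not has(r"username \S+ password "),
        # Step 2: AAA enabled; plus lockout after excessive failed logins
        "aaa_enabled": has(r"aaa new-model$"),
        "lockout_configured": has(r"aaa local authentication attempts max-fail \d+"),
        # Server-based steps 2-3: server defined and shared key set
        "server_defined": has(r"(tacacs|radius)-server host "),
        "server_key_set": has(r"(tacacs|radius)-server key "),
        # Step 4: login method list uses the server group, with local fallback
        "login_uses_server": has(r"aaa authentication login \S+ .*group (tacacs\+|radius)"),
        "login_local_fallback": has(r"aaa authentication login \S+ .* local$"),
        "authorization_configured": has(r"aaa authorization (network|exec|commands) "),
        "accounting_configured": has(r"aaa accounting (network|exec|connection) "),
    }

def failed_checks(config: str) -> list:
    return sorted(name for name, ok in audit_aaa(config).items() if not ok)
```

Running failed_checks(WEAK_CONFIG) lists the seven missing steps, while the good config returns an empty list.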

