CCNA Security
Chapter Three Authentication, Authorization, and Accounting
Accounting: What did you spend it on?
Access Methods
o Packet mode: a connection through to a device on the network (for example a PPP session), as opposed to character mode, which is an EXEC session on a router line
[Figure: AAA authentication between a Remote client and the Perimeter router; the numbered steps of the diagram did not survive extraction.]
AAA Authorization
o Typically implemented using an AAA server-based solution
o Uses a set of attributes that describes user access to the network
1. Once authenticated, a session is established with an AAA server.
2. The router requests authorization for the requested service.
3. The AAA server returns a PASS/FAIL for authorization.
AAA Accounting
o Implemented using an AAA server-based solution
o Keeps a detailed log of what an authenticated user does on a device
1. Once authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded, ending the accounting process.
TACACS+/RADIUS Comparison

Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+
Standard
  TACACS+: Mostly Cisco supported
  RADIUS: Open/RFC standard
Transport protocol
  TACACS+: TCP (port 49)
  RADIUS: UDP
CHAP
  TACACS+: Bidirectional challenge and response, as used in Challenge Handshake Authentication Protocol (CHAP)
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Protocol support
  TACACS+: Multiprotocol support
  RADIUS: No ARA, no NetBEUI
Confidentiality
  TACACS+: Entire packet encrypted (strictly, the packet body is obfuscated with an MD5-derived keystream based on the shared secret; the header is sent in the clear)
  RADIUS: Password encrypted (only the User-Password attribute is obfuscated with the shared secret; usernames and all other attributes travel in cleartext)
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis
Accounting
  TACACS+: Limited
  RADIUS: Extensive
[Figure: TACACS+ authentication exchange between Remote client, router and ACS. Recoverable steps: 1 Connection request; 2 START (router to ACS); 3 REPLY Username? (ACS to router); 4 Username? (router to client); 5 Admin01; 8 Password?; 9 Admin01pa55.]
[Figure: RADIUS authentication exchange between Remote client, router and ACS. Recoverable steps: 3 Admin01 (client to router); 7 Access-Accept/Access-Reject (ACS to router).]
o Works in both local and roaming situations
o UDP ports 1645 or 1812 for authentication
o UDP ports 1646 or 1813 for accounting
(1812/1813 are the IANA-assigned RADIUS ports from RFC 2865/2866; 1645/1646 are the older ports that some servers still listen on. The router and the ACS must be configured for the same pair, or requests are silently dropped.)
Cisco Secure ACS Benefits
o Extends access security by combining authentication, user access, and administrator access with policy control
o Allows greater flexibility and mobility, increased security, and user-productivity gains
o Enforces a uniform security policy for all users
o Reduces the administrative and management effort

Cisco Secure ACS Advanced Features
o Automatic service monitoring
o Database synchronization and importing tools for large-scale deployments
o User and administrative access reporting
o Restrictions to network access based on criteria
o User and device group profiles

o Centrally manages access to network resources for a growing variety of access types, devices, and user groups
o Addresses the following:
  Support for a range of protocols, including Extensible Authentication Protocol (EAP) and non-EAP
  Integration with Cisco products for device administration access control, allowing centralized control and auditing of administrative actions
  Support for external databases, posture brokers, and audit servers, centralizing access policy control
Deploying ACS
o Cisco Secure ACS Homepage
o Network Configuration: add, delete, and modify settings for AAA clients (routers)
o Interface Configuration: set menu display options for TACACS+ and RADIUS
o External User Database
o Windows User Database Configuration
Network Configuration
1. Click Network Configuration on the navigation bar
3. Enter the hostname
4. Enter the IP address
5. Enter the secret key
6. Choose the appropriate protocols
7. Make any other necessary selections and click Submit and Apply
Interface Configuration
The selection made in the Interface Configuration window controls the display of options in the user interface.
4. Click Configure
5. Configure options
External User Database
o Configuring the Unknown User Policy
o Configuring Database Group Mappings
o Configuring Users
4. Choose the database from the list and click the right arrow to move it to the Selected list
5. Arrange the selected databases in the order in which each will be checked
6. Click Submit
Group Setup
Database group mappings - Control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another
1. Click Group Setup on the navigation bar
User Setup
1. Click User Setup on the navigation bar
2. Enter a username and click Add/Edit
4. Click Submit
Configuring the router for server-based AAA
1. Globally enable AAA
2. Specify the Cisco Secure ACS for the network access server
3. Configure the encryption key between the network access server and the Cisco Secure ACS
4. Configure the AAA authentication method list
Sample Configuration
o Multiple RADIUS servers are identified by entering separate radius-server commands
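As an added example (not one of the slides' own configurations), the four steps above carried through on an IOS router, with two RADIUS servers entered as separate radius-server commands and a TACACS+ server for administrative logins. All addresses, shared keys and usernames are assumed values.

```cisco
! Added example, not from the original slides; addresses, keys and
! usernames are assumed values.
!
! Create a local administrator first: once aaa new-model is entered, the
! default login list applies to every line, so a local fallback is what
! keeps you from being locked out if the ACS is unreachable.
username admin privilege 15 secret Adm1n-l0cal-pw
!
! Step 1: globally enable AAA
aaa new-model
!
! Steps 2 and 3: specify the Cisco Secure ACS servers and the shared key
! the router and ACS use for each one. The two RADIUS servers are entered
! as separate radius-server commands and are tried in the order listed;
! the ports must match what the ACS listens on (1812/1813 here).
radius-server host 10.1.1.10 auth-port 1812 acct-port 1813 key R4dius-k3y
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813 key R4dius-k3y
tacacs-server host 10.1.1.20 key T4cacs-k3y
!
! Step 4: authentication method lists. "local" is consulted only when no
! server in the group answers; a FAIL returned by the ACS is final and does
! not fall through to the next method.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication ppp default group radius local
!
! Apply the lists: character-mode (vty) logins are checked against
! TACACS+, the console stays local.
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
```

To check reachability and the shared key before relying on it, use test aaa group tacacs+ <user> <password> legacy (the credentials are the ones defined on the ACS) together with debug aaa authentication and debug tacacs; a key mismatch shows up as an invalid-reply or authentication-failure debug rather than a timeout. Newer IOS releases express the same server definitions with radius server NAME / tacacs server NAME blocks and an address ipv4 line, while the deprecated radius-server host form shown above still matches the syntax used in this chapter.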
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
o RADIUS combines the authentication and authorization process
o TACACS+ allows the separation of authentication from authorization, so a user can be restricted to performing only certain functions after successful authentication
o Authorization can be configured for character mode (exec authorization) and packet mode (network authorization)
o To configure AAA accounting using named method lists:
  aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]]
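An added example (not from the slides) showing exec and network authorization together with accounting method lists built from the syntax above and applied to the vty lines. It assumes aaa new-model, a TACACS+ server and a RADIUS server are already defined on the router; the list names and privilege level are assumed.

```cisco
! Added example, not from the original slides. Assumes aaa new-model and
! TACACS+ / RADIUS servers are already configured on the router.
!
! Character mode: exec authorization and per-command authorization for
! privilege level 15 commands use TACACS+, because RADIUS cannot authorize
! router commands per user or group. "local" is only consulted if no
! TACACS+ server responds. Console authorization stays off (IOS does not
! apply authorization to the console unless aaa authorization console is
! configured), so the console remains a recovery path if the ACS is down.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Packet mode: network (PPP) authorization attributes come from RADIUS
aaa authorization network default group radius
!
! Accounting. start-stop sends a start record when the EXEC or network
! session begins and a stop record when it ends; stop-only sends one record
! per command after the command completes; wait-start would hold the session
! until the start record is acknowledged by the server.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group radius
!
! Apply the exec and command lists to the vty lines; the network lists
! named "default" apply to all interfaces automatically.
line vty 0 4
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
```

With this in place, a vty login produces a TACACS+ exec start record, each privilege-15 command produces an authorization request followed by a stop accounting record, and the session close produces the exec stop record; debug aaa authorization and debug aaa accounting show each request and the PASS/FAIL returned by the ACS.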
www.catcemea.org.uk catc@bcu.ac.uk