8/13/2019 Rich CCNA Security 03 (1)
http://slidepdf.com/reader/full/rich-ccna-security-03-1 1/30
CATC
Birmingham City University
CCNA Security
Chapter Three
Authentication, Authorization, and Accounting
AAA Access Security
o Authentication: Who are you?
o Authorization: Which resources is the user allowed to access? Which operations is the user allowed to perform?
o Accounting: What did you spend it on?
Access Methods
o The user requests to establish one of two kinds of session:
  Character mode: an EXEC mode process for administrative purposes
  Packet mode: a connection through to a device on the network
Local AAA Authentication
o Used for small networks
o Stores usernames and passwords locally in the Cisco router
o Authorisation to access the network based on information in the local database.
1. Client establishes connection.
2. Router prompts for username and password.
3. Router authenticates against the local database.
[Figure: remote client connecting through the perimeter router; steps 1-3 are numbered on the diagram]
Server-Based AAA Authentication
o Uses an external database server:
  Cisco Secure Access Control Server (ACS) for Windows Server
  Cisco Secure ACS Solution Engine
  Cisco Secure ACS Express
o More appropriate if there are multiple routers
1. Client establishes connection.
2. Router prompts for username and password.
3. Router communicates with the Cisco Secure ACS (server or appliance).
4. The Cisco Secure ACS authenticates the user.
5. Authorisation to access the network based on information in the Cisco Secure ACS database.
[Figure: remote client, perimeter router, Cisco Secure ACS server and Cisco Secure ACS appliance; steps 1-5 are numbered on the diagram]
AAA Authorization
o Typically implemented using an AAA server-based solution
o Uses a set of attributes that describes user access to the network
1. Once authenticated, a session is established with an AAA server.
2. Router requests authorisation for the requested service.
3. The AAA server returns a PASS/FAIL for authorisation.
AAA Accounting
o Implemented using an AAA server-based solution
o Keeps a detailed log of what an authenticated user does on a device
1. Once authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded ending the accounting process.
Overview of TACACS+ and RADIUS
[Figure: remote user, perimeter router, Cisco Secure ACS for Windows Server and Cisco Secure ACS Express]
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
TACACS+/RADIUS Comparison
Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+
Standard
  TACACS+: Mostly Cisco supported
  RADIUS: Open/RFC standard
Transport Protocol
  TACACS+: TCP
  RADIUS: UDP
CHAP
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Protocol Support
  TACACS+: Multiprotocol support
  RADIUS: No ARA, no NetBEUI
Confidentiality
  TACACS+: Entire packet encrypted
  RADIUS: Password encrypted
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis
Accounting
  TACACS+: Limited
  RADIUS: Extensive
TACACS+ Authentication Process
o Provides separate AAA services
o Uses TCP port 49
Message exchange between the remote client, the AAA client (router) and the ACS:
1. Remote client -> AAA client: connection request
2. AAA client -> ACS: START
3. ACS -> AAA client: REPLY "Username?"
4. AAA client -> remote client: "Username?"
5. Remote client -> AAA client: Admin01
6. AAA client -> ACS: CONTINUE Admin01
7. ACS -> AAA client: REPLY "Password?"
8. AAA client -> remote client: "Password?"
9. Remote client -> AAA client: Admin01pa55
10. AAA client -> ACS: CONTINUE Admin01pa55
11. ACS -> AAA client: REPLY PASS/FAIL
RADIUS Authentication Process
o Works in both local and roaming situations
o UDP ports 1645 or 1812 for authentication
o UDP ports 1646 or 1813 for accounting
Message exchange between the remote client, the AAA client (router) and the ACS:
1. Remote client -> AAA client: connection request
2. AAA client -> remote client: "Username?"
3. Remote client -> AAA client: Admin01
4. AAA client -> remote client: "Password?"
5. Remote client -> AAA client: Admin01pa55
6. AAA client -> ACS: Access-Request ("Admin01", "Admin01pa55")
7. ACS -> AAA client: Access-Accept/Access-Reject
Cisco Secure ACS Benefits
o Extends access security by combining authentication, user access, and administrator access with policy control
o Allows greater flexibility and mobility, increased security, and user-productivity gains
o Enforces a uniform security policy for all users
o Reduces the administrative and management efforts
Cisco Secure ACS Advanced Features
o Automatic service monitoring
o Database synchronization and importing tools for large-scale deployments
o Lightweight Directory Access Protocol (LDAP) user authentication support
o User and administrative access reporting
o Restrictions to network access based on criteria
o User and device group profiles
Cisco Secure ACS Overview
o Centrally manages access to network resources for a growing variety of access types, devices, and user groups
o Addresses the following:
  Support for a range of protocols including Extensible Authentication Protocol (EAP) and non-EAP
  Integration with Cisco products for device administration access control allows for centralized control and auditing of administrative actions
  Support for external databases, posture brokers, and audit servers centralizes access policy control
Cisco Secure ACS Installation Options
Cisco Secure ACS for Windows can be installed on:
- Windows 2000 Server with Service Pack 4
- Windows 2000 Advanced Server with Service Pack 4
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition
Cisco Secure ACS Solution Engine
- A highly scalable dedicated platform that serves as a high-performance ACS
- 1RU, rack-mountable
- Preinstalled with security-hardened Windows software and Cisco Secure ACS software
- Support for more than 350 users
Cisco Secure ACS Express 5.0
- Entry-level ACS with simplified feature set
- Support for up to 50 AAA devices and up to 350 unique user ID logins in a 24-hour period
Configuring Cisco Secure ACS
o Deploying ACS
o Cisco Secure ACS Homepage
o Network Configuration
o Interface Configuration
o External User Database
o Windows User Database Configuration
Cisco Secure ACS Homepage
o Add, delete and modify settings for AAA clients (routers)
o Set menu display options for TACACS+ and RADIUS
o Configure database settings
Network Configuration
1. Click Network Configuration on the navigation bar
2. Click Add Entry
3. Enter the hostname
4. Enter the IP address
5. Enter the secret key
6. Choose the appropriate protocols
7. Make any other necessary selections and click Submit and Apply
Interface Configuration
The selection made in the Interface Configuration window
controls the display of options in the user interface
External User Database
1. Click the External User Databases button on the navigation bar
2. Click Database Configuration
3. Click Windows Database
Windows User Database Configuration
4. Click Configure
5. Configure options
Configuring a TACACS+ Server
o Configuring the Unknown User Policy
o Configuring Database Group Mappings
o Configuring Users
Configuring the Unknown User Policy
1. Click External User Databases on the navigation bar
2. Click Unknown User Policy
3. Place a check in the box
4. Choose the database from the list and click the right arrow to move it to the Selected list
5. Manipulate the databases to reflect the order in which each will be checked
6. Click Submit
Group Setup
Database group mappings - Control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another
1. Click Group Setup on the navigation bar
2. Choose the group to edit and click Edit Settings
3. Click Permit in the Unmatched Cisco IOS commands option
4. Check the Command check box and select an argument
5. For the Unlisted Arguments option, click Permit
User Setup
1. Click User Setup on the navigation bar
2. Enter a username and click Add/Edit
3. Enter the data to define the user account
4. Click Submit
Configuring Server-Based AAA Authentication
1. Globally enable AAA
2. Specify the Cisco Secure ACS for the network access server
3. Configure the encryption key between the network access server and the Cisco Secure ACS
4. Configure the AAA authentication method list
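The four steps above as a working Cisco IOS configuration, with a local account kept as a fallback (the local AAA authentication described earlier in the deck). This is an added example, not configuration taken from the slides: the server address 192.0.2.10, both keys and the list name CONSOLE are placeholders to replace.

```ios
! Added example, not from the slides. 192.0.2.10, the TACACS+ key and the
! local password are placeholders.
!
! Local account used only if the ACS cannot be reached (local AAA fallback)
username admin privilege 15 secret CHANGE-ME-LOCAL-PASSWORD
!
! 1. Globally enable AAA
aaa new-model
!
! 2. Specify the Cisco Secure ACS for this network access server
! 3. Configure the shared key used to encrypt TACACS+ traffic to the ACS
tacacs-server host 192.0.2.10 single-connection key CHANGE-ME-TACACS-KEY
!
! 4. AAA authentication method lists
!    default: ask TACACS+ first; 'local' is consulted only when no TACACS+
!    server responds, not when the ACS returns FAIL for the user
aaa authentication login default group tacacs+ local
!    CONSOLE: local-only list so an unreachable ACS never locks the console
aaa authentication login CONSOLE local
!
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
```

Verify with `show aaa servers` that the router reports the TACACS+ server as up before relying on it; until then every vty login will be silently served by the local account.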
AAA Authorization Overview
o RADIUS combines the authentication and authorization process
o TACACS+ allows the separation of authentication from authorization, so the user can be restricted to performing only certain functions after successful authentication
o Authorization can be configured for
  character mode (exec authorization)
  packet mode (network authorization)
Example of command authorization for user JR-ADMIN:
  show version: the router asks the AAA server "Command authorization for user JR-ADMIN, command show version?"; the server answers Accept and the show version output is displayed.
  configure terminal: the router asks "Command authorization for user JR-ADMIN, command config terminal?"; the server answers Reject and configure terminal is not permitted.
AAA Accounting Overview
o Provides the ability to
  track usage such as dial-in access
  log the data gathered to a database
  produce reports on the data gathered
o Supports six different types of accounting:
  network
  connection
  exec
  system
  commands level
  resource
o To configure AAA accounting using named method lists:
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2...]]
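The exec and command authorization shown in the JR-ADMIN example and the accounting method lists above, combined into one Cisco IOS configuration. This is an added example, not from the slides; it assumes `aaa new-model` is already enabled, and 192.0.2.10 and the key are placeholders.

```ios
! Added example, not from the slides. Assumes 'aaa new-model' is already
! configured; 192.0.2.10 and the shared key are placeholders.
tacacs-server host 192.0.2.10 key CHANGE-ME-TACACS-KEY
!
! Character-mode (exec) authorization: the ACS decides whether the user
! gets an EXEC shell and at which privilege level. 'local' is used only
! when no TACACS+ server answers; a FAIL from the ACS is final.
aaa authorization exec default group tacacs+ local
!
! Per-command authorization: each level-1 and level-15 command (for example
! "show version" or "configure terminal") is sent to the ACS, which returns
! PASS or FAIL according to the command set mapped to the user's group.
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Commands entered inside configuration mode are authorized as well
aaa authorization config-commands
! The console is exempt from authorization unless 'aaa authorization
! console' is added; leaving it exempt keeps a recovery path when the
! ACS is unreachable.
!
! Accounting: start and stop records for every EXEC session, a stop record
! (carrying the command text) for every level-15 command, and start/stop
! records for packet-mode (network) sessions.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
```

Command accounting sends only stop records, so `stop-only` is the natural choice there; `show accounting` on the router lists the sessions currently being tracked.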
CATC
Birmingham City University
www.catcemea.org.uk