Chapter 12. AAA


15-1 Title slide: Chapter 12. AAA (BCRAN, Using AAA to Scale Access Control in an Expanding Network)

15-2 Objectives
Upon completion of this chapter, you will be able to perform the following tasks:
  Describe CiscoSecure features and operations
  Configure a router with AAA commands
  Use a configured AAA server to control access in a remote access network

15-3 Chapter Activities
[Network diagram labels: Cisco 700 (small office) with async Multilink PPP, CHAP, DDR, PAT, DHCP; central site Cisco 3640 with AAA server, BRI, PRI, analog host-LAN dialup; Windows 95 PC with modem; async ISDN/analog; Multilink PPP, CHAP, DDR, NAT, async; Frame Relay service; Cisco 1600 (branch office) over Frame Relay.]

15-4 AAA
Advantages of using AAA for authentication:
  AAA provides scalability
  AAA supports standardized security protocols: TACACS+, RADIUS, and Kerberos
    TACACS+ (Terminal Access Controller Access Control System Plus)
    RADIUS (Remote Authentication Dial-In User Service)
  AAA allows you to configure multiple backup systems


15-7 Security protocols
TACACS+: A security application used with AAA that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. TACACS+ provides separate and modular authentication, authorization, and accounting facilities.

RADIUS: A distributed client/server system used with AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

Kerberos: A secret-key network authentication protocol used with AAA that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. It is based on the concept of a trusted third party that performs secure verification of users and services. The primary use of Kerberos is to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username and password authentication mechanism.

15-8 Cisco Security Options Overview
[Diagram labels: corporate/enterprise resources; PIX firewall; Internet; ISDN; PSTN; security server; GUI admin; client(s); token cards.]
  Client protocol(s): PPP, CHAP, PAP, MS-CHAP
  Access server(s), Cisco IOS: dialer profiles, ACL, NAT, per-user ACL, Lock and Key, L2F, L2TP, Kerberos V
  Security server protocol(s): TACACS+, RADIUS, Kerberos V
  Security server(s): CiscoSecure (AAA), token card vendors, freeware, accounting/billing, firewalls

15-9 Part of the Solution
  PIX firewall
  CiscoSecure ACS (Access Control Server): provides authentication, authorization, and accounting (AAA) for networks

15-10 CiscoSecure
[Diagram labels: CiscoSecure; token card server; RDBMS database; TACACS+/RADIUS; access router; firewall server.]

15-11 GUI Client Supported
  CiscoSecure administrator GUI client: Netscape, Internet Explorer
  CiscoSecure ACS

15-12 AAA Overview and Configuration
  AAA definition
  AAA operation
  Router access modes

15-13 AAA Definition
  Authentication: Who are you?
  Authorization: What can you do?
  Accounting: Who were you? What did you do and how long did you do it?

15-14 Router Access Modes
Character mode (line mode or interactive login)
  Router ports: tty, vty, aux, con
  AAA command elements: login, exec, nasi, connection, arap, enable, command
Packet mode (interface mode or link protocol session)
  Router ports: async, group-async, BRI, PRI, serial, dialer profiles, dialer rotaries
  AAA command elements: ppp, network, arap

15-15 Enabling AAA and Identifying the Server
TACACS+:
  Router(config)#aaa new-model
  Router(config)#tacacs-server host 192.168.229.76 single-connection
  Router(config)#tacacs-server key shared1
or RADIUS:
  Router(config)#aaa new-model
  Router(config)#radius-server host 192.168.229.76
  Router(config)#radius-server key shared1
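What the shared key on slide 15-15 does on the wire, as an added example written for this page (not Cisco or course code): a RADIUS Access-Request carries the user's password hidden with MD5(key + request authenticator) as specified in RFC 2865, so that key alone is what keeps the password from anyone able to read the UDP packet between the router and the server. The user name, password and NAS address used here are constructed sample values.

```python
# Added example: RFC 2865 User-Password hiding, the only protection the
# radius-server key gives the password in an Access-Request. Not Cisco code.
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                   # RADIUS packet code
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR block i with
    MD5(secret + previous hidden block); block 1 uses the authenticator."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden, secret, authenticator):
    """The server's inverse of hide_password; trailing NUL padding is stripped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value encoding; the length counts its two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def access_request(ident, user, password, secret, nas_ip, authenticator=b""):
    """Access-Request as the NAS (router) sends it. The 16-byte request
    authenticator must be random; a fixed one is accepted only for tests."""
    authenticator = authenticator or os.urandom(16)
    attrs = attribute(USER_NAME, user.encode())
    attrs += attribute(USER_PASSWORD,
                       hide_password(password.encode(), secret.encode(), authenticator))
    attrs += attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs
```

Because the hiding is a keyed MD5 stream, the key should be long and random and the router-to-server path kept on a protected network; TACACS+ (tacacs-server key) obfuscates the whole packet body rather than only the password.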



15-21 AAA Authentication Commands
Router(config)#aaa authentication {login | enable | arap | ppp | nasi} {default | list-name} method1 [method2 [method3 [method4]]]
Methods available for each authentication type:
  login:  enable, line, local, none, tacacs+, radius
  enable: enable, line, none, tacacs+, radius
  arap:   guest, auth-guest, line, local, tacacs+
  ppp:    if-needed, krb5, local, none, tacacs+, radius
  nasi:   enable, line, local, none, tacacs+

15-22 Character Mode Login Example
Authentication commands:
  Router(config)#aaa authentication login default tacacs+ local
  Router(config)#aaa authentication login user tacacs+ local
  Router(config)#line con 0
  Router(config-line)#login authentication user
  Router(config-line)#line 1 48
  Router(config-line)#login authentication user
  Router(config-line)#line vty 0 4
  (no login authentication command on the vty lines, so the default list applies)

15-23 AAA Authorization Commands
(Network access server and CiscoSecure ACS server)
Router(config)#aaa authorization {network | exec | commands level | config-commands | reverse-access} {if-authenticated | local | none | radius | tacacs+ | krb5-instance}

15-24 Character Mode with Authorization Example
  Router(config)#aaa new-model
  Router(config)#aaa authentication login default local
  Router(config)#aaa authentication enable default tacacs+ enable
  Router(config)#aaa authorization exec tacacs+ local
  Router(config)#aaa authorization commands 1 tacacs+ local
  Router(config)#aaa authorization commands 15 tacacs+ local
Later Cisco IOS releases require default or a list name after the authorization type, for example aaa authorization exec default tacacs+ local.

15-25 Packet Mode Example
  Router(config)#username admin password xxxxx
  Router(config)#aaa authentication ppp default if-needed tacacs+
  Router(config)#aaa authentication ppp user if-needed tacacs+
  Router(config)#aaa authorization network tacacs+ if-authenticated
  Router(config)#interface group-async 1
  Router(config-if)#ppp authentication chap
  (no list name, so the default list applies)
  Router(config-if)#interface async 16
  Router(config-if)#ppp authentication chap user
  Router(config-if)#line 1 16

15-26 AAA Accounting Commands
(Network access server and CiscoSecure ACS server)
Router(config)#aaa accounting {commands level | connection | exec | network | system} {start-stop | stop-only | wait-start} {tacacs+ | radius}
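The method lists on slides 15-21 to 15-25 (tacacs+ local, if-needed tacacs+, tacacs+ if-authenticated) are walked in order. The following Python model, added here and not part of the course material, captures the rule that matters for security: IOS consults the next method only when the current one gives no answer (server unreachable), so a TACACS+ reject is final and is not rescued by the local database, while an unreachable server is. The user stores are constructed sample data.

```python
# Added model of Cisco IOS AAA method-list evaluation (not Cisco code).
# Rule modelled: methods are tried in order; IOS moves to the next method
# only when the current one does not answer (server down). An explicit
# reject is final. "none" always permits, "if-needed" (PPP) skips
# authentication on an already-authenticated line, and "if-authenticated"
# (authorization) permits any authenticated user.
ACCEPT, REJECT = "accept", "reject"

# Constructed sample data: the TACACS+ server knows only alice; the router's
# local database (slide 15-25: username admin password xxxxx) knows only admin.
TACACS_USERS = {"alice": "s3cret"}
LOCAL_USERS = {"admin": "xxxxx"}


def authenticate(methods, user, password, *, server_up=True,
                 already_authenticated=False):
    """Outcome of 'aaa authentication login|ppp <list> <methods>'."""
    for method in methods:
        if method == "if-needed":
            if already_authenticated:
                return ACCEPT            # PPP line already authenticated
            continue                     # otherwise go on to the next method
        if method == "none":
            return ACCEPT                # no authentication performed at all
        if method == "local":
            return ACCEPT if LOCAL_USERS.get(user) == password else REJECT
        if method == "tacacs+":
            if not server_up:
                continue                 # no reply: fall through to next method
            return ACCEPT if TACACS_USERS.get(user) == password else REJECT
        raise ValueError(f"unsupported method {method!r}")
    return REJECT                        # no method answered: login fails


def authorize(methods, user, authenticated, *, server_up=True,
              tacacs_permits=frozenset()):
    """Outcome of 'aaa authorization exec|network <methods>' (simplified: the
    server permits the users in tacacs_permits, local permits any locally
    configured user)."""
    for method in methods:
        if method == "if-authenticated":
            return ACCEPT if authenticated else REJECT
        if method == "none":
            return ACCEPT
        if method == "local":
            return ACCEPT if user in LOCAL_USERS else REJECT
        if method == "tacacs+":
            if not server_up:
                continue                 # no reply: fall through to next method
            return ACCEPT if user in tacacs_permits else REJECT
        raise ValueError(f"unsupported method {method!r}")
    return REJECT
```

Ending a list with none (an option on slide 15-21) turns a server outage into unauthenticated access, which is why the examples fall back to local instead.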

15-27 Accounting Example
  Router(config)#aaa accounting network start-stop tacacs+
  Router(config)#aaa accounting exec start-stop tacacs+
  Router(config)#aaa accounting commands 15 start-stop tacacs+
  Router(config)#aaa accounting connection start-stop tacacs+
  Router(config)#aaa accounting system wait-start tacacs+
Later Cisco IOS releases require default or a list name after the accounting type, for example aaa accounting exec default start-stop tacacs+.

15-28 Virtual Profiles
[Diagram labels: remote LAN bridge/router; AAA server; single-user client with ISDN card; ISDN; analog; physical interface; virtual template interface; single-user client with ISDN BRI TA or modem; network access server; virtual access interface; profiles stored in centralized server. The diagram numbers the steps 1 to 5.]

15-29 Building a Virtual Profile
Components of a virtual access interface:
  Physical interface
  Generic information from the virtual template in the network access server
  User-specific information from the configuration in the AAA server
  Virtual access interface

15-30 Laboratory Exercise: Visual Objective
[Diagram labels: async; central site; AAA server; PRI; ISDN/analog.]

15-31 Summary
After completing this chapter, you should be able to perform the following tasks:
  Describe CiscoSecure features and operations
  Configure a router with AAA commands
  Use a configured AAA server to control access in a remote access network

15-32 Review Questions
  What is authentication?
  What is authorization?
  What is accounting in regard to a dialup networking environment?
