AAA Services

• Authentication- Who ?- Management of the user’s identity

• Authorization- What can the user do?- Management of the granted services

• Accounting- What did the user do?- Logging of activities and auditing

Uses of AAA

• Two modes:– The character mode access

AAA services are used to control administrative access such as Telent or Console access to network devices

– The packet mode accessAAA services are used to manage remote user network access such as dialup clients or VPN clients

T. A. Yang Network Security 2

c.f., Alternative methods to AAA

• Examples:– Password-based authentication– Challenge-response authentication

• Incomplete access management– Limited to authentication only

Local vs Centralized Databases in AAA

Features Local dB Centralized dB

Location of user data local on the deviceIn a central authentication server (remote to the device)

Copies of user data Multiple copies (one per device)

Single copy

Scalability Poor (Given a change, each copy needs to be updated.)

Single-point failure ? Depends (possibly no) Yes

Recommended ? Only for very small networks

Yes (especially for larger networks)

Authentication Protocols in AAA

• RADIUS vs TACACS+• RADIUS

– Remote Authentication Dial In User Service– An IETF standard (RFC 2865)– Open source s/w– Interoperability among RADIUS-based products– Client/server authentication btwn a NAS (e.g., a

router) and a RADIUS server• A shared secret btwn the client and the server

– on UDP (port 1812 for authentication and authorization; port 1813 for accounting)

RADIUS • RFC 2865 (2000): http://www.ietf.org/rfc/rfc2865.txt

The Authenticator field• Request Authenticator

– The authenticator in the Access-Request packets– Rqts: The value SHOULD be unpredictable and unique

over the lifetime of a shared secret• Repetition of a request value in conjunction with the same secret

would permit an attacker to reply with a previously intercepted response.

• Response Authenticator– The authenticator in the Access-Accept, Access- Reject,

and Access-Challenge packets– ResponseAuth =

MD5(Code+ID+Length+RequestAuth+Attributes+Secret) T. A. Yang Network Security 7

• http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

RADIUS

• Example Clients: router, switch, PIX/ASA, VPN3000

• The Access-Request: contains username, encrypted password, NAS IP address, NAS port number, and session information.

RADIUS authentication• Note: Both authentication and authorization information

are combined in a single Access-Request packet.

• Upon receiving an Access-Request, the RADIUS server

1. Validates the shared secret

2. Validates the username and passwordIf not validated, sends an Access-Reject response;

3. Authorizes the userIf authorization fails, sends an Access-Reject response;

Otherwise, sends an Access-Accept response;

Security mechanisms in RADIUS

• Shared secret btwn the client and the server• In the Access-Request packet, the password is

encrypted. MD5 (shared secret + Request Authenticator)

XOR the-first-16-octets-of-the-password16-octet encrypted password

• Q: How would the RADIUS server authenticate the encrypted password?

TACACS+

• TACACS: Terminal Access Controller Access Control System

• A Cisco proprietary client/server authentication protocol

• A shared secret btwn the client & the server• Can encrypt the entire body of the packet (as

indicated by the flags field)• On TCP

TACACS+

• http://tools.ietf.org/html/draft-grant-tacacs-02

• Example interactions: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

TACACS+

TACACS+ vs RADIUS

• Shared:– Client/server based– Authentication btwn a NAS and an authentication

server– Shared secret

• Differences ?

TACACS+ vs RADIUSsource:

http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/High-Level+Comparison+of+RADIUS+TACACS+and+Diameter/

Criterion TACACS+ RADIUS

TransportTCP (reliable; more overhead)

UDP (unreliable; higher performance)

Authentication and Authorization

Can be separated (more flexible)

Combined

Multiprotocol Support

Supported (IP, Apple, NetBIOS, Novell, X.25)

IP only

Access to Router CLI Commands

Supports two methods to control the authorization of router commands on a per-user or per-group basis

Not supported

Encryption Packet payload Passwords only

AAA Services

Documents

Transcript of AAA Services

Pioneer Valley - · PDF file6 AAA Premier Membership Covered Services TRAVEL INSURANCE AND ASSISTANCE SERVICES Pioneer Valley’s AAA Premier Trip Interruption, Vehicle Return and

COUNTY OF SAN BERNARDINO General Fund...Real Estate Services - Utilities AAA UTL Regional Parks AAA CCP Registrar of Voters AAA ROV Sheriff/Coroner/Public Administrator AAA SHR Sheriff/Coroner/Public

GEORGIA IN PERSPECTIVE 2013 *29(5125·62)),&( PLANNING & … · Moody Investor Services Aaa Standard and Poor’s AAA Fitch’s Investor’s Service AAA Without GARVEEs* With GARVEEs*Planning

AAA Services Limited ETS - Testconsult Limited Asbestos ...

Gauging the Value of AAA Services: Results from a …...2018/08/07 · Gauging the Value of AAA Services: Results from a New Poll & AAA Perspectives Part of the Aging and Disability

AA A A (AAA) A A - iowaaging.gov · The AAA shall promote its services to ensure that consumers are aware of their availability. The AAA shall consider the number of individuals in

(Un-)Certainties in SABR · Dose (cGy) Volume (%) AAA Acuros AAA Acuros AAA Acuros AAA Acuros AAA Acuros AAA Acuros AAA Acuros AAA Acuros 9.3 cm3 7.1 cm3 1.6 cm3 11.4 cm 3 5.5 cm3

AAA (All Aviation Abbreviations) AAA · AAA (All Aviation Abbreviations)

AAA Services. 2 è Authentication è Authorization è Accounting.

AAA WARRANTY SERVICES – M.E. OPERATION

AAA Property Inspection Services · AAA Property Inspection Services Where IntegrityCounts CONFIDENTIAL INSPECTION REPORT PREPARED FOR: Mr. Sample Report _____ INSPECTION ADDRESS

AAA Network Security Services

Member Benefits Services - AAA Auto Club South

AAA Home Repair: Home Services Industry Landscapescet.berkeley.edu/wp-content/uploads/Control-Tower-Presentation.pdf · AAA Home Repair: Home Services Industry Landscape Kristyn Kadala

Association...2020 EGUE TES sdas Ma aaa Ma Monona Ma aaa Ma Monona n aaa n Monona n aaa n Monona n aaa o in, TBA aaa Monona aaa s Monona s aaa s

Bibliography - heuristscholar.orgheuristscholar.org/APPLICATIONS/understanding_mapinfo/Bibliography... · Bibliography AAAA A AAA A AAA A AAA A AAA A AAA A AAA A ... MapInfo Inc.

Measuring the Value of AAA Services - ADvancing …...Measuring the Value of AAA Services: Making the Case to Health Care Partners 5 with an additional 18 percent reporting that they

Elevation - Amazon Web Services...On the Road - Assistance AAA Arizona provides mobile EV charging services for AAA me mbers in the Phoenix and Tucson metro areas. Call 1- 800-AAA-HELP.

AAA Community Assessment Two approaches: Multnomah Aging & Disability Services, and Central Oregon Council on Aging SUA/AAA Webinar January 19, 2011.

2007 AAA/CAA Four Diamond Lodgings - Amazon Web Services · 2007 AAA/CAA Four Diamond Lodgings Number indicates consecutive years as a AAA Four Diamond Award Winner. List published

GEORGIA IN PERSPECTIVE 2013 29(5125·62)),&( PLANNING & … · Moody Investor Services Aaa Standard and Poor’s AAA Fitch’s Investor’s Service AAA Without GARVEEs With GARVEEs*Planning