8/2/2019 CHAPTER 3 - AAA
1/15
3. AUTHENTICATION, AUTHORIZATION, AND ACCOUNTING
3.1 AAA OVERVIEW
To help provide accountability, local database authentication may be implemented using one of
the following commands:
- username username password password
- username username secret password
The username secret form is strongly recommended: the secret is stored as a salted MD5 hash
(type 5), whereas password is stored in clear text or with the trivially reversible type 7 encoding.
Later IOS releases also offer the stronger type 8 and type 9 hashes through the algorithm-type
keyword. The local database method has some limitations: the user accounts must be configured
locally on each device.
AAA is a way to control who is permitted to access a network (authenticate), what they can do
while they are there (authorize), and to audit what actions they performed while accessing the
network (accounting). It provides a higher degree of scalability than the con, aux, vty and
privileged EXEC authentication commands alone.
Network and administrative AAA security in the Cisco environment has several functional
components:
Authentication - Users and administrators must prove that they are who they say they are.
Authentication can be established using username and password combinations, challenge and
response questions, token cards, and other methods. For example: "I am user 'student'. I know
the password to prove that I am user 'student'."
Authorization - After the user is authenticated, authorization services determine which resources
the user can access and which operations the user is allowed to perform. An example is "User
'student' can access host serverXYZ using Telnet only."
Accounting and auditing - Accounting records what the user does, including what is accessed, the
amount of time the resource is accessed, and any changes that were made. Accounting keeps
track of how network resources are used. An example is "User 'student' accessed host serverXYZ
using Telnet for 15 minutes."
3.1.2 AAA CHARACTERISTICS
AAA AUTHENTICATION
AAA can be used to authenticate users for administrative access or it can be used to authenticate
users for remote network access. These two access methods use different modes to request AAA
services:
Character mode - A user sends a request to establish an EXEC mode process with the router for
administrative purposes.
Packet mode - A user sends a request to establish a connection through the router with a device
on the network.
Cisco provides two common methods of implementing AAA services.
Local AAA Authentication
Local AAA uses a local database for authentication. This method stores usernames and passwords
locally in the Cisco router, and users authenticate against the local database. This database is the
same one required for establishing role-based CLI. Local AAA is ideal for small networks.
Server-Based AAA Authentication
The server-based method uses an external database server that is reached with the RADIUS or
TACACS+ protocol. Examples include Cisco Secure Access Control Server (ACS) for Windows
Server, Cisco Secure ACS Solution Engine, or Cisco Secure ACS Express. If there are multiple
routers, server-based AAA is more appropriate.
3.1.2 AAA CHARACTERISTICS
AAA AUTHORIZATION
After users are successfully authenticated against the selected AAA data source (local or server-
based), they are then authorized for specific network resources. Authorization is basically what a
user can and cannot do on the network after that user is authenticated, similar to how privilege
levels and role-based CLI give users specific rights and privileges to certain commands on the
router.
AAA ACCOUNTING
Accounting collects and reports usage data so that it can be employed for purposes such as
auditing or billing. The collected data might include the start and stop connection times, executed
commands, number of packets, and number of bytes.
Accounting is implemented using an AAA server-based solution. This service reports usage statistics
back to the ACS server. These statistics can be extracted to create detailed reports about how the
network is used and what was changed on its devices.
AAA ACCOUNTING FUNCTION
3.2.1 CONFIGURING LOCAL AAA AUTHENTICATION WITH CLI
Local AAA authentication, also referred to as self-contained authentication, should be configured
for smaller networks. Smaller networks are those that have one or two routers providing access
to a limited number of users. This method uses the local usernames and passwords stored on a
router. Configuring local AAA services to authenticate administrator access (character mode
access) requires a few basic steps:
- Step 1. Add usernames and passwords to the local router database for users that need administrative access to the router.
- Step 2. Enable AAA globally on the router.
- Step 3. Configure AAA parameters on the router.
- Step 4. Confirm and troubleshoot the AAA configuration.
To enable AAA, use the aaa new-model global configuration command. To disable AAA, use the no
form of this command. Because enabling AAA immediately changes how every line authenticates,
the local user accounts and the method lists should be configured in the same session as aaa
new-model, and that session should be kept open while a second session confirms that login still works.
After AAA is enabled, to configure authentication on vty ports, asynchronous lines (tty), the
auxiliary port, or the console port, define a named list of authentication methods and then apply
that list to the relevant lines. To define a named list of authentication methods, use the aaa
authentication login command. This command requires a list name and the authentication
methods. The list name identifies the list of authentication methods activated when a user logs in.
The method list is a sequential list describing the authentication methods to be queried for
authenticating a user. Method lists enable an administrator to designate one or more security
protocols for authentication. Using more than one method provides a backup for authentication
in case the initial method fails: the next method is consulted only when the current one returns
an error (for example, an unreachable server), not when it rejects the credentials.
Two of the methods use the router's own user database: local accepts a username regardless of
case, and local-case is case-sensitive. To specify that a user can authenticate using the enable
password, use the enable keyword. To ensure that the authentication succeeds even if all methods
return an error, specify none as the final method. Because none grants access, it should only ever
be the last method on a physically secured console line, never on vty lines reachable over the network.
For example, the following list tries the local database first and falls back to the enable password:
aaa authentication login TELNET-ACCESS local enable
Additional security can be implemented using the aaa local authentication attempts max-fail
number-of-unsuccessful-attempts command in global configuration mode. This command secures
AAA user accounts by locking out accounts that exceed the configured number of failed attempts.
To display a list of all locked-out users, use the show aaa local user lockout command in privileged
EXEC mode. Use the clear aaa local user lockout {username username | all} command in
privileged EXEC mode to unlock a specific user or to unlock all locked users.
The aaa local authentication attempts max-fail command differs from the login delay command in
how it handles failed attempts. The aaa local authentication attempts max-fail command locks the
user account once the threshold is reached, and the account stays locked until it is cleared by an
administrator (so anyone who knows a username can also use it to deny service to that account).
The login delay command introduces a delay between failed login attempts
without locking the account.
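The four steps above, the method lists and the lockout command written out as one complete IOS configuration. This is an added example, not part of the original chapter; the usernames, secrets and the lockout threshold are made-up values, and the exact keywords available depend on the IOS release.

```cisco
! Added example, not from the original chapter. Usernames, secrets and the
! lockout threshold are made-up values.
!
! Step 1: local accounts. "secret" stores a salted hash (type 5 here);
! "password" would be stored reversibly and must not be used.
! On IOS 15.3(3)M and later prefer:
!   username admin privilege 15 algorithm-type scrypt secret ...
username admin privilege 15 secret StrongAdminPassw0rd!
username helpdesk privilege 1 secret HelpdeskPassw0rd!
enable secret EnableSecretPassw0rd!
!
! Step 2: enable AAA. From here on the "default" list governs every line.
aaa new-model
!
! Step 3: method lists.
! Default list: local database, usernames matched case-sensitively.
aaa authentication login default local-case
! Remote access: local database first, enable secret only if the local
! method returns an error. A wrong password is a failure and stops here;
! a username missing from the local database is treated as an error and
! falls through to the next method.
aaa authentication login TELNET-ACCESS local-case enable
! Console safety net: "none" grants access, so it belongs only on a
! physically secured console and never on a vty line.
aaa authentication login CONSOLE local-case none
!
! Lock an account after five consecutive failures; an administrator must
! clear it (clear aaa local user lockout username <name>).
aaa local authentication attempts max-fail 5
!
! Apply the lists. Lines without "login authentication" use "default".
line console 0
 login authentication CONSOLE
line vty 0 4
 login authentication TELNET-ACCESS
 transport input ssh
!
! Step 4: verify from a second session before closing the one used to
! configure, in case a list is wrong:
!   show aaa local user lockout
!   debug aaa authentication
```

Keep the configuring session open until a fresh SSH login through TELNET-ACCESS and a console login through CONSOLE have both been confirmed; a mistake in a method list on a remote router is otherwise only recoverable through password recovery.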
AAA can be enabled using CCP. To verify the AAA configuration and to enable or disable AAA,
choose Configure > Router > AAA > AAA Summary.
The option also exists to configure a default list name. When AAA is first enabled, the default
method list named "default" is automatically applied to all interfaces and lines, but it has no
authentication methods defined. To assign one or more authentication methods to the default list,
use the command aaa authentication login default method1 [method2...]. For example, the enable
method could be configured as a fallback mechanism in case the username and password are
forgotten.
The first task when using CCP to configure AAA services for local authentication is to create
users:
- Step 1. Choose Configure > Router > Router Access > User Accounts/View.
- Step 2. Click Add to add a new user.
- Step 3. In the Add an Account window, enter the username and password in the appropriate fields to define the user account.
- Step 4. From the Privilege Level drop-down list, choose 15, unless lesser privilege levels have been defined.
- Step 5. If views have been defined, check the Associate a View with the user check box and choose, from the View Name list, the view to associate with the user.
- Step 6. Click OK.
The CLI command that CCP generates is username AAAadmin privilege 15 secret 5
$1$f16u$uKOO6J/UnojZ0bCEzgnQi1 view root (the 5 indicates that the secret is already stored as a type 5 MD5 hash).
To set the local database as the method of a login method list with CCP:
- Step 1. Choose Configure > Router > AAA > Authentication Policies > Login. Any defined method lists will be displayed.
- Step 2. To view the options for a method list, select the list name and click Edit.
- Step 3. From the Edit a Method List for Authentication Login window, click Add.
- Step 4. From the Select Method List(s) for Authentication Login window, choose local from the method list if it is not already selected.
- Step 5. Click OK.
3.3.1 SERVER-BASED AAA CHARACTERISTICS
Local implementations of AAA do not scale well. Most corporate environments have multiple
Cisco routers with multiple router administrators and hundreds or thousands of users needing
access to the corporate LAN. Maintaining a local database for each Cisco router for this size of
network is not feasible.
To solve this challenge, one or more AAA servers, such as Cisco Secure ACS, can be used to
manage the user and administrative access needs for an entire corporate network.
The Cisco Secure ACS family of products supports both Terminal Access Controller Access-Control
System Plus (TACACS+) and Remote Authentication Dial-In User Service (RADIUS), the two
predominant protocols used by Cisco security appliances, routers, and switches for implementing
AAA. Whether TACACS+ or RADIUS is selected depends on the needs of the organization. For
example, a large ISP might select RADIUS because it supports the detailed accounting required for
billing users. An organization with various user groups might select TACACS+ because it allows
separate authorization policies to be applied on a per-user or per-group basis.
While both protocols can be used to communicate between clients and AAA servers, TACACS+ is
considered the more secure protocol, because the entire body of every TACACS+ packet is
encrypted. RADIUS only obscures the user password; it does not encrypt user names, accounting
information, or any other attribute carried in the RADIUS message. Both protocols rest on a static
shared secret and MD5, so in practice the path to the AAA server should also be protected, for
example by a dedicated management network or an IPsec tunnel.
It is important to understand the many differences between the TACACS+ and RADIUS protocols.
Critical factors for TACACS+ include:
- Is incompatible with its predecessors TACACS and XTACACS
- Separates authentication and authorization
- Encrypts all communication (the packet body; the header is sent in the clear)
- Utilizes TCP port 49
Critical factors for RADIUS include:
- Uses RADIUS proxy servers for scalability
- Combines RADIUS authentication and authorization as one process
- Encrypts only the password
- Utilizes UDP (ports 1812 for authentication and 1813 for accounting; older deployments use 1645 and 1646)
3.3.2 SERVER-BASED AAA COMMUNICATION PROTOCOLS
The extensions in TACACS+ provide more types of authentication requests and response codes
than were in the original TACACS specification. TACACS+ offers multiprotocol support, such as IP
and AppleTalk. Normal TACACS+ operation encrypts the entire body of the packet (only the
12-byte header is sent in the clear) for more secure communications and utilizes TCP port 49.
RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol for
applications such as network access or IP mobility. RADIUS works in both local and roaming
situations and is commonly used for accounting purposes. RADIUS is currently defined by RFCs
2865, 2866, 2867, and 2868.
The RADIUS protocol hides passwords during transmission, even with the Password
Authentication Protocol (PAP): the client XORs the password with an MD5 digest of the shared
secret concatenated with the 16-byte Request Authenticator (RFC 2865, section 5.2). However,
the rest of the packet is sent in plaintext, and this construction only obscures the password; it is
not encryption in the modern sense and is only as strong as the shared secret.
RADIUS is widely used by VoIP service providers. It passes login credentials of a SIP endpoint, such
as a broadband phone, to a SIP registrar using digest authentication, and then to a RADIUS server
using RADIUS. RADIUS is also a common authentication protocol that is utilized by the 802.1X
security standard.
3.3.3 CISCO SECURE ACS
Fortunately, Cisco Secure ACS for Windows Server is a single solution that offers AAA for both
TACACS+ and RADIUS.
The Cisco ACS family of products are highly scalable, high-performance access control servers that
can be leveraged to control administrator access and configuration for all network devices in a
network supporting RADIUS or TACACS+ or both. Cisco Secure ACS offers several benefits:
- Extends access security by combining authentication, user access, and administrator access with policy control within a centralized identity networking solution.
- Allows greater flexibility and mobility, increased security, and user-productivity gains.
- Enforces a uniform security policy for all users, regardless of how they access the network.
- Reduces the administrative and management burden when scaling user and network administrator access to the network.
Cisco Secure ACS can authenticate users against an internal Cisco Secure user database, or it can
be configured to leverage external databases that can be centrally managed. This centralizes the
control of all user privileges and distributes them to access points throughout the network. Cisco
Secure ACS provides detailed reporting and monitoring capabilities of user behavior, access
connections, and device configuration changes.
Cisco Secure ACS provides a variety of advanced features:
- Automatic service monitoring
- Database synchronization and importing tools for large-scale deployments
- LDAP user authentication support
- User and administrative access reporting
- Restrictions to network access based on criteria such as the time of day and the day of week
- User and device group profiles
Cisco Secure ACS has many high-performance and scalability features:
Ease of use - A web-based user interface simplifies and distributes the configuration for user
profiles, group profiles, and Cisco Secure ACS configuration.
Scalability - Cisco Secure ACS is built to provide large networked environments with support for
redundant servers, remote databases, and database replication and backup services.
Extensibility - LDAP authentication forwarding supports the authentication of user profiles that
are stored in directories from leading directory vendors, including Sun, Novell, and Microsoft.
Management - Microsoft Windows Active Directory support consolidates Windows username and
password management and uses the Windows Performance Monitor for real-time statistics
viewing.
Administration - Different access levels for each Cisco Secure ACS administrator and the ability to
group network devices together make it easier and more flexible to control the enforcement and
changes of security policy administration for all devices in a network.
Product flexibility - Because Cisco IOS software has embedded support for AAA, Cisco Secure ACS
can be used across virtually any network access server that Cisco sells (the Cisco IOS software
release must support RADIUS or TACACS+). Cisco Secure ACS is available in three options: Cisco
Secure ACS Solution Engine, Cisco Secure ACS Express, and Cisco Secure ACS for Windows.
Integration - Tight coupling with Cisco IOS routers and VPN solutions provides features such as
multi-chassis multilink PPP and Cisco IOS software command authorization.
Third-party support - Cisco Secure ACS offers token server support for any one-time password
(OTP) vendor that provides an RFC-compliant RADIUS interface, such as RSA, PassGo, Secure
Computing, ActiveCard, Vasco, or CryptoCard.
Control - Cisco Secure ACS provides dynamic quotas to restrict access based on the time of day,
network use, number of logged sessions, and the day of the week.
3.3 SERVER-BASED AAA
3.3.4 CONFIGURING CISCO SECURE ACS
Before installing the Cisco Secure ACS, it is important to prepare the server. Third-party software
requirements and the network and port requirements of the server and AAA devices must be
considered.
Network and Port Prerequisites
The network should meet the following requirements before administrators begin deploying Cisco Secure ACS:
- For full TACACS+ and RADIUS support on Cisco IOS devices, AAA clients must run Cisco IOS Release 11.2 or later.
- Cisco devices that are not Cisco IOS AAA clients must be configured with TACACS+, RADIUS, or both.
- Dial-in, VPN, or wireless clients must be able to connect to the applicable AAA clients.
- The computer running Cisco Secure ACS must be able to reach all AAA clients using ping.
- Gateway devices between the Cisco Secure ACS and other network devices must permit communication over the ports that are needed to support the applicable feature or protocol (TCP 49 for TACACS+, UDP 1812/1813 or 1645/1646 for RADIUS).
- A supported web browser must be installed on the computer running Cisco Secure ACS. For the most recent information about tested browsers, see the release notes for the Cisco Secure ACS product on Cisco.com.
All NICs in the computer running Cisco Secure ACS must be enabled. If there is a disabled network
card on the computer running Cisco Secure ACS, installing Cisco Secure ACS might proceed slowly
because of delays caused by the Microsoft CryptoAPI.
The home page of the Cisco Secure ACS contains a navigation bar with buttons that represent
functions that can be configured:
- User Setup
- Group Setup
- Shared Profile Components
- Network Configuration
- System Configuration
- Interface Configuration
- Administration Control
- External User Databases
- Posture Validation
- Network Access Profiles
- Reports and Activity
- Online Documentation
The Interface Configuration page allows the administrator to control the display of properties on
the User Setup page. The specific options displayed depend on whether TACACS+ or RADIUS
clients have been added to the server:
- User Data Configuration
- TACACS+ (Cisco IOS)
- RADIUS (Microsoft)
- RADIUS (Ascend)
- RADIUS (IETF)
- RADIUS (IOS/PIX)
- Advanced Options
Cisco Secure ACS can be configured to forward authentication of users to one or more external
user databases. Support for external user databases means that Cisco Secure ACS does not
require duplicate user entries to be created in the Cisco Secure user database.
The Database Configuration screen is used to define the parameters of the external server.
Options include:
- RSA SecurID Token Server
- RADIUS Token Server
- External ODBC Database
- Windows Database
- LEAP Proxy RADIUS Server
- Generic LDAP
3.3.5 CONFIGURING CISCO SECURE ACS USERS AND GROUPS
When Cisco Secure ACS is configured to communicate with an external user database, it can be
configured to authenticate users with the external user database in one of two ways:
By specific user assignment - Authenticate specific users with an external user database.
By unknown user policy - Use an external database to authenticate users not found in the Cisco
Secure user database. This method does not require administrators to define users in the Cisco
Secure user database.
3.4.1 CONFIGURING SERVER-BASED AAA AUTHENTICATION WITH CLI
Unlike local AAA authentication, server-based AAA must identify the TACACS+ and RADIUS
servers that the AAA service should consult when authenticating and authorizing users.
There are a few basic steps to configure server-based authentication:
Step 1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all
other AAA commands.
Step 2. Specify the Cisco Secure ACS that will provide AAA services for the router. This can be a
TACACS+ or RADIUS server.
Step 3. Configure the shared secret key used to protect the exchange between the network
access server and Cisco Secure ACS. The same key must be configured on the ACS for that client;
with TACACS+ it keys the encryption of the packet body, with RADIUS it only hides the password
and authenticates the packets.
Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server.
For redundancy, it is possible to configure more than one server, and the local database is normally
kept as the last method so that administrators can still log in if every server is unreachable.
If using CCP for TACACS+ support, it is necessary to specify a list of available Cisco Secure ACS
servers that provide TACACS+ services for the router:
Step 1. From the CCP home page, choose Configure > Router > AAA > AAA Servers and Groups >
Servers.
Step 2. From the AAA Servers pane, click Add. The Add AAA Server window appears. Choose
TACACS+ from the Server Type list box.
Step 3. Enter the IP address or host name of the AAA server in the Server IP or Host field. If the
router has not been configured to use a DNS server, enter a DNS server IP address.
Step 4. The router can be configured to maintain a single open connection to the TACACS+ server
rather than opening and closing a TCP connection each time it communicates with the server. To
do so, check the Single connection to server(for CiscoSecure) check box.
Step 5. To override AAA server global settings and specify a server-specific timeout value in the
Server-Specific Setup section, enter a value in the Timeout (seconds) field. This field determines
how long the router waits for a response from this server before going on to the next server in the
group list. If a value is not entered, the router uses the value that is configured in the AAA Servers
Global Settings window. The default setting is five seconds.
Step 6. To configure a server-specific key, check the Configure Key check box and enter the key
that is used to encrypt traffic between the router and this server in the New Key field. Re-enter
the key in the Confirm Key field for confirmation. If this option is not checked and a value is not
entered, the router uses the value that was configured in the AAA Servers Global Settings window.
Step 7. Click OK.
The debug aaa authentication command is a useful AAA troubleshooting command because it
provides a high-level view of login activity.
The command indicates a status message of PASS when a TACACS+ login attempt is successful. If
the status message returned is FAIL, verify the secret key and troubleshoot as necessary. Run
debugs from a separate session and turn them off with undebug all when finished, since they add
load on a production router.
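The four CLI steps above (and what the CCP dialog generates) as one complete IOS configuration with a TACACS+ server, a RADIUS server and the local database as the last resort. This is an added example, not part of the original chapter; the server addresses, shared secrets and server names are made-up values, and the newer tacacs server / radius server syntax requires IOS 15.x (the legacy one-line form is shown in a comment).

```cisco
! Added example, not from the original chapter. Addresses, keys and
! names are made-up values.
!
! Step 1: enable AAA globally.
aaa new-model
!
! Steps 2 and 3: define the Cisco Secure ACS servers and their shared
! secrets. Legacy equivalent of the TACACS+ block:
!   tacacs-server host 192.0.2.10 single-connection key Tacacs-Shared-Secret-1
tacacs server ACS-TACACS
 address ipv4 192.0.2.10
 key Tacacs-Shared-Secret-1
 single-connection
 timeout 5
!
radius server ACS-RADIUS
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key Radius-Shared-Secret-1
!
! Group the servers so method lists can refer to them by name.
aaa group server tacacs+ ACS-TACACS-GROUP
 server name ACS-TACACS
aaa group server radius ACS-RADIUS-GROUP
 server name ACS-RADIUS
!
! Send requests from a fixed address so the ACS client entry (and its
! shared secret) matches whichever interface the packet leaves on.
ip tacacs source-interface Loopback0
ip radius source-interface Loopback0
!
! Step 4: method list. A later method is tried only when the previous
! one returns an error (server unreachable); a rejected password from the
! ACS does not fall through to "local".
username admin privilege 15 secret StrongAdminPassw0rd!
aaa authentication login default group ACS-TACACS-GROUP group ACS-RADIUS-GROUP local
!
line vty 0 4
 transport input ssh
!
! Verification. Per the chapter, debug aaa authentication shows PASS on
! success and FAIL when the secret should be checked. The router can also
! test the server group directly without a login:
!   test aaa group ACS-TACACS-GROUP admin StrongAdminPassw0rd! legacy
!   debug aaa authentication
```

Before relying on the list in production, unplug or block the server once and confirm that the local account still logs in; that is the only way to know the fallback actually works.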
3.5.1 CONFIGURING SERVER-BASED AAA AUTHORIZATION
The TACACS+ protocol allows the separation of authentication from authorization. A router can be
configured to restrict the user to performing only certain functions after successful
authentication. Authorization can be configured for both character mode (exec authorization) and
packet mode (network authorization). Keep in mind that RADIUS does not separate the
authentication from the authorization process.
Another important aspect of authorization is the ability to control user access to specific services.
Controlling access to configuration commands greatly simplifies the infrastructure security in
large enterprise networks. Per-user permissions on the Cisco Secure ACS simplify network device
configuration.
By default, TACACS+ establishes a new TCP session for every authorization request, which can
lead to delays when users enter commands. Cisco Secure ACS supports persistent TCP sessions to
improve performance (enabled on the router with the single-connection option of the server
definition).
To configure authorization, use the aaa authorization {network | exec | commands level}
{default | list-name} method1...[method4] command. The service type specifies the type of
commands or services:
- commands level - for exec (shell) commands at the given privilege level
- exec - for starting an exec (shell)
- network - for network services (PPP, SLIP, ARAP)
3.5.2 CONFIGURING SERVER-BASED AAA ACCOUNTING
To configure AAA accounting, use the aaa accounting {network | exec | connection} {default | list-
name} {start-stop | stop-only | none} [broadcast] method1...[method4] global configuration
mode command. The network, exec, and connection parameters are commonly used keywords.
Network - Runs accounting for all network-related service requests, including Serial Line Internet
Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs).
Exec - Runs accounting for the EXEC shell session.
Connection - Runs accounting on all outbound connections made from the network access server,
such as Telnet or local-area transport (LAT).
Default - Uses the listed accounting methods that follow this keyword as the default list of
methods.
List-name - Character string used to name a custom accounting method list.
Start-stop - Sends a "start" accounting notice at the beginning of a process and a "stop"
accounting notice at the end of a process.
Stop-only - Sends a "stop" accounting record for all cases including authentication failures.
None - Disables accounting services on a line or interface.
Broadcast - (Optional) Enables sending accounting records to multiple AAA servers.
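The authorization and accounting commands from 3.5.1 and 3.5.2 applied together. This is an added example, not part of the original chapter; it assumes a TACACS+ server group named ACS-TACACS-GROUP has already been defined (a made-up name), and uses the local database as the authorization fallback.

```cisco
! Added example, not from the original chapter. ACS-TACACS-GROUP is an
! assumed, previously defined aaa group server tacacs+.
!
! Character-mode authorization: first the EXEC shell itself, then every
! command entered at privilege levels 1 and 15.
aaa authorization exec default group ACS-TACACS-GROUP local
aaa authorization commands 1 default group ACS-TACACS-GROUP local
aaa authorization commands 15 default group ACS-TACACS-GROUP local
! IOS does not apply authorization to the console unless told to; leave
! this commented until the ACS command sets have been verified, or a bad
! policy locks out the console as well.
!   aaa authorization console
!
! Packet-mode authorization for network services such as PPP.
aaa authorization network default group ACS-TACACS-GROUP
!
! Accounting. EXEC and network sessions get start and stop records;
! command accounting only produces stop records, one per command.
aaa accounting exec default start-stop group ACS-TACACS-GROUP
aaa accounting commands 15 default stop-only group ACS-TACACS-GROUP
aaa accounting network default start-stop group ACS-TACACS-GROUP
! System events (reloads, accounting on/off) complete the audit trail.
aaa accounting system default start-stop group ACS-TACACS-GROUP
!
! Verification:
!   show aaa sessions
!   debug aaa authorization
!   debug aaa accounting
```

Command accounting records are the evidence that makes the "who changed what" question answerable later, so send them to a server whose logs are retained and protected; accounting kept only on the router disappears with the next reload.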