AAA stands for Authentication, Authorization, and Accounting.
Four important aspects of security are authentication, authorization, integrity, and non-repudiation.
Authentication: Authentication is the process of identifying a user, usually by username and password, before that user is allowed access to the network and network services; the exchange is usually encrypted. It rests on the idea that each user holds unique information that sets him or her apart from other users.
Authorization: Authorization controls access to network resources. Remote security servers such as RADIUS and TACACS+ authorize users for specific resources by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. The authorization process determines whether the user has the authority to issue a given command. Simply put, authorization is the process of enforcing policy: determining what types or qualities of activities, resources, or services a user is permitted. Authorization usually occurs within the context of authentication: once a user has been authenticated through the username and password, he or she may be authorized for different types of access or activity, and the amount of information and the services the user can reach depend on the user's authorization level.
Accounting: Accounting is carried out by logging session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning. It is the process of keeping track of a user's activity while accessing network resources, including the amount of time spent on the network, the services accessed while there, and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.
By default, a Cisco IOS device performs authentication based on a line password and authorization based on the level 15 enable password. This is a problem for any organization that wants granularity or the ability to trace activity back to one of several users. The solution is AAA, an acronym for Authentication, Authorization and Accounting, which lets an administrator configure granular access to, and auditability of, an IOS device. To enable this more advanced and granular control in IOS, the "aaa new-model" command must be entered first.
Integrity: Integrity ensures that the data is not compromised. A simple integrity checker is parity. By ensuring that the parity of a transmitted message is correct, you can accept the message. For complex systems, where confidential information is involved, encryption is used for verifying the integrity of a transmitted message.
Non-repudiation: Non-repudiation ensures that neither the sender nor the receiver can refute having sent or received a message. For example, suppose you receive an email from your prospective employer. If that email is unsigned, the employer could later deny having sent it. Non-repudiation ensures that the sender cannot deny transmitting a message and the receiver cannot deny receiving it.
The steps for configuring AAA are given in brief below.
On the client side:
1. Configure AAA
aaa new-model
2. Specify AAA server to be accessed by the client
tacacs-server host 192.168.1.2 key cisco@123
3. Create a named method list. MYAUTHLIST is used as an example only; you can use whichever name you want.
aaa authentication login MYAUTHLIST group tacacs+ local
4. Create an authorization method list to apply to users that have been authenticated.
aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local
5. Apply the method lists to a device interface
line vty 0 4
login authentication MYAUTHLIST
authorization exec MYAUTHORIZATIONLIST
The given command is: aaa authentication login CONSOLE line
In the above command:
i) The named list is CONSOLE.
ii) There is only one authentication method (line).
Once a named list (in this example, CONSOLE) is created, it must be applied to a line or interface for it to take effect. This is done with the login authentication <list-name> command:
line con 0
exec-timeout 0 0
password cisco
login authentication CONSOLE
You need to enter the password "cisco" (configured on line con 0) to get console access. The default list, if specified, is used on tty, vty and aux.
The syntax for a method list is as follows:
aaa type {default | list-name} method-1 [method-2 method-3 method-4]
Given the AAA command:
aaa authentication login default group radius local
In the above command:
1. AAA type is authentication login
2. The named list is the default one (default).
3. There are two authentication methods (group radius and local).
All users are authenticated using the RADIUS server (the first method). If the RADIUS server doesn't respond, the router's local database is used (the second method). For local authentication, define the username and password: username xxx password yyy
Because the list is named default in the aaa authentication login command, login authentication is automatically applied to all login connections (tty, vty, console and aux).
Example 1: Creating the method list.
R1(config)# aaa authentication login AUTHLIST local
! Applying the method list to the VTY lines 0-4
R1(config)# line vty 0 4
R1(config-line)# login authentication AUTHLIST
R1(config-line)# exit
If you want to see which method lists were applied to your vty lines, just navigate to Configure > Router > Router Access > VTY
Example 2: The sequence of steps in creating and applying a method list on a router is:
1. Enable AAA
2. Create method lists for authentication. You may create more than one method. The second method (local) is used only when the first method fails.
3. Apply the method lists per line/ per interface
The following security measures are appropriate for each plane in the Network Foundation Protection strategy:
1. Management Plane: AAA; authenticated Network Time Protocol (NTP); SSH; SSL/TLS; protected syslog; SNMPv3; TACACS+; VTY ACLs
2. Control Plane: Control Plane Policing (CoPP); Control Plane Protection (CPPr); authenticated routing protocol updates
3. Data Plane: ACLs; Layer 2 controls such as private VLANs and Spanning Tree Protocol (STP) guards; IOS IPS; Zone-Based Firewall
4. TCP Intercept: protect servers and other resources from denial of service (DoS) attacks, specifically TCP SYN attacks
5. Unicast Reverse Path Forwarding: limit the appearance of spoofed addresses on a network
6. IOS IPS: uses signature matches to look for malicious traffic.
7. ACLs: filters traffic based on pre-determined rules
For the authentication method list and authorization method list to be used we need to apply these method lists to the VTY lines.
The following security measures may be applied to Management Plane:
1. Authentication, Authorization, and Accounting (AAA)
2. Network Time Protocol (NTP)
3. Secure Shell (SSH)
4. SSL/TLS
5. Protected syslog
6. SNMPv3
7. Parser views
Below are the configuration steps to apply the authentication and authorization method lists to the first five VTY lines:
R1>enable
R1#configure terminal
R1(config)#line vty 0 4
R1(config-line)#login authentication authentest
R1(config-line)#authorization exec authortest
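To tie together the configuration steps, the method-list syntax and the VTY application shown above, here is an added example (not from the page, not Cisco code) that parses a running-config excerpt and reports the problems these notes describe: a missing aaa new-model, a method list with no local fallback for when the server does not respond, and a line that references a list name that was never defined. The configuration text, list names and finding messages are constructed for the example.

```python
import re
# Constructed sample IOS config modelled on the page's client-side steps; the
# authorization list name under the vty lines is deliberately misspelled.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.1.2 key cisco@123
aaa authentication login MYAUTHLIST group tacacs+ local
aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local
line con 0
 login authentication MYAUTHLIST
line vty 0 4
 login authentication MYAUTHLIST
 authorization exec MYUAUTHORIZATIONLIST
"""
METHOD_LINE = re.compile(r"^aaa (authentication login|authorization exec) (\S+) (.+)$")

def parse_config(text):
    """lists: (aaa type, list name) -> methods in the order tried; lines: line name -> {aaa type: list applied}."""
    has_new_model, lists, lines, current = False, {}, {}, None
    for raw in text.splitlines():
        s = raw.strip()
        m = METHOD_LINE.match(s)
        if s == "aaa new-model":
            has_new_model = True
        elif m:
            lists[(m.group(1), m.group(2))] = m.group(3).split()
        elif s.startswith("line "):  # start of a line block, e.g. 'line vty 0 4'
            current = s[5:]
            lines[current] = {}
        elif current and s.startswith("login authentication "):
            lines[current]["authentication login"] = s.split()[-1]
        elif current and s.startswith("authorization exec "):
            lines[current]["authorization exec"] = s.split()[-1]
    return has_new_model, lists, lines

def audit(text):
    """Findings: missing aaa new-model, lists with no local fallback, lines naming an undefined list."""
    has_new_model, lists, lines = parse_config(text)
    findings = []
    if not has_new_model:
        findings.append("aaa new-model is missing; AAA method lists are not in effect")
    for (aaa_type, name), methods in lists.items():
        if "local" not in methods:
            findings.append(f"{aaa_type} {name}: no local fallback if the server is unreachable")
    for line, applied in lines.items():
        for aaa_type, name in applied.items():
            if (aaa_type, name) not in lists:
                findings.append(f"line {line}: {aaa_type} list {name} is not defined")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only the misspelled authorization list on line vty 0 4; the console line and both defined lists pass.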
TACACS+ Technology: TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. We must have access to, and must configure, a TACACS+ server before the TACACS+ features configured on a network access server are available. It provides separate and modular authentication, authorization, and accounting facilities. TACACS+ allows a single access control server (the TACACS+ daemon) to provide each service, authentication, authorization, and accounting, independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.
Syntax: Router(config)# tacacs-server host <ip-address> key <keyname>
Ex: Router(config)#tacacs-server host 192.168.10.1 key cisco123
Features of TACACS+ Server
1. Granular control: TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. TACACS+ is very commonly used for device administration.
2. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.
3. TACACS+ is a Cisco proprietary protocol (later became an Open standard), and very widely supported by various vendors offering AAA servers. Note that RADIUS is an Open Standard and widely supported too.
4. TACACS+ uses TCP port 49 to communicate between the server and the client.
Example: With respect to the command "test aaa group tacacs+ admin Frisco123 legacy", the following are true:
1. It enables you to verify that the ACS to router authentication component is working
2. Frisco123 is the shared secret that has been configured on the ACS server
3. It tests the reachability of ACS server
4. tacacs+ is the group name
TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server the commands that are allowed, on a per-user or per-group basis. TACACS offers multiprotocol support.
RADIUS Server:
The following are the important features of RADIUS server:
1. Open standard, and widely supported. Note that TACACS+ is a Cisco proprietary standard, but well supported too.
2. Uses UDP ports.
3. Provides more extensive accounting capability than a TACACS+ server.
4. Only the password is encrypted in packets transiting between the RADIUS server and the client (any device acting as client, such as a router or a switch or a host computer). On the other hand, TACACS+ provides complete encryption for communication between the TACACS+ server and the client.
5. There is a new upgrade expected, named Diameter.
6. RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
7. RADIUS messages are sent as User Datagram Protocol (UDP) messages. Only one RADIUS message is included in the UDP payload of a RADIUS packet. RADIUS does not support these protocols:
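Item 4 above (RADIUS hides only the User-Password attribute, while the rest of the packet, including the User-Name, travels in cleartext) made concrete as an added example that is not from the page: the User-Password hiding of RFC 2865 section 5.2, an Access-Request built with it, and an attribute walk that needs no secret. The shared secret, Request Authenticator and credentials are constructed values.

```python
import hashlib
import struct

# Constructed values for the demonstration: a real NAS draws a fresh random
# 16-byte Request Authenticator per packet and uses the secret configured on both sides.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes(range(16))

def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks; XOR the first block with
    MD5(secret + authenticator), each later one with MD5(secret + previous hidden block)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], pad))
        hidden += prev
    return hidden

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; this is what the RADIUS server does with the shared secret."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00").decode()

def build_access_request(identifier, username, password, secret, authenticator):
    """Access-Request (Code 1): 20-byte header, then User-Name (type 1) and User-Password (type 2) TLVs."""
    attrs = b""
    for attr_type, value in ((1, username.encode()), (2, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value  # length counts the 2-byte TLV header
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Walk the attribute TLVs after the header. No secret is needed, so everything
    except the hidden User-Password value is readable from the bytes on the wire."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Parsing a built request returns the User-Name as plain bytes, while the User-Password value only decodes through reveal_password with the shared secret; a TACACS+ packet would expose only its header this way.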
Authentication and Authorization using ACS:
Cisco Access Control Server uses several components as described below:
Cisco Identity Services Engine (ISE) provides context-aware identity management in the following areas:
Cisco ISE functions include the following: