CCNP (Cisco Certified Network Professional) Route Certification Exam Cram Notes

5. Infrastructure Security

5.1 AAA

AAA stands for Authentication, Authorization, and Accounting.

Authentication: Authentication provides the method of identifying users, primarily using login and password. The communication is usually encrypted. Authentication is the way a user is identified prior to being allowed access to the network and network services.

Authorization: Authorization provides authorization for access to network resources. Remote security servers, such as RADIUS and TACACS+, authorize users for accessing specific resources by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity.

Accounting: Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.

Given below are the steps in brief that one needs to go through for configuring AAA.

On the client side:

1. Configure AAA : aaa new model

2. Specify AAA server to be accessed by the client:

acacs-server host 192.168.1.2 key cisco@123

3. Create a name method list. MYAUTHLIST is used for example only. You can use whichever name you want.

aaa authentication login MYAUTHLIST group tacacs+ local

4. Create authorization method list to apply on users that have been authenticated.

aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local

5. Apply the method lists to a device interface

line vty 0 4
login authentication MYAUTHLIST
authorization exec MYUAUTHORIZATIONLIST

Example:The given command is:

aaa authentication login CONSOLE line

In the above command:

i) The named list is CONSOLE.

ii) There is only one authentication method (line).

Once a named list (in this example, CONSOLE) is created, it must be applied to a line or interface for it to come into effect. This is done using the login authentication list name command:

line con 0
exec-timeout 0 0
password cisco
login authentication CONSOLE

You need to enter the password "cisco" (configured on line con 0) to get console access. The default list, if specified, is used on tty, vty and aux.

The syntax for a method list is as follows:

aaa type { default | list-name} method-1 [ method-2 method-3 method-4]

Given the AAA command:

aaa authentication login default group radius local

In the above command:

1. AAA type is authentication login

2. The named list is the default one (default).

3. There are two authentication methods (group radius and local).

All users are authenticated using the Radius server (the first method). If the Radius server doesn't respond, then the router's local database is used (the second method). For local authentication, define the username name and password:

username xxx password yyy

Because we are using the list default in the aaa authentication login command, login authentication is automatically applied for all login connections (such as tty, vty, console and aux)

! Creating the method list.
R1(config)# aaa authentication login AUTHLIST local

! Applying the method list to the VTY lines 0-4

R1(config)# line vty 0 4
R1(config-line)# login authentication AUTHLIST
R1(config-line)# exit

The sequence of steps in creating and applying a method list on a router are:

a. Enable AAA

b. Create method lists for authentication. You may create more than one method. The second method (local) is used only when the first method fails.

c. Apply the method lists per line/per interface

Typical configuration commands for enabling AAA, and creating a list method AUTHLIST, and applying the same on vty lines is given below:

Frisco(config)# aaa new-model
Frisco(config)# aaa authentication login AUTHLIST local
Frisco(config)# line vty 0 4
Frisco(config-line)# login authentication AUTHLIST

Previous   Contents   Next


CCNP Route Cram Notes Contents certexams.com ad