Cisco® CCNA Security Exam Notes : Aaa Concepts(authentication, Authorization, And Accounting)


Go to latest CCNA Exam Cram

2. Secure Access

2.2 AAA Concepts

AAA stands for Authentication, Authorization, and Accounting.

Four important aspects of security are authentication, authorization, integrity, and non-repudiation.

Authentication: Authentication provides the method of identifying users, primarily using login and password. The communication is usually encrypted. Authentication is the way a user is identified prior to being allowed access to the network and network services. Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.

Authorization: Authorization provides authorization for access to network resources. Remote security servers, such as RADIUS and TACACS+, authorize users for accessing specific resources by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. The authorization process determines whether the user has the authority to issue such commands. Simply put, authorization is the process of enforcing policies: determining what types or qualities of activities, resources, or services a user is permitted. Usually, authorization occurs within the context of authentication. Once you have authenticated a user, they may be authorized for different types of access or activity. Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level.

Accounting: Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities. Accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.

By default, a Cisco IOS device performs authentication based on a line password and authorization based on a level 15 enable password. This is a problem for any organization that desires granularity or the ability to track activities back to one of multiple users. The solution to this is AAA, an acronym for Authentication, Authorization and Accounting. This allows an administrator to configure granular access and audit ability to an IOS device. To enable this more advanced and granular control in IOS, we must first use the "aaa new-model" command.

Integrity: Integrity ensures that the data is not compromised. A simple integrity checker is parity. By ensuring that the parity of a transmitted message is correct, you can accept the message. For complex systems, where confidential information is involved, encryption is used for verifying the integrity of a transmitted message.

Non-repudiation: Non-repudiation ensures that the sender, as well as the receiver cannot refute having sent or received a message. For example, you receive an email from your perspective employer. By using an unsigned email, it might so happen that your employer later denies having sent any such email. Non-repudiation ensures that neither the sender nor the receiver can deny the transmission or the reception of a message respectively.

Given below are the steps in brief that one needs to go through for configuring AAA.

On the client side:

1. Configure AAA

aaa new model

2. Specify AAA server to be accessed by the client

tacacs-server host key cisco@123

3. Create a name method list. MYAUTHLIST is used for example only. You can use whichever name you want.

aaa authentication login MYAUTHLIST group tacacs+ local

4. Create authorization method list to apply on users that have been authenticated.

aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local

5. Apply the method lists to a device interface

line vty 0 4

login authentication MYAUTHLIST


The given command is: aaa authentication login CONSOLE line

In the above command:

i) The named list is CONSOLE.

ii) There is only one authentication method (line).

Once a named list (in this example, CONSOLE) is created, it must be applied to a line or interface for it to come into effect. This is done using the login authentication list name command:

line con 0
exec-timeout 0 0
password cisco
login authentication CONSOLE

You need to enter the password "cisco" (configured on line con 0) to get console access. The default list, if specified, is used on tty, vty and aux.

The syntax for a method list is as follows:

aaa type { default | list-name} method-1 [ method-2 method-3 method-4]

Given the AAA command:

aaa authentication login default group radius local

In the above command:

1. AAA type is authentication login

2. The named list is the default one (default).

3. There are two authentication methods (group radius and local).

All users are authenticated using the Radius server (the first method). If the Radius server doesn't respond, then the router's local database is used (the second method). For local authentication, define the username name and password:username xxx password yyy

Because we are using the list default in the aaa authentication login command, login authentication is automatically applied for all login connections (such as tty, vty, console and aux)

Example1: Creating the method list.

R1(config)# aaa authentication login AUTHLIST local

! Applying the method list to the VTY lines 0-4

R1(config)# line vty 0 4

R1(config-line)# login authentication AUTHLIST

R1(config-line)# exit

If you want to see which method lists were applied to your vty lines, just navigate to Configure > Router > Router Access > VTY

Example2: The sequence of steps in creating and applying a method list on a router are:

1. Enable AAA

2. Create method lists for authentication. You may create more than one method. The second method (local) is used only when the first method fails.

3. Apply the method lists per line/ per interface

The following security measures are appropriate for each plane in Network Foundation Protection strategy:

1. Management Plane: AAA; Authenticated Network Time Protocol (NTP); SSH, SSL/TLS, Protected syslog, SNMPv3, TACACS+, VTY ACLs

2. Control Plane: Control plane policing (CoPP), and control plane protection (CPPr), Authenticated routing protocol updates

3. Data plane: ACLs, Layer 2 controls, such as private VLANs, Spanning Tree Protocol (STP) guards IOS IPS, Zone-Based Firewall

4. TCP Intercept: protect servers and other resources from denial of service (DoS) attacks, specifically TCP SYN attacks

5. Unicast Reverse Path Forwarding: limit the appearance of spoofed addresses on a network

6. IOS IPS: uses signature matches to look for malicious traffic.

7. ACLs: filters traffic based on pre-determined rules

For the authentication method list and authorization method list to be used we need to apply these method lists to the VTY lines.

The following security measures may be applied to Management Plane:

1. Authentication, Authorization, and Accounting (AAA)

2. Network Time Protocol (NTP)

3. Secure Shell (SSH)


5. Protected syslog

6. SNMPv3

7. Parser views

Below is the configuration steps to apply the authentication and authorization method list to first 5 vty lines

R1#configure terminal
R1(config)#line vty
0 4
R1(config-line)#login authentication authentest
R1(config-line)#authorization exec authortest

TACACS+ Technology:TACACS+ is a security application that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation. We must have access to and must configure a TACACS+ server before the configured TACACS+ features on a network access server are available. It provides for separate and modular authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service authentication, authorization, and accounting independently. Each service can be tied into its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The goal of TACACS+ is to provide a methodology for managing multiple network access points from a single management service. The Cisco family of access servers and routers and the Cisco IOS user interface (for both routers and access servers) can be network access servers.

Syntax: Router(config)# tacacs-server host <ip-address> key <keyname>

Ex: Router(config)#tacacs-server host key cisco123

Feature of TACACS+ Server

1. Granular control: TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. TACACS+ is very commonly used for device administration.

2. TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header.

3. TACACS+ is a Cisco proprietary protocol (later became an Open standard), and very widely supported by various vendors offering AAA servers. Note that RADIUS is an Open Standard and widely supported too.

4. TACACS+ uses TCP port (port #49) to communicate between the server and the client.

Example: With respect to the given command " test aaa group tacacs+ admin Frisco123 legacy ", the following are true:

1. It enables you to verify that the ACS to router authentication component is working

2. Frisco123 is the shared secret that has been configured on the ACS server

3. It tests the reachability of ACS server

4. tacacs+ is the group name

TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server the commands that are allowed, on a per-user or per-group basis. TACACS offers multiprotocol support.

RADIUS Server:

The following are the important features of RADIUS server:

1. Open standard, and widely supported. Note that TACACS+ is a Cisco proprietary standard, but well supported too.

2. Use UDP port

3. Provides extensive accounting capability when compared with TACACS+ server

4. Only the password is encrypted in packets transiting between the RADIUS server and the client (any device acting as client, such as a router or a switch or a host computer). On the other hand, TACACS+ provides complete encryption for communication between the TACACS+ server and the client.

5. There is a new upgrade expected, named Diameter.

6. RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.

7. RADIUS messages are sent as User Datagram Protocol (UDP) messages. Only one RADIUS message is included in the UDP payload of a RADIUS packet. RADIUS does not support these protocols:

  • AppleTalk Remote Access (ARA) protocol
  • NetBIOS Frame Protocol Control protocol
  • Novell Asynchronous Services Interface (NASI)
  • X.25 PAD connection

Authentication and Authorization using ACS:

Cisco Access Control Server uses several components as described below:

  • Network device groups: Groups of network devices consisting of routers and switches
  • Network devices: The individual network devices such as routers and switches that go into the device groups.
  • Identity groups: user/admin groups
  • User accounts: Individual administrator/user accounts that are associated with identity groups.
  • Authorization profiles: control the permitted rights given to user/admin groups and/or the network device groups.

Cisco Identity Services Engine (ISE) provides context-aware identity management in the following areas:

  • Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
  • Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
  • Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location,device type, and so on).
  • Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.

Cisco ISE functions include the following:

  • Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
  • Enforces endpoint compliance, including 802.1X environments
  • Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
  • Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
  • ISR (Integrated Services Router): Provides WAN and Internet access to branch offices and home offices. They can provide VPN connectivity to BYOD devices while accessing the Corporate network.
  • ASR (Aggregation Services Router): Provides WAN and Internet access at Corporate campus, and also work as aggregation point for home and branch offices connecting back to the Corporate network.
  • CWS (Cloud Web Security): Provides enhanced security to BYOD devices while accessing the Internet.
  • ASA (Adaptive Security Appliance): Cisco ASA is a security device that combines firewall, antivirus, intrusion prevention, and virtual private network (VPN) capabilities. It provides proactive threat defense that stops attacks before they spread through the network.

Previous   Contents   Next