Mohamed Loey, profile picture
Uploaded byMohamed Loey
1,172 views

Computer Security - CCNA Security - Lecture 2

The document covers various aspects of network security, specifically focusing on authentication, authorization, and accounting (AAA) processes essential for effective network management. It discusses methods for implementing AAA, including local and server-based authentication, and explains protocols like TACACS+ and RADIUS used in these processes. Additionally, it highlights best practices for configuring AAA in different network environments, emphasizing the importance of securing access to network resources.

Embed presentation

Downloaded 86 times
CCNA Security AAA
CCNA Security Chapter 1: Modern Network Security Threats Chapter 2: Securing Network Devices Chapter 3: Authentication, Authorization, and Accounting Chapter 4: Implementing Firewall Technologies Chapter 5: Implementing Intrusion Prevention Chapter 6: Securing the Local-Area Network Chapter 7: Cryptographic Systems Chapter 8: Implementing Virtual Private Networks Chapter 9: Implementing the Cisco Adaptive Security Appliance Chapter 10: Advanced Cisco Adaptive Security Appliance Chapter 11: Managing a Secure Network
CCNA Security
CCNA Security Classical Security Methods
CCNA Security  Uses a login and password combination on access lines  Easiest to implement, but most unsecure method  Vulnerable to brute-force attacks  Provides no accountability R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Internet User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords Password-Only Method
CCNA Security  Creates individual user account/password on each device  Provides accountability  User accounts must be configured locally on each device  Provides no fallback authentication method Internet User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid Local Database Method R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local
CCNA Security AAA
CCNA Security Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary. These combined processes are considered important for effective network management and security.
CCNA Security AAA Authentication Authorization Accounting
CCNA Security Accounting What did you spend it on? Authentication Who are you? Authorization which resources the user is allowed to access and which operations the user is allowed to perform?
CCNA Security Authentication
CCNA Security  Authentication is the process that determines whether a client (a person, a device, or a software process) is a legal or valid user of the system. Cisco provides two common methods of implementing AAA services:  Local AAA Authentication  Server-Based AAA Authentication
CCNA Security Local AAA uses a local database for authentication. This method is sometimes known as self-contained authentication.
CCNA Security 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database. AAA RouterRemote Client 1 2 3
CCNA Security Server-based method, uses a server database for authentication. The router accesses a central AAA server, such as the Cisco Secure Access Control System (ACS).
CCNA Security 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server AAA Router Remote Client 1 2 4 Cisco Secure ACS Server 3
CCNA Security Authorization
CCNA Security  After the user is authenticated, Authorization is the process that determines which resources the user can access and which operations the user is allowed to perform.
CCNA Security 1.When a user has been authenticated, a session is established with an AAA server. 2.The router requests authorization for the requested service from the AAA server. 3.The AAA server returns a PASS/FAIL for authorization.
CCNA Security Accounting
CCNA Security  Accounting is the process of monitoring and recording a client's use of the network. Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.
CCNA Security 1.When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2.When the user finishes, a stop message is recorded ending the accounting process.
CCNA Security
CCNA Security Local Based AAA
CCNA Security Local AAA Authentication should be configured for smaller networks. Smaller networks are those networks that have one or two routers that provide access to a limited number of users. This method uses the local usernames and passwords stored on a router.
CCNA Security Configuring local AAA services to authenticate administrator access requires a few basic steps: 1. Add usernames and passwords to the local router database 2. Enable AAA globally 3. Configure AAA parameters on the router 4. Confirm and troubleshoot the AAA configuration
CCNA Security R1 R2 R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local-case
CCNA Security The AAA authentication login command in the figure allows the ADMIN and JR-ADMIN users to log into the router via the console or vty terminal lines. R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd
CCNA Security To enable AAA, the aaa new-model global configuration command must first be configured. R1(config)# aaa new-model
CCNA Security The default keyword means that the authentication method applies to all lines, except those for which a specific line configuration overrides the default. R1(config)# aaa new-model R1(config)# aaa authentication login default local-case
CCNA Security The authentication is case-sensitive, indicated by the local- case keyword. This means that both the password and the username are case sensitive. R1(config)# aaa new-model R1(config)# aaa authentication login default local-case
CCNA Security Server Based AAA
CCNA Security Most corporate environments have multiple Cisco routers, switches, and other infrastructure devices, multiple router administrators, and hundreds or thousands of users needing access to the corporate LAN. Local implementations of AAA are acceptable in very small networks. However, local authentication does not scale well.
CCNA Security R2 R3 R1 Cisco Secure ACS Server Based AAA
CCNA Security 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. Perimeter Router Remote User Cisco Secure ACS for Windows Server 1 2 3 4
CCNA Security The Cisco Secure Access Control System (ACS) is a centralized solution that ties together an enterprise’s network access policy and identity strategy. Cisco Secure ACS supports both TACACS+ and RADIUS protocols
CCNA Security TACACS+ and RADIUS are both authentication protocols that are used to communicate with AAA servers. While both protocols can be used to communicate between a router and AAA servers, TACACS+ is considered the more secure protocol.
CCNA Security Protocol TACACS+ RADIUS Functionality Separates AAA according to the AAA architecture, allowing modularity of the security server implementation Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+. Standard Mostly Cisco supported Open/RFC standard Transport Protocol TCP UDP Protocol Support Multiprotocol support Not support Multiprotocol Confidentiality Entire packet encrypted Password encrypted Customization Provides authorization of router commands on a per-user or per-group basis. Has no option to authorize router commands on a per-user or per-group basis
CCNA Security RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol for applications such as network access or IP mobility. RADIUS is widely used by VoIP service providers.
CCNA Security  Works in both local and roaming situations  Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting Username? JR-ADMIN Password? Str0ngPa55w0r d Access-Request (JR_ADMIN, “Str0ngPa55w0rd”) Access-Accept
CCNA Security TACACS+ is a Cisco enhancement to the original TACACS protocol. TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.
CCNA Security Provides separate AAA services Utilizes TCP port 49 Connect Username prompt? Username? Use “Username” JR-ADMIN JR-ADMIN Password? Password prompt? “Str0ngPa55w0rd” Use “Password” Accept/Reject “Str0ngPa55w0rd”
CCNA Security  Step 1. Globally enable AAA to allow the use of all AAA elements.  Step 2. Specify the AAA Server (ex. Cisco Secure ACS) that will provide AAA services for the router.  Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server.  Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server.
CCNA Security To enable AAA, the aaa new-model global configuration command must first be configured. R1(config)# aaa new-model
CCNA Security To configure a RADIUS server, use the radius server name command. This puts you into radius server configuration mode. R1(config)# radius server Server-R
CCNA Security RADIUS protocol has reserved ports 1812 for the RADIUS authentication port and 1813 for the RADIUS accounting port. R1(config)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
CCNA Security  To configure the shared secret key for encrypting the password, use the key command. This key must be configured exactly the same way on the router and the RADIUS server. R1(config)# key RADIUS-Pa55w0rd
CCNA Security R1(config)# aaa new-model R1(config)# radius server Server-R R1(config)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813 R1(config)# key RADIUS-Pa55w0rd R1(config)# exit
CCNA Security How to Configure Server-Based AAA Authentication Using TACACS+ ?
CCNA Security  Use MS Word  Send me mail to mloey@live.com with email subject “AAA“  Put your name on Arabic with department and section on word and email body  Finally, press Send  Deadline Next Lecture
CCNA Security facebook.com/mloey mohamedloey@gmail.com twitter.com/mloey linkedin.com/in/mloey mloey@fci.bu.edu.eg mloey.github.io
CCNA Security www.YourCompany.com © 2020 Companyname PowerPoint Business Theme. All Rights Reserved. THANKS FOR YOUR TIME

More Related Content

PPTX
AAA Implementation
byAhmad El Tawil
 
PDF
TACACS Protocol
byNetwax Lab
 
PPTX
Dhcp
byChinmoy Jena
 
PPT
Osi , tcp/ip protocol and Addressing
bymarwan aldulaimy
 
PPTX
CoAP Course for m2m and Internet of Things scenarios
bycarlosralli
 
PPTX
802.1x
byakruthi k
 
PDF
Radius vs. Tacacs+
byNetwax Lab
 
PDF
PCRF-Policy Charging System-Functional Analysis
byBiju M R
 
AAA Implementation
byAhmad El Tawil
 
TACACS Protocol
byNetwax Lab
 
Dhcp
byChinmoy Jena
 
Osi , tcp/ip protocol and Addressing
bymarwan aldulaimy
 
CoAP Course for m2m and Internet of Things scenarios
bycarlosralli
 
802.1x
byakruthi k
 
Radius vs. Tacacs+
byNetwax Lab
 
PCRF-Policy Charging System-Functional Analysis
byBiju M R
 

What's hot

PPT
Radius1
bybalamurugan.k Kalibalamurugan
 
PDF
Tacacs
by1 2d
 
PPTX
Wpa vs Wpa2
byNzava Luwawa
 
PPTX
GSM Radio interface
byRUpaliLohar
 
PDF
Spanning-Tree
byThomas Moegli
 
PDF
Radius Protocol
byNetwax Lab
 
PPTX
RTP
byTarek Nader
 
PPTX
SIP security in IP telephony
byPaloSanto Solutions
 
PPTX
Dc fabric path
byASHISH SEHGAL
 
PPT
CCNA Basic Switching and Switch Configuration
byDsunte Wilson
 
PPTX
WPA 3
bydiggu22
 
PPT
Transport layer (computer networks)
byFatbardh Hysa
 
PPT
Vlan
byilias ahmed
 
PDF
Troubleshooting BGP
byDuane Bodle
 
PPTX
Igmp presentation
bySamreenAkhtar8
 
PDF
Kamailio with Docker and Kubernetes
byPaolo Visintin
 
PDF
Dynamic routing
byajeela mushtaq
 
PPTX
Ppt of routing protocols
byBhagyashri Dhoke
 
PPTX
Protocole ARP/RARP
byHayder Gallas
 
PPT
Bgp
byFebrian ‎
 
Radius1
bybalamurugan.k Kalibalamurugan
 
Tacacs
by1 2d
 
Wpa vs Wpa2
byNzava Luwawa
 
GSM Radio interface
byRUpaliLohar
 
Spanning-Tree
byThomas Moegli
 
Radius Protocol
byNetwax Lab
 
RTP
byTarek Nader
 
SIP security in IP telephony
byPaloSanto Solutions
 
Dc fabric path
byASHISH SEHGAL
 
CCNA Basic Switching and Switch Configuration
byDsunte Wilson
 
WPA 3
bydiggu22
 
Transport layer (computer networks)
byFatbardh Hysa
 
Vlan
byilias ahmed
 
Troubleshooting BGP
byDuane Bodle
 
Igmp presentation
bySamreenAkhtar8
 
Kamailio with Docker and Kubernetes
byPaolo Visintin
 
Dynamic routing
byajeela mushtaq
 
Ppt of routing protocols
byBhagyashri Dhoke
 
Protocole ARP/RARP
byHayder Gallas
 
Bgp
byFebrian ‎
 

Similar to Computer Security - CCNA Security - Lecture 2

PPTX
en_CCNAS_v11_Ch03(Authentication, Authorization, and Accounting).pptx
byMadideNtavhanyeniJak
 
PPT
redes telematicas CISCO para ingenieros pre
byVictorTonio
 
PPT
CCNA_Security_03.ppt
byveracru1
 
PPT
CCNA Security 06- AAA
byAhmed Habib
 
PDF
Ch3-Authentication, Authorization, and Accounting.pdf
byOhmRon
 
PPT
Chapter 3 overview
byali raza
 
PPTX
Ccna sv2 instructor_ppt_ch3
bySalmenHAJJI1
 
DOCX
AAA server
byhetvi naik
 
PPTX
Network Security v1.0 -network Module 7.pptx
byroanmhammed
 
PPTX
Securing management, control & data plane
byNetProtocol Xpert
 
PDF
Ch2 - Securing Network Devices - CCNA Security.pdf
byOhmRon
 
PDF
5 ip security ipsec gre
bySagarR24
 
PPT
Curso de Seguridad de Redes Inalambricas CCNA
byVictorTonio
 
PPT
CCNA_Security_02.ppt
byveracru1
 
PDF
5 ip security dataplace security
bySagarR24
 
PDF
5 ip security urpf
bySagarR24
 
PPTX
access controtggffffffffffffffdddddl.pptx
byt01151009418
 
PPT
Implementing Cisco AAA
bydkaya
 
PDF
5 ip security asa-partb
bySagarR24
 
PDF
5 ip security copp-mpp
bySagarR24
 
en_CCNAS_v11_Ch03(Authentication, Authorization, and Accounting).pptx
byMadideNtavhanyeniJak
 
redes telematicas CISCO para ingenieros pre
byVictorTonio
 
CCNA_Security_03.ppt
byveracru1
 
CCNA Security 06- AAA
byAhmed Habib
 
Ch3-Authentication, Authorization, and Accounting.pdf
byOhmRon
 
Chapter 3 overview
byali raza
 
Ccna sv2 instructor_ppt_ch3
bySalmenHAJJI1
 
AAA server
byhetvi naik
 
Network Security v1.0 -network Module 7.pptx
byroanmhammed
 
Securing management, control & data plane
byNetProtocol Xpert
 
Ch2 - Securing Network Devices - CCNA Security.pdf
byOhmRon
 
5 ip security ipsec gre
bySagarR24
 
Curso de Seguridad de Redes Inalambricas CCNA
byVictorTonio
 
CCNA_Security_02.ppt
byveracru1
 
5 ip security dataplace security
bySagarR24
 
5 ip security urpf
bySagarR24
 
access controtggffffffffffffffdddddl.pptx
byt01151009418
 
Implementing Cisco AAA
bydkaya
 
5 ip security asa-partb
bySagarR24
 
5 ip security copp-mpp
bySagarR24
 

More from Mohamed Loey

PDF
Lecture 6: Deep Learning Applications
byMohamed Loey
 
PDF
Lecture 5: Convolutional Neural Network Models
byMohamed Loey
 
PDF
Lecture 4: Deep Learning Frameworks
byMohamed Loey
 
PDF
Lecture 4: How it Works: Convolutional Neural Networks
byMohamed Loey
 
PPTX
Lecture 3: Convolutional Neural Networks
byMohamed Loey
 
PDF
Lecture 2: Artificial Neural Network
byMohamed Loey
 
PDF
Lecture 1: Deep Learning for Computer Vision
byMohamed Loey
 
PDF
Design of an Intelligent System for Improving Classification of Cancer Diseases
byMohamed Loey
 
PDF
Computer Security - CCNA Security - Lecture 1
byMohamed Loey
 
PDF
Algorithms Lecture 8: Pattern Algorithms
byMohamed Loey
 
PDF
Algorithms Lecture 7: Graph Algorithms
byMohamed Loey
 
PDF
Algorithms Lecture 6: Searching Algorithms
byMohamed Loey
 
PDF
Algorithms Lecture 5: Sorting Algorithms II
byMohamed Loey
 
PDF
Algorithms Lecture 4: Sorting Algorithms I
byMohamed Loey
 
PDF
Algorithms Lecture 3: Analysis of Algorithms II
byMohamed Loey
 
PDF
Algorithms Lecture 2: Analysis of Algorithms I
byMohamed Loey
 
PDF
Algorithms Lecture 1: Introduction to Algorithms
byMohamed Loey
 
PDF
Convolutional Neural Network Models - Deep Learning
byMohamed Loey
 
PDF
Deep Learning - Overview of my work II
byMohamed Loey
 
PDF
Computer Security Lecture 7: RSA
byMohamed Loey
 
Lecture 6: Deep Learning Applications
byMohamed Loey
 
Lecture 5: Convolutional Neural Network Models
byMohamed Loey
 
Lecture 4: Deep Learning Frameworks
byMohamed Loey
 
Lecture 4: How it Works: Convolutional Neural Networks
byMohamed Loey
 
Lecture 3: Convolutional Neural Networks
byMohamed Loey
 
Lecture 2: Artificial Neural Network
byMohamed Loey
 
Lecture 1: Deep Learning for Computer Vision
byMohamed Loey
 
Design of an Intelligent System for Improving Classification of Cancer Diseases
byMohamed Loey
 
Computer Security - CCNA Security - Lecture 1
byMohamed Loey
 
Algorithms Lecture 8: Pattern Algorithms
byMohamed Loey
 
Algorithms Lecture 7: Graph Algorithms
byMohamed Loey
 
Algorithms Lecture 6: Searching Algorithms
byMohamed Loey
 
Algorithms Lecture 5: Sorting Algorithms II
byMohamed Loey
 
Algorithms Lecture 4: Sorting Algorithms I
byMohamed Loey
 
Algorithms Lecture 3: Analysis of Algorithms II
byMohamed Loey
 
Algorithms Lecture 2: Analysis of Algorithms I
byMohamed Loey
 
Algorithms Lecture 1: Introduction to Algorithms
byMohamed Loey
 
Convolutional Neural Network Models - Deep Learning
byMohamed Loey
 
Deep Learning - Overview of my work II
byMohamed Loey
 
Computer Security Lecture 7: RSA
byMohamed Loey
 

Recently uploaded

PPTX
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
PDF
The Pity of War: Form, Fragment, and the Artificial Echo | Understanding War ...
byNidhi Pandya
 
PDF
Handwritten notes of Toxicity 1. Genotoxicity 2 Carcinogenicity 3 Teratogenic...
byjagdeepsinghynr7
 
PPTX
The Art Pastor's Guide to the Liturgical Calendar
bySteve Thomason
 
PPTX
What is the Post load hook in Odoo 18
byCeline George
 
PPTX
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
PPTX
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
PDF
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
PPTX
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
PPTX
Pain. definition, causes, factor influencing pain & pain assessment.pptx
byPompi Begum
 
PPTX
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
PPTX
Vitamins and mineral deficiency , signs and symptoms associated with exercise
byvirupa chandrika reddy
 
PDF
Principles and Practices of GST 2.0 Study material
bySri Ramakrishna College of Arts and science
 
PDF
Nutrients & Role in Horticulture.pdf, Dr. Sharad Bisen Horticulture
bybisensharad
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PDF
Types of Vegetable Gardens, College of Agriculture Balaghat.pdf
bybisensharad
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
PPTX
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
PDF
“RF-MEMS: Technologies, Components, Challenges and Modern Applications”
byGS Virdi
 
PPTX
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 
Accounting Skills Paper-II (Registers of PACs and Credit Co-operative Societies)
byDr. Sushil Bansode
 
The Pity of War: Form, Fragment, and the Artificial Echo | Understanding War ...
byNidhi Pandya
 
Handwritten notes of Toxicity 1. Genotoxicity 2 Carcinogenicity 3 Teratogenic...
byjagdeepsinghynr7
 
The Art Pastor's Guide to the Liturgical Calendar
bySteve Thomason
 
What is the Post load hook in Odoo 18
byCeline George
 
Details of Epithelial and Connective Tissue.pptx
byAshish Umale
 
10-12-2025 Francois Staring How can Researchers and Initial Teacher Educators...
byEduSkills OECD
 
Digital Wellness in University Communities: Libraries as Guardians of Healthy...
bySylvester Ebhonu
 
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
Pain. definition, causes, factor influencing pain & pain assessment.pptx
byPompi Begum
 
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
Vitamins and mineral deficiency , signs and symptoms associated with exercise
byvirupa chandrika reddy
 
Principles and Practices of GST 2.0 Study material
bySri Ramakrishna College of Arts and science
 
Nutrients & Role in Horticulture.pdf, Dr. Sharad Bisen Horticulture
bybisensharad
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
Types of Vegetable Gardens, College of Agriculture Balaghat.pdf
bybisensharad
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
“RF-MEMS: Technologies, Components, Challenges and Modern Applications”
byGS Virdi
 
York "Collaboration for Research Support at U-M Library"
byNational Information Standards Organization (NISO)
 

Computer Security - CCNA Security - Lecture 2

  • 1.
  • 2.
    CCNA Security Chapter 1:Modern Network Security Threats Chapter 2: Securing Network Devices Chapter 3: Authentication, Authorization, and Accounting Chapter 4: Implementing Firewall Technologies Chapter 5: Implementing Intrusion Prevention Chapter 6: Securing the Local-Area Network Chapter 7: Cryptographic Systems Chapter 8: Implementing Virtual Private Networks Chapter 9: Implementing the Cisco Adaptive Security Appliance Chapter 10: Advanced Cisco Adaptive Security Appliance Chapter 11: Managing a Secure Network
  • 3.
  • 4.
  • 5.
    CCNA Security  Usesa login and password combination on access lines  Easiest to implement, but most unsecure method  Vulnerable to brute-force attacks  Provides no accountability R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login Internet User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords Password-Only Method
  • 6.
    CCNA Security  Createsindividual user account/password on each device  Provides accountability  User accounts must be configured locally on each device  Provides no fallback authentication method Internet User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid Local Database Method R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local
  • 7.
  • 8.
    CCNA Security Authentication, authorization,and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary. These combined processes are considered important for effective network management and security.
  • 9.
  • 10.
    CCNA Security Accounting What didyou spend it on? Authentication Who are you? Authorization which resources the user is allowed to access and which operations the user is allowed to perform?
  • 11.
  • 12.
    CCNA Security  Authenticationis the process that determines whether a client (a person, a device, or a software process) is a legal or valid user of the system. Cisco provides two common methods of implementing AAA services:  Local AAA Authentication  Server-Based AAA Authentication
  • 13.
    CCNA Security Local AAAuses a local database for authentication. This method is sometimes known as self-contained authentication.
  • 14.
    CCNA Security 1. Theclient establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database. AAA RouterRemote Client 1 2 3
  • 15.
    CCNA Security Server-based method,uses a server database for authentication. The router accesses a central AAA server, such as the Cisco Secure Access Control System (ACS).
  • 16.
    CCNA Security 1. Theclient establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server AAA Router Remote Client 1 2 4 Cisco Secure ACS Server 3
  • 17.
  • 18.
    CCNA Security  Afterthe user is authenticated, Authorization is the process that determines which resources the user can access and which operations the user is allowed to perform.
  • 19.
    CCNA Security 1.When auser has been authenticated, a session is established with an AAA server. 2.The router requests authorization for the requested service from the AAA server. 3.The AAA server returns a PASS/FAIL for authorization.
  • 20.
  • 21.
    CCNA Security  Accountingis the process of monitoring and recording a client's use of the network. Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.
  • 22.
    CCNA Security 1.When auser has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2.When the user finishes, a stop message is recorded ending the accounting process.
  • 23.
  • 24.
  • 25.
    CCNA Security Local AAAAuthentication should be configured for smaller networks. Smaller networks are those networks that have one or two routers that provide access to a limited number of users. This method uses the local usernames and passwords stored on a router.
  • 26.
    CCNA Security Configuring localAAA services to authenticate administrator access requires a few basic steps: 1. Add usernames and passwords to the local router database 2. Enable AAA globally 3. Configure AAA parameters on the router 4. Confirm and troubleshoot the AAA configuration
  • 27.
    CCNA Security R1 R2 R1#conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local-case
  • 28.
    CCNA Security The AAAauthentication login command in the figure allows the ADMIN and JR-ADMIN users to log into the router via the console or vty terminal lines. R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd
  • 29.
    CCNA Security To enableAAA, the aaa new-model global configuration command must first be configured. R1(config)# aaa new-model
  • 30.
    CCNA Security The defaultkeyword means that the authentication method applies to all lines, except those for which a specific line configuration overrides the default. R1(config)# aaa new-model R1(config)# aaa authentication login default local-case
  • 31.
    CCNA Security The authenticationis case-sensitive, indicated by the local- case keyword. This means that both the password and the username are case sensitive. R1(config)# aaa new-model R1(config)# aaa authentication login default local-case
  • 32.
  • 33.
    CCNA Security Most corporateenvironments have multiple Cisco routers, switches, and other infrastructure devices, multiple router administrators, and hundreds or thousands of users needing access to the corporate LAN. Local implementations of AAA are acceptable in very small networks. However, local authentication does not scale well.
  • 34.
    CCNA Security R2 R3 R1 CiscoSecure ACS Server Based AAA
  • 35.
    CCNA Security 1. Theuser establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. Perimeter Router Remote User Cisco Secure ACS for Windows Server 1 2 3 4
  • 36.
    CCNA Security The CiscoSecure Access Control System (ACS) is a centralized solution that ties together an enterprise’s network access policy and identity strategy. Cisco Secure ACS supports both TACACS+ and RADIUS protocols
  • 37.
    CCNA Security TACACS+ andRADIUS are both authentication protocols that are used to communicate with AAA servers. While both protocols can be used to communicate between a router and AAA servers, TACACS+ is considered the more secure protocol.
  • 38.
    CCNA Security Protocol TACACS+RADIUS Functionality Separates AAA according to the AAA architecture, allowing modularity of the security server implementation Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+. Standard Mostly Cisco supported Open/RFC standard Transport Protocol TCP UDP Protocol Support Multiprotocol support Not support Multiprotocol Confidentiality Entire packet encrypted Password encrypted Customization Provides authorization of router commands on a per-user or per-group basis. Has no option to authorize router commands on a per-user or per-group basis
  • 39.
    CCNA Security RADIUS, developedby Livingston Enterprises, is an open IETF standard AAA protocol for applications such as network access or IP mobility. RADIUS is widely used by VoIP service providers.
  • 40.
    CCNA Security  Worksin both local and roaming situations  Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting Username? JR-ADMIN Password? Str0ngPa55w0r d Access-Request (JR_ADMIN, “Str0ngPa55w0rd”) Access-Accept
  • 41.
    CCNA Security TACACS+ isa Cisco enhancement to the original TACACS protocol. TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.
  • 42.
    CCNA Security Provides separateAAA services Utilizes TCP port 49 Connect Username prompt? Username? Use “Username” JR-ADMIN JR-ADMIN Password? Password prompt? “Str0ngPa55w0rd” Use “Password” Accept/Reject “Str0ngPa55w0rd”
  • 43.
    CCNA Security  Step1. Globally enable AAA to allow the use of all AAA elements.  Step 2. Specify the AAA Server (ex. Cisco Secure ACS) that will provide AAA services for the router.  Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server.  Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server.
  • 44.
    CCNA Security To enableAAA, the aaa new-model global configuration command must first be configured. R1(config)# aaa new-model
  • 45.
    CCNA Security To configurea RADIUS server, use the radius server name command. This puts you into radius server configuration mode. R1(config)# radius server Server-R
  • 46.
    CCNA Security RADIUS protocolhas reserved ports 1812 for the RADIUS authentication port and 1813 for the RADIUS accounting port. R1(config)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
  • 47.
    CCNA Security  Toconfigure the shared secret key for encrypting the password, use the key command. This key must be configured exactly the same way on the router and the RADIUS server. R1(config)# key RADIUS-Pa55w0rd
  • 48.
    CCNA Security R1(config)# aaanew-model R1(config)# radius server Server-R R1(config)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813 R1(config)# key RADIUS-Pa55w0rd R1(config)# exit
  • 49.
    CCNA Security How toConfigure Server-Based AAA Authentication Using TACACS+ ?
  • 50.
    CCNA Security  UseMS Word  Send me mail to mloey@live.com with email subject “AAA“  Put your name on Arabic with department and section on word and email body  Finally, press Send  Deadline Next Lecture
  • 51.
  • 52.
    CCNA Security www.YourCompany.com © 2020Companyname PowerPoint Business Theme. All Rights Reserved. THANKS FOR YOUR TIME