Authentication, Authorization, and Accounting
3.6 Summary
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Upon completion of this section, you should be able to:
• Explain why AAA is critical to network security.
Telnet is Vulnerable to Brute-Force Attacks
SSH and Local Database Method
Local AAA Authentication
Server-Based AAA Authentication
AAA Authorization
Types of accounting information:
• Network
• Connection
• Command
• Resource
Upon completion of this section, you should be able to:
• Configure AAA authentication, using the CLI, to validate users against a local
database.
• Troubleshoot AAA authentication that validates users against a local database.
1. Add usernames and passwords to the local router database for users that
need administrative access to the router.
2. Enable AAA globally on the router.
3. Configure AAA parameters on the router.
4. Confirm and troubleshoot the AAA configuration.
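The four steps above, carried through as one added configuration example (not taken from the slides). It assumes a router named R1 in the domain example.com, an administrator account named admin, and a placeholder password that must be replaced; the verification commands at the end are the ones the following slides name.

```cisco
! Added example, not from the original slides.
! Assumptions: hostname R1, domain example.com, admin user "admin",
! placeholder password <strong-password>.
!
! Step 1 - local database entry. "secret" stores a salted hash; avoid
! "password", which is stored reversibly (type 7) or in cleartext.
hostname R1
ip domain-name example.com
username admin privilege 15 secret <strong-password>
!
! SSH prerequisites: RSA key pair and SSHv2 only. Telnet is disabled on
! the VTY lines below, which removes the brute-force target it exposes.
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Step 2 - enable AAA globally. From this moment the "default" login list
! applies to every line, the console included, so keep the current console
! session open until a fresh SSH login has been tested.
aaa new-model
!
! Step 3 - method lists. "local-case" matches usernames case-sensitively,
! "local" does not. A named list is used for the console so it can be
! changed later without touching the VTY lines.
aaa authentication login default local-case
aaa authentication login CONSOLE-AUTH local-case
!
! Lock a local account after three consecutive failures.
aaa local authentication attempts max-fail 3
!
line console 0
 login authentication CONSOLE-AUTH
line vty 0 4
 login authentication default
 transport input ssh
!
! Step 4 - confirm and troubleshoot (privileged EXEC, not config mode):
!   show aaa local user lockout                   - users currently locked out
!   clear aaa local user lockout username admin   - unlock a locked account
!   show aaa user all                             - unique ID and state of each AAA session
!   show aaa sessions                             - one line per active session
!   debug aaa authentication                      - watch the method list being evaluated
```

The lockout counter is a trade-off: it stops password guessing against the local database, but an attacker who can reach the VTY lines can also lock the administrator out, so the console list and physical access remain the recovery path.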
Example Local AAA Authentication
Command Syntax
Display Locked Out Users
Show Unique ID of a Session
Debug Local AAA Authentication
Understanding Debug Output
Upon completion of this section, you should be able to:
• Describe the benefits of server-based AAA.
Local authentication:
Server-based authentication:
TACACS+ Authentication Process
RADIUS Authentication Process
Cisco Secure ACS
Upon completion of this section, you should be able to:
• Configure server-based AAA authentication, using the CLI, on Cisco routers.
1. Enable AAA.
2. Specify the IP address of the ACS server.
3. Configure the secret key.
4. Configure authentication to use either the RADIUS or
TACACS+ server.
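The four steps above as one added configuration example (not from the slides or the reference topology they show). It assumes an ACS server reachable at 192.0.2.10 for TACACS+ and 192.0.2.11 for RADIUS, a Loopback0 interface used as the AAA source, and placeholder shared secrets; both protocols are configured so that the method list can fall back from one to the other and finally to the local database.

```cisco
! Added example, not from the original slides.
! Assumptions: ACS at 192.0.2.10 (TACACS+) and 192.0.2.11 (RADIUS),
! Loopback0 as the source interface, placeholder shared secrets.
!
! Step 1 - enable AAA.
aaa new-model
!
! Steps 2 and 3 - server address and shared secret. The secret must match
! the one ACS holds for this router; ACS identifies the client by the
! packet's source address, so pin it to a stable interface.
tacacs server ACS-TACACS
 address ipv4 192.0.2.10
 key <tacacs-shared-secret>
ip tacacs source-interface Loopback0
!
radius server ACS-RADIUS
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
ip radius source-interface Loopback0
!
! Named server groups so the method list can reference them.
aaa group server tacacs+ TACACS-GRP
 server name ACS-TACACS
aaa group server radius RADIUS-GRP
 server name ACS-RADIUS
!
! Step 4 - method list: TACACS+, then RADIUS, then the local database.
! A later method is tried only when the earlier one does not respond;
! an explicit reject from a server is final and does not fall through.
aaa authentication login default group TACACS-GRP group RADIUS-GRP local
!
! Verify and troubleshoot (privileged EXEC):
!   test aaa group TACACS-GRP admin <password> new-code   - end-to-end test without logging in
!   show tacacs                                           - per-server request/response counters
!   show aaa servers                                      - server state and statistics
!   debug aaa authentication, debug tacacs, debug radius  - live exchange with the server
```

The trailing `local` method is what keeps a management session possible when the AAA servers are unreachable; without it, a server outage turns into a lockout. Keep a local account with a strong secret for exactly that case, and watch the server counters: a rising number of timeouts with no rejects points at reachability or a wrong source interface, while rejects point at a mismatched shared secret or credentials.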
Server-Based AAA Reference Topology
Configure a AAA TACACS+ Server
Configure a AAA RADIUS Server
Command Syntax
Configure Server-Based AAA Authentication
Troubleshooting Server-Based AAA Authentication
Troubleshooting RADIUS
Troubleshooting TACACS+
AAA Server-Based Authentication Success
AAA Server-Based Authentication Failure
Upon completion of this section, you should be able to:
• Configure server-based AAA authorization.
Authentication vs. Authorization
• Authentication verifies that a device or end user is who it claims to be before any access is granted.
• Authorization allows or disallows an authenticated user access to specific areas and programs on the network; it is evaluated only after authentication has succeeded.
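Authorization and accounting layered on a server-based login configuration, as an added example that is not part of the slides. It assumes `aaa new-model` is already enabled and that a TACACS+ server group named TACACS-GRP and a RADIUS server group named RADIUS-GRP already exist; the accounting lists cover the four record types listed earlier in the chapter (network, connection, command, resource) plus EXEC sessions.

```cisco
! Added example, not from the original slides.
! Assumptions: aaa new-model is on; server groups TACACS-GRP (TACACS+)
! and RADIUS-GRP (RADIUS) are already defined.
!
! Authorization - what an authenticated user may do.
! EXEC authorization decides whether a shell is granted and at which
! privilege level; command authorization sends each level-15 command to
! the server before it runs. Per-command authorization needs TACACS+,
! which separates authorization from authentication; RADIUS bundles the
! two in one exchange and cannot authorize individual commands.
aaa authorization exec default group TACACS-GRP local
aaa authorization commands 15 default group TACACS-GRP local
! Authorization is not applied to the console unless enabled explicitly.
aaa authorization console
!
! Accounting - a record of what the user did. "start-stop" sends a
! record at the beginning and end of the session; "stop-only" sends a
! single record once the event is complete.
aaa accounting exec default start-stop group TACACS-GRP
aaa accounting commands 15 default stop-only group TACACS-GRP
aaa accounting network default start-stop group RADIUS-GRP
aaa accounting connection default start-stop group TACACS-GRP
aaa accounting resource default start-stop group RADIUS-GRP
!
! Verify: show aaa user all   (accounting state per session)
!         debug aaa authorization, debug aaa accounting
```

Two caveats worth remembering. First, the trailing `local` on the authorization lists means that when no TACACS+ server responds, the router falls back to the privilege level stored with the local username; leave it off and an outage denies every command, including the ones needed to fix it. Second, command accounting is only as trustworthy as the server that stores it: a user who can reach the server, or who can change this configuration, can also suppress the records, so the server should live where device administrators cannot edit it.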
Command Syntax
Command Syntax
802.1X Roles
Command Syntax for dot1x port-control
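The three 802.1X roles and the `dot1x port-control` states in one added switch configuration (not from the slides). It assumes a switch named S1 whose FastEthernet0/1 faces an end-station (the supplicant), with the switch acting as authenticator and an ACS RADIUS server at the placeholder address 192.0.2.11 as the authentication server.

```cisco
! Added example, not from the original slides.
! Roles: the attached PC is the supplicant, this switch (S1) is the
! authenticator, ACS reached over RADIUS at 192.0.2.11 (placeholder) is
! the authentication server.
hostname S1
aaa new-model
radius server ACS-RADIUS
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <radius-shared-secret>
!
! 802.1X requires RADIUS: the EAP exchange with the supplicant is relayed
! to the server inside RADIUS attributes. TACACS+ cannot carry it.
aaa authentication dot1x default group radius
!
! Enable 802.1X globally; without this line the per-port settings have
! no effect and every port behaves as force-authorized.
dot1x system-auth-control
!
interface FastEthernet0/1
 switchport mode access
 ! port-control states:
 !   force-authorized   - default; no 802.1X, port passes traffic
 !   force-unauthorized - port never passes traffic
 !   auto               - port stays closed (EAPOL only) until the
 !                        supplicant authenticates successfully
 dot1x port-control auto
!
! Newer IOS releases spell the same setting "authentication port-control
! auto" and also require "dot1x pae authenticator" under the interface.
!
! Verify: show dot1x interface FastEthernet0/1 details
```

Enable 802.1X on uplinks and on ports that carry non-802.1X devices (printers, phones without supplicants) only after planning for them; a port in `auto` with no supplicant behind it simply stays closed.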
Chapter Objectives:
• Explain how AAA is used to secure a network.