Authentication, Authorization, and Accounting
CCNA-Security
Presentation_ID
Chapter 3: Objectives
In this chapter you will:
Configure AAA authentication, using the CLI, to validate users against a local database.
Configure AAA authentication, using CCP, to validate users against a local database.
Chapter 3
3.0 Introduction
3.1 Purpose of AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
AAA Overview
AAA Components
Network and administrative AAA security in the Cisco environment
has several functional components:
Authentication: Users and administrators must prove that they
are who they say they are. Authentication can be established using
username and password combinations, challenge and response
questions, token cards, and other methods.
Authorization: After the user is authenticated, authorization
services determine which resources the user can access and
which operations the user is allowed to perform.
Accounting and auditing: Accounting records what the user
does, including what is accessed, the amount of time the resource
is accessed, and any changes that were made.
AAA Characteristics
Authentication Modes
AAA can be used to authenticate users for administrative access or to
authenticate users for remote network access. These two access
methods use different modes to request AAA services.
AAA Characteristics
Authorization
Authorization is what a user can and cannot do on the network after
that user is authenticated.
AAA Characteristics
Accounting
Accounting collects and reports usage data so that it can be employed
for purposes such as auditing or billing.
Authentication Methods
To enable AAA, use the aaa new-model global configuration mode
command.
To configure authentication on vty ports, asynchronous lines (tty), the
auxiliary port, or the console port, define a named list of
authentication methods and then apply that list to the various
interfaces.
To define a named list of authentication methods, use the aaa
authentication login command.
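As an added example (not part of the original slides), the IOS configuration
that the text above describes: enable AAA, define a local user, create a named
login method list and apply it to the vty lines. The username, password, list
name and line ranges are assumptions; the lockout command is included as a
common hardening step for local authentication.

```cisco
! Enable the AAA framework (required before any aaa authentication command)
aaa new-model
!
! Local database entry used by the "local" and "local-case" methods.
! Username and password are assumptions for this example.
username ADMIN secret Str0ngPassw0rd
!
! Named method lists. "default" applies to every line that has no
! explicit list; "SSH-LOGIN" is applied only where referenced below.
! local-case makes the username check case-sensitive.
aaa authentication login default local
aaa authentication login SSH-LOGIN local-case
!
! Lock out a local account after three consecutive failed attempts.
aaa local authentication attempts max-fail 3
!
! Apply the named list to the vty lines (remote SSH sessions only).
line vty 0 4
 login authentication SSH-LOGIN
 transport input ssh
!
! The console keeps the default list.
line console 0
 login authentication default
!
! While testing, observe which list and method each login picks up:
! debug aaa authentication
```

Verify with a second session before closing the one used to configure, so a
typo in the method list cannot lock administrators out of the device.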
Step 5. If views have been defined, click the Associate a View with
the user check box and select a view from the View Name list
associated with a user.
Step 6. Click OK.
Debug Options
The debug aaa authentication command is instrumental when
troubleshooting AAA problems.
Look specifically for GETUSER and GETPASS status messages. These
messages are helpful when identifying which method list is
referenced.
TACACS+ Authentication
TACACS+ is an entirely new protocol that is incompatible with any
previous version of TACACS. TACACS+ is supported by the Cisco
family of routers and access servers.
TACACS+ offers multiprotocol support.
TACACS+ operation encrypts the entire body of the packet.
RADIUS Authentication
RADIUS is an open IETF standard AAA protocol for applications such
as network access or IP mobility.
RADIUS works in both local and roaming situations, and is commonly
used for accounting purposes.
RADIUS hides passwords during transmission.
RADIUS combines authentication and authorization as one process.
RADIUS is widely used by VoIP service providers.
From the CCP home page, click Configure > Router > AAA > Authorization
Policies > EXEC Command Mode.
From the CCP home page, click Configure > Router > AAA > Authorization
Policies > Network.
3.6 Summary
Chapter 3
Summary
The AAA protocol provides a scalable framework for enabling
administrative access.
AAA controls who is allowed to connect to the network, what they are
allowed to do, and tracks records of what was done.
In small or simple networks, AAA authentication can be implemented
using the local database.
In larger or complex networks, AAA authentication should be
implemented using server-based AAA.
AAA servers can use RADIUS or TACACS+ protocols to communicate
with client routers.
The Cisco ACS can be used to provide AAA server services.
Local AAA and server-based AAA authentication can be configured
using the CLI or CCP.