Enviar búsqueda
Cargar
CCNA Security - Chapter 3
•
30 recomendaciones
•
7,670 vistas
Irsandi Hasan
Seguir
Denunciar
Compartir
Denunciar
Compartir
1 de 65
Recomendados
CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
TACACS Protocol
TACACS Protocol
Netwax Lab
Radius vs. Tacacs+
Radius vs. Tacacs+
Netwax Lab
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Harris Andrea
AAA Implementation
AAA Implementation
Ahmad El Tawil
Vulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
Tacacs
Tacacs
1 2d
CCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
Recomendados
CCNA Security - Chapter 2
CCNA Security - Chapter 2
Irsandi Hasan
TACACS Protocol
TACACS Protocol
Netwax Lab
Radius vs. Tacacs+
Radius vs. Tacacs+
Netwax Lab
Cisco Router and Switch Security Hardening Guide
Cisco Router and Switch Security Hardening Guide
Harris Andrea
AAA Implementation
AAA Implementation
Ahmad El Tawil
Vulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
Tacacs
Tacacs
1 2d
CCNP Security-Firewall
CCNP Security-Firewall
mohannadalhanahnah
10 palo alto nat policy concepts
10 palo alto nat policy concepts
Mostafa El Lathy
Access Control List & its Types
Access Control List & its Types
Netwax Lab
CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5
Nil Menon
Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)
newbie2019
Cisco Commands
Cisco Commands
Fredrick Hall
CCNAv5 - S2: Chapter10 DHCP
CCNAv5 - S2: Chapter10 DHCP
Vuz Dở Hơi
Tacacs+ with ise 2.4_ CCIE
Tacacs+ with ise 2.4_ CCIE
Dhruv Sharma
Fortigate Training
Fortigate Training
NCS Computech Ltd.
Nmap Hacking Guide
Nmap Hacking Guide
Aryan G
Switch security
Switch security
nullowaspmumbai
CCNA Security - Chapter 4
CCNA Security - Chapter 4
Irsandi Hasan
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
NetProtocol Xpert
Introduction to nexux from zero to Hero
Introduction to nexux from zero to Hero
Dhruv Sharma
Firewall and its purpose
Firewall and its purpose
Rohit Phulsunge
Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
CCNAv5 - S2: Chapter3 Vlans
CCNAv5 - S2: Chapter3 Vlans
Vuz Dở Hơi
CNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
Sam Bowne
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
Anwesh Dixit
F5 Solutions for Service Providers
F5 Solutions for Service Providers
BAKOTECH
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
NetProtocol Xpert
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8
Irsandi Hasan
CCNA Security - Chapter 6
CCNA Security - Chapter 6
Irsandi Hasan
Más contenido relacionado
La actualidad más candente
10 palo alto nat policy concepts
10 palo alto nat policy concepts
Mostafa El Lathy
Access Control List & its Types
Access Control List & its Types
Netwax Lab
CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5
Nil Menon
Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)
newbie2019
Cisco Commands
Cisco Commands
Fredrick Hall
CCNAv5 - S2: Chapter10 DHCP
CCNAv5 - S2: Chapter10 DHCP
Vuz Dở Hơi
Tacacs+ with ise 2.4_ CCIE
Tacacs+ with ise 2.4_ CCIE
Dhruv Sharma
Fortigate Training
Fortigate Training
NCS Computech Ltd.
Nmap Hacking Guide
Nmap Hacking Guide
Aryan G
Switch security
Switch security
nullowaspmumbai
CCNA Security - Chapter 4
CCNA Security - Chapter 4
Irsandi Hasan
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
NetProtocol Xpert
Introduction to nexux from zero to Hero
Introduction to nexux from zero to Hero
Dhruv Sharma
Firewall and its purpose
Firewall and its purpose
Rohit Phulsunge
Intrusion Detection System using Snort
Intrusion Detection System using Snort
webhostingguy
CCNAv5 - S2: Chapter3 Vlans
CCNAv5 - S2: Chapter3 Vlans
Vuz Dở Hơi
CNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
Sam Bowne
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
Anwesh Dixit
F5 Solutions for Service Providers
F5 Solutions for Service Providers
BAKOTECH
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
NetProtocol Xpert
La actualidad más candente
(20)
10 palo alto nat policy concepts
10 palo alto nat policy concepts
Access Control List & its Types
Access Control List & its Types
CCNA 2 Routing and Switching v5.0 Chapter 5
CCNA 2 Routing and Switching v5.0 Chapter 5
Ccna rse chp7 Access Control List (ACL)
Ccna rse chp7 Access Control List (ACL)
Cisco Commands
Cisco Commands
CCNAv5 - S2: Chapter10 DHCP
CCNAv5 - S2: Chapter10 DHCP
Tacacs+ with ise 2.4_ CCIE
Tacacs+ with ise 2.4_ CCIE
Fortigate Training
Fortigate Training
Nmap Hacking Guide
Nmap Hacking Guide
Switch security
Switch security
CCNA Security - Chapter 4
CCNA Security - Chapter 4
IPSec VPN & IPSec Protocols
IPSec VPN & IPSec Protocols
Introduction to nexux from zero to Hero
Introduction to nexux from zero to Hero
Firewall and its purpose
Firewall and its purpose
Intrusion Detection System using Snort
Intrusion Detection System using Snort
CCNAv5 - S2: Chapter3 Vlans
CCNAv5 - S2: Chapter3 Vlans
CNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
F5 Solutions for Service Providers
F5 Solutions for Service Providers
GRE (Generic Routing Encapsulation)
GRE (Generic Routing Encapsulation)
Destacado
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8
Irsandi Hasan
CCNA Security - Chapter 6
CCNA Security - Chapter 6
Irsandi Hasan
CCNA Security - Chapter 8
CCNA Security - Chapter 8
Irsandi Hasan
CCNA Security - Chapter 7
CCNA Security - Chapter 7
Irsandi Hasan
OSPF v3
OSPF v3
Irsandi Hasan
ITE - Chapter 9
ITE - Chapter 9
Irsandi Hasan
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentals
Ahmed Habib
CCNA Security - Chapter 9
CCNA Security - Chapter 9
Irsandi Hasan
CCNA Security - Chapter 5
CCNA Security - Chapter 5
Irsandi Hasan
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
Ahmed Habib
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7
Irsandi Hasan
ITE - Chapter 7
ITE - Chapter 7
Irsandi Hasan
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
Ahmed Habib
ITE - Chapter 2
ITE - Chapter 2
Irsandi Hasan
CCNA Security 06- AAA
CCNA Security 06- AAA
Ahmed Habib
CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1
Irsandi Hasan
CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4
Irsandi Hasan
CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8
Irsandi Hasan
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
Ahmed Habib
VMware vShield - Overview
VMware vShield - Overview
Irsandi Hasan
Destacado
(20)
CCNA RS_NB - Chapter 8
CCNA RS_NB - Chapter 8
CCNA Security - Chapter 6
CCNA Security - Chapter 6
CCNA Security - Chapter 8
CCNA Security - Chapter 8
CCNA Security - Chapter 7
CCNA Security - Chapter 7
OSPF v3
OSPF v3
ITE - Chapter 9
ITE - Chapter 9
CCNA Security 09- ios firewall fundamentals
CCNA Security 09- ios firewall fundamentals
CCNA Security - Chapter 9
CCNA Security - Chapter 9
CCNA Security - Chapter 5
CCNA Security - Chapter 5
CCNA Security 012- cryptographic systems
CCNA Security 012- cryptographic systems
CCNA Exploration 4 - Chapter 7
CCNA Exploration 4 - Chapter 7
ITE - Chapter 7
ITE - Chapter 7
CCNA Security 011- implementing ios-based ips
CCNA Security 011- implementing ios-based ips
ITE - Chapter 2
ITE - Chapter 2
CCNA Security 06- AAA
CCNA Security 06- AAA
CCNA Discovery 1 - Chapter 1
CCNA Discovery 1 - Chapter 1
CCNA RS_ITN - Chapter 4
CCNA RS_ITN - Chapter 4
CCNA Exploration 4 - Chapter 8
CCNA Exploration 4 - Chapter 8
CCNA Security 010-configuring cisco asa
CCNA Security 010-configuring cisco asa
VMware vShield - Overview
VMware vShield - Overview
Similar a CCNA Security - Chapter 3
Chapter 3 overview
Chapter 3 overview
ali raza
CCNA_Security_02.ppt
CCNA_Security_02.ppt
veracru1
CCNA_Security_03.ppt
CCNA_Security_03.ppt
veracru1
Chapter 2 overview
Chapter 2 overview
ali raza
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Prathan Phongthiproek
Ccnas v11 ch02_eb
Ccnas v11 ch02_eb
Edgar Benavente
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
Risk Analysis Consultants, s.r.o.
Oracle 4월 20일
Oracle 4월 20일
Cana Ko
Application Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
QConLondon2008
Dave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
deimos
Chapter 5 overview
Chapter 5 overview
ali raza
Cisco cme gui features
Cisco cme gui features
Fares Ryan
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
Novell
network security
network security
Dayanna Moyano
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Amazon Web Services
Gaurav security profile_5_years_experience
Gaurav security profile_5_years_experience
gaurav sharma
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Cloudyn
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
MongoDB
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Luca Bongiorni
Similar a CCNA Security - Chapter 3
(20)
Chapter 3 overview
Chapter 3 overview
CCNA_Security_02.ppt
CCNA_Security_02.ppt
CCNA_Security_03.ppt
CCNA_Security_03.ppt
Chapter 2 overview
Chapter 2 overview
Cyber Kill Chain: Web Application Exploitation
Cyber Kill Chain: Web Application Exploitation
Ccnas v11 ch02_eb
Ccnas v11 ch02_eb
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
QualysGuard InfoDay 2012 - Secure Digital Vault for Qualys
Oracle 4월 20일
Oracle 4월 20일
Application Services On The Web Sales Forcecom
Application Services On The Web Sales Forcecom
Dave Carroll Application Services Salesforce
Dave Carroll Application Services Salesforce
Chapter 5 overview
Chapter 5 overview
Cisco cme gui features
Cisco cme gui features
Troubleshooting Novell Access Manager 3.1
Troubleshooting Novell Access Manager 3.1
network security
network security
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gain visibility & real-time actionable security alerts with VPC Flow Logs & A...
Gaurav security profile_5_years_experience
Gaurav security profile_5_years_experience
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Leveraging the Cloud - Getting the Most Bang for your Buck ( presentation by ...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Securing MongoDB to Serve an AWS-Based, Multi-Tenant, Security-Fanatic SaaS A...
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Introduction to Mobile Application Security - Techcity 2015 (Vilnius)
Más de Irsandi Hasan
CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11
Irsandi Hasan
CCNA v6.0 ITN - Chapter 10
CCNA v6.0 ITN - Chapter 10
Irsandi Hasan
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09
Irsandi Hasan
CCNA v6.0 ITN - Chapter 08
CCNA v6.0 ITN - Chapter 08
Irsandi Hasan
CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07
Irsandi Hasan
CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06
Irsandi Hasan
CCNA v6.0 ITN - Chapter 05
CCNA v6.0 ITN - Chapter 05
Irsandi Hasan
CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04
Irsandi Hasan
CCNA v6.0 ITN - Chapter 03
CCNA v6.0 ITN - Chapter 03
Irsandi Hasan
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02
Irsandi Hasan
CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01
Irsandi Hasan
CCNA RS_NB - Chapter 11
CCNA RS_NB - Chapter 11
Irsandi Hasan
CCNA RS_NB - Chapter 10
CCNA RS_NB - Chapter 10
Irsandi Hasan
CCNA RS_NB - Chapter 9
CCNA RS_NB - Chapter 9
Irsandi Hasan
CCNA RS_NB - Chapter 7
CCNA RS_NB - Chapter 7
Irsandi Hasan
CCNA RS_NB - Chapter 6
CCNA RS_NB - Chapter 6
Irsandi Hasan
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5
Irsandi Hasan
CCNA RS_NB - Chapter 4
CCNA RS_NB - Chapter 4
Irsandi Hasan
CCNA RS_NB - Chapter 3
CCNA RS_NB - Chapter 3
Irsandi Hasan
CCNA RS_NB - Chapter 2
CCNA RS_NB - Chapter 2
Irsandi Hasan
Más de Irsandi Hasan
(20)
CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 11
CCNA v6.0 ITN - Chapter 10
CCNA v6.0 ITN - Chapter 10
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 09
CCNA v6.0 ITN - Chapter 08
CCNA v6.0 ITN - Chapter 08
CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 07
CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 06
CCNA v6.0 ITN - Chapter 05
CCNA v6.0 ITN - Chapter 05
CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 04
CCNA v6.0 ITN - Chapter 03
CCNA v6.0 ITN - Chapter 03
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 02
CCNA v6.0 ITN - Chapter 01
CCNA v6.0 ITN - Chapter 01
CCNA RS_NB - Chapter 11
CCNA RS_NB - Chapter 11
CCNA RS_NB - Chapter 10
CCNA RS_NB - Chapter 10
CCNA RS_NB - Chapter 9
CCNA RS_NB - Chapter 9
CCNA RS_NB - Chapter 7
CCNA RS_NB - Chapter 7
CCNA RS_NB - Chapter 6
CCNA RS_NB - Chapter 6
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 5
CCNA RS_NB - Chapter 4
CCNA RS_NB - Chapter 4
CCNA RS_NB - Chapter 3
CCNA RS_NB - Chapter 3
CCNA RS_NB - Chapter 2
CCNA RS_NB - Chapter 2
CCNA Security - Chapter 3
1.
CCNA Security
Chapter Three Authentication, Authorization, and Accounting © 2009 Cisco Learning Institute. 1
2.
Lesson Planning
• This lesson should take 3-6 hours to present • The lesson should include lecture, demonstrations, discussion and assessment • The lesson can be taught in person or using remote instruction © 2009 Cisco Learning Institute. 2
3.
Major Concepts
• Local Authentication • Enhancements to Local Authentication • Describe the purpose of AAA and the various implementation techniques • Implement AAA using the local database • Implement AAA using TACACS+ and RADIUS protocols • Implement AAA Authorization and Accounting © 2009 Cisco Learning Institute. 3
4.
Lesson Objectives
Upon completion of this lesson, the successful participant will be able to: 1. Describe the importance of AAA as it relates to authentication, authorization, and accounting 2. Configure AAA authentication using a local database 3. Configure AAA using a local database in SDM 4. Troubleshoot AAA using a local database 5. Explain server-based AAA 6. Describe and compare the TACACS+ and RADIUS protocols © 2009 Cisco Learning Institute. 4
5.
Lesson Objectives
7. Describe the Cisco Secure ACS for Windows software 8. Describe how to configure Cisco Secure ACS for Windows as a TACACS+ server 9. Configure server-based AAA authentication on Cisco Routers using CLI 10. Configure server-based AAA authentication on Cisco Routers using SDM 11. Troubleshoot server-based AAA authentication using Cisco Secure ACS 12. Configure server-based AAA Authorization using Cisco Secure ACS 13. Configure server-based AAA Accounting using Cisco Secure ACS © 2009 Cisco Learning Institute. 5
6.
AAA Access Security
Authorization which resources the user is allowed to access and which operations the user is allowed to perform? Authentication Who are you? Accounting What did you spend it on? © 2009 Cisco Learning Institute. 6
7.
Authentication – Password-Only
User Access Verification Password-Only Method Password: cisco Password: cisco1 Password: cisco12 % Bad passwords Internet R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login • Uses a login and password combination on access lines • Easiest to implement, but most unsecure method • Vulnerable to brute-force attacks • Provides no accountability © 2009 Cisco Learning Institute. 7
8.
Authentication – Local
Database • Creates individual user account/password on each device • Provides accountability • User accounts must be configured locally on each device • Provides no fallback authentication method R1(config)# username Admin secret User Access Verification Str0ng5rPa55w0rd Username: Admin R1(config)# line vty 0 4 Password: cisco1 R1(config-line)# login local % Login invalid Username: Admin Password: cisco12 Internet % Login invalid Local Database Method © 2009 Cisco Learning Institute. 8
9.
Local Versus Remote
Access Local Access Remote Access LAN 2 R1 R1 Firewall R2 LAN 1 Internet Internet LAN 3 Console Port Administrator Requires a direct connection to a Management console port using a computer LAN running terminal emulation software Administration Logging Host Host Uses Telnet, SSH HTTP or SNMP connections to the router from a computer © 2009 Cisco Learning Institute. 9
10.
Password Security
To increase the security of passwords, use additional configuration parameters: - Minimum password lengths should be enforced - Unattended connections should be disabled - All passwords in the configuration file should be encrypted R1(config)# service password-encryption R1(config)# exit R1# show running-config line con 0 exec-timeout 3 30 password 7 094F471A1A0A login line aux 0 exec-timeout 3 30 password 7 094F471A1A0A login © 2009 Cisco Learning Institute. 10
11.
Passwords
An acceptable password length is 10 or more characters Complex passwords include a mix of upper and lowercase letters, numbers, symbols and spaces Avoid any password based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, or biographical information Deliberately misspell a password (Security = 5ecur1ty) Change passwords often Do not write passwords down and leave them in obvious places © 2009 Cisco Learning Institute. 11
12.
Access Port Passwords
Command to restrict access to R1(config)# enable secret cisco privileged EXEC mode Commands to establish a Commands to establish a login login password for dial-up password on incoming Telnet sessions modem connections R1(config)# line vty 0 4 R1(config)# line aux 0 R1(config-line)# password cisco R1(config-line)# password cisco R1(config-line)# login R1 R1(config-line)# login R1(config)# line con 0 R1(config-line)# password cisco R1(config-line)# login Commands to establish a login password on the console line © 2009 Cisco Learning Institute. 12
13.
Creating Users
username name secret {[0]password|5encrypted-secret} Parameter Description name This parameter specifies the username. 0 (Optional) This option indicates that the plaintext password is to be hashed by the router using MD5. password This parameter is the plaintext password to be hashed using MD5. 5 This parameter indicates that the encrypted-secret password was hashed using MD5. encrypted-secret This parameter is the MD5 encrypted-secret password that is stored as the encrypted user password. © 2009 Cisco Learning Institute. 13
14.
Enhanced Login Features The
following commands are available to configure a Cisco IOS device to support the enhanced login features: © 2009 Cisco Learning Institute. 14
15.
login block-for Command
All login enhancement features are disabled by default. The login block-for command enables configuration of the login enhancement features. - The login block-for feature monitors login device activity and operates in two modes: o Normal-Mode (Watch-Mode) —The router keeps count of the number of failed login attempts within an identified amount of time. o Quiet-Mode (Quiet Period) — If the number of failed logins exceeds the configured threshold, all login attempts made using Telnet, SSH, and HTTP are denied. © 2009 Cisco Learning Institute. 15
16.
System Logging Messages
• To generate log messages for successful/failed logins: - login on-failure log - login on-success log • To generate a message when failure rate is exceeded: - security authentication failure rate threshold- rate log • To verify that the login block-for command is configured and which mode the router is currently in: - show login • To display more information regarding the failed attempts: - show login failures © 2009 Cisco Learning Institute. 16
17.
Access Methods • Character
Mode A user sends a request to establish an EXEC mode process with the router for administrative purposes • Packet Mode A user sends a request to establish a connection through the router with a device on the network © 2009 Cisco Learning Institute. 17
18.
Self-Contained AAA Authentication
Remote Client AAA 1 Router 2 3 Self-Contained AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database. • Used for small networks • Stores usernames and passwords locally in the Cisco router © 2009 Cisco Learning Institute. 18
19.
Server-Based AAA Authentication
• Uses an external database server - Cisco Secure Access Control Server (ACS) for Windows Server - Cisco Secure ACS Solution Engine - Cisco Secure ACS Express • More appropriate if there are multiple routers AAA Cisco Secure Remote Client Router ACS Server 1 2 3 4 Server-Based AAA 1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server. © 2009 Cisco Learning Institute. 19
20.
AAA Authorization
• Typically implemented using an AAA server-based solution • Uses a set of attributes that describes user access to the network 1. W h e n a © 2009 Cisco Learning Institute. 20 u
21.
AAA Accounting
• Implemented using an AAA server-based solution • Keeps a detailed log of what an authenticated user does on a device 1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process. © 2009 Cisco Learning Institute. 21
22.
Local AAA Authentication
Commands R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local-case R1(config)# aaa local authentication attempts max-fail 10 To authenticate administrator access (character mode access) 1.Add usernames and passwords to the local router database 2.Enable AAA globally 3.Configure AAA parameters on the router 4.Confirm and troubleshoot the AAA configuration © 2009 Cisco Learning Institute. 22
23.
Additional Commands
• aaa authentication enable Enables AAA for EXEC mode access • aaa authentication ppp Enables AAA for PPP network access © 2009 Cisco Learning Institute. 23
24.
AAA Authentication Command Elements
router(config)# aaa authentication login {default | list-name} method1… [method4] Command Description Uses the listed authentication methods that follow this default keyword as the default list of methods when a user logs in list-name Character string used to name the list of authentication methods activated when a user logs in password- Enables password aging on a local authentication list. expiry method1 Identifies the list of methods that the authentication [method2... algorithm tries in the given sequence. You must enter at ] least one method; you may enter up to four methods. © 2009 Cisco Learning Institute. 24
25.
Method Type Keywords
Keywords Description enable Uses the enable password for authentication. This keyword cannot be used. krb5 Uses Kerberos 5 for authentication. krb5-telnet Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router. line Uses the line password for authentication. local Uses the local username database for authentication. local-case Uses case-sensitive local username authentication. none Uses no authentication. cache group-name Uses a cache server group for authentication. group radius Uses the list of all RADIUS servers for authentication. group tacacs+ Uses the list of all TACACS+ servers for authentication. group group-name Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command. © 2009 Cisco Learning Institute. 25
26.
Additional Security
router(config)# aaa local authentication attempts max-fail [number-of- unsuccessful-attempts] R1# show aaa local user lockout Local-user Lock time JR-ADMIN 04:28:49 UTC Sat Dec 27 2008 R1# show aaa sessions Total sessions since last reload: 4 Session Id: 1 Unique Id: 175 User Name: ADMIN IP Address: 192.168.1.10 Idle Time: 0 CT Call Handle: 0 © 2009 Cisco Learning Institute. 26
27.
Sample Configuration
R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default local-case enable R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN © 2009 Cisco Learning Institute. 27
28.
Verifying AAA Authentication
• AAA is enabled by default in SDM • To verify or enable/disable AAA, choose Configure > Additional Tasks > AAA © 2009 Cisco Learning Institute. 28
29.
Using SDM
Select Configure > Additional Tasks > Router Access > User Accounts/View 2. Click Add 3. Enter username and password 4. Choose 15 5. Check the box and select a view 6. Click OK © 2009 Cisco Learning Institute. 29
30.
Configure Login Authentication
1. Select Configure > Additional Tasks > AAA > Authentication Policies > Login and click Add 2. Verify that Default is selected 3. Click Add 4. Choose local 5. Click OK 6. Click OK © 2009 Cisco Learning Institute. 30
31.
Troubleshooting
• The debug aaa Command • Sample Output © 2009 Cisco Learning Institute. 31
32.
The debug aaa
Command R1# debug aaa ? accounting Accounting administrative Administrative api AAA api events attr AAA Attr Manager authentication Authentication authorization Authorization cache Cache activities coa AAA CoA processing db AAA DB Manager dead-criteria AAA Dead-Criteria Info id AAA Unique Id ipc AAA IPC mlist-ref-count Method list reference counts mlist-state Information about AAA method list state change and notification per-user Per-user attributes pod AAA POD processing protocol AAA protocol processing server-ref-count Server handle reference counts sg-ref-count Server group handle reference counts sg-server-selection Server Group Server Selection subsys AAA Subsystem testing Info. about AAA generated test packets R1# debug aaa © 2009 Cisco Learning Institute. 32
33.
Sample Output
R1# debug aaa authentication 113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)') 113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal') 113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS © 2009 Cisco Learning Institute. 33
34.
Local Versus Server-Based Authentication
Local Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password authenticating the user using a local database. Cisco Secure ACS for Windows Server Perimeter 1 Router 3 2 4 Remote User Server-Based Authentication 1. The user establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. © 2009 Cisco Learning Institute. 34
35.
Overview of TACACS+
and RADIUS TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers. Cisco Secure ACS for Windows Server Perimeter Router Remote User Cisco Secure ACS Express © 2009 Cisco Learning Institute. 35
36.
TACACS+/RADIUS Comparison
TACACS+ RADIUS Functionality Separates AAA according to the AAA Combines authentication and architecture, allowing modularity of authorization but separates the security server implementation accounting, allowing less flexibility in implementation than TACACS+. Standard Mostly Cisco supported Open/RFC standard Transport Protocol TCP UDP CHAP Bidirectional challenge and response Unidirectional challenge and response as used in Challenge Handshake from the RADIUS security server to Authentication Protocol (CHAP) the RADIUS client. Protocol Support Multiprotocol support No ARA, no NetBEUI Confidentiality Entire packet encrypted Password encrypted Customization Provides authorization of router Has no option to authorize router commands on a per-user or commands on a per-user or per-group basis. per-group basis Confidentiality Limited Extensive © 2009 Cisco Learning Institute. 36
37.
TACACS+ Authentication Process
Connect Username prompt? Username? Use “Username” JR-ADMIN JR-ADMIN Password prompt? Password? Use “Password” “Str0ngPa55w0rd” “Str0ngPa55w0rd” Accept/Reject • Provides separate AAA services • Utilizes TCP port 49 © 2009 Cisco Learning Institute. 37
38.
RADIUS Authentication Process
Access-Request Username? (JR_ADMIN, “Str0ngPa55w0rd”) JR-ADMIN Access-Accept Password? Str0ngPa55w0rd • Works in both local and roaming situations • Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting © 2009 Cisco Learning Institute. 38
39.
Cisco Secure ACS
Benefits • Extends access security by combining authentication, user access, and administrator access with policy control • Allows greater flexibility and mobility, increased security, and user-productivity gains • Enforces a uniform security policy for all users • Reduces the administrative and management efforts © 2009 Cisco Learning Institute. 39
40.
Advanced Features
• Automatic service monitoring • Database synchronization and importing of tools for large-scale deployments • Lightweight Directory Access Protocol (LDAP) user authentication support • User and administrative access reporting • Restrictions to network access based on criteria • User and device group profiles © 2009 Cisco Learning Institute. 40
41.
Installation Options
Cisco Secure ACS for Windows can be installed on: - Windows 2000 Server with Service Pack 4 - Windows 2000 Advanced Server with Service Pack 4 - Windows Server 2003 Standard Edition - Windows Server 2003 Enterprise Edition Cisco Secure ACS Solution Engine - A highly scalable dedicated platform that serves as a high- performance ACS - 1RU, rack-mountable - Preinstalled with a security-hardened Windows software, Cisco Secure ACS software - Support for more than 350 users Cisco Secure ACS Express 5.0 - Entry-level ACS with simplified feature set - Support for up to 50 AAA device and up to 350 unique user ID logins in a 24-hour period © 2009 Cisco Learning Institute. 41
42.
Deploying ACS
• Consider Third-Party Software Requirements • Verify Network and Port Prerequisites - AAA clients must run Cisco IOS Release 11.2 or later. - Cisco devices that are not Cisco IOS AAA clients must be configured with TACACS+, RADIUS, or both. - Dial-in, VPN, or wireless clients must be able to connect to AAA clients. - The computer running ACS must be able to reach all AAA clients using ping. - Gateway devices must permit communication over the ports that are needed to support the applicable feature or protocol. - A supported web browser must be installed on the computer running ACS. - All NICs in the computer running Cisco Secure ACS must be enabled. • Configure Secure ACS via the HTML interface © 2009 Cisco Learning Institute. 42
43.
Cisco Secure ACS
Homepage add, delete, modify settings for AAA clients (routers) set menu display options for TACACS and RADIUS configure database settings © 2009 Cisco Learning Institute. 43
44.
Network Configuration
1. Click Network Configuration on the navigation bar 2. Click Add Entry 3. Enter the hostname 4. Enter the IP address 5. Enter the secret key 6. Choose the appropriate protocols 7. Make any other necessary selections and click Submit and Apply © 2009 Cisco Learning Institute. 44
45.
Interface Configuration
The selection made in the Interface Configuration window controls the display of options in the user interface © 2009 Cisco Learning Institute. 45
46.
External User Database
1. Click the External User Databases button on the navigation bar 2. Click Database Configuration 3. Click Windows Database © 2009 Cisco Learning Institute. 46
47.
Windows User Database
Configuration 4. Click configure 5. Configure options © 2009 Cisco Learning Institute. 47
48.
Configuring the Unknown
User Policy 1. Click External User Databases on the navigation bar 2. Click Unknown User Policy 3. Place a check in the box 4. Choose the database in from the list and click the right arrow to move it to the Selected list 5. Manipulate the databases to reflect the order 6. Click Submit in which each will be checked © 2009 Cisco Learning Institute. 48
49.
Group Setup
Database group mappings - Control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another 1. Click Group Setup on the navigation bar 2. Choose the 3. Click Permit in the Unmatched group to edit Cisco IOS commands option and click 4. Check the Command check box Edit Settings and select an argument 5. For the Unlisted Arguments option, click Permit © 2009 Cisco Learning Institute. 49
50.
User Setup
1. Click User Setup on the navigation bar 2. Enter a username and click Add/Edit 3. Enter the data to define the user account 4. Click Submit © 2009 Cisco Learning Institute. 50
51.
Configuring Server-Based AAA Authentication
1. Globally enable AAA to allow the user of all AAA elements (a prerequisite) 2. Specify the Cisco Secure ACS that will provide AAA services for the network access server 3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS 4. Configure the AAA authentication method list © 2009 Cisco Learning Institute. 51
52.
aaa authentication Command
R1(config)# aaa authentication type { default | list-name } method1 … [method4] R1(config)# aaa authentication login default ? enable Use enable password for authentication. group Use Server-group krb5 Use Kerberos 5 authentication. krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet. line Use line password for authentication. local Use local username authentication. local-case Use case-sensitive local username authentication. none NO authentication. passwd-expiry enable the login list to provide password aging support R1(config)# aaa authentication login default group ? WORD Server-group name radius Use list of all Radius hosts. tacacs+ Use list of all Tacacs+ hosts. R1(config)# aaa authentication login default group © 2009 Cisco Learning Institute. 52
53.
Sample Configuration
• Multiple RADIUS servers can be TACACS+ or RADIUS protocols are identified by entering a radius-server used to communicate between the clients and AAA security servers. command for each • For TACACS+, the single-connection command maintains a single TCP 192.168.1.100 connection for the life of the session R1 Cisco Secure ACS for Windows using RADIUS R1(config)# aaa new-model R1(config)# R1(config)# radius-server host 192.168.1.100 R1(config)# radius-server key RADIUS-Pa55w0rd R1(config)# R1(config)# tacacs-server host 192.168.1.101 R1(config)# tacacs-server key TACACS+Pa55w0rd single-connection R1(config)# 192.168.1.101 R1(config)# aaa authentication login default group tacacs+ group radius local-case Cisco Secure ACS R1(config)# Solution Engine using TACACS+ © 2009 Cisco Learning Institute. 53
54.
Add TACACS Support 1.
Choose Configure > Additional Tasks > AAA > AAA Servers and Groups > AAA Servers 2. Click Add 3. Choose TACACS+ 192.168.1.101 4. Enter the IP address (or hostname) of the AAA server 5. Check the Single Connection check box to maintain a single connection 6. Check the Configure Key 7. Click OK to encrypt traffic © 2009 Cisco Learning Institute. 54
55.
Create AAA Login
Method 1. Choose Configure>Additional Tasks>AAA>Authentication Policies>Login 2. Click Add 3. Choose User Defined 4. Enter the name 5. Click Add 6. Choose group tacacs+ from the list 7. Click OK 8. Click Add to add a backup method 9. Choose enable from the list Click OK twice © 2009 Cisco Learning Institute. 55
56.
Apply Authentication Policy
1. Choose Configure>Additional Tasks>Router Access>VTY 2. Click Edit 3. Choose the authentication policy to apply © 2009 Cisco Learning Institute. 56
57.
Sample Commands
R1# debug aaa authentication AAA Authentication debugging is on R1# 14:01:17: AAA/AUTHEN (567936829): Method=TACACS+ 14:01:17: TAC+: send AUTHEN/CONT packet 14:01:17: TAC+ (567936829): received authen response status = PASS 14:01:17: AAA/AUTHEN (567936829): status = PASS • The debug aaa authentication command provides a view of login activity • For successful TACACS+ login attempts, a status message of PASS results © 2009 Cisco Learning Institute. 57
58.
Sample Commands
R1# debug radius ? accounting RADIUS accounting packets only authentication RADIUS authentication packets only brief Only I/O transactions are recorded elog RADIUS event logging failover Packets sent upon fail-over local-server Local RADIUS server retransmit Retransmission of packets verbose Include non essential RADIUS debugs <cr> R1# debug radius R1# debug tacacs ? accounting TACACS+ protocol accounting authentication TACACS+ protocol authentication authorization TACACS+ protocol authorization events TACACS+ protocol events packet TACACS+ packets <cr> © 2009 Cisco Learning Institute. 58
59.
AAA Authorization Overview
Command authorization for user show version JR-ADMIN, command “show version”? Display “show Accept version” output Command authorization for user configure terminal JR-ADMIN, command “config terminal”? Do not permit Reject “configure terminal” • The TACACS+ protocol allows the separation of authentication from authorization. • Can be configured to restrict the user to performing only certain functions after successful authentication. • Authorization can be configured for - character mode (exec authorization) - packet mode (network authorization) • RADIUS does not separate the authentication from the authorization process © 2009 Cisco Learning Institute. 59
60.
AAA Authorization Commands
R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default group tacacs+ R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# aaa authorization exec default group tacacs+ R1(config)# aaa authorization network default group tacacs+ R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN R1(config-line)# ^Z • To configure command authorization, use: aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4] • Service types of interest include: - commands level For exec (shell) commands - exec For starting an exec (shell) - network For network services. (PPP, SLIP, ARAP) © 2009 Cisco Learning Institute. 60
61.
Using SDM to
Configure Authorization Character Mode 1. Choose Configure>Additional Tasks>AAA>Authorization Policies>Exec 2. Click Add 3. Choose Default 4. Click Add 5. Choose group tacacs+ from the list 6. Click OK 7. Click OK to return to the Exec Authorization window © 2009 Cisco Learning Institute. 61
62.
Using SDM to
Configure Authorization Packet Mode 1. Choose Configure>Additional Tasks>AAA>Authorization Policies>Network 2. Click Add 3. Choose Default 4. Click Add 7. Click OK to return to 5. Choose group tacacs+ from the list the Exec Authorization pane 6. Click OK © 2009 Cisco Learning Institute. 62
63.
AAA Accounting Overview
• Provides the ability to track usage, such as dial-in access; the ability to log the data gathered to a database; and the ability to produce reports on the data gathered • To configure AAA accounting using named method lists: aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2]] • Supports six different types of accounting: network, connection, exec, system, commands level, and resource. © 2009 Cisco Learning Institute. 63
64.
AAA Accounting Commands
R1# conf t R1(config)# username JR-ADMIN secret Str0ngPa55w0rd R1(config)# username ADMIN secret Str0ng5rPa55w0rd R1(config)# aaa new-model R1(config)# aaa authentication login default group tacacs+ R1(config)# aaa authentication login TELNET-LOGIN local-case R1(config)# aaa authorization exec group tacacs+ R1(config)# aaa authorization network group tacacs+ R1(config)# aaa accounting exec start-stop group tacacs+ R1(config)# aaa accounting network start-stop group tacacs+ R1(config)# line vty 0 4 R1(config-line)# login authentication TELNET-LOGIN R1(config-line)# ^Z • aaa accounting exec default start-stop group tacacs+ Defines a AAA accounting policy that uses TACACS+ for logging both start and stop records for user EXEC terminal sessions. • aaa accounting network default start-stop group tacacs+ Defines a AAA accounting policy that uses TACACS+ for logging both start and stop records for all network-related service requests. © 2009 Cisco Learning Institute. 64
65.
© 2009 Cisco
Learning Institute. 65
Notas del editor
If there are user properties that you do not see, you may have to modify the interface configuration. Choose Interface Configuration > User Data Configuration to modify the user interface.