The document discusses authentication, authorization, and accounting (AAA) and provides instructions for configuring AAA on Cisco routers. It begins with an introduction to the three A's of AAA - authentication, authorization, and accounting. It then covers identifying each component and implementing authentication using local services or external servers like TACACS+ and RADIUS. The document also discusses authenticating router access, configuring AAA on Cisco routers including enabling AAA globally and setting authentication lists, and troubleshooting AAA using debug commands.
2. Outline
– Introduction of AAA
– Identification of each A
– Implementing Authentication
– TACACS+ and RADIUS AAA Protocols
– Authenticating Router Access
– Configuring AAA for Cisco Routers
– Troubleshooting AAA on Cisco Routers
– Configuring AAA with Cisco SDM
– Summary
3. INTRODUCTION OF AAA
Sometimes referred to as “ triple-A” or just
AAA,
A- Authentication
A- Authorization
A- Accounting
Represent the big tree in terms of IP based
network management & policy administration.
4. AUTHENTICATION
Authentication is a process that ensures &
confirms a user’s identity.
Authentication begins when a user tries to
access information.
The user must prove his access rights &
identity.
This login combination, which must be
assigned to each user, authenticates access.
5. AUTHORIZATION
Authorization is the process of granting or
denying a user access to network resources
once the user has been authenticated
through the username & password.
The amount of information & the amount of
services the user has access to depend on
the user’s authorization level.
6. ACCOUNTING
Accounting is the process of keeping track of
a user’s activity while accessing the network
resources, including the amount of time
spent in the network, the services accessed
while there & the amount of data transferred
during the session.
Accounting data is used for trend analysis,
capacity planning, billing auditing & cost
allocation.
7. AAA MODEL—NETWORK SECURITY
ARCHITECTURE
• Authentication
– Who are you?
– “I am user student and my password validateme proves it.”
• Authorization
– What can you do? What can you access?
– “User student can access host serverXYZ using Telnet.”
• Accounting
– What did you do? How long did you do it?
How often did you do it?
– “User student accessed host serverXYZ using Telnet for
15 minutes.”
8. IMPLEMENTING AUTHENTICATION USING LOCAL
SERVICES
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local
database. The user is authorized to access the network based on
information in the local database.
Perimeter
Router
Remote Client
1
2
3
9. IMPLEMENTING AUTHENTICATION USING
EXTERNAL SERVERS
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or
engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access
the router (administrative access) or the network based on information found in
the Cisco Secure ACS database.
Perimeter
Router
Remote Client
Cisco Secure
ACS for
Windows Server
Cisco Secure
ACS Solution
Engine
1
2
3
4
10. TACACS+ AND RADIUS AAA PROTOCOLS
• Two different protocols are
used to communicate between
the AAA security servers and
authenticating devices.
• Cisco Secure ACS supports
both TACACS+ and RADIUS:
– TACACS+ remains more
secure than RADIUS.
– RADIUS has a robust
application programming
interface and strong
accounting.
Cisco Secure ACS
Firewall
Router Network
Access
Server
TACACS+ RADIUS
Security Server
11.
12. Microsoft Windows dial-up
networking connection:
Username and Password fields
Security
Server
Microsoft Windows
Remote PC
NAS
Username and password (TCP/IP PPP)
PSTN or ISDN
13. PPP , ISDN , PSTN
Point-to-Point Protocol (PPP) is a data link (layer
2) protocol used to establish a direct connection between
two nodes. It connects two routers directly without any host
or any other networking device in between. It can provide
connection authentication,transmission encryption (using E
CP, RFC 1968), and compression.
Integrated Services Digital Network (ISDN) is a set of
communication standards for
simultaneous digital transmission of voice, video, data.
Public Switched Telephone Network (PSTN) is the world's
collection of interconnected voice-oriented public telephone
networks.
15. ROUTER LOCAL AUTHENTICATION
CONFIGURATION PROCESS
Here are the general steps required to configure a Cisco router
for local authentication:
• Step 1: Secure access to privileged EXEC mode.
• Step 2: Enable AAA globally on the perimeter router with the
aaa new-model command.
• Step 3: Configure AAA authentication lists.
• Step 4: Configure AAA authorization for use after the user
has passed authentication.
• Step 5: Configure the AAA accounting options for how you
want to write accounting records.
• Step 6: Verify the configuration.
16. ENABLE AAA GLOBALLY USING THE
AAA NEW-MODEL COMMAND
aaa new-model
router(config)#
router(config)# aaa new-model
username username password password
router(config)#
router(config)# username Joe106 password 1MugOJava
• Establishes AAA section in configuration file
• Sets username and password
aaa authentication login default local
• Helps prevent administrative access lockout while configuring AAA
router(config)#
17. AAA AUTHENTICATION COMMANDS
• These aaa authentication commands are available in Cisco IOS
Releases 12.2 and later.
• Each of these commands has its own syntax and options
(methods).
aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt
router(config)#
21. Apply Authentication Commands to Lines
and Interfaces
• Authentication commands can be applied to lines or interfaces.
router(config)# line console 0
router(config-line)# login authentication console-in
router(config)# int s3/0
router(config-if)# ppp authentication chap dial-in
Note: It is recommended that you always define a default list for AAA to provide “last resort”
authentication on all lines and interfaces protected by AAA.
24. TROUBLESHOOTING AAA USING DEBUG
COMMANDS
debug aaa authentication
router#
• Use this command to help troubleshoot AAA authentication
problems
debug aaa accounting
router#
• Use this command to help troubleshoot AAA accounting
problems
debug aaa authorization
router#
• Use this command to help troubleshoot AAA authorization
problems
25. router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN
priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1'
list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default"
list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS