
Sunday, April 25, 2010

CCNA Security 06

In AAA (Authentication, Authorization, Accounting), the first A (Authentication) is the most commonly tested in the CCNA Security exam. Authorization and Accounting are mostly tested in CCIE Security.
AAA is enabled using:
aaa new-model

The three parts of AAA are:
Authentication - Who can access the system?
Authorization - What resources can he access?
Accounting - What did they use and how did they use it?

Creating a user account in a local database and using it for AAA authentication results in a self-contained AAA deployment. External AAA can be done through the following protocols:
-RADIUS - Cisco Proprietary, TCP-based (49)
-TACACS+ - Open Standard, UDP-based (1812 or 1645 (Old))

TACACS+ encrypts the entire packet, while RADIUS only encrypts the password fields. RADIUS combines the authentication and authorization process. TACACS+ considers Authentication, Authorization and Accounting to be separate processes. You can use them separately in a TACACS+ implementation.

RADIUS does not support NASI (Novell Async Services Interface) protocol, NetBIOS Frame Protocol Control protocol, X.25 Packet Assembler/Disassembler (PAD), AppleTalk Remote Access Protocol (ARA or ARAP). TACACS+ supports all of these. RADIUS can't control authorization level of users and router commands, but TACACS+ can.

In a TACACS+ authentication process, the router does not decide what credentials to collect; it asks the TACACS+ server. When a user tries to authenticate, the server first tells the router to ask for a username, and the router passes that prompt through to the user. After the user supplies the username, the server then tells the router to ask for the password.

The TACACS+ server can then choose one of four replies: ACCEPT, REJECT, CONTINUE or ERROR. ACCEPT and REJECT are self-explanatory. CONTINUE means that more information is required from the user. ERROR means that there is some form of communication error between the router and the server.

To configure the router to use a TACACS+ server, use:
tacacs-server host 192.168.1.1 key cisco

You can also set up RADIUS authentication like this:
radius-server host 192.168.1.2 key cisco

We can set it up to use the RADIUS server first, then the TACACS+ server if RADIUS is down. Finally, if both are down, the request is forwarded to the local database. To do this, type:
aaa authentication login default group radius group tacacs+ local

The default list is used for every authentication that does not refer to a named list. Authentication lists are also known as method lists in the examination. You can use up to 4 different methods for authentication per list, tried in the order they are listed.

AAA new-model overrides every previously configured authentication method for router lines (VTY, etc). If AAA new-model is not entered, you would have to choose between "local" and "tacacs" when setting up the login method on VTY lines. When AAA new-model is set, you would have to choose a method list instead.

Note that typing aaa new-model would automatically use the local database for authentication. Any line password previously set would not work. You would be locked out if your local database is empty. The following is an AAA implementation with a named list:
aaa authentication login AAA_VTY local
username cisco password cisco
line vty 0 4
login authentication AAA_VTY
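The fallback order described for "group radius group tacacs+ local" and the empty-local-database lockout warned about above, as an added model that is not part of the original post. Server names, users and passwords are constructed; the model applies the ask-then-answer dialog to every method for brevity, and treats only an ERROR (unreachable server) as a reason to move to the next method.

```python
# Added example, not from the original post: a small model of how an IOS AAA
# login method list is walked. Users, passwords and server states are constructed.
from dataclasses import dataclass, field

ACCEPT, REJECT, CONTINUE, ERROR = "ACCEPT", "REJECT", "CONTINUE", "ERROR"


@dataclass
class Server:
    """An AAA credential store. up=False models an unreachable server (ERROR)."""
    creds: dict
    up: bool = True

    def query(self, user, password=None):
        if not self.up:
            return ERROR
        if password is None:
            return CONTINUE  # "ask the user for more information" (the TACACS+ dialog)
        return ACCEPT if self.creds.get(user) == password else REJECT


@dataclass
class Router:
    local_db: dict = field(default_factory=dict)      # local username/password pairs
    servers: dict = field(default_factory=dict)       # "radius" / "tacacs+" -> Server
    method_list: list = field(default_factory=list)   # e.g. ["radius", "tacacs+", "local"]

    def login(self, user, password):
        """Walk the method list in order. Only ERROR falls through to the next
        method; ACCEPT or REJECT from a reachable method is final."""
        for method in self.method_list:
            db = Server(self.local_db) if method == "local" else self.servers[method]
            reply = db.query(user)               # router asks what to prompt for
            if reply == CONTINUE:
                reply = db.query(user, password)  # supply the requested password
            if reply == ERROR:
                continue                          # server down: try the next method
            return reply
        return REJECT  # every configured method was unreachable


def demo():
    radius = Server({"alice": "r4dius-pw"}, up=False)   # RADIUS server is down
    tacacs = Server({"alice": "t4cacs-pw"})
    r = Router({"cisco": "cisco"}, {"radius": radius, "tacacs+": tacacs},
               ["radius", "tacacs+", "local"])
    return (r.login("alice", "t4cacs-pw"),  # RADIUS ERROR -> TACACS+ ACCEPT
            r.login("cisco", "cisco"),      # TACACS+ up and REJECTs: no fall-through
            Router(method_list=["local"]).login("cisco", "cisco"))  # empty DB: lockout
```

The second result is the point to remember: a reachable server that rejects the user ends the list, so the local database is only consulted when both external servers are down.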


You can also protect privileged EXEC (enable) mode through AAA with the "aaa authentication enable" command. Only a default list can be made here, not a named one. You can also set authentication lists for PPP like this:
aaa authentication ppp default group radius

In this case, the RADIUS server would need to have both routers' credentials for authentication to work.

AAA Accounting allows tracking of EXEC commands, EXEC logins, outbound connections, network resources, system events, etc. The accounting types are:
Commands - logs information about EXEC commands issued by a user
Connection - logs all outbound telnet connections from the router
EXEC - logs information about EXEC terminal sessions
Network - logs all PPP, ARAP and SLIP sessions
Resource - logs authentications
System - logs system-level events

If we want to enable auditing of EXEC commands, use:
aaa accounting commands 15 default start-stop group radius

AAA Accounting is rarely used in production networks, but it will be tested in the examination.

User EXEC mode is privilege level 1, and privileged EXEC mode is level 15. To show the current privilege level, use:
show privilege

There is a level 0 which allows only four commands: exit, logout, disable, enable. Levels 2-14 are custom levels which can be defined by the administrator. We can do things like restrict ping to level 5 and above. To do this, we use the privilege command like this:
privilege exec level 5 ping

Ping commands are allowed to be executed by users in privilege level 5 and above.

Configuration of AAA in SDM is done from Configure > Additional Tasks > AAA. From the AAA Servers section, we can add RADIUS and TACACS+ servers. AAA Server Groups require AAA servers to be set up first. Login, NAC and 802.1x method lists can be configured in their respective sections. Default Local is the default list for Login.
