
CCNASv2 InstructorPPT CH3

Chapter 3 covers Authentication, Authorization, and Accounting (AAA) and its importance in network security. It details local and server-based AAA authentication methods, including configuration and troubleshooting steps for both. The chapter also discusses the differences between TACACS+ and RADIUS protocols, as well as server-based authorization and accounting processes.

Uploaded by

AIC Best

Chapter 3: Authentication, Authorization, and Accounting

Chapter Outline

3.0 Introduction

3.1 Purpose of the AAA

3.2 Local AAA Authentication

3.3 Server-Based AAA

3.4 Server-Based AAA Authentication

3.5 Server-Based Authorization and Accounting

3.6 Summary

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Section 3.1:
Purpose of the AAA
Upon completion of this section, you should be able to:
• Explain why AAA is critical to network security.

• Describe the characteristics of AAA.

Topic 3.1.1:
AAA Overview

Authentication without AAA
Telnet is Vulnerable to Brute-Force Attacks

Authentication without AAA (Cont.)
SSH and Local Database Method

AAA Components

Topic 3.1.2:
AAA Characteristics

Authentication Modes

Local AAA Authentication

Server-Based AAA Authentication

Authorization

AAA Authorization

Accounting
Types of accounting information:
• Network
• Connection
• EXEC
• System
• Command
• Resource

AAA Accounting

Section 3.2:
Local AAA Authentication
Upon completion of this section, you should be able to:
• Configure AAA authentication, using the CLI, to validate users against a local database.
• Troubleshoot AAA authentication that validates users against a local database.

Topic 3.2.1:
Configuring Local AAA Authentication with CLI

Authenticating Administrative Access
1. Add usernames and passwords to the local router database for users that need administrative access to the router.
2. Enable AAA globally on the router.
3. Configure AAA parameters on the router.
4. Confirm and troubleshoot the AAA configuration.

Authentication Methods

Default and Named Methods
Example Local AAA Authentication

Fine-Tuning the Authentication Configuration

Command Syntax

Display Locked Out Users

Show Unique ID of a Session

Topic 3.2.2:
Troubleshooting Local AAA Authentication

Debug Options
Debug Local AAA Authentication

Debugging AAA Authentication

Understanding Debug Output

Section 3.3:
Server-Based AAA
Upon completion of this section, you should be able to:
• Describe the benefits of server-based AAA.

• Compare the TACACS+ and RADIUS authentication protocols.

Topic 3.3.1:
Server-Based AAA Characteristics

Comparing Local AAA and Server-Based AAA Implementations

Local authentication:

1. User establishes a connection with the router.
2. Router prompts the user for a username and password, authenticating the user using a local database.

Server-based authentication:

1. User establishes a connection with the router.
2. Router prompts the user for a username and password.
3. Router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user.

Introducing Cisco Secure Access Control System

Topic 3.3.2:
Server-Based AAA Communication Protocols

Introducing TACACS+ and RADIUS

TACACS+ Authentication
TACACS+ Authentication Process

RADIUS Authentication

RADIUS Authentication Process

Integration of TACACS+ and ACS

Cisco Secure ACS

Integration of AAA with Active Directory

Section 3.4:
Server-Based AAA Authentication
Upon completion of this section, you should be able to:
• Configure server-based AAA authentication, using the CLI, on Cisco routers.

• Troubleshoot server-based AAA authentication.

Topic 3.4.1:
Configuring Server-Based Authentication with CLI

Steps for Configuring Server-Based AAA Authentication with CLI
1. Enable AAA.
2. Specify the IP address of the ACS server.
3. Configure the secret key.
4. Configure authentication to use either the RADIUS or TACACS+ server.
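
The four steps above as a Cisco IOS configuration sketch, added here as an example and not taken from the original slides. The server names, the 192.0.2.x documentation addresses, the username and the key placeholders are assumptions; the local account and the local-case fallback keep the router manageable if both servers are unreachable.

```cisco
! Constructed example: names, addresses and secrets are placeholders.
!
! Local account kept as a last-resort fallback (stored as an scrypt hash).
username admin01 algorithm-type scrypt secret <LOCAL-SECRET-PLACEHOLDER>
!
! Step 1: enable AAA.
aaa new-model
!
! Steps 2 and 3: server address and shared secret key (TACACS+).
tacacs server ACS-TACACS
 address ipv4 192.0.2.10
 single-connection
 key <TACACS-KEY-PLACEHOLDER>
!
! Steps 2 and 3: server address and shared secret key (RADIUS).
radius server ACS-RADIUS
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <RADIUS-KEY-PLACEHOLDER>
!
! Step 4: default login method list. Methods are tried in order, and the
! next one is used only when the previous one returns an error or times
! out, not when it rejects the credentials.
aaa authentication login default group tacacs+ group radius local-case
```

Before closing the session that applied this, open a second session and confirm that a login succeeds, so a mistyped key or address does not lock out administrative access.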

Configuring the CLI with TACACS+ Servers

Server-Based AAA Reference Topology

Configure a AAA TACACS+ Server

Configuring the CLI for RADIUS Servers

Configure a AAA RADIUS Server

Configure Authentication to Use the AAA Server

Command Syntax

Configure Server-Based AAA Authentication

Topic 3.4.2:
Troubleshooting Server-Based AAA Authentication

Monitoring Authentication Traffic

Troubleshooting Server-Based AAA Authentication

Debugging TACACS+ and RADIUS

Troubleshooting RADIUS

Troubleshooting TACACS+

Debugging TACACS+ and RADIUS (Cont.)

AAA Server-Based Authentication Success

AAA Server-Based Authentication Failure

Section 3.5:
Server-Based AAA Authorization and Accounting
Upon completion of this section, you should be able to:
• Configure server-based AAA authorization.

• Configure server-based AAA accounting.

• Explain the functions of 802.1x components.

Topic 3.5.1:
Configuring Server-Based AAA Authorization

Introduction to Server-Based AAA Authorization
Authentication vs. Authorization
• Authentication ensures a device or end-user is legitimate.
• Authorization allows or disallows authenticated users access to certain areas and programs on the network.

TACACS+ vs. RADIUS
• TACACS+ separates authentication from authorization.
• RADIUS does not separate authentication from authorization.

AAA Authorization Configuration with CLI

Command Syntax

Authorization Method Lists

Example AAA Authorization

Topic 3.5.2:
Configuring Server-Based AAA Accounting

Introduction to Server-Based AAA Accounting

AAA Accounting Configuration with CLI

Command Syntax

Accounting Method Lists

Example AAA Accounting

Topic 3.5.3:
802.1X Authentication

Security Using 802.1X Port-Based Authentication

802.1X Roles

802.1X Message Exchange

802.1X Port Authorization State

Command Syntax for dot1x port-control

Configuring 802.1X

Section 3.6:
Summary
Chapter Objectives:
• Explain how AAA is used to secure a network.
• Implement AAA authentication that validates users against a local database.
• Implement server-based AAA authentication using TACACS+ and RADIUS protocols.
• Configure server-based AAA authorization and accounting.

Thank you.
Instructor Resources

• Remember, there are helpful tutorials and user guides available via your NetSpace home page (https://www.netacad.com).
• These resources cover a variety of topics including navigation, assessments, and assignments.
• A screenshot has been provided here highlighting the tutorials related to activating exams, managing assessments, and creating quizzes.
