AAA: Authentication, Authorization, and Accounting

Questions and Answers

Which of the following is the first step in the AAA process?

  • Auditing
  • Accounting
  • Authorization
  • Identification (correct)

What is the primary function of the 'Authentication' element within the AAA framework?

  • Recording a log of events related to system activity.
  • Verifying the identity of a user. (correct)
  • Tracking network usage for billing purposes.
  • Defining the allowed and denied resource access.

Which AAA element is responsible for granting or denying access to specific resources after a user has been authenticated?

  • Authorization (correct)
  • Auditing
  • Accounting
  • Authentication

Which of the following best defines the purpose of the 'Accounting' element in AAA?

Answer: Tracking resource consumption for monitoring or billing.

What is a key vulnerability when using Telnet without AAA?

Answer: Vulnerability to brute-force attacks due to lack of security features (Telnet also carries credentials in cleartext).

Which security protocol is used alongside a local database method to enhance authentication security compared to Telnet?

Answer: SSH

What command is used to enable AAA globally on a Cisco router?

Answer: aaa new-model

Which command configures the router to authenticate users against a local database?

Answer: aaa authentication login default local

What does the aaa local authentication attempts max-fail command control?

Answer: The number of failed login attempts before a local user account is locked.

In server-based AAA, what are the two primary protocols used for communication with AAA security servers?

Answer: RADIUS and TACACS+

What is a primary benefit of using server-based AAA over local AAA?

Answer: Centralized management of user authentication and authorization.

Which protocol, RADIUS or TACACS+, separates authentication and authorization?

Answer: TACACS+

Which transport protocol does TACACS+ use?

Answer: TCP

What information is encrypted by TACACS+?

Answer: The entire packet body (only the header is sent in cleartext).

What command is used to specify the IP address of the ACS server when configuring server-based AAA?

Answer: address ipv4

After configuring AAA with TACACS+ or RADIUS, which command is essential to apply the authentication method to the login process?

Answer: aaa authentication login default group tacacs+ local

Besides TACACS+, what can be used to communicate between clients and AAA security servers in Cisco Secure ACS?

Answer: RADIUS

Which of the following is true about RADIUS in the context of authentication and authorization?

Answer: RADIUS does not separate authentication from authorization, which can limit flexibility compared to TACACS+.

Consider a network where both RADIUS and TACACS+ servers are configured for AAA. The network administrator intends to prioritize TACACS+ for all authentication requests, but in case the TACACS+ server is unreachable, RADIUS should be used as a fallback. Which of the following configurations would achieve this?

Answer: aaa authentication login default group tacacs+ group radius

A network engineer is troubleshooting a network where users are failing to authenticate. AAA is configured to use TACACS+ as the primary authentication method and local authentication as a backup. Local authentication is configured, but to the engineer's surprise, it is never used even when the TACACS+ server is completely unreachable and local users exist in the router's configuration. Why might the local authentication not be functioning as expected?

Answer: The command aaa authentication login default group tacacs+ enable was used, so the fallback method is the enable password rather than the local user database.

AAA is concerned with identification, authentication, authorization, and auditing, but not accounting.

Answer: False

Identification in AAA involves validating a claimed identity before granting network access.

Answer: False (identification is claiming an identity; validating it is authentication)

Authorization determines the level of access a validated user has to network resources.

Answer: True

Accounting in AAA is solely concerned with billing users based on their network usage.

Answer: False

Telnet, without AAA, is not susceptible to brute-force attacks due to its strong encryption.

Answer: False (Telnet has no encryption at all)

When configuring local AAA, usernames and passwords must be added to a central external database.

Answer: False

The aaa new-model command is optional when enabling AAA on a Cisco router.

Answer: False

The enable keyword, in authentication methods, uses the enable password for authentication.

Answer: True

Local AAA is best suited for large networks with hundreds of devices.

Answer: False

AAA cannot be configured to lock out a user account after a specified number of failed login attempts.

Answer: False

Server-based AAA offers centralized management compared to local AAA.

Answer: True

TACACS+ and RADIUS are AAA protocols that are used to communicate between the clients and AAA security servers.

Answer: True

TACACS+ uses UDP for transport, while RADIUS uses TCP.

Answer: False (it is the other way round: TACACS+ uses TCP, RADIUS uses UDP)

RADIUS encrypts the entire packet, while TACACS+ only encrypts the password.

Answer: False (it is the other way round)

In TACACS+, authorization and authentication are combined into a single process.

Answer: False

auth-port and acct-port are configurable parameters in RADIUS, specifying the authentication and accounting port numbers, respectively.

Answer: True

Microsoft's Network Policy Server (NPS) cannot be used as a RADIUS server for AAA.

Answer: False

AAA authorization is always required after successful authentication, since authentication does not imply levels of permissions.

Answer: True

In AAA accounting, a 'start' message indicates the end of a user's session.

Answer: False

To configure AAA accounting to use the RADIUS protocol on a Cisco router, the command aaa accounting exec default start-stop group radius can be used.

Answer: True (the record type, start-stop or stop-only, is a required part of the command)

Flashcards

Authentication

Verifying a user's identity before granting network access.

Authorization

Determining what an authenticated user may access on the network.

Accounting

Tracking network usage for auditing and billing.

AAA

A security framework controlling network access.

Authentication Purpose

Ensuring the device or user is legitimate.

Authorization Purpose

Allows or disallows access to network resources.

Accounting Purpose

Tracks network resource usage for auditing and billing.

Local AAA Authentication

The router authenticates users against its own local username database.

Server-Based AAA

The router authenticates users against a remote AAA server.

TACACS+

An AAA protocol that keeps authentication, authorization and accounting as separate functions.

RADIUS

An AAA protocol that combines authentication and authorization in one exchange.

Cisco Secure ACS

A Cisco system offering centralized AAA services.

AAA with Active Directory

AAA integrated with Microsoft's directory service, typically by speaking RADIUS to Windows Server NPS.

Authentication

Ensures that only legitimate devices or end users access the network.

Authorization Definition

Allows or disallows access to specific areas or programs.

AAA Accounting Tracking

Provides comprehensive network usage data.

Identification (AAA)

Claiming an identity when trying to enter a secured area or system.

AAA Auditing

The component of AAA that records a log of events and activities related to the system and its subjects.

AAA Accounting (Reviewing Logs)

Reviewing log files to check compliance and violations, holding subjects accountable for their actions.

Telnet Vulnerability

Telnet carries credentials in cleartext; when it is directly exposed to the internet, it is also susceptible to having passwords cracked by repeated login attempts.

SSH Authentication

SSH with local login: the session is encrypted (unlike Telnet) and users are validated against the router's local username database.

AAA Max-Fail Attempts

The global configuration command aaa local authentication attempts max-fail, which limits the number of failed login attempts before a local user account is locked out.

Show AAA Local User Lockout

The show aaa local user lockout command displays locked-out local users; clear aaa local user lockout unlocks them.

Show AAA Sessions

The show aaa sessions command displays active AAA sessions.

Server-Based AAA Authentication

The user connects to the router, which forwards the credentials to the remote AAA server; the server validates them and returns pass or fail.

Server-Based AAA Configuration

Includes the AAA server's IP address and a shared secret key that authenticates and encrypts traffic between the router and the server.

TACACS+ Encryption

Uses TCP (port 49) for reliable communication and encrypts the entire packet body; only the header is cleartext.

RADIUS Encryption

Typically uses UDP (ports 1812/1813, or the legacy 1645/1646), hides only the password attribute, and combines authentication and authorization.

Study Notes

Chapter 3 Overview: Authentication, Authorization, and Accounting (AAA)

  • AAA is critical to network security.
  • The main elements consist of identification, authentication, authorization, auditing, and accounting.

AAA Elements

  • Identification involves claiming an identity to access a secured area or system.
  • Authentication is proving you are that identity.
  • Authorization defines the allows and denials of resource and object access for a specific identity.
  • Auditing involves recording a log of events and activities related to the system and subjects.
  • Accounting is reviewing log files to check for compliance and violations to hold subjects accountable.

Authentication without AAA

  • Telnet transmits credentials in cleartext and, without AAA, applies no lockout, so an exposed Telnet service is vulnerable to brute-force password attacks.

Authentication Modes

  • Local AAA authentication involves the router authenticating users against a local database.
  • Server-Based AAA utilizes a remote AAA server for authentication.

Authorization

  • Once a user is authenticated, the router requests authorization from the AAA server for requested services.
  • The AAA server then returns a pass or fail.

Accounting

  • Accounting tracks network connections, EXEC sessions, system commands, and resource usage.
  • The AAA accounting process generates a start and stop message to record when the process began and ended, respectively.

Local AAA Authentication

  • AAA can be configured via the CLI to validate users against the router's local username database.
  • Local AAA can be verified and troubleshot from the CLI, for example with show aaa local user lockout, show aaa sessions and debug aaa authentication.

Authenticating Administrative Access

  • Add usernames and passwords to the local router database for users that need administrative access.
  • Enable AAA globally on the router and configure AAA parameters.
  • Confirm and troubleshoot the AAA configuration.

Authentication Methods

  • 'enable' uses the enable password; 'local' uses the local username database for authentication.
  • 'local-case' uses case-sensitive local username authentication, and 'none' indicates no authentication.
  • 'group radius' uses the list of all configured RADIUS servers.
  • 'group tacacs+' uses the list of all configured TACACS+ servers.
  • 'group group-name' uses a subset of RADIUS or TACACS+ servers defined with the aaa group server command.
  • Methods in a list are tried in order, and the next method is used only if the previous one returns an error (for example, the server is unreachable); a rejected login stops the list and is not retried against the next method.
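The three steps above (local users, aaa new-model plus parameters, verification), combined as one working local AAA configuration for SSH administrative access. This is an added example, not configuration from the original page; the hostname, domain name, username, password and lockout threshold are assumed values.

```cisco
! Added example: local AAA for administrative access over SSH.
! Hostname, domain, username, passphrase and thresholds are assumed.
hostname R1
ip domain-name example.net
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Step 1: local user database. "secret" stores a hash; "password" would
! store a reversible type 7 string that anyone with the config can recover.
username admin privilege 15 secret Adm1n-Str0ng-Passphrase
!
! Step 2: enable AAA globally. Without aaa new-model the aaa commands below
! are not accepted, and "login local" on the lines is replaced by
! "login authentication".
aaa new-model
!
! Lock a local account after 3 consecutive failures. The lock is not timed:
! an administrator must clear it (clear aaa local user lockout).
aaa local authentication attempts max-fail 3
!
! Default method list: case-sensitive local usernames only (no server).
aaa authentication login default local-case
!
! Rate-limit guessing on all lines as well: after 3 failures within 60 s,
! block further login attempts for 120 s (login enhancements, independent
! of AAA).
login block-for 120 attempts 3 within 60
!
line con 0
 login authentication default
line vty 0 4
 transport input ssh
 login authentication default
!
! Step 3: verify and troubleshoot.
!   show aaa local user lockout                   -> locked-out local users
!   clear aaa local user lockout username admin   -> unlock one account
!   show aaa sessions                             -> active AAA sessions
!   debug aaa authentication                      -> method-list decisions
```

Because the default list uses only local-case, a locked or missing local account leaves no other way in; keep a console session open while testing, and unlock with clear aaa local user lockout rather than removing the max-fail setting.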

Server-Based AAA

  • Server-based AAA centralizes user management, which is beneficial for scalability and consistency.
  • TACACS+ and RADIUS are compared as server-based AAA authentication protocols.

Local vs Server-Based AAA

  • Local authentication: the user establishes a connection and is authenticated against the router's local database.
  • Server-based authentication: the user establishes a connection, but the credentials are passed to a Cisco Secure ACS (or other TACACS+/RADIUS server) for authentication.

Introducing Cisco Secure Access Control System

  • TACACS+ or RADIUS protocols communicate between clients and AAA security servers.

TACACS+ vs. RADIUS Protocols

  • TACACS+ separates authentication, authorization and accounting, provides per-command authorization on the router, uses TCP (port 49), and encrypts the entire packet body.
  • RADIUS combines authentication and authorization, uses UDP, hides only the password attribute, and has extensive accounting capabilities.

TACACS+ Authentication process

  • The TACACS+ message flow exchanges the username and the password with the server in separate steps.
  • TACACS+ authentication therefore uses a bidirectional challenge and response.

RADIUS Authentication process

  • RADIUS authentication packages the username and password together in a single Access-Request; the server replies with Access-Accept or Access-Reject.
  • RADIUS authentication therefore uses a unidirectional challenge and response.

Integration With Active Directory

  • RADIUS communicates between clients and Microsoft Windows Server NPS (IAS) AAA server.

Server-Based AAA Authentication

  • Server-based AAA can be configured and troubleshot from the CLI on Cisco routers.

Steps for Configuring Server-Based AAA

  • Enable AAA, specify the IP address of the ACS server, configure the shared secret key, and then configure authentication to use either the RADIUS or the TACACS+ server.

Server-Based AAA Authorization

  • Authentication ensures a device or user is legitimate.
  • Authorization allows or disallows authenticated users access to certain areas and programs.
  • TACACS+ separates authentication from authorization.
  • RADIUS does not separate authentication from authorization.

Introduction to Server-Based AAA Accounting

  • The configuration involves using the CLI to define accounting parameters.
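The server-based steps (enable AAA, server address, shared key, method list), the authorization section and the accounting section above, combined into one working configuration with TACACS+ as the primary server, RADIUS as the fallback and the local database as the last resort. This is an added example, not configuration from the original page; the server names, addresses and shared keys are assumed.

```cisco
! Added example: server-based AAA, TACACS+ primary, RADIUS fallback, local
! last resort. Server names, addresses and keys are assumed values.
aaa new-model
!
! Step 2/3: server address and shared secret. Use a long random key; with
! service password-encryption it is stored as type 7 (reversible), so the
! running config itself must be protected.
tacacs server ACS1
 address ipv4 10.1.1.10
 key Long-Random-TACACS-Key-Here
!
radius server NPS1
 address ipv4 10.1.1.20 auth-port 1812 acct-port 1813
 key Long-Random-RADIUS-Key-Here
!
aaa group server tacacs+ ADMIN-TACACS
 server name ACS1
aaa group server radius ADMIN-RADIUS
 server name NPS1
!
! Step 4: method lists. RADIUS is consulted only if every TACACS+ server
! returns an error (unreachable); a reject from TACACS+ ends the list.
! "local" at the end is what keeps an administrator able to log in when
! both server groups are down; "enable" here instead would fall back to the
! enable password, not to the local user database.
aaa authentication login default group ADMIN-TACACS group ADMIN-RADIUS local
aaa authentication enable default group ADMIN-TACACS enable
!
! Authorization: EXEC shell and privilege-15 commands decided by TACACS+.
! Per-command authorization is a TACACS+ capability; RADIUS cannot do it.
aaa authorization exec default group ADMIN-TACACS local
aaa authorization commands 15 default group ADMIN-TACACS local
!
! Accounting: the record type (start-stop or stop-only) is mandatory.
! start-stop sends a start record when the session or command begins and a
! stop record when it ends.
aaa accounting exec default start-stop group ADMIN-TACACS
aaa accounting commands 15 default start-stop group ADMIN-TACACS
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting exec default
 accounting commands 15 default
!
! Verify:
!   show tacacs                    -> server state and request counters
!   show aaa sessions              -> active AAA sessions
!   debug aaa authentication       -> which method answered, and how
!   debug tacacs                   -> packet-level TACACS+ exchange
```

Test the fallback deliberately before relying on it: shut the path to 10.1.1.10 and confirm with debug aaa authentication that the login moves to ADMIN-RADIUS and finally to local, rather than stopping at an error.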
