Questions and Answers
Which of the following is the FIRST step in the AAA process?
- Authorization
- Accounting
- Identification (correct)
- Authentication
What aspect of AAA involves defining the level of access a user has to network resources?
- Auditing
- Authentication
- Authorization (correct)
- Accounting
Which AAA element is responsible for tracking user activities and recording network events?
- Authorization
- Accounting
- Authentication
- Auditing (correct)
What function does the 'accounting' element of AAA provide?
Why is AAA critical for network security?
Which protocol is vulnerable to brute-force attacks when used without AAA?
Which of the following is a step in configuring local AAA on a router?
What is the function of the aaa new-model command?
What does the login authentication default command do in AAA configuration?
What is the purpose of the command aaa local authentication attempts max-fail?
What is a key benefit of using server-based AAA over local AAA?
Which of the following protocols separates authentication and authorization, providing greater modularity?
Which protocol uses UDP as its transport protocol?
Which server-based AAA protocol encrypts the entire packet, providing enhanced security?
Which step is NOT part of configuring server-based AAA authentication?
What command is used to specify the IP address of a TACACS+ server?
In the context of AAA, what is the key difference between authentication and authorization?
What is a primary function of 802.1x in the context of AAA?
Which of the following commands configures AAA to use TACACS+ first, RADIUS second, and local authentication as a last resort?
An engineer configures 'aaa accounting exec default start-stop group tacacs+' on a router. However, accounting records are not being sent to the TACACS+ server. Assuming the TACACS+ server is reachable and properly configured, what is the MOST likely cause? This is an insanely difficult question!
AAA is not critical to network security.
In AAA, identification involves proving you are who you say you are.
Authorization defines what a user can and cannot do on the network.
Accounting involves creating a system log of events and activities related to the system and the users.
The AAA process starts with accounting followed by authentication and authorization.
Brute-force attacks are not effective against Telnet because it is an encrypted protocol.
AAA must be enabled globally on a router before one can configure AAA parameters.
The aaa authentication login default local-case command will first attempt authentication against a remote AAA server before checking the local database.
The enable keyword under authentication methods uses the enable secret password for authentication.
The command aaa local authentication attempts fail-max will immediately block an account after the first failed login attempt.
Server-based AAA offers centralized management of user authentication.
With local AAA, user credentials and access policies are stored directly on the network device requesting authentication.
TACACS+ combines authentication and authorization into a single process.
RADIUS uses the TCP protocol for transport, ensuring reliable communication.
In TACACS+, only the password portion of the packet is encrypted for confidentiality.
RADIUS is better than TACACS+ because it provides router command authorization on a per-user basis, improving network security granularity.
When configuring a TACACS+ server, the single-connection option forces the router to establish a new TCP connection for each authentication attempt.
AAA accounting can track network connections, system events, and commands executed by users.
802.1x is only used for wired connections.
Insanely Difficult: The passwd-expiry option alongside aaa authentication login default group will cause login failures if both TACACS+ and RADIUS return incorrect attribute-value pairs (AVPs) related to password aging, even if standard authentication is successful.
Flashcards
- Authentication: Verifying the identity of a user or device.
- Authorization: Granting or denying specific access rights and permissions.
- Accounting: Tracking user activity for auditing and billing.
- Identification
- Auditing
- Local AAA Authentication
- Server-Based AAA
- Brute-Force Attacks
- TACACS+
- RADIUS
- AAA Accounting
- aaa new-model
- aaa authentication login
- Server-Based Authentication
- AAA Authorization
- enable
- local-case
- none
- group radius
- group tacacs+
- group group-name
Study Notes
Chapter 3: Authentication, Authorization, and Accounting
- This chapter covers AAA, local AAA authentication, server-based AAA, server-based AAA authentication, server-based authorization and accounting
Purpose of AAA
- AAA is critical to network security
- AAA includes Identification, Authentication, and Authorization
AAA Elements
- Identification claims an identity when attempting to access a secured area or system
- Authentication proves the presented identity
- Authorization defines the allowed and denied resource and object access for a specific identity
- Auditing records a log of events and activities related to the system and subjects
- Accounting reviews log files to check compliance and provides accountability
Authentication without AAA
- Telnet is more vulnerable to brute-force attacks than SSH configured with a local database
AAA Characteristics
- This section is all about AAA characteristics
Authentication Modes
- Local AAA authenticates against a local database on the router
- Server-based AAA uses a remote AAA server for authentication
AAA Authorization
- After a user has been authenticated, a session gets established with the AAA server
- The router requests authorization for the requested service from the AAA server
- The AAA server will return a PASS or FAIL for authorization
Accounting
- Once a user has been authenticated, the accounting process begins and generates a start message.
- When the user finishes, a stop message is recorded and the auditing process ends.
- Accounting information includes network, connection, EXEC, system, command, and resource usage
Local AAA Authentication
- You can configure AAA authentication, using the CLI, to validate users against a local database
- You can troubleshoot AAA authentication that validates users against a local database
Authenticating Administrative Access
- Add usernames and passwords to the local router database for users that need administrative access to the router
- Enable AAA globally on the router
- Configure AAA parameters on the router
- Confirm and troubleshoot the AAA configuration
Authentication Methods
Method Type | Keyword | Description
---|---|---
Enable | enable | Uses the enable password for authentication
Local | local | Uses the local username database for authentication
Local-case | local-case | Uses case-sensitive local username authentication
None | none | Uses no authentication
Group | group radius | Uses the list of all RADIUS servers for authentication
Group | group tacacs+ | Uses the list of all TACACS+ servers for authentication
Group | group group-name | Uses a subset of RADIUS or TACACS+ servers for authentication, as defined by the "aaa group server radius" or "aaa group server tacacs+" command
Local AAA Authentication Configuration
- "aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]" to configure max failed attempts
Local AAA Verification
- "show aaa local user lockout" to show locked out users and when they will be able to attempt login again
- "show aaa sessions" will show all active AAA sessions
Server-Based AAA
- Includes the benefits of using one
- Explains the TACACS+ and RADIUS authentication protocols
Local vs Server Based AAA:
- Local authentication means the user establishes a connection with the router, the router prompts the user, then authenticates them
- Server authentication means the user establishes a connection with the router, the router prompts the user, and then authentication happens via an outside server
Cisco Secure Access Control System
- TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers
Server-Based AAA Communication Protocols
- Includes information about the communication protocols
Feature | TACACS+ | RADIUS
---|---|---
Functionality | Separates AAA | Combines authentication and authorization but separates accounting
Standard | Mostly Cisco supported | Open/RFC standard
Transport Protocol | TCP | UDP
CHAP | Bidirectional | Unidirectional
Protocol Support | Multiprotocol support | No ARA, no NetBEUI
Confidentiality | Entire packet encrypted | Password encrypted
Customization | Per-user and per-group basis | No option for router commands
Accounting | Limited | Extensive
TACACS+ Authentication Process
- The client connects to the router.
- The Router prompts for a username.
- The client sends a username to the router who passes it to the AAA server
- The AAA Server prompts for a password.
- The router passes the password from the client to the AAA Server
- The AAA Server accepts or rejects the authentication.
RADIUS Authentication Process
- The client sends the username and password to the router.
- The router creates an "Access-Request" message using the username and password, then sends it to the AAA server.
- The AAA Server either accepts or rejects the authentication based on the credentials.
Integration of AAA with Active Directory
- RADIUS enables communication between clients and Microsoft Windows Server NPS (IAS) AAA servers, which authenticate access to the router
Server-Based AAA Authentication
- Can be configured using the CLI on Cisco routers
- Troubleshooting steps are available
CLI Configuration Steps:
- Enable AAA
- Specify the IP address of the ACS server
- Configure the secret key
- Configure authentication to use either the RADIUS or TACACS+ server
Configuring the CLI with TACACS+ Servers:
- Includes CLI outputs for configuring a TACACS+ server
Configuring the CLI for RADIUS Servers
- Includes CLI outputs for configuring a RADIUS server
Configure Authentication to Use the AAA Server
- Includes details of how to configure authentication to use the AAA server
Server-Based AAA Authorization and Accounting
- Configure authorization
- Configure accounting
- Explains the functions of 802.1x components
Introduction to Server-Based AAA Authorization
- Authentication ensures legitimacy of device or end-user
- Authorization controls access to network areas and programs for authenticated users
- TACACS+ separates authentication from authorization but RADIUS does not
AAA Authorization Configuration with CLI
- Includes command syntax and authorization method lists
AAA Accounting Configuration with CLI
- Includes command syntax, accounting method lists and an example