Authentication, Authorization, and Accounting

Questions and Answers

Which of these is the correct order of AAA elements?

  • Authorization, Authentication, Accounting
  • Accounting, Authorization, Authentication
  • Authentication, Accounting, Authorization
  • Authentication, Authorization, Accounting (correct)

What is the primary function of the 'Authentication' component in AAA?

  • Reviewing log files for compliance
  • Verifying the user's identity (correct)
  • Defining allowed resource access
  • Logging user activities

How does the 'Accounting' component of AAA contribute to network security?

  • By preventing unauthorized access
  • By defining access privileges
  • By tracking resource usage (correct)
  • By encrypting sensitive data

What security risk is present when using Telnet without AAA?

Vulnerability to brute-force attacks (C)

In local AAA authentication, where is the user's credentials database stored?

Locally, on the network device (C)

What is the purpose of the command aaa new-model in a Cisco router configuration?

To enable AAA functionality (D)

When configuring local AAA authentication, which command is used to specify the authentication method list to be used?

aaa authentication login (C)

Which of the following AAA characteristics describes claiming an identity when attempting to access a secured area or system?

Identification (A)

What protocol is commonly used for server-based AAA?

TACACS+ (C)

Which of the following best describes server-based AAA?

Centralized authentication using protocols like RADIUS or TACACS+ (A)

A network administrator wants to implement a solution that separates authentication and authorization. Which AAA protocol should they choose?

TACACS+ (B)

Which protocol uses UDP as its transport protocol?

RADIUS (A)

Which AAA function involves defining the allows and denials of resource and object access for a specific identity?

Authorization (A)

Which command is used to display locked out users in local AAA?

show aaa local user lockout (A)

What type of information is NOT typically included in AAA accounting?

User's favorite color (C)

What is the main function of authentication in network security?

Verifying the identity of a user or device (C)

In AAA, what does 'authorization' primarily control?

What resources a user can access (C)

Assume you have configured server-based AAA using TACACS+ for device administration. Users report inability to authenticate. Which step would MOST quickly identify if the router is even reaching the TACACS+ server?

Use show tacacs servers to verify the configured server IP address and monitor the 'Flags' field for connectivity status. Focus on successful probes to the AAA server IP. (A)

An engineer configures local AAA on a router but forgets to enable AAA globally using aaa new-model. What is the likely outcome?

AAA configuration will be ignored; authentication will revert to local line passwords. (C)

A network security architect is designing an AAA infrastructure for a highly sensitive environment. They must ensure that even if a malicious insider gains access to network device configurations, they cannot easily decipher the AAA shared secret. Which approach provides BEST protection for the AAA shared secret to prevent its disclosure and misuse?

Utilize a hardware security module (HSM) to store and manage the AAA shared secret, preventing it from being stored in the device configuration at all. (B)

AAA is a framework for controlling network access and managing user activities.

True (A)

Identification in AAA involves proving you are who you claim to be.

False (B)

Authorization determines what a user can do on the network after successful authentication.

True (A)

Accounting in AAA only tracks login and logout times of users.

False (B)

Using AAA makes a network more vulnerable to brute-force attacks.

False (B)

When configuring local AAA, usernames and passwords are added to a remote database.

False (B)

The command aaa new-model enables AAA globally on a Cisco router.

True (A)

The none keyword for authentication means using the enable password for authentication.

False (B)

Local AAA authentication is more scalable than Server-Based AAA.

False (B)

TACACS+ encrypts the entire packet, providing better security compared to RADIUS which only encrypts the password.

True (A)

RADIUS uses TCP as its transport protocol.

False (B)

TACACS+ combines authentication and authorization into a single process.

False (B)

The command aaa authentication login default group tacacs+ group radius local-case configures the router to first try TACACS+, then RADIUS, and finally the local database for authentication.

True (A)

Authentication verifies the identity of a user, while authorization determines what the user is permitted to do.

True (A)

Accounting provides the ability to record what a user is doing while authenticated to the network.

True (A)

The aaa accounting exec default start-stop broadcast group tacacs+ command configures real-time accounting updates to be sent to the TACACS+ server.

True (A)

Implementing AAA with local user accounts negates the need for complex password policies.

False (B)

AAA architecture mandates that authorization must precede authentication for optimal security.

False (B)

In the context of AAA, TACACS+ relies on the reliable UDP transport protocol for all communications, ensuring minimal overhead.

False (B)

Assuming a network administrator configured aaa authentication login default group radius local enable, and the RADIUS server is unreachable, successful login requires an account in the enable password database, bypassing the local user database entirely.

True (A)

Flashcards

What is Authentication?

Verifying the identity of a user or device trying to access a network.

What is Authorization?

Determining what a user is allowed to do on the network after authentication.

What is Accounting?

Tracking network usage and activities for auditing and billing purposes.

What is Identification?

Claiming an identity when attempting to access a secured area or system.

What is Authentication?

Proving that you are that identity.

What is Authorization?

Defining the allows and denials of resource and object access for a specific identity.

What is Auditing?

Recording a log of the events and activities related to the system and subjects.

What is Accounting?

Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.

What is local AAA?

Uses the local username database for authentication.

How does local AAA work?

The client establishes a connection with the router, the AAA router prompts the user for a username and password, and the router authenticates the username and password using the local database.

What is server-based AAA?

Uses an external server to authenticate users, providing centralized management and scalability.

What is TACACS+?

A protocol for AAA that separates authentication, authorization, and accounting, using TCP.

What is RADIUS?

An AAA protocol that combines authentication and authorization, and uses UDP.

What does Authentication do?

Ensures a device or end-user is legitimate.

What does Authorization control?

Allows or disallows authenticated users access to certain areas and programs on the network.

Authentication vs Authorization

TACACS+ separates them; RADIUS does not.

Configuring AAA with CLI

Specify the server IP, configure the secret key, choose RADIUS or TACACS+.

RADIUS

Is used to communicate between clients and the Microsoft Windows Server NPS (IAS) AAA server.

Local AAA Authentication

A method of authentication that relies on usernames and passwords stored directly on the network device.

Server-Based AAA

Uses an external server to authenticate users, providing centralized management and scalability.

AAA

A security system that provides a centralized framework for controlling access to network resources.

Administrative access to router DB

Adding usernames and passwords to the local router database for users that need administrative access to the router.

Enable Authentication

Uses the enable password for authentication. It is the simplest form of authentication but is not secure.

AAA Max-Fail Attempts

The number of unsuccessful authentication attempts allowed before a connection is dropped or the user account is locked.

Local Authentication

A network configuration where the client establishes a connection with the router.

Authentication process

The router passes the username and password to the Cisco Secure ACS (server/engine) during server-based authentication.

Protocols Used

TACACS+ or RADIUS are communication protocols used between the clients and AAA security servers.

Choosing a Server

Configures authentication to use the RADIUS or TACACS+ server.

AAA Security

Ensures the users, sessions, and network services remain secure and operate as expected.

Local-case Authentication

Local username authentication that is case sensitive.

Study Notes

Chapter 3: Authentication, Authorization, and Accounting

  • AAA refers to Authentication, Authorization, and Accounting.
  • AAA is critical to network security.

AAA Elements

  • Identification is claiming an identity when attempting to access a secured area or system.
  • Authentication is about proving that you are that identity.
  • Authorization defines the allows and denials of resource and object access for a specific identity.
  • Auditing involves recording a log of the events and activities related to the system and subjects.
  • Accounting is about reviewing log files to check for compliance and violations to hold subjects accountable for their actions.

Authentication without AAA

  • Telnet is vulnerable to brute-force attacks without AAA.
  • Using SSH and a local database improves authentication over Telnet.

Authentication Modes

  • Local AAA Authentication: the router authenticates the username and password against its local database and grants network access based on the local database content.
  • Server-Based AAA Authentication: a remote AAA server authenticates the username and password, and network access is authorized based on the remote AAA server's information.

Authorization Defined

  • After user authentication, a session is established with the AAA server.
  • The router requests authorization for the requested service from the AAA server.
  • AAA server returns a PASS/FAIL for authorization.

Accounting information categories

  • Network
  • Connection
  • EXEC
  • System
  • Command
  • Resource

Local AAA Authentication Configuration

  • Add usernames and passwords to the local router database for users who need administrative access.
  • Activate AAA globally on the router.
  • Parameters for AAA must be configured on the router.
  • The AAA configuration can then be reviewed and fixed.

Authentication Methods

  • enable uses the enable password.
  • local accesses the local username database.
  • local-case uses case-sensitive local username authentication.
  • none indicates no authentication.
  • group radius accesses all RADIUS servers.
  • group tacacs+ accesses all TACACS+ servers.
  • group group-name accesses RADIUS or TACACS+ servers defined by the aaa group server radius/tacacs+ command.

Server-Based AAA Characteristics

  • Server-based AAA provides centralized administration.

Local AAA vs Server-Based AAA

  • Local authentication uses the router's own database of usernames and passwords to authenticate users.
  • Server-based AAA uses Cisco Secure ACS: the router authenticates the username and password using a remote AAA server.

AAA Communication Protocols

  • TACACS+ and RADIUS are the protocols used to communicate between clients and AAA security servers.
  • Cisco Secure Access Control System (ACS) is the AAA server used for this communication.

TACACS+ and RADIUS protocol Differences

  • TACACS+ separates AAA, providing modularity, and is mostly Cisco supported.
  • RADIUS combines authentication and authorization but separates accounting, and conforms to open/RFC standards.
  • TACACS+ uses TCP, RADIUS uses UDP.
  • TACACS+ encrypts the entire packet, RADIUS only encrypts the password.

TACACS+ Process

  • The client connection is initiated.
  • The router prompts for a username and the client sends the username to the router.
  • The username is sent to the ACS.
  • The ACS prompts the router for the password, the router passes the prompt to the client, and the password is then sent to the ACS.
  • ACS approves or rejects the authentication.

RADIUS process

  • The client prompts the user for credentials.
  • The credentials are packaged into an Access-Request message and sent to the RADIUS server.
  • The RADIUS server authenticates the credentials.
  • If successful, the RADIUS server transmits an Access-Accept message back to the client, potentially including configuration information for the user's session.

Server-Based AAA with CLI

  • Enable AAA.
  • Specify the IP address of the ACS server.
  • Configure the secret key.
  • Configure authentication to use either the RADIUS or TACACS+ server.

CLI Configuration with TACACS+ servers

  • Begin by enabling AAA with aaa new-model.
  • Define a TACACS+ server, including its IPv4 address.
  • Set up a single connection and configure a key, then exit config mode.

CLI configuring RADIUS server

  • Begin by enabling AAA with aaa new-model.
  • Set up a RADIUS server, specifying its IPv4 address and the authentication and accounting ports.
  • Configure a key for encryption, then exit config mode.

Authentication and Authorization

  • Authentication confirms the legitimacy of a user or device seeking network access.
  • Authorization dictates what authenticated users can access within the network.
  • TACACS+ and RADIUS handle authentication and authorization differently: TACACS+ separates these functions, while RADIUS combines them.

AAA Authorization CLI configurations

  • AAA authorization is configured via the command: aaa authorization {network | exec | commands level} {default | list-name} method1... [method4]

AAA Accounting Configuration with CLI

  • AAA accounting is configured via the command: aaa accounting {network | exec | connection} {default | list-name} {start-stop | stop-only | none} [broadcast] method1... [method4]
