Questions and Answers
Which of the following is the correct order of AAA elements?
- Authentication, Auditing, Authorization
- Identification, Authentication, Authorization (correct)
- Accounting, Authorization, Authentication
- Authorization, Authentication, Identification
Which element of the AAA framework involves verifying a user's claimed identity?
- Authorization
- Accounting
- Authentication (correct)
- Identification
In the context of network security, what is the primary purpose of 'authorization' within the AAA framework?
- Tracking resource consumption.
- Logging user actions for compliance.
- Verifying user identity.
- Granting or denying access to specific resources. (correct)
Which AAA component is responsible for tracking network usage and generating reports for capacity planning?
What is a significant vulnerability when using Telnet for network device access without AAA?
Which of the following is a key security advantage of using SSH over Telnet for remote access?
When configuring local AAA authentication on a Cisco router, which command enables AAA globally?
When configuring local AAA, what does the aaa authentication login default local-case command accomplish?
What command is used to specify the maximum number of failed login attempts before a user account is locked locally?
When configuring AAA, what is the purpose of defining a 'named method list'?
In server-based AAA, which protocol encapsulates the entire packet for enhanced security?
A network administrator needs to implement server-based AAA. Which step is essential in this process?
What is a key difference between TACACS+ and RADIUS regarding their functionality?
A network engineer is configuring a Cisco router to use an external RADIUS server for AAA. Which of the following commands is required to specify the IP address of the RADIUS server?
In the context of AAA accounting, what type of information cannot be tracked?
Which protocol commonly integrates AAA with Microsoft's Active Directory?
Which of the following is a valid parameter used when configuring AAA authorization with the CLI?
Which AAA component verifies the actions a user is allowed to perform?
A network admin configures local AAA on a router with the command aaa authentication login default local-case enable. What happens if the local database is unavailable?
Insanely Difficult: A complex network uses a combination of TACACS+ and RADIUS for different services. All administrative access relies on TACACS+ and all user network access uses RADIUS. A recent network security audit reveals a vulnerability where users are inadvertently gaining administrative privileges after initial network access. After gaining layer two access to the network, a specific DHCP exploit allows them to query the TACACS+ server directly. No ACLs are present on the workstations and network switches. Given this rare scenario, what single mitigation step would be MOST effective in immediately preventing further privilege escalation without disrupting network services or completely re-architecting the AAA infrastructure? Assume all AAA servers are hardened and secured and fully up to date in terms of software versions.
AAA is critical to network security because it only focuses on accounting.
Identification in AAA involves proving you are who you say you are.
Authorization defines the allowed and denied resource access for a specific identity.
Auditing is the process of reviewing log files to enforce accountability for actions.
Accounting in AAA is responsible for recording a log of network events and activities.
Telnet, by itself, is inherently secure against brute-force attacks without AAA.
When configuring local AAA, usernames and passwords must be added to a centralized database.
The aaa new-model command is optional when configuring AAA on a Cisco router.
The enable keyword in AAA authentication uses the enable password for authentication.
The aaa authentication login default local-case command enables case-sensitive local username authentication.
The none keyword in AAA authentication means that password authentication is required.
Server-based AAA offers the benefit of centralized management compared to local AAA.
TACACS+ combines authentication, authorization, and accounting into a single process.
RADIUS uses TCP as its transport protocol.
RADIUS encrypts the entire packet for confidentiality, including the username and password.
TACACS+ offers more extensive accounting capabilities compared to RADIUS.
A router will always prioritize local AAA authentication over server-based AAA if both are configured.
Accounting, in the context of AAA, is primarily concerned with preventing unauthorized access attempts to the network.
In AAA, authorization always precedes authentication to verify user permissions before login.
If local AAA authentication fails on a router and no fallback method is configured, access to the router's privileged EXEC mode is automatically granted to anyone.
Flashcards
What is Authentication?
Verifying the identity of a user or device.
What is Authorization?
Determining what a user or device is allowed to do.
What is Accounting?
Tracking user or device activity and resource consumption.
What is Identification?
What is the purpose of Authentication?
What is the purpose of Authorization?
What is the role of Accounting?
What is Auditing?
What is Local AAA Authentication?
What does the 'default' command do?
What authentication does 'enable' use?
What are the steps for configuring server-based AAA with CLI?
What does TACACS+ separate?
What transport protocol does TACACS+ use?
What does RADIUS combine?
What transport protocol does RADIUS use?
What does Authentication ensure?
What does Authorization control?
What authentication does 'local-case' use?
What authentication does 'none' use?
What authentication does 'group radius' use?
What authentication does 'group tacacs+' use?
What does 'aaa local authentication attempts max-fail' define?
What is a 'list-name'?
What does RADIUS not separate?
Describe local AAA authentication.
Describe server-based AAA authentication.
Study Notes
Chapter 3: Authentication, Authorization, and Accounting
- AAA is covered in CCNA Security v2.0
Chapter Outline
- Introduction to AAA
- Purpose of the AAA
- Local AAA Authentication
- Server-Based AAA
- Server-Based AAA Authentication
- Server-Based Authorization and Accounting
- Summary
Purpose of the AAA
- Learning objectives include explaining why AAA is critical to network security and describing its characteristics
AAA Overview
- AAA involves Identification, Authentication, Authorization, Auditing, and Accounting
AAA Elements:
- Identification: claiming an identity when attempting to access a secured area or system.
- Authentication: proving you are that identity.
- Authorization: defining resource and object access allowances/denials for a specific identity.
- Auditing: recording a log of system events and activities related to the system and subjects.
- Accounting: reviewing log files to check compliance and hold subjects accountable for actions
AAA Components
- Authentication: Verifying the identity (Who are you?)
- Authorization: Determining allowed actions (How much can you spend?)
- Accounting: Tracking resource usage. (What did you spend it on?)
Authentication Without AAA
- Telnet is vulnerable to brute-force attacks due to its lack of security features
- Authentication is possible using SSH and a local database method
AAA Characteristics
- AAA has different authentication modes, including a local AAA and server-based AAA
Local AAA Authentication
- Client establishes connection with the router, which then prompts the user for credentials.
- Router authenticates credentials using a local database.
- User accesses the network based on information in the local database.
Server-Based AAA Authentication
- Authentication flows to a server
- Client connects to the router and is prompted to enter login information
- Router authenticates credentials using a remote AAA server.
- User is authorized to access the network based on information on the remote AAA server.
Authorization
- Session occurs with the AAA server once user is authenticated
- Router requests authorization for service from the authentication service
- Result of the authorization request is PASS or FAIL
Accounting
- Accounting information types include Network, Connection, EXEC, System, Command, and Resource
AAA process
- Start message generated once a user authenticates for the accounting process
- Stop message recorded at the end of the process.
Local AAA Authentication
- Objectives include configuring using the CLI to validate users against a local database, and troubleshooting
Configuring Local AAA Authentication with CLI
- Administrative access is authenticated by adding usernames and passwords to the local router database
- AAA can be enabled on the router
- AAA parameters can be configured
- AAA configuration can be confirmed and troubleshot
Authenticating Administrative Access Steps
- Add usernames and passwords to the local router database for users needing administrative access
- Enable AAA globally
- Configure AAA parameters
- Confirm and troubleshoot the AAA config
Authentication Methods
- Enable: Uses the enable password for authentication
- Local: Uses the local username database for authentication.
- Local-case: Uses case-sensitive local username authentication.
- None: Uses no authentication
Group radius and Group tacacs+
- Group radius uses the list of all RADIUS servers for authentication
- Group tacacs+ uses the list of all TACACS+ servers for authentication
Group name
- Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
AAA authentication login
- Configured using the CLI: aaa authentication login {default | list-name} method1... [method4]
Command Description
- Default: Uses the listed authentication methods as the default when a user logs in.
- List-name: Names the list of authentication methods activated when a user logs in.
- Method: Specifies authentication methods that the AAA authentication lists will query in sequence up to four methods
Default and Named Methods
- Local AAA authentication can be configured via the CLI in global configuration mode:
  aaa new-model
  username <name> algorithm-type scrypt secret <password>
  aaa authentication login default local-case enable
- The last command switches the default login authentication to the case-sensitive local database, with the enable password as the next method
Fine-Tuning the Authentication Configuration
- Configuring the maximum login failure attempts
aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]
CLI Command for Authentication
- Displays locked out users: show aaa local user lockout
- Displays the unique ID of each session: show aaa sessions
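The local AAA steps above put together on one router, as an added example (not from the course slides); hostname, usernames and secrets are constructed placeholders:

```cisco
! Added example: local AAA on a Cisco IOS router. Hostname, names and
! secrets are constructed placeholders; replace them before use.
R1(config)# aaa new-model
! Step 1: local user database with a scrypt-hashed secret
R1(config)# username ADMIN algorithm-type scrypt secret Str0ngP@ss-CHANGE-ME
R1(config)# enable algorithm-type scrypt secret En4bleS3cret-CHANGE-ME
! Steps 2 and 3: default login list = case-sensitive local database, then
! the enable secret. A later method is tried only when the previous one
! returns an ERROR (e.g. no local users exist), not when it REJECTS the
! credentials, so a wrong password does not fall through to 'enable'.
R1(config)# aaa authentication login default local-case enable
! Named list (the list-name form) applied only to the console line;
! every other line keeps using the default list
R1(config)# aaa authentication login CONSOLE-LOGIN local-case
R1(config)# line console 0
R1(config-line)# login authentication CONSOLE-LOGIN
R1(config-line)# exit
! Brute-force control: lock a local account after 3 consecutive failures
R1(config)# aaa local authentication attempts max-fail 3
! Remote access over SSH only (Telnet carries credentials in cleartext)
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# end
! Step 4: confirm and troubleshoot
R1# show aaa local user lockout
R1# show aaa sessions
R1# clear aaa local user lockout username ADMIN
R1# debug aaa authentication
```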
Server-Based AAA
- Objectives include benefits of server-based AAA, and comparing TACACS+ and RADIUS authentication protocols
Server-Based AAA Characteristics
- Comparing local and server-based AAA implementations
Local Authentication
- User establishes a connection with the router.
- Router prompts for username and password, authenticating using local database.
Server-Based Authentication
- User establishes a connection with the router.
- Router prompts for username and password
- Router authenticates using the remote AAA server
- Router passes the username and password to the Cisco Secure ACS.
- The Cisco Secure ACS authenticates the user.
Introducing Cisco Secure Access Control System
- TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
Server-Based AAA Communication Protocols
- Introducing TACACS+ and RADIUS
TACACS+ and RADIUS
- Protocols for implementing server-based AAA
TACACS+
- Separates AAA architecture, allowing modularity of security server implementation
- Mostly Cisco supported
- TCP transport protocol
- Bidirectional Challenge Handshake Authentication Protocol (CHAP)
- Multiprotocol support
- Entire packet encrypted
- Router command authorization per user or group
- Limited accounting
RADIUS
- Combines authentication and authorization, but separates accounting with less flexibility than TACACS+
- Open/RFC Standard
- UDP transport protocol
- Unidirectional challenge and response
- No ARA, no NetBEUI
- Password encrypted
- No option to authorize router commands on a per-user or per-group basis
- Extensive accounting
TACACS+ Authentication Process
- Client connects to R2
- The username prompt is sent to the client; the client's username is passed to R2 and on to the ACS
- The ACS checks the username and sends back the password prompt; the password follows the same path
- The ACS returns accept or reject
RADIUS Authentication Process
- Client sends username and password to R2
- R2 bundles the credentials into a single request to the ACS
- ACS returns Access-Accept if the credentials check out
Integration of TACACS+ and ACS
- TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers with Cisco Secure ACS
Integration of AAA with Active Directory
- RADIUS is used to communicate between users as clients and Windows Server NPS (IAS) AAA server
- Microsoft NPS is used to authenticate access to the router
Server-Based AAA Authentication
- Configuring and troubleshooting
Steps for Configuring Server-Based AAA Authentication with CLI
- Objectives involve configuring server-based AAA authentication, using the CLI, on Cisco routers, and troubleshooting
Steps:
- Enable AAA
- Specify the IP address of the ACS server
- Configure secret key
- Configure authentication to use either the RADIUS or TACACS+ server
Configuring the CLI with TACACS+ Servers
- Use these in global configuration
aaa new-model
- Then enter TACACS server configuration with
tacacs server <name>
- Specify the IPv4 address and the secret key
Configuring the CLI for RADIUS Servers
- Similar steps as for TACACS+, but for RADIUS servers
Configure Authentication to Use the AAA Server
- Commands for Authentication
aaa authentication login default group ?
- The group keyword is followed by a word such as ldap, radius, or tacacs+
AAA new-model
- Enables the AAA framework
- Use the tacacs server host command to define the TACACS+ servers
- The aaa authentication login method-list command configures a set of authentication methods
Server-Based AAA Authorization and Accounting
- Server-based AAA authorization and accounting
Introduction to Server-Based AAA Authorization
- Authentication confirms identity - making sure the end user or device is legitimate
- Authorization provides or restricts access to certain areas and or programs of a given network
TACACS+ vs. RADIUS:
- TACACS+ grants separate authentication from authorization
- RADIUS integrates authentication with authorization
AAA Authorization Configuration with CLI
- There are different types of authorization to implement with TACACS+:
  aaa authorization exec - applies authorization to the user's EXEC session
  aaa authorization commands level - applies authorization to commands at the specified privilege level
AAA Accounting Configuration with CLI
- Syntax:
  aaa accounting {network | exec | connection} {default | list-name} {start-stop | stop-only | none} [broadcast] method1... [method4]
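The server-based steps, authorization types and accounting syntax above combined into one configuration, as an added example (not from the course slides); server names, addresses and shared keys are constructed placeholders:

```cisco
! Added example: server-based AAA on a Cisco IOS router (IOS 15.x syntax).
! TACACS+ for administrative access, RADIUS for network accounting.
! Server names, addresses and keys are constructed placeholders.
R1(config)# aaa new-model
! Steps 2 and 3: define the ACS server, its IPv4 address and shared key
R1(config)# tacacs server ACS-1
R1(config-server-tacacs)# address ipv4 192.0.2.10
R1(config-server-tacacs)# key Tacacs-Sh4red-CHANGE-ME
R1(config-server-tacacs)# exit
! Same for a RADIUS server (e.g. Windows NPS, as in the notes above)
R1(config)# radius server NPS-1
R1(config-radius-server)# address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
R1(config-radius-server)# key Radius-Sh4red-CHANGE-ME
R1(config-radius-server)# exit
! Group name: a subset of servers that method lists can reference
R1(config)# aaa group server tacacs+ ADMIN-TACACS
R1(config-sg-tacacs+)# server name ACS-1
R1(config-sg-tacacs+)# exit
! Step 4: authenticate via TACACS+; the local database is used only when
! the servers are unreachable (an explicit reject does not fall through)
R1(config)# aaa authentication login default group ADMIN-TACACS local-case
! Authorization: EXEC session and privilege-15 commands per user/group.
! if-authenticated lets an already-authenticated admin keep working if
! the TACACS+ servers go down after login.
R1(config)# aaa authorization exec default group ADMIN-TACACS local
R1(config)# aaa authorization commands 15 default group ADMIN-TACACS if-authenticated
! Accounting: start-stop records for EXEC sessions, level-15 commands
! and network services (the latter sent to all RADIUS servers)
R1(config)# aaa accounting exec default start-stop group ADMIN-TACACS
R1(config)# aaa accounting commands 15 default start-stop group ADMIN-TACACS
R1(config)# aaa accounting network default start-stop group radius
R1(config)# end
! Verify server reachability and watch the AAA exchange
R1# test aaa group ADMIN-TACACS ADMIN Str0ngP@ss-CHANGE-ME legacy
R1# debug tacacs
R1# debug aaa authorization
```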
Summary
- Explain how AAA is used to secure a network
- Implement AAA authentication that validates users against a local database
- Implement server-based AAA authentication using TACACS+ and RADIUS protocols
- Configure server-based AAA authorization and accounting