32 Questions
What is the primary purpose of authentication?
Ensuring a device or end-user is legitimate
How does TACACS+ differ from RADIUS in terms of authentication and authorization?
TACACS+ does not separate authentication from authorization
What can a router be configured to do after successful authentication?
Control the functions a user can perform on the network
Which protocol allows for the separation of authentication and authorization?
TACACS+
What does AAA stand for in the context of network security?
Authentication, Authorization, Accounting
What does the 'default' keyword do in the context of authentication methods?
Applies the authentication method to all lines unless specifically overridden
How is case sensitivity handled in authentication using the localcase keyword?
Both passwords and usernames are case-sensitive
What does the 'named list' refer to in authentication methods?
A character string used to name the list of custom authentication methods for users logging in
What happens if the first listed authentication method fails during a login attempt?
The next listed authentication method is attempted
In what scenario would an admin apply a special login for SSH while keeping the default login method for console?
To provide different authentication for different users
How can different method lists be applied to different interfaces and lines?
login authentication listname (line configuration command)
What command is used to remove a custom authentication method list from an interface and return to the default method list?
no aaa authentication login
How can additional security be implemented to secure AAA user accounts by locking out users with excessive failed attempts?
aaa local authentication attempts max-fail command
What happens when a user account is locked due to excessive failed authentication attempts?
The account stays locked until cleared by an administrator
What command is used to clear a locked-out user account by an administrator?
clear aaa local user lockout
How is the 'login delay' command different from locking a user account due to failed attempts?
'login delay' only introduces a delay between login attempts without locking the account
What unique action occurs when a user logs into a Cisco router using AAA authentication?
A unique session ID is assigned to the user's session
What command is used to enable AAA?
aaa new-model
Which command is used to globally enable 802.1X port-based authentication?
dot1x system-auth-control
What is the purpose of the 'dot1x pae' command?
Configure the interface as an authenticator
Which AAA method allows devices to validate users against a local database?
Local database authentication
Why is it important to separate authentication, authorization, and accounting in a network?
To enhance network security
What is the main advantage of TACACS+ over RADIUS?
Encrypts all exchanges
Which protocol is more commonly used by VoIP service providers for passing login credentials of a SIP endpoint?
RADIUS
What does the DIAMETER protocol use as a transport protocol?
SCTP
Which authentication protocol is planned as a replacement for RADIUS?
DIAMETER
Which server can be configured to handle authentication and authorization on Cisco devices?
Microsoft Active Directory only
Which protocol uses UDP port 1646 or 1813 for accounting purposes?
RADIUS
What kind of authentication does RADIUS combine into one process?
Authentication and Authorization
Which protocol provides separate AAA services, allowing implementation flexibility?
TACACS+
What is one feature of Cisco Secure ACS regarding device administration?
Flexible and detailed administration with full auditing and reporting capabilities
What server is Microsoft's implementation of a AAA server using RADIUS called?
NPS (Network Policy Server)
Study Notes
AAA (Authentication, Authorisation, and Accounting)
- AAA is used to secure a network, allowing all devices to refer to a central database and separating authentication, authorisation, and accounting.
Authentication
- Authentication ensures a device or end-user is legitimate.
- Authorisation allows or disallows authenticated users access to certain areas and programs on the network.
- Routers can be configured to restrict the user to performing only certain functions after successful authentication.
TACACS+ vs. RADIUS
- TACACS+ separates authentication from authorisation.
- RADIUS does not separate authentication from authorisation.
- TACACS+ is considered more secure because all exchanges are encrypted.
- RADIUS only encrypts user passwords; it does not encrypt user names, accounting information, or any other information carried in RADIUS messages.
Configuring Server-Based Authentication
- Four basic steps to configure server-based authentication:
- Identify the TACACS+ and RADIUS server(s) the AAA service should consult when authenticating and authorising users.
- Configure the router to use the TACACS+ or RADIUS server for authentication.
- Use the aaa commands to enable AAA and specify the authentication methods.
- Troubleshoot server-based AAA authentication.
Cisco Secure ACS
- The Cisco Secure Access Control System (ACS) is a centralised solution that ties together an enterprise’s network access policy and identity strategy.
- Supports TACACS+ and RADIUS protocols.
- Features include:
- Distributed architecture for medium and large-scale deployments
- Intuitive, lightweight web-based GUI
- Administrator authentication through Microsoft Active Directory and LDAP
- Automated reports sent through email
- Integrated advanced monitoring, reporting, and troubleshooting capabilities using SNMP traps for Cisco Secure ACS health status
- Encrypted (secure) syslogs
- Flexible and detailed device administration with full auditing and reporting capabilities
Integrating AAA with Active Directory
- Microsoft Active Directory (AD) is a directory service for Windows domain networks and part of most Windows Server OS’s.
- An AD domain controller is used to enforce security policies by authenticating and authorising users logging into the Windows domain.
- Can be used to handle authentication and authorisation on Cisco devices.
802.1X Port-Based Authentication
- A method list can be applied to different interfaces and lines using the aaa authentication login command.
- A named list must be explicitly enabled on the line using the login authentication command.
- To remove a custom authentication method list from an interface and return to the default method list, use the no authentication login command.
Test your knowledge on configuring AAA (Authentication, Authorization, and Accounting) on a local router, including adding user credentials, enabling AAA globally, setting parameters, and troubleshooting configurations. Learn about the aaa authentication login command and the use of default keywords.