Router AAA Configuration Quiz

Questions and Answers

What is the primary purpose of authentication?

Ensuring a device or end-user is legitimate (correct)

To allow or disallow users access to certain areas and programs on the network

Separating authentication from authorization

To configure routers to restrict user functions

How does TACACS+ differ from RADIUS in terms of authentication and authorization?

RADIUS separates authentication from authorization

RADIUS and TACACS+ have the same authentication and authorization process

TACACS+ uses combined authentication and authorization processes

TACACS+ does not separate authentication from authorization (correct)

What can a router be configured to do after successful authentication?

Control the functions a user can perform on the network (correct)

Prevent user access to the network

Allow all users unlimited access

Restrict users from authenticating again

Which protocol allows for the separation of authentication and authorization?

TACACS+

What does AAA stand for in the context of network security?

Authentication, Authorization, Accounting

What does the 'default' keyword do in the context of authentication methods?

Applies the authentication method to all lines unless specifically overridden

How is case sensitivity handled in authentication using the localcase keyword?

Both passwords and usernames are case-sensitive

What does the 'named list' refer to in authentication methods?

A character string used to name the list of custom authentication methods for users logging in

What happens if the first listed authentication method fails during a login attempt?

The next listed authentication method is attempted

In what scenario would an admin apply a special login for SSH while keeping the default login method for console?

To provide different authentication for different users

How can different method lists be applied to different interfaces and lines?

login authentication listname line configuration command

What command is used to remove a custom authentication method list from an interface and return to the default method list?

no aaa authentication login

How can additional security be implemented to secure AAA user accounts by locking out users with excessive failed attempts?

aaa local authentication attempts max-fail command

What happens when a user account is locked due to excessive failed authentication attempts?

The account stays locked until cleared by an administrator

What command is used to clear a locked-out user account by an administrator?

clear aaa local user lockout

How is the 'login delay' command different from locking a user account due to failed attempts?

'login delay' only introduces a delay between login attempts without locking the account

What unique action occurs when a user logs into a Cisco router using AAA authentication?

A unique session ID is assigned to the user's session

What command is used to enable AAA?

aaa new-model

Which command is used to globally enable 802.1X port-based authentication?

dot1x system-auth-control

What is the purpose of the 'dot1x pae' command?

Configure the interface as an authenticator

Which AAA method allows devices to validate users against a local database?

Local database authentication

Why is it important to separate authentication, authorization, and accounting in a network?

To enhance network security

What is the main advantage of TACACS+ over RADIUS?

Encrypts all exchanges

Which protocol is more commonly used by VoIP service providers for passing login credentials of a SIP endpoint?

RADIUS

What does the DIAMETER protocol use as a transport protocol?

SCTP

Which authentication protocol is planned as a replacement for RADIUS?

DIAMETER

Which server can be configured to handle authentication and authorization on Cisco devices?

Microsoft Active Directory only

Which protocol uses UDP port 1646 or 1813 for accounting purposes?

RADIUS

What kind of authentication does RADIUS combine into one process?

Authentication and Authorization

Which protocol provides separate AAA services, allowing implementation flexibility?

TACACS+

What is one feature of Cisco Secure ACS regarding device administration?

Flexible and detailed administration with full auditing and reporting capabilities

What server is Microsoft's implementation of a AAA server using RADIUS called?

NPS (Network Policy Server)

Study Notes

AAA (Authentication, Authorisation, and Accounting)

• AAA is used to secure a network, allowing all devices to refer to a central database and separating authentication, authorisation, and accounting.

Authentication

• Authentication ensures a device or end-user is legitimate.
• Authorisation allows or disallows authenticated users access to certain areas and programs on the network.
• Routers can be configured to restrict the user to performing only certain functions after successful authentication.

TACACS+ vs. RADIUS

• TACACS+ separates authentication from authorisation.
• RADIUS does not separate authentication from authorisation.
• TACACS+ is considered more secure because all exchanges are encrypted.
• RADIUS only encrypts user passwords, but does not encrypt user names, accounting information, or any other info carried in radius message.

Configuring Server-Based Authentication

• Four basic steps to configure server-based authentication:
• Identify the TACACS+ and RADIUS server(s) the AAA service should consult when authenticating and authorising users.
• Configure the router to use the TACACS+ or RADIUS server for authentication.
• Use the aaa commands to enable AAA and specify the authentication methods.
• Troubleshoot server-based AAA authentication.

Cisco Secure ACS

• The Cisco Secure Access Control System (ACS) is a centralised solution that ties together an enterprise’s network access policy and identity strategy.
• Supports TACACS+ and RADIUS protocols.
• Features include:
  • Distributed architecture for medium and large-scale deployments
  • Intuitive, lightweight web-based GUI
  • Administrator authentication through Microsoft Active Directory and LDAP
  • Automated reports sent through email
  • Integrated advanced monitoring, reporting, and troubleshooting capabilities using SNMP traps for Cisco Secure ACS health status
  • Encrypted (secure) syslogs
  • Flexible and detailed device administration in with full auditing and reporting capabilities

Integrating AAA with Active Directory

• Microsoft Active Directory (AD) is a directory service for Windows domain networks and part of most Windows Server OS’s.
• AD domain controller used to enforce security policies by authenticating and authorising users logging into the Windows domain.
• Can be used to handle authentication and authorisation on Cisco devices.

802.1X Port-Based Authentication

• A method list can be applied to different interfaces and lines using the aaa authentication login command.
• Named list must be explicitly enabled on the line using the login authentication command.
• To remove a custom authentication method list from an interface and return to the default method list, use the no authentication login command.

Description

Test your knowledge on configuring AAA (Authentication, Authorization, and Accounting) on a local router, including adding user credentials, enabling AAA globally, setting parameters, and troubleshooting configurations. Learn about the aaa authentication login command and the use of default keywords.