Session 06

The document discusses AAA protocols including RADIUS, TACACS+, and Diameter. It covers their features and functions for authentication, authorization, and accounting. It also discusses implementing AAA on Cisco devices using RADIUS or TACACS+ servers.

Uploaded by bouzid.salim47

• AAA PROTOCOLS
• Provide authentication, authorization, and accounting.
• The most well-known AAA protocols are RADIUS, TACACS+, and Diameter.

• Remote Authentication Dial-In User Service (RADIUS).


• An AAA protocol mainly used to provide network access services.
• Supports several authentication mechanisms, such as PPP PAP, CHAP, and EAP.
• Allows protocol extension via the attribute (attribute-value pair) field.
• Operates over UDP: port 1812 for authentication and authorization, port 1813 for accounting.
• Earlier implementations used UDP 1645 for authentication and authorization and 1646 for accounting. Cisco IOS still defaults to 1645/1646 on the radius-server host command unless auth-port and acct-port are set, so check that both ends agree.

SCOR Page 1
• The authentication exchange consists of an ACCESS-REQUEST answered by ACCESS-ACCEPT, ACCESS-REJECT, or ACCESS-CHALLENGE; the accounting exchange consists of ACCOUNTING-REQUEST and ACCOUNTING-RESPONSE.
• The exchange is protected by a shared secret configured on both the access server (NAS) and the RADIUS server; the secret is mixed into the MD5 Response Authenticator that the NAS checks on every reply.
• Only the User-Password attribute in the ACCESS-REQUEST is obfuscated (XORed with an MD5 keystream derived from the shared secret and the Request Authenticator); the username and every other attribute are sent in plaintext, so RADIUS belongs on a trusted management path or inside a tunnel (IPsec, or RADIUS over TLS per RFC 6614).
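The following is an added example, not code from these notes or from any RADIUS implementation. It builds an ACCESS-REQUEST with the User-Password hiding of RFC 2865 section 5.2, lets the "server" recover the password and compute a Response Authenticator, and parses the packet without the secret to show what anyone on the path can read. The shared secret, username and password are constructed test values.

```python
"""RADIUS Access-Request / Access-Accept (RFC 2865): what the shared secret protects.

Only the User-Password attribute is hidden; every other attribute is plaintext.
The Response Authenticator lets the NAS check a reply; nothing here authenticates
the request itself (that is what the optional Message-Authenticator of RFC 2869 adds).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous cipher block); the first 'previous block' is the
    16-octet Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same transform. Trailing NULs are treated as padding."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1) | Length (1, includes this 2-octet header) | Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Code | Identifier | Length | Request Authenticator (16 random octets) | Attributes."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def build_response(code, request, secret, attrs=b"") -> bytes:
    """Server: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(response, request, secret) -> bool:
    """NAS: recompute the Response Authenticator; a reply forged without the
    secret, or altered in transit, fails here."""
    header, received, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> dict:
    """Walk the TLV list after the 20-octet header. No secret is needed: this is
    exactly what a passive observer on the path can read."""
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


if __name__ == "__main__":
    SECRET = b"testing123"  # constructed shared secret for the demo
    req = build_access_request(7, b"alice", b"s3cret-pw", SECRET, "10.0.0.1")
    seen = parse_attributes(req)
    print("on the wire: User-Name =", seen[ATTR_USER_NAME], "User-Password =", seen[ATTR_USER_PASSWORD].hex())
    print("server recovers:", reveal_password(seen[ATTR_USER_PASSWORD], SECRET, req[4:20]))
    reply = build_response(ACCESS_ACCEPT, req, SECRET)
    print("reply authentic:", verify_response(reply, req, SECRET))
```

Note that a wrong secret on either side does not produce an error in the request direction: the server just recovers a wrong password and rejects the user, which is why "Access-Reject for every user" is the usual symptom of a mismatched shared secret.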

• Terminal Access Controller Access Control System Plus (TACACS+)


• A protocol developed by Cisco; long proprietary, it is now documented in RFC 8907.
• Uses TCP port 49 as the transport protocol.

• The entire packet body (username, password, commands and their arguments) is obfuscated by XOR with an MD5-derived keystream from the shared key; only the 12-byte header, including the session ID, is plaintext. There is no integrity check, so a wrong or guessed key simply yields garbage rather than an error.
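The following is an added example, not code from these notes or from a Cisco product. It implements the body obfuscation of RFC 8907 section 4.5 for an authentication START packet: the pseudo-pad is the chained MD5 of session ID, key, version and sequence number, and the body is XORed with it. The shared key, username and password are constructed test values.

```python
"""TACACS+ packet body obfuscation (RFC 8907 section 4.5).

Builds an Authentication START packet, hides the whole body with the MD5
pseudo-pad derived from the shared key, and shows that only the 12-octet header
stays readable. TACACS+ carries no MAC: a wrong key is noticed only because the
decoded body no longer parses.
"""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
VERSION_ASCII = 0xC0                # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(same, MD5_n-1)."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Body XOR pseudo-pad. XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def authen_start_body(user, port, rem_addr, data, action=1, priv_lvl=1, authen_type=1, service=1):
    """action | priv_lvl | authen_type | authen_service | user_len | port_len | rem_addr_len | data_len | fields"""
    return (bytes([action, priv_lvl, authen_type, service, len(user), len(port), len(rem_addr), len(data)])
            + user + port + rem_addr + data)


def parse_authen_start(body: bytes) -> dict:
    """Decode a START body; raises when the length fields do not add up, which is
    all a receiver gets to see after decoding with the wrong key."""
    if len(body) < 8:
        raise ValueError("body too short")
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("length fields do not match body length")
    fields, pos = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[pos:pos + n]
        pos += n
    fields.update(action=action, priv_lvl=priv_lvl, authen_type=authen_type, service=service)
    return fields


def build_packet(body, session_id, key, version=VERSION_ASCII, ptype=TAC_PLUS_AUTHEN, seq_no=1, encrypt=True):
    """Header in the clear, body obfuscated unless the UNENCRYPTED flag is set."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    wire = obfuscate(body, session_id, key, version, seq_no) if encrypt else body
    return HEADER.pack(version, ptype, seq_no, flags, session_id, len(body)) + wire


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Receiver side: read the plaintext header, then decode the body with the key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    wire = packet[HEADER.size:HEADER.size + length]
    if len(wire) != length:
        raise ValueError("truncated packet")
    body = wire if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(wire, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    KEY = b"tac-key"  # constructed shared key for the demo
    body = authen_start_body(b"alice", b"tty0", b"10.0.0.5", b"s3cret-pw")
    pkt = build_packet(body, 0x12345678, KEY)
    print("wire:", pkt.hex())
    print("decoded with right key:", parse_authen_start(parse_packet(pkt, KEY)["body"]))
    try:
        parse_authen_start(parse_packet(pkt, b"wrong-key")["body"])
    except ValueError as exc:
        print("wrong key:", exc)
```

The session ID in the header is what keys the pad per session, so two START packets with the same body and key still differ on the wire; the sequence number keeps each packet of a session distinct.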

• Diameter (RFC 6733).
• Protects the exchange of messages by using TLS (over TCP) or DTLS (over SCTP).
• Uses TCP or SCTP as the transport protocol, so delivery and retransmission are handled by the transport rather than by the application, as they are with RADIUS over UDP.
• Enables dynamic peer discovery via DNS (NAPTR and SRV records).

Implementing AAA for device access in Cisco IOS


• Administrative access methods.
• Password only.
• Local database.
• AAA Local Authentication (self-contained AAA).
• AAA Server-based.
• AAA provides:
• Authentication.
• Who is permitted to access a network.
• Authorization.
• What they can do while they are there.

• Accounting.
• Records in details what they did.
• Methods of implementing AAA services.
• Local AAA Authentication.
- Uses a local database stored in the router for authentication.
• Server-Based AAA Authentication.
- Uses an external database server that leverages RADIUS or TACACS+ protocols.
- Preferred in large environments.
• Server-Based Authentication
• The user establishes a connection with the router.
• The router prompts the user for a username and password.
• The router passes the username and password to the Cisco Secure ACS.
• The ACS authenticates and authorizes the user based on its database.
• RADIUS (Remote Authentication Dial-In User Service).
• Open standard, RFCs 2865, 2866, 2867, and 2868.
• Combines authentication and authorization in one exchange (the ACCESS-ACCEPT carries the authorization attributes), but separates accounting.
• Supports the detailed accounting required for billing users, so it is preferred by ISPs.
• Encrypts (obfuscates) only the password.
• Does not encrypt the username or any other attribute in the message.
• Uses UDP port 1812 for authentication & authorization. (was 1645)
• Uses UDP port 1813 for accounting. (was 1646)
• Supports remote-access technologies, 802.1X, and SIP.

• TACACS+ (Terminal Access Controller Access Control System Plus).


• Cisco proprietary.
• Separates authentication and authorization, so each command can be authorized individually.
• Provides less detailed accounting than RADIUS.
• Encrypts the whole packet body, not only the password.
• Utilizes TCP port 49.
• Multiprotocol support, such as IP and AppleTalk.
• Incompatible with any previous version of TACACS.

• AAA clients must run Cisco IOS Release 11.2 or later.


• Login method types:
• Enable.
• Uses the enable password for authentication.
• Line.
• Uses the line password for authentication.
• Local.
• Uses the local username database for authentication.
• Local-case.
• Uses case-sensitive local username authentication.
• Group radius.
• Uses the list of all RADIUS servers for authentication.
• Group tacacs+.
• Uses the list of all TACACS+ servers for authentication.
• Group group-name.
• Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or
aaa group server tacacs+ command.
• None.
• No authentication is performed. Placed last in a list, it lets the login succeed when every preceding method returned an error (for example, all servers unreachable); a rejection by an earlier method still denies access. Use it only where being locked out of the console is the greater risk.
• AAA method lists.
• When AAA is enabled, the default list is automatically applied to all interfaces and lines. It has no methods until you define it with aaa authentication login default, and a named list takes precedence on the lines where it is assigned.
• If no default list (and no other list) is defined, only the local user database is checked, so define at least one local user before enabling AAA on a device you reach remotely, or you will lock yourself out.
• Authorization.
• What a user can and cannot do on the network after that user is authenticated.
• Implemented using a AAA server-based solution.
• When a user has been authenticated, a session is established with the AAA server.
• The router requests authorization for the requested service from the AAA server.
• The AAA server returns a PASS/FAIL for authorization.
• TACACS+ establishes a new TCP session for every authorization request unless the server is configured with the single-connection keyword.
• When AAA authorization is not enabled, all users are allowed full access.
• To enable AAA.
• R(config)# aaa new-model
• To Configure Authentication to Use the AAA Server.
• R(config)# aaa authentication login {default | list-name} method1 [method2 ...] (at most 4 methods)
• R(config)# aaa authentication login default group radius group tacacs+ local …..
• Methods are tried in order. The next method is consulted only when the previous one returns an error (server unreachable or no response); a rejection (wrong credentials) is final and does not fall through to the next method.
• To specify the number of unsuccessful login attempts (then the user will be locked out).
• R(config)# aaa local authentication attempts max-fail n
• The account stays locked until an administrator clears it; privilege-15 users are exempt from lockout, so an administrator can always get in.
• To display a list of all locked-out users.
• R# show aaa local user lockout
• To unlock a specific user or to unlock all locked users.
• R# clear aaa local user lockout {all | username name}
• To display the attributes that are collected for a AAA session.
• R# show aaa user {all | unique-id}
• To show the unique ID of a session.
• R# show aaa sessions
• For vty lines.
• R(config)# line vty 0 4
• R(config-line)# login authentication name|default
• R(config-line)# authorization exec name|default
• To debug aaa authentication.
• R# debug aaa {authentication | authorization}
• Look specifically for GETUSER and GETPASS status messages.
• To configure AAA with CCP.
• CCP, Configure, Router, AAA,…...
• To create a local user account.
• CCP > Router > Router Access > User Accounts/View > Add
• AAA Authorization (Router)
• To take the privilege level assigned to the user from the local user database:
• R(config)# aaa authorization exec default local
• To take the privilege level assigned to the user from the TACACS+ server:
• R(config)# aaa authorization exec default group tacacs+
• To enable command authorization on the console.
• R(config)# aaa authorization console
• AAA Accounting
• Each session established through the server can be fully accounted for and stored on the server.
• To configure AAA accounting.
• R(config)# aaa accounting exec {default | list-name} {start-stop | stop-only} method1 [method2 ...]
• R(config)#aaa accounting commands 1 default start-stop group tacacs+
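The following is an added example, not IOS code and not part of these notes. It is a small simulation of how a method list such as group tacacs+ local is walked, of the none keyword, of the max-fail lockout for local accounts, and of where aaa authorization exec takes the privilege level from. The server group, local database, usernames and passwords are constructed stand-ins; the rules they implement are the ones stated in the bullets above (fall through only on error, never on a rejection; privilege-15 users are never locked).

```python
"""Simulation of how Cisco IOS walks an AAA login method list.

Rules modelled (from the notes):
  * methods are tried in order; the next one is consulted only when the previous
    returns ERROR (server unreachable), never when it returns FAIL;
  * 'none' performs no authentication and always passes;
  * 'aaa local authentication attempts max-fail n' locks a local account after
    n failures unless it has privilege 15, until 'clear aaa local user lockout';
  * 'aaa authorization exec default m1 m2' takes the privilege level from the
    first source that answers.
The server group and local database are in-memory stand-ins, not IOS code.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple


class Result(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # credentials rejected: final, no fallback
    ERROR = "error"  # method unavailable: try the next method


Method = Callable[[str, str], Result]


@dataclass
class LocalDatabase:
    """Stand-in for 'username NAME privilege N secret PW' entries."""
    users: Dict[str, Tuple[str, int]]          # name -> (password, privilege)
    max_fail: Optional[int] = None             # aaa local authentication attempts max-fail n
    failures: Dict[str, int] = field(default_factory=dict)
    locked: Set[str] = field(default_factory=set)

    def authenticate(self, user: str, password: str) -> Result:
        if user not in self.users or user in self.locked:
            return Result.FAIL
        stored, priv = self.users[user]
        if stored == password:
            self.failures.pop(user, None)
            return Result.PASS
        if self.max_fail is not None and priv != 15:   # privilege-15 users are never locked
            self.failures[user] = self.failures.get(user, 0) + 1
            if self.failures[user] >= self.max_fail:
                self.locked.add(user)
        return Result.FAIL

    def clear_lockout(self, user: Optional[str] = None) -> None:
        """clear aaa local user lockout {all | username name}"""
        for name in list(self.locked if user is None else {user}):
            self.locked.discard(name)
            self.failures.pop(name, None)

    def privilege(self, user: str) -> Optional[int]:
        """Source for 'aaa authorization exec default local'."""
        return self.users[user][1] if user in self.users else None


@dataclass
class ServerGroup:
    """Stand-in for 'group radius' / 'group tacacs+'."""
    users: Dict[str, Tuple[str, int]]
    reachable: bool = True

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:
            return Result.ERROR          # timeout / no response is not a rejection
        entry = self.users.get(user)
        return Result.PASS if entry and entry[0] == password else Result.FAIL

    def privilege(self, user: str) -> Optional[int]:
        """Source for 'aaa authorization exec default group tacacs+'."""
        if not self.reachable or user not in self.users:
            return None
        return self.users[user][1]


def none_method(user: str, password: str) -> Result:
    """The 'none' keyword: no authentication at all."""
    return Result.PASS


def login(method_list, user: str, password: str) -> Result:
    """Walk the list: PASS or FAIL ends it; only ERROR moves to the next method."""
    if not 1 <= len(method_list) <= 4:
        raise ValueError("an IOS method list holds one to four methods")
    for method in method_list:
        result = method(user, password)
        if result is not Result.ERROR:
            return result
    return Result.ERROR                  # every method errored: login refused


def exec_privilege(sources, user: str) -> Optional[int]:
    """First source that answers wins; None means EXEC authorization is denied."""
    for source in sources:
        level = source(user)
        if level is not None:
            return level
    return None


if __name__ == "__main__":
    local = LocalDatabase({"admin": ("Adm1n", 15), "ops": ("Ops-pw", 7)}, max_fail=3)
    tacacs = ServerGroup({"ops": ("Server-pw", 15)})
    print("server rejects, local not tried:", login([tacacs.authenticate, local.authenticate], "ops", "Ops-pw"))
    tacacs.reachable = False
    print("server down, local used:", login([tacacs.authenticate, local.authenticate], "ops", "Ops-pw"))
    print("server down, none lets anyone in:", login([tacacs.authenticate, none_method], "anyone", ""))
```

The first print is the case that surprises people: with group tacacs+ local, a user whose server password is wrong is rejected even though the local database would accept them, because FAIL does not fall through.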
