AAA Implementation
Presenter: Ahmad Ali Al Taweel
Doctor: Kasem Ahmad
Outline
– Introduction of AAA
– Identification of each A
– Implementing Authentication
– TACACS+ and RADIUS AAA Protocols
– Authenticating Router Access
– Configuring AAA for Cisco Routers
– Troubleshooting AAA on Cisco Routers
– Configuring AAA with Cisco SDM
– Summary
INTRODUCTION OF AAA
– Sometimes referred to as “triple-A” or just AAA:
– A: Authentication
– A: Authorization
– A: Accounting
– Together these represent the big three in terms of IP-based network management & policy administration.
AUTHENTICATION
– Authentication is a process that ensures & confirms a user’s identity.
– Authentication begins when a user tries to access information.
– The user must prove his access rights & identity, typically with a username and password.
– This login combination, which must be assigned to each user, authenticates access.
AUTHORIZATION
– Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username & password.
– The amount of information & the amount of services the user has access to depend on the user’s authorization level.
ACCOUNTING
– Accounting is the process of keeping track of a user’s activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there & the amount of data transferred during the session.
– Accounting data is used for trend analysis, capacity planning, billing, auditing & cost allocation.
AAA MODEL—NETWORK SECURITY ARCHITECTURE
• Authentication
– Who are you?
– “I am user student and my password validateme proves it.”
• Authorization
– What can you do? What can you access?
– “User student can access host serverXYZ using Telnet.”
• Accounting
– What did you do? How long did you do it? How often did you do it?
– “User student accessed host serverXYZ using Telnet for 15 minutes.”
IMPLEMENTING AUTHENTICATION USING LOCAL SERVICES
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database.
[Figure: Remote Client connecting to the Perimeter Router; steps 1 to 3 are marked on the diagram.]
IMPLEMENTING AUTHENTICATION USING EXTERNAL SERVERS
1. The client establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
[Figure: Remote Client, Perimeter Router, Cisco Secure ACS for Windows Server and Cisco Secure ACS Solution Engine; steps 1 to 4 are marked on the diagram.]
TACACS+ AND RADIUS AAA PROTOCOLS
• Two different protocols are used to communicate between the AAA security servers and authenticating devices.
• Cisco Secure ACS supports both TACACS+ and RADIUS:
– TACACS+ remains more secure than RADIUS.
– RADIUS has a robust application programming interface and strong accounting.
[Figure: Cisco Secure ACS security server reached over TACACS+ or RADIUS by a firewall, a router and a network access server.]
[Figure: Microsoft Windows remote PC with a dial-up networking connection (username and password fields) reaching the NAS over PSTN or ISDN; the username and password are carried over TCP/IP PPP to the security server.]
 Point-to-Point Protocol (PPP) is a data link (layer
2) protocol used to establish a direct connection between
two nodes. It connects two routers directly without any host
or any other networking device in between. It can provide
connection authentication,transmission encryption (using E
CP, RFC 1968), and compression.
 Integrated Services Digital Network (ISDN) is a set of
communication standards for
simultaneous digital transmission of voice, video, data.
 Public Switched Telephone Network (PSTN) is the world's
collection of interconnected voice-oriented public telephone
networks.
AUTHENTICATING ROUTER ACCESS
[Figure: Telnet Host, LAN, Remote LAN, Console, Router, Remote Router and Internet; the diagram distinguishes network access from administrative access to the router.]
ROUTER LOCAL AUTHENTICATION CONFIGURATION PROCESS
Here are the general steps required to configure a Cisco router for local authentication:
• Step 1: Secure access to privileged EXEC mode.
• Step 2: Enable AAA globally on the perimeter router with the aaa new-model command.
• Step 3: Configure AAA authentication lists.
• Step 4: Configure AAA authorization for use after the user has passed authentication.
• Step 5: Configure the AAA accounting options for how you want to write accounting records.
• Step 6: Verify the configuration.
ENABLE AAA GLOBALLY USING THE AAA NEW-MODEL COMMAND
aaa new-model
router(config)# aaa new-model
• Establishes AAA section in configuration file

username username password password
router(config)# username Joe106 password 1MugOJava
• Sets username and password

aaa authentication login default local
router(config)# aaa authentication login default local
• Helps prevent administrative access lockout while configuring AAA
AAA AUTHENTICATION COMMANDS
• These aaa authentication commands are available in Cisco IOS Releases 12.2 and later.
• Each of these commands has its own syntax and options (methods).
router(config)#
aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt
AAA Authentication Login Command
aaa authentication login {default | list-name} method1 [method2...]
router(config)# aaa authentication login default enable
router(config)# aaa authentication login console-in local
router(config)# aaa authentication login tty-in line

AAA Authentication PPP Command
aaa authentication ppp {default | list-name} method1 [method2...]
router(config)# aaa authen ppp default local
router(config)# aaa authen ppp dial-in local none

AAA Authentication Enable Default Command
aaa authentication enable default method1 [method2...]
router(config)# aaa authentication enable default group tacacs+ enable none
Apply Authentication Commands to Lines and Interfaces
• Authentication commands can be applied to lines or interfaces.
router(config)# line console 0
router(config-line)# login authentication console-in
router(config)# int s3/0
router(config-if)# ppp authentication chap dial-in
Note: It is recommended that you always define a default list for AAA to provide “last resort” authentication on all lines and interfaces protected by AAA.
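How IOS walks the method lists shown above, as an added Python model that is not part of the slides: the next method is consulted only when the previous one returns ERROR (server unreachable, no enable password set), never when it returns FAIL (wrong credentials), which is why a list that ends in none grants access whenever every earlier method is unavailable. The RouterState class and the per-method outcomes are a simplified model of the documented rule, not IOS code.

```python
"""Model of how Cisco IOS walks an AAA authentication method list.
Added example (not from the slides).  Documented IOS rule: the next method is
tried only when the previous one returns ERROR, never when it returns FAIL.
The per-method outcomes below are a simplified model of that rule, not IOS."""
from __future__ import annotations
from dataclasses import dataclass, field

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

@dataclass
class RouterState:
    """Constructed router state: what each method can consult."""
    local_users: dict = field(default_factory=dict)   # username -> password
    enable_password: str | None = None                 # 'enable' method
    line_password: str | None = None                   # 'line' method
    tacacs_reachable: bool = True                      # 'group tacacs+' method
    tacacs_users: dict = field(default_factory=dict)   # accounts on the server

def run_method(method: str, user: str, password: str, st: RouterState) -> str:
    """Outcome of one method for one login attempt."""
    if method == "none":
        return PASS                               # no authentication at all
    if method == "local":
        if user not in st.local_users:
            return ERROR                          # unknown user: fall through
        return PASS if st.local_users[user] == password else FAIL
    if method == "enable":
        if st.enable_password is None:
            return ERROR                          # nothing to compare against
        return PASS if password == st.enable_password else FAIL
    if method == "line":
        if st.line_password is None:
            return ERROR
        return PASS if password == st.line_password else FAIL
    if method == "group tacacs+":
        if not st.tacacs_reachable:
            return ERROR                          # server down: fall through
        return PASS if st.tacacs_users.get(user) == password else FAIL
    raise ValueError(f"unknown method {method!r}")

def evaluate(method_list: list[str], user: str, password: str, st: RouterState):
    """Walk the list IOS-style; returns (final outcome, method that decided)."""
    for method in method_list:
        outcome = run_method(method, user, password, st)
        if outcome != ERROR:
            return outcome, method
    return ERROR, None        # every method errored: the login is rejected

if __name__ == "__main__":
    # The slide's 'aaa authentication enable default group tacacs+ enable none'
    # with the TACACS+ server unreachable and no enable password configured:
    weak = RouterState(tacacs_reachable=False)
    print(evaluate(["group tacacs+", "enable", "none"], "anyone", "x", weak))
    # -> ('PASS', 'none'): privileged EXEC is granted with no credential check
```

The same walk explains the slide's recommendation of a default list: a line with no named list and no default list has nothing to fall back on, while a list whose last method is none has a fallback that checks nothing.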
AAA AUTHORIZATION COMMAND
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]
router(config)# aaa authorization commands 1 alpha local
router(config)# aaa authorization commands 15 bravo local
router(config)# aaa authorization network charlie local none
router(config)# aaa authorization exec delta if-authenticated
router(config)# aaa authorization commands 15 default local
AAA ACCOUNTING COMMAND
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname
router(config)# aaa accounting commands 15 default stop-only group tacacs+
router(config)# aaa accounting auth-proxy default start-stop group tacacs+
TROUBLESHOOTING AAA USING DEBUG COMMANDS
router# debug aaa authentication
• Use this command to help troubleshoot AAA authentication problems
router# debug aaa accounting
• Use this command to help troubleshoot AAA accounting problems
router# debug aaa authorization
• Use this command to help troubleshoot AAA authorization problems
router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

router# debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
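As an added example that is not part of the slides, two small parsers that reduce the debug transcripts above to what an operator actually checks: which list and method handled the session, which user it resolved to, how it ended, and what the accounting stop record measured. The sample lines are a subset of the output shown above; the function names are my own.

```python
"""Parsers for 'debug aaa authentication' and 'debug aaa accounting' output.
Added example (not from the slides); sample lines are a subset of the
transcripts shown on the slide."""
import re

AUTH_DEBUG = """\
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
"""

ACCT_DEBUG = """\
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
"""

# Matches the AAA/AUTHEN, AAA/AUTHEN/START and AAA/AUTHEN/CONT records.
AUTHEN_RE = re.compile(r"AAA/AUTHEN(?:/\w+)? \((\d+)\): (.*)$")

def summarize_authen(text: str) -> dict:
    """Group authentication debug lines by session id and extract key facts."""
    sessions = {}
    for line in text.splitlines():
        m = AUTHEN_RE.search(line)
        if not m:
            continue                         # e.g. AAA/MEMORY lines
        sid, body = m.groups()
        s = sessions.setdefault(sid, {"id": sid, "statuses": []})
        if (p := re.search(r"port='([^']*)'", body)):
            s["port"] = p.group(1)
        if (lst := re.search(r'using "([^"]+)" list', body)):
            s["list"] = lst.group(1)
        if (mm := re.search(r"Method=(\w+)", body)):
            s["method"] = mm.group(1)
        if (u := re.search(r"user='([^']*)'", body)) and u.group(1) != "(undef)":
            s["user"] = u.group(1)          # set only once the user typed a name
        if (st := re.search(r"status = (\w+)", body)):
            s["statuses"].append(st.group(1))
    for s in sessions.values():
        s["result"] = s["statuses"][-1] if s["statuses"] else None
    return sessions

def parse_acct_stop(text: str) -> dict:
    """Return the key=value fields of the accounting stop record (ints parsed)."""
    stop = next(l for l in text.splitlines() if "acct stop:" in l)
    fields = dict(kv.split("=", 1) for kv in stop.split("acct stop:", 1)[1].split())
    return {k: int(v) if v.isdigit() else v for k, v in fields.items()}
```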
CONFIGURING AAA WITH CISCO SDM
[Figure: Cisco SDM screens for configuring AAA; steps 1 to 3 are marked on the screenshots.]
THANK YOU