Computer Security - CCNA Security - Lecture 2
CCNA Security
AAA
Chapter 1: Modern Network Security Threats
Chapter 2: Securing Network Devices
Chapter 3: Authentication, Authorization, and Accounting
Chapter 4: Implementing Firewall Technologies
Chapter 5: Implementing Intrusion Prevention
Chapter 6: Securing the Local-Area Network
Chapter 7: Cryptographic Systems
Chapter 8: Implementing Virtual Private Networks
Chapter 9: Implementing the Cisco Adaptive Security Appliance
Chapter 10: Advanced Cisco Adaptive Security Appliance
Chapter 11: Managing a Secure Network
Classical Security Methods

Password-Only Method
• Uses a login and password combination on access lines
• Easiest to implement, but least secure method
• Vulnerable to brute-force attacks
• Provides no accountability

R1(config)# line vty 0 4
R1(config-line)# password cisco
R1(config-line)# login

[Figure: remote user reaching R1 over the Internet]
User Access Verification
Password: cisco
Password: cisco1
Password: cisco12
% Bad passwords

Local Database Method
• Creates an individual user account/password on each device
• Provides accountability
• User accounts must be configured locally on each device
• Provides no fallback authentication method

R1(config)# username Admin secret Str0ng5rPa55w0rd
R1(config)# line vty 0 4
R1(config-line)# login local

[Figure: remote user reaching R1 over the Internet]
User Access Verification
Username: Admin
Password: cisco1
% Login invalid
Username: Admin
Password: cisco12
% Login invalid
AAA

Authentication, authorization, and accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary. These combined processes are considered important for effective network management and security.

The three components of AAA:
• Authentication: Who are you?
• Authorization: Which resources is the user allowed to access, and which operations is the user allowed to perform?
• Accounting: What did you spend it on?
Authentication

• Authentication is the process that determines whether a client (a person, a device, or a software process) is a legal or valid user of the system.

Cisco provides two common methods of implementing AAA services:
• Local AAA Authentication
• Server-Based AAA Authentication

Local AAA uses a local database for authentication. This method is sometimes known as self-contained authentication.

[Figure: local AAA authentication between a remote client and the AAA router]
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using the local database, and the user is authorized to access the network based on information in the local database.

The server-based method uses a server database for authentication. The router accesses a central AAA server, such as the Cisco Secure Access Control System (ACS).

[Figure: server-based AAA authentication between a remote client, the AAA router and a Cisco Secure ACS server]
1. The client establishes a connection with the router.
2. The AAA router prompts the user for a username and password.
3. The router authenticates the username and password using a remote AAA server.
4. The user is authorized to access the network based on information on the remote AAA server.
Authorization

• After the user is authenticated, authorization is the process that determines which resources the user can access and which operations the user is allowed to perform.

1. When a user has been authenticated, a session is established with an AAA server.
2. The router requests authorization for the requested service from the AAA server.
3. The AAA server returns a PASS/FAIL for authorization.
Accounting

• Accounting is the process of monitoring and recording a client's use of the network. Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used.

1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
2. When the user finishes, a stop message is recorded, ending the accounting process.
Local-Based AAA

Local AAA authentication should be configured for smaller networks. Smaller networks are those networks that have one or two routers that provide access to a limited number of users. This method uses the local usernames and passwords stored on a router.

Configuring local AAA services to authenticate administrator access requires a few basic steps:
1. Add usernames and passwords to the local router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA configuration

[Figure: R1 and R2; the configuration below is applied on R1]
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case

The aaa authentication login command in the figure allows the ADMIN and JR-ADMIN users to log into the router via the console or vty terminal lines.
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd

To enable AAA, the aaa new-model global configuration command must first be configured.
R1(config)# aaa new-model

The default keyword means that the authentication method applies to all lines, except those for which a specific line configuration overrides the default.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case

The authentication is case-sensitive, indicated by the local-case keyword. This means that both the password and the username are case sensitive.
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
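As an added example that is not part of the lecture, the following Python script audits an IOS-style running-config for the classical methods described above (a shared line password with bare login, and usernames stored with password instead of secret) and checks for the local AAA commands the slides recommend (aaa new-model together with an aaa authentication login default method list). Both configs are constructed for the example; the section parsing and the severity labels are this script's own conventions, not an IOS feature.

```python
import re

# Constructed sample running-config (not from the lecture): mixes the
# password-only and local-database methods shown on the slides.
SAMPLE_CONFIG = """\
!
username ADMIN secret 5 $1$abcd$CONSTRUCTEDHASHPLACEHOLDER
username JR-ADMIN password 0 Str0ngPa55w0rd
!
line con 0
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 login local
!
"""

# Constructed config following the lecture's local AAA steps.
HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local-case
username ADMIN secret 5 $1$abcd$CONSTRUCTEDHASHPLACEHOLDER
username JR-ADMIN secret 5 $1$efgh$CONSTRUCTEDHASHPLACEHOLDER
line con 0
line vty 0 4
"""


def parse_config(text):
    """Split an IOS-style config into global commands and 'line' sections.
    A section is the 'line ...' command plus the indented lines under it."""
    global_cmds, sections, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):            # child command of the current section
            if current is not None:
                sections[current].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = raw[5:].strip()
            sections[current] = []
        else:
            global_cmds.append(raw.strip())
    return global_cmds, sections


def audit(text):
    """Return a list of (severity, message) findings; an empty list means nothing flagged."""
    global_cmds, sections = parse_config(text)
    findings = []
    aaa_enabled = "aaa new-model" in global_cmds
    has_usernames = any(g.startswith("username ") for g in global_cmds)
    if not aaa_enabled:
        findings.append(("MEDIUM", "aaa new-model not configured: no AAA method lists or fallback"))
    elif not any(g.startswith("aaa authentication login default ") for g in global_cmds):
        findings.append(("MEDIUM", "aaa new-model set but no 'aaa authentication login default' list"))
    for g in global_cmds:
        m = re.match(r"username (\S+) password ", g)
        if m:   # 'password' keeps a type 0/7 (recoverable) string; the slides use 'secret'
            findings.append(("HIGH", f"user {m.group(1)}: stored with 'password', use 'secret'"))
    for name, cmds in sections.items():
        has_line_pw = any(c.startswith("password ") for c in cmds)
        if "login" in cmds and has_line_pw:
            findings.append(("HIGH", f"line {name}: password-only login (shared password, no accountability)"))
        elif "login" in cmds:
            findings.append(("HIGH", f"line {name}: 'login' set but no line password"))
        elif "login local" in cmds and not has_usernames:
            findings.append(("HIGH", f"line {name}: 'login local' but no local usernames defined"))
        elif not any(c.startswith("login") for c in cmds) and not aaa_enabled and name.startswith("vty"):
            findings.append(("HIGH", f"line {name}: no login method on a vty line and AAA not enabled"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

On the sample config the script reports four findings (AAA not enabled, JR-ADMIN stored with password, the console line with a bare login, and the password-only vty 0 4 line), while the hardened config produces none. The check for a vty line with no login method only fires when aaa new-model is absent, because once AAA is enabled the default method list applies to every line that has no override, as the slides explain.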
Server-Based AAA

Most corporate environments have multiple Cisco routers, switches, and other infrastructure devices, multiple router administrators, and hundreds or thousands of users needing access to the corporate LAN. Local implementations of AAA are acceptable in very small networks. However, local authentication does not scale well.

[Figure: server-based AAA, with routers R1, R2 and R3 authenticating against a Cisco Secure ACS server]

[Figure: remote user, perimeter router and Cisco Secure ACS for Windows server]
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.

The Cisco Secure Access Control System (ACS) is a centralized solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS supports both the TACACS+ and RADIUS protocols.

TACACS+ and RADIUS are both authentication protocols that are used to communicate with AAA servers. While both protocols can be used to communicate between a router and AAA servers, TACACS+ is considered the more secure protocol.
Protocol            TACACS+                                     RADIUS
------------------  ------------------------------------------  ------------------------------------------
Functionality       Separates AAA according to the AAA          Combines authentication and authorization
                    architecture, allowing modularity of the    but separates accounting, allowing less
                    security server implementation              flexibility in implementation than TACACS+.
Standard            Mostly Cisco supported                      Open/RFC standard
Transport Protocol  TCP                                         UDP
Protocol Support    Multiprotocol support                       No multiprotocol support
Confidentiality     Entire packet encrypted                     Password encrypted
Customization       Provides authorization of router commands   Has no option to authorize router commands
                    on a per-user or per-group basis.           on a per-user or per-group basis.
RADIUS, developed by Livingston Enterprises, is an open IETF standard AAA protocol for applications such as network access or IP mobility. RADIUS is widely used by VoIP service providers.

• Works in both local and roaming situations
• Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting

[Figure: RADIUS exchange between the user, the router and the RADIUS server]
Router -> user:   Username?
User -> router:   JR-ADMIN
Router -> user:   Password?
User -> router:   Str0ngPa55w0rd
Router -> server: Access-Request (JR-ADMIN, "Str0ngPa55w0rd")
Server -> router: Access-Accept
TACACS+ is a Cisco enhancement to the original TACACS protocol. TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.

• Provides separate AAA services
• Utilizes TCP port 49

[Figure: TACACS+ exchange between the user, the router and the TACACS+ server]
Router -> server: Connect
Router -> server: Username prompt?
Server -> router: Use "Username"
Router -> user:   Username?
User -> router:   JR-ADMIN
Router -> server: JR-ADMIN
Router -> server: Password prompt?
Server -> router: Use "Password"
Router -> user:   Password?
User -> router:   "Str0ngPa55w0rd"
Router -> server: "Str0ngPa55w0rd"
Server -> router: Accept/Reject
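The TACACS+ exchange above begins with the router opening a TCP connection to port 49 and sending an authentication START packet. As an added example that is not part of the lecture, the following Python script builds and parses such a packet by hand following RFC 8907 (standard library only, no real server), to make the "entire packet encrypted" row of the comparison table concrete: the 12-byte header is readable without the key, the whole body is XORed with an MD5-derived pad keyed by the shared secret, and a router/server key mismatch shows up as a body that no longer parses. The key TACACS-Pa55w0rd, the session id, the port and the remote address are constructed values for the example.

```python
import hashlib
import struct

VERSION = 0xC0             # major version 0xc, minor version 0
TYPE_AUTHEN = 0x01         # authentication packet
UNENCRYPTED_FLAG = 0x01    # body sent in the clear when set (debugging only)
# Fixed fields of an authentication START for a plain ASCII login (assumed values)
AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01, 0x01


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and
    truncate to the body length. The session id and seq_no travel in the clear
    header, so the key is the only secret input."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id: int, key: bytes, user: str,
                       port: str = "tty0", rem_addr: str = "192.0.2.10") -> bytes:
    """Router side: seq_no 1 authentication START. With an ASCII login the
    password is not in START; the server asks for it in a later packet."""
    data = b""
    body = struct.pack("!8B", AUTHEN_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), len(data))
    body += user.encode() + port.encode() + rem_addr.encode() + data
    seq_no, flags = 1, 0x00
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side. Header fields need no key; the body only yields consistent
    field lengths when the key matches, otherwise ValueError is raised."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("not a complete authentication packet")
    body = packet[12:]
    if not flags & UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != length:
        raise ValueError("body lengths inconsistent: wrong shared key?")
    off, fields = 8, {}
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    return {"session_id": session_id, "seq_no": seq_no, "priv_lvl": priv,
            "user": fields["user"].decode(), "port": fields["port"].decode(),
            "rem_addr": fields["rem_addr"].decode()}


def key_matches(packet: bytes, key: bytes) -> bool:
    """True when the body decodes consistently under this key."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pkt = build_authen_start(0x1A2B3C4D, b"TACACS-Pa55w0rd", "JR-ADMIN")
    print(pkt[:12].hex(), "<- clear header; body:", pkt[12:].hex())
    print(parse_authen_start(pkt, b"TACACS-Pa55w0rd"))
```

Compared with RADIUS, the username never appears in clear text on the wire here, but the obfuscation is keyed only by the shared secret and values that are visible in the header, which is why the key itself and the TCP path to port 49 still need protecting.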
• Step 1. Globally enable AAA to allow the use of all AAA elements.
• Step 2. Specify the AAA server (e.g. Cisco Secure ACS) that will provide AAA services for the router.
• Step 3. Configure the encryption key needed to encrypt the data transfer between the network access server and the AAA server.
• Step 4. Configure the AAA authentication method list to refer to the TACACS+ or RADIUS server.

To enable AAA, the aaa new-model global configuration command must first be configured.
R1(config)# aaa new-model

To configure a RADIUS server, use the radius server name command. This puts you into RADIUS server configuration mode.
R1(config)# radius server Server-R

The RADIUS protocol has reserved port 1812 for RADIUS authentication and port 1813 for RADIUS accounting.
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813

• To configure the shared secret key used to encrypt the password, use the key command. This key must be configured exactly the same way on the router and the RADIUS server.
R1(config-radius-server)# key RADIUS-Pa55w0rd

R1(config)# aaa new-model
R1(config)# radius server Server-R
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RADIUS-Pa55w0rd
R1(config-radius-server)# exit
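The Access-Request/Access-Accept exchange from the RADIUS figure and the shared key configured with the key command above, as an added example that is not part of the lecture: a Python script that builds and checks the packets by hand following RFC 2865 (standard library only, no real server or router). It shows what the key actually protects: only the User-Password attribute is hidden, User-Name and the rest of the packet travel in clear text over UDP, and a reply is only trusted when its Response Authenticator verifies under the router's key. The user database, the second key used for the mismatch case and the request identifier are constructed for the example; the key value RADIUS-Pa55w0rd and the JR-ADMIN credentials are the ones on the slides.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute = Type(1) Length(1) Value; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(b ^ m for b, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse of hide_password (the chain runs over ciphertext blocks)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(b ^ m for b, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: str, password: str, secret: bytes,
                         request_auth: bytes) -> bytes:
    """Router side: Code(1) Identifier(1) Length(2) Request Authenticator(16) attributes.
    request_auth must be 16 fresh random bytes for every request."""
    attrs = _attr(ATTR_USER_NAME, user.encode())
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Walk the Type/Length/Value list, rejecting lengths that run past the packet."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def server_respond(request: bytes, secret: bytes, users: dict) -> bytes:
    """ACS side: check the credentials and answer with Access-Accept or Access-Reject;
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = parse_attrs(request[20:length])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = recover_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    ok = user in users and hmac.compare_digest(users[user].encode(), password)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Router side: recompute the Response Authenticator under our own key.
    A reply that fails this check is discarded, which is how a key mismatch surfaces."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def run_exchange(user: str, password: str, router_key: bytes, server_key: bytes,
                 users: dict) -> tuple:
    """One request/response; returns (response code, reply verified under router key)."""
    request_auth = os.urandom(16)
    request = build_access_request(7, user, password, router_key, request_auth)
    response = server_respond(request, server_key, users)
    return response[0], verify_response(response, request_auth, router_key)


# Constructed user database; the key value is the one on the slides
USERS = {"JR-ADMIN": "Str0ngPa55w0rd"}
KEY = b"RADIUS-Pa55w0rd"

if __name__ == "__main__":
    print(run_exchange("JR-ADMIN", "Str0ngPa55w0rd", KEY, KEY, USERS))        # (2, True)
    print(run_exchange("JR-ADMIN", "wrong", KEY, KEY, USERS))                 # (3, True)
    print(run_exchange("JR-ADMIN", "Str0ngPa55w0rd", KEY, b"other", USERS))  # (3, False)
```

The three runs in the block correspond to a correct login (Access-Accept, verified), a wrong password (a genuine Access-Reject the router can trust) and a router/server key mismatch: the server cannot recover the password and rejects, and the reject itself fails verification, so the router drops it rather than reporting a clean authentication failure. That last case is the one to look for when a freshly configured RADIUS server appears to be "not responding" after the key command was typed differently on the two sides.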
How to configure server-based AAA authentication using TACACS+?

• Use MS Word
• Send me mail to mloey@live.com with the email subject "AAA"
• Put your name in Arabic, with your department and section, in the Word file and in the email body
• Finally, press Send
• Deadline: next lecture
facebook.com/mloey
mohamedloey@gmail.com
twitter.com/mloey
linkedin.com/in/mloey
mloey@fci.bu.edu.eg
mloey.github.io