• Explain the function and operation of the authentication, authorization, and accounting (AAA) protocol.
• Configure a Cisco router to perform AAA authentication with a local database.
• Describe how to configure Cisco ACS to support AAA for Cisco IOS routers.
• Configure server-based AAA.
ponse status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS
login activity
• For successful TACACS+ login attempts, a status message of PASS results.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Debug RADIUS, TACACS
R1# debug radius ?
  accounting      RADIUS accounting packets only
  authentication  RADIUS authentication packets only
  brief           Only I/O transactions are recorded
  elog            RADIUS event logging
  failover        Packets sent upon fail-over
  local-server    Local RADIUS server
  retransmit      Retransmission of packets
  verbose         Include non essential RADIUS debugs

R1# debug radius
R1# debug tacacs ?
  accounting      TACACS+ protocol accounting
  authentication  TACACS+ protocol authentication
  authorization   TACACS+ protocol authorization
  events          TACACS+ protocol events
  packet          TACACS+ packets
Configuring Server-Based AAA Authorization
(Diagram: command authorization with a TACACS+ server)
  JR-ADMIN types: show version
  R1 -> ACS: Command authorization for user JR-ADMIN, command "show version"?
  ACS -> R1: Accept   (R1 displays the "show version" output)
  JR-ADMIN types: configure terminal
  R1 -> ACS: Command authorization for user JR-ADMIN, command "config terminal"?
  ACS -> R1: Reject   (R1 does not permit "configure terminal")
• The TACACS+ protocol separates authentication from authorization: once a user has authenticated, each EXEC session start or individual command can be authorized in its own request to the server.
• Authorization can therefore restrict an authenticated user to performing only certain functions.
• Authorization can be configured for:
  - character mode (EXEC authorization, including per-command authorization)
  - packet mode (network authorization)
• RADIUS does not separate authentication from authorization: the authorization attributes arrive in the same Access-Accept that completes authentication, so RADIUS cannot authorize individual router commands.
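The exchange in the diagram above, carried on the wire, as an added example that is not part of the lecture material. The router side builds the TACACS+ authorization REQUEST for a typed command (service=shell, cmd=, cmd-arg= pairs), the server side applies a command policy and answers PASS_ADD or FAIL, and both packets are obfuscated with the shared key using the MD5 pseudo-pad construction from the TACACS+ specification (RFC 8907). The policy for JR-ADMIN, the port "tty66", the source address 10.0.0.7, the session id and the key cisco123 are assumptions made for this example; the TACACS+ field layout and constants are from the specification.

```python
"""TACACS+ shell command authorization on the wire (RFC 8907 framing).

Added example, not lecture material: the router side builds an authorization
REQUEST for a typed command, the ACS side applies a constructed policy
(JR-ADMIN may only run "show ...") and replies PASS_ADD or FAIL; both
directions are obfuscated with the shared key.  Port "tty66", address
10.0.0.7, the session id and the policy are assumptions for this example.
"""
import hashlib
import struct

VERSION = 0xC0                 # major version 0xC, default minor version 0
TAC_PLUS_AUTHOR = 0x02         # packet type: authorization
PASS_ADD, FAIL = 0x01, 0x10    # authorization REPLY status values
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
HEADER_FMT, HEADER_LEN = "!BBBBII", 12

# Constructed stand-in for the command set the ACS holds for JR-ADMIN.
SHELL_COMMAND_POLICY = {"JR-ADMIN": {"show"}}

def pseudo_pad(session_id, key, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_{n-1}."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([VERSION, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pseudo-pad; applying it again restores the body."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def pack_packet(seq_no, session_id, body, key):
    """12-byte header (sent in clear) followed by the obfuscated body."""
    hdr = struct.pack(HEADER_FMT, VERSION, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)

def unpack_packet(packet, key):
    version, _type, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version != VERSION or length != len(packet) - HEADER_LEN:
        raise ValueError("malformed TACACS+ header")
    return obfuscate(packet[HEADER_LEN:], session_id, key, seq_no)

def build_author_request(user, port, rem_addr, priv_lvl, args):
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    a = [x.encode() for x in args]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    return fixed + bytes(len(x) for x in a) + u + p + r + b"".join(a)

def parse_author_request(body):
    _m, priv_lvl, _t, _s, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    arg_lens = list(body[8:8 + argc])
    off = 8 + argc
    if off + ulen + plen + rlen + sum(arg_lens) != len(body):
        raise ValueError("body length mismatch (wrong shared key or corrupt packet)")
    user = body[off:off + ulen].decode()
    off += ulen + plen + rlen              # skip port and rem_addr, not needed here
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"user": user, "priv_lvl": priv_lvl, "args": args}

def build_author_reply(status, server_msg=""):
    msg = server_msg.encode()
    return struct.pack("!BBHH", status, 0, len(msg), 0) + msg   # no args, no data

def parse_author_reply(body):
    status, argc, mlen, _dlen = struct.unpack("!BBHH", body[:6])
    return status, body[6 + argc:6 + argc + mlen].decode()

def acs_decide(req):
    """Server policy: service=shell and the cmd= value must be in the user's allow-list."""
    attrs = dict(a.split("=", 1) for a in req["args"] if "=" in a and not a.startswith("cmd-arg="))
    if attrs.get("service") != "shell":
        return FAIL, "unsupported service"
    if attrs.get("cmd") in SHELL_COMMAND_POLICY.get(req["user"], set()):
        return PASS_ADD, ""
    return FAIL, "Command authorization failed"

def authorize_command(user, command_line, key, session_id=0x1D2C3B4A):
    """One typed command, end to end; returns ('Accept' | 'Reject', server_msg)."""
    words = command_line.split()
    args = ["service=shell", "cmd=" + words[0]] + ["cmd-arg=" + w for w in words[1:]] + ["cmd-arg=<cr>"]
    req = build_author_request(user, "tty66", "10.0.0.7", 1, args)
    wire_req = pack_packet(1, session_id, req, key)                              # router -> ACS, seq_no 1
    status, msg = acs_decide(parse_author_request(unpack_packet(wire_req, key)))
    wire_rep = pack_packet(2, session_id, build_author_reply(status, msg), key)  # ACS -> router, seq_no 2
    status, msg = parse_author_reply(unpack_packet(wire_rep, key))
    return ("Accept" if status == PASS_ADD else "Reject"), msg

if __name__ == "__main__":
    for cmd in ("show version", "configure terminal"):
        print(f"JR-ADMIN {cmd!r}:", authorize_command("JR-ADMIN", cmd, b"cisco123"))
```

Two points worth noticing when reading the output: only the 12-byte header travels in the clear, so an observer on the path sees the packet type and sequence number but not the username or the command, which is the property the lecture contrasts with RADIUS (where only the password is hidden); and a shared-key mismatch does not produce an error message from the protocol, the body simply decodes to garbage, which is why the length check in parse_author_request is the first thing to fail when the router and server keys differ.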
Refer: 3.5.1.1
Configuring Server-Based AAA Authorization
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
• To configure command authorization, use:
aaa authorization service-type {default | list-name} method1 [method2] [method3] [method4]
• Service types of interest include:
– commands level   For EXEC (shell) commands at the given privilege level
– exec             For starting an EXEC (shell)
– network          For network services (PPP, SLIP, ARAP)
R1(config)# aaa authorization network default group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
• Note: as written, the exec and network authorization lists name a single method. If the TACACS+ server cannot be reached, authorization fails and administrators are locked out of the EXEC shell; in production, list a fallback method after group tacacs+ (for example local, or if-authenticated for users who have already passed authentication). Also, the vty users authenticate against the local database (TELNET-LOGIN) but are authorized by TACACS+, so they still need an account on the server.
Using SDM to Configure Authorization Character Mode
1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Exec
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
6. Click OK
7. Click OK to return to the Exec Authorization window
Using SDM to Configure Authorization Packet Mode
1. Choose Configure > Additional Tasks > AAA > Authorization Policies > Network
2. Click Add
3. Choose Default
4. Click Add
5. Choose group tacacs+ from the list
6. Click OK
7. Click OK to return to the Network Authorization window
Example: Configure Authorization
• Requirement:
  – Assign privilege level 5 to remote users who log in over Telnet
  – Those users can run the show, router, and interface commands with all of their sub-options
  – Do not authenticate console access
Example: Configure Authorization
• Router#show run | section aaa
aaa new-model
aaa authentication login AUTHEN group tacacs+ local
aaa authentication login NO-AUTHEN none
aaa authorization exec EXEC-AUTHO group tacacs+
aaa authorization commands 5 COM-AUTHO group tacacs+
• Router#show run | section tacacs-server
tacacs-server host 192.168.220.133 key cisco123
• Router#show run | section privilege
username student privilege 15 password 0 cisco
privilege configure all level 5 router
privilege configure all level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 configure
• Note: the password 0 form stores the password in cleartext in the running configuration, and cisco is a lab value. In production use username ... secret ..., as the earlier examples do, so that only a hash is stored.
Example: Configure Authorization
• Router#show run | begin line con 0
line con 0
logging synchronous
login authentication NO-AUTHEN
line aux 0
line vty 0 4
authorization commands 5 COM-AUTHO
authorization exec EXEC-AUTHO
login authentication AUTHEN
Configuring Server-Based AAA Accounting
• Provides the ability to track usage, such as dial-in access; the ability to
log the data gathered to a database; and the ability to produce reports
on the data gathered
• To configure AAA accounting using named method lists:
aaa accounting {system | network | exec | connection | commands
level} {default | list-name} {start-stop | wait-start | stop-only | none}
[method1 [method2]]
• Supports 6 different types of accounting: network, connection, exec,
system, commands level, and resource.
Configuring Server-Based AAA Accounting
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting network default start-stop group tacacs+
• aaa accounting exec default start-stop group tacacs+
Defines an AAA accounting policy that uses TACACS+ to log both start and stop records for user EXEC terminal sessions.
• aaa accounting network default start-stop group tacacs+
Defines an AAA accounting policy that uses TACACS+ to log both start and stop records for all network-related service requests.
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z
Example: Configure Accounting
• aaa accounting exec default start-stop group tacacs+
• aaa accounting commands 5 default start-stop group tacacs+
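What the records produced by the two accounting policies above look like once the server has collected them, and the check an operator runs over them, as an added example that is not part of the lecture. EXEC start-stop accounting yields a START and a STOP record per session keyed by task_id; level-5 command accounting is modelled as one STOP record per command carrying the cmd attribute. The attribute names (task_id, service, priv-lvl, cmd, start_time, stop_time, elapsed_time) are those defined by the TACACS+ accounting specification; the line layout, timestamps, addresses and user names in the sample are constructed for this example.

```python
"""Pairing TACACS+ accounting records (added example, not lecture material).

Models what the ACS collects from the configuration above: exec start-stop
gives one START and one STOP per EXEC session, and commands 5 is modelled as
one STOP record per level-5 command carrying the cmd attribute.  The
attribute names (task_id, service, priv-lvl, cmd, start_time, stop_time,
elapsed_time) come from the TACACS+ accounting specification; the line
layout, timestamps, addresses and users below are constructed sample data.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-05-02 14:01:17 192.168.220.1 JR-ADMIN tty66 START task_id=12 service=shell start_time=1714658477
2024-05-02 14:01:30 192.168.220.1 JR-ADMIN tty66 STOP task_id=13 service=shell priv-lvl=5 cmd=show running-config <cr>
2024-05-02 14:02:05 192.168.220.1 JR-ADMIN tty66 STOP task_id=14 service=shell priv-lvl=5 cmd=configure terminal <cr>
2024-05-02 14:05:40 192.168.220.1 JR-ADMIN tty66 STOP task_id=12 service=shell stop_time=1714658740 elapsed_time=263
2024-05-02 14:10:00 192.168.220.1 ADMIN tty67 START task_id=20 service=shell start_time=1714659000
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (START|STOP) (.*)$")


def parse_av_pairs(text):
    """'k=v k=v cmd=show run <cr>' -> dict; the cmd= value runs to end of line."""
    attrs = {}
    tokens = text.split()
    for i, tok in enumerate(tokens):
        if tok.startswith("cmd="):
            attrs["cmd"] = " ".join(tokens[i:])[len("cmd="):]
            break
        key, _, value = tok.partition("=")
        attrs[key] = value
    return attrs


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # not an accounting record
        ts, nas, user, port, kind, rest = m.groups()
        records.append({"ts": ts, "nas": nas, "user": user, "port": port,
                        "kind": kind, **parse_av_pairs(rest)})
    return records


def audit(text):
    """Pair EXEC START/STOP by (user, task_id), list level-5 commands, flag gaps."""
    starts = {}
    result = {"sessions": [], "open_sessions": [], "commands": defaultdict(list),
              "elapsed_mismatch": []}
    for r in parse_log(text):
        key = (r["user"], r.get("task_id"))
        if "cmd" in r:                     # command accounting record
            result["commands"][r["user"]].append((int(r.get("priv-lvl", 1)), r["cmd"]))
        elif r["kind"] == "START":
            starts[key] = r
        else:                              # EXEC session STOP
            start = starts.pop(key, None)
            elapsed = int(r.get("elapsed_time", 0))
            result["sessions"].append((r["user"], r.get("task_id"), elapsed))
            # The router reports elapsed_time itself; cross-check it against its own timestamps.
            if start and int(r["stop_time"]) - int(start["start_time"]) != elapsed:
                result["elapsed_mismatch"].append(key)
    # A START with no STOP is either a session still open or a STOP that never
    # arrived (device crash, lost connectivity to the server): worth a look either way.
    result["open_sessions"] = sorted(starts)
    result["commands"] = dict(result["commands"])
    return result


if __name__ == "__main__":
    for section, rows in audit(SAMPLE_LOG).items():
        print(section, rows)
```

The pairing key is (user, task_id) rather than the tty port, because a port is reused by the next login while task_id is unique to one session on the router; the same key also keeps the command records (their own task_id values) from being mistaken for session STOPs.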
Chapter Summary
• The Authentication, Authorization, and Accounting (AAA) protocol provides a scalable framework for enabling access security.
• AAA controls who is allowed to connect to the network, what they are
allowed to do, and keeps records of what was done.
• In small or simple networks, AAA authentication can be implemented
using a local database.
• Local AAA can be configured using CLI and SDM.
• In large or complex networks, AAA authentication can be
implemented using server-based AAA.
• AAA servers can use RADIUS or TACACS+ protocols to
communicate with client routers.
• The Cisco Access Control Server (ACS) can be used to
provide AAA server services.
• Server-based AAA authentication can be configured using
CLI or SDM.
• Server-based AAA authorization and accounting can be
configured using CLI or SDM.