CCNA Security 1.

1
Instructional Resource
Chapter 3 – Authentication, Authorization and Accounting

© 2012 Cisco and/or its affiliates. All rights reserved. 1

• Explain the function and operation of the authentication,
authorization, and accounting (AAA) protocol.
• Configure a Cisco router to perform AAA authentication with a
local database.
• Describe how to configure Cisco ACS to support AAA for Cisco
IOS routers.
• Configure server-based AAA.

© 2012 Cisco and/or its affiliates. All rights reserved. 2

3.0 Implementing AAA on Cisco Devices
3.1 Implement AAA (authentication, authorization, accounting)
3.1.1 AAA using CCP on routers
3.1.2 AAA using CLI on routers and switches
3.1.3 AAA on ASA
3.2 Describe TACACS+
3.3 Describe RADIUS
3.4 Describe AAA
3.4.1 Authentication
3.4.2 Authorization
3.4.3 Accounting
3.5 Verify AAA functionality

© 2012 Cisco and/or its affiliates. All rights reserved. 3

• AAA is a critical task that involves securing network devices to limit who
can access them and how they can access them, as well as to account
for the actions taken while accessing them.
• Local AAA authentication is configured on a device-by-device basis and
has some advantages over basic authentication against the local
database (local authentication). Centralized or server-based AAA is a
scalable enterprise solution for AAA.
• The Cisco solution for server-based AAA is Cisco Secure Access Control
Server (CSACS).
• Server-based AAA can be implemented with RADIUS (standards-based
protocol) or TACACS+ (Cisco-proprietary protocol). Each option has a
number of defining qualities that differentiate one from the other.
• AAA can be configured using the CLI or CCP.

• AAA technology is required for the implementation of several other

features, such as Cisco Easy VPN for remote-access.
© 2012 Cisco and/or its affiliates. All rights reserved. 4
• Chapter 3 Lab: Securing Administrative Access Using AAA and
RADIUS
Part 1: Basic Network Device Configuration
Part 2: Configure Local Authentication
Part 3: Configure Local Authentication Using AAA
Part 4: Configure Centralized Authentication Using AAA and RADIUS

© 2012 Cisco and/or its affiliates. All rights reserved. 5

 AAA Authentication, authorization, and accounting

Authentication Means of verifying approved person or device

Authorization Delineation of resources available upon authentication

Logging or documentation of actions taken by individual during

Accounting
authenticated session
AAA access mode specified for accessing an EXEC mode
Character mode
process with the networking device for administrative purposes
AAA access mode for accessing network resources through
Packet mode
the networking device
AAA solution whereby a user is authenticated against the local
username database – local AAA authentication is distinguished
Local AAA authentication
from local authentication in that it can be applied to all lines at
once
Server-based AAA
AAA authentication relying on a RADIUS or TACACS+ server
authentication

© 2012 Cisco and/or its affiliates. All rights reserved. 6

 Method of authentication, such as the enable password, the
Authentication method local username database, or an authentication server; the
default method applies to all lines

Method list List of authentication, authorization, or accounting methods

Cisco Secure Access Control Server; Cisco-proprietary

CSACS software used on a network server to provide an enterprise
AAA solution, supporting both TACACS+ and RADIUS
Terminal Access Control Access Control Server Plus; Cisco-
proprietary TCP-based protocol used in conjunction with a
TACACS+ TACACS+ server for AAA support; uses TCP port 49;
separates authentication and authorization; supports limited
accounting
Remote Authentication Dial-in User Service; standards-based
UDP-based protocol used in conjunction with a RADIUS
server for AAA support; UDP ports 1645 or 1812 for
RADIUS
authentication; UDP ports 1646 or 1813 for accounting;
combines authentication and authorization into one process;
supports extensive accounting
AAA protocol; planned replacement for RADIUS; utilizes
Diameter
Stream Control Transmission Protocol (SCTP)

© 2012 Cisco and/or its affiliates. All rights reserved. 7

 Challenge-Handshake Authentication Protocol; more secure
CHAP than PAP; requires both peers to know the secret; uses MD5
to avoid having to send the plaintext secret over the network
Password Authentication Protocol; validates users to allow
PAP access to network resources; plaintext password is sent over
the network
Lightweight Director Access Protocol; application protocol for
LDAP
maintaining distributed directory information over IP
Cisco architecture designed to enforce security policies across
SecureX a distributed network, using Cisco Security Intelligence
Operation (SIO)
Security Intelligence Operations; Cisco early warning
SIO intelligence, threat and vulnerability analysis system, with
mitigation solutions to protect networks
Cisco solution to enable organizations to secure networks and
services through identity-based access control; provides data
TrustSec integrity, confidentiality services, policy-based governance,
and centralized monitoring, troubleshooting, and reporting
services

© 2012 Cisco and/or its affiliates. All rights reserved. 8

 IEEE standard for port-based network access control; provides
802.1X authentication mechanism for devices attaching to a LAN or
WLAN
Feature designed to restrict access to network based on
NAC identity or security posture; can be configured for switches,
routers, access points, or DHCP servers
1U rack-mountable, security-hardened appliance with pre-
CSACS Solution Engine installed CSACS license used in organizations with more than
350 users

CSACS Express 1U rack-mountable unit intended for 350 or less users

RSA Rivest-Shamir-Adleman; algorithm for public-key cryptography

Two-factor authentication based on password or PIN and an

RSA SecurID
authenticator
Lightweight Extensible Authentication Protocol; Cisco-
LEAP proprietary wireless authentication protocol; relies on RADIUS
server
Open Database Connectivity; standard C programming
ODBC
interface for database management

© 2012 Cisco and/or its affiliates. All rights reserved. 9

• Cisco Configuration Professional (CCP) has replaced SDM to do
the following:
To configure AAA local authentication
To configure centralized authentication with AAA and RADIUS

© 2012 Cisco and/or its affiliates. All rights reserved. 10

• The chapter 3 lab introduces the major options for AAA
configuration. Students use CLI and CCP tools to implement
authentication both locally and centrally. Debug options for AAA
are explored.
• This lab is divided into four parts. The local authentication part,
the local authentication with AAA part, and the centralized
authentication with RADIUS can be administered individually or in
combination with the other parts as time permits. The main goal is
to configure various types of user access authentication. R1 and
R3 are on separate networks and communicate through R2,
which simulates a connection to an ISP. Students can work in
teams of two for router authentication configuration, one student
configuring R1 and the other student configuring R3.
• Although switches are shown in the topology, students can omit
the switches and use crossover cables between the PCs and
routers R1 and R3.

© 2012 Cisco and/or its affiliates. All rights reserved. 11

• When introducing AAA, point out that there are a wide variety of
methods of authentication people and devices. Security protocols
and security technologies are changing rapidly. The focus is on
local authentication, local authentication with AAA, and
centralized authentication with CSACS and RADIUS servers. A
large organization requires a centralized mechanism for AAA.
• Use the Who, How, What mnemonic to explain AAA.

• Time permitting, discuss authentication options in general:

biometrics, single sign-on, one-time password, PKI and digital
certificates, security tokens, and smart cards. Many of these
options are discussed at various points in the course.

© 2012 Cisco and/or its affiliates. All rights reserved. 12

• Emphasize that local AAA authentication has some advantages
over local authentication.
Ask the students “What can be done with local AAA authentication that cannot
be done with local authentication?”
Explain that local AAA authentication gives one the ability to configure all or
multiple lines at one time.

• Make sure to clarify the difference between character mode and

packet mode. Character mode is used with tty, vty, auxiliary, and
console access, while packet mode is used with dial-up and VPN
access.
Character mode uses the login, exec, and enable commands.
Packet mode uses the ppp and network commands.

• Emphasize that centralized or server-based AAA is scalable. It is

not practical to replicate a local database on 100 networking
devices.

© 2012 Cisco and/or its affiliates. All rights reserved. 13

• Compare and contrast TACACS+ and RADIUS:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094
e99.shtml

• Emphasize that when using method lists with AAA, the methods
are accessed in sequence only if an error occurs. If there is an
authentication failure, the next method is NOT invoked.
• The aaa new-model command enables AAA. All subsequent
commands depend on this first step.
• The AAA syntax is inherently difficult to understand and the
implementation is awkward. Make a point that the main idea is to
provide flexibility with authentication and authorization options.

© 2012 Cisco and/or its affiliates. All rights reserved. 14

• To illustrate the power of AAA, conduct a demo with local AAA
authentication to show how the vty and console lines are
automatically secured with the default option.
Note that a named list must be applied to a particular line before that method
works for that line; the default method applies to that line in the mean time.

• Demonstrate how incorrect AAA configuration can lock you out of

a router:
Enable AAA local authentication prior to configuring a local username
database.

• Show the AAA page in CCP to illustrate that AAA is enabled by

default on CCP.
• Installing and configuring CSACS can be overwhelming. Use the
two VoD’s under Tools for this course at cisco.netacad.net to see
how an expert makes it easy for you.

© 2012 Cisco and/or its affiliates. All rights reserved. 15

• Ask students what they think the advantages to centralized
authentication are?
Possible answers include saving time over the long term, enhanced security,
scalability, and ease of control and management.

• Discuss authentication methods in general and ask an open-

ended question to students about what can be done to enhance
authentication, especially given that more of our lives are
connected with the Internet over time.
See http://www.csoonline.com/article/655483/report-breaches-in-the-cloud-
illustrate-need-for-stronger-authentication for discussion points.

© 2012 Cisco and/or its affiliates. All rights reserved. 16

• There are many examples of security breaches that have
occurred in the news lately. Ask students to research some of
these and report back on how they could have been deterred
better.
http://en.wikipedia.org/wiki/Password#Incidents

• Lead by example as a network engineer. Use sophisticated

password rules and ask users to do the same.
• Every protocol that has an MD5 option or stronger (RIPv2, NTP,
etc.), should implement that option. If there is an option for
authentication and encryption, use both.
• Wireless LANs are the ideal stage for authentication scenarios
because they are the most vulnerable. Secure your network as if
it were as vulnerable as a WLAN.

© 2012 Cisco and/or its affiliates. All rights reserved. 17

• http://en.wikipedia.org/wiki/AAA_protocol

• http://www.nytimes.com/2010/01/21/technology/21password.html

• http://www.cisco.com/en/US/docs/ios-
xml/ios/sec_usr_aaa/configuration/15-2mt/sec-usr-aaa-15-2mt-
book.html
• https://www.infosecisland.com/blogview/14756-AAA-Security-
Troubleshooting.html

© 2012 Cisco and/or its affiliates. All rights reserved. 18

© 2011 Cisco and/or its affiliates. All rights reserved. 19