Network Security v1.0 - Module 7 (Authentication, Authorization, and Accounting)

Module 7: Authentication, Authorization, and Accounting (AAA)

Module Objectives:
  • Configure AAA to secure a network.


7.1 AAA Characteristics

AAA Overview:
  • AAA refers to Authentication, Authorization, and Accounting in network security.

  • Authentication: Users must prove their identity to access network resources.

  • Authorization: After authentication, the system determines what resources and actions are available to the user.

  • Accounting: Tracks what the user does after authentication, including time spent on resources and the actions performed.

Authentication without AAA:
  • Basic method: username and password on console, vty, and aux ports.

  • More secure method: SSH (Secure Shell), which requires both a username and password and encrypts the whole session, so credentials never cross the network in clear text.


AAA Components:
  1. Authentication: Verifying the identity of users.

  2. Authorization: Determining the level of access for authenticated users.

  3. Accounting: Monitoring the usage of network resources by users.

Authentication Modes:
  • Local AAA Authentication: Uses a local database for authentication.

  • Server-Based AAA Authentication: Uses a central AAA server (e.g., TACACS+ or RADIUS) to authenticate users.


7.2 Configure Local AAA Authentication

Steps for Configuring Local AAA Authentication:
  1. Add usernames and passwords to the router’s local database.

  2. Enable AAA globally on the router.

  3. Configure AAA parameters on the router.

  4. Verify and troubleshoot the configuration.

Authentication Methods:
  • Use the aaa authentication login command to apply authentication to various lines (console, vty, aux).

  • Up to four authentication methods can be specified in a list, providing fallback options: the next method is tried only when the previous one returns an error (for example, the AAA server is unreachable), not when it rejects the credentials.

Default and Named Authentication Methods:
  • Named (custom) authentication lists are defined with the aaa authentication login list-name command and applied to specific lines (console, vty, aux) with the login authentication list-name line command; the default list applies to any line that has no named list.

Fine-Tuning:
  • Set the maximum number of failed attempts with the aaa local authentication attempts max-fail command.

  • Locked accounts can be cleared using clear aaa local user lockout {username name | all}.
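The four local-AAA steps above, carried through as one Cisco IOS configuration (an added example written for this summary, not configuration from the course). The usernames, secrets and the list name SSH-LOGIN are constructed placeholders, and the SSH prerequisites (hostname, domain name, RSA key pair) are assumed to be in place already:

```cisco
! Step 1: local user database. 'secret' stores a hash; avoid 'password', which is reversible.
username admin privilege 15 secret Adm1n-Ch4nge-Me
username helpdesk privilege 1 secret H3lpd3sk-Ch4nge-Me
!
! Step 2: enable AAA globally. Until this is entered the old line-level 'login local' model is in use.
aaa new-model
!
! Step 3: method lists.
! The default list covers every line without a named list; 'local-case' makes usernames case-sensitive.
aaa authentication login default local-case
! A named list must be applied to a line explicitly (see 'login authentication' below).
aaa authentication login SSH-LOGIN local-case
! Lock a local account after three consecutive failures.
aaa local authentication attempts max-fail 3
!
line console 0
 login authentication default
line vty 0 4
 login authentication SSH-LOGIN
 transport input ssh
!
! Step 4: verification, entered from privileged EXEC rather than configuration mode:
! show aaa local user lockout                     - lists accounts currently locked out
! clear aaa local user lockout username helpdesk  - releases one locked account
! debug aaa authentication                        - shows which method list and method handle the next login
```

Locking out local accounts limits password guessing, but it also means the admin account used for emergency console access can be locked; keep at least one recovery path (console access under physical control) before enabling max-fail on production devices.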


7.3 Server-Based AAA Characteristics and Protocols (Optional)

Local vs Server-Based AAA:
  • Server-based AAA provides central management for users and administrative access across multiple devices.

  • It integrates with external identity stores such as Active Directory or LDAP for centralized account management.

TACACS+ and RADIUS:
  • TACACS+: Cisco-proprietary, uses TCP port 49, encrypts the entire packet body, and keeps authentication, authorization, and accounting as separate functions.

  • RADIUS: Open IETF standard, uses UDP (ports 1812/1813), encrypts only the password field, and combines authentication and authorization into a single process.

Cisco Identity Services Engine (ISE):
  • A platform that combines policy definition, control, and reporting for end devices, including BYOD (Bring Your Own Device).


7.4 Configure Server-Based Authentication (Optional)

Steps to Configure Server-Based AAA Authentication:
  1. Globally enable AAA on the router.

  2. Specify the AAA server (e.g., TACACS+ or RADIUS).

  3. Configure the shared secret key for encrypted communication between the router and AAA server.

  4. Configure the AAA authentication method list to refer to the server.


7.5 Configure Server-Based Authorization and Accounting (Optional)

Authorization:
  • Ensures users have access to the appropriate functions based on their role.

  • TACACS+: Separates authentication from authorization, offering more granular control.

  • RADIUS: Does not separate authentication and authorization.

Accounting:
  • Tracks the actions performed by users, including session duration and accessed resources.

  • The aaa accounting command configures accounting for services such as network or exec sessions.
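The server-based procedure from 7.4 (enable AAA, define the servers and shared secrets, build the method list) and the authorization and accounting commands from 7.5, combined into one Cisco IOS configuration. This is an added example, not configuration from the course; the server names TACACS-SRV and RADIUS-SRV, the group name TACACS-GROUP, the 192.0.2.x addresses and the shared secrets are constructed placeholders and must match whatever the real AAA server is configured with:

```cisco
! 7.4 step 1: enable AAA globally
aaa new-model
!
! Local fallback account, reachable only when every server returns an error (unreachable)
username admin privilege 15 secret Adm1n-Ch4nge-Me
!
! 7.4 steps 2 and 3: define each server and the shared secret that protects the exchange
tacacs server TACACS-SRV
 address ipv4 192.0.2.10
 single-connection
 key T4cacs-Shared-Secret
!
radius server RADIUS-SRV
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key R4dius-Shared-Secret
!
! Group the TACACS+ server so method lists can reference the group by name
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SRV
!
! 7.4 step 4: authentication method list. Methods are tried in order; a rejected
! password does NOT fall through to 'local-case', only an unreachable server does.
aaa authentication login default group TACACS-GROUP group radius local-case
!
! 7.5 authorization. TACACS+ authorizes the EXEC shell and individual privileged
! commands separately; 'if-authenticated' lets an already authenticated user
! continue if the server is down, so local fallback logins are not stranded.
aaa authorization exec default group TACACS-GROUP if-authenticated
aaa authorization commands 15 default group TACACS-GROUP if-authenticated
! RADIUS returns authorization attributes with the authentication reply
aaa authorization network default group radius
!
! 7.5 accounting. 'start-stop' records session start and end; 'commands 15'
! sends every privileged command to the TACACS+ server for an audit trail.
aaa accounting exec default start-stop group TACACS-GROUP
aaa accounting commands 15 default start-stop group TACACS-GROUP
aaa accounting network default start-stop group radius
!
! Verification from privileged EXEC:
! test aaa group tacacs+ admin Adm1n-Ch4nge-Me legacy   - checks the server path and key
! debug tacacs                                           - shows the exchange with the server
! debug aaa accounting                                   - shows the records being sent
```

Because the RADIUS shared secret protects only the password field and TACACS+ encrypts the whole body, the secrets should be long and unique per device, and the AAA traffic should stay on a management network rather than crossing untrusted segments.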


7.6 AAA Summary

Key Takeaways:
  • AAA provides a structured framework for managing user access and activity on a network.

    • Authentication verifies identity.

    • Authorization controls resource access.

    • Accounting tracks usage.

  • Local AAA is suitable for small networks, while Server-Based AAA is ideal for larger, enterprise-level networks.

  • TACACS+ and RADIUS are the protocols used for communication with AAA servers.

  • The process for configuring server-based AAA involves enabling AAA, specifying the server, setting encryption keys, and configuring method lists.
