Authentication without AAA:
The simplest form of authentication is a login and password combination, usually applied to the console, vty, or aux lines. This method lacks accountability: there is no individual username, so anyone who knows the shared password can log in and modify the configuration, and changes cannot be traced to a specific person.
SSH provides a more secure form of remote access, where both the username and password are encrypted during transmission.
AAA Components:
Authentication: Users must prove their identity before accessing network resources. Methods can include username/password, challenge-response questions, and token cards.
Authorization: After authentication, this determines what resources the user can access and which operations they can perform (e.g., user "student" can access serverXYZ via SSH).
Accounting: Records activities performed by the user, such as what resources were accessed, the time spent on them, and any changes made.
Authentication Modes:
Local AAA Authentication: Uses a local database for user credentials. It is self-contained and doesn't require an external server.
Server-Based AAA Authentication: Involves connecting to a central AAA server (using protocols like RADIUS or TACACS+) to authenticate users. This is useful for larger networks where central management is required.
Authenticate Administrative Access:
Add usernames and passwords to the local router database.
Enable AAA globally on the router.
Configure the required AAA parameters.
Troubleshoot and confirm the AAA configuration.
Authentication Methods:
The aaa authentication login command enables authentication on the various lines (console, vty, aux).
Methods such as local, enable, or a group of AAA servers can be combined in a named method list. The methods are tried in order, so later entries act as a fallback when an earlier method cannot be used (for example, the AAA server does not respond); a rejected password is a failed login, not a reason to fall back.
Advanced Configuration:
Use the aaa local authentication attempts max-fail command to lock out local accounts after a set number of consecutive failed login attempts.
The show aaa user command displays the attributes collected for a specific AAA session.
TACACS+:
A Cisco-proprietary protocol that separates the AAA functions, so different authentication, authorization, and accounting methods can be used independently of each other.
Authentication Process: The router authenticates the user via the TACACS+ server.
RADIUS:
An open IETF standard protocol, commonly used for network access control and accounting. RADIUS combines authentication and authorization in one process, unlike TACACS+.
RADIUS Authentication Process: The user's credentials are sent to the RADIUS server, which performs the authentication and authorization in one step.
Cisco Identity Services Engine (ISE):
A platform for enforcing security policies across an organization, providing a centralized location for user management and compliance enforcement.
Server-Based AAA Configuration (optional):
Enable AAA globally on the device.
Specify the AAA server (RADIUS or TACACS+) that will handle authentication.
Configure encryption keys to secure data transfer between the router and the AAA server.
Set up the AAA authentication method list to reference the chosen server.
Authorization: After authentication, this determines which actions the user is allowed to perform (e.g., which commands or services they can access). The aaa authorization command is used to define these permissions.
Accounting: This tracks the activities of users and records usage data for auditing purposes. Configurations can track network, connection, EXEC session, system, or command-level activities. Use the aaa accounting command to enable accounting services.
Triggers: You can specify when accounting records are sent, such as "start-stop" (which logs both the beginning and the end of a session) or "stop-only" (which logs only when the session ends, and also sends a stop record for a failed authentication).
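The following IOS configuration walks through the steps above end to end (local fallback account, enabling AAA, a TACACS+ server with its key, a method list with local fallback, lockout, authorization and accounting) and is an added example, not taken from the original notes. The server name, address, shared key, list names and the max-fail count are assumed placeholder values, and SSH (domain name and RSA key) is assumed to be configured already.

```ios
! Added example, not from the original notes. Placeholder values: 192.0.2.10, the
! shared key, list names and the max-fail count are assumptions; SSH is assumed set up.
!
! 1. Local account, used only as a fallback if the TACACS+ server is unreachable
username ADMIN privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! 2. Enable AAA globally
aaa new-model
!
! Lock a local account after 3 consecutive failed logins
aaa local authentication attempts max-fail 3
!
! 3. Define the TACACS+ server and the key that protects router-to-server traffic
tacacs server TACACS-SRV1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-KEY
!
! Method lists: ask the TACACS+ group first, fall back to the local database only
! if the server does not answer (a rejected password is NOT a fallback condition)
aaa authentication login ADMIN-LOGIN group tacacs+ local
aaa authorization exec ADMIN-EXEC group tacacs+ local
aaa authorization commands 15 ADMIN-CMDS group tacacs+ local
! Accounting: start-stop records for EXEC sessions and privilege-15 commands
aaa accounting exec ADMIN-ACCT start-stop group tacacs+
aaa accounting commands 15 ADMIN-CMD-ACCT start-stop group tacacs+
!
! Apply the lists to the lines; restrict vty access to SSH only
line console 0
 login authentication ADMIN-LOGIN
line vty 0 4
 transport input ssh
 login authentication ADMIN-LOGIN
 authorization exec ADMIN-EXEC
 authorization commands 15 ADMIN-CMDS
 accounting exec ADMIN-ACCT
 accounting commands 15 ADMIN-CMD-ACCT
!
! 4. Verify from a second session before closing the one you configured from
! show aaa user all
! show aaa sessions
! show tacacs
! debug aaa authentication
```

Keep the original session open until a second SSH login through the new method list succeeds; a mistake in the list or the shared key otherwise locks you out of the device.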
Local vs Server-Based Authentication: Local AAA is suitable for smaller networks, while server-based AAA is ideal for larger networks needing centralized management.
TACACS+ and RADIUS: These are the key protocols used to communicate with AAA servers. The choice between the two depends on network needs, with TACACS+ offering more granular control over authentication and authorization.