56 Chapter 2 Introduction to AAA Security
Summary
As security needs become more complex in your networking environments, Cisco continues to extend its features to meet demands. Cisco’s AAA (Authentication, Authorization, and Accounting) services provide control over user access, what those users are permitted to do once they’re authorized to get into your network, and records the tasks they perform during their sessions. AAA provides great techniques for network authentication, granting permissions (authorization), and keeping records of activity (accounting).
In addition, RADIUS and TACACS+ security servers allow you to implement a centralized security plan.
The configuration of AAA on the Cisco NAS (Network Access Server) using a local database is important for smaller networks. In Chapter 3, you’ll learn how to move the local database to a Cisco NAS.
Exam Essentials
Remember which authentication method is the most secure. Token cards/soft tokens are the most secure method of authentication.
Know what the AAA command wait-start radius provides. The wait-start radius command means that a requested service cannot start until the acknowledgment has been received from the RADIUS server.
Be able to read the output of a debug aaa authentication command. In the debug aaa authentication output, you need to find the username and the method, and see if it was successful.
Be able to read the output of a debug ppp authentication command. In the debug ppp authentication output, you need to understand what interface the challenge is coming from.
Remember the command to enable AAA globally on the NAS. The aaa new-model command is used to start AAA on the NAS.
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Commands Used in This Chapter |
57 |
Key Terms
Before you take the exam, be certain you are familiar with the following terms:
accounting |
network access server (NAS) |
authentication |
packet-mode access |
Authentication, Authorization, and |
PAP (Password Authentication Protocol) |
Accounting (AAA) |
|
authorization |
PPP (Point-to-Point Protocol) |
bastion hosts |
RADIUS (Remote Authentication Dial-In User |
|
Service) |
CHAP (Challenge Handshake |
sacrificial hosts |
Authentication Protocol) |
|
character-mode access |
Syslog |
dirty DMZ |
TACACS+ (Terminal Access Controller Access |
|
Control System) |
Kerberos |
token cards/soft tokens |
line authentication |
|
Commands Used in This Chapter
Here is the list of commands used in this chapter:
Command |
Meaning |
(config)#line con 0 |
Chooses the line configuration of the |
|
console port. |
(config-line)#login |
Tells the router to look in the line |
|
configuration for the password. |
(config-line)#password password |
Sets the line password. |
(config-line)#line vty 0 4 |
Chooses the Telnet lines. |
(config-line)#line aux 0 |
Chooses the AUX line. |
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
58 Chapter 2 Introduction to AAA Security
Command |
Meaning |
(config)#enable secret password |
Sets the enable secret password. |
(config)#enable password password |
Sets the enable password. |
(config)#service password-encryption |
Encrypts the enable password and the line |
|
passwords. |
(config)#username username password |
Creates a username and password. |
password |
|
(config-line)#login local |
Designates that the username will use the |
|
local line password for authentication. |
(config)#aaa new-model |
Enables the AAA process on the NAS. |
(config)#aaa authentication login |
Tells the router to authenticate using the |
default local |
local username and password. |
(config-line)#login authentication |
Places the authentication login default |
default |
command under the lines. |
(config)#aaa authentication login |
Enables a command set on the BRI |
dial-in local |
interface so that the local lines will be |
|
used for authentication. |
(config)#int bri0/0 |
Chooses the BRI interface. |
(config-if)#ppp encapsulation |
Sets the interface encapsulation to PPP. |
(config-if)#ppp authentication chap |
Sets the interface to use CHAP |
dial-in |
authentication. |
(config)#aaa authorization commands 1 |
Sets a level 1 configuration to use the local |
begin local |
line passwords. |
(config)#aaa authorization commands 15 |
Sets a level 15 configuration to use the local |
end local |
line passwords. |
(config)#aaa #authorization network |
Performs authorization security on all |
admin local none |
network services. |
#debug aaa authentication |
Turns on debugging for AAA |
|
authentication. |
#no debug aaa authentication |
Turns off debugging for AAA |
|
authentication. |
#debug aaa authorization |
Turns on debugging for AAA |
|
authorization. |
#debug aaa accounting |
Turns on debugging for AAA accounting. |
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |
Written Lab |
59 |
Written Lab
This section asks you 10 write-in-the-answer questions to help you understand the technology that you need to know in order to pass the SECUR exam.
1.List three packet-mode access methods.
2.List three character-mode access methods.
3.List the least secure authentication method.
4.List the most secure authentication method.
5.What is the command that enables AAA globally on the NAS?
6.What are the three AAA components?
7.Which AAA component controls user privileges?
8.True/False: Authorization servers can be used to authenticate users remotely.
9.Which AAA component identifies users?
10.Which AAA component limits a user’s ability on a network?
Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501. |
www.sybex.com |