ccna security section 3b

Upload: ratnesh-kumar

Post on 07-Aug-2018


  • 8/20/2019 Ccna Security Section 3b

    1/21

    Local Versus Server-Based Authentication

    Server-Based Authentication
    1. The user establishes a connection with the router.
    2. The router prompts the user for a username and password.
    3. The router passes the username and password to the Cisco Secure ACS (server or engine).
    4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.

    [Figure: Remote User - Perimeter Router - Cisco Secure ACS for Windows Server, with steps 1 to 4 marked on the links]

    Local Authentication
    1. The user establishes a connection with the router.
    2. The router prompts the user for a username and password, authenticating the user using a local database.


    Overview of TACACS+ and RADIUS

    [Figure: Remote User - Perimeter Router - Cisco Secure ACS for Windows Server / Cisco Secure ACS Express]

    TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.


    TACACS+ and RADIUS Comparison

    Functionality
      TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation.
      RADIUS:  Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.

    Standard
      TACACS+: Mostly Cisco supported.
      RADIUS:  Open/RFC standard.

    Transport Protocol
      TACACS+: TCP
      RADIUS:  UDP

    CHAP
      TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP).
      RADIUS:  Unidirectional challenge and response from the RADIUS security server to the RADIUS client.

    Protocol Support
      TACACS+: Multiprotocol support.
      RADIUS:  No ARA, no NetBEUI.

    Confidentiality
      TACACS+: Entire packet encrypted.
      RADIUS:  Password encrypted.

    Customization
      TACACS+: Provides authorization of router commands on a per-user or per-group basis.
      RADIUS:  Has no option to authorize router commands on a per-user or per-group basis.

    Accounting
      TACACS+: Limited
      RADIUS:  Extensive


    TACACS+ Authentication Process

    • Provides separate AAA services
    • Utilizes TCP port 49

    [Figure: TACACS+ exchange between the router (AAA client) and the ACS server]
      Router -> ACS:  Connect
      ACS -> Router:  Username prompt?
      Router -> ACS:  Use "Username"
      Router -> User: Username:
      ACS -> Router:  Password prompt?
      Router -> ACS:  Use "Password"
      Router -> User: Password:
      User -> Router: <StrongPassword>
      Router -> ACS:  <StrongPassword>
      ACS -> Router:  Accept / Reject


    RADIUS Authentication Process

    • Works in both local and roaming situations
    • Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting

    [Figure: RADIUS exchange between the router (AAA client) and the ACS server]
      User -> Router: Username: cisco1
      User -> Router: Password: cisco123
      Router -> ACS:  Access-Request (cisco1, "cisco123")
      ACS -> Router:  Access-Accept
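The "Confidentiality" row of the comparison table and the two exchanges above come down to how each protocol treats the packet on the wire. The following is an added example, not code from the slides or from Cisco: it implements the RFC 2865 User-Password hiding that RADIUS applies to the password attribute only, and the RFC 8907 pseudo-pad that TACACS+ XORs over the entire packet body. The shared secret, session id and packet contents are constructed sample values.

```python
import hashlib
import os
import struct

SECRET = b"ConstructedSharedSecret"   # constructed shared secret known to client and server


def radius_hide_password(password, authenticator, secret=SECRET):
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, then c_i = p_i XOR MD5(secret + c_(i-1)),
    seeded with the 16-byte Request Authenticator carried in cleartext in the header."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(hidden, authenticator, secret=SECRET):
    """Server side: regenerate the same key blocks, XOR back, strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(username, password, identifier=1, authenticator=None):
    """Access-Request (code 1): header + User-Name (type 1) + User-Password (type 2).
    Only the User-Password value is hidden; header and User-Name travel in cleartext."""
    authenticator = authenticator or os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_obfuscate(body, session_id, seq_no, secret=SECRET, version=0xC0):
    """RFC 8907 4.5: pseudo-pad = MD5(session_id|key|version|seq_no[|previous MD5]) chained
    until it covers the body, then XOR over the whole body. Applying it twice restores it."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))
```

Note that in the RADIUS packet the username, attribute types and Request Authenticator are readable by anyone on the path, which is why the table credits TACACS+ with confidentiality of the entire packet and RADIUS with the password only.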


    Cisco Secure ACS Benefits

    • Extends access security by combining authentication, user access, and administrator access with policy control
    • Allows greater flexibility and mobility, increased security, and user-productivity gains
    • Enforces a uniform security policy for all users
    • Reduces the administrative and


    Advanced Features

    • Automatic service monitoring
    • Database synchronization and importing of tools for large-scale deployments
    • Lightweight Directory Access Protocol (LDAP) user authentication support
    • User and administrative access reporting
    • Restrictions to network access based on criteria
    • User and device group profiles


    Installation Options

    Cisco Secure ACS for Windows can be installed on:
    - Windows 2000 Server with Service Pack
    - Windows 2000 Advanced Server with Service Pack
    - Windows Server 2003 Standard Edition
    - Windows Server 2003 Enterprise Edition

    Cisco Secure ACS Solution Engine
    - A highly scalable dedicated platform that serves as a high-performance ACS
    - 1RU, rack-mountable
    - Preinstalled with security-hardened Windows software and Cisco Secure ACS software
    - Support for more than 350 users

    Cisco Secure ACS Express
    - Entry-level ACS with simplified feature set
    - Support for up to 50 AAA devices and up to 350 unique user logins in a 24-hour period


    Deploying ACS

    • Consider third-party software requirements
    • Verify that gateway devices permit communication over the ports that are needed to support the applicable feature or protocol.
      - A supported web browser must be installed on the computer running ACS.
      - All


    Cisco Secure ACS Homepage

    [Figure: ACS homepage with callouts]
    - Add, delete, and modify settings for AAA clients (routers)
    - Set menu display options for TACACS+ and RADIUS
    - Configure database settings


    Interface Configuration

    The selection made in the Interface Configuration window controls the display of options in the user interface.


    External User Database

    1. Click the External User Databases button on the navigation bar.
    2. Click Database Configuration.
    3. Click Windows Database.


    Windows User Database Configuration

    4. Click Configure.
    5. Configure options.


    Configuring the Unknown User Policy

    1. Click External User Databases on the navigation bar.
    2. Click Unknown User Policy.
    3. Place a check in the box.
    4. Choose the database from the list and click the right arrow to move it to the Selected list.
    5. Arrange the databases to reflect the order in which each will be checked.
    6. Click Submit.


    Group Setup

    Database group mappings control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another.

    1. Click Group Setup on the navigation bar.
    2. Choose the group to edit and click Edit Settings.
    3. Click Permit in the Unmatched Cisco IOS commands option.
    4. Check the Command check box and select an argument.
    5. For the Unlisted Arguments option, click Permit.


    User Setup

    1. Click User Setup on the navigation bar.
    2. Enter a username and click Add/Edit.
    3. Enter the data to define the user account.
    4. Click Submit.


    Configuring Server-Based AAA Authentication

    1. Globally enable AAA to allow the use of all AAA elements (a prerequisite).
    2. Specify the Cisco Secure ACS that will provide AAA services for the network access server.
    3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS.
    4. Configure the AAA authentication method list.


    aaa authentication Command

    R1(config)# aaa authentication type { default | list-name } method1 … [method4]

    R1(config)# aaa authentication login default ?
      enable         Use enable password for authentication.
      group          Use Server-group
      krb5           Use Kerberos 5 authentication.
      krb5-telnet    Allow logins only if already authenticated via Kerberos V Telnet.
      line           Use line password for authentication.
      local          Use local username authentication.
      local-case     Use case-sensitive local username authentication.
      none           NO authentication.
      passwd-expiry  enable the login list to provide password aging support

    R1(config)# aaa authentication login default group ?
      WORD     Server-group name
      radius   Use list of all Radius hosts.
      tacacs+  Use list of all Tacacs+ hosts.

    R1(config)# aaa authentication login default group


    Sample Configuration

    • Multiple RADIUS servers can be identified by entering a radius-server command for each.
    • For TACACS+, the single-connection command maintains a single TCP connection for the life of the session.

    [Figure: R1 connected to the AAA servers. TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.]


    Sample Configuration

    aaa new-model
    aaa authentication login default group tacacs+ local-case
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization config-commands
    aaa authorization exec default group tacacs+ local
    ! privilege levels 1 and 15 are assumed: the level argument is required by IOS but was not legible in the extracted slide
    aaa authorization commands 1 default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 1 default stop-only group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+

    aaa authori$ation con1*-co!!andsaaa authori$ation e3ec default *rou" tacacs+ localaaa authori$ation co!!ands default *rou" tacacs+ localaaa authori$ation co!!ands default *rou" tacacs+localaaa accountin* e3ec default start-sto" *rou" tacacs+aaa accountin* co!!ands default sto"-onl4 *rou"tacacs+aaa accountin* co!!ands default start-sto" *rou"tacacs+