ccna security section 3b
TRANSCRIPT
8/20/2019 Ccna Security Section 3b
1/21
Local Versus Server-Based Authentication

Server-Based Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password.
3. The router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database.
[Figure: Remote User, Perimeter Router and Cisco Secure ACS for Windows Server, with the four steps numbered 1 to 4]

Local Authentication
1. The user establishes a connection with the router.
2. The router prompts the user for a username and password, authenticating the user using a local database.
Overview of TACACS+ and RADIUS
[Figure: Remote User, Perimeter Router, Cisco Secure ACS for Windows Server and Cisco Secure ACS Express]
TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.
TACACS+/RADIUS Comparison

Functionality
  TACACS+: Separates AAA according to the AAA architecture, allowing modularity of the security server implementation.
  RADIUS: Combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
Standard
  TACACS+: Mostly Cisco supported
  RADIUS: Open/RFC standard
Transport Protocol
  TACACS+: TCP
  RADIUS: UDP
CHAP
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client
Protocol Support
  TACACS+: Multiprotocol support
  RADIUS: No ARA, no NetBEUI
Confidentiality
  TACACS+: Entire packet encrypted
  RADIUS: Password encrypted
Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis
Accounting
  TACACS+: Limited
  RADIUS: Extensive
TACACS+ Authentication Process
- Provides separate AAA services
- Utilizes TCP port 49
[Figure: TACACS+ exchange between the router (client) and the ACS server: Connect; Username prompt?; Username?; Use "Username"; Password prompt?; Password?; Use "Password"; Accept/Reject]
RADIUS Authentication Process
- Works in both local and roaming situations
- Uses UDP ports 1645 or 1812 for authentication and UDP ports 1646 or 1813 for accounting
[Figure: RADIUS exchange: Username? cisco1; Password? cisco123; Access-Request (cisco1, "cisco123"); Access-Accept]
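The distinction the comparison table draws between "password encrypted" (RADIUS) and "entire packet encrypted" (TACACS+) worked through in code, so that the two exchanges above can be compared byte for byte. This is an added example, not code from the slides or from Cisco: it implements the RFC 2865 User-Password hiding and the RFC 8907 TACACS+ body obfuscation with a constructed shared secret, session ID and Request Authenticator, reusing the cisco1/cisco123 credentials from the RADIUS figure.

```python
import hashlib
import struct

SECRET = b"constructed-shared-secret"  # constructed sample key, not from the slides

def radius_hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks; hidden_i = plain_i XOR MD5(secret + prev),
    prev = Request Authenticator for block 1, else the previous hidden block."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def radius_reveal_password(secret, authenticator, hidden):
    """Inverse of radius_hide_password (the server side); NUL padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def radius_access_request(secret, username, password, authenticator, ident=1):
    """Access-Request (Code 1): header, 16-byte Request Authenticator, User-Name (type 1)
    in cleartext, User-Password (type 2) hidden. Only the password gets any protection."""
    hidden = radius_hide_password(secret, authenticator, password)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_obfuscate(key, session_id, version, seq_no, body):
    """RFC 8907 4.5: body XOR (MD5_1 || MD5_2 || ...), MD5_1 = MD5(session_id + key +
    version + seq_no), MD5_n = MD5(same + MD5_n-1). XOR is its own inverse: decodes too."""
    seed = session_id + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(a ^ b for a, b in zip(body, pad))

def compare_exposure(secret, username, password, authenticator=b"\x11" * 16):
    """Which credential fields an on-path observer can read in each protocol. The TACACS+
    PAP START body (action LOGIN, priv_lvl 0, authen_type PAP, service LOGIN) is constructed."""
    radius_pkt = radius_access_request(secret, username, password, authenticator)
    body = b"\x01\x00\x02\x01" + bytes([len(username), 0, 0, len(password)]) + username + password
    tacacs_body = tacacs_obfuscate(secret, b"\xde\xad\xbe\xef", 0xC0, 1, body)
    return {"radius_user": username in radius_pkt, "radius_pass": password in radius_pkt,
            "tacacs_user": username in tacacs_body, "tacacs_pass": password in tacacs_body}
```

Both schemes are keyed MD5 XOR streams, so the shared secret is the whole of the protection; the RADIUS Request Authenticator and every other attribute travel in the clear, which is why the table lists RADIUS as "password encrypted" only.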
Cisco Secure ACS Benefits
- Extends access security by combining authentication, user access, and administrator access with policy control
- Allows greater flexibility and mobility, increased security, and user-productivity gains
- Enforces a uniform security policy for all users
- Reduces the administrative and
Advanced Features
- Automatic service monitoring
- Database synchronization and importing of tools for large-scale deployments
- Lightweight Directory Access Protocol (LDAP) user authentication support
- User and administrative access reporting
- Restrictions to network access based on criteria
- User and device group profiles
Installation Options
Cisco Secure ACS for Windows can be installed on:
- Windows 2000 Server with Service Pack
- Windows 2000 Advanced Server with Service Pack
- Windows Server 2003 Standard Edition
- Windows Server 2003 Enterprise Edition
Cisco Secure ACS Solution Engine
- A highly scalable dedicated platform that serves as a high-performance ACS
- 1RU, rack-mountable
- Preinstalled with security-hardened Windows software and Cisco Secure ACS software
- Support for more than 350 users
Cisco Secure ACS Express 5.0
- Entry-level ACS with a simplified feature set
- Support for up to 50 AAA devices and up to 350 unique user logins in a 24-hour period
Deploying ACS
- Consider third-party software requirements
- Verify that gateway devices permit communication over the ports that are needed to support the applicable feature or protocol.
- A supported web browser must be installed on the computer running ACS.
- All
Cisco Secure ACS Homepage
- Add, delete, and modify settings for AAA clients (routers)
- Set menu display options for TACACS+ and RADIUS
- Configure database settings
Interface Configuration
The selection made in the Interface Configuration window controls the display of options in the user interface.
External User Database
1. Click the External User Databases button on the navigation bar
2. Click Database Configuration
3. Click Windows Database
Windows User Database Configuration
4. Click Configure
5. Configure options
Configuring the Unknown User Policy
1. Click External User Databases on the navigation bar
2. Click Unknown User Policy
3. Place a check in the box
4. Choose the database from the list and click the right arrow to move it to the Selected list
5. Manipulate the databases to reflect the order in which each will be checked
6. Click Submit
Group Setup
Database group mappings - Control authorizations for users authenticated by the Windows server in one group and those authenticated by the LDAP server in another
1. Click Group Setup on the navigation bar
2. Choose the group to edit and click Edit Settings
3. Click Permit in the Unmatched Cisco IOS commands option
4. Check the Command check box and select an argument
5. For the Unlisted Arguments option, click Permit
User Setup
1. Click User Setup on the navigation bar
2. Enter a username and click Add/Edit
3. Enter the data to define the user account
4. Click Submit
Configuring Server-Based AAA Authentication
1. Globally enable AAA to allow the use of all AAA elements (a prerequisite)
2. Specify the Cisco Secure ACS that will provide AAA services for the network access server
3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS
4. Configure the AAA authentication method list
aaa authentication Command

R1(config)# aaa authentication type { default | list-name } method1 … [method4]

R1(config)# aaa authentication login default ?
  enable         Use enable password for authentication.
  group          Use Server-group
  krb5           Use Kerberos 5 authentication.
  krb5-telnet    Allow logins only if already authenticated via Kerberos Telnet.
  line           Use line password for authentication.
  local          Use local username authentication.
  local-case     Use case-sensitive local username authentication.
  none           NO authentication.
  passwd-expiry  enable the login list to provide password aging support

R1(config)# aaa authentication login default group ?
  WORD     Server-group name
  radius   Use list of all Radius hosts.
  tacacs+  Use list of all Tacacs+ hosts.

R1(config)# aaa authentication login default group
Sample Configuration
- Multiple RADIUS servers can be identified by entering a radius-server command for each
- For TACACS+, the single-connection command maintains a single TCP connection for the life of the session
[Figure: R1 communicating with the AAA security servers. TACACS+ or RADIUS protocols are used to communicate between the clients and AAA security servers.]
Sample Configuration

aaa new-model
aaa authentication login default group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default stop-only group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
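How IOS walks the login method list from the sample configuration (group tacacs+ local-case), as an added simulation that is not from the slides or from Cisco IOS: a later method is consulted only when the earlier one returns an error (no server in the group answered), never when a server rejects the credentials, and a trailing "none" accepts anyone once the servers are down. The server group, the local account and the enable secret are constructed sample data.

```python
from enum import Enum

class Result(Enum):
    PASS = "pass"    # the method authenticated the user
    FAIL = "fail"    # the method reached a decision and rejected the credentials
    ERROR = "error"  # the method could not decide, e.g. every server in the group timed out

def run_method(method, username, password, servers, local_users, enable_secret=None):
    """One method keyword from the 'aaa authentication login' help text."""
    if method == "none":
        return Result.PASS
    if method == "enable":
        return Result.PASS if enable_secret and password == enable_secret else Result.FAIL
    if method in ("local", "local-case"):
        if method == "local-case":  # case-sensitive username match
            return Result.PASS if local_users.get(username) == password else Result.FAIL
        table = {u.lower(): p for u, p in local_users.items()}
        return Result.PASS if table.get(username.lower()) == password else Result.FAIL
    if method.startswith("group "):
        for server in servers.get(method.split(" ", 1)[1], []):
            if server["reachable"]:  # the first responding server decides for the whole group
                return Result.PASS if server["users"].get(username) == password else Result.FAIL
        return Result.ERROR
    raise ValueError(f"unsupported method: {method}")

def evaluate_method_list(methods, username, password, servers, local_users, enable_secret=None):
    """Methods are tried in order; IOS moves to the next one only on ERROR, never on FAIL.
    Returns (result, method that decided); (ERROR, None) means every method errored."""
    for method in methods:
        result = run_method(method, username, password, servers, local_users, enable_secret)
        if result is not Result.ERROR:
            return result, method
    return Result.ERROR, None

# Constructed sample data (not from the slides): one TACACS+ server and one local account.
ACS_UP = {"tacacs+": [{"reachable": True, "users": {"cisco1": "cisco123"}}]}
ACS_DOWN = {"tacacs+": [{"reachable": False, "users": {"cisco1": "cisco123"}}]}
LOCAL_USERS = {"Admin": "constructed-local-pw"}
SLIDE_METHODS = ["group tacacs+", "local-case"]  # the login list from the sample configuration
```

The local-case entry is therefore a fallback for when the ACS is unreachable, not a second chance after a rejection; a list that ends in "none" should be reviewed with that in mind.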