SlideShare a Scribd company logo

5 ip security aaa

S
SagarR24

This document provides information about AAA (authentication, authorization, and accounting), ACLs (access control lists), and RADIUS and TACACS+ protocols. It defines AAA as a system for tracking user activities on an IP network and controlling access to resources. It describes the key differences between RADIUS and TACACS+ protocols. The document also provides configuration examples for implementing AAA using TACACS+ and RADIUS servers on a Cisco switch. It defines standard and extended ACLs and how they can filter traffic based on source/destination addresses, protocols, and ports.

Education
1 of 10
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY TOPICS COVERED: IP SERVICES - AAA [ AUTHENTICATION, AUTHORIZATION, ACCOUTING ] - ACCESS-LIST [ ACL ]
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY AAA [ AUTHENTICATION, AUTHORIZATION, ACCOUTING ] AAA Authentication, authorization and accounting (AAA) is a system for tracking user activities on an IP- based network and controlling their access to network resources. AAA is often being implemented as a dedicated server. This term is also referred to as the AAA Protocol. 1. Authentication refers to unique identifying information from each system user, generally in the form of a username and password. System administrators monitor and add or delete authorized users from the system. 2. Authorization refers to the process of adding or denying individual user access to a computer network and its resources. Users may be given different authorization levels that limit their access to the network and associated resources. 3. Accounting refers to the record-keeping and tracking of user activities on a computer network. For a given time period this may include, but is not limited to, real-time accounting of time spent accessing the network, the network services employed or accessed, capacity and trend analysis, network cost allocations, billing data, login data for user authentication and authorization, and the data or data amount accessed or transferred. RADIUS vs TACACS+ TACACS+ RADIUS TACACS+ uses TCP RADIUS uses UDP TACACS+ uses TCP port 49 Uses port 1812/1645 for authenticating Uses port 1813/1646 for accounting TACACS+ encrypts the entire communication RADIUS encrypts passwords only TACACS+ treats Authentication, Authorization and Accountability differently RADIUS combines authentication and authorization TACACS+ is Cisco proprietary protocol RADIUS is an open protocol TACACS+ is a heavy-weight protocol consuming more resources RADIUS is a light-weight protocol consuming less resources TACACS+ supports 15 privilege levels RADIUS is limited to privilege mode Mainly used for Device administration Mainly used for Network access Note: RADIUS has been officially assigned UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting, respectively) were used unofficially, and became the default ports assigned by many RADIUS client/server implementations at that time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason, many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests. The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812 (in 2000). The early deployment of RADIUS Accounting was done using UDP port number 1646, which conflicts with the "sa-msg-port" service. The officially assigned port number for RADIUS Accounting is 1813 (in 2000).
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY GNS3 CLI Commands: (TACACS+) Switch (config)# interface vlan 1 no switchport ip add 192.168.1.101 255.255.255.0 exit Switch (config)#username admin pri 15 password cisco Switch (config)#enable password cisco Switch (config)#aaa new-model Switch (config)#aaa group server tacacs+ gns3group Switch (config-sg-tacacs+)#server name container Switch (config-sg-tacacs+)#exit Switch (config)#tacacs server container Switch (config-server-tacacs)#address ipv4 192.168.1.200 Switch (config-server-tacacs)#key gns3 Switch (config-server-tacacs)#exit Switch (config)# aaa authentication login default group gns3group local → TACACS+ Switch (config)#aaa authentication enable default enable → enable password cisco Verifications: ------------------- debug aaa authentication debug tacacs
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY Do a self telnet 192.168.29.102 Username: gns3 Password: gns3 Or Username: readonly Password: gns3 Show users show line cd /etc/tacacs+ cat tac_plus.conf root@AAA-1:~# service tacacs_plus start/stop CLI Commands: (RADIUS) Switch(config)#username admin pri 15 password cisco Switch(config)#aaa new-model Switch(config)#enable password cisco
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY Switch(config)#aaa group server radius gns3group2 Switch(config-sg-radius)#server name radius1 Switch(config-sg-radius)#exit Switch(config)# radius server radius1 Switch(config-radius-server)# address ipv4 192.168.29.221 auth-port 1812 acct-port 1813 Switch(config-radius-server)#key gns3 Switch(config)# aaa authentication login default group gns3group2 local → Radius Switch(config)#aaa authentication enable default enable → enable password cisco Note: RADIUS has been officially assigned UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting, respectively) were used unofficially, and became the default ports assigned by many RADIUS client/server implementations at that time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason, many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests. Verifications: ------------------- debug aaa authentication debug radius Do a self telnet 192.168.29.102 Username: bob or alice Password: gns3 Show users show line root@AAA-1:~# cat /etc/freeradius/3.0/users service freeradius start/stop
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY ACCESS-LIST [ ACL ] Defining an ACL An ACL is a router configuration script (a list of statements) that controls whether a router permits or denies packets to pass, based on criteria in the packet header. To determine whether a packet is permitted or denied, it is tested against the ACL statements in sequential order. When a statement matches, no more statements are evaluated; the packet is either permitted or denied. There is an implicit deny any statement at the end of the ACL. If a packet does not match any of the statements in the ACL, it is dropped. Types of ACLs ACLs can be configured to filter any type of protocol traffic, including other network layer protocols such as AppleTalk and IPX. For the CCNA exam, we focus on IPv4 and IPv6 ACLs, which come in the following types: 1. Standard IPv4 ACLs: Filter traffic based on source address only (all services are blocked) 2. Extended IPv4 and IPv6 ACLs: Can filter traffic based on source and destination address, specific protocols, and source and destination TCP and UDP ports Two ways to Identify Standard or Extended ACL: 1. Numbered IPv4 ACLs: Use a number for identification 2. Named IPv4 and IPv6 ACLs: Use a descriptive name or number for identification Named ACLs must be used with some types of Cisco IOS configurations, including IPv6 ACLs. However, they provide two basic benefits for standard and extended IPv4 ACLs: ➢ By using a descriptive name (such as BLOCK-HTTP), a network administrator can more quickly determine the purpose of an ACL. This is particularly helpful in larger networks, where a router can have many ACLs with hundreds of statements. ➢ Both numbered and named ACLs can be configured for standard as well as extended ACL implementations.
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY ACL IDENTIFICATIONS: Cisco IOS Software Release 12.3 introduced IP access list entry sequence numbering for both numbered and named ACLs. IP access list entry sequence numbering provides the following benefits: ▪ You can edit the order of ACL statements. ▪ You can remove individual statements from an ACL. ▪ You can use the sequence number to insert new statements into the middle of the ACL. ▪ Sequence numbers are automatically added to the ACL if they are not entered explicitly at the time the ACL is created.
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY Access List Rules The following rules apply to access lists: 1. Only one access list per interface, per protocol, and per direction is allowed. 2. An access list must contain at least one permit statement or all packets are denied entry into the network. 3. After a match is found, no more criteria statements are checked. 4. If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface or command with an empty access list applied to it permits all traffic into the network. 5. Standard access lists and extended access lists cannot have the same name. 6. Inbound access lists process packets before the packets are routed to an outbound interface. Inbound access lists that have filtering criteria that deny packet access to a network saves the overhead of routing lookup. 7. Outbound access lists process packets before they leave the device. Incoming packets are routed to the outbound interface and then processed by the outbound access list. For outbound access lists, when you configure a permit statement, packets are sent to the output buffer, and when you configure a deny statement, packets are discarded. 8. An access list can control traffic arriving at a device or leaving a device, but not traffic originating at a device. TYPES OF ACLS:
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY 1. Standard ACLs Standard ACLs are the oldest type of ACL. They date back to as early as Cisco IOS Software Release 8.3. Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses configured in the ACL. access-list access-list-number {permit|deny} {host|source source-wildcard|any} NUMBERED STANDARD ACL: interface Ethernet0/0 ip address 10.1.1.1 255.255.255.0 ip access-group 1 in exit access-list 1 permit 10.1.1.0 0.0.0.255 NAMED STANDARD ACL: R1(config)# ip access-list standard blockacl R1(config-std-nacl)# deny 172.16.40.0 0.0.0.255 R1(config-std-nacl)# permit any R1(config)# int fa0/1 R1(config-if)# ip access-group blockacl out 2. Extended Access Lists Extended access lists are good for blocking traffic anywhere. Extended access lists test source and destination addresses and other IP packet data, such as protocols, TCP or UDP port numbers, type of service (ToS), precedence, TCP flags, and IP options. Extended access lists can also provide capabilities that standard access lists cannot, such as the following: • Filtering IP Options • Filtering TCP flags • Filtering noninitial fragments of packets • Time-based entries NAMED EXTENDED ACL: R1(config)# ip access-list extended blockacl R1(config-ext-nacl)# deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21 R1(config-ext-nacl)# deny tcp any 172.16.50.0 0.0.0.255 eq 23 R1(config-ext-nacl)# permit ip any any
TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY R1(config)# int fa0/1 R1(config-if)# ip access-group blockacl out NUMBERED EXTENDED ACL: R1(config)# access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21 R1(config)# access-list 110 permit ip any any R1(config)# int fa0/1 R1(config-if)# ip access-group 110 out

More Related Content

PDF
5 ip security aaa and acl
SagarR24
 
PDF
5 ip security urpf
SagarR24
 
PDF
5 ip security copp-mpp
SagarR24
 
PDF
5 ip security dataplace security
SagarR24
 
PDF
4 ip services nat
SagarR24
 
PDF
Ccnp presentation [Day 1-3] Class
SagarR24
 
PDF
ClearPass Policy Manager 6.3 User Guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
4 ip services dhcp-part b
SagarR24
 
5 ip security aaa and acl
SagarR24
 
5 ip security urpf
SagarR24
 
5 ip security copp-mpp
SagarR24
 
5 ip security dataplace security
SagarR24
 
4 ip services nat
SagarR24
 
Ccnp presentation [Day 1-3] Class
SagarR24
 
ClearPass Policy Manager 6.3 User Guide
Aruba, a Hewlett Packard Enterprise company
 
4 ip services dhcp-part b
SagarR24
 

What's hot (20)

PDF
ArubaOS 6.3.x Quick Start Guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
Aruba Activate User Guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
Aruba OS 6.3 Command Line Interface Reference Guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass Policy Model - An Introduction
Aruba, a Hewlett Packard Enterprise company
 
PDF
Useful cli commands v1
Aruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass 6.3.6 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
PDF
Aruba ClearPass Guest 6.3 User Guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
Aruba OS 7.3 Command Line Interface Reference Guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba, a Hewlett Packard Enterprise company
 
PDF
4 ip services dhcp
SagarR24
 
PDF
Aruba instant 6.4.0.2 4.1 user guide
Aruba, a Hewlett Packard Enterprise company
 
PPTX
Aos & cppm integration & testing document for eap tls & eap peap
Julia Ostrowski
 
PDF
7 network programmability concepts api
SagarR24
 
PDF
ClearPass 6.3.6 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass 6.3.2 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
PDF
Aruba OS 6.4 User Guide
Aruba, a Hewlett Packard Enterprise company
 
PPTX
Introduction to AirWave 10
Aruba, a Hewlett Packard Enterprise company
 
PDF
As rbook
Ashok Dwivedi
 
PPTX
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Aruba, a Hewlett Packard Enterprise company
 
PDF
ClearPass 6.3.5 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
ArubaOS 6.3.x Quick Start Guide
Aruba, a Hewlett Packard Enterprise company
 
Aruba Activate User Guide
Aruba, a Hewlett Packard Enterprise company
 
Aruba OS 6.3 Command Line Interface Reference Guide
Aruba, a Hewlett Packard Enterprise company
 
ClearPass Policy Model - An Introduction
Aruba, a Hewlett Packard Enterprise company
 
Useful cli commands v1
Aruba, a Hewlett Packard Enterprise company
 
ClearPass 6.3.6 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
Aruba ClearPass Guest 6.3 User Guide
Aruba, a Hewlett Packard Enterprise company
 
Aruba OS 7.3 Command Line Interface Reference Guide
Aruba, a Hewlett Packard Enterprise company
 
Aruba Instant 6.4.0.2-4.1 Command Line Interface Reference Guide
Aruba, a Hewlett Packard Enterprise company
 
4 ip services dhcp
SagarR24
 
Aruba instant 6.4.0.2 4.1 user guide
Aruba, a Hewlett Packard Enterprise company
 
Aos & cppm integration & testing document for eap tls & eap peap
Julia Ostrowski
 
7 network programmability concepts api
SagarR24
 
ClearPass 6.3.6 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
ClearPass 6.3.2 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
Aruba OS 6.4 User Guide
Aruba, a Hewlett Packard Enterprise company
 
Introduction to AirWave 10
Aruba, a Hewlett Packard Enterprise company
 
As rbook
Ashok Dwivedi
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Aruba, a Hewlett Packard Enterprise company
 
ClearPass 6.3.5 Release Notes
Aruba, a Hewlett Packard Enterprise company
 
Ad

Similar to 5 ip security aaa (20)

PDF
5 ip security asa-partb
SagarR24
 
PDF
5 ip security ipsec gre
SagarR24
 
PPTX
CCNA_RSE_Chp7.pptx
NarcisIlie1
 
PPTX
CCNP Switching Chapter 7
Chaing Ravuth
 
PPTX
CNv6_instructorPPT_Chapter4.pptx
OritseKings
 
PPTX
AAA Implementation
Ahmad El Tawil
 
PPTX
Ccna sv2 instructor_ppt_ch3
SalmenHAJJI1
 
PDF
F5 Automation Toolchain
MarketingArrowECS_CZ
 
DOCX
AAA server
hetvi naik
 
PDF
7 network programmability concepts api
SagarR24
 
PPT
CCNA Discovery 3 - Chapter 8
Irsandi Hasan
 
PPT
CCNP 642-732 Training
saenaetr
 
PPT
CCNA_Security_03.ppt
veracru1
 
PPT
redes telematicas CISCO para ingenieros pre
VictorTonio
 
PPT
redes telematicas CISCO para ingenieros parte 2
VictorTonio
 
PDF
Ch4-Implementing Firewall Technologies.pdf
OhmRon
 
PDF
7 network programmability concepts python-ansible
SagarR24
 
PPT
Chapter 4 overview
ali raza
 
PDF
Explore Advanced CA Release Automation Configuration Topics
CA Technologies
 
PPTX
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4
Waqas Ahmed Nawaz
 
5 ip security asa-partb
SagarR24
 
5 ip security ipsec gre
SagarR24
 
CCNA_RSE_Chp7.pptx
NarcisIlie1
 
CCNP Switching Chapter 7
Chaing Ravuth
 
CNv6_instructorPPT_Chapter4.pptx
OritseKings
 
AAA Implementation
Ahmad El Tawil
 
Ccna sv2 instructor_ppt_ch3
SalmenHAJJI1
 
F5 Automation Toolchain
MarketingArrowECS_CZ
 
AAA server
hetvi naik
 
7 network programmability concepts api
SagarR24
 
CCNA Discovery 3 - Chapter 8
Irsandi Hasan
 
CCNP 642-732 Training
saenaetr
 
CCNA_Security_03.ppt
veracru1
 
redes telematicas CISCO para ingenieros pre
VictorTonio
 
redes telematicas CISCO para ingenieros parte 2
VictorTonio
 
Ch4-Implementing Firewall Technologies.pdf
OhmRon
 
7 network programmability concepts python-ansible
SagarR24
 
Chapter 4 overview
ali raza
 
Explore Advanced CA Release Automation Configuration Topics
CA Technologies
 
CCNA (R & S) Module 02 - Connecting Networks - Chapter 4
Waqas Ahmed Nawaz
 
Ad

More from SagarR24 (18)

PDF
Ccnp enterprise workbook v1.0 bgp zero to hero
SagarR24
 
PDF
Ccnp enterprise workbook v1.0 completed till weigth
SagarR24
 
PDF
Ccnp enterprise workbook v1.0 eigrp
SagarR24
 
PDF
9. virtualization virtualization
SagarR24
 
PDF
3 ip routing vrf lite - v2
SagarR24
 
PDF
3 ip routing pbr bfd -v2
SagarR24
 
PDF
8 wireless part b
SagarR24
 
PDF
8 wireless parta v1
SagarR24
 
PDF
2 fhrp,hsrp,vrrp,gblp,ntp,nat glbp
SagarR24
 
PDF
Ccnp enterprise workbook hsrp vrrp glbp
SagarR24
 
PDF
4 ip services span,rspan
SagarR24
 
PDF
0.2 vt pv2 and v3
SagarR24
 
PDF
3 ip routing part b
SagarR24
 
PDF
3 ip routing bgp-updated
SagarR24
 
PDF
Ccnp enterprise workbook v1.0 ospf-updated
SagarR24
 
PDF
Ccnp enterprise workbook v1.0 added hsrpv1
SagarR24
 
PDF
3 ip routing eigrp
SagarR24
 
PDF
Class notes fhrp,hsrp,vrrp
SagarR24
 
Ccnp enterprise workbook v1.0 bgp zero to hero
SagarR24
 
Ccnp enterprise workbook v1.0 completed till weigth
SagarR24
 
Ccnp enterprise workbook v1.0 eigrp
SagarR24
 
9. virtualization virtualization
SagarR24
 
3 ip routing vrf lite - v2
SagarR24
 
3 ip routing pbr bfd -v2
SagarR24
 
8 wireless part b
SagarR24
 
8 wireless parta v1
SagarR24
 
2 fhrp,hsrp,vrrp,gblp,ntp,nat glbp
SagarR24
 
Ccnp enterprise workbook hsrp vrrp glbp
SagarR24
 
4 ip services span,rspan
SagarR24
 
0.2 vt pv2 and v3
SagarR24
 
3 ip routing part b
SagarR24
 
3 ip routing bgp-updated
SagarR24
 
Ccnp enterprise workbook v1.0 ospf-updated
SagarR24
 
Ccnp enterprise workbook v1.0 added hsrpv1
SagarR24
 
3 ip routing eigrp
SagarR24
 
Class notes fhrp,hsrp,vrrp
SagarR24
 

Recently uploaded (20)

PDF
SOIL: Factor, Horizon, Process, Classification, Degradation, Conservation
Sipra Biswas
 
PDF
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
PPTX
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
PDF
1_English_Language_Set_2.pdf probationary
emailjagmeetsingh9
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PPTX
Digestion and Absorption of Carbohydrates, Proteina and Fats
rekhapositivity
 
PDF
Trump Administration's workforce development strategy
Mebane Rash
 
PDF
LDMMIA Reiki Yoga Finals Review Spring Summer
LDMMia Reiki Lectures
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PPTX
Introduction to Building Materials
Mrunali Vasava
 
PPTX
CHAPTER IV. MAN AND BIOSPHERE AND ITS TOTALITY.pptx
greciamaycalambro
 
PDF
advance database management system book.pdf
hinamannan364
 
PDF
What if we spent less time fighting change, and more time building what’s rig...
Derek Wenmoth
 
PPTX
UNIT III MENTAL HEALTH NURSING ASSESSMENT
Sonali Gupta
 
DOC
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
PPTX
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
PDF
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PDF
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
PPTX
Radiologic_Anatomy_of_the_Brachial_plexus [final].pptx
atiaruhi95
 
SOIL: Factor, Horizon, Process, Classification, Degradation, Conservation
Sipra Biswas
 
Indian roads congress 037 - 2012 Flexible pavement
offersjackpot
 
Final Presentation General Medicine 03-08-2024.pptx
ZaheerAhmad228692
 
1_English_Language_Set_2.pdf probationary
emailjagmeetsingh9
 
Lesson notes of climatology university.
sgladness67
 
Digestion and Absorption of Carbohydrates, Proteina and Fats
rekhapositivity
 
Trump Administration's workforce development strategy
Mebane Rash
 
LDMMIA Reiki Yoga Finals Review Spring Summer
LDMMia Reiki Lectures
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
Introduction to Building Materials
Mrunali Vasava
 
CHAPTER IV. MAN AND BIOSPHERE AND ITS TOTALITY.pptx
greciamaycalambro
 
advance database management system book.pdf
hinamannan364
 
What if we spent less time fighting change, and more time building what’s rig...
Derek Wenmoth
 
UNIT III MENTAL HEALTH NURSING ASSESSMENT
Sonali Gupta
 
Soft-furnishing-By-Architect-A.F.M.Mohiuddin-Akhand.doc
ArchitectAFMMohiuddi
 
202450812 BayCHI UCSC-SV 20250812 v17.pptx
home
 
IGGE1 Understanding the Self1234567891011
rhea22labucay
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
Black Hat USA 2025 - Micro ICS Summit - ICS/OT Threat Landscape
Chris Sistrunk
 
Radiologic_Anatomy_of_the_Brachial_plexus [final].pptx
atiaruhi95
 

5 ip security aaa

  • 1. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY TOPICS COVERED: IP SERVICES - AAA [ AUTHENTICATION, AUTHORIZATION, ACCOUTING ] - ACCESS-LIST [ ACL ]
  • 2. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY AAA [ AUTHENTICATION, AUTHORIZATION, ACCOUTING ] AAA Authentication, authorization and accounting (AAA) is a system for tracking user activities on an IP- based network and controlling their access to network resources. AAA is often being implemented as a dedicated server. This term is also referred to as the AAA Protocol. 1. Authentication refers to unique identifying information from each system user, generally in the form of a username and password. System administrators monitor and add or delete authorized users from the system. 2. Authorization refers to the process of adding or denying individual user access to a computer network and its resources. Users may be given different authorization levels that limit their access to the network and associated resources. 3. Accounting refers to the record-keeping and tracking of user activities on a computer network. For a given time period this may include, but is not limited to, real-time accounting of time spent accessing the network, the network services employed or accessed, capacity and trend analysis, network cost allocations, billing data, login data for user authentication and authorization, and the data or data amount accessed or transferred. RADIUS vs TACACS+ TACACS+ RADIUS TACACS+ uses TCP RADIUS uses UDP TACACS+ uses TCP port 49 Uses port 1812/1645 for authenticating Uses port 1813/1646 for accounting TACACS+ encrypts the entire communication RADIUS encrypts passwords only TACACS+ treats Authentication, Authorization and Accountability differently RADIUS combines authentication and authorization TACACS+ is Cisco proprietary protocol RADIUS is an open protocol TACACS+ is a heavy-weight protocol consuming more resources RADIUS is a light-weight protocol consuming less resources TACACS+ supports 15 privilege levels RADIUS is limited to privilege mode Mainly used for Device administration Mainly used for Network access Note: RADIUS has been officially assigned UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting, respectively) were used unofficially, and became the default ports assigned by many RADIUS client/server implementations at that time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason, many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests. The early deployment of RADIUS was done using UDP port number 1645, which conflicts with the "datametrics" service. The officially assigned port number for RADIUS is 1812 (in 2000). The early deployment of RADIUS Accounting was done using UDP port number 1646, which conflicts with the "sa-msg-port" service. The officially assigned port number for RADIUS Accounting is 1813 (in 2000).
  • 3. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY GNS3 CLI Commands: (TACACS+) Switch (config)# interface vlan 1 no switchport ip add 192.168.1.101 255.255.255.0 exit Switch (config)#username admin pri 15 password cisco Switch (config)#enable password cisco Switch (config)#aaa new-model Switch (config)#aaa group server tacacs+ gns3group Switch (config-sg-tacacs+)#server name container Switch (config-sg-tacacs+)#exit Switch (config)#tacacs server container Switch (config-server-tacacs)#address ipv4 192.168.1.200 Switch (config-server-tacacs)#key gns3 Switch (config-server-tacacs)#exit Switch (config)# aaa authentication login default group gns3group local → TACACS+ Switch (config)#aaa authentication enable default enable → enable password cisco Verifications: ------------------- debug aaa authentication debug tacacs
  • 4. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY Do a self telnet 192.168.29.102 Username: gns3 Password: gns3 Or Username: readonly Password: gns3 Show users show line cd /etc/tacacs+ cat tac_plus.conf root@AAA-1:~# service tacacs_plus start/stop CLI Commands: (RADIUS) Switch(config)#username admin pri 15 password cisco Switch(config)#aaa new-model Switch(config)#enable password cisco
  • 5. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY Switch(config)#aaa group server radius gns3group2 Switch(config-sg-radius)#server name radius1 Switch(config-sg-radius)#exit Switch(config)# radius server radius1 Switch(config-radius-server)# address ipv4 192.168.29.221 auth-port 1812 acct-port 1813 Switch(config-radius-server)#key gns3 Switch(config)# aaa authentication login default group gns3group2 local → Radius Switch(config)#aaa authentication enable default enable → enable password cisco Note: RADIUS has been officially assigned UDP ports 1812 for RADIUS authentication and 1813 for RADIUS accounting by the Internet Assigned Numbers Authority (IANA). However, prior to IANA allocation of ports 1812 and 1813, ports 1645 and 1646 (authentication and accounting, respectively) were used unofficially, and became the default ports assigned by many RADIUS client/server implementations at that time. The tradition of using 1645 and 1646 for backwards compatibility continues to this day. For this reason, many RADIUS server implementations monitor both sets of UDP ports for RADIUS requests. Verifications: ------------------- debug aaa authentication debug radius Do a self telnet 192.168.29.102 Username: bob or alice Password: gns3 Show users show line root@AAA-1:~# cat /etc/freeradius/3.0/users service freeradius start/stop
  • 6. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY ACCESS-LIST [ ACL ] Defining an ACL An ACL is a router configuration script (a list of statements) that controls whether a router permits or denies packets to pass, based on criteria in the packet header. To determine whether a packet is permitted or denied, it is tested against the ACL statements in sequential order. When a statement matches, no more statements are evaluated; the packet is either permitted or denied. There is an implicit deny any statement at the end of the ACL. If a packet does not match any of the statements in the ACL, it is dropped. Types of ACLs ACLs can be configured to filter any type of protocol traffic, including other network layer protocols such as AppleTalk and IPX. For the CCNA exam, we focus on IPv4 and IPv6 ACLs, which come in the following types: 1. Standard IPv4 ACLs: Filter traffic based on source address only (all services are blocked) 2. Extended IPv4 and IPv6 ACLs: Can filter traffic based on source and destination address, specific protocols, and source and destination TCP and UDP ports Two ways to Identify Standard or Extended ACL: 1. Numbered IPv4 ACLs: Use a number for identification 2. Named IPv4 and IPv6 ACLs: Use a descriptive name or number for identification Named ACLs must be used with some types of Cisco IOS configurations, including IPv6 ACLs. However, they provide two basic benefits for standard and extended IPv4 ACLs: ➢ By using a descriptive name (such as BLOCK-HTTP), a network administrator can more quickly determine the purpose of an ACL. This is particularly helpful in larger networks, where a router can have many ACLs with hundreds of statements. ➢ Both numbered and named ACLs can be configured for standard as well as extended ACL implementations.
  • 7. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY ACL IDENTIFICATIONS: Cisco IOS Software Release 12.3 introduced IP access list entry sequence numbering for both numbered and named ACLs. IP access list entry sequence numbering provides the following benefits: ▪ You can edit the order of ACL statements. ▪ You can remove individual statements from an ACL. ▪ You can use the sequence number to insert new statements into the middle of the ACL. ▪ Sequence numbers are automatically added to the ACL if they are not entered explicitly at the time the ACL is created.
  • 8. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY Access List Rules The following rules apply to access lists: 1. Only one access list per interface, per protocol, and per direction is allowed. 2. An access list must contain at least one permit statement or all packets are denied entry into the network. 3. After a match is found, no more criteria statements are checked. 4. If an access list is referenced by a name, but the access list does not exist, all packets pass. An interface or command with an empty access list applied to it permits all traffic into the network. 5. Standard access lists and extended access lists cannot have the same name. 6. Inbound access lists process packets before the packets are routed to an outbound interface. Inbound access lists that have filtering criteria that deny packet access to a network saves the overhead of routing lookup. 7. Outbound access lists process packets before they leave the device. Incoming packets are routed to the outbound interface and then processed by the outbound access list. For outbound access lists, when you configure a permit statement, packets are sent to the output buffer, and when you configure a deny statement, packets are discarded. 8. An access list can control traffic arriving at a device or leaving a device, but not traffic originating at a device. TYPES OF ACLS:
  • 9. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY 1. Standard ACLs Standard ACLs are the oldest type of ACL. They date back to as early as Cisco IOS Software Release 8.3. Standard ACLs control traffic by the comparison of the source address of the IP packets to the addresses configured in the ACL. access-list access-list-number {permit|deny} {host|source source-wildcard|any} NUMBERED STANDARD ACL: interface Ethernet0/0 ip address 10.1.1.1 255.255.255.0 ip access-group 1 in exit access-list 1 permit 10.1.1.0 0.0.0.255 NAMED STANDARD ACL: R1(config)# ip access-list standard blockacl R1(config-std-nacl)# deny 172.16.40.0 0.0.0.255 R1(config-std-nacl)# permit any R1(config)# int fa0/1 R1(config-if)# ip access-group blockacl out 2. Extended Access Lists Extended access lists are good for blocking traffic anywhere. Extended access lists test source and destination addresses and other IP packet data, such as protocols, TCP or UDP port numbers, type of service (ToS), precedence, TCP flags, and IP options. Extended access lists can also provide capabilities that standard access lists cannot, such as the following: • Filtering IP Options • Filtering TCP flags • Filtering noninitial fragments of packets • Time-based entries NAMED EXTENDED ACL: R1(config)# ip access-list extended blockacl R1(config-ext-nacl)# deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21 R1(config-ext-nacl)# deny tcp any 172.16.50.0 0.0.0.255 eq 23 R1(config-ext-nacl)# permit ip any any
  • 10. TRAINER: SAGAR | NetworkJourney.com | www.youtube.com/c/NetworkJourney | LinkedIN CCNP ENTERPRISE 2020 LAB WORKBOOK|| TRAINER: SAGAR || WWW.YOUTUBE.COM/C/NETWORKJOURNEY R1(config)# int fa0/1 R1(config-if)# ip access-group blockacl out NUMBERED EXTENDED ACL: R1(config)# access-list 110 deny tcp 172.16.40.0 0.0.0.255 172.16.50.0 0.0.0.255 eq 21 R1(config)# access-list 110 permit ip any any R1(config)# int fa0/1 R1(config-if)# ip access-group 110 out