AAA Best Practices
Download as PPTX, PDF0 likes350 views
The document discusses AAA (authentication, authorization, and accounting) server communication security, highlighting that while RADIUS only encrypts user passwords, TACACS+ encrypts the entire payload. It emphasizes the importance of using strong secrets for authentication and suggests limiting AAA communication to authorized servers. Additionally, it outlines various types of AAA server-based accounting services available in Cisco IOS, which facilitate tracking user activity and network resource consumption.
AAA Best Practices
- 1. AAA Authentication, Authorization, and Accounting -By, Sagar Gor
- 2. AAA Server Communication Security Communication between an authenticator (also referred to as a NAS, Network Access Server) and a AAA server is commonly performed using RADIUS or TACACS+. The security of this communication can be summarized as follows: Both RADIUS and TACACS+ transactions are authenticated using a shared, static secret (or key) associated with the device name or IP address but this secret is never sent over the network. RADIUS, per the standard, only encrypts the user password field. All other packet data is passed in clear text and is thus vulnerable to sniffing. TACACS+ encrypts the full payload of the packet, thereby providing some confidentiality of data, though the encryption algorithm is not very strong. The general guidelines for securing AAA server communication are: Employ strong secrets for authentication of the AAA server and NAS. Regularly change the secrets used to authenticate the AAA server and NAS. Restrict AAA communication to the limited set of authorized AAA servers, and over the configured AAA communication ports, using extended ACLs. Since RADIUS and TACACS+ do not support strong authentication and encryption, it is recommended that an out-of-band (OOB) or IPSec management network be considered as a means of protecting AAA server communication transactions from attack.
- 3. AAA Server Based Accounting Services AAA server-based accounting enables the ability to track the services users are accessing, as well as the amount of network resources they are consuming. When AAA server-based accounting is enabled, the network infrastructure device reports user activity to the AAA server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server. This data can then be analyzed for network management, client billing, and/or auditing. Cisco IOS software supports five different kinds of accounting: Network Accounting Network accounting provides information for all PPP, SLIP, or ARAP sessions, including packet and byte counts. Connection Accounting Connection accounting provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembly-disassembly (PAD), and rlogin. EXEC Accounting EXEC accounting provides information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.
- 4. Command Accounting Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a network access server. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it. System Accounting System accounting provides information about all system-level events (for example, when the system reboots or when accounting is turned on or off). The Network Security Baseline is focused on securing the network infrastructure and critical network services. Consequently, AAA-based accounting in Network Security Baseline includes: EXEC accounting Command accounting System accounting