SlideShare a Scribd company logo

AAA Implementation

A
Ahmad El Tawil

The document discusses authentication, authorization, and accounting (AAA) and provides instructions for configuring AAA on Cisco routers. It begins with an introduction to the three A's of AAA - authentication, authorization, and accounting. It then covers identifying each component and implementing authentication using local services or external servers like TACACS+ and RADIUS. The document also discusses authenticating router access, configuring AAA on Cisco routers including enabling AAA globally and setting authentication lists, and troubleshooting AAA using debug commands.

Education
1 of 29
1
2
3
4
5
6
7
8
9
Most read
10
11
Most read
12
13
14
15
16
17
18
19
20
Most read
21
22
23
24
25
26
27
28
29
AAA Implementation Presenter: Ahmad Ali Al Taweel Doctor: Kasem Ahmad
Outline – Introduction of AAA – Identification of each A – Implementing Authentication – TACACS+ and RADIUS AAA Protocols – Authenticating Router Access – Configuring AAA for Cisco Routers – Troubleshooting AAA on Cisco Routers – Configuring AAA with Cisco SDM – Summary
INTRODUCTION OF AAA  Sometimes referred to as “ triple-A” or just AAA,  A- Authentication  A- Authorization  A- Accounting Represent the big tree in terms of IP based network management & policy administration.
 AUTHENTICATION  Authentication is a process that ensures & confirms a user’s identity.  Authentication begins when a user tries to access information.  The user must prove his access rights & identity.  This login combination, which must be assigned to each user, authenticates access.
 AUTHORIZATION  Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username & password.  The amount of information & the amount of services the user has access to depend on the user’s authorization level.
 ACCOUNTING  Accounting is the process of keeping track of a user’s activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there & the amount of data transferred during the session.  Accounting data is used for trend analysis, capacity planning, billing auditing & cost allocation.
AAA MODEL—NETWORK SECURITY ARCHITECTURE • Authentication – Who are you? – “I am user student and my password validateme proves it.” • Authorization – What can you do? What can you access? – “User student can access host serverXYZ using Telnet.” • Accounting – What did you do? How long did you do it? How often did you do it? – “User student accessed host serverXYZ using Telnet for 15 minutes.”
IMPLEMENTING AUTHENTICATION USING LOCAL SERVICES 1. The client establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database. Perimeter Router Remote Client 1 2 3
IMPLEMENTING AUTHENTICATION USING EXTERNAL SERVERS 1. The client establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. Perimeter Router Remote Client Cisco Secure ACS for Windows Server Cisco Secure ACS Solution Engine 1 2 3 4
TACACS+ AND RADIUS AAA PROTOCOLS • Two different protocols are used to communicate between the AAA security servers and authenticating devices. • Cisco Secure ACS supports both TACACS+ and RADIUS: – TACACS+ remains more secure than RADIUS. – RADIUS has a robust application programming interface and strong accounting. Cisco Secure ACS Firewall Router Network Access Server TACACS+ RADIUS Security Server
AAA Implementation
Microsoft Windows dial-up networking connection: Username and Password fields Security Server Microsoft Windows Remote PC NAS Username and password (TCP/IP PPP) PSTN or ISDN
PPP , ISDN , PSTN  Point-to-Point Protocol (PPP) is a data link (layer 2) protocol used to establish a direct connection between two nodes. It connects two routers directly without any host or any other networking device in between. It can provide connection authentication,transmission encryption (using E CP, RFC 1968), and compression.  Integrated Services Digital Network (ISDN) is a set of communication standards for simultaneous digital transmission of voice, video, data.  Public Switched Telephone Network (PSTN) is the world's collection of interconnected voice-oriented public telephone networks.
AUTHENTICATING ROUTER ACCESS Telnet Host LAN Remote LAN Network Access Console Router Remote Router Administrative Access Internet
ROUTER LOCAL AUTHENTICATION CONFIGURATION PROCESS Here are the general steps required to configure a Cisco router for local authentication: • Step 1: Secure access to privileged EXEC mode. • Step 2: Enable AAA globally on the perimeter router with the aaa new-model command. • Step 3: Configure AAA authentication lists. • Step 4: Configure AAA authorization for use after the user has passed authentication. • Step 5: Configure the AAA accounting options for how you want to write accounting records. • Step 6: Verify the configuration.
ENABLE AAA GLOBALLY USING THE AAA NEW-MODEL COMMAND aaa new-model router(config)# router(config)# aaa new-model username username password password router(config)# router(config)# username Joe106 password 1MugOJava • Establishes AAA section in configuration file • Sets username and password aaa authentication login default local • Helps prevent administrative access lockout while configuring AAA router(config)#
AAA AUTHENTICATION COMMANDS • These aaa authentication commands are available in Cisco IOS Releases 12.2 and later. • Each of these commands has its own syntax and options (methods). aaa authentication arap aaa authentication banner aaa authentication enable default aaa authentication fail-message aaa authentication local-override aaa authentication login aaa authentication nasi aaa authentication password-prompt aaa authentication ppp aaa authentication username-prompt router(config)#
AAA authentication Login Command aaa authentication login {default | list-name} method1 [method2...] router(config)# router(config)# aaa authentication login default enable router(config)# aaa authentication login console-in local router(config)# aaa authentication login tty-in line
AAA authentication PPP Command aaa authentication ppp {default | list-name} method1 [method2...] router(config)# router(config)# aaa authen ppp default local router(config)# aaa authen ppp dial-in local none
AAA authentication Enable Default Command aaa authentication enable default method1 [method2...] router(config)# router(config)# aaa authentication enable default group tacacs+ enable none
Apply Authentication Commands to Lines and Interfaces • Authentication commands can be applied to lines or interfaces. router(config)# line console 0 router(config-line)# login authentication console-in router(config)# int s3/0 router(config-if)# ppp authentication chap dial-in Note: It is recommended that you always define a default list for AAA to provide “last resort” authentication on all lines and interfaces protected by AAA.
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...] router(config)# router(config)# aaa authorization commands 1 alpha local router(config)# aaa authorization commands 15 bravo local router(config)# aaa authorization network charlie local none router(config)# aaa authorization exec delta if-authenticated router(config)# aaa authorization commands 15 default local
AAA ACCOUNTING COMMAND aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf- name] {start-stop | stop-only | none} [broadcast] group groupname router(config)# router(config)# aaa accounting commands 15 default stop-only group tacacs+ router(config)# aaa accounting auth-proxy default start-stop group tacacs+
TROUBLESHOOTING AAA USING DEBUG COMMANDS debug aaa authentication router# • Use this command to help troubleshoot AAA authentication problems debug aaa accounting router# • Use this command to help troubleshoot AAA accounting problems debug aaa authorization router# • Use this command to help troubleshoot AAA authorization problems
router# debug aaa authentication 113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)') 113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal') 113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
router# debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
CONFIGURING AAA WITH CISCO SDM 1 2 3
AAA Implementation
THANK YOU

More Related Content

PPTX
Internet security
Mohamed El-malki
 
PPTX
Mobile cloud Computing
Pooja Sharma
 
PPTX
Reinforcement Learning - Apprentissage par renforcement
YakoubAbdallahOUARDI
 
PPT
Spanning Tree Protocol
Manoj Gharate
 
PPT
Apprentissage par renforcement
NSim Technology
 
PDF
Overview of Spanning Tree Protocol
Arash Foroughi
 
PPTX
cyber security and forensic tools
Sonu Sunaliya
 
PPTX
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 
Internet security
Mohamed El-malki
 
Mobile cloud Computing
Pooja Sharma
 
Reinforcement Learning - Apprentissage par renforcement
YakoubAbdallahOUARDI
 
Spanning Tree Protocol
Manoj Gharate
 
Apprentissage par renforcement
NSim Technology
 
Overview of Spanning Tree Protocol
Arash Foroughi
 
cyber security and forensic tools
Sonu Sunaliya
 
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak
 

What's hot (20)

PDF
AAA Protocol
Netwax Lab
 
PPTX
network monitoring system ppt
ashutosh rai
 
PDF
AAA & RADIUS Protocols
Peter R. Egli
 
PPTX
System and network administration network services
Uc Man
 
PDF
IPSec (Internet Protocol Security) - PART 1
Shobhit Sharma
 
PPTX
Kerberos
Sutanu Paul
 
DOCX
AAA server
hetvi naik
 
PPT
Wireless LAN security
Rajan Kumar
 
PPT
Virtualization.ppt
vishal choudhary
 
PDF
DNS (Domain Name System)
Shashidhara Vyakaranal
 
PPTX
Mac addresses(media access control)
Ismail Mukiibi
 
PPT
Cloud Computing Security Challenges
Yateesh Yadav
 
PDF
Network Access Control (NAC)
Forescout Technologies Inc
 
PPT
Active directory
deshvikas
 
PPT
Wlan security
Sajan Sahu
 
PPT
Implementing Cisco AAA
dkaya
 
PPTX
Network monitoring system
MyPresentations Services
 
PPT
Network management
Mohd Arif
 
PPTX
Dhcp ppt
Hema Dhariwal
 
PPTX
Computer security concepts
Prachi Gulihar
 
AAA Protocol
Netwax Lab
 
network monitoring system ppt
ashutosh rai
 
AAA & RADIUS Protocols
Peter R. Egli
 
System and network administration network services
Uc Man
 
IPSec (Internet Protocol Security) - PART 1
Shobhit Sharma
 
Kerberos
Sutanu Paul
 
AAA server
hetvi naik
 
Wireless LAN security
Rajan Kumar
 
Virtualization.ppt
vishal choudhary
 
DNS (Domain Name System)
Shashidhara Vyakaranal
 
Mac addresses(media access control)
Ismail Mukiibi
 
Cloud Computing Security Challenges
Yateesh Yadav
 
Network Access Control (NAC)
Forescout Technologies Inc
 
Active directory
deshvikas
 
Wlan security
Sajan Sahu
 
Implementing Cisco AAA
dkaya
 
Network monitoring system
MyPresentations Services
 
Network management
Mohd Arif
 
Dhcp ppt
Hema Dhariwal
 
Computer security concepts
Prachi Gulihar
 
Ad

Similar to AAA Implementation (20)

PPT
CCNA_Security_03.ppt
veracru1
 
PPT
redes telematicas CISCO para ingenieros pre
VictorTonio
 
PDF
Computer Security - CCNA Security - Lecture 2
Mohamed Loey
 
PPTX
010 sa302 aaa+ldap
Babaa Naya
 
PPTX
010 sa302 aaa+ldap
Babaa Naya
 
PPT
CCNA Security 06- AAA
Ahmed Habib
 
PPT
Chapter 3 overview
ali raza
 
PDF
Ch3-Authentication, Authorization, and Accounting.pdf
OhmRon
 
PPTX
Securing management, control & data plane
NetProtocol Xpert
 
PPTX
CCNP Switching Chapter 7
Chaing Ravuth
 
PPT
Installation et configuration de système
khadijaguebsi45
 
PDF
Cisco Router and Switch Security Hardening Guide
Harris Andrea
 
PDF
Brkcrt 2214
Mac An
 
PPTX
Network Security v1.0 -network Module 7.pptx
roanmhammed
 
PDF
5 ip security aaa and acl
SagarR24
 
PDF
Ch2 - Securing Network Devices - CCNA Security.pdf
OhmRon
 
PPT
Ciscorouterasavpnserver 100218045815-phpapp01
slavenvvv
 
PDF
At8000 s configurando_aaa
NetPlus
 
PPTX
Commissioning, Managing & Troubleshooting Industrial Networks
Creekside Marketing Group, LLC
 
PDF
5 ip security dataplace security
SagarR24
 
CCNA_Security_03.ppt
veracru1
 
redes telematicas CISCO para ingenieros pre
VictorTonio
 
Computer Security - CCNA Security - Lecture 2
Mohamed Loey
 
010 sa302 aaa+ldap
Babaa Naya
 
010 sa302 aaa+ldap
Babaa Naya
 
CCNA Security 06- AAA
Ahmed Habib
 
Chapter 3 overview
ali raza
 
Ch3-Authentication, Authorization, and Accounting.pdf
OhmRon
 
Securing management, control & data plane
NetProtocol Xpert
 
CCNP Switching Chapter 7
Chaing Ravuth
 
Installation et configuration de système
khadijaguebsi45
 
Cisco Router and Switch Security Hardening Guide
Harris Andrea
 
Brkcrt 2214
Mac An
 
Network Security v1.0 -network Module 7.pptx
roanmhammed
 
5 ip security aaa and acl
SagarR24
 
Ch2 - Securing Network Devices - CCNA Security.pdf
OhmRon
 
Ciscorouterasavpnserver 100218045815-phpapp01
slavenvvv
 
At8000 s configurando_aaa
NetPlus
 
Commissioning, Managing & Troubleshooting Industrial Networks
Creekside Marketing Group, LLC
 
5 ip security dataplace security
SagarR24
 
Ad

More from Ahmad El Tawil (18)

PPTX
Force sensors presentation
Ahmad El Tawil
 
PPTX
Enabling Reusable and Adaptive Modeling,Provisioning & Execution of BPEL Proc...
Ahmad El Tawil
 
PPTX
Map reduce presentation
Ahmad El Tawil
 
DOCX
Map reduce advantages over parallel databases report
Ahmad El Tawil
 
PPTX
Map reduce advantages over parallel databases
Ahmad El Tawil
 
DOCX
Cloud computing risk assesment report
Ahmad El Tawil
 
PPTX
Cloud computing risk assesment
Ahmad El Tawil
 
DOCX
Piper Alpha Disaster Report
Ahmad El Tawil
 
PPTX
Fruit detection using morphological
Ahmad El Tawil
 
PPTX
Piper Alpha Disaster
Ahmad El Tawil
 
PPTX
Cloud computing risk assesment presentation
Ahmad El Tawil
 
PPTX
Bhopal Disaster Presentation
Ahmad El Tawil
 
PPTX
Security algorithms for manet
Ahmad El Tawil
 
PPTX
Bayesian network
Ahmad El Tawil
 
PPTX
5G green communication
Ahmad El Tawil
 
PPTX
A survey of ethical hacking process and security
Ahmad El Tawil
 
PPTX
E-DHCP
Ahmad El Tawil
 
PPTX
Cybercriminals focus on Cryptocurrency
Ahmad El Tawil
 
Force sensors presentation
Ahmad El Tawil
 
Enabling Reusable and Adaptive Modeling,Provisioning & Execution of BPEL Proc...
Ahmad El Tawil
 
Map reduce presentation
Ahmad El Tawil
 
Map reduce advantages over parallel databases report
Ahmad El Tawil
 
Map reduce advantages over parallel databases
Ahmad El Tawil
 
Cloud computing risk assesment report
Ahmad El Tawil
 
Cloud computing risk assesment
Ahmad El Tawil
 
Piper Alpha Disaster Report
Ahmad El Tawil
 
Fruit detection using morphological
Ahmad El Tawil
 
Piper Alpha Disaster
Ahmad El Tawil
 
Cloud computing risk assesment presentation
Ahmad El Tawil
 
Bhopal Disaster Presentation
Ahmad El Tawil
 
Security algorithms for manet
Ahmad El Tawil
 
Bayesian network
Ahmad El Tawil
 
5G green communication
Ahmad El Tawil
 
A survey of ethical hacking process and security
Ahmad El Tawil
 
E-DHCP
Ahmad El Tawil
 
Cybercriminals focus on Cryptocurrency
Ahmad El Tawil
 

Recently uploaded (20)

PDF
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
PDF
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
PPTX
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
PPTX
Lesson notes of climatology university.
sgladness67
 
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
PPTX
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
PDF
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
PDF
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
PPTX
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
PDF
Computing-Curriculum for Schools in Ghana
abigailanane203
 
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
PPTX
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
PDF
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 
Microbial disease of the cardiovascular and lymphatic systems
KeyaSharma
 
Complications of Minimal Access Surgery at WLH
mohitsuren827
 
Renaissance Architecture: A Journey from Faith to Humanism
DrMonicaSharma
 
Lesson notes of climatology university.
sgladness67
 
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
sreejithcareers
 
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
HakHe
 
Cell Types and Its function , kingdom of life
ClaireMangundayao1
 
Anesthesia in Laparoscopic Surgery in India
mohitsuren827
 
102 student loan defaulters named and shamed – Is someone you know on the list?
Kweku Zurek
 
1st Inaugural Professorial Lecture held on 19th February 2020 (Governance and...
kawisojames10
 
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
NihumathunnisaH
 
Computing-Curriculum for Schools in Ghana
abigailanane203
 
FourierSeries-QuestionsWithAnswers(Part-A).pdf
Raji Murugan
 
human mycosis Human fungal infections are called human mycosis..pptx
shilpa939953
 
GDM (1) (1).pptx small presentation for students
shrawanbpkihs
 
STATICS OF THE RIGID BODIES Hibbelers.pdf
pascualasturiaskaye4
 
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
MarjorieLopezTiu
 
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Academy of Grassroots Studies and Research of India (AGRASRI)
 
TR - Agricultural Crops Production NC III.pdf
avgilmegino3
 
Abdominal Access Techniques with Prof. Dr. R K Mishra
mohitsuren827
 

AAA Implementation

  • 1. AAA Implementation Presenter: Ahmad Ali Al Taweel Doctor: Kasem Ahmad
  • 2. Outline – Introduction of AAA – Identification of each A – Implementing Authentication – TACACS+ and RADIUS AAA Protocols – Authenticating Router Access – Configuring AAA for Cisco Routers – Troubleshooting AAA on Cisco Routers – Configuring AAA with Cisco SDM – Summary
  • 3. INTRODUCTION OF AAA  Sometimes referred to as “ triple-A” or just AAA,  A- Authentication  A- Authorization  A- Accounting Represent the big tree in terms of IP based network management & policy administration.
  • 4.  AUTHENTICATION  Authentication is a process that ensures & confirms a user’s identity.  Authentication begins when a user tries to access information.  The user must prove his access rights & identity.  This login combination, which must be assigned to each user, authenticates access.
  • 5.  AUTHORIZATION  Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username & password.  The amount of information & the amount of services the user has access to depend on the user’s authorization level.
  • 6.  ACCOUNTING  Accounting is the process of keeping track of a user’s activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there & the amount of data transferred during the session.  Accounting data is used for trend analysis, capacity planning, billing auditing & cost allocation.
  • 7. AAA MODEL—NETWORK SECURITY ARCHITECTURE • Authentication – Who are you? – “I am user student and my password validateme proves it.” • Authorization – What can you do? What can you access? – “User student can access host serverXYZ using Telnet.” • Accounting – What did you do? How long did you do it? How often did you do it? – “User student accessed host serverXYZ using Telnet for 15 minutes.”
  • 8. IMPLEMENTING AUTHENTICATION USING LOCAL SERVICES 1. The client establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router authenticates the username and password in the local database. The user is authorized to access the network based on information in the local database. Perimeter Router Remote Client 1 2 3
  • 9. IMPLEMENTING AUTHENTICATION USING EXTERNAL SERVERS 1. The client establishes a connection with the router. 2. The router prompts the user for a username and password. 3. The router passes the username and password to the Cisco Secure ACS (server or engine). 4. The Cisco Secure ACS authenticates the user. The user is authorized to access the router (administrative access) or the network based on information found in the Cisco Secure ACS database. Perimeter Router Remote Client Cisco Secure ACS for Windows Server Cisco Secure ACS Solution Engine 1 2 3 4
  • 10. TACACS+ AND RADIUS AAA PROTOCOLS • Two different protocols are used to communicate between the AAA security servers and authenticating devices. • Cisco Secure ACS supports both TACACS+ and RADIUS: – TACACS+ remains more secure than RADIUS. – RADIUS has a robust application programming interface and strong accounting. Cisco Secure ACS Firewall Router Network Access Server TACACS+ RADIUS Security Server
  • 12. Microsoft Windows dial-up networking connection: Username and Password fields Security Server Microsoft Windows Remote PC NAS Username and password (TCP/IP PPP) PSTN or ISDN
  • 13. PPP , ISDN , PSTN  Point-to-Point Protocol (PPP) is a data link (layer 2) protocol used to establish a direct connection between two nodes. It connects two routers directly without any host or any other networking device in between. It can provide connection authentication,transmission encryption (using E CP, RFC 1968), and compression.  Integrated Services Digital Network (ISDN) is a set of communication standards for simultaneous digital transmission of voice, video, data.  Public Switched Telephone Network (PSTN) is the world's collection of interconnected voice-oriented public telephone networks.
  • 14. AUTHENTICATING ROUTER ACCESS Telnet Host LAN Remote LAN Network Access Console Router Remote Router Administrative Access Internet
  • 15. ROUTER LOCAL AUTHENTICATION CONFIGURATION PROCESS Here are the general steps required to configure a Cisco router for local authentication: • Step 1: Secure access to privileged EXEC mode. • Step 2: Enable AAA globally on the perimeter router with the aaa new-model command. • Step 3: Configure AAA authentication lists. • Step 4: Configure AAA authorization for use after the user has passed authentication. • Step 5: Configure the AAA accounting options for how you want to write accounting records. • Step 6: Verify the configuration.
  • 16. ENABLE AAA GLOBALLY USING THE AAA NEW-MODEL COMMAND aaa new-model router(config)# router(config)# aaa new-model username username password password router(config)# router(config)# username Joe106 password 1MugOJava • Establishes AAA section in configuration file • Sets username and password aaa authentication login default local • Helps prevent administrative access lockout while configuring AAA router(config)#
  • 17. AAA AUTHENTICATION COMMANDS • These aaa authentication commands are available in Cisco IOS Releases 12.2 and later. • Each of these commands has its own syntax and options (methods). aaa authentication arap aaa authentication banner aaa authentication enable default aaa authentication fail-message aaa authentication local-override aaa authentication login aaa authentication nasi aaa authentication password-prompt aaa authentication ppp aaa authentication username-prompt router(config)#
  • 18. AAA authentication Login Command aaa authentication login {default | list-name} method1 [method2...] router(config)# router(config)# aaa authentication login default enable router(config)# aaa authentication login console-in local router(config)# aaa authentication login tty-in line
  • 19. AAA authentication PPP Command aaa authentication ppp {default | list-name} method1 [method2...] router(config)# router(config)# aaa authen ppp default local router(config)# aaa authen ppp dial-in local none
  • 20. AAA authentication Enable Default Command aaa authentication enable default method1 [method2...] router(config)# router(config)# aaa authentication enable default group tacacs+ enable none
  • 21. Apply Authentication Commands to Lines and Interfaces • Authentication commands can be applied to lines or interfaces. router(config)# line console 0 router(config-line)# login authentication console-in router(config)# int s3/0 router(config-if)# ppp authentication chap dial-in Note: It is recommended that you always define a default list for AAA to provide “last resort” authentication on all lines and interfaces protected by AAA.
  • 22. aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...] router(config)# router(config)# aaa authorization commands 1 alpha local router(config)# aaa authorization commands 15 bravo local router(config)# aaa authorization network charlie local none router(config)# aaa authorization exec delta if-authenticated router(config)# aaa authorization commands 15 default local
  • 23. AAA ACCOUNTING COMMAND aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf- name] {start-stop | stop-only | none} [broadcast] group groupname router(config)# router(config)# aaa accounting commands 15 default stop-only group tacacs+ router(config)# aaa accounting auth-proxy default start-stop group tacacs+
  • 24. TROUBLESHOOTING AAA USING DEBUG COMMANDS debug aaa authentication router# • Use this command to help troubleshoot AAA authentication problems debug aaa accounting router# • Use this command to help troubleshoot AAA accounting problems debug aaa authorization router# • Use this command to help troubleshoot AAA authorization problems
  • 25. router# debug aaa authentication 113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1 113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN 113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list 113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL 113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)') 113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER 113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS 113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal') 113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS 113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL 113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
  • 26. router# debug aaa accounting 16:49:21: AAA/ACCT: EXEC acct start, line 10 16:49:32: AAA/ACCT: Connect start, line 10, glare 16:49:47: AAA/ACCT: Connection acct stop: task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78 cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54 elapsed_time=14
  • 27. CONFIGURING AAA WITH CISCO SDM 1 2 3