CCNA Security v2.0
Chapter special: Authentication, Authorization, and Accounting
Lecturer: Jaroslav Dočkal
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public

0.0 Password encryption methods

Cleartext enable password (both forms are equivalent):
  enable password cisco123
  ena password cisco123
  service password-encryption

Hashed enable secret as stored in the configuration, or as entered:
  enable secret 5 00271A5307542A02D22842
  or: enable secret cisco123

Generic SHA-256 (type 4):
  enable secret 4 Rv4kArhts7yA2xd8BD2YTVbts

Salted PBKDF2-HMAC-SHA256 (type 8):
  R1(config)# enable algorithm-type sha256 secret cisco
  R1(config)# do sh run | i enable
  enable secret 8 $8$mTj4RZG8N9ZDOk$elY/asfm8kD3iDmkBe3hD2r4xcA/0oWS5V3os.O91u.
  R1(config)# username dockal algorithm-type sha256 secret class
  R1# show running-config | inc username
  username dockal secret 8 $8$dsYGNam3K1SIJO$7nv/35M/qr6t.dVc7UY9zrJDWRVqncHub1PE9UlMQFs

SHA-256 based, but specifically designed for passwords (scrypt, type 9):
  R1(config)# ena algorithm-type scrypt secret cisco
  R1(config)# do sh run | i enable
  enable secret 9 $9$WnArItcQHW/uuE$x5WTLbu7PbzGDuv0fSwGKS/KURsy5a3WCQckmJp0MbE:
  R1(config)# username dockal algorithm-type scrypt secret cisco
  R1# show running-config | inc username
  username dockal secret 9 $9$nhEmQVczB7dqsO$X.HsgL6x1il0RxkOSSvyQYwucySCt7qFm4v7pqCxkKM

Chapter outline:
3.0 Introduction
3.1 Purpose of the AAA
3.2 Local AAA Authentication
3.3 Server-Based AAA
3.4 Server-Based AAA Authentication
3.5 Server-Based Authorization and Accounting
3.6 Summary

Telnet is Vulnerable to Brute-Force Attacks
SSH and Local Database Method

AAA Authorization

Types of accounting information:
• Network
• Connection
• EXEC
• System
• Command
• Resource

Upon completion of this section, you should be able to:
• Configure AAA authentication, using the CLI, to validate users against a local database.
• Troubleshoot AAA authentication that validates users against a local database.

Configuring local AAA authentication:
1. Add usernames and passwords to the local router database for users that need administrative access to the router.
2. Enable AAA globally on the router.
3. Configure AAA parameters on the router.
4. Confirm and troubleshoot the AAA configuration.

Example Local AAA Authentication
Debug Local AAA Authentication
Understanding Debug Output

Upon completion of this section, you should be able to:
• Describe the benefits of server-based AAA.
• Compare the TACACS+ and RADIUS authentication protocols.

Server-based authentication:
1. User establishes a connection with the router.
2. Router prompts the user for a username and password.
3. Router passes the username and password to the Cisco Secure ACS (server or engine).
4. The Cisco Secure ACS authenticates the user.

Local authentication:
1. User establishes a connection with the router.
2. Router prompts the user for a username and password, authenticating the user against a local database.

TACACS+ Authentication Process
RADIUS Authentication Process
Cisco Secure ACS
Internet Authentication Service (IAS) was renamed Network Policy Server (NPS).

Upon completion of this section, you should be able to:
• Configure server-based AAA authentication, using the CLI, on Cisco routers.
• Troubleshoot server-based AAA authentication.

Configuring server-based AAA authentication:
1. Enable AAA.
2. Specify the IP address of the ACS server.
3. Configure the secret key.
4. Configure authentication to use either the RADIUS or TACACS+ server.

Cisco Access Control Server (ACS) and Cisco Identity Services Engine (ISE)
ACS supports only network access/device admin. ISE has a lot more services.

Upon completion of this section, you should be able to:
• Configure server-based AAA authorization.
• Configure server-based AAA accounting.
• Explain the functions of 802.1x components.

Authentication vs. Authorization
• Authentication ensures a device or end-user is legitimate.
• Authorization allows or disallows authenticated users access to certain areas and programs on the network.

TACACS+ vs. RADIUS
• TACACS+ separates authentication from authorization.
• RADIUS does not separate authentication from authorization.

Command Syntax for dot1x port-control
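An added configuration-audit example, written in Python for this page and not part of the Cisco slides: it classifies the `enable` and `username` credential lines of a running-config by the type codes shown on the password-encryption slide (0 and 7 recoverable, 4 unsalted SHA-256, 5 salted MD5, 8 PBKDF2-HMAC-SHA256, 9 scrypt), checks that each stored value carries the prefix its type code implies, and lists what should be migrated to type 8 or 9. The sample config and every hash value in it are constructed placeholders.

```python
import re

# Cisco IOS credential type codes as stored in running-config: (algorithm, rating,
# required hash prefix). Types 8 and 9 are the ones the slide recommends.
TYPE_INFO = {
    "0": ("cleartext", "CRITICAL", None),
    "7": ("reversible, from service password-encryption", "CRITICAL", None),
    "4": ("unsalted SHA-256", "HIGH", None),
    "5": ("salted MD5", "MEDIUM", "$1$"),
    "8": ("PBKDF2-HMAC-SHA256", "OK", "$8$"),
    "9": ("scrypt", "OK", "$9$"),
}

LINE_RE = re.compile(
    r"^\s*(?:enable|username\s+(?P<user>\S+)(?:\s+privilege\s+\d+)?)\s+(?P<kind>secret|password)"
    r"(?:\s+(?P<type>\d+))?\s+(?P<value>\S+)\s*$"
)

def classify_line(line):
    """Return (principal, type_code, algorithm, rating) for a credential line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    type_code = m.group("type")
    if type_code is None:
        if m.group("kind") == "secret":
            return None  # `enable secret <plain>` is input syntax; IOS stores it hashed
        type_code = "0"  # `enable password cisco123` is stored exactly as typed
    algorithm, rating, prefix = TYPE_INFO.get(type_code, ("unknown type", "HIGH", None))
    if prefix and not m.group("value").startswith(prefix):
        algorithm, rating = "malformed " + algorithm + " value", "HIGH"  # type/prefix mismatch
    return (m.group("user") or "enable", type_code, algorithm, rating)

def audit_config(config_text):
    """Classify every credential line of a running-config, weakest first."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "OK": 3}
    found = [f for f in map(classify_line, config_text.splitlines()) if f]
    return sorted(found, key=lambda f: order[f[3]])

# Constructed sample running-config; the hash values are placeholders, not device output.
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0123456789ABCDEF
enable secret 4 SHA256HASHPLACEHOLDER
username legacy secret 5 $1$abcd$efghijklmnopqrstuvwxyz0
username dockal secret 8 $8$SALTSALTSALTSA$HASHHASHHASHHASHHASHHASHHASHHASHHASHHASHHA
username bad secret 9 NOTASCRYPTHASH
"""
for principal, type_code, algorithm, rating in audit_config(SAMPLE_CONFIG):
    print(f"{rating:8} {principal:8} type {type_code}: {algorithm}")
```

Run it against the output of `show running-config | include secret|password` from a real device; anything rated CRITICAL or HIGH is a candidate for re-entry with `algorithm-type sha256` or `algorithm-type scrypt` as shown on the slide.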