Please enable JavaScript.

Coggle requires JavaScript to display documents.

AAA, | - Coggle Diagram

- - - - Identity and access control policy platform from Cisco TrustSec that enhances infraestructure security by combining policy definition, control and reporting in one place
    - - Gather real-time contextual information from users and devices
      - Defines fair access policies and enforces compliance for all end devices including BYOD
    - - Asset visibility
        
        Provides visibility of who and what is on the network
      - Posture assesement
        
        Determines if the device complies with device security policies before it connects to the network.
      - Segmentation
        
        Uses contextual data about network devices and endpoints to facilitate network segmentation.
      - Guest management and secure wireless
        
        Enables providing secure network accesss to external users
      - Threat Containament
        
        Adaptive network control policies are sent to endpoints whenever a threat is detected
  - - - Combines authentication and authorization but separates accounting
    - - Open/RFC standard
    - - UDP port 1645 or 1812 for authentication and UDP port 1646 or 1813 for accounting.
    - - Unidirectional challenge and response from the RADIUS security server to the RADIUS client
    - - Only user password encrypted with MD5
    - - Has no option to authorize router commands on a per-user or per-group basis
    - - Extensive
    - - Remote-acces technologies such as 802.1X, and Session Initiation Protocol (SIP), VoIP
    - - ISP for detailed accounting required for billing users
  - - - Separates AAA according the AAA architecture, allowing modularity
    - - Mostly Cisco supported
    - - TCP port 49
    - - Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP)
    - - Entire packet encrypted
    - - Provides authorization of router commands on a per-user or per-group basis
    - - Limited
    - - Organization with various user groups
- - - - STEP. 1 Globally enable AAA
      - STEP. 2 Specify the server that will provide AAA service for the router
      - STEP. 3 Configure the encryption key needed to encrypt the data transfer between the network device and AAA server
      - STEP. 4 Configure the AAA authentication method list to the TACACS+ or RADIUS server, it can use both when one fails, so authenticaiton method order is important when configuring a list
    - - STEP1
        
        R1(config)# aaa new-model
      - STEP2
        
        Enter TACACS+ configuration mode
        
        R1(config)# tacacs server name
        
        Configure server IP addresss
        
        IPv4
        
        R1(config-server-tacacs)# address ipv4 A.B.C.D
        
        IPv6
        
        R1(config-server-tacacs)# address ipv6 ipv6-address
        
        Maintain a single TCP connection for the life of the session
        
        R1(config-server-tacacs)# single-connection
      - STEP3
        
        R1(config-server-tacacs)# key password
      - STEP4
        
        R1(config)# aaa authentication login default group tacacs+
    - - STEP1
        
        R1(config)# aaa new-model
      - STEP2
        
        Enter RADIUS configuration mode
        
        R1(config)# radius server name
        
        Configure server IP addresss and ports
        
        About ports
        
        Cisco routers use port 1645 for the authentication and port 1646 for the accounting
        
        IANA has reserved ports 1812 for the RADIUS authentication port and 1813 for the RADIUS accounting port
        
        IPv4
        
        R1(config-radius-server)# address ipv4 ipv4-address auth-port port acct-port port
        
        IPv6
        
        R1(config-radius-server)# address ipv6 ipv6-address auth-port port acct-port port
      - STEP3
        
        R1(config-radius-server)# key password
      - STEP4
        
        R1(config)# aaa authentication login default group radius
  - - - Router(config)# aaa authorization (network | exec | commands level) {default | list-name} method1… [method4]
    - - Authorization type
        
        network
        
        For network services such as PPP and SLIP
        
        exec
        
        For User EXEC terminal sessions
        
        commands level
        
        command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level
  - - - Router(config)# aaa accounting {network | exec | connection} {default | list-name} {start-stop | stop-only | none } [broadcast] method1...[method4]
    - - types
        
        network
        
        Runs accounting for all network-related service requests, including PPP.
        
        exec
        
        Runs accounting for the EXEC shell session.
        
        connection
        
        Runs accounting on all outbound connections such as SSH and Telnet.
      - Record type which specifies what action cause accounting records to be updated
        
        start-stop
        
        Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process.
        
        stop-only
        
        Sends a "stop" accounting record for all cases including authentication failures.
        
        none
        
        Disables accounting services on a line or interface.
- - - - Example
        
        R1(config)# username username algorithm-type {scrypt | sha256 | md5 } secret password
    - - R1(config)# aaa new-model
    - - Example
        
        Router(config)# aaa authentication login {default | list-name} method1…[ method4 ]
      - Parameters
        
        default
        
        Use the listed authenticaiton method that follow this keyword as default list of methods when user logs in
        
        list-name
        
        Specify a name for documenation purposes. The name can be up to 31 characters
        
        method1...[method4]
        
        Identifies the list of methods that the AAA authentication process will query in the given sequence. Minimum 1, maximum 4
        
        Methods
        
        enable
        
        Uses the enable password for authentication
        
        local
        
        Uses the local username database for authentication
        
        local-case
        
        Uses case-sensitive local username authentication
        
        none
        
        Uses no authentication
        
        gropu radius
        
        Uses list of all RADIUS servers for authentication
        
        group tacacs+
        
        Uses the list of all TACACS+ servers for authentication
        
        group group-name
        
        Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command
    - - Configure a custom authentication method list to an interface
        
        R1(config-line)# login authentication list
      - Return to default method list
        
        R1(config-line)# no authentication login
      - Secure AAA user accounts by locking out accounts that have excesive failed attempts
        
        Router(config)# aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]
        
        Unlock an account by admin
        
        Router# clear aaa local user lockout
        
        Display a list of locked-out users
        
        Router# show aaa local user lockout
      - Display AAA sesion collected atributes such as ID, user IP, router access protocol, connection speed, number of packets
        
        Router# show aaa sessions
- - - - Users prove their identity before accessing resources with username and password combinations
      - Modes
        
        Local AAA authentication
        
        uses local databases
        
        Server-based AAA authentication
        
        The network device accesses a central AAA server (RADIUS or TACACS+)
    - - Determine which resources the user can access and which operations the user is allowed to perfom
    - - Records detailed information of what the user does during the session and for how much time