My Calendar

Monday, August 18, 2014

CCNA Security Chapter 3 Notes

CCNA Security Chapter 3

AAA Overview
AAA security in a Cisco environment has several functional components:
  • Authentication: Users and administrators must prove that they are who they say they are.
  • Authorization: After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.
  • Accounting and auditing: Accounting keeps track of how network resources are used.
AAA Authentication
AAA can be used to authenticate users for administrative access or for remote network access. The two access methods use different modes to request AAA services:
  • Character mode: A user sends a request to establish an EXEC mode process with the router for administrative purposes.
  • Packet mode: A user sends a request to establish a connection through the router with a device on the network.

Local AAA Authentication
Local AAA authentication uses a local database: usernames and passwords are stored locally on the Cisco router. It is ideal for small networks.

  1. Client establishes a connection with the router
  2. AAA router prompts the user for username and password
  3. The router authenticates the username and password using the local database
Server-Based AAA Authentication
Server-based AAA authentication uses an external database server that leverages the RADIUS or TACACS+ protocol. If there are multiple routers, server-based AAA is more appropriate.
  1. Client establishes a connection with the router
  2. AAA router prompts the user for username and password
  3. The router authenticates the username and password using a remote AAA server
  4. The user is authorized to access the network based on information on the server.
AAA Authorization
After a user is successfully authenticated against the selected AAA data source, the user is authorized for specific network resources.
  1. When a user has been authenticated, a session is established with the AAA server.
  2. The router requests authorization for the requested service from the AAA server.
  3. The AAA server returns a PASS/FAIL for authorization.
AAA Accounting
Accounting collects and reports usage data so that it can be employed for purposes such as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.


  1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
  2. When the user finishes, a stop message is recorded and the accounting process ends.
Configuring Local AAA Authentication with CLI
  1. Add username and password to the local router database for user administrative access to the router.
  2. Enable AAA globally 
  3. Configure AAA parameters on the router
  4. Confirm and troubleshoot the AAA configuration 
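
The four steps above as a Cisco IOS configuration, added here as an example and not taken from the original notes or the course material. The username, the secret placeholder, the method-list name VTY-LOCAL and the max-fail value of 5 are assumptions.

```cisco
! Step 1: create the local account BEFORE enabling AAA, and keep the
! current session open while testing, so a mistake cannot lock you out.
! Username and secret are placeholders.
configure terminal
 username EXAMPLE-ADMIN secret <REPLACE-WITH-STRONG-SECRET>
 !
 ! Step 2: enable AAA globally. From this point the login method
 ! lists below decide how each line authenticates.
 aaa new-model
 !
 ! Step 3: configure AAA parameters.
 ! Default list: used by every line that has no named list applied.
 ! "local-case" checks the local database with a case-sensitive username.
 aaa authentication login default local-case
 ! Named list (hypothetical name) applied only to the vty lines.
 aaa authentication login VTY-LOCAL local-case
 ! Lock a local account after 5 consecutive failed logins
 ! (the value 5 is an assumption, pick one that fits your policy).
 aaa local authentication attempts max-fail 5
 line vty 0 4
  login authentication VTY-LOCAL
 end
!
! Step 4: confirm and troubleshoot (privileged EXEC mode).
! Active AAA sessions:
show aaa sessions
! Local accounts currently locked out by max-fail:
show aaa local user lockout
! Trace the method list and result of each login attempt:
debug aaa authentication
! Turn debugging off again when finished.
undebug all
```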

Server-Based AAA Communication Protocols







Reference:
1) CCNA Security, Cisco Networking Academy

