This means that both the password and the username are case sensitive. The authentication is case-sensitive, indicated by the local-case keyword.The default keyword means that the authentication method applies to all lines, except those for which a specific line configuration overrides the default.The aaa authentication login command in the figure allows the ADMIN and JR-ADMIN users to log into the router via the console or vty terminal lines.R1(config)# aaa authentication login default local-caseĪaa authentication login method1. R1(config)# username JR-admin algorithm-type scrypt secret username Admin algorithm-type scrypt secret aaa new-model Confirm and troubleshoot the AAA configuration. Add usernames and passwords to the local router database for users that need administrative access to the router. Such records are necessary for users employing accounting records to manage and monitor their networks.Ĭonfiguring local AAA services to authenticate administrator access requires a few basic steps: The additional feature of generating “stop” records for calls that fail to authenticate as part of user authentication is also supported. Resource Accounting: The Cisco implementation of AAA accounting captures “start” and “stop” record support for calls that have passed user authentication.Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it. Command accounting: Command accounting captures information about the EXEC shell commands for a specified privilege level that are being executed on a network access server.System accounting: System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).EXEC accounting: EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.Connection accounting: Connection accounting captures information about all outbound connections made from the AAA client, such as Telnet or SSH.Network accounting:Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.
These statistics can be extracted to create detailed reports about the configuration of the network. This data can be used for such purposes as auditing or billing. AccountingĪAA Accounting collects and reports usage data. Authorization is implemented immediately after the user is authenticated. These attributes are compared to the information contained within the AAA database, and a determination of restrictions for that user is made and delivered to the local router where the user is connected.Īuthorization is automatic and does not require users to perform additional steps after authentication.
Authorization uses a created set of attributes that describes the user’s access to the network. AuthorizationĪuthorization is basically what users can and cannot do on the network after they are authenticated.Īuthorization is typically implemented using a AAA server-based solution. On occasion, references are made to IPv6-specific technologies and protocols. Note: In this course, the focus is on implementing network security with IPv4 on Cisco routers, switches, and Adaptive Security Appliances. The router requests authorization from the AAA server for the client’s requested service. When a user has been authenticated, a session is established between the router and the AAA server.Ģ. When there are multiple routers and switches, server-based AAA is more appropriate.1. The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System (TACACS+) protocols to communicate with the AAA server. The central AAA server contains the usernames and password for all users. Server-Based AAA Authentication – With server-based method, the router accesses a central AAA server, such as the Cisco Secure Access Control System (ACS) for Windows, shown in Figure 2.This database is the same one required for establishing role-based CLI. This method stores usernames and passwords locally in the Cisco router, and users authenticate against the local database.
In this course, it will be referred to as local AAA authentication. This method is sometimes known as self-contained authentication.
0 kommentar(er)
