What aspect of AAA is responsible for determining what a user can and cannot do with network resources?


This section contains the following information:

About AAA Services

About the RADIUS Protocol

About the TACACS+ Protocol

About RADIUS Authentication and Authorization

Setting Up RADIUS Accounting

About AAA Services

AAA network security services provide the primary framework through which a network administrator can set up access control on network points of entry or network access servers.

Authentication identifies a user.

Authorization determines what that user can do on the network.

Accounting monitors the network usage time for billing purposes.

AAA information is typically stored in an external database or remote server such as a RADIUS or TACACS+ server. The information can also be stored locally on the access server or router.

Remote security servers, such as RADIUS and TACACS+ servers, assign users specific privileges by associating attribute-value pairs, which define the access rights, with the appropriate user. All authorization methods must be defined through AAA.

About RADIUS Authentication and Authorization

Authentication is the process by which a system or network verifies the identity of a user who wishes to access it. Authentication ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual—that is the role of authorization.

Authorization is the process of giving individuals specific access rights to system or network resources based on their identity. Authorization employs access control rules to determine whether access requests from authenticated users are approved (granted) or disapproved (rejected).

The RADIUS protocol combines user authentication and authorization steps into one phase. The user must be successfully authenticated before the RADIUS server sends authorization information (from the user’s profile) to the Network Access Server (NAS).

Commands authorization assigns a list of CLI commands that can be executed by a specified user. The permitted CLI commands are defined on the remote RADIUS server in a user’s profile. When authentication is successful, the RADIUS server returns the permitted list of CLI commands that the authenticated user is authorized to execute. By default, all users can execute a minimal set of commands regardless of their authorization status, for example, “exit” and “logout”. This minimal set of commands can prevent deadlock on the switch due to an error in the user’s authorization profile on the RADIUS server. The user’s profile is encoded into Vendor-Specific Attributes (VSAs).

The list of permitted commands is used to filter all the commands executed by the user until the end of the session. This allows greater authorization control, where different rights can be given to different manager or operator users.
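The flow described above, as an added example that is not part of the switch documentation: the NAS side walks the attribute list of an Access-Accept, collects the permitted commands carried in Vendor-Specific Attributes, always adds the minimal exit/logout set, and filters commands against the result. The vendor ID 99999 and sub-attribute number 1 are constructed placeholders, not any real vendor's VSA numbering.

```python
# Added example, not from the switch documentation: walk a RADIUS Access-Accept
# attribute list, collect permitted CLI commands from Vendor-Specific Attributes
# (type 26), and filter commands against them. Vendor ID 99999 and sub-type 1
# are constructed placeholders, not any real vendor's VSA numbering.
import struct

VENDOR_ID, VSA_CMD = 99999, 1   # placeholders: vendor, sub-attribute = one permitted command
ALWAYS_ALLOWED = frozenset({"exit", "logout"})  # minimal set every user keeps

def parse_attributes(payload: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list (RFC 2865 TLVs)."""
    pos = 0
    while pos < len(payload):
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield atype, payload[pos + 2:pos + alen]
        pos += alen

def parse_vsa(value: bytes):
    """Split a Vendor-Specific value into (vendor_id, sub_type, sub_value)."""
    vendor_id = struct.unpack("!I", value[:4])[0]
    sub_type, sub_len = value[4], value[5]
    return vendor_id, sub_type, value[6:4 + sub_len]

def permitted_commands(accept_attrs: bytes) -> set:
    """Commands from the user's profile plus the always-allowed minimum."""
    cmds = set(ALWAYS_ALLOWED)
    for atype, value in parse_attributes(accept_attrs):
        if atype == 26:
            vendor_id, sub_type, sub_value = parse_vsa(value)
            if vendor_id == VENDOR_ID and sub_type == VSA_CMD:
                cmds.add(sub_value.decode())
    return cmds

def is_authorized(command: str, permitted: set) -> bool:
    """Match on the first keyword, so 'show radius' is covered by 'show'."""
    words = command.split()
    return bool(words) and words[0] in permitted

def vsa(sub_type: int, text: str) -> bytes:
    """Encode one Vendor-Specific attribute holding a single sub-attribute."""
    inner = bytes([sub_type, 2 + len(text)]) + text.encode()
    return bytes([26, 6 + len(inner)]) + struct.pack("!I", VENDOR_ID) + inner

# Constructed Access-Accept attributes: Service-Type (6) = Login (1), then
# VSAs granting 'show' and 'ping'. An empty profile still yields exit/logout.
SAMPLE_ACCEPT = bytes([6, 6]) + struct.pack("!I", 1) + vsa(VSA_CMD, "show") + vsa(VSA_CMD, "ping")
```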

About the RADIUS Protocol

The RADIUS (Remote Authentication Dial-In User Service) protocol carries authentication, authorization, and configuration information between a network access server (NAS) and a RADIUS authentication server.

Authentication with RADIUS allows for a unique password for each user, instead of the need to maintain and distribute switch-specific passwords to all users. RADIUS verifies identity for the following types of primary password access to the switch:

Serial port (console)

Telnet

SSH

SFTP/SCP

WebAgent

Port-Access (802.1X)

AOS switches support RADIUS accounting for web-based authentication and MAC authentication sessions, collecting resource consumption data and forwarding it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis.

Requests and responses carried by the RADIUS protocol are called RADIUS attributes. These attributes provide the information needed by a RADIUS server to authenticate users and to establish authorized network service for them. The RADIUS protocol also carries accounting information between a network access server and a RADIUS accounting server.

RADIUS is a client/server protocol. The RADIUS client is typically a network access server. The client passes user information to designated RADIUS servers and acts on the response that is returned. RADIUS servers receive user connection requests, authenticate the user, and then return the configuration information necessary for the client to deliver service to the user.

About the TACACS+ Protocol

TACACS AAA systems are used as a single point of management for configuring and storing user accounts. They are often coupled with directories and management repositories, simplifying the setup and maintenance of end-user accounts.

In the authorization function of the AAA system, network devices with Authentication Services can provide fine-grained control over user capabilities for the duration of the user’s session; for example, setting access control or session duration. Enforcement of restrictions to a user account can limit available commands and levels of access.

TACACS+ authentication provides a central server in which you can allow or deny access to switches and other TACACS-aware devices in your network. TACACS employs a central database that creates multiple unique user name and password sets with their associated privilege levels. This central database can be accessed by individuals via the AOS switch from either a console port or via Telnet.

TACACS+ uses an authentication hierarchy consisting of:

Remote passwords assigned in a TACACS+ server

Local passwords configured on the switch

In the event of a connection failure, a TACACS+ server defaults to locally assigned passwords for authentication control.

A TACACS+ server is able to:

Configure login authentication for read/write or read-only privileges.

Manage the authentication of login attempts by either the console port or via Telnet.

Setting Up RADIUS Accounting

This section provides the following information:

Accounting Services

RADIUS Accounting Server

Enabling RADIUS Accounting

Operating Rules for RADIUS Accounting

Operating Rules for RADIUS

Accounting Services

RADIUS accounting on the switch collects resource consumption data and forwards it to the RADIUS server. This data can be used for trend analysis, capacity planning, billing, auditing, and cost analysis. Accounting support is provided for WebAgent sessions on the switch.

RADIUS accounting collects data about user activity and system events and sends it to a RADIUS server when specified events occur on the switch, such as a logoff or a reboot.

Accounting Service Types

The switch supports four types of accounting services:

Network accounting: Provides records containing information on clients directly connected to the switch and operating under Port-Based Access Control (802.1X).

Executive accounting: Provides records holding the information about login sessions (console, Telnet, and SSH) on the switch.

System accounting: Provides information regarding system events that occur on the switch, including system reset, system boot, and enabling or disabling system accounting.

Commands accounting: Provides records containing information on CLI-command execution during user sessions.

RADIUS Accounting Server

A Network Access Server (NAS) operates as a client of the RADIUS accounting server. The client is responsible for passing user accounting information to a designated RADIUS accounting server. The RADIUS accounting server is responsible for receiving the accounting request and returning a response to the client indicating that it has successfully received the request. The RADIUS accounting server can act as a proxy client to other kinds of accounting servers. Transactions between the client and RADIUS accounting server are authenticated through the use of a shared secret, which is never sent over the network.
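The shared-secret check described above, as an added example that is not the switch's own code: the client computes the Accounting-Request authenticator over the packet and the secret, the server recomputes it with its own copy, and the Accounting-Response authenticator in turn proves to the client that the server knew the secret. The secret and the attribute values are constructed sample data.

```python
# Added example, not the switch's own code: how the shared secret authenticates
# a RADIUS Accounting-Request and the Accounting-Response without ever being
# sent (RFC 2866, sections 3 and 4). The secret and attribute values below are
# constructed sample data.
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5          # RADIUS packet codes
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
ACCT_START = 1

def attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value

def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attributes))
    auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + auth + attributes

def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """Server side: recompute the Request Authenticator with its own copy of the secret."""
    header, auth, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return hmac.compare_digest(auth, expected)

def build_accounting_response(request: bytes, secret: bytes, attributes: bytes = b"") -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCT_RESPONSE, request[1], 20 + len(attributes))
    auth = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return header + auth + attributes

def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a valid Response Authenticator proves the server knew the secret."""
    header, auth, attributes = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attributes + secret).digest()
    return hmac.compare_digest(auth, expected)

# Constructed sample: an accounting Start record for a login session.
SECRET = b"constructed-shared-secret"
START_ATTRS = (attr(USER_NAME, b"operator1")
               + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
               + attr(ACCT_SESSION_ID, b"0000001A"))
```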

Enabling RADIUS Accounting

You can enable RADIUS accounting for multiple features within the switch accounting configuration, and you can additionally configure start-stop accounting for other components. You also need to configure the accounting interval update timer, the aaa accounting update periodic parameter (set to 2 minutes in the example below). To set up RADIUS accounting, run the following commands:

AOS-switch(config)# aaa accounting network start-stop radius server-group CP-cluster

AOS-switch(config)# aaa accounting update periodic 2

AOS-switch(config)# show accounting

Figure 1: show accounting Command Output

Operating Rules for RADIUS Accounting

The operating rules for RADIUS accounting are as follows:

You can configure up to four types of accounting to run simultaneously: executive, system, network, and command.

RADIUS servers used for accounting are also used for authentication.

The switch must be configured to access at least one RADIUS server.

RADIUS servers are accessed in the order in which their IP addresses were configured in the switch. To view the order of the RADIUS servers, use the show radius command. As long as the first server is accessible and responding to authentication requests from the switch, a second or third server cannot be accessed.

If access to a RADIUS server fails during a session, but after the client has been authenticated, the switch continues to assume the server is available to receive accounting data. Thus, if server access fails during a session, it doesn't receive accounting data transmitted from the switch.

Operating Rules for RADIUS

The AOS switch operating rules for RADIUS are as follows:

You must have at least one RADIUS server accessible to the switch.

The switch supports authentication and accounting using up to fifteen RADIUS servers. The switch accesses the servers in the order in which they are listed by show radius. If the first server does not respond, the switch tries the next one, and so on.

You can select RADIUS as the primary authentication method for each type of access.

Only one primary and one secondary access method is allowed for each access type.

In the switch, EAP RADIUS uses MD5 and TLS to encrypt a response to a challenge from a RADIUS server.

When primary/secondary authentication is set to Radius/Local (for either Login or Enable) and the RADIUS server fails to respond to a client attempt to authenticate, the failure is noted in the Event Log with the message:

radius: Can't reach RADIUS server <server-ip-address>.

When this type of failure occurs, the switch prompts the client again to enter a user name and password. In this case, use the local user name (if any) and password configured on the switch itself.

Zero-length user names or passwords are not allowed for RADIUS authentication, even though this is allowed by some RADIUS servers.

Additional Configuration Considerations

Beyond the 802.1X configuration basics described above, there are many additional parameters you may choose to configure across the switch ports, such as the following recommendations.

Limiting Access for Unauthorized Clients

On the AOS switch, a switch port with a static VLAN ID and an unauthenticated client VLAN ID is automatically part of the Unauthenticated-client VLAN as soon as a device connects. If the device passes authentication, the port becomes an untagged member of the static VLAN. This behavior helps guest and other devices with 802.1X supplicants to connect more quickly.

To set an unauthenticated-client VLAN for one or more interfaces, issue the following command:

AOS-switch(config)# aaa port-access authenticator <port ID list> unauth-vid <VLAN ID>

The unauth-vid parameter configures the VLAN in which the specified ports are kept while an unauthenticated client is connected to the network.

Preventing Connectivity Delays for 802.1X Devices

For users who log in with 802.1X, setting an unauthenticated-client VLAN can cause a loss of connectivity. If the user's device allows non-EAP traffic before authentication, it might receive a DHCP address in the unauthenticated-client VLAN, which would cause the device to lose connectivity after the port moves to the VLAN for authenticated users.

To prevent connectivity delays based on this scenario, issue the following command:

AOS-switch(config)# aaa port-access authenticator <port ID list> unauth-period <seconds>
