AAA Authentication
© 2006 Cisco Systems, Inc. All rights reserved. ISCW v1.0

Cisco Device Hardening
Configuring AAA on Cisco Routers

Introduction to AAA

AAA Model
• Authentication:
  – Who are you?
  – “I am user student and my password validateme proves it.”
• Authorization:
  – What can you do? What can you access?
  – “User student can access host serverXYZ using Telnet.”
• Accounting:
  – What did you do? How long and how often did you do it?
  – “User student accessed host serverXYZ using Telnet for 15 minutes.”
  – “User student was connected to VPN for 25 minutes.”
  – “EXEC session of user student lasted 20 minutes and only show commands were executed.”

Implementing AAA
• Administrative access: Console, Telnet, and AUX access
• Remote user network access: VPN access

Router Access Modes

AAA Protocols: RADIUS and TACACS+

RADIUS Features
• Standard protocol (RFC 2865)
• Uses UDP on standard port numbers (1812 and 1813; Cisco Secure ACS uses 1645 and 1646 by default)
• Includes only two security features:
  – Encryption of passwords
  – Authentication of packets (MD5 fingerprinting)

RADIUS Authentication and Authorization
• The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password.
• The ACS can reply with an Access-Accept message, or an Access-Reject if authentication is not successful.

TACACS+ Authentication
• The example shows how the TACACS+ exchange starts before the user is prompted for username and password.
• The prompt text can be supplied by the TACACS+ server.

TACACS+ Network Authorization
• The example shows the process of network authorization, which starts after successful authentication.

Configuring the AAA Server (specifying the server on the NAS)
• TACACS+
• RADIUS

Configure AAA Login Authentication on Cisco Routers Using CLI

AAA Authentication Commands
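The two RADIUS security features the slides list (password hiding and MD5 fingerprinting of replies) and the Access-Request / Access-Accept exchange between NAS and ACS, worked through in an added Python example that is not part of the Cisco course material. It assumes a constructed shared secret and reuses the user and password from the AAA Model slide; both the NAS and the ACS role are simulated locally, without sockets.

```python
import hashlib, hmac, os, struct

RADIUS_AUTH_PORT, RADIUS_ACCT_PORT = 1812, 1813  # RFC 2865/2866; legacy Cisco Secure ACS defaults: 1645/1646
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each chunk with MD5(secret + previous chunk), seeded with the Request Authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        hidden += prev
    return hidden

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    # Server-side inverse of hide_password; the null padding is stripped afterwards.
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")

def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, 2 + len(value)) + value  # TLV; Length counts its 2-byte header

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    # NAS side, sent once the NAS holds the credentials. User-Name (1) travels in clear text; only User-Password (2) is hidden.
    request_auth = os.urandom(16)  # the NAS keeps this to check the reply
    attrs = attribute(1, username) + attribute(2, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3, the "MD5 fingerprint" of a reply: MD5(Code|ID|Length|RequestAuth|Attributes|Secret).
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code: int, ident: int, attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    # ACS side: Access-Accept (2) or Access-Reject (3), bound to the request and the shared secret.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + response_authenticator(code, ident, attrs, request_auth, secret) + attrs

def verify_reply(reply: bytes, ident: int, request_auth: bytes, secret: bytes) -> bool:
    # NAS side: a reply for another ID, or whose fingerprint does not match (forged, tampered, wrong secret), is dropped.
    code, reply_ident, length = struct.unpack("!BBH", reply[:4])
    if length < 20 or length != len(reply) or reply_ident != ident: return False
    expected = response_authenticator(code, reply_ident, reply[20:], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)
```

Only User-Password is hidden; User-Name and every other attribute cross the network in clear text, which is why the NAS-to-ACS path belongs on a protected management network.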