第6章_网络安全防范技术 -AAA
合集下载
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
Provides no fallback authentication method
R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local
User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid
温州大学
16
Method Type Keywords
Keywords
enable krb5 krb5-telnet line
Description
Uses the enable password for authentication. This keyword cannot be used. Uses Kerberos 5 for authentication. Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router. Uses the line password for authentication.
router(config)#
aaa authentication login {default | list-name} method1…[method4]
Command Description Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in Character string used to name the list of authentication methods activated when a user logs in
温州大学
3
Authentication – Local Database
Creates individual user account/password on each device Provides accountability
User accounts must be configured locally on each device
Typically implemented using an AAA server-based solution
Uses a set of attributes that describes user access to the network
温州大学
10
AAA Accounting
1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process.
温州大学
7
相对独立的AAA
AAA在路由器或NAS(network access server)中都 是相对独立的 AAA
Remote Client
也称为本地验证 适合于规模较小的网络 用户名和密码存在路由器本地上
Self-Contained AAA 1. The client establishes a connection with the router.
温州大学
13
Configure Local AAA Authentication with CLI
To authenticate administrator access (character mode access) 1. 2. 3. 4. Add usernames and passwords to the local router database Enable AAA globally Configure AAA parameters on the router Confirm and troubleshoot the AAA configuration
温州大学
8
基于服务器的AAA认证
Uses an external database server
Cisco Secure Access Control Server (ACS) for Windows Server Cisco Secure ACS Solution Engine Cisco Secure ACS Express
R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login
Uses a login and password combination on access lines Easiest to implement, but most unsecure method Vulnerable to brute-force attacks Provides no accountability
温州大学
9
AAA Authorization
1. When a user has been authenticated, a session is established with an AAA server. 2. The router requests authorization for the requested service from the AAA server. 3. The AAA server returns a PASS/FAIL for authorization.
Implemented using an AAA server-based solution Keeps a detailed log of what an authenticated user does on a device
温州大学
11
Local Versus Server-Based Authentication
温州大学
14
Additional Commands
aaa authentication enable
Enables AAA for EXEC mode access
aaa authentication ppp
Enables Aபைடு நூலகம்A for PPP network access
温州大学
15
AAA Authentication Command Elements
Internet
Local Database Method
温州大学
4
AAA技术
认证(authentication):核对用户和管理员身份 授权(authorization) 审计(accounting)
温州大学
5
AAA之间的依赖关系
AAA体系中三个独立功能之间的依存关系为:
可以在没有使用授权的情况下使用认证功能
default list-name
passwordexpiry
method1 [method2... ]
Enables password aging on a local authentication list.
Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.
可以在没有使用审计的情况下使用认证功能
不能在没有使用认证的情况下使用授权功能 不能在没有使用认证的情况下使用审计功能
温州大学
6
AAA的使用方法
字符模式访问:用于控制网络设备的管理访问,如 TELNET或CONSOLE访问
数据包模式访问:用于管理远程用户的网络访问,如拨 号客户端或VPN客户端
第6章 网络安全防范技 术-AAA
计算机网络安全 张纯容
1
知识点
Authentication, Authorization, and Accounting Describe the purpose of AAA and the various implementation techniques Implement AAA using the local database Implement AAA using TACACS+ and RADIUS protocols Implement AAA Authorization and Accounting
温州大学
2
Authentication – Password-Only
Password-Only Method
User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords
Internet
More appropriate if there are multiple routers
AAA Router
Cisco Secure ACS Server
Remote Client
1 2
4
3
Server-Based AAA
1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server.
local
local-case none cache group-name group radius group tacacs+ group group-name
Uses the local username database for authentication.
Uses case-sensitive local username authentication. Uses no authentication. Uses a cache server group for authentication. Uses the list of all RADIUS servers for authentication. Uses the list of all TACACS+ servers for authentication. Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
温州大学
12
Configure Local AAA Authentication
Configure Local AAA Authentication with CLI Configure Local AAA Authentication with SDM
Troubleshooting Local AAA Authentication
1
Router
2
3
2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.
R1(config)# username Admin secret Str0ng5rPa55w0rd R1(config)# line vty 0 4 R1(config-line)# login local
User Access Verification Username: Admin Password: cisco1 % Login invalid Username: Admin Password: cisco12 % Login invalid
温州大学
16
Method Type Keywords
Keywords
enable krb5 krb5-telnet line
Description
Uses the enable password for authentication. This keyword cannot be used. Uses Kerberos 5 for authentication. Uses Kerberos 5 telnet authentication protocol when using Telnet to connect to the router. Uses the line password for authentication.
router(config)#
aaa authentication login {default | list-name} method1…[method4]
Command Description Uses the listed authentication methods that follow this keyword as the default list of methods when a user logs in Character string used to name the list of authentication methods activated when a user logs in
温州大学
3
Authentication – Local Database
Creates individual user account/password on each device Provides accountability
User accounts must be configured locally on each device
Typically implemented using an AAA server-based solution
Uses a set of attributes that describes user access to the network
温州大学
10
AAA Accounting
1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process. 2. When the user finishes, a stop message is recorded ending the accounting process.
温州大学
7
相对独立的AAA
AAA在路由器或NAS(network access server)中都 是相对独立的 AAA
Remote Client
也称为本地验证 适合于规模较小的网络 用户名和密码存在路由器本地上
Self-Contained AAA 1. The client establishes a connection with the router.
温州大学
13
Configure Local AAA Authentication with CLI
To authenticate administrator access (character mode access) 1. 2. 3. 4. Add usernames and passwords to the local router database Enable AAA globally Configure AAA parameters on the router Confirm and troubleshoot the AAA configuration
温州大学
8
基于服务器的AAA认证
Uses an external database server
Cisco Secure Access Control Server (ACS) for Windows Server Cisco Secure ACS Solution Engine Cisco Secure ACS Express
R1(config)# line vty 0 4 R1(config-line)# password cisco R1(config-line)# login
Uses a login and password combination on access lines Easiest to implement, but most unsecure method Vulnerable to brute-force attacks Provides no accountability
温州大学
9
AAA Authorization
1. When a user has been authenticated, a session is established with an AAA server. 2. The router requests authorization for the requested service from the AAA server. 3. The AAA server returns a PASS/FAIL for authorization.
Implemented using an AAA server-based solution Keeps a detailed log of what an authenticated user does on a device
温州大学
11
Local Versus Server-Based Authentication
温州大学
14
Additional Commands
aaa authentication enable
Enables AAA for EXEC mode access
aaa authentication ppp
Enables Aபைடு நூலகம்A for PPP network access
温州大学
15
AAA Authentication Command Elements
Internet
Local Database Method
温州大学
4
AAA技术
认证(authentication):核对用户和管理员身份 授权(authorization) 审计(accounting)
温州大学
5
AAA之间的依赖关系
AAA体系中三个独立功能之间的依存关系为:
可以在没有使用授权的情况下使用认证功能
default list-name
passwordexpiry
method1 [method2... ]
Enables password aging on a local authentication list.
Identifies the list of methods that the authentication algorithm tries in the given sequence. You must enter at least one method; you may enter up to four methods.
可以在没有使用审计的情况下使用认证功能
不能在没有使用认证的情况下使用授权功能 不能在没有使用认证的情况下使用审计功能
温州大学
6
AAA的使用方法
字符模式访问:用于控制网络设备的管理访问,如 TELNET或CONSOLE访问
数据包模式访问:用于管理远程用户的网络访问,如拨 号客户端或VPN客户端
第6章 网络安全防范技 术-AAA
计算机网络安全 张纯容
1
知识点
Authentication, Authorization, and Accounting Describe the purpose of AAA and the various implementation techniques Implement AAA using the local database Implement AAA using TACACS+ and RADIUS protocols Implement AAA Authorization and Accounting
温州大学
2
Authentication – Password-Only
Password-Only Method
User Access Verification Password: cisco Password: cisco1 Password: cisco12 % Bad passwords
Internet
More appropriate if there are multiple routers
AAA Router
Cisco Secure ACS Server
Remote Client
1 2
4
3
Server-Based AAA
1. The client establishes a connection with the router. 2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using a remote AAA server. 4. The user is authorized to access the network based on information on the remote AAA Server.
local
local-case none cache group-name group radius group tacacs+ group group-name
Uses the local username database for authentication.
Uses case-sensitive local username authentication. Uses no authentication. Uses a cache server group for authentication. Uses the list of all RADIUS servers for authentication. Uses the list of all TACACS+ servers for authentication. Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.
温州大学
12
Configure Local AAA Authentication
Configure Local AAA Authentication with CLI Configure Local AAA Authentication with SDM
Troubleshooting Local AAA Authentication
1
Router
2
3
2. The AAA router prompts the user for a username and password. 3. The router authenticates the username and password using the local database and the user is authorized to access the network based on information in the local database.