Ugrás a tartalomhoz

Szerkesztő:LinguisticMystic/ru/безопасность/7

A Wikiszótárból, a nyitott szótárból

🔒 07.0. Module 07: Authentication, Authorization, and Accounting (AAA) Introduction

[szerkesztés]

AAA (Authentication, Authorization, and Accounting) is a security framework used to manage user access to network devices and services. It ensures that only authorized users can access resources, controls their permissions, and logs their activities.

🌟 1. Why AAA Matters

[szerkesztés]
  1. Improved Security: Controls access to network devices and resources.
  2. Granular Access Control: Assigns permissions based on user roles.
  3. Accountability: Tracks user activities for auditing and troubleshooting.
  4. Centralized Management: Simplifies user administration across devices.
  5. Compliance: Supports regulatory requirements for access control and auditing.

🔑 2. Key Components of AAA

[szerkesztés]
  1. Authentication:
    • Verifies user identity before granting access.
    • Methods: Local database, RADIUS, TACACS+.
  2. Authorization:
    • Determines user permissions after authentication.
    • Controls access to specific commands and resources.
  3. Accounting:
    • Tracks user activities and resource usage.
    • Logs login attempts, commands executed, and session duration.

⚙️ 3. AAA Operation Workflow

[szerkesztés]
  1. User Login:
    • User provides credentials (username and password).
  2. Authentication:
    • AAA verifies credentials against the local database or external server.
  3. Authorization:
    • AAA checks user permissions based on assigned roles.
  4. Accounting:
    • AAA logs user activities for auditing.

🛠️ 4. AAA Configuration Overview

[szerkesztés]
  1. Enable AAA:
    • Activate the AAA framework on Cisco devices.
  2. Configure Authentication:
    • Define the login method (local or external).
  3. Set Up Authorization:
    • Assign privilege levels and access policies.
  4. Enable Accounting:
    • Log user sessions and command execution.

📡 5. AAA Server Options

[szerkesztés]
  1. Local AAA:
    • Authentication is performed on the local device.
    • Suitable for small networks.
  2. Remote AAA (Centralized):
    • Authentication is handled by an external server.
    • Supports large networks with multiple devices.
    • Protocols:
      • RADIUS: Used for user access control and accounting.
      • TACACS+: Cisco-specific, separates authentication and authorization.
Feature RADIUS TACACS+
Authentication Combines authentication and authorization Separates authentication and authorization
Encryption Encrypts passwords only Encrypts entire communication
Port UDP 1812 and 1813 TCP 49
Vendor Support Open standard Cisco-specific

🔒 6. Best Practices for AAA Implementation

[szerkesztés]
  1. Enable Strong Authentication:
    • Use multi-factor authentication (MFA).
    • Enforce password complexity.
  2. Role-Based Access Control (RBAC):
    • Assign privilege levels based on user roles.
  3. Restrict Access:
    • Limit access to trusted IP addresses.
  4. Enable Accounting:
    • Log user activities and configuration changes.
  5. Implement Redundancy:
    • Configure backup AAA servers for high availability.

📊 7. Benefits of AAA Implementation

[szerkesztés]
Benefit Description
Enhanced Security Ensures only authorized users access network resources.
Granular Access Control Assigns specific permissions based on user roles.
Improved Accountability Logs user activities for auditing and troubleshooting.
Centralized Management Simplifies user administration across devices.
Regulatory Compliance Supports standards for access control and auditing.

🚀 8. Learning Outcomes for Module 07

[szerkesztés]

After completing this module, you will be able to:
1. Configure AAA on Cisco devices.
2. Implement local and remote authentication.
3. Set up role-based access control (RBAC).
4. Enable accounting for user activity tracking.
5. Troubleshoot AAA authentication and authorization issues.

🔑 07.1. AAA Characteristics

[szerkesztés]

AAA (Authentication, Authorization, and Accounting) is a security framework that provides centralized access control for network devices and resources. It ensures that users are properly authenticated, authorized for specific actions, and their activities are logged for auditing.

🌟 1. Why AAA Matters

[szerkesztés]
  1. Enhanced Security: Ensures only authorized users can access the network.
  2. Granular Access Control: Assigns privileges based on user roles.
  3. Accountability: Tracks user activities for auditing and troubleshooting.
  4. Centralized Management: Simplifies user access management across devices.
  5. Regulatory Compliance: Supports standards for access control and auditing.

🔍 2. Key Components of AAA

[szerkesztés]

2.1. Authentication (Who Are You?)

[szerkesztés]

Authentication verifies the identity of users attempting to access the network. Users must provide valid credentials (username and password). Authentication Methods:
1. Local Authentication:
- Uses the router or switch’s local user database.
- Suitable for small networks.

  1. Remote Authentication:
    • Uses external AAA servers (RADIUS or TACACS+).
    • Scales for larger networks.

Example Configuration (Local Authentication):

!
aaa new-model
aaa authentication login default local
username admin privilege 15 secret AdminPass123
!

Explanation:
- aaa new-model: Enables AAA on the device.
- aaa authentication login default local: Uses the local database for login.

2.2. Authorization (What Are You Allowed to Do?)

[szerkesztés]

Authorization determines what actions users can perform after authentication. It defines access to commands, interfaces, and resources. Authorization Methods:
1. Command Authorization: Controls which commands users can execute.
2. Service Authorization: Limits access to specific services (e.g., VPN, CLI). Example Configuration (Command Authorization):

!
aaa authorization exec default local
!

Explanation:
- aaa authorization exec: Authorizes users for EXEC mode after login.

2.3. Accounting (What Did You Do?)

[szerkesztés]

Accounting logs user activities, including login/logout events, command execution, and resource usage. This provides visibility and supports auditing. Accounting Methods:
1. Session Accounting: Tracks user login and logout times.
2. Command Accounting: Logs commands executed by users. Example Configuration (User Session Accounting):

!
aaa accounting exec default start-stop group tacacs+
!

Explanation:
- start-stop: Logs session start and end times.

🔐 3. AAA Protocols: RADIUS vs. TACACS+

[szerkesztés]
Feature RADIUS TACACS+
Authentication Combines authentication and authorization Separates authentication and authorization
Encryption Encrypts only passwords Encrypts entire communication
Protocol UDP (Port 1812/1813) TCP (Port 49)
Vendor Support Open standard Cisco-specific
Best For Network access (e.g., VPN) Device administration

Recommendation:
- Use RADIUS for user access (e.g., 802.1X).
- Use TACACS+ for device administration.

🛠️ 4. AAA Configuration Steps

[szerkesztés]
  1. Enable AAA:
!
aaa new-model
!
  1. Configure Authentication:
!
aaa authentication login default group radius local
!
  1. Set Up Authorization:
!
aaa authorization exec default group radius local
!
  1. Enable Accounting:
!
aaa accounting exec default start-stop group radius
!
  1. Configure AAA Server (RADIUS/TACACS+):
!
radius-server host 192.168.1.100 key StrongRadiusKey123
!

📊 5. Verification and Monitoring

[szerkesztés]
  1. Verify AAA Configuration:
show running-config | include aaa
  1. Check User Sessions:
show aaa sessions
  1. View Accounting Logs:
show accounting

6. Summary of Key Commands

[szerkesztés]
Task Command Example
Enable AAA aaa new-model
Configure Authentication aaa authentication login default local
Configure Authorization aaa authorization exec default local
Enable Accounting aaa accounting exec default start-stop group radius
Verify AAA Configuration include aaa

🚀 7. Benefits of AAA Implementation

[szerkesztés]
  1. Enhanced Security: Prevents unauthorized access.
  2. Granular Control: Limits user privileges based on roles.
  3. Accountability: Logs user activities for auditing.
  4. Centralized Management: Simplifies user access administration.
  5. Compliance: Supports regulatory standards for access control.

⚔️ 8. Troubleshooting Tips

[szerkesztés]
Issue Possible Cause Solution
Login Failure Incorrect AAA server settings Verify server IP, key, and authentication method.
Authorization Denied User lacks required privileges Assign appropriate privilege levels.
Accounting Not Logging Server not receiving logs Ensure accounting is enabled and logs are forwarded.
Backup Fails AAA server unreachable Configure local authentication as a backup.

🔒 07.2. Configure Local AAA Authentication

[szerkesztés]

AAA Authentication ensures that only authorized users can access network devices. Local AAA Authentication uses the router or switch’s local database to verify credentials without relying on an external authentication server.

🌟 1. Why Use Local AAA Authentication?

[szerkesztés]
  1. Security: Prevents unauthorized access to network devices.
  2. Reliability: Works even if external authentication servers are unavailable.
  3. Granular Access Control: Assigns different privilege levels to users.
  4. Simple Implementation: Does not require additional infrastructure.

🔑 2. Key Components of Local AAA Authentication

[szerkesztés]
  1. AAA (Authentication, Authorization, and Accounting):
    • Manages user authentication for CLI and remote access.
  2. Local Database:
    • Stores user credentials on the device itself.
  3. Privilege Levels:
    • Determines the level of access each user has.

🛠️ 3. Configuration Steps for Local AAA Authentication

[szerkesztés]

3.1. Enable AAA on the Device

[szerkesztés]

AAA must be enabled before configuring authentication.

!
aaa new-model
!

Explanation:
- Activates the AAA security framework on the device.

3.2. Create Local User Accounts

[szerkesztés]

Define user credentials with different privilege levels.

!
username admin privilege 15 secret AdminPass123
username support privilege 5 secret SupportPass123
!

Explanation:
- privilege 15: Full administrative access.
- privilege 5: Restricted access to specific commands.
- secret: Encrypts passwords.

3.3. Configure Local AAA Authentication for Login

[szerkesztés]
  1. Apply Local Authentication for Console Access:
!
aaa authentication login CONSOLE_AUTH local
!
  1. Apply Local Authentication for Remote Access (VTY Lines):
!
aaa authentication login VTY_AUTH local
!
line vty 0 4
login authentication VTY_AUTH
!

Explanation:
- CONSOLE_AUTH: Authenticates users for console access.
- VTY_AUTH: Authenticates users for remote SSH access.

3.4. Configure Enable Mode Authentication

[szerkesztés]

Require authentication when users enter privileged EXEC mode.

!
aaa authentication enable default enable
!

Explanation:
- Users must provide the enable password to enter privileged EXEC mode.

3.5. Restrict Access with ACLs (Optional)

[szerkesztés]

Only allow management access from specific IP ranges.

!
ip access-list standard MGMT_ACCESS
permit 192.168.1.0 0.0.0.255
deny any
!
line vty 0 4
access-class MGMT_ACCESS in
!

Explanation:
- Only devices from the 192.168.1.0/24 subnet can access the device.

🔍 4. Verification and Testing

[szerkesztés]
  1. Verify AAA Configuration:
show running-config | include aaa
  1. Check User Privilege Levels:
show running-config | section username
  1. Test Remote Login via SSH:
ssh -l admin 192.168.1.1
  1. Check AAA Debug Logs:
debug aaa authentication

5. Summary of Key Commands

[szerkesztés]
Task Command Example
Enable AAA aaa new-model
Create Local Users username admin privilege 15 secret pass
Configure Console Login aaa authentication login CONSOLE_AUTH local
Configure Remote Login aaa authentication login VTY_AUTH local
Restrict Remote Access access-class MGMT_ACCESS in
Verify AAA Configuration include aaa

🔐 6. Best Practices for Local AAA Authentication

[szerkesztés]
  1. Use Strong Passwords: Enforce complex passwords for user accounts.
  2. Restrict Remote Access: Apply ACLs to VTY lines to allow only trusted IPs.
  3. Enable Logging: Monitor authentication attempts for security incidents.
  4. Use Role-Based Access Control (RBAC): Assign privilege levels based on job functions.
  5. Regularly Audit User Accounts: Remove inactive accounts to enhance security.

⚔️ 7. Troubleshooting Tips

[szerkesztés]
Issue Possible Cause Solution
Login Failure Incorrect username/password Verify credentials with show running-config
Access Denied for VTY ACL blocking management traffic Adjust ACL with permit <trusted IP>
Enable Mode Requires Password Authentication set for enable mode Use enable secret for authentication
AAA Debug Not Showing Data Debugging not enabled Use debug aaa authentication

🌟 8. Benefits of Local AAA Authentication

[szerkesztés]
  1. Simple Deployment: No external authentication servers required.
  2. Improved Security: Enforces authentication before granting access.
  3. Granular Control: Assigns different privilege levels to users.
  4. Reliable Backup: Works even if external authentication servers fail.
  5. Logging and Monitoring: Tracks authentication attempts for auditing.

🔒 07.3. Server-Based AAA Characteristics and Protocols

[szerkesztés]

Server-based AAA (Authentication, Authorization, and Accounting) provides a centralized security framework that controls user access, privileges, and activity logging across multiple network devices. Instead of storing user credentials locally on each device, server-based AAA relies on external RADIUS or TACACS+ servers to manage authentication requests.

🌟 1. Why Use Server-Based AAA?

[szerkesztés]
  1. Centralized Authentication:
    • Manages all user credentials from one server.
    • Reduces administrative overhead.
  2. Granular Authorization Control:
    • Assigns different privilege levels based on user roles.
    • Prevents unauthorized configuration changes.
  3. Comprehensive Accounting & Auditing:
    • Logs user login/logout times and executed commands.
    • Ensures compliance with security policies.
  4. Scalability:
    • Supports large networks with multiple devices.
  5. Resilience & Backup:
    • Can integrate backup authentication methods in case of server failure.

🔑 2. Key Server-Based AAA Protocols: RADIUS vs. TACACS+

[szerkesztés]

Cisco devices support two main AAA protocols for authentication:

Feature RADIUS (Remote Authentication Dial-In User Service) TACACS+ (Terminal Access Controller Access-Control System Plus)
Authentication Combines authentication & authorization Separates authentication & authorization
Encryption Encrypts only passwords Encrypts the entire communication
Transport Protocol UDP (1812 for authentication, 1813 for accounting) TCP (Port 49)
Vendor Support Open standard (RFC 2865), used in VPNs & wireless networks Cisco proprietary, used for network device administration
Best For User authentication for remote access (e.g., 802.1X, VPNs, Wi-Fi) Device administration (router/switch management)

Recommendation: - Use RADIUS for user authentication (VPN, wireless, 802.1X).
- Use TACACS+ for network device management (routers, switches, firewalls).

🛠️ 3. How Server-Based AAA Works

[szerkesztés]

Step 1: Authentication

[szerkesztés]
  1. A user attempts to log into a device (e.g., a router or VPN).
  2. The device forwards the authentication request to the AAA server (RADIUS/TACACS+).
  3. The server checks the username/password against its database.
  4. If valid, the server grants access; if not, access is denied.

Step 2: Authorization

[szerkesztés]
  1. After authentication, the server authorizes what the user can do.
  2. Role-based access control (RBAC) determines command privileges.

Step 3: Accounting

[szerkesztés]
  1. The server logs session details:
    • Login/logout times
    • Executed commands
    • Configuration changes

📡 4. Server-Based AAA Configuration Overview

[szerkesztés]

To use RADIUS or TACACS+, you must configure:
1. The AAA client (Cisco router or switch).
2. The AAA server (RADIUS/TACACS+).

🔧 5. Configuration Steps for RADIUS and TACACS+

[szerkesztés]

5.1. Enable AAA on the Device

[szerkesztés]
!
aaa new-model
!

Explanation:
- Enables AAA functionality on the router/switch.

5.2. Configure RADIUS Authentication

[szerkesztés]
  1. Define the RADIUS Server:
!
radius-server host 192.168.1.100 key StrongRadiusKey123
!
  1. Enable RADIUS Authentication for User Login:
!
aaa authentication login default group radius local
!

Explanation:
- The router first checks RADIUS, then local authentication as a backup.

5.3. Configure TACACS+ Authentication

[szerkesztés]
  1. Define the TACACS+ Server:
!
tacacs-server host 192.168.1.200 key StrongTacacsKey123
!
  1. Enable TACACS+ Authentication for User Login:
!
aaa authentication login default group tacacs+ local
!

Explanation:
- If the TACACS+ server is unavailable, local authentication is used as a fallback.

5.4. Configure Authorization for Command Execution

[szerkesztés]
!
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!

Explanation:
- Requires TACACS+ authorization before executing privileged EXEC commands.

5.5. Enable Accounting for User Sessions

[szerkesztés]
!
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!

Explanation:
- Tracks who logs in, what commands they run, and when they log out.

🔍 6. Verification and Testing

[szerkesztés]
  1. Check AAA Configuration:
show running-config | include aaa
  1. Verify RADIUS/TACACS+ Server Connectivity:
show radius-server statistics
show tacacs-server host
  1. Monitor AAA Authentication Logs:
debug aaa authentication
  1. View Active User Sessions:
show aaa sessions

7. Summary of Key Commands

[szerkesztés]
Task Command Example
Enable AAA aaa new-model
Configure RADIUS Server radius-server host 192.168.1.100 key pass
Enable RADIUS Auth aaa authentication login default group radius local
Configure TACACS+ Server tacacs-server host 192.168.1.200 key pass
Enable TACACS+ Auth aaa authentication login default group tacacs+ local
Enable Authorization aaa authorization exec default group tacacs+ local
Enable Accounting aaa accounting exec default start-stop group tacacs+
Verify AAA Sessions show aaa sessions

🔐 8. Best Practices for Server-Based AAA

[szerkesztés]
  1. Use Strong Encryption:
    • Ensure RADIUS uses TLS and TACACS+ encrypts the full session.
  2. Implement Role-Based Access Control (RBAC):
    • Limit commands based on user roles (e.g., Admin, Support, Read-Only).
  3. Enable Logging & Auditing:
    • Regularly review AAA logs for suspicious activities.
  4. Use Redundant Servers:
    • Configure multiple RADIUS/TACACS+ servers for failover.
  5. Restrict AAA Access via ACLs:
    • Allow only trusted IPs to communicate with AAA servers.

⚔️ 9. Troubleshooting Tips

[szerkesztés]
Issue Possible Cause Solution
Login Failure Wrong server key or unreachable server Verify server IP, shared key, and ACLs
Authorization Denied User lacks privileges Assign correct role-based permissions
Accounting Logs Missing AAA server not logging events Ensure aaa accounting exec is enabled
Backup Auth Not Working Local authentication not configured Add local fallback method

🌟 10. Benefits of Server-Based AAA

[szerkesztés]
  1. Centralized User Management – Reduces administrative overhead.
  2. Granular Access Control – Limits privileges based on user roles.
  3. Strong Security – Encrypts authentication and command authorization.
  4. Comprehensive Auditing – Tracks login attempts and executed commands.
  5. Scalability – Supports thousands of network devices and users.

🔒 07.4. Configure Server-Based Authentication

[szerkesztés]

Server-based authentication allows network devices (routers, switches, firewalls) to delegate user authentication to a AAA server such as RADIUS or TACACS+. This approach centralizes user management, simplifies access control, and enhances security.

🌟 1. Why Use Server-Based Authentication?

[szerkesztés]
  1. Centralized Access Control:
    • Manage all network access from a single authentication server.
  2. Enhanced Security:
    • Prevents unauthorized access using encrypted authentication.
  3. Scalability:
    • Supports large-scale networks with many users and devices.
  4. Logging & Auditing:
    • Tracks user login/logout, executed commands, and session duration.
  5. Redundancy & Backup:
    • Supports multiple authentication servers for failover.

🔑 2. Choosing Between RADIUS and TACACS+

[szerkesztés]
Feature RADIUS (Remote Authentication Dial-In User Service) TACACS+ (Terminal Access Controller Access-Control System Plus)
Authentication Combines authentication & authorization Separates authentication & authorization
Encryption Encrypts only passwords Encrypts the entire session
Transport Protocol UDP (1812 for authentication, 1813 for accounting) TCP (Port 49)
Vendor Support Open standard, used for VPN, Wi-Fi, 802.1X Cisco proprietary, used for device management
Best For User authentication (VPNs, Wi-Fi, 802.1X) Network device management (routers, switches)

Recommendation:
- Use RADIUS for user authentication (e.g., VPN, 802.1X, wireless).
- Use TACACS+ for device management (routers, switches, CLI access).

🛠️ 3. Configuration Steps for Server-Based Authentication

[szerkesztés]

To configure server-based AAA authentication, you must:
1. Enable AAA on the network device.
2. Configure RADIUS or TACACS+ server settings.
3. Apply authentication policies.
4. Verify authentication and troubleshoot if needed.

📌 3.1. Enable AAA on the Cisco Device

[szerkesztés]
!
aaa new-model
!

Explanation:
- Activates AAA functionality on the router or switch.

📌 3.2. Configure RADIUS Authentication (For VPN, Wireless, 802.1X)

[szerkesztés]
  1. Define the RADIUS Server:
!
radius-server host 192.168.1.100 key StrongRadiusKey123
!
  1. Enable RADIUS Authentication for Login:
!
aaa authentication login default group radius local
!

Explanation:
- The router first checks RADIUS.
- If RADIUS is unavailable, it falls back to local authentication.

📌 3.3. Configure TACACS+ Authentication (For Router & Switch CLI Access)

[szerkesztés]
  1. Define the TACACS+ Server:
!
tacacs-server host 192.168.1.200 key StrongTacacsKey123
!
  1. Enable TACACS+ Authentication for Login:
!
aaa authentication login default group tacacs+ local
!

Explanation:
- If TACACS+ is unavailable, it falls back to local authentication.

📌 3.4. Configure Authorization (Command Privileges)

[szerkesztés]
  1. Enable Authorization for EXEC Mode:
!
aaa authorization exec default group tacacs+ local
!
  1. Restrict Command Execution Based on User Privileges:
!
aaa authorization commands 15 default group tacacs+ local
!

Explanation:
- Users must be authorized before running privileged EXEC commands.

📌 3.5. Configure Accounting (Track User Actions)

[szerkesztés]
  1. Enable Accounting for Login Sessions:
!
aaa accounting exec default start-stop group tacacs+
!
  1. Enable Command Accounting (Logs All Commands Run by Users):
!
aaa accounting commands 15 default start-stop group tacacs+
!

Explanation:
- Logs user logins and commands for security auditing.

📌 3.6. Configure Authentication for Console & SSH Access

[szerkesztés]
  1. Apply AAA Authentication to Console Login:
!
aaa authentication login CONSOLE_AUTH group tacacs+ local
line console 0
login authentication CONSOLE_AUTH
!
  1. Apply AAA Authentication to VTY (SSH) Access:
!
aaa authentication login VTY_AUTH group tacacs+ local
line vty 0 4
login authentication VTY_AUTH
!

🔍 4. Verification and Testing

[szerkesztés]
  1. Verify AAA Configuration:
show running-config | include aaa
  1. Check RADIUS/TACACS+ Server Status:
show radius-server statistics
show tacacs-server host
  1. Monitor AAA Authentication Logs:
debug aaa authentication
  1. View Active AAA Sessions:
show aaa sessions

5. Summary of Key Commands

[szerkesztés]
Task Command Example
Enable AAA aaa new-model
Configure RADIUS Server radius-server host 192.168.1.100 key pass
Enable RADIUS Auth aaa authentication login default group radius local
Configure TACACS+ Server tacacs-server host 192.168.1.200 key pass
Enable TACACS+ Auth aaa authentication login default group tacacs+ local
Enable Authorization aaa authorization exec default group tacacs+ local
Enable Accounting aaa accounting exec default start-stop group tacacs+
Verify AAA Sessions show aaa sessions

🔐 6. Best Practices for Server-Based Authentication

[szerkesztés]
  1. Use Strong Encryption:
    • TACACS+ encrypts the entire session, making it more secure.
    • RADIUS should use TLS for security.
  2. Implement Role-Based Access Control (RBAC):
    • Assign different privilege levels based on job roles.
  3. Enable Logging & Auditing:
    • Regularly review AAA logs for security monitoring.
  4. Use Redundant Servers:
    • Configure backup RADIUS/TACACS+ servers for failover.
  5. Restrict AAA Access via ACLs:
    • Allow only trusted IPs to communicate with AAA servers.

⚔️ 7. Troubleshooting Tips

[szerkesztés]
Issue Possible Cause Solution
Login Failure Wrong AAA server key or unreachable server Verify server IP, shared key, and ACLs
Authorization Denied User lacks privileges Assign correct role-based permissions
Accounting Logs Missing AAA server not logging events Ensure aaa accounting exec is enabled
Backup Auth Not Working Local authentication not configured Add local fallback method

🌟 8. Benefits of Server-Based Authentication

[szerkesztés]
  1. Centralized User Management: Reduces admin overhead.
  2. Granular Access Control: Limits privileges based on user roles.
  3. Stronger Security: Encrypts authentication and command authorization.
  4. Comprehensive Auditing: Tracks login attempts and executed commands.
  5. Scalability: Supports thousands of devices and users.

🔒 07.5. Configure Server-Based Authorization and Accounting

[szerkesztés]

This section explains how to configure server-based authorization and accounting using RADIUS or TACACS+ on Cisco devices. Authorization controls what a user can do after authentication, while accounting logs user activity for auditing.

🌟 1. Why Use Server-Based Authorization and Accounting?

[szerkesztés]
  1. Granular Access Control: Assign different access levels based on user roles.
  2. Improved Security: Prevent unauthorized access to sensitive commands.
  3. Compliance & Auditing: Track login sessions, executed commands, and configuration changes.
  4. Centralized Management: Simplifies access control for multiple devices.

🔑 2. Key Concepts: Authorization & Accounting

[szerkesztés]
AAA Component Purpose
Authorization Determines what users can do after authentication.
Accounting Logs user activities, including login/logout, commands, and session duration.

Authorization Example:
- An Admin user can configure the router, while a Support user can only view logs. Accounting Example:
- Logs when a user logs in, runs commands, or modifies configurations.

🛠️ 3. Configuration Steps for Server-Based Authorization & Accounting

[szerkesztés]

To configure authorization and accounting, we will:
1. Enable AAA on the device.
2. Configure the RADIUS or TACACS+ server settings.
3. Enable authorization policies (to control user privileges).
4. Enable accounting policies (to track user activity).

📌 3.1. Enable AAA on the Device

[szerkesztés]
!
aaa new-model
!

Explanation:
- Activates AAA functionality on the router/switch.

📌 3.2. Configure RADIUS or TACACS+ Server

[szerkesztés]

RADIUS Server Configuration

[szerkesztés]
!
radius-server host 192.168.1.100 key StrongRadiusKey123
!

TACACS+ Server Configuration

[szerkesztés]
!
tacacs-server host 192.168.1.200 key StrongTacacsKey123
!

Explanation:
- Defines the AAA server’s IP address and shared secret key for authentication.

📌 3.3. Configure Authorization (Command Privileges)

[szerkesztés]

Enable Authorization for EXEC Mode

[szerkesztés]
!
aaa authorization exec default group tacacs+ local
!

Restrict Command Execution Based on User Privileges

[szerkesztés]
!
aaa authorization commands 15 default group tacacs+ local
!

Explanation:
- Users must be authorized before accessing EXEC mode or running privileged commands.

📌 3.4. Configure Accounting (Log User Activity)

[szerkesztés]

Enable Accounting for Login Sessions

[szerkesztés]
!
aaa accounting exec default start-stop group tacacs+
!

Enable Accounting for Command Execution

[szerkesztés]
!
aaa accounting commands 15 default start-stop group tacacs+
!

Explanation:
- Tracks user logins, logouts, and executed commands for auditing.

📌 3.5. Configure Authorization & Accounting for Console & SSH Access

[szerkesztés]

Apply AAA Authentication & Authorization to Console Login

[szerkesztés]
!
aaa authentication login CONSOLE_AUTH group tacacs+ local
aaa authorization exec CONSOLE_AUTH group tacacs+ local
line console 0
login authentication CONSOLE_AUTH
!

Apply AAA Authentication & Authorization to VTY (SSH) Access

[szerkesztés]
!
aaa authentication login VTY_AUTH group tacacs+ local
aaa authorization exec VTY_AUTH group tacacs+ local
line vty 0 4
login authentication VTY_AUTH
!

🔍 4. Verification and Testing

[szerkesztés]

Verify AAA Configuration

[szerkesztés]
show running-config | include aaa

Check RADIUS/TACACS+ Server Status

[szerkesztés]
show radius-server statistics
show tacacs-server host

Monitor AAA Authentication & Authorization Logs

[szerkesztés]
debug aaa authentication
debug aaa authorization

View Active AAA Sessions

[szerkesztés]
show aaa sessions

5. Summary of Key Commands

[szerkesztés]
Task Command Example
Enable AAA aaa new-model
Configure RADIUS Server radius-server host 192.168.1.100 key pass
Configure TACACS+ Server tacacs-server host 192.168.1.200 key pass
Enable Authorization aaa authorization exec default group tacacs+ local
Enable Command Authorization aaa authorization commands 15 default group tacacs+ local
Enable Accounting aaa accounting exec default start-stop group tacacs+
Enable Command Accounting aaa accounting commands 15 default start-stop group tacacs+
Verify AAA Sessions show aaa sessions

🔐 6. Best Practices for Server-Based Authorization & Accounting

[szerkesztés]
  1. Use Role-Based Access Control (RBAC):
    • Assign different privilege levels based on job roles.
  2. Enable Logging & Auditing:
    • Regularly review AAA logs for suspicious activity.
  3. Use Redundant AAA Servers:
    • Configure backup RADIUS/TACACS+ servers for failover.
  4. Restrict AAA Access via ACLs:
    • Allow only trusted IPs to communicate with AAA servers.
  5. Test AAA Policies Regularly:
    • Verify that authorization rules match user access needs.

⚔️ 7. Troubleshooting Tips

[szerkesztés]
Issue Possible Cause Solution
Login Failure AAA server unreachable or wrong credentials Check server IP and shared secret key
Authorization Denied User lacks correct privileges Assign correct role-based permissions
Accounting Logs Missing AAA server not receiving logs Ensure aaa accounting exec is enabled
Backup Auth Not Working Local authentication not configured Add local fallback method

🌟 8. Benefits of Server-Based Authorization & Accounting

[szerkesztés]
  1. Granular Access Control:
    • Ensures users only access approved resources and commands.
  2. Security & Compliance:
    • Prevents unauthorized configuration changes and tracks user activity.
  3. Centralized Management:
    • Controls user access across multiple devices from one AAA server.
  4. Auditing & Troubleshooting:
    • Provides a detailed activity log for security reviews and compliance.

🚀 Final Thoughts

[szerkesztés]

By configuring server-based authorization and accounting, network administrators can:
✅ Restrict who can access what.
✅ Track who does what.
✅ Improve security and compliance.

🔒 07.6. Authentication, Authorization, and Accounting (AAA) Summary

[szerkesztés]

This section summarizes the key concepts, configurations, and benefits of Authentication, Authorization, and Accounting (AAA) in securing network access and management.

🌟 1. Why AAA is Important

[szerkesztés]
  1. Improves Security: Prevents unauthorized access to network devices.
  2. Granular Access Control: Defines different permission levels for users.
  3. Auditing & Compliance: Logs user activities for troubleshooting and auditing.
  4. Centralized Management: Simplifies user authentication across multiple devices.
  5. Scalability: Supports large networks with centralized authentication.

🔑 2. Key AAA Components

[szerkesztés]
Component Function
Authentication Verifies user identity before granting access.
Authorization Determines what users can do after authentication.
Accounting Tracks user login/logout, commands executed, and session activity.

📌 3. AAA Authentication Methods

[szerkesztés]

AAA Authentication ensures users provide valid credentials before accessing the network.

Method Description Use Case
Local Authentication User accounts stored on the device. Small networks, backup for server-based AAA.
Server-Based (RADIUS/TACACS+) Authentication delegated to an external AAA server. Large networks, centralized authentication.

Example Configuration:

aaa authentication login default local

or

aaa authentication login default group radius local

📌 4. AAA Authorization Methods

[szerkesztés]

AAA Authorization defines what commands or resources a user can access after authentication.

Authorization Type Purpose
EXEC Authorization Controls access to EXEC mode (CLI).
Command Authorization Restricts specific commands.

Example Configuration:

aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local

📌 5. AAA Accounting Methods

[szerkesztés]

AAA Accounting logs user activity, including login times, executed commands, and session details.

Accounting Type Purpose
Login Accounting Logs user login/logout activity.
Command Accounting Tracks commands executed by users.

Example Configuration:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

🛠️ 6. Key AAA Configurations

[szerkesztés]
Task Command Example
Enable AAA aaa new-model
Configure Local Authentication aaa authentication login default local
Configure RADIUS Server radius-server host 192.168.1.100 key pass
Enable RADIUS Authentication aaa authentication login default group radius local
Configure TACACS+ Server tacacs-server host 192.168.1.200 key pass
Enable TACACS+ Authentication aaa authentication login default group tacacs+ local
Enable Authorization aaa authorization exec default group tacacs+ local
Enable Accounting aaa accounting exec default start-stop group tacacs+

🔐 7. Best Practices for AAA Implementation

[szerkesztés]
  1. Use Strong Authentication Methods:
    • Prefer server-based authentication (RADIUS or TACACS+) over local authentication.
    • Implement multi-factor authentication (MFA) for added security.
  2. Restrict User Privileges:
    • Apply role-based access control (RBAC) using AAA authorization.
  3. Enable Logging & Auditing:
    • Monitor login attempts and command execution with AAA accounting.
  4. Use Redundant AAA Servers:
    • Configure backup RADIUS/TACACS+ servers for failover.
  5. Restrict AAA Access via ACLs:
    • Only allow trusted IP addresses to communicate with the AAA server.
  6. Encrypt Communication:
    • TACACS+ encrypts the entire session, making it more secure than RADIUS.
    • Use RADIUS over TLS for encrypted authentication.

⚔️ 8. Troubleshooting AAA Issues

[szerkesztés]
Issue Possible Cause Solution
Login Failure AAA server unreachable or wrong credentials Verify server IP, shared key, and ACLs
Authorization Denied User lacks privileges Assign correct role-based permissions
Accounting Logs Missing AAA server not logging events Ensure aaa accounting exec is enabled
Backup Authentication Not Working Local authentication not configured Add local fallback method

🌟 9. Benefits of AAA Implementation

[szerkesztés]
  1. Improved Security: Prevents unauthorized access to network devices.
  2. Granular Access Control: Limits user privileges based on job roles.
  3. Compliance & Auditing: Logs user activity for forensic analysis.
  4. Centralized Management: Simplifies user access across multiple devices.
  5. Scalability: Supports large enterprise networks.

🚀 Final Thoughts

[szerkesztés]

AAA Authentication, Authorization, and Accounting is a critical framework for securing network devices and managing user access. Implementing server-based AAA with RADIUS or TACACS+ enhances security, provides granular control, and ensures compliance with industry standards.

A lap eredeti címe: „https://hu.wiktionary.org/w/index.php?title=Szerkesztő:LinguisticMystic/ru/безопасность/7&oldid=3489265