AAA Services

1 AAA Services
Authentication
  – Who?
  – Management of the user's identity
Authorization
  – What can the user do?
  – Management of the granted services
Accounting
  – What did the user do?
  – Logging of activities and auditing

2 Uses of AAA
Two modes:
  – Character-mode access: AAA services are used to control administrative access to network devices, such as Telnet or console access
  – Packet-mode access: AAA services are used to manage remote user network access, such as dial-up clients or VPN clients
(T. A. Yang, Network Security)

3 cf. Alternative methods to AAA
Examples:
  – Password-based authentication
  – Challenge-response authentication
Incomplete access management:
  – Limited to authentication only (no authorization or accounting)

4 Local vs Centralized Databases in AAA

Feature               | Local DB                                            | Centralized DB
----------------------+-----------------------------------------------------+----------------------------------------------------------
Location of user data | Local on the device                                 | In a central authentication server (remote to the device)
Copies of user data   | Multiple copies (one per device)                    | Single copy
Scalability           | Poor (given a change, each copy needs to be updated) | Good
Single point of failure? | Depends (possibly no)                            | Yes
Recommended?          | Only for very small networks                        | Yes (especially for larger networks)

5 Authentication Protocols in AAA: RADIUS vs TACACS+
RADIUS
  – Remote Authentication Dial In User Service
  – An IETF standard (RFC 2865)
  – Open-source software available
  – Interoperability among RADIUS-based products
  – Client/server authentication between a NAS (e.g., a router) and a RADIUS server, with a shared secret between the client and the server
  – Runs on UDP (port 1812 for authentication and authorization; port 1813 for accounting)

6 RADIUS
RFC 2865 (2000): http://www.ietf.org/rfc/rfc2865.txt

7 The Authenticator field
Request Authenticator
  – The authenticator in the Access-Request packets
  – Requirements: the value SHOULD be unpredictable and unique over the lifetime of a shared secret. Repetition of a request value in conjunction with the same secret would permit an attacker to reply with a previously intercepted response.
Response Authenticator
  – The authenticator in the Access-Accept, Access-Reject, and Access-Challenge packets
  – ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)

8 RADIUS Example
Clients: router, switch, PIX/ASA, VPN3000
The Access-Request contains the username, the encrypted password, the NAS IP address, the NAS port number, and session information.
Source: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

9 RADIUS authentication
Note: both authentication and authorization information are combined in a single Access-Request packet.
Upon receiving an Access-Request, the RADIUS server
  1. Validates the shared secret
  2. Validates the username and password; if not validated, sends an Access-Reject response
  3. Authorizes the user; if authorization fails, sends an Access-Reject response, otherwise sends an Access-Accept response

10 Security mechanisms in RADIUS
Shared secret between the client and the server
In the Access-Request packet, the password is encrypted:
  MD5(shared secret + Request Authenticator) XOR the first 16 octets of the password → 16-octet encrypted password
Q: How would the RADIUS server authenticate the encrypted password?
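The following is an added worked example, not part of the slides, that puts slides 7, 9 and 10 together in code: the client hides the User-Password as RFC 2865 describes (the MD5 stream is chained across 16-octet blocks, which generalises the single-block case on the slide), the server recovers and checks it, and the reply carries the Response Authenticator the client verifies. The shared secret, the user database and the packet identifier are constructed sample values; RADIUS has no separate "validate the shared secret" step in this model, the wrong secret simply yields an unusable password and a rejected request.

```python
import hashlib
import hmac
import os
import struct

# Constructed sample values for the demo (not from the slides).
SHARED_SECRET = b"s3cret-shared-key"
USER_DB = {b"alice": b"correct horse battery staple"}  # server-side credential store

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RFC 2865 Code values
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2                # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block
    with MD5(secret + previous ciphertext block); for the first block the
    'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ s for p, s in zip(padded[i:i + 16], stream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: regenerate the same MD5 stream from the server's copy of the
    secret and the Request Authenticator carried in the packet, XOR it back,
    and strip the zero padding. The XOR is reversible, so no guessing is needed."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        stream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ s for c, s in zip(hidden[i:i + 16], stream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type (1 octet), Length (1 octet, includes header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Header: Code (1), Identifier (1), Length (2), Authenticator (16), then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code: int, ident: int, request_auth: bytes,
                           attrs: bytes, secret: bytes) -> bytes:
    """Slide 7: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def handle_access_request(packet: bytes, secret: bytes) -> bytes:
    """Server side of slide 9. The shared secret is checked implicitly: with the
    wrong secret the revealed password is garbage and the user is rejected."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    username, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = (code == ACCESS_REQUEST and username in USER_DB and hidden is not None
          and hmac.compare_digest(reveal_password(hidden, secret, request_auth), USER_DB[username]))
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_attrs = b""  # an Access-Accept would normally carry authorization attributes here
    auth = response_authenticator(resp_code, ident, request_auth, resp_attrs, secret)
    return build_packet(resp_code, ident, auth, resp_attrs)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: a forged or tampered reply fails this check unless the forger
    knows both the shared secret and the Request Authenticator it answers."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, request_auth, response[20:length], secret)
    return hmac.compare_digest(response[4:20], expected)


def client_exchange(username: bytes, password: bytes, client_secret: bytes = SHARED_SECRET,
                    server_secret: bytes = SHARED_SECRET, request_auth: bytes = None) -> tuple:
    """One Access-Request / response round trip in-process; returns
    (response Code, whether the client accepted the Response Authenticator)."""
    request_auth = request_auth or os.urandom(16)  # MUST be unpredictable and unique
    attrs = (attr(ATTR_USER_NAME, username)
             + attr(ATTR_USER_PASSWORD, hide_password(password, client_secret, request_auth)))
    request = build_packet(ACCESS_REQUEST, 0x2A, request_auth, attrs)
    response = handle_access_request(request, server_secret)
    return response[0], verify_response(response, request_auth, client_secret)


if __name__ == "__main__":
    print(client_exchange(b"alice", b"correct horse battery staple"))  # (2, True)
    print(client_exchange(b"alice", b"wrong"))                         # (3, True)
```

Two properties worth checking yourself: the same password hidden twice under the same Request Authenticator produces the identical octet string, which is exactly why slide 7 requires that value to be unique, and a server configured with a different secret both rejects the user and produces a Response Authenticator the client will not accept.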

11 TACACS+
TACACS: Terminal Access Controller Access Control System
  – A Cisco proprietary client/server authentication protocol
  – A shared secret between the client and the server
  – Can encrypt the entire body of the packet (as indicated by the flags field)
  – Runs on TCP
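As an added example (not from the slides or from Cisco), the block below shows what "encrypt the entire body, as indicated by the flags field" means in TACACS+: the 12-octet header stays in the clear, the body is XORed with an MD5 pseudo-pad derived from the session id, the shared key, the version and the sequence number as the draft specifies, and the TAC_PLUS_UNENCRYPTED_FLAG bit in the header tells the receiver whether to undo that. The key, session id and the authentication START body contents are constructed sample values.

```python
import hashlib
import struct

# Constructed sample value for the demo (not from the slides).
TACACS_KEY = b"tacacs-shared-key"

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # flags bit: body is carried in clear text
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Keystream from the TACACS+ draft: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated
    to the body length. Same inputs on both ends give the same pad."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Authentication START body: action=LOGIN, priv_lvl=1, authen_type=ASCII,
    service=LOGIN, the four length octets, then the variable-length fields."""
    action, priv_lvl, authen_type, service = 0x01, 1, 0x01, 0x01
    fixed = struct.pack("!BBBBBBBB", action, priv_lvl, authen_type, service,
                        len(user), len(port), len(rem_addr), 0)
    return fixed + user + port + rem_addr


def build_packet(seq_no: int, session_id: int, body: bytes, key: bytes = None) -> bytes:
    """With a key the whole body is XORed with the pseudo-pad and the unencrypted
    flag is clear; without a key the body goes out as-is and the flag is set."""
    flags = 0 if key is not None else TAC_PLUS_UNENCRYPTED_FLAG
    if key is not None:
        pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
        body = bytes(b ^ p for b, p in zip(body, pad))
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body))
    return header + body


def parse_packet(packet: bytes, key: bytes = None) -> dict:
    """Receiver side: read the header, and only if the unencrypted flag is clear
    regenerate the pad from the header fields plus the configured key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        if key is None:
            raise ValueError("body is encrypted but no key is configured")
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    return {"type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


if __name__ == "__main__":
    start = authen_start_body(b"alice", b"tty0", b"192.0.2.10")
    wire = build_packet(1, 0x1234ABCD, start, TACACS_KEY)
    print(wire.hex())
    print(parse_packet(wire, TACACS_KEY)["body"] == start)
```

Contrast with the RADIUS slides: there only the User-Password attribute is hidden and the username travels in the clear, whereas here the username, port and remote address inside the START body are all covered by the pad. In both protocols the construction is an MD5-derived stream XORed with the data, so its strength rests entirely on the shared key staying secret.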

12 TACACS+
Protocol specification (draft): http://tools.ietf.org/html/draft-grant-tacacs-02

13 TACACS+
Example interactions: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

14 TACACS+ vs RADIUS
Shared:
  – Client/server based
  – Authentication between a NAS and an authentication server
  – Shared secret
Differences?

15 TACACS+ vs RADIUS
Source: http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/High-Level+Comparison+of+RADIUS+TACACS+and+Diameter/

Criterion                        | TACACS+                                                                              | RADIUS
---------------------------------+--------------------------------------------------------------------------------------+-----------------------------------
Transport                        | TCP (reliable; more overhead)                                                        | UDP (unreliable; higher performance)
Authentication and authorization | Can be separated (more flexible)                                                     | Combined
Multiprotocol support            | Supported (IP, Apple, NetBIOS, Novell, X.25)                                         | IP only
Access to router CLI commands    | Supports two methods to control the authorization of router commands on a per-user or per-group basis | Not supported
Encryption                       | Packet payload                                                                       | Passwords only
