Upon completing this chapter, you will be able to do the following:
- Describe the components of the AAA model
- Describe access password technologies
- Describe how authentication over PPP works
- Describe the interaction of PAP and CHAP authentication
- Compare the capabilities of each of the security server types
- Describe Cisco security servers
This chapter presents an overview of the authentication, authorization, and accounting (AAA) architecture and the security technologies associated with it. This chapter contains information required to implement the access security solutions using the Cisco products covered in Chapter 5, "Configuring the Network Access Server for AAA Security," and Chapter 6, "Configuring CiscoSecure ACS and TACACS+/RADIUS." This chapter generally avoids coverage of "generic" access security that isn't related to Cisco products.
Securing Network Access by Using AAA
Unauthorized access and repudiation in the campus, dialup, and Internet environments create the potential for network intruders to gain access to sensitive network equipment and services. The AAA architecture gives legitimate users the ability to access networked assets while limiting unauthorized access and repudiation in those same environments.
The AAA Security Architecture
Network access security, whether it involves campus, dialup, or Internet access, is based on a modular architecture that has three components:
Authentication: Requires users to prove that they really are who they say they are, utilizing a username and password, challenge/response, token cards, and other methods:
- "I am user student, and my password validateme proves it."
Authorization: After authenticating the user, authorization services decide which resources the user is allowed to access and which operations the user is allowed to perform:
- "User student can access host NT_Server with Telnet."
Accounting: Records what the user actually did, what he accessed, and how long he accessed it, for accounting, billing, and auditing purposes. Accounting keeps track of how network resources are used. Auditing can be used to track network access and to detect network intrusions:
- "User student accessed host NT_Server with Telnet 15 times."
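The authentication methods listed above include challenge/response. As an added example that is not part of the chapter, the following Python models the two PPP authentication methods this chapter goes on to cover: PAP, which sends the password itself in its Authenticate-Request, beside CHAP, where the peer answers a random challenge with MD5(Identifier || secret || Challenge) and the secret never crosses the link. The user table, username and password are constructed for the example.

```python
"""Added example (not from the chapter): PAP versus CHAP over PPP.

PAP (RFC 1334) carries the username and password in the clear.
CHAP (RFC 1994) carries only MD5(Identifier || secret || Challenge);
the network access server (NAS) recomputes the hash from its own copy
of the secret. In a deployment the secrets would be held by the
TACACS+/RADIUS security server rather than in a local dictionary.
"""
import hashlib
import hmac
import os

# Constructed user table shared by the NAS and the remote client.
SECRETS = {"student": b"validateme"}


def pap_request(username: str, password: str) -> bytes:
    """Bytes a PAP Authenticate-Request puts on the wire: the password itself."""
    return username.encode() + b":" + password.encode()


def pap_verify(on_wire: bytes) -> bool:
    """NAS side of PAP: compare the received password with the stored one."""
    username, _, password = on_wire.partition(b":")
    stored = SECRETS.get(username.decode())
    return stored is not None and hmac.compare_digest(stored, password)


def chap_challenge(length: int = 16) -> bytes:
    """Step 1: the NAS sends a fresh random Challenge value."""
    return os.urandom(length)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2: the peer answers with MD5(Identifier || secret || Challenge).

    Only this 16-byte digest travels over the PPP link; the secret does not.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(username: str, identifier: int, challenge: bytes,
                response: bytes) -> bool:
    """Step 3: the NAS recomputes the digest and compares in constant time.

    A response built for a different Identifier or Challenge fails, which is
    what stops a captured response from being replayed.
    """
    secret = SECRETS.get(username)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)
```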
Table 4-1 summarizes access security problems and shows the AAA methods that can be used to solve them. It also shows some ways in which AAA methods are accomplished.
Table 4-1 Access Security Problems and Solutions

| Security Problem | AAA Method | How It's Accomplished |
|---|---|---|
| Unauthorized access | | |
| Repudiation | Accounting | |
Note that the solutions to securing network access summarized in Table 4-1 all include at least one of the three AAA methods supported in Cisco products. The solutions may also include AAA security server (remote security database) standards supported by Cisco products, including Terminal Access Controller Access Control System Plus (TACACS+), Remote Access Dial-In User Service (RADIUS), and Kerberos. Each AAA method and remote security database standard is examined in more detail in this chapter.
AAA and Access Traffic
Remote access is an integral part of the corporate mission. Traveling salespeople, executives, remote office staff, telecommuters, and others need to communicate by connecting to the main office LAN.
A remote user will have the needed application software (for example, FTP or Telnet client software), a protocol stack (for example, Transmission Control Protocol/Internet Protocol [TCP/IP], Internetwork Packet Exchange [IPX], AppleTalk), and link-layer drivers installed on the remote client to make network connections.
The application software and protocol stacks encapsulate the higher-layer data and protocols in link-layer protocols such as Serial Line Interface Protocol (SLIP) and Point-to-Point Protocol (PPP). The encapsulated packets are transmitted across the dialup line in analog or digital form, depending on the type of telecommunication line used.
The dialup networking components typically consist of a remote client system (Windows 95/98/2000 PC or Macintosh), the telephone network connections (Public Switched Telephone Network [PSTN] or Integrated Services Digital Network [ISDN]), a network access server (such as a Cisco 5300 network access server), and a remote security database running security server software (CiscoSecure Access Control Server [ACS] running TACACS+), as shown in Figure 4-1.
Figure 4-1 AAA Technologies Securing Character- and Packet-Mode Traffic
AAA technologies in the remote client system, the network access server, and the security server work together to secure dialup access. The network access server implements AAA protocols to handle the AAA services.
AAA and Character-Mode Traffic
AAA technologies are useful for protecting character-mode or line-mode access to network access servers and other network equipment. In Cisco routers, AAA secures character-mode traffic during login sessions via the line types described in Table 4-2.
Table 4-2 Line Types Generating Character-Mode Traffic Secured by AAA

| Line Type | Description |
|---|---|
| Aux | Auxiliary EIA/TIA-232 DTE port on Cisco routers and Ethernet switches used for modem support and asynchronous access |
| Console | Console EIA/TIA-232 DCE port on Cisco routers and Ethernet switches used for asynchronous access to device configuration modes |
| tty | Standard EIA/TIA-232 DTE asynchronous line on a network access server |
| vty | Virtual terminal line and interface terminating incoming character streams that do not have a physical connection to the access server or router |
AAA and Packet-Mode Traffic
AAA technologies can also protect dialup access in the packet or interface mode via async, group-async, Basic Rate Interface (BRI) ISDN lines, or Primary Rate Interface (PRI) ISDN interfaces on Cisco routers. Table 4-3 outlines the protocols generating packet-mode traffic secured by AAA on Cisco routers.
Table 4-3 Protocols Generating Packet-Mode Traffic Secured by AAA

| Packet-Mode Type | Description |
|---|---|
| PPP | PPP on serial or ISDN interfaces |
| arap | AppleTalk Remote Access Protocol (ARAP) on serial interfaces |
| NASI | NetWare Access Server Interface (NASI) clients connecting through the access server on serial interfaces |