AAA, Dot1x
• Authentication
• Authorization
• Accounting
Authentication
• Authentication
– Who are you?
– “I am user student and my password validateme proves it.”
• Authorization
– What can you do? What can you access?
– “User student can access host serverXYZ using Telnet.”
• Accounting
– What did you do? How long did you do it? How often did you do it?
– “User student accessed host serverXYZ using Telnet for 15 minutes.”
Upon completion of this section, you should be able to:
• Configure AAA authentication, using the CLI, to validate users against a local database.
• Troubleshoot AAA authentication that validates users against a local database.
AAA Network Configuration
• Authentication
– Verifies a user's identity
• Authorization
– Specifies the permitted tasks for the user
• Accounting
– Provides billing, auditing, and monitoring
Authentication Methods
[Figure: local authentication, configured with the commands below; only step 1 of the numbered exchange survived extraction]
aaa new-model
aaa authentication login default local
1. User establishes a connection with the router.
Server-based authentication:
1. User establishes a connection with the router.
1. Enable AAA.
2. Specify the IP address of the ACS server.
3. Configure the secret key.
4. Configure authentication to use either the RADIUS or TACACS+ server.
AAA Configuration for TACACS+ Example
aaa new-model
!
aaa authentication login TACACS_SERVER tacacs+ local
aaa authorization exec tacacs+
!
!
tacacs-server host 10.0.1.11
tacacs-server key ciscosecure
!
line vty 0 4
login authentication TACACS_SERVER
debug tacacs
router#debug tacacs
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
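When troubleshooting a TACACS+ login, the useful signal in the debug above is the sequence of server replies for one session id (GETUSER, GETPASS, then a terminal PASS or FAIL) and how long the exchange took. The parser below is an added example, not part of the slides; the sample text is constructed from the debug output shown above, and the "INCOMPLETE" outcome for a session that never receives a terminal reply is this example's own convention.

```python
import re

# Constructed sample, reproducing the "debug tacacs" session on the slide
# (one session id, three server responses: GETUSER, GETPASS, PASS).
SAMPLE_DEBUG = """\
14:00:09: TAC+: Opening TCP/IP connection to 10.1.1.4/49
14:00:09: TAC+: Sending TCP/IP packet number 383258052-1 to 10.1.1.4/49 (AUTHEN/START)
14:00:09: TAC+: Receiving TCP/IP packet number 383258052-2 from 10.1.1.4/49
14:00:09: TAC+ (383258052): received authen response status = GETUSER
14:00:10: TAC+: send AUTHEN/CONT packet
14:00:10: TAC+: Sending TCP/IP packet number 383258052-3 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:10: TAC+: Receiving TCP/IP packet number 383258052-4 from 10.1.1.4/49
14:00:10: TAC+ (383258052): received authen response status = GETPASS
14:00:14: TAC+: send AUTHEN/CONT packet
14:00:14: TAC+: Sending TCP/IP packet number 383258052-5 to 10.1.1.4/49 (AUTHEN/CONT)
14:00:14: TAC+: Receiving TCP/IP packet number 383258052-6 from 10.1.1.4/49
14:00:14: TAC+ (383258052): received authen response status = PASS
14:00:14: TAC+: Closing TCP/IP connection to 10.1.1.4/49
"""

# Only the "received authen response status" lines carry the session id and reply.
STATUS_RE = re.compile(
    r"^(\d\d:\d\d:\d\d): TAC\+ \((\d+)\): received authen response status = (\w+)")
FINAL = {"PASS", "FAIL", "ERROR"}  # terminal TACACS+ authentication replies

def _seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def summarize_tacacs_debug(text):
    """Group server replies by session id. For each session report the reply
    sequence, the outcome (INCOMPLETE if no terminal reply was seen, e.g. a
    server timeout or key mismatch) and seconds between first and last reply."""
    sessions = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if not m:
            continue
        ts, sid, status = m.groups()
        s = sessions.setdefault(sid, {"statuses": [], "outcome": "INCOMPLETE",
                                      "first": _seconds(ts), "elapsed": 0})
        s["statuses"].append(status)
        s["elapsed"] = _seconds(ts) - s["first"]
        if status in FINAL:
            s["outcome"] = status
    return sessions

if __name__ == "__main__":
    for sid, s in summarize_tacacs_debug(SAMPLE_DEBUG).items():
        print(sid, s["outcome"], "->".join(s["statuses"]), f"{s['elapsed']}s")
```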
Setting Multiple Privilege Levels
router(config)#
How 802.1x Works
[Figure: Supplicant <-EAPOL-> Authenticator <-RADIUS-> Authentication Server. An unauthorized external wireless user with invalid or no credentials gets no access; an authorized user is admitted after identity-based authentication.]
802.1x and VLAN Assignment
[Figure: identity with VLAN assignment. A = Attacker, B = Legitimate User. Cisco Secure ACS/RADIUS: "I do not know A; I do know B, and B gets VLAN 10." A's port stays unauthorized.]
802.1x and the Guest VLAN
[Figure: identity with guest VLAN. A = Attacker, non-IEEE 802.1x-compliant (no supplicant); B = Legitimate User; a remediation server is shown. Cisco Secure ACS/RADIUS: "I do not know A, I do know B, and B gets VLAN 10." A's port is put into the guest VLAN.]
802.1x and the Restricted VLAN
[Figure: identity with protected (restricted) VLAN. A = Attacker, B = Legitimate User; a remediation server is shown; Cisco Secure ACS/RADIUS performs the identity check.]
Configuring 802.1x
Switch(config)#aaa new-model
• Enables AAA
Switch(config)#aaa authentication dot1x {default} method1 [method2…]