06 - Foundation Router Security - Understanding and Implementing AAA

We're now going to dive into understanding and implementing triple A. No, we're not talking about the car repair service that you carry the card for, so that if you break down on the side of the road you can get a tow truck. We're talking about triple A for Cisco routers. So what we're going to walk through is, first off, what is this idea behind AAA? What is AAA? Then we'll bring into the picture the Cisco Secure ACS server. This is a specific server that Cisco makes for AAA, to manage your AAA communication. Then we'll set up the router; we'll spend most of our time, by far, sitting in the router interface setting it up for AAA and configuring it to integrate with one of these ACS servers.

So AAA, in the Cisco sense, stands for Authentication, Authorization and Accounting. What it is is a new way of controlling the users that either come to or go through your router or switch in your network environment. By default everything is using the passwords that you type in on the router, right? The password controls Telnet and SSH access. The enable secret allows you to get into privileged mode, and once you're there you can do whatever it is you want. It's not very flexible. I mean, if you have different levels of administrators you're kind of stuck. You can do some local authentication, like we did with SSH and a local user account, but you just don't have the flexibility that some businesses are looking for. So authentication, authorization, accounting, or AAA, redoes all of that.

Authentication is validating who you are, essentially. This is a username and password ninety percent of the time. There are other ways of authenticating; you can get into thumbprint scanners, voice recognition, all those kinds of things, but the traditional network uses username and password. Authorization tells what you can do. So once you log into that router and you're sitting on that router, what can you do on that router? Can you type in show commands? Can you assign IP addresses? Can you disable interfaces? All of that deals with authentication... or, sorry, authorization. You also can look at it from a through-the-router perspective. People that are going through the router aren't asking to be authorized to type in a command, because that's going to the router; that's accessing the router and configuring it. Through the router are your users. They might be coming in on a VPN connection, they might be dialing up to the network, and authorization for them means, oh, I can access this subnet but not this server, or I can't reach these VLANs over here. It authorizes them to perform different privileges once they authenticate to the network.

Accounting is the logging. This is tracking what you did once you got onto the network. Every single time you type in a command on that router, it logs: this user logged in at this time, typed in this command, they did this. If you're going through the router, it would say this user connected at this time, accessed these resources, disconnected at this time. It's all saved in a log file, so if something goes wrong, or you need to pull that up for accounting purposes, you have a record of everything that's happened.

You can use AAA on a Cisco device to control anything that requires a password, or anything that requires access to or through the router. That includes your PPP links, if you've gone through and studied PPP authentication in the CCNA course; aux access, the auxiliary port, dial-up modems when somebody dials in; console access; and this might pop up when you're accessing the SDM, because that's requiring a username and password. Triple A can control any of these, and even multiple privilege modes. That's when you're on a router and you have certain people that are able to type in certain commands. All this focus is around AAA.

When you set up your router or switch for AAA, it's going to start looking for a user database. You can configure three different locations for your users. One of the easiest in a small network environment is the local database. This means on your router, or on your switches in your network, you configure usernames and passwords individually. So, I wonder sometimes why I just drew that. We have this little user here that we've configured on this router, and then you have to set this up. This is from global config mode; we did this for SSH, where you type in username such-and-such password such-and-such, and that adds the user to that device. You go to your switches, you add that user to those devices. So one by one the admin adds them. For small networks that works great; you can do it without setting up a separate server or anything like that, and you've got your own user accounts. But once you start getting into the twenty, thirty, fifty, a hundred devices on your network, this just becomes unmanageable, and forget password changes. I mean, they're going to have the same password always, because you'd have to log into each one of those devices one by one.

So the second way that we can do this is a RADIUS server. Both Linux and Windows have the capability of being a RADIUS server. In Windows, if you're setting up Windows... matter of fact, I'll show this to you. Here is Windows 2003, and if I go into Windows, into the Add or Remove Programs area, click on Add/Remove Windows Components, you are looking for, under Networking Services, right here, this Internet Authentication Service. You can see it says "enables authentication, authorization and accounting of dial-up and VPN users. IAS supports the RADIUS protocol." So this is known as a RADIUS server. It comes built into Windows, and so by doing this you can use a Windows database or something, an Active Directory server, something like that, to be your authentication device. So instead of configuring all the user accounts on all these different devices, I have my Windows server here, or the Linux server; both of them can be RADIUS. You just point all of these guys to that server and say, get your user accounts from there. When somebody tries to Telnet in or whatever, the router comes over here and says, hi, I'm looking for this username and password. Oh, is that valid? Great. And it passes that in. Now, that is included with Windows; it's quote-unquote free if you have a Windows box.

However, Cisco created a specialized box for this called the Cisco ACS server. They either have it as an add-on to Windows, you can install it on a Windows server platform and it will become an ACS server, or they sell an appliance version. This is what the appliance looks like right here, and this will allow you to have a dedicated user device. And this server can tie into Windows databases, it can tie into Novell databases, it can tie into all kinds of things. It uses what's known as the TACACS+ protocol, alongside RADIUS. These two protocols are competing standards. We'll expand on what the advantages and disadvantages are, but let me just give you the high-level view right now.

The RADIUS protocol allows you to do basic user authentication. You can say, you know, Jeremy's password is cisco; it can check that, yes, it's okay, great, then I'll allow him in. A lot of the things in RADIUS you end up setting up manually, meaning different authorization levels. RADIUS doesn't handle different levels of authorization by default. Whereas TACACS+, TACACS+ is a proprietary protocol, so it's geared for Cisco. It only works on Cisco, and it's designed for user authentication, authorization and accounting. It's got specific features in this box that allow a user to come in and say, hi, my username is Jeremy, and this box says, okay, what can Jeremy do? Jeremy can type this command, that command. Oh, he tried to type this command; is that all right? Oh no, no, he can't type that command, and it disallows that. Whereas RADIUS doesn't do that. RADIUS says they've authenticated, they're good, congratulations, you've authenticated. There's no real way... I mean, rightly so, Windows is designed to be Windows; it's not designed to manage Cisco commands. So there's no real way to allow my configuration to get granular on a broad, server-level basis, to say when this user logs in they can do these commands, or when this user logs in this access list gets applied to their profile. All of those, if I'm using RADIUS, have to be applied manually to the routers. Whereas if I'm using TACACS+, it can be an all-in-one centralized box for configuration. Likewise you also have a dedicated appliance-model device, if you buy the appliance, which is just a lot more stable than running this as one of many different Windows services.

Now that we've seen the Cisco ACS server, we ask the question: well, what areas of AAA does that ACS server handle? The short answer is all of them. This server does authentication, it does authorization, and it does accounting. Now, under authentication, the advantage of the ACS server is that it supports many user databases, external user databases. When I set up my router to communicate with the ACS server, that doesn't mean that I have to go on this ACS box and create all of these separate users. I can have this tie into a Novell server, a Windows Active Directory server, you know, a Netscape directory service; they have their own directory service. All of these different protocols let us tie into some other user database that your company already manages. The advantage of that is that you don't have to remember a separate username and password to log into Windows and log into the Cisco router and all these different logins. It's all going to be the same, and you can enforce strong password policies on your, we'll say, Windows domain. So the password has to be complex, it's changing every thirty days, and when it changes it changes on all the routers and switches as well. So it can tie into all kinds of different user databases; there's a whole bullet list on Cisco's website of everything it supports.

And it supports multiple authentication methods, meaning you've got your router right here that's going to speak either RADIUS or TACACS+ to the ACS server. The ACS server can then turn around and speak all kinds of different languages over here to the Windows server. It could be CHAP, or MS-CHAP, Microsoft's version of the CHAP encrypted protocol. It could be PEAP. And there are many different standards we're going to be talking about when we talk about this protocol called 802.1X, a very cool protocol to lock down the switched networks of today and wireless access points. But anyway, there are all these different standards, EAP-FAST and PEAP and all kinds of different standards, that can be spoken to the Windows or Novell or Netscape directory server, so this device over here doesn't have to be a RADIUS or TACACS+ server. It can't be, if it's TACACS+, because that's Cisco proprietary. The ACS server is a translator from one AAA protocol to another.

Now we see authorization. With authorization we can implement time-of-day restrictions, like you can only log on from eight to five; resource restrictions, you can only access these IP addresses; connection limits, this many users with this username can be logged on at the same time; and command limits, meaning what you can type in on a router or switch. These are just a few. For accounting, the records can be stored either locally on the server, so you can actually browse the records and see what users did using the ACS server, or you can store them in CSV, which stands for comma-separated values, or ODBC, which is an open database format that is widely supported. SQL can handle that, Oracle can handle that, so if you have a larger network where you want to do all this accounting into a large database system, you can export all this to an ODBC format that can be read and understood by databases.

Finally, let's compare our two street fighters, or protocols, TACACS+ and RADIUS, to see what the big differences are. You could go down and actually make quite a list of differences, but it boils down to these three. TACACS+, which is the newest version of TACACS, is Cisco proprietary. So right there, if you've got Cisco routers and Juniper routers and HP routers and switches and all that kind of stuff, immediately TACACS+ is ruled out, because all of these different devices don't support the TACACS protocol. RADIUS is an industry standard, so everything supports using RADIUS to communicate to some central database.

TACACS+ separates authentication and authorization. So what that means is, let's say you've got a user who authenticates to this router. The router will go to, let's just say, the Cisco server, and say, server, is this user allowed in? The ACS server will come back and say, yes, that username and password is valid; they're allowed in. Now that user tries to type the show ip interface command in the router, and the router flips back around and says, server, is the show ip interface command valid for this user? Yes, that command is valid for that user. It's every single thing; authentication and authorization, meaning who you are and what you can do, are separate in TACACS+. Whereas with RADIUS it's combined in one big exchange. So when the user comes in and says, hello, my name is Jeremy with a password of cisco, the router goes over to the ACS or Windows server and says, hi, is this username and password valid? And the server comes back and says yes, and here's everything that they are able to do; you know, this is their privilege level. Now, what that does is rely a lot on this router for the configuration. Whereas with TACACS+ every command is compared against the database of commands that can be typed, with RADIUS it just comes back and says their privilege level is five, which means on the router I've got to define this privilege level five: level five can do all these individual commands. Now, we can template that and use copy and paste to get it onto all of our devices, but RADIUS is not as centralized in that sense, where authorization is all separate with those different commands, and most RADIUS servers, again, aren't going to have a list of commands or access list capabilities like the Cisco ACS server.

And finally, encryption-wise, TACACS+ encrypts the whole packet. Meaning when this guy says, I'm Jeremy with a password of cisco, it encrypts all of that when sending it to the server; only the header is shown. Whereas RADIUS just encrypts the password. So if somebody has a packet sniffer right here, they'll say, I see a username of Jeremy just came through. I can't see their password, because it's encrypted, but I see that, you know, they have half the puzzle: the username that I am going to start trying to hack now is Jeremy. So that's the big comparison between the two, and let me boil it down to this.

If you are using the server, or a centralized database, for just user authentication, meaning I've got all of these routers and I just don't want to type in the same username and password on all of them, or I want a system where I can have a central database where I have my username, Jeremy, and the password, we'll say, of cisco right now, but in a month that's going to change to cisco1, you know, and my passwords are going to keep changing all around as I go through, and I want that to be reflected on all these devices; if it's just that simple, use RADIUS. That's great; that's what RADIUS is there for, so I don't have to create user accounts on every single one of these. I can have a centralized database for that. However, if I want to be able to get detailed, and I want to say, well, the user Jeremy, when he logs in, has these restrictions, can type these commands, can access these resources at this time of day; if you're going to do that, then use the TACACS+ server, specifically the Cisco ACS platform. There's no reason to buy ACS if you just want to do username and password authentication. If you want to apply all the specific restrictions, that's what it's designed for.

Now let's get into how we can configure our routers to support AAA, and switches as well; this is across the board. The first thing I need to do is get to my router, move into global configuration mode, and type in aaa and a question mark. You can see that as soon as I type in this new-model command, aaa new-model, it enables new access control commands and functions and disables old commands. What that means is that when I type in aaa new-model it's going to say, okay, all the old ways of doing authentication, they're gone. You now have all these new methods that are created. For example, you used to go underneath the VTY ports and type in password cisco to assign a Telnet or SSH password. No more. When you type in new-model, I'm not using that password underneath the VTY ports. We're using a totally new way of doing things, the AAA way. So as soon as I hit this, look at this, I'll type in aaa and a question mark again. Notice up here: one command. Now when I add a question mark, it's like, whoa. All of these new commands have been opened up because I have enabled this on my router.

Now, before you go any further on this, you want to make sure that you don't lock yourself out of the router. And it's easy to do when you're configuring AAA, because doing this, even as it notes, disables the old commands, and the old password on your VTY ports is no longer used. Now it's going to be looking to use usernames and passwords that are, at the least, configured on the router. So here's a quick way to lock yourself out of the router. Let's say you've got a password you're using for Telnet, and an enable secret. You type in aaa new-model, save your config, and log out. You are now going to be locked out of your router, because all of the ports are going to be configured to use, by default, local authentication, which means check the local database on the router, you know, see if there are any usernames configured in that local database on the router. And if you haven't configured any usernames and passwords, you're done; you can't get into the router. You have to actually do password recovery and break into the router, because you'll be locked out. So definitely don't just type in aaa new-model and then go, I can't remember what comes after that, and walk away, because you will lock yourself out.

So after that, we now have to type in aaa and choose what method we would like. We have aaa authentication, aaa authorization and aaa accounting; those are the three different A's in our AAA. The most obvious one to configure first is aaa authentication. Now, before I even go there, we haven't yet configured a TACACS+ or RADIUS server. Now, it just so happens that I've got over here my Windows 2003 box, and Cisco has on their website a ninety-day evaluation copy of the ACS server for Windows. So you can set up a Windows server and try this for ninety days, full features, full functions, and see if you like it. So what you can do is, on Windows, get this thing set up. And it's just, you can see, trial. You can't actually download the full version from Cisco's website, and you do need a logon. So you just go through; it's pretty much a next-next-next-finish button to install the ACS server. It says before you begin, the following items must be complete: end-user clients can successfully connect to AAA clients, so you have to be able to log in to routers; the Windows server can ping the AAA clients; any Cisco AAA client is running IOS 11.1 or later; if you're running something earlier than 11.1 you need to upgrade, and that's probably eight, nine, ten years old; and then you're also using Internet Explorer 6.0 or 7.0, Netscape 8.0, or Firefox 2.0. So the good news is Cisco has now made this multi-browser capable. It just says, you know, make sure all of this is true before you install. Hit the Next button; you know, it's going to be basic from there. Let me pause the video and just click Next through this to get this thing running.

Oh, okay, I couldn't do it. I had to show you this. As you're going through the installation, it does ask you the question on the ACS server: are you going to use an internal database, meaning the ACS server has everything, or are you going to integrate this with the Windows user database? And if Windows, the Windows Active Directory, when you configure users, has this "grant dial-in permission"; it was used for dial-up users, and it's used for VPN users. This is asking, do you want to refer to this to allow or deny dial-up or VPN access? That's if you use Windows. Well, I'm not going to use Windows; I'll use the ACS database. So it's going to do its copy shindig, and then I'll bring the video back.

All right, now I've got my server running, and it's working. You can see an Internet Explorer web browser; that's how you do all of the management. Now, before we go any further, I've got to configure my router to speak with my ACS server, so I'm going to open a command prompt and do a quick ipconfig just to find out what the IP address of my ACS server is. Remember that. Now I'm going to flip over to my router, and in this case I'm going to use the TACACS+ protocol to communicate with the server. So I'll type in tacacs-server host and then the IP address of the TACACS+ server, which, since I've so quickly forgotten it, I'll flip back over here to check. That's my TACACS+ server; then it gives me the option of typing in a key, single-connection, timeout, all that kind of stuff. So if I type in single-connection and hit Enter, I've now created and configured this to use this as the TACACS+ server. This single-connection command says I will use a single TCP connection to the server. So when the router connects... let me jump back over to my whiteboard. When the router connects to the server, let me draw a server there, it will start a single TCP session over here, you know, three-way handshake, and then it will authenticate users: is this user okay? Yes it is. Can you do this? Yes you can. You know, all of this back and forth over a single TCP connection. Otherwise, if I don't include that single-connection command, every single time it asks for a new username, a new password, a new command, it's going to tear down and re-establish the TCP connection, which is a lot more overhead. So usually that's the best way to do it.

Now there's one more thing I have to do on the router side, and that's define a key. I can either type in a key at the end of this command, saying that this TACACS+ server will use the key and then whatever I want, or delete all of this and just do tacacs-server key and then whatever I want. The difference is that the key typed here is associated with just this one server, whereas if I type in tacacs-server key, and I'll just put cisco as my key, that applies to all TACACS+ servers that I have this router configured for, if I have multiple TACACS+ servers that I'm using for redundancy or something like that. That's the router side.

Now on the TACACS+ server side. Wherever that is... here we are on the TACACS+ server side. I need to go to the network configuration. Now, I want to make sure I mention, for those of you that are studying for the exam, that configuring this side, the TACACS+ server, is part of the CCSP track. You will only need to know how to configure this side, the router, to communicate with the RADIUS or the TACACS+ server. This is CCSP, but I thought, you know, I've got to show it, otherwise it's just half a config. So I need to go under this network configuration and add a AAA client. And you can see down here I have AAA servers; that's my server, and yes, I just named it test machine, I just brought up a simple test machine. So the AAA client, I'll call it the router. Its IP address is... I should, over here, do a show ip interface brief, and paste that in there. And then the shared secret: this is the key. This is the key that I need to type in between them, the one that I typed in over on the router. Now underneath I have some RADIUS stuff if I'd like to do that, but overall I'm just using TACACS+, so I can skip that. It is going to be a single connection between them, and, you know, some of these other settings we can apply if we'd like to. Hit Submit and Apply, and now my router is added as a AAA client of the ACS server.

Now I can go in and start creating my users. Click Find and you can see there are no users matching anything; I don't have any users yet. So you click on Add. Let's say Jeremy will be my username. Add that guy. And underneath you have all of the user information: real name, user setup, what is this password. I'm going to put cisco as this password. If you want a separate password for CHAP or ARAP authentication, or other types of authentication, we can put a different one in here. You can set up callback, IP address assignment, network access restrictions; these are like access lists applied when the user logs in. And the beauty is, in this ACS server you've got this help system over here. If you're ever confused, like what is network access restrictions, you can click on this and it gives you everything about it, like here's what it is. The irony is there is no real training class on the ACS server. In the CCSP track they actually go into it a little more in depth, but I would say maybe one nugget would be dedicated to this. There's hardly any training, because really it's kind of a self-training system; you just kind of muddle your way through it and figure out stuff as you go. Of course they have documentation on Cisco's website, but it's easy enough to just figure out on the fly. You see the max sessions, is this account disabled, and so on, you know, all of these different settings.

So once I've created this user account, I can just click on Submit, and I've now added a user. When I click on Find, I've added my first user to the database, and you can see it's part of the default group, which has one user. You can go under here and, again, I'm now diving way into the ACS server; you don't need any of this for the security exam, but boy is it interesting. This is where you can apply to the whole group your time-of-day access settings, callback, network access restrictions, sessions, IP address, you know, all of these same things. And this is where you can say whether or not you want them to have access to the shell, the exec, in the router. If you would like, you can actually say I want, you know, users in this group to log in with privilege level fifteen, which immediately allows them to get enable mode access when they log into the router. You can define what commands they're allowed to use. I mean, the sky's the limit of what you want to do on this, but this is configuring the TACACS+ side, the server side of it.

From the client side, all we needed to do was say: you're using AAA, aaa new-model. I've now said you're going to use this as your TACACS+ server, you're going to use a single connection, and here is the key that you're going to use when you communicate with the TACACS+ server. Now we can define our methods. When I go in and I want to say, when somebody authenticates, I want them to use, you know, the TACACS+ server or something like that, that's known as a method. Let me give you an example of one and then I'll explain it as I go. Let's say I want to secure my authentication. I can type in aaa authentication, and I'll do a question mark. And this is, okay, what kind of authentication are you talking about? Are you talking about PPP authentication? Are you talking about when somebody wants to get enable access? Are you talking about 802.1X? We're going to talk about all of this later on. All of these are valid forms of authentication. The one I'm focused on is login: when people are trying to log into this router, I want to use this authentication method. Now you can see that I can either create a word, a named authentication list, labeled in the router as WORD; just type a word there. Or, underneath, you have default, the default authentication list. This says, if you want to configure methods of authentication, do you want to configure the default method that everything on the router uses, meaning Telnet, console port, auxiliary port, PPP dial-up connections, you know, everything, anything that's going into this router will use the default method that you define here? Or do you want to define your own method, your own list of authentication that they can use? In this case, before I do the default, I'm going to define my own, and we'll call it MYOWN, because I'm not feeling too creative. That's just the name; it's the name of the authentication list.

Now the router is going to ask me, okay, what kind of authentication would you like to use? And I'll say, okay, well, the first thing I want to do when somebody is trying to authenticate to this router, somehow, is use the server group, and I want to use the group of TACACS+ servers. Now, how does it know the group? That's what we configured up here. When we went through and configured this, this was a server group. I've configured one TACACS+ server; if I configure more of them, I guess you would call them a group. But this is considered the group of TACACS+ servers. So when I'm configuring this, I'm saying I'm going to have this list of authentication, and the first method I would like to use is the TACACS+ servers. Now if that's down, let's say the TACACS+ server is down or the router can't get there, maybe a switch failure or a network failure, then I want to use the local user database. Meaning, if I can't get to the TACACS+ server, then see if there are any usernames and passwords locally. It's always good to configure a backup. Why? Well, if the router can't get to the TACACS+ server, then you're locked out. I mean, that could be a denial of service attack: an intruder knows that if they sever this router's connection to the TACACS+ server and nobody can log in, then, you know, the router is locked out; you are completely disabled from reaching the router. I would even say, you know, security-wise it's just a good practice. I mean, by golly, if I can't reach my server I don't want to be locked out of my devices because they can't get there. I'm going to fall back on the local authentication, and maybe on all my routers and switches I just create this horrifically difficult backdoor username and password that says, okay, if everything's down, this is the key to my system. So I can put in local there.

Now, you can keep going with this and you can say, well, if the local database is unavailable... but I mean, I can stop with that and say, well, the local database will never be unavailable, because it's local on the router. If it's unavailable, that means the router's down and you can't get to the router anyway. But just some other items that I can put on this list: you know, instead of local I could say, and here's a dangerous one, if the TACACS+ server is down, go out and use none, no authentication. You know what that means. It means that if you can't reach the TACACS+ server then anybody can log on. You want to tell that intruder, come on in, there's no authentication; it's fair game here, anybody can get in. That's dangerous; you don't want to do that. You can also use the enable password. I could type in enable, so if the TACACS+ server is down then the password I need to get into the router is the enable password. So there are a lot of options that I can do. Most people will just say TACACS+ followed by local.

Now, this right here is a AAA method. I have now created a method named MYOWN, and now I can apply that method wherever I would like to. I want to use authentication on the ports, so I can go under line vty 0 4 and type in login. Remember, we have been doing this; this is old news right here. We've always typed in login, and we've even typed in login local, but you can see the login command, if I type it now, it's like, sorry. And the login local, that's no longer valid. I don't know what you mean. What? How did these commands go away? They worked before. Well, as soon as we typed in aaa new-model, and I want to make sure I highlight this again, as soon as I type it in, it disables the old way of doing authentication. There's no longer the login command or the login local, because now I type in login... sorry for flying around so fast, I get excited. I type in login, and I follow that up with authentication. It says, okay, well, what kind of authentication do you want to use? You can either type in the method you would like to use, or you can just use the default. Now this is where I can apply this. It's kind of like an access list: I configure it in config mode, and then I apply it wherever I'd like to apply it. I say login authentication MYOWN, and now applied to the lines is the MYOWN method, which says use the TACACS+ server first whenever somebody tries to get in via a VTY, and then use the local user database. This
is now configured for AAA. This is the first AAA method list. I can exit out, and I could create multiple method lists. I could say aaa authentication login, and I'll just say none, and I'll say that this authentication method list named none will have no authentication. You may be thinking, well, Jeremy, where would you want to do that? Right here. Whoops, did I do something wrong? Authentication list none is not defined. What did I do? I must have typed something wrong there. I mean, I do aaa authentication login none... Let's just call it nologin. Maybe it just doesn't like the name none. We'll say this uses... I think I know what's wrong. It uses the local database, and then none should be down there. Well, it took it. I'm just debating with myself here. Line con 0, I'll do login authentication nologin. Ok. It just must not have liked the name none. So what that does is now say there is no authentication on the console port.

Now, I have met some people... let me back up before I start on my little rant here. There are some people who like to put passwords on the console port because they just like that extra layer of security. But the thing is, at this point in your Cisco journey, you know that if you can physically get to a Cisco device, you can do password recovery. You know, go around every password in probably three to five minutes or less if you're really good, by breaking into ROMMON mode and all that kind of stuff and getting around all the passwords. So my thought is, unless you're using a terminal server for that out-of-band management, where somebody could potentially hack your terminal server and then get into the console ports, I would say it's pretty rare that you want authentication on the console port, because most of the time if you're plugging into the console port, it's a crisis. And I've been in situations where I've run into the room with my console cable, I plug in there, I hit Enter, and it's like, oh, what's the password? And I'm like, the password? Things are broken and I don't remember the console password that somebody set three years ago. And what I did, you know, you're screaming, somebody find the console password, and you usually end up doing password recovery and getting around it anyway, because nobody remembers what the console password is. So I usually say no login on
the console port is the best bet, so if you're physically at the device, then you can do that. Now, all bets are off when you move into a terminal server environment where somebody could potentially telnet into a router and then reverse telnet (remember the out-of-band management I talked about earlier on). That might be a good place for a console password, but then you'd be using it all the time. So, anyhow, let me do a show run and include aaa, and you can see on this router I now have two method lists, one of them called myown and one of them called nologin, each applying a different method of logging into this router. And I've now applied myown and nologin to the vty ports and the console port respectively. I can do this for as many method lists as I want, and I can even configure the aaa authentication login default method. I could say, well, by default I want to use, we'll say, the local database. And what that does is, for anything that does not have an explicit method list assignment, like we just did with the console port and the vty lines, it will use the local database. So VPN connections and PPP links will all use the local user database. And by the way, this is the default: I typed in the default method of local, but that is actually in there by default. By default, AAA uses the local user database. That is the idea behind AAA. One more thing I want to bring
up on this final summary slide is just some port numbers, some key ports to know off the top of your head. If you decide to use RADIUS: RADIUS uses the UDP protocol, and for authentication and authorization it will use the ports 1645 (we're talking from a Cisco router here) and 1812. Those are two different port numbers that it will use for RADIUS. TACACS+, oops, uses the TCP protocol; it actually creates a reliable session, and it will use TCP port 49, an easy one to remember, a very low number. When you're configuring RADIUS, I've got to mention that Windows Server, I'm trying to think, 2003, switched the default ports that Windows uses to something other than this. So by default, if you try to configure a Cisco router to talk with a Windows server using RADIUS, it will actually have a port mismatch, so you have to make sure to manually hard-code the ports, either on the Windows side or on the Cisco side, to be the same port numbers.

So, the final bonus information. Now, I know we did talk about AAA, and we talked primarily about AAA authentication. I'm going to get more into the accounting and more into the authorization in future Nuggets of the series, when we start talking about the different levels of admins that we can create on the Cisco router. We also saw in this Nugget the Cisco ACS engine. Not necessary at all if all you want to do is username and password authentication. I would say if you're going to do that, set up just a little freeware Linux box, or, if you've got Windows, Windows includes it as the IAS server. Use RADIUS; much cheaper. But if you want to get granular with the privileges that are allowed, and very specific with what users can do once they've connected, that is where the server comes in in a huge way. We also saw configuring AAA for local management, and that's just pointing to the local database. The only command you need to do that is just turning on AAA: aaa new-model. By default, AAA looks to the local database to find out what usernames and passwords it has. We also saw configuring AAA for the ACS server, setting that up, with a little bonus information on the server side. I would suggest you try this: go download the 90-day evaluation copy of the ACS server from Cisco's website, get a little laboratory, get them communicating, create some user accounts, do some... oh, I just had an idea. Why do I always have these ideas? I have an idea to show you AAA in action. So, one last thing before we conclude.

Going to bring this up. We're going to turn on terminal monitor so we can see some debugging. Going to do a debug aaa authentication, and let's also do a debug tacacs, so we can actually see what the exchanges between the router and the TACACS+ server are. And then jump over here, just open a command prompt, type in telnet followed by my router's address, and hit the Enter key. And as soon as I do that you can immediately see AAA coming in and saying, oh, we came in on the vty port, so I'm going to pick the method myown; that was the myown list we created. We see the TACACS+ (that's the version), a TACACS start, a little authentication event. It says response status: we are currently at the GETUSER stage. So I'll type in my username, jeremy, the one we created, and you can see it comes back and says ok, we've got the request, we wrote the packet, now we're at the GETPASS stage. We come back here and type in cisco, the password, and I'm logged in now. You can come right here: it says a response came back and the status is PASS, showing that the TACACS+ server is communicating successfully. Now, you can always do a show tacacs and see the messages. You can see the opens and closes of the sockets, the TCP sockets, and we've got the number of packets sent and the number of packets received, so we can watch what's happening between the router and the server. And if you see a whole bunch of packets sent and none received, there may be something wrong in the TACACS+ server configuration.
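To make the GETUSER, GETPASS and PASS stages in that debug output concrete, here is an added example (my own code, not Cisco's and not from the video) that models both sides of a TACACS+ ASCII login in Python, following the packet layout in RFC 8907: the router sends a START, the server replies GETUSER, the router continues with the username, the server replies GETPASS, the router continues with the password, and the final reply is PASS or FAIL. The packet body is obfuscated with the shared key, so a key mismatch between router and server turns the replies into garbage, which is the other common reason the counters show packets going out and nothing usable coming back. The key, the jeremy/cisco account and the 192.0.2.50 client address are constructed values for the example.

```python
"""Model of the TACACS+ ASCII login exchange seen in 'debug tacacs'.

Added example following the RFC 8907 packet layout; it is not Cisco's code.
Both the "router" and the "server" run in this process, so there is no socket.
"""
import hashlib
import hmac
import os
import struct

VERSION = 0xC0           # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01       # authentication packet (carried over TCP port 49 on the wire)
AUTHEN_LOGIN, PRIV_USER, AUTHEN_ASCII, SVC_LOGIN = 1, 1, 1, 1
# Reply status values; these are the stages the debug output names.
PASS, FAIL, GETUSER, GETPASS = 0x01, 0x02, 0x04, 0x05


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 pad: chained MD5 over session_id, key, version and seq_no."""
    seed = session_id + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR the body with the pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack(session_id, seq_no, body, key):
    """12-byte clear header followed by the obfuscated body."""
    header = struct.pack("!BBBB4sI", VERSION, TYPE_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def unpack(packet, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(
        "!BBBB4sI", packet[:12])
    if version != VERSION or ptype != TYPE_AUTHEN or len(packet) != 12 + length:
        raise ValueError("malformed TACACS+ authentication packet")
    return seq_no, session_id, obfuscate(packet[12:], session_id, key, seq_no)


def authen_start(user=b"", port=b"tty1", rem_addr=b"192.0.2.50"):
    """START body; an ASCII login sends an empty user and lets the server ask."""
    return struct.pack("!8B", AUTHEN_LOGIN, PRIV_USER, AUTHEN_ASCII, SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def authen_continue(user_msg):
    """CONTINUE body carrying the username or password the user typed."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def authen_reply(status, server_msg=b""):
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_reply(body):
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return status, body[6:6 + msg_len]


class TacacsServer:
    """Drives one session through GETUSER -> GETPASS -> PASS or FAIL."""

    def __init__(self, key, users):
        self.key, self.users = key, users      # users: {username: password}
        self.sessions, self.log = {}, []       # log records every status sent

    def handle(self, packet):
        seq_no, sid, body = unpack(packet, self.key)
        state = self.sessions.setdefault(sid, {"stage": "start"})
        if state["stage"] == "start":          # START: ask for the username
            state["stage"], status, msg = "getuser", GETUSER, b"Username: "
        else:                                  # CONTINUE: read the user's answer
            answer = body[5:5 + struct.unpack("!H", body[:2])[0]]
            if state["stage"] == "getuser":
                state["user"], state["stage"] = answer, "getpass"
                status, msg = GETPASS, b"Password: "
            else:
                expected = self.users.get(state["user"], b"")
                ok = hmac.compare_digest(expected, answer)
                status, msg = (PASS, b"") if ok else (FAIL, b"Authentication failed")
                del self.sessions[sid]
        self.log.append(status)
        return pack(sid, seq_no + 1, authen_reply(status, msg), self.key)


def router_login(server, key, username, password):
    """The router side; returns the reply statuses it saw, in order."""
    sid, stages = os.urandom(4), []
    reply = server.handle(pack(sid, 1, authen_start(), key))
    for _ in range(3):                         # GETUSER, GETPASS, then PASS/FAIL
        seq_no, _, body = unpack(reply, key)
        status, _prompt = parse_reply(body)
        stages.append(status)
        if status not in (GETUSER, GETPASS):
            break
        answer = username if status == GETUSER else password
        reply = server.handle(pack(sid, seq_no + 1, authen_continue(answer), key))
    return stages


if __name__ == "__main__":
    acs = TacacsServer(b"example-key", {b"jeremy": b"cisco"})
    print(router_login(acs, b"example-key", b"jeremy", b"cisco"))  # [4, 5, 1]
    print(router_login(acs, b"wrong-key", b"jeremy", b"cisco"))    # garbage, never PASS
```

The sequence numbers alternate as in the real protocol (router 1, server 2, router 3, and so on), and the header is never obfuscated, which is why a key mismatch does not show up as a malformed packet: the router and server each decode the other's body into noise and the login simply never reaches PASS.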

Maybe you've got the IP address of the router wrong on the server, or something like that. But we can verify: I'll do a show run and include user, and just show that there is no user on this router named jeremy. There's an admin account with a similar name, but there is no jeremy, so it is pulling this username and password from over in that TACACS+ database that we created. So with that, I hope this has been informative for you, and I'd like to thank you for viewing. }
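Pulling the method list discussion above together, here is an added example (my own code, not from the video or from Cisco) that audits the login method lists in an IOS-style running-config the way a reviewer would: it flags none on any vty list, a list whose last method is the AAA server with no local fallback (the lockout and denial-of-service case), and enable as a fallback, and it notes none on the console as informational, matching the trade-off argued above. The running-config text and the 192.0.2.10 server address are constructed for the example, and the parser only understands the aaa authentication login and line / login authentication commands.

```python
"""Audit Cisco IOS 'aaa authentication login' method lists for risky fallbacks.

Added example, not code from the video or from Cisco. It only understands the
'aaa authentication login' and 'line ... / login authentication' commands.
"""
import re
from typing import NamedTuple

# Constructed running-config fragment in the style of the router in the video.
# 192.0.2.10 is a documentation address standing in for the TACACS+ server.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10
aaa authentication login default local
aaa authentication login myown group tacacs+ local
aaa authentication login nologin none
aaa authentication login serveronly group tacacs+
aaa authentication login risky group tacacs+ none
line con 0
 login authentication nologin
line aux 0
 login authentication serveronly
line vty 0 4
 login authentication myown
line vty 5 15
 login authentication risky
"""


class Finding(NamedTuple):
    line: str          # e.g. "line vty 5 15", or "global"
    method_list: str
    severity: str      # HIGH, MEDIUM, LOW or INFO
    message: str


def parse_method_lists(config):
    """Map list name -> ordered methods, keeping 'group X' as one method."""
    lists = {}
    for text in config.splitlines():
        m = re.match(r"aaa authentication login (\S+) (.+)$", text.strip())
        if not m:
            continue
        name, tokens = m.group(1), m.group(2).split()
        methods, i = [], 0
        while i < len(tokens):
            if tokens[i] == "group" and i + 1 < len(tokens):
                methods.append("group " + tokens[i + 1])
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists[name] = methods
    return lists


def parse_line_bindings(config):
    """Map each 'line ...' block to the list it applies; 'default' if none."""
    bindings, current = {}, None
    for text in config.splitlines():
        if text.startswith("line "):
            current = text.strip()
            bindings[current] = "default"
        elif current and text.startswith(" "):
            m = re.match(r"\s+login authentication (\S+)", text)
            if m:
                bindings[current] = m.group(1)
        else:
            current = None        # any other top-level command ends the block
    return bindings


def is_remote(method):
    """True for methods that depend on a server being reachable."""
    return method.startswith("group ") or method in ("tacacs+", "radius")


def audit(config):
    findings = []
    if "aaa new-model" not in config.splitlines():
        findings.append(Finding("global", "-", "HIGH",
                                "aaa new-model is not enabled; method lists have no effect"))
    lists = parse_method_lists(config)
    for line, name in parse_line_bindings(config).items():
        methods = lists.get(name)
        if methods is None and name == "default":
            methods = ["local"]   # implicit default once aaa new-model is on
        if methods is None:
            findings.append(Finding(line, name, "HIGH",
                                    "references a method list that is not defined"))
            continue
        if "none" in methods:
            # The video's argument: physical console access already implies
            # password recovery, so 'none' there is a judgement call; on a
            # remote vty it is an open door whenever the earlier methods fail.
            severity = "INFO" if line.startswith("line con") else "HIGH"
            findings.append(Finding(line, name, severity,
                                    "'none' means no authentication once earlier methods fail"))
        if is_remote(methods[-1]):
            findings.append(Finding(line, name, "MEDIUM",
                                    "no local fallback: an unreachable server locks everyone out"))
        if "enable" in methods:
            findings.append(Finding(line, name, "LOW",
                                    "falls back to the shared enable password; no per-user accountability"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.severity:6} {f.line:14} list={f.method_list}: {f.message}")
```

Run it against the output of show running-config and the three findings on the sample are the ones discussed above: none on the console (informational), the server-only list on the aux port (lockout when the server is unreachable), and none on the second block of vty lines (the open-door case).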
}