Es CCNAS v11 Ch03

Autenticacin,
Autorizacin y Registro de
Auditoria
2012 Cisco and/or its affiliates. All rights reserved. 1

La gestin de acceso a la infraestructura administrativa es
crucial.
Mtodos:
Password only
Local database
AAA Local Authentication (self-contained AAA AAA autocontenido)
AAA Server-based Network Access Common AAA Command
Access Type Modes
Server Ports Element
Remote Character Mode

tty, vty, auxiliary, and login, exec, and enable
administrative (line or EXEC console commands
access mode)
Dial-up and VPN

Remote
Packet (interface access including
network ppp and network commands
mode) asynchronous and
access
ISDN (BRI and PRI)

User Access Verification
Password: cisco
Password: cisco1
Internet Password: cisco12
% Bad passwords
R1(config)# line vty 0 4

R1(config-line)# password cisco
R1(config-line)# login
User EXEC mode or privilege EXEC mode password access is limited

and does not scale well.

Welcome to SPAN Engineering
Username admin
Username: Admin
Password: cisco1
Password: cisco
% Login invalid
Internet
Username: Admin
Password: cisco12
% Login invalid
R1(config)# username Admin secret Str0ng5rPa55w0rd

R1(config-line)# login local
Proporciona mayor seguridad que una simple contrasea.

Its a cost effective and easily implemented security solution.

El problema de la base de datos local es que debe ser
replicado todos los dispositivos
A better scalable solution is to use AAA.

AAA es un marco arquitectnico para la configuracin:

Authentication Authorization
Who are you?
How much can you spend?
Accounting
What did you spend it on?

Routers Cisco IOS pueden implementar AAA utilizando:
Local username and Cisco Secure Access
password database Control Server (ACS)

AAA local usa una base de datos local para la autenticacin.
Este mtodo almacena los nombres de usuario y sus

correspondientes contraseas localmente en el router Cisco, y
los usuarios se autentican en la base de datos local.
Esta base de datos es la misma que se requiere para establecer
una CLI basada en roles.
AAA local es ideal para redes pequeas.

El mtodo basado en servidor usa un recurso externo de servidor
de base de datos que utiliza los protocolos RADIUS o TACACS+.
Los ejemplos incluyen el Servidor de Control de Acceso Seguro
de Cisco (ACS) para Windows Server, el Cisco Secure ACS
Solution Engine o Cisco Secure ACS Express.
Si hay ms de un router, AAA basado en servidor ser la opcin
ms apropiada.

Una vez que los usuarios han ido autenticados exitosamente
contra la fuente de datos AAA seleccionada (ya sea local o
basada en servidor), se les autoriza el acceso a recursos
especficos en la red.
La autorizacin consiste bsicamente en lo que un usuario puede
y no puede hacer en la red luego de que es autenticado, parecido
a cmo los niveles de privilegios y la CLI basada en roles les dan
a los usuarios derechos y privilegios especficos a ciertos
comandos en el router.
En general, la autorizacin se implementa usando una solucin
de AAA basada en servidor.

El registro de auditora recolecta y reporta datos de uso para que
puedan ser empleados para auditoras o emisin de facturas.
Los datos recolectados pueden incluir el inicio y fin de
conexiones, comandos ejecutados, nmeros de paquetes y
nmero de bytes.
El registro de auditora se implementa usando una solucin AAA
basada en servidor.
Este servicio reporta estadsticas de uso al servidor ACS.
Estas estadsticas pueden ser extradas para crear reportes

detallados sobre la configuracin de la red.

El aumento de la flexibilidad y el control de la configuracin de
acceso
Escalabilidad
Mltiples sistemas de respaldo
Mtodos de autenticacin estandarizados
RADIUS, TACACS+ and Kerberos

AAA se implementa tpicamente usando un servidor dedicado
ACS para guardar usuarios / contraseas en una base de datos
centralizada.
La informacin se introduce centralmente / actualizado a

diferencia de una base de datos local que debe configurarse en
cada router.

Tolerancia a fallos puede ser configurado en una secuencia
alternativa.
Consulte a un servidor de seguridad ...
Si el error o ninguno, consultar bases de datos locales, ...

AAA soporta protocolos de seguridad estandarizados.
TACACS+
Controlador de Acceso Terminal de Acceso al Sistema de Control Plus
Sustituye a los protocolos de legado TACACS y XTACACS
RADIUS
Autenticacin remota Dial-In User Service

Configuracin de
Autenticacin
AAA Local

Paso 1. Agregar nombres de usuario y contraseas a la base de
datos local del router para los usuarios que requieren acceso
administrativo al router.
R1(config)# user alex secret alex12345
Paso 2. Habilitar AAA globalmente en el router.

R1(config)# aaa new-model
Paso 3. Configurar los parmetros AAA en el router.

R1(config)# aaa authentication login default local
R1(config)# aaa local authentication attempts max-fail 3
Paso 4. Confirmar la configuracin AAA y buscar posibles

problemas.

Especifique el tipo de autenticacin para configurar:
Login - enables AAA for logins on TTY, VTYs, and console 0.
Enable - enables AAA for EXEC mode access.
PPP - enables AAA for logins on PPP (packet transfer).

Lista mtodo default se aplica automticamente a todas las
interfaces si no hay otra lista de mtodos definida.
name list deben aplicarse a una interfaz especfica antes que
cualquiera de los mtodos de autenticacin definidos.
Lista de Mtodos de autenticacin - secuencia que se llevarn a
cabo, como por ejemplo:
Pre-defined passwords (e.g., local, enable, or line)
Consulting a TACACS+ / RADIUS / Kerberos server(s)

Usando el comando en el modo de configuracin global:
aaa local authentication attempts max-fail number-of-
unsuccessful-attempts
To remove the number of unsuccessful attempts that was set, use the no
form of this command.
Router(config)#
aaa local authentication attempts max-fail [number-of-unsuccessful-attempts]
Keyword Description
number-of-unsuccessful- Number of unsuccessful authentication attempts before a
attempts connection is dropped.

Para ver una lista de todos los usuarios bloqueados, use el
comando show aaa local user lockout en el modo EXEC
privilegiado.
Use el comando para desbloquear a un usuario especfico o para
desbloquear a todos los usuarios bloqueados.
clear aaa local user lockout {username username | all}
El comando login delay introduce un retraso entre intentos de

ingreso fallidos sin bloquear la cuenta.
login delay

R1# conf t
R1(config)# username alex secret Str0ngPa55w0rd
R1(config)# username julio secret Str0ng5rPa55w0rd
R1(config)# aaa authentication login default local-case
R1(config)# aaa local authentication attempts max-fail 3

Una lista predeterminada o una lista con nombre se pueden
definir.
Una lista predeterminada se aplica automticamente a todas las interfaces si
no hay otra lista de mtodos se define.
Una lista llamada debe aplicarse a una interfaz especfica antes que
cualquiera de los mtodos de autenticacin definidos.
R1# conf t
R1(config)# username alex secret Str0ngPa55w0rd
R1(config)# username julio secret Str0ng5rPa55w0rd
R1(config)# aaa authentication login default local-case enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config-line)# login authentication TELNET-LOGIN

R1# show aaa local user lockout
Local-user Lock time

JR-ADMIN 04:28:49 UTC Sat Dec 27 2008
R1# show aaa sessions

Total sessions since last reload: 4
Session Id: 1
Unique Id: 175
User Name: ADMIN
IP Address: 192.168.1.10
Idle Time: 0
CT Call Handle: 0

R1# debug aaa ?
accounting Accounting
administrative Administrative
api AAA api events
attr AAA Attr Manager
authentication Authentication
authorization Authorization
cache Cache activities
coa AAA CoA processing
db AAA DB Manager
dead-criteria AAA Dead-Criteria Info
id AAA Unique Id
ipc AAA IPC
mlist-ref-count Method list reference counts
mlist-state Information about AAA method list state change and
notification
per-user Per-user attributes
pod AAA POD processing
protocol AAA protocol processing
server-ref-count Server handle reference counts
sg-ref-count Server group handle reference counts
sg-server-selection Server Group Server Selection
subsys AAA Subsystem
testing Info. about AAA generated test packets
R1# debug aaa

R1# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

AAA is disabled by
default in CCP.

Implementing
Server-Based
AAA
Authentication

La familia de productos de ACS de Cisco soporta :
Terminal Access Control Access Control Server Plus (TACACS+)
Remote Dial-in User Services (RADIUS) protocols

Aunque ambos protocolos pueden ser usados para la
comunicacin entre clientes y servidores AAA, TACACS+ es
considerado el ms seguro entre ambos.
Esto es porque todos los intercambios de TACACS+ son cifrados:
RADIUS slo cifra la contrasea de usuario. No cifra nombres de
usuario, informacin del registro de auditora o cualquier otra
informacin que se transmita en el mensaje RADIUS.

Los factores crticos de TACACS+ incluyen.
Es incompatible con TACACS y XTACACS
Separa la autenticacin y la autorizacin
Cifra todas las comunicaciones
Usa el puerto TCP 49
Connect Username prompt?
Username:? Use Username:
ALEX ALEX
Password prompt?
Password:? Use Password:

Str0ngPa55w0rd Str0ngPa55w0rd
Accept/Reject

Los factores crticos de RADIUS incluyen.
Usa servidores proxy RADIUS para escalabilidad
Combina la autenticacin y la autorizacin RADIUS en un solo proceso
Cifra slo la contrasea
Usa UDP
Soporta tecnologas de acceso remoto, 802.1X y SIP
Access-Request
Username:? (ALEX, Str0ngPa55w0rd)
ALEX Access-Accept
Password:?
Str0ngPa55w0rd

ACS Seguro de
CISCO

Hoy en da, existen muchos servidores de autenticacin en el
mercado:
Funk's Steel-Belted RADIUS server
Livingston Enterprises' RADIUS Authentication Billing Manager
Merit Networks' RADIUS
Cisco Secure ACS for Windows Server (ACS)
ACS Seguro de Cisco para Windows Server es una sola solucin

que ofrece AAA tanto para TACACS+ como para RADIUS.

La interfaz de usuario basada en web simplifica y distribuye la configuracin para perfiles de
Ease of use
usuario, perfiles de grupo y configuracin de ACS Seguro de Cisco .
El ACS Seguro de Cisco fue desarrollado con la capacidad de proporcionar soporte de

Scalability servidores redundantes, bases de datos remotas y replicacin de bases de datos y
resguardo de datos a grandes redes.
El reenvi de autenticacin LDAP soporta la autenticacin de perfiles de usuario que se
Extensibility almacenan en directorios de marcas lderes de directorios, incluyendo Sun, Novell y
Microsoft .
El soporte Microsoft Windows Active Directory consolida la administracin Windows de
Management nombre de usuario y contrasea y usa el Windows Performance Monitor para visualizacin
de estadsticas en tiempo real.
Diferentes niveles de acceso para cada administrador del ACS Seguro de Cisco y la
Administration habilidad de agrupar dispositivos de red facilitan y flexibilizan el control del cumplimiento y
cambios a la administracin de la poltica de seguridad en todos los dispositivos de una red .
Product Cisco Secure ACS est disponible en tres opciones: Cisco Secure ACS Solution Engine,
flexibility Cisco Secure ACS Express y Cisco Secure ACS para Windows.
Integration Estrecho acoplamiento con los routers Cisco IOS y soluciones VPN.
Cisco Secure ACS ofrece soporte de servidor token para cualquier proveedor de contrasea
Third-party
de un solo uso (OTP) que proporciona una interfaz RADIUS compatible con RFC, como
support
RSA, PassGo, Secure Computing, ActiveCard, Vasco, o CryptoCard.
Proporciona cuotas dinmicas para restringir el acceso segn la hora del da, el uso de la
Control
red, el nmero de sesiones registradas, y el da de la semana.

Cisco Secure ACS Express 5.0
Entry-level ACS with simplified feature set
Support for up to 50 AAA device and up to 350 unique user ID logins in a
24-hour period
Cisco Secure ACS for Windows can be installed on:

Windows 2000 Server with Service Pack 4
Windows 2000 Advanced Server with Service Pack 4
Windows Server 2003 Standard or Enterprise Edition
Windows Server 2008 Standard or Enterprise Edition
Cisco Secure ACS Solution Engine

A highly scalable dedicated platform that serves as a high-performance
ACS
1RU, rack-mountable
Preinstalled with a security-hardened Windows software, Cisco Secure
ACS software
Support for more than 350 users

ACSv5 Demo
http://www.cisco.com/assets/cdc_content_elements/flash/netman/acsv5tacac
s/player.html

Configuring
Server-Based
AAA
Authentication

1. Enable AAA by using the global configuration command:
aaa new-model
2. Configure security protocol parameters:

Server IP address and Key
3. Define the authentication method lists using:

aaa authentication
4. Apply the method lists to a particular interface or line (if required).

5. Optionally configure authorization using the global command:
aaa authorization
6. Optionally configure accounting using the global command:

aaa accounting

1. Specify the location of the AAA server that will provide AAA
services.
2. Configure the encryption key needed to encrypt the data transfer
between the network access server and Cisco Secure ACS.

Command Description
Indicates the address of the Cisco Secure ACS server and

specifies use of the TCP single-connection feature of Cisco
tacacs-server host Secure ACS.
ip-address This feature improves performance by maintaining a single
TCP connection for the life of the session between the
single-connection
network access server and the Cisco Secure ACS server,
rather than opening and closing TCP connections for each
session (the default).
Establishes the shared secret encryption key between the

tacacs-server key key
network access server and the Cisco Secure ACS server.
radius-server host ip-

Specifies a RADIUS AAA server.
address
Specifies an encryption key to be used with the RADIUS AAA

radius-server key key
server.

192.168.1.100
R1
Cisco Secure ACS

for Windows
using RADIUS
192.168.1.101
Cisco Secure ACS

Solution Engine
radius-server host 10.0.0.2 auth-port 1812 acct-port 1813 key WinRadius using TACACS+

R1(config)#
R1(config)# tacacs-server host 192.168.1.101 single-connection
R1(config)# tacacs-server key TACACS+Pa55w0rd
R1(config)#
R1(config)# radius-server host 192.168.1.100
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)#

R1(config)# aaa authentication login default ?
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support
R1(config)# aaa authentication login default group ?

WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
R1(config)# aaa authentication login default group

R1(config)# aaa authentication login default group tacacs+ group radius local-case
Parameter Description
This command creates a default that is automatically applied to all

default lines and interfaces, specifying the method or sequence of methods
for authentication.
These methods specify the use of an AAA server.

group group-name The group radius and group tacacs+ methods refer to previously
defined RADIUS or TACACS+ servers.
group radius
The group-name string allows the use of a predefined group of
group tacacs+
RADIUS or TACACS+ servers for authentication (created with the aaa
group server radius or aaa group server tacacs+ command).

192.168.1.100
R1
Cisco Secure ACS

for Windows
using RADIUS
aaa authentication login default group tacacs+ local

aaa authentication login VTY group tacacs+
tacacs-server host 10.0.0.3 single-connection

tacacs-server key tacacspa55
192.168.1.101
line vty 0 4 Cisco Secure ACS

login authentication VTY Solution Engine
using TACACS+

R1(config)#
R1(config)# tacacs-server host 192.168.1.101 single-connection
R1(config)# tacacs-server key TACACS+Pa55w0rd
R1(config)#
R1(config)# radius-server host 192.168.1.100
R1(config)# radius-server key RADIUS-Pa55w0rd
R1(config)#
R1(config)# aaa authentication login default group tacacs+ group radius local-case
R1(config)#

R1# debug aaa authentication
AAA Authentication debugging is on
R1#
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS

R1# debug tacacs ?
accounting TACACS+ protocol accounting
authentication TACACS+ protocol authentication
authorization TACACS+ protocol authorization
events TACACS+ protocol events
packet TACACS+ packets
<cr>
R1# debug radius ?

accounting RADIUS accounting packets only
authentication RADIUS authentication packets only
brief Only I/O transactions are recorded
elog RADIUS event logging
failover Packets sent upon fail-over
local-server Local RADIUS server
retransmit Retransmission of packets
verbose Include non essential RADIUS debugs
<cr>
R1# debug radius

R1# debug tacacs
TACACS access control debugging is on
R1#
13:53:35: TAC+: Opening TCP/IP connection to 192.168.1.101 using source 192.48.0.79

13:53:35: TAC+: Sending TCP/IP packet number 416942312-1 to 192.168.1.101
(AUTHEN/START)
13:53:35: TAC+: Receiving TCP/IP packet number 416942312-2 from 192.168.60.15
13:53:35: TAC+ (416942312): received authen response status = GETUSER
(AUTHEN/CONT)
13:53:37: TAC+ (416942312): received authen response status = GETPASS
(AUTHEN/CONT)
13:53:38: TAC+ (416942312): received authen response status = FAIL
13:53:40: TAC+: Closing TCP/IP connection to 192.168.60.15

Server-Based
Authorization

Cuando la autorizacin AAA no est habilitada, se permite acceso
sin restricciones a todos los usuarios. Luego de que inicia la
autenticacin, por defecto no se permite acceso a nadie.
Esto significa que el administrador debe crear un usuario con
derechos de acceso sin restricciones antes de que se habilite la
autorizacin:
no hacerlo deja al administrador sin forma de ingresar al sistema al momento
en que ingresa el comando aaa authorization.
La nica manera de recuperarse de esto es reiniciar el router.
Si es un router de produccin, reiniciarlo puede no ser una opcin.
Asegrese de que al menos un usuario tiene derechos de acceso sin
restricciones.
Router(config)#
aaa authorization type { default | list-name } method1 [method4]

Command authorization for user
show version ALEX, command show version?
Display show
Accept
version output
ALEX Command authorization for user

configure terminal ALEX, command config terminal?
Do not permit
Reject
configure terminal

R1(config)# aaa authorization ?
auth-proxy For Authentication Proxy Services
cache For AAA cache configuration
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
console For enabling console authorization
exec For starting an exec (shell).
ipmobile For Mobile IP services.
multicast For downloading Multicast configurations from an AAA server
network For network services. (PPP, SLIP, ARAP)
prepaid For diameter prepaid services.
reverse-access For reverse access connections
template Enable template authorization
R1(config)# aaa authorization exec ?
WORD Named authorization list.
default The default authorization list.
R1(config)# aaa authorization exec default ?
group Use server-group.
if-authenticated Succeed if user has authenticated.
krb5-instance Use Kerberos instance privilege maps.
local Use local database.
none No authorization (always succeeds).
R1(config)# aaa authorization exec default group ?

aaa authorization exec default group tacacs+
!
aaa session-id common
R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec default group tacacs+
R1(config)# aaa authorization network default group tacacs+
R1(config-line)# ^Z

Server-Based
Accounting

En ocasiones, algunas empresas desean mantener un registro de
los recursos que los individuos o grupos utilizan.
Ejemplos de esto incluyen una situacin en la que un
departamento cobra el acceso a otros departamentos o una
empresa proporciona soporte interno a otra empresa.
Si, por ejemplo, el administrador se entera de que un empleado
se conecta con el sistema a la medianoche, esta informacin
puede ser usada para investigar el propsito de la sesin.
Otra razn a favor de implementar registros de auditora es la
creacin de una lista de los cambios que ocurren en la red, quin
los realiz y la naturaleza exacta de los cambios.
Router(config)#
aaa accounting type { default | list-name } record-type method1 [method2]

R1(config)# aaa accounting ?
auth-proxy For authentication proxy events.
commands For exec (shell) commands.
connection For outbound connections. (telnet, rlogin)
delay-start Delay PPP Network start record until peer IP address is known.
exec For starting an exec (shell).
gigawords 64 bit interface counters to support Radius attributes 52 & 53.
multicast For multicast accounting.
nested When starting PPP from EXEC, generate NETWORK records before EXEC-STOP
record.
network For network services. (PPP, SLIP, ARAP)
resource For resource events.
send Send records to accounting server.
session-duration Set the preference for calculating session durations
suppress Do not generate accounting records for a specific type of user.
system For system events.
update Enable accounting update records.
R1(config)# aaa accounting exec ?
WORD Named Accounting list.
default The default accounting list.
R1(config)# aaa accounting exec default ?
none No accounting.
start-stop Record start and stop without waiting
stop-only Record stop when service terminates.
R1(config)# aaa accounting exec default start-stop?
broadcast Use Broadcast for Accounting
group Use Server-group
R1(config)# aaa accounting exec default start-stop group ?

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authorization exec group tacacs+
R1(config)# aaa authorization network group tacacs+
R1(config)# aaa accounting exec start-stop group tacacs+
R1(config)# aaa accounting network start-stop group tacacs+
R1(config-line)# ^Z
aaa authentication login default group tacacs+ local

aaa authentication login VTY group tacacs+
aaa authorization exec default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 VTY start-stop group tacacs+
line vty 0 4
authorization commands 15 VTY
authorization exec VTY
accounting commands 1 VTY
accounting exec VTY
login authentication VTY

Es CCNAS v11 Ch03

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Es CCNAS v11 Ch03

Uploaded by

Copyright:

Available Formats

Autenticacin,

2012 Cisco and/or its affiliates. All rights reserved. 1

Remote Character Mode

Dial-up and VPN

2012 Cisco and/or its affiliates. All rights reserved. 3

R1(config)# line vty 0 4

User EXEC mode or privilege EXEC mode password access is limited

2012 Cisco and/or its affiliates. All rights reserved. 4

R1(config)# username Admin secret Str0ng5rPa55w0rd

Proporciona mayor seguridad que una simple contrasea.

2012 Cisco and/or its affiliates. All rights reserved. 5

2012 Cisco and/or its affiliates. All rights reserved. 6

2012 Cisco and/or its affiliates. All rights reserved. 7

2012 Cisco and/or its affiliates. All rights reserved. 8

2012 Cisco and/or its affiliates. All rights reserved. 9

Este mtodo almacena los nombres de usuario y sus

2012 Cisco and/or its affiliates. All rights reserved. 10

2012 Cisco and/or its affiliates. All rights reserved. 12

2012 Cisco and/or its affiliates. All rights reserved. 14

Estas estadsticas pueden ser extradas para crear reportes

2012 Cisco and/or its affiliates. All rights reserved. 16

2012 Cisco and/or its affiliates. All rights reserved. 19

La informacin se introduce centralmente / actualizado a

2012 Cisco and/or its affiliates. All rights reserved. 20

2012 Cisco and/or its affiliates. All rights reserved. 21

2012 Cisco and/or its affiliates. All rights reserved. 22

2012 Cisco and/or its affiliates. All rights reserved. 23

Paso 2. Habilitar AAA globalmente en el router.

Paso 3. Configurar los parmetros AAA en el router.

R1(config)# aaa local authentication attempts max-fail 3

Paso 4. Confirmar la configuracin AAA y buscar posibles

2012 Cisco and/or its affiliates. All rights reserved. 24

2012 Cisco and/or its affiliates. All rights reserved. 25

2012 Cisco and/or its affiliates. All rights reserved. 27

2012 Cisco and/or its affiliates. All rights reserved. 30

El comando login delay introduce un retraso entre intentos de

2012 Cisco and/or its affiliates. All rights reserved. 31

2012 Cisco and/or its affiliates. All rights reserved. 32

2012 Cisco and/or its affiliates. All rights reserved. 33

Local-user Lock time

R1# show aaa sessions

2012 Cisco and/or its affiliates. All rights reserved. 34

R1# debug aaa

2012 Cisco and/or its affiliates. All rights reserved. 35

2012 Cisco and/or its affiliates. All rights reserved. 36

2012 Cisco and/or its affiliates. All rights reserved. 37

2012 Cisco and/or its affiliates. All rights reserved. 40

2012 Cisco and/or its affiliates. All rights reserved. 42

2012 Cisco and/or its affiliates. All rights reserved. 43

Connect Username prompt?

Username:? Use Username:

Password:? Use Password:

2012 Cisco and/or its affiliates. All rights reserved. 44

2012 Cisco and/or its affiliates. All rights reserved. 45

2012 Cisco and/or its affiliates. All rights reserved. 47

ACS Seguro de Cisco para Windows Server es una sola solucin

2012 Cisco and/or its affiliates. All rights reserved. 48

El ACS Seguro de Cisco fue desarrollado con la capacidad de proporcionar soporte de

2012 Cisco and/or its affiliates. All rights reserved. 49

Cisco Secure ACS for Windows can be installed on:

Cisco Secure ACS Solution Engine

2012 Cisco and/or its affiliates. All rights reserved. 50

2012 Cisco and/or its affiliates. All rights reserved. 57