Cisco CCIE Security 350-701 – AAA Authentication

  1. AAA Authentication – Device Access

AAA authentication. Now, let’s take an example. I have a user here who wants to access a remote device using either Telnet or SSH, and I want to make sure that this user is authenticated by some AAA method. If you want to authenticate this user, you can do it locally, where you create the username and password on the local device itself. It can be a router, a switch, any device; the accounts are stored locally and authentication is done against the local database. Practically, though, this is not a scalable solution, because if you have hundreds of devices it is not an easy job for the administrator to create all the users inside every local device. So we can also use external authentication servers, like the ACS servers we discussed in the previous videos. An ACS server can be used to store all the usernames and passwords, and whenever you try to establish a connection to this device, it sends the user credentials to the ACS server to verify the username and password.

If the server sends a positive reply, that is, if the username and password match its database, the user is allowed to access the remote device. Mostly in a production network we use both methods for redundancy: we configure the primary method to use something like the TACACS+ protocol with an ACS server, and if that fails for some reason, I can configure local as a backup option. So we will be using multiple authentication methods.

For reference, AAA authentication can be done for two different purposes. One is login authentication, where a user is trying to gain access to this device: before he sees any prompt at all he is asked for a username and password, and once he provides the correct username and password he is allowed to log in. Of course, we can also assign privilege levels; that is something we will see under authorization. So before he can run any command he must be authenticated.

  1. Authentication – Local Database

Using the local database. We can do AAA authentication using a local database, where we store the usernames and passwords on the local device. If any user tries to log into the device using Telnet or SSH, the router checks the local database, the local usernames and passwords, and allows the user to log into that particular device. We can use either this method, or we can tell the router to send this information to an external server such as a TACACS+ server, and do external server based authentication as well. More on that in the next classes.

Commonly we use external server based authentication as the primary authentication method, and if that fails for some reason we can always use local as a fallback authentication method. In this example I’m going to configure only local authentication, but in the next videos we will also see how to configure it with an external server. So, authentication with the local database: as I said, the usernames and passwords are stored on the local device you are trying to authenticate to or log into, and practically this is not a scalable solution. If you have a very small network with a small number of devices, like five or six, you can still go with the local database. To configure local database authentication, first we have to enable the AAA process. The AAA process is disabled by default, so we need to enable it in order to use any of the AAA commands. aaa new-model is the command that enables the AAA process. Then we configure one local user account, so that whenever a user tries to log into this router via Telnet, there is a user account to authenticate against.

That’s what we are doing here: create one user account, or multiple user accounts as per the requirement. Next we need to enable AAA authentication, and that’s what this command does. AAA authentication is enabled for login; the login option means it applies to any user who is trying to log in through the VTY or console lines, whether by Telnet, SSH or a web session like HTTP. So we specify login, and then we give a name to the list. This is actually the list of authentication methods we want to use. We can configure just local, which is what I’m doing here, or, in the next scenarios, we can create a list with a name like CCIE that uses, say, the TACACS+ protocol as the primary authentication method.

The second method could be RADIUS, and the third local. Then we apply this list to the console or the VTY lines, so that if any user tries to log into the device on either of these lines, it uses this authentication list: the list says use TACACS+ authentication; if that is not responding, fall back to RADIUS; and if that is not working either, fall back to local authentication. In my example I’m not using multiple methods, just local authentication. But later, when we configure external servers, most of the configuration stays the same. So these are the basic commands we need to configure.

To verify this, I have a pre-configured topology here in Packet Tracer. The routers are pre-configured on the 192.168.1.0 network. If I go to Router 1 and run show ip interface brief, this is my gateway, 192.168.1.100, and I’m able to ping the PCs in the LAN. So in this scenario I’m going to configure this router with local authentication. To enable local authentication I use the same commands: I go to Router 1 and quickly configure aaa new-model, then create one user account, username admin with a password, and then enable AAA authentication. When I type aaa followed by a question mark, I get multiple options: aaa authentication, authorization and accounting.

At this point we are using authentication. Authentication can be done for multiple things: for the enable password, for login on the console or VTY lines, or even in the PPP authentication process, generally on broadband connections or service provider networks. In my case I’m using login. There are two options here: I can use a specific name for the list of authentication methods, like CCIE, or I can use the name default. If I use the name default, I don’t need to apply it on the console or the VTY lines; unlike a list with a specific name, the list called default is applied automatically. So let me try the default option first, and then I’ll modify it with the other options. I’ll use default for now, and I want local authentication, not a group. If you are using a server you use the group option, but at this point I’m using just local authentication. With default I don’t need to apply it on the lines, which means automatically anyone trying to log in through any line uses the default list, with local authentication.

We can also configure RADIUS and TACACS+ as the primary method in the same way. For testing we need to go to one of the end devices. I’ll go to my PC and ping 192.168.1.100, which is my router. From this PC I’ll initiate a Telnet connection and verify the login with the local user account. So if I type telnet 192.168.1.100, you can see the username admin and the password, and I’m able to log in. OK, so on Router 1 I’m using the default option, which means you don’t need to apply it on any of the lines; it is enabled on all of them automatically. But if you don’t want to use default, preferably you apply it on the specific lines you want. That’s the reason I generally don’t prefer the default option.

So I’ll remove the default option and enable login authentication with a name. Whenever we use a name other than default, it becomes mandatory to apply login authentication with that list name on the lines, saying that for anyone trying to log in on the VTY lines, the authentication method must follow the list I named CCIE, and that list says only local authentication is allowed at this point. If you don’t apply it, it’s not going to work.

So you must apply this. Then I try once again: I go to my PC, ping 192.168.1.100 to verify LAN reachability, and then initiate a connection to .100 with the username admin (and maybe I mistyped the password). Now you can see I’m able to log in. But on the console line, because we didn’t apply this list to the console line, if I go back to the console you can see there is no authentication applied there. So if you want the same thing on the console, we need to go to the console line and apply login authentication CCIE there as well.
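The whole local-database procedure from this section, written out as one IOS configuration. This is an added example, not the course’s own configuration: the list name CCIE, the account admin and the password placeholder follow this lesson, the privilege level and the SSH-only transport on the VTY lines are my additions (the lesson tests with Telnet).

```cisco
! Added example: local AAA login authentication on Cisco IOS.
! Values CCIE, admin and CHANGE-ME-admin-password are placeholders.
!
! 1. Enable the AAA process. It is disabled by default and no other
!    "aaa ..." command is accepted until this is done.
aaa new-model
!
! 2. Create the local account the router will check. "secret" stores an
!    irreversible hash; "username ... password" would store a reversible
!    type 7 string and should be avoided.
username admin privilege 15 secret CHANGE-ME-admin-password
!
! 3a. Variant A: a list named "default" needs no "login authentication"
!     command; it is applied to every line (console, aux, vty) on its own.
!     Left commented out here because the lesson moves on to variant B.
! aaa authentication login default local
!
! 3b. Variant B (what the lesson ends up with): a named list must be
!     applied explicitly on each line; a line without the command keeps
!     whatever the default list says.
aaa authentication login CCIE local
!
line console 0
 login authentication CCIE
!
line vty 0 4
 login authentication CCIE
 transport input ssh
!
! Verify from the router while your current session is still open, so a
! mistake in the list cannot lock you out:
!   show running-config | section aaa|line|username
!   debug aaa authentication   (shows the list name and method chosen)
```

Apply the lines in this order from a session you keep open: once aaa new-model is on and a named list is bound to the console, the only way in is a valid local account, so test a fresh Telnet or SSH login before closing the session you configured from.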

  1. AAA External Servers

AAA authentication using the local database, and its drawbacks. Mostly in production networks, AAA authentication or authorization using the local database is not really a preferable option, mainly because it is not a scalable solution. Let’s say you have hundreds of devices and around ten users responsible for managing your network, and you want these ten user accounts to be allowed to access the devices. With a local database, I need to go to each and every device and configure the user accounts, privileges and everything. So practically it’s a non-scalable solution: in a very big network, managing the local database is not scalable because there is no centralized control of the user accounts, and of course it increases the administrative work, because the usernames and passwords are stored locally on each device.

So the preferable option is an external server. Whenever a user tries to initiate a Telnet or SSH connection to the device, we don’t store the credentials in the local database; instead we tell the device to forward the request to an external server, like an ACS server, where the usernames and passwords are stored, along with the authorization, that is, the permissions.

The device verifies with the server: the server checks its database and confirms whether the user is allowed to access the device or not. Once the user is allowed access, we can also authorize what commands they can execute. So the usernames and passwords are stored on a remote server like an ACS server. This provides centralized authentication and authorization, as well as accounting. The main benefit is reduced administrative work, as well as a much more scalable solution compared to the local database.

Here we use the TACACS+ or RADIUS protocol, because when the user tries to log into the device, the device forwards the request to the external server. The communication between the end device and the remote device, like a router or switch, is done with Telnet or SSH, and the communication between the authenticator (the device you want to access) and the server uses either TACACS+ or RADIUS. Commonly we use TACACS+ for device administration. TACACS+ is Cisco’s extension of the original TACACS protocol described in RFC 1492; Cisco added proprietary enhancements, and it uses TCP port 49.

  1. Authentication – External server (TACACS)

Authentication using external servers. In this video we will see how to configure authentication using an external server, and I’ll show the configuration that should be done on the router and also on the TACACS+ server. We’ll be simulating this lab in Packet Tracer, where I’m going to simulate an external AAA TACACS+ server. There are four steps to configure on the AAA client, and most of the configuration is the same as what we discussed earlier for the local database. First we need to start the AAA process with the aaa new-model command. After that we need to tell the router that when a user connects with Telnet or SSH, he must be authenticated against the external server.

But the router has to know where your TACACS+ server is. So we configure the TACACS+ server’s IP address, and also a key to be exchanged between the AAA client and the server. This key is how the client and the server authenticate each other, so it has to match on both sides: whatever key I use on Router 1 has to be the same key on the AAA server. We also use a local user account as a fallback option, because I want the AAA configuration to use the TACACS+ server as the primary authentication method and, if that fails for some reason, fall back to a local user account. So we enable AAA for login with the authentication list name CCIE. The authentication list tells which authentication methods you want to use, under the name CCIE: the first method is TACACS+ and the second method is the local database.

Then we apply this AAA authentication list on the VTY lines, so that any user entering through a VTY line is authenticated based on the list: use TACACS+ authentication, and if it fails fall back to local authentication. On the server side we configure two things: adding the device as a client and creating the user accounts. We’ll see these steps when we get into the configuration.

I have a pre-configured topology with all the IP addressing on the router. Router 1 is my AAA client, and my TACACS+ server is at 192.168.1.1. First we go to Router 1 and enable AAA with aaa new-model; it’s a fresh configuration. Then we tell the router that the TACACS+ server is at 192.168.1.1.

We also need to define the key; let’s say I’m using cisco123 here. Once the TACACS+ server is configured, we need to enable AAA, which we already did. Then it’s better to configure the local user account, so that in case the TACACS+ server fails we can still log in with a local user account. I’m typing the password as admin123123 here, so just ignore that. Then I need to enable AAA authentication for login; login covers the VTY and console lines. Then we can either use default, which is automatically enabled on all lines.

Or I use a specific name, and then specify the first method: the server group with protocol TACACS+, so group tacacs+. The second option could be RADIUS if I have a RADIUS server; here I use local as the fallback authentication. Then we apply this AAA authentication list on the VTY lines. Once that is done, the next step is on the server side, since we want authentication to be done by the TACACS+ server, right?

The next thing is to configure the ACS server with these two steps, because the ACS server must know who its clients are. That’s Router 1 in my case; if you have Router 2 you need to add Router 2 as well, and Switch 1, Switch 2, all those clients. At this point we just have Router 1. Then we need to create some user accounts. I’ll use a user account user1 with the password also user1, just to keep it simple. Of course you can use something else.

I’ll create two user accounts, user1 and user2, on the ACS server. Here in Packet Tracer I’m going to simulate the ACS server, because at this level I’m not getting into a real ACS server; when you get into CCNP we’ll use a real ACS server inside VMware. Here we can simulate an ACS server: inside the server’s Services you have an AAA option. We need to turn the AAA service on, and then you select which protocol you want to use between the server and the client, and the client IP address. There are two parts here: one is adding Router 1 as an AAA client, and the second is adding the user accounts.

So I set the client name to Router 1 and the client IP address, which in my scenario is 192.168.1.100, the router’s IP address, and the key, which must be the same key we configured on the router. If you remember, we configured the key here. Then we click Add. We can add Router 2 and the switches in the same way; I’m just adding Router 2 for testing purposes, though I’m not enabling anything on it. You can try that as an additional lab. I’m selecting TACACS as the protocol, and then in the user accounts I add user1, using the same username and password just to keep it simple.

In production networks you’ll be using complicated passwords. Now for verification we need to get onto a client device. From the .13 computer I’ll Telnet to Router 1, and I expect Router 1 to send the credentials to the TACACS+ server, because we have already configured which server is the TACACS+ server. So let’s go to the PC. First I’ll make sure this PC can reach my gateway; that’s the basic thing to check, because without reachability there will be a problem. You can see I have reachability, which means I can Telnet to my router. This time I’m going to use the user account I created on the ACS server, user1 with the password user1, and you can see I’m able to log in with that account.

Let me try with user2 and the password user2. I should be able to log in, because we configured the router to send these credentials to the external server, and on that server we created the user accounts and added Router 1 as a client. If you want to add Router 2, Switch 1 and Switch 2, you follow the same process. Now, for testing, let me try to log in with my admin account, the local user account. It doesn’t let me log in, because this account is not present on the TACACS+ server: when this user tries to log in to the router, the router sends a request to the server, the server is reachable, and the admin account is not present there.

As long as the server is reachable, only the first method is used, the TACACS+ one we configured here. That’s the first, preferred method. Only if it fails, say the TACACS+ server is not reachable, is local authentication used. So in my case, let me remove the connection to the TACACS+ server, assuming the server failed or there’s some network issue. Now if I go to my PC and try to log in once again, this time the user account from the TACACS+ server is not going to work, because the TACACS+ server is not reachable. The router then tries to verify whether this user account is in the local database; if it is not present, it simply says the login is invalid. Now I want to make sure I can log in with my local user account in case the TACACS+ server fails. So the router first tries to reach the TACACS+ server, which is what it was doing, and if the TACACS+ server is not reachable it checks the local database.

As per my local database, this user account was created, so it allows me to log in. If you’re using a real ACS server the options look like this: once you log into the ACS server, most of the options relating to user accounts are under Users and Identity Stores. We go to Users and create the user accounts, and of course configure the passwords. If you want to add Router 1 as a client, those options are under Network Resources.
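The router-side part of this external-server procedure (server definition, key, fallback account, method list, line binding) and the verification that the lesson performs by pulling the server’s cable, written out as one IOS configuration. This is an added example, not the course’s own configuration: the server address 192.168.1.1, the key cisco123, the list name CCIE and the account admin are the lesson’s values; the server name ACS1, the group name ACS-GROUP and the password placeholder are my assumptions. The server-side steps (adding the client, creating user1 and user2) are done in the ACS or Packet Tracer GUI and are not shown.

```cisco
! Added example: TACACS+ as primary login method with local fallback.
! ACS1, ACS-GROUP and CHANGE-ME-admin-password are placeholders.
aaa new-model
!
! Local fallback account. It is consulted only when every TACACS+ server
! is unreachable (the method returns ERROR). When the server answers and
! rejects the user (FAIL), the list stops there, which is why the lesson's
! local "admin" account is refused while the server is up.
username admin privilege 15 secret CHANGE-ME-admin-password
!
! TACACS+ server definition. Packet Tracer and older IOS use the
! one-line form:
!   tacacs-server host 192.168.1.1 key cisco123
! Current IOS uses a named server block instead:
tacacs server ACS1
 address ipv4 192.168.1.1
 key cisco123
 timeout 5
!
! Group the server(s) so the method list can reference them by name
! (more servers in the group give failover before the local method).
aaa group server tacacs+ ACS-GROUP
 server name ACS1
!
! Method list: TACACS+ group first; "local" is reached only on ERROR.
aaa authentication login CCIE group ACS-GROUP local
!
line vty 0 4
 login authentication CCIE
!
! Verification without opening a new session from a PC:
!   test aaa group ACS-GROUP user1 user1 legacy
!       -> "User successfully authenticated" while the server is reachable
!   show tacacs
!       -> per-server socket state and request/response counters
!   debug tacacs
!   debug aaa authentication
!       -> each attempt logged as PASS, FAIL or ERROR, so you can see the
!          difference between a rejected user and an unreachable server
```

The key must match what is entered for this client on the server; it protects the TACACS+ packet body between router and server, and it sits in the running configuration, so treat config backups as secrets. Re-run the test aaa command after disconnecting the server to confirm that ERROR, not FAIL, is what triggers the fall back to the local account.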
