Access Control CCNA 200 301
Access Control

Summary

This topic explains how AAA and 802.1X are used to authenticate LAN endpoints and devices.

Note: This topic is part of Module 10 of the Cisco CCNA 2 course. To follow the course in order, see the CCNA 2 section.

Authentication with a Local Password

In the previous topic, you learned that a NAC device provides AAA services. In this topic, you will learn more about AAA and the ways to control access.

Many types of authentication can be performed on networking devices, and each method offers a different level of security. The simplest method of remote access authentication is to configure a password on the console, vty lines, and aux port, as shown for the vty lines in the following example. This method is the easiest to implement, but it is also the weakest and least secure. It provides no accountability, because there is no username to record, and when the login is over Telnet the password is sent in plaintext. Anyone with the password can gain entry to the device.

R1(config)# line vty 0 4
R1(config-line)# password ci5c0
R1(config-line)# login

SSH is a more secure form of remote access:

  • It requires a username and a password, both of which are encrypted during transmission.
  • The username and password can be authenticated by the local database method.
  • It provides more accountability because the username is recorded when a user logs in.

The following example illustrates SSH and local database methods of remote access.

R1(config)# ip domain-name example.com
R1(config)# crypto key generate rsa general-keys modulus 2048
R1(config)# username Admin secret Str0ng3rPa55w0rd
R1(config)# ip ssh version 2
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login local

The local database method has some limitations:

  • User accounts must be configured locally on each device. In a large enterprise environment with multiple routers and switches to manage, it can take time to implement and change local databases on each device.
  • The local database configuration provides no fallback authentication method. For example, what if the administrator forgets the username and password for that device? With no backup method available for authentication, password recovery becomes the only option.

A better solution is to have all devices refer to the same database of usernames and passwords from a central server.

AAA Components

AAA stands for Authentication, Authorization, and Accounting. The AAA concept is similar to using a credit card, as shown in the figure. The credit card identifies who can use it, how much that user can spend, and keeps an account of what items or services the user purchased.

AAA provides the primary framework to set up access control on a network device. AAA is a way to control who is permitted to access a network (authenticate), what they can do while they are there (authorize), and to audit what actions they performed while accessing the network (accounting).

Figure: AAA Components

Authentication

Local and server-based are two common methods of implementing AAA authentication.

Local AAA Authentication

Local AAA stores usernames and passwords locally in a network device such as a Cisco router. Users authenticate against the local database, as shown in the figure. Local AAA is ideal for small networks.

Figure: Local AAA Authentication
  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using the local database and the user is provided access to the network based on information in the local database.

Server-Based AAA Authentication

With the server-based method, the router accesses a central AAA server, as shown in the figure. The AAA server contains the usernames and passwords for all users. The router uses either the Remote Authentication Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocol to communicate with the AAA server. RADIUS (UDP) encrypts only the user password in its requests, while TACACS+ (TCP port 49) encrypts the entire packet body and handles authentication, authorization, and accounting as separate exchanges. When there are multiple routers and switches, server-based AAA is more appropriate.

Figure: Server-Based AAA Authentication
  1. The client establishes a connection with the router.
  2. The AAA router prompts the user for a username and password.
  3. The router authenticates the username and password using an AAA server.
  4. The user is provided access to the network based on information in the remote AAA server.
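The following Cisco IOS configuration is an added example, not part of the course material. It shows the server-based method described above together with the local-database fallback that the earlier section said a purely local configuration lacks. The RADIUS server address 192.168.1.100, the shared secret, the server and group names and the Admin account are all assumed values.

```cisco
! Added example (not from the original page). IP address, shared secret,
! server/group names and the fallback account are assumed values.
!
! Create the local fallback account BEFORE enabling AAA; otherwise a typo
! or an unreachable server can lock you out of the device.
R1(config)# username Admin privilege 15 secret Str0ng3rPa55w0rd
!
! Switch the device from line passwords to AAA method lists.
R1(config)# aaa new-model
!
! Define the central RADIUS server (assumed address and key).
R1(config)# radius server RAD-1
R1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
R1(config-radius-server)# key RadiusSharedSecret
R1(config-radius-server)# exit
!
! Put the server in a named group so more servers can be added later.
R1(config)# aaa group server radius RAD-GROUP
R1(config-sg-radius)# server name RAD-1
R1(config-sg-radius)# exit
!
! Method list: ask the RADIUS group first, then the local database.
! "local" is consulted only if every server in the group fails to respond;
! an explicit reject from the server is final and does NOT fall through.
R1(config)# aaa authentication login default group RAD-GROUP local
!
! With aaa new-model the vty lines use the default list; "login local"
! is no longer used. SSH-only access as in the earlier example.
R1(config)# line vty 0 4
R1(config-line)# transport input ssh
R1(config-line)# login authentication default
R1(config-line)# exit
!
! Verify server reachability and the credentials from the router itself.
R1# test aaa group RAD-GROUP Admin Str0ng3rPa55w0rd new-code
```

Keep a second terminal session open while applying this, and run the `test aaa` command before closing it: if the shared secret or address is wrong the method list falls back to `local`, but only because the server never answered, which is exactly the condition a misconfiguration produces.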

Authorization

AAA authorization is automatic and does not require users to perform additional steps after authentication. Authorization governs what users can and cannot do on the network after they are authenticated.

Authorization uses a set of attributes that describes the user’s access to the network. These attributes are used by the AAA server to determine privileges and restrictions for that user, as shown in the figure.

Figure: AAA authorization
  1. When a user has been authenticated, a session is established between the router and the AAA server.
  2. The router requests authorization from the AAA server for the client’s requested service.
  3. The AAA server returns a PASS/FAIL response for authorization.

Accounting

AAA accounting collects and reports usage data. This data can be used for such purposes as auditing or billing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.

A primary use of accounting is to combine it with AAA authentication. The AAA server keeps a detailed log of exactly what the authenticated user does on the device, as shown in the figure. This includes all EXEC and configuration commands issued by the user. The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. This information is useful when troubleshooting devices. It also provides evidence for when individuals perform malicious acts.

Figure: AAA accounting
  1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.
  2. When the user finishes, a stop message is recorded and the accounting process ends.
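The following Cisco IOS configuration is an added example, not part of the course material, covering the authorization and accounting sections above. It uses TACACS+ rather than RADIUS because only TACACS+ can authorize and account for individual commands. The server address 192.168.1.101, the shared secret, the server name and the Admin account are assumed values.

```cisco
! Added example (not from the original page). Server address, key,
! server name and the local account are assumed values.
R1(config)# username Admin privilege 15 secret Str0ng3rPa55w0rd
R1(config)# aaa new-model
!
! Central TACACS+ server (assumed address and shared secret).
R1(config)# tacacs server TAC-1
R1(config-server-tacacs)# address ipv4 192.168.1.101
R1(config-server-tacacs)# key TacacsSharedSecret
R1(config-server-tacacs)# exit
!
! Authentication: TACACS+ first, local database if no server answers.
R1(config)# aaa authentication login default group tacacs+ local
!
! Authorization: may the user start an EXEC shell at all, and may they
! run each privilege-15 command? Configuration-mode commands are only
! checked when "config-commands" is also enabled.
R1(config)# aaa authorization exec default group tacacs+ local
R1(config)# aaa authorization commands 15 default group tacacs+ local
R1(config)# aaa authorization config-commands
!
! Accounting: start and stop records for each EXEC session (the messages
! described in the figure), plus a record for every privilege-15 command.
! Command accounting only ever produces stop records, hence stop-only.
R1(config)# aaa accounting exec default start-stop group tacacs+
R1(config)# aaa accounting commands 15 default stop-only group tacacs+
!
! If the server is unreachable, "local" authorization falls back to the
! privilege level on the username; accounting records for that period are
! lost, so watch server state.
R1# show aaa servers
```

Note the asymmetry: authentication and authorization have a `local` fallback so administrators keep access during a server outage, but there is no local store for accounting, so the audit trail has a gap for as long as the server is down.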

802.1X

The IEEE 802.1X standard is a port-based access control and authentication protocol. This protocol restricts unauthorized workstations from connecting to a LAN through publicly accessible switch ports. The authentication server authenticates each workstation that is connected to a switch port before making available any services offered by the switch or the LAN.

With 802.1X port-based authentication, the devices in the network have specific roles, as shown in the figure.

Figure: IEEE 802.1X
  • Client (Supplicant) – This is a device running 802.1X-compliant client software, which is available for wired or wireless devices.
  • Switch (Authenticator) – The switch acts as an intermediary between the client and the authentication server. It requests identifying information from the client, verifies that information with the authentication server, and relays a response to the client. Another device that could act as authenticator is a wireless access point.
  • Authentication server – The server validates the identity of the client and notifies the switch or wireless access point that the client is or is not authorized to access the LAN and switch services.
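The following Cisco IOS switch configuration is an added example, not part of the course material. It configures the switch as the authenticator role described above, with a RADIUS server as the authentication server. The server address 192.168.1.100, the shared secret, the server name and the interface FastEthernet0/1 are assumed values.

```cisco
! Added example (not from the original page). RADIUS address, key,
! server name and interface are assumed values.
S1(config)# aaa new-model
!
! The authentication server. 802.1X on IOS requires RADIUS, and the server
! must support an EAP method (for example PEAP or EAP-TLS) to talk to the
! supplicant; the switch only relays the EAP messages.
S1(config)# radius server RAD-1
S1(config-radius-server)# address ipv4 192.168.1.100 auth-port 1812 acct-port 1813
S1(config-radius-server)# key RadiusSharedSecret
S1(config-radius-server)# exit
!
! Method list for 802.1X. Only "group radius" is supported here, so an
! unreachable server leaves the ports unauthorized.
S1(config)# aaa authentication dot1x default group radius
!
! Enable 802.1X globally; without this the interface commands have no effect.
S1(config)# dot1x system-auth-control
!
! Make the access port an authenticator. "auto" means the port starts in the
! unauthorized state and forwards only EAPOL frames until the supplicant
! has been authenticated by the server.
S1(config)# interface FastEthernet0/1
S1(config-if)# switchport mode access
S1(config-if)# authentication port-control auto
S1(config-if)# dot1x pae authenticator
S1(config-if)# exit
!
! Verify: the session entry shows the client MAC, the method (dot1x) and
! whether authorization succeeded or failed.
S1# show authentication sessions interface FastEthernet0/1
S1# show dot1x all
```

Apply this only to access ports facing users; a port set to `auto` with no 802.1X-capable supplicant behind it (a printer, a trunk to another switch) will simply stay unauthorized, which is the intended behaviour for publicly accessible ports but a self-inflicted outage on infrastructure links.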
