AAA (Subair)
Encryption = protects the data itself
Hash = check for a match (integrity)
Authentication
Who are you? Is it the right person? (username, password)
Authorization
What you are allowed to access or use
Accounting
What you did
ACS uses TACACS+; ISE (Identity Services Engine) uses RADIUS (802.1X)
RADIUS - open standard, UDP 1645/1812 authentication
UDP 1646/1813 accounting
MD5
Tacacs+ 2.1.0
Authentication
1. Local
2. Remote (server)
Cons of 1 (local): not scalable for a big organisation (memory utilisation)
Pro of 2 (remote): centralised management
Local authentication
Router(config)# aaa new-model
Router(config)# username <name> password <password>
Router(config)# aaa authentication login Bsoft local
Remote access (apply the method list to the vty lines):
Router(config)# line vty 0 4
Router(config-line)# login authentication Bsoft
Router(config-line)# transport input telnet ssh
Router(config-line)# exit
Server authentication
Topology: router (AAA client) <-> AAA server
Router(config)# aaa new-model
Router(config)# radius-server host 192.168.1.2 key Cisco123
Router(config)# username admin password admin    (local fallback, for redundancy)
Router(config)# aaa authentication login Bsoft group radius local
(for a TACACS+ server use tacacs-server host <ip> key <key> and "group tacacs+" instead of "group radius")
Router(config)# line vty 0 4
Router(config-line)# login authentication Bsoft
Router(config-line)# transport input telnet ssh
Router(config-line)# exit
On the AAA server:
Enable AAA
Add the client (the router) with its IP
Shared key (must match the key configured on the router)
Users and passwords
Authorization (local only)
1. PL (privilege level)
2. RBA (role-based)
Modes
User EXEC
Privileged EXEC
Global configuration
Sub-modes: interface, router, line, tunnel
Privilege level
Local.
1. Create a user for authentication
2. Assign commands to privilege levels
3. Enable AAA authentication and authorization
Router(config)# username L1 privilege 5 password 123
Router(config)# privilege exec level 2 configure terminal
Router(config)# privilege configure level 2 interface
Router(config)# privilege interface level 2 shutdown
Router(config)# aaa new-model
Router(config)# aaa authentication login Bsoft local
Router(config)# aaa authorization exec Bsoft local
Router(config)# line vty 0 4
Router(config-line)# login authentication Bsoft
Router(config-line)# authorization exec Bsoft
Router(config-line)# transport input telnet ssh
Router(config-line)# exit
Cons: a higher level can see (run) everything at the lower levels, not vice versa
A command must sit at the same level as the user or a lower one
No complete isolation
Not specific (only the first keywords of a command are considered)
RBA - Role-Based Authorization
Replacement for the old (privilege level) method
Flexible (no limitations)
Works on the basis of views
Complete isolation
Specific (exclude and include certain command parts)
1. Root view: full privilege (level 15); from it you add parser views and superviews
Router# enable view
2. Parser view: a grouping like a privilege level; commands are added to it
3. Superview: manages parser views (calls parser views); cannot add commands itself
Steps:
Enable secret
Enable AAA
Create a parser view
Create a user with the view and privilege 15
Configure:
Router(config)# enable secret <password>
Router(config)# aaa new-model
Router# enable view    (enter the root view; asks for the enable secret)
Router(config)# parser view RS
Router(config-view)# secret RS    (local access to the view)
Router(config-view)# commands exec include all show
Router(config-view)# commands exec exclude show running-config
Router(config-view)# commands configure include interface
Router(config)# username user1 view RS secret user1
Router(config)# username user1 privilege 15
Router(config)# aaa authorization exec Bsoft local
Superview:
Router(config)# parser view manager superview
Router(config-view)# secret 123
Router(config-view)# view security
Router(config-view)# view RS
Verification
Router# show parser view
Router# show parser view all
Accounting
Business is the first priority
Changes are made within hours
Later, checks are done against the past 2 hours of logs
Logging
Severity levels
0 emergencies - fan down
1 alerts - CPU at 70%, crash at 95%
2 critical - memory, packet drop
3 errors - interface down
4 warnings - PortFast
5 notifications - interface up
6 informational - ACL
7 debugging -
1. Console logging
Router(config)# no logging console    (production environment: saves CPU utilisation)
Router(config)# logging console critical
2. Buffered logging
Router(config)# logging buffered critical
Router(config)# logging buffered 64000
Router# show logging
3. Terminal logging
Disabled by default
Router# terminal monitor
Router# terminal no monitor
4. Server logging
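A worked example added here (not part of the original notes): a small Python filter that parses IOS syslog lines in the %FACILITY-SEVERITY-MNEMONIC format and keeps what "logging buffered <level>" or "logging console <level>" would store, i.e. every message whose severity number is at or below the configured level. Level names follow the IOS keywords from the table above; the sample log lines are constructed, not captured from a device.

```python
import re
from typing import List, Optional, Tuple

# IOS syslog severities from the table above (lower number = more severe).
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# IOS message body: %FACILITY-SEVERITY-MNEMONIC: description
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+):\s*(.*)")


def parse_ios_message(line: str) -> Optional[Tuple[str, int, str, str]]:
    """Return (facility, severity, mnemonic, text), or None for a non-IOS line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    facility, sev, mnemonic, text = m.groups()
    return facility, int(sev), mnemonic, text


def filter_by_level(lines: List[str], level: str) -> List[str]:
    """Keep the lines a 'logging ... <level>' setting would record (severity <= threshold)."""
    threshold = SEVERITY[level]
    kept = []
    for line in lines:
        parsed = parse_ios_message(line)
        if parsed is not None and parsed[1] <= threshold:
            kept.append(line)
    return kept


# Constructed sample log lines (hypothetical, not from a real router).
SAMPLE = [
    "*Mar  1 00:01:02.123: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed",
    "*Mar  1 00:01:03.456: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:04.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "*Mar  1 00:01:05.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "*Mar  1 00:01:06.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(4444) -> 10.0.0.1(23), 1 packet",
]

if __name__ == "__main__":
    # Show how many of the sample messages each buffered level would retain.
    for level in ("critical", "errors", "informational"):
        print(f"logging buffered {level}: {len(filter_by_level(SAMPLE, level))} of {len(SAMPLE)} kept")
```

With "logging buffered critical" only the severity-2 memory message survives, which is why the notes pair that setting with a production console but keep the buffer large enough for later checks.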
SNMP: UDP 161 polling (every 5 min)
UDP 162 traps (timely, sent by the agent)
SNMP components:
1. SNMP agent
2. SNMP manager (NMS)
3. MIB
Security levels
noAuthNoPriv - no authentication, no privacy
authNoPriv - authentication, no privacy
authPriv - authentication and privacy
SNMPv3
Agent:
R1(config)# snmp-server group bsoft v3 priv
R1(config)# snmp-server user R1 bsoft v3 auth sha cisco priv aes 128 cisco
R1(config)# snmp-server enable traps snmp linkdown linkup
R1(config)# snmp-server host 2.2.2.2 version 3 priv R1
R1# show snmp group
R1# show snmp user
R1# show running-config | include snmp
ISE
Router(config)# aaa authentication login CCNP (or default)