AAA

Subair


Encryption = protects the data itself (reversible with the key)

Hash = one-way; used to check for a match


Authentication

Who are you? Proves it is the right person (username, password)

Authorization

What you are allowed to access or use

Accounting

What you did


ACS (Access Control Server) - TACACS+; ISE (Identity Services Engine) - RADIUS (802.1X)

RADIUS - open standard; UDP 1645/1812 authentication

UDP 1646/1813 accounting

MD5 - only the password is hidden (MD5-based); the rest of the packet is clear text
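As an added example (not from these notes), here is the RADIUS User-Password hiding that the "MD5" entry refers to, written from RFC 2865: only the password attribute is obfuscated with MD5 and the shared secret, while the user name and the rest of the Access-Request are sent in the clear. The shared secret, the fixed authenticator and the credentials are constructed sample values.

```python
import hashlib
import struct

def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: pad to a 16-byte multiple, then XOR each
    block with MD5(shared secret + previous block); block 1 uses the 16-byte
    Request Authenticator. This is MD5 obfuscation keyed by the shared secret,
    and it covers only this one attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        out += prev
    return bytes(out)

def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse operation, as the RADIUS server does it; the key stream is
    recomputed from the secret, the authenticator and the ciphertext blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(prev, key_block))
    return bytes(out).rstrip(b"\x00")

def build_access_request(username: bytes, password: bytes, secret: bytes,
                         authenticator: bytes, identifier: int = 1) -> bytes:
    """Minimal Access-Request (code 1): header + authenticator, then User-Name
    (type 1) in clear text and User-Password (type 2) hidden. Everything except
    the password travels as plain text on UDP 1812/1645."""
    hidden = hide_user_password(password, secret, authenticator)
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs

# Constructed sample values (not from the notes): a shared secret and a fixed
# authenticator standing in for the random one a real client would generate.
SECRET = b"Cisco123"
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(b"admin", b"S3cretPw", SECRET, AUTHENTICATOR)
```

Searching PACKET for the user name finds it, searching for the password does not; that asymmetry is why a captured RADIUS exchange still leaks everything but the password field.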



Tacacs+ 2.1.0



Authentication.

1. Local (user database on the device itself)

2. Remote device (AAA server)

Cons of 1: not scalable for a big org (memory utilisation on each device, no centralised management)




Local Authentication

aaa new-model
username <name> password <password>
aaa authentication login Bsoft local
! remote access (vty lines)
line vty 0 4
 login authentication Bsoft
 transport input telnet ssh
 exit


Server Authentication

AAA server ---- router (the router is the AAA client)

aaa new-model
radius-server host 192.168.1.2 key Cisco123
username admin password admin      ! local fallback account (redundancy if the server is unreachable)
aaa authentication login Bsoft group radius local     ! group radius matches the server above; use group tacacs+ for a TACACS+ server
line vty 0 4
 login authentication Bsoft
 transport input telnet ssh
 exit



On the AAA server side:

Enable AAA

Add the client (the router) with the shared key

Define users and passwords




Authorization (only local)

1. PL (privilege level)

2. RBA (role based)

Modes

User exec

Privileged exec

Global configuration

Sub-modes: interface, router, line, tunnel


Privilege Level

Local.

1. Create a user for authentication

2. Assign privilege levels to commands

3. Enable AAA authentication and authorization

username L1 privilege 5 password 123

privilege exec level 2 configure terminal
privilege configure level 2 interface
privilege interface level 2 shutdown     ! level 2 assumed here, matching the two lines above

aaa new-model
aaa authentication login Bsoft local
aaa authorization exec Bsoft local
line vty 0 4
 login authentication Bsoft
 authorization exec Bsoft
 transport input telnet ssh
 exit



Cons: a higher level can see (run) the commands of the lower levels, not vice versa

A command must be at the same or a lower level than the user

No complete isolation

Not specific (only the first keywords of a command are considered)



RBA - Role-Based Authorization (role-based CLI access)

Replacement for the old method (privilege levels)

Flexible (no limitations)

Works based on views

Complete isolation

Specific (include or exclude particular command parts)

1. Root view - full privilege (level 15); from here parser views and superviews are added
   enable view
2. Parser view - a grouping like a privilege level; commands are added to it
3. Superview - manages parser views (calls parser views; cannot add commands itself)


Steps.

enable secret

Enable AAA (aaa new-model)

Create parser view

User assigned to the view, with privilege 15


Configure:

parser view RS
 secret RS                                 ! password for local access to the view
 commands exec include all show
 commands exec exclude show running-config ! show running-config is an exec command, so it is excluded in exec mode
 commands configure include interface

username user1 view RS secret user1
username user1 privilege 15

aaa authorization exec Bsoft local

parser view manager superview
 secret 123
 view security
 view RS



Verification

show parser view




Accounting

Business is the first priority

Changes are made within hours (the change window)

Afterwards, check who did what against the accounting logs of the past 2 hours



Logging

Severity level

0 emergency - e.g. fan down
1 alerts - e.g. CPU at 70 %, at 95 % crash
2 critical - e.g. memory, packet drop
3 errors - e.g. interface down
4 warnings - e.g. portfast
5 notification - e.g. interface up
6 information - e.g. ACL
7 debug




1. Console logging

no logging console      ! production environment: console logging costs CPU
logging console critical

2. Buffered logging

logging buffered critical
logging buffered 64000
show logging

3. Terminal logging

Disabled by default
terminal monitor
terminal no monitor


4. Server logging

SNMP: UDP 161 polling (every 5 min); UDP 162 traps (sent as events happen)

SNMP components:

1. SNMP agent (the device)

2. SNMP manager (NMS)

3. MIB


Security level

noAuthNoPriv - no authentication, no privacy
authNoPriv - authentication, no privacy
authPriv - authentication and privacy


SNMP v3

Agent (R1):

snmp-server group bsoft v3 priv
snmp-server user R1 bsoft v3 auth sha cisco priv aes 128 cisco
snmp-server enable traps snmp linkdown linkup
snmp-server host 2.2.2.2 version 3 priv R1

show snmp group
show snmp user
show run | include snmp



ISE.


aaa authentication login CCNP (named list) / default (default list)


Report Page