Cisco CCIE Security 350-701 – Authentication, Authorization, Accounting – AAA

  1. AAA – Network Security

AAA overview. AAA stands for Authentication, Authorization and Accounting. Authentication, if you go with some basic general examples, refers to authenticating the user, that is, verifying who the user is. Take the example of a credit card: if you are using your own credit card, you probably want to do some kind of transaction, and in order to do the transaction you have to provide the credentials. Maybe you need to type in the PIN, or the card number and the code on the back of the card, or maybe some other additional details.

Or take the example of a specific user in the company who is trying to log into his computer: before he can actually log into the computer, he must provide his username and password, to make sure that he is allowed to access that particular computer. That is authentication. So, in general terms, authentication is nothing but verifying the username and the password and ensuring that whatever username and password he has provided are correct. Once the user gets authenticated, or once you log into your card account with the proper details, authorization is going to tell what resources you can access and what resources you cannot access.

Just like when a user tries to log into a computer in the company network: he will be authenticated, and once he successfully gets authenticated, we need to decide what resources he can access. So if this user belongs to the accounts department, I want to make sure that this particular user is only able to access the accounts computers. Or if there is a guest user coming into the network, say he is connecting to my WiFi network, I want to make sure that this user is only able to access the Internet and nothing more. So authorization is going to tell what the user can access. To take the general example of your credit card again: what is the maximum amount of transaction you can do? Maybe you have a limit of, let's say, $800, and you cannot do more than that.

So that is what authorization is: restricting the user, what he can do and what he cannot do. Finally, accounting is about keeping track of things, what is happening in your network, what changes were made, the user data. Take the example of a user: whenever he logs in, he will be authenticated, maybe as an accounts user. Once he gets authenticated, he will be authorized to access only the resources specific to that particular department. And then you also need to keep track of when this particular user logged in, what time he logged in, what changes he made, those kinds of things. If you want to keep track of all these things, then we also need to enable a service called accounting. So we will be using these three A's, Authentication, Authorization and Accounting, in network security as well, and we do this either for device access or for network access.

Device access, let me write it down as device access or device administration, is the first; then we have network access. Device administration means, for example, the Telnet and SSH protocols we discussed in the previous sessions, which allow a user to log into a device remotely. Maybe a user who belongs to the IT department has the job of managing the routers, the switches or the firewalls. This user tries to log into the device using SSH or Telnet, and I want to make sure that this user is allowed to log into the device. So we need to authenticate the user. That is the first step.

So we need to make sure that this user is allowed to do device administration. The first step is that he needs to get authenticated by providing the correct username and password. Once this user logs into the device, he also needs to be authorized. In authorization, if this user is a level one engineer, I want to make sure that he can only execute some basic show commands and maybe make some basic changes, like changing the hostname or the IP addresses, but he cannot make any other changes.

For example, he cannot make any changes to the routing configuration, he cannot shut down an interface, things like that. That is authorization. And if the user belongs to level two and I want to give him some additional permissions, he can make all the changes, but he cannot erase or delete the configuration. So for device administration we need to authenticate the users accessing the devices remotely, and we also need to give permissions, what they can and cannot do, based on the different user accounts. And finally we also need to keep track of what he did: what changes he made, when he logged in, what time he logged in, and from which IP address or which device he logged in, those kinds of things. These are the options relating to device administration; we will talk about them in more detail as we progress with our topics. And we also need to do the same AAA for network access.

Network access relates to, let's say, a user with a computer who belongs to the accounts department, and another user who is a guest. In most of today's production networks, everyone uses their own device. Let's say he is carrying his own laptop or his mobile phone and connecting to a WiFi network. This user should be authenticated first, before he actually connects to the network, whether it is a WiFi network or any other network. So the first step is that the user must be authenticated: he provides his own username and password and gets authenticated.

Once this user gets authenticated, depending on the username and password we know that this user belongs to accounts, and I want to make sure that this user is only able to access the resources of the accounts department, but not everything. Of course he can also access the Internet and some external resources. So I want my server, the AAA server we will see later, to make sure that this user is dynamically assigned to my accounts VLAN, and you may also want to push some ACLs, so you can define some restrictions for that particular user. And if that user is a normal user using one of the guest accounts which we created, then that user will only be able to access resources on the Internet, but nothing on my company network.

So that is what authorization is: restricting what the user can access in the network. Of course he should be authenticated first before he can access anything in the network, and once he gets authenticated he will be restricted in what he can and cannot access among the resources on the network. Finally you need to keep track of when this user logged in, which device or which IP he used, and when he logged out; that information is also important. We will be seeing these AAA options in more detail as we progress. So we can do AAA either for device administration or for network access. A quick recap on authentication: as we discussed, it provides identification of the user, and we use either a username and password or digital certificates.

We will talk more about certificates, PKI, public key infrastructure, in the cryptography topics. Either the user or the machine needs to be authenticated. Machine means, for example, you are connecting a printer and I want the printer also to be authenticated before it can connect to my network, or maybe a VoIP device; that comes under network access authentication. This authentication we can do either for device administration, or device access, or for network access. Authorization, like I said, is what resources the user can access.

So for device administration, or device access, we can define privilege levels and what commands the user can execute once he logs into the device, once he logs into the ASA or the router. For network access, we can say that when an accounts user connects to the network, which VLAN he should be assigned to and what ACL should be applied to that user, and we can also apply some more advanced authorization, like security group tags, or encryption.

  2. AAA – Components

Components. AAA mainly has three components: something called the supplicant, the authenticator and the authentication server. The basic difference between these three is as follows. The supplicant is nothing but the end device which is used for gaining access. Like I said, there are two different things we do in network security: one is device access, the other is network access. Either the user is using his own device to Telnet or SSH, which is the case of device administration, or maybe a guest user or the accounts user is trying to connect to the switch or to my WiFi network to gain access to the network, which is network access.

So whatever device is used by the end user, either to access the remote device or for network access, that device is referred to as the supplicant, the end device the user logs in from. It can be his own computer, a laptop, a mobile phone, a tablet, or even a printer or a VoIP device in the case of network access, because you may want the printer to be authenticated before it is accessed in the network by any other users. Of course, in this case the authentication is done based on the MAC address, but that also comes under the supplicant, or non-supplicant, we can say; again, it depends on some features.

We will talk more about this in the network access AAA topics. So the device used by the end user is the supplicant device, or end user device, and whichever device he is trying to access, maybe he is trying to Telnet to the switch or the router, that device is called the authenticator. In the case of device administration, he is trying to log into the router or the switch or any other device; in the case of network access, this device can be a wireless access point or the wireless controller, because he is connecting through some WiFi network, and before he can access the network he is going to provide his user credentials. Now the authenticator, the switch or the access point or the wireless controller, does not authenticate by itself. It simply forwards those credentials to another device called the authentication server. This authentication server can be an ACS server or an ISE server, much like your Active Directory service, which stores all the username and password credentials and all the client information. These servers are also responsible for doing authorization: they can push the authorization policies to the authenticator, telling it what authorization policy to apply, and they also keep track of accounting. The entire AAA could be done locally by the authenticator device, but for most of the advanced options we don't use local AAA.
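The three components just described, and the network-access authorization from the earlier section (the server placing an accounts user in the accounts VLAN), as one worked RADIUS exchange: the authenticator wraps the supplicant's credentials in an Access-Request, the authentication server checks them and answers with an Access-Accept carrying the VLAN, and the authenticator verifies the reply before applying it. This is an added example written for this page, not course material or Cisco code; the shared secret, the user store, the NAS address and the VLAN number are constructed values, and the packet handling follows RFC 2865 (User-Password hiding, Response Authenticator) and RFC 2868 (Tunnel-Private-Group-ID for the VLAN).

```python
import hashlib
import secrets
import struct

# Constructed values (assumptions, not from the course): the secret shared by the
# authenticator (NAS) and the authentication server, and a tiny user store that
# records the VLAN each authenticated user must be placed in.
SHARED_SECRET = b"constructed-shared-secret"
USER_DB = {b"alice": {"password": b"accounts-pw", "vlan": b"20"}}  # accounts department
NAS_IP_ADDRESS = bytes([192, 0, 2, 1])  # documentation address standing in for the switch

# RADIUS packet codes and attribute types (RFC 2865 / RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP = 1, 2, 4
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password: the previous *hidden* block feeds the next MD5."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip padding (assumes the password contains no NUL bytes)

def encode_attrs(attrs):
    """Attributes are TLVs: type, total length including the 2 header bytes, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    return code, ident, pkt[4:20], decode_attrs(pkt[20:length])

def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def authenticator_access_request(username, password, ident=1):
    """Authenticator (switch/AP/WLC): it never checks the credentials, it only forwards them."""
    req_auth = secrets.token_bytes(16)  # fresh random Request Authenticator for every request
    attrs = [(USER_NAME, username),
             (USER_PASSWORD, hide_password(password, SHARED_SECRET, req_auth)),
             (NAS_IP, NAS_IP_ADDRESS)]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs)

def auth_server_handle(pkt):
    """Authentication server (the ACS/ISE role): authenticate, then authorize by pushing a VLAN."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)
    entry = USER_DB.get(a.get(USER_NAME))
    given = reveal_password(a.get(USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    if code == ACCESS_REQUEST and entry and secrets.compare_digest(entry["password"], given):
        resp_code = ACCESS_ACCEPT
        resp_attrs = [(TUNNEL_TYPE, b"\x00\x00\x00\x0d"),                    # tag 0, VLAN (13)
                      (TUNNEL_MEDIUM_TYPE, b"\x00\x00\x00\x06"),             # tag 0, IEEE-802 (6)
                      (TUNNEL_PRIVATE_GROUP_ID, b"\x00" + entry["vlan"])]    # tag 0 + VLAN ID
    else:
        resp_code, resp_attrs = ACCESS_REJECT, []  # no hint about which part was wrong
    body = encode_attrs(resp_attrs)
    resp_auth = response_authenticator(resp_code, ident, req_auth, body, SHARED_SECRET)
    return build_packet(resp_code, ident, resp_auth, resp_attrs)

def authenticator_apply(request_pkt, response_pkt):
    """Authenticator checks the reply was produced with the shared secret before acting on it."""
    _, ident, req_auth, _ = parse_packet(request_pkt)
    code, rident, resp_auth, attrs = parse_packet(response_pkt)
    expected = response_authenticator(code, rident, req_auth, encode_attrs(attrs), SHARED_SECRET)
    if rident != ident or not secrets.compare_digest(expected, resp_auth):
        return {"result": "discard"}  # wrong secret or tampered reply: silently dropped
    if code != ACCESS_ACCEPT:
        return {"result": "reject"}
    vlan = dict(attrs)[TUNNEL_PRIVATE_GROUP_ID][1:].decode()  # drop the tag octet
    return {"result": "accept", "vlan": vlan}

def network_access(username, password):
    """Whole exchange: supplicant credentials -> authenticator -> server -> authenticator decision."""
    req = authenticator_access_request(username, password)
    return authenticator_apply(req, auth_server_handle(req))
```

Calling `network_access(b"alice", b"accounts-pw")` returns an accept with VLAN 20, while a wrong password or unknown user returns a reject; a reply whose attributes were altered in transit fails the Response Authenticator check and is discarded rather than rejected, which is the behaviour a real NAS shows when the shared secret is mistyped on one side. Note that only the User-Password attribute is hidden, the rest of the RADIUS packet travels in clear, which is one reason the course treats the choice between RADIUS and TACACS+ as a design decision.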

  3. AAA Protocols – TACACS – RADIUS


  4. AAA – Cisco Authentication Servers

So in order to do AAA, we need to configure some external servers. Those external servers can be ACS servers; ACS can be a dedicated hardware appliance or a virtual image running inside VMware. So we can use a Cisco ACS server. This is a little bit end of sale now, probably because Cisco is trying to add the ACS features and benefits into ISE, but currently we still use ACS servers, and they can be used for both device access and network access. That means if the user is trying to Telnet, we can forward his credentials to the ACS server, and at the same time, when a user is trying to connect to the network, we can do AAA for network access using the ACS server as well. But commonly we currently use ACS only for device access, because for network access we have a separate product from Cisco called Cisco ISE. The main reason for using Cisco ISE is that it can be used for network access and supports some additional features like profiling, posture assessment and web portal services.

Web portal services are for when a guest user tries to log in: he will be authenticated through a portal page, he gets a web portal page, and once he types in the credentials he will be authenticated and then authorized, and we can also do accounting. Posture assessment is verifying the health status of that particular device. If you are using your mobile phone or a laptop, that laptop must have updated antivirus on the machine, so ISE can check the health status, and based on the conditions you will or will not be allowed to access the resources. And then profiling: ISE can also get information about exactly which device you have used.

Whether you are using an iPad, a laptop (and if a laptop, from which vendor), or an iPhone, all these statistics are collected by the ISE device. So if you want these additional benefits, ISE is the more preferable device for network access, because we get these additional benefits which ACS does not offer. Again, ISE mainly works with the help of RADIUS.

So the RADIUS protocol is used for communication between the authenticator and the ISE server, because TACACS+ is not supported in the ISE 1.3 or 1.2 versions, but starting from ISE 2.0, TACACS+ is also supported. And RADIUS offers some additional options like Change of Authorization (CoA), where you can force the authorization to change mid-session using RADIUS. So commonly for network access we use the Identity Services Engine, the ISE device, for the additional benefits, and the protocol which is used is RADIUS, as we said.
