Category Archives: 5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [i] AAA with TACACS+ and RADIUS

RADIUS is an access server that uses AAA protocol and combines authentication and authorization. It is a system of distributed security that secures remote access to networks and network services against unauthorized access. TACACS + provides session encryption and can provide CLI authorization by user groups.

RADIUS comprises three components:

● A protocol with a frame format that utilizes User Datagram Protocol (UDP)/ IP

● A server

● A client

RADIUS uses UDP while TACACS + uses TCP. TCP offers several advantages over UDP. TCP offers a connection -oriented transport , while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as retransmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:

● TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.

● TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.

● Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.

● TCP is more scalable and adapts to growing, as well as congested, networks.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5110-5113).  . Kindle Edition.

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

 

5.1.d Describe device security using IOS AAA with TACACS+ and RADIUS

5.1.d [ii] Local privilege authorization fallback

The local database can act as a fallback method for several functions. This behavior is designed to help prevent accidental lockout . For users who need fallback support, it is recommended that their usernames and passwords in the local database match their usernames and passwords in the AAA servers. This provides transparent fallback support. Because the user cannot determine whether a AAA server or the local database is providing the service, using usernames and passwords on AAA servers that are different than the usernames and passwords in the local database means that the user cannot be certain which username and password should be given.

The local database supports the following fallback functions:

● Console and enable password authentication—When you use the aaa authentication console command, you can add the LOCAL keyword after the AAA server group tag. If the servers in the group all are unavailable, the security appliance uses the local database to authenticate administrative access. This can include enable password authentication, too.

● Command authorization—When you use the aaa authorization command command, you can add the LOCAL keyword after the AAA server group tag. If the TACACS + servers in the group all are unavailable, the local database is used to authorize commands based on privilege levels.

● VPN authentication and authorization—VPN authentication and authorization are supported to enable remote access to the security appliance if AAA servers that normally support these VPN services are unavailable. The authentication-server-group command , available in tunnel-group general attributes mode, lets you specify the LOCAL keyword when you are configuring attributes of a tunnel group. When VPN client of an administrator specifies a tunnel group configured to fallback to the local database, the VPN tunnel can be established even if the AAA server group is unavailable, provided that the local database is configured with the necessary attributes.

Adam, Paul (2014-07-12). All-in-One CCIE V5 Written Exam Guide (Kindle Locations 5123-5133).  . Kindle Edition.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960xr/software/15.0_2_EX1/security/configuration_guide/b_sec_152ex1_2960-xr_chapter_0111.html