What courses does DClessons offer?

DClessons offers a wide range of online courses including SD-WAN & Cloud Networking, Data Center Technologies, VMware, Docker, SDN, and more.

How can I register for a course on DClessons?

You can register for courses on DClessons by visiting our registration page at https://www.dclessons.com/register and selecting your desired course.

What is the pricing for DClessons courses?

The pricing for each course varies. For example, the SD-WAN & Cloud Networking training is priced at $100. For detailed pricing, visit our course pages.

Is the training online or in-person?

All training provided by DClessons is fully online, allowing you to learn from anywhere, anytime.

Do I get a certification after completing a course?

Yes, upon completing the course and passing the assessments, you will receive a certificate of completion from DClessons.

AAA Fundamentals

In this section we will learn Configuring AAA in ISE and we will see its deep dive concepts.

AAA stands for Authentication, Authorization & Accounting. There are two aspects of AAA in Network & Security Field.

Device Administration
Network Access AAA

Device Administration:

When access to device is required via Console, SSH, Telnet, AAA is used to control its access. A user can authenticates to Cisco IOS shell and when request goes to ISE, it can either permit or deny user execution of individual command.

Authenticating device is authenticated once but it is authorized many times during single session in CLI of device.

Network Access:

In this, user identity is learned and based on policy, permit or deny to user access is determined. RADIUS protocol is used between network access device (NAD) and authentication server. Earlier Authentication was done by PAP or CHAP protocol. Currently RADIUS protocol is widely used for Network Access AAA between Cisco ISE and Network Device.

TACACS+:

TACACS+ was developed by Cisco around 1990 and became supported protocol with Cisco ISE 2.0 and prior to ISE 2.0, ACS server was used as Primary AAA server for Enterprise. With ISE 2.0, ISE replaced the ACS for both RADIUS and TACACS+.

TACACS+ uses TCP protocol on port 49 to communicate between TACACS+ client and TACACS+ server.

TACACS+ is protocol used for authentication as well as authorization many times during a single administration session in CLI of device.

TACACS + Authentication Message:

When TACACS+ is used for Authentication, There are three types of Message or packets are exchanged between client (Network Device) and Server.

START: It is used to start the authentication process or request between AAA Client and AAA Server.
REPLY: It is the message or packer sent by AAA Server to AAA Client.
CONTINUE: It is message from AAA Client used to respond to AAA server request for user name and password.

AAA Client sends the START message to start Authentication request, this START message tells AAA server that a client want to authenticate and authenticate request is coming. REPLY message will be sent from AAA Server to AAA Client every time during authentication. AAA Server send REPLY message to Client to get Username and password. AAA Client will send the username with CONTINUE message, once AAA Server receives the username, it will respond to AAA Client with REPLY message asking for password.

AAA Client will send password with CONTINUE message and server will finally send REPLY message with authentication –pass or fail status.

Below is the possible value AAA Server will send to AA Client with final REPLY Message are as follows:

ACCEPT: User Authentication succeed and authorization process can begin if AAA Client is configured for authorization.
REJECT: User authentication is failed, login is denied to end user and AAA Server may ask for authentication again.
ERROR: An Error occurred during authentication process. AAA Client will reattempt for authentication.
CONTINUE: AAA User asked for additional information, this message is not same message type discussed on main Authentication process discussed above. This Message type is used for item such as password change, or requesting for second authentication or token.

TACACS+ Authorization & Accounting Message:

Once authentication is done, only two message type is used for authorization between AAA Client and AAA Server.

REQUEST: When Client request for authorization, this REQUEST message is used. The Authorization may be to access Shell, or to authorize specific command and we say as request for authorization for specific Service. Each Service may be communicated with attribute-value (AV) value pairs.
RESPONSE: This message is send from AAA Server to AAA Client with result of authorization request asked by AAA Client.

GENERAL FAQ

What is AAA and why used in a network?

AAA is often referred to as Authentication, Authorization, and Accounting. It manages who has access to devices and networks, what they can do, and maintains a record for security and management. The authentication, authorization, and accounting (AAA) framework is the basis for two key services: network access and device administration.

How does the AAA device access and operate in the network?

AAA authenticates a user attempting to log in to a device through Console, SSH, or Telnet. Because authentication happens once, but authorization decisions are made for every action during a session to determine what a user is allowed to do.

What is the importance of AAA in network access?

In network access, users are identified by AAA, and access is provisioned or refused based on policies. The two main types of authentication protocols include TACACS+ and RADIUS. While the RADIUS protocol is used for the authentication and authorization of network users, TACACS+ is the preferred choice for administrative users.

What is the use of TACACS+ for Cisco?

TACACS+ is a Cisco protocol that allows for authentication and reauthorization of account parameters within a session on the device. It works on TCP port 49 and provides fine-grained control over user activity to the network devices. TACACS+ is a Cisco-developed protocol that is typically no longer used for network access. It is best suited for device administration.

How is the TACACS+ authentication process?

When performing device administration, users must first authenticate to gain access to the administrative interface. Administrators attempt to access a network device via the device serial port, Telnet, Secure Shell (SSH,) or HTTPS GUI. The network device acts as an AAA client. It gathers user credentials and relays them to the AAA server, using the TACACS+ protocol.

The AAA process with TACACS is as follows:

1. Assuming acceptable credentials are provided, the user is authenticated.

2. Each command the user enters is subject to authorization by the AAA server.

3. Accounting functionality is used to provide an audit log for commands that are executed on devices.

It involves START, REPLY, and CONTINUE messages. (The client starts with START, and the server sends REPLY to ask for credentials, and the client responds with CONTINUE). The server afterward responds with a REPLY saying ACCEPT, REJECT, or ERROR.

How does TACACS+ do Authorization and accounting?

Once authenticated, the client seeks authorization by sending a REQUEST message. The server replies with a RESPONSE (whether to allow or refuse access to commands or services). Activity is logged within accounting for auditing/reporting.

The authentication and authorization flow for a user with one authentication and two authorization processes is as follows:

1. Authentication: Verify that the authenticated user can access the command environment.

2. Shell Authorization – Verify which EXEC level the user should be granted.

3. Command Authorization – If enabled, verify that the user is authorized to execute each command that is parsed through the command environment.

TACACS+ also performs accounting for each authentication event, as well as accounting for each command that is authorized. With TACACS+ command accounting, you will have a record for each command that was entered, and which administrator issued that command in the ISE monitoring database. This command history is searchable with the reporting features in Cisco ISE and helps meet certain organizational compliance standards.

Comment

You are will be the first.

Please login here to comment.

EMAIL SUPPORT

LOCATION

AAA Fundamentals