
AAA Services


didina

Presentation Transcript


  1. AAA Services
     • Authentication
       • Who?
       • Management of the user's identity
     • Authorization
       • What can the user do?
       • Management of the granted services
     • Accounting
       • What did the user do?
       • Logging of activities and auditing

  2. Uses of AAA
     • Two modes:
       • Character mode access: AAA services are used to control administrative access, such as Telnet or console access to network devices.
       • Packet mode access: AAA services are used to manage remote user network access, such as dial-up clients or VPN clients.
     Network Security

  3. Cf. alternative methods to AAA
     • Examples:
       • Password-based authentication
       • Challenge-response authentication
     • Incomplete access management
       • Limited to authentication only

  4. Local vs Centralized Databases in AAA

  5. Authentication Protocols in AAA
     • RADIUS vs TACACS+
     • RADIUS
       • Remote Authentication Dial In User Service
       • An IETF standard (RFC 2865)
       • Open-source software
       • Interoperability among RADIUS-based products
       • Client/server authentication between a NAS (e.g., a router) and a RADIUS server
       • A shared secret between the client and the server
       • Runs on UDP (port 1812 for authentication and authorization; port 1813 for accounting)

  6. RADIUS
     • RFC 2865 (2000): http://www.ietf.org/rfc/rfc2865.txt

  7. The Authenticator field
     • Request Authenticator
       • The authenticator in Access-Request packets
       • Requirements: the value SHOULD be unpredictable and unique over the lifetime of a shared secret.
       • Repetition of a request value in conjunction with the same secret would permit an attacker to reply with a previously intercepted response.
     • Response Authenticator
       • The authenticator in Access-Accept, Access-Reject, and Access-Challenge packets
       • ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)

  8. RADIUS
     • http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
     • Example clients: router, switch, PIX/ASA, VPN 3000
     • The Access-Request contains the username, the encrypted password, the NAS IP address, the NAS port number, and session information.

  9. RADIUS authentication
     • Note: both authentication and authorization information are combined in a single Access-Request packet.
     • Upon receiving an Access-Request, the RADIUS server:
       • Validates the shared secret
       • Validates the username and password; if not validated, sends an Access-Reject response
       • Authorizes the user; if authorization fails, sends an Access-Reject response; otherwise, sends an Access-Accept response

  10. Security mechanisms in RADIUS
     • Shared secret between the client and the server
     • In the Access-Request packet, the password is encrypted:
       MD5(shared secret + Request Authenticator) XOR the first 16 octets of the password
       → 16-octet encrypted password
     • Q: How would the RADIUS server authenticate the encrypted password?
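The following is an added Python example, not part of the slides, that works through slides 7 and 10: the RFC 2865 User-Password hiding (including the chaining for passwords longer than 16 octets, which the slide omits), the server-side recovery that answers the slide's question, the Response Authenticator computation, and a server-side uniqueness check on the Request Authenticator. The shared secret, password and NAS address are constructed values.

```python
import hashlib
import struct

# Constructed shared secret; the value is arbitrary and not from the slides.
SECRET = b"example-shared-secret"

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2 User-Password hiding (slide 10). The password is padded
    with NULs to a multiple of 16 octets; chunk 1 is XORed with
    MD5(secret + RequestAuth), each later chunk with MD5(secret + previous
    ciphertext chunk)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden, prev = hidden + chunk, chunk
    return hidden

def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side (the slide's question): recompute the same keystream from
    the shared secret and Request Authenticator, XOR it back, drop the NUL
    padding, then compare with the stored credential."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, length: int, request_auth: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """Slide 7: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    The NAS recomputes this over the reply and discards it on mismatch."""
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + request_auth + attributes + secret).digest()

class ReplayGuard:
    """Server-side check for the slide-7 requirement that a Request Authenticator
    be unique per shared secret: a repeat from the same NAS is rejected."""
    def __init__(self) -> None:
        self.seen = set()

    def accept(self, nas_ip: str, request_auth: bytes) -> bool:
        key = (nas_ip, request_auth)
        if key in self.seen:
            return False
        self.seen.add(key)
        return True
```

The keystream for the first 16 octets depends only on the secret and the Request Authenticator, which is why the RFC requires that value to be unique; ReplayGuard makes that requirement enforceable on the server.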

  11. TACACS+
     • TACACS: Terminal Access Controller Access Control System
     • A Cisco proprietary client/server authentication protocol
     • A shared secret between the client and the server
     • Can encrypt the entire body of the packet (as indicated by the flags field)
     • Runs on TCP

  12. TACACS+
     • http://tools.ietf.org/html/draft-grant-tacacs-02

  13. TACACS+
     • Example interactions: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml

  14. TACACS+ vs RADIUS
     • Shared:
       • Client/server based
       • Authentication between a NAS and an authentication server
       • Shared secret
     • Differences?

  15. TACACS+ vs RADIUS
     • Source: http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/High-Level+Comparison+of+RADIUS+TACACS+and+Diameter/
