AAA Questions
Question 1
Explanation
AAA security provides the following services:
+ Authentication – Identifies users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption.
Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, which is based on the user ID and password combination provided by the entity trying to access the Cisco NX-OS device. Cisco NX-OS devices allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
+ Authorization – Provides access control.
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in the Cisco NX-OS software is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
+ Accounting – Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.
In conclusion, authorization specifies which resources the users are allowed to access.
Question 2
Explanation
In the “aaa authentication login login radius local” command, the first “login” is a keyword which authenticates users who want exec access into the access server (tty, vty, console and aux). The second “login” is a list name. “radius local” part indicates the RADIUS authentication should be used first. If the RADIUS server does not reply then use the local database to authenticate.
Question 3
Question 4
Explanation
Method lists are specific to the authorization type requested:
+ Auth-proxy – Applies specific security policies on a per-user basis. For detailed information on the authentication proxy feature, refer to the chapter “Configuring Authentication Proxy” in the “Traffic Filtering and Firewalls” part of this book.
+ Commands – Applies to the EXEC mode commands a user issues. Command authorization attempts authorization for all EXEC mode commands, including global configuration commands, associated with a specific privilege level.
+ EXEC – Applies to the attributes associated with a user EXEC terminal session.
+ Network – Applies to network connections. This can include a PPP, SLIP, or ARAP connection.
+ Reverse Access – Applies to reverse Telnet sessions.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named “default”). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, local authorization takes place by default.
Question 5
Explanation
For 802.1x port-based authentication, the Remote Authentication Dial-In User Service (RADIUS) security system with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server version 3.0. RADIUS operates in a client/server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.
Question 6
Explanation
The console port is authenticated with NO_AUTH list. But this list does not contain any authentication method (it uses “none”) so no authentication is required when connecting to the console port.
Question 7
Explanation
The VTY line can be accessed via Telnet and SSH by default. It is authenticated by “default” list which is defined with the “aaa authentication login default group radius local line” command. Therefore users who access via Telnet or SSH are authenticated via RADIUS first, then local database and finally line VTY password.
Note: The “group” keyword provides a way to group existing server hosts. The feature allows the user to select a subset of the configured server hosts and use them for a particular service. Therefore we can understand “group radius” here means “some pre-defined radius servers”.
Question 8
Explanation
You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.
When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:
+ Single host mode—Port security learns the MAC address of the authenticated host.
+ Multiple host mode—Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.
If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.
The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.
If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.
Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit.
Question 9
Question 10
Explanation
The client/server packet exchange consists primarily of the following types of RADIUS messages:
+ Access-Request – sent by the client (NAS) requesting access
+ Access-Reject – sent by the RADIUS server rejecting access
+ Access-Accept – sent by the RADIUS server allowing access
+ Access-Challenge – sent by the RADIUS server requesting more information in order to allow access. The NAS, after communicating with the user, responds with another Access-Request.
When you use RADIUS accounting, the client and server can also exchange the following two types of messages:
+ Accounting-Request—sent by the client (NAS) requesting accounting
+ Accounting-Response—sent by the RADIUS server acknowledging accounting
Reference: http://www.cisco.com/c/en/us/td/docs/net_mgmt/access_registrar/1-7/concepts/guide/radius.html
Question 11
Question 12
Explanation
“aaa authentication login” specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define:
aaa authentication login {default | list-name} group {group-name | radius | tacacs+} [method 2…3…4] |
Two of the methods are:
+ “local-case” which uses case-sensitive local username authentication
+ “if-authenticated” which allows the user to access the requested function if the user is authenticated.
Note: The purpose of “if-authenticated” method here is where the router can not communicate with the TACACS server the router will authenticate the user and then the router will say the user is authorized (because he was previously authenticated) and the user login is successful.
Let’s find out the meaning of the command “aaa authentication login default group tacacs+ local-case if-authenticated”. It means that to authenticate to this router for logins use the default group which is tacacs+. If tacacs+ fails then use the local user account configured on the router (make sure you have a local user configured on your router).
Notice the “if-authenticated” keyword at the end of this line. This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.
Q12.
There is a typo in there as the ‘if-authenticated’ argument is only supported for authorization purposes, NOT authentication as suggested.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a1.html