Foundation Summary
The "Foundation Summary" is a condensed collection of material for a convenient review of this chapter's key concepts. If you are already comfortable with the topics in this chapter and decided to skip most of the "Foundation Topics" material, the "Foundation Summary" will help you recall a few details. If you just read the "Foundation Topics" section, this review should help further solidify some key facts. If you are doing your final preparation before the exam, the "Foundation Summary" offers a convenient and quick final review.
Table 4-8. AAA Terminology

| Attribute | Meaning |
| --- | --- |
| Authentication | Who are you? A remote user must be authenticated before being permitted access to network resources. Authentication allows users to submit their usernames and passwords, and permits challenges and responses. Username/password pairs are a common form of authentication. |
| Authorization | What resources are you permitted to use? Once the user is authenticated, authorization defines what services in the network the user is permitted access to. The operations permitted here can include IOS privileged EXEC commands. |
| Accounting | What resources were accessed, at what time, and by whom, and what commands were issued to access them? Accounting allows the network administrator to log and view what was actually performed; for example, if a Cisco router was reloaded or the configuration was changed. Accounting ensures that an audit will enable network administrators to view what was performed and at what time. |
Table 4-9. RADIUS Summary

| Feature | Meaning |
| --- | --- |
| UDP | Packets sent between clients and servers are UDP primarily because TCP's overhead does not allow for significant advantages. Typically, the user can wait for a username/password prompt. |
| UDP destination port | Early deployments of RADIUS used UDP ports 1645 and 1646. The officially assigned port numbers are 1812 and 1813. |
| Attributes | Attributes are used to exchange information between the NAS and client. |
| Model | Client/server-based model in which packets are exchanged in a unidirectional manner. |
| Encryption method | The password is encrypted using MD5; the username is not encrypted. RADIUS encrypts only the password in the access-request packet, sent from the client to the server. The remainder of the packet is in clear text. A third party could capture other information, such as the username, authorized services, and accounting information. |
| Multiprotocol support | Does not support protocols such as AppleTalk, NetBIOS, or IPX. IP is the only protocol supported. |
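The "Encryption method" row can be checked byte by byte. The following is an added example, not code from the book: it builds an access-request using the User-Password hiding scheme of RFC 2865 (MD5 of the shared secret chained over 16-byte blocks) and shows that the username stays readable while the password does not. The username, password, and shared secret are constructed sample values.

```python
import hashlib
import os
import struct

def hide_password(password, secret, authenticator):
    """RFC 2865 sec. 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to a 16-byte multiple
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: regenerate the same MD5 pads and undo the XOR."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attribute(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value   # type, length, value

def build_access_request(user, password, secret, ident=1):
    authenticator = os.urandom(16)                       # Request Authenticator
    # Attribute 1 = User-Name (sent as-is), attribute 2 = User-Password (hidden)
    attrs = attribute(1, user) + attribute(2, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))   # code 1 = Access-Request
    return header + authenticator + attrs

def parse_attributes(packet):
    attrs, pos = {}, 20                                  # attributes follow the 20-byte header
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    pkt = build_access_request(b"alice", b"correct horse battery", b"constructed-secret")
    print("username visible:", b"alice" in pkt, "password visible:", b"correct horse" in pkt)
```

Anyone who captures the packet and knows or guesses the shared secret can run the server-side function, so the strength of the shared secret is what protects the password in transit.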
Table 4-10. TACACS+ Summary

| Feature | Meaning |
| --- | --- |
| TCP | Packets sent between client and server are TCP. |
| TCP destination port | Port 49. |
| Attributes | Packet types are defined in TACACS+ frame format as follows: Authentication 0x01 |
| Seq_no | The sequence number of the current packet flow for the current session. The Seq_no starts with 1, and each subsequent packet increments by one. The client sends only odd numbers. TACACS+ servers send only even numbers. |
| Encryption method | The entire packet is encrypted. Data is encrypted using MD5 and a secret key that matches both on the NAS (for example, a Cisco IOS router) and the TACACS+ server. |
| Multiprotocol support | Supports protocols such as AppleTalk, NetBIOS, or IPX. IP-supported only. |
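The Seq_no and "Encryption method" rows work together, as this added example shows (it is not code from the book). It follows the body-obfuscation scheme documented in RFC 8907: an MD5-derived pad, seeded with the session ID, shared key, version, and sequence number, is XORed over the body, while the 12-byte header stays in clear text. The session ID, key, and body bytes are constructed placeholders, not real TACACS+ body formats.

```python
import hashlib
import struct

VERSION = 0xC0       # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01   # "Authentication 0x01" from Table 4-10

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_packet(session_id, seq_no, body, key, from_client):
    # Clients may only send odd sequence numbers, servers only even ones.
    if not 1 <= seq_no <= 255 or (seq_no % 2 == 1) != from_client:
        raise ValueError("client packets use odd seq_no, server packets even")
    header = struct.pack("!BBBBII", VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))   # header stays clear text

def open_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if length != len(packet) - 12:
        raise ValueError("length field does not match body size")
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    body = bytes(c ^ p for c, p in zip(packet[12:], pad))
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body}

if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample values
    request = build_packet(0x1A2B3C4D, 1, b"constructed request body: alice", key, True)
    reply = build_packet(0x1A2B3C4D, 2, b"constructed reply body: pass", key, False)
    for pkt in (request, reply):
        print(pkt[:12].hex(), pkt[12:].hex(), open_packet(pkt, key)["body"])
```

Because the sequence number feeds the pad, the request and the reply in one session are masked with different byte streams even though the key and session ID are the same.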
Table 4-11. RADIUS Versus TACACS+

| | RADIUS | TACACS+ |
| --- | --- | --- |
| Packet delivery | UDP | TCP |
| Packet encryption | Encrypts only the password in the access-request packet from the client to the server. | Encrypts the entire body of the packet, but leaves a standard TCP header. |
| AAA support | Combines authentication and authorization. | Uses the AAA architecture, separating authentication, authorization, and accounting. |
| Multiprotocol support | None. | Supports other protocols, such as AppleTalk, NetBIOS, and IPX. |
| Router management | Can pass a privilege level down to the router, which can then be used locally for command authorization. | Enables network administrators to control which commands can be executed on a router. |
Table 4-12. Encryption Methods

| Encryption Method | Description |
| --- | --- |
| Data Encryption Standard (DES) | A block cipher algorithm, which means that it performs operations on fixed-length data streams. Uses a 56-bit key to encrypt 64-bit datagrams. DES is a published, U.S. government-approved encryption algorithm. |
| Triple DES (3DES) | A variant of DES that iterates three times with three separate keys (encrypts with one 56-bit key, decrypts with another 56-bit key, and then encrypts with another 56-bit key). Three keys are used to encrypt data, resulting in a 168-bit encryption key. |
| Advanced Encryption Standard (AES) | A new standard that replaces DES. Encryption key lengths are 128, 192, and 256 bits. |
Table 4-13. IKE Phase I/II

| Phase | Tasks |
| --- | --- |
| IKE phase I | Authenticates IPSec peers; negotiates matching policy to protect IKE exchange; exchanges keys using Diffie-Hellman; establishes the IKE security association |
| IKE phase II | Negotiates IPSec SA parameters by using an existing IKE SA; establishes IPSec security parameters; periodically renegotiates IPSec SAs to ensure security and that no intruders have discovered sensitive data; can also perform optional additional Diffie-Hellman exchange |
Table 4-14. IPSec Terminology

| Term | Meaning |
| --- | --- |
| Internet Key Exchange (IKE) | A protocol that provides utility services for IPSec, such as authentication of peers, negotiation of IPSec SAs, and encryption algorithms. |
| Security association (SA) | A connection between IPSec peers. An SA is unidirectional, and two SAs are required to form a complete tunnel. |
| Message Digest 5 (MD5) | A hash algorithm (128 bit) that takes an input message (of variable length) and produces a fixed-length output message. IKE uses MD5 or SHA-1 for authentication purposes. |
| Secure Hash Algorithm (SHA-1) | A hash algorithm (160 bit) that signs and authenticates data. |
| RSA signatures | RSA is a public-key encryption system used for authentication. Users are assigned both private and public keys. The private key is not available to the public and is used to decrypt messages created with the public key. To have a signature validated, you need to have a CA sign the public key, making it a certificate. |
| Certificate Authority (CA) | A trusted third party whose purpose is to sign certificates for network entities it has authenticated. |
| Authentication Header (AH) | Used to authenticate data. AH provides data origin authentication and optional replay-detection services. |
| Encapsulating Security Payload (ESP) | ESP (transport mode) does not encrypt the original IP header, and only encrypts the IP data by placing a header in between the original IP header and data. ESP (tunnel and transport modes) provides data confidentiality, data integrity, and data origin authentication. |
| Diffie-Hellman (DH) | Algorithm that is used to initiate and secure the session between two hosts, such as routers. |
| Advanced Encryption Standard (AES) | A new encryption standard that is considered a replacement for DES. The U.S. government made AES a standard in May 2002. AES provides key lengths of 128, 192, and 256 bits. |
Table 4-15. Enabling TKIP on an Access Point

| Step | Action |
| --- | --- |
| Step 1 | Enter global configuration mode: configure terminal |
| Step 2 | Enter interface configuration mode for the radio interface: interface dot11radio 0 |
| Step 3 | Enable WEP, MIC, and TKIP: encryption [vlan vlan-id] mode wep {optional [key-hash] \| mandatory [mic] [key-hash]} |