cisco AAA 认证.ppt

AAA Model Authentication: Who are you? 你是谁 “I am user student and my password validateme proves it.” Authorization: What can you do? What can you access? 你能做什么？你能访问什么 “User student can access host serverXYZ using Telnet.” “Assign an IP address and ACL to user student connecting through VPN.” “When user student starts an EXEC session, assign privilege level 10.” Accounting: What did you do? How long and how often did you do it? 你做了什么？多久和你通常做些什么？ “User student accessed host serverXYZ using Telnet for 15 minutes.” “User student was connected to VPN for 25 minutes.” “EXEC session of user student lasted 20 minutes and only show commands were executed.” Router Access Modes AAA Protocols: RADIUS and TACACS+ RADIUS Authentication and Authorization The example shows how RADIUS exchange starts once the NAS is in possession of the username and password. The ACS can reply with Access-Accept message, or Access-Reject if authentication is not successful. ACS能答复Access-Accept信息，如果认证没有成功发送Access-Reject信息 RADIUS AttributesRADIUS属性 RADIUS messages contain zero or more AV-pairs（属性参数对）, for example: User-Name User-Password (this is the only encrypted entity in RADIUS) CHAP-Password Service-Type Framed-IP-Address There are approximately 50 standard-based attributes (RFC 2865). 大约有50种基于标准的属性 RADIUS allows proprietary attributes. RADIUS允许私有的属性 Basic attributes are used for authentication purposes. 基本属性用于认证的意图 Most other attributes are used in the authorization process. 其他多数属性用于授权处理 RADIUS Features Standard protocol (RFC 2865) Standard attributes can be augmented by proprietary attributes: 标准的属性能够加入私有属性 Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS 厂商指定属性值26插件允许TACACS+属性在RADIUS上使用 Uses UDP on standard port numbers (1812 and 1813; Cisco Secure ACS uses 1645 and 1646 by default) 使用UDP标准的端口号1812和1813,但CISCO的ACS默认使用1645和1646 Includes only two security features: Encryption of passwords (MD5 encryption) 密码加密 Authentication of packets (MD5 fingerprinting)