WEBVTT

0:00:03.000000 --> 0:01:35.720000
Hello and welcome to this video titled, Securing Switch Access with AAA. In this video, we're going to talk about just some high-level principles of securing network devices in general, and then we're going to focus specifically on management plane protection. I'm going to define for you what AAA stands for as an acronym, and then I'm going to break down the various components that go into making up a AAA solution. Real quickly, I'm going to go over some design guidelines, really some questions that you would need to ask and answer before implementing AAA. Talk real briefly about the protocols involved in a AAA solution, and I'm going to real quickly at the end show you a sample configuration of AAA with a local fallback username and password. So let's talk about securing network devices. When it comes to securing network devices, we can think of networking devices as having three planes of existence. You've probably heard this before. The data plane, the control plane, and the management plane. So let's break down each one of these. So the data plane would be considered those databases and tables that data actually hits, tables and structures that are referenced to actually forward data. So for example, your routing table would reside within the data plane.

0:01:35.720000 --> 0:02:54.000000
Data can't pass through a router without looking in the routing table first. In a switch, the MAC address table would be part of the data plane. Anything that actually talks to the data and helps the data get going where it needs to go is part of the data plane. Now the control plane, as you can see here, is the path through which devices learn information. So if you think about whatever background task or process is populating those databases, for example, is populating the routing table or populating the MAC address table, those background processes would reside in the control plane. So for example, your routing protocols. You need your routing protocols to learn things to populate the routing table. That would be part of the control plane traffic. And then we have the management plane. These are the data structures and tables and logical entities that exist to give you access to the command line or the GUI of a router, switch or access point. So for example, the command line itself is in the management plane. Telnet and SSH capability in a router or switch is part of the management plane. It's allowing you to manage the switch or router. If that switch or router has embedded HTTP server functionality, so it can serve up a GUI, that would be part of the management plane.

0:02:54.000000 --> 0:04:12.420000
So in this video, we're going to be talking specifically about management plane protection with regards to AAA. So clearly, management plane protection is critical. If some unauthorized person has access to the management plane of your router, switch, firewall, access point, whatever, now they can completely screw it up. They can just wreak havoc on your configuration and make that thing completely unusable. So we want to protect our devices so that only authorized users can actually get access to the command line, as an example. So we want to secure the command line and web access to our routers and switches. There's two high level ways to do this. There are physical controls that you can implement and there are logical controls you can implement. Let's just real briefly touch on some of the physical controls that you can do. A physical control is something like placing a device in a locked wiring closet or in a locked data center that has badge access only. Placing something inside of a locked cage or rack. Use of video surveillance. These are all things that you can physically put into place with your hands to try to lock down or prevent unauthorized users from getting to the management plane of your device.

0:04:12.420000 --> 0:05:33.220000
Now, even if they bypass all of that, now we have our logical controls that we can put in place. For example, password protection. There's various different places you can put passwords on routers and switches and firewalls so that only authorized people can access them. Where's the password going to be stored? Well, it could be stored locally on the device right there. We call that the local database. We could store it externally on some Active Directory server or maybe a AAA server or something of that nature. Also, there's CLI privilege levels. Even if somebody gets a hold of a password, maybe we've got it set up where only certain commands are privileged at that level. So if someone types in a password, maybe they only have access to some rather innocuous commands that won't allow them to really hurt the device, where we have another set of usernames and passwords that have more privilege, with more access to commands. We can even restrict source addresses, so if people are trying to access the management plane remotely using SSH or Telnet, we can say, hey, we're only going to allow incoming SSH and Telnet based on certain source IP addresses. So we're going to focus now on AAA. What is AAA?

0:05:33.220000 --> 0:06:49.720000
Well, clearly it's an acronym and it stands for authentication, authorization, and accounting. Each of these are three pieces or components to securing the management plane. Now, AAA is what's called a client-NAS-server architecture. There's three players in the world of AAA to make all this work. And I'm going to show you in just a moment a graphic of what that looks like. And like I said, it's typically used to secure management access. Now, in addition to that, so we can see here, if a client wants CLI access to a network device, AAA is a great way of saying, okay, prove to me your credentials first; if you're authorized, then I'll let you in. Now, AAA can also be used to secure the data plane. So as an example, someone could connect to a network layer device like an access point or a switch. And then before we give them access to the rest of the network, before we actually allow their packets to go into that device and up to the Internet, we could first stop them and authenticate and authorize them with AAA. And if they're authenticated and authorized, then their packets are allowed through. So in that particular case, they're not trying to get management plane access. They don't care about getting access to the CLI. They just want to use this device to get their packets through.

0:06:49.720000 --> 0:08:05.620000
AAA could control that as well. So an example of doing that would be something called 802.1X. Now remember how I said that AAA up at the top there is a client-NAS-server architecture? What does that mean? Well, this slide shows that. So in a AAA architecture, the client, like it shows you here, is the end host who's trying to get access. Now, in this video, we're going to focus exclusively on a client who's trying to get access to the management plane. They're trying to get access, for example, to the Cisco IOS command line so they can start issuing commands. So you've got your client on the left there, and that client could be trying to get access via a wired connection or a wireless connection. The next component in this architecture is the NAS, which stands for the network access server. So think of it in these terms. The network access server is the first device which can give access to the network from the client's perspective. So for example, here, it could be, it's most likely going to be a physical switch if we're talking about a hard-wired connection. It could also, on the bottom, be a wireless access point if we're talking about Wi-Fi.

0:08:05.620000 --> 0:09:24.660000
Or, less likely but certainly possible, a client could connect directly to a router's interface. In either case, all three of those devices are acting as network access servers. So in a AAA architecture, the network access server is the first and primary line of defense. So when the client first tries to get access to the management plane, the network access server will say, hold on, prove to me who you are. Give me your AAA credentials. Then once those AAA credentials are obtained by the NAS, what's he going to do? Well, he's not going to validate them himself. He's going to offload those credentials to the third component of AAA, which is the authentication server, which is the far server on the right, right there. So now let's just go into a little bit more detail about those three different components of AAA. Let's start with authentication. So this is clearly verifying the credentials of the client. So if there's any component of AAA you would definitely want to do, it's this. Which leads me into my next topic, which is that you don't necessarily, as a network administrator or a network engineer, you're not forced to use all three elements of AAA. Remember, AAA stands for authentication, authorization, and accounting.

0:09:24.660000 --> 0:10:39.640000
99% of the people, when they implement AAA, will implement authentication and authorization. A lot of them will implement accounting. Accounting a lot of times is optional, but authentication is pretty much a must; otherwise AAA won't do you any good. So authentication, like it says here, does not determine what the client is allowed to do or not do. This is just used to determine who the client is. Is the client somebody we already know, with a well-known username and password? So it says here, there's many different methods to facilitate authentication. Username and password is very, very common. We can get a little bit more fancy by using digital certificates, or for static devices, for example, like a network-based printer or something that can't respond to either one of those two things, we could authenticate it simply based on, like, a MAC address. So that's the high level of authentication. Then we have authorization, which is about, okay, now that you've proven yourself to me, now that you've given me a valid username and password or a valid digital certificate, what are you actually authorized to do? Are you actually authorized to get access to the management plane?

0:10:39.640000 --> 0:12:01.220000
If you are, are you allowed access to all of the management plane or only certain commands? And in addition to this, authorization can be used for a lot of other different purposes in AAA as well. For example, we could authorize you to have basic network access or not. We could authorize you to have availability to the command line or not. Put you in a dynamic VLAN, not based on where you are, but based on who you are. Dynamic QoS policies and dynamic access lists, all of these could be dynamically downloaded from the AAA authentication server to the network access server, which is the router, the switch, the access point. And then the third component of AAA is of course accounting. This is the gathering of statistics. So the information that's gathered might be the identity of users, the types of services that were delivered. Did we give them regular Ethernet service? Did we give them PPP service? What kind of service? Time stamps of when the services began and ended. So this is particularly useful in a situation when you are a service provider or you are an ISP and maybe your billing is directly tied to these types of statistics that you want to gather. All right, so you say to yourself, hey, AAA sounds pretty good.

0:12:01.220000 --> 0:13:16.440000
I think I want to start using that. All right, well, there's a variety of questions that you have to answer ahead of time, which will determine how you implement AAA. And that gets into this topic right here, so there's some design guidelines. So this is just going to be a series of questions that you need to answer for yourself that will guide you along the path of how you implement this whole thing. So number one, will you need to implement all three components of AAA? Do you need all three or just need one or two? Which protocol is best suited for your environment? RADIUS or TACACS+? We're going to talk about those in just one moment, but they both have their distinctive pros and cons and you'll have to choose one over the other. Just to give you a high level overview of it real quickly, when the client provides his or her credentials to the network access server, remember, that's another term for the router, switch or access point, it's RADIUS or TACACS+ that will take those credentials from the router, switch or access point and pass them along to the AAA authentication server. So RADIUS or TACACS+ will be carrying that information. How do you want to implement it on your networking devices? Are you going to have a network device that requires the CLI?

0:13:16.440000 --> 0:14:24.580000
Is a network device primarily driven via a GUI? If it is, do you know what menus and what drop-down items and what checkboxes you have to do to get AAA working? You're going to have to implement a AAA server, an authentication server. So which server-level application is best for your needs? You can go with something absolutely free, like FreeRADIUS as an example, or maybe you want to pay a little bit of money for someone's proprietary solutions, like Cisco Secure ACS or Cisco's Identity Services Engine. And of course, there are others as well. And lastly, where are you going to store those credentials? Are you going to store them directly or locally on the AAA server, or will you have another server, like an Active Directory server or something, that has that information? All right, so let's go back up to RADIUS and TACACS+ and take a look at both of those. So remember, if we go back to this picture right here, notice where this is taking place. This is the protocol that takes place between the NAS and the AAA server. The client, he's not doing RADIUS or TACACS+. The client has no knowledge of that.

0:14:24.580000 --> 0:15:53.100000
The client is just handing off his credentials, probably username and password, and then that in turn is sort of packaged by the NAS into a TACACS+ or RADIUS packet. So now we're going to look at what's the difference between TACACS+ and RADIUS. They both have their pros and their cons. And so let's look at those. Let's start out with TACACS+. So we can see here what it stands for. Good luck memorizing that. But you can see, TACACS+ was primarily designed to control people who were trying to access the management plane of a networking device. So that is its real strength, which is what we're talking about here in this video. So remember, AAA at a real high level can be used for two basic things. You can use it to control when someone's trying to get access to the command line. TACACS+ was designed really well for that. Or you can use AAA when someone's just trying to get onto your network in general and control, are they allowed on the network? And if they are, what are they allowed to do on the network? Now, TACACS+ can also be used for that, but that wasn't why it was invented. That wasn't its primary purpose. You can see, TACACS+ carries all three components of AAA: authentication, authorization, and accounting.

0:15:53.100000 --> 0:17:04.680000
Now, notice this is Cisco proprietary. So if you're going to be doing TACACS+, whatever authentication server you get will have to be a Cisco authentication server, and it does establish a TCP connection between the NAS and the server on TCP port 49. And it considers authentication, authorization, and accounting as separate processes, which means it gives you the flexibility to use TACACS+ as a protocol for any one of those three or all of those three. You could say, hey, I want to have TACACS+ carry my authentication, my authorization, and my accounting information. Or you could say, well, I'm just going to use TACACS+ for my authorization and accounting, and I'm going to use some completely different authentication protocol like Kerberos that we see right here. And last high level thing, all the packets are encrypted between the AAA client and the server. That's probably one of the biggest benefits of TACACS+, is if someone was in between the network access server, the switch, the router, and the authentication server, because in reality, those two guys are not going to be directly connected. There's probably going to be several routers in between.

0:17:04.680000 --> 0:18:30.240000
If someone was in between there and was able to capture your TACACS+ traffic in, like, Wireshark or something, it wouldn't really do them much good because it would be encrypted. However, like it says, the downside to this is it is Cisco proprietary. So if you want to go with a free solution, which a lot of people do, you're going to want to go with RADIUS, which stands for the Remote Authentication Dial-In User Service. So just like TACACS+, this was designed to carry authentication, authorization, and accounting information, and this is a standard. This is an IETF protocol. Right there, you can see the original RFC if you ever want to dig it up and look into some of the specifics of how it works. Now, this bundles authentication and authorization. You cannot split those two apart. And unlike TACACS+, think of the T in TACACS+ and TCP port 49, RADIUS has a U in it. It's carried by UDP. When RADIUS was first invented, it used UDP port numbers 1645 and 1646. So 1645 was the port that was used to carry back and forth authentication and authorization information. 1646 was used for accounting. And then at some point in time, many, many years ago, they decided to change the port numbers and they upgraded to 1812 and 1813.

0:18:30.240000 --> 0:19:42.620000
And with UDP, I should say with RADIUS, only the password is encrypted between the AAA clients and the server, not the entire packet. All right, so the last thing I want to show you here. The primary intent of this video was just to introduce you to these AAA concepts of what the acronym means, give you a little bit more information about what is different between authentication, authorization, and accounting, and give you a little high-level overview of the differences between TACACS+ and RADIUS, and where all this fits in the client-NAS-server architecture. I'm not really going to go into the details of how to configure this. However, I will show you here just a real brief configuration example. So if you ever see this on a router or switch, you can somewhat parse your way through it. Now, in Cisco devices, most AAA commands are not enabled by default. As a matter of fact, if you try to type them in, the command will show as unrecognized. So the very first thing you have to do is type in aaa new-model, like you see up at the top there. Without that command, all the other commands will essentially be hidden and inaccessible.

0:19:42.620000 --> 0:21:06.160000
Secondly, even though the AAA server will probably have the usernames and passwords of all your hundreds or thousands of clients on it, in the event that that server becomes unreachable, you still want maybe a handful of usernames and passwords locally configured on the router or switch itself. Because after all, that router or switch is even going to be authenticating you as the network administrator when you try to get onto it. So there's nothing more frustrating than trying to get access to the command line of a router or switch that is rightfully yours, that you should rightfully manage, but because the AAA server is down, it doesn't have the ability to authenticate you. So we see here we've configured a local username and password of Bob and admin. Now step number two is we have to tell the NAS, which in this case is our router or switch, we have to say, hey, I want you to use TACACS+ or I want you to use RADIUS, and over here is the server I want you to go to. So we have to give him the IP address of the server, and there's going to be a password that's shared between the NAS and the authentication server. The authentication server is not just going to sit back and allow any old router or switch to say, hey, can you authenticate this user I've got for me?

0:21:06.160000 --> 0:22:24.740000
Only valid, authorized NASs are allowed to talk to the AAA server. And so here's how we do that. In this particular case, we're creating some AAA groups, some RADIUS server groups. These are named groups. You can see here the very first named group is called building one, and we're saying, hey, for the RADIUS server here, the RADIUS server is IPv4, here is his IP address. We're just going to use the default port numbers, and the password to talk to that guy is Cisco. Oh, and if that RADIUS server fails, if he's completely non-responsive, maybe we want to roll over to another RADIUS server. So we're defining another one in building two. It's got a different IP address, different key. Now the next step is we actually have to tell AAA, hey, I want you to use these servers, and we have to tell AAA, what exactly are you going to authenticate? Are you going to authenticate people who are logging in on the console? Are you going to authenticate people who are trying to SSH or Telnet in? And so here we see that. So now here, we take these two separate servers and we bundle them together into a group called Southwest Campus or SW Campus.

0:22:24.740000 --> 0:23:37.580000
Now this is optional, you don't have to do this, we could have just had one server, but this way we've got a group called SW Campus with our building one and building two servers. And then the last thing is here's where we actually enable AAA. We say, okay, AAA, I want you to do authentication. Who do I want you to authenticate? I want you to authenticate anyone who's trying to log in, who's trying to access the command line of this router or switch. All right, so when someone logs in, I want you to run this named authentication method called Campus. I've just called it Campus. And when you run Campus, I want you to try to authenticate them against the group of AAA servers in the Southwest Campus group. Now, if you try to reach out to those servers and both of them are completely unresponsive, then fall back to a local username and password, which in this case we only have one, Bob with a password of admin. So that concludes this video on an overview and introduction to AAA. Thank you for watching.
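The configuration the speaker walks through at the end (aaa new-model, a local fallback user, two RADIUS servers, the SW Campus group, and the Campus login method) is reconstructed below as an added example; it is not the slide from the video. The names Bob/admin, building one, building two, SW Campus, Campus and the shared key Cisco are the ones the speaker mentions; the two server addresses and the second server's key are placeholders because the video does not state them, the group name is written SW-Campus because IOS names cannot contain spaces, and the command syntax is the standard Cisco IOS named-server form.

```cisco
! Added example reconstructing the video's walkthrough; not the video's own slide.
! Step 1: unlock the AAA command set. Without this, the AAA commands below are
! rejected as unrecognized.
aaa new-model
!
! Step 2: local fallback account, used only when every RADIUS server is unreachable.
! The video describes "username Bob, password admin"; the "secret" form stores a
! hash of that password in the running config instead of the clear-text "password" form.
username Bob secret admin
!
! Step 3: define each RADIUS server: IPv4 address, the default ports the speaker
! mentions, and the key shared only with NASs the server trusts.
! 192.0.2.11 / 192.0.2.12 are placeholder addresses (not given in the video).
radius server building1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key Cisco
!
radius server building2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 ! the video only says "a different key"; this value is a placeholder
 key PLACEHOLDER-BUILDING2-KEY
!
! Step 4 (optional, as the speaker says): bundle both servers into one group so the
! NAS rolls over from building1 to building2 when the first stops responding.
aaa group server radius SW-Campus
 server name building1
 server name building2
!
! Step 5: the named login method "Campus": ask the SW-Campus group first, and only
! if no server in the group answers, fall back to the local username database.
aaa authentication login Campus group SW-Campus local
!
! Step 6: apply the method to the lines people log in on: remote SSH/Telnet (vty)
! and the console.
line vty 0 4
 login authentication Campus
line con 0
 login authentication Campus
```

Two points worth checking on a real device. First, the order of methods matters: with `group SW-Campus local`, the `local` method is consulted only when the RADIUS servers return no response at all; a reachable server that rejects the credentials ends the attempt, so a bad password does not fall through to Bob/admin. Second, `show aaa servers` shows whether each server is currently marked up or dead, and `test aaa group SW-Campus Bob admin new-code` exercises the server path from the NAS itself, which is a quicker way to confirm the shared key and reachability than locking yourself out of a vty session.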