AAA identity management security

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Santuka, Vivek, Author.
Contributor:
Banga, Premdeep, Contributor.
Carroll, Brandon, Contributor.
Language:
English
Subjects (All):
Computer networks--Security measures.
Computer networks.
Computers--Access control.
Computers.
Identification.
Authentication.
Genre:
Electronic books.
Physical Description:
1 online resource (xxiii, 443 p.) : ill.
Edition:
1st edition
Other Title:
Authentication, authorization, and accounting identity management security
Place of Publication:
[Place of publication not identified] Cisco Press 2011
Language Note:
English
System Details:
text file
Summary:
Cisco's complete, authoritative guide to Authentication, Authorization, and Accounting (AAA) solutions with CiscoSecure ACS. AAA solutions are very frequently used by customers to provide secure access to devices and networks. AAA solutions are difficult and confusing to implement even though they are almost mandatory. Helps IT Pros choose the best identity management protocols and designs for their environments. Covers AAA on Cisco routers, switches, access points, and firewalls.
This is the first complete, authoritative, single-source guide to implementing, configuring, and managing Authentication, Authorization and Accounting (AAA) identity management with CiscoSecure Access Control Server (ACS) 4 and 5. Written by three of Cisco's most experienced CiscoSecure product support experts, it covers all AAA solutions (except NAC) on Cisco routers, switches, access points, firewalls, and concentrators. It also thoroughly addresses both ACS configuration and troubleshooting, including the use of external databases supported by ACS. Each of this book's six sections focuses on specific Cisco devices and their AAA configuration with ACS. Each chapter covers configuration syntax and examples, debug outputs with explanations, and ACS screenshots. Drawing on the authors' experience with several thousand support cases in organizations of all kinds, AAA Identity Management Security presents pitfalls, warnings, and tips throughout. Each major topic concludes with a practical, hands-on lab scenario corresponding to a real-life solution that has been widely implemented by Cisco customers. This book brings together crucial information that was previously scattered across multiple sources. It will be indispensable to every professional running CiscoSecure ACS 4 or 5, as well as all candidates for CCSP and CCIE (Security or R and S) certification.
Contents:
Cover
Contents
Introduction
Chapter 1 Authentication, Authorization, Accounting (AAA)
Authentication Overview
Authentication Example
Authorization Overview
Authorization Example
Accounting Overview
Accounting Example
Overview of RADIUS
RADIUS in Detail
RADIUS Operation
RADIUS Encryption
RADIUS Authentication and Authorization
RADIUS Accounting
Overview of TACACS+
TACACS+ in Detail
TACACS+ Communication
TACACS+ Format and Header Values
Encrypting TACACS+
TACACS+ Operation
TACACS+ and Authentication
TACACS+ and Authorization
TACACS+ Accounting
Summary
Chapter 2 Cisco Secure ACS
Introduction to ACS
Overview
AAA Client-Server Framework
Cisco Secure Access Control Server Release 4.2 Characteristics and Features
Policy Model
Platform
Protocol Compliance
Features Available
Cisco Secure Access Control System Release 5.1 Characteristics and Features
Functions and Features
Installing Cisco Secure Access Control Server 4.2
Installing Cisco Secure Access Control Server for Windows 4.2
Installing Cisco Secure Access Control Server Solution Engine
Initial Setup of Cisco Secure Access Control System 5.1
Cisco Secure Access Control System Appliance 5.1
Installing Cisco Secure Access Control System 5.1
Installing Cisco Secure Access Control System 5.1 on VMware
Licensing Model of Cisco Secure Access Control System 5.1
Type of License
Base License
Add-on License
Evaluation License
Not-For-Resale (NFR) License
Common Problems After Installation
ACS Solution Engine Does Not Respond to Pings
No Proper Cisco Secure Access Control Server GUI Access
Remote Administration Access to Cisco Secure Access Control Server
ACS Folder Is Locked During Upgrade or Uninstall
TACACS+/RADIUS Attributes Do Not Appear Under User/Group Setup
Key Mismatch Error
ACS Services Not Starting
ACS 5.1 Install Failing on VMWare
Chapter 3 Getting Familiar with ACS 4.2
The Seven Services of ACS
CSAdmin
CSAuth
CSDBSync
CSLog
CSMon
CSRadius
CSTacacs
The Grand Tour of the ACS Interface
Administration Control
Securing Access to ACS
Network Configuration
Network Access Profiles
Interface Configuration
TACACS+ Settings
Advanced Options
User Setup: Managing Users
Customizing User Attributes
Group Setup: Managing User Groups
System Configuration
Shared Profile Components
External User Databases
Reports and Activity
Chapter 4 Getting Familiar with ACS 5.1
My Workspace
Welcome Page
Task Guide
My Account
Network Resources
Network Device Groups
Network Devices and AAA Clients
Default Network Device
External RADIUS Servers
Users and Identity Stores
Identity Groups
Adding a User in the Internal Identity Store
Adding a Host in the Internal Identity Store
Policy Elements
Session Conditions: Date and Time
Session Conditions: Custom
Session Conditions: End Station Filters
Session Conditions: Device Filters
Session Conditions: Device Port Filters
Access Policies
Service Selection Rules
Access Services
Creating an Access Service
Configuring Identity Policy
Configuring Authorization Policy
Creating Service Selection Rules
Monitoring and Reports
ACS 5.1 Command-Line Interface (CLI)
Chapter 5 Configuring External Databases (Identity Stores) with ACS
External Databases/Identity Stores
External Databases/Identity Stores in Cisco Secure Access Control Server 4.2
External Databases/Identity Stores in Cisco Secure Access Control System 5.1
Configuring Active Directory
Active Directory Configuration on Cisco Secure Access Control Server 4.2
Active Directory Configuration on Cisco Secure Access Control System 5.1
Configuring LDAP
LDAP Configuration on Cisco Secure Access Control Server 4.2
Domain Filtering
Common LDAP Configuration
Primary and Secondary LDAP Server
LDAP Configuration on Cisco Secure Access Control System 5.1
Configuring RSA SecureID
RSA SecureID Configuration on Cisco Secure Access Control Server 4.2
RSA SecureID Configuration on Cisco Secure Access Control System 5.1
Group Mapping
Group Mapping on Cisco Secure Access Control Server 4.2
Group Mapping on Cisco Secure Access Control System 5.1
Group Mapping with LDAP Identity Stores
Group Mapping with AD Identity Stores
Group Mapping with RADIUS Identity Stores
Group Mapping Conditions for LDAP, AD, and RADIUS Identity Databases
Chapter 6 Administrative AAA on IOS
Local Database
Privilege Levels
Lab Scenario #1: Local Authentication and Privilege Levels
Lab Setup
Lab Solution
Lab Verification
Using AAA
Configuring Authentication on IOS Using AAA
Configuring ACS 4.2 and 5.1 for Authentication
Verifying and Troubleshooting Authentication
Authorization of Administrative Sessions
Configuring ACS 4.2 and 5.1 for EXEC Authorization
Verifying and Troubleshooting EXEC Authorization
Command Authorization
Configuring ACS 4.2 and 5.1 for Command Authorization
Verifying and Troubleshooting Command Authorization
Accounting of Administrative Sessions
Configuring ACS for Accounting
Lab Scenario #2: Authentication, Authorization, and Accounting of Administrative Sessions Using TACACS+
Lab Verification
Lab Scenario #3: Authentication and Authorization of HTTP Sessions
Chapter 7 Administrative AAA on ASA/PIX
Lab Scenario #4: Local Authentication and Privilege Levels on ASA
Configuring Authentication on ASA Using AAA
Accounting of Administrative Sessions and Commands
Lab Scenario #5: Authentication, Authorization and Accounting of Administrative Sessions on ASA using TACACS+
Chapter 8 IOS Switches
Introduction to 802.1X, EAP, and EAPOL
EAP
EAPOL
Message Exchange in 802.1X
EAP Types
PEAPv0/EAP-MSCHAPv2
PEAPv1/EAP-GTC
EAP Authentication Type Summary
802.1X Configuration on a Cisco Switch
802.1X Host Modes
Single-Host Mode
Multiple-Host Mode
Multidomain Authentication Mode
Pre-Authentication Open Access
Multiauthentication Mode
802.1X Authentication Features
Guest VLAN
Restricted/Authentication Failed VLAN
MAC Authentication Bypass
VLAN Assignment
802.1X Timers
Quiet Period
Switch-to-Client Retransmission Time (tx-period)
Switch-to-Client Retransmission Time for EAP-Request Frames (supp-timeout)
Switch-to-Authentication-Server Retransmission Time for Layer 4 Packets (server-timeout)
Switch-to-Client Frame Retransmission Number (max-reauth-req)
Configuring Accounting
Certificate Installation on ACS
Certificate Installation on ACS 4.2
Certificate Installation on ACS 5.1
Configuring EAP-MD5 on ACS
EAP-MD5 Configuration on ACS 4.2
EAP-MD5 Configuration on ACS 5.1
Configuring PEAP on ACS
PEAP Configuration on ACS 4.2
PEAP Configuration on ACS 5.1
Configuring EAP-TLS on ACS
EAP-TLS Configuration on ACS 4.2
EAP-TLS Configuration on ACS 5.1
Dynamic VLAN Assignment: ACS Configuration
Dynamic VLAN Assignment for ACS 4.2
Dynamic VLAN Assignment for ACS 5.1
Lab Scenario #7: Configuring Switch, ACS, and Windows XP for 802.1X Authentication Using EAP-MD5
ACS 4.2 Configuration Requirement
ACS 5.1 Configuration Requirement
Switch Configuration Requirements
Client Configuration Requirements
Lab Scenario #8: Configuring Switch, ACS, and Windows XP for 802.1X Authentication Using PEAP
Lab Scenario #9: Configuring Switch, ACS, and Windows XP for 802.1X Authentication Using EAP-TLS
Useful show Commands
Troubleshooting 802.1X
Chapter 9 Access Points
Configuring Wireless NAS for 802.1X Authentication on an AP
Configuring Wireless NAS for 802.1X Authentication on a WLC
Configuring ACS 4.2 for LEAP
Configuring ACS 5.1 for LEAP
Configuring ACS 4.2 for EAP-FAST
Configuring ACS 5.1 for EAP-FAST
Lab Scenario #10: Configure WLC, ACS and Cisco Secure Services Client for 802.1X Authentication Using LEAP
ACS 4.2 Configuration Requirements
ACS 5.1 Configuration Requirements
WLC Configuration Requirements
Lab Scenario #11: Configure WLC, ACS, and Cisco Secure Services Client for 802.1X Authentication Using EAP-FAST
Summary
Chapter 10 Cut-Through Proxy AAA on PIX/ASA
Notes:
Bibliographic Level Mode of Issuance: Monograph
Description based on publisher supplied metadata and other sources.
ISBN:
9786612916397
9781587141522
1587141523
9781282916395
1282916394
9781587141515
1587141515
OCLC:
1024244639
