• Uses UDP
    • Combines authentication and authorization
    • Intended for user access control
    • Encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted
  2. TACACS+
    • Encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not
    • Provides two methods to control the authorization of router commands on a per-user or per-group basis and is suitable for device management
    • Uses TCP
    • Separates authentication, authorization, and accounting
  3. Which AAA protocol is recommended for controlling Cisco devices and why?
    TACACS+ is the right one, because it provides per-command control (command authorization) over access to the device. RADIUS is not suitable because authorization information is transferred only once, at initial authentication.
  4. Why is a security tool like Cisco Access Control Server essential, especially in a large enterprise network?
    In large networks, many devices require a lot of network administrators with varying levels of access. Cisco Secure ACS provides a centralized database where administrator accounts can be managed at a single location.
  5. When configuring AAA, why is a method list used? Give an example.
    • In the example, if the AAA server fails, authentication falls back to the locally configured user ID/password
    • Example: aaa authentication login mymethod group tacacs+ local enable
  6. List the steps to configure Cisco's routers to support AAA. Identify those steps that are optional and those that are required.
    • Enable AAA - aaa new-model
    • Create local user account - username localadmin password cisco
    • Identify the AAA Server Host IP and secret key password
    • Specify the loopback interface as the source for TACACS+ - ip tacacs source-interface loopback 0
    • Specify Authentication (Required) - Refer to 5.
    • Authorization/Accounting as optional
Card Set
Network Management Tutorial 5