AAA Services
• Authentication- Who ?- Management of the user’s identity
• Authorization- What can the user do?- Management of the granted services
• Accounting- What did the user do?- Logging of activities and auditing
Uses of AAA
• Two modes:– The character mode access
AAA services are used to control administrative access such as Telent or Console access to network devices
– The packet mode accessAAA services are used to manage remote user network access such as dialup clients or VPN clients
T. A. Yang Network Security 2
c.f., Alternative methods to AAA
• Examples:– Password-based authentication– Challenge-response authentication
• Incomplete access management– Limited to authentication only
T. A. Yang Network Security 3
Local vs Centralized Databases in AAA
Features Local dB Centralized dB
Location of user data local on the deviceIn a central authentication server (remote to the device)
Copies of user data Multiple copies (one per device)
Single copy
Scalability Poor (Given a change, each copy needs to be updated.)
Good
Single-point failure ? Depends (possibly no) Yes
Recommended ? Only for very small networks
Yes (especially for larger networks)
T. A. Yang Network Security 4
Authentication Protocols in AAA
• RADIUS vs TACACS+• RADIUS
– Remote Authentication Dial In User Service– An IETF standard (RFC 2865)– Open source s/w– Interoperability among RADIUS-based products– Client/server authentication btwn a NAS (e.g., a
router) and a RADIUS server• A shared secret btwn the client and the server
– on UDP (port 1812 for authentication and authorization; port 1813 for accounting)
T. A. Yang Network Security 5
RADIUS • RFC 2865 (2000): http://www.ietf.org/rfc/rfc2865.txt
T. A. Yang Network Security 6
The Authenticator field• Request Authenticator
– The authenticator in the Access-Request packets– Rqts: The value SHOULD be unpredictable and unique
over the lifetime of a shared secret• Repetition of a request value in conjunction with the same secret
would permit an attacker to reply with a previously intercepted response.
• Response Authenticator– The authenticator in the Access-Accept, Access- Reject,
and Access-Challenge packets– ResponseAuth =
MD5(Code+ID+Length+RequestAuth+Attributes+Secret) T. A. Yang Network Security 7
• http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
T. A. Yang Network Security 8
RADIUS
• Example Clients: router, switch, PIX/ASA, VPN3000
• The Access-Request: contains username, encrypted password, NAS IP address, NAS port number, and session information.
RADIUS authentication• Note: Both authentication and authorization information
are combined in a single Access-Request packet.
• Upon receiving an Access-Request, the RADIUS server
1. Validates the shared secret
2. Validates the username and passwordIf not validated, sends an Access-Reject response;
3. Authorizes the userIf authorization fails, sends an Access-Reject response;
Otherwise, sends an Access-Accept response;
T. A. Yang Network Security 9
Security mechanisms in RADIUS
• Shared secret btwn the client and the server• In the Access-Request packet, the password is
encrypted. MD5 (shared secret + Request Authenticator)
XOR the-first-16-octets-of-the-password16-octet encrypted password
• Q: How would the RADIUS server authenticate the encrypted password?
T. A. Yang Network Security 10
TACACS+
• TACACS: Terminal Access Controller Access Control System
• A Cisco proprietary client/server authentication protocol
• A shared secret btwn the client & the server• Can encrypt the entire body of the packet (as
indicated by the flags field)• On TCP
T. A. Yang Network Security 11
TACACS+
• http://tools.ietf.org/html/draft-grant-tacacs-02
T. A. Yang Network Security 12
T. A. Yang Network Security 13
• Example interactions: http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
TACACS+
TACACS+ vs RADIUS
• Shared:– Client/server based– Authentication btwn a NAS and an authentication
server– Shared secret
• Differences ?
T. A. Yang Network Security 14
T. A. Yang Network Security 15
TACACS+ vs RADIUSsource:
http://etutorials.org/Networking/network+management/Part+II+Implementations+on+the+Cisco+Devices/Chapter+9.+AAA+Accounting/High-Level+Comparison+of+RADIUS+TACACS+and+Diameter/
Criterion TACACS+ RADIUS
TransportTCP (reliable; more overhead)
UDP (unreliable; higher performance)
Authentication and Authorization
Can be separated (more flexible)
Combined
Multiprotocol Support
Supported (IP, Apple, NetBIOS, Novell, X.25)
IP only
Access to Router CLI Commands
Supports two methods to control the authorization of router commands on a per-user or per-group basis
Not supported
Encryption Packet payload Passwords only