Centralized Security in Remote Access Networks Exam Essentials

Understand the components of AAA. You should know that AAA is the acronym for
authentication, authorization, and accounting. Authentication is used to verify a user’s
authenticity, usually with a username and password. Authorization is used to determine
which services are available to a verified user. Accounting is used to audit the user’s activity
on the system to provide tracking.

Know the services provided by CiscoSecure. The CiscoSecure software runs on Windows NT and
Unix and provides a Java-based web client for configuration. The software provides RADIUS
and TACACS+ services for authentication, authorization, and accounting. The software can
store and retrieve user information with outside databases, including Oracle and Sybase.

Understand the functions provided by each AAA component, including the six accounting types.
In addition to the AAA functions of authenticating a user and authorizing access to various functions
in the router, the accounting function can audit commands, connections, EXEC, network, system,
and resources.

Know how to configure AAA services for Cisco IOS. AAA has been updated since its
inception; the command aaa new-model is used so the user can utilize the new AAA commands.
There are many AAA commands used to configure authentication, authorization, and accounting
on a Cisco device. Each service command begins with the aaa prefix. You don’t need to
know the AAA commands for Cisco Catalyst series switches, but they are included in this chapter
for completeness.

Understand the differences between packet-mode and character-mode services. Packet-mode
services are typically dial-up connections, including asynchronous and ISDN access. Character-based
services are connections such as login, exec, NASI, and commands. Most of these services
terminate at the access device, which is typical of character-mode services.

Know that aaa new-model requires additional commands to configure correctly. Invoking the
aaa new-model command with no other parameters will lock the administrator out of the router.
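As an added example (not configuration from the chapter), the following Cisco IOS snippet ties the aaa commands above to the lockout caveat: every authentication list falls back to the local user database, and the console never depends on the security server. The TACACS+ server address, the shared key, and the local administrator account are placeholders.

```cisco
! Added example, not from the book. Replace 192.0.2.10, the shared key and
! the local account with your own values before use.
aaa new-model
!
! Authentication: consult the CiscoSecure TACACS+ server first, then fall
! back to the local username database if the server is unreachable.
! Entering "aaa new-model" without a list like this is what locks you out.
aaa authentication login default group tacacs+ local
aaa authentication login CONSOLE local
aaa authentication ppp default group tacacs+ local
!
! Authorization: which services an authenticated user may use
! (character-mode: EXEC shell and privilege-15 commands; packet-mode: PPP).
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa authorization network default group tacacs+ local
!
! Accounting: the audit trail. One line per accounting type named in the
! chapter: commands, connection, EXEC, network, system and resource.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa accounting resource default start-stop group tacacs+
!
! Local fallback account, used only when the TACACS+ server cannot be reached.
username admin privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
! The security server (CiscoSecure) that holds the user database.
tacacs-server host 192.0.2.10
tacacs-server key REPLACE-WITH-SHARED-KEY
!
! Console uses the local-only list so out-of-band recovery always works;
! VTY lines use the server-first default list.
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication default
 transport input ssh
```

Verify the fallback before saving with "test aaa" or by watching "debug aaa authentication" while logging in from a second session; keep the first session open until the new login succeeds.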

Centralized Security in Remote Access Networks Summary

To have a complete security policy in place, authentication, authorization, and accounting
(AAA) must be implemented on a network. AAA allows full control not only over dial-up connections,
but also over login and exec access to devices. Tracking and auditing are accomplished through
the accounting services in AAA.

CiscoSecure is software that allows for centralized control over access to every device in your
network. It will run on Windows NT and Unix and provides RADIUS as well as TACACS+
authentication, authorization, and accounting services.

The two access modes, which are controlled by AAA, are character-mode and packet-mode
connections. Character-mode connections usually terminate at the access server or router, and
packet-mode connections are those that pass traffic through an access server or router.

Configuration of AAA services for Cisco devices has many facets. The administrator must
first configure how to authenticate users and then define which services those users will be
allowed to access. The optional accounting feature can be used to audit the user’s activity on
the system.

A virtual template is a technology that enables the security server to supply the
access server with user-specific dialer profile information. Instead of each access server containing
user-specific dialer profile information, this information is kept on the security server and
downloaded to the access server when the user is authenticated.