Tutorial 8 Flashcards

(5 cards)

1
Q

What are the three components of AAA, and how do they work together to secure network access?

A

AAA stands for Authentication, Authorization, and Accounting, and it forms a foundational framework for enforcing access control policies. These three components work together to ensure that only legitimate users can access network resources, that their actions are appropriately restricted, and that their activities are logged for auditing and analysis.

  • Authentication is the first step in the AAA process. It verifies the identity of the user or device attempting to access the network. This can be done using various methods such as usernames, passwords, digital certificates, or biometric data. Without successful authentication, no further access is granted.
  • Authorization follows authentication and determines what an authenticated user is allowed to do. This includes access to specific commands, interfaces, or services. For example, a network administrator might be authorized to configure routers, while a guest user might only be allowed internet access.
  • Accounting is the final component and it involves tracking user activities. This includes logging login times, commands executed, and resources accessed. Accounting is crucial for auditing, billing, and forensic analysis in case of security incidents.

Together, AAA provides a scalable and secure way to manage user access in a network. It ensures that access is granted only to verified users, that their permissions are appropriately enforced, and that their actions are recorded for accountability.

2
Q

Compare and contrast RADIUS and TACACS+ protocols.

A

Both RADIUS and TACACS+ are protocols used to implement AAA services, but they differ significantly in design, functionality, and use cases.

  • RADIUS (Remote Authentication Dial-In User Service) is an open standard protocol defined in RFCs 2865 and 2866. It uses UDP for communication, which makes it faster but less reliable than TCP. RADIUS combines authentication and authorization in a single packet, which simplifies the process but limits flexibility. It encrypts only the password in the packet, leaving other information exposed. RADIUS is widely supported across vendors and is ideal for network access scenarios like VPNs and Wi-Fi authentication.
  • TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco proprietary protocol that uses TCP, providing reliable communication and better control over sessions. Unlike RADIUS, TACACS+ separates authentication, authorization, and accounting into distinct processes, allowing for more granular control. It encrypts the entire packet, offering enhanced security. TACACS+ is preferred for device administration tasks, such as controlling access to router or switch command line interfaces.

In summary, RADIUS is better suited for access control in multi-vendor environments, while TACACS+ excels in administrative control within Cisco-centric networks. The choice between them depends on specific requirements of the network environment, such as security, flexibility, and vendor compatibility.

3
Q

Briefly explain each stage of the AAA security service.

A

The AAA security service consists of three distinct but interrelated stages: Authentication, Authorization, and Accounting. Each stage plays a critical role in securing network access and managing user interactions.

  • Authentication is the process of verifying the identity of a user or device. This is typically done using credentials such as usernames and passwords, certificates, or biometric data. Authentication ensures that only legitimate users can access the network. In Cisco IOS, authentication can be configured using local databases or remote servers like RADIUS or TACACS+.
  • Authorization determines what an authenticated user is allowed to do. It controls access to specific commands, interfaces, or services. For example, a user might be authorized to view network status but not change configurations. Authorization is configured by defining method lists and applying them to interfaces or services. RADIUS uses Attribute-Value (AV) pairs to define user permissions.
  • Accounting tracks user activities and resource usage. It logs events such as login times, commands executed, and bandwidth consumed. Accounting data is essential for auditing, billing, and detecting anomalies. Like authentication and authorization, accounting is configured using method lists and applied to interfaces.

Together, these stages provide a comprehensive framework for managing network access. Authentication ensures identity verification, authorization ensures access control, and accounting provides visibility into user behaviour.

4
Q

What is the 802.1X protocol? Briefly explain the roles of the supplicant, authenticator, and authentication server.

A

IEEE 802.1X is a port-based network access control protocol that provides secure authentication for devices attempting to connect to a LAN or WLAN. It is a key component of identity-based networking, which grants access based on user identity rather than physical location.

The protocol involves three main entities:

  • Supplicant: This is the client device (e.g., laptop, workstation) that requests access to the network. The supplicant initiates the authentication process by sending identity information to the authenticator.
  • Authenticator: Typically a network switch or wireless access point, the authenticator acts as a gatekeeper. It controls network access and forwards authentication requests from the supplicant to the authentication server. It does not perform authentication itself but enforces the result.
  • Authentication Server: Usually a RADIUS server, this entity performs the actual authentication. It validates credentials provided by the supplicant and informs the authenticator whether access should be granted.

802.1X uses EAPOL (Extensible Authentication Protocol over LAN) for communication between the supplicant and the authenticator. If authentication is successful, the port transitions into the authorized state, allowing normal traffic. If not, access is denied or restricted to a guest VLAN. This protocol is essential for securing campus networks against unauthorized access.

5
Q

What is MAC flooding, and does port security help mitigate this attack?

A

MAC flooding is a Layer-2 attack that targets the Content Addressable Memory (CAM) table of a switch. The CAM table stores MAC addresses and associated switch ports. It has a finite size, and when it becomes full, the switch can no longer learn new MAC addresses.

An attacker performs MAC flooding by sending a large number of frames with spoofed, random source MAC addresses. This fills up the CAM table, causing the switch to enter a fail-open mode in which it floods incoming traffic out all ports. This allows the attacker to intercept traffic not intended for them, leading to potential data breaches.

Port Security is a mitigation technique that restricts the number of MAC addresses that can be learned on a switch port. It can be configured to:

  • Allow only a specific number of MAC addresses.
  • Permit only predefined MAC addresses.
  • Take actions such as shutting down the port or generating alerts when violations occur.

By limiting MAC address learning, port security prevents the CAM table from being overwhelmed, thereby protecting the switch from MAC flooding attacks. It is a fundamental security feature in campus networks.
