Basic Access Control

Page 11, Friday, February 15, 2002, 2:53 PM

CHAPTER 3
Basic Access Control

This chapter addresses what most people think about when they start to secure a router—authenticating users and restricting access. There are many more ways to access Cisco routers than most network administrators realize. Each of these methods can have different authentication methods and can be set to allow various levels of privilege access. It is important that all methods of access are either secured or disabled. The chapter briefly discusses the differences between authentication and authorization and then moves on to the fundamentals of how Cisco routers handle controlling and protecting access.

Authentication Versus Authorization

Access control involves both authentication and authorization. People often confuse the two. Authentication is the process of identifying a user; authorization restricts what a user is allowed to do. Cisco router authentication controls can be divided into two main categories: those that use the AAA (authentication, authorization, accounting) access methods and those that don't. The non-AAA methods include line authentication (console, auxiliary, and VTY ports), local username authentication, and Terminal Access Controller Access Control System (TACACS) or extended TACACS authentication. The AAA authentication methods add TACACS+, RADIUS, and Kerberos.
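As an added illustration that is not from the book, the following Cisco IOS fragment shows the two non-AAA methods just named: a line password on the console and local-username login on the VTY lines, with the unused auxiliary port disabled rather than left open. The management subnet 192.0.2.0/24 and the REPLACE-ME password placeholders are assumptions.

```cisco
! Added example, not from the book: non-AAA access control on a Cisco IOS router.
! Replace every REPLACE-ME placeholder before use; 192.0.2.0/24 is an assumed
! management subnet.
!
! Privileged (enable) mode password, stored hashed rather than in clear text
enable secret REPLACE-ME-ENABLE
!
! Local username database consulted by "login local" below
username admin privilege 15 secret REPLACE-ME-ADMIN
!
! Console port: line authentication (the password lives on the line itself)
line con 0
 password REPLACE-ME-CONSOLE
 login
 exec-timeout 5 0
!
! Auxiliary port: not used, so disabled instead of secured
line aux 0
 no exec
 transport input none
!
! VTY lines: local username authentication, SSH only, management subnet only
access-list 10 remark management hosts allowed to reach the VTY lines
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
 exec-timeout 5 0
```

The AAA equivalent replaces the per-line `login` and `login local` commands with `aaa new-model` and an `aaa authentication login` method list, which is the subject of Chapter 5.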
AAA provides much greater control over authentication, authorization, and accounting than do non-AAA methods. While Cisco calls AAA the primary and recommended method of access control, you must configure AAA on your router manually. This chapter describes non-AAA methods of access. AAA will be discussed in Chapter 5.

Points of Access

There are many ways to access a Cisco router. Each way can provide different levels of authorization, from viewing router information to completely reconfiguring the router or some level in between. Each access method is either out-of-band