AAA Server

flares2 Member Posts: 79
I'm hoping this is something simple I'm just way overthinking.
I understand how to configure a router/switches to use a AAA server for authentication and accounting.
The thing I don't get, and this may sound stupid, is what is the physical external AAA server? When configuring a router for AAA, of course, you need to supply the IP of the server. Is this a pre-existing server on the domain? Like does the PDC act as the AAA server? Do I need to use a new server and load it with AAA software, if so what software? Or does the router itself act as the AAA server?
Like I said, I hope this is something simple I'm looking too deeply into. Any help is much appreciated.
Techexams.net - Job security for one more day.

Comments

  • ilcram19-2 Banned Posts: 436
    Well, it is. If you're using RADIUS as your AAA server, you could use a Windows 2003 IAS server that would help you authenticate user accounts to Active Directory. It all depends on what you need the server to do for you.
  • dynamik Banned Posts: 12,312
    Is this just a general Security+ type question or are you looking for something specific?

    For a Windows domain, you'd install IAS (RADIUS) on a server and configure your network device to use that. Basically you just create a key on the IAS server, and enter the IP, port number, and key on the network device, and you're set.
  • flares2 Member Posts: 79
    Thanks for the expedient replies.
    Dynamik, this isn't a Sec+ question, this is more of a "my boss told me to get the ASA to content filter, track/monitor traffic, and authenticate through AD." I'm planning on using the ASA's SSM module to run CSC, but I need AAA to Authenticate and Account. Side note, I'm also researching Websense, so if anyone has any opinion on which is better let me know.

    Pretty much our Network Admin left and I'm filling in until we find a permanent replacement.
    The last network I worked on was big (3000 workstations, over 100 switches, etc). On that network I did routing and switching. Network Security was an entirely different department, so was maintaining the servers. Now I'm at a smaller company (200 workstations, 6 switches). So knowing routing/switching is great, except in my current employment, this position is also expected to be in charge of network security, server maintenance, etc.
  • dynamik Banned Posts: 12,312
    Yeah, just go with IAS. It's pretty straightforward.

    You can add it through Add/Remove programs > Windows Components > Network Services > Internet Authentication Services.

    http://technet.microsoft.com/en-us/network/bb643123.aspx
  • hypnotoad Banned Posts: 915
    On the ASA (8.0)....

    1. Create server group class_radius using radius protocol, and tell it where the IAS server is...

    config# aaa-server class_radius protocol radius
    config# aaa-server class_radius (inside) host 192.168.0.1 key qwerty1234

    2. Tell the ASA to authenticate SSH through the server group class_radius. If it fails, fall back to local authentication.

    config# aaa authentication ssh console class_radius LOCAL

    Now SSH will use your IAS group.
  • astorrs Member Posts: 3,139
    This might help with the IAS config once you have it installed: http://www.tech-recipes.com/cisco_networking_tips1478.html
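
How the key entered on both the IAS server and the ASA is used on the wire, as an added example that is not from any poster in this thread: per RFC 2865 the shared secret hides the User-Password attribute and authenticates the server's reply, which is why it must match on both sides and should be long and random. The function names, user, password and key below are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR 16-byte password blocks with MD5(secret + previous block)."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 bytes")
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def unhide_password(hidden, secret, request_auth):
    """What the RADIUS server does with its own copy of the key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, ident, request_auth):
    """Access-Request (code 1) with User-Name (1) and User-Password (2)."""
    hidden = hide_password(password, secret, request_auth)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

def reply_is_authentic(reply, request_auth, secret):
    """Client side: recompute the authenticator with the locally configured key."""
    length = struct.unpack("!H", reply[2:4])[0]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    key, ra = b"constructed-shared-key", os.urandom(16)  # constructed sample values
    req = build_access_request(b"alice", b"constructed-password", key, 7, ra)
    accept = build_reply(2, 7, b"", ra, key)  # code 2 = Access-Accept
    print(len(req), reply_is_authentic(accept, ra, key),
          reply_is_authentic(accept, ra, b"mismatched-key"))
```

A key mismatch between the two devices shows up exactly as in the last call: the server cannot recover the password and the client rejects the reply, so authentication fails even though the IP and port are correct.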