Free CCNA | 802.1x and AAA – Day 40 | 200-125 | Cisco Training

Cisco Certified Network Associate Day 40. Welcome back everyone, I'm Imran Rafai, your trainer for this entire series. Today we're going to look at the 802.1X framework and AAA. So without wasting much time, let's get straight into this class, and like always, before we go ahead, click on that Subscribe button and click on that bell icon to be notified when we add a new video. Your LIKE on these videos is going to encourage us to create new videos, so please feel free to hit that LIKE button as well. Our social media contacts: on the left you will find Networking Inc., our company's social media contacts, and on the right you will find my personal social media contacts. For people who want to know my email address: imran dot rafai at nwking dot org.

So what are we going to look at today? Today we're going to look at 1.7.a, that is 802.1X, and we will look at 5.4, that is "Describe device management using AAA with TACACS+ and RADIUS". Now compared to some of the other topics that we discussed earlier, both of these are DESCRIBE topics. That means Cisco does not expect you to know the configuration, and it doesn't need you to know these topics in depth. It is going to be more theory, so that you know what all of these mean.

Let's look at a Cisco device and how we logged into Cisco devices earlier. Whenever we logged into Cisco devices we configured the line password. If you remember, we talked about "line vty", and under it we said "login" and then we put a "password". What that meant was that the "login" command said "look for the password configured on the line". Otherwise, had we said "login local", it looked for a local username and password configured with the "username" command. So if you go to global config and type "username Imran password Imran", and then go into "line vty" and say "login local", it looks for that locally configured username and password.

The problem with both of those configurations is that they are configured locally on the device. Let's say your organization has a thousand users and a hundred, or a thousand, devices: each of those devices would need all thousand usernames and passwords configured locally. That's fine if you really want to go and configure those usernames and passwords on that many devices. But best practice in security says that passwords should be changed frequently, so if you have to change the password for a thousand users, you have to go to each of those hundred or thousand devices and make the change. It's a tedious process.

There is a better way of configuring Cisco devices so that you have control of usernames and passwords in a much more centralized form, and that is where a concept called AAA comes into use. AAA is nothing but authentication, authorization and accounting; these are the three functions of AAA. What it basically does is this: you have a central server, and this central server has a database of usernames and passwords. When you log into a Cisco device, let's say a Cisco switch, instead of looking for a username and password configured locally, the device contacts the AAA server and checks the username and password that you are giving. If it matches, the device lets the user connect. This makes it easy, because if there are a hundred devices, all those devices just need to be configured to point at the AAA server, and no matter where you connect to those devices from, they will always check the username and password with the AAA server. If you want to change a password, you just change it once on the AAA server and that applies to all the devices on your network. That's brilliant, because now you are moving your database of usernames and passwords to a central server. One thing to keep in mind in practice: you still keep a local fallback account on each device, configured to be used only when the AAA server cannot be reached, otherwise a server outage locks you out of your own network.

In AAA there are two protocols that we use: one is RADIUS and the other is TACACS+. RADIUS is short for Remote Authentication Dial-In User Service, and it is described in RFC 2865 and RFC 2866. An RFC is a Request for Comments: whenever a new protocol is proposed, an RFC is created that describes the whole protocol, and it is open for people to comment. If you think there is a better way to do a certain thing, you can comment until the RFC is closed and the protocol is published, so until the protocol is finalized there are a lot of chances for anybody involved to contribute to it. RFC 2865 and 2866 describe the RADIUS protocol. It's an open standard, developed in 1991, so it's quite an old protocol, and it was basically designed for network users: if you want to control user authentication, where the user gives a username and password, you would use RADIUS. It uses UDP: originally ports 1645 and 1646, and newer devices use UDP 1812 and 1813 (1645/1812 carry authentication and authorization, 1646/1813 carry accounting).

RADIUS supports the three functions: authentication, authorization and accounting. Authentication tells the device whether you are allowed to come in or not. Authorization tells the device what you are allowed to do: are you authorized to run a certain command, can you configure certain things on the device? It tells you the level of authorization that's available to you: do you come in at privilege 10, or privilege 15, or privilege 5? That's authorization. Then, after you come in, what have you done there? You might change the routing protocol, so there should be accounting that records all the commands that you typed; that's where accounting comes in. So these are the three functions: are you allowed to log in, what configurations or levels are you authorized to use, and what have you done there. Those are the three functions RADIUS supports. Two details worth knowing from a security point of view: RADIUS combines authentication and authorization in a single exchange (the authorization attributes ride in the Access-Accept), and the only field it hides on the wire is the User-Password attribute; the username and everything else in the packet is sent in cleartext.
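Here is the exchange behind that central check, as an added example in Python (it is not code from the video or from Cisco): the switch builds a RADIUS Access-Request for a plain username/password login, the server recovers the password and answers Access-Accept or Access-Reject, and the switch verifies the Response Authenticator before trusting the answer. The user database, shared secret and NAS address are constructed for the demo.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865 section 3) and the attribute types used here (section 5)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def attr(atype, value):
    """Type-Length-Value attribute; Length counts the two header bytes, so a value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return bytes([atype, 2 + len(value)]) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret + previous ciphertext block); the first block uses the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    if len(padded) > 128:
        raise ValueError("password longer than the 128 bytes User-Password allows")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; NUL padding is stripped, so passwords must not contain NUL."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attributes):
    """20-byte header (Code, Identifier, Length, Authenticator) followed by the attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attributes)) + authenticator + attributes


def parse_packet(data):
    """Returns code, identifier, authenticator, [(type, value), ...] and the raw attribute bytes."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, data[4:20], attrs, data[20:length]


def response_authenticator(code, ident, attributes, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attributes))
    return hashlib.md5(head + request_auth + attributes + secret).digest()


def nas_access_request(username, password, secret, nas_ip, ident=1):
    """What the switch (the NAS) sends for a username/password login; returns the packet and its authenticator."""
    request_auth = os.urandom(16)          # must be unpredictable: it keys the password hiding
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs), request_auth


def server_handle(request, secret, user_db):
    """Server side: recover the password, look the user up and answer Access-Accept or Access-Reject."""
    code, ident, request_auth, attrs, _ = parse_packet(request)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or USER_NAME not in fields or USER_PASSWORD not in fields:
        raise ValueError("not a usable Access-Request")
    password = reveal_password(fields[USER_PASSWORD], secret, request_auth)
    expected = user_db.get(fields[USER_NAME])
    ok = expected is not None and hmac.compare_digest(expected, password)
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""                      # a real server adds authorization attributes here
    auth = response_authenticator(reply_code, ident, reply_attrs, request_auth, secret)
    return build_packet(reply_code, ident, auth, reply_attrs)


def nas_verify_reply(reply, request_auth, secret):
    """NAS side: accept the reply only if its Response Authenticator matches the shared secret."""
    code, ident, auth, _, raw_attrs = parse_packet(reply)
    expected = response_authenticator(code, ident, raw_attrs, request_auth, secret)
    return code, hmac.compare_digest(expected, auth)


def login(username, password, secret, user_db):
    """One full round trip: returns (reply code, authenticator valid)."""
    request, request_auth = nas_access_request(username, password, secret, "10.0.0.2")
    return nas_verify_reply(server_handle(request, secret, user_db), request_auth, secret)


if __name__ == "__main__":
    # Constructed demo data: one account on the AAA server, shared secret known to switch and server.
    db = {b"imran": b"Secr3t!"}
    print(login(b"imran", b"Secr3t!", b"sh4red-secret", db))   # (2, True): Access-Accept
    print(login(b"imran", b"wrong", b"sh4red-secret", db))     # (3, True): Access-Reject
```

Two things to notice when you run it: the username and every attribute except User-Password travel in cleartext, and the only thing protecting User-Password and the reply is MD5 keyed with the shared secret. That is why the secret has to be long and random, and why the path between the switch and the RADIUS server should itself be protected (a management VLAN, IPsec, or RADIUS over TLS where the server supports it).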
TACACS+, on the other hand, is short for Terminal Access Controller Access-Control System Plus. The plus is there because this is a protocol developed by Cisco that was derived from the older TACACS protocol. Even though Cisco developed it, the protocol specification was published openly, so anybody can implement TACACS+. It is used more for device administration than for network user authentication: you configure your network devices to use TACACS+ for administrator logins, and you control what those administrators can do on the devices. TACACS+ uses TCP (port 49). You need to know that RADIUS uses UDP and TACACS+ uses TCP for one reason: if you are an administrator and there is a firewall between your network device and the authentication server, you need to open the relevant ports. Using RADIUS you need to allow the UDP traffic through the firewall, and using TACACS+ you need to allow the TCP traffic through the firewall. This is very important; you need to know the port numbers.

TACACS+ also supports a couple more functions, like command authorization. In RADIUS you can only say that this user comes in at privilege 15 or privilege 10, but it can't tell you which commands within privilege 10 you are authorized to use. In TACACS+ you can go to that granular level: even though a user comes in at privilege 5 or privilege 15, you can specify which commands they can use. You may want to give a user a lot of commands but not, for instance, configuring routing protocols, so you can go to that granular level and either allow the user to make those configurations or not. Similarly, command-level accounting takes place: you can tell exactly which commands were applied, so that accounting can also be recorded by TACACS+. This works because TACACS+ keeps authentication, authorization and accounting as separate exchanges, so the device can ask the server about each command as it is typed.
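The per-command authorization that TACACS+ adds looks like this on the wire. This is an added example in Python, not Cisco's code and not from the video, and it goes slightly beyond the video in also showing how the TACACS+ body is hidden: a router sends an authorization REQUEST for `configure terminal`, the server applies a policy and answers PASS_ADD or FAIL, and every body is XORed with an MD5-derived pseudo-pad keyed on the shared secret (RFC 8907). The user, port, remote address, shared key and the denied-command policy are constructed for the demo.

```python
import hashlib
import os
import struct

# TACACS+ (RFC 8907) header fields and the values used here
TAC_PLUS_VERSION = 0xC0                 # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02                  # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenated and truncated to the body length."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no]) + prev).digest()
        out += prev
    return out[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR with the pseudo-pad; the same call decodes. This is MD5-keyed obfuscation, not modern
    encryption, which is why RFC 8907 says to run TACACS+ over a protected transport."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def header(ptype, seq_no, session_id, body_len):
    """12-byte header: version, type, seq_no, flags, session_id, length."""
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, 0x00, session_id, body_len)


def author_request_body(user, port, rem_addr, priv_lvl, args):
    """Authorization REQUEST (RFC 8907 section 6.1): fixed fields, one length byte per arg, then the strings."""
    if any(len(x) > 255 for x in (user, port, rem_addr, *args)) or len(args) > 255:
        raise ValueError("field too long for its one-byte length")
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                        len(user), len(port), len(rem_addr), len(args))
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)


def parse_author_request_body(body):
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])
    pos = 8
    arg_lens, pos = list(body[pos:pos + argc]), pos + argc
    user, pos = body[pos:pos + ulen], pos + ulen
    port, pos = body[pos:pos + plen], pos + plen
    rem_addr, pos = body[pos:pos + rlen], pos + rlen
    args = []
    for alen in arg_lens:
        args.append(body[pos:pos + alen])
        pos += alen
    if pos != len(body):
        raise ValueError("body length does not match its fields (wrong key?)")
    # each arg is "attr=value" (mandatory) or "attr*value" (optional); only '=' is used here
    return {"user": user, "port": port, "rem_addr": rem_addr, "priv_lvl": priv_lvl,
            "args": dict(a.split(b"=", 1) for a in args)}


# Constructed server policy for the demo: commands an otherwise privileged user may not run.
DENIED_COMMANDS = {b"configure", b"reload"}


def server_authorize(packet, key):
    """Server side: decode the request, apply the command policy, return the obfuscated REPLY packet."""
    _, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or flags & TAC_PLUS_UNENCRYPTED_FLAG:
        raise ValueError("not an obfuscated authorization request")
    req = parse_author_request_body(obfuscate(packet[12:12 + length], session_id, key, seq_no))
    status = STATUS_FAIL if req["args"].get(b"cmd") in DENIED_COMMANDS else STATUS_PASS_ADD
    # REPLY (section 6.2): status, arg_cnt, server_msg_len, data_len; no message and no args here
    reply = struct.pack("!BBHH", status, 0, 0, 0)
    return header(TAC_PLUS_AUTHOR, seq_no + 1, session_id, len(reply)) + obfuscate(reply, session_id, key, seq_no + 1)


def build_command_request(user, cmd, cmd_arg, key, session_id=None):
    """Device side: the per-command authorization request a router sends before running 'cmd cmd_arg'."""
    session_id = struct.unpack("!I", os.urandom(4))[0] if session_id is None else session_id
    body = author_request_body(user, b"vty0", b"192.0.2.10", 15,
                               [b"service=shell", b"cmd=" + cmd, b"cmd-arg=" + cmd_arg])
    return header(TAC_PLUS_AUTHOR, 1, session_id, len(body)) + obfuscate(body, session_id, key, 1)


def command_authorized(user, cmd, cmd_arg, key):
    """Full round trip over the constructed server; True when it answers PASS_ADD."""
    reply = server_authorize(build_command_request(user, cmd, cmd_arg, key), key)
    _, _, seq_no, _, session_id, _ = struct.unpack("!BBBBII", reply[:12])
    return obfuscate(reply[12:], session_id, key, seq_no)[0] == STATUS_PASS_ADD


if __name__ == "__main__":
    print(command_authorized(b"imran", b"show", b"running-config", b"tac-k3y"))   # True
    print(command_authorized(b"imran", b"configure", b"terminal", b"tac-k3y"))   # False
```

Because the whole body is XORed, a capture of TACACS+ on port 49 does not show the username or the command the way a RADIUS capture shows the username; but the pad is derived from MD5 and a static key, so treat it as hiding from casual inspection, not as confidentiality against an attacker who can collect traffic and guess keys.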
Now, on a typical switch, what happens is this: let's say you go to a conference room and there is a wall socket. You take your laptop and plug in there. If you remember one of the older videos in this course, we discussed port security. What does port security do? Depending on the MAC address it can block the port: if the MAC address that shows up on the port is different from the one configured for it, port security can disable the port. That is a limited level of security, where you can disable the port, but at enterprise level it is not practical to have MAC-based port security on every port, because you might have a lot of people connecting to that port and you can't pre-configure just one or two or some fixed number of MAC addresses. You want a level of security where people cannot misuse the port, but you still don't want to restrict people from using it.

For this there is a framework called 802.1X. 802.1X is a framework, and within 802.1X you use a protocol called EAP. What does this do? If you have a switch port, and by switch port I mean the physical port in a switch, the port on the wall in the conference room is patched to a switch port in, let's say, a 48-port switch. You go to each of those ports and configure 802.1X. Once you do that, when you connect a device, all traffic (DHCP, TFTP, IP, whatever) is blocked except for one special protocol called EAP over LAN, EAPOL. EAPOL traffic goes through, and the switch contacts the authentication server, the AAA server. If the server finds that the username and password you are giving are correct, the switch opens that port and all traffic after that starts flowing. If the server says no, nothing changes, and only EAPOL traffic will pass through. This is a very simple explanation of what 802.1X does.

If you look at the 802.1X process, it basically contains three components. The first is the supplicant. The supplicant is typically software on your computer; most of the newer operating systems have a supplicant built in, but if you don't have one you can install third-party supplicant software. Why do you need that software? Because when you connect to an 802.1X-enabled port, like I said, all traffic is blocked; you will not even have an IP address, so the device cannot get an IP address. The only thing that works is EAPOL, EAP over LAN, and not all computers know how to frame EAPOL. The supplicant software is what creates those EAPOL frames. That's the supplicant, the first component.

The second component is the authenticator. The authenticator is the device that sits in between, in this case the Cisco switch. It just relays information: whatever the supplicant sends, the authenticator takes it, extracts the EAP content from the EAPOL frame, puts it into a RADIUS packet (UDP, as we saw) using the EAP-Message attribute, and sends it to the authentication server. Note that this step is RADIUS specifically: TACACS+ is not a transport for EAP, so the RADIUS-or-TACACS+ choice we discussed applies to administrator logins on the device, not to 802.1X. The third component is the authentication server. The authentication server looks at the credentials and says yes if they are correct; if the authentication fails, it says so and the port stays closed.

Let's look at the process a little more. Initially, when you start, the port is blocked. The first message the supplicant sends is an EAPOL-Start message. The EAPOL-Start message is not mandatory, and not all devices send it; even if it isn't sent, an authenticator with 802.1X enabled on the port will, every few seconds or minutes depending on how you configure it, send an EAP Identity Request. If you do send an EAPOL-Start, the authenticator immediately sends an Identity Request. When it receives the Identity Request, the supplicant sends an Identity Response; that is where you send the username. So when asked for its identity, it says "my username is Imran". That frame comes to the authenticator, the authenticator strips out the EAP data (the identity, Imran), puts it in a RADIUS Access-Request and sends it to the authentication server. The authentication server says "fine, I can see the username; now I challenge you to send me the password". That is the Access-Challenge: the message from the authenticator is called an Access-Request, and the reply is an Access-Challenge. Don't worry, you don't have to go in depth on these messages and message types, because like I said these are describe topics; if you look at the exam topics it says describe, so you don't really need to go into this detail. I'm putting it here just for information, so if you are interested, go through it.

So the Access-Challenge is relayed to the supplicant as a request for the password, and the supplicant says "fine, I need to send you the password". But there are a few more steps that happen here: there is a negotiation between the authentication server and the supplicant about the EAP method. You can't send the password in cleartext, so they need to create a tunnel, an encrypted channel. The supplicant and the authentication server either decide to use EAP-TLS, where both sides authenticate with certificates over a TLS handshake and no password is sent at all, or they use PEAP, Protected EAP, which builds a TLS tunnel to the server and runs another method, such as Microsoft's MS-CHAPv2, inside it. So there is other communication between the authentication server and the supplicant, but basically, once they agree on the method, the supplicant sends its credential (the password, in the PEAP case) through the encrypted tunnel, carried in an Access-Request to the authentication server. The server checks it, and if it is a success it replies with an Access-Accept; if it fails, it replies with an Access-Reject. Finally, if it's a success, an EAP-Success message goes out over EAPOL, and if everything works the port gets opened. This is the process that takes a port from the shut, or filtered, state to the open state. So basically 802.1X is a framework that gives you a much more advanced level of security than the old port security we discussed.

802.1X is also used on wireless devices, and it's basically the same thing there. Let's say you have a wireless device, an access point, and multiple laptops connecting to it. The access point contacts the AAA server, and depending on what the server returns over RADIUS, you can tell which VLAN each device goes in. So say this is device number one and this is device number two: depending on the username and password that was given, you can say that device one needs to be placed in VLAN 100 and device two needs to go into VLAN 200. All traffic coming from device two will then automatically go into VLAN 200, and traffic from device one will go into VLAN 100. These are all the things that can be done using 802.1X.
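The three-component exchange described above, and the VLAN assignment at the end, as one added example in Python (not code from the video, from Cisco or from any supplicant): the EAPOL and EAP framing, an authenticator that forwards only EAPOL while the port is unauthorized, relays the EAP packet into RADIUS EAP-Message attributes of at most 253 bytes, and opens the port into the VLAN named by the Tunnel-* attributes on Access-Accept. The server is a stand-in that skips the EAP method (PEAP or EAP-TLS) conversation and accepts a known identity; the identities and the user-to-VLAN mapping are constructed for the demo.

```python
import struct

# EAPOL (IEEE 802.1X) header: Version, Type, Length; the frame's EtherType is 0x888E
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
# EAP (RFC 3748) codes and the one method type used here
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
# RADIUS codes and attributes the authenticator uses (RFC 2865, RFC 3579, RFC 2868/3580)
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
USER_NAME, NAS_PORT_TYPE, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, EAP_MESSAGE, TUNNEL_PRIVATE_GROUP_ID = 1, 61, 64, 65, 79, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802, NAS_PORT_TYPE_ETHERNET = 13, 6, 15


def eapol(ptype, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, ptype, len(body)) + body


def eap(code, ident, etype=None, data=b""):
    """Success/Failure carry only the 4-byte header; Request/Response add a Type byte and data."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse_eapol(frame):
    _, ptype, length = struct.unpack("!BBH", frame[:4])
    if len(frame) < 4 + length:
        raise ValueError("truncated EAPOL frame")
    return ptype, frame[4:4 + length]      # Ethernet padding beyond Length is ignored


def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("EAP Request/Response without a Type")
        return code, ident, pkt[4], pkt[5:]
    return code, ident, None, b""


def vlan_from_attrs(attrs):
    """RFC 3580: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=IEEE-802(6), Tunnel-Private-Group-ID=<vlan>."""
    fields = dict(attrs)
    if not all(t in fields for t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)):
        return None
    # Tunnel attributes begin with a one-byte Tag (RFC 2868); Type and Medium are tag + 3-byte integer
    if (int.from_bytes(fields[TUNNEL_TYPE][1:4], "big") != TUNNEL_TYPE_VLAN
            or int.from_bytes(fields[TUNNEL_MEDIUM_TYPE][1:4], "big") != TUNNEL_MEDIUM_802):
        return None
    group = fields[TUNNEL_PRIVATE_GROUP_ID]
    group = group[1:] if group[0] <= 0x1F else group   # a first byte above 0x1F is data, not a tag
    return int(group)


class Authenticator:
    """The switch port: only EAPOL passes while unauthorized; EAP is relayed to RADIUS and back."""

    def __init__(self):
        self.port_state, self.vlan, self.identity, self.next_id = "unauthorized", None, None, 1

    def from_supplicant(self, frame):
        """Returns ('eapol', frame) to send to the supplicant or ('radius', attrs) to send to the server."""
        ptype, body = parse_eapol(frame)
        if ptype == EAPOL_START:           # optional; without it the port periodically sends Request/Identity
            return "eapol", eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, self.next_id, EAP_TYPE_IDENTITY))
        if ptype == EAPOL_LOGOFF:
            self.port_state, self.vlan = "unauthorized", None
            return "eapol", b""
        if ptype != EAPOL_EAP_PACKET:
            raise ValueError("unsupported EAPOL type %d" % ptype)
        code, ident, etype, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.next_id:
            raise ValueError("EAP response does not match the outstanding request")
        if etype == EAP_TYPE_IDENTITY:
            self.identity = data
        # Strip EAPOL; carry the EAP packet in EAP-Message attributes of at most 253 bytes each (RFC 3579)
        attrs = [(USER_NAME, self.identity), (NAS_PORT_TYPE, NAS_PORT_TYPE_ETHERNET.to_bytes(4, "big"))]
        attrs += [(EAP_MESSAGE, body[i:i + 253]) for i in range(0, len(body), 253)]
        return "radius", attrs

    def from_server(self, code, attrs):
        """Accept opens the port (into the assigned VLAN, if any); Reject keeps it closed; Challenge is relayed."""
        eap_pkt = b"".join(v for t, v in attrs if t == EAP_MESSAGE)
        if code == ACCESS_ACCEPT:
            self.port_state, self.vlan = "authorized", vlan_from_attrs(attrs)
        elif code == ACCESS_REJECT:
            self.port_state, self.vlan = "unauthorized", None
        elif code == ACCESS_CHALLENGE:
            self.next_id = parse_eap(eap_pkt)[1]
        return eapol(EAPOL_EAP_PACKET, eap_pkt)


def constructed_server(attrs, user_vlans):
    """Stand-in for the AAA server: the PEAP/EAP-TLS method exchange is left out, a known identity is
    accepted straight away, and the reply carries EAP-Success plus the VLAN attributes for that user."""
    code, ident, etype, identity = parse_eap(b"".join(v for t, v in attrs if t == EAP_MESSAGE))
    if code == EAP_RESPONSE and etype == EAP_TYPE_IDENTITY and identity in user_vlans:
        tag = b"\x01"
        return ACCESS_ACCEPT, [(EAP_MESSAGE, eap(EAP_SUCCESS, ident)), (USER_NAME, identity),
                               (TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
                               (TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_802.to_bytes(3, "big")),
                               (TUNNEL_PRIVATE_GROUP_ID, tag + str(user_vlans[identity]).encode())]
    return ACCESS_REJECT, [(EAP_MESSAGE, eap(EAP_FAILURE, ident))]


def run_session(identity, user_vlans):
    """One port through Start -> Request/Identity -> Response/Identity -> RADIUS -> Success or Failure."""
    auth = Authenticator()
    _, frame = auth.from_supplicant(eapol(EAPOL_START))
    _, ident, etype, _ = parse_eap(parse_eapol(frame)[1])
    assert etype == EAP_TYPE_IDENTITY
    _, attrs = auth.from_supplicant(eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, identity)))
    code, reply = constructed_server(attrs, user_vlans)
    final = auth.from_server(code, reply)
    return auth.port_state, auth.vlan, parse_eap(parse_eapol(final)[1])[0]
```

`run_session(b"imran", {b"imran": 100, b"guest": 200})` returns `("authorized", 100, 3)`: the port opens into VLAN 100 and the supplicant receives EAP-Success (code 3). An unknown identity returns `("unauthorized", None, 4)`. The identity the supplicant sends in the Response/Identity is visible to anyone on the wire; that is why the real credential is only ever sent inside the TLS tunnel that the method negotiation sets up.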
So this was a very short video. We looked at 802.1X and AAA with RADIUS and TACACS+. We will be back very soon, and we will start getting into more complex topics; one of the most requested topics was OSPF and EIGRP, and we'll be getting into OSPF and EIGRP very soon. So stay tuned, and don't forget to hit that like button and subscribe to our channel. See you all very soon.

Reynold King

52 Replies to “Free CCNA | 802.1x and AAA – Day 40 | 200-125 | Cisco Training”

  1. OMG, the series is still continuing. I like your explanation. Can you please also make a motivational video about career opportunities in this area? I am the first commentator. Ha ha ha. 😀

  2. Finally, after what seemed like forever. Thank you for this video Imran... no one explains the concepts like you do... so it's a humble request, please try to upload videos as quickly as possible for you...

  3. You're really awesome. I have just started my career by looking at your videos. Now I am a CCNA holder, thanks for the support.

  4. Hi Mr King, wish you a happy Ramadan.
    For the past few days I have been searching for your institution in Doha; please let me know your institution's address. Thank you

  5. Hello sir, I have a question.
    For the CCNA exam simulation questions, do the TAB key (autocomplete) and the '?' (help) key work? Or should we remember the complete commands? If so, will points be deducted or something?

  6. I have two questions that seem to confuse me.
    Q1. Under normal operations, Cisco recommends that you configure switch ports on which VLAN?
    a. default vlan
    b. on any vlan except the default vlan

    Q2. Which NTP command configures the local devices as an NTP reference clock source?
    a. NTP master
    b. NTP server

    Thank you, and it would be highly appreciated if you respond.

  7. Need your advice.
    Nowadays companies only need Cisco security professionals, because a Cisco security professional can also easily handle the configuration of routers and switches; I mean they can also play the role of a CCNA R&S.

    So I think the era of getting a job in the routing and switching field is gone, even if a person is a CCNP R&S professional...??

  8. Bro, am I ready to write the CCNA? I have gone through all of your videos.
    I am waiting for your response so that I can write my exam.

  9. Sir, please upload more lectures. Your teaching is superb and easy for everyone. Thank you so much sir, you are awesome.

  10. Hi Imran Sir,
    Passed the ICND1 exam yesterday. I followed your videos and they were very helpful for me to get through. Your teaching from basics to advanced is great; thank you for the free service. Looking forward to new videos in the next series very often.

  11. One of the best tutors, @imran. If you want to learn from others as well, look for the Lazaro Diaz course on Udemy. I waited for Imran's video for a long time and ended up with Lazaro Diaz and passed the 120 exam; now I'm back with Imran again for 125. I also got study material from Lazaro Diaz, so give it a try, he is very good too.

  12. Mind-blowing teaching; in one watch we can easily understand your concepts. The way you explain is really nice, but the drawback is that you need to upload the videos earlier.

  13. This video and this series are still valid. If anything changes, we will update this series accordingly. All the best.

    The full series can be found on this playlist:

    #FreeCCNA #CiscoCCNA #ImranRafai

  14. Hello sir, what will be the switchport mode where the access point is connected, for it to be able to carry traffic for multiple VLANs?

  15. After watching the previous video, many concepts related to my research work got cleared up. Thank you bro.
