Authentication Example


In this example, your user local-admin is attempting to Telnet to a Cisco router. The Cisco router is configured to request authentication from anyone that attempts to access it via Telnet. As the user enters a password, it is sent as clear text to the router. The router then either places that username and password in a packet and sends it to an AAA server, such as CSACS, or compares them against a local username and password configured on the router.

A more detailed look at the process is as follows:

Step 1. The client establishes a connection with the router.

Step 2. The router prompts the user for their username and password.

Step 3. The router authenticates the username and password against the local database. The user is authorized to access the network based on information in the local database.

The process is illustrated in Figure 1-1.

Figure 1-1. A Simple Authentication Example


Of course, this is not the best type of authentication to perform, because anyone that has access to the network and to the path that local-admin takes from their workstation to the router can see the username and password simply by using some type of "sniffer" software or protocol analyzer. In fact, most protocols don't encrypt the password at all, while others use weak ciphers and can be susceptible to brute-force attacks. More secure methods include protocols such as the Challenge Handshake Authentication Protocol (CHAP), one-time passwords, or smart tokens like RSA SecurID or CRYPTOCard. These types of authentication are discussed in Chapter 11, "System Configuration."
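The clear-text login of Steps 1 to 3 and the CHAP alternative mentioned above, side by side in an added Python example that is not from the book: the local database, the credential for local-admin and the "wire" capture are constructed stand-ins, and the CHAP response follows RFC 1994, MD5(Identifier || secret || Challenge).

```python
import hashlib
import hmac
import os

# Constructed stand-in for the router's local username/password database (Step 3).
LOCAL_DB = {"local-admin": "s3cret-pw"}  # sample credential, not from the book

def telnet_login(username: str, password: str, wire: list) -> bool:
    """Clear-text login as in the Telnet example. `wire` collects every message
    exactly as a sniffer on the path between workstation and router would see it."""
    wire.append(("client->router", f"{username}\r\n{password}\r\n"))
    # The router looks the user up in its local database and compares the password.
    return hmac.compare_digest(LOCAL_DB.get(username, ""), password)

def chap_response(identifier: int, secret: str, challenge: bytes) -> str:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).hexdigest()

def chap_verify(username: str, identifier: int, challenge: bytes, response: str) -> bool:
    """Router side: recompute the expected response from the stored secret and compare."""
    secret = LOCAL_DB.get(username)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)

def chap_login(username: str, secret: str, wire: list) -> bool:
    """Challenge-response login: the client proves it knows the secret, but the
    secret itself never crosses the wire. Returns the router's verdict."""
    identifier, challenge = 1, os.urandom(16)  # fresh random challenge per attempt
    wire.append(("router->client", f"CHAP challenge id={identifier} {challenge.hex()}"))
    response = chap_response(identifier, secret, challenge)
    wire.append(("client->router", f"CHAP response id={identifier} {username} {response}"))
    return chap_verify(username, identifier, challenge, response)

def secret_on_wire(wire: list, secret: str) -> bool:
    """What the sniffer learns: does the secret appear verbatim in any captured message?"""
    return any(secret in message for _, message in wire)

def replay_captured_response(username: str, wire: list) -> bool:
    """A captured CHAP response replayed against a new challenge fails, because the
    response is bound to the challenge it answered. `wire` holds one chap_login exchange."""
    old_response = wire[-1][1].split()[-1]
    return chap_verify(username, 1, os.urandom(16), old_response)
```

Run telnet_login and chap_login with the same credential and compare secret_on_wire on the two captures: the Telnet capture contains the password, the CHAP capture does not.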




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173