Home > Articles

  • Print
  • + Share This
This chapter is from the book

AAA Operation

To enable AAA on the router, go to configuration mode and simply enter

Router(config)#aaa new-model

Specify the protocol and location of the AAA server with one of the following lines:

tacacs-server host ip-address [single-connection]
radius-server host ip-address

The host ip-address specifies the IP address of the AAA TACACS or RADIUS server, and the single-connection option only available with TACACS specifies that the router maintain a single open connection for confirmation from an AAA/TACACS+ server (CiscoSecure Release 1.0.1 or later). The single-connection option does give better performance, but it is not the default.

The last command to get AAA up and running configures the shared password between the router and the AAA server. The passwords are case-sensitive:

tacacs-server key key
radius-server key key

A complete example looks something like this:

Router(config)#aaa new-model
Router(config)#tacacs-server host 192.168.1.100 single-connection
Router(config)#tacacs-server key MyPassWord

AAA Authentication Commands

aaa authentication login specifies that you want to use authentication. You need to give the authentication parameters a list name, either default or some other name you define:

aaa authentication login {default | list-name} group 
_{group-name | radius | tacacs+} [method 2...3...4]

Using the name default means its settings are applied to all lines (console, VTY, TTY, and so on) and interfaces (async, serial, Ethernet, and so on) unless you define and use another name. A unique list name overrides the default and its settings when applied to a specific line or interface.

The group parameter has three options: a group-name, radius, or tacacs+. If you use either tacacs+ or radius, the router uses all those types of servers that you configured using the tacacs/radius-server host ip-address command, or you can build a custom group and call it with its group name. The other methods are used if the method before it has an error. One other method of special note is none with the option that if all others fail, you are authenticated. All the different authentication methods appear in Table 3.1.

Table 3.1 AAA Authentication Methods

Method

Explanation

enable

Uses the router's enable password

krb5

Uses Kerberos Version 5

group radius

Uses the list of all RADIUS servers for authentication

group tacacs+

Uses the list of all TACACS+ servers for authentication

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group command

line

Uses the line password for authentication

local

Uses the local username database for authentication

local-case

Uses case-sensitive local username authentication

none

Uses no authentication


Here is a working example of two different authentication settings:

Router(config)#aaa authentication login default group tacacs+ local
Router(config)#aaa authentication login fallback group tacacs+ enable
Router(config)#line vty 0 4
Router(config-line)#login authentication fallback

The first command builds the default list. It tries to authenticate to all TACACS servers configured, and if it receives no response, it uses the next configured setting for authentication—in this example, the local username database.

The second command creates a list called fallback. It checks the TACACS servers, and if it receives no response, it uses the enable password.

The third and fourth commands apply the fallback list to the five VTY lines, 0 through 4.

TIP

A trick question here is to ask what authentication settings are in use for Line Console 0; the answer is the default list. Remember that once a default list is built, it applies to all interfaces and lines unless overridden by an explicit assignment as you saw on the VTY ports.

Another feature worth pointing out is that when you turn on authentication using the default group, it is applied to all interfaces. You will find yourself locked out of the router if you have not finished setting up your authentication sources and you log out or your session times out.

AAA Authorization Commands

Once a user is authenticated, you can set parameters that restrict the user's access on the network using the aaa authorization command. The authorization commands have the same look and feel as the authentication command:

aaa authorization {network | exec | commands level | reverse-access} 
_{default | list-name} [method 2...3...4]

Table 3.2 lists the four areas of control where you can grant specific authorization.

Table 3.2 AAA Authorization Command

Keyword

Explanation

network

Starts authorization for all network-related service such as Serial Line Internet Protocol (SLIP) and Point-to-Point Protocol (PPP)

exec

Starts authorization to determine whether the user is allowed to run an EXEC shell

commands level

Starts authorization for all commands at the specified privilege level (0 to 15)

reverse-access

For reverse access connections, such as reverse Telnet


Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. There are a number of ways in which a user can be authenticated; Table 3.3 lists the options for the AAA authorization command.

Table 3.3 AAA Authorization Methods

Method

Explanation

group radius

Uses the list of all RADIUS servers for authentication.

group tacacs+

Uses the list of all TACACS+ servers for authentication.

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group command.

if-authenticated

Allows the user to access the requested function if the user is authenticated.

local

Uses the local username database for authentication.

none

No authorization is performed.


For authorization, let's take a look at two different examples: one for character mode and the other for packet mode. Remember, in character mode, you are usually securing the router itself:

Router(config)#aaa authorization exec default group tacacs+ none

In this example, a user must be authorized by a TACACS+ server before he can gain access to an EXEC shell or prompt. If the TACACS+ servers are unreachable, then the user is automatically granted access because of the none option at the end. This method is used mainly for administrators who still have physical access to the device.

Let's examine a packet-level example:

Router(config)#aaa authorization network checkem group tacacs+ if-authenticated
Router(config)#int serial 0
Router(config-if)#ppp authorization checkem

The first command determines whether a user is allowed to make a packet-level connection. It built a list called checkem that looks to the TACACS+ servers first; if the servers are down, it allows access if the user has been authenticated. The last command applies the checkem list to PPP services on Serial 0.

AAA Accounting Commands

Accounting allows you to track individual and group usage of network resources. When AAA accounting is activated, the router logs user activity to the TACACS+ or RADIUS server. You can then analyze this data for network management, client billing, security, or auditing. The accounting command looks like this:

aaa accounting {system | network | exec | connection | commands level} 
_{default | list-name} {start-stop | wait-start | stop-only | none} 
_ [method 2...3...4]

The aaa accounting command is unlike the authorization and authentication commands that have two halves. Accounting has three parts: what service or services you want to audit (see Table 3.4), which events trigger it, and where to send the information.

Table 3.4 AAA Accounting Command

Keyword

Explanation

system

Performs accounting for all system-level events not associated with users, such as reloads

network

Runs accounting for all network-related services such as SLIP and PPP

exec

Runs accounting for an EXEC shell session

connection

Keeps information about all outbound connections made from the router, such as Telnet and rlogin

commands level

Runs accounting for all commands at the specified privilege level (0 to 15)


Remember that default and list-name are simply the identifiers for the AAA parameters. You use default, or specify other non-default parameters by using list-name. Also worth mentioning is that the aaa accounting system command is the only command that doesn't apply to packet or character mode. The different events that you can use for accounting appear in Table 3.5.

Table 3.5 AAA Accounting Events

Keyword

Explanation

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The user's process begins regardless.

wait-start

Same as a start-stop except the process doesn't begin until the accounting service request is acknowledged from the AAA server.

stop-only

Sends a stop accounting notice at the end of a requested user process.

none

Disables accounting services on this line or interface.


Then, the accounting command indicates for which server groups the information is recorded and logged. Table 3.6 lists accounting methods for server groups.

Table 3.6 AAA Accounting Methods

Method

Explanation

group radius

Uses the list of all RADIUS servers for authentication

group tacacs+

Uses the list of all TACACS+ servers for authentication

group group-name

Uses a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group command


Let's look at an example of the aaa accounting command. Here we use the command twice to set up accounting for two different events:

Router(config)#aaa accounting connection default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+

The first command monitors any Telnet, rlogin, or other outbound connections, such as when they start and stop, and logs the information to the AAA servers configured under TACACS+.

The second command turns on accounting for privilege Level 15 commands, which is enable mode, and logs their use to the TACACS servers. You can also use Level 1 for user mode access.

  • + Share This
  • 🔖 Save To Your Account