Home > Articles > Security > Network Security

This chapter is from the book

This chapter is from the book

Cisco Secure Internet Security SolutionsCisco Secure Internet Security Solutions

Learn More Buy

This chapter is from the book

This chapter is from the book

Cisco Secure Internet Security SolutionsCisco Secure Internet Security Solutions

Learn More Buy

AAA Authentication Setup with TACACS+ and RADIUS

To authenticate large numbers of users, you need to have a database that stores the usernames and passwords. This is where either TACACS+ or RADIUS servers come into play.

On the router configuration, TACACS+ and RADIUS are not difficult to configure. They also allow for multiple forms of authentication, including:

  • Digital certificates
  • One-time passwords
  • Changeable passwords
  • Static passwords
  • UNIX authentication using the /etc/password file
  • NT database authentication

Three steps are required to make a router use AAA:

Step 1 Initial configuration

Step 2 Building a method list

Step 3 Linking the list to interfaces

Each of these will be discussed in turn.

Initial Configuration

You need to know a few new commands before using TACACS+ or RADIUS. These commands are used in global configuration mode. For TACACS+, the commands are as follows:

aaa new-model
tacacs-server host host-ip-address
tacacs-server key serverkey

The first command, aaa new-model, tells the router that you are using either TACACS+ or RADIUS for authentication. The next line tells the router the IP address of the TACACS+ server, where host-ip-address is the IP address of that server. The third line tells the router what password key is shared between the router and the server. Unlike passwords, which can be made to appear encrypted within configuration files, this password key always appears in plain text.

It is important that the key is used on both the router and within the configuration file on the server. This ensures that the key is encrypted before being sent to the server. Unless both the TACACS+ server and one of the Ethernet ports on the router are located on an extremely secure network, it is possible for someone to gather keys through the use of a packet analyzer. Therefore, the authors recommend that the key is always entered in both places. There is little sense in not encrypting the key after going through the effort of configuring TACACS+ or RADIUS authentication.

RADIUS authentication also relies on three initial commands. The first command, aaa new-model, is the same as on a TACACS+ system. The next two commands differ only in the replacement of radius for tacacs:

aaa new-model
radius-server host host-ip-address
radius-server key serverkey

Building a Method List

Now that the initial configuration of authentication is completed, you need to determine in what order the authentication methods will be accomplished. You have some flexibility in the order chosen. For example, you can make the router check the TACACS+ server first and then the local entry on the router, or check the local first and then the TACACS+ server.

A number of different authentication services also can be used. Table 10-1 contains a list of the available services and a description of each.

Table 10-1 AAA Authentication Service Types

Service

Description

arap

Uses AppleTalk Remote Access Protocol list

enable

Uses the enable mode list

login

Used for character mode connections

nasi

Uses NetWare Asynchronous Services Interface

ppp

Uses Point-to-Point Protocol

In addition to the service used, the order in which authentication is checked is also chosen. Up to four different authentication methods can be chosen. Multiple authentication methods are usually employed in case the authentication server is unreachable, but it can also be used to allow some individuals, such as the administrator, to completely bypass the server authentication process. Table 10-2 contains a list of valid authentication methods.

Table 10-2 AAA Authentication Methods

Method

Description

auth-guest

Allows a guest logon only if the user has already logged into the EXEC mode.

enable

Uses the enable password for authentication.

guest

Allows a guest logon.

if-needed

Authenticates only if the user has not already been authenticated.

krb5

Uses Kerberos 5 for authentication.

krb5-telnet

Uses Kerberos 5 for authentication on Telnet sessions. Note: This must be the first in the list.

line

Uses the line password for authentication.

local

Uses the local database for authentication.

none

No authentication is used.

radius

Uses RADIUS for authentication.

tacacs+

Uses TACACS+ for authentication.

Not all of the services can use all of the methods listed in Table 10-2. For example, the local method cannot use the enable service, and RADIUS cannot be used with NASI. A complete list of compatibilities can be found in Table 10-3.

Table 10-3 Authentication Services and Methods Compatibility

Method

arap

enable

login

nasi

ppp

auth-guest

Yes

No

No

No

No

enable

No

Yes

Yes

Yes

No

guest

Yes

No

No

No

No

if-needed

No

No

No

No

Yes

krb5

No

No

Yes

No

No

krb5-telnet

No

No

Yes

No

No

line

Yes

Yes

Yes

Yes

No

local

Yes

No

Yes

Yes

Yes

none

No

Yes

Yes

Yes

Yes

radius

Yes

Yes

Yes

No

Yes

tacacs+

Yes

Yes

Yes

Yes

Yes

The aaa authentication command is used to start authentication on the router. The general syntax of this command is

aaa authentication service-type {default | list-name}
  method1 [method2] [method3] [method4]

With this command, service-type is one of the services previously listed in Table 10-1, such as arap, line, if-needed, and so on. The next parameter is either the keyword default or a list name. The list name can be virtually any word except the word default, and it is used to name the following list of authentication methods. The parameters method1, method2, method3, and method4 are used to specify the order in which authentication takes place. Use any of the methods listed in Table 10-2. At least one method must be used, with a maximum total of four methods specified.

There are three exceptions to the syntax described above. These exceptions are:

aaa authentication local-override
aaa authentication password-prompt text-string
aaa authentication username-prompt text-string

The aaa authentication local-override command is used on an individual interface to force the IOS to check the local database before attempting any other form of authentication. The aaa authentication password-prompt text-string command is used to change the text that is displayed when a user is prompted for a password. The parameter text-string is the text that is displayed. The aaa authentication username-prompt text-string changes the text that is displayed when a user is prompted for a username.

Now look at how these commands work. Assume that you want to make TACACS+ the default authentication method for PPP access. You would use the following command:

aaa authentication ppp default tacacs+

If you want to use TACACS+ as the default and also allow the local database to be used if the TACACS+ server does not respond, you would use the following command:

aaa authentication ppp branch-office-users tacacs+ login

Notice in this scenario that you have dropped the use of the word default and are now using branch-office-users instead. The parameter branch-office-users is an arbitrary name made up for this list. It is critical that the administrator understands that the local database is not used if any response is received from the TACACS+ server. In other words, the local database is only used if the TACACS+ server is not available. The local database is not consulted if the TACACS+ server rejects the request to log in.

To review, the following shows the new commands used in this configuration. For this example you will use TACACS+ to authenticate users logging into the router. If the TACACS+ server is not available, you will use the local database to authenticate. The set of global commands required follows:

aaa new-model
!Get ready to use AAA

tacacs-server host 172.30.1.50
!Set the server to look for the TACACS+ server at the IP address of 172.30.1.50

tacacs-server key mysecretkey
!Using the server key "mysecretkey" on both the router and
!within the configuration of the TACACS+ server forces
!encryption when the key is sent to the server

aaa authentication ppp branch-office-users tacacs+ login
!Set authentication for PPP to first use the TACACS+ server and
!then use the local database.
!The name of this list is "branch-office-users."

Now that the method list is built, you still need to link the list to an interface before authentication can take place.

Linking the List to Interfaces

Because the initial and method list configurations are done, you merely need to add the proper commands to the individual interfaces.

In this example, you are going to use AAA authentication on S2, which is connected to the branch office.

 interface serial 2
!This interface is connected via ISDN to the branch office

ppp authentication chap
!You have set the PPP authentication to use CHAP

Although this configuration works to authenticate the users with CHAP, it might not be the best configuration for your purposes. Instead, you could use the TACACS+ server for the initial authentication. You would then use CHAP if the user is not already authenticated. To do this, you change the last interface configuration line to read: 

ppp authentication chap if-needed branch-office-users
!You have set the PPP authentication to use CHAP if the user has
!not already been authenticated by the TACACS+ server.

This gives a little more protection. To refine this a little more, in the following configuration the router first expects a CHAP password. If the received password fails, the router then accepts another password attempt, this time expecting a PAP password. Because PAP sends the password itself in clear text, the administrator should ensure that the chap keyword is used before the pap keyword. This causes the first connection attempt password hash to be encrypted with a clear text password being sent only if the CHAP connection attempt fails. Using the pap keyword first would cause the first attempt to be accomplished with a clear-text password, which is a less secure method.

ppp authentication chap pap if-needed branch-office-users
!You have set the PPP authentication to use CHAP if the user has
!not already been authenticated by the TACACS+ server.
!If CHAP is not available, you use PAP.

Finally, because you only need to verify users from the remote office coming into the main branch, you can specify that only those calling in are authenticated. As the router is now configured, both incoming and outgoing users are authenticated. Adding the keyword callin to the previous command authenticates only incoming calls:

ppp authentication chap pap if-needed branch-office-users callin
!You have set the PPP authentication to use CHAP if the user has 
!not already been authenticated by the TACACS+ server.
!If CHAP is not available, you use PAP.
!This only applies to connections initiated from the outside of this interface.

The final configuration looks like this:

aaa new-model
tacacs-server host 172.30.1.50
tacacs-server key mysecretkey
aaa authentication ppp branch-office-users tacacs+ login

interface serial 2
ppp authentication chap pap if-needed branch-office-users callin

Fine-Tuning the Configuration

You now have a configuration where the remote PPP user authenticates through the TACACS+ server. However, there is a configuration issue here that is sure to become a problem sometime in the future. You have not really secured how you log into the router for administrative purposes. You need to be extremely careful when authenticating users to the console. If you rely solely on a TACACS+ or RADIUS server, you will be unable to log onto the router if there are problems in communication between the two. Therefore, you need to enable another method of accessing the console.

This is very simple to do, but very important for troubleshooting purposes. First, set the default authentication for the login through the console and TTY to use TACACS+ or RADIUS. Then create a list that requires no authentication. Finally, associate this list with an interface. An example follows:

aaa authentication login default tacacs+
aaa authentication login administrative none

line con 0
login authentication administrative

The only security issue related to this configuration is that anyone who has physical access to the router can plug into the console and log in, bypassing the TACACS+ authentication. However, anyone with physical access to the router also has the ability to reset the router and bypass the current configuration anyway. As always, physical security is necessary on all equipment critical to your network.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020