Monday 22 May 2017

CISCO – BASIC CONFIGURATION FOR AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) IN THE CISCO IOS:

This article describes how to configure Authentication, Authorization, and Accounting (AAA) on Cisco IOS.

When it comes to network security, AAA is a requirement. Here is what each of the three is used for and why you should care:


AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA)



WHAT IS AN AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA)?


AUTHENTICATION: identifies users by login and password, using a challenge-and-response exchange, before the user even gains access to the network. Depending on the security protocol you select, it can also support encryption.

In Cisco's words, authentication identifies users, including login and password dialog, challenge and response, messaging support and, depending on the security protocol that you select, encryption.

Authentication is the process of verifying the identity of the person or device accessing the Cisco NX-OS device, based on the user ID and password combination supplied by the entity trying to log in. Cisco NX-OS devices let you perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).

AUTHORIZATION (PROVIDES ACCESS CONTROL): AAA authorization is the process of assembling a set of attributes that describe what the user is permitted to do.

After initial authentication, authorization looks at what that authenticated user is allowed to do. It determines which devices, features or services a specific remote user may access in the network, such as network resources or services. The concept is much like user permissions in the Windows Server model.

RADIUS or TACACS+ security servers perform authorization for specific privileges by defining attribute-value (AV) pairs that are specific to the individual user's rights. In Cisco IOS, you define AAA authorization with a named list or authorization method.

ACCOUNTING: provides the method for collecting information, logging it locally, and sending it to the AAA server for billing, auditing and reporting. It is a way of collecting security information that you can use for billing, auditing and reporting; you can use accounting to see what users do once they are authenticated and authorized.

The accounting feature tracks and maintains a log of every management session used to access the Cisco NX-OS device. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally or send them to remote AAA servers.

For example, with accounting you could get a log of when users logged in and when they logged out.

WHY EVERY NETWORK ADMIN SHOULD CARE ABOUT AAA :


Besides passing certification tests like the Cisco CCNA Security, AAA is a critical piece of network infrastructure. AAA is what keeps your network secure by making sure that only the right users are authenticated, that those users have access only to the right network resources, and that those users are logged as they go about their business.


BENEFITS OF AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA)



BENEFITS OF USING AAA


AAA provides the following benefits:

• Increased flexibility and control of access configuration

• Scalability

• Standardized authentication methods, such as RADIUS and TACACS+

• Multiple backup devices

INCREASED FLEXIBILITY :


AAA's support of authorization, in addition to authentication, means access can be maintained on a "need to have" basis without having to maintain multiple passwords. The accounting support means that user auditing and cost-allocation policies can be implemented, and it also provides a trail that can be useful in troubleshooting network problems.

INCREASED SECURITY :


Multiple devices with the same locally administered username/password offer a low level of security. Everyone having access to everything, without regard for need, also unnecessarily increases risk. Multiple locally administered passwords would appear to increase security, but might lead to employees writing down passwords if there are too many to remember. This situation is exacerbated if complex passwords are required.

AAA, with its centralized security database and authorization features, allows a single secure username/password combination for each employee while still restricting access to a "need to have" basis. At the same time, AAA allows rapid response to compromised passwords or terminated employees.

SCALABILITY :


AAA is a template approach to security management that remains reliable and flexible as the network grows larger and more complex. By centralizing the security databases and supporting authorization, AAA avoids the nightmare of managing many username/password combinations in a growing environment, or the alternative "weak" security of using a small number of combinations. With locally stored authentication, any time there is a potentially compromised username/password or an employee is terminated, each device "should" be reconfigured; the more devices that exist, the greater the effort. AAA avoids this in much the same way that server security is maintained under the same circumstances.

STANDARD AUTHENTICATION METHODS :


AAA supports the RADIUS, TACACS+ and Kerberos security protocols for securing dial-in sessions. These protocols provide secure authentication, including encrypted communications and interaction with network server security systems. The next section compares these three systems.

MULTIPLE BACKUP SYSTEMS :


AAA supports multiple security servers, such as TACACS+, on the same network to provide redundancy in case of device failure or link congestion. In addition, AAA lets you specify multiple authentication methods so that, if the first one is unavailable, a second or third option can be used. For example, if the specified TACACS+ server is offline, the locally stored username/password database or even the enable password could be used. These alternatives must be defined in advance, or access could be blocked until the specified service is restored.

REMOTE AAA SERVICES :


Remote AAA services provided through the RADIUS and TACACS+ protocols have the following advantages over local AAA services:

• It is easier to manage user password lists for each Cisco NX-OS device in the fabric.

• AAA servers are already deployed widely across enterprises and can easily be used for AAA services.

• You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric.

• It is easier to manage user attributes for each Cisco NX-OS device in the fabric than to use the local databases on the Cisco NX-OS devices.

AAA SERVER GROUPS :


You can specify remote AAA servers for authentication, authorization and accounting using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide fail-over servers in case a remote AAA server fails to respond.

If the first remote server in the group fails to respond, the next remote server in the group is tried, until one of the servers sends a response. If all the AAA servers in the server group fail to respond, that server group option is considered a failure. If required, you can specify multiple server groups. If the Cisco NX-OS device encounters errors from the servers in the first group, it tries the servers in the next server group.

TACACS+, RADIUS, AND KERBEROS SUPPORT :


AAA supports all three of these security protocols to control dial-up access into networks. We look at each in turn, but note that Cisco supports Kerberos as a legacy security protocol for networks already committed to it. Cisco Secure Access Control Server (ACS), covered in the next chapter, implements only TACACS+ and RADIUS databases.

At the most obvious level, each of these three protocols does the same thing: each provides a secure authentication process that allows remote users to access an organization's network resources. At the nuts-and-bolts level they are quite different systems, requiring several chapters to detail.

Kerberos is covered first, and then TACACS+ and RADIUS are compared to help determine which should be implemented as part of Cisco Secure ACS.

It is important to make sure that the TACACS+, RADIUS or Kerberos server services are properly configured before adding the client features to the NAS. Otherwise, you could lock yourself out and require a password recovery.


AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) CONFIGURATION



AAA SERVICE CONFIGURATION OPTIONS :


AAA configuration in Cisco NX-OS devices is service based, which means that you can have separate AAA configurations for the following services:

• User Telnet or Secure Shell (SSH) login authentication

• Console login authentication

• Cisco TrustSec authentication

• 802.1X authentication

• Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) authentication for Network Admission Control (NAC)

• User management session accounting

• 802.1X accounting

HOW DO YOU CONFIGURE AAA IN THE CISCO IOS?

Here are the steps to configuring AAA:

• Enable AAA

• Configure authentication, using RADIUS or TACACS+

• Define the method lists for authentication

• Apply the method lists per line / per interface

It is important to note that Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If the security server or user database responds by denying the user access, the authentication process stops and the user gets an access-denied prompt.
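The two rules above (a server group is walked server by server until one answers; the next method in a method list is consulted only when the previous method produced no response, while an explicit accept or reject ends the walk) are easy to get wrong when designing fallback. The following Python simulation is an added example, not code from the article or from Cisco; server behaviour, the directory dictionaries and the scenario names are constructed. It follows the IOS behaviour the article describes: when every method is silent and no "none" method was listed, the login is blocked.

```python
"""Simulate Cisco IOS AAA method-list evaluation with server-group fail-over.

Added example (not from the article). Models two rules stated in the text:
  * a server group tries each server in turn and fails only when every
    server in it fails to respond;
  * the next method in a method list is used only when the previous one
    gave NO response; an explicit ACCEPT or REJECT stops the evaluation.
"""
from enum import Enum
from typing import Callable, Dict, Optional, Sequence


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # server down / timed out


# A server is modelled as a callable (username, password) -> Result.
Server = Callable[[str, str], Result]


def make_server(directory: Optional[Dict[str, str]]) -> Server:
    """Server backed by a constructed username->password map; None means it is down."""
    def respond(user: str, password: str) -> Result:
        if directory is None:
            return Result.NO_RESPONSE
        return Result.ACCEPT if directory.get(user) == password else Result.REJECT
    return respond


def query_group(servers: Sequence[Server], user: str, password: str) -> Result:
    """Fail-over inside one server group: first definite answer wins."""
    for server in servers:
        result = server(user, password)
        if result is not Result.NO_RESPONSE:
            return result
    return Result.NO_RESPONSE        # whole group silent -> group counts as failed


def evaluate_method_list(methods: Sequence[str], groups: Dict[str, Sequence[Server]],
                         local_db: Dict[str, str], user: str, password: str) -> Result:
    """Evaluate a list such as ["group tacacs+", "local", "none"] for one login."""
    for method in methods:
        if method.startswith("group "):
            result = query_group(groups[method[len("group "):]], user, password)
        elif method == "local":
            result = make_server(local_db)(user, password)
        elif method == "none":
            result = Result.ACCEPT   # 'none' admits anyone who reaches it
        else:
            raise ValueError(f"unknown method {method!r}")
        if result is not Result.NO_RESPONSE:
            return result            # ACCEPT or REJECT: no further method is tried
    return Result.NO_RESPONSE        # everything silent and no 'none': login blocked


def demo() -> Dict[str, Result]:
    """Constructed scenarios showing each rule; the names are the assertions' keys."""
    local_db = {"prem": "SCNinf4sys"}            # the article's local username
    tacacs_down = make_server(None)              # first server of the group is unreachable
    tacacs_up = make_server({"kumar": "secret"})  # second server answers
    groups = {"tacacs+": [tacacs_down, tacacs_up]}
    methods = ["group tacacs+", "local"]
    silent = {"tacacs+": [tacacs_down]}
    return {
        # first server down, second accepts kumar: fail-over inside the group
        "failover_accept": evaluate_method_list(methods, groups, local_db, "kumar", "secret"),
        # the group REJECTS prem (unknown there); 'local' is never consulted
        "reject_stops_walk": evaluate_method_list(methods, groups, local_db, "prem", "SCNinf4sys"),
        # whole group silent: falls through to 'local', which accepts prem
        "group_silent_local": evaluate_method_list(methods, silent, local_db, "prem", "SCNinf4sys"),
        # only method silent and no 'none' listed: access is blocked
        "all_silent": evaluate_method_list(["group tacacs+"], silent, local_db, "prem", "SCNinf4sys"),
        # a trailing 'none' admits anyone once the servers are silent
        "all_silent_with_none": evaluate_method_list(["group tacacs+", "none"], silent, local_db, "anyone", ""),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome.value}")
```

The "reject_stops_walk" scenario is the one that surprises people: a user who exists only in the local database is still refused when the TACACS+ group is reachable, because the group's reject is a definite answer. The last scenario shows why a trailing "none" should be treated as an emergency setting rather than a convenience.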

DETAILED STEPS

 
Command
Purpose
Step 1 
configure terminal

Example:
switch# configure terminal
switch(config)#
Enters configuration mode.
Step 2 
aaa authentication login default {group group-list [none] | local | none}

Example:
switch(config)# aaa authentication login default group radius
Configures the default authentication methods.
The group-list argument consists of a space-delimited list of group names. The group names are the following:
radius—Uses the global pool of RADIUS servers for authentication.
named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.
The local method uses the local database for authentication. The none method uses the username only.
The default login method is local, which is used when no methods are configured or when all the configured methods fail to respond.
Step 3 
exit

Example:
switch(config)# exit
switch#
Exits configuration mode.
Step 4 
show aaa authentication

Example:
switch# show aaa authentication
(Optional) Displays the configuration of the default login authentication methods.
Step 5 
copy running-config startup-config

Example:
switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.

ENABLING THE DEFAULT USER ROLE FOR AAA AUTHENTICATION

You can allow remote users who do not have a user role to log in to the device through RADIUS or TACACS+ using a default user role. You can enable or disable this feature per VDC as needed. For the default VDC, the default role is network-operator; for nondefault VDCs, the default role is vdc-operator. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.

BEFORE YOU BEGIN

Ensure that you are in the correct VDC (or use the switchto vdc command).

SUMMARY STEPS

1. configure terminal
2. aaa user default-role
3. exit
4. show aaa user default-role
5. copy running-config startup-config

DETAILED STEPS

 
Command
Purpose
Step 1 
configure terminal

Example:
switch# configure terminal
switch(config)#
Enters configuration mode.
Step 2 
aaa user default-role

Example:
switch(config)# aaa user default-role
Enables the default user role for AAA authentication. The default is enabled.
You can disable the default user role feature by using the no form of this command.
Step 3 
exit

Example:
switch(config)# exit
switch#
Exits configuration mode.
Step 4 
show aaa user default-role

Example:
switch# show aaa user default-role
(Optional) Displays the AAA default user role configuration.
Step 5 
copy running-config startup-config

Example:
switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.

To configure AAA, use the following statement in global configuration mode:

Router(config)# aaa new-model

From this point, most admins start configuring AAA by setting up authentication.

Here is one example of how to configure login authentication using the enable password:

Router(config)# aaa authentication login default enable

Perhaps you want to apply a method list only to a particular interface or set of interfaces. You would create a named method list and then apply it to those interfaces.

Here is an example of an authentication method list that is applied only to one interface:

Router(config)# aaa authentication ppp default group radius group tacacs+ local
Router(config)# aaa authentication ppp apple group radius group tacacs+ local none

Router(config)# interface async 3
Router(config-if)# ppp authentication chap apple

IMPORTANT TO NOTE :


Before we head into AAA authentication configuration, there are some other TACACS+/RADIUS differences you should be aware of:

While TACACS+ encrypts the entire packet, RADIUS encrypts only the password in the initial client-server packet.

RADIUS combines the authentication and authorization processes, making it very difficult to run one without the other.

TACACS+ treats authentication, authorization and accounting as separate processes. This allows another authentication method (Kerberos, for example) to be used while still using TACACS+ for authorization and accounting.

RADIUS does not support the Novell Asynchronous Services Interface (NASI) protocol, the NetBIOS Frame Protocol Control protocol, X.25 Packet Assembler/Disassembler (PAD), or the AppleTalk Remote Access protocol (ARA or ARAP). TACACS+ supports all of these.

RADIUS implementations from different vendors may not work well together, or at all.

RADIUS cannot control the authorization level of users, but TACACS+ can.

Any time you see differences between two network services that do basically the same thing, that is highly fertile ground for exam questions.

Regardless of which "A" you are configuring, AAA must be enabled with the global command aaa new-model. The location of the TACACS+ and/or RADIUS server must then be configured, along with a shared encryption key that must be agreed upon by the client and server.


AUTHENTICATION, AUTHORIZATION AND ACCOUNTING (AAA) CONFIGURATION EXAMPLE



There are literally hundreds of different ways to configure AAA, including group RADIUS and TACACS+ configurations.

SETTING UP USER IDS


You want to assign individual (or group) user IDs and passwords to network staff. To enable locally administered user IDs, use the following set of configuration commands:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#username prem password SCNinf4sys
Router1(config)#username kumar password prem

Router1(config)#aaa new-model
Router1(config)#aaa authentication login local_auth local

Router1(config)#line vty 0 4
Router1(config-line)#login authentication local_auth

Router1(config-line)#exit
Router1(config)#end

Router1#

The username command also allows you to create usernames without passwords by specifying the nopassword keyword:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#username weak nopassword
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#end
Router1#

We strongly recommend against doing this, because it severely weakens the router's security.

Discussion: enabling locally administered usernames overrides the default VTY password-based authentication. When you enter the aaa new-model command, as shown in this recipe, the router immediately begins to prompt for usernames as well as passwords. Assigning unique usernames to individuals or groups provides accountability, as we show later.

The following example shows the login prompt for a router using local authentication:

freebsd% telnet Router1
Trying 172.25.1.5...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: prem
Password:

Router1>

The router prompts for the username as well as the password. Compare this to how the router behaves when only a password is set on the VTY lines:

freebsd% telnet Router2
Trying 172.25.1.6...
Connected to Router2.
Escape character is '^]'.

User Access Verification

Password:

Router2>

When you configure locally administered usernames, the router prompts for usernames on all lines, including the console and AUX ports as well as the VTY ports used for Telnet sessions. To avoid locking yourself out of the router, always configure a username command before entering the AAA commands.

It is also a good idea to open a second terminal session to test the new authentication system before logging out of your original session. If you do accidentally lock yourself out of the router, you will need to follow the normal password-recovery procedure for your router type.

Locally administered usernames work well in a small environment with a limited number of administrators. However, this method does not scale well to a large network with many administrators; keeping usernames synchronized across an entire network can become quite daunting. Fortunately, Cisco also supports a centralized approach, Authentication, Authorization and Accounting (AAA), in which a central server administers usernames and passwords (among other features).

Enabling username support causes the router to associate certain functions with usernames. This provides accountability for each username by showing exactly who is doing what.

For instance, the output of the show users command includes the active usernames:

Router1>show users
    Line       User       Host(s)              Idle       Location
  66 vty 0     prem       idle                 00:36:21   scninf4tech.com
  67 vty 1     kumar      idle                 00:00:24   server1.scninf4tech.com
* 68 vty 2     weak       idle                 00:00:00   freebsd.scninf4tech.com

  Interface    User               Mode         Idle     Peer Address

Router1>

More importantly, log messages capture the username of the individual who invoked certain high-profile commands, such as configuration changes, the clearing of counters, and reloads. For example:

Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by prem on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kumar on vty0 (172.25.1.1).

Notice that these log messages now include the username associated with each action, instead of only telling you that somebody changed the configuration or reloaded the router.

In addition, the router records the username of the last person to modify its configuration or save the configuration to NVRAM, which is visible at the top of the show running-config output:

Router1#show running-config
Building configuration...

Current configuration : 4285 bytes
!
! Last configuration change at 12:58:26 EDT Fri Jun 27 2003 by prem
! NVRAM config last updated at 13:01:45 EDT Fri Jun 27 2003 by kumar
!
version 12.2
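The accountability the log messages provide is only useful if something reads them. The following Python snippet is an added example, not code from the article: it parses syslog lines of the three message types named above (configuration changes, counter clears, reloads) into structured records, counts actions per username, and flags events that carry no username or line, which is what the same messages look like before username support is enabled. The sample lines are constructed after the ones shown in the article, plus one console-only entry and one unrelated link message.

```python
"""Extract 'who did what' from Cisco IOS syslog lines (added example, not from the article)."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample: the article's three lines, one entry without a username
# (what IOS logs before usernames are in use) and one message we do not care about.
SAMPLE_LOG = """\
Jun 27 12:58:26: %SYS-5-CONFIG_I: Configured from console by prem on vty2 (172.25.1.1)
Jun 27 13:02:22: %CLEAR-5-COUNTERS: Clear counter on all interfaces by weak on vty2 (172.25.1.1)
Jun 27 14:00:14: %SYS-5-RELOAD: Reload requested by kumar on vty0 (172.25.1.1).
Jun 27 14:05:01: %SYS-5-CONFIG_I: Configured from console by console
Jun 27 14:06:33: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to down
"""

# The high-profile actions the article names; extend the set for your own environment.
HIGH_PROFILE = {"SYS-5-CONFIG_I", "CLEAR-5-COUNTERS", "SYS-5-RELOAD"}


class Event(NamedTuple):
    timestamp: str
    mnemonic: str   # e.g. SYS-5-CONFIG_I
    user: str       # username, "console", or "unknown" when nothing was logged
    line: str       # e.g. vty2; empty when no line was logged
    source: str     # peer address; empty when none was logged


# "<timestamp>: %FACILITY-SEVERITY-MNEMONIC: <text>"
_MSG = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+): %(?P<mnem>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<text>.*)$")
# "... by <user> on <line> (<ip>)" is the part that only appears once usernames are in use.
_ACTOR = re.compile(r" by (?P<user>\S+)(?: on (?P<line>\S+) \((?P<src>[\d.]+)\))?\.?$")


def parse_events(log_text: str) -> List[Event]:
    """Return one Event per high-profile log line, in input order."""
    events: List[Event] = []
    for raw in log_text.splitlines():
        m = _MSG.match(raw.strip())
        if not m or m.group("mnem") not in HIGH_PROFILE:
            continue
        a = _ACTOR.search(m.group("text"))
        if a is None:
            user, line, src = "unknown", "", ""
        else:
            user, line, src = a.group("user"), a.group("line") or "", a.group("src") or ""
        events.append(Event(m.group("ts"), m.group("mnem"), user, line, src))
    return events


def actions_per_user(events: List[Event]) -> Dict[str, int]:
    """How many high-profile actions each username performed."""
    return dict(Counter(e.user for e in events))


def unattributed(events: List[Event]) -> List[Event]:
    """Events that carry no line/source, i.e. no real username was recorded."""
    return [e for e in events if not e.line]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for e in evs:
        print(f"{e.timestamp}  {e.mnemonic:18s} {e.user:8s} {e.line:5s} {e.source}")
    print("per user:", actions_per_user(evs))
    print("unattributed:", [e.mnemonic for e in unattributed(evs)])
```

Run against a real syslog export, the "unattributed" list is a quick check that username-based authentication is actually in effect on every line the router exposes, since a configuration change logged only "by console" cannot be tied to a person.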

THE USERNAME COMMAND ALSO HAS AN AUTO COMMAND KEYWORD :


The autocommand keyword assigns an EXEC-level command to a particular username. This is useful when you want to provide limited access to a particular command while restricting access to everything else on the router.

For example, you might want to set up a special username that anybody could use to run a single router command, after which the session is terminated:

Router1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

Router1(config)#aaa new-model
Router1(config)#aaa authentication login default local
Router1(config)#aaa authorization exec default local

Router1(config)#username run nopassword noescape
Router1(config)#username run autocommand show ip interface brief
Router1(config)#end
Router1#

In this example, we defined the username run without a password and assigned it an autocommand of show ip interface brief. When you log in to the router with this username, the router does not prompt for a password; it simply executes the command and then terminates the session:

freebsd% telnet Router1
Trying 172.22.1.4...
Connected to Router1.
Escape character is '^]'.

User Access Verification

Username: run

Interface          IP-Address      OK? Method Status                Protocol
BRI0/0             unassigned      YES NVRAM  administratively down down
Ethernet0/0        172.25.1.8      YES NVRAM  administratively down down
BRI0/0:1           unassigned      YES unset  administratively down down
BRI0/0:2           unassigned      YES unset  administratively down down
FastEthernet1/0    172.22.1.4      YES NVRAM  up                    up
Loopback0          192.168.20.1    YES NVRAM  up                    up
Connection closed by foreign host.
freebsd%

Notice how the router issued the command and then terminated the session without giving the user the opportunity to issue another command.

The noescape keyword prevents the user from issuing an escape sequence to reach the router EXEC. We strongly recommend using this keyword whenever you use autocommands.
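Several of the pitfalls in this section (nopassword accounts, method lists that fall back to none, autocommand accounts without noescape, AAA commands without aaa new-model, and VTY lines left on the default list) are easy to spot with a small configuration audit. The following Python script is an added example, not the article's or Cisco's code; it walks a running-config excerpt constructed from the article's own commands plus one extra constructed account ("ops") and reports each weakness it finds. It goes slightly beyond the text by also checking every line vty block, not only the one the article configures.

```python
"""Audit a Cisco IOS running-config excerpt for the AAA pitfalls the article warns about.

Added example, not from the article. Checks implemented:
  * AAA commands present but 'aaa new-model' missing (method lists not in effect)
  * 'username ... nopassword' accounts
  * authentication method lists ending in 'none' (unauthenticated fallback)
  * 'autocommand' accounts without the 'noescape' keyword
  * 'line vty' blocks with no 'login authentication' list of their own
"""
import re
from typing import Dict, List

# Constructed sample built from the article's commands; 'ops' is an added account
# that deliberately lacks 'noescape', and 'line vty 5 15' deliberately has no list.
SAMPLE_CONFIG = """\
version 12.2
!
username prem password SCNinf4sys
username weak nopassword
username run nopassword noescape
username run autocommand show ip interface brief
username ops password ops123
username ops autocommand show version
!
aaa new-model
aaa authentication login default local
aaa authentication login local_auth local
aaa authentication ppp apple group radius group tacacs+ local none
aaa authorization exec default local
!
line vty 0 4
 login authentication local_auth
line vty 5 15
 transport input ssh
!
"""


def _sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level command to its indented child lines (IOS config layout)."""
    sections: Dict[str, List[str]] = {}
    current = None
    for ln in config.splitlines():
        if ln and not ln.startswith((" ", "!")):
            current = ln
            sections.setdefault(current, [])
        elif ln.startswith(" ") and current is not None:
            sections[current].append(ln.strip())
    return sections


def audit_aaa_config(config: str) -> List[str]:
    """Return one finding string per weakness, in a stable order."""
    findings: List[str] = []
    sections = _sections(config)
    top = list(sections)

    has_new_model = "aaa new-model" in top
    if any(ln.startswith("aaa ") and ln != "aaa new-model" for ln in top) and not has_new_model:
        findings.append("aaa commands present but 'aaa new-model' is missing; method lists are not in effect")

    # Accounts with no password at all.
    for ln in top:
        if ln.startswith("username ") and " nopassword" in ln:
            findings.append(f"{ln.split()[1]}: account has no password")

    # autocommand users must also carry noescape, or they can reach the EXEC.
    autocmd = {ln.split()[1] for ln in top if ln.startswith("username ") and " autocommand " in ln}
    noescape = {ln.split()[1] for ln in top if ln.startswith("username ") and " noescape" in ln}
    for user in sorted(autocmd - noescape):
        findings.append(f"{user}: autocommand without noescape; the user can break out to the EXEC")

    # Method lists whose last method is 'none' admit anyone once the servers are silent.
    for ln in top:
        m = re.match(r"aaa authentication (\S+) (\S+) (.+)$", ln)
        if m and m.group(3).split()[-1] == "none":
            findings.append(f"method list {m.group(2)} for {m.group(1)} falls back to 'none' (no authentication)")

    # Under aaa new-model, a vty block without its own list silently uses 'default'.
    if has_new_model:
        for section, body in sections.items():
            if section.startswith("line vty") and not any(c.startswith("login authentication") for c in body):
                findings.append(f"{section}: no 'login authentication' list; the default list applies")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa_config(SAMPLE_CONFIG):
        print("-", finding)
```

The "default list applies" finding is a warning rather than an error: it is fine if the default list is what you intended, but the article's recipe deliberately names its list (local_auth) and binds it to the lines it wants, so an unbound vty range usually means a block that was added later and never reviewed.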



CONCLUSION:


The goal of this article is to give an easy way to understand the basic configuration for Authentication, Authorization and Accounting (AAA) in Cisco IOS. We hope it helps every beginner who is about to start Cisco lab practice.

Some topics that you might want to pursue on your own, which we did not cover in this article, are listed here. Thank you and best of luck.

This article was written by Premakumar Thevathasan: CCNA, CCNP, CCIP, MCSE, MCSA, MCSA - MSG, CIW Security Analyst, CompTIA Certified A+.
