Local Authentication


Local authentication is a configuration that is available on Cisco products in which the AAA service is contained on the device itself. In this situation, a username and password are created and contained on the device. While this is a simple configuration, it is not very scalable. This configuration is common in smaller networks.

To configure a Cisco router for local authentication, you must perform the following tasks:

Step 1. Secure access to privileged exec and configuration modes for the vty, asynchronous, auxiliary, and TTY ports. Although this is not actually part of the AAA process, this must be enabled prior to enabling AAA.

Step 2. Enable AAA on the router.

Step 3. Configure AAA on the router.

Step 4. Secure access to privileged exec and configuration modes for the vty, asynchronous, auxiliary, and TTY ports.

The focus of this chapter is on AAA authentication; therefore, you need to understand how to secure access to each of the following points of access:

  • EXEC (both user and privileged mode)

  • vty ports

  • asynchronous lines

  • auxiliary ports

  • TTY ports

In this chapter, you learn how to configure the EXEC mode as well as the vty, auxiliary, and TTY ports for authentication.

Enabling AAA on the Router

AAA is a framework or model for security and authentication. To enable the AAA process on a Cisco router, you must enable the AAA model. This creates a configuration location within the configuration for AAA.

When you enable AAA, it forces the Cisco router to override every other authentication method configured. This might cause you to lose connectivity to the management session that you are using to configure AAA. This might force you into an unwanted password recovery procedure.

To enable AAA, enter the following command in global configuration mode of a Cisco router:

 router(config)#aaa new-model 

You can disable AAA functionality with a single command. To disable AAA, use the following command in global configuration mode:

 router(config)#no aaa new-model 

Method Lists

From this point, you use a method list to configure how AAA is applied. A method list defines the point of authentication and the method to be used. Figure 3-1 displays two different modes: character mode and packet mode. If you access the command-line interface, you are using character mode. If you access the network as a user through a PPP link, for example, you are using packet mode. Figure 3-1 shows the AAA command elements that are used in each of these modes.

Figure 3-1. Packet and Character Modes


To begin authentication configuration, you define a method list that protects administrative access to the console port of a Cisco router. The console port of a Cisco router is distinguished as Line Console 0. Example 3-1 shows a basic starting configuration. In this configuration, note that an enable password and enable secret password are configured. Additionally, a username and password have been created.

Example 3-1. Basic Configuration
 !
 version 12.2
 <text omitted>
 !
 hostname router
 !
 enable secret san-fran
 enable password cisco
 !
 username admin password cisco
 !
 !
 interface Ethernet0/0
  description ******* INSIDE
  ip address 10.0.1.2 255.255.255.0
 !
 interface Ethernet1/0
  description ******* OUTSIDE
  ip address 172.30.1.2 255.255.255.0
 !
 line con 0
  transport input none
  login
  password pa55w0rd
 line aux 0
 line vty 0 4
  password cisco
  login
 !

At this point in the configuration, AAA has not been enabled. Line Console 0 is configured to authenticate using the password pa55w0rd. After the AAA process is enabled, the username and password of admin/cisco are used, and the password configured on the line is overridden.

To enable AAA, enter the aaa new-model command in global configuration mode. After AAA has been enabled, configure a method list to define what mode or command element and what method of authentication are to be performed.

The syntax for a method list created on a Cisco router is shown here in a generic form:

 router(config)# aaa authentication service {default | list-name} method1 [method2] 

The service option can be one of the following:

  • ARAP Performs authentication for AppleTalk Remote Access.

  • Enable Performs authentication of users attempting to access privileged level on the device.

  • Login Performs authentication of users accessing the console of the device. This is done prior to the Enable authentication.

  • NASI This is for authentication of NetWare Asynchronous Services Interface (NASI) clients connecting through the access server.

  • PPP This is for authentication on serial interfaces using the PPP protocol.

In the configuration shown in Example 3-1, it is the console port that is going to be secured. For this, use the Login service. You also specify Login for Telnet access through the vty ports, as well as for access through the aux port.

The second option to be determined is the name of the list. This name binds the list to an interface or line. A list must be configured; however, you have the option of using the default list. The default list is applied to every line on which you do not specify a more specific list name. For example, Figure 3-2 shows the console port, five vty ports (line vty 0 4), and the auxiliary port. A method list named TEST1 is created along with the default list. If the TEST1 list is applied to Line Console 0, all other lines are automatically assigned the default method list. Note that in Figure 3-2, a specific method list is not applied to any other line.

Figure 3-2. Application of Method Lists


Finally, you must select the method of authentication. The method can be TACACS+, RADIUS, or local. You can also configure multiple methods, which gives you a backup. It is always a good idea to use local authentication as a second method in case the AAA server becomes unavailable on the network, although another RADIUS or TACACS+ server can also serve as the backup.

The completed configuration includes the following method lists:

 aaa authentication login default enable
 aaa authentication login TEST1 local

The first list, default, specifies that the enable password is used for authentication. The second list specifies that the username and password that have been configured are to be used. At this point, the enable password is used everywhere because the more specific list has not been specified on any line. To make the vty ports authenticate using the username of admin and password cisco, you need to apply the TEST1 method list to line vty 0 4. To do so, use the login authentication configuration command.
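The two rules just described (a line with no list of its own falls back to default, and the methods in a list are walked in order with a later method used only as a backup) are modeled in the following added example, which is not from the book. The lists, local user and enable password mirror the chapter; the SERVERS list and its tacuser account are hypothetical and constructed here to show why a reachable server that rejects a user does not fall through to local.

```python
# Added example (not from the book): a small model of how IOS selects and
# walks a login method list. The SERVERS list and the tacuser account are
# hypothetical, constructed only to show the fallback rule.
from typing import Dict, List

METHOD_LISTS: Dict[str, List[str]] = {
    "default": ["enable"],                  # from the chapter
    "TEST1": ["local"],                     # from the chapter
    "SERVERS": ["group tacacs+", "local"],  # hypothetical: server, local backup
}
LOCAL_USERS = {"admin": "cisco"}            # username admin password cisco
ENABLE_PASSWORD = "cisco"                   # enable password cisco


def resolve_list(line_lists: Dict[str, str], line: str) -> str:
    """A line with no 'login authentication' statement uses the default list."""
    return line_lists.get(line, "default")


def run_method(method: str, user: str, password: str, tacacs_up: bool) -> str:
    """Evaluate one method: PASS, FAIL (rejected) or ERROR (unreachable)."""
    if method == "enable":
        # The enable method checks only the password; the username is ignored.
        return "PASS" if password == ENABLE_PASSWORD else "FAIL"
    if method == "local":
        return "PASS" if LOCAL_USERS.get(user) == password else "FAIL"
    if method == "group tacacs+":
        if not tacacs_up:
            return "ERROR"
        # Constructed stub: the server knows one account of its own.
        return "PASS" if (user, password) == ("tacuser", "t4c") else "FAIL"
    raise ValueError(f"unknown method {method!r}")


def authenticate(line_lists: Dict[str, str], line: str, user: str,
                 password: str, tacacs_up: bool = True) -> str:
    """Walk the list that applies to the line. The next method is consulted
    only when the previous one returns ERROR; a FAIL ends the attempt, so a
    reachable server that rejects the user does not fall back to local."""
    for method in METHOD_LISTS[resolve_list(line_lists, line)]:
        result = run_method(method, user, password, tacacs_up)
        if result != "ERROR":
            return result
    return "ERROR"  # every method was unavailable


if __name__ == "__main__":
    lines = {"vty 0 4": "TEST1"}  # only the vty lines name a list
    print(authenticate(lines, "vty 0 4", "admin", "cisco"))  # PASS via local
    print(authenticate(lines, "con 0", "anyone", "cisco"))   # PASS via default
```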

The following statement applies the TEST1 method of authentication to line vty 0 4:

 line vty 0 4
  login authentication TEST1

To further configure the authentication on this device, another method list has been created for the service login. This method list is named is-in, and the method of authentication used is the local username and password. This is applied to line con 0.

The additional command statements are as follows:

 router(config)#aaa authentication login is-in local
 router(config)#line con 0
 router(config-line)#login authentication is-in

The final configuration resembles the configuration in Example 3-2. Note that although a login statement and a password are still applied to line vty 0 4, as well as line con 0, the login authentication statement in AAA overrides this password.

Example 3-2. Finished AAA Authentication Configuration
 !
 version 12.2
 !
 hostname router
 !
 aaa new-model
 !
 !
 aaa authentication login default enable
 aaa authentication login admins-in local
 aaa authentication login is-in local
 enable secret san-fran
 enable password cisco
 !
 username admin password cisco
 interface Ethernet0/0
  description ******* INSIDE
  ip address 10.0.1.2 255.255.255.0
 !
 interface Ethernet1/0
  description ******* OUTSIDE
  ip address 172.30.1.2 255.255.255.0
 !
 !
 !
 line con 0
  password pa55w0rd
  login authentication is-in
 !
 line aux 0
 !
 line vty 0 4
  password cisco
  login authentication admins-in
 !
 end

To recap this configuration, AAA has been enabled, and a username and password have been created locally on this router. Users attempting to access the command-line interface via Telnet or console 0 are authenticated using the admins-in method list or the is-in method list, each of which specifies the local username and password. Once authenticated, the user attempts to access privileged EXEC mode by typing the command enable. Now, the method list default prompts for yet another password, requiring the admin to enter the line password. All other points of access take the default method list, which specifies the use of the enable password for authentication.




Cisco Access Control Security: AAA Administration Services
ISBN: 1587051249
Year: 2006
Pages: 173