Configuring Edge Routers Using AAA


As with most services on a router, you must configure the specific service that you want, because by default no AAA functionality is provided. To use AAA on a router, you must not only define the AAA commands, but you must also tell the router where to find the AAA server. You can configure authentication without configuring (and therefore without using) authorization and accounting. If you want to configure authorization, however, you must configure authentication as well.

Enabling AAA

Your first step in configuring AAA must be to enable the AAA daemon on the router. If you do not enable the AAA daemon, you cannot configure any AAA services.

The command to enable the AAA daemon is easy:

    Router(config)# aaa new-model

The AAA daemon is disabled by default.


Configuring TACACS+

You must define the TACACS+ server on the router along with an associated encryption key that the router will use to communicate with the AAA server. If you want to use both TACACS+ and RADIUS with an authentication proxy, you must define both protocols.

Here is the syntax to define a TACACS+ server:

    Router(config)# tacacs-server host {ip_address | hostname}
    Router(config)# tacacs-server key string

Here is an example that defines a TACACS+ server:

    Router(config)# tacacs-server host 30.100.100.253
    Router(config)# tacacs-server key kenrulz

You can also use a single command to configure the TACACS+ server and the encryption key. Here is an example for TACACS+ using one line:

    Router(config)# tacacs-server host 30.100.100.253 key kenrulz

Figure 5.1 shows how to start AAA services on the router and specify two TACACS+ servers.

Figure 5.1. Starting the AAA daemon and adding TACACS+ servers.


It is extremely important that the key you configure with TACACS+ or RADIUS on the router exactly matches the key you configure on the AAA server. If the keys are different, your router will not be able to talk to the AAA server.


This chapter assumes that TACACS+ and RADIUS servers are installed and configured properly. For more information on how to configure CiscoSecure Access Control Server (CSACS) for Windows, visit http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html. For more information how to configure CSACS for Unix, visit http://www.cisco.com/en/US/products/sw/secursw/ps4911/index.html.

Verifying and Troubleshooting TACACS+

Ensuring that your configurations are correct is critical to any successful network implementation. You can use several commands to verify your TACACS+ configuration and also troubleshoot your configuration.

An excellent show command is show tacacs. Below is the output of this command; notice that the last line shows that there is no connection to the TACACS+ server. The number after the IP address (49) is the standard TCP port number used by the TACACS+ protocol.

Figure 5.2 uses the show tacacs command to display the TACACS+ servers configured on the router.

    Router#show tacacs
    Server: 10.0.0.250/49: opens=0 closes=0 aborts=0 errors=0
            packets in=0 packets out=0 timeout=0 connection_fails=0
            no connection
    Router#

Figure 5.2. The show tacacs command.


Debug Commands

You have two debug commands for TACACS+ troubleshooting: debug tacacs and debug tacacs events.

Interpreting Debug Output

The following output comes from the debug tacacs command and shows the sequence of events when a user attempts authentication:

    Router#debug tacacs
    TACACS access control debugging is on
    Router#
    Router# debug tacacs
    16:21:15: TAC+: Opening TCP/IP connection to 30.100.100.253 using source 1.1.1.1
    16:21:15: TAC+: Sending TCP/IP packet number 545849463-1 to 30.100.100.253 (AUTHEN/START)
    16:21:15: TAC+: Receiving TCP/IP packet number 545849463-2 from 30.100.100.253
    16:21:15: TAC+ (383258052): received authen response status = GETUSER
    16:21:16: TAC+: send AUTHEN/CONT packet
    16:21:16: TAC+: Sending TCP/IP packet number 545849463-3 to 30.100.100.253 (AUTHEN/CONT)
    16:21:16: TAC+: Receiving TCP/IP packet number 545849463-4 from 30.100.100.253
    16:21:16: TAC+ (383258052): received authen response status = GETPASS
    16:21:17: TAC+: send AUTHEN/CONT packet
    16:21:17: TAC+: Sending TCP/IP packet number 545849463-5 to 30.100.100.253 (AUTHEN/CONT)
    16:21:17: TAC+: Receiving TCP/IP packet number 545849463-6 from 30.100.100.253
    16:21:17: TAC+ (383258052): received authen response status = PASS
    16:21:17: TAC+: Closing TCP/IP connection to 30.100.100.253

The TACACS+ server can return three possible status messages: PASS, FAIL, or ERROR. PASS means that the authentication was successful. FAIL means that the authentication was not successful. ERROR means that there was some problem and authentication could not be determined; if an ERROR is received, the next authentication method in the list is tried. Notice that in this output, the authentication response received from the TACACS+ server was status = PASS.


Configuring RADIUS

You must define the RADIUS server on the router along with an associated encryption key that the router will use to communicate with the AAA server. If you want to use both TACACS+ and RADIUS with an authentication proxy, you must define both protocols.

Here is the syntax to define a RADIUS server:

    Router(config)# radius-server host {ip_address | hostname}
    Router(config)# radius-server key string

Here is an example that defines a RADIUS server:

    Router(config)# radius-server host 30.100.100.253
    Router(config)# radius-server key ramanrulz

You can also use a single command to configure the RADIUS server and the encryption key. Here is an example for RADIUS using one line:

    Router(config)# radius-server host 30.100.100.253 key ramanrulz

Show Commands

You can use the show radius statistics command to display RADIUS statistics for authentication packets and accounting packets between the NAS and RADIUS server.

Debug Commands

To troubleshoot your RADIUS implementation, you can issue the debug radius command:

    Router# debug radius
    16:21:17: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
    16:21:17: Attribute 4 6 AC150E5A
    16:21:17: Attribute 5 6 0000000A
    16:21:17: Attribute 1 6 62696C6C
    16:21:17: Attribute 2 18 0531FEA3
    16:21:19: Radius: Received from 171.69.1.152:1645, Access-Accept, id 0xB, len 26
    16:21:19: Attribute 6 6 00000001

The debug radius output shows a successful login attempt in the Access-Accept line. If the login attempt were unsuccessful, the line would display Access-Reject.
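The "Attribute type length value" lines in the debug radius output are much easier to read once decoded. The following Python decoder is an added example (not code from the book or from Cisco) that parses the exact lines shown above, embedded here as a constructed sample, and turns each attribute into its RFC 2865 name and value: type 4 is NAS-IP-Address, 5 is NAS-Port, 1 is User-Name, 2 is User-Password, and 6 is Service-Type. IOS prints only the first four value bytes, so longer values are reported as partial; the User-Password value is never decoded, only its size is reported.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: the debug radius lines shown on this page.
SAMPLE_DEBUG = """\
16:21:17: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
16:21:17: Attribute 4 6 AC150E5A
16:21:17: Attribute 5 6 0000000A
16:21:17: Attribute 1 6 62696C6C
16:21:17: Attribute 2 18 0531FEA3
16:21:19: Radius: Received from 171.69.1.152:1645, Access-Accept, id 0xB, len 26
16:21:19: Attribute 6 6 00000001
"""

# Standard RFC 2865 attribute types and Service-Type values used in the sample.
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}

ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{1,8})$")
CODE_RE = re.compile(
    r"Radius: .*?(Access-Request|Access-Accept|Access-Reject|Access-Challenge), id (0x[0-9A-Fa-f]+)")


def decode_attribute(attr_type, length, hex_prefix):
    """Return (name, readable value) for one debug radius attribute line.

    IOS prints at most the first 4 value bytes, so strings longer than that
    are marked as partial. The RFC 2865 length field covers the 2 header octets.
    """
    raw = bytes.fromhex(hex_prefix)
    name = ATTR_NAMES.get(attr_type, f"Attribute-{attr_type}")
    value_len = length - 2
    if attr_type == 4:
        value = str(IPv4Address(raw))
    elif attr_type == 5:
        value = int.from_bytes(raw, "big")
    elif attr_type == 6:
        code = int.from_bytes(raw, "big")
        value = SERVICE_TYPES.get(code, code)
    elif attr_type == 2:
        # The value is the RFC 2865 obfuscated password; report its size only.
        value = f"<{value_len}-byte encrypted password>"
    else:
        suffix = "..." if value_len > len(raw) else ""
        value = raw.decode("ascii", "replace") + suffix
    return name, value


def parse_debug_radius(text):
    """Return a list of packets; each is a dict with code, id and decoded attributes."""
    packets = []
    for line in text.splitlines():
        m = CODE_RE.search(line)
        if m:
            packets.append({"code": m.group(1), "id": int(m.group(2), 16), "attrs": {}})
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            name, value = decode_attribute(int(m.group(1)), int(m.group(2)), m.group(3))
            packets[-1]["attrs"][name] = value
    return packets


if __name__ == "__main__":
    for pkt in parse_debug_radius(SAMPLE_DEBUG):
        print(pkt["code"], hex(pkt["id"]), pkt["attrs"])
```

Decoding the sample shows the Access-Request carrying NAS-IP-Address 172.21.14.90, NAS-Port 10, User-Name "bill" and a 16-byte User-Password, and the Access-Accept returning Service-Type Login, which is what a successful EXEC login from a RADIUS server looks like in this debug.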

Configuring AAA Authentication

We discussed a little earlier that access to network resources is characterized as administrative access or network access. Administrative access involves sessions that terminate at the networking device. Network access involves sessions that pass through the networking devices and terminate at a network resource.

Given that you have two different access modes, you also have different AAA authentication commands to validate these sessions. Let's first look at the administrative access authentication commands.

The command syntax to authenticate admin sessions is

    Router(config)# aaa authentication login {default | list-name} method1 method2 method3 method4

If you use the default keyword, all admin login attempts must be authenticated based on the methods that you specify (method1, method2, and so on), in the order that you specify. The methods can include authenticating using a TACACS+ server, authenticating using a RADIUS server, and authenticating using the enable password.


The aaa authentication login default method applies to all lines and interfaces by default unless overridden by a more specific method.


Here is an example that defines a default login authentication method:

    Router(config)# aaa authentication login default group tacacs+ group radius line enable

This command tells the router to first check a user's credential with a TACACS+ server. If the TACACS+ server is unavailable, next check with the RADIUS server. If the RADIUS server is unavailable, check the password that is configured on the particular line or interface that is trying to be accessed. Finally, if a line password is not configured, check the enable password for authentication.


If at any time the authentication check fails because the user-supplied credentials are not valid, the processing of the default login methods ceases and access is denied. For instance, if the TACACS+ server returns a FAIL message, the remaining methods are not checked and user access is denied.


To override the default login authentication method, you need to create a more specific method. You use the same command as before; however, instead of using the default keyword, you specify a list-name, which is simply a name you create, for the more specific method. Here is an example:

    Router(config)# aaa authentication login GOLDFISH group radius local line none

Then, you must apply the GOLDFISH method to a specific line to override the default method. For example, apply the GOLDFISH method to the console port:

    Router(config)#line console 0
    Router(config-line)#login authentication GOLDFISH

Figure 5.3 shows how to create a login method called GOLDFISH and apply the authentication method to the console port.

Figure 5.3. AAA authentication.


Now, when an admin tries to log in to the console port, the router first checks with a RADIUS server for authentication. If the server is unavailable, it checks the local router database because the local method was configured. Then, if the local router database is not configured, the console port's line password is used for authentication. Finally, if a line password was not configured, the none method tells the router to let the user access the console port without requiring authentication.


The local method tells the router to check the router's local database. The line method tells the router to check the password that is configured under the line, such as line console 0. The enable method means the router checks either the enable password or the enable secret password for authentication. The none method tells the router that no authentication is required.


If an intruder breaks communication between the router and the TACACS+ or RADIUS servers, he or she can log on to the router without any authentication, because the none method is reached. Use local instead of none.

To authenticate sessions that travel through the router, in network access mode, you use a different command. However, the rules that were discussed for the default authentication method and the more specific list-name method are the same.

Here is the syntax to define a default login authentication method for a network access session:

    Router(config)# aaa authentication ppp {default | list-name} method1 method2 method3 method4

Here is an example that defines a default login authentication method for a network access session:

    Router(config)# aaa authentication ppp default group tacacs+ group radius line enable

The aaa authentication ppp command has a unique method, if-needed. The if-needed method says that the user does not need to supply authentication credentials again if the user has already been authenticated on a TTY line.


Here is an example that defines a more specific login authentication method:

    Router(config)# aaa authentication ppp HELLO_KITTY group tacacs+ local line enable

Here is an example that applies the more specific methods:

    Router(config)#interface bri 0
    Router(config-if)#ppp authentication chap HELLO_KITTY

Cisco recommends that you always configure a default authentication method.



If you intend to use a AAA server for authentication, you should configure the AAA server first and then configure the router to use the AAA server. If you configure the AAA server last, you might get locked out of the router and then need to perform router-password recovery.
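Several of the points made in this section (aaa new-model must be on, every server needs a matching shared key, a method list should never end in none, and a default list should always exist) can be checked mechanically before a configuration is pushed. The following Python audit is an added example, not code from the book or from Cisco; it runs over a constructed running-config fragment assembled from the commands shown in this chapter and reports the findings a reviewer would raise. The findings it raises, and the assumption that a list ending in none is the condition to flag, are taken from the text above; the function and variable names are mine.

```python
import re

# Constructed sample running-config fragment built from this chapter's commands.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 30.100.100.253 key kenrulz
radius-server host 30.100.100.253
radius-server key ramanrulz
aaa authentication login default group tacacs+ group radius line enable
aaa authentication login GOLDFISH group radius local line none
aaa authentication ppp HELLO_KITTY group tacacs+ local line enable
line console 0
 login authentication GOLDFISH
"""

# Matches both "aaa authentication login ..." and "aaa authentication ppp ...".
AUTH_RE = re.compile(r"^aaa authentication (login|ppp) (\S+) (.+)$")


def audit_aaa(config_text):
    """Return a list of finding strings for the AAA checks this chapter describes."""
    lines = [l.strip() for l in config_text.splitlines() if l.strip()]
    findings = []

    # 1. The AAA daemon must be enabled or no method list takes effect.
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: no AAA method lists will take effect")

    # 2. Every server group referenced by a method list needs a host and a shared key.
    for proto, cmd in (("tacacs+", "tacacs-server"), ("radius", "radius-server")):
        used = any(f"group {proto}" in l for l in lines if l.startswith("aaa "))
        has_host = any(l.startswith(f"{cmd} host ") for l in lines)
        has_key = any(re.search(rf"^{cmd} (host \S+ )?key \S+", l) for l in lines)
        if used and not has_host:
            findings.append(f"group {proto} referenced but no {cmd} host configured")
        if used and not has_key:
            findings.append(f"{cmd} key missing: router cannot talk to the {proto} server")

    # 3. A list ending in 'none' grants access when every earlier method is unavailable.
    defaults, kinds_seen = set(), set()
    for l in lines:
        m = AUTH_RE.match(l)
        if not m:
            continue
        kind, name, methods = m.groups()
        kinds_seen.add(kind)
        if name == "default":
            defaults.add(kind)
        if methods.split()[-1] == "none":
            findings.append(f"{kind} list {name} ends in 'none': a server outage grants "
                            "unauthenticated access; use 'local' instead")

    # 4. Cisco recommends always configuring a default method list.
    for kind in sorted(kinds_seen - defaults):
        findings.append(f"no default {kind} authentication list configured")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

On the sample fragment the audit flags exactly two things: the GOLDFISH login list ends in none, and a named ppp list exists without a default ppp list. Both are the mistakes the alerts above warn about.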


Configuring AAA Authorization

To specify what a user is allowed to access once the user is authenticated, you need to configure authorization. The command syntax is a little different from the aaa authentication command because you are concerned with the authorization of services, not the identification of users.

The syntax to define AAA authorization is

    Router(config)# aaa authorization {commands level | configuration | exec | network | reverse-access} {default | list-name} method1 method2 method3 method4

The default and list-name keywords have exactly the same meanings as they did with the aaa authentication command. When you define a default authorization method, it applies to all interfaces unless overridden by a more specific method as defined by list-name.

The methods to authorize services can be TACACS+, RADIUS, local, none, and if-authenticated. The if-authenticated method is specific to authorization and has no counterpart in the aaa authentication command: with AAA authorization, if-authenticated means that if the user has already authenticated, the router allows access to the requested service.

The other keywords are new, and you need to know what the different authorization types mean.

  • commands level keyword: the router seeks authorization when the user attempts to run any command at the specified privilege level.

  • configuration keyword: the router downloads the user's authorization configuration from the AAA server.

  • exec keyword: the router seeks authorization for any EXEC shell session.

  • network keyword: authorization is required if the user attempts to run a network-related service such as Network Control Protocol (NCP), Point-to-Point Protocol (PPP), or Serial Line Internet Protocol (SLIP).

  • reverse-access keyword: the router seeks authorization when any reverse Telnet session is attempted.


You need to know the authorization types and their functions, such as exec and network.


Here is an example that defines a default authorization method for an EXEC session:

    Router(config)# aaa authorization exec default group tacacs+ local if-authenticated

Here is an example that defines a specific authorization method for an EXEC session:

    Router(config)# aaa authorization exec BARKSDALE group tacacs+ group radius local

Here is an example that applies the EXEC authorization method:

    Router(config)#line con 0
    Router(config-line)#authorization exec BARKSDALE

Figure 5.4 shows the creation of a AAA authorization method named BARKSDALE and how to apply this method to the console port.

Figure 5.4. AAA authorization.


Configuring AAA Accounting

To ensure that you know what users do on the network, you configure AAA accounting services. The command syntax for AAA accounting is

    aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} method1 [method2 ...]

As you can see, the syntax and keywords are much like those in the previous two AAA commands for authentication and authorization.

Debugging AAA

Three debug commands can be very useful when you troubleshoot your implementation of AAA services: debug aaa authentication, debug aaa authorization, and debug aaa accounting.

Let's look at the output of the debug aaa authentication command first:

    Router# debug aaa authentication
    11:11:11: AAA/AUTHEN: create_user user='' ruser='' port='tty34' rem_addr='30.3.250.250' authen_type=1 service=1 priv=1
    11:11:11: AAA/AUTHEN/START (0): port='tty34' list='' action=LOGIN service=LOGIN
    11:11:11: AAA/AUTHEN/START (0): using "default" list
    11:11:11: AAA/AUTHEN/START (64841354): Method=TACACS+
    11:11:11: TAC+ (64841354): received authen response status = GETUSER
    11:11:11: AAA/AUTHEN (64841354): status = GETUSER
    11:11:14: AAA/AUTHEN/CONT (64841354): continue_login
    11:11:14: AAA/AUTHEN (64841354): status = GETUSER
    11:11:14: AAA/AUTHEN (64841354): Method=TACACS+
    11:11:14: TAC+: send AUTHEN/CONT packet
    11:11:14: TAC+ (64841354): received authen response status = GETPASS
    11:11:14: AAA/AUTHEN (64841354): status = GETPASS
    11:11:16: AAA/AUTHEN/CONT (64841354): continue_login
    11:11:16: AAA/AUTHEN (64841354): status = GETPASS
    11:11:16: AAA/AUTHEN (64841354): Method=TACACS+
    11:11:16: TAC+: send AUTHEN/CONT packet
    11:11:16: TAC+ (64841354): received authen response status = PASS
    11:11:16: AAA/AUTHEN (64841354): status = PASS

Know how to interpret the debug output and be familiar with the three responses that a TACACS+ server can return: status = PASS, status = FAIL, and status = ERROR. Remember that if a FAIL message is received, processing immediately stops, no further authentication methods in your AAA authentication method list are tried, and the user is denied access. If the status is ERROR, the next method in your AAA authentication method list is tried.
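The method-list rules stated in the authentication section (a server FAIL denies immediately, an ERROR or unreachable server falls through to the next method, and none grants access) and restated in the alert above are small enough to model exactly. The following Python evaluator is an added example, not code from the book or from Cisco IOS; it walks a method list with a caller-supplied outcome for each method and returns the decision plus the trace of methods consulted. The Status names and the assumption that exhausting the list without a PASS denies access are mine; the method lists are the ones configured earlier on this page.

```python
from enum import Enum


class Status(Enum):
    PASS = "PASS"                # server verified the credentials
    FAIL = "FAIL"                # server rejected the credentials
    ERROR = "ERROR"              # server reachable but could not decide
    UNAVAILABLE = "UNAVAILABLE"  # method not usable: server down, no line/enable password, ...


def evaluate_method_list(methods, outcomes):
    """Walk a method list the way this chapter describes IOS doing it.

    methods:  ordered list such as ["group tacacs+", "group radius", "line", "enable"]
    outcomes: dict mapping a method to the Status it returns for this attempt; a
              method missing from the dict is treated as UNAVAILABLE.
    Returns (granted, trace) where trace is the list of (method, Status) consulted.

    Rules from the text: PASS grants and stops; FAIL denies and stops with no further
    methods tried; ERROR or an unavailable method falls through to the next method;
    'none' grants without checking. Assumption: running out of methods denies.
    """
    trace = []
    for method in methods:
        if method == "none":
            trace.append((method, Status.PASS))
            return True, trace
        status = outcomes.get(method, Status.UNAVAILABLE)
        trace.append((method, status))
        if status is Status.PASS:
            return True, trace
        if status is Status.FAIL:
            return False, trace
        # ERROR / UNAVAILABLE: try the next method in the list
    return False, trace


def grants_during_server_outage(methods):
    """True if the list lets a user in when every server and password check is unavailable."""
    granted, _ = evaluate_method_list(methods, {})
    return granted


# Method lists configured earlier in this chapter.
DEFAULT_LIST = ["group tacacs+", "group radius", "line", "enable"]
GOLDFISH = ["group radius", "local", "line", "none"]
GOLDFISH_FIXED = ["group radius", "local"]   # the 'use local instead of none' advice

if __name__ == "__main__":
    print(evaluate_method_list(DEFAULT_LIST, {"group tacacs+": Status.FAIL}))
    print(evaluate_method_list(DEFAULT_LIST, {"group tacacs+": Status.ERROR,
                                              "group radius": Status.PASS}))
    print("GOLDFISH grants during outage:", grants_during_server_outage(GOLDFISH))
    print("fixed list grants during outage:", grants_during_server_outage(GOLDFISH_FIXED))
```

Running it shows the two behaviours the alerts emphasise: a TACACS+ FAIL on the default list stops after the first method and denies, while a TACACS+ ERROR moves on to RADIUS; and the GOLDFISH list grants access with no servers reachable because it ends in none, whereas the same list ending in local does not.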


When reviewing the debug output produced by the debug aaa authorization command, it is important to know what the user is attempting to do and what service the user is attempting to access. Let's review the output from the debug command:

    Router# debug aaa authorization
    11:11:17:  AAA/AUTHOR (0): user='raman'
    11:11:17:  AAA/AUTHOR (0): send AV service=shell
    11:11:17:  AAA/AUTHOR (0): send AV cmd*
    11:11:17:  AAA/AUTHOR (741456852): Method=TACACS+
    11:11:17:  AAA/AUTHOR/TAC+ (741456852): user=raman
    11:11:17:  AAA/AUTHOR/TAC+ (741456852): send AV service=shell
    11:11:17:  AAA/AUTHOR/TAC+ (741456852): send AV cmd*
    11:11:17:  AAA/AUTHOR (741456852): Post authorization status = FAIL

Look at the line that says send AV service=shell. (AV means attribute-value pair.) This line tells you what service the user is attempting to access. Do you know what service shell is? Most of the services that you see will be easy to identify, but this one might not be.


service=shell means the user is attempting to access the router's EXEC shell. The command and keyword used to specify that the router should obtain authorization for attempts to access the shell is aaa authorization exec .


The last debug output that you need to know is the debug aaa accounting command output:

    Router# debug aaa accounting
    11:11:16: AAA/ACCT: EXEC acct start, line 21
    11:11:16: AAA/ACCT: Connect start, line 21, glare
    11:11:49: AAA/ACCT: Connection acct stop: task_id=55 service=exec port=34 protocol=telnet address=30.3.250.250 cmd=glare bytes_in=1025 bytes_out=999 paks_in=101 paks_out=84 elapsed_time=33
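Both the show tacacs counters earlier in the chapter and the accounting stop record above are key=value text, which makes them easy to turn into structured data for monitoring. The following Python parser is an added example, not code from the book or from Cisco; it extracts the key=value fields from constructed copies of the two outputs shown on this page, classifies each TACACS+ server as never connected, failing, or ok from its counters, and summarises the accounting stop record. The function names and the health classification thresholds are mine.

```python
import re

# Constructed samples, copied in shape from the outputs shown on this page.
SHOW_TACACS = """\
Server: 10.0.0.250/49: opens=0 closes=0 aborts=0 errors=0
        packets in=0 packets out=0 timeout=0 connection_fails=0
        no connection
"""

ACCT_STOP = ("11:11:49: AAA/ACCT: Connection acct stop: task_id=55 service=exec port=34 "
             "protocol=telnet address=30.3.250.250 cmd=glare bytes_in=1025 bytes_out=999 "
             "paks_in=101 paks_out=84 elapsed_time=33")

# key=value tokens; the optional second word handles "packets in=0" style keys.
KV_RE = re.compile(r"([a-z_]+(?: [a-z]+)?)=(\S+)")


def parse_kv(text):
    """Extract key=value tokens into a dict; integer-looking values become ints."""
    out = {}
    for key, val in KV_RE.findall(text):
        out[key.replace(" ", "_")] = int(val) if val.isdigit() else val
    return out


def tacacs_server_health(show_tacacs_output):
    """Return [(server, state)] from show tacacs output.

    state is 'never connected' (no connection and zero opens), 'failing'
    (timeouts or connection failures counted), or 'ok'.
    """
    servers = []
    for block in re.split(r"(?=^Server: )", show_tacacs_output, flags=re.M):
        m = re.match(r"Server: (\S+):", block)
        if not m:
            continue
        stats = parse_kv(block)
        if "no connection" in block and stats.get("opens", 0) == 0:
            state = "never connected"
        elif stats.get("connection_fails", 0) or stats.get("timeout", 0):
            state = "failing"
        else:
            state = "ok"
        servers.append((m.group(1), state))
    return servers


def parse_accounting_stop(line):
    """Turn a 'Connection acct stop' record into a dict and add a bytes_total field."""
    rec = parse_kv(line)
    rec["bytes_total"] = rec["bytes_in"] + rec["bytes_out"]
    return rec


if __name__ == "__main__":
    print(tacacs_server_health(SHOW_TACACS))
    rec = parse_accounting_stop(ACCT_STOP)
    print(f"{rec['service']}/{rec['protocol']} from {rec['address']}: "
          f"{rec['bytes_total']} bytes in {rec['elapsed_time']}s")
```

The show tacacs sample from earlier in the chapter comes back as "never connected", which is the condition the text points out, and the accounting record resolves to a 33-second Telnet EXEC session from 30.3.250.250 that moved 2024 bytes.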


CCSP SECUR Exam Cram 2 (642-501)
ISBN: B000MU86IQ
Year: 2003
Pages: 291
Authors: Raman Sud
