As with most services on a router, you must configure the specific service that you want, because by default no functionality is provided. To use AAA on a router, you must not only define the AAA commands, but also tell the router where to find the AAA server. You can configure authentication without configuring (and therefore without using) authorization and accounting; if you want to configure authorization, however, you must also configure authentication.

Enabling AAA

Your first step in configuring AAA must be to enable the AAA daemon on the router. If you do not enable the AAA daemon, you cannot configure any AAA services. The command to enable the AAA daemon is easy:

Router(config)# aaa new-model

Be careful with this command on a production router. As soon as aaa new-model is entered, login on the vty lines is handed to AAA, and until you define a method list the router authenticates those lines against its local username database. If no username is configured and you are connected through a vty, the next login attempt will be refused, so create a local user (or define your method lists) in the same configuration session.
Configuring TACACS+

You must define the TACACS+ server on the router along with the key that the router will use to protect its communication with the AAA server. The key is a shared secret: exactly the same string must be configured on the TACACS+ server, or the router and the server cannot decode each other's packets. If you want to use both TACACS+ and RADIUS with an authentication proxy, you must define both protocols. Here is the syntax to define a TACACS+ server:

Router(config)# tacacs-server host {ip_address | hostname}
Router(config)# tacacs-server key string

Here is an example that defines a TACACS+ server:

Router(config)# tacacs-server host 30.100.100.253
Router(config)# tacacs-server key kenrulz

You can also use a single command to configure the TACACS+ server and its key, which lets each server have a key of its own that overrides the global one. Here is an example for TACACS+ using one line:

Router(config)# tacacs-server host 30.100.100.253 key kenrulz

Figure 5.1 shows how to start AAA services on the router and specify two TACACS+ servers. Figure 5.1. Starting the AAA daemon and adding TACACS+ servers.
This chapter assumes that TACACS+ and RADIUS servers are installed and configured properly. For more information on how to configure CiscoSecure Access Control Server (CSACS) for Windows, visit http://www.cisco.com/en/US/products/sw/secursw/ps2086/index.html. For more information on how to configure CSACS for Unix, visit http://www.cisco.com/en/US/products/sw/secursw/ps4911/index.html.

Verifying and Troubleshooting TACACS+

Ensuring that your configurations are correct is critical to any successful network implementation. You can use several commands to verify your TACACS+ configuration and also to troubleshoot it. An excellent show command is show tacacs. Below is the output of this command; notice that the last line shows that there is no connection to the TACACS+ server. The number after the IP address (49) is the standard TCP port used by the TACACS+ protocol. Because every counter is still zero, this router has not yet tried to reach the server at all; attempt a login that uses the server and run the command again. A rising connection_fails count means the server cannot be reached on TCP port 49, while errors or aborts that climb on a connection that did open point at a problem such as a mismatched key. Figure 5.2 uses the show tacacs command to display the TACACS+ servers configured on the router.

Router# show tacacs
Server: 10.0.0.250/49: opens=0 closes=0 aborts=0 errors=0
        packets in=0 packets out=0
        timeout=0 connection_fails=0
        no connection
Router#

Figure 5.2. The show tacacs command.
Debug Commands

You have two debug commands for TACACS+ troubleshooting: debug tacacs and debug tacacs events.

Interpreting Debug Output

The following output comes from the debug tacacs command and shows the sequence of events when a user attempts authentication:

Router# debug tacacs
TACACS access control debugging is on
Router#
16:21:15: TAC+: Opening TCP/IP connection to 30.100.100.253 using source 1.1.1.1
16:21:15: TAC+: Sending TCP/IP packet number 545849463-1 to 30.100.100.253 (AUTHEN/START)
16:21:15: TAC+: Receiving TCP/IP packet number 545849463-2 from 30.100.100.253
16:21:15: TAC+ (383258052): received authen response status = GETUSER
16:21:16: TAC+: send AUTHEN/CONT packet
16:21:16: TAC+: Sending TCP/IP packet number 545849463-3 to 30.100.100.253 (AUTHEN/CONT)
16:21:16: TAC+: Receiving TCP/IP packet number 545849463-4 from 30.100.100.253
16:21:16: TAC+ (383258052): received authen response status = GETPASS
16:21:17: TAC+: send AUTHEN/CONT packet
16:21:17: TAC+: Sending TCP/IP packet number 545849463-5 to 30.100.100.253 (AUTHEN/CONT)
16:21:17: TAC+: Receiving TCP/IP packet number 545849463-6 from 30.100.100.253
16:21:17: TAC+ (383258052): received authen response status = PASS
16:21:17: TAC+: Closing TCP/IP connection to 30.100.100.253

In the packet numbers, the value before the dash (545849463) identifies the TACACS+ session and the value after it is the sequence number within that session; the router sends the odd-numbered packets and the server answers with the even ones. The router opens the session with AUTHEN/START, the server answers GETUSER (prompt for a username), the router sends the answer in AUTHEN/CONT, the server answers GETPASS (prompt for the password), and after the second AUTHEN/CONT the server returns PASS, meaning the credentials were accepted. A rejected login ends with status = FAIL instead.
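To show what the tacacs-server key actually protects, here is an added example in Python (not code from the book or from Cisco) that implements the TACACS+ body obfuscation of RFC 8907 section 4.5 and builds an AUTHEN/START packet like the first one in the trace above. The key kenrulz and the session id 545849463 come from the page; the username, port and remote address in the body are constructed for the example. It also shows why a mismatched key does not produce a clean rejection: the server's de-obfuscated body simply no longer parses.

```python
import hashlib
import struct

# TACACS+ header (RFC 8907, section 4.1): 12 bytes in network byte order.
#   version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER = struct.Struct("!BBBBII")
VERSION = 0xC0              # major version 0xC, default minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01     # set only when the body is sent in the clear

# Fixed fields of an AUTHEN/START body (RFC 8907, section 5.1) for an ASCII login.
ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN = 1, 1, 1, 1


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream of RFC 8907 section 4.5, truncated to `length` bytes.

    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_(n-1))
    """
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. Applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user, port, rem_addr):
    """Constructed AUTHEN/START body: eight fixed bytes, then the three strings."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_ASCII, SERVICE_LOGIN,
                   len(u), len(p), len(r), 0])      # data_len is 0 for an ASCII login
    return fixed + u + p + r


def parse_authen_start(body):
    """Return the START fields, or None if the body does not parse (e.g. wrong key)."""
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = body[:8]
    if 8 + ul + pl + rl + dl != len(body):
        return None
    rest = body[8:]
    try:
        user = rest[:ul].decode("ascii")
        port = rest[ul:ul + pl].decode("ascii")
        rem_addr = rest[ul + pl:ul + pl + rl].decode("ascii")
    except UnicodeDecodeError:
        return None
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr}


def build_packet(body, session_id, key, seq_no):
    """Cleartext header followed by the obfuscated body, as the router sends it."""
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(packet, key):
    """Split a packet into its header fields and the de-obfuscated body."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    fields = {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
              "session_id": session_id, "length": length}
    return fields, body


if __name__ == "__main__":
    key = b"kenrulz"                      # key from the tacacs-server key example
    session_id = 545849463                # session id from the debug tacacs trace
    body = authen_start_body("raman", "tty0", "1.1.1.1")   # constructed sample login
    pkt = build_packet(body, session_id, key, seq_no=1)    # the router sends odd seq_nos
    print("on the wire:", pkt.hex())
    print("server with the right key:", parse_authen_start(parse_packet(pkt, key)[1]))
    print("server with a wrong key:  ", parse_authen_start(parse_packet(pkt, b"kenrulz2")[1]))
```

The pad is an MD5 keystream derived from the session id, the key, the version byte and the sequence number, XORed over the body; the header is never protected. This is obfuscation rather than encryption: anyone who records the traffic can test key guesses offline, which is why the key should be long and random and why RFC 8907 recommends running TACACS+ over a protected path such as IPsec.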
Configuring RADIUS

You must define the RADIUS server on the router along with the shared secret (the RADIUS key) that the router will use to protect its communication with the AAA server. If you want to use both TACACS+ and RADIUS with an authentication proxy, you must define both protocols. Here is the syntax to define a RADIUS server:

Router(config)# radius-server host {ip_address | hostname}
Router(config)# radius-server key string

Here is an example that defines a RADIUS server:

Router(config)# radius-server host 30.100.100.253
Router(config)# radius-server key ramanrulz

You can also use a single command to configure the RADIUS server and the key. Here is an example for RADIUS using one line:

Router(config)# radius-server host 30.100.100.253 key ramanrulz

Show Commands

You can use the show radius statistics command to display RADIUS statistics for authentication packets and accounting packets between the NAS and the RADIUS server.

Debug Commands

To troubleshoot your RADIUS implementation, you can issue the debug radius command:

Router# debug radius
16:21:17: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
16:21:17:         Attribute 4 6 AC150E5A
16:21:17:         Attribute 5 6 0000000A
16:21:17:         Attribute 1 6 62696C6C
16:21:17:         Attribute 2 18 0531FEA3
16:21:19: Radius: Received from 171.69.1.152:1645, Access-Accept, id 0xB, len 26
16:21:19:         Attribute 6 6 00000001

The debug radius output shows a successful login attempt in the Access-Accept line. If the login attempt were unsuccessful, the line would display Access-Reject. Each Attribute line gives the RADIUS attribute type, its length (which includes the two-byte type and length header) and the start of its value in hex: the request carries NAS-IP-Address (4), NAS-Port (5), User-Name (1) and the hidden User-Password (2), and the accept returns Service-Type (6) with the value 1, Login. Port 1645 is the original RADIUS authentication port; the IANA-assigned port is 1812, and the router and the server must agree on which one is in use.

Configuring AAA Authentication

We discussed a little earlier that access to network resources is characterized as administrative access or network access. Administrative access involves sessions that terminate at the networking device. Network access involves sessions that pass through the networking device and terminate at a network resource.
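Here is an added example in Python, not part of the original text, that decodes the Attribute lines of the debug radius output above into their RFC 2865 names and values, and then shows how the radius-server key is used to hide User-Password (attribute 2) with the MD5 construction of RFC 2865 section 5.2. The debug lines are the page's own; the Request Authenticator and the password used for the hiding demonstration are constructed.

```python
import hashlib
import re

# Constructed sample: the attribute lines from the debug radius output above.
DEBUG_RADIUS_SAMPLE = """\
16:21:17: Radius: IPC Send 0.0.0.0:1645, Access-Request, id 0xB, len 56
16:21:17:         Attribute 4 6 AC150E5A
16:21:17:         Attribute 5 6 0000000A
16:21:17:         Attribute 1 6 62696C6C
16:21:17:         Attribute 2 18 0531FEA3
16:21:19: Radius: Received from 171.69.1.152:1645, Access-Accept, id 0xB, len 26
16:21:19:         Attribute 6 6 00000001
"""

ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")
CODE_RE = re.compile(r"(Access-Request|Access-Accept|Access-Reject|Access-Challenge)")

# RFC 2865 section 5.6 Service-Type values that matter for router logins.
SERVICE_TYPE = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt"}


def decode_attribute(atype, alen, hexval):
    """Turn one 'Attribute type length value' debug line into (name, value)."""
    raw = bytes.fromhex(hexval)
    value_len = alen - 2            # the length field counts the 2-byte type/length header
    if atype == 1:
        return "User-Name", raw.decode("ascii", "replace")
    if atype == 2:
        # The debug prints only the first 4 bytes of the hidden password.
        return "User-Password", f"hidden, {value_len} bytes on the wire, {len(raw)} shown"
    if atype == 4:
        return "NAS-IP-Address", ".".join(str(b) for b in raw)
    if atype == 5:
        return "NAS-Port", int.from_bytes(raw, "big")
    if atype == 6:
        code = int.from_bytes(raw, "big")
        return "Service-Type", SERVICE_TYPE.get(code, f"code {code}")
    return f"Attribute-{atype}", hexval


def decode_debug_radius(text):
    """Return the packet codes seen and the decoded attributes, in order."""
    codes = CODE_RE.findall(text)
    attrs = [decode_attribute(int(t), int(l), v) for t, l, v in ATTR_RE.findall(text)]
    return codes, attrs


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret, authenticator, password):
    """User-Password hiding, RFC 2865 section 5.2: c_i = p_i XOR MD5(secret || c_(i-1)),
    with c_0 the 16-byte Request Authenticator and the password zero-padded to 16n bytes."""
    pad_len = (-len(password)) % 16 or (16 if not password else 0)
    padded = password + b"\x00" * pad_len
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out


def reveal_password(secret, authenticator, hidden):
    """Inverse of hide_password, as the server does it; the zero padding is stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    codes, attrs = decode_debug_radius(DEBUG_RADIUS_SAMPLE)
    print("packets:", codes)
    for name, value in attrs:
        print(f"  {name}: {value}")
    authenticator = bytes(range(16))                   # constructed Request Authenticator
    hidden = hide_password(b"ramanrulz", authenticator, b"s3cret")
    print("hidden User-Password:", hidden.hex())
    print("server recovers:", reveal_password(b"ramanrulz", authenticator, hidden))
```

The decoder tells you at a glance that this request came from NAS 172.21.14.90, port 10, for user bill, and that the server granted Service-Type Login. The hiding routine shows that the only thing standing between a captured Access-Request and the user's password is the radius-server key and a single MD5 round per 16 bytes, so the key deserves the same care as any other shared secret, and the path between NAS and server should be trusted or tunnelled.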
Given that you have two different access modes, you also have different AAA authentication commands to validate these sessions. Let's first look at the administrative access authentication commands. The command syntax to authenticate admin sessions is

Router(config)# aaa authentication login {default | list-name} method1 [method2 ...]

If you use the default keyword, all admin login attempts must be authenticated based on the methods that you specify (method1, method2, and so on, up to four), in the order that you specify. The methods can include a TACACS+ server group, a RADIUS server group, the local username database, the line password, and the enable password.
Here is an example that defines a default login authentication method:

Router(config)# aaa authentication login default group tacacs+ group radius line enable

This command tells the router to first check a user's credentials with a TACACS+ server. If no TACACS+ server can be reached, it next checks with the RADIUS server. If no RADIUS server can be reached, it checks the password configured on the particular line that is being accessed. Finally, if no line password is configured, it checks the enable password. Keep in mind that the router moves to the next method only when the current method cannot be consulted (the servers are unreachable, or the password or username database it would check does not exist). If a reachable TACACS+ server rejects the user's credentials, the login fails right there; RADIUS, the line password and the enable password are never consulted.
To override the default login authentication method, you need to create a more specific method list. You use the same command as before; however, instead of using the default keyword, you specify a list-name, which is simply a name you create, for the more specific list. Here is an example:

Router(config)# aaa authentication login GOLDFISH group radius local line none

Then, you must apply the GOLDFISH list to a specific line to override the default method. For example, apply the GOLDFISH list to the console port:

Router(config)# line console 0
Router(config-line)# login authentication GOLDFISH

Figure 5.3 shows how to create a login method list called GOLDFISH and apply it to the console port. Figure 5.3. AAA authentication.
Now, when an admin tries to log in to the console port, the router first checks with a RADIUS server. If no RADIUS server can be reached, it checks the local username database, because the local method was configured next. If no usernames are configured in the local database, the console port's line password is used. Finally, if no line password is configured either, the none method tells the router to let the user onto the console port without any authentication at all.
That last step is the problem with this list. An intruder who can cut off communication between the router and its TACACS+ or RADIUS servers (or who simply waits for them to be down) logs on to a router that has no local users and no line password without supplying any credentials. Finish the list with local instead of none, and make sure at least one username is configured so that the local method has something to check. To authenticate sessions that travel through the router, in network access mode, you use a different command. However, the rules discussed for the default method and the more specific list-name method are the same. Here is the syntax to define a default authentication method for a network access session:

Router(config)# aaa authentication ppp {default | list-name} method1 [method2 ...]

The ppp list accepts server groups, local, and none (as well as if-needed and krb5), but not line or enable, because a PPP peer has no way to type a line or enable password. Here is an example that defines a default authentication method for a network access session:

Router(config)# aaa authentication ppp default group tacacs+ group radius local
Here is an example that defines a more specific authentication method list:

Router(config)# aaa authentication ppp HELLO_KITTY group tacacs+ local

Here is an example that applies the more specific list to an interface:

Router(config)# interface bri 0
Router(config-if)# ppp authentication chap HELLO_KITTY
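The following added example (not from the book) is a small Python model of how IOS walks a method list, written to make the difference between a method that fails and a method that errors concrete. It assumes the IOS rule that the next method is consulted only when the current one returns an error, and it replays the GOLDFISH and default login lists above, including the none pitfall. The server contents, users and passwords are constructed.

```python
# Outcomes a method can return. IOS moves on to the next method in a list only when
# the current one returns ERROR (it could not be consulted); PASS and FAIL end the
# evaluation. A list that runs out of methods denies the login.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


class Router:
    """Toy model of aaa authentication method-list evaluation.

    servers maps "tacacs+" or "radius" to a {user: password} dict, or to None when
    the server is unreachable. local_users is the username database; line_password
    and enable_password are the per-line and enable secrets (None = not configured).
    """

    def __init__(self, servers=None, local_users=None, line_password=None, enable_password=None):
        self.servers = servers or {}
        self.local_users = local_users or {}
        self.line_password = line_password
        self.enable_password = enable_password

    @staticmethod
    def _check(expected, got):
        return PASS if expected == got else FAIL

    def run_method(self, method, username, password):
        """Evaluate one method keyword exactly as it appears in the aaa command."""
        if method.startswith("group "):
            users = self.servers.get(method.split(" ", 1)[1])
            if users is None:                 # server down or never defined
                return ERROR
            if username not in users:
                return FAIL                   # a reachable server's rejection is final
            return self._check(users[username], password)
        if method == "local":
            if not self.local_users:
                return ERROR                  # no usernames configured: method unavailable
            return self._check(self.local_users.get(username), password)
        if method == "line":
            return ERROR if self.line_password is None else self._check(self.line_password, password)
        if method == "enable":
            return ERROR if self.enable_password is None else self._check(self.enable_password, password)
        if method == "none":
            return PASS                       # no authentication at all
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, method_list, username, password):
        """Walk the list; return (outcome, method that decided it)."""
        for method in method_list:
            outcome = self.run_method(method, username, password)
            if outcome != ERROR:
                return outcome, method
        return ERROR, None                    # every method errored: login denied


GOLDFISH = ["group radius", "local", "line", "none"]
DEFAULT = ["group tacacs+", "group radius", "line", "enable"]

if __name__ == "__main__":
    # 1. RADIUS unreachable, no local users, no line password: GOLDFISH falls all the
    #    way through to 'none' and lets anyone onto the console.
    r = Router(servers={"radius": None})
    print("GOLDFISH, servers cut off:", r.authenticate(GOLDFISH, "intruder", "whatever"))

    # 2. Same outage, but a local user exists: 'local' decides, 'none' is never reached.
    r = Router(servers={"radius": None}, local_users={"admin": "G0ldf1sh!"})
    print("GOLDFISH with a local user, bad password:", r.authenticate(GOLDFISH, "admin", "guess"))

    # 3. TACACS+ is reachable and rejects. The router does NOT fall through to RADIUS,
    #    even though RADIUS would have accepted that password.
    r = Router(servers={"tacacs+": {"raman": "t+pw"}, "radius": {"raman": "radpw"}},
               enable_password="cisco")
    print("DEFAULT, TACACS+ rejects:", r.authenticate(DEFAULT, "raman", "radpw"))
```

The model also shows the other side of the advice to end a list with local: on a router with no username configured, a list that ends in local instead of none denies everyone once the servers are unreachable, which is safe but is also a lockout. Configure the local user before you depend on it.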
Configuring AAA Authorization

To specify what a user is allowed to access once the user is authenticated, you need to configure authorization. The command syntax is a little different from the aaa authentication command because you are concerned with the authorization of services, not the identification of users. The syntax to define AAA authorization is

Router(config)# aaa authorization {network | exec | commands level | reverse-access} {default | list-name} method1 [method2 ...]
The default and list-name keywords have exactly the same meanings as they did with the aaa authentication command. When you define a default authorization method, it applies to all lines and interfaces unless overridden by a more specific method list as defined by list-name. The methods that can authorize services are group tacacs+, group radius, local, none, and if-authenticated. The if-authenticated method does not exist for aaa authentication; with AAA authorization it means that if the user has already authenticated, the router allows access to the requested service without asking a server. Because it grants whatever an authenticated user asks for, it belongs at the end of a list, as a fallback for when the servers are unreachable, not at the front. The first keyword selects the authorization type, and you need to know what the different types mean: exec controls whether the user may start an EXEC shell (and with which attributes, such as privilege level), commands level controls each individual command entered at that privilege level, network covers network services such as PPP, SLIP and ARAP, and reverse-access covers reverse Telnet connections.
Here is an example that defines a default authorization method for an EXEC session:

Router(config)# aaa authorization exec default group tacacs+ local if-authenticated

Here is an example that defines a specific authorization method for an EXEC session:

Router(config)# aaa authorization exec BARKSDALE group tacacs+ group radius local

Here is an example that applies the EXEC authorization method:

Router(config)# line con 0
Router(config-line)# authorization exec BARKSDALE

Figure 5.4 shows the creation of an AAA authorization method named BARKSDALE and how to apply this method to the console port. Figure 5.4. AAA authorization.
Configuring AAA Accounting

To ensure that you know what users do on the network, you configure AAA accounting services. The command syntax for AAA accounting is

Router(config)# aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group {tacacs+ | radius | group-name}

start-stop sends a record when a session or command begins and another when it ends; stop-only sends only the closing record, which carries the totals; none turns accounting off for that type. commands 15 accounting is the one most worth having, because it gives you an audit trail of every privileged command, configuration changes included. Accounting records go only to the server groups you name, so keep that server reachable or you lose the trail.
As you can see, the syntax and keywords are much like those in the previous two AAA commands for authentication and authorization.

Debugging AAA

Three debug commands can be very useful when you troubleshoot your implementation of AAA services: debug aaa authentication, debug aaa authorization, and debug aaa accounting. Let's look at the output of the debug aaa authentication command first:
When reviewing the debug output produced by the debug aaa authorization command, it is important to know what the user is attempting to do and what service the user is attempting to access. Let's review the output from the debug command:

Router# debug aaa authorization
11:11:17: AAA/AUTHOR (0): user='raman'
11:11:17: AAA/AUTHOR (0): send AV service=shell
11:11:17: AAA/AUTHOR (0): send AV cmd*
11:11:17: AAA/AUTHOR (741456852): Method=TACACS+
11:11:17: AAA/AUTHOR/TAC+ (741456852): user=raman
11:11:17: AAA/AUTHOR/TAC+ (741456852): send AV service=shell
11:11:17: AAA/AUTHOR/TAC+ (741456852): send AV cmd*
11:11:17: AAA/AUTHOR (741456852): Post authorization status = FAIL

Look at the line that says send AV service=shell. (AV means attribute-value pair; the router sends these pairs to describe the request, and the server answers with the pairs it permits.) This line tells you what service the user is attempting to access. Do you know what service shell is? Most of the services that you see will be easy to identify, but this one might not be: shell is the EXEC command shell, so this is an exec authorization, the result of an aaa authorization exec list. The cmd* pair that follows names the command being authorized, and its empty value means the user is asking to start the shell itself rather than run a particular command; per-command authorization shows the command after cmd= instead. The Method=TACACS+ line shows which method in the list answered, and Post authorization status = FAIL means the TACACS+ server refused raman an EXEC shell, so the session is denied at the authorization stage even though authentication had already succeeded.
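As an added example (not from the book), here is a Python parser for the debug aaa authorization lines above that pulls out the user, the attribute-value pairs, the method that answered and the final status, and classifies the request by its service pair. It assumes the TACACS+ attribute-value syntax, in which = marks a mandatory attribute and * an optional one, and treats the quoted debug text as a single authorization exchange.

```python
import re

# Constructed sample: the debug aaa authorization output quoted above.
DEBUG_AUTHOR_SAMPLE = """\
11:11:17: AAA/AUTHOR (0): user='raman'
11:11:17: AAA/AUTHOR (0): send AV service=shell
11:11:17: AAA/AUTHOR (0): send AV cmd*
11:11:17: AAA/AUTHOR (741456852): Method=TACACS+
11:11:17: AAA/AUTHOR/TAC+ (741456852): user=raman
11:11:17: AAA/AUTHOR/TAC+ (741456852): send AV service=shell
11:11:17: AAA/AUTHOR/TAC+ (741456852): send AV cmd*
11:11:17: AAA/AUTHOR (741456852): Post authorization status = FAIL
"""

USER_RE = re.compile(r"user='?([^'\s]+)'?")
AV_RE = re.compile(r"send AV (\S+)")
METHOD_RE = re.compile(r"Method=(\S+)")
STATUS_RE = re.compile(r"Post authorization status = (\S+)")

# service= values the router sends and the aaa authorization type that produces them.
SERVICE_TO_TYPE = {"shell": "exec", "ppp": "network", "slip": "network", "arap": "network"}


def parse_av(token):
    """Split a TACACS+ attribute-value pair. The separator carries meaning:
    '=' marks a mandatory attribute, '*' an optional one, so 'cmd*' is an
    optional cmd attribute with an empty value."""
    for i, ch in enumerate(token):
        if ch in "=*":
            return token[:i], token[i + 1:], ch == "="
    raise ValueError(f"not an attribute-value pair: {token!r}")


def parse_author_debug(text):
    """Summarise one authorization exchange: who asked for what, which method
    answered, and how. Later AV pairs with the same name overwrite earlier ones."""
    av = {}
    for token in AV_RE.findall(text):
        name, value, _mandatory = parse_av(token)
        av[name] = value
    users = USER_RE.findall(text)
    methods = METHOD_RE.findall(text)
    statuses = STATUS_RE.findall(text)
    return {"user": users[0] if users else None,
            "av": av,
            "method": methods[-1] if methods else None,
            "status": statuses[-1] if statuses else None}


def classify(event):
    """Name the authorization type. service=shell with an empty cmd is the request
    to start an EXEC shell (aaa authorization exec); shell with a cmd value is
    per-command authorization; ppp, slip and arap are network authorization."""
    service = event["av"].get("service")
    if service == "shell":
        return "commands" if event["av"].get("cmd") else "exec"
    return SERVICE_TO_TYPE.get(service, "unknown")


if __name__ == "__main__":
    event = parse_author_debug(DEBUG_AUTHOR_SAMPLE)
    print(f"{event['user']} requested {classify(event)} authorization, AV pairs {event['av']}; "
          f"{event['method']} answered {event['status']}")
```

Run over the sample, the summary reads: raman requested exec authorization, and TACACS+ answered FAIL. The same parser applied to a command-authorization exchange would see cmd=show (or similar) and classify it as commands, which is the first thing to check when a user can log in but every command is refused.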
The last debug output that you need to know is the debug aaa accounting command output: