Network Bulls
www.networkbulls.com
Best Institute for CCNA CCNP CCSP CCIP CCIE Training in India
M-44, Old Dlf, Sector-14 Gurgaon, Haryana, India
Call: +91-9654672192
Authentication, Authorization and Accounting (AAA)
AAA is one of the core concepts to know when implementing security on Cisco devices. Each of these
items has its own part of the security picture and each should be configured to secure a device.
These three are detailed as follows:
Authentication – The process where users and administrators prove who they are before being
able to access a system
Authorization – The process where users and administrators are granted access to specific
resources or commands.
Accounting – The process where the activities which happen on a device are logged in detail
and provide a clear record of what each user and administrator did while logged in. Accounting
is commonly used for billing or security logging.
AAA Configuration
There are a number of different commands which are used to configure specific AAA functionality. These
will be separated into three different sections in this guide.
The one command which is universal to all sections of AAA is the command to enable AAA:
router(config)#aaa new-model
Authentication
The main procedure for setting up authentication is as follows:
Enable AAA.
Set up the security server configuration. (If used, see later in the domain.)
Create an authentication method list.
Apply the authentication method list.
There are a number of different commands which can be used to configure authentication depending on
how you want the authentication to work. The following is a list of the commonly available authentication
commands, which would all be entered in global configuration mode:
aaa authentication banner – Used to create a personalized login banner.
aaa authentication enable default – Used to create an authentication list which is used when
trying to access privileged command levels.
aaa authentication fail-message – Used to create a message which will be displayed when a
user login fails.
aaa authentication local-override – Used to enable the check of local user database
authentication before using other methods of authentication.
aaa authentication login – Used to create an authentication list which is used when logging in
to a device.
aaa authentication password-prompt – Used to change the text displayed when being
prompted for a password.
aaa authentication ppp – Used to create an authentication list which is used when authenticating PPP
on an interface.
aaa authentication username-prompt – Used to change the text displayed when being
prompted for a username.
When configuring enable authentication the command can be configured in a number of different ways; the
general command syntax is as follows:
router(config)#aaa authentication enable default method1…method4
The default parameter which is shown in this command is used to set the default “Enable Authentication”
behavior. There are a number of different methods which can be configured; up to four can be configured
at the same time and are used in order. The methods which can be specified are listed below:
group radius The RADIUS server configuration is used for authentication.
group tacacs+ The TACACS+ server configuration is used for authentication.
enable The “Enable Password” is used for authentication.
line The “Line Password” is used for authentication.
none Uses no authentication.
When configuring login authentication the command can be configured in a number of different ways;
the general command syntax is as follows:
router(config)#aaa authentication login {default | list-name} method1…method4
The default parameter which is shown in this command is used to set the default login authentication
behavior. The list-name parameter is used to setup a custom login authentication list which is used in
conjunction with the line or interface specific command, which is explained later. There are a number of
different methods which can be configured; up to four can be configured at the same time and are used in
order. The methods which can be specified are listed below:
enable The “Enable Password” is used for authentication.
group radius The RADIUS server configuration is used for authentication.
group tacacs+ The TACACS+ server configuration is used for authentication.
krb5 Uses Kerberos 5 for authentication.
krb5-telnet Uses Kerberos 5 Telnet authentication protocol when using telnet to access the device.
line The “Line Password” is used for authentication.
local The local user database is used for authentication.
local-case Uses case sensitive local user authentication.
none Uses no authentication.
When configuring PPP authentication the command can be configured in a number of different ways; the
general command syntax is as follows:
router(config)#aaa authentication ppp {default | list-name} method1…method4
The default parameter which is shown in this command is used to set the default PPP authentication
behavior. The list-name parameter is used to setup a custom PPP authentication list which is used in
conjunction with the line or interface specific command, which is explained later. There are a number of
different methods which can be configured; up to four can be configured at the same time and are used in
order. The methods which can be specified are listed below:
group radius The RADIUS server configuration is used for authentication.
group tacacs+ The TACACS+ server configuration is used for authentication.
krb5 Uses Kerberos 5 for authentication.
local The local user database is used for authentication.
local-case Uses case sensitive local user authentication.
none Uses no authentication.
In order to apply the configuration as detailed above on specific interfaces or lines, the following
commands are used:
router(config-if)#ppp authentication protocol1..protocol2 {default | list-name}
router(config-line)#login authentication {default | list-name}
It should be noted however that if a default method list is created, it is automatically enabled on all
interfaces and lines which are not specifically configured with a separate method list.
There are several available protocols which can be used with PPP; all four can be used in one command
and are attempted in the order entered. The protocols which are available for the ppp authentication
command are:
chap Enables use of the Challenge Handshake Authentication Protocol (CHAP).
pap Enables use of the Password Authentication Protocol (PAP).
ms-chap Enables use of the Microsoft Challenge Handshake Authentication Protocol (MS-CHAP).
eap Enables use of the Extensible Authentication Protocol (EAP).
Authorization
The main procedure for setting up authorization is the same as authentication and is as follows:
Enable AAA.
Set up the security server configuration. (If used, see later in the domain.)
Create an authorization method list.
Apply the authorization method list.
There are a number of different commands which can be used to configure authorization, depending on
how you want the authorization to work. The following is a list of the commonly available authorization
commands, all of which would be entered in global configuration mode:
aaa authorization network – Used to create an authorization list which is used when
implementing authorization over network-related services.
aaa authorization exec – Used to create an authorization list which is used when determining a
user’s ability to run the EXEC shell.
aaa authorization commands – Used to create an authorization list which is used when
implementing authorization of all commands at a specific user privilege level. The levels range
from 0 to 15.
aaa authorization reverse-access – Used to create an authorization list which is used when
implementing authorization for reverse access connections (typically reverse Telnet).
aaa authorization configuration – Used to create an authorization list which is used when
downloading a configuration from the AAA server.
When configuring network authorization the command can be configured in a number of different ways;
the general command syntax is as follows:
router(config)#aaa authorization network {default | list-name} method1…method4
When configuring exec authorization the command can be configured in a number of different ways;
the general command syntax is as follows:
router(config)#aaa authorization exec {default | list-name} method1…method4
When configuring reverse-access authorization the command can be configured in a number of different
ways; the general command syntax is as follows:
router(config)#aaa authorization reverse-access {default | list-name} method1…method4
When configuring configuration authorization the command can be configured in a number of different
ways; the general command syntax is as follows:
router(config)#aaa authorization configuration {default | list-name} method1…method4
When configuring commands authorization the command can be configured in a number of different
ways; the general command syntax is as follows:
router(config)#aaa authorization commands level {default | list-name} method1…method4
The default parameter which is shown in these commands is used to set the default authorization
behavior for that service. The list-name parameter is used to set up a custom authorization list which is used
in conjunction with the line or interface specific command, which is explained later. There are a number of
different methods which can be configured; up to four can be configured at the same time and are used in
order. The methods which can be specified are listed below:
group radius The RADIUS server configuration is used for authorization.
group tacacs+ The TACACS+ server configuration is used for authorization.
local The local user database is used for authorization.
if-authenticated Allows the user to run the specific function as long as they are authenticated.
none Uses no authorization.
In order to apply the configuration as detailed above on specific lines or interfaces, the following
commands are used:
router(config-line)#authorization {arap | commands level | exec | reverse-access} [default | list-name]
router(config-if)#ppp authorization {default | list-name}
Accounting
The main procedure for setting up accounting is the same as authentication and authorization and
is as follows:
Enable AAA.
Set up the security server configuration. (If used, see later in the domain.)
Create an accounting method list.
Apply the accounting method list.
There are a number of different commands which can be used to configure accounting, depending
on how you want the accounting to work. The following is a list of the commonly available accounting
commands, all of which would be entered in global configuration mode:
aaa accounting system – Used to enable AAA accounting on all system-level events not
associated with users.
aaa accounting network – Used to enable AAA accounting on all network-related
service requests.
aaa accounting exec – Used to enable AAA accounting on all EXEC shell sessions.
aaa accounting connection – Used to enable AAA accounting on all outbound connections
made from the Network Access Server (NAS).
aaa accounting commands – Used to enable AAA accounting on all commands on a specific
privilege level.
When configuring system accounting, the command can be configured in a number of different ways; the
general command syntax is as follows:
router(config)#aaa accounting system {default | list-name} {start-stop | stop-only | none} group group-name
When configuring network accounting, the command can be configured in a number of different ways;
the general command syntax is as follows:
router(config)#aaa accounting network {default | list-name} {start-stop | stop-only | none} group group-name
When configuring exec accounting, the command can be configured in a number of different ways; the
general command syntax is as follows:
router(config)#aaa accounting exec {default | list-name} {start-stop | stop-only | none} group group-name
When configuring connection accounting, the command can be configured in a number of different ways;
the general command syntax is as follows:
router(config)#aaa accounting connection {default | list-name} {start-stop | stop-only | none} group group-name
When configuring commands accounting, the command can be configured in a number of different ways;
the general command syntax is as follows:
router(config)#aaa accounting commands level {default | list-name} {start-stop | stop-only | none} group group-name
The group group-name portion of these commands can be one of two options:
group radius The RADIUS server configuration is used for accounting.
group tacacs+ The TACACS+ server configuration is used for accounting.
In order to apply the configuration as detailed above on specific lines or interfaces, the following
commands are used:
router(config-line)#accounting {commands level | connection | exec} {default | list-name}
router(config-if)#ppp accounting {default | list-name}
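Because a default method list silently applies to every line and interface that has no list of its own, it is worth auditing the method lists in a saved configuration for the weak settings discussed in the three sections above. The following Python script is an added example, not part of the original page or of any Cisco tool; the configuration it scans is constructed, and the server address and key are placeholders.

```python
import re

# Constructed IOS configuration excerpt (not from a real device); the server address
# and key are placeholders. The VTY-WEAK list and the level-1 command authorization
# are deliberately flawed so that the audit has something to report.
SAMPLE_CONFIG = """
aaa new-model
tacacs-server host 192.0.2.10 single-connection
tacacs-server key EXAMPLE-SHARED-KEY
aaa authentication login default group tacacs+ local
aaa authentication login VTY-WEAK group radius none
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

LIST_RE = re.compile(r"aaa (authentication|authorization) "
                     r"(login|enable|ppp|exec|network|commands|reverse-access|configuration) "
                     r"(?:(\d+) )?(\S+) (.+)$")
SERVER_CMD = {"radius": "radius-server host", "tacacs+": "tacacs-server host"}
FALLBACKS = ("local", "local-case", "enable", "line")

def parse_method_lists(config: str) -> dict:
    """Map each list, e.g. 'authentication login default', to its ordered methods."""
    lists = {}
    for line in config.splitlines():
        m = LIST_RE.match(line.strip())
        if m:
            kind, service, level, name, methods = m.groups()
            key = " ".join(p for p in (kind, service, level, name) if p)
            # 'group radius' is one method; join it so it splits as a single token
            lists[key] = re.sub(r"group (radius|tacacs\+)", r"group-\1", methods).split()
    return lists

def audit(config: str) -> list:
    """Return findings for method lists that weaken AAA on the device."""
    findings = []
    if "aaa new-model" not in config:
        findings.append("aaa new-model missing: the method lists below are not in effect")
    for key, methods in parse_method_lists(config).items():
        # IOS only moves to the next method when the previous one errors (server unreachable)
        if "none" in methods:
            findings.append(f"{key}: 'none' grants access whenever earlier methods are unreachable")
        for proto, cmd in SERVER_CMD.items():
            if f"group-{proto}" in methods and cmd not in config:
                findings.append(f"{key}: uses group {proto} but no '{cmd}' is configured")
        if key.startswith("authentication") and not any(m in FALLBACKS for m in methods):
            findings.append(f"{key}: no local fallback, so a server outage locks administrators out")
        if key.startswith("authorization commands"):
            if f"aaa accounting commands {key.split()[2]} " not in config:
                findings.append(f"{key}: level {key.split()[2]} commands are authorized but not accounted")
    return findings
```

Run `audit(SAMPLE_CONFIG)` to see the four findings the constructed excerpt produces; the default login list passes because it has a server method and a local fallback.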
AAA Debug
There are also a number of commands which are used to debug the various types of AAA. These different
commands are as follows:
router#debug aaa authentication
router#debug aaa authorization
router#debug aaa accounting
SDM AAA Configuration
In the newer exams, Cisco appears to be placing more emphasis on the use of SDM for specific
configuration processes. The AAA parameters described above can also be configured within SDM; the figures
show the various configuration screens that would be used to configure these items using SDM.
TACACS+ and RADIUS
Two of the most used AAA protocols are Terminal Access Controller Access-Control System Plus (TACACS+)
and Remote Authentication Dial In User Service (RADIUS). TACACS+ is a Cisco-proprietary protocol which runs
over TCP, and RADIUS is an IETF-maintained protocol which runs over UDP. TACACS+ provides some additional
functionality which is not supported by RADIUS, including the ability to separate authentication from
authorization, and the ability to control the authorization level of users.
TACACS+ Responses
As the TACACS+ server converses with the user, it uses a small set of responses which
determine the outcome of a request:
ACCEPT – The user has been authenticated; authorization begins at this point if configured.
REJECT – Authentication has failed for the user.
ERROR – At some point during the authorization an error has occurred.
CONTINUE – The user is being prompted for further authorization before
acceptance or rejection.
TACACS+ Attributes
There are a number of different attributes which are used for authentication and authorization:
ACL (EXEC authorization) – Lists an access class number that will be applied to a line.
ADDR (SLIP, PPP Authorization) – Used to specify the IP address of the remote host when using a
SLIP or PPP connection.
CMD (EXEC) – The attribute-value (AV) pair is used to start an authorization request for
an EXEC command.
Priv-lvl (EXEC Authorization) – This is used to specify the current privilege level
for command authorization.
Route (SLIP, PPP Authorization) – Used to specify a route to be applied to an interface.
InACL (SLIP, PPP Authorization) – Used to list an inbound ACL for a SLIP or PPP Connection.
OutACL – Used to list an outbound ACL for a SLIP or PPP Connection.
Addr-pool – Used to set the name of the local address pool from which to obtain an address for
the remote host.
Autocmd – Used to specify a command which will be automatically executed at EXEC startup.
RADIUS Message Types
The following are the four message types which are used by a RADIUS server:
Access-Request – Contains AV pairs for username and password which are
encrypted by RADIUS.
Access-Challenge – Used for authentication methods which utilize
challenge-based approaches.
Access-Accept – Indicates that the information the user provided is correct.
Access-Reject – Indicates that the information the user provided is incorrect.
RADIUS Attributes
There are a number of different attributes which are used for both authorization and authentication:
User-Name
User-Password
CHAP-Password
NAS-IP-Address
NAS-Port
Service-Type
Framed-IP-Address
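To make the Access-Request message and the attributes listed above concrete, the following Python is an added example (not part of the original page) that builds a minimal Access-Request carrying User-Name, User-Password, NAS-IP-Address, NAS-Port and Service-Type, hides the password the way RFC 2865 specifies, and recovers it as the server would. The username, password, NAS address and shared secret are constructed values.

```python
import hashlib
import os
import struct

# Constants from RFC 2865: the Access-Request code and the attribute types used below
ACCESS_REQUEST = 1
ATTR = {"User-Name": 1, "User-Password": 2, "NAS-IP-Address": 4, "NAS-Port": 5, "Service-Type": 6}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block).
    This is keyed obfuscation, not authenticated encryption; its strength is the shared secret."""
    padded = password.ljust(((max(len(password), 1) - 1) // 16 + 1) * 16, b"\x00")
    out, prev = b"", authenticator  # the first block is keyed with the Request Authenticator
    for i in range(0, len(padded), 16):
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out

def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo hide_password block by block and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")

def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (value + 2 header bytes), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: str, nas_port: int, authenticator: bytes = b"") -> bytes:
    """Assemble the Access-Request a NAS sends; the authenticator defaults to 16 random bytes."""
    auth = authenticator or os.urandom(16)
    attrs = (tlv(ATTR["User-Name"], username)
             + tlv(ATTR["User-Password"], hide_password(password, secret, auth))
             + tlv(ATTR["NAS-IP-Address"], bytes(int(o) for o in nas_ip.split(".")))
             + tlv(ATTR["NAS-Port"], struct.pack("!I", nas_port))
             + tlv(ATTR["Service-Type"], struct.pack("!I", 1)))  # Service-Type 1 = Login
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + auth + attrs

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: raw value} for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:  # RFC 2865 requires length >= 2; stop rather than loop forever
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```

Only the User-Password is hidden; User-Name and the other attributes travel in the clear over UDP, and the hiding can be undone by anyone holding the shared secret, which is why the secret must be strong and unique per client.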
AAA Server Configuration
TACACS+ Configuration
There are three main commands which are required for TACACS+ to work. These include:
router(config)#aaa new-model
This command is used to enable AAA and is shown above as well.
router(config)#tacacs-server host ip-address [single-connection]
This command is used to set up the connection between the router and the TACACS+ server.
router(config)#tacacs-server key key
This command is used to establish the shared secret key between the TACACS+ server
and the router.
RADIUS Configuration
There are three main commands which are required for RADIUS to work. These include:
router(config)#aaa new-model
This command is used to enable AAA and is shown above as well.
router(config)#radius-server host ip-address
This command is used to set up the connection between the router and the RADIUS server.
router(config)#radius-server key key
This command is used to establish the shared secret key between the RADIUS server
and the router.
SDM TACACS+/RADIUS Server Configuration
The configuration of both TACACS+ and RADIUS servers are done through the same SDM
AAA Server screen.
Cisco Secure ACS
Cisco Secure ACS version 4.2 is Cisco’s Network Access Server solution. It provides a number of functions
including the management and administration of user access to IOS, VPN, firewalls, VoIP and Cisco
wireless solutions, to name a few. It can also act as an 802.1x server for access control, including support for
Cisco’s Network Access Control (NAC). It can also provide TACACS+ and RADIUS security server functions.
Cisco Secure ACS Requirements
Cisco Secure ACS runs on a Microsoft Windows server and requires at least Windows 2000 Server SP4 to be
installed in order to work correctly. The server itself has physical requirements which are as follows:
1.8 GHz Pentium 4 or better
1 GB of RAM
1 GB of hard drive space (more if the database server is also being run on the same computer)
Monitor supporting 800 x 600 with 256 colors or better
CD-ROM drive
100 Base-T or faster connection
Cisco Secure ACS Connections
In order for Cisco Secure ACS to communicate with clients it uses specific IP network ports. These are
detailed as follows:
Feature                                     Protocol  Port(s)
RADIUS Authentication and/or Authorization  UDP       1645, 1812
RADIUS Accounting                           UDP       1646, 1813
TACACS+                                     TCP       49
Cisco Secure ACS database replication       TCP       2000
RDBMS Synchronization                       TCP       2000
User-Changeable password web application    TCP       2000
Logging                                     TCP       2001
Administrative HTTP port                    TCP       2002
Administrative HTTP port range              TCP       Configurable