The AAA framework is supported on all major Cisco devices, including routers, switches, firewalls, and concentrators. This section will focus mainly on implementing AAA services on Cisco IOS devices.
AAA can be implemented on devices in three ways:
To enable AAA on a Cisco IOS device, follow this general configuration procedure:
1. Enable AAA using the aaa new-model global configuration command.
2. Configure the security protocol parameters, such as the IP address of the RADIUS or TACACS+ server and the shared secret key. (This does not apply if you are using a local database.)
3. Define the authentication method lists by using the aaa authentication command set.
4. Apply the authentication method list(s) by using the login authentication command (under the line mode) to the corresponding interface or line, if required.
5. (Optional) Define the authorization service and method lists by using the aaa authorization command set.
6. (Optional) Apply the authorization method list(s) using the authorization command (under the line mode) to the corresponding interface or line, if required.
7. (Optional) Define the accounting service and method lists by using the aaa accounting command set.
8. (Optional) Apply the accounting method list(s) using the accounting command (under the line mode) to the corresponding interface or line, if required.
Method lists define which of the three AAA services will be performed and the sequence in which the configured methods are tried. The method argument refers to the actual method the authentication algorithm tries. Method lists also let you control which one or more security protocols are used for authentication, providing a fallback in case the initial method does not respond. The AAA engine uses the first method defined in the method list; if, for example, the TACACS+ server is not reachable and no response is received (known as an ERROR), it falls back to the next method defined in the list. An ERROR response means that the server did not respond to the authentication request. By contrast, if the server is reachable but the user credentials do not match, the result is an authentication FAIL. A FAIL response means that the user has not met the required criteria; for example, the username or password was incorrect or not found on the server. With a FAIL response, the authentication process stops and no further methods in the list are attempted, so a fallback method such as local comes into play only when the server is unreachable, not when it rejects the user. The cycle continues until a method responds successfully or all methods defined in the method list are exhausted.
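The ERROR-versus-FAIL rule above is easy to misread, so here is an added example (not from the book or from Cisco IOS itself) that simulates how the AAA engine walks an authentication method list. The two-method list it evaluates mirrors the group tacacs+ local pattern that Example 8-2 configures later in this section. The server behaviour, the user databases and the Result values are constructed for the simulation; real IOS does not expose an API like this.

```python
"""Simulation of Cisco IOS AAA method-list fallback (added example, not IOS code).

Rules modelled, as described in the text:
  ERROR -> server gave no response: fall through to the next method
  FAIL  -> server answered and rejected the user: stop immediately
  PASS  -> authenticated
  all methods exhausted without a PASS -> access denied
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"
    FAIL = "FAIL"
    ERROR = "ERROR"


# A method takes (username, password) and returns a Result (constructed interface).
Method = Callable[[str, str], Result]


def evaluate_method_list(methods: List[Tuple[str, Method]],
                         username: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the list in order. Returns (authenticated, trace); the trace records
    every method consulted and what it answered, which is what you would want in
    a log when debugging an unexpected lockout."""
    trace: List[str] = []
    for name, method in methods:
        result = method(username, password)
        trace.append(f"{name}:{result.value}")
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            # Server reachable and user rejected: IOS does not try later methods.
            return False, trace
        # Result.ERROR: no response, continue with the next method in the list.
    # Every method errored out: nothing vouched for the user, so deny.
    return False, trace


# Constructed user databases standing in for the TACACS+ server and the local database.
TACACS_USERS: Dict[str, str] = {"alice": "tacacs-pw"}
LOCAL_USERS: Dict[str, str] = {"admin": "local-pw"}


def make_server_method(reachable: bool, users: Dict[str, str]) -> Method:
    """Build a 'group tacacs+'-style method: ERROR when the server is down,
    otherwise PASS/FAIL depending on the credentials it holds."""
    def method(username: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(username) == password else Result.FAIL
    return method


def local_method(username: str, password: str) -> Result:
    """The 'local' method: the device's own username database always answers."""
    return Result.PASS if LOCAL_USERS.get(username) == password else Result.FAIL


def scenario(tacacs_reachable: bool, username: str, password: str) -> Tuple[bool, List[str]]:
    """Evaluate the equivalent of: aaa authentication login default group tacacs+ local"""
    methods = [("group tacacs+", make_server_method(tacacs_reachable, TACACS_USERS)),
               ("local", local_method)]
    return evaluate_method_list(methods, username, password)


if __name__ == "__main__":
    print(scenario(False, "admin", "local-pw"))   # server down: ERROR, then local PASS
    print(scenario(True, "alice", "wrong"))       # server up, bad password: FAIL, stop
    print(scenario(True, "admin", "local-pw"))    # server up, unknown user: FAIL, local never tried
    print(scenario(True, "alice", "tacacs-pw"))   # server up, good password: PASS
```

The third scenario is the one that surprises people in practice: while the TACACS+ server is reachable, a local-only account cannot log in at all, because the server's FAIL ends the list before local is consulted. The local method is a safety net for server outages, not a second place to look up users.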
There are two basic types of method lists:
Named Method: A named method list can be configured for any AAA service—for example, for authentication or authorization—and applied to specific interfaces as required.
Default Method: A default method list is configured globally and is automatically applied to all the interfaces and lines on a device for which no other method list is defined. Note that a named method list applied to an interface or line takes precedence and overrides the default method list there.
All authentication methods, except local, line password, and enable authentication, must be defined through AAA.
AAA services offer a variety of methods to be performed. In the section that follows, Tables 8-4, 8-5, and 8-6 define the different types of methods available for the AAA functions.
The following methods are available in the aaa authentication login command. These lists are applied using the login authentication command under the line configuration mode.
The following methods are available in the aaa authorization login command. These lists are applied by using the authorization command under the line configuration mode.
The following methods are available in the aaa accounting command. These lists are applied by using the accounting command under the line configuration mode.
Server groups can be used to group any RADIUS or TACACS+ server hosts for use in the method lists. Subsets of hosts can be specified for a particular service; for instance, for login authentication, use server1; for PPP authentication, use server2. Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier.
Example 8-1 shows two RADIUS groups configured with different server addresses. Login authentication uses the first server group, yusuf1, and PPP authentication uses the second group, yusuf2. A server group also allows a separate shared secret key to be defined. In Example 8-1, the first group yusuf1 uses the default RADIUS key cisco123 configured globally, whereas the second group yusuf2 has its own unique secret key cisco456.
aaa group server radius yusuf1
 server 172.16.1.1
aaa group server radius yusuf2
 server-private 172.16.1.2 key cisco456
!
aaa authentication login default group yusuf1
aaa authentication ppp default group yusuf2
!
radius-server key cisco123
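Which shared secret a given server group actually ends up with (the group's own server-private key, or the global radius-server key) is worth being able to check mechanically, especially before a key rotation. The following is an added example, not the book's code and not a Cisco tool: a small parser for the AAA lines in Example 8-1 that resolves each group to its servers and effective keys, expands the method lists that reference those groups, and reports servers that have no key at all. It handles only the command forms shown on this page (aaa group server, server / server-private ... key, aaa authentication, and the global radius-server key / tacacs-server key); the configuration text it parses is Example 8-1 embedded inline.

```python
"""Resolve effective RADIUS/TACACS+ keys per server group from IOS AAA config
(added example; parses only the command forms used in Example 8-1 and 8-2)."""
from typing import Dict, List, Optional, Tuple

# Example 8-1 from the text, embedded so the script runs stand-alone.
EXAMPLE_8_1 = """\
aaa group server radius yusuf1
 server 172.16.1.1
aaa group server radius yusuf2
 server-private 172.16.1.2 key cisco456
!
aaa authentication login default group yusuf1
aaa authentication ppp default group yusuf2
!
radius-server key cisco123
"""


class AaaConfig:
    def __init__(self) -> None:
        self.groups: Dict[str, dict] = {}             # name -> {"protocol", "servers"}
        self.method_lists: Dict[str, List[str]] = {}  # "login default" -> ["group", "yusuf1"]
        self.global_keys: Dict[str, str] = {}         # "radius" / "tacacs+" -> key


def parse(text: str) -> AaaConfig:
    cfg = AaaConfig()
    current: Optional[str] = None   # server group whose indented lines we are inside
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None          # '!' or a blank line ends the group sub-mode
            continue
        tokens = raw.split()
        if raw[0].isspace():
            # Indented line: a server entry inside the current server group.
            if current is None or tokens[0] not in ("server", "server-private"):
                continue
            key = tokens[tokens.index("key") + 1] if "key" in tokens else None
            cfg.groups[current]["servers"].append({"host": tokens[1], "key": key})
            continue
        current = None
        if tokens[:3] == ["aaa", "group", "server"] and len(tokens) >= 5:
            current = tokens[4]     # aaa group server {radius|tacacs+} NAME
            cfg.groups[current] = {"protocol": tokens[3], "servers": []}
        elif tokens[:2] == ["aaa", "authentication"] and len(tokens) >= 5:
            # aaa authentication SERVICE LISTNAME METHOD [METHOD ...]
            cfg.method_lists[f"{tokens[2]} {tokens[3]}"] = tokens[4:]
        elif tokens[0] in ("radius-server", "tacacs-server") and tokens[1:2] == ["key"]:
            proto = "radius" if tokens[0] == "radius-server" else "tacacs+"
            cfg.global_keys[proto] = tokens[2]
    return cfg


def effective_servers(cfg: AaaConfig, group: str) -> List[Tuple[str, Optional[str]]]:
    """(host, key) for each server in the group: a per-server key wins, otherwise
    the protocol's global key applies; None means no key is configured anywhere."""
    g = cfg.groups[group]
    return [(s["host"], s["key"] or cfg.global_keys.get(g["protocol"])) for s in g["servers"]]


def resolve_method_list(cfg: AaaConfig, service: str) -> List[tuple]:
    """Expand 'group NAME' methods into concrete (host, key) pairs; other methods
    (local, enable, none, or the built-in 'group radius'/'group tacacs+', whose
    host lists this example does not parse) are kept as plain labels."""
    methods, resolved, i = cfg.method_lists[service], [], 0
    while i < len(methods):
        if methods[i] == "group" and i + 1 < len(methods):
            name = methods[i + 1]
            servers = effective_servers(cfg, name) if name in cfg.groups else None
            resolved.append((f"group {name}", servers))
            i += 2
        else:
            resolved.append((methods[i], None))
            i += 1
    return resolved


def servers_without_key(cfg: AaaConfig) -> List[Tuple[str, str]]:
    """Audit helper: (group, host) pairs that would be sent requests with no shared secret."""
    return [(name, host) for name in cfg.groups
            for host, key in effective_servers(cfg, name) if key is None]


if __name__ == "__main__":
    cfg = parse(EXAMPLE_8_1)
    for name in cfg.groups:
        print(name, effective_servers(cfg, name))
    for service in cfg.method_lists:
        print(service, "->", resolve_method_list(cfg, service))
    print("servers without a key:", servers_without_key(cfg))
```

Run against Example 8-1 this reports yusuf1 with 172.16.1.1 under the global key cisco123 and yusuf2 with 172.16.1.2 under cisco456, which is exactly the behaviour the text describes; the audit helper is empty here, but it flags any group whose protocol has no global key and whose servers carry no private key.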
A basic understanding of method lists and server groups enables you to effectively use the service types available for each AAA service. It is important to understand that various services are available and that the previously described methods can be used in different ways.
AAA allows you to perform the types of service authentication listed in Table 8-7 by using the aaa authentication command.
Example 8-2 shows how to configure basic login authentication using the TACACS+ server with a default method list and a fallback method to the local user database. When using the default method list, there is no need to apply it on any interface, because it applies to all the lines on the device.
aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 192.168.1.1
tacacs-server key cisco
AAA allows you to perform various types of authorization for all network-related services, including IP, Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), and AppleTalk Remote Access Protocol (ARAP). Service parameters are set to define a user's access to the network resources. The NAS is able to control user access to the network and network resources and allow users to perform only certain functions after successful authentication. Table 8-8 lists the types of authorization services that are available when you use the aaa authorization command.
Authorization services can be configured to run for all network-related service requests, including IP, IPX, SLIP, PPP, Telnet, and ARAP.
AV pairs are variable information exchanged with the RADIUS or TACACS+ server during the authorization phase to define service levels for users. AV pairs are used to define specific authentication, authorization, and accounting elements in a user profile. The attributes are stored in the server database, defined and associated with users and groups, and sent to the NAS for enforcement, where they are applied to the user's connection.
For a list of Cisco-supported RADIUS and TACACS+ Attribute-Value pairs, refer to the Cisco technical documentation.
The AAA accounting feature provides the means to track the services being used by the user and per-user resource utilization. The NAS sends accounting information in the form of accounting records to the server (RADIUS or TACACS+). Each accounting record contains accounting AV pairs, which are stored on the server and can be used for network management, reports, billing, and auditing.
Table 8-9 lists the types of accounting services available when using the aaa accounting command. Accounting services can be configured to run for all network-related service requests.
Note
For further information on implementing AAA services, refer to the AAA section in Part 1; refer also to Part 2, "Security Server Protocols" of the Cisco IOS Security Configuration Guide in the Cisco documentation:
www.cisco.com/en/US/products/ps6350/products_configuration_guide_book09186a008043360a.html