
Implementing AAA

The AAA framework is supported on all major Cisco devices, including routers, switches, firewalls, and concentrators. This section will focus mainly on implementing AAA services on Cisco IOS devices.

AAA can be implemented on devices in three ways:

  1. A self-contained AAA local security database containing usernames and passwords directly on the NAS device, such as the router. This implementation is suitable for smaller networks with a small number of users.

  2. A Cisco Secure ACS for Windows application server. This can be an external server installed onto a Windows server operating system that scales well. This implementation is suitable for medium to large networks.

  3. Cisco Secure ACS Solutions Engine appliance. This is a dedicated external platform offered by Cisco Systems that scales and is suitable for very large networks.

To enable AAA on a Cisco IOS device, follow this general procedure:

  1. Enable AAA using the aaa new-model global configuration command.

  2. Configure the security protocol parameters, such as the IP address of the RADIUS or TACACS+ server and the shared secret key. (This step does not apply if you are using only the local database.)

  3. Define the authentication service and its method lists by using the aaa authentication command set.

  4. Apply the authentication method list(s) to the corresponding line or interface by using the login authentication command (in line configuration mode), if a named list is used.

  5. (Optional) Define the authorization service and its method lists by using the aaa authorization command set.

  6. (Optional) Apply the authorization method list(s) to the corresponding line or interface by using the authorization command (in line configuration mode), if a named list is used.

  7. (Optional) Define the accounting service and its method lists by using the aaa accounting command set.

  8. (Optional) Apply the accounting method list(s) to the corresponding line or interface by using the accounting command (in line configuration mode), if a named list is used.

AAA Methods

Method lists define which of the three AAA services is performed for a given service type and the sequence in which the methods are tried. The method argument names the actual mechanism the AAA engine uses, such as a TACACS+ server group or the local username database. Listing more than one method provides a fallback if the first method cannot be used.

The AAA engine tries the first method in the list and moves to the next one only when the current method returns an ERROR. An ERROR means that no answer was obtained; for example, the TACACS+ server did not respond or was unreachable. If the server is reachable but rejects the request, the result is a FAIL; for example, the username was not found or the password was incorrect. A FAIL is final: the process stops and no further methods in the list are attempted. The engine therefore walks the list until one method returns a definitive answer (PASS or FAIL) or every method has returned an ERROR, in which case the request is denied.

Because the list is walked only on ERROR, the last method decides what happens when every server is unreachable. A list that ends in none grants access in exactly that situation, so it should be reserved for lines that are physically protected.
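The following two method lists, added here as an illustration rather than taken from the book, make the ERROR/FAIL distinction concrete; the list names, the server timeout value, and the user names are assumptions.

```cisco
! Both lists query TACACS+ first. They differ only in what happens when every
! server returns an ERROR, that is, when no server answers at all.
!
! Weak: during an outage the engine walks to "none" and admits the user
! without any credential check. A FAIL from a reachable server still ends
! the list, so this list changes nothing while the servers are up and
! everything when they are down or being blocked.
aaa authentication login WEAK-LOGIN group tacacs+ none
!
! Corrected: the fallback is the local username database, so an outage
! still requires a credential that only the device holds.
username admin privilege 15 secret L0calFallbackPw
aaa authentication login SAFE-LOGIN group tacacs+ local
!
! Keep the ERROR path short: a dead server should be declared dead after a
! few seconds rather than after the default timeout on every login attempt.
tacacs-server timeout 3
!
! Verify from EXEC mode before relying on the list (user and password assumed):
!   test aaa group tacacs+ alice Passw0rd legacy
! A rejected credential is reported as a reject (FAIL); an unreachable server
! is reported as no response (ERROR), which is the case the fallback covers.
```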

There are two basic types of method lists: the default list, which is applied automatically to every line and interface that has no named list, and named lists, which take effect only where they are applied with the login authentication, authorization, or accounting line commands.

All authentication methods, except local, line password, and enable authentication, must be defined through AAA.

AAA services offer a variety of methods. Tables 8-4, 8-5, and 8-6 list the methods available for each of the three AAA functions.

Table 8-4. Authentication Login Methods
Keyword        Description
enable         Uses the enable password for authentication.
group radius   Uses the list of all RADIUS servers for authentication.
group tacacs+  Uses the list of all TACACS+ servers for authentication.
krb5           Uses Kerberos 5 authentication.
krb5-telnet    Uses the Kerberos 5 Telnet authentication protocol when Telnet is used to connect to the router.
line           Uses the line password for authentication.
local          Uses the local username database for authentication. Users are created in the router's local database with the username command.
local-case     The same as local, but with case-sensitive username matching.
none           Uses no authentication when this method is processed.


Table 8-5. Authorization Methods
Keyword           Description
group radius      Uses the list of all RADIUS servers for authorization. The NAS requests authorization information from the RADIUS server. RADIUS authorization defines specific rights for users by associating attribute-value pairs, stored in a database on the RADIUS server, with the appropriate user.
group tacacs+     Uses the list of all TACACS+ servers for authorization. The NAS requests authorization information from the TACACS+ server. TACACS+ authorization defines specific rights for users by associating attribute-value pairs, stored in a database on the TACACS+ server, with the appropriate user.
if-authenticated  Allows the user to access the requested function, provided the user has been authenticated successfully.
local             Uses the local username database for authorization. The router checks its local database, as defined by the username command. The local database offers only a limited set of functions with limited control.
none              No authorization (always succeeds). The router does not request authorization information; authorization is not performed over this line/interface.


Table 8-6. Accounting Methods
Keyword        Description
group radius   Uses the list of all RADIUS servers for accounting. The NAS reports user activity to the RADIUS server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the server.
group tacacs+  Uses the list of all TACACS+ servers for accounting. The NAS reports user activity to the TACACS+ server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the server.


Authentication Methods

The methods listed in Table 8-4 are available in the aaa authentication login command. Named lists are applied using the login authentication command in line configuration mode.

Authorization Methods

The methods listed in Table 8-5 are available in the aaa authorization command. Named lists are applied using the authorization command in line configuration mode.

Accounting Methods

The methods listed in Table 8-6 are available in the aaa accounting command. Named lists are applied using the accounting command in line configuration mode.

Server Groups

Server groups can be used to group any RADIUS or TACACS+ server hosts for use in the method lists. Subsets of hosts can be specified for a particular service; for instance, for login authentication, use server1; for PPP authentication, use server2. Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier (for RADIUS, the combination of IP address and UDP port number).

Example 8-1 shows two RADIUS groups configured with different server addresses. Login authentication uses the first server group, yusuf1, and PPP authentication uses the second group, yusuf2. A server group also allows a separate shared secret key to be defined. In Example 8-1, the first group, yusuf1, uses the default RADIUS key cisco123 configured globally, whereas the second group, yusuf2, has its own secret key, cisco456, defined on a private server entry.

Example 8-1. Configuring Server Groups

aaa new-model
!
! Group members defined with "server" must also exist as global
! radius-server hosts; they inherit the global key.
aaa group server radius yusuf1
 server 172.16.1.1
! A server-private entry is local to the group and carries its own key.
aaa group server radius yusuf2
 server-private 172.16.1.2 key cisco456
!
aaa authentication login default group yusuf1
aaa authentication ppp default group yusuf2
!
radius-server host 172.16.1.1
radius-server key cisco123

Service Types for AAA Functions

With method lists and server groups understood, the next step is to choose the service type for each AAA function. Each function (authentication, authorization, and accounting) supports several service types, and the methods described previously can be combined differently for each of them.

Authentication Services

AAA allows you to perform the types of service authentication listed in Table 8-7 by using the aaa authentication command.

Table 8-7. Authentication Services
Keyword   Description
arap      Enables authentication lists for AppleTalk Remote Access Protocol (ARAP).
login     Enables authentication lists for any ASCII-based login, such as console, Telnet, or SSH.
enable    Sets authentication lists for entering privileged EXEC (enable) mode on the router.
ppp       Enables authentication lists for any PPP-based service, such as ISDN or remote dial-in.


Example 8-2 shows how to configure basic login authentication using a TACACS+ server with the default method list and a fallback to the local user database. When the default method list is used, there is no need to apply it to any line or interface, because it applies to all lines on the device that have no named list.

Example 8-2. Login Authentication Using TACACS+ Server

aaa new-model
aaa authentication login default group tacacs+ local
!
tacacs-server host 192.168.1.1
tacacs-server key cisco

Authorization Services

AAA allows you to perform various types of authorization for all network-related services, including IP, Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), and AppleTalk Remote Access Protocol (ARAP). Service parameters are set to define a user's access to the network resources. The NAS is able to control user access to the network and network resources and allow users to perform only certain functions after successful authentication. Table 8-8 lists the types of authorization services that are available when you use the aaa authorization command.

Table 8-8. Authorization Services
Keyword          Description of Use
network          Authorizes network connections (PPP, SLIP, ARAP).
exec             Authorizes the attributes associated with a user EXEC terminal session (shell), such as the privilege level.
commands         Authorizes the EXEC mode (shell) commands that a user issues. Command authorization is requested for all EXEC mode commands at the specified privilege level.
config-commands  Same as above, but for configuration mode commands.
auth-proxy       Authorizes the Authentication Proxy service by applying specific security policies on a per-user basis.
configuration    Downloads configurations from the AAA server.
reverse-access   Authorizes reverse Telnet sessions.
ipmobile         Authorizes Mobile IP services.


Authorization services can be configured to run for all network-related service requests, including IP, IPX, SLIP, PPP, Telnet, and ARAP.

Attribute-Value (AV) Pairs for Authorization

AV pairs are the variable information exchanged between the NAS and the RADIUS or TACACS+ server during the authorization phase to define service levels for users. AV pairs are used to define specific authentication, authorization, and accounting elements in a user profile. The attributes are stored in the server database, defined and associated with users and groups, and sent to the NAS for enforcement, where they are applied to the user's connection.

For a list of Cisco-supported RADIUS and TACACS+ Attribute-Value pairs, refer to the Cisco technical documentation.

Accounting Service

The AAA accounting feature provides the means to track the services being used by the user and per-user resource utilization. The NAS sends accounting information in the form of accounting records to the server (RADIUS or TACACS+). Each accounting record contains accounting AV pairs, which are stored on the server and can be used for network management, reports, billing, and auditing.

Table 8-9 lists the types of accounting services available when using the aaa accounting command. Accounting services can be configured to run for all network-related service requests.

Table 8-9. Accounting Services
Keyword     Description
network     Network accounting provides information for all network-related services, including PPP, SLIP, or ARAP sessions. This also includes the packet and byte counts for each connection.
connection  Connection accounting provides information about all outbound connections made from the NAS, such as outbound Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.
exec        EXEC accounting provides information about user EXEC terminal sessions (user shells) on the NAS, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.
system      System accounting provides information about all system-level events (for example, when the system reboots or when accounting is enabled or disabled).
commands    Command accounting provides information about the EXEC shell commands for a specified privilege level that are executed on a NAS. Each command accounting record includes the command executed at that privilege level, the date and time it was executed, and the user who executed it.
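The following configuration, added here rather than taken from the book, turns on each of the five accounting service types with a suitable record type; the server group name, its address, and the update interval are assumptions.

```cisco
aaa new-model
tacacs-server host 192.168.1.1
tacacs-server key S3cretSharedKey
!
! Accounting is sent to TACACS+ here; command accounting in particular is a
! TACACS+ feature, because RADIUS has no accounting record for commands.
aaa group server tacacs+ ACCT-SRV
 server 192.168.1.1
!
! exec: one record when a shell starts and one when it stops (start-stop),
! carrying the username, source address, and times.
aaa accounting exec default start-stop group ACCT-SRV
!
! commands: one record per command at the given privilege level, with who
! ran it and when. Only a stop record exists per command, so stop-only is
! the natural choice; level 1 is included to record what read-only users do.
aaa accounting commands 1 default stop-only group ACCT-SRV
aaa accounting commands 15 default stop-only group ACCT-SRV
!
! network: PPP/SLIP/ARAP sessions with packet and byte counts. stop-only
! sends a single record at teardown that carries the final counters.
aaa accounting network default stop-only group ACCT-SRV
!
! connection: outbound sessions made from the device itself (Telnet, rlogin).
aaa accounting connection default start-stop group ACCT-SRV
!
! system: reloads and accounting being switched on or off. System events are
! not tied to a line or interface, so only the default list exists for them.
aaa accounting system default start-stop group ACCT-SRV
!
! Interim updates make a long-running session visible before it ends
! (interval in minutes, assumed).
aaa accounting update periodic 15
```

The exec, network, and connection lists above are default lists, so they apply everywhere without a line-level accounting command; named lists would be applied with the accounting command in line configuration mode as described earlier.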


Note

For further information on implementing AAA services, refer to the AAA section in Part 1; refer also to Part 2, "Security Server Protocols" of the Cisco IOS Security Configuration Guide in the Cisco documentation:

www.cisco.com/en/US/products/ps6350/products_configuration_guide_book09186a008043360a.html

