Implementing AAA

The AAA framework is supported on all major Cisco devices, including routers, switches, firewalls, and concentrators. This section will focus mainly on implementing AAA services on Cisco IOS devices.

AAA can be implemented on devices in three ways:

To enable AAA on a Cisco IOS device, follow these general configurable procedures:

AAA Methods

Method lists are configured to define which of the three AAA services will be performed and the sequence in which they will be executed. The method argument refers to the actual method the authentication the algorithm tries. Method lists also allow control of the one or more security protocols to be used for the authentication, ensuring a fallback system in case the initial method fails. The AAA engine will use the first method defined in the method list, and if, for example, the TACACS+ server is not reachable, it will fall back to the next method defined in the list if there was no response from the server (known as the ERROR message), (except if the actual authentication failed with a FAIL response message). An ERROR response means that the server did not respond to the authentication request. However, if the server is reachable but the user credentials did not match, it will result in an authentication FAIL message. A FAIL response means that the user has not met the criteria required; for example, the username or password was incorrect or not found on the server. With a FAIL response, the authentication process stops and no further authentication methods are attempted in the list. The cycle continues until there is successful communication or all methods defined in the method list are exhausted.

There are two basic types of method lists:

• Named Method: A named method list can be configured for any AAA service—for example, for authentication or authorization—and applied to specific interfaces as required.

• Default Method: A default method list is configured globally and is automatically applied to all the interfaces on a device if no other method list is defined. Note that a defined method list (the same as a named method list) takes preference and will override the default method list.

All authentication methods, except local, line password, and enable authentication, must be defined through AAA.

AAA services offer a variety of methods to be performed. In the section that follows, Tables 8-4, 8-5, and 8-6 define the different types of methods available for the AAA functions.

Table 8-4. Authentication Login Methods

Keyword	Description
enable	Uses the enable password for authentication.
group radius	Uses the list of all RADIUS servers for authentication.
group tacacs+	Uses the list of all TACACS+ servers for authentication.
krb5	Uses Kerberos 5 authentication.
krb5-telnet	Uses Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.
Line	Uses the line password for authentication.
Local	Uses the local username database for authentication. Users can be created in the router local database using the username command.
local-case	The same as local, but uses case-sensitive local username authentication.
none	Uses no authentication when this method is processed.

Table 8-5. Authorization Methods

Keyword	Description
group radius	Uses the list of all RADIUS servers for authentication. The NAS device requests authorization information from the RADIUS security server. RADIUS authorization defines specific rights for users by associating attribute-value pairs, which are stored in a database on the RADIUS server, with the appropriate user.
group tacacs+	Uses the list of all TACACS+ servers for authentication. The NAS requests authorization information from the TACACS+ server. TACACS+ authorization defines specific rights for users by associating attribute-value pairs, which are stored in a database on the TACACS+ server, with the appropriate user.
if-authenticated	The user is allowed to access the requested function, provided he has been authenticated successfully.
local	Uses the local username database for authentication. The router will check its local database, as defined by the username command. The local database offers a limited set of functions with a limited control.
none	No authorization (always succeeds). The router does not request authorization information; authorization is not performed over this line/interface.

Table 8-6. Accounting Methods

Keyword	Description
group radius	Uses the list of all RADIUS servers for accounting. The NAS reports user activity to the RADIUS server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the server.
group tacacs+	Uses the list of all TACACS+ servers for authentication. The NAS reports user activity to the TACACS+ server in the form of accounting records. Each accounting record contains accounting AV pairs and is stored on the server.

Authentication Methods

The following methods are available in the aaa authentication login command. These lists are applied using the login authentication command under the line configuration mode.

Authorization Methods

The following methods are available in the aaa authorization login command. These lists are applied by using the authorization command under the line configuration mode.

Accounting Methods

The following methods are available in the aaa accounting command. These lists are applied by using the accounting command under the line configuration mode.

Server Groups

Server groups can be used to group any RADIUS or TACACS+ server hosts for use in the method lists. Subsets of hosts can be specified for a particular service; for instance, for login authentication, use server1; for PPP authentication, use server2. Server groups can also include multiple host entries for the same server, as long as each entry has a unique identifier.

Example 8-1 shows two RADIUS groups configured with different server addresses. The login authentication is using the first server group yusuf1, and the ppp authentication is using the second group yusuf2. The server group also allows definition of a separate shared secret key. In Example 8-1, the first group yusuf1 will use the default RADIUS key cisco123 configured globally, whereas the second group yusuf2 has its own unique secret key cisco456.

Example 8-1. Configuring Server Groups

aaa group server radius yusuf1 server 172.16.1.1 aaa group server radius yusuf2 server-private 172.16.1.2 key cisco456 ! aaa authentication login default group yusuf1 aaa authentication ppp default group yusuf2 ! radius-server key cisco123

Service Types for AAA Functions

A basic understanding of method lists and server groups enables you to effectively use the service types available for each AAA service. It is important to understand that various services are available and that the previously described methods can be used in different ways.

Authentication Services

AAA allows you to perform the types of service authentication listed in Table 8-7 by using the aaa authentication command.

Table 8-7. Authentication Services

Keyword	Description
arap	Used to enable authentication lists for AppleTalk Remote Access Protocol (ARAP)
login	Used to enable authentication lists for any ASCII-based logins, such as Telnet, SSH
enable	Used to set authentication lists for enabling access on the router
ppp	Used to enable authentication lists for any PPP-based protocol, such as ISDN, remote dial-in

Example 8-2 shows how to configure basic login authentication using the TACACS+ server with a default method list and a fallback method to the local user database. When using the default group, there is no need to apply it on any interface, because the command is applied to all the lines on the device.

Example 8-2. Login Authentication Using TACACS+ Server

aaa new-model aaa authentication login default group tacacs+ local ! tacacs-server host 192.168.1.1 tacacs-server key cisco

Authorization Services

AAA allows you to perform various types of authorization for all network-related services, including IP, Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), and AppleTalk Remote Access Protocol (ARAP). Service parameters are set to define a user's access to the network resources. The NAS is able to control user access to the network and network resources and allow users to perform only certain functions after successful authentication. Table 8-8 lists the types of authorization services that are available when you use the aaa authorization command.

Table 8-8. Authorization Services

Keyword	Description of Use
network	Authorizes network connections (PPP, SLIP, ARAP).
Exec	Authorizes attributes associated with a user EXEC terminal session (shell).
command	Authorizes the EXEC mode (shell) commands that a user issues. Command authorization attempts authorization for all EXEC mode commands associated with a specific privilege level.
Config-commands	Same as above; authorizes configuration mode commands.
Auth-proxy	Authorizes Authentication Proxy Service by applying specific security policies on a per-user basis.
Configuration	Downloads configurations from the AAA server.
Reverse-access	Reverses Telnet sessions.
ipmobile	Authorizes for Mobile IP services.

Authorization services can be configured to run for all network-related service requests, including IP, IPX, SLIP, PPP, Telnet, and ARAP.

Attribute-Value (AV) Pairs for Authorization

AV pairs are variable information exchanged by the RADIUS and TACACS+ server during the authorization phase to define service levels for users. AV pairs are used to define specific authentication, authorization, and accounting elements in a user profile. The attributes are stored in the server database, defined and associated with the users and groups, and sent to the NAS for enforcement, where they are applied to the user's connection.

For a list of Cisco-supported RADIUS and TACACS+ Attribute-Value pairs, refer to the Cisco technical documentation.

Accounting Service

The AAA accounting feature provides the means to track the services being used by the user and per-user resource utilization. The NAS sends accounting information in the form of accounting records to the server (RADIUS or TACACS+). Each accounting record contains accounting AV pairs, which are stored on the server and can be used for network management, reports, billing, and auditing.

Table 8-9 lists the types of accounting services available when using the aaa accounting command. Accounting services can be configured to run for all network-related service requests.

Table 8-9. Accounting Services

Keyword	Description
Network	Network accounting provides information for all network-related services, including PPP, SLIP, or ARAP sessions. This also includes the packet and byte counts for each connection.
Connection	Connection accounting provides information about all outbound connections made from the NAS, such as outbound Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin.
Exec	EXEC accounting provides information about user EXEC terminal sessions (user shells) on the NAS, including username, date, start and stop times, the access server IP address, and (for dial-in users) the telephone number the call originated from.
System	System accounting provides information about all system-level events (for example, when the system reboots or when accounting is enabled or disabled).
Command	Command accounting provides information about the EXEC shell commands for a specified privilege level that are being executed on a NAS. Each command accounting record includes a list of the commands executed for that privilege level, as well as the date and time each command was executed, and the user who executed it.