AAA 101
AAA stands for Authentication, Authorization and Accounting. Authentication is the process of identifying users based on some credentials (passwords, digital certificates, tokens). Authorization is the process of allowing an authenticated user to access specific services or a specific level of administration, while accounting is the process of tracking and logging a user’s actions while authenticated.
To enable the new-model of AAA implementation on a Cisco device, use:
R(config)# aaa new-model
Authentication methods can be grouped in 2 categories: Group methods and Non-Group methods. Group methods include protocols such as RADIUS, TACACS+ or Kerberos. These protocols require an external server that handles authentication requests. The non-group methods include local login (usernames defined locally), enable passwords or line passwords.
RADIUS is now an industry standard and runs on UDP 1812 and UDP 1813. A RADIUS packet encrypts only the password field.
To define a radius server that will process AAA requests, use the following commands:
R(config)# radius-server host {HOST|IP-ADDR} [auth-port PORT] [acct-port PORT] [timeout SEC] [retransmit RETRIES] [key KEY] [alias {HOST|IP-ADDR}]
! Configures a radius server
All Radius servers are by default part of the radius group, but custom groups that include subsets of the radius group can be configured:
R(config)# aaa group server radius RADIUS-GROUP
R(config-sg-radius)# server IP-ADDR [auth-port PORT] [acct-port PORT]
TACACS+ is a Cisco proprietary protocol that runs on TCP 49. With TACACS the entire packet body is encrypted. TACACS+ is configured in a similar way as RADIUS:
R(config)# tacacs-server host {HOST|IP-ADDR} [single-connection] [port PORT] [timeout SEC] [key KEY]
All TACACS+ servers are by default part of the tacacs+ group, but custom groups that include subsets of the tacacs+ group can be configured:
R(config)# aaa group server tacacs+ TACACS+GROUP
R(config-sg-tacacs)# server {HOST|IP-ADDR}
Just define the usernames on the local router:
R(config)# username USER [privilege {1-15}] [password PASS | secret SECRET]
The local method use the case-insensitive users locally defined, while the local-case method uses case-sensitive values.
R(config)# enable [password PASS | secret SECRET]
Line password uses the passwords defined on each line:
R(config-line)# password PASS
An authentication list consists of one or more authentication methods that are used, in order, for authentication. The first method in the list is used and if the result is an accept or a reject, the other methods are not used. They are used only if the previous methods are not available (like a server response timeout).
Authentication lists can be defined for several features that may require authentication. A default list is already applied for each feature, but other lists can be defined, or the default list can be populated.
R(config)# aaa authentication LIST-TYPE {default|LIST-NAME} METHODS-LIST
! Some LIST-TYPEs can be:
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable (privileged mode)
login Set authentication lists for logins.
ppp Set authentication lists for ppp.
! METHODS LIST can include:
enable Use enable password for authentication.
group {GROUP-NAME|radius|tacacs+} Use Radius/Tacacas+ Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication
Unless a LIST-NAME is specified, the router uses the default lists, but the default configuration of the default lists doesn’t show up in the configuration (by default). If you define the default lists yourself, they will show up in the config.
If you don’t, the router uses the Permanenet lists, which are predefined.
! For PPP and VTY line authenticaion, it uses the Permanent Local list, which is similar to:
R(config)# aaa authentication ppp default local
! For Console line authentication, it uses the Permanent None list, which is similar to:
R(config)# aaa authentication ppp default none
! For Enable authentication, it uses the Permanent Enable list, which is similar to:
R(config)# aaa authentication enable default enable
R(config)# line {con | vty LINE-START [LINE-END]}
R(config-line)# login authentication {default|LOGIN-LIST-NAME}
! attach the LOGIN-LIST-NAME to a line
R(config-if)# ppp authentication {chap|pap|...} {default | PPP-LIST-NAME}
! authenticate using the PPP-LIST-NAME
You can’t define custom lists, but you can change the authentication enable default list.
Authorization lists are created similarly to authentication lists:
R(config)# aaa authorization LIST-TYPE {LIST-NAME|default} METHODS-LIST
! LIST-TYPE can be:
commands For exec (shell) commands.
configuration For downloading configurations from AAA server
exec For starting an exec (shell).
network For network services. (PPP, SLIP, ARAP)
reverse-access For reverse access connections
! methods in METHODS-LIST are similar to authorization methods, but there's a new one:
if-authenticated Succeed if user has already authenticated.
Authorization usually works hand in hand with. But it can be also used with default privilege levels.
By default, the VTY privilege level is set to 1. You can change this level if you set
R(config-line)# privilege level LEVEL
This means all users that login via the VTY will be assigned this privilege LEVEL.
You can use a dynamic method of assigning users with an authentication level (radius, tacacs, local) or you can fallback to the line configuration (if-authenticated).
First define the EXEC-LIST-NAME method list, and then you apply it on the vty line:
R(config-line)# authorization exec {EXEC-LIST-NAME|default}
The same is true for console lines too, except by default authorization always succeeds and assigns the users to level 15 (Applies to router only, not switches), regardless of the authorization exec list defined on the console line. To enable the use of the list, you must also run:
R(config)# aaa authorization console
R(config-line)# authorization commands PRIV-LEVEL {COMMANDS-LIST-NAME|default}
When command authorization is enabled, the router will check if the user is authorized to run the specified command. It is useless to authorize both exec and commands against the local database since the privilege level defined there will be the same for both authorization types. It makes sense to authorize commands against another server where allowed commands for each user can be defined.
A user is able to run all commands enabled for its privilege level and all inferior levels, but authorization will only be checked for the commands enabled at the PRIV-LEVEL specified in the authorization command.
By default, only exec commands are checked. To enable authorization for configuration commands also, use:
R(config)# aaa authorization config-commands
To enable authorization for PPP, use:
R(config-if)# ppp autorization {default|LIST-NAME}
Accounting keeps track of the users’s actions while connected to the system.
To define an accounting list, use:
R(config)# aaa accounting LIST-TYPE {default|LIST-NAME} {start-stop|stop-only|none} METHOD-LIST
!LIST-TYPE:
network For network services. (PPP, SLIP, ARAP)
connection For outbound connections. (telnet, rlogin)
exec For starting an exec (shell).
system For system events.
commands For exec (shell) commands.
! METHOD-LIST:
group radius Uses RADIUS
group tacacs+ Uses TACACS+
To enable line accounting, use:
R(config)# accounting {exec|connection|commands|resource} {default|LIST-NAME}
! exec = info about EXEC sessions
! commands = info about commands issued
! connections = info about outbound connections
! resource = info about passed and failed authentications
To enable PPP accounting, use:
R(config-if)# ppp accounting {default|LIST-NAME}
! info about PPP sessions, including packet and byte count
Last modified 6mo ago