ccie.nyquist.eu
Search…
Table of Contents
Layer 2 Technologies
Ethernet Switching
Layer 2 WAN Protocols
IPv4
IPv4 Addressing
IPv4 Routing
IPv6
IPv6-101
IPv6 Routing
Interconnecting IPv6 and IPv4
MPLS
MPLS 101
MPLS L3 VPN
Multicast
Multicast 101
PIM 101
IGMP 101
Inter Domain Multicast
IPv6 Multicast
Multicast features on switches
Security
NAT 101
NAT for Overlapping Networks
ACLs 101
ACLs 102
Cisco IOS Firewall
Zone Based Firewall
AAA 101
Controlling CLI Access
Control Plane
Switch Security
IPSec VPN 101
DMVPN 101
Network Services
NTP 101
HTTP 101
File Transfer 101 – TFTP & FTP
WCCP 101
QoS
QoS 101
Classification and Marking
Congestion Management
Congestion Avoidance – WRED
Policing and Shaping
Compression and LFI
Frame Relay QoS
RSVP 101
Switching QoS
Network Optimization
NetFlow 101 – TNF – Traditional NetFlow
NetFlow 102 – FNF – Flexible NetFlow
IP SLA 101
IP Accounting 101
Logging 101
SNMP and RMON 101
Cisco CLI Tips and Tricks
AutoInstall
Enhanced Object Tracking
Network Architecture
Hierarchical Network Architecture
Powered By GitBook
AAA 101

Enabling AAA new-model

AAA stands for Authentication, Authorization and Accounting. Authentication is the process of identifying users based on some credentials (passwords, digital certificates, tokens). Authorization is the process of allowing an authenticated user to access specific services or a specific level of administration, while accounting is the process of tracking and logging a user’s actions while authenticated. To enable the new-model of AAA implementation on a Cisco device, use:
R(config)# aaa new-model

Methods

Authentication methods can be grouped in 2 categories: Group methods and Non-Group methods. Group methods include protocols such as RADIUS, TACACS+ or Kerberos. These protocols require an external server that handles authentication requests. The non-group methods include local login (usernames defined locally), enable passwords or line passwords.

Radius

To define a radius server that will process AAA requests, use the following commands:
R(config)# radius-server host {HOST|IP-ADDR} [auth-port PORT] [acct-port PORT] [timeout SEC] [retransmit RETRIES] [key KEY] [alias {HOST|IP-ADDR}]
! Configures a radius server
All Radius servers are by default part of the radius group, but custom groups that include subsets of the radius group can be configured:
R(config)# aaa group server radius RADIUS-GROUP
R(config-sg-radius)# server IP-ADDR [auth-port PORT] [acct-port PORT]

TACACS+

TACACS+ is configured in a similar way:
R(config)# tacacs-server host {HOST|IP-ADDR} [single-connection] [port PORT] [timeout SEC] [key KEY]
All TACACS+ servers are by default part of the tacacs+ group, but custom groups that include subsets of the tacacs+ group can be configured:
R(config)# aaa group server tacacs+ TACACS+GROUP
R(config-sg-tacacs)# server {HOST|IP-ADDR}

Local and Local-case

Just define the usernames on the local router:
R(config)# username USER [privilege {1-15}] [password PASS | secret SECRET]
The local method use the case-insensitive users locally defined, while the local-case method uses case-sensitive values.

Enable Password

R(config)# enable [password PASS | secret SECRET]

Line Passwords

Line password uses the passwords defined on each line:
R(config-line)# password PASS

Authentication

Authentication lists

An authentication list consists of one or more authentication methods that are used, in order, for authentication. The first method in the list is used and if the result is an accept or a reject, the other methods are not used. They are used only if the previous methods are not available (like a server response timeout). Authentication lists can be defined for several features that may require authentication. A default list is already applied for each feature, but other lists can be defined, or the default list can be populated.
R(config)# aaa authentication LIST-TYPE {default|LIST-NAME} METHODS-LIST
! Some LIST-TYPEs can be:
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable (privileged mode)
login Set authentication lists for logins.
ppp Set authentication lists for ppp.
! METHODS LIST can include:
enable Use enable password for authentication.
group {GROUP-NAME|radius|tacacs+} Use Radius/Tacacas+ Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication
Unless a LIST-NAME is specified, the router uses the default lists, but the default configuration of the default lists doesn’t show up in the configuration (by default). If you define the default lists yourself, they will show up in the config. If you don’t, the router uses the Permanenet lists, which are predefined.
! For PPP and VTY line authenticaion, it uses the Permanent Local list, which is similar to:
R(config)# aaa authentication ppp default local
! For Console line authentication, it uses the Permanent None list, which is similar to:
R(config)# aaa authentication ppp default none
! For Enable authentication, it uses the Permanent Enable list, which is similar to:
R(config)# aaa authentication enable default enable

Applying authentication lists

Line Authentication (console, vty)

R(config)# line {con | vty LINE-START [LINE-END]}
R(config-line)# login authentication {default|LOGIN-LIST-NAME}
! attach the LOGIN-LIST-NAME to a line

PPP Authentication

R(config-if)# ppp authentication {chap|pap|...} {default | PPP-LIST-NAME}
! authenticate using the PPP-LIST-NAME

Privilege mode Authentication

You can’t define custom lists, but you can change the authentication enable default list.

Authorization

Authorization Lists

Authorization lists are created similarly to authentication lists:
R(config)# aaa authorization LIST-TYPE {LIST-NAME|default} METHODS-LIST
! LIST-TYPE can be:
commands For exec (shell) commands.
configuration For downloading configurations from AAA server
exec For starting an exec (shell).
network For network services. (PPP, SLIP, ARAP)
reverse-access For reverse access connections
! methods in METHODS-LIST are similar to authorization methods, but there's a new one:
if-authenticated Succeed if user has already authenticated.

Applying authorization lists

Authorization usually works hand in hand with. But it can be also used with default privilege levels.

Authorize access to EXEC mode

By default, the VTY privilege level is set to 1. You can change this level if you set
R(config-line)# privilege level LEVEL
This means all users that login via the VTY will be assigned this privilege LEVEL.
You can use a dynamic method of assigning users with an authentication level (radius, tacacs, local) or you can fallback to the line configuration (if-authenticated). First define the EXEC-LIST-NAME method list, and then you apply it on the vty line:
R(config-line)# authorization exec {EXEC-LIST-NAME|default}
The same is true for console lines too, except by default authorization always succeeds and assigns the users to level 15 (Applies to router only, not switches), regardless of the authorization exec list defined on the console line. To enable the use of the list, you must also run:
R(config)# aaa authorization console

Authorize commands

R(config-line)# authorization commands PRIV-LEVEL {COMMANDS-LIST-NAME|default}
When command authorization is enabled, the router will check if the user is authorized to run the specified command. It is useless to authorize both exec and commands against the local database since the privilege level defined there will be the same for both authorization types. It makes sense to authorize commands against another server where allowed commands for each user can be defined. A user is able to run all commands enabled for its privilege level and all inferior levels, but authorization will only be checked for the commands enabled at the PRIV-LEVEL specified in the authorization command. By default, only exec commands are checked. To enable authorization for configuration commands also, use:
R(config)# aaa authorization config-commands

Authorize PPP

To enable authorization for PPP, use:
R(config-if)# ppp autorization {default|LIST-NAME}

Accounting

Accounting keeps track of the users’s actions while connected to the system.

Accounting Lists

To define an accounting list, use:
R(config)# aaa accounting LIST-TYPE {default|LIST-NAME} {start-stop|stop-only|none} METHOD-LIST
!LIST-TYPE:
network For network services. (PPP, SLIP, ARAP)
connection For outbound connections. (telnet, rlogin)
exec For starting an exec (shell).
system For system events.
commands For exec (shell) commands.
! METHOD-LIST:
group radius Uses RADIUS
group tacacs+ Uses TACACS+

Applying accounting lists

Line accounting

To enable line accounting, use:
R(config)# accounting {exec|connection|commands|resource} {default|LIST-NAME}
! exec = info about EXEC sessions
! commands = info about commands issued
! connections = info about outbound connections
! resource = info about passed and failed authentications

Interface accounting

PPP Accounting

To enable PPP accounting, use:
R(config-if)# ppp accounting {default|LIST-NAME}
! info about PPP sessions, including packet and byte count
Security - Previous
Zone Based Firewall
Next - Security
Controlling CLI Access
Last modified 10mo ago
Copy link
On this page
Enabling AAA new-model
Methods
Radius
TACACS+
Local and Local-case
Enable Password
Line Passwords
Authentication
Authentication lists
Applying authentication lists
Authorization
Authorization Lists
Applying authorization lists
Accounting
Accounting Lists
Applying accounting lists