After you decide which AAA service you want to use, you configure AAA on your network device in two steps: first enable AAA, and then set the parameters for the security protocol you selected.
Before you can use the AAA network security services available to you, you must enable AAA. To accomplish this, use the following command:
R8(config)#aaa new-model
NOTE
Upon enabling AAA, IOS no longer lets you use the older TACACS or extended TACACS protocols.
If desired, you can disable AAA functionality using the following command:
R8(config)#no aaa new-model
Deciding which parameters you want to configure for your selected security protocol depends on the protocol you want to use. Because the parameters are protocol-specific, they are explained in the following sections.
AAA security services support several authentication types:
Login authentication
PPP authentication
ARAP authentication
NASI authentication
You also have the option of defining the following parameters:
Specifying the amount of time for login input
Enabling password protection at the privileged level
Changing the text displayed at the password prompt
Configuring message banners for AAA authentication
Configuring AAA packet of disconnect
Enabling double authentication
Enabling automated double authentication
Some of these items are discussed further in the following sections.
Login authentication enables AAA authentication for logins, whatever login authentication method you decide to use. You create one or more lists of authentication methods that will be tried at login and apply them with the login authentication command. To configure a login authentication list using AAA, use this command:
R8(config)#aaa authentication login {default | list-name} method1 [method2...]
list-name is a character string you use to name the list you are creating. The method arguments are the authentication methods, tried in the order listed. If you specify more than one method, the next method is tried only when the previous one returns an error (for example, every server in the group is unreachable), not when it fails (a server answers and rejects the credentials). You can use the none keyword as the final method to specify that authentication should succeed even if all other defined methods return an error; because this fails open whenever the servers are unreachable, reserve it for lines where that is acceptable. By using the default keyword, you can specify a default list that is applied automatically to all lines and interfaces that have no named list. Table 13-1 lists the supported login authentication methods.
| Keyword | Description |
|---|---|
| enable | The enable password is used for authentication. |
| line | The line password is used for authentication. |
| local | The local username database is used for authentication. |
| local-case | Makes the local username case-sensitive. |
| none | No authentication is used. |
| group radius | The list of all defined RADIUS servers is used for authentication. |
| group tacacs+ | The list of all defined TACACS+ servers is used for authentication. |
| group group-name | A subset of RADIUS or TACACS+ servers, defined by the aaa group server radius or aaa group server tacacs+ command, is used for authentication. |
| krb5 | Kerberos 5 is used for authentication. |
| krb5-telnet | When using Telnet to connect to the device, the Kerberos 5 Telnet authentication protocol is used for authentication. This keyword must be the first method in the method list. |
Your network might require giving your users remote access through some type of dialup connection, such as async or ISDN through an access server. Both of these dialup services present a unique problem when you are trying to control access through AAA. Neither uses the command-line interface of the network device. Instead, they start a network protocol, such as PPP or ARA, as soon as the connection is established. Fortunately, the AAA security service provides a solution to this problem by offering a variety of authentication methods for use on serial interfaces using PPP.
You can use the following command to configure AAA authentication methods for serial lines using PPP. It creates a named (or default) PPP authentication list:
R8(config)#aaa authentication ppp {default | list-name} method1 [method2...]
Table 13-2 lists the authentication methods available with PPP authentication.
| Keyword | Description |
|---|---|
| if-needed | No authentication is required if the user has already been authenticated on a TTY line. |
| local | The local username database is used for authentication. |
| local-case | A case-sensitive local username is used for authentication. |
| none | No authentication is attempted. |
| group radius | A defined list of all RADIUS servers is used for authentication. |
| group tacacs+ | A defined list of all TACACS+ servers is used for authentication. |
| group group-name | A subset of RADIUS or TACACS+ servers, defined by the aaa group server radius or aaa group server tacacs+ command, is used for authentication. |
| krb5 | When used with PAP authentication, Kerberos 5 is used for authentication. |
You can use the following command to configure AAA authentication with the AppleTalk Remote Access Protocol (ARAP). It enables authentication for ARAP users:
R8(config)#aaa authentication arap {default | list-name} method1 [method2...]
Table 13-3 lists ARAP's supported login authentication methods.
| Keyword | Description |
|---|---|
| auth-guest | Guest logins are allowed only if the user has already logged into EXEC. |
| guest | Guest logins are allowed. |
| line | The line password is used for authentication. |
| local | The local username database is used for authentication. |
| local-case | A case-sensitive local username is used for authentication. |
| group radius | A defined list of all RADIUS servers is used for authentication. |
| group tacacs+ | A defined list of all TACACS+ servers is used for authentication. |
When a user attempts to log into the device using the NetWare Asynchronous Services Interface (NASI), you can use the following command, which enables authentication for NASI users:
R8(config)#aaa authentication nasi {default | list-name} method1 [method2...]
Table 13-4 lists the NASI authentication methods you may choose from.
| Keyword | Description |
|---|---|
| enable | The enable password is used for authentication. |
| line | The line password is used for authentication. |
| local | The local username database is used for authentication. |
| local-case | Makes the local username case-sensitive. |
| none | No authentication is used. |
| group radius | The list of all defined RADIUS servers is used for authentication. |
| group tacacs+ | The list of all defined TACACS+ servers is used for authentication. |
| group group-name | A subset of RADIUS or TACACS+ servers, defined by the aaa group server radius or aaa group server tacacs+ command, is used for authentication. |
By default, the system waits 30 seconds for login input before timing out. You can use the following command to change this amount of time:
R8(config-line)#timeout login response seconds
You can require a user to be authenticated by the AAA subsystem when entering the privileged EXEC command level (the "enable" level) using the following command:
R8(config)#aaa authentication enable default method1 [method2...]
Requests for authentication sent to a RADIUS server include a username of $enab15$. Requests sent to a TACACS+ server include the username that is entered for login authentication.
Table 13-5 lists the supported enable authentication methods.
| Keyword | Description |
|---|---|
| enable | The enable password is used for authentication. |
| line | The line password is used for authentication. |
| none | No authentication is used. |
| group radius | The list of all defined RADIUS servers is used for authentication. |
| group tacacs+ | The list of all defined TACACS+ servers is used for authentication. |
| group group-name | A subset of RADIUS or TACACS+ servers, defined by the aaa group server radius or aaa group server tacacs+ command, is used for authentication. |
After you have defined your method list, the next step is to apply it to either a line or an interface. You can use one of the following commands to enter line or interface configuration mode.
Use this command to enter line configuration mode if you want to apply your method list to a line:
R8(config)#line [aux | console | tty | vty] line-number [ending-line-number]
Use this command to enter interface configuration mode if you want to apply your method list to an interface:
R8(config)#interface interface-type interface-number
You can use the following command to apply your login method list to a line or set of lines:
R8(config-line)#login authentication {default | list-name}
You can use the following command to apply the PPP authentication list to a line or set of lines. protocol1 and protocol2 represent the CHAP, MS-CHAP, and PAP protocols.
R8(config-if)#ppp authentication {protocol1 [protocol2...]} [if-needed] {default | list-name} [callin] [one-time]
You can use the following command to optionally enable autoselection of ARAP under a line:
R8(config-line)#autoselect arap
You can use the following command to optionally start the ARAP session automatically during user login:
R8(config-line)#autoselect during-login
You can use the following command to optionally enable ARAP authentication on a line, using the ARAP method list you defined:
R8(config-line)#arap authentication list-name
You can use the following command to optionally enable NASI authentication on a line:
R8(config-line)#nasi authentication list-name
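The following configuration, added here as a worked example rather than taken from the chapter, puts the authentication steps together on one router: it enables AAA, defines a TACACS+ server group, builds login, enable and PPP method lists with a local fallback, and binds them to the console line, the vty lines and a serial interface. The server addresses, shared keys, list names, usernames and passwords are placeholders.

```cisco
! Added example: AAA authentication end to end. Addresses, keys, names and
! passwords are placeholders; replace them before use.
aaa new-model
!
! Two TACACS+ servers and the named group the method lists refer to.
! The shared keys are stored in the running configuration.
tacacs-server host 192.0.2.10 key TacacsKeyOne
tacacs-server host 192.0.2.11 key TacacsKeyTwo
aaa group server tacacs+ ADMIN-TAC
 server 192.0.2.10
 server 192.0.2.11
!
! Fallback account in the local database. It is consulted only when every
! server in ADMIN-TAC returns an error (unreachable), never when a server
! answers and rejects the credentials.
username admin privilege 15 secret Str0ngLocalPassw0rd
enable secret Str0ngEnableSecret
!
! Default login list: TACACS+ first, local database if the servers are down.
! It applies to every line that has no named list (the vty lines below).
aaa authentication login default group ADMIN-TAC local
! Named list for the console: local only, so the console still works during
! a server or WAN outage.
aaa authentication login CONSOLE local
! Entering privilege 15: TACACS+ sees the login username; the enable secret
! is used only if the servers return an error.
aaa authentication enable default group ADMIN-TAC enable
! PPP callers on async/ISDN interfaces. if-needed skips the PPP challenge
! for users already authenticated on the TTY line.
aaa authentication ppp DIALIN if-needed group ADMIN-TAC local
!
! Fail-open variant, shown for contrast only: with "none" last, anyone can
! log in while the servers are unreachable. Do not use it on remote lines.
! aaa authentication login default group ADMIN-TAC none
!
line console 0
 login authentication CONSOLE
 timeout login response 15
line vty 0 4
 login authentication default
!
interface Serial0
 encapsulation ppp
 ppp authentication chap DIALIN
```

The ordering of methods is the security decision: with group ADMIN-TAC followed by local, a TACACS+ rejection is final and the local account is reachable only during an outage, whereas a list ending in none accepts any login as soon as the servers stop answering.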
AAA authorization builds on AAA authentication by allowing you to limit which of your services a user can access. With AAA authorization, a user's profile is used to retrieve information from the local user database or the security server to configure the user's session to grant access to a requested service. Access is allowed only if you granted the access in the user's profile.
Much like method lists you configure for authentication, a method list for authorization defines the manner in which authorization will be performed, as well as the sequence in which these methods will be executed. Several different authorization types are available for you to define in your method lists:
Commands: Applies authorization to the EXEC mode commands a user may issue. Command authorization is attempted for all EXEC mode commands associated with a specific privilege level.
EXEC: Applies to the user's attributes during an EXEC terminal session.
Network: Used with network connections.
Auth-proxy: Used to apply security policies on a per-user basis.
Reverse-access: Used with reverse-Telnet sessions.
AAA gives you five different methods you can use with authorization:
None: Authorization information is not requested or required.
Local: A local database, defined by the username command, is consulted for authorization.
If-Authenticated: If the user was previously authenticated, he or she is allowed access to the function without further authorization.
TACACS+: A TACACS+ security daemon is used for authorization, defined by associating attribute-value pairs with a user's assigned rights.
RADIUS: A RADIUS security server is used for authorization, defined by associating attribute-value pairs with a user's assigned rights.
Before you can configure AAA authorization, you must perform the following tasks:
Enable AAA on your network device.
Configure AAA authentication, because authorization requires authentication to work properly.
Define the characteristics of your security server if you are defining RADIUS or TACACS+ authorization.
Define a local database. Use the username command if you are using local authorization.
Both RADIUS and TACACS+ authorization use attributes to define the specific rights you want to grant your users. The attributes for both RADIUS and TACACS+ are defined on the security server, associated with your user, and sent to your network device, when requested. There the attributes are applied to your user's connection. Because both TACACS+ and RADIUS support many different attributes, you should consult your server's documentation to determine which attributes you can use.
Configuring AAA authorization takes three steps, each of which is looked at in further detail in the following sections.
You can use the following command to configure AAA authorization for a particular authorization type and enable authorization using named method lists:
R8(config)#aaa authorization {auth-proxy | network | exec | commands level | reverse-access | configuration | ipmobile} {default | list-name} [method1 [method2...]]
After you define the list, you apply it. Use the following command to apply an authorization list to a line or set of lines:
R8(config-line)#authorization {arap | commands level | exec | reverse-access} {default | list-name}
Use the following command to apply a PPP authorization list to an interface:
R8(config-if)#ppp authorization {default | list-name}
If you decide to implement AAA authorization for all EXEC mode commands, you might encounter a problem in which AAA authorization becomes confused by the fact that some configuration commands are identical to some EXEC-level commands. You can prevent this behavior by stopping your network device from attempting configuration command authorization using the following command. Be aware that this exempts every configuration-mode command from authorization, so a user who reaches configuration mode can then change anything; keep configuration command authorization on unless the confusion actually causes problems:
R8(config)#no aaa authorization config-commands
In most circumstances, you will use Telnet (or, preferably, SSH, which does not expose the credentials on the wire) to gain remote access to your network devices. Other times, you might be required to establish a reverse-Telnet session to a device. A reverse-Telnet session is simply a Telnet connection that you establish in the opposite direction you normally would, such as from inside your network to an access server on your network edge, to gain access to a modem. You would also use reverse Telnet to provide your users with dial-out capability using Telnet to access modem ports attached to your access server.
Authentication during reverse Telnet is accomplished using the standard AAA login procedure specified for Telnet: the user provides a username and password to establish either a Telnet or a reverse-Telnet session. Reverse-Telnet authorization adds an optional second level of security by requiring authorization in addition to authentication. It provides the following benefits:
It ensures that users attempting reverse-Telnet activities are authorized to access the specific asynchronous port they are requesting.
It provides a second method, other than access lists, of managing reverse-Telnet access.
You can configure your network device to request authorization information from a TACACS+ or RADIUS server before allowing a user to establish a reverse-Telnet session by using the following command:
R8(config)#aaa authorization reverse-access method1 [method2...]
Although enabling this feature lets your network device request reverse-Telnet authorization information from the security server, you still have to configure the specific privileges for your user regarding reverse Telnet.
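The following configuration is added here as a worked example and is not from the chapter. It builds on a working login list and shows EXEC, per-command, configuration-command, reverse-Telnet and PPP network authorization, with TACACS+ as the primary method. The addresses, keys, list names and usernames are placeholders.

```cisco
! Added example: AAA authorization for EXEC shells, commands, reverse Telnet
! and PPP. Addresses, keys and names are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key TacacsKeyOne
aaa group server tacacs+ ADMIN-TAC
 server 192.0.2.10
username admin privilege 15 secret Str0ngLocalPassw0rd
! Authorization requires authentication to have run first.
aaa authentication login default group ADMIN-TAC local
!
! EXEC authorization: the server returns the user's shell attributes (for
! example the privilege level); the local database is used if it errors.
aaa authorization exec default group ADMIN-TAC local
! Per-command authorization at privilege 15 and 1. The second method decides
! what happens when the servers are unreachable: if-authenticated allows any
! command for an authenticated user (fail open, but avoids a lockout);
! omitting it denies every command until a server answers (fail closed).
aaa authorization commands 15 default group ADMIN-TAC if-authenticated
aaa authorization commands 1 default group ADMIN-TAC if-authenticated
! Keep configuration-mode commands under command authorization. This is the
! default once command authorization is on; "no aaa authorization
! config-commands" would exempt them.
aaa authorization config-commands
! Reverse Telnet to modem ports on an access server: ask the server before
! opening the asynchronous port.
aaa authorization reverse-access default group ADMIN-TAC
! Dial-in PPP users: network authorization pulls per-user attributes such as
! addresses and access lists from the server.
aaa authorization network DIALIN group ADMIN-TAC
!
! The console line is not subject to authorization unless you also configure
! "aaa authorization console"; leaving that out keeps a recovery path.
line vty 0 4
 authorization exec default
 authorization commands 15 default
 authorization commands 1 default
!
interface Async1
 encapsulation ppp
 ppp authorization DIALIN
```

The rights themselves (which commands a user may run, which privilege level the shell starts at) live on the TACACS+ server as AV pairs; the router only asks and enforces the answer, so the fallback method is what determines behaviour during an outage.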
AAA accounting lets you track the services your users are accessing and the amount of network resources they are consuming. Your network device reports your users' activities to your TACACS+ or RADIUS security server in the form of accounting records. Each accounting record is composed of accounting AV pairs and is stored on the security server.
Much like authentication and authorization, AAA accounting uses method lists to define the manner and order in which accounting will be performed. Named accounting method lists let you designate specific security protocols for specific lines or interfaces; the one exception is the default method list, which is applied automatically to every line and interface for which you have not explicitly applied a named list. You can define a method list for each type of accounting you are interested in. Six different types of AAA accounting are supported:
Network: Supplies information on all PPP, SLIP, or ARAP sessions.
EXEC: Supplies information on user EXEC sessions on your network devices.
Commands: Supplies information about commands a user issues while in EXEC mode for a specific privilege level.
Connection: Supplies information about outbound connections, such as Telnet, made from your network device.
System: Supplies information about system-level events. System accounting can be defined only with the default list for AAA accounting.
Resource: Supplies "start" and "stop" records for calls that have passed user authentication. Also provides "stop" records for calls that fail to authenticate.
After they are defined, you must apply your AAA accounting method lists to specific lines or interfaces before any of your defined methods are performed. If you use the aaa accounting command for a particular accounting type without specifying a named method list, the default method list is automatically applied to the lines and interfaces that have no named list. If a line or interface has no named list applied and you have not defined a default method list, no accounting takes place for it.
Currently, only two accounting methods are supported: TACACS+ and RADIUS. In both cases, user activity is reported to the security server in the form of accounting records, each composed of accounting AV pairs and stored on the server.
"Start" and "stop" records are provided by AAA accounting for calls that have passed user authentication so that you may manage and maintain your network. These "start" and "stop" records, called start-stop records, send a "start" record at every call setup and a corresponding "stop" record at the call's completion. A second start-stop record lets you track a user's management progress. Both of these start-stop accounting records can be associated with each other through the use of a unique session ID for the call. Additionally, "stop" records are provided for calls that fail to reach the user authentication stage of a call setup sequence. If you choose to do so, you can disable the sending of a "start" record, because most of the information in the typical "start" record is also included in the "stop" record.
If your networking environment has several AAA servers, you can take advantage of the AAA broadcast feature. The AAA broadcast feature for accounting allows accounting information to be broadcast to several AAA servers at the same time.
Broadcasting can be used for a group of RADIUS or TACACS+ servers. Each server group can define backup servers for failover independently of other groups.
Before you can configure AAA accounting through named method lists, you must complete the following tasks:
Configure and enable AAA on your network devices.
If you are using RADIUS or TACACS+ accounting, define the characteristics of your RADIUS or TACACS+ security server.
The configuration tasks for AAA accounting are discussed in further detail in the following sections.
AAA accounting named method lists are specific to the indicated type of accounting:
network: Creates a method list to provide accounting records for all network-related service requests.
exec: Creates a method list to provide accounting records detailing user EXEC terminal sessions on the network devices.
commands: Creates a method list for accounting information about specific, individual EXEC commands associated with a specific privilege level.
connection: Creates a method list for accounting information about all outbound connections made from the network device.
resource: Creates a method list that provides accounting records for calls that have passed user authentication or calls that failed to be authenticated.
If you want to receive only a minimal amount of accounting information, you can use the stop-only keyword. This keyword instructs the specified method, whether RADIUS or TACACS+, to send a stop record accounting notice only at the end of the requested user process. If you want to receive more accounting information, you can use the start-stop keyword to send a start accounting notice at the beginning of the requested event and a stop accounting notice at the completion of the event. If you do not want to receive any accounting information from a line or interface, you can use the none keyword.
The method argument refers to the actual method AAA uses to report accounting information, that is, where the accounting records are sent. AAA accounting supports the following methods:
group radius: Sends accounting records to the list of all defined RADIUS servers.
group tacacs+: Sends accounting records to the list of all defined TACACS+ servers.
group group-name: Sends accounting records to a subset of RADIUS or TACACS+ servers that you define with the aaa group server command.
You can use the following commands to create an accounting method list and enable accounting:
R8(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [method1 [method2...]]
After you create your accounting method list, you can use one of the following commands to apply the method list to a line or interface:
R8(config-line)#accounting {arap | commands level | connection | exec} {default | list-name}
or
R8(config-if)#ppp accounting {default | list-name}
AAA accounting generates accounting records for all users on the system, including users whose username string is NULL, because of protocol translation. You can use the following command to prevent the generation of accounting records for NULL username sessions:
R8(config)#aaa accounting suppress null-username
When you use the aaa accounting update command, your network device sends interim accounting records for all users currently using the device. The newinfo keyword sends an interim record to your accounting server whenever new accounting information is generated (for example, when a PPP user's IP address has been negotiated). The periodic keyword sends an interim record every number minutes; each interim record carries all the accounting information recorded for that user up to the time it is sent, so a short period on a busy access server generates a large amount of accounting traffic. You can use the following command to enable interim accounting records:
R8(config)#aaa accounting update [newinfo] [periodic number]
AAA accounting does not, by default, generate accounting records for users who fail login authentication or who succeed in login authentication but fail PPP negotiation for some reason. You can use the following command to generate accounting stop records for users who fail to authenticate at login or during session negotiation:
R8(config)#aaa accounting send stop-record authentication failure
If you are required by your company policies to keep your network start-stop records together, such as for billing purposes, you can specify that NETWORK records be generated before EXEC-stop records. You can use the following command to nest accounting records for user sessions:
R8(config)#aaa accounting nested
You can use the following command to enable resource failure stop accounting to generate a "stop" record for any call that does not reach user authentication:
R8(config)#aaa accounting resource method-list stop-failure group server-group
You can use the following command to enable full resource accounting for start-stop records:
R8(config)#aaa accounting resource method-list start-stop group server-group
You can use the following command to configure AAA broadcast accounting by modifying the aaa accounting command with the broadcast keyword:
R8(config)#aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] method1 [method2...]
You also can configure AAA broadcast accounting for dialed number identification service (DNIS) on a per-call basis by modifying the aaa dnis map accounting network command with the broadcast keyword:
R8(config)#aaa dnis map dnis-number accounting network [start-stop | stop-only | none] [broadcast] method1 [method2...]
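The following configuration is added here as a worked example and is not from the chapter. It shows the accounting types and options from this section on one device: EXEC, command, connection and system accounting to a TACACS+ group, network accounting broadcast to both a TACACS+ and a RADIUS group, resource accounting, and the stop-record, null-username, interim-update and nesting options, followed by the line and interface bindings. The addresses, keys, group names and the 15-minute interval are placeholders.

```cisco
! Added example: AAA accounting for management sessions, commands, dial-in
! sessions and system events. Addresses, keys and names are placeholders.
aaa new-model
tacacs-server host 192.0.2.10 key TacacsKeyOne
radius-server host 192.0.2.20 auth-port 1812 acct-port 1813 key RadiusKeyOne
aaa group server tacacs+ ADMIN-TAC
 server 192.0.2.10
aaa group server radius BILLING-RAD
 server 192.0.2.20 auth-port 1812 acct-port 1813
aaa authentication login default group ADMIN-TAC local
!
! Who logged in, from where, and for how long: start and stop records for
! every EXEC session.
aaa accounting exec default start-stop group ADMIN-TAC
! Every command at privilege 15 and 1, reported as it is issued. Command
! accounting produces only stop records and needs TACACS+.
aaa accounting commands 15 default stop-only group ADMIN-TAC
aaa accounting commands 1 default stop-only group ADMIN-TAC
! Outbound connections (Telnet and the like) opened from the device.
aaa accounting connection default start-stop group ADMIN-TAC
! Reloads and other system-level events; system accounting takes only the
! default list.
aaa accounting system default start-stop group ADMIN-TAC
! Dial-in sessions, sent at the same time to the admin TACACS+ group and to
! the billing RADIUS group (broadcast accounting).
aaa accounting network default start-stop broadcast group ADMIN-TAC group BILLING-RAD
! Stop records for calls that never reach user authentication.
aaa accounting resource default stop-failure group ADMIN-TAC
!
! Failed logins and failed PPP negotiations also produce a stop record, so
! password guessing shows up on the accounting server.
aaa accounting send stop-record authentication failure
! Drop records for sessions whose username is NULL (protocol translation).
aaa accounting suppress null-username
! Interim records every 15 minutes for long-lived sessions.
aaa accounting update periodic 15
! Send the NETWORK stop record before the EXEC stop record for billing.
aaa accounting nested
!
line vty 0 4
 accounting exec default
 accounting commands 15 default
 accounting commands 1 default
 accounting connection default
!
interface Async1
 encapsulation ppp
 ppp accounting default
```

For incident response the two lines that matter most are the command accounting (every privileged command, attributed to a username, on a server the operator cannot edit) and the stop record on authentication failure, without which failed logins leave no trace on the accounting server.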