Introduction
- Access control determines who is allowed to access the network devices, and which services a user
is allowed to use once access has been granted (authenticated).
- Authentication, Authorization, and Accounting (AAA) is the standard network access control security
framework, and it is widely implemented in Cisco networks.
- Below briefly describes the function and role of each AAA service:
Authentication: Validates the identity of a user, using login and password prompting.
Authorization: Grants certain access privileges or rights to the services requested by the
authenticated user.
Accounting: Tracks user access in the network (eg: when, from where, what services have been
accessed, what actions have been performed, what commands have been executed, when each
command was executed, and how long the access lasted). Accounting records can be sent
either to a remote AAA or Syslog server, and can be imported into a spreadsheet program
for viewing.
- Below lists some acronyms for the main elements in an AAA-based network access environment:
NAS: Network Access Server. Acts as an AAA client.
RADIUS: Remote Authentication Dial-In User Service.
TACACS+: Terminal Access Controller Access Control System Plus.
- The ip tacacs source-interface {type num} global configuration command specifies the IP
address of an interface as the source address of the packets sent to the TACACS+ server. This
ensures that devices such as routers, which normally have many interfaces and IP addresses, use a
single specified IP address for all communications with the TACACS+ server. This matters because
the TACACS+ server identifies a particular AAA client (or NAS) by its source IP address and looks
up the shared key configured for that client; a request arriving from an address that is not
configured on the server is rejected.
Note: Normally loopback interface addresses (eg: Loopback0) would be used for routers and
management interface addresses (eg: VLAN1) would be used for switches.
- The aaa new-model global configuration command enables and initializes the AAA access control
service. Enabling it changes how every line authenticates from that moment on, so apply it from a
session that is kept open, make sure that at least one local user exists, and verify that the
intended method lists are applied to the console and vty lines before disconnecting.
- Below shows the output of the show aaa sessions and show aaa user all EXEC commands
with the aaa session-id common global configuration command in effect. This command makes the
NAS use one session ID for all accounting records of a session, which lets the AAA server
correlate them; the output shows the same session ID (110, or 0x6E) used for both the EXEC and
NET AAA accounting service types.
Router>sh aaa sessions
Total sessions since last reload: 1
Session Id: 110
Unique Id: 220
User Name: root
IP Address: 10.10.10.2
Idle Time: 0
CT Call Handle: 0
Router>
Router>sh aaa user all
--------------------------------------------------
Unique id 220 is currently in use.
Accounting:
update method(s) :
NEWINFO
update interval = 0
Outstanding Stop Records : 0
EXEC: Username=root
Session Id=0000006E Unique Id=000000DC
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=640691B4 : Name = default
Attribute list:
xxxxxxxx 0 00000001 session-id(294) 4 110(6E)
xxxxxxxx 0 00000001 start_time(299) 4 Mar 1 1993 00:10:49
No data for type CONN
NET: Username=(n/a)
Session Id=0000006E Unique Id=000000DC
Start Sent=0 Stop Only=N
stop_has_been_sent=N
Method List=0
Attribute list:
xxxxxxxx 0 00000001 session-id(294) 4 110(6E)
xxxxxxxx 0 00000001 start_time(299) 4 Mar 1 1993 00:10:47
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 10
No data for type CALL
<output omitted>
- The configuration above first creates an authentication method list named local_console, which
uses the local username database as the only authentication method. The authentication method
list is then applied on the console (con 0) with the login authentication {method-list-name}
line subcommand.
- The configuration above then creates another authentication method list named ssh_telnet,
which uses the TACACS+ server group as the first method for user authentication. The local
username database is used as the backup method in case all TACACS+ servers in the server
group are unavailable. The authentication method list is then applied on the Telnet / SSH virtual
terminals (vty 0 4) with the login authentication {method-list-name} line subcommand.
Note: The next method in a list is tried only when the previous method returns an ERROR (eg: no
TACACS+ server responded). A FAIL returned by a reachable TACACS+ server (wrong password,
unknown user, or a user the server denies) ends the method list and the login is refused; it does
not fall through to the local username database.
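- The AAA client-side configuration that the method lists described above imply, as an added
example (it is not the configuration from the original page). The Loopback0 address, the local
username, both secrets and the SSH-only transport are assumptions; the ACS address 10.10.10.10 is
the one used later on this page.

```cisco
! Added example: NAS (AAA client) configuration implied by the text above.
! Assumed values: Loopback0 address, local username, both secrets.
hostname Router
!
! Local fallback account. Keep at least one, with a strong secret, so that the
! console list and the "local" fallback of ssh_telnet still work when ACS is down.
! (placeholder secret, change it)
username admin privilege 15 secret Ch4ngeMe-L0cal
!
! Assumed NAS address; this is the address registered as the AAA client on ACS.
interface Loopback0
 ip address 10.10.10.1 255.255.255.255
!
aaa new-model
! one session ID for all accounting records of a session
aaa session-id common
!
! ACS server (address from this page) with its shared key (placeholder).
! Source all TACACS+ traffic from Loopback0 so that ACS always sees 10.10.10.1.
tacacs-server host 10.10.10.10 key Ch4ngeMe-T4cacs
ip tacacs source-interface Loopback0
!
! Method lists as described: console = local only; vty = ACS, then local.
! The "local" fallback is reached only when every TACACS+ server times out
! (ERROR); an explicit reject from ACS (FAIL) ends the list and denies login.
aaa authentication login local_console local
aaa authentication login ssh_telnet group tacacs+ local
!
line con 0
 login authentication local_console
line vty 0 4
 login authentication ssh_telnet
 ! Telnet carries the password in clear text; allow SSH only
 ! (assumes SSH is already set up: ip domain-name, crypto key generate rsa)
 transport input ssh
```

Apply this from a session that stays open and verify before disconnecting: show tacacs reports
whether the server is reachable, test aaa group tacacs+ {user} {password} legacy exercises the
server from the NAS itself with a user defined on ACS, and a fresh SSH login followed by show aaa
sessions confirms that the new session was accounted.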
- Below shows the AAA Authentication debugging messages for the Console access to the NAS.
The user root is granted access to the NAS via the console.
Router#debug aaa authentication
AAA Authentication debugging is on
Router#
00:15:31: AAA/AUTHEN/START (xxx): port='tty0' list='local_console'
action=LOGIN service=LOGIN
00:15:31: AAA/AUTHEN/START (xxx): found list local_console
00:15:31: AAA/AUTHEN/START (xxx): Method=LOCAL
00:15:31: AAA/AUTHEN (xxx): status = GETUSER
00:15:32: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:15:32: AAA/AUTHEN (xxx): status = GETUSER
00:15:32: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:15:32: AAA/AUTHEN (xxx): status = GETPASS
00:15:34: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:15:34: AAA/AUTHEN (xxx): status = GETPASS
00:15:34: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:15:34: AAA/AUTHEN (xxx): status = PASS
Router#
- Below shows the AAA Authentication debugging messages for Telnet / SSH access to the NAS
when the TACACS+ server is available:
Router#
00:20:08: AAA/AUTHEN/START (xxx): port='tty1' list='ssh_telnet' action=LOGIN
service=LOGIN
00:20:08: AAA/AUTHEN/START (xxx): found list ssh_telnet
00:20:08: AAA/AUTHEN/START (xxx): Method=tacacs+ (tacacs+)
00:20:08: AAA/AUTHEN (xxx): status = GETUSER
00:20:10: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:20:10: AAA/AUTHEN (xxx): status = GETUSER
00:20:10: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:20:10: AAA/AUTHEN (xxx): status = GETPASS
00:20:11: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:20:11: AAA/AUTHEN (xxx): status = GETPASS
00:20:11: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:20:11: AAA/AUTHEN (xxx): status = PASS
Router#
- Below shows the AAA Authentication debugging messages for Telnet / SSH access to the NAS
when the TACACS+ server is unavailable. The tacacs+ method returns ERROR once no server has
answered within the timeout (note the 5-second gap between the START and ERROR lines, which
matches the default tacacs-server timeout). The NAS then tries the next method in the list,
LOCAL, and the user root is authenticated from the local username database.
00:20:52: AAA/AUTHEN/START (xxx): port='tty1' list='ssh_telnet' action=LOGIN
service=LOGIN
00:20:52: AAA/AUTHEN/START (xxx): found list ssh_telnet
00:20:52: AAA/AUTHEN/START (xxx): Method=tacacs+ (tacacs+)
00:20:57: AAA/AUTHEN (xxx): status = ERROR
00:20:57: AAA/AUTHEN/START (xxx): Method=LOCAL
00:20:57: AAA/AUTHEN (xxx): status = GETUSER
00:21:02: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:21:02: AAA/AUTHEN (xxx): status = GETUSER
00:21:02: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:21:02: AAA/AUTHEN (xxx): status = GETPASS
00:21:04: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:21:04: AAA/AUTHEN (xxx): status = GETPASS
00:21:04: AAA/AUTHEN/CONT (xxx): Method=LOCAL
00:21:04: AAA/AUTHEN (xxx): status = PASS
- The configuration above modifies the default EXEC authorization method list named default,
which uses the TACACS+ server group as the first method, with the local database as the backup
method in case all TACACS+ servers in the server group are unavailable. With the local method,
the EXEC shell is granted with the privilege level configured for the user in the local database.
Note: EXEC and command authorization are not applied to the console port by default, even for
the default method list; the aaa authorization console global configuration command enables it
there. Leaving the console exempt keeps it usable as a recovery path when the TACACS+ servers
are down.
- Below shows the AAA Authorization debugging messages for the Telnet / SSH access to the
NAS when the TACACS+ server is available. An EXEC shell is granted to the user.
Router#debug aaa authorization
AAA Authorization debugging is on
Router#
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): Port='tty1' list='' service=EXEC
00:24:19: AAA/AUTHOR/EXEC: tty1 (xxx) user='root'
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): send AV service=shell
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): send AV cmd*
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): found list "default"
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): Method=tacacs+ (tacacs+)
00:24:19: AAA/AUTHOR/TAC+: (xxx): user=root
00:24:19: AAA/AUTHOR/TAC+: (xxx): send AV service=shell
00:24:19: AAA/AUTHOR/TAC+: (xxx): send AV cmd*
00:24:20: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
00:24:20: AAA/AUTHOR/EXEC: Authorization successful
Router#
- EXEC shell authorization can be configured on a user group or an individual user basis. User
authorization overrides group authorization.
- The EXEC shell authorization for a user group can be configured via the Group Setup > select
a user group > Edit Settings > TACACS+ Settings > Shell (exec) option in the Cisco Secure
ACS server; while the EXEC shell authorization for an individual user can be configured via the
User Setup > input a name in the User field > Add / Edit > TACACS+ Settings > Shell
(exec) option in the Cisco Secure ACS server *.
* Note: Ensure that the Interface Configuration > Advanced Options > Per-user
TACACS+/RADIUS Attributes option and the Interface Configuration > TACACS+ (Cisco
IOS) > User option for Shell (exec) are enabled.
- The ssh_telnet command authorization method list is then applied on the Telnet / SSH virtual
terminals (vty 0 4) with the authorization commands {privilege-level} {method-list-name}
line subcommand. Command authorization is configured per privilege level: a list checks only the
commands of the level it was defined and applied for, so a separate aaa authorization commands
entry (and line subcommand) is needed for every level whose commands should be checked (eg:
level 1 as well as level 15).
- Below shows the AAA Authorization debugging messages when issuing the show running-
config command (a privilege level 15 command) in the NAS when the TACACS+ server is
available. The user root is authorized to execute the command.
Router#
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet'
service=CMD
00:30:19: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=show
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=running-config
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=<cr>
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:30:19: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#
- Below shows the AAA Authorization debugging messages when issuing the show running-
config privileged command (a privilege level 15 command) on the NAS when the TACACS+
server is unavailable. The tacacs+ method returns ERROR after no server answers (the 10-second
gap between the request and the ERROR line). The NAS then tries the next method in the
ssh_telnet list, NONE, which authorizes every command unconditionally, and the command is
executed. In other words, a method list that ends in none fails open: for as long as the TACACS+
servers are unreachable, any user holding an EXEC session on the vty lines can run every
privilege level 15 command with no per-command check at all, and the server-side command
authorization sets described below have no effect. Reserve none for lab use, or accept the
trade-off knowingly.
Router#
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet'
service=CMD
00:35:45: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=show
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=running-config
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=<cr>
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:35:55: AAA/AUTHOR (xxx): Post authorization status = ERROR
00:35:55: tty1 AAA/AUTHOR/CMD (xxx): Method=NONE
00:35:55: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#
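- The authorization configuration that produces the behavior shown above, alongside a hardened
alternative, as an added example (it is not the configuration from the original page). The
method-list names follow the text; which lines the lists are applied to, the level-1 list and the
console treatment are assumptions.

```cisco
! Added example: authorization configuration (not the page's own config).
! Method-list names follow the text; the rest is assumed.
!
! EXEC authorization (default list): ACS first, local database as fallback.
! By default no authorization is applied to the console; it is enabled there
! only by "aaa authorization console". Leaving the console exempt keeps a
! local console login as the recovery path when ACS is unreachable.
aaa authorization exec default group tacacs+ local
!
! --- Alternative 1 (WEAK; matches the debug output above) ---
! When ACS does not answer, NONE authorizes every level-15 command for any
! user who holds an EXEC session, including one admitted by the "local"
! fallback of the login list. "if-authenticated" fails open in the same way.
aaa authorization commands 15 ssh_telnet group tacacs+ none
!
! --- Alternative 2 (HARDENED) ---
! Re-entering the list replaces alternative 1. With no fallback method an
! ERROR from ACS denies the command, so a vty user cannot run level-15
! commands while ACS is down; use the console (exempt above) instead.
aaa authorization commands 15 ssh_telnet group tacacs+
! Command authorization is per privilege level: level-1 commands are not
! checked unless a list exists and is applied for level 1 too.
aaa authorization commands 1 ssh_telnet group tacacs+
! Keep commands entered in configuration mode under authorization as well.
aaa authorization config-commands
!
line vty 0 4
 authorization commands 1 ssh_telnet
 authorization commands 15 ssh_telnet
```

Test the hardened list twice from a second vty session while a console session stays open: once
with ACS reachable (commands permitted by the server run, others are refused) and once with ACS
deliberately unreachable (every level-15 command on the vty is refused). The debug aaa
authorization output used on this page shows the status = ERROR line with no further method
behind it.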
- Shell Command Authorization Sets can be created, edited, and deleted via the Shared Profile
Components > Shell Command Authorization Sets option in the Cisco Secure ACS server. A
shell command authorization set can be assigned to a user group via the Group Setup > select
a user group > Edit Settings > TACACS+ Settings > Shell Command Authorization Set
section; while a shell command authorization set can be assigned to an individual user via the
User Setup > input a name in the User field > Add / Edit > TACACS+ Settings > Shell
Command Authorization Set section.
- Below shows the AAA Authorization debugging messages when the user root enters configuration
mode and issues the interface FastEthernet 0/1 global configuration command without
configuration command authorization in effect. Only the configure terminal command is sent to
the TACACS+ server; the interface command typed inside configuration mode is not checked, as
the last line of the output reports:
Router#
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet'
service=CMD
00:38:50: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=configure
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=terminal
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=<cr>
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:38:51: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#
00:38:57: AAA/AUTHOR: config command authorization not enabled
Router#
- Below shows the AAA Authorization debugging messages when the user root issues the
interface FastEthernet 0/1 global configuration command with configuration command
authorization (the aaa authorization config-commands global configuration command; its no
form disables it) in effect. Note how the command is sent to the TACACS+ server: the interface
number 0/1 arrives as two separate cmd-arg values, 0 and 1. Keep this in mind when writing
argument patterns for a shell command authorization set on the server:
Router#
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet'
service=CMD
00:42:38: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=interface
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=FastEthernet
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=0
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=1
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=<cr>
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
00:42:38: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
Router#
- The aaa accounting update newinfo global configuration command configures a NAS to
send an accounting record to the TACACS+ server whenever there is new accounting information
to report. Another form of the command, aaa accounting update periodic {min}, configures a
NAS to generate periodic (interim) accounting records continuously during active sessions, which
can cause heavy congestion if many users are logged into the network.
- The aaa accounting exec default start-stop group tacacs+ global configuration
command configures a NAS to send an accounting record at both the start and the stop of every
EXEC shell session on the NAS. The accounting records can be viewed via the TACACS+
Accounting Report; access the report via the Reports and Activity > TACACS+ Accounting option
in the Cisco Secure ACS server.
- Below shows the AAA Accounting debugging messages when the user root starts (after being
authenticated) and stops an EXEC shell session.
Router#debug aaa accounting
00:50:14: AAA/ACCT/EXEC/START User root, port tty1
00:50:14: AAA/ACCT/EXEC: Found list "default"
00:50:14: AAA/ACCT/EXEC/START User root, Port tty1,
task_id=x timezone=MY service=shell
00:50:14: AAA/ACCT: user root, acct type 0 (xxx): Method=tacacs+ (tacacs+)
00:50:14: TAC+: (xxx): received acct response status = SUCCESS
00:50:30: AAA/ACCT/EXEC/STOP User root, Port tty1:
task_id=x timezone=MY service=shell disc-cause=1 disc-cause-ext=xxx
elapsed_time=xx nas-rx-speed=0 nas-tx-speed=0
00:50:30: AAA/ACCT: user root, acct type 0 (xxx): Method=tacacs+ (tacacs+)
00:50:30: TAC+: (xxx): received acct response status = SUCCESS
Router#
- The aaa accounting system default start-stop group tacacs+ global configuration
command enables accounting for all system-level events not associated with users, eg: system
reboots. Below shows the router being reloaded with system accounting in effect (only the reload
prompt is reproduced). The reload event record can be viewed via both the TACACS+ Accounting
Report and the TACACS+ Administration Report in the Cisco Secure ACS server.
Router#reload
Proceed with reload? [confirm]
- Below shows the AAA Accounting debugging messages when the user root issues the show
running-config privileged command (a privilege level 15 command) in the NAS:
Router#
00:05:02: AAA/ACCT/CMD: User root, Port tty1, Priv 15:
"show running-config <cr>"
00:05:02: AAA/ACCT/CMD: Found list "default"
00:05:03: AAA/ACCT: user root, acct type 3 (xxx): Method=tacacs+ (tacacs+)
00:05:04: TAC+: (xxx): received acct response status = SUCCESS
Router#
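- The accounting configuration the text describes (EXEC, command, and system accounting, with
update records), as an added example that is not the page's own configuration. The command
accounting lines and the periodic interval are assumptions; the page only shows that command
records for privilege level 15 were sent.

```cisco
! Added example: accounting configuration (not the page's own config).
!
! Send a record whenever new information becomes available, plus an interim
! (watchdog) record every 15 minutes for each active session. The interval
! lets ACS estimate how long a session ran if the NAS dies without sending a
! stop record; every active session adds traffic, so do not set it too low.
aaa accounting update newinfo periodic 15
!
! Start and stop records for every EXEC shell session (the EXEC/START and
! EXEC/STOP debug lines above).
aaa accounting exec default start-stop group tacacs+
!
! One record per command executed at the given privilege level (the ACCT/CMD
! debug lines above). Record level 1 as well, otherwise commands run at level
! 1 leave no trace.
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
!
! System events not tied to a user, such as the reload above.
aaa accounting system default start-stop group tacacs+
```

Accounting is an audit trail, not a control: if no TACACS+ server can be reached, the EXEC
session and the commands still proceed and only the records are lost, so monitor the server side
for gaps. Verify on the NAS with the show aaa sessions and show aaa user all commands from this
page, and on ACS with the TACACS+ Accounting report; the interim records appear there only when
the Log Update/Watchdog Packets from this AAA Client option is enabled for the client.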
- Access the Cisco Secure ACS server administration interface on TCP port 2002. Ex: http://10.10.10.10:2002/
- Below shows the steps for adding a new AAA client (or NAS):
i) Click Network Configuration.
ii) Select the Network Device Group for the new AAA client.
iii) Click Add Entry below the AAA Clients Table.
iv) Input the hostname of the AAA client in the AAA Client Hostname field.
v) Input the IP address of the AAA client in the AAA Client IP Address field.
vi) Input the shared secret encryption key used for all communications between the AAA
client and the TACACS+ server in the Key field.
vii) Enable the Log Update/Watchdog Packets from this AAA Client option.
viii) Click Submit + Restart.
ix) Test the new AAA client by logging in to the AAA client (or NAS) with a known user, and
verifying the AAA operations with the reports in the Reports and Activity option.
- Below shows the steps for adding a new shell command authorization set:
i) Click Shared Profile Components.
ii) Select Shell Command Authorization Sets option.
iii) Click Add.
iv) Input the name for the command authorization set in the Name field.
v) Input the description for the command authorization set in the Description field.
vi) Input the full command word in the field above the Add Command button.
vii) Click Add Command.
viii) To add an argument for a command, select a command from the command list, and type
the argument in the box to the right of the command.
ix) Click Submit.
Appendix
- The aaa accounting update [newinfo] periodic {min} global configuration command
configures a NAS to generate periodic accounting records continuously during active sessions.
This provides an approximate session length (or elapsed time) for a session if an AAA client
fails (eg: power off), in which case no stop packet will ever be received to indicate the end of
the session. The logged watchdog packets can be viewed via the TACACS+ Accounting Report;
access the report via the Reports and Activity > TACACS+ Accounting option.
Note: This command works in conjunction with the Log Update/Watchdog Packets from this
AAA Client option in the AAA client configuration of the Cisco Secure ACS server; without that
option the interim records received from the client are not logged.
13 Copyright © 2006 Yap Chin Hoong
yapchinhoong@hotmail.com