Aaa

AAA – Authentication, Authorization, Accounting
Introduction
- Access control is the way to control who is allowed to access to the network devices, and what
services are allowed to use once a user has been granted access (authenticated).
- Authentication, Authorization, and Accounting (AAA) is the standard and common network
access control security framework that has been widely implemented in Cisco networks.
- Below briefly describes the functions and roles for each AAA service:
Authentication Validates the identity of a user using login and password prompting.
Authorization Grants certain access privileges or rights to the services requested by the
authenticated user.
Accounting Tracks user access (eg: when, from where, what services have been accessed,
what actions have been performed, what commands have been executed,
when the command has been executed, how long the access has been lasted)
in the network. Accounting records can be sent either to a remote AAA or
Syslog server, and can be imported into a spreadsheet program for viewing.
- Below lists some acronyms for the main elements in AAA-based network access environment:
NAS Network Access Server. Act as a AAA client.
RADIUS Remote Authentication Dial-in User Service.
TACACS+ Terminal Access Controller Access Control System Plus.
1 Copyright © 2006 Yap Chin Hoong

yapchinhoong@hotmail.com
General AAA Configuration
- Below shows the general AAA sample configuration:

Router#conf t
Router(config)#ip tacacs source-interface Loopback0
Router(config)#tacacs-server host 10.10.10.10
Router(config)#tacacs-server key abc123
Router(config)#tacacs-server directed-request
Router(config)#aaa new-model
Router(config)#aaa session-id common
Router(config)#
- The ip tacacs source-interface {type num} global configuration command specifies the IP
address of an interface as the source address of the packets sent to the TACACS+ server. This
ensures devices such as routers, which normally have many interfaces and IP addresses, use a
specified IP address for all communications with the TACACS+ server. Additionally, the
TACACS+ server uses an IP address to identify a particular device (or NAS).
Note: Normally loopback interface addresses (eg: Loopback0) would be used for routers and
management interface addresses (eg: VLAN1) would be used for switches.
- The tacacs-server host {ip-addr} global configuration command specifies a TACACS+

server. The tacacs-server key {key} global configuration command specifies the shared
secret encryption key used for all communications between the NAS and the TACACS+ server.
Note: Multiple TACACS+ servers can also be implemented by defining a server group.
However, this topic is out of the scope of this document.
- The tacacs-server directed-request global configuration command configures a NAS to

send only the username to a specified TACACS+ server, while the no-truncate option or the
no form of this command will configure a NAS to send the whole string (both the username and
hostname) to the default TACACS+ server. The directed-request mode is the default operation
mode.
- Example: username = root, hostname = 10.10.10.11.

TACACS+ Servers: 10.10.10.10 (default), 10.10.10.11.
root@10.10.10.11 is entered as username upon the login prompt of a NAS.
With directed-request mode, the root will be sent as the username to 10.10.10.11.
With no truncate mode, root@10.10.10.11 will be sent as the username to 10.10.10.10.

- Below shows the AAA Authentication debugging messages when root@10.10.10.10 is entered
as username upon the login prompt of the NAS with the directed-request mode:
Router#debug aaa authentication
AAA Authentication debugging is on
Router#
00:05:13: AAA/AUTHEN/START (xxx): port='tty1' list='ssh_telnet' action=LOGIN
service=LOGIN
00:05:13: AAA/AUTHEN/START (xxx): found list ssh_telnet
00:05:13: AAA/AUTHEN/START (xxx): Method=tacacs+ (tacacs+)
00:05:13: AAA/AUTHEN (xxx): status = GETUSER
00:05:18: AAA/AUTHEN/CONT (xxx): continue_login (user='(undef)')
00:05:18: AAA/AUTHEN (xxx): Method=tacacs+ (tacacs+)
00:05:18: TAC+: send abort reason=Switching to directed server @ 10.10.10.10
00:05:18: AAA/AUTHEN (xxx): status = GETPASS
00:05:20: AAA/AUTHEN/CONT (xxx): continue_login (user='root')
00:05:21: AAA/AUTHEN (xxx): status = PASS
Router#
- Below shows AAA Authentication debugging messages when root@10.10.10.10 is entered as

username upon the login prompt of the NAS with the no-truncate mode. The authentication
process failed because there is no such username – root@10.10.10.10 configured in the
10.10.10.10 TACACS+ server.
Router#
service=LOGIN
00:08:53: TAC+: send abort reason=Switching to directed server @ 10.10.10.10
00:08:55: AAA/AUTHEN/CONT (xxx): continue_login (user='root@10.10.10.10')
00:08:55: AAA/AUTHEN (xxx): status = FAIL
Router#
- The aaa new-model global configuration command is used to enable and initialize the AAA
access control service.

- The aaa session-id {common | unique} global configuration command specifies whether
the same or different session ID will be used for each AAA accounting service type. AAA
supports 6 types of accounting – EXEC, Connection, Network, Command, System, and Resource.
The common is the default mode.
Note: This command is only available for Cisco IOS Release 12.2 and later. Most workgroup
and access layer switches (eg: Catalyst 3550, Catalyst 2950) do not support this command.
- Below shows the output of the show aaa sessions and show aaa user all EXEC commands
with the aaa session-id common in effect. It shows the same session ID was used for both the
EXEC and NET AAA accounting service types.
Router>sh aaa sessions
Total sessions since last reload: 1
Session Id: 110
Unique Id: 220
User Name: root
IP Address: 10.10.10.2
Idle Time: 0
CT Call Handle: 0
Router>
Router>sh aaa user all
--------------------------------------------------
Unique id 220 is currently in use.
Accounting:
update method(s) :
NEWINFO
update interval = 0
Outstanding Stop Records : 0
EXEC: Username=root
Session Id=0000006E Unique Id=000000DC
Start Sent=1 Stop Only=N
stop_has_been_sent=N
Method List=640691B4 : Name = default
Attribute list:
xxxxxxxx 0 00000001 session-id(294) 4 110(6E)
xxxxxxxx 0 00000001 start_time(299) 4 Mar 1 1993 00:10:49
No data for type CONN
NET: Username=(n/a)
Session Id=0000006E Unique Id=000000DC
Method List=0
Attribute list:
xxxxxxxx 0 00000001 session-id(294) 4 110(6E)
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 10
No data for type CALL
<output omitted>

- Below shows the output of the show aaa sessions and show aaa user all EXEC commands
with the aaa session-id unique in effect. It shows the different session ID was used for the
EXEC and NET AAA accounting service types.
Router>sh aaa sessions
Total sessions since last reload: 3
Session Id: 112
Unique Id: 221
User Name: root
Idle Time: 0
CT Call Handle: 0
Session Id: 114
Unique Id: 221
User Name: root
Idle Time: 0
CT Call Handle: 0
Router>
Router>sh aaa user all
--------------------------------------------------
Unique id 220 is currently in use.
Accounting:
update method(s) :
NEWINFO
update interval = 0
Outstanding Stop Records : 0
EXEC: Username=root
Session Id=00000070 Unique Id=000000DD
Method List=640691B4 : Name = default
Attribute list:
xxxxxxxx 0 00000001 session-id(294) 4 112(70)
No data for type CONN
NET: Username=(n/a)
Session Id=00000072 Unique Id=000000DD
Method List=0
Attribute list:
xxxxxxxx 0 00000001 session-id(294) 4 114(72)
No data for type CMD
No data for type SYSTEM
No data for type RM CALL
No data for type RM VPDN
No data for type AUTH PROXY
No data for type IPSEC-TUNNEL
No data for type RESOURCE
No data for type 10
No data for type CALL
[output omitted]

Authentication Configuration
- Below shows the AAA Authentication sample configuration:

Router(config)#username root secret abc123
Router(config)#aaa authentication login local_console local
Router(config)#aaa authentication login ssh_telnet group tacacs+ local
Router(config)#line con 0
Router(config-line)#login authentication local_console
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication ssh_telnet
Router(config)#
- The aaa authentication login {default | method-list-name} {method1} [method2…]

global configuration command creates authentication method lists that define the authentication
methods used to authenticate a user. An authentication method list is used in conjunction with the
login authentication {method-list-name} line subcommand.
- The configuration above first creates an authentication method list named local_console, which
uses the local username database as the only authentication method. The authentication method
list is then applied on the console (con 0) with the login authentication {method-list-name}
line subcommand.
- The configuration above then creates another authentication method list named ssh_telnet,
which uses the TACACS+ server group as the 1st method for user authentication. The local
username database is used as the backup method in case all TACACS+ servers in the server
group are unavailable. The authentication method list is then applied on the Telnet / SSH virtual
terminals (vty 0 4) with the login authentication {method-list-name} line subcommand.
- Below shows the AAA Authentication debugging messages for the Console access to the NAS.
The user root is granted access to the NAS via the console.
Router#debug aaa authentication
AAA Authentication debugging is on
Router#
00:15:31: AAA/AUTHEN/START (xxx): port='tty0' list='local_console'
action=LOGIN service=LOGIN
00:15:31: AAA/AUTHEN/START (xxx): found list local_console
00:15:31: AAA/AUTHEN/START (xxx): Method=LOCAL
00:15:32: AAA/AUTHEN/CONT (xxx): Method=LOCAL
Router#

- The local username database can be configured with the username {username} {password |
secret} {password} global configuration command. Below shows the AAA Authentication
debugging messages for the console access to the NAS with an unknown user:
Router#
00:18:34: AAA/AUTHEN/START (xxx): port='tty0' list='local_console'
action=LOGIN service=LOGIN
00:18:34: AAA/AUTHEN/START (xxx): found list local_console
00:18:42: AAA/AUTHEN/CONT (xxx): continue_login (user='admin')
00:18:42: AAA/AUTHEN (xxx): User not found
00:18:42: AAA/AUTHEN (xxx): status = FAIL
Router#
- Below shows the AAA Authentication debugging messages for the Telnet / SSH access to the
NAS when the TACACS+ server is available:
Router#
service=LOGIN
Router#
- Below shows the AAA Authentication debugging messages for the Telnet / SSH access to the
NAS when the TACACS+ server is unavailable. An ERROR response is first received from the
TACACS+ server. The NAS then tried the LOCAL authentication method.
service=LOGIN
00:20:57: AAA/AUTHEN (xxx): status = ERROR

Authorization Configuration
- Below shows the AAA Authorization sample configuration:

Router(config)#aaa authorization exec default group tacacs+ local
Router(config)#aaa authorization commands 15 ssh_telnet group tacacs+ none
Router(config)#aaa authorization config-commands
Router(config)#line vty 0 4
Router(config-line)#authorization commands 15 ssh_telnet
Router(config)#
- The aaa authorization exec {default | method-list-name} {method1} [method2…]

creates authorization method lists that determine whether an authenticated user will be granted an
EXEC shell.
- The configuration above modifies the default EXEC authorization method list named default,
which uses the TACACS+ server group as the 1st method, and the local database is used as the
backup method in case all TACACS+ servers in the server group are unavailable.
- Below shows the AAA Authorization debugging messages for the Telnet / SSH access to the
NAS when the TACACS+ server is available. An EXEC shell is granted to the user.
Router#debug aaa authorization
AAA Authorization debugging is on
Router#
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): Port='tty1' list='' service=EXEC
00:24:19: AAA/AUTHOR/EXEC: tty1 (xxx) user='root'
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): send AV service=shell
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): send AV cmd*
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): found list "default"
00:24:19: tty1 AAA/AUTHOR/EXEC (xxx): Method=tacacs+ (tacacs+)
00:24:19: AAA/AUTHOR/TAC+: (xxx): user=root
00:24:19: AAA/AUTHOR/TAC+: (xxx): send AV service=shell
00:24:19: AAA/AUTHOR/TAC+: (xxx): send AV cmd*
00:24:20: AAA/AUTHOR (xxx): Post authorization status = PASS_ADD
00:24:20: AAA/AUTHOR/EXEC: Authorization successful
Router#
- EXEC shell authorization can be configured in a user group or an individual user basis. User
authorization overrides group authorization.
- The EXEC shell authorization for a user group can be configured via the Group Setup  Select
a user group  Edit Settings  TACACS+ Settings  Shell (exec) option in the Cisco Secure
ACS server; while the EXEC shell authorization for an individual user can be configured via the
User Setup  Input a name in the User field  Add / Edit  TACACS+ Settings  Shell
(exec) option in the Cisco Secure ACS server *.
* Note: Ensure that the Interface Configuration  Advanced Options  Per-user
TACACS+/RADIUS Attributes option and the Interface Configuration  TACACS+ (Cisco
IOS)  User option for Shell (exec) are enabled.

- The aaa authorization commands {privilege-level} {default | method-list-name}
{method1} [method2…] global configuration command creates authorization method lists that
determine whether to run authorization for all commands at the specified privilege level.
- The aaa authorization commands 15 ssh_telnet group tacacs+ none global

configuration command creates an authorization method list named ssh_telnet, which uses the
TACACS+ server group as the 1st authorization method to authorize all privilege level 15
commands (eg: show running-config, configure terminal). The none method, which
means no authorization is performed, is used as the backup method in case all TACACS+ servers
in the server group are unavailable.
- The ssh_telnet command authorization method list is then applied on the Telnet / SSH virtual
terminals (vty 0 4) with the authorization commands {privilege-level} {method-list-name}
line subcommand.
- Below shows the AAA Authorization debugging messages when issuing the show running-
config command (a privilege level 15 command) in the NAS when the TACACS+ server is
available. The user root is authorized to execute the command.
Router#
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): Port='tty1' list='ssh_telnet'
service=CMD
00:30:19: AAA/AUTHOR/CMD: tty1 (xxx) user='root'
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV service=shell
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=show
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=running-config
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=<cr>
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): found list "ssh_telnet"
00:30:19: tty1 AAA/AUTHOR/CMD (xxx): Method=tacacs+ (tacacs+)
Router#
- Below shows the AAA Authorization debugging messages when issuing the show running-
config privileged command (a privilege level 15 command) in the NAS when the TACACS+
server is unavailable. An ERROR response is first received from the TACACS+ server. The NAS
then tried the NONE authorization method. Finally the command is authorized to be executed.
Router#
service=CMD
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=show
00:35:45: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=running-config
00:35:55: AAA/AUTHOR (xxx): Post authorization status = ERROR
00:35:55: tty1 AAA/AUTHOR/CMD (xxx): Method=NONE
Router#

- Shell command authorization can be configured in a user group or an individual user basis. User
authorization overrides group authorization.
- Shell Command Authorization Sets can be created, edited, and deleted via the Shared Profile
Components  Shell Command Authorization Sets option in the Cisco Secure ACS server. A
shell command authorization set can be assigned to a user group via the Group Setup  Select
a user group  Edit Settings  TACACS+ Settings  Shell Command Authorization Set
section; while a shell command authorization set can be assigned to an individual user via the
User Setup  Input a name in the User field  Add / Edit  TACACS+ Settings  Shell
Command Authorization Set section.
- The aaa authorization config-commands global configuration command enables

authorization for configuration commands. Configuration command authorization is disabled by
default when the aaa authorization commands global configuration command is issued.
- Below shows the AAA Authorization debugging messages when the user root issues the
interface FastEthernet 0/1 global configuration command without configuration command
authorization in effect:
Router#
service=CMD
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=configure
00:38:50: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=terminal
Router#
00:38:57: AAA/AUTHOR: config command authorization not enabled
Router#
- Below shows the AAA Authorization debugging messages when the user root issues the
interface FastEthernet 0/1 global configuration command with configuration command
authorization in effect:
Router#
service=CMD
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd=interface
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=FastEthernet
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=0
00:42:38: tty1 AAA/AUTHOR/CMD (xxx): send AV cmd-arg=1
Router#

Accounting Configuration
- Below shows the AAA Accounting sample configuration:

Router(config)#aaa accounting update newinfo
Router(config)#aaa accounting exec default start-stop group tacacs+
Router(config)#aaa accounting system default start-stop group tacacs+
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
- The aaa accounting update newinfo global configuration command configures a NAS to
send accounting records to the TACACS+ server whenever there is new accounting information
to report. Additionally, another version of the command – aaa accounting update periodic
{min}, configure a NAS to generate periodic accounting records continuously during active
sessions, which can cause heavy congestion if many users are logged into the network.
- The aaa accounting exec default start-stop group tacacs+ global configuration
command configures a NAS to run accounting for both the start and stop of all the EXEC shell
sessions in the NAS. The accounting records can be viewed via the TACACS+ Accounting
Report. Access the report via the Report and Activity  TACACS+ Accounting option in the
Cisco Secure ACS server.
- Below shows the AAA Accounting debugging messages when the user root starts (after being
authenticated) and stops an EXEC shell session.
Router#debug aaa accounting
00:50:14: AAA/ACCT/EXEC/START User root, port tty1
00:50:14: AAA/ACCT/EXEC: Found list "default"
00:50:14: AAA/ACCT/EXEC/START User root, Port tty1,
task_id=x timezone=MY service=shell
00:50:14: AAA/ACCT: user root, acct type 0 (xxx): Method=tacacs+ (tacacs+)
00:50:14: TAC+: (xxx): received acct response status = SUCCESS
00:50:30: AAA/ACCT/EXEC/STOP User root, Port tty1:
task_id=x timezone=MY service=shell disc-cause=1 disc-cause-ext=xxx
elapsed_time=xx nas-rx-speed=0 nas-tx-speed=0
Router#
- The aaa accounting system default start-stop group tacacs+ global configuration
command enables accounting for all system-level events not associated with users, eg: system
reboots. Below shows the AAA Accounting debugging messages when the router is reloaded.
The reload event record can be viewed via both the TACACS+ Accounting Report and
TACACS+ Administration Report in the Cisco Secure ACS server.
Router#reload
Proceed with reload? [confirm]
00:55:21: %SYS-5-RELOAD: Reload requested

00:55:21: AAA/ACCT/unknown: task_id=x timezone=MY service=system
event=sys_acct reason=shutdown
00:55:21: AAA/ACCT: user , acct type 4 (xxx): Method=tacacs+ (tacacs+)

- The aaa accounting commands {privilege-level} {default | method-list-name} {start-
stop | stop-only | none} group {radius | tacacs+ | server-group-name} global
configuration command creates accounting method lists that determine whether to run
accounting for all commands at the specified privilege level.
- Below describes all the accounting notice methods:

Method Description
start-stop Provides maximum accounting services. Sends a “start” and a “stop” accounting
notice at both the beginning and the end of the requested process respectively.
stop-only Provides minimal accounting services. Only sends a “stop” accounting notice at
the end of the requested process.
none Disables accounting services.
- The aaa accounting commands 15 default start-stop group tacacs+ global

configuration command configures the NAS to run accounting for all privilege level 15
commands (eg: show running-config, configure terminal) and send the accounting records
to the TACACS+ server.
- Below shows the AAA Accounting debugging messages when the user root issues the show
running-config privileged command (a privilege level 15 command) in the NAS:
Router#
00:05:02: AAA/ACCT/CMD: User root, Port tty1, Priv 15:
"show running-config <cr>"
00:05:02: AAA/ACCT/CMD: Found list "default"
Router#

Cisco Secure ACS Server Configuration
- Access the Cisco Secure ACS server with TCP Port 2002. Ex: http://10.10.10.10:2002/
- Below shows the steps for adding a user account:

i) Click User Setup.
ii) Input a name in the User field.
iii) Click Add / Edit.
iv) Input the supplementary user info if applicable.
v) Input the password in the first set of Password and Confirm Password fields.
vi) Assign the user to a user group (if applicable).
vii) Click Submit.
viii) Test the new user account by login into an AAA Authentication-enabled NAS.
- Below shows the steps for adding a new AAA client (or NAS):
i) Click Network Configuration.
ii) Select the Network Device Group for the new AAA client.
iii) Click Add Entry below the AAA Clients Table.
iv) Input the hostname of the AAA client in the AAA Client Hostname field.
v) Input the IP address of the AAA client in the AAA Client IP Address field.
vi) Input the shared secret encryption key used for all communications between the AAA
client and the TACACS+ server in the Key field.
vii) Enable the Log Update/Watchdog Packets from this AAA Client option.
viii) Click Submit + Restart.
ix) Test the new AAA client by login into the AAA client (or NAS) with a known user, and
verify the AAA operations with a series of reports in the Reports and Activity option.
- Below shows the steps for adding a new shell command authorization set:
i) Click Shared Profile Components.
ii) Select Shell Command Authorization Sets option.
iii) Click Add.
iv) Input the name for the command authorization set in the Name field.
v) Input the description for the command authorization set in the Description field.
vi) Input the full command word in the field above the Add Command button.
vii) Click Add Command.
viii) To add an argument for a command, select a command from the command list, and type
the argument in the box to the right of the command.
ix) Click Submit.
Appendix
- The aaa accounting update [newinfo] periodic {min} global configuration command
configure a NAS to generate periodic accounting records continuously during active sessions.
This can provide an approximate session length (or elapsed time) of a session if an AAA client
fails (eg: power off), which no stop packet will be received to indicate the end of the session.
The logged watchdog packets can be viewed via the TACACS+ Accounting Report. Access the
report via the Report and Activity  TACACS+ Accounting option.
Note: This command works in conjunction with the Log Update/Watchdog Packets from this
AAA Client option for AAA client configuration in the Cisco Secure ACS server.

Aaa

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Aaa

Încărcat de

Drepturi de autor:

Formate disponibile

AAA – Authentication, Authorization, Accounting

1 Copyright © 2006 Yap Chin Hoong

- Below shows the general AAA sample configuration:

- The tacacs-server host {ip-addr} global configuration command specifies a TACACS+

- The tacacs-server directed-request global configuration command configures a NAS to

- Example: username = root, hostname = 10.10.10.11.

2 Copyright © 2006 Yap Chin Hoong

- Below shows AAA Authentication debugging messages when root@10.10.10.10 is entered as

3 Copyright © 2006 Yap Chin Hoong

4 Copyright © 2006 Yap Chin Hoong

5 Copyright © 2006 Yap Chin Hoong

- Below shows the AAA Authentication sample configuration:

- The aaa authentication login {default | method-list-name} {method1} [method2…]

6 Copyright © 2006 Yap Chin Hoong

7 Copyright © 2006 Yap Chin Hoong

- Below shows the AAA Authorization sample configuration:

- The aaa authorization exec {default | method-list-name} {method1} [method2…]

8 Copyright © 2006 Yap Chin Hoong

- The aaa authorization commands 15 ssh_telnet group tacacs+ none global

9 Copyright © 2006 Yap Chin Hoong

- The aaa authorization config-commands global configuration command enables

10 Copyright © 2006 Yap Chin Hoong

- Below shows the AAA Accounting sample configuration:

00:55:21: %SYS-5-RELOAD: Reload requested

11 Copyright © 2006 Yap Chin Hoong

- Below describes all the accounting notice methods:

- The aaa accounting commands 15 default start-stop group tacacs+ global

12 Copyright © 2006 Yap Chin Hoong

- Below shows the steps for adding a user account:

S-ar putea să vă placă și