Configuring AAA Using the Local User Database

Unauthorized access to a network creates the potential for network intruders to gain access to sensitive network equipment and services. The Cisco AAA architecture provides a means to address this threat through systematic, scalable access security. Of course, network users and would-be intruders are not the only ones to try to access the network. Network administrators also need access to network equipment, and AAA offers a secure means to provide this.

Authentication, Authorization, and Accounting

Providing network and administrative access in a Cisco environment—regardless of whether it involves campus, dialup, or Internet access—is based on a modular architecture that is composed of three functional components—authentication, authorization, and accounting:

■ Authentication: Authentication is the process by which users and administrators prove that they are who they claim to be. The network environment has a variety of mechanisms for providing authentication, including the use of a username and password, token cards, and challenge and response.

■ Authorization: After the user or administrator has been authenticated, authorization services are used to decide which resources he is allowed to access, as well as which operations he may perform.

■ Accounting and auditing: After being authenticated and authorized, the user or administrator begins to access the network. It is the role of accounting and auditing to record what the user or administrator actually did with this access, what he accessed, and how long he accessed it.

AAA for Cisco Routers

Cisco provides three ways to implement AAA services for Cisco routers:

■ Cisco Secure ACS Solution Engine: In this implementation, AAA services on either the router or network access server (NAS), which acts as a gateway to guard access to protected resources, contact an external Cisco Secure ACS Solution Engine for both user and administrator authentication. The Cisco Secure ACS SE is an appliance that contains CSA. This can be an easier approach for some organizations, rather than purchasing hardware, an OS license, CSA license, and ACS license. In this more complex configuration, the administrator would also have to take steps to lock down the server, whereas the ACS SE is already secure.

■ Cisco Secure Access Control Server (ACS) for Windows Server: This software package may be used for user and administrator authentication. AAA services on the router or NAS contact an external Cisco Secure ACS for Microsoft Windows systems. You need a separate license for CSA if this is what you want.

■ Self-contained AAA: AAA services are self-contained in either a router or NAS. Implemented in this fashion, this form of authentication is also known as local authentication.

One common implementation of AAA is its use in authenticating users accessing the corporate LAN through a remote connection such as dialup or over the Internet via an IPsec VPN. Another is authenticating an administrator's access to a router console port, auxiliary port, or vty ports.

AAA access control is supported on Cisco networking products using either a local username-password database or through a remote security server database. To provide access to a small group of network users, a local security database can be configured in the router using the username xyz password strongpassword command. The username secret command may also be used to configure a username and an associated MD5-encrypted secret.

A remote security server may also be used. This implementation uses a remote security database on a separate server running an AAA security protocol. This can provide AAA services for multiple network devices and a large number of network users.

Router Access Authentication

Three general steps are required to configure a Cisco router to perform AAA using a local user database for authentication. It is critical that you secure the interfaces of all your routers—most importantly, network access servers and perimeter routers connecting to the Internet. AAA commands are used to configure the router to secure administrative access and remote LAN network access. Table 4-2 compares the router access modes, port types, and AAA command elements.

Table 4-2 AAA Commands to Secure Administrative and Remote LAN Access

Access Type                  | Mode                          | Network Access Server Ports      | AAA Command Element
Remote administrative access | Character (line or EXEC mode) | TTY, vty, auxiliary, and console | login, exec, and enable commands
Remote network access        | Packet (interface mode)       | async, group-async, BRI, and PRI | ppp and network commands

Six steps are required to configure a Cisco router for local authentication:

Step 1 Secure access to privileged EXEC mode.

Step 2 Use the aaa new-model command to enable AAA globally on the perimeter router.

Step 3 Configure AAA authentication lists.

Step 4 Configure AAA authorization for use after the user has passed authentication.

Step 5 Configure the AAA accounting options.

Step 6 Verify the configuration.

Using AAA to Configure Local User Database Authentication

To configure a router to use the AAA process, you must begin by issuing the aaa new-model command. This command is a critical first step in establishing a local AAA user authentication account. By establishing the local authentication method, you can reestablish your Telnet or console session and use the locally defined authentication list to access the router should a connection be lost while you're configuring AAA. Failing to do this causes the administrator to be locked out of the router. If this is the case, you need physical access to the router (console session), and you are required to perform a password recovery sequence. In the most extreme cases, the entire configuration saved in NVRAM may be lost.

At a minimum, these commands should be entered, in this order:

Router(config)# aaa new-model
Router(config)# username username password password
Router(config)# aaa authentication login default local

The following is a complete list of aaa authentication commands for Cisco IOS Release 12.2 and later:

aaa authentication arap
aaa authentication banner
aaa authentication enable default
aaa authentication fail-message
aaa authentication local-override
aaa authentication login
aaa authentication nasi
aaa authentication password-prompt
aaa authentication ppp
aaa authentication username-prompt

For a complete description of each aaa authentication command, refer to Table 4-3.

Table 4-3 AAA Authentication Commands

aaa authentication arap
    To enable an AAA authentication method for AppleTalk Remote Access Protocol (ARAP) users using RADIUS or TACACS+, use the aaa authentication arap global configuration command. The no form of this command is used to disable this authentication.

aaa authentication banner
    Use this command to create a personalized login banner.

aaa authentication enable default
    Use the aaa authentication enable default global configuration command to enable AAA authentication to determine if a user can access the privileged command level. The no form of this command may be used to disable this authorization method.

aaa authentication fail-message
    This command creates a message that is displayed when a user login fails.

aaa authentication local-override
    This command is used to configure the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. The no form of this command may be used to disable the override.

aaa authentication login
    Use the aaa authentication login global configuration command to set AAA authentication at login. The no form of this command is used to disable AAA authentication.

aaa authentication nasi
    To specify AAA authentication for NetWare Access Server Interface (NASI) clients who connect using the access server, use the aaa authentication nasi global configuration command. The no form of this command is used to disable authentication for NASI clients.

aaa authentication password-prompt
    Use the aaa authentication password-prompt global configuration command to change the text displayed when users are prompted for a password. The no form of this command is used to return to the default password prompt text.

aaa authentication ppp
    Use the aaa authentication ppp global configuration command to specify one or more AAA authentication methods for use on serial interfaces running PPP. The no form of this command is used to disable authentication.

aaa authentication username-prompt
    Use the aaa authentication username-prompt global configuration command to change the text displayed when users are prompted to enter a username. The no form of this command is used to return to the default username prompt text.

Although understanding all these commands can be quite useful, it is important that you learn the following three commands and how to implement them in an AAA environment:

■ The aaa authentication login command

■ The aaa authentication ppp command

■ The aaa authentication enable default command

After you have enabled AAA globally on the access server, you need to define the authentication method lists and apply them to lines and interfaces. These are security profiles that indicate the service, PPP, dot1x, or login and authentication method. You may specify up to five authentication methods (local, group TACACS+, group RADIUS, line, or enable authentication) to apply to a line or interface. Although our focus in this section is on the local user database, if you are working with multiple authentication methods, it is a best practice to have either local or enable authentication as the final method to recover from a severed link to the chosen method server.

Defining a Method List

To define an authentication method list using the aaa authentication command, you need to follow three steps:

Step 1 In global configuration mode, use the aaa authentication command to configure an AAA authentication method list:

• Indicate the service (PPP, dot1x, and so on) or login authentication.

• Either use the default method list name or specify a method list name. Be aware that a defined method list overrides the default method list after it is applied to an interface. If this is not applied, the default method list applies.

• A list name may be any alphanumeric string you want to use. You may configure multiple strings on the router, but each must have a unique name.

• Method lists are sequential lists that describe the authentication methods that should be queried when authenticating a user. These allow an administrator to designate one or more security protocols to be used for authentication, allowing for a backup system for authentication should the initial method have an error or not be reachable.

Step 2 Specify the authentication method (local, group TACACS+, group RADIUS, line, or enable authentication), and how the router should handle requests when a method is not operating (for instance, when a AAA server is down). Up to four methods may be specified.

Step 3 Apply the authentication method lists to each of the following:

a. Lines: TTY, vty, console, auxiliary, and async lines, or the console port for login and asynchronous lines (in most cases) for ARAP

b. Interfaces: Interfaces sync, async, and virtual configured for PPP, Serial Line Interface Protocol (SLIP), NASI, or ARAP

Setting AAA Authentication for Login

The aaa authentication login command is issued in global configuration mode to set AAA authentication for login to a router's administration port. The following is a list of these commands:


■ aaa authentication login default enable is used to specify a default login authentication method list using the enable password.

■ aaa authentication login console-in local specifies the login authentication method list named console-in using the local username-password database on the router.

■ aaa authentication login tty-in is used to specify a login authentication list named tty-in using the line password configured on the router.

The following is an example of the syntax to be used for the aaa authentication command:

aaa authentication login {default | list-name} method1 [method2...]

Table 4-4 lists the aaa authentication login command elements and details their usage.

Table 4-4 aaa authentication login Command Elements

default
    Specifies the default list of methods to be used when a user logs in, based on the methods that follow this argument.

list-name
    Used to name the list of authentication methods activated when a user logs in.

method
    One keyword must be specified. To use the local user database, use the local keyword.

    enable: The enable password is used for authentication.

    krb5: Kerberos 5 is used for authentication.

    krb5-telnet: Kerberos 5 Telnet authentication protocol is used when using Telnet to connect to the router.

    line: The line password is used for authentication.

    local: The local username database is used for authentication.

    local-case: Provides case-sensitive local username authentication.

    none: No authentication is used.

    group radius: The list of all RADIUS servers is used for authentication.

    group tacacs+: The list of all TACACS+ servers is used for authentication.

    group group-name: Uses either a subset of RADIUS or TACACS+ servers for authentication as defined by the aaa group server radius or aaa group server tacacs+ command.

Configuring AAA Authentication on Serial Interfaces Running PPP

You may specify one or more AAA authentication methods for use on serial interfaces running PPP. To do this, you use the aaa authentication ppp command from global configuration mode. Here are the choices:

■ aaa authentication ppp default local: This command is used to specify a default PPP authentication method list using the local username-password database on the router.

■ aaa authentication ppp dial-in local none: This command is used to specify a PPP authentication method list named dial-in. It should be used on the initial login attempt, using the local username-password database on the router. If the local username is not defined, no authentication is used.

Using the aaa authentication enable default Command

To enable AAA authentication to determine if a user can access the privileged command level, you use the aaa authentication enable default command. This command should be issued from global configuration mode.

The following is an example of the syntax to be used for this command:

aaa authentication enable default method1 [method2...]

Authentication commands may be applied to both router lines and interfaces. As a best practice, you should always define a default list for AAA to provide a means of "last resort" authentication on all lines and interfaces protected by AAA. Example 4-1 shows the application of the authentication commands to router lines and interfaces.

Example 4-1 Applying Authentication Commands to Router Lines and Interfaces

router(config)# line console 0
router(config-line)# login authentication console-in
router(config)# int s3/0
router(config-if)# ppp authentication chap dial-in

Let's examine these commands:

■ line console 0 is issued to enter line console configuration mode.

■ login authentication console-in specifies an authentication list named console-in for login authentication on console port 0.

■ int s3/0 is issued to enter interface configuration mode on port 0 of serial interface slot number 3.

■ ppp authentication chap dial-in specifies an authentication method list named dial-in for use with PPP CHAP authentication on interface s3/0.
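As an added illustration of the method-list rules above and of the lockout warning given with aaa new-model (this is example code written for this page, not Cisco's or the book's), the following Python script parses a constructed running-config fragment and flags the pitfalls the text warns about: no default login list after aaa new-model, a list whose last method is a server group with no local or enable fallback, a list containing none, a local list with no username defined, and a line that applies an undefined list name. The config text, the placeholder secret and the finding wording are all this script's own.

```python
"""Audit a Cisco IOS AAA login configuration for the lockout and fallback
pitfalls described in the text. Added example code; the config fragment is
constructed for illustration and the finding texts are this script's own."""

# Constructed running-config fragment (not from a real router). The secret
# value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
aaa new-model
username admin secret PLACEHOLDER-SECRET
aaa authentication login default group tacacs+ local
aaa authentication login console-in local
aaa authentication login tty-in group radius
aaa authentication enable default enable
line console 0
 login authentication console-in
line vty 0 4
 login authentication tty-in
line vty 5 15
 login authentication no-such-list
"""

# Methods that still work when every AAA server is unreachable.
FALLBACK_METHODS = {"local", "local-case", "enable", "line"}


def split_methods(tokens):
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(text):
    """Return (aaa_new_model, usernames, login_lists, line_refs)."""
    new_model, usernames, login_lists, line_refs = False, set(), {}, []
    current_line = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa new-model":
            new_model = True
        elif line.startswith("username "):
            usernames.add(line.split()[1])
        elif line.startswith("aaa authentication login "):
            parts = line.split()          # ... login <name> <method>...
            login_lists[parts[3]] = split_methods(parts[4:])
        elif line.startswith("line "):
            current_line = line           # e.g. 'line vty 0 4'
        elif line.startswith("login authentication ") and current_line:
            line_refs.append((current_line, line.split()[2]))
    return new_model, usernames, login_lists, line_refs


def audit(text):
    """Return a sorted list of findings for the AAA login configuration."""
    new_model, usernames, lists, refs = parse_config(text)
    findings = []
    if new_model and "default" not in lists:
        findings.append("no 'aaa authentication login default' list after 'aaa new-model' (lockout risk)")
    for name, methods in lists.items():
        uses_server = any(m.startswith("group ") for m in methods)
        if uses_server and methods[-1] not in FALLBACK_METHODS:
            findings.append(f"list '{name}': last method is a server group, no local/enable fallback")
        if "none" in methods:
            findings.append(f"list '{name}': 'none' allows login without authentication")
        if any(m in ("local", "local-case") for m in methods) and not usernames:
            findings.append(f"list '{name}': uses the local database but no username is configured")
    for line, name in refs:
        if name not in lists:
            findings.append(f"{line}: references undefined list '{name}'")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the script reports the tty-in list (RADIUS only, no fallback) and the vty 5 15 line that points at a list name that was never defined.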

Implementing the aaa authorization Command

To set parameters that will restrict administrative EXEC access to the routers or user access to the network, you may use the aaa authorization command from global configuration mode. The following is the syntax:

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Table 4-5 explains the syntax of the aaa authorization command.

Table 4-5 aaa authorization Command Elements

network
    Used to implement authorization for all network-related service requests, such as SLIP, PPP Network Control Protocol (NCP), and ARAP.

exec
    Used to implement authorization to determine if the user is allowed to run an EXEC shell.

commands
    Used to implement authorization for all commands for a specific privilege level.

level
    Used to specify the command level that should be authorized. Values may range from 0 to 15.

reverse-access
    Used to implement authorization for reverse access connections, such as reverse Telnet.

configuration
    Used to download the configuration from the AAA server.

default
    Used to list the authentication methods, list-name and method, as the default list of methods for authorization.

list-name
    Provides a character string used to name the list of authorization methods.

method
    Specifies the method to be used for authentication using one of the following keywords:

    group group-name: Specifies a subset of RADIUS or TACACS+ servers to be used for authentication. These are defined with the aaa group server radius or aaa group server tacacs+ commands.

    if-authenticated: The user is permitted to access the requested function if he or she has been validly authenticated.

    krb5-instance: Used in conjunction with the Kerberos instance map command to specify the instance to be used.

    local: Specifies the use of the local user database for authorization.

    none: Authorization is not performed.

Additionally, you can name authorization lists after specifying the service. You may list up to four failover methods.

Here are some examples of the aaa authorization command:

router(config)# aaa authorization commands 15 default local
router(config)# aaa authorization commands 1 mickey local
router(config)# aaa authorization commands 15 goofy local
router(config)# aaa authorization network pluto local none
router(config)# aaa authorization exec donald if-authenticated

These commands are as follows:

■ aaa authorization commands 15 default local: The local user database is used to authorize the use of all level 15 commands for the default method list.

■ aaa authorization commands 1 mickey local: The local username database is used to authorize all level 1 commands for the mickey method list.

■ aaa authorization commands 15 goofy local: The local user database is used to authorize the use of all level 15 commands for the goofy method list.

■ aaa authorization network pluto local none: The local user database is used to authorize the use of all network services, such as SLIP, PPP, and ARAP, for the method list named pluto. If no local username is defined, this command does not perform authorization, and the user can use all network services.

■ aaa authorization exec donald if-authenticated: If the user has already been authenticated, this command allows the user to run the EXEC process.

Working with the aaa accounting Command

In addition to authorization and authentication, AAA provides accounting capabilities for either billing or security purposes, or both. To enable AAA accounting of a requested service when you are working with RADIUS or TACACS+, you issue the aaa accounting command from global configuration mode:

aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name

Table 4-6 explains the options that can be used with the aaa accounting command.

Table 4-6 aaa accounting Command Elements

auth-proxy
    Provides information about all authenticated proxy user events.

system
    Performs accounting for all system-level events that are not associated with users.

network
    Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCP, and ARAP.

exec
    Provides accounting for EXEC shell sessions.

connection
    Provides information about all outbound connections made from the NAS.

commands level
    Runs accounting for all commands at the specified privilege level. Privilege level entries are integers and may range from 0 to 15.

default
    Sets the default list of methods for accounting services based on the listed accounting methods specified by list-name.

list-name
    The list of at least one of the accounting methods.

vrf vrf-name
    This optional command element, used only with system accounting, may be used to specify a VPN routing and forwarding (VRF) configuration.

start-stop
    Sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The start accounting record is sent in the background. Regardless of whether the start accounting notice was received by the accounting server, the requested user process begins.

stop-only
    Sends a stop accounting notice at the end of the requested user process.

none
    Disables accounting services on this line or interface.

broadcast
    This optional command element allows the sending of accounting records to multiple AAA servers. Accounting records are simultaneously sent to the first server in each group. Should the first server be unavailable, failover occurs using the backup servers defined within that group.

group group-name
    Defines the character string used to name the group of accounting methods.

The following are a couple of examples of how this command may be implemented:

router(config)# aaa accounting commands 15 default stop-only group tacacs+
router(config)# aaa accounting auth-proxy default start-stop group tacacs+

The first example defines a default command accounting method list. Accounting services in this case are provided by a TACACS+ security server, and it has been set for privilege level 15 commands. A stop-only restriction is also implemented in this example.

The second example defines a default authentication proxy accounting method list in which accounting services are provided by a TACACS+ security server for authentication proxy events with a start-stop restriction. If you are unfamiliar with authentication proxy or the auth-proxy command, it is used to authenticate inbound or outbound users, or both.

Using the CLI to Troubleshoot AAA for Cisco Routers

The primary command used when troubleshooting AAA on Cisco routers is the debug command. Three separate debug commands may be used to troubleshoot the various aspects of AAA:

■ debug aaa authentication: Use this command to display debugging messages for the authentication functions of AAA.

■ debug aaa authorization: Use this command to display debugging messages for the authorization functions of AAA.

■ debug aaa accounting: Use this command to display debugging messages for the accounting functions of AAA.

Each of these commands should be executed from privileged EXEC mode to display the required information. To disable debugging for any of these functions, use the no form of the command, such as no debug aaa authentication.

Example 4-2 shows sample output from the debug aaa authentication command.

Example 4-2 Using the debug aaa authentication Command

router# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS

In Example 4-2, a user has attempted to log in to the router using the tty1 port. The user tries to access user mode (privilege level 1) using a plain-text authentication method (PAP in this case). The router identifies the default list to be used for authentication. The default list has been configured for authentication against the local user database. Status messages of GETUSER and GETPASS indicate that the router collects the username and password. A check of the local user database, denoted as LOCAL in the debugging output, verifies that the credentials are correct and the user is permitted to access the router. This is indicated by the PASS status in the debugging output.
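To follow the GETUSER, GETPASS and PASS sequence in Example 4-2 programmatically, here is an added Python parser (not from the book or Cisco) that groups debug aaa authentication records by session ID, records the port, method list, method and user for each attempt, and reports its final outcome. The input is a constructed sample in the same record format; the second session, which ends in status = FAIL, is added here for illustration and is not in Example 4-2.

```python
"""Group Cisco 'debug aaa authentication' records by session and report each
login attempt's port, method list, method, user and outcome. Added example
code; the debug text below is constructed in the format of Example 4-2."""
import re
from collections import OrderedDict

# Constructed sample (not a real capture): the successful local login from
# Example 4-2, followed by a second session that ends in status = FAIL.
SAMPLE_DEBUG = """\
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user='' ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
113140: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097691): port='tty2' list='' action=LOGIN service=LOGIN
113141: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097691): using "default" list
113142: Feb 4 10:12:02.001 CST: AAA/AUTHEN/START (2784097691): Method=LOCAL
113145: Feb 4 10:12:05.900 CST: AAA/AUTHEN/CONT (2784097691): continue_login (user='guest')
113146: Feb 4 10:12:05.900 CST: AAA/AUTHEN (2784097691): status = FAIL
"""

# Record layout: seq: timestamp: AAA/AUTHEN[/START|/CONT] (session-id): message
RECORD = re.compile(
    r"^\d+: (?P<ts>.+?): (?P<comp>AAA/AUTHEN(?:/START|/CONT)?) "
    r"\((?P<sid>\d+)\): (?P<msg>.*)$"
)
PORT = re.compile(r"port='([^']*)'")
LIST = re.compile(r'using "([^"]+)" list')
METHOD = re.compile(r"Method=(\S+)")
USER = re.compile(r"continue_login \(user='([^']*)'\)")
STATUS = re.compile(r"status = (\S+)")


def parse_debug(text):
    """Return an ordered dict: session id -> fields gathered from its records."""
    sessions = OrderedDict()
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:                       # AAA/MEMORY records carry no session id
            continue
        s = sessions.setdefault(m["sid"], {
            "port": None, "list": None, "method": None,
            "user": None, "statuses": [], "last_ts": None})
        s["last_ts"] = m["ts"]
        msg = m["msg"]
        for key, rx in (("port", PORT), ("list", LIST), ("method", METHOD)):
            hit = rx.search(msg)
            if hit:
                s[key] = hit.group(1)
        hit = USER.search(msg)
        if hit and hit.group(1) != "(undef)":   # username not typed yet
            s["user"] = hit.group(1)
        hit = STATUS.search(msg)
        if hit:
            s["statuses"].append(hit.group(1))
    return sessions


def outcome(session):
    """PASS or FAIL from the last status record; PENDING while still in GETUSER/GETPASS."""
    final = session["statuses"][-1] if session["statuses"] else None
    return final if final in ("PASS", "FAIL") else "PENDING"


def failed_logins(text):
    """(session id, port, user, timestamp) for every attempt that ended in FAIL."""
    return [(sid, s["port"], s["user"], s["last_ts"])
            for sid, s in parse_debug(text).items() if outcome(s) == "FAIL"]


if __name__ == "__main__":
    for sid, s in parse_debug(SAMPLE_DEBUG).items():
        print(sid, s["port"], s["list"], s["method"], s["user"], outcome(s))
```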

Using Cisco SDM to Configure AAA

In addition to working with the CLI, you can configure and edit AAA using the Cisco Router and Security Device Manager (SDM). To configure or edit AAA using the Cisco SDM, first you issue the aaa new-model command from the CLI. Then you can configure or edit AAA using Cisco SDM by choosing Additional Tasks > AAA. Next, click the Enable AAA button in the upper-right corner to enable AAA on the router. The SDM takes precautionary steps to prevent locking the router or disconnecting the SDM session.

Figure 4-1 shows the process of enabling AAA with Cisco SDM.

Figure 4-1 Enabling AAA with Cisco SDM

Figure 4-2 shows the AAA Authentication Login screen with two login authentication method lists configured on the router. One is the default method list, and the other is the sdm_vpn_xauth_ml_1 method list. Each of these method lists uses the local user database to provide login authentication. The screen shown is where you can configure new login authentication method lists, as well as edit or delete existing login authentication method lists on the router.

Figure 4-2 AAA Authentication Login Screen
