Authorization

Authorization comes into play after authentication. Authorization allows administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS allows certain access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with a privilege level of 0 cannot issue many IOS commands. There are five commands at privilege level 0: disable, enable, exit, help, and logout. A user with a privilege level of 15 can perform all valid IOS commands. The local database or remote security server can grant the required privilege levels.

Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization assembles a set of attributes that describes what the user is authorized to perform. These attributes are compared with the information contained in a database for a given user, and the result is returned to AAA to determine the user's actual permissions and restrictions.

NOTE You can display the user's privilege level on a Cisco router with the show privilege command. The following output displays the privilege level when the enable password has already been entered:

R1#show privilege
Current privilege level is 15

The higher the privilege level, the more capabilities a user has with the IOS command set.

Accounting

Accounting occurs after authentication and authorization have been completed. Accounting allows administrators to collect information about users. Specifically, administrators can track which user logged into which router, which IOS commands a user issued, and how many bytes were transferred during a user's session. For example, accounting enables administrators to monitor which routers have had their configurations changed. Accounting information can be collected by a remote security server.

To display local account information on a Cisco router collecting accounting information, issue the show accounting IOS command. Example 4-2 displays sample output when the command is issued on Router R1. (Note that for Cisco IOS 12.2T and higher, the command has changed to show aaa user all.)

Example 4-2 show accounting Command

R1#show accounting
Active Accounted actions on Interface Serial0:1, User jdoe Priv 1
 Task ID 15, Network Accounting record, 00:00:18 Elapsed
 task_id=15 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=119.0.0.2 mlp-sess-id=1
Overall Accounting Traffic
         Starts   Stops   Updates   Active   Drops
Exec          0       0         0        0       0
Network       8       4         0        4       0
Connect       0       0         0        0       0
Command       0       0         0        0       0
User creates:21, frees:9, Acctinfo mallocs:15, frees:6
Users freed with accounting unaccounted for:0
Queue length:0

Table 4-1 describes the fields contained in Example 4-2.

Table 4-1 show accounting Fields

Field                Description
User                 The user's ID
Priv                 The user's privilege level (0-15)
Task ID              Each accounting session's unique identifier
Accounting Record    Type of accounting session
Elapsed              Length of time (hh:mm:ss) for this session type
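As an added example (not from the book or from Cisco), the following Python parser pulls the Table 4-1 fields and the attribute-value pairs out of show accounting output in the layout of Example 4-2, and checks that the Overall Accounting Traffic counters are internally consistent (Starts minus Stops should equal Active). The sample output is constructed from Example 4-2 rather than captured from a router.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on Example 4-2; not captured from a real router.
SAMPLE = """R1#show accounting
Active Accounted actions on Interface Serial0:1, User jdoe Priv 1
 Task ID 15, Network Accounting record, 00:00:18 Elapsed
 task_id=15 timezone=PDT service=ppp mlp-links-max=4 mlp-links-current=4 protocol=ip addr=119.0.0.2 mlp-sess-id=1
Overall Accounting Traffic
         Starts   Stops   Updates   Active   Drops
Exec          0       0         0        0       0
Network       8       4         0        4       0
Connect       0       0         0        0       0
Command       0       0         0        0       0
"""

HEADER_RE = re.compile(r"^Active Accounted actions on Interface (\S+), User (\S+) Priv (\d+)")
TASK_RE = re.compile(r"^\s*Task ID (\d+), (\w+) Accounting record, (\d+):(\d\d):(\d\d) Elapsed")
TRAFFIC_RE = re.compile(r"^(Exec|Network|Connect|Command)(?:\s+\d+){5}$")
COUNTERS = ("starts", "stops", "updates", "active", "drops")

@dataclass
class AcctSession:
    """One active accounting record: the fields described in Table 4-1 plus its AV pairs."""
    interface: str
    user: str
    priv: int
    task_id: int
    record_type: str
    elapsed_s: int
    av_pairs: dict = field(default_factory=dict)

def parse_show_accounting(text):
    """Return (list of AcctSession, {record type: counter dict}) from show accounting output."""
    sessions, traffic, cur = [], {}, None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"interface": m[1], "user": m[2], "priv": int(m[3])}
        elif (m := TASK_RE.match(line)) and cur is not None:
            h, mi, s = (int(x) for x in m.groups()[2:])
            cur.update(task_id=int(m[1]), record_type=m[2], elapsed_s=h * 3600 + mi * 60 + s)
        elif cur is not None and "task_id" in cur:
            # The AV-pair line follows the Task ID line; each token is attribute=value.
            cur["av_pairs"] = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
            sessions.append(AcctSession(**cur))
            cur = None
        elif TRAFFIC_RE.match(line):
            name, *counts = line.split()
            traffic[name] = dict(zip(COUNTERS, map(int, counts)))
    return sessions, traffic

def counters_consistent(traffic):
    """Sanity check: per record type, Starts minus Stops should equal the Active count."""
    return all(c["starts"] - c["stops"] == c["active"] for c in traffic.values())
```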

Rather than maintain a separate database with usernames, passwords, and privilege levels, you can use external security servers to run external security protocols, namely RADIUS and TACACS. These security server protocols stop unauthorized access to your network. The following sections review these two security protocols.

Security Server Protocols

In many circumstances, AAA uses security protocols to administer its security functions. If your router or access server is acting as a network access server (NAS), AAA is the means through which you establish communication between your NAS and your RADIUS, TACACS+, or Kerberos security server.
