Authentication commands can be applied to lines or interfaces

Note: It is recommended that you always define a default list for AAA to provide "last resort" authentication on all lines and interfaces protected by AAA.

As shown in the figure, authentication commands can be applied to router lines and interfaces.

Here is a brief explanation of the examples shown in the figure:

■ line console 0: Enters line console configuration mode

■ login authentication console-in: Uses the authentication method list named "console-in" for login authentication on console port 0

■ int s3/0: Specifies port 0 of serial interface slot number 3

■ ppp authentication chap dial-in: Uses the authentication method list named "dial-in" for PPP CHAP authentication on interface s3/0

2-100 Securing Cisco Network Devices (SND) v2.0 © 2006 Cisco Systems, Inc.

router(config)#
aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

router(config)# aaa authorization commands 15 default local
router(config)# aaa authorization commands 1 alpha local
router(config)# aaa authorization commands 15 bravo local
router(config)# aaa authorization network charlie local none
router(config)# aaa authorization exec delta if-authenticated

Use the aaa authorization command in global configuration mode, as shown in the figure, to set parameters that restrict administrative EXEC access to the routers or user access to the network.

The syntax for the aaa authorization command is as follows:

aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2...]

Refer to the "AAA Authorization Command Syntax" table for a full description of the command syntax.

AAA Authorization Command Syntax

network: This command element runs authorization for all network-related service requests, including SLIP, PPP Network Control Protocol (NCP), and ARAP.

exec: This command element runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand command information.

commands: This command element runs authorization for all commands at the specified privilege level.

level: This is the specific command level that should be authorized. Valid entries are 0 to 15.

reverse-access: This command element runs authorization for reverse access connections, such as reverse Telnet.

configuration: This command element downloads the configuration from the AAA server.

default: This command element uses the authorization methods listed after it as the default list of methods for authorization.

list-name: This is the character string that is used to name the list of authorization methods.

method: This specifies at least one of these keywords:

■ group group-name: Uses a subset of RADIUS or TACACS+ servers for authorization as defined by the aaa group server radius or aaa group server tacacs+ commands

■ if-authenticated: Allows the user to access the requested function if the user is authenticated

■ krb5-instance: Uses the instance defined by the kerberos instance map command

■ local: Uses the local database for authorization

■ none: No authorization is performed

There is a provision for naming the authorization list after specifying the service, just as there is for naming an authentication list. Also, the list of methods is not limited to a single method: up to four methods may be listed, with failover from one method to the next, similar to what the aaa authentication command provides.

Named authorization lists allow you to define different methods for authorization and accounting and apply those methods on a per-interface or per-line basis.

A brief explanation of the examples is as follows:

■ aaa authorization commands 1 alpha local: This command uses the local username database to authorize the use of all level 1 commands for the alpha method list.

■ aaa authorization commands 15 bravo local: This command uses the local database to authorize the use of all level 15 commands for the bravo method list.

■ aaa authorization network charlie local none: This command uses the local database to authorize the use of all network services, such as SLIP, PPP, and ARAP, for the charlie method list. If the local username is not defined, this command performs no authorization and the user can use all network services.

■ aaa authorization exec delta if-authenticated: This command lets the user run the EXEC process if the user is already authenticated.

router(config)#
aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group groupname

router(config)# aaa accounting commands 15 default stop-only group tacacs+
router(config)# aaa accounting auth-proxy default start-stop group tacacs+

To enable AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting command in global configuration mode. To disable AAA accounting, use the no form of this command. Refer to the "AAA Accounting Command Syntax" table for a description of the command syntax.

The first example in the figure defines a default command accounting method list where accounting services are provided by a TACACS+ security server set for privilege level 15 commands with a stop-only restriction.

The second example defines a default authentication proxy accounting method list where accounting services are provided by a TACACS+ security server for authentication proxy events with a start-stop restriction.
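The default-list note at the start of this section and the charlie local none authorization example both describe gaps that can be checked for mechanically. The following Python script is an added example, not part of the course text: it parses aaa authentication, aaa authorization and aaa accounting lines from a running-config (the sample is constructed from the commands shown above) and reports services with no default list and lists whose last method is none.

```python
# Added example (not from the course text): audit the AAA method lists in a
# Cisco IOS config for two gaps the text warns about: a service with no
# "default" list, and an authn/authz list whose last method is "none".
import re

AAA_FUNCS = ("authentication", "authorization", "accounting")


def parse_aaa_line(line):
    # Returns (function, service, list_name, methods) or None for other lines.
    tok = line.split()
    if len(tok) < 5 or tok[0] != "aaa" or tok[1] not in AAA_FUNCS:
        return None
    func, service, i = tok[1], tok[2], 3
    if service == "commands":                     # "commands <level>"
        service, i = "commands " + tok[3], 4
    name, rest = tok[i], tok[i + 1:]
    if func == "accounting":                      # drop [vrf x] {record} [broadcast]
        if rest[:1] == ["vrf"]:
            rest = rest[2:]
        rest = rest[2:] if rest[1:2] == ["broadcast"] else rest[1:]
    methods = re.findall(r"group \S+|\S+", " ".join(rest))  # "group X" is one method
    return func, service, name, methods


def audit_aaa(config_text):
    # Returns sorted finding strings; an empty list means no gap was found.
    lists = {}                                    # (func, service) -> {name: methods}
    for line in config_text.splitlines():
        parsed = parse_aaa_line(line.strip())
        if parsed:
            func, service, name, methods = parsed
            lists.setdefault((func, service), {})[name] = methods
    findings = []
    for (func, service), named in lists.items():
        if "default" not in named:
            findings.append(f"{func} {service}: no default list")
        for name, methods in named.items():
            if func != "accounting" and methods[-1:] == ["none"]:
                findings.append(f"{func} {service} {name}: falls back to none")
    return sorted(findings)


# Constructed sample built from the command examples in the text.
SAMPLE_CONFIG = """aaa authentication login default group tacacs+ local
aaa authorization commands 15 default local
aaa authorization commands 1 alpha local
aaa authorization network charlie local none
aaa accounting commands 15 default stop-only group tacacs+"""
```

Run audit_aaa over the output of show running-config; lines that reference a named list that does not exist (for example login authentication console-in with no matching aaa authentication login console-in) are a separate check worth adding.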

AAA Accounting Command Syntax

auth-proxy: This command element provides information about all authenticated proxy user events.

system: This command element performs accounting for all system-level events not associated with users, such as reloads.

network: This command element runs accounting for all network-related service requests, including SLIP, PPP, PPP NCP, and ARAP.

exec: This command element runs accounting for EXEC shell sessions. This keyword might return user profile information, such as what is generated by the autocommand command.

connection: This command element provides information about all outbound connections made from the NAS, such as Telnet, local-area transport (LAT), IBM TN3270 terminal emulator, packet assembler and disassembler, and rlogin.

commands level: This command element runs accounting for all commands at the specified privilege level. Valid privilege level entries are integers from 0 to 15.

default: This command element makes the accounting methods listed after it the default list of methods for accounting services.

list-name: This is the character string that is used to name the list of accounting methods; the list contains at least one method.

vrf vrf-name: (Optional) This command element specifies a VPN routing and forwarding (VRF) configuration.

Note: VRF is used only with system accounting.

start-stop: This command element sends a "start" accounting notice at the beginning of a process and a "stop" accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.

stop-only: This command element sends a stop accounting notice at the end of the requested user process.

none: This command element disables accounting services on this line or interface.

broadcast: (Optional) This command element enables sending accounting records to multiple AAA servers. It simultaneously sends accounting records to the first server in each group. If the first server is unavailable, failover occurs using the backup servers defined within that group.

group group-name: This command element defines the character string used to name the group of accounting methods.
