Chris Bryant, CCIE #12933 www.thebryantadvantage.com
AAA Overview
This is a bit of bonus reading for your CCNP SWITCH exam. This section from my CCNA Security Study Guide covers more AAA than you're likely to see on your CCNP SWITCH exam, but I do recommend you spend some time studying it to go along with the Security section in this course. Enjoy!

Authentication, Authorization, and Accounting, commonly referred to in the Cisco world as AAA, is a common feature in today's networks. In this section, we'll examine exactly what each "A" does, and then configure AAA at the command-line interface and with Cisco SDM. Each "A" is a separate function, and requires separate configuration. Before we begin to configure AAA, let's take a look at each "A" individually.

Contents:

    Authentication
    Don't Lock Yourself Out!
    Don't Stop Until You're Done...
    Authorization
    Privilege Levels And Authorization
    Accounting
    Hot Spots And Gotchas

Authentication

Authentication is the process of deciding if a given user should be allowed to access the network or a network service. As a CCNA and future CCNP, you've already configured authentication in the form of creating a local database of usernames and passwords for both Telnet access and PPP authentication. This is sometimes called a self-contained AAA deployment, since no external server is involved.

It's more than likely that you'll be using a server configured for one of the following security protocols:

    TACACS+, a Cisco-proprietary, TCP-based protocol
    RADIUS, an open-standard, UDP-based protocol originally developed by the IETF

An obvious question is "If there's a TACACS+, what about TACACS?" TACACS was the original version of this protocol and is rarely used today.

Before we head into AAA Authentication configuration, there are some other TACACS+ / RADIUS differences you should be aware of:

    While TACACS+ encrypts the entire packet, RADIUS encrypts only the password in the initial client-server packet.
    RADIUS combines the authentication and authorization processes, making it very difficult to run one but not the other. TACACS+ considers Authentication, Authorization, and Accounting to be separate processes. This allows another method of authentication to be used (Kerberos, for example), while still using TACACS+ for authorization and accounting.
    RADIUS does not support the Novell Async Services Interface (NASI) protocol, the NetBIOS Frame Protocol Control protocol, X.25 Packet Assembler / Disassembler (PAD), or the AppleTalk Remote Access Protocol (ARA or ARAP). TACACS+ supports all of these.
    RADIUS implementations from different vendors may not work well together, or at all.
    RADIUS can't control the authorization level of users, but TACACS+ can.

Regardless of which "A" you're configuring, AAA must be enabled with the global command aaa new-model. The location of the TACACS+ and / or RADIUS server must then be configured, along with a shared encryption key that must be agreed upon by the client and server. Since you're on the way to the CCNP, that's what we'll use here.

    R1(config)#aaa new-model
    R1(config)#tacacs-server host 172.1.1.1 key CCNP
    R1(config)#radius-server host 172.1.1.2 key CCNP

The aaa new-model command carries out two tasks:

    it enables AAA
    it overrides every previously configured authentication method for the router lines - especially the vty lines!

More on that "especially the vty lines" a little later in this section.

Multiple TACACS+ and RADIUS servers can be configured, and the key can either be included at the end of the above commands or configured separately, as shown below.

    R1(config)#tacacs-server key CCNP
    R1(config)#radius-server key CCNP

Now comes the interesting part! We've got a TACACS+ server at 172.1.1.1, a RADIUS server at 172.1.1.2, and the router is configured as a client of both with a shared key of CCNP for both.
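Before we get to the method lists, the first TACACS+ / RADIUS difference listed above (TACACS+ protects the whole packet body, RADIUS only the password) is worth seeing in code. The Python below is an added example, not part of this guide and not Cisco code: it implements the User-Password hiding from RFC 2865 and the TACACS+ body obfuscation from RFC 8907 (the RFCs call both "obfuscation" rather than encryption, since each is an MD5-derived XOR stream keyed by the shared secret), then builds a constructed RADIUS Access-Request attribute pair and a constructed TACACS+ authentication START body to show what an on-path observer can read. The shared key CCNP and the user gagne / awa come from the section; the authenticator, session id and packet bodies are constructed sample values.

```python
import hashlib


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous hidden block), seeded with the 16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block            # chaining uses the hidden block, not the plaintext one
    return hidden


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same operation; trailing NUL padding is stripped."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return clear.rstrip(b"\x00")


def radius_attrs(username: bytes, password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Type-Length-Value encoding of User-Name (type 1) and User-Password (type 2).
    Only the password value is hidden; every other attribute is plaintext."""
    hidden = radius_hide_password(password, secret, authenticator)
    return bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden


def tacacs_body_obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: body XOR pseudo_pad, where pseudo_pad is
    MD5_1 = MD5(session_id, key, version, seq_no) followed by
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1). Applying it twice
    restores the body, so the same function serves client and server."""
    head = session_id.to_bytes(4, "big") + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(head + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


# Constructed sample values (not taken from a real exchange).
SECRET = b"CCNP"
AUTHENTICATOR = bytes(range(16))      # a real client uses 16 random bytes here
SESSION_ID = 0x1234ABCD
TACACS_VERSION = 0xC0                 # major version 0xC, minor version 0


def compare_protections() -> dict:
    """What an on-path observer sees of a constructed login in each protocol."""
    attrs = radius_attrs(b"gagne", b"awa", SECRET, AUTHENTICATOR)
    # Constructed TACACS+ authentication START body (action, priv_lvl, authen_type,
    # service, then the four length bytes and the user name).
    tac_body = b"\x01\x00\x01\x01" + bytes([5, 0, 0, 0]) + b"gagne"
    tac_wire = tacacs_body_obfuscate(tac_body, SESSION_ID, SECRET, TACACS_VERSION, 1)
    return {
        "radius_username_visible": b"gagne" in attrs,
        "radius_password_visible": b"awa" in attrs,
        "tacacs_username_visible": b"gagne" in tac_wire,
        "tacacs_round_trip_ok": tacacs_body_obfuscate(tac_wire, SESSION_ID, SECRET, TACACS_VERSION, 1) == tac_body,
    }
```

Both schemes depend entirely on the shared key, which is why the key configured with tacacs-server key / radius-server key should be long and unique per server, and why the RADIUS exchange still leaves the username and every other attribute readable to anyone on the path.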
Now we need to determine which servers will be used for Authentication, and in what order, with the aaa authentication command. Let's take a look at the options:

    R1(config)#aaa authentication login ?
      WORD     Named authentication list.
      default  The default authentication list.

The first choice is whether to configure a named authentication list, or a default list that will be used for all authentications that do not reference a named list. In this example, we'll create a default list.

    R1(config)#aaa authentication login default ?
      enable      Use enable password for authentication.
      group       Use Server-group
      line        Use line password for authentication.
      local       Use local username authentication.
      local-case  Use case-sensitive local username authentication.
      none        NO authentication.

Remember our old friend the enable password? We can configure Authentication to use the enable password, and we could also use a line password. More common is the local username authentication, which will use a database local to the router. That sounds complicated, but to build a username/password database, just use the username/password command!

    R1(config)#username gagne password awa
    R1(config)#username afflis password wwa
    R1(config)#username thesz password nwa

The username / password command creates a local database that can be used for multiple purposes, including authenticating Telnet users. We could create a local database and use it for AAA Authentication, but in this example we'll use the TACACS+ and RADIUS servers. To do so, we need to drill a little deeper with the aaa authentication command.

    R1(config)#aaa authentication login default group ?
      WORD     Server-group name
      radius   Use list of all Radius hosts.
      tacacs+  Use list of all Tacacs+ hosts.

    R1(config)#aaa authentication login default group radius ?
      enable      Use enable password for authentication.
      group       Use Server-group
      line        Use line password for authentication.
      local       Use local username authentication.
      local-case  Use case-sensitive local username authentication.
      none        NO authentication.
      <cr>

    R1(config)#aaa authentication login default group radius group tacacs

The group radius and group tacacs commands configure the router to use those devices for Authentication - but it's interesting that we were able to configure more than one Authentication source. Actually, we can name a maximum of four methods, and they'll be used in the order listed. In the above command, the default list will check the RADIUS server first. If there's an error or a timeout, the second method listed will be checked. If a user's authentication is refused by the first method, the second method is not used, and the user's authentication attempt will fail.

Interestingly enough, "none" is an option with the aaa authentication command.

    R1(config)#aaa authentication login default group radius ?
      enable      Use enable password for authentication.
      group       Use Server-group
      line        Use line password for authentication.
      local       Use local username authentication.
      local-case  Use case-sensitive local username authentication.
      none        NO authentication.
      <cr>

If you're concerned that all prior listed methods of authentication may result in an error or timeout, you can configure none at the end of the aaa authentication command. Of course, if none is the only option you select, you've effectively disabled authentication. Here, I've configured a default list on R3 that is using only one authentication option - none! I then apply that list to the vty lines and attempt to telnet to R3 from R1.

    R3(config)#aaa new-model
    R3(config)#aaa authentication login default none
    R3(config)#line vty 0 4
    R3(config-line)#login authentication default

    R1#telnet 172.12.13.3
    Trying 172.12.13.3 ... Open
    R3>

Note that I was not prompted for a vty password. Not a good idea! And speaking of bad ideas....

Be VERY Careful When Configuring Authentication - You CAN Lock Yourself Out!
Sorry for all the yelling, but believe me - if you put half of the AAA authentication in place, and log out without finishing it, you can end up locked out of your own router!

I'll illustrate on a very basic setup using R1 and R3. These routers are directly connected at their S1 interfaces, and R3 is configured with a vty password of tuco. To allow users to enter privilege level 15 (privileged EXEC mode), we'll use an enable secret of CCNP. No username is configured on R3 for vty access, so when we telnet to R3 from R1, we will be prompted only for the vty password. When we run the enable command, we'll be prompted for the enable secret password.

    R1#telnet 172.12.13.3
    Trying 172.12.13.3 ... Open

    User Access Verification

    Password: (vty password of tuco)
    R3>en
    Password: (enable secret password of CCNP)
    R3#

And all is well! Now we'll start configuring AAA on R3 via the telnet connection. The first step is to run the aaa new-model command.

    R3#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    R3(config)#aaa new-model

At this point, we're interrupted for some reason, so we save the config on R3 before logging out.

    R3#wr
    Building configuration...
    [OK]
    R3#logout

    [Connection to 172.12.13.3 closed by foreign host]
    R1#

Once lunch -- I mean, the interruption is over, we'll log back in to R3 from R1.

    R1#telnet 172.12.13.3
    Trying 172.12.13.3 ... Open

    User Access Verification

    Username:

Hmm. We weren't asked for a username before. Let's try both the vty and enable passwords for that username.

    R1#telnet 172.12.13.3
    Trying 172.12.13.3 ... Open

    User Access Verification

    Username:
    % Username:  timeout expired!
    Username: trump
    Password:
    % Access denied

    Username: CCNP
    Password:
    % Access denied

    [Connection to 172.12.13.3 closed by foreign host]

A couple of things to note...

    One authentication attempt timed out in the time it took me to cut and paste that config.
    When a username/password authentication attempt failed - here, two of them did - we were not told whether it was the username, password, or both that were bad.
    Finally, we were denied access to a router we could log into before the interruption.

The problem here is that we're being asked for a username that doesn't actually exist! Once you enable AAA, you've got to define the authentication methods immediately afterwards. Right now, no one can successfully telnet to that router, and someone's going to have to connect to it via the console port and finish the configuration.

So let's do just that. We've got the aaa new-model command in place, so we'll now define a local username/password database and have that serve as the default authentication method. We'll configure a named list called AAA_LIST and have R3's vty lines use that list for authentication.

    R3(config)#username chris password bryant
    R3(config)#aaa authentication login AAA_LIST local
    R3(config)#line vty 0 4
    R3(config-line)#login authentication ?
      WORD     Use an authentication list with this name.
      default  Use the default authentication list.
    R3(config-line)#login authentication AAA_LIST

    R1#telnet 172.12.13.3
    Trying 172.12.13.3 ... Open

    User Access Verification

    Username: chris
    Password: (entered bryant here)
    R3>enable
    Password: (entered CCNP here)
    R3#

Note that neither the vty line password nor the enable password is shown when it's entered. No asterisks, no nothing!

It's an excellent idea to leave yourself a "back door" into the network by configuring a local database with only one username and password - one known only by you and perhaps another administrator - and ending the aaa authentication command with local. That way, if something happens to the one or two primary methods, you've always got an emergency password to use.

Using AAA For Privileged EXEC Mode And PPP

The most common usage for AAA Authentication is for login authentication, but it can also be used as the enable password itself or to authenticate PPP connections. If you want to configure the router to use AAA Authentication for the enable password, use the aaa authentication enable command. Note that you cannot specify a named list for the enable password, only the default list.

    R1(config)#aaa authentication enable ?
      default  The default authentication list.
    (No option for a named list)

    R1(config)#aaa authentication enable default ?
      enable  Use enable password for authentication.
      group   Use Server-group
      line    Use line password for authentication.
      none    NO authentication.

    R1(config)#aaa authentication enable default group tacacs group radius none

The above configuration would first look to the TACACS+ server to authenticate a user attempting to enter privileged EXEC mode, then the RADIUS server, and if neither server could be reached would finally allow the user to enter with no authentication at all.

To use AAA Authentication for PPP connections, use the aaa authentication ppp command.

    R1(config)#aaa authentication ppp ?
      WORD     Named authentication list.
      default  The default authentication list.

    R1(config)#aaa authentication ppp default ?
      group       Use Server-group
      if-needed   Only authenticate if needed.
      local       Use local username authentication.
      local-case  Use case-sensitive local username authentication.
      none        NO authentication.

    R1(config)#aaa authentication ppp default group tacacs group radius local

The above command would first look to the TACACS+ server to authenticate PPP connections, then RADIUS, then the router's local database.

Why You Shouldn't Stop Configuring Authentication Until You're Done!

Configuring authentication isn't a long process, but make sure you're not going to be interrupted! (Or as sure as you can be in our business.) If you configure aaa new-model on a router, you can no longer use the plain login command to have the VTY lines check a single line password, as shown below.

    R1(config)#aaa new-model
    R1(config)#line vty 0 4
    R1(config-line)#login
    % Incomplete command
    R1(config-line)#login ?
      authentication  Authentication parameters.
    R1(config-line)#login authentication ?
      WORD     Use an authentication list with this name.
      default  Use the default authentication list.
    R1(config-line)#login authentication default
    AAA: Warning authentication list "default" is not defined for LOGIN.

Now, you'd think this would make the administrator realize that they need to make a default list - but then again, maybe they don't realize it. Maybe they don't know how and don't want to ask. Maybe they headed for lunch. It doesn't matter, because the end result is that no one can telnet in with the router configured like this. A method list must be configured along with the aaa new-model and login authentication commands.

Before moving on to Authorization, let's review the steps for an AAA configuration using a TACACS+ server for telnet authentication. First, we have to enable AAA, define the location of the TACACS+ server and create the case-sensitive key.

    R2(config)#aaa new-model
    R2(config)#tacacs-server host 172.10.10.100
    R2(config)#tacacs-server key PASSISCW

Next, create a default AAA method list that uses TACACS+, and will allow users to connect with no authentication if the TACACS+ server can't be reached.

    R2(config)#aaa authentication login default group tacacs none

Apply the default AAA list to the VTY lines, and we're all set!

    R2(config)#line vty 0 4
    R2(config-line)#login authentication default
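Two things from the Authentication section are worth checking mechanically before you log out of a router: the method-list ordering rule (an error or timeout moves to the next method, an explicit refusal ends the attempt) and the "half-configured AAA" states that lock you out or leave a door open. The Python below is an added example, not part of this guide and not a Cisco tool. It parses a few constructed running-config excerpts modelled on R3 and R2 from this section (aaa new-model, aaa authentication login lists, and the login authentication binding on each line), flags lines whose list is undefined, is none only, or ends in none, and simulates how a list decides a login given what each method returned. The config text and the PASS/FAIL/ERROR outcome table are constructed sample input; the line-mode parsing is simplified to the commands this section uses.

```python
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Constructed running-config excerpts (not from any real device).
# LOCKED_OUT: R3 after "aaa new-model" was entered and the session abandoned.
LOCKED_OUT = """\
hostname R3
aaa new-model
username chris password 0 bryant
line con 0
line vty 0 4
"""
# FINISHED: a named list applied to the vty lines, but the console list is "none" only.
FINISHED = """\
hostname R3
aaa new-model
aaa authentication login AAA_LIST group tacacs+ local
aaa authentication login CONSOLE none
username chris password 0 bryant
line con 0
 login authentication CONSOLE
line vty 0 4
 login authentication AAA_LIST
"""
# R2_REVIEW: the section's closing R2 example, which falls through to "none".
R2_REVIEW = """\
aaa new-model
aaa authentication login default group tacacs none
line vty 0 4
 login authentication default
"""


def parse_login_lists(config: str):
    """Return (aaa_new_model, {list_name: [methods]}, {line_name: bound list or None})."""
    aaa, lists, bindings, current = False, {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "aaa new-model":
            aaa = True
        elif line.startswith("aaa authentication login "):
            toks = line.split()[3:]                 # list name, then the methods
            name, methods, i = toks[0], [], 1
            while i < len(toks):
                if toks[i] == "group":              # "group radius" is a single method
                    methods.append("group " + toks[i + 1])
                    i += 2
                else:
                    methods.append(toks[i])
                    i += 1
            lists[name] = methods
        elif line.startswith("line "):
            current = line[5:]
            bindings[current] = None
        elif line.startswith(" login authentication ") and current:
            bindings[current] = line.split()[2]
        elif not line.startswith(" "):
            current = None                          # left line configuration mode
    return aaa, lists, bindings


def audit_login(config: str):
    """Flag the conditions this section warns about. With aaa new-model on, a line
    without its own 'login authentication' command uses the list named 'default'."""
    aaa, lists, bindings = parse_login_lists(config)
    findings = []
    if not aaa:
        return findings                             # legacy line passwords still apply
    for line_name, bound in bindings.items():
        methods = lists.get(bound or "default")
        if methods is None:
            findings.append((line_name, "UNDEFINED_LIST"))   # the lockout case
        elif methods == ["none"]:
            findings.append((line_name, "NONE_ONLY"))        # authentication disabled
        elif methods[-1] == "none":
            findings.append((line_name, "NONE_FALLBACK"))    # open door when servers are down
    return findings


def evaluate_list(methods, outcomes):
    """Simulate the ordering rule: ERROR (unreachable server, timeout) hands off to
    the next method, FAIL (explicit reject) ends the attempt, 'none' always passes.
    Returns (verdict, method that decided)."""
    for m in methods:
        if m == "none":
            return PASS, m
        result = outcomes.get(m, ERROR)             # methods missing from the table errored
        if result in (PASS, FAIL):
            return result, m
    return FAIL, None                               # every method errored: deny
```

The NONE_FALLBACK finding is the one to weigh: the section's own review config relies on it so that a dead TACACS+ server doesn't lock administrators out, and the same setting means anyone who can make the server unreachable gets in unauthenticated, which is why the section's advice to end with local instead is the safer back door.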
Authorization

Authentication decides whether a given user should be allowed into the network; Authorization dictates what users can do once they are in. The aaa authorization command creates a user profile that is checked when a user attempts to use a particular command or service. As with Authentication, we'll have the option of creating a default list or a named list, and AAA must be globally enabled with the aaa new-model command.

    R1(config)#aaa new-model
    R1(config)#aaa authorization ?
      auth-proxy       For Authentication Proxy Services
      commands         For exec (shell) commands.
      config-commands  For configuration mode commands.
      configuration    For downloading configurations from AAA server
      exec             For starting an exec (shell).
      network          For network services. (PPP, SLIP, ARAP)
      reverse-access   For reverse access connections

    R1(config)#aaa authorization exec ?
      WORD     Named authorization list.
      default  The default authorization list.

    R1(config)#aaa authorization exec default ?
      group             Use Server-group
      if-authenticated  Succeed if user has authenticated.
      local             Use local database.
      none              No authorization (always succeeds).
Privilege Levels And AAA Authorization

Privilege levels define what commands a user can actually run on a router. There are three predefined privilege levels on Cisco routers, two of which you've been using since you started your Cisco studies - even if you didn't know it! When you're in user exec mode, you're actually in privilege level 1, as verified with show privilege:

    R2>show privilege
    Current privilege level is 1

By moving to privileged exec mode with the enable command, you move from level 1 to level 15, the highest level:

    R2>show privilege
    Current privilege level is 1
    R2>enable
    R2#show privilege
    Current privilege level is 15

There's actually a third predefined privilege level, Level Zero, which allows the user to run the commands exit, logout, disable, and enable. Obviously, a user at Level Zero can't do much.

There's a huge gap in network access between levels 1 and 15, and the remaining levels 2-14 can be configured to fill that gap. Levels 2 - 14 can be configured to allow a user assigned a particular privilege level to run some commands, but not all of them. Assume you have a user who should not be allowed to use the ping command, which by default can be run from privilege level 1:

    R2>ping 172.1.1.1
    (Success of the ping has been edited)

By moving the ping command to privilege level 5, a user must have at least that level of privilege in order to use ping. To change the privilege level of a command, use the privilege command. (IOS Help shows approximately 30 options following privilege, so I won't put all of those here.)

    R2(config)#privilege ?
      address-family  Address Family configuration mode
      configure       Global configuration mode
      congestion      Frame Relay congestion configuration mode
      dhcp            DHCP pool configuration mode
      exec            Exec mode

    R2(config)#privilege exec ?
      level  Set privilege level of command
      reset  Reset privilege level of command
    R2(config)#privilege exec level ?
      <0-15>  Privilege level
    R2(config)#privilege exec level 5 ?
      LINE  Initial keywords of the command to modify
    R2(config)#privilege exec level 5 ping

A user must now have at least a privilege level of 5 to send a ping. Let's test that from both level 1 and 15.

    R2>ping 172.1.1.1
             ^
    % Invalid input detected at '^' marker.

    R2#ping 172.1.1.1
    (Success of ping edited)

Note that the user is not told they're being denied access to this command because of privilege level; the command simply looks invalid. The ping works successfully from Level 15.

There are two options for assigning privilege levels to users, one involving AAA and one not. To enable AAA Authorization to use privilege levels, use the aaa authorization command followed by the appropriate option:

    R2(config)#aaa authorization ?
      auth-proxy       For Authentication Proxy Services
      commands         For exec (shell) commands.
      config-commands  For configuration mode commands.
      configuration    For downloading configurations from AAA server
      exec             For starting an exec (shell).
      network          For network services. (PPP, SLIP, ARAP)
      reverse-access   For reverse access connections

The full command to use the TACACS+ server to authorize level 5 commands, followed by the local database, is as follows:

    R2(config)#aaa authorization commands 5 default group tacacs+ local

Getting authorization to work exactly the way you want it to does take quite a bit of planning and testing due to the many options.

Privilege levels can also be assigned via the router's local database. To do so, use the privilege option in the middle of the username/password command.

    R2(config)#username chris privilege 5 password bryant

That would assign a privilege level of 5 to that particular user.

The Authorization feature of AAA can also assign IP addresses and other network parameters to Mobile IP users. How this occurs is beyond the scope of the ISCW exam, but you can refer to RFC 2905 for more details. Perhaps more details than you'd like to know!
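The privilege-level rules above (a command moved with privilege exec level N is available to level N and above, and a user's level comes from the username line) are simple enough to model, which is a useful way to check a config before handing a junior administrator a level-5 account. The Python below is an added example, not part of this guide and not an IOS feature: it reads a constructed configuration excerpt in which ping and traceroute have been moved to level 5, assigns each local user their configured level (default 1), and answers whether a given user may run a given command using longest-prefix matching, the same way IOS treats "privilege exec level 5 ping" as covering "ping 172.1.1.1". DEFAULT_LEVELS is an assumed short list of commands IOS keeps at level 15 unless moved; everything else is assumed to be a level 1 command, and the secret shown for the user root is a placeholder, not a real hash.

```python
import re

# Constructed configuration excerpt (not from a real device).
SAMPLE_CONFIG = """\
privilege exec level 5 ping
privilege exec level 5 traceroute
privilege exec level 15 configure terminal
username gagne password 0 awa
username chris privilege 5 password 0 bryant
username root privilege 15 secret 5 $PLACEHOLDER_HASH$
"""

# Assumed defaults: a handful of commands IOS keeps at level 15 unless a privilege
# command moves them. Any command not matched here is treated as a level 1 command.
DEFAULT_LEVELS = {
    "configure": 15,
    "show running-config": 15,
    "write": 15,
    "reload": 15,
    "debug": 15,
}


def parse_privilege_config(config: str):
    """Return ({command_prefix: level}, {username: level}); users default to level 1."""
    commands, users = {}, {}
    for line in config.splitlines():
        m = re.match(r"privilege exec level (\d+) (.+)$", line)
        if m:
            commands[m.group(2).strip()] = int(m.group(1))
            continue
        m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
        if m:
            users[m.group(1)] = int(m.group(2) or 1)
    return commands, users


def required_level(command: str, commands: dict) -> int:
    """Longest matching prefix wins: 'ping' covers 'ping 172.1.1.1', while a
    configured 'configure terminal' overrides the default for 'configure'."""
    levels = {**DEFAULT_LEVELS, **commands}
    best = None
    for prefix in levels:
        if command == prefix or command.startswith(prefix + " "):
            if best is None or len(prefix) > len(best):
                best = prefix
    return levels[best] if best is not None else 1


def can_run(username: str, command: str, config: str = SAMPLE_CONFIG) -> bool:
    """True if the user's assigned level is at least the command's level.
    Unknown users are given level 0, which runs nothing modelled here."""
    commands, users = parse_privilege_config(config)
    return users.get(username, 0) >= required_level(command.strip(), commands)
```

This models the end state only: in a live router the EXEC session has to actually land at the user's configured level, which with AAA means an aaa authorization exec list that consults the same database, and a denied command is reported to the user as invalid input rather than as a privilege problem, exactly as the ping test above shows.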
Accounting

Authentication decides who can get in and who can't; authorization decides what users can do once they get in; accounting tracks the resources used by the authorized user. This tracking can be used for security purposes (detecting users doing things they shouldn't be doing), or for tracking network usage in order to bill other departments in your company.

As with authentication and authorization, accounting requires that AAA be globally enabled. The aaa accounting command is used to define the accounting parameters -- and IOS Help shows us that there are quite a few options! Earlier in this section, we talked about privilege levels, and accounting can be configured to track any given privilege level. Even that seemingly simple task takes a good deal of IOS digging, as shown below. Overall, AAA supports six different accounting formats, as shown below in IOS Help.

    R2(config)#aaa accounting ?
      auth-proxy   For authentication proxy events.
      commands     For exec (shell) commands.
      connection   For outbound connections. (telnet, rlogin)
      delay-start  Delay PPP Network start record until peer IP address is known.
      exec         For starting an exec (shell).
      nested       When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
      network      For network services. (PPP, SLIP, ARAP)
      resource     For resource events.
      send         Send records to accounting server.
      suppress     Do not generate accounting records for a specific type of user
      system       For system events.
      update       Enable accounting update records.

Here's a brief look at each category and what accounting information can be recorded.

    Commands: Information regarding EXEC mode commands issued by a user.
    Connection: Information regarding all outbound connections made from the network access server. Includes Telnet and rlogin.
    EXEC: Information about user EXEC terminal sessions.
    Network: Information regarding all PPP, ARAP, and SLIP sessions.
    Resource: Information regarding start and stop records for calls passing authentication, and stop records for calls that fail authentication.
    System: Non-user-related system-level events are recorded.

To finish the aaa accounting command, let's assume we want to enable auditing of privileged mode commands. As IOS Help will show you, to do this you have to know the level number of the mode you wish to audit, and privileged exec mode is level 15.

    R2(config)#aaa accounting commands ?
      <0-15>  Enable level
    R2(config)#aaa accounting commands 15
    % Incomplete command.
    R2(config)#aaa accounting commands 15 ?
      WORD     Named Accounting list.
      default  The default accounting list.
    R2(config)#aaa accounting commands 15 default ?
      none        No accounting.
      start-stop  Record start and stop without waiting
      stop-only   Record stop when service terminates.
      wait-start  Same as start-stop but wait for start-record commit.
    R2(config)#aaa accounting command 15 default start-stop ?
      broadcast  Use Broadcast for Accounting
      group      Use Server-group
    R2(config)#aaa accounting command 15 default start-stop group tacacs

Both authorization and accounting offer so many different options that it's impossible to go into all of them here, and you're not responsible for complex configurations involving either one on your ISCW exam. You should know the basic commands and that AAA must be globally enabled before either can be configured. Also, there are no enable, login, or local options with accounting - we're limited to using TACACS+ and/or RADIUS servers for accounting purposes.

    R2(config)#aaa accounting exec default start-stop group ?
      WORD     Server-group name
      radius   Use list of all Radius hosts.
      tacacs+  Use list of all Tacacs+ hosts.
Hot Spots And Gotchas

An AAA Authentication statement generally has more than one option listed. They're checked in the order in which they are listed, from left to right. If the first option is unavailable, the next is checked. However, if the first option FAILS the user's authentication attempt, the user is denied authentication and the process ends.

If you enable AAA with the aaa new-model command and then do not complete the Authentication configuration, no one can authenticate.

It's also legal to specify none as the only authentication option, but that basically disables authentication!

    HQ(config)#aaa authentication login default none

You can use a named list with aaa authentication login, but not with aaa authentication enable.

    HQ(config)#aaa authentication login ?
      WORD     Named authentication list.
      default  The default authentication list.

    HQ(config)#aaa authentication enable ?
      default  The default authentication list.

Real-world note that may come in handy on exam day: Don't get too clever and name your lists "AAA". That tends to confuse others. For example, in the aaa authentication login command, I would not use this command:

    HQ(config)#aaa authentication login AAA group tacacs+ none

That command uses a list named "AAA" for authentication. Again, it's just not something I like to do, but it is legal.

What does each "A" mean?

    Authentication - Can the user come in?
    Authorization - What can the user do when they come in? Can they assign privilege levels? IP addresses? Delete configurations? Assign ACLs? Change the username/password database, perhaps?
    Accounting - What network resources did the user access, and for how long?

The Accounting information that can be recorded falls into six main categories:

    command - accounting for all commands at a specified privilege level
    exec - accounting for exec sessions
    system - non-user system events
    network - all network-related service requests (NCP, ARA, SLIP)
    connection - outbound connections (Telnet, rlogin)
    resource - start and stop records

With accounting, we can save information to RADIUS or TACACS+ servers.

    HQ(config)#aaa accounting exec default start-stop group ?
      WORD     Server-group name
      radius   Use list of all Radius hosts.
      tacacs+  Use list of all Tacacs+ hosts.

And finally, a quick RADIUS vs. TACACS+ comparison:

RADIUS:
    Open-standard protocol
    Runs on UDP
    Can't control authorization level of users
    Authentication and authorization are combined, so running a separate authorization protocol is not practical

TACACS+:
    Cisco-proprietary protocol
    Runs on TCP
    Can control authorization level of users
    Authentication and authorization are separate processes, so running a separate authorization protocol is possible

Copyright 2010 The Bryant Advantage. All Rights Reserved.