
The Bryant Advantage CCNA Security Study Guide

Chris Bryant, CCIE #12933 www.thebryantadvantage.com


AAA
Overview

This is a bit of bonus reading for your CCNP SWITCH exam.
This section from my CCNA Security Study Guide covers more AAA than
you're likely to see on your CCNP SWITCH exam, but I do recommend
you spend some time studying it to go along with the Security section in
this course. Enjoy!
Authentication, Authorization, and Accounting, commonly referred to in the
Cisco world as AAA, is a common feature in today's networks. In this
section, we'll examine exactly what each "A" does, and then configure
AAA at the command-line interface and with Cisco SDM.
Each "A" is a separate function, and requires separate configuration.
Before we begin to configure AAA, let's take a look at each "A"
individually.
Authentication
Don't Lock Yourself Out!
Don't Stop Until You're Done...
Authorization
Privilege Levels And Authorization
Accounting
Hot Spots And Gotchas
Authentication
Authentication is the process of deciding if a given user should be allowed
to access the network or a network service.
As a CCNA and future CCNP, you've already configured authentication in
the form of creating a local database of usernames and passwords for
both Telnet access and PPP authentication. This is sometimes called a
self-contained AAA deployment, since no external server is involved.
It's more than likely that you'll be using a server configured for one of the
following security protocols:
- TACACS+, a Cisco-proprietary, TCP-based protocol
- RADIUS, an open-standard, UDP-based protocol originally developed by
  the IETF
An obvious question is "If there's a TACACS+, what about TACACS?"
TACACS was the original version of this protocol and is rarely used today.
Before we head into AAA Authentication configuration, there are some
other TACACS+ / RADIUS differences you should be aware of:
- While TACACS+ encrypts the entire packet, RADIUS encrypts only the
  password in the initial client-server packet.
- RADIUS actually combines the authentication and authorization
  processes, making it very difficult to run one but not the other.
- TACACS+ considers Authentication, Authorization, and Accounting to be
  separate processes. This allows another method of authentication to be
  used (Kerberos, for example), while still using TACACS+ for
  authorization and accounting.
- RADIUS does not support the Novell Async Services Interface (NASI)
  protocol, the NetBIOS Frame Protocol Control protocol, X.25 Packet
  Assembler / Disassembler (PAD), or the AppleTalk Remote Access Protocol
  (ARA or ARAP). TACACS+ supports all of these.
- RADIUS implementations from different vendors may not work well
  together, or at all.
- RADIUS can't control the authorization level of users, but TACACS+
  can.
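To make the first of those differences concrete, here is an added Python example (not code from the guide, from Cisco, or from either RFC's authors) that implements the RADIUS User-Password hiding of RFC 2865 and the TACACS+ body encryption of RFC 8907, then shows that a RADIUS Access-Request still carries the username readably on the wire while the TACACS+ body does not. The shared key CCNP is the one the guide configures; the Request Authenticator, the session ID and the simplified TACACS+ body are constructed values for the demonstration.

```python
import hashlib
import struct

# Constructed values for this demonstration. The shared key is the one the
# guide configures on R1 for both servers.
SHARED_KEY = b"CCNP"
REQUEST_AUTHENTICATOR = bytes(range(16))   # RADIUS RA: 16 random octets in real traffic
TACACS_SESSION_ID = 0x1234ABCD             # TACACS+ session_id: random in real traffic
TACACS_VERSION = 0xC0                      # major version 0xC, minor version 0


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeding with the Request
    Authenticator. Only this attribute is protected; nothing else is."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key_block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key_block))
        hidden += prev
    return hidden


def radius_unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse of the above; the key stream depends on the previous hidden block."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key_block = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key_block))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def radius_access_request_attrs(username: bytes, password: bytes,
                                secret: bytes, authenticator: bytes) -> bytes:
    """Attribute section of an Access-Request: User-Name (type 1) goes in the
    clear, User-Password (type 2) is hidden. Length octets count type+length."""
    hidden = radius_hide_password(password, secret, authenticator)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_body_crypt(body: bytes, session_id: int, key: bytes,
                      version: int, seq_no: int) -> bytes:
    """RFC 8907 section 4.5: the whole packet body is XORed with a pseudo-pad of
    chained MD5(session_id, key, version, seq_no[, previous digest]) digests.
    XOR is symmetric, so calling this twice restores the body."""
    base = struct.pack("!I", session_id) + key + struct.pack("!BB", version, seq_no)
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))


def leaks_username(packet: bytes, username: bytes) -> bool:
    """True if the username is readable as-is in the bytes that go on the wire."""
    return username in packet


if __name__ == "__main__":
    user, pw = b"gagne", b"awa"   # first account from the guide's local database
    radius = radius_access_request_attrs(user, pw, SHARED_KEY, REQUEST_AUTHENTICATOR)
    # Simplified stand-in for an authentication START body, not the full RFC layout.
    tacacs = tacacs_body_crypt(user + b"\x00" + pw, TACACS_SESSION_ID, SHARED_KEY,
                               TACACS_VERSION, 1)
    print("RADIUS exposes User-Name on the wire:", leaks_username(radius, user))
    print("TACACS+ exposes username on the wire:", leaks_username(tacacs, user))
```

Because both schemes derive their key stream from the shared key with MD5, the strength of that key is what stands between a captured packet and the credentials; treat it accordingly.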
Regardless of which "A" you're configuring, AAA must be enabled with the
global command aaa new-model. The location of the TACACS+ and / or
RADIUS server must then be configured, along with a shared encryption
key that must be agreed upon by the client and server. Since you're on
the way to the CCNP, that's what we'll use here.
R1(config)#aaa new-model
R1(config)#tacacs-server host 172.1.1.1 key CCNP
R1(config)#radius-server host 172.1.1.2 key CCNP
The aaa new-model command carries out two tasks:
- enables AAA
- overrides every previously configured authentication method for the
  router lines - especially the vty lines!
More on that "especially the vty lines" a little later in this section.
Multiple TACACS+ and RADIUS servers can be configured, and the key
can either be included at the end of the above commands or separate
from that, as shown below.
R1(config)#tacacs-server key CCNP
R1(config)#radius-server key CCNP
Now comes the interesting part! We've got a TACACS+ server at
172.1.1.1, a RADIUS server at 172.1.1.2, and the router is configured as
a client of both with a shared key of CCNP for both. Now we need to
determine which servers will be used for Authentication, and in what
order, with the aaa authentication command. Let's take a look at the
options:
R1(config)#aaa authentication login ?
WORD Named authentication list.
default The default authentication list.
The first choice is whether to configure a named authentication list, or a
default list that will be used for all authentications that do not reference a
named list.
In this example, we'll create a default list.
R1(config)#aaa authentication login default ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
Remember our old friend the enable password? We can configure
Authentication to use the enable password, and we could also use a line
password. More common is the local username authentication, which will
use a database local to the router.
That sounds complicated, but to build a username/password database,
just use the username/password command!
R1(config)#username gagne password awa
R1(config)#username afflis password wwa
R1(config)#username thesz password nwa
The username / password command creates a local database that can be
used for multiple purposes, including authenticating Telnet users. We
could create a local database and use it for AAA Authentication, but in this
example we'll use the TACACS+ and RADIUS servers. To do so, we
need to drill a little deeper with the aaa authentication command.
R1(config)#aaa authentication login default group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
R1(config)#aaa authentication login default group radius ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>
R1(config)#aaa authentication login default group radius group tacacs
The group radius and group tacacs commands configure the router to use
those devices for Authentication - but it's interesting that we were able to
configure more than one Authentication source.
Actually, we can name a maximum of four methods, and they'll be used in
the order listed. In the above command, the default list will check the
RADIUS server first. If there's an error or a timeout, the second method
listed will be checked.
If a user's authentication is refused by the first method, the second
method is not used, and the user's authentication attempt will fail.
Interestingly enough, "none" is an option with the aaa authentication
command.
R1(config)#aaa authentication login default group radius ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>
If you're concerned that all prior listed methods of authentication may
result in an error or timeout, you can configure none at the end of the aaa
authentication command.
Of course, if none is the only option you select, you've effectively disabled
authentication. Here, I've configured a default list on R3 that is using only
one authentication option - none! I then apply that list to the vty lines and
attempt to telnet to R3 from R1.
R3(config)#aaa new-model
R3(config)#aaa authentication login default none
R3(config)#line vty 0 4
R3(config-line)#login authentication default
R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open
R3>
Note that I was not prompted for a vty password. Not a good idea!
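The ordering rules just described (move to the next method only on an error or timeout, stop at an explicit reject, none always succeeds, and no list at all denies everyone) as an added Python simulation; this is not code from the guide. Server outcomes are scripted per scenario, the local database is constructed from usernames used earlier in this section, and treating an unknown local username as an error rather than a reject is an assumption of the model.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method explicitly rejected the credentials
    ERROR = "error"  # the method could not answer (server unreachable, timeout)


# Constructed local database in the shape the username/password command builds
# (keys kept lower-case because 'local' matches usernames case-insensitively).
LOCAL_DB = {"chris": "bryant", "gagne": "awa"}

# Method lists as they would follow 'aaa authentication login default ...'
RADIUS_FIRST = ["group radius", "group tacacs+"]
FALL_OPEN = ["group radius", "group tacacs+", "none"]
BACKDOOR = ["group tacacs+", "local"]
NO_LIST = []   # aaa new-model entered, no list ever defined


def evaluate_login(methods, user, password, server_outcomes):
    """Walk a login method list left to right. Only an ERROR moves on to the
    next method; a PASS or FAIL from any method ends the search at once.
    server_outcomes maps a server group ('radius', 'tacacs+') to the scripted
    Outcome that group gives in this scenario (missing group = ERROR).
    Returns (Outcome, deciding method), or (Outcome.FAIL, None) when the list
    is exhausted, which is also what an empty list yields."""
    for method in methods:
        if method == "none":
            return Outcome.PASS, method                   # no authentication at all
        if method.startswith("group "):
            outcome = server_outcomes.get(method.split()[1], Outcome.ERROR)
            if outcome is Outcome.ERROR:
                continue                                  # timeout: try the next method
            return outcome, method                        # accept or reject: stop here
        if method in ("local", "local-case"):
            name = user if method == "local-case" else user.lower()
            stored = LOCAL_DB.get(name)
            if stored is None:
                continue   # assumption of this model: unknown local user counts as an error
            return (Outcome.PASS if stored == password else Outcome.FAIL), method
        raise ValueError(f"unsupported method {method!r}")
    return Outcome.FAIL, None


if __name__ == "__main__":
    scenarios = [
        ("RADIUS times out, TACACS+ accepts", RADIUS_FIRST, "chris", "bryant",
         {"radius": Outcome.ERROR, "tacacs+": Outcome.PASS}),
        ("RADIUS rejects, TACACS+ never consulted", RADIUS_FIRST, "chris", "bryant",
         {"radius": Outcome.FAIL, "tacacs+": Outcome.PASS}),
        ("both servers down, list ends in none", FALL_OPEN, "anyone", "anything", {}),
        ("TACACS+ down, local back door", BACKDOOR, "chris", "bryant", {}),
        ("aaa new-model with no list defined", NO_LIST, "chris", "bryant", {}),
    ]
    for label, methods, user, pw, outcomes in scenarios:
        result, decided_by = evaluate_login(methods, user, pw, outcomes)
        print(f"{label}: {result.name} (decided by {decided_by})")
```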
And speaking of bad ideas....
Be VERY Careful When Configuring Authentication - You CAN Lock Yourself Out!
Sorry for all the yelling, but believe me - if you put half of the AAA
authentication in place, and log out without finishing it, you can end up
locked out of your own router!
I'll illustrate on a very basic setup using R1 and R3.
These routers are directly connected at their S1 interfaces, and R3 is
configured with a vty password of tuco. To allow users to enter privilege
level 15 (privileged EXEC mode), we'll use an enable secret of CCNP.
No username is configured on R3 for vty access, so when we telnet to R3
from R1, we will be prompted only for the vty password. When we run the
enable command, we'll be prompted for the enable secret password.
R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open

User Access Verification
Password: (vty password of tuco)
R3>en
Password: (enable secret password of CCNP)
R3#
And all is well! Now we'll start configuring AAA on R3 via the telnet
connection. The first step is to run the aaa new-model command.
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#aaa new-model
At this point, we're interrupted for some reason, so we save the config on
R3 before logging out.
R3#wr
Building configuration...
[OK]
R3#logout
[Connection to 172.12.13.3 closed by foreign host]
R1#
Once lunch -- I mean, the interruption is over, we'll log back in to R3 from
R1.
R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open

User Access Verification
Username:
Hmm. We weren't asked for a username before. Let's try both the vty
and enable passwords for that username.
R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open

User Access Verification
Username:
% Username: timeout expired!
Username: trump
Password:
% Access denied
Username: CCNP
Password:
% Access denied
[Connection to 172.12.13.3 closed by foreign host]
A couple of things to note...
- One authentication attempt timed out in the time it took me to cut and
  paste that config.
- When a username/password authentication attempt failed - here, two of
  them did - we were not told whether it was the username, password, or
  both that were bad.
- Finally, we were denied access to a router we could log into before
  the interruption.
The problem here is that we're being asked for a username that doesn't
actually exist!
Once you enable AAA, you've got to define the authentication methods
immediately afterwards. Right now, no one can successfully telnet to that
router, and someone's going to have to connect to it via the console port
and finish the configuration.
So let's do just that. We've got the aaa new-model command in place, so
we'll now define a local username/password database and have that
serve as the default authentication method. We'll configure a named list
called AAA_LIST and have R3's vty lines use that list for authentication.
R3(config)#username chris password bryant
R3(config)#aaa authentication login AAA_LIST local
R3(config)#line vty 0 4
R3(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.
R3(config-line)#login authentication AAA_LIST

R1#telnet 172.12.13.3
Trying 172.12.13.3 ... Open

User Access Verification
Username: chris
Password: (entered bryant here)
R3>enable
Password: (entered CCNP here)
R3#
Note that neither the vty line password nor the enable password is shown
when entered. No asterisks, no nothing!
It's an excellent idea to leave yourself a "back door" into the network by
configuring a local database with only one username and password - one
known only by you and perhaps another administrator - and ending the
aaa authentication command with local.
That way, if something happens to the one or two primary methods,
you've always got an emergency password to use.
Using AAA For Privileged EXEC Mode And PPP
The most common usage for AAA Authentication is for login
authentication, but it can also be used as the enable password itself or to
authenticate PPP connections.
If you want to configure the router to use AAA Authentication for the
enable password, use the aaa authentication enable command. Note that
you cannot specify a named list for the enable password, only the default
list.
R1(config)#aaa authentication enable ?
default The default authentication list. (No option for named list)
R1(config)#aaa authentication enable default ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
none NO authentication.
R1(config)#aaa authentication enable default group tacacs group radius
none
The above configuration would first look to the TACACS+ server to
authenticate a user attempting to enter privileged EXEC mode, then the
RADIUS server, and then would finally allow a user to enter with no
authentication needed.
To use AAA Authentication for PPP connections, use the aaa
authentication ppp command.
R1(config)#aaa authentication ppp ?
WORD Named authentication list.
default The default authentication list.
R1(config)#aaa authentication ppp default ?
group Use Server-group
if-needed Only authenticate if needed.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
R1(config)#aaa authentication ppp default group tacacs group radius local
The above command would first look to the TACACS+ server to
authenticate PPP connections, then RADIUS, then the router's local
database.
Why You Shouldn't Stop Configuring Authentication Until You're Done!
Configuring authentication isn't a long process, but make sure you're not
going to be interrupted! (Or as sure as you can be in our business.) If
you configure aaa new-model on a router, you can no longer configure a
single VTY line password, as shown below.
R1(config)#aaa new-model
R1(config)#line vty 0 4
R1(config-line)#login
% Incomplete command
R1(config-line)#login ?
authentication Authentication parameters.
R1(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.
R1(config-line)#login authentication default
AAA: Warning authentication list "default" is not defined for LOGIN.
Now, you'd think this would make the administrator realize that they need
to make a default list - but then again, maybe they don't realize it.
Maybe they don't know how and don't want to ask.
Maybe they headed for lunch.
It doesn't matter, because the end result is that no one can telnet in with
the router configured like this. A method list must be configured along
with the aaa new-model and login authentication commands.
Before moving on to Authorization, let's review the steps for an AAA
configuration using a TACACS+ server for telnet authentication. First, we
have to enable AAA, define the location of the TACACS+ server and
create the case-sensitive key.
R2(config)#aaa new-model
R2(config)#tacacs-server host 172.10.10.100
R2(config)#tacacs-server key PASSISCW
Next, create a default AAA method list that uses TACACS+, and will allow
users to connect with no authentication if there's a failure with TACACS+.
R2(config)#aaa authentication login default group tacacs none
Apply the default AAA list to the VTY lines, and we're all set!
R2(config)#line vty 0 4
R2(config-line)#login authentication default
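As an added example that is not part of the guide, this Python check reads a running-config fragment and reports the conditions this section warns about: aaa new-model with no login list defined, a vty line pointing at a list that does not exist (the "not defined for LOGIN" warning above), a list that is only none, and a list that ends in none. The config fragments are constructed to mirror the scenarios walked through above, not captures from the author's routers.

```python
# Constructed running-config fragments reproducing the situations the guide
# walks through; they are not captures from the author's routers.
LOCKED_OUT = """\
aaa new-model
!
line vty 0 4
 login authentication default
"""

OPEN_DOOR = """\
aaa new-model
aaa authentication login default none
!
line vty 0 4
 login authentication default
"""

FINISHED = """\
aaa new-model
username chris password bryant
aaa authentication login AAA_LIST group tacacs+ local
!
line vty 0 4
 login authentication AAA_LIST
"""


def parse_aaa_login(config: str):
    """Pull out what the checks need: whether aaa new-model is set, the login
    method lists by name, and which list each vty line applies."""
    new_model = False
    lists = {}      # list name -> method tokens, e.g. ['group', 'tacacs+', 'local']
    vty_lists = {}  # 'vty 0 4' -> list name, or None when the line names no list
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):      # back at the top level: leave any line block
            current = None
        if line == "aaa new-model":
            new_model = True
        elif line.startswith("aaa authentication login "):
            tokens = line.split()
            lists[tokens[3]] = tokens[4:]
        elif line.startswith("line vty "):
            current = line[len("line "):]
            vty_lists[current] = None
        elif current and line.startswith("login authentication "):
            vty_lists[current] = line.split()[2]
    return new_model, lists, vty_lists


def audit_aaa_login(config: str):
    """Return one finding per lockout or fail-open condition the guide describes."""
    new_model, lists, vty_lists = parse_aaa_login(config)
    findings = []
    if not new_model:
        return findings   # legacy line password handling; nothing AAA-specific applies
    if not lists:
        findings.append("aaa new-model is set but no 'aaa authentication login' list "
                        "exists: nobody can log in until one is added from the console")
    for name, methods in lists.items():
        if methods == ["none"]:
            findings.append(f"list {name} is 'none' only: authentication is disabled")
        elif methods and methods[-1] == "none":
            findings.append(f"list {name} ends in 'none': logins succeed with no "
                            "credentials if every earlier method errors out or times out")
    for line, name in vty_lists.items():
        effective = name or "default"   # a vty line naming no list uses the default list
        if effective not in lists:
            findings.append(f"line {line} uses list '{effective}', which is not defined: "
                            "telnet to this line will be refused")
    return findings


if __name__ == "__main__":
    for label, cfg in (("locked out", LOCKED_OUT), ("open door", OPEN_DOOR),
                       ("finished", FINISHED)):
        print(f"{label}: {audit_aaa_login(cfg) or ['no findings']}")
```

Run it against a saved copy of show running-config before you log out of a session in which you typed aaa new-model.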

Authorization
Authentication decides whether a given user should be allowed into the
network; Authorization dictates what users can do once they are in.
The aaa authorization command creates a user profile that is checked
when a user attempts to use a particular command or service. As with
Authentication, we'll have the option of creating a default list or a named
list, and AAA must be globally enabled with the aaa new-model
command.
R1(config)#aaa new-model
R1(config)#aaa authorization ?
auth-proxy For Authentication Proxy Services
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
exec For starting an exec (shell).
network For network services. (PPP, SLIP, ARAP)
reverse-access For reverse access connections
R1(config)#aaa authorization exec ?
WORD Named authorization list.
default The default authorization list.
R1(config)#aaa authorization exec default ?
group Use Server-group
if-authenticated Succeed if user has authenticated.
local Use local database.
none No authorization (always succeeds).

Privilege Levels And AAA Authorization
Privilege levels define what commands a user can actually run on a
router. There are three predefined privilege levels on Cisco routers, two
of which you've been using since you started your Cisco studies - even if
you didn't know it!
When you're in user exec mode, you're actually in privilege level 1, as
verified with show privilege:
R2>show privilege
Current privilege level is 1
By moving to privileged exec mode with the enable command, you move
from level 1 to level 15, the highest level:
R2>show privilege
Current privilege level is 1
R2>enable
R2#show privilege
Current privilege level is 15
There's actually a third predefined privilege level, Level Zero, which allows
the user to run only the commands exit, logout, disable, and enable.
Obviously, a user at Level Zero can't do much.
There's a huge gap in network access between levels 1 and 15, and the
remaining levels 2-14 can be configured to fill that gap. Levels 2 - 14 can
be configured to allow a user assigned a particular privilege level to run
some commands, but not all of them.
Assume you have a user who should not be allowed to use the ping
command, which by default can be run from privilege level 1:
R2>ping 172.1.1.1 (Success of the ping has been edited)
By moving the ping command to privilege level 5, a user must have at
least that level of privilege in order to use ping. To change the privilege
level of a command, use the privilege command. (IOS Help shows
approximately 30 options following privilege, so I won't put all of those
here.)
R2(config)#privilege ?
address-family Address Family configuration mode
configure Global configuration mode
congestion Frame Relay congestion configuration mode
dhcp DHCP pool configuration mode
exec Exec mode
R2(config)#privilege exec ?
level Set privilege level of command
reset Reset privilege level of command
R2(config)#privilege exec level ?
<0-15> Privilege level
R2(config)#privilege exec level 5 ?
LINE Initial keywords of the command to modify
R2(config)#privilege exec level 5 ping
A user must now have at least a privilege level of 5 to send a ping. Let's
test that from both level 1 and 15.
R2>ping 172.1.1.1
^
% Invalid input detected at '^' marker.
R2#ping 172.1.1.1 (Success of ping edited)
Note that the user is not told they're being denied access to this command
because of privilege level. The ping works successfully from Level 15.
There are two options for assigning privilege levels to users, one involving
AAA and one not. To enable AAA Authorization to use privilege levels,
use the aaa authorization command followed by the appropriate option:
R2(config)#aaa authorization ?
auth-proxy For Authentication Proxy Services
commands For exec (shell) commands.
config-commands For configuration mode commands.
configuration For downloading configurations from AAA server
exec For starting an exec (shell).
network For network services. (PPP, SLIP, ARAP)
reverse-access For reverse access connections
The full command to use the TACACS+ server to assign privilege levels,
followed by the local database, is as follows:
R2(config)#aaa authorization commands 5 default group tacacs+ local
Getting authorization to work exactly the way you want it to does take
quite a bit of planning and testing due to the many options.
Privilege levels can also be assigned via the router's local database. To
do so, use the privilege option in the middle of the username/password
command.
R2(config)#username chris privilege 5 password bryant
That would assign a privilege level of 5 to that particular user.
The Authorization feature of AAA can also assign IP addresses and other
network parameters to Mobile IP users. How this occurs is beyond the
scope of the ISCW exam, but you can refer to RFC 2905 for more details.
Perhaps more details than you'd like to know!
Accounting
Authentication decides who can get in and who can't; authorization
decides what users can do once they get in; accounting tracks the
resources used by the authorized user.
This tracking can be used for security purposes (detecting users doing
things they shouldn't be doing), or for tracking network usage in order to
bill other departments in your company.
As with authentication and authorization, accounting requires that AAA be
globally enabled. The aaa accounting command is used to define the
accounting parameters -- and IOS Help shows us that there are quite a
few options!
Earlier in this section, we talked about privilege levels, and accounting can
be configured to track commands at any given privilege level. Even that
seemingly simple task takes a good deal of IOS digging, as shown below.
Overall, AAA supports six different accounting formats, as shown below in
IOS Help.
R2(config)#aaa accounting ?
auth-proxy For authentication proxy events.
commands For exec (shell) commands.
connection For outbound connections. (telnet, rlogin)
delay-start Delay PPP Network start record until peer IP address is known.
exec For starting an exec (shell).
nested When starting PPP from EXEC, generate NETWORK records before EXEC-STOP record.
network For network services. (PPP, SLIP, ARAP)
resource For resource events.
send Send records to accounting server.
suppress Do not generate accounting records for a specific type of user
system For system events.
update Enable accounting update records.
Here's a brief look at each category and what accounting information can
be recorded.
Commands: Information regarding EXEC mode commands issued by a
user.
Connection: Information regarding all outbound connections made from
network access server. Includes Telnet and rlogin.
EXEC: Information about user EXEC terminal sessions.
Network: Information regarding all PPP, ARAP, and SLIP sessions.
Resource: Information regarding start and stop records for calls passing
authentication, and stop records for calls that fail authentication.
System: Non-user-related system-level events are recorded.
To finish the aaa accounting command, let's assume we want to enable
auditing of privileged mode commands. As IOS Help will show you, to do
this you have to know the level number of the mode you wish to audit, and
privileged exec mode is level 15.
R2(config)#aaa accounting commands ?
<0-15> Enable level
R2(config)#aaa accounting commands 15
% Incomplete command.
R2(config)#aaa accounting commands 15 ?
WORD Named Accounting list.
default The default accounting list.
R2(config)#aaa accounting commands 15 default ?
none No accounting.
start-stop Record start and stop without waiting
stop-only Record stop when service terminates.
wait-start Same as start-stop but wait for start-record commit.
R2(config)#aaa accounting command 15 default start-stop ?
broadcast Use Broadcast for Accounting
group Use Server-group
R2(config)#aaa accounting command 15 default start-stop group tacacs
Both authorization and accounting offer so many different options that it's
impossible to go into all of them here, and you're not responsible for
complex configurations involving either one on your ISCW exam.
You should know the basic commands and that AAA must be globally
enabled before either can be configured. Also, there are no enable, login,
or local options with accounting - we're limited to using TACACS+ and/or
RADIUS servers for accounting purposes.
R2(config)#aaa accounting exec default start-stop group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

Hot Spots And Gotchas
An AAA Authentication statement generally has more than one option
listed. They're checked in the order in which they are listed, from left to
right. If the first option is unavailable, the next is checked. However, if
the first option FAILS the user's authentication attempt, the user is denied
authentication and the process ends.
If you enable AAA with the aaa new-model command and then do not
complete the Authentication configuration, no one can authenticate.
It's also legal to specify none as the only authentication option, but that
basically disables authentication!
HQ(config)#aaa authentication login default none
You can use a named list with aaa authentication login, but not with aaa
authentication enable.
HQ(config)#aaa authentication login ?
WORD Named authentication list.
default The default authentication list.
HQ(config)#aaa authentication enable ?
default The default authentication list.
Real-world note that may come in handy on exam day:
Don't get too clever and name your lists "AAA". That tends to confuse
others. For example, in the aaa authentication login command, I would
not use this command:
HQ(config)#aaa authentication login AAA group tacacs+ none
That command uses a list named "AAA" for authentication. Again, it's just
not something I like to do, but it is legal.
What does each "A" mean?
- Authentication - Can the user come in?
- Authorization - What can the user do when they come in? Can they
  assign privilege levels? IP addresses? Delete configurations? Assign
  ACLs? Change the username/password database, perhaps?
- Accounting - What network resources did the user access, and for how
  long?
The Accounting information that can be recorded falls into six main
categories:
- command - accounting for all commands at a specified privilege level
- exec - accounting for exec sessions
- system - non-user system events
- network - all network-related service requests (NCP, ARA, SLIP)
- connection - outbound connections (Telnet, rlogin)
- resource - stop and start records
With accounting, we can save information to RADIUS or TACACS+
servers.
HQ(config)#aaa accounting exec default start-stop group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.
And finally, a quick RADIUS vs. TACACS+ comparison:
RADIUS:
- Open-standard protocol
- Runs on UDP
- Can't control authorization level of users
- Authentication and authorization are combined, so running a separate
  authorization protocol is not practical
TACACS+:
- Cisco-proprietary protocol
- Runs on TCP
- Can control authorization level of users
- Authentication and authorization are separate processes, so running a
  separate authorization protocol is possible
Copyright 2010 The Bryant Advantage. All Rights Reserved.
