AAA

AAA stands for Authentication (verifying a user's identity), Authorization (limiting access to certain features) and Auditing (recording the actions taken by a user).

examples of normal (non-AAA) authentication are the enable secret and the password set on a line (console, vty)

normal authentication (non-AAA) is usually used in small environments or as a backup to AAA

a user is created locally on a device with the username command. to add a user named joe with the password cisco, the command would look like this
username joe password cisco

each user can be assigned a different privilege level (1-15). a higher number means more privilege.

AAA uses an external server to store user names and passwords

RADIUS and TACACS+ are the two protocols used for authentication and authorization. both are widely used. cisco generally recommends TACACS+ over RADIUS, as it is cisco proprietary; RADIUS cannot limit the commands a user can execute (no per-command authorization)

to configure RADIUS / TACACS+ authentication, first enter this command
aaa new-model
then specify the server host.
example for tacacs server:
tacacs-server host 192.168.1.10 key password

example for radius server:
radius-server host 10.100.200.200 key password
radius-server host 10.100.200.201 key password

you can specify more than one server. they are queried in the order listed (if a server is unavailable, the next one is queried). key is the shared secret used to authenticate to the server itself, if required.

then create method lists as needed. a method list specifies how AAA should treat users: whether to challenge them for a password and where to look it up. the available methods are local, tacacs+, radius, krb5, line and none; i don't cover all of them here. AAA can authenticate not only login but also ppp, ARAP, etc. here is an example of a method list:
aaa authentication login My-Method group tacacs+ local

My-Method is the name of the method list.

here there are two methods, tacacs+ and local. should the tacacs+ query fail (an incorrect password rejected by the server is not considered a failure), the local password list will be used.
then apply the method list to an interface / line as needed. here is an example
line vty 0 4
login authentication My-Method

here, i'm applying the My-Method method list created earlier to VTY lines 0-4. this
will have the effect of challenging telnet sessions to the router with whatever authentication methods exist in the My-Method method list.

*be careful when configuring AAA for the first time. You can easily lock yourself out of the router by enabling AAA authentication without configuring any users.
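as an added example (not from the original post), here is the whole procedure above put together in a way that avoids the lockout: a local fallback account is created before AAA is turned on, the VTY method list falls back to the local database only when no TACACS+ server answers, and the console keeps a list that ends in local. the second server address, the user name and the placeholder secrets are constructed.

```cisco
! --- lockout-prone form (for comparison, do not use as-is) ---
! aaa new-model
! aaa authentication login default group tacacs+
! no local user exists and the default list has no local fallback:
! once the TACACS+ server is unreachable, nobody can log in.

! --- safer form ---
! 1. local fallback account, created BEFORE aaa new-model.
!    "secret" stores a hash instead of the cleartext that "password" keeps.
username admin privilege 15 secret <local-password-placeholder>
!
! 2. enable AAA and define the TACACS+ servers (queried in the order listed)
aaa new-model
tacacs-server host 192.168.1.10 key <shared-key-placeholder>
tacacs-server host 192.168.1.11 key <shared-key-placeholder>
!
! 3. VTY method list: TACACS+ first, local database only if no server responds.
!    a password the server rejects is a FAIL, not an ERROR, so it does not
!    fall through to local; only an unreachable server does.
aaa authentication login My-Method group tacacs+ local
!
! 4. console list that always ends in local, so physical console access
!    still works if every server is down
aaa authentication login Console-Method local
!
! 5. apply the lists to the lines
line con 0
 login authentication Console-Method
line vty 0 4
 login authentication My-Method
```

apply this from the console (not over telnet) and keep that session open until a second session has successfully logged in through TACACS+.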
