Exploring AAA Basics
AAA is a protocol used to secure access to Cisco network devices. AAA stands for Authentication, Authorization, and Accounting. The AAA model answers three questions:
- Who is on the network?
- What are they allowed to do on the network?
- What have they been doing on the network?
AAA allows for a granular approach to securing the devices by setting policies for either a group or individual and by allowing the administrator to use different method lists for different access types. For example, the engineer could create a method list for authentication that states the TACACS+ server at 10.0.0.1 should be used for console access and should fall back to the local database. A different method list can be used for the VTY lines stating that a RADIUS server should be used and fall back to the local database. If the default method list is used, then it applies to all device access methods.
AAA can be used with both RADIUS and TACACS+ servers to provide secure services. This post will not go into the details of RADIUS and TACACS+, but there are some noteworthy differences between the two protocols:
- TACACS+ uses TCP port 49 for communication, while RADIUS uses UDP ports 1645/1646 or 1812/1813.
- TACACS+ encrypts the entire body of the packet. RADIUS only encrypts the password.
- TACACS+ is more flexible in the protocols that it can support.
- TACACS+ is proprietary. RADIUS is defined in RFC 2138 and is an open standard.
Configuring AAA on the command line is fairly simple, but the commands can be quite lengthy depending on the optional parameters used within the command set itself.
When AAA runs, the methods in a method list are tried in the order they were configured. Suppose we have a configuration line that looks like the following:
aaa authentication login default group tacacs+ local
The default method list will be checked in the order configured on the CLI. In this case, the TACACS+ server would be queried for authentication. If the TACACS+ server does not respond, the next method in the list will be checked; in this case, that is the local database. It's important to understand that if authentication fails using the TACACS+ method, the local database will not be used. The local database would only be used if the TACACS+ server was unresponsive.
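To make the fall-through rule above concrete, here is a small model of how a method list is walked (an added example, not code from the original post; the `responders` callables are stand-ins for the TACACS+ server and the local database):

```python
# Added example, not from the original post: a model of how IOS walks an
# authentication method list such as
#   aaa authentication login default group tacacs+ local
# Each method answers PASS, FAIL or ERROR. Only ERROR (server unreachable)
# moves on to the next method; a FAIL returned by the server is final and
# the local database is never consulted.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

def evaluate_method_list(methods, responders):
    """methods: method names in configured order.
    responders: dict method -> zero-arg callable returning PASS/FAIL/ERROR.
    Returns (status, deciding_method, trail). status is ERROR when no method
    could decide; the post does not cover that case, so it is left undecided."""
    trail = []
    for method in methods:
        status = responders[method]()
        trail.append((method, status))
        if status == ERROR:
            continue                      # unreachable: try the next method
        return status, method, trail      # PASS or FAIL ends the walk
    return ERROR, None, trail

# Constructed scenarios: TACACS+ unreachable vs. TACACS+ rejecting the user,
# with a valid local user in both cases.
def scenario_tacacs_unreachable():
    return evaluate_method_list(
        ["tacacs+", "local"],
        {"tacacs+": lambda: ERROR, "local": lambda: PASS})

def scenario_tacacs_rejects():
    return evaluate_method_list(
        ["tacacs+", "local"],
        {"tacacs+": lambda: FAIL, "local": lambda: PASS})
```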
The engineer does not have to use the default method list when configuring AAA. Separate named method lists can be defined for authentication, authorization and accounting, and each can be applied to a line.
One interesting caveat is that Cisco IOS will not display the RADIUS commands until the aaa new-model command has been entered into the CLI. However, the TACACS+ server can be defined even without the aaa new-model command.
**Note** When the aaa new-model command is issued at the command line, all other authentication methods will be null and the default method list will be applied to all lines. Be very careful here. Can you say password recovery?
Now let's look at an example. Suppose we have the following requirements:
- Configure AAA on R1
- Set the enable password to CCIE
- Create a user in the local database called USER1 with password PASS1
- USER1 should use a method list called LIST1
- USER1 should first try to authenticate to a TACACS+ server located at 177.1.1.7
- Use the key string CCIE for the TACACS+ server
- User authentication should use the local database if the TACACS+ server fails to respond
- The username and password should be case sensitive
- Authentication requests should be sourced from the loopback interface
- The method list should be applied to the VTY lines
- Ensure that privilege level access uses the TACACS+ server and falls back to the enable password
username USER1 password PASS1
enable password CCIE
!
!
ip tacacs source-interface Loopback1
tacacs-server host 177.1.1.7
tacacs-server key CCIE
!
!
aaa new-model
aaa authentication login LIST1 group tacacs+ local-case
aaa authentication enable default group tacacs+ enable
!
!
line vty 0 4
login authentication LIST1
We can test this by turning on debug aaa authentication on R1. We will test this configuration by telnetting from R3 to the R1 loopback. The first test will use an incorrect password when entering privileged exec mode.
AAA/BIND(00000011): Bind i/f
AAA/AUTHEN/LOGIN (00000011): Pick method list 'LIST1'
AAA: parse name=tty98 idb type=-1 tty=-1
AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
AAA/MEMORY: create_user (0x6723D6E8) user='USER1' ruser='NULL' ds0=0 port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
AAA/AUTHEN/START (756001): port='tty98' list='' action=LOGIN service=ENABLE
AAA/AUTHEN/START (756001): using "default" list
AAA/AUTHEN/START (756001): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=756001
AAA/AUTHEN(756001): Status=ERROR
AAA/AUTHEN/START (756001): Method=ENABLE
AAA/AUTHEN(756001): Status=GETPASS
AAA/AUTHEN/CONT (756001): continue_login (user='(undef)')
AAA/AUTHEN(756001): Status=GETPASS
AAA/AUTHEN/CONT (756001): Method=ENABLE
AAA/AUTHEN(756001): password incorrect
AAA/AUTHEN(756001): Status=FAIL
AAA/MEMORY: free_user (0x6723D6E8) user='NULL' ruser='NULL' port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
We can see from the above debug output that the router tried to contact the TACACS+ server and got a status of "ERROR". It then used the second method in the list, which is the enable password. That method returned a "password incorrect" message and a status of "FAIL".
Let's try it again and use the correct credentials so we can see the debug output.
AAA/BIND(00000012): Bind i/f
AAA/AUTHEN/LOGIN (00000012): Pick method list 'LIST1'
AAA: parse name=tty98 idb type=-1 tty=-1
AAA: name=tty98 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=98 channel=0
AAA/MEMORY: create_user (0x6728C130) user='USER1' ruser='NULL' ds0=0 port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
AAA/AUTHEN/START (3981081858): port='tty98' list='' action=LOGIN service=ENABLE
AAA/AUTHEN/START (3981081858): using "default" list
AAA/AUTHEN/START (3981081858): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=-313885438
AAA/AUTHEN(3981081858): Status=ERROR
AAA/AUTHEN/START (3981081858): Method=ENABLE
AAA/AUTHEN(3981081858): Status=GETPASS
AAA/AUTHEN/CONT (3981081858): continue_login (user='(undef)')
AAA/AUTHEN(3981081858): Status=GETPASS
AAA/AUTHEN/CONT (3981081858): Method=ENABLE
AAA/AUTHEN(3981081858): Status=PASS
AAA/MEMORY: free_user (0x6728C130) user='NULL' ruser='NULL' port='tty98' rem_addr='10.0.13.3' authen_type=ASCII service=ENABLE priv=15 vrf= (id=0)
From the above output, we can see that the router tried to contact the TACACS+ server and got a status of "ERROR", meaning the TACACS+ server did not respond, so the router used the second method in the list. This time authentication was successful. We can verify that by the Status=PASS message in the debug output.
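Reading these debug transcripts by hand is fine for two sessions, but on a busy device you want to pull out the method trail per session and flag every login that fell past an unreachable TACACS+ server to the enable or local password. The following parser is an added example, not code from the original post; the regexes are written against the line formats shown above and the sample input is trimmed from the post's own debug output:

```python
# Added example, not from the original post: parse 'debug aaa authentication'
# output and report, per session, the methods tried in order and the result.
# A fallback past an ERROR to the enable/local password is worth alerting on:
# it means the TACACS+ server was unreachable when the login happened.
import re
METHOD_RE = re.compile(r"AAA/AUTHEN/(?:START|CONT) \((\d+)\): Method=(\S+)")
STATUS_RE = re.compile(r"AAA/AUTHEN\((\d+)\): Status=(\w+)")
DECISIVE = {"PASS", "FAIL", "ERROR"}   # GETPASS/GETUSER are only prompts

def analyze_debug(text):
    """Return {session_id: {"trail": [(method, status), ...], "final": status}}."""
    sessions, current = {}, {}
    for line in text.splitlines():
        m = METHOD_RE.search(line)
        if m:
            sid, method = m.groups()
            current[sid] = method            # method the next Status= refers to
            sessions.setdefault(sid, {"trail": [], "final": None})
            continue
        s = STATUS_RE.search(line)
        if s and s.group(2) in DECISIVE:
            sid, status = s.groups()
            sess = sessions.setdefault(sid, {"trail": [], "final": None})
            sess["trail"].append((current.get(sid, "?"), status))
            if status != "ERROR":
                sess["final"] = status       # PASS/FAIL ends the list walk
    return sessions

def fallback_events(sessions):
    """Sessions where a method returned ERROR and a later method decided."""
    events = {}
    for sid, sess in sessions.items():
        errored = [meth for meth, st in sess["trail"] if st == "ERROR"]
        if errored and sess["final"]:
            events[sid] = (errored, sess["trail"][-1][0], sess["final"])
    return events

# Sample input: the two sessions from the post's own debug output, trimmed.
SAMPLE = """\
AAA/AUTHEN/START (756001): Method=tacacs+ (tacacs+)
AAA/AUTHEN(756001): Status=ERROR
AAA/AUTHEN/START (756001): Method=ENABLE
AAA/AUTHEN(756001): Status=GETPASS
AAA/AUTHEN/CONT (756001): Method=ENABLE
AAA/AUTHEN(756001): Status=FAIL
AAA/AUTHEN/START (3981081858): Method=tacacs+ (tacacs+)
AAA/AUTHEN(3981081858): Status=ERROR
AAA/AUTHEN/START (3981081858): Method=ENABLE
AAA/AUTHEN(3981081858): Status=PASS
"""
```

Running `fallback_events(analyze_debug(SAMPLE))` reports both sessions as having fallen back from tacacs+ to ENABLE, one ending in FAIL and one in PASS, which matches the two transcripts above.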