Introduction to AAA Implementation

    By default, a Cisco IOS device performs authentication based on a line password and authorization based on a level 15 enable password.  This is a problem for any organization that desires granularity or the ability to track activities back to one of multiple users.  The solution to this is AAA, an acronym for Authentication, Authorization and Accounting.  This allows an administrator to configure granular access and auditability on an IOS device.  To enable this more advanced and granular control in IOS, we must first use the "aaa new-model" command.

    c1841(config)#aaa new-model

    After the "aaa new-model" command has been enabled, external servers can be defined to service one or more components of the AAA triad.  In other words, external servers can be configured to perform Authentication, Authorization, and/or Accounting.  An acceptable method for Authentication and Authorization that does not require external servers could be "local", "line" or "enable".  Therefore, even with AAA configured, external servers are not required.  To configure an AAA server, however, the command begins with either "radius-server" or "tacacs-server".

    c1841(config)#radius-server host 1.1.1.1  key cisco

    c1841(config)#tacacs-server host 2.2.2.2 key cisco

    The next step when enabling AAA on IOS devices is to begin building method lists.  A method list is a construct that lets an administrator attach a process that requires authentication, authorization and/or accounting to one or more methods that can satisfy that need.  For example, a login may require authentication and could be attached to the "local" authentication database.  The exec process could be assigned an authorization level from various sources, such as tacacs, radius or local; in this case, an enable level ranging from 0 to 15 would be assigned to the exec process based on a value returned by the server.  Method lists are generally configured using the format below.  Some options are omitted for brevity.

    aaa [ authentication | authorization | accounting ] <process> { <list name>  | default } { local | group ( radius | tacacs ) }

    As method lists are built, it quickly becomes apparent that there are different processes and options depending on whether the method is for authentication, authorization or accounting.  The other thing that should be mentioned is that a method list named "default" applies to all processes of that type, unless the process itself is configured otherwise.  For example, an authentication method list for "login" using the keyword "default" will apply to all login processes unless a login process is explicitly configured to use another method list.  For example:

    c1841(config)#username cisco password cisco

    //this method is attached by default

    c1841(config)#aaa authentication login default local

    //this method is not attached

    c1841(config)#aaa authentication login RAD group radius

    c1841(config)#line vty 0 4

    c1841(config-line)#login

    With the above five lines of configuration, telnet authentication would use the local user database.  However, by attaching "RAD" to the login process as demonstrated below, users that telnet to this device would be authenticated against the radius server.

    //local user isn't used with this configuration

    c1841(config)#username cisco password cisco

    //this method is attached by default

    c1841(config)#aaa authentication login default local

    //but this method is explicitly attached

    c1841(config)#aaa authentication login RAD group radius

    c1841(config)#line vty 0 4

    c1841(config-line)#login authentication RAD
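    As an added example (not part of the original article), the following Python script resolves which login authentication method list actually governs each line of an IOS-style configuration, applying the rule just described: an explicit "login authentication NAME" under the line wins, otherwise the "default" list applies.  The configuration fragment, list names and line names are constructed for illustration, not taken from a real device.

```python
import re

# Constructed IOS-style running-config fragment, modelled on the article's
# examples: a default list, two named lists, one line left on the default and
# two lines with explicit attachments.  Not captured from a real device.
SAMPLE_CONFIG = """\
aaa new-model
username cisco password cisco
aaa authentication login default local
aaa authentication login RAD group radius
aaa authentication login TAC group tacacs+
line con 0
line aux 0
 login authentication TAC
line vty 0 4
 login authentication RAD
"""

LIST_RE = re.compile(r"^aaa authentication login (\S+) (.+)$")


def parse_login_lists(config):
    """Return {list_name: method_string} for each 'aaa authentication login'."""
    lists = {}
    for raw in config.splitlines():
        m = LIST_RE.match(raw.strip())
        if m:
            lists[m.group(1)] = m.group(2)
    return lists


def effective_login_methods(config):
    """Map each 'line ...' block to the (list_name, methods) governing login.
    methods is None when the referenced list is not defined in the config."""
    lists = parse_login_lists(config)
    effective, current = {}, None
    for raw in config.splitlines():
        text = raw.strip()
        if text.startswith("line "):
            current = text[len("line "):]
            effective[current] = ("default", lists.get("default"))  # implicit
        elif current and text.startswith("login authentication "):
            name = text.split()[2]
            effective[current] = (name, lists.get(name))  # explicit attachment
    return effective


def lines_without_server_group(config):
    """Lines whose effective list never consults a RADIUS/TACACS+ group, i.e.
    logins that a central AAA server cannot attribute to an individual user."""
    resolved = effective_login_methods(config).items()
    return sorted(name for name, (_, methods) in resolved
                  if not methods or "group" not in methods)
```

Running it against a real "show running-config" export works the same way, since the parser only looks at "aaa authentication login", "line" and "login authentication" statements.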

     

    Accomplishing this with TACACS+, as opposed to Radius, requires a very similar configuration.

    c1841(config)#aaa authentication login TAC group tacacs+

    c1841(config)#line vty 0 4

    c1841(config-line)#login authentication TAC

    So far, the configuration examples have only included authentication.  Expanding on this to use exec authorization allows the IOS device to place the user into a privilege level upon logging in.  Notice that "TAC" is used as the method list name for authorization as well as authentication.  These are technically two separate method lists that happen to share a name.  This is possible because they are attached to different processes.  They could have different and perhaps more descriptive names, such as "TACAUTHEN" for Authentication and "TACAUTHOR" for Authorization.  Additionally, the "default" keyword could have been used, in which case no configuration would have been required under the line.

    c1841(config)#aaa authentication login TAC group tacacs+

    c1841(config)#aaa authorization exec TAC group tacacs+

    c1841(config)#line vty 0 4

    c1841(config-line)#login authentication TAC

    c1841(config-line)#authorization exec TAC

    Another place that might be important to attach one or more AAA methods is to the http server process.  This could be used to control access through SDM.

    c1841(config)#aaa authentication login TAC group tacacs+

    c1841(config)#aaa authorization exec TAC group tacacs+

    c1841(config)#ip http authentication aaa

    c1841(config)#ip http authentication aaa login-authentication TAC

    c1841(config)#ip http authentication aaa exec-authorization TAC

    Authentication and Authorization are the first two "A's" in the AAA triad.  The third item is Accounting.  Enabling and attaching Accounting methods is very similar to Authentication and Authorization configuration.  An example might be configuring Accounting to log the start and stop of the exec process.  In the example below, the "default" keyword is used, so there is no need to attach it to the exec process explicitly.

    c1841(config)#aaa accounting exec default start-stop group tacacs+

    Accounting on the exec process can at most log the beginning and end of a session.  A more useful example of Accounting might be to log the commands entered on an IOS device through telnet or SSH.  The example below will log commands that are entered at privilege level 15 only.

    c1841(config)#aaa accounting commands 15 TAC15 group tacacs+

    c1841(config)#line vty 0 4

    c1841(config-line)#accounting commands 15 TAC15

    TACACS+ also has the ability to authorize commands.  This is a difficult concept to understand until it is seen in action.  When command authorization is configured, each command is sent to the TACACS+ server to verify that the user should be able to execute the command.  When a user attempts to enter a command in a router, the user's current privilege level is first compared against the level that the command is configured at.  This happens before command authorization.  By default, Cisco routers have commands configured at level 0, 1 and 15.  Assuming that the user is logged on at an equal or higher privilege level, the command passes the privilege level check.  Next, if command Authorization is configured, the command is then sent to the AAA server for command authorization.  Since Radius lacks this ability, this is a TACACS+ only configuration option.  The example below combines TACACS+ authentication, accounting, exec authorization and command authorization (along with config-commands).  In this example, the configuration is attached to processes on the console port.  The console port is a bit unique in that authorization implicitly passes by default.  This is a mechanism to help keep administrators from being locked out of their devices.  Notice the "aaa authorization console" command that overrides this behavior.

    c1841(config)#aaa authentication login TAC group tacacs+

    c1841(config)#aaa accounting commands 15 TAC group tacacs+

    //assign the exec a privilege level from tacacs+

    c1841(config)#aaa authorization exec TAC group tacacs+

    //check the individual commands against tacacs+

    c1841(config)#aaa authorization commands 15 TAC group tacacs+

    c1841(config)#aaa authorization commands 1 TAC group tacacs+

    c1841(config)#aaa authorization commands 0 TAC group tacacs+

    //explicitly permit authorization on the console

    //this is not required for vty lines

    c1841(config)#aaa authorization console

    //authorize the config commands too

    c1841(config)#aaa authorization config-commands

    //attach these methods to the console port

    c1841(config)#line con 0

    c1841(config-line)#login authentication TAC

    c1841(config-line)#accounting commands 15 TAC

    c1841(config-line)#authorization exec TAC

    c1841(config-line)#authorization commands 15 TAC

    c1841(config-line)#authorization commands 1 TAC

    c1841(config-line)#authorization commands 0 TAC

    AAA is a much more granular approach to allowing access to an IOS device.  Organizations with more than one or two network administrators typically have some need to track access and audit changes.  Additionally, when an individual's employment changes, it is often necessary to quickly revoke access or change a password.  In these instances, a centralized approach to Authentication, Authorization and Accounting is desirable.  This centralization might involve a Cisco Secure ACS using TACACS+ or Radius.  Alternatively, it could utilize one of many other commercial or open source Radius platforms.  In any case, enabling and configuring AAA is fairly straightforward once it is understood how the structure and components fit together.