AAA
Authentication, Authorization, Accounting (aka Triple A)
Local database
General information on “AAA Local database”:
- Locally created users can be used to administer the device
- They are only valid on the device they were created
- Different privilege levels can be assigned to different users
- Defining no privilege level when creating a user automatically assigns level 15 to him
- Important: By default the aaa authorization command only applies to VTY lines. If authorization is needed for console line it needs to be configured separately via the aaa authorization console command.
Default privilege levels:
- Level-0: Only a few commands available, mostly used to enable access to a higher level
- Level-1: Only show commands are available
- Level-15: Full access to the device
Custom privilege levels:
- Every level between 2 and 14 is not pre-defined and can be customized
- It’s possible to create different command sets for different users
- All use level-1 as basis but additional commands must be explicitly defined
“AAA Local database” CLI configuration commands:
## Enabling AAA globally:
Router(config)# aaa new-model
## Configuring a local user with privilege level
Router(config)# username <name> privilege <level> secret <password>
## Configuring AAA Authentication globally
Router(config)# aaa authentication login default local
## Configuring AAA Authorization globally
Router(config)# aaa authorization exec default local
Router(config)# aaa authorization console
## Configuring a custom AAA privilege level set
Router(config)# privilege <command-set> level <level> <command>
## Configuring AAA local accounting
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-cfg)# log enable
Router(config-archive-log-cfg)# log size <queue-size>
Router(config-archive-log-cfg)# hidekeys
Router(config-archive-log-cfg)# notify syslog
“AAA Local database” CLI show commands:
## Showing own current privilege level
Router# show privilege
TACACS+ and RADIUS
Terminal Access Controller Access Control System Plus
Remote Authentication Dial-In User Service
Benefits of AAA:
- Increased flexibility and control of access configuration
- Scalability
- Standardized Authorization methods
- Multiple backup systems
// Graphics missing - Coming soon //
Process of AAA:
- User sends a login request.
- NAS validates the credentials against a AAA server.
- AAA server responds with valid/invalid message.
- NAS grants user access to the requested resource.
- User has access to the resource.
AAA in detail:
- Authentication: Validating the login credentials.
- Authorization: Assigning rights/privileges to the previously logged in user.
- Accounting: Tracking/Recording the user session.
- Authentication can be done without Authorization and Account.
- Authorization and Accounting depend on Authentication.
Comparison of TACACS+ vs RADIUS:
| TACACS+ | RADIUS | |
|---|---|---|
| Developer | Cisco | Livingston Enterprise (today a industry standard) |
| Protocol/Ports | TCP 49 (for all 3 AAA services) | UDP 1812 (for Authentication + Authorization), UDP 1813 (for Accounting) |
| AAA Support | All 3 AAA services are separate | Trunk |
| Challenge Response | Two-way, bidirectional (tcp), multiple challenge responses | Authentication + Authorization combined, Accounting separate |
| Encryption | Encrypts entire packet | Encrypts only password |
RADIUS for console and VTY access
“AAA RADIUS for console and VTY access” CLI configuration commands:
## Enabling AAA globally:
Router(config)# aaa new-model
## Configuring a local (fallback/backup) user with privilege level:
Router(config)# username <name> privilege <level> secret <password>
## Configuring a RADIUS server:
Router(config)# radius server <server-name>
Router(config-radius-tacacs)# address <ipv4/6> <ip> [auth-port <port> acct-port <port>]
Router(config-radius-tacacs)# key <key>
## Associating the configured RADIUS server with a RADIUS server group:
Router(config)# aaa group server radius <group-name>
Router(config-sg-radius)# server name <server-name>
## Configuring the AAA login authentication to use RADIUS with local user fallback:
Router(config)# aaa authentication login [default | <list-name>] group <group> local
Good to know: With the keyword default all the authentication configuration gets automatically applied to all lines (except console). To use specific servers and manually apply them to the lines, a list must be used.
TACACS+ for console and VTY access
“AAA TACACS+ for console and VTY access” CLI configuration commands:
## Enabling AAA globally:
Router(config)# aaa new-model
## Configuring a local (fallback/backup) user with privilege level:
Router(config)# username <name> privilege <level> secret <password>
## Configuring a TACACS+ server:
Router(config)# tacacs server <server-name>
Router(config-tacacs-server)# address <ipv4/6> <ip>
Router(config-tacacs-server)# port <port>
Router(config-tacacs-server)# key <key>
## Associating the configured TACACS+ server with a TACACS+ server group:
Router(config)# aaa group server tacacs+ <group-name>
Router(config-sg-tacacs+)# server name <server-name>
## Configuring the AAA login authentication to use TACACS+ with local user fallback:
Router(config)# aaa authentication login [default | <list-name>] group <group> local
Local privilege authorization fallback
General information on “Local privilege authorization fallback”:
- A local user should always be created BEFORE configuring AAA services
- It is used in case the AAA servers are inaccessible (not reachable, server problem, etc.)
- If no local user is defined there’ll be no possibility of accessing the device
“AAA Local privilege authorization fallback” CLI configuration commands:
## Configuring a local fallback user
Router(config)# username <name> privilege <level> secret <password>