Basic AAA configuration on Cisco Router
AAA stands for Authentication, Authorization and Accounting. It is a framework that controls user access to network devices.
Authentication: It is used to check the identity of a user. It lets us identify users and grant access accordingly.
Authorization: It controls device access as per the user's skill level, i.e. which access is given to which user. With this we can control the access level of different users.
Accounting: It is primarily used to log the activity of users. This is very useful for auditing and billing purposes.
Below is the AAA configuration for Cisco routers and switches using a TACACS+ server. It doesn't include the ACS configuration; it only explains the configuration required on the router or switch.
Step 1: Configure the backup credentials.
AAA doesn't mean that we don't require local credentials. It is mandatory to have backdoor credentials so that we can still access the devices when our AAA servers are down or unreachable.
Router(config)#username Admin password PowerKey
Step 2: Configure the TACACS+ servers and their shared keys.
Router(config)#tacacs-server host 192.168.1.10 key mySecretkey1
Router(config)#tacacs-server host 192.168.1.11 key mySecretkey2
Step 3: Choose the correct interface to be the source of TACACS+ packets. It may cause problems if we have multiple interfaces configured on a router. Choose the interface whose IP address is the one registered on the AAA server.
Router(config)#ip tacacs source-interface loopback 0
Step 4: Check reachability of the TACACS+ server from the router. If there is a firewall between the router and the TACACS+ server, make sure that TCP port 49 is opened to allow TACACS+ traffic.
Router#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Step 5: Enable AAA on the router globally.
Router(config)#aaa new-model
Step 6: Configure the authentication methods.
The command below applies authentication to router login. The default keyword applies the method list to all lines.
group tacacs+ sends the authentication request to the configured TACACS+ servers.
The local keyword specifies that if all of the configured TACACS+ servers become unreachable, the user is authenticated against the local user database. This fallback mechanism does not apply if the TACACS+ server is reachable via ping but is not handling the request, which may be because of a wrong key configured on the device or because of an internal ACS problem.
Router(config)#aaa authentication login default group tacacs+ local
Step 7: Authorize all commands entered in configuration mode.
Router(config)#aaa authorization config-commands
Step 8: Check the privilege level of the user on the AAA server. Without this command the user logs in to user mode only.
Router(config)#aaa authorization exec default group tacacs+ local if-authenticated
Step 9: The command below provides command authorization for privilege level 1 users.
Router(config)#aaa authorization commands 1 default group tacacs+ if-authenticated
Step 10: The command below authorizes level 15 users. Each time the user runs a command, the switch sends a query to the TACACS+ server to check whether the user is authorized for it.
Router(config)#aaa authorization commands 15 default group tacacs+ local if-authenticated
Step 11: Enable accounting on all lines.
Router(config)#aaa accounting exec default start-stop group tacacs+
Step 12: Log all the activity of level 1 users.
Router(config)#aaa accounting commands 1 default start-stop group tacacs+
Step 13: Log all the activity of level 15 users.
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
Step 14: Apply AAA authentication on the VTY lines.
Router(config)#line vty 0 15
Router(config-line)#login authentication default
Step 15: Verification: try to access the device using TACACS+ credentials.
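The steps above amount to a checklist, and the one that matters most for not locking yourself out is the local fallback in the login method list (Step 6). The following audit helper is an added example written for this page, not Cisco tooling and not the author's code; it runs over a constructed `show running-config` excerpt (the config in `SAMPLE_CONFIG` is assembled from the steps above with keys redacted, and uses `username ... secret`, the hashed form, in place of the `password` keyword shown in Step 1) and reports which of the page's controls are missing. `WEAK_CONFIG` is the same config with `local` dropped from the login list, to show the check catching it.

```python
import re

# Constructed 'show running-config' excerpt reflecting Steps 1-14 above
# (not captured from a real device; secrets and keys are redacted placeholders).
SAMPLE_CONFIG = """\
!
username Admin secret 5 $1$REDACTED
!
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
ip tacacs source-interface Loopback0
tacacs-server host 192.168.1.10 key 7 REDACTED
tacacs-server host 192.168.1.11 key 7 REDACTED
!
line vty 0 15
 login authentication default
!
"""

# Same config with the 'local' fallback dropped from the login method list:
# the device becomes unreachable when every TACACS+ server is down.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication login default group tacacs+ local",
    "aaa authentication login default group tacacs+", 1)


def method_list(line):
    """Return the methods after 'default', keeping 'group <name>' as one token."""
    tokens = line.split()
    i = tokens.index("default") + 1
    methods = []
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def has_tacacs_then_local(line):
    """True when the list tries the TACACS+ group first and then falls back to local."""
    methods = method_list(line)
    group_idx = next((i for i, m in enumerate(methods) if m.startswith("group tacacs")), None)
    return group_idx is not None and "local" in methods and methods.index("local") > group_idx


def vty_blocks(lines):
    """Yield the indented sub-commands of each 'line vty' section."""
    block, in_vty = [], False
    for l in lines + [""]:          # sentinel flushes a block at end of file
        if l.startswith("line vty"):
            in_vty, block = True, []
        elif in_vty and l.startswith(" "):
            block.append(l.strip())
        elif in_vty:
            in_vty = False
            yield block


def audit_aaa(config):
    """Map each control from the steps above to whether the config has it."""
    lines = config.splitlines()

    def find(prefix):
        return next((l for l in lines if l.startswith(prefix)), None)

    login = find("aaa authentication login default")
    exec_authz = find("aaa authorization exec default")
    servers = re.findall(r"^tacacs-server host (\S+) key ", config, re.M)
    return {
        "local_user_present": find("username ") is not None,            # Step 1
        "tacacs_servers": servers,                                       # Step 2
        "source_interface_set": find("ip tacacs source-interface") is not None,  # Step 3
        "aaa_new_model": "aaa new-model" in lines,                       # Step 5
        "login_list_present": login is not None,                         # Step 6
        "login_local_fallback": login is not None and has_tacacs_then_local(login),
        "exec_authz_local_fallback": exec_authz is not None and has_tacacs_then_local(exec_authz),  # Step 8
        "exec_accounting": find("aaa accounting exec default start-stop") is not None,  # Step 11
        "level15_cmd_accounting": find("aaa accounting commands 15 default start-stop") is not None,  # Step 13
        "vty_uses_default_list": any("login authentication default" in b for b in vty_blocks(lines)),  # Step 14
    }


def missing_controls(config):
    """Names of checks that did not pass (an empty server list also fails)."""
    return [name for name, value in audit_aaa(config).items() if not value]


if __name__ == "__main__":
    print("sample config missing:", missing_controls(SAMPLE_CONFIG))
    print("weak config missing:  ", missing_controls(WEAK_CONFIG))
```

The method-list check is order-sensitive on purpose: `local group tacacs+` would consult the local database first and only ask the TACACS+ servers for users it does not know, which is not the fallback behaviour described in Step 6.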