AAA stands for Authentication, Authorization and Accounting. It is a framework that controls user access to network devices.
Authentication: It verifies the identity of a user. Once we know who the user is, we can grant access accordingly.
Authorization: It controls what a user is allowed to do on the device according to the user's role or skill level, i.e. which access is given to which user. With this we can set different access levels for different users.
Accounting: It logs the activity of users. This is very useful for auditing and billing purposes.
Below is the AAA configuration for Cisco routers and switches using a TACACS+ server. It doesn't include the ACS configuration; it only explains the configuration required on the router and switches.
Step 1: Configure the backup credentials.
Using AAA doesn't mean that we don't need local credentials. It is mandatory to have local fallback credentials so that we can still access the devices when our AAA servers are down or unreachable.
Router(config)#username Admin password PowerKey
Step 2: Configure the TACACS+ servers. We can configure multiple TACACS+ servers.
Router(config)#tacacs-server host 192.168.1.10 key mySecretkey1
Router(config)#tacacs-server host 192.168.1.11 key mySecretkey2
Step 3: Choose the correct interface as the source of TACACS+ packets. If a router has multiple interfaces configured, the request may leave from an interface whose address the server does not recognise. Choose the interface whose IP address is the one registered for this device on the AAA server.
Router(config)#ip tacacs source-interface loopback 0
Step 4: Check reachability of the TACACS+ server from the router. If there is a firewall between the router and the TACACS+ server, make sure that TCP port 49 is open to allow TACACS+ traffic.
Router#ping 192.168.1.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Step 5: Enable AAA globally on the router.
Router(config)#aaa new-model
Step 6: Configure the authentication methods.
The command below applies authentication to router login. The default keyword applies the method list to all lines.
group tacacs+ sends the authentication request to the configured TACACS+ servers.
The local keyword specifies that if all of the configured TACACS+ servers become unreachable, the user is authenticated against the local user database. This fallback does not apply when a TACACS+ server is reachable (it answers ping) but does not handle the request, for example because of a wrong key configured on the device or because of an internal ACS problem.
Router(config)#aaa authentication login default group tacacs+ local
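To make the fallback rule from Step 6 concrete, here is a small model of how a method list such as group tacacs+ local is evaluated. This is an added example, not configuration or code from the original post: the server objects, the user entries and the outcome codes are constructed, and the model follows the post's description that a wrong key or an ACS-side problem counts as a reachable server rejecting the request, so the local database is consulted only when every server errors out.

```python
"""
Added example (not from the original post): a model of the IOS method list
'aaa authentication login default group tacacs+ local'.

Assumptions (constructed for illustration):
  - a server that does not answer yields ERROR (unreachable / timeout);
  - a reachable server that rejects the user, or cannot process the
    request because the shared key is wrong, yields FAIL, as the post
    describes;
  - the next method in the list ('local') is tried only after an ERROR.
"""
from dataclasses import dataclass, field
from enum import Enum


class Reply(Enum):
    PASS = "pass"    # credentials accepted
    FAIL = "fail"    # server reachable but rejected the request
    ERROR = "error"  # server unreachable, no usable answer


@dataclass
class TacacsServer:
    host: str
    reachable: bool = True
    key_matches: bool = True
    users: dict = field(default_factory=dict)  # constructed user database

    def authenticate(self, username: str, password: str) -> Reply:
        if not self.reachable:
            return Reply.ERROR
        if not self.key_matches:
            # Wrong shared key: the server is up but cannot handle the
            # request, which the post treats as a failure, not an outage.
            return Reply.FAIL
        return Reply.PASS if self.users.get(username) == password else Reply.FAIL


# Local user database, mirroring the backup credentials from Step 1.
LOCAL_USERS = {"Admin": "PowerKey"}


def local_method(username: str, password: str) -> Reply:
    return Reply.PASS if LOCAL_USERS.get(username) == password else Reply.FAIL


def group_tacacs(servers, username: str, password: str) -> Reply:
    """Try the servers of the group in order; move on only when one errors."""
    for server in servers:
        reply = server.authenticate(username, password)
        if reply is not Reply.ERROR:
            return reply
    return Reply.ERROR


def login_default(servers, username: str, password: str) -> Reply:
    """Evaluate 'group tacacs+ local': local is consulted only after ERROR."""
    reply = group_tacacs(servers, username, password)
    if reply is Reply.ERROR:
        reply = local_method(username, password)
    return reply


if __name__ == "__main__":
    down = [TacacsServer("192.168.1.10", reachable=False),
            TacacsServer("192.168.1.11", reachable=False)]
    bad_key = [TacacsServer("192.168.1.10", key_matches=False)]
    print("servers down, local admin:", login_default(down, "Admin", "PowerKey").value)
    print("wrong key, local admin:   ", login_default(bad_key, "Admin", "PowerKey").value)
```

Running the script shows the asymmetry the post warns about: with both servers down the Admin user from Step 1 still gets in through the local database, but with a server that is up and configured with the wrong key the same login fails, because no fallback happens.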
Step 7: It authorizes all commands entered in configuration mode.
Router(config)#aaa authorization config-commands
Step 8: It checks the privilege level of the user with the AAA server. Without this command the user will log in to user mode only.
Router(config)#aaa authorization exec default group tacacs+ local if-authenticated
Step 9: The command below provides command authorization for privilege level 1 users.
Router(config)#aaa authorization commands 1 default group TACACS+ if-authenticated
Step 10: The command below authorizes commands for level 15 users. Each time the user runs a command, the switch sends a query to the TACACS+ server to check whether the user is authorized for it.
Router(config)#aaa authorization commands 15 default group TACACS+ local if-authenticated
Step 11: It enables accounting on all lines.
Router(config)#aaa accounting exec default start-stop group tacacs+
Step 12: It logs all the activity of level 1 users.
Router(config)#aaa accounting commands 1 default start-stop group tacacs+
Step 13: It logs all the activity of level 15 users.
Router(config)#aaa accounting commands 15 default start-stop group tacacs+
Step 14: Apply AAA authentication on the VTY lines.
Router(config)#line vty 0 15
Router(config-line)#login authentication default
Step 15: Verification. Try to access the device using TACACS+ credentials.
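As a companion to the verification step, the script below audits a saved running-config against the configuration built up in Steps 1 to 14, so a missing piece (for example a login method list without the local fallback, or a VTY block that never got login authentication default) is reported before anyone relies on it. This is an added example, not code from the original post or from Cisco: the sample running-config is constructed from the commands shown above, and the regular expressions encode that syntax.

```python
"""
Added example (not from the original post): audit a Cisco IOS running-config
for the AAA settings described in Steps 1 to 14.

The config text below is constructed from the commands in the post; the
checks are regular expressions over individual config lines.
"""
import re

SAMPLE_CONFIG = """\
!
username Admin password PowerKey
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group TACACS+ if-authenticated
aaa authorization commands 15 default group TACACS+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.1.10 key mySecretkey1
tacacs-server host 192.168.1.11 key mySecretkey2
ip tacacs source-interface Loopback0
line vty 0 15
 login authentication default
!
"""

# Check name -> pattern that must match at least one top-level config line.
# Matching is case-insensitive because IOS accepts 'TACACS+' and 'tacacs+'.
CHECKS = {
    "local fallback user (Step 1)": r"^username \S+ (password|secret) ",
    "tacacs server with key (Step 2)": r"^tacacs-server host \S+ key \S+",
    "tacacs source interface (Step 3)": r"^ip tacacs source-interface \S+",
    "aaa new-model (Step 5)": r"^aaa new-model$",
    "login: tacacs then local (Step 6)": r"^aaa authentication login default group tacacs\+ local$",
    "config-commands authorization (Step 7)": r"^aaa authorization config-commands$",
    "exec authorization (Step 8)": r"^aaa authorization exec default group tacacs\+ local if-authenticated$",
    "level 1 command authorization (Step 9)": r"^aaa authorization commands 1 default group tacacs\+",
    "level 15 command authorization (Step 10)": r"^aaa authorization commands 15 default group tacacs\+",
    "exec accounting (Step 11)": r"^aaa accounting exec default start-stop group tacacs\+",
    "level 1 command accounting (Step 12)": r"^aaa accounting commands 1 default start-stop group tacacs\+",
    "level 15 command accounting (Step 13)": r"^aaa accounting commands 15 default start-stop group tacacs\+",
}


def config_lines(text: str):
    """Drop blank and '!' comment lines; keep indentation for sub-mode lines."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def vty_blocks(lines):
    """Collect the indented sub-commands of every 'line vty ...' block."""
    blocks, current = [], None
    for ln in lines:
        if ln.startswith("line "):
            current = [] if ln.startswith("line vty") else None
            if current is not None:
                blocks.append(current)
        elif ln.startswith(" ") and current is not None:
            current.append(ln.strip())
        else:
            current = None  # back at global config level
    return blocks


def vty_login_uses_default(lines) -> bool:
    """Step 14: every VTY block must carry 'login authentication default'."""
    blocks = vty_blocks(lines)
    return bool(blocks) and all("login authentication default" in b for b in blocks)


def audit_aaa(text: str) -> dict:
    lines = config_lines(text)
    results = {}
    for name, pattern in CHECKS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        results[name] = any(rx.search(ln) for ln in lines)
    results["vty lines use default login (Step 14)"] = vty_login_uses_default(lines)
    return results


def failed_checks(text: str):
    return sorted(name for name, ok in audit_aaa(text).items() if not ok)


def tacacs_server_count(text: str) -> int:
    rx = re.compile(r"^tacacs-server host \S+ key \S+", re.IGNORECASE)
    return sum(1 for ln in config_lines(text) if rx.search(ln))


if __name__ == "__main__":
    for name, ok in audit_aaa(SAMPLE_CONFIG).items():
        print("PASS" if ok else "FAIL", name)
    print("tacacs servers configured:", tacacs_server_count(SAMPLE_CONFIG))
```

Run against the output of show running-config saved to a file, the failed_checks list is what to fix before the change window closes; the VTY check deliberately walks every line vty block rather than grepping once, because a second VTY range added later without login authentication default would otherwise pass unnoticed.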