Tuesday, September 6, 2011

Configuring Authentication, Authorization and Accounting (Part 1)



To use AAA method lists, I first need to enable the AAA subsystem with aaa new-model:

R1(config)#aaa new-model
R1(config)#

Next, create a method list for login authentication (the command shown is aaa authentication login). I'll call it AUTH_LIST:

R1(config)#aaa authentication login AUTH_LIST ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.

R1(config)#aaa authentication login AUTH_LIST 

The list I'm creating has several options. I'll get to the first option, <enable>, later; first I'll add <group>. <group> refers to the server group to be used for authentication, and I get to pick between TACACS+ and RADIUS. I could also define my own list of servers with the <aaa group server [tacacs+|radius]> command, but I'll get to that later. Right now, I'm going to use the TACACS+ servers, and if none of them respond, I'll fall back to the local database.

R1(config)#aaa authentication login AUTH_LIST group tacacs+ local 
R1(config)#
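As an added example (not code from the original post), the following Python models the rule IOS applies when it walks AUTH_LIST: the next method is consulted only when the previous one returned an error (the TACACS+ server did not answer), never when the server answered with a reject. The Router class, the user dictionaries, the "none" scenario and the scenario functions are constructed for the demonstration; nothing here talks to a real server.

```python
"""Model how IOS walks the AUTH_LIST method list from the post.

Added example, not part of the original post. It encodes the IOS rule that
the next method in a list is consulted only when the previous one returned
ERROR (server unreachable), never after a FAIL (credentials rejected), and
that the "none" method always passes. The TACACS+ server and local user
database are constructed stand-ins; no network traffic is sent.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"


@dataclass
class Router:
    # constructed local database, as built with "username joe password blow"
    local_users: Dict[str, str] = field(default_factory=dict)
    # constructed TACACS+ view: None models a server that times out (3 s in the post)
    tacacs_users: Optional[Dict[str, str]] = None
    method_lists: Dict[str, List[str]] = field(default_factory=dict)

    def define_list(self, name: str, *methods: str) -> None:
        """aaa authentication login <name> <methods...>"""
        self.method_lists[name] = list(methods)

    def _run_method(self, method: str, user: str, pw: str) -> str:
        if method == "group tacacs+":
            if self.tacacs_users is None:
                return ERROR          # timeout: method unavailable, IOS moves on
            return PASS if self.tacacs_users.get(user) == pw else FAIL
        if method == "local":
            # simplification: wrong password and unknown user are both treated as FAIL
            return PASS if self.local_users.get(user) == pw else FAIL
        if method == "none":
            return PASS               # no authentication at all
        raise ValueError(f"unmodelled method {method!r}")

    def login(self, list_name: str, user: str, pw: str) -> Tuple[bool, List[Tuple[str, str]]]:
        """Walk the list; return (accepted, trace of (method, result))."""
        trace: List[Tuple[str, str]] = []
        for method in self.method_lists[list_name]:
            result = self._run_method(method, user, pw)
            trace.append((method, result))
            if result == PASS:
                return True, trace
            if result == FAIL:
                return False, trace   # explicit reject ends the walk; no fallback
            # ERROR: try the next method
        return False, trace           # every method errored: deny


def tacacs_unreachable():
    """The post's scenario: server down, joe/blow accepted from the local database."""
    r = Router(local_users={"joe": "blow"}, tacacs_users=None)
    r.define_list("AUTH_LIST", "group tacacs+", "local")
    return r.login("AUTH_LIST", "joe", "blow")


def tacacs_rejects():
    """Server reachable but holds a different password: local is never consulted."""
    r = Router(local_users={"joe": "blow"}, tacacs_users={"joe": "something-else"})
    r.define_list("AUTH_LIST", "group tacacs+", "local")
    return r.login("AUTH_LIST", "joe", "blow")


def none_fallback():
    """Same list but ending in 'none': any credentials pass once the server is down."""
    r = Router(local_users={}, tacacs_users=None)
    r.define_list("AUTH_LIST", "group tacacs+", "none")
    return r.login("AUTH_LIST", "nobody", "")


if __name__ == "__main__":
    for case in (tacacs_unreachable, tacacs_rejects, none_fallback):
        print(f"{case.__name__}: {case()}")
```

The second scenario is the one worth remembering when choosing "group tacacs+ local": while the server is reachable, the local account is never a second chance, so a stale local password does not matter until the server goes away. The third scenario shows why a list should not end in "none".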

Before I use my method list, which I will apply to my vty lines, I want to add a TACACS+ server at 10.1.1.10, lower the timeout from the default of 5 seconds to 3, set the shared key to cisco, and set the source interface for TACACS+ requests to my FastEthernet0/0 interface. I'll also customize the login banner, the username and password prompts, and the message shown on a failed login. Finally, since I'm going to leverage the local user database, I'll create a user called joe with a password of blow:

R1(config)#tacacs-server host 10.1.1.10 timeout 3 key cisco 
R1(config)#ip tacacs source-interface FastEthernet0/0 
R1(config)#aaa authentication banner ^Unauthorized access is prohibited^
R1(config)#aaa authentication password-prompt "Please enter your password:"
R1(config)#aaa authentication username-prompt "Please enter your username:"
R1(config)#aaa authentication fail-message ^NOOOOOO GTFO!!!^
R1(config)#username joe password blow
R1(config)#

I'll apply the list to the vty lines...

R1(config)#line vty 0 4
R1(config-line)#login authentication AUTH_LIST 
R1(config-line)#

...and attempt to log in from another device with telnet. But first, I'll turn on AAA authentication and authorization debugging on R1:

R1#debug aaa authentication 
AAA Authentication debugging is on
R1#debug aaa authorization 
AAA Authorization debugging is on
R1#


R2#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1>

Here's the debug output on R1:

R1#
Sep  6 15:29:51.790: %SYS-5-CONFIG_I: Configured from console by ADMIN on console
R1#
Sep  6 15:29:54.875: AAA/BIND(00000030): Bind i/f  
Sep  6 15:29:54.879: AAA/AUTHEN/LOGIN (00000030): Pick method list 'AUTH_LIST' 
R1#
Sep  6 15:30:10.545: AAA/AUTHOR (00000030): Method list id=0 not configured. Skip author
R1#

Since no method list is configured for exec authorization, I'll add one, apply it to the vty lines, and look at the resulting debug:

R1(config)#aaa authorization exec AUTHO_LIST local 
R1(config)#line vty 0 4
R1(config-line)#authorization exec AUTHO_LIST
R1(config-line)#end
R1#

After another login, here's the debug on R1:

R1#
Sep  6 15:44:28.275: AAA/BIND(00000033): Bind i/f  
Sep  6 15:44:28.279: AAA/AUTHEN/LOGIN (00000033): Pick method list 'AUTH_LIST' 
R1#
Sep  6 15:44:31.664: AAA/AUTHOR (0x33): Pick method list 'AUTHO_LIST'
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): processing AV cmd=
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): processing AV priv-lvl=1
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): Authorization successful
R1#

Since there was no authorization list before, authorization was skipped and the session was let in. Once a list is applied, the user is checked against it and authorized at the assigned privilege level. In my case I didn't assign a privilege level to joe, so the default of 1 is used:

R3#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1>show privilege
Current privilege level is 1
R1>


When I add a privilege level to joe's username and have an authorization list applied to the line, the user is authorized at the assigned privilege level:

R1(config)#username joe privilege 5 password blow
R1(config)#


And now to reconnect:


R3#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1#show privilege 
Current privilege level is 5
R1#
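To tie the two halves together, here is an added example (not code from the original post) that audits a running-config excerpt for the AAA wiring problems this walkthrough ran into. The config texts are constructed from the commands used above (CONFIG_BEFORE is the state whose debug read "Skip author", CONFIG_AFTER adds the line-mode authorization command), plus a deliberately weak variant with a hypothetical server address to exercise the general checks: a login list ending in "none", and a TACACS+ host with no key.

```python
"""Audit a Cisco IOS running-config excerpt for AAA wiring mistakes.

Added example, not part of the original post. The config texts are
constructed from the commands in the post; the vty check encodes the
behaviour the post's debug shows (no exec authorization list on the line
means IOS skips authorization), plus two general checks: a login method
list whose last method is "none", and a tacacs-server host with no key.
"""
import re

# Constructed: the post's config before an exec authorization list was applied.
CONFIG_BEFORE = """\
aaa new-model
aaa authentication login AUTH_LIST group tacacs+ local
aaa authorization exec AUTHO_LIST local
username joe privilege 5 password blow
tacacs-server host 10.1.1.10 timeout 3 key cisco
ip tacacs source-interface FastEthernet0/0
line vty 0 4
 login authentication AUTH_LIST
"""

# Constructed: same config with the line-mode authorization command added.
CONFIG_AFTER = CONFIG_BEFORE + " authorization exec AUTHO_LIST\n"

# Constructed: a deliberately weak variant (hypothetical server 192.0.2.10).
CONFIG_WEAK = """\
aaa new-model
aaa authentication login AUTH_LIST group tacacs+ none
tacacs-server host 192.0.2.10 timeout 3
line vty 0 4
 login authentication AUTH_LIST
 authorization exec MISSING
"""


def parse(config_text):
    """Return the AAA-relevant parts of the config as a dict."""
    cfg = {"new_model": False, "global_key": False, "authn": {}, "authz": {},
           "tacacs": [], "lines": {}}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:   # sub-command of a line block
            cfg["lines"][current].append(raw.strip())
            continue
        current = None
        line = raw.strip()
        if line == "aaa new-model":
            cfg["new_model"] = True
        elif line.startswith("tacacs-server key "):
            cfg["global_key"] = True
        elif m := re.match(r"aaa authentication login (\S+) (.+)", line):
            cfg["authn"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
            cfg["authz"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"tacacs-server host (\S+)(.*)", line):
            cfg["tacacs"].append((m.group(1), "key" in m.group(2).split()))
        elif line.startswith("line "):
            current = line
            cfg["lines"][current] = []
    return cfg


def _list_name(cmds, prefix):
    """Name of the method list referenced by the first sub-command with this prefix."""
    for c in cmds:
        if c.startswith(prefix):
            return c.split()[-1]
    return None


def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse(config_text)
    findings = []
    if not cfg["new_model"]:
        findings.append("aaa new-model is not enabled, so named method lists are never used")
    for name, methods in cfg["authn"].items():
        if methods[-1] == "none":
            findings.append(f"login list {name} ends in 'none': logins succeed with no "
                            "credentials once the servers stop responding")
    for host, has_key in cfg["tacacs"]:
        if not has_key and not cfg["global_key"]:
            findings.append(f"tacacs-server host {host} has no key and no global "
                            "tacacs-server key is set")
    for line_name, cmds in cfg["lines"].items():
        if not line_name.startswith("line vty"):
            continue
        authn = _list_name(cmds, "login authentication ")
        authz = _list_name(cmds, "authorization exec ")
        if authn is not None and authn not in cfg["authn"]:
            findings.append(f"{line_name}: login authentication list {authn} is not defined")
        if authz is None:
            findings.append(f"{line_name}: no exec authorization list, so IOS skips "
                            "authorization on login")
        elif authz not in cfg["authz"]:
            findings.append(f"{line_name}: authorization exec list {authz} is not defined")
    return findings


if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER), ("weak", CONFIG_WEAK)):
        print(label, audit(text) or "clean")
```

Run it as a script to see the three verdicts, or feed audit() the output of show running-config from a lab box; the parser only understands the handful of commands used in this post, so extend parse() before trusting it on a production config.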


AAA Configuration Part 2

1 comment:

  1. Very helpful, thanks! Minor mistake though. Should be:
    line vty 0 4
    authorization exec AUTHO_LIST