Tuesday, September 6, 2011

Configuring Authentication, Authorization and Accounting (Part 1)



To use AAA method lists, I first need to enable AAA with the aaa new-model command:

R1(config)#aaa new-model
R1(config)#

Next, create a login authentication method list. I'll call it AUTH_LIST:

R1(config)#aaa authentication login AUTH_LIST ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V
               Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.

R1(config)#aaa authentication login AUTH_LIST 

The list I'm creating can chain several methods. I'll come back to the first option, <enable>, later; first I'll add <group>. <group> refers to the server group used for authentication, and I get to pick between TACACS+ and RADIUS. I could also define my own list of servers with the <aaa group server [tacacs+|radius]> command, but I'll get to that later. Right now I'm going to use a TACACS+ server, and if that's not available, fall back to the local user database:

R1(config)#aaa authentication login AUTH_LIST group tacacs+ local 
R1(config)#

Before I use my method list, which I will apply to my vty lines, I want to add a TACACS+ server at 10.1.1.10, lower the timeout from the default of 5 seconds to 3, use a shared key of cisco, and set the source interface for TACACS+ requests to my FastEthernet0/0 interface. While I'm at it, I'll set a login banner, custom username and password prompts, and a failure message. Finally, since I'm going to fall back to the local user database, I'll create a user called joe with a password of blow:

R1(config)#tacacs-server host 10.1.1.10 timeout 3 key cisco 
R1(config)#ip tacacs source-interface FastEthernet0/0 
R1(config)#aaa authentication banner ^Unauthorized access is prohibited^
R1(config)#aaa authentication password-prompt "Please enter your password:"
R1(config)#aaa authentication username-prompt "Please enter your username:"
R1(config)#aaa authentication fail-message ^NOOOOOO GTFO!!!^
R1(config)#username joe password blow
R1(config)#

I'll apply the list to the vty lines...

R1(config)#line vty 0 4
R1(config-line)#login authentication AUTH_LIST 
R1(config-line)#


...and attempt to log in from another device with telnet. But first, I'll enable debugging for AAA authentication and authorization on R1:

R1#debug aaa authentication 
AAA Authentication debugging is on
R1#debug aaa authorization 
AAA Authorization debugging is on
R1#


R2#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1>

Here's the debug output on R1:

R1#
Sep  6 15:29:51.790: %SYS-5-CONFIG_I: Configured from console by ADMIN on console
R1#
Sep  6 15:29:54.875: AAA/BIND(00000030): Bind i/f  
Sep  6 15:29:54.879: AAA/AUTHEN/LOGIN (00000030): Pick method list 'AUTH_LIST' 
R1#
Sep  6 15:30:10.545: AAA/AUTHOR (00000030): Method list id=0 not configured. Skip author
R1#

Since no method list is configured for authorization, I'll add one, apply it to the vty lines and look at the resulting debug output:

R1(config)#aaa authorization exec AUTHO_LIST local 
R1(config)#line vty 0 4
R1(config-line)#authorization exec AUTHO_LIST
R1(config-line)#end
R1#

After another login, here's the debug on R1:

R1#
Sep  6 15:44:28.275: AAA/BIND(00000033): Bind i/f  
Sep  6 15:44:28.279: AAA/AUTHEN/LOGIN (00000033): Pick method list 'AUTH_LIST' 
R1#
Sep  6 15:44:31.664: AAA/AUTHOR (0x33): Pick method list 'AUTHO_LIST'
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): processing AV cmd=
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): processing AV priv-lvl=1
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): Authorization successful
R1#

Because there was no authorization list before, authorization was skipped and access was allowed. Once a list exists, the user is checked against it and authorized to the privilege level assigned to the account. In my case I didn't assign a privilege level to joe, so the default of 1 is used:

R3#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1>show privilege
Current privilege level is 1
R1>


When I assign a privilege level to joe's account, the authorization list applied to the line grants that level at login:

R1(config)#username joe privilege 5 password blow
R1(config)#


And now to reconnect:

R3#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1#show privilege 
Current privilege level is 5
R1#
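As an added defender-side check (my own example, not the post's configuration or any Cisco tool), here is a small Python audit that parses a running-config excerpt in the shape built above and flags vty lines that lack a defined login authentication list or authorization exec list, the very condition behind the "Method list id=0 not configured. Skip author" debug line. The config text is constructed for the example, and the regexes only cover the login/exec list forms used on this page.

```python
import re

# Constructed running-config excerpt modelled on the page's R1 (not captured from a device)
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login AUTH_LIST group tacacs+ local
aaa authorization exec AUTHO_LIST local
line vty 0 4
 login authentication AUTH_LIST
 authorization exec AUTHO_LIST
"""

def parse_config(text):
    """Collect defined login/exec method lists and the lists applied under each line block."""
    authen, author, lines, current = {}, {}, {}, None
    for line in text.splitlines():
        if not line.startswith(" "):          # global configuration mode
            current = None
            if m := re.match(r"aaa authentication login (\S+) (.+)", line):
                authen[m.group(1)] = m.group(2).split()
            elif m := re.match(r"aaa authorization exec (\S+) (.+)", line):
                author[m.group(1)] = m.group(2).split()
            elif line.startswith("line "):
                current, lines[line] = line, {}
        elif current is not None:             # line configuration mode (indented)
            if m := re.match(r"\s*login authentication (\S+)", line):
                lines[current]["login"] = m.group(1)
            elif m := re.match(r"\s*authorization exec (\S+)", line):
                lines[current]["exec"] = m.group(1)
    return authen, author, lines

def audit(text):
    """Return findings for the vty lines; an empty list means each is fully covered."""
    authen, author, lines = parse_config(text)
    findings = []
    if "aaa new-model" not in text.splitlines():
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    for name, methods in {**authen, **author}.items():
        if "none" in methods:                 # 'none' succeeds when earlier methods are unreachable
            findings.append(f"{name}: 'none' fallback grants access if the preceding methods cannot be reached")
    for block, applied in lines.items():
        if block.startswith("line vty"):
            login, exec_list = applied.get("login"), applied.get("exec")
            if login is None:
                findings.append(f"{block}: no named login list applied (default list used)")
            elif login not in authen:
                findings.append(f"{block}: login list {login} is not defined")
            if exec_list not in author:
                findings.append(f"{block}: no defined authorization exec list (AAA/AUTHOR skipped)")
    return findings
```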


AAA Configuration Part 2

10 comments:

  1. very helpful, Thanks! Minor mistake though. should be:
    line vty 0 4
    authorization exec AUTHO_LIST
