Tuesday, September 6, 2011

Configuring Authentication, Authorization and Accounting (Part 1)



To use AAA method lists, I first need to enable AAA with the aaa new-model command:

R1(config)#aaa new-model
R1(config)#

Next, create a method list for login authentication. I'll call it AUTH_LIST:

R1(config)#aaa authentication login AUTH_LIST ?
  enable       Use enable password for authentication.
  group        Use Server-group
  krb5         Use Kerberos 5 authentication.
  krb5-telnet  Allow logins only if already authenticated via Kerberos V Telnet.
  line         Use line password for authentication.
  local        Use local username authentication.
  local-case   Use case-sensitive local username authentication.
  none         NO authentication.

R1(config)#aaa authentication login AUTH_LIST 

The list I'm creating has several options. I'll get to the first option, <enable>, later, but first I'll add <group>. <group> refers to the server group to be used for authentication; I can pick either TACACS+ or RADIUS. I could also define a named list of servers with the <aaa group server [tacacs+|radius]> command, but I'll get to that later. For now, I'm going to use a TACACS+ server and, if that's not available, fall back to the local database (the local method is only tried when the TACACS+ server does not respond, not when it rejects the credentials):

R1(config)#aaa authentication login AUTH_LIST group tacacs+ local 
R1(config)#

Before I use my method list, which I will apply to my vty lines, I want to add a TACACS+ server at 10.1.1.10, lower its timeout from the default of 5 seconds to 3, set the shared key to cisco, and set the source interface for TACACS+ requests to my FastEthernet0/0 interface. I'll also set a login banner, custom username and password prompts, and a failure message. Additionally, since I'm going to fall back to the local user database, I'll create a user called joe with a password of blow:



R1(config)#tacacs-server host 10.1.1.10 timeout 3 key cisco 
R1(config)#ip tacacs source-interface FastEthernet0/0 
R1(config)#aaa authentication banner ^Unauthorized access is prohibited^
R1(config)#aaa authentication password-prompt "Please enter your password:"
R1(config)#aaa authentication username-prompt "Please enter your username:"
R1(config)#aaa authentication fail-message ^NOOOOOO GTFO!!!^
R1(config)#username joe password blow
R1(config)#




I'll apply the list to the vty lines...

R1(config)#line vty 0 4
R1(config-line)#login authentication AUTH_LIST 
R1(config-line)#


...and attempt to log in from another device with telnet. But first, I'll enable debugging of AAA authentication and authorization on R1:

R1#debug aaa authentication 
AAA Authentication debugging is on
R1#debug aaa authorization 
AAA Authorization debugging is on
R1#


R2#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1>

Here's the debug output on R1:

R1#
Sep  6 15:29:51.790: %SYS-5-CONFIG_I: Configured from console by ADMIN on console
R1#
Sep  6 15:29:54.875: AAA/BIND(00000030): Bind i/f  
Sep  6 15:29:54.879: AAA/AUTHEN/LOGIN (00000030): Pick method list 'AUTH_LIST' 
R1#
Sep  6 15:30:10.545: AAA/AUTHOR (00000030): Method list id=0 not configured. Skip author
R1#

Since no method list is configured for authorization, I will add one, apply it to the vty lines and look at the resulting debug:

R1(config)#aaa authorization exec AUTHO_LIST local 
R1(config)#line vty 0 4
R1(config-line)#authorization exec AUTHO_LIST
R1(config-line)#end
R1#
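As an added example (not code from the original post), here is a small Python checker that parses a running-config fragment like the one built above and flags the AAA mistakes that matter in practice: aaa new-model missing, a method list containing none, a server-group list with no local fallback, and a vty line with no authentication or authorization list or one that references an undefined list. The sample configuration is constructed from this post's commands.

```python
import re

# Constructed sample: the running-config fragment built in this post.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login AUTH_LIST group tacacs+ local
aaa authorization exec AUTHO_LIST local
tacacs-server host 10.1.1.10 timeout 3 key cisco
line vty 0 4
 login authentication AUTH_LIST
 authorization exec AUTHO_LIST
"""

def parse_aaa(config):
    """Collect AAA method lists and the lists each vty section applies."""
    lists = {"authentication": {}, "authorization": {}}
    vty, section = {}, None
    for line in config.splitlines():
        if m := re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", line):
            lists[m.group(1).split()[0]][m.group(2)] = m.group(3).split()
        elif line.startswith("line vty"):
            section = line.strip()
            vty[section] = {}
        elif section and line.startswith(" "):
            if m := re.match(r"\s+(login authentication|authorization exec) (\S+)", line):
                kind = "authentication" if m.group(1).startswith("login") else "authorization"
                vty[section][kind] = m.group(2)
        else:
            section = None  # any other top-level line ends the vty section
    return "aaa new-model" in config.splitlines(), lists, vty

def audit(config):
    """Return a list of findings; an empty list means the config passes."""
    new_model, lists, vty = parse_aaa(config)
    findings = []
    if not new_model:
        findings.append("aaa new-model is not enabled; method lists are ignored")
    for kind, named in lists.items():
        for name, methods in named.items():
            if "none" in methods:
                findings.append(f"{kind} list {name} includes 'none'")
            if methods[0] == "group" and methods[-1] != "local":
                findings.append(f"{kind} list {name} has no local fallback")
    for section, applied in vty.items():
        for kind in lists:
            if kind not in applied:
                findings.append(f"{section}: no {kind} list applied")
            elif applied[kind] not in lists[kind]:
                findings.append(f"{section}: {kind} list {applied[kind]} is not defined")
    return findings
```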

After another login, here's the debug on R1:

R1#
Sep  6 15:44:28.275: AAA/BIND(00000033): Bind i/f  
Sep  6 15:44:28.279: AAA/AUTHEN/LOGIN (00000033): Pick method list 'AUTH_LIST' 
R1#
Sep  6 15:44:31.664: AAA/AUTHOR (0x33): Pick method list 'AUTHO_LIST'
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): processing AV cmd=
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): processing AV priv-lvl=1
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): Authorization successful
R1#

Since there was no list previously, the router skipped authorization and allowed access. Once there is a list, it checks the user against it and authorizes access at the assigned privilege level. In my case, I didn't assign a privilege level, so it uses 1 by default:


R3#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1>show privilege
Current privilege level is 1
R1>
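As an added example (not from the original post), a Python parser that correlates the debug lines above by AAA session id and reports, per login, which method lists were picked and whether exec authorization was skipped (as in the first capture) or succeeded, and with what priv-lvl. The sample log is constructed from the two captures above.

```python
import re

# Constructed sample: the two debug captures from this post, joined together.
DEBUG_LOG = """\
Sep  6 15:29:54.875: AAA/BIND(00000030): Bind i/f
Sep  6 15:29:54.879: AAA/AUTHEN/LOGIN (00000030): Pick method list 'AUTH_LIST'
Sep  6 15:30:10.545: AAA/AUTHOR (00000030): Method list id=0 not configured. Skip author
Sep  6 15:44:28.279: AAA/AUTHEN/LOGIN (00000033): Pick method list 'AUTH_LIST'
Sep  6 15:44:31.664: AAA/AUTHOR (0x33): Pick method list 'AUTHO_LIST'
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): processing AV priv-lvl=1
Sep  6 15:44:31.668: AAA/AUTHOR/EXEC(00000033): Authorization successful
"""

# Stage (AUTHEN/LOGIN, AUTHOR, AUTHOR/EXEC, ...), session id and message of one debug line.
LINE_RE = re.compile(r"AAA/(?P<stage>[A-Z/]+) ?\((?P<sid>0x[0-9a-fA-F]+|[0-9a-fA-F]{8})\): (?P<msg>.*)")
PICK_RE = re.compile(r"Pick method list '([^']+)'")

def summarise(log):
    """Per session: which lists were picked, whether authorization ran, and the priv level."""
    sessions = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # IOS prints the same session id as 00000033 in one line and 0x33 in another.
        s = sessions.setdefault(int(m["sid"], 16), {"authen_list": None, "author_list": None,
                                                     "author": "pending", "priv": None})
        pick = PICK_RE.search(m["msg"])
        if m["stage"] == "AUTHEN/LOGIN" and pick:
            s["authen_list"] = pick.group(1)
        elif m["stage"] == "AUTHOR" and pick:
            s["author_list"] = pick.group(1)
        elif m["stage"] == "AUTHOR" and "Skip author" in m["msg"]:
            s["author"] = "skipped"
        elif m["stage"] == "AUTHOR/EXEC":
            if lvl := re.search(r"priv-lvl=(\d+)", m["msg"]):
                s["priv"] = int(lvl.group(1))
            if "Authorization successful" in m["msg"]:
                s["author"] = "successful"
    return sessions

def skipped_sessions(log):
    """Sessions that reached exec with no authorization list, as in the first capture."""
    return sorted(sid for sid, s in summarise(log).items() if s["author"] == "skipped")
```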


When I add a privilege level to joe's user account and have an authorization list applied to the line, it will authorize the user at the assigned privilege level:


R1(config)#username joe privilege 5 password blow
R1(config)#


And now to reconnect:


R3#telnet 10.1.12.1
Trying 10.1.12.1 ... Open
Unauthorized access is prohibited
Please enter your username:joe
Please enter your password:


R1#show privilege 
Current privilege level is 5
R1#


AAA Configuration Part 2

26 comments:

  1. Very helpful, thanks! Minor mistake though, it should be:
    line vty 0 4
    authorization exec AUTHO_LIST
