The identification of which traffic must have AAA service applied to it is done on the AAA client, which is the IOS router in our example. This task has three different elements to it, depending on which of the 3 A’s in AAA we want to apply to the traffic. Recall that we must perform authentication at a minimum because authorization and accounting depend on authentication. To repeat, here are the subtasks that we examine separately and in order in the subsequent sections:
. Configuring authentication
. Configuring authorization
. Configuring accounting
Once the network is set up as in Task 1, this group of AAA server settings is modular and can be used for a number of purposes. For example, once you have set up a TACACS+ server for authentication, it could be used for both remote administrative access and remote network access purposes.
Creating an AAA Login Authentication Policy on the AAA Client
Figure 3.20 illustrates the steps that are required to create an AAA login authentication policy on the AAA client.
FIGURE 3.20 Adding a login authentication method in Cisco SDM.
Follow these steps to create an AAA login authentication policy using Cisco SDM on the IOS router, our AAA client:
1. Open up the Cisco SDM home page and choose Configure->Additional Tasks->AAA->Authentication Policies->Login.
2. Click Add from the Authentication Login pane.
3. From the Name drop-down list, choose User Defined to create a new authentication method.
4. In the Specify field, enter the authentication login method list name; MY_TACACS, for example.
5. To define the methods that this policy uses, click Add. The Select Method List(s) for Authentication Login window appears.
6. From the method list, choose group tacacs+.
7. To add group tacacs+ to the method list, click OK. This will return you to the Add a Method List for Authentication Login window. The just-added method will now appear in this list.
8. To add a backup method for this policy, click Add. The Select Method List(s) for Authentication Login window appears.
9. This time, choose enable from the method list. This will cause the enable password to be used as the backup login authentication method.
10. To add enable to the method list, click OK. This will return you to the Add a Method List for Authentication Login window. Both group tacacs+ and enable should show up in the window. To make the enable password a backup to the group tacacs+ authentication method, make sure it appears below the group tacacs+ authentication method.
11. To add the authentication login method list, click OK.
NOTE
The CLI command that is generated by the Cisco SDM is aaa authentication login MY_TACACS group tacacs+ enable.
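As an added illustration (not from the book, and not Cisco code), the following Python model shows the fallback semantics of a method list such as the MY_TACACS list built above: IOS moves on to the next method only when the previous one returns an error (for example, no TACACS+ server in the group answers), never when a server answers and rejects the credentials. The ACS user database, the enable secret and the reachability flag are constructed for the example.

```python
"""Model of how Cisco IOS walks a login method list such as
'aaa authentication login MY_TACACS group tacacs+ enable'.

Added example, not code from the book.  The user database, secrets and the
reachability flag below are constructed.  The rule modelled is the documented
IOS behaviour: the next method is consulted only when the previous one returns
ERROR (no server in the group answered); a FAIL (a server answered and rejected
the credentials) ends the attempt, so the backup method is never a second
password that can be tried while the server is up."""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "PASS"    # credentials accepted
    FAIL = "FAIL"    # method answered and rejected the credentials
    ERROR = "ERROR"  # method could not answer (e.g. TACACS+ servers unreachable)


# A method is (name as it appears in the IOS command, check(username, password)).
Method = Tuple[str, Callable[[str, str], Result]]


def group_tacacs(user_db: Dict[str, str], reachable: bool) -> Method:
    """Stand-in for 'group tacacs+'; user_db plays the Cisco Secure ACS database."""
    def check(user: str, pw: str) -> Result:
        if not reachable:
            return Result.ERROR          # no server answered: IOS tries the next method
        return Result.PASS if user_db.get(user) == pw else Result.FAIL
    return ("group tacacs+", check)


def enable(enable_secret: str) -> Method:
    """Stand-in for the 'enable' method: only the enable secret is checked."""
    def check(user: str, pw: str) -> Result:
        return Result.PASS if pw == enable_secret else Result.FAIL
    return ("enable", check)


def login(method_list: List[Method], user: str, pw: str) -> Tuple[bool, str]:
    """Walk the list in order; return (allowed, name of the method that decided).

    If every method returns ERROR the login is denied and the last method's
    name is reported, so the caller can see that no method could answer."""
    for name, check in method_list:
        result = check(user, pw)
        if result is Result.PASS:
            return True, name
        if result is Result.FAIL:
            return False, name           # FAIL stops the walk: no fallback
    return False, method_list[-1][0]     # every method returned ERROR


# Constructed data: the ACS user database and the router's enable secret.
ACS_USERS = {"admin": "Correct-Horse-42"}
ENABLE_SECRET = "enable-only-secret"


def my_tacacs(acs_reachable: bool) -> List[Method]:
    """The MY_TACACS list from the chapter: group tacacs+ first, enable as backup."""
    return [group_tacacs(ACS_USERS, acs_reachable), enable(ENABLE_SECRET)]


if __name__ == "__main__":
    for reachable in (True, False):
        for pw in ("Correct-Horse-42", ENABLE_SECRET, "wrong"):
            allowed, decided_by = login(my_tacacs(reachable), "admin", pw)
            print(f"ACS reachable={reachable!s:5} password={pw!r:21} "
                  f"-> allowed={allowed!s:5} decided by {decided_by}")
```

Running it shows that, while the ACS is reachable, offering the enable secret as the login password is rejected by group tacacs+ and the enable method is never consulted; only when no server answers does the enable secret admit the user. That is why the backup method is an outage safeguard rather than a second credential, and why a run of vty logins decided by enable (visible in AAA debug or accounting records) is worth investigating as a sign that the TACACS+ server has become unreachable.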
Applying the Authentication Method
The authentication login method list, like any policy, has no effect by itself once created. It must be applied to an entity on the device. This is a handy rule of thumb on Cisco devices: you create a policy, and then you have to apply it somewhere. Keeping in mind that we have set up a login authentication method (and using your intuition), this authentication method most likely needs to be applied to one of the line interfaces on the router. In this scenario, we apply the authentication method MY_TACACS to the five default vty lines on the router.
The Cisco SDM dialog to apply the authentication method MY_TACACS to the vtys is illustrated in Figure 3.21.
To apply the authentication method to the vtys using the SDM, follow these steps:
1. Choose Configure->Additional Tasks->Router Access->VTY->Edit.
2. In the Edit VTY Lines window, choose the MY_TACACS login authentication method from the Authentication Policy drop-down list.
3. Click OK to deliver the commands to the router.
FIGURE 3.21 Applying the authentication method to the vtys using the Cisco SDM.
The CLI command to apply the authentication policy to the vtys would look like this:
CiscoISR#configure terminal
CiscoISR(config)#line vty 0 4
CiscoISR(config-line)#login authentication MY_TACACS
Now when administrators log in to the Cisco IOS router via the vtys, they will be prompted for a username and password. These credentials will be validated using the TACACS+ protocol against the user database on the Cisco Secure ACS. It should be noted that this will not affect SDM login, only access via Telnet or SSH.
Thus, we have completed the tasks to perform the first A in AAA, authentication. Let’s turn our attention to the second A in AAA, authorization. Leveraging our TACACS+ server, we will:
. First, create and apply an authorization policy for exec (character mode).
. Second, create and apply an authorization policy for network (packet mode).
Creating and Applying an AAA Exec Authorization Policy
The method to create an exec authorization policy is illustrated in Figure 3.22.
FIGURE 3.22 Creating and applying an AAA exec authorization policy.
Using the Cisco SDM and starting at the home page, follow these steps to create and apply the default authorization method list for exec (character mode) access.
Figure 3.22 is labeled to correspond to the numbers in the following list of steps:
1. Choose Configure->Additional Tasks->AAA->Authorization Policies->Exec.
2. Click Add in the Exec Authorization pane.
3. Choose Default from the Name drop-down list in the Add a Method List for Exec Authorization window.
4. To define the methods that this policy uses, click Add.
5. Choose group tacacs+ from the method list in the Select Method List(s) for Exec Authorization window.
6. Click OK on the next two windows in succession to return to the Exec Authorization pane.
NOTE
The following steps assume that we have already configured an authorization policy on the Cisco Secure ACS (we have!). If you create and apply an AAA exec authorization policy before you have configured one on the authorization server, you will lock yourself out of the router. This is very embarrassing.
Now, when administrators access the CLI, they will only be allowed to execute the commands they are authorized to use as defined in the user’s authorization policy on the Cisco Secure ACS.
Creating and Applying an AAA Network Authorization Policy
Let’s now turn our attention to defining what a user is authorized to do on the network segment protected by the Cisco IOS router.
The method to create a network authorization policy is illustrated in Figure 3.23.
NOTE
The Cisco SDM will generate this CLI command:
aaa authorization exec default group tacacs+
FIGURE 3.23 Creating and applying an AAA network authorization policy.
Starting on the Cisco SDM home page, complete the following steps to configure the default authorization method list for network (packet mode) access.
Figure 3.23 has labels corresponding to the numbers of the following steps:
1. Choose Configure->Additional Tasks->AAA->Authorization Policies->Network.
2. Click Add in the Network Authorization pane.
3. Choose Default from the Name drop-down list in the Add a Method List for Network Authorization window.
4. To define the methods that this policy uses, click Add.
5. Choose group tacacs+ from the method list in the Select Method List(s) for Network Authorization window.
6. Click OK on the next two windows in succession to return to the Network Authorization pane.
NOTE
The Cisco SDM will generate this CLI command:
aaa authorization network default group tacacs+
AAA Accounting Configuration
When properly configured, Cisco Secure ACS acts as a central repository of tracked events as they occur on the network. For example, our comprehensive network security policy might stipulate that all failed login attempts to (and through) the routers are to be tracked, with detailed information about the attempt such as user credentials, time of day, and date. Without keeping track of this information, we might not be able to provide data to aid in a forensic investigation should our network be compromised or otherwise attacked.
As with authentication and authorization, you must first create a method list (the policy), and then apply it to the right entity. As we have seen, method lists can be multi-purpose, so a method list may support all three As in AAA.
AAA involves six different types of accounting, as follows:
. Network. Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP Network Control Protocols (NCPs), and AppleTalk Remote Access Protocol (ARAP).
. Connection. Provides information about all outbound connections made from the network access server, such as Telnet.
. Exec. Runs accounting for the EXEC shell session.
. System. Performs accounting for all system-level events not associated with users, such as reloads.
. Commands. Runs accounting for all commands at the specified privilege level.
. Resource. Performs accounting for resource use by remote users of the system. (The command syntax for setting resource accounting is different than the other items listed.)
These different types of accounting are reflected in the command syntax of the aaa accounting command:
aaa accounting { system | network | exec | connection | commands level } {default | list-name} {start-stop | stop-only | none} [method1 [method2]]
Use the following form of the command to perform accounting for system resource use by remote users:
aaa accounting resource method-list start-stop [broadcast] group groupname
To set up accounting using the CLI, follow these basic steps (with examples):
1. Create an accounting method list and enable accounting.
CiscoISR(config)#aaa accounting connection default start-stop group tacacs+
2. Enter line configuration mode or interface configuration mode for the lines or interface to which the accounting method list will be applied.
CiscoISR(config)#line vty 0 4
3. Apply the account method list to the line(s) or interface(s).
CiscoISR(config-line)#accounting connection default
Troubleshooting/Debugging Local AAA, RADIUS, and TACACS+
Here are a handful of useful commands for troubleshooting and debugging local AAA, RADIUS, and TACACS+.
For a high-level view of login activity, use the following CLI command:
debug aaa authentication
Here is an example of the output of the debug aaa authentication command.
The last line of the output indicates that someone logged on to this ISR and that the authentication method list used was local_auth:
ciscoISR#debug aaa authentication
AAA Authentication debugging is on
443521: Aug 7 08:56:19.498 NewYork: AAA/BIND(000032C8): Bind i/f
443522: Aug 7 08:56:20.110 NewYork: AAA/BIND(000032C9): Bind i/f
443523: Aug 7 08:56:22.117 NewYork: AAA/BIND(000032CA): Bind i/f
443524: Aug 7 08:56:24.628 NewYork: AAA/BIND(000032CB): Bind i/f
443525: Aug 7 08:56:24.628 NewYork: AAA/AUTHEN/LOGIN (000032CB): Pick method list ‘local_auth’
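The following Python parser, added here as an example and not part of the book, reads lines in the format of the debug aaa authentication output above, ties each AAA/AUTHEN/LOGIN record to its session ID, and reports sessions that picked a method list other than the one expected on the vtys (MY_TACACS in this chapter). The sample lines are constructed after the format shown above, with one extra session added so that both outcomes appear.

```python
"""Parse 'debug aaa authentication' lines and flag sessions that did not use
the expected login method list.

Added example, not from the book.  SAMPLE_DEBUG is constructed after the
layout of the page's debug output; it is not captured router output."""
import re
from typing import Dict, List, Optional

# Constructed sample in the page's layout:
# <seq>: <timestamp> <timezone>: <component>(<session-id>): <message>
SAMPLE_DEBUG = """\
443521: Aug 7 08:56:19.498 NewYork: AAA/BIND(000032C8): Bind i/f
443522: Aug 7 08:56:20.110 NewYork: AAA/BIND(000032C9): Bind i/f
443523: Aug 7 08:56:22.117 NewYork: AAA/BIND(000032CA): Bind i/f
443524: Aug 7 08:56:24.628 NewYork: AAA/BIND(000032CB): Bind i/f
443525: Aug 7 08:56:24.628 NewYork: AAA/AUTHEN/LOGIN (000032CB): Pick method list 'local_auth'
443526: Aug 7 08:56:25.003 NewYork: AAA/AUTHEN/LOGIN (000032CA): Pick method list 'MY_TACACS'
"""

# One debug line: sequence number, timestamp, timezone/hostname tag, AAA
# component (with or without a space before the session ID), session ID, message.
LINE_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+) (?P<tz>\S+): "
    r"(?P<comp>AAA/[A-Z/]+) ?\((?P<sid>[0-9A-Fa-f]+)\): (?P<msg>.*)$"
)
# The method-list name may be wrapped in straight or typographic quotes.
METHOD_LIST_RE = re.compile(r"Pick method list ['\u2018](?P<name>[^'\u2019]+)['\u2019]")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one debug line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def method_lists_by_session(text: str) -> Dict[str, str]:
    """Map session ID -> method list name for every AAA/AUTHEN/LOGIN record."""
    picked: Dict[str, str] = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["comp"] != "AAA/AUTHEN/LOGIN":
            continue                       # BIND and other records carry no list name
        m = METHOD_LIST_RE.search(rec["msg"])
        if m:
            picked[rec["sid"]] = m.group("name")
    return picked


def unexpected_sessions(text: str, expected: str) -> List[str]:
    """Session IDs whose login used a method list other than `expected`."""
    return sorted(sid for sid, name in method_lists_by_session(text).items()
                  if name != expected)


if __name__ == "__main__":
    for sid, name in method_lists_by_session(SAMPLE_DEBUG).items():
        print(f"session {sid}: method list {name}")
    print("not using MY_TACACS:", unexpected_sessions(SAMPLE_DEBUG, "MY_TACACS"))
```

Fed a logging buffer or syslog export of the same lines, the parser lets an operator confirm that vty logins are really being decided by the TACACS+ policy and catch a line that is still falling through to a local-only method list after the policy was supposed to be applied.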
For more detailed debugging of TACACS+ in particular, use the following CLI command:
debug tacacs
For even more detailed information about the TACACS+ helper process, you can use the following CLI command. Be careful with its use, because it generates copious amounts of output.
debug tacacs event
For more detailed debugging of RADIUS in particular, use the following CLI command:
debug radius
For even more detailed information about the RADIUS helper process, you can use the following CLI command. Be careful with its use, because it generates copious amounts of output:
debug radius event
AAA Configuration Snapshot
Here is a snapshot of a partial configuration with the commands in Tasks 1, 2, and 3 for setting up external AAA and including the preceding AAA accounting configuration. If the commands don’t make sense, review them in the preceding sections:
aaa new-model
!
aaa authentication login MY_TACACS group tacacs+ local
aaa authorization exec default group tacacs+
aaa authorization network default group tacacs+
aaa accounting connection default start-stop group tacacs+
!
tacacs-server host 192.168.99.133
tacacs-server key cisco123
!
line vty 0 4
 login authentication MY_TACACS
 accounting connection default
Exam Prep Questions
1. Match the following deployment scenarios for a Cisco IOS router with the correct description:
1. Single Perimeter: ___
2. Two Perimeters: ___
3. Screen Subnet: ___
Descriptions:
A. The router establishes the trusted network boundary at the Internet and protects a single LAN.
B. A DMZ is established on a firewall that, in turn, is deployed inside the Cisco IOS router.
C. A firewall establishes a second perimeter behind the router.
2. Which of the following is not a feature of Cisco Integrated Services routers? (Choose all that apply.)
❍ A. USB Port (most models)
❍ B. Unified Network Services
❍ C. Integrated PoE VoIP port
❍ D. Integrated Security
❍ E. Firewire port
3. True or false. By default, Cisco router passwords must contain at least 10 characters.
4. Which statement about the service password-encryption command is correct?
❍ A. It encrypts all passwords in the router’s configuration file with an AES (Advanced Encryption Standard) 256-bit level encryption.
❍ B. With the exception of the hashed enable secret, all passwords on the router are encrypted.
❍ C. All passwords on the router are encrypted.
❍ D. It has no effect unless the service password secret-encrypt command is also issued.
❍ E. None of the above.
5. You have entered the following commands to create a view called ISP:
CiscoISR(config)#parser view ISP
CiscoISR(config-view)#secret 0 hardtoguess
Which one of the following commands enables users of this view to access the configure mode from a terminal?
❍ A. commands configure include all terminal
❍ B. commands exec include all configure
❍ C. commands include exec configure
❍ D. commands exec include configure terminal
❍ E. None of the above.
6. Referring to the following list, select the five items that comprise the five basic services that SDM manages:
❍ A. Wireless
❍ B. Intrusion Protection Services (IPS)
❍ C. Routing
❍ D. Switching
❍ E. Security
❍ F. Interfaces
❍ G. AAA
❍ H. QoS
7. What (in the right order) does AAA stand for?
❍ A. Access, accountability, administration
❍ B. Administration, access, accounting
❍ C. Accounting, access, administration
❍ D. Authentication, authorization, accounting
❍ E. Authorization, accounting, administration
❍ F. None of the above.
8. Which of the following is true about the Cisco Secure ACS Solution Engine? (Choose all that are correct.)
❍ A. Must be installed on an existing installation of Windows Server.
❍ B. Must be installed on an existing installation of Windows Server or Sun Solaris.
❍ C. An appliance-based solution that supports up to 50 AAA clients, as well as 350 unique user logons in a 24-hour period.
❍ D. An appliance-based solution.
❍ E. TACACS+ only
❍ F. None of the above.
9. Fill in the blanks with the correct words from the list:
When designing an AAA solution, remote administrative access is also known as _____ mode. Another name for remote network access is _____ mode.
❍ A. Packet, character
❍ B. Character, network
❍ C. Network, character
❍ D. Character, packet
❍ E. Packet, network
10. What command will display a list of all local AAA users who have been locked out?
❍ A. show aaa local user lockout
❍ B. show aaa user all
❍ C. show aaa sessions
❍ D. show aaa local lockout
❍ E. None of the above.
11. Which protocols are supported in the AAA dialog between a Cisco IOS router and Cisco Secure ACS? (Choose all that apply.)
❍ A. LDAP
❍ B. Active Directory
❍ C. ODBC
❍ D. RADIUS
❍ E. TACACS+
❍ F. Kerberos
12. Which of the following statements is most correct concerning RADIUS and TACACS+?
❍ A. RADIUS has rich accounting and TACACS+ is capable of customizable user-level policies such as command authorization.
❍ B. RADIUS encrypts the whole communication between the AAA client and server, whereas TACACS+ only encrypts the password.
❍ C. RADIUS uses UDP for transport and TACACS+ uses TCP.
❍ D. RADIUS is a proprietary standard, whereas TACACS+ is Open Source.
❍ E. RADIUS uses UDP ports 1645 and 1646 exclusively
13. Which of the following are not included in the three main task areas in setting up for external AAA? (Choose all that apply.)
❍ A. Configure the AAA network.
❍ B. Install AAA supplicant software on IP hosts that will authenticate to the IOS router.
❍ C. Identify traffic to which AAA is applied.
❍ D. Set up users.
❍ E. Install Cisco Secure ACS Solution Engine module on the Cisco IOS router.
14. Select the one answer with the correct two terms to fill in the following blanks.
There are two distinct types of AAA authorization policies:
.________ policies that define access rules to the router.
.________ policies that define access rules through the router.
Choices:
❍ A. Network, Exec
❍ B. Packet, Character
❍ C. Character, Packet
❍ D. Exec, Network
❍ E. Administrative, User
Answers to Exam Prep Questions
1. 1—A; 2—C; 3—B.
2. The answers are C and E. Cisco ISRs do not contain integrated Power over Ethernet (PoE) ports or VoIP ports or Firewire ports. Some of the features are available as option cards on modular ISRs.
3. False. It is also a trick question! Cisco recommends that passwords should be at least 10 characters in length, but there is no default rule. Passwords can be blank. That is why this chapter stresses basics such as best practices for passwords.
4. Answer B is correct. Answer D is a trick because that command doesn’t exist and answer A is just plain wrong. Answer C is tricky too because we learn in this chapter that passwords on the router are not encrypted unless we use the service password-encryption command.
5. The correct answer is B. This is a bit of a trick question because answer B enables configuration from not only the terminal but also from other sources. The syntax of the other (but wrong) answers is all mixed up.
6. Choices A, C, D, E, and H are correct. The other items can be configured in the SDM, but they are not considered one of the five basic services that the SDM manages.
7. The correct answer is D.
8. The correct answer is D. Answer C is meant to confuse because Cisco Secure ACS Express is being described and is also an appliance-based solution. Answers A, B, and E are simply wrong.
9. The correct answer is D.
10. Answer A is the correct answer. Answer B is the command that displays detailed statistics of all logged in users. Answer C is used to display current sessions of users who have been authenticated, authorized, or accounted by the AAA module. The command in answer D doesn’t exist.
11. This is a trick question. The question is not which protocols does Cisco Secure ACS work with to authenticate to an external database. If that was the question, you could choose everything in the list. Answers D and E are correct because only RADIUS and TACACS+ are choices for protocols that work between the AAA client (the Cisco IOS router) and the AAA server (Cisco Secure ACS).
12. Answers A and C are correct. Answer B is backwards. It’s TACACS+ that encrypts the whole communication, whereas RADIUS encrypts only the password. Answer D is incorrect but for a tricky reason. Although RADIUS is open source, TACACS+ isn’t quite a proprietary standard because Cisco has published it as an RFC (Request for Comment), part of the IETF standards track. Answer E is incorrect because RADIUS can use either ports 1645 and 1646 or ports 1812 and 1813 for authentication/authorization and accounting, respectively.
13. Answers B and E are correct. Answer B is correct because you do not need special software on an IP host in order to enable AAA for the network. Answer E is correct because the Cisco Secure ACS Solution Engine is an appliance that comprises a self-contained AAA server solution. It is not an add-on module for a router, and the router is the AAA client in this scenario anyway.
14. Answer D is correct. The use of the terms “packet” and “character” is deliberately misleading because these refer to types of access in general (see Figure 3.10), but not specific types of AAA authorization policies. Answer E is simply wrong but sounds like it might be right to someone who hasn’t read the Exam Cram.