|
|
This chapter focuses on the following server-based AAA implementation topics:
 |
Caution The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for you own configurations, be sure that your specifications apply to your environment. |
 |
Note See "Implementing the Local AAA Subsystem," for specifics of local AAA implementation. See "1.1 AAA Technology Summary," in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation. |
Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based AAA components, including a AAA server and its associated AAA database.
The following section focuses on server-based dialup authentication configuration. In this context, server-based refers to actions dependent upon an external AAA server. These actions are described in a series of general steps along with related commands, server configurations, and diagnostic steps as appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authentication on NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot authentication from the AAA server.
Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication ppp default if-needed group tacacs+ ! tacacs-server host 172.22.53.101 key ciscorules
|
Note See "A.3 NAS AAA Command Implementation Descriptions" in "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands. |
Step 2 Configure a user profile in the database.
Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules -a 'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'
|
Caution When entering AddProfile to create users or groups, it is possible to successfully create users or groups that have invalid database parameters that result in profile errors viewable in /var/log/csuslog. |
Step 3 Verify the AAA server-based user configuration.
Enter this server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial
user = tac_dial{
profile_id = 23
profile_cycle = 1
password = pap "********"
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}
}
Step 4 Verify and troubleshoot authentication from the AAA server.
Enter the tail command:.
<CSUserver>$tail -f /var/log/csuslog
|
Note See "C.1 Server-Based TACACS+ Dialup Authentication Diagnostics" for a description of relevant diagnostic output. |
Step 5 Verify and troubleshoot PPP authentication from the NAS.
Enter the debug aaa authentication and debug ppp authentication commands to confirm authentication from the NAS perspective.
|
Note See "C.1 Server-Based TACACS+ Dialup Authentication Diagnostics" for relevant diagnostic output. |
This section focuses on implementing of server-based dialup authorization and presents applicable configuration segments, server commands and file listings, and diagnostic steps.
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authorization on the NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.
5. Verify and troubleshoot shell-initiated PPP authorization on the NAS.
Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authorization with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication ppp default if-needed group tacacs+ aaa authorization exec default group tacacs+ if-authenticated aaa authorization network default group tacacs+ if-authenticated ! tacacs-server host x.x.x.x key ciscorules
|
Note See "A.3 NAS AAA Command Implementation Descriptions" in "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands. |
Step 2 Configure a user profile in the database.
Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules -pw pap,ciscorules -a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'
Step 3 Verify the AAA server-based user configuration.
Enter this UNIX server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest
An example of a ViewProfile output of the user profile looks like this:
User Profile Information
user = dialtest{
profile_id = 25
profile_cycle = 1
password = pap "********"
service=shell {
default_cmd=permit
}
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}
}
Step 4 Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.
Enter the following UNIX server command to confirm that the authorization is operating correctly:
<CSUServer>$tail -f /var/log/csuslog
|
Note See "C.2 Server-Based TACACS+ Dialup Authorization Diagnostics." |
Step 5 Verify and troubleshoot shell-initiated PPP authorization on the NAS.
Enter the debug aaa authorization command to verify server-based authorization is operating correctly for dial access.
|
Note See "C.2 Server-Based TACACS+ Dialup Authorization Diagnostics." |
This section focuses on the configuration of server-based, RADIUS dialup authentication configuration. In this context, server-based refers to actions that depend on an external AAA server. Figure 4-3 illustrates a simplified server-based dial environment.
These steps help you to accomplish the following tasks:
1. Configure RADIUS server-based authentication on access server.
2. Configure a user profile in the database.
Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with RADIUS:
aaa new-model aaa authentication login default group radius aaa authentication ppp default if-needed group radius ! interface Group-Async1 ip unnumbered Loopback0 no ip directed-broadcast encapsulation ppp ip tcp header-compression passive no logging event link-status dialer in-band dialer idle-timeout 900 async mode interactive no snmp trap link-status peer default ip address pool default no fair-queue no cdp enable ppp max-bad-auth 3 ppp authentication pap chap group-range 1 48 ! line 1 48 exec-timeout 48 0 autoselect during-login autoselect ppp absolute-timeout 240 modem InOut modem autoconfigure type mica transport preferred telnet transport input all transport output lat pad telnet rlogin udptn v120 lapb-ta radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
|
Note See "A.3 NAS AAA Command Implementation Descriptions" in "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands. |
Step 2 Configure a user profile in the database.
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a 'NASName="172.22.53.105"\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary="DICTIONARY.Cisco"\n }\n'
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'
Step 3 Verify the AAA server-based user configuration.
a. Enter this server command to view the AAA server-based NAS configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105
User Profile Information
user = NAS.172.22.53.105{
profile_id = 76
profile_cycle = 1
NASName="172.22.53.105" {
SharedSecret="ciscorules"
RadiusVendor="Cisco"
Dictionary="DICTIONARY.Cisco"
}
}
b. Enter this command to verify the AAA server user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
}
}
}
Step 4 Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.
|
Note See "C.3 Server-Based RADIUS Dialup Authentication Diagnostics." |
These steps help you to accomplish the following tasks:
1. Configure RADIUS server-based authorization on the NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot RADIUS network authorization on the NAS.
5. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.
Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS authorization assigning access-list 110 to the user, rad_dial:
aaa new-model aaa authentication login default group radius aaa authentication ppp default if-needed group radius aaa authorization exec default group radius aaa authorization network default group radius if-authenticated ! radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules ! access-list 110 permit tcp any any eq telnet access-list 110 permit tcp any any eq ftp access-list 110 permit tcp any any eq ftp-data access-list 110 deny tcp any any
|
Note See "A.3 NAS AAA Command Implementation Descriptions" in "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands. |
Step 2 Configure a user profile in the database.
Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n'
Step 3 Verify the AAA server-based user configuration.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
9,1="ip:inacl=110"
}
}
}
|
Note The Cisco AVP inacl=110 is included to enable an input access-list. |
Step 4 Verify and troubleshoot RADIUS network authorization on the NAS.
Enter the debug aaa authorization command to verify dial access server-based authorization is operating correctly for dial access.
|
Note See "C.4 Server-Based RADIUS Dialup Authorization Diagnostics." |
Step 5 Verify that access-list 110 is assigned to user rad_dial with the show caller user command.
|
Note See "C.4 Server-Based RADIUS Dialup Authorization Diagnostics." |
This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for a router.
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authentication on the router.
2. Configure and verify the group rtr_basic:
3. Create the member rtr_test and assign this user to group rtr_basic.
Include the following Cisco IOS configuration commands in your configuration to enforce AAA server-based command authorization on a router (excluding the console port):
aaa new-model aaa authentication login default group tacacs+ aaa authentication login NO_AUTHENT none ! ip http server ip http authentication aaa ip tacacs source-interface Loopback0 ! tacacs-server host 172.22.53.201 key ciscorules ! line con 0 login authentication NO_AUTHENT
|
Note See "A.2 Router AAA Command Implementation Descriptions" in "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands. |
Step 2 Configure and verify the group rtr_basic:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a 'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}
}
Step 3 Create the member rtr_test and assign this user to group rtr_basic.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr rtr_basic Profile Successfully Added
Step 4 Verify user rtr_test.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test
User Profile Information
user = rtr_test{
profile_id = 66
profile_cycle = 1
member = rtr_basic
password = des "********"
}
Step 5 Log in to the router and verify proper authentication.
Enter the login command to access the router command interface and monitor the output of debug aaa authentication from a separate shell session. Monitor the output of the AAA server by consulting the csuslog file using the tail command.
|
Note See "C.5 Server-Based TACACS+ Router Authentication Diagnostics." |
The following examples, including authorization-related IOS command listings and AAA server profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups are created with low (rtr_low), medium (rtr_tech), and high (rtr_super) access. The default_cmd AVP (defined in the AAA server profile) is used to control access to privilege level 15 commands. In this case, privilege level 15 is the highest level of command access privilege allowed and is reserved for super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated with each of the administrative groups defined in this section.
| Group | |||
|---|---|---|---|
| Cisco IOS Command | rtr_super | rtr_tech | rtr_low |
| debug all | Denied | Denied | Denied |
| debug * | Permitted | Permitted | Denied |
| clear * | Permitted | Permitted | Denied |
| reload | Permitted | Denied | Denied |
| show running-config write terminal | Permitted | Denied | Denied |
| copy running-config startup-config write memory | Permitted | Permitted | Denied |
| configure terminal | Permitted | Denied | Denied |
Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization between a router and an AAA server. Troubleshooting and verifying is divided into three stages: authentication, EXEC authorization and command authorization. Each stage is accompanied by information particular to that stage:
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authorization from the console port on the router.
2. Configure, verify, and test operation of the AAA server group rtr_low.
3. Configure, verify, and test operation of the AAA server group rtr_tech.
4. Configure, verify, and test operation of AAA server Group rtr_super.
|
Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to disable AAA authentication and authorization before changing to boot ROM mode. For configuration notes regarding disabling AAA to access boot ROM mode, see "AAA Impact on Maintenance Tasks." |
Include the following Cisco IOS configuration commands in your configuration to enforce router-based security with TACACS+:
aaa new-model aaa authentication login default group tacacs+ aaa authentication login NO_AUTHENT none aaa authorization commands 15 NO_AUTHOR none aaa authorization exec default group tacacs+ aaa authorization exec NO_AUTHOR none aaa authorization commands 15 default group tacacs+ ! ip http server ip http authentication aaa ip tacacs source-interface Loopback0 ! tacacs-server host 172.22.53.201 key ciscorules ! line con 0 authorization commands 15 NO_AUTHOR authorization exec NO_AUTHOR login authentication NO_AUTHENT
|
Note See "A.2 Router AAA Command Implementation Descriptions" in "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands. |
Step 2 Configure, verify, and test operation of the AAA server group rtr_low.
The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the requirements specified in Table 4-1:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a 'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}
}
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw des,ciscorules Profile Successfully Added
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb
User Profile Information
user = rtr_dweeb{
profile_id = 66
profile_cycle = 1
member = rtr_low
password = des "********"
}
e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:
<CSUserver>$tail -f /var/log/csuslog
|
Note See "C.6 Server-Based TACACS+ Router Authorization Diagnostics." |
Step 3 Configure, verify, and test operation of the AAA server group rtr_tech.
The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the requirements specified in Table 4-1:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny all\n}\ncmd=configure{\ndeny .*}\n}\n'
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech
Group Profile Information
group = rtr_tech{
profile_id = 47
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
cmd=reload {
deny all
}
cmd=configure {
deny .*
}
}
}
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw des,ciscorules Profile Successfully Added
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie
User Profile Information
user = rtr_techie{
profile_id = 39
profile_cycle = 1
member = rtr_tech
password = des "********"
}
e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:
<CSUserver>$tail -f /var/log/csuslog
|
Note See "C.6 Server-Based TACACS+ Router Authorization Diagnostics." |
Step 4 Configure, verify, and test operation of AAA server Group rtr_super.
The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with the requirements specified in Table 4-1:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell {\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n'
Profile Successfully Added
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super
Group Profile Information
group = rtr_super{
profile_id = 40
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
}
}
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek -pr rtr_super -pw des,ciscorules Profile Successfully
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek
User Profile Information
user = rtr_geek{
profile_id = 45
profile_cycle = 1
member = rtr_super
password = des "********"
}
e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:
<CSUserver>$tail -f /var/log/csuslog
|
Note See "C.6 Server-Based TACACS+ Router Authorization Diagnostics." |
Posted: Thu Jun 8 20:19:50 PDT 2000
Copyright 1989 - 2000©Cisco Systems Inc.