Preface xi
Purpose xi
Audience xi
Scope xi
Related Documentation and Sites xii
Software Used in This Case Study xii
Hardware Used in This Case Study xii
Document Conventions xiii
Command Syntax Conventions xiii
Providing Documentation Feedback xiv
chapter 1
Cisco AAA Case Study Overview 1-1
1.1 AAA Technology Summary 1-1
1.4 Comparison of TACACS+ and RADIUS 1-4
1.4.3 Authentication and Authorization 1-5
1.4.4 Multiprotocol Support 1-5
1.4.7 Attribute-Value Pairs (AVPs) 1-6
1.5 Differences in Implementing Local and Server AAA 1-6
1.8 Network Service Definitions 1-10
1.8.1 Authentication Policy 1-10
1.8.2 Authorization Policy 1-11
1.9 Security Implementation Policy Considerations 1-12
1.10 Network Equipment Selection 1-13
1.11 Task Check List 1-14
chapter 2
Implementing the Local AAA Subsystem 2-1
2.1 Implementing Local Dialup Authentication 2-2
2.2 Implementing Local Dialup Authorization 2-5
2.3 Implementing Local Router Authentication 2-8
2.4 Implementing Local Router Authorization 2-10
2.5 Implementing Local Router Accounting 2-12
chapter 3
Implementing Cisco AAA Servers 3-1
3.1 Installing CiscoSecure for UNIX with Oracle 3-2
3.1.1 Creating Oracle Tablespace 3-2
3.1.2 Verifying the Oracle Database Instance 3-3
3.1.3 Installing CiscoSecure for UNIX 3-5
3.1.4 Creating and Verifying Basic User Profile 3-10
chapter 4
Implementing the Server-Based AAA Subsystem 4-1
4.1 Implementing Server-Based TACACS+ Dialup Authentication 4-2
4.2 Implementing Server-Based TACACS+ Dialup Authorization 4-4
4.3 Implementing Server-Based RADIUS Dialup Authentication 4-6
4.4 Implementing Server-Based RADIUS Dialup Authorization 4-8
4.5 Implementing Server-Based TACACS+ Router Authentication 4-10
4.6 Implementing Server-Based TACACS+ Router Authorization 4-13
chapter 5
Implementing Server-Based AAA Accounting 5-1
5.1 Implementing Server-Based TACACS+ Dial Accounting 5-1
5.2 Implementing Server-Based TACACS+ Router Accounting 5-4
5.3 AAA Disconnect Cause Code Descriptions 5-6
chapter 6
Diagnosing and Troubleshooting AAA Operations 6-1
6.1 Overview of Authentication and Authorization Processes 6-2
6.2 Troubleshooting AAA Implementation 6-7
6.2.1 Troubleshooting Methodology Overview 6-7
6.2.2 Cisco IOS Debug Command Summary 6-7
6.3 AAA Troubleshooting Basics 6-8
6.3.1 Troubleshooting Dial-Based Local Authentication 6-9
6.3.2 Troubleshooting Dial-Based Server Authentication 6-10
6.3.3 Troubleshooting Dial-Based Local Authorization 6-13
6.3.4 Troubleshooting Dial-Based Server Authorization 6-15
6.3.5 Troubleshooting Router-Based Local Authentication 6-19
6.3.6 Troubleshooting Router-Based Server Authentication 6-21
6.3.7 Troubleshooting Router-Based Local Authorization 6-24
6.3.8 Troubleshooting Router-Based Server Authorization 6-26
6.4 Troubleshooting Scenarios 6-29
6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication) 6-29
6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication) 6-30
6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication) 6-31
6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization) 6-33
6.4.5 Isolating Defined AVPs Not Being Assigned (TACACS+ Dial-Based Server Authorization) 6-34
6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization) 6-35
6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization) 6-36
appendix A
AAA Device Configuration Listings A-1
A.1 Sample Cisco IOS Configuration Listings A-1
A.1.1 Example Local-Based Router AAA Configuration A-2
A.1.2 Example Server-Based TACACS+ NAS Configuration A-5
A.1.3 Example Server-Based RADIUS NAS Configuration A-9
A.2 Router AAA Command Implementation Descriptions A-13
A.3 NAS AAA Command Implementation Descriptions A-13
A.4 CiscoSecure for UNIX Configuration Listings A-15
A.4.2 CSConfig.ini Listing A-19
A.4.3 Oracle User Environment Variable A-23
A.4.4 listener.ora Listing A-24
A.5 CiscoSecure Log Files A-25
appendix B
AAA Impact on Maintenance Tasks B-1
appendix C
Server-Based AAA Verification Diagnostic Output C-1
C.1 Server-Based TACACS+ Dialup Authentication Diagnostics C-1
C.2 Server-Based TACACS+ Dialup Authorization Diagnostics C-2
C.3 Server-Based RADIUS Dialup Authentication Diagnostics C-4
C.4 Server-Based RADIUS Dialup Authorization Diagnostics C-5
C.5 Server-Based TACACS+ Router Authentication Diagnostics C-7
C.6 Server-Based TACACS+ Router Authorization Diagnostics C-9
C.6.1 Test Results for rtr_low Group C-9
C.6.2 Test Results for rtr_tech Group C-14
C.6.3 Test Results for rtr_super Group C-20
index
Posted: Fri Jun 2 20:55:18 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.