
Table of Contents

Preface      xi

Purpose      xi

Audience      xi

Scope      xi

Related Documentation and Sites      xii

Software Used in This Case Study      xii

Hardware Used in This Case Study      xii

Document Conventions      xiii

Command Syntax Conventions      xiii

Cisco Connection Online      xiii

Documentation CD-ROM      xiv

Providing Documentation Feedback      xiv

Acknowledgements      xv

chapter 1

Cisco AAA Case Study Overview      1-1

1.1 AAA Technology Summary      1-1

1.1.1 AAA RFC References      1-2

1.2 TACACS+ Overview      1-2

1.3 RADIUS Overview      1-3

1.4 Comparison of TACACS+ and RADIUS      1-4

1.4.1 UDP and TCP      1-4

1.4.2 Packet Encryption      1-4

1.4.3 Authentication and Authorization      1-5

1.4.4 Multiprotocol Support      1-5

1.4.5 Router Management      1-5

1.4.6 Interoperability      1-6

1.4.7 Attribute-Value Pairs (AVPs)      1-6

1.5 Differences in Implementing Local and Server AAA      1-6

1.6 Scenario Description      1-8

1.7 Planning Your Network      1-9

1.8 Network Service Definitions      1-10

1.8.1 Authentication Policy      1-10

1.8.2 Authorization Policy      1-11

1.8.3 Accounting Policy      1-11

1.9 Security Implementation Policy Considerations      1-12

1.10 Network Equipment Selection      1-13

1.11 Task Check List      1-14

chapter 2

Implementing the Local AAA Subsystem      2-1

2.1 Implementing Local Dialup Authentication      2-2

2.2 Implementing Local Dialup Authorization      2-5

2.3 Implementing Local Router Authentication      2-8

2.4 Implementing Local Router Authorization      2-10

2.5 Implementing Local Router Accounting      2-12

chapter 3

Implementing Cisco AAA Servers      3-1

3.1 Installing CiscoSecure for UNIX with Oracle      3-2

3.1.1 Creating Oracle Tablespace      3-2

3.1.2 Verifying the Oracle Database Instance      3-3

3.1.3 Installing CiscoSecure for UNIX      3-5

3.1.4 Creating and Verifying Basic User Profile      3-10

chapter 4

Implementing the Server-Based AAA Subsystem      4-1

4.1 Implementing Server-Based TACACS+ Dialup Authentication      4-2

4.2 Implementing Server-Based TACACS+ Dialup Authorization      4-4

4.3 Implementing Server-Based RADIUS Dialup Authentication      4-6

4.4 Implementing Server-Based RADIUS Dialup Authorization      4-8

4.5 Implementing Server-Based TACACS+ Router Authentication      4-10

4.6 Implementing Server-Based TACACS+ Router Authorization      4-13

chapter 5

Implementing Server-Based AAA Accounting      5-1

5.1 Implementing Server-Based TACACS+ Dial Accounting      5-1

5.2 Implementing Server-Based TACACS+ Router Accounting      5-4

5.3 AAA Disconnect Cause Code Descriptions      5-6

chapter 6

Diagnosing and Troubleshooting AAA Operations      6-1

6.1 Overview of Authentication and Authorization Processes      6-2

6.2 Troubleshooting AAA Implementation      6-7

6.2.1 Troubleshooting Methodology Overview      6-7

6.2.2 Cisco IOS Debug Command Summary      6-7

6.3 AAA Troubleshooting Basics      6-8

6.3.1 Troubleshooting Dial-Based Local Authentication      6-9

6.3.2 Troubleshooting Dial-Based Server Authentication      6-10

6.3.3 Troubleshooting Dial-Based Local Authorization      6-13

6.3.4 Troubleshooting Dial-Based Server Authorization      6-15

6.3.5 Troubleshooting Router-Based Local Authentication      6-19

6.3.6 Troubleshooting Router-Based Server Authentication      6-21

6.3.7 Troubleshooting Router-Based Local Authorization      6-24

6.3.8 Troubleshooting Router-Based Server Authorization      6-26

6.4 Troubleshooting Scenarios      6-29

6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)      6-29

6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)      6-30

6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication)      6-31

6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)      6-33

6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)      6-34

6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)      6-35

6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)      6-36

appendix A

AAA Device Configuration Listings      A-1

A.1 Sample Cisco IOS Configuration Listings      A-1

A.1.1 Example Local-Based Router AAA Configuration      A-2

A.1.2 Example Server-Based TACACS+ NAS Configuration      A-5

A.1.3 Example Server-Based RADIUS NAS Configuration      A-9

A.2 Router AAA Command Implementation Descriptions      A-13

A.3 NAS AAA Command Implementation Descriptions      A-13

A.4 CiscoSecure for UNIX Configuration Listings      A-15

A.4.1 CSU.cfg Listing      A-16

A.4.2 CSConfig.ini Listing      A-19

A.4.3 Oracle User Environment Variable      A-23

A.4.4 listener.ora Listing      A-24

A.5 CiscoSecure Log Files      A-25

appendix B

AAA Impact on Maintenance Tasks      B-1

appendix C

Server-Based AAA Verification Diagnostic Output      C-1

C.1 Server-Based TACACS+ Dialup Authentication Diagnostics      C-1

C.2 Server-Based TACACS+ Dialup Authorization Diagnostics      C-2

C.3 Server-Based RADIUS Dialup Authentication Diagnostics      C-4

C.4 Server-Based RADIUS Dialup Authorization Diagnostics      C-5

C.5 Server-Based TACACS+ Router Authentication Diagnostics      C-7

C.6 Server-Based TACACS+ Router Authorization Diagnostics      C-9

C.6.1 Test Results for rtr_low Group      C-9

C.6.2 Test Results for rtr_tech Group      C-14

C.6.3 Test Results for rtr_super Group      C-20

index

Posted: Fri Jun 2 20:55:18 PDT 2000
Copyright 1989 - 2000 © Cisco Systems Inc.