|
|
Authentication, Authorization, and Accounting (AAA)--Suite of network security services that provide the primary framework through which access control can be set up on your Cisco router or access server.
Network access server (NAS)--A Cisco access server or any other Cisco device that is acting as a client to the AAA server.
This feature is supported on all Cisco IOS platforms.
No RFCs or MIBs are supported by this feature.
This section explains the details of named authorization and accounting method lists.
Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.
Cisco IOS software supports the following six methods for authorization:
Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization:
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.
Like authentication and authorization method lists, method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for accounting services.
Cisco IOS software supports the following two methods for accounting:
Accounting method lists are specific to the type of accounting being requested. AAA supports five different types of accounting:
Once again, when you create a named method list, you are defining a particular list of accounting methods for the indicated accounting type.
Accounting method lists must be applied to specific lines or interfaces before any of the defined methods will be performed. The only exception is the default method list (which is named "default"). If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
The following sections describe how to define and apply named method lists:
To configure AAA authorization using named method lists, perform the following tasks beginning in global configuration mode:
| Task | Command |
|---|---|
| Create an authorization method list for a particular authorization type and enable authorization. | aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method1 [method2...] ] |
| Enter the line configuration mode for the lines to which you want to apply the authorization method list.
or Enter the interface configuration mode for the interfaces to which you want to apply the authorization method list. | line [aux | console | tty | vty] line-number [ending-line-number]
interface interface-type interface-number |
| Apply the authorization list to a line or set of lines. or Apply the authorization list to an interface or set of interfaces. | authorization {arap | commands level | exec | reverse-access} {default | list-name}
ppp authorization {default | list-name} |
Named authorization method lists are specific to the indicated type of authorization. To create a method list to enable authorization for all network-related service requests (including SLIP, PPP, PPP NCPs, and ARA protocols), use the network keyword.
To create a method list to enable authorization to determine if a user is allowed to run an EXEC shell, use the exec keyword.
To create a method list to enable authorization for specific, individual EXEC commands associated with a specific privilege level, use the commands keyword. (This allows you to authorize all commands associated with a specified command level from 0 to 15.)
To create a method list to enable authorization for reverse Telnet functions, use the reverse-access keyword.
For information about the four types of authorization supported by the Cisco IOS software, refer to the "Configuring Authorization" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
To have the network access server request authorization information via a TACACS+ security server, use the aaa authorization command with the tacacs+ method keyword. For more specific information about configuring authorization using a TACACS+ security server, refer to the "Configuring TACACS+" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
To allow users to have access to the functions they request as long as they have been authenticated, use the aaa authorization {type} command with the if-authenticated method keyword. If you select this method, all requested functions are automatically granted to authenticated users.
There may be times when you do not want to run authorization from a particular interface or line. To stop authorization activities on designated lines or interfaces, use the none method keyword.
To select local authorization, which means that the router or access server consults its local user database to determine the functions a user is permitted, use the local method keyword. The functions associated with local authorization are defined by using the username global configuration command. For a list of permitted functions, refer to the "Configuring Authentication" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
To have the NAS request authorization via a RADIUS security server, use the radius method keyword. For more specific information about configuring authorization using a RADIUS security server, refer to the "Configuring RADIUS" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
To run authorization to determine if a user is allowed to run an EXEC shell at a specific privilege level based on a mapped Kerberos instance, use the krb5-instance method keyword. For more information, refer to the "Enable Kerberos Instance Mapping" section of the "Configuring Kerberos" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
To configure AAA accounting using named method lists, perform the following tasks beginning in global configuration mode:
| Task | Command |
|---|---|
| Create an accounting method list and enable accounting. | aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [method1 [method2...] ] |
| Enter the line configuration mode for the lines to which you want to apply the accounting method list.
or Enter the interface configuration mode for the interfaces to which you want to apply the accounting method list. | line [aux | console | tty | vty] line-number [ending-line-number]
interface interface-type interface-number |
| Apply the accounting method list to a line or set of lines. or Apply the accounting method list to an interface or set of interfaces. | accounting {arap | exec | connection | commands level} {default | list-name}
ppp accounting {default | list-name} |
Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for ARAP (network) sessions, use the arap keyword.
To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword.
To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword.
To create a method list to provide accounting information about all outbound connections made from the network access server, use the connection keyword.
System accounting does not support named method lists.
For minimal accounting, use the stop-only keyword, which instructs the specified method (RADIUS or TACACS+) to send a stop record accounting notice at the end of the requested user process. For more accounting information, use the start-stop keyword to send a start accounting notice at the beginning of the requested event and a stop accounting notice at the end of the event. You can further control access and accounting by using the wait-start keyword, which ensures that the RADIUS or TACACS+ security server acknowledges the start notice before granting the user's process request. To stop all accounting activities on this line or interface, use the none keyword.
For more information, refer to the "Configuring Accounting" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
To have the NAS send accounting information from a TACACS+ security server, use the tacacs+ method keyword. For more specific information about configuring TACACS+ for accounting services, refer to the "Configuring TACACS+" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
To have the NAS send accounting information from a RADIUS security server, use the radius method keyword. For more specific information about configuring RADIUS for accounting services, refer to the "Configuring RADIUS" chapter in the Cisco IOS Release 11.3 Security Configuration Guide.
aaa new-model aaa authentication login admins local aaa authentication ppp dialins radius local aaa authorization network scoobee radius local aaa accounting network charley start-stop radius username root password ALongPassword radius-server host alcatraz radius-server key myRaDiUSpassWoRd interface group-async 1 group-range 1 16 encapsulation ppp ppp authentication chap dialins ppp authorization scoobee ppp accounting charley line 1 16 autoselect ppp autoselect during-login login authentication admins modem dialin
The lines in this sample RADIUS AAA configuration are defined as follows:
This section documents the following new and modified commands:
All other commands used with this feature are documented in the Cisco IOS Release 11.3 command references.
To enable AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting global configuration command. Use the no form of this command to disable accounting.
aaa accounting {system | network | exec | connection | commands level} {default | list-name}| system | Performs accounting for all system-level events not associated with users, such as reloads. |
| network | Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP. |
| exec | Runs accounting for EXEC session (user shells). This keyword might return user profile information such as autocommand information. |
| connection | Provides information about all outbound connections made from the NAS, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin. |
| commands | Runs accounting for all commands at the specified privilege level. |
| level | Specific command level to track for accounting. Valid entries are 0 through 15. |
| default | Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. |
| list-name | Character string used to name the following list of accounting methods. |
| start-stop | Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting notice was received by the accounting server. |
| wait-start | As in start-stop, sends both a start and a stop accounting notice to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting notice is acknowledged. A stop accounting notice is also sent. |
| stop-only | Sends a stop accounting notice at the end of the requested user process. |
| none | Disables accounting services on this line or interface. |
| method | At least one of the keywords described in Table 1. |
AAA accounting is disabled. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Global configuration
This command first appeared in Cisco IOS Release 10.3.
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis. Method keywords are described in Table 1.
| Keyword | Description |
|---|---|
| radius | Uses RADIUS to provide accounting service. |
| tacacs+ | Uses TACACS+ to provide accounting services. |
Cisco IOS software supports the following two methods for accounting:
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as radius or tacacs+) and method identifies the method(s) tried in the given sequence.
Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for ARAP (network) sessions, use the arap keyword. To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, start and stop times, use the exec keyword. To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword. To create a method list to provide accounting information about all outbound connections made from the network access server, use the connection keyword.
For minimal accounting, include the stop-only keyword to send a stop record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. For even more accounting control, you can include the wait-start keyword, which ensures that the start notice is received by the RADIUS or TACACS+ server before granting the user's process request. Accounting is done only to the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When aaa accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the "RADIUS Attributes" appendix in the Cisco IOS Release 11.3 Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ AV Pairs" appendix in the Cisco IOS Release 11.3 Security Configuration Guide.
In the following example, a default commands accounting method list is defined, where commands accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only tacacs+
aaa authentication
aaa authorization
aaa new-model
Use the aaa authorization global configuration command to set parameters that restrict a user's network access. Use the no form of this command to disable authorization for a function.
aaa authorization {network | exec | commands level | reverse-access} {default | list-name} [method1 [method2...] ]| network | Runs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol. |
| exec | Runs authorization to determine if the user is allowed to run an EXEC shell. This facility might return user profile information such as autocommand information. |
| commands | Runs authorization for all commands at the specified privilege level. |
| level | Specific command level that should be authorized. Valid entries are 0 through 15. |
| reverse-access | Runs authorization for reverse access connections, such as reverse Telnet. |
| default | Uses the listed authorization methods that follow this argument as the default list of methods for authorization. |
| list-name | Character string used to name the following list of authorization methods. |
| method | One of the keywords listed in Table 2. |
Authorization is disabled for all actions (equivalent to the method keyword none). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.
Global configuration
This command first appeared in Cisco IOS Release 10.0.
Use the aaa authorization command to enable authorization and to create named methods lists, defining authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.
Use the aaa authorization command to create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization method(s) tried in the given sequence.
Method keywords are described in Table 2.
| Keyword | Description |
|---|---|
| tacacs+ | Requests authorization information from the TACACS+ server. |
| if-authenticated | Allows the user to access the requested function if the user is authenticated. |
| none | No authorization is performed. |
| local | Uses the local database for authorization. |
| radius | Uses RADIUS to get authorization information. |
| krb5-instance | Uses the instance defined by the kerberos instance map command. |
Cisco IOS software supports the following six methods for authorization:
Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization:
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS daemon as part of the authorization process. The daemon can do one of the following:
For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Cisco IOS Release 11.3 Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ AV Pairs" appendix in the Cisco IOS Release 11.3 Security Configuration Guide.
The following example defines the network authorization method list named scoobee, which specifies that RADIUS authorization will be used on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization will be performed
aaa authorization network scoobee radius local
aaa accounting
aaa authentication
aaa new-model
To enable AAA accounting services to a specific line or group of lines, use the accounting line configuration command. Use the no form of this command to disable this feature.
accounting {arap | commands level | connection | exec} [default | list-name]| arap | Enables accounting on line(s) configured for Appletalk Remote Access protocol (ARAP). |
| commands | Enables accounting on the selected line(s) for all commands at the specified privilege level. |
| level | Specifies the command level to track for accounting. Valid entries are 0 through 15. |
| connection | Enables both CHAP and PAP, and performs PAP authentication before CHAP. |
| exec | Enables accounting for all system-level events not associated with users, such as reloads on the selected line(s). |
| default | The name of the default method list, created with the aaa accounting command. |
| list-name | (Optional) Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command. |
Accounting is disabled.
Line configuration
This command first appeared in Cisco IOS Release 11.3T.
After you enable the aaa accounting command and define a named accounting method list (or use the default method list) for a particular type of accounting, you must apply the defined lists to the appropriate lines for accounting services to take place. Use the accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.
The following example enables command accounting services (for level 15) using the accounting method list named charlie on line 10:
line 10 accounting commands 15 charlie
arap authentication
authorization
login authentication
nasi authentication
To enable AAA authorization to a specific line or group of lines, use the authorization line configuration command. Use the no form of this command to disable this feature.
authorization {arap | commands level | exec | reverse-access} [default | list-name]| arap | Enables authorization for line(s) configured for AppleTalk Remote Access Protocol (ARAP). |
| commands | Enables authorization on the selected line(s) for all commands at the specified privilege level. |
| level | Specific command level to be authorized. Valid entries are 0 through 15. |
| exec | Enables authorization to determine if the user is allowed to run an EXEC shell on the selected line(s). |
| reverse-access | Enables authorization to determine if the user is allowed reverse access privileges. |
| default | The name of the default method list, created with the aaa authorization command. |
| list-name | Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command. |
Authorization is not enabled.
Line configuration
This command first appeared in Cisco IOS Release 11.3T.
After you enable the aaa authorization command and define a named authorization method list (or use the default method list) for a a particular type of authorization, you must apply the defined lists to the appropriate lines for authorization to take place. Use the authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected line or group of lines.
The following example enables command authorization (for level 15) using the method list named charlie on line 10:
line 10 authorization commands 15 charlie
accounting
arap authentication
login authentication
nasi authentication
To enable AAA accounting services on the selected interface, use the ppp accounting interface configuration command. Use the no form of this command to disable this feature.
ppp accounting [default | list-name]]| default | The name of the method list is created with the aaa accounting command. |
| list-name | Specifies the name of a list of accounting methods to use. If no list name is specified, the system uses the default. The list is created with the aaa accounting command. |
Accounting is disabled.
Interface configuration
This command first appeared in Cisco IOS Release 11.3T.
After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie:
interface async 4 encapsulation ppp ppp accounting charlie
aaa accounting
To enable AAA authorization on the selected interface, use the ppp authorization interface configuration command. Use the no form of this command to disable this feature.
ppp authorization [default | list-name]| default | The name of the method list is created with the aaa authorization command. |
| list-name | (Optional) Specifies the name of a list of authorization methods to use. If no list name is specified, the system uses the default. The list is created with the aaa authorization command. |
Authorization is disabled.
Interface configuration
This command first appeared in Cisco IOS Release 11.3T.
After you enable the aaa authorization command and define a named authorization method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for authorization to take place. Use the ppp authorization command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
The following example enables authorization on asynchronous interface 4 and uses the method list named charlie:
interface async 4 encapsulation ppp ppp authorization charlie
aaa authorization
|
|