A server-group is a list of server hosts of a particular type. Currently supported server host types are Remote Authentication Dial In User Service (RADIUS) server hosts and Terminal Access Controller Access Control System Plus (TACACS+) server hosts. A server-group is used in conjunction with a global server host list. The server-group lists the IP addresses of the selected server hosts. Figure 1 shows a typical AAA network configuration: R1 and R2 are RADIUS server hosts and T1 and T2 are TACACS+ server hosts.

The AAA server-group feature allows customers to define a distinct list of server hosts and apply this list to relevant applications (authentication, authorization, and accounting method lists). The feature is also backward compatible: configurations written for releases earlier than Cisco IOS Release 12.0(5)T, which select servers with the bare radius and tacacs+ method keywords, continue to work.
The AAA server-group feature works only when the server hosts in a group are the same type: RADIUS or TACACS+.
AAA is part of the core IOS, therefore the AAA server-group feature is supported on all platforms using Cisco IOS Release 12.0(5)T.
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
Perform the following tasks to configure AAA server-groups:
To define a server-group with a group name and add server hosts to it, use the following commands, beginning in global configuration mode. Every host listed in the group must already exist in the global server host list.
| Step | Command | Purpose |
|---|---|---|
| 1 | Router(config)# aaa new-model | Enables AAA globally. |
| 2 | Router(config)# radius-server host ip-address key string or Router(config)# tacacs-server host ip-address key string | Defines the IP address and shared key of each server host before the AAA server-group is configured. |
| 3 | Router(config)# aaa group server {radius \| tacacs+} group-name | Defines the AAA server-group with a group name and enters server-group configuration mode. |
| 4 | Router(config-sg-radius)# server ip-address or Router(config-sg-tacacs+)# server ip-address | Adds a host from the global list to the group. Hosts are tried in the order listed. |
After the server-group is defined with a group name, use the following commands to enable AAA authentication, AAA authorization, and AAA accounting against it:
| Command | Purpose |
|---|---|
| Router(config)# aaa authentication login {default \| list-name} group group-name | Creates a login authentication method list that uses the server-group. |
| Router(config-line)# login authentication {default \| list-name} | Applies the login authentication list to a line. |
| Router(config)# aaa authorization {network \| exec \| commands level \| reverse-access} {default \| list-name} group group-name | Creates an authorization method list that uses the server-group. |
| Router(config)# aaa accounting {system \| network \| exec \| connection \| commands level} {default \| list-name} {start-stop \| wait-start \| stop-only \| none} group group-name | Creates an accounting method list that uses the server-group. |
Embedded error messages will guide the user to configure the server-group feature correctly. Therefore, no verification steps are needed.
A server-group is uniquely identified by its name. It is important to select the correct server host type, because the method-list definition identifies the server host types by name.
A configuration example for a RADIUS AAA server-group is as follows (each listed host must already be defined with radius-server host):
Router(config)# aaa group server radius group-name
Router(config-sg-radius)# server 1.1.1.1
Router(config-sg-radius)# server 2.2.2.2
Router(config-sg-radius)# server 3.3.3.3
Router(config-sg-radius)# end
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 Security Command Reference.
To group server hosts into distinct lists that method lists can reference by name, use the aaa group server global configuration command. To remove a server-group from the configuration, use the no form of this command.
aaa group server {tacacs+ | radius} group-name
| Keyword or Argument | Description |
|---|---|
| tacacs+ | The group contains only TACACS+ server hosts. |
| radius | The group contains only RADIUS server hosts. |
| group-name | Character string used to name the group of servers. Method lists refer to the group by this name. |
No default behavior or values.
Global configuration
| Release | Modification |
|---|---|
12.0(5)T | This command was introduced. |
A server-group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server-group is used in conjunction with a global server host list. The server-group lists the IP addresses of the selected server hosts.
The following example configures an AAA server-group:
Router(config)# aaa group server radius group-name
Router(config-sg-radius)# server 1.1.1.1
Router(config-sg-radius)# server 2.2.2.2
Router(config-sg-radius)# server 3.3.3.3
Router(config-sg-radius)# end
| Command | Description |
|---|---|
aaa accounting | Enables AAA accounting of requested services for billing or security purposes when RADIUS or TACACS+ is used. |
aaa authentication login | Sets AAA authentication at login. |
aaa authorization | Sets parameters that restrict network access to a user. |
aaa new-model | Enables the AAA access control model. |
radius-server host | Specifies and defines the IP address of the RADIUS server host before configuring an AAA server-group. |
tacacs-server host | Specifies and defines the IP address of the TACACS+ server host before configuring an AAA server-group. |
To enable AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, use the aaa accounting global configuration command. To disable accounting, use the no form of this command.
aaa accounting {system | network | exec | connection | commands level} {default | list-name} {start-stop | wait-start | stop-only | none} [group group-name]
| Keyword or Argument | Description |
|---|---|
| system | Performs accounting for all system-level events not associated with users, such as reloads. |
| network | Runs accounting for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP NCPs, and AppleTalk Remote Access (ARA). |
| exec | Runs accounting for an EXEC session (user shell). This keyword could return user profile information such as autocommand information. |
| connection | Provides information about all outbound connections made from the network access server, such as Telnet, local-area transport (LAT), TN3270, packet assembler/disassembler (PAD), and rlogin. |
| commands | Runs accounting for all commands at the specified privilege level. |
| level | Specific command level to track for accounting. Valid entries are 0 through 15. |
| default | Uses the listed accounting methods that follow this argument as the default list of methods for accounting services. |
| list-name | Character string used to name the list of accounting methods. |
| start-stop | Sends a start accounting notice at the beginning of a requested process and a stop accounting notice at the end of the process. The start accounting record is sent in the background; the requested user process begins regardless of whether the start accounting notice was received by the accounting server. |
| wait-start | As in start-stop, sends both a start and a stop accounting notice to the accounting server. However, with wait-start the requested user service does not begin until the start accounting notice is acknowledged. |
| stop-only | Sends a stop accounting notice at the end of the requested user process. |
| none | Disables accounting services on the specified line or interface. |
| group | (Optional) Uses a server-group to provide the accounting service. |
| group-name | (Optional) radius, tacacs+, or the name of a server-group defined with the aaa group server command. |
AAA accounting is disabled. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Global configuration
| Release | Modification |
|---|---|
10.3 | This command was introduced. |
12.0(5)T | The group keyword was added. |
Use the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis. Method keywords are described in Table 1.
| Keyword | Description |
|---|---|
| group radius | Uses RADIUS (every RADIUS server host defined with radius-server host) to provide accounting services. |
| group tacacs+ | Uses TACACS+ (every TACACS+ server host defined with tacacs-server host) to provide accounting services. |
| group group-name | Uses the hosts in the named server-group, defined with aaa group server, to provide accounting services. |
Cisco IOS software supports two methods for accounting, RADIUS and TACACS+, selected with the group keyword.
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method identifies the method(s) tried in the given sequence.
Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for ARA, PPP, and SLIP (network) sessions, use the network keyword. To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times, use the exec keyword. To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, use the commands keyword. To create a method list to provide accounting information about all outbound connections made from the network access server, use the connection keyword.
For minimal accounting, include the stop-only keyword to send a stop accounting notice at the end of the requested user process. For more accounting, include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. For even more accounting control, include the wait-start keyword, which ensures that the start accounting notice is received by the RADIUS or TACACS+ server before the process request from the user is granted; with stop-only and start-stop the user process proceeds whether or not the accounting server is reachable, so wait-start is the only option that refuses service when accounting cannot be recorded. Accounting records are stored only on the RADIUS or TACACS+ server, not on the network access server. The none keyword disables accounting services for the specified line or interface.
When aaa accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Security Configuration Guide.
The following example defines a default commands accounting method list, where commands accounting services are provided by a TACACS+ security server, set for privilege level 15 commands with a stop-only restriction:
aaa accounting commands 15 default stop-only group tacacs+
| Command | Description |
|---|---|
| aaa authentication login | Sets AAA authentication at login. |
| aaa authorization | Sets parameters that restrict network access to a user. |
| aaa new-model | Enables the AAA access control model. |
To set AAA authentication at login, use the aaa authentication login global configuration command. To disable AAA authentication, use the no form of this command.
aaa authentication login {default | list-name} method1 [method2...]
| Keyword or Argument | Description |
|---|---|
| default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in. |
| list-name | Character string used to name the list of authentication methods activated when a user logs in. |
| method1 [method2...] | One or more of the AAA authentication methods described in Table 2, tried in the order given. |
| group | Uses a server-group as the authentication method. |
| group-name | radius, tacacs+, or the name of a server-group defined with the aaa group server command. |
If the default list is not set, only the local user database is checked, which has the same effect as the following command:
aaa authentication login default local
Global configuration
| Release | Modification |
|---|---|
10.3 | This command was introduced. |
12.0(5)T | The group keyword was added. |
The default and named lists that you create with the aaa authentication login command are applied to lines with the login authentication command.
Create a list by entering the aaa authentication login list-name method command, where list-name is any character string used to name this list (such as MIS-access) and method identifies the list of methods that the authentication algorithm tries, in the given sequence. Method keywords are described in Table 2.
To create a default list that is used when no named list is applied to a line, use the aaa authentication login command with the default keyword followed by the methods you want to use in default situations.
A later method in the list is tried only if the previous method returns an error (it could not be evaluated, for example because no server host in the group responded), not if it fails (it evaluated the credentials and rejected them). To ensure that authentication succeeds even if all methods return an error, specify none as the final method in the command line. Such a list is fail-open: whenever the earlier methods cannot be evaluated, the user is admitted without any check, so none should be a deliberate choice rather than a default.
If authentication is not specifically set for a line, the default is to deny access and no authentication is performed. To display the currently configured lists of authentication methods, use the more system:running-config command.
| Keyword | Description |
|---|---|
| enable | Uses the enable password for authentication. |
| krb5 | Uses Kerberos 5 for authentication. |
| line | Uses the line password for authentication. |
| local | Uses the local username database for authentication. |
| none | Uses no authentication. |
| group radius | Uses RADIUS authentication (every RADIUS server host defined with radius-server host). |
| group tacacs+ | Uses TACACS+ authentication (every TACACS+ server host defined with tacacs-server host). |
| group group-name | Uses the hosts in the named server-group, defined with aaa group server, for authentication. |
| krb5-telnet | Uses the Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router. |
The following example creates an AAA authentication list called MIS-access. Authentication first tries the TACACS+ server hosts. If no server responds, the method returns an error and AAA tries the enable password. If this attempt also returns an error (because no enable password is configured on the router), the user is allowed access with no authentication. Note that this list is fail-open: whenever the TACACS+ hosts are unreachable and no enable password is set, anyone can log in.
aaa authentication login MIS-access group tacacs+ enable none
The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication login default group tacacs+ enable none
The following example sets authentication at login to use the Kerberos 5 Telnet authentication protocol when Telnet is used to connect to the router:
aaa authentication login default krb5-telnet krb5
| Command | Description |
|---|---|
aaa authentication local-override | Configures the Cisco IOS software to check the local user database for authentication before attempting another form of authentication. |
aaa new-model | Enables the AAA access control model. |
login authentication | Enables AAA authentication for logins. |
To set parameters that restrict network access to a user, use the aaa authorization global configuration command. To disable authorization for a function, use the no form of this command.
aaa authorization {network | exec | commands level | reverse-access} {default | list-name} method1 [method2...]
| Keyword or Argument | Description |
|---|---|
| network | Runs authorization for all network-related service requests, including Serial Line Internet Protocol (SLIP), PPP, PPP NCPs, and AppleTalk Remote Access (ARA). |
| exec | Runs authorization to determine if the user is allowed to run an EXEC shell. This facility could return user profile information such as autocommand information. |
| commands | Runs authorization for all commands at the specified privilege level. |
| level | Specific command level that should be authorized. Valid entries are 0 through 15. |
| reverse-access | Runs authorization for reverse access connections, such as reverse Telnet. |
| default | Uses the listed authorization methods that follow this argument as the default list of methods for authorization. |
| list-name | Character string used to name the list of authorization methods. |
| method1 [method2...] | One or more of the AAA authorization methods listed in Table 3, tried in the order given. |
| group | Uses a server-group as the authorization method. |
| group-name | radius, tacacs+, or the name of a server-group defined with the aaa group server command. |
Authorization is disabled for all actions (equivalent to the method keyword none). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.
Global configuration
| Release | Modification |
|---|---|
10.3 | This command was introduced. |
12.0(5)T | The group keyword was added. |
Use the aaa authorization command to enable authorization and to create named method lists that define the authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be tried. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus providing a backup if the initial method cannot be reached. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method in the list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted. As with authentication, only a method that cannot respond is skipped; a method that answers with a denial ends the sequence.
Use the aaa authorization command to create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization method(s) tried in the given sequence. Method keywords are described in Table 3.
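The walk described here for authorization and, earlier on this page, for authentication (a method's error moves on to the next method, a method's failure stops the walk, none at the end of a list makes it fail-open, and hosts inside a server-group are tried in the order listed) can be traced with the small Python model below. It is an added illustration and not Cisco code: it speaks neither RADIUS nor TACACS+, and the group name, host addresses, user names and passwords in it are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Result(Enum):
    PASS = "pass"    # the method accepted the user
    FAIL = "fail"    # the method rejected the user: stop, deny
    ERROR = "error"  # the method could not decide: try the next method


# A host's decide() answers True/False for a credential pair; None stands
# for a host that never answers (timeout). Constructed for this example.
Decider = Optional[Callable[[str, str], bool]]


@dataclass
class Host:
    ip: str
    decide: Decider


@dataclass
class ServerGroup:
    name: str
    hosts: List[Host]
    answered_by: Optional[str] = None   # ip of the host that replied last

    def query(self, user: str, password: str) -> Result:
        self.answered_by = None
        for host in self.hosts:          # order as listed with 'server'
            if host.decide is None:
                continue                 # no response: try the next host
            self.answered_by = host.ip
            return Result.PASS if host.decide(user, password) else Result.FAIL
        return Result.ERROR              # no host in the group answered


@dataclass
class Router:
    groups: Dict[str, ServerGroup] = field(default_factory=dict)
    local_users: Dict[str, str] = field(default_factory=dict)
    enable_secret: Optional[str] = None

    def run_method(self, method: str, user: str, password: str) -> Result:
        if method == "none":
            return Result.PASS
        if method == "enable":
            if self.enable_secret is None:
                return Result.ERROR      # no enable password configured
            return Result.PASS if password == self.enable_secret else Result.FAIL
        if method == "local":
            if user not in self.local_users:
                return Result.ERROR      # modeled: unknown user, next method
            return Result.PASS if self.local_users[user] == password else Result.FAIL
        name = method.split()[-1]        # 'group tacacs+', 'group radius', 'group g1'
        if not method.startswith("group ") or name not in self.groups:
            raise ValueError(f"unknown method {method!r}")
        return self.groups[name].query(user, password)

    def authenticate(self, method_list: List[str], user: str,
                     password: str) -> Tuple[Result, List[Tuple[str, Result]]]:
        """Walk the list; return (verdict, [(method, result), ...])."""
        trace: List[Tuple[str, Result]] = []
        for method in method_list:
            result = self.run_method(method, user, password)
            trace.append((method, result))
            if result is not Result.ERROR:   # PASS or FAIL ends the walk
                return result, trace
        return Result.FAIL, trace            # every method errored: deny


def build_router(reachable: Tuple[bool, bool]) -> Router:
    """Constructed setup: two TACACS+ hosts that know only admin/s3cret,
    no enable password, and one local user."""
    def tacacs(user: str, password: str) -> bool:
        return (user, password) == ("admin", "s3cret")
    hosts = [Host("10.0.0.1", tacacs if reachable[0] else None),
             Host("10.0.0.2", tacacs if reachable[1] else None)]
    return Router(groups={"tacacs+": ServerGroup("tacacs+", hosts)},
                  local_users={"ops": "l0cal-pw"})


MIS_ACCESS = ["group tacacs+", "enable", "none"]   # the page's MIS-access list
FAIL_CLOSED = ["group tacacs+", "local"]           # same list without 'none'


def walk(method_list: List[str], reachable: Tuple[bool, bool],
         user: str, password: str):
    return build_router(reachable).authenticate(method_list, user, password)


def group_failover(reachable: Tuple[bool, bool]) -> Optional[str]:
    """Which host in the group actually answered for a valid admin login."""
    router = build_router(reachable)
    router.authenticate(["group tacacs+"], "admin", "s3cret")
    return router.groups["tacacs+"].answered_by


if __name__ == "__main__":
    for lst in (MIS_ACCESS, FAIL_CLOSED):
        for reach in ((True, True), (False, True), (False, False)):
            verdict, trace = walk(lst, reach, "intruder", "guess")
            print(lst, reach, verdict.value, [(m, r.value) for m, r in trace])
```

With both TACACS+ hosts down, MIS-access admits "intruder" after the trace group tacacs+ → error, enable → error, none → pass, whereas the list without none denies the same login; with only the first host down, the second host answers and the rejection from it is final.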
| Keyword | Description |
|---|---|
| if-authenticated | Allows the user to access the requested function if the user is authenticated. |
| none | No authorization is performed. |
| local | Uses the local username database for authorization. |
| group radius | Requests authorization information from RADIUS (every RADIUS server host defined with radius-server host). |
| group tacacs+ | Requests authorization information from TACACS+ (every TACACS+ server host defined with tacacs-server host). |
| group group-name | Requests authorization information from the hosts in the named server-group, defined with aaa group server. |
| krb5-instance | Uses the instance defined by the kerberos instance map command. |
Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization: network, exec, commands (per privilege level), and reverse-access.
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods will be performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS+ daemon as part of the authorization process. The daemon can accept the request as is, accept it with modified or additional attributes, or refuse it, in which case authorization is denied.
For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Security Configuration Guide.
The following example defines the network authorization method list named scoobee, which specifies that RADIUS authorization will be used on serial lines using PPP. If no RADIUS server responds, local network authorization is performed; a denial returned by RADIUS is final and local is not consulted.
aaa authorization network scoobee group radius local
| Command | Description |
|---|---|
| aaa accounting | Enables AAA accounting of requested services for billing or security purposes when RADIUS or TACACS+ is used. |
| aaa authentication login | Sets AAA authentication at login. |
| aaa new-model | Enables the AAA access control model. |
To configure the IP address of the RADIUS server, use the server AAA server-group command. To remove the IP address of the RADIUS server, use the no form of this command.
server ip-address
| Argument | Description |
|---|---|
| ip-address | IP address of the selected server. |
None
AAA server-group sub-mode.
| Release | Modification |
|---|---|
12.0(5)T | This command was introduced. |
Use the server command to specify the IP address of the RADIUS server. A matching radius-server host entry must also be configured in the global list. If there is no response from the first host entry, the next host entry will be tried.
The following example defines the RADIUS server hosts globally, places them in server-group g1, and uses the group for PPP authentication:
Router(config)# aaa new-model
Router(config)# radius-server host 1.0.0.1 auth-port 1000 acct-port 1001 ...
Router(config)# radius-server host 1.0.0.1 auth-port 1645 acct-port 1646 ...
Router(config)# radius-server host 2.0.0.1 auth-port 1645 acct-port 1646 ...
Router(config)# aaa group server radius g1
Router(config-sg-radius)# server 1.0.0.1
Router(config-sg-radius)# server 2.0.0.1
Router(config-sg-radius)# exit
Router(config)# aaa authentication ppp default group g1
| Command | Description |
|---|---|
| aaa new-model | Enables the AAA access control model. |
| aaa group server | Groups server hosts into distinct lists that method lists can reference by name. |
| radius-server host | Specifies and defines the IP address of the RADIUS server host before configuring an AAA server-group. |
AV pairs---attribute-value pairs.
NAS---network access server.
RADIUS---Remote Authentication Dial In User Service.
TACACS+---Terminal Access Controller Access Control System Plus.
Posted: Mon Jul 26 17:19:39 PDT 1999
Copyright 1989-1999©Cisco Systems Inc.