Cisco AAA Implementation Case Study
Implementing the Server-Based AAA Subsystem
Downloads: This chapterpdf (PDF - 285.0KB) The complete bookPDF (PDF - 1.74MB) | Feedback

Implementing the Server-Based AAA Subsystem

Table Of Contents

Implementing the Server-Based AAA Subsystem

4.1 Implementing Server-Based TACACS+ Dialup Authentication

4.2 Implementing Server-Based TACACS+ Dialup Authorization

4.3 Implementing Server-Based RADIUS Dialup Authentication

4.4 Implementing Server-Based RADIUS Dialup Authorization

4.5 Implementing Server-Based TACACS+ Router Authentication

4.6 Implementing Server-Based TACACS+ Router Authorization


Implementing the Server-Based AAA Subsystem


This chapter focuses on the following server-based AAA implementation topics:

4.1 Implementing Server-Based TACACS+ Dialup Authentication

4.2 Implementing Server-Based TACACS+ Dialup Authorization

4.3 Implementing Server-Based RADIUS Dialup Authentication

4.4 Implementing Server-Based RADIUS Dialup Authorization

4.5 Implementing Server-Based TACACS+ Router Authentication

4.6 Implementing Server-Based TACACS+ Router Authorization


Caution The example configuration fragments used throughout this chapter include IP addresses, passwords, authentication keys, and other variables that are specific to this case study. If you use these fragments as foundations for you own configurations, be sure that your specifications apply to your environment.


Note See Chapter 2, "Implementing the Local AAA Subsystem," for specifics of local AAA implementation. See "1.1 AAA Technology Summary," in Chapter 1 for brief definitions of authentication, authorization, and accounting as they relate to AAA security implementation.


Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based AAA components, including a AAA server and its associated AAA database.

Figure 4-1 Basic AAA Case Study Environment

4.1 Implementing Server-Based TACACS+ Dialup Authentication

The following section focuses on server-based dialup authentication configuration. In this context, server-based refers to actions dependent upon an external AAA server. These actions are described in a series of general steps along with related commands, server configurations, and diagnostic steps as appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.

Figure 4-2 Server-Based Dial Environment (TACACS+)

These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authentication on NAS.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Verify and troubleshoot authentication from the AAA server.

5. Verify and troubleshoot PPP authentication from the NAS.


Step 1 Configure TACACS+ server-based authentication on NAS.

Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with TACACS+:

aaa new-model
aaa authentication login default group tacacs+ 
aaa authentication ppp default if-needed group tacacs+ 
!
tacacs-server host 172.22.53.101 key ciscorules


Note See "A.3 NAS AAA Command Implementation Descriptions" in Appendix A, "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands.


Step 2 Configure a user profile in the database.

Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules -a 
'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp 
{\n }\n }\n'

Caution When entering AddProfile to create users or groups, it is possible to successfully create users or groups that have invalid database parameters that result in profile errors viewable in /var/log/csuslog.

Step 3 Verify the AAA server-based user configuration.

Enter this server command to view the AAA server-based user configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial

user = tac_dial{
profile_id = 23
profile_cycle = 1
password = pap "********"
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}

}              

Step 4 Verify and troubleshoot authentication from the AAA server.

Enter the tail command:.

<CSUserver>$tail -f /var/log/csuslog


Note See "C.1 Server-Based TACACS+ Dialup Authentication Diagnostics" for a description of relevant diagnostic output.


Step 5 Verify and troubleshoot PPP authentication from the NAS.

Enter the debug aaa authentication and debug ppp authentication commands to confirm authentication from the NAS perspective.


Note See "C.1 Server-Based TACACS+ Dialup Authentication Diagnostics" for relevant diagnostic output.



4.2 Implementing Server-Based TACACS+ Dialup Authorization

This section focuses on implementing of server-based dialup authorization and presents applicable configuration segments, server commands and file listings, and diagnostic steps.

These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authorization on the NAS.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.

5. Verify and troubleshoot shell-initiated PPP authorization on the NAS.


Step 1 Configure TACACS+ server-based authorization on the NAS.

Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authorization with TACACS+:

aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default if-needed group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
!
tacacs-server host x.x.x.x key ciscorules


Note See "A.3 NAS AAA Command Implementation Descriptions" in Appendix A, "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands.


Step 2 Configure a user profile in the database.

Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules -pw 
pap,ciscorules -a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n 
set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'

Step 3 Verify the AAA server-based user configuration.

Enter this UNIX server command to view the AAA server-based user configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest

An example of a ViewProfile output of the user profile looks like this:

User Profile Information
user = dialtest{
profile_id = 25
profile_cycle = 1
password = pap "********"
service=shell {
default_cmd=permit
}
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}

}                            

Step 4 Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.

Enter the following UNIX server command to confirm that the authorization is operating correctly:

<CSUServer>$tail -f /var/log/csuslog


Note See "C.2 Server-Based TACACS+ Dialup Authorization Diagnostics."


Step 5 Verify and troubleshoot shell-initiated PPP authorization on the NAS.

Enter the debug aaa authorization command to verify server-based authorization is operating correctly for dial access.


Note See "C.2 Server-Based TACACS+ Dialup Authorization Diagnostics."



4.3 Implementing Server-Based RADIUS Dialup Authentication

This section focuses on the configuration of server-based, RADIUS dialup authentication configuration. In this context, server-based refers to actions that depend on an external AAA server. Figure 4-3 illustrates a simplified server-based dial environment.

These steps help you to accomplish the following tasks:

1. Configure RADIUS server-based authentication on access server.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.

Figure 4-3 Server-Based Dial Environment (RADIUS)


Step 1 Configure RADIUS server-based authentication on access server.

Include the following Cisco IOS configuration commands in your configuration to enforce server-based dial access authentication control with RADIUS:


aaa new-model
aaa authentication login default group radius 
aaa authentication ppp default if-needed group radius 
!
interface Group-Async1
 ip unnumbered Loopback0
 no ip directed-broadcast
 encapsulation ppp
 ip tcp header-compression passive
 no logging event link-status
 dialer in-band
 dialer idle-timeout 900
 async mode interactive
 no snmp trap link-status
 peer default ip address pool default
 no fair-queue
 no cdp enable
 ppp max-bad-auth 3
 ppp authentication pap chap
 group-range 1 48
!
line 1 48
 exec-timeout 48 0
 autoselect during-login
 autoselect ppp
 absolute-timeout 240
 modem InOut
 modem autoconfigure type mica
 transport preferred telnet
 transport input all
 transport output lat pad telnet rlogin udptn v120 lapb-ta

radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules

Note See "A.3 NAS AAA Command Implementation Descriptions" in Appendix A, "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands.


Step 2 Configure a user profile in the database.

a. Create a RADIUS NAS configuration by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a 
'NASName="172.22.53.105"\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary
="DICTIONARY.Cisco"\n }\n'

b. Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules  
-a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'

Description of attributes specified in AddProfile configuration:

6=2 (meaning Framed-Protocol=ppp)

7=1 [meaning User-Service-Type (Framed-User)]

Step 3 Verify the AAA server-based user configuration.

a. Enter this server command to view the AAA server-based NAS configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105
User Profile Information
user = NAS.172.22.53.105{
profile_id = 76 
profile_cycle = 1 
NASName="172.22.53.105" {
SharedSecret="ciscorules"
RadiusVendor="Cisco"
Dictionary="DICTIONARY.Cisco"
} 
 
}

b. Enter this command to verify the AAA server user configuration:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62 
profile_cycle = 1 
password = pap "********" 
radius=Cisco {
reply_attributes= {
6=2
7=1
} 
} 
 
}

Step 4 Enter the debug aaa authentication and debug ppp authorization commands to confirm authentication from NAS perspective.


Note See "C.3 Server-Based RADIUS Dialup Authentication Diagnostics."



4.4 Implementing Server-Based RADIUS Dialup Authorization

These steps help you to accomplish the following tasks:

1. Configure RADIUS server-based authorization on the NAS.

2. Configure a user profile in the database.

3. Verify the AAA server-based user configuration.

4. Verify and troubleshoot RADIUS network authorization on the NAS.

5. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.


Step 1 Configure RADIUS server-based authorization on the NAS.

Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS authorization assigning access-list 110 to the user, rad_dial:

aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius if-authenticated
!
radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
!
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 deny   tcp any any

Note See "A.3 NAS AAA Command Implementation Descriptions" in Appendix A, "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands.


Step 2 Configure a user profile in the database.

Create a user in the AAA server by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules  -a 
'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n'

Step 3 Verify the AAA server-based user configuration.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
9,1="ip:inacl=110"
}
}

}

Note The Cisco AVP inacl=110 is included to enable an input access-list.



Step 4 Verify and troubleshoot RADIUS network authorization on the NAS.

Enter the debug aaa authorization command to verify dial access server-based authorization is operating correctly for dial access.


Note See "C.4 Server-Based RADIUS Dialup Authorization Diagnostics."


Step 5 Verify that access-list 110 is assigned to user rad_dial with the show caller user command.


Note See "C.4 Server-Based RADIUS Dialup Authorization Diagnostics."



4.5 Implementing Server-Based TACACS+ Router Authentication

This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for a router.

These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authentication on the router.

2. Configure and verify the group rtr_basic:

3. Create the member rtr_test and assign this user to group rtr_basic.

4. Verify user rtr_test.

5. Log in to the router and verify proper authentication.

Figure 4-4 Server-Based VTY Access (Telnet)


Step 1 Configure TACACS+ server-based authentication on the router.

Include the following Cisco IOS configuration commands in your configuration to enforce AAA server-based command authorization on a router (excluding the console port):


aaa new-model
aaa authentication login default group tacacs+ 
aaa authentication login NO_AUTHENT none

!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
 login authentication NO_AUTHENT

Note See "A.2 Router AAA Command Implementation Descriptions" in Appendix A, "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands.


Step 2 Configure and verify the group rtr_basic:

a. Create the group rtr_basic by entering the following AddProfile command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a 
'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added

b. Verify the group rtr_basic by entering the ViewProfile command

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}

}

Step 3 Create the member rtr_test and assign this user to group rtr_basic.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr 
rtr_basic
Profile Successfully Added

Step 4 Verify user rtr_test.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test
User Profile Information
user = rtr_test{
profile_id = 66
profile_cycle = 1
member = rtr_basic
password = des "********"
}

Step 5 Log in to the router and verify proper authentication.

Enter the login command to access the router command interface and monitor the output of debug aaa authentication from a separate shell session. Monitor the output of the AAA server by consulting the csuslog file using the tail command.


Note See "C.5 Server-Based TACACS+ Router Authentication Diagnostics."



4.6 Implementing Server-Based TACACS+ Router Authorization

The following examples, including authorization-related IOS command listings and AAA server profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups are created with low (rtr_low), medium (rtr_tech), and high (rtr_super) access. The default_cmd AVP (defined in the AAA server profile) is used to control access to privilege level 15 commands. In this case, privilege level 15 is the highest level of command access privilege allowed and is reserved for super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated with each of the administrative groups defined in this section.

Table 4-1 Group Profile Command Summary

 
Group
Cisco IOS Command
rtr_super
rtr_tech
rtr_low

debug all

Denied

Denied

Denied

debug *

Permitted

Permitted

Denied

clear *

Permitted

Permitted

Denied

reload

Permitted

Denied

Denied

show running-config
write terminal

Permitted

Denied

Denied

copy running-config startup-config
write memory

Permitted

Permitted

Denied

configure terminal

Permitted

Denied

Denied


Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization between a router and an AAA server. Troubleshooting and verifying is divided into three stages: authentication, EXEC authorization and command authorization. Each stage is accompanied by information particular to that stage:

Cisco IOS Configuration Fragments (on left)

Troubleshooting and verification methods for the router and AAA server (on right)

Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology

These steps help you to accomplish the following tasks:

1. Configure TACACS+ server-based authorization from the console port on the router.

2. Configure, verify, and test operation of the AAA server group rtr_low.

3. Configure, verify, and test operation of the AAA server group rtr_tech.

4. Configure, verify, and test operation of AAA server Group rtr_super.


Note Some versions of boot ROMs do not recognize all AAA commands. Be sure to disable AAA authentication and authorization before changing to boot ROM mode. For configuration notes regarding disabling AAA to access boot ROM mode, see "AAA Impact on Maintenance Tasks."



Step 1 Configure TACACS+ server-based authorization from the console port on the router.

Include the following Cisco IOS configuration commands in your configuration to enforce router-based security with TACACS+:

aaa new-model
aaa authentication login default group tacacs+ 
aaa authentication login NO_AUTHENT none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization exec default group tacacs+
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT


Note See "A.2 Router AAA Command Implementation Descriptions" in Appendix A, "AAA Device Configuration Listings" for notes regarding key Cisco IOS AAA commands.


Step 2 Configure, verify, and test operation of the AAA server group rtr_low.

The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the requirements specified in Table 4-1:

a. Create the group rtr_low.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a 
'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added

b. Verify the group rtr_low.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}

}

c. Create the member rtr_dweeb and assign this user to group rtr_low.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw 
des,ciscorules
Profile Successfully Added

d. Verify the user rtr_dweeb.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb
User Profile Information
user = rtr_dweeb{
profile_id = 66
profile_cycle = 1
member = rtr_low
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:

Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.

Log in to the router by using a new terminal window with the rtr_dweeb account and enter the commands shown in Table 4-1.

From the AAA server, enter the following command to obtain the matching csuslog content:

<CSUserver>$tail -f /var/log/csuslog

Note See "C.6 Server-Based TACACS+ Router Authorization Diagnostics."



Step 3 Configure, verify, and test operation of the AAA server group rtr_tech.

The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the requirements specified in Table 4-1:

a. Create the group rtr_tech.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell 
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny 
all\n}\ncmd=configure{\ndeny .*}\n}\n'

b. Verify the group rtr_tech.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech
Group Profile Information
group = rtr_tech{
profile_id = 47
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
cmd=reload {
deny all
}
cmd=configure {
deny .*
}
}

}

c. Create the member rtr_techie and assign this user to group rtr_tech.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw 
des,ciscorules
Profile Successfully Added

d. Verify the user rtr_techie.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie
User Profile Information
user = rtr_techie{
profile_id = 39
profile_cycle = 1
member = rtr_tech
password = des "********"
}

e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:

Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.

Log in to the router by using a new terminal window with the rtr_techie account and enter the commands shown in Table 4-1.

From the AAA server, enter the following command to obtain the matching csuslog content:

<CSUserver>$tail -f /var/log/csuslog

Note See "C.6 Server-Based TACACS+ Router Authorization Diagnostics."


Step 4 Configure, verify, and test operation of AAA server Group rtr_super.

The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with the requirements specified in Table 4-1:

a. Create the group rtr_super.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell 
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n'
Profile Successfully Added

b. Verify the group rtr_super.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super
Group Profile Information
group = rtr_super{
profile_id = 40
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
}

}

c. Create the member rtr_geek and assign this user to group rtr_super.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek  -pr rtr_super -pw 
des,ciscorules
Profile Successfully

d. Verify the user rtr_geek.

Enter the following command:

<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek
User Profile Information
user = rtr_geek{
profile_id = 45
profile_cycle = 1
member = rtr_super
password = des "********"
} 

e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:

Simultaneously monitor the output of debug aaa authorization from a console shell session and the AAA server csuslog file.

Log in to the router by using a new terminal window with the rtr_geek account and enter the commands shown in Table 4-1.

From the AAA server, enter the following command to obtain the matching csuslog content:

<CSUserver>$tail -f /var/log/csuslog

Note See "C.6 Server-Based TACACS+ Router Authorization Diagnostics."