Cisco Router and Security Device Manager 2.5 User Guide
Authentication, Authorization, and Accounting

Table Of Contents

Authentication, Authorization, and Accounting

Configuring AAA

AAA Screen Reference

AAA Root Screen

AAA Servers and Server Groups

AAA Servers

Add or Edit a TACACS+ Server

Add or Edit a RADIUS Server

Edit Global Settings

AAA Server Groups

Add or Edit AAA Server Group

Authentication and Authorization Policies

Authentication and Authorization

Authentication NAC

Authentication 802.1x

Add or Edit a Method List for Authentication or Authorization


Authentication, Authorization, and Accounting


Cisco IOS Authentication, Authorization, and Accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent manner. AAA provides a modular way of performing authentication, authorization, and accounting services.

Cisco IOS AAA provides the following benefits:

Increased flexibility and control

Scalability

Standardized authentication methods. Cisco SDM enables you to configure the Remote Authentication Dial-In User Service (RADIUS) and the Terminal Access Controller Access Control System Plus (TACACS+) authentication methods.

This chapter contains the following sections:

Configuring AAA

AAA Screen Reference

Configuring AAA

To configure AAA, complete the following steps:


Step 1 If you want to review the IOS CLI commands that you send to the router when you complete the configuration, go to the Cisco SDM toolbar, and click Edit > Preferences > Preview commands before delivering to router. The preview screen allows you to cancel the configuration if you want to.

Step 2 In the Cisco SDM toolbar, click Configure.

Step 3 In the Cisco SDM taskbar, click Additional Tasks.

Step 4 In the Additional Tasks tree, click AAA.

Step 5 In the AAA screen, click Enable AAA. This enables AAA on the router.

Step 6 Click + (the plus sign) next to the AAA folder to display other AAA branches.

Step 7 Click the branch for the type of configuration you need to perform.

Step 8 In the displayed AAA screen, click Add to create a configuration, or select an existing entry in the screen, and click Edit to change configuration settings.

Step 9 Make configuration settings in the displayed dialogs, and click OK to send the configuration to the router. If you checked Preview commands before delivering to router in the Edit Preferences screen, the Cisco IOS CLI commands that you are sending are displayed. Click OK to send the configuration to the router, or click Cancel to discard it.


AAA Screen Reference

The topics in this section describe the AAA configuration screens:

AAA Root Screen

AAA Servers and Server Groups

AAA Servers

Add or Edit a TACACS+ Server

Add or Edit a RADIUS Server

AAA Server Groups

Add or Edit AAA Server Group

Authentication and Authorization Policies

Authentication and Authorization

Authentication NAC

Authentication 802.1x

Add or Edit a Method List for Authentication or Authorization

AAA Root Screen

This screen is located at the top level of the AAA tree. It provides a summary view of the AAA configuration on the router. To view more detailed information or to edit the AAA configuration, click the appropriate node on the AAA tree.

Field Reference

Table 35-1 describes the fields in this screen.

Table 35-1 AAA Main Screen Fields

Element
Description

Enable AAA

Disable AAA

If AAA is enabled, the button name is Disable AAA. If AAA is disabled, the button name is Enable AAA.

AAA is enabled by default. If you click Disable AAA, Cisco SDM displays a message telling you that it will make configuration changes to ensure that the router can be accessed. Disabling AAA will prevent you from configuring your router as an Easy VPN server, and will prevent you from associating user accounts with command line interface (CLI) views.

AAA Servers and Groups

This read-only field displays a count of the AAA servers and server groups. The router relays authentication, authorization, and accounting requests to AAA servers. AAA servers are organized into groups to provide the router with alternate servers to contact if the first server contacted is not available.

Authentication Policies

This read-only field lists configured authentication policies. Authentication policies define how users are identified. To edit authentication policies, click the Login sub-node under Authentication Policies in the AAA tree.

Authorization Policies

This read-only field lists configured authorization policies. Authorization policies define the methods that are used to permit or deny a user login. To edit authorization policies, click Authorization Policies in the AAA tree.

To edit authorization policies (Exec Authorization and Network Authorization), click the Exec and Network sub-nodes respectively under the Authorization Policies node in the AAA tree.


AAA Servers and Server Groups

This window provides a description of AAA servers and AAA server groups.

To display the AAA Servers window, click the AAA Servers branch.

To display the AAA Server Groups window, click the AAA Server Groups branch.

AAA Servers

This window lets you view a snapshot of the information about the AAA servers that the router is configured to use. The IP address, server type, and other parameters are displayed for each server.

Field Reference

Table 35-2 describes the fields in this screen.

Table 35-2 AAA Servers Fields

Element
Description

Global Settings

Click Global Settings to make global settings for TACACS+ and RADIUS servers. In the Edit Global Settings window, you can specify how long to attempt contact with an AAA server before going on to the next server, the key to use when contacting TACACS+ or RADIUS servers, and the interface on which TACACS+ or RADIUS packets will be received. These settings will apply to all servers for which server-specific settings have not been made.

Add

Click Add to add a TACACS+ or a RADIUS server to the list.

Edit

Click Edit to edit the information for the selected AAA server.

Delete

Click Delete to delete the information for the selected AAA server.

Server IP

The IP address of the AAA server.

Parameters

This column lists the timeout, key, and other parameters for each server.


Add or Edit a TACACS+ Server

Add or edit information for a TACACS+ server in this window.

Field Reference

Table 35-3 describes the fields in this screen.

Table 35-3 Add or Edit a TACACS+ Server Fields

Element
Description

Server IP or Host

Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address.

Single Connection to Server

Check this box if you want the router to maintain a single open connection to the TACACS+ server, rather than opening and closing a TCP connection each time it communicates with the server. A single open connection is more efficient because it allows the TACACS+ server to handle a higher number of TACACS+ operations.

Note This option is supported only if the TACACS+ server is running CiscoSecure version 1.0.1 or later.

Server-specific setup

Check Server-specific setup if you want to override AAA server global settings, and specify a server-specific timeout value and encryption key. You can make the following settings:

Timeout (seconds)—Enter the number of seconds that the router should attempt to contact this server before going on to the next server in the group list. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

Configure Key—Optional. Enter the key to use to encrypt traffic between the router and this server. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

New Key/Confirm Key—Enter the key and reenter it for confirmation.


Add or Edit a RADIUS Server

Add or edit information for a RADIUS server in this window.

Field Reference

Table 35-4 describes the fields in this screen.

Table 35-4 Add or Edit a RADIUS Server Fields

Element
Description

Server IP or Host

Enter the IP address or the host name of the server. If the router has not been configured to use a Domain Name Service (DNS) server, enter an IP address.

Authorization Port

Specify the server port to use for authorization requests. The default is 1645.

Accounting Port

Specify the server port to use for accounting requests. The default is 1646.

Timeout in seconds

Optional. Enter the number of seconds that the router should attempt to contact this server before going on to the next server in the group list. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

Configure Key

Optional. Enter the key to use to encrypt traffic between the router and this server. If you do not enter a value, the router will use the value configured in the AAA Servers Global Settings window.

New Key and Confirm Key—Enter the key and reenter it for confirmation.


Edit Global Settings

In this window you can specify communication settings that apply to all communication between the router and its AAA servers. Any communication settings made for a specific server override the settings made in this window.

Field Reference

Table 35-5 describes the fields in this screen.

Table 35-5 Global Settings Fields

Element
Description

TACACS+ Server

RADIUS Server

Click the appropriate button to specify the server type for which you are setting global parameters. If you select TACACS+ Server, the parameters will apply to all communication with TACACS+ servers that do not have server specific parameters set. If you select RADIUS Server, the parameters will apply to all communication with RADIUS servers that do not have server specific parameters set.

Timeout (seconds)

Enter the number of seconds to wait for a response from the RADIUS or TACACS+ server.

Key

Enter the encryption key for all communication between the router and the TACACS+ or RADIUS servers.

Select the source interface

Check this box if you want to specify a single interface on which the router is to receive TACACS+ or RADIUS packets.

Interface—Select the router interface on which the router is to receive TACACS+ or RADIUS packets. If the Select the source interface box is not checked, this field will be disabled.


AAA Server Groups

This window displays the AAA server groups configured on this router. If no AAA servers have been configured, this window is empty.

Field Reference

Table 35-6 describes the fields in this screen.

Table 35-6 AAA Server Groups Fields

Element
Description

Add

Click the Add button to create a RADIUS server group. After you create this group, the name and group members are displayed in this window.

Edit

Click Edit to modify the information for the highlighted server group.

Delete

Click Delete to remove the highlighted server group.

Group Name

The name of the server group. Server group names allow you to use a single name to reference multiple servers.

Type

The type of servers in the selected group, either TACACS+ or RADIUS.

Group Members

The IP addresses or host names of the AAA servers in this group.


Add or Edit AAA Server Group

Create or modify an AAA server group in this window.

Field Reference

Table 35-7 describes the fields in this screen.

Table 35-7 Add or Edit AAA Server Group Fields

Element
Description

Group Name

Enter a name for the group.

Server Type

Select the server type, either RADIUS or TACACS+.


Note This field may be protected and set to a specific type, depending on the configuration that you are performing.


Select the servers that need to be placed in this AAA server group

This area lists the IP addresses of all the AAA servers configured on the router of the type chosen, along with the Authorization and Accounting ports used. Check the Select box next to the servers that you want to add.


Authentication and Authorization Policies

The Authentication Policies and the Authorization Policies windows summarize the authentication policy information on the router.

Field Reference

Table 35-8 describes the fields in this screen.

Table 35-8 Authentication and Authorization Policy Fields

Element
Description

Authentication Type

The type of authentication policy.

Number of Policies

The number of policies of this type.

Usage

The usage description for these policies.


Authentication and Authorization

The Login, Exec, and Network windows display the method lists used to authenticate logins and NAC requests, and to authorize Exec command-level and network requests. You can review and manage these method lists from these windows.

Field Reference

Table 35-9 describes the fields in this screen.

Table 35-9 Authentication and Authorization Fields

Element
Description

Add

Edit

Delete

Use these buttons to create, edit, and remove method lists.

List Name

The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.

Method 1

The method that the router will attempt first. If one of the servers in this method authenticates the user (sends a PASS response), authentication is successful. If a server returns a FAIL response, authentication fails. If no servers in the first method respond, then the router uses the next method in the list. Methods can be ordered when you create or edit a method list.

Method 2

Method 3

Method 4

The methods, in order, that the router will use if the servers referenced in method 1 do not respond. If there are fewer than four methods, the positions for which no list has been configured are kept empty.


Authentication NAC

The Authentication NAC window displays the EAPoUDP method lists configured on the router. You can specify additional method lists in this window if you want the router to attempt the methods that you enter before resorting to the default method list.

Field Reference

Table 35-10 describes the fields in this screen.

Table 35-10 NAC Authentication Fields

Element
Description

Add

Edit

Delete

Use these buttons to create, edit, and remove method lists.

List Name

The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. If the NAC wizard was used to create a NAC configuration, the list name "default" is displayed in this column.

Method 1

The method that the router will attempt first. If the NAC wizard was used to create a NAC configuration, the method name "group SDM_NAC_Group" is displayed in this column.

If one of the servers in this method authenticates the user (sends a PASS response), authentication is successful. If a server returns a FAIL response, authentication fails. If no servers in the first method respond, then the router uses the next method in the list. Methods can be ordered when you create or edit a method list.

Method 2

Method 3

Method 4

The methods, in order, that the router will use if the servers referenced in method 1 do not respond. If there are fewer than four methods, the positions for which no list has been configured are kept empty.


Authentication 802.1x

The Authentication 802.1x window displays the method lists configured for 802.1x authentication.


Note You cannot specify additional method lists for 802.1x configuration.


Field Reference

Table 35-11 describes the fields in this screen.

Table 35-11 802.1x Authentication Fields

Element
Description

Add

Edit

Delete

Use these buttons to create, edit, and remove method lists.

List Name

The method list name. A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user.

If the LAN wizard has been used to create an 802.1x configuration, the list name "default" is displayed in this column.

Method 1

The method that the router will attempt first. If one of the servers in this method authenticates the user (sends a PASS response), authentication is successful. If a server returns a FAIL response, authentication fails. If no servers in the first method respond, then the router uses the next method in the list. Methods can be ordered when you create or edit a method list.

If the LAN wizard has been used to create an 802.1x configuration, the Method name "group SDM_802.1x" is displayed in this column.

Method 2

Method 3

Method 4

The methods that the router will use if the servers referenced in method 1 do not respond. If there are fewer than four methods, the positions for which no list has been configured are kept empty.


Add or Edit a Method List for Authentication or Authorization

A method list is a sequential list describing the authentication methods to be queried in order to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.

Cisco IOS software uses the first listed method to authenticate users. If that method fails to respond, the Cisco IOS software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method, or all methods defined in the method list are exhausted.

It is important to note that the Cisco IOS software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle—meaning that the security server or local username database responds by denying the user access—the authentication process stops and no other authentication methods are attempted.
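The sequential behaviour described above, together with the four-method limit and the rule that "none" must be last from the field reference in this section, as an added Python simulation that is not Cisco code and not part of this guide; the group names, server behaviour and credentials are constructed. It shows the point a defender cares about: a FAIL from the first method is final, while a group that does not answer falls through to whatever comes next, including "none".

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# The three answers a method can give, as the guide describes them.
PASS, FAIL, NO_RESPONSE = "PASS", "FAIL", "NO_RESPONSE"
# A server is modelled as a function (user, password) -> answer (constructed stand-in).
Server = Callable[[str, str], str]

@dataclass
class ServerGroup:
    name: str
    servers: List[Server]  # contacted in order; the first server that answers decides

def validate_method_list(methods: List[str]) -> Optional[str]:
    """Apply the guide's structural rules; return an error message or None."""
    if not 1 <= len(methods) <= 4:
        return "a method list holds one to four methods"
    if "none" in methods and methods[-1] != "none":
        return 'the method "none" must be last in the list'
    return None

def query_group(group: ServerGroup, user: str, password: str) -> str:
    for server in group.servers:
        answer = server(user, password)
        if answer != NO_RESPONSE:
            return answer  # a PASS or FAIL from any member is the group's answer
    return NO_RESPONSE  # no member of the group answered

def evaluate(methods: List[str], user: str, password: str, groups: Dict[str, ServerGroup],
             local_db: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Walk the list; advance to the next method only when the current one gives NO_RESPONSE."""
    error = validate_method_list(methods)
    if error:
        raise ValueError(error)
    for method in methods:
        if method == "none":
            answer = PASS  # no authentication is performed at all
        elif method == "local":
            answer = PASS if local_db.get(user) == password else FAIL
        elif method.startswith("group "):
            answer = query_group(groups[method[len("group "):]], user, password)
        else:
            raise ValueError(f"unknown method {method!r}")
        if answer != NO_RESPONSE:
            return answer, method  # PASS or FAIL ends the walk; nothing further is tried
    return FAIL, None  # every method was exhausted without an answer

# Constructed sample environment; group names, server behaviour and credentials are hypothetical.
def tacacs_primary(user, password):
    return NO_RESPONSE  # an unreachable server, e.g. one that times out

def tacacs_secondary(user, password):
    return PASS if (user, password) == ("alice", "tacacs-pw") else FAIL

GROUPS = {
    "SDM_TACACS": ServerGroup("SDM_TACACS", [tacacs_primary, tacacs_secondary]),
    "DOWN": ServerGroup("DOWN", [tacacs_primary]),
}
LOCAL_DB = {"alice": "local-pw"}
```

With the list ["group SDM_TACACS", "local"], alice's local password is rejected because the second TACACS+ server answers FAIL and the local database is never consulted; with ["group DOWN", "none"], any user is admitted once the group is unreachable.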

Field Reference

Table 35-12 describes the fields in this screen.

Table 35-12 Add a Method List for Authentication or Authorization Fields

Element
Description

Name

Specify

Choose the name Default in the Name list, or choose User Defined, and enter a method list name in the Specify field.

Methods

A method is a configured server group. Up to four methods can be specified and placed in the list in the order you want the router to use them. The router will attempt the first method in the list. If the authentication request receives a PASS or a FAIL response, the router does not query further. If the router does not receive a response by using the first method, it uses the next method in the list, and continues to the end of the list until it receives a PASS or a FAIL response.

Add

Click Add to add a method to the list. If there are no configured server groups to add, you can configure a server group in the window displayed.

Delete

Click this button to delete a method from the list.

Move Up

Move Down

The router attempts the methods in the order they are listed in this window. Click Move Up to move a method up the list. Click Move Down to move a method further down the list.

The method "none" will always be last in the list. No other method in the list can be moved below it. This is an IOS restriction. IOS will not accept any method name after the method name "none" has been added to a Method List.

Enable Password Aging

Check Enable Password Aging to have the Easy VPN Server notify the user when their password has expired and prompt them to enter a new password.