This chapter describes how to configure Authentication, Authorization, and Accounting (AAA) on Cisco 1000 Series Connected Grid Routers (hereafter referred to as the Cisco CG-OS router).
The AAA feature allows you to verify the identity of, grant access to, and track the actions of users managing the Cisco CG-OS router. The Cisco CG-OS router supports the Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Based on the user ID and password combination that you provide, the Cisco CG-OS router performs local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A pre-shared secret key provides security for communication between the Cisco CG-OS router and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.
AAA security provides the following services:
Authentication is the process of verifying the identity of the person or device accessing the Cisco CG-OS router, which is based on the user ID and password combination provided by the entity trying to access the Cisco CG-OS router. The Cisco CG-OS routers allow you to perform local authentication (using the local lookup database) or remote authentication (using one or more RADIUS or TACACS+ servers).
AAA authorization is the process of assembling a set of attributes that describe what the user is authorized to perform. Authorization in Cisco CG-OS is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights with the appropriate user.
The accounting feature tracks and maintains a log of every management session used to access the Cisco CG-OS router. You can use this information to generate reports for troubleshooting and auditing purposes. You can store accounting logs locally on the Cisco CG-OS router or send them to remote AAA servers.
Note Cisco CG-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services on the Cisco CG-OS router:
You can specify remote AAA servers for authentication, authorization, and accounting by using server groups. A server group is a set of remote AAA servers that implement the same AAA protocol. The purpose of a server group is to provide for failover servers in case a remote AAA server fails to respond. If the first remote server in the group fails to respond, then the next remote server in the group is queried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, then that server group option is considered a failure. When required, you can specify multiple server groups. If the Cisco CG-OS router encounters errors from the servers in the first group, it tries the servers in the next server group.
AAA configuration in the Cisco CG-OS router is service-based, which means that you can have separate AAA configurations for the following services:
Table 4-1 provides the relevant CLI command for each AAA service configuration option.
You can specify the following authentication methods for the AAA services:
Note If the chosen authentication method employs all RADIUS servers, rather than a specific server group, the Cisco CG-OS router chooses the RADIUS server from the global pool of configured RADIUS servers, in the order of configuration. Servers from this global pool can also be configured within a RADIUS server group on the Cisco CG-OS router.
Table 4-2 shows the AAA authentication methods that you can configure for the AAA services.
Note For console login authentication, user login authentication, and user management session accounting, the Cisco CG-OS router queries each option in the order specified. The local option is the default method when all other configured options fail.
Figure 4-1 shows a flow chart of the authentication and authorization process for user login. The following list explains the process:
1. When you log in to one of the required Cisco CG-OS routers, you can use the Telnet, SSHv2, or console login options. Cisco recommends employing SSHv2 for increased security.
2. When you configure the AAA server groups using the server group authentication method, the Cisco CG-OS router sends an authentication request to the first AAA server in the group as follows:
– If the AAA server fails to respond, then the Cisco CG-OS router queries the next AAA server and so on until a remote AAA server responds to the authentication request.
– If all AAA servers in the server group fail to respond, then the Cisco CG-OS router contacts servers in the next server group.
– If all configured methods fail, then the local database on the Cisco CG-OS router is used for authentication.
3. When the Cisco CG-OS router successfully authenticates through a remote AAA server, the following possibilities apply:
– If the AAA server protocol is RADIUS, then the server downloads an authentication response to the Cisco CG-OS router that includes user roles, which are part of the cisco-av-pair attribute.
– If the AAA server protocol is TACACS+, then the Cisco CG-OS router sends another request to the same server to get the user roles specified as custom attributes for the shell.
– If the user roles are not successfully retrieved from the remote AAA server by the Cisco CG-OS router, then the Cisco CG-OS router assigns the user the vdc-operator role. For more information on user roles, refer to Chapter 7, “Configuring User Accounts and RBAC.”
4. When the Cisco CG-OS router successfully authenticates your username and password, the Cisco CG-OS router logs you in and assigns you the roles configured in the local database.
Figure 4-1 Authorization and Authentication Flow for User Login
Note “No more servers left” means that there is no response from any server within available server groups.
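The login flow above, as an added example that is not part of the Cisco guide: a small Python model of the method list in Figure 4-1. Each server is a callable that returns "accept", "reject", or None (no response); groups are tried in configured order, a group is abandoned only when none of its servers responds, and the local database is consulted only when no server in any group responds ("no more servers left"). The all-numeric username rule from the prerequisites section is applied before any server is queried. Server and user names are constructed for the example.

```python
from typing import Callable, Dict, Optional, Sequence, Tuple

# A server takes (username, password) and returns "accept", "reject", or
# None when it does not respond (timeout / unreachable).
Server = Callable[[str, str], Optional[str]]


def authenticate(groups: Sequence[Sequence[Server]], local_db: Dict[str, str],
                 user: str, password: str) -> Tuple[str, str]:
    """Return (result, source). result is 'accept' or 'reject'; source says
    which server group/server answered, 'local' for the local database, or
    'policy' when the login was refused before any server was queried."""
    # CG-OS does not log in all-numeric usernames, even if a server has them.
    if user.isdigit():
        return "reject", "policy"
    for gi, group in enumerate(groups):
        for si, server in enumerate(group):
            reply = server(user, password)
            if reply is not None:
                # Any response ends the method list: a reject is a response,
                # so it does NOT fall through to the next group or to local.
                return reply, f"group{gi}/server{si}"
        # No server in this group responded: try the next server group.
    # No more servers left in any group: use the local database.
    result = "accept" if local_db.get(user) == password else "reject"
    return result, "local"


def make_server(db: Optional[Dict[str, str]]) -> Server:
    """db=None models an unreachable server; otherwise a server that decides
    accept/reject from its own constructed user database."""
    def server(user: str, password: str) -> Optional[str]:
        if db is None:
            return None
        return "accept" if db.get(user) == password else "reject"
    return server


if __name__ == "__main__":
    dead = make_server(None)                  # constructed: unreachable server
    live = make_server({"alice": "pw1"})      # constructed: responding server
    print(authenticate([[dead, dead], [live]], {}, "alice", "pw1"))
    print(authenticate([[dead, dead], [live]], {"alice": "x"}, "alice", "bad"))
    print(authenticate([[dead], [dead]], {"alice": "x"}, "alice", "x"))
```

The second call shows the point the Note makes: the live server's reject is a response, so the local database is never consulted even though it holds a different password for the same user.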
Ensure that at least one RADIUS or TACACS+ server is IP reachable. (See Configuring RADIUS Servers and Configuring TACACS+ Server Hosts.)
Ensure that the Cisco CG-OS router is recognized as a client of the AAA servers.
Ensure that you configure the pre-shared secret key on the Cisco CG-OS router and the remote AAA servers.
Ensure that the remote server responds to AAA requests from the Cisco CG-OS router. (See Manually Monitoring RADIUS Servers or Groups and Manually Monitoring TACACS+ Servers or Groups.)
The Cisco CG-OS software does not support all-numeric usernames, whether created with TACACS+ or RADIUS, or created locally, and does not create local users with all-numeric names. When an all-numeric username exists on an AAA server and it is entered during login, the Cisco CG-OS router does not log in the user.
When you have a user account configured on a local Cisco CG-OS router that has the same name as a remote user account on an AAA server, Cisco CG-OS applies the user roles for the local user account to the remote user, instead of the user roles configured on the AAA server.
Table 4-3 lists the default settings for AAA parameters.
To configure AAA authentication and accounting, follow these steps:
Step 2 Enable the Default User Role for Authentication. (See Enabling the Default User Role for Authentication.)
Step 3 Enable the Login Authentication Failure Messages. (See Enabling Login Authentication Failure Messages.)
Step 4 Configure default login authentication methods for user logins. (See Configuring Default Login Authentication Methods.)
Step 5 Configure default AAA accounting default methods. (See Configuring AAA Accounting Default Methods.)
This example shows how to configure default login authentication methods for the Cisco CG-OS router.
You can enable the default user role that allows remote users who do not have a user role to log in to the Cisco CG-OS router through a RADIUS or TACACS+ server. The default user role on the Cisco CG-OS router is network-operator. For more information on user roles, see Chapter 7, “Configuring User Accounts and RBAC.”
Note Although references to a default VDC might be seen in CLI displays, the Cisco CG-OS router does not support the configuration of more than one VDC. The Cisco CG-OS router only supports a default VDC.
This example shows how to enable the default user role of network-operator for remote authentication to the Cisco CG-OS router through an AAA (RADIUS or TACACS+) server.
When you enable login failure messages on the Cisco CG-OS router, the following messages display when access to remote AAA servers fails and the local user database takes precedence:
This example shows how to enable authentication failure messages on the Cisco CG-OS router that will appear on a user (client) terminal when authentication with a RADIUS or TACACS+ server fails.
The Cisco CG-OS router supports TACACS+ and RADIUS methods for accounting and reports user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs, which are stored on the designated AAA server.
When you activate AAA accounting, the Cisco CG-OS router reports these attributes as accounting records, which are then stored in an accounting log on the defined AAA security server.
You can create default method lists defining specific accounting methods, which include the following:
Note When you configure server groups and the server groups do not respond, by default, the local database on the Cisco CG-OS router is used for authentication.
This example shows how to configure the Cisco CG-OS router to use default accounting methods employed by RADIUS servers.
You can use Vendor-Specific Attributes (VSAs) to specify user roles on AAA servers.
The Internet Engineering Task Force (IETF) draft standard specifies attribute 26 as the method for communicating VSAs between the network access server and the RADIUS server. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
The protocol is a Cisco attribute for a particular type of authorization; the separator is = (equal sign) for mandatory attributes and * (asterisk) for optional attributes.
When you use RADIUS servers for authentication on the Cisco CG-OS router, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, along with authentication results. This authorization information is specified through VSAs.
Cisco CG-OS supports the following VSA protocol options:
Cisco CG-OS supports the following attributes:
The following examples show the roles attribute as supported by FreeRADIUS:
Note When you specify a VSA as shell:roles*"network-operator" vdc-admin or "shell:roles*\"network-operator vdc-admin\"", this VSA is flagged as an optional attribute and other Cisco devices ignore this attribute.
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco CG-OS router using this format:
If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.
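The VSA encoding described above, as an added example that is not part of the Cisco guide: Python code that builds and parses a RADIUS attribute 26 (Vendor-Specific) TLV carrying Cisco vendor ID 9, vendor type 1 (cisco-av-pair), then maps the shell:roles value to CG-OS roles. It applies the separator rule from this section (= mandatory, * optional) and falls back to network-operator when no roles option is present; the role names and the shell:roles= form are assumptions based on the Note above.

```python
import re
import struct

RADIUS_VENDOR_SPECIFIC = 26   # IETF attribute for vendor-specific data
CISCO_VENDOR_ID = 9           # Cisco's vendor ID
CISCO_AV_PAIR = 1             # vendor type 1: cisco-av-pair
DEFAULT_ROLE = "network-operator"  # role used when no roles option is given


def encode_cisco_av_pair(av_pair: str) -> bytes:
    """Build one attribute 26 TLV: type, length, vendor-id, then the
    cisco-av-pair sub-attribute (vendor-type, vendor-length, string)."""
    value = av_pair.encode()
    sub = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_cisco_av_pairs(attr: bytes) -> list:
    """Return the cisco-av-pair strings in one attribute 26 TLV; an attribute
    from another vendor yields [] and a malformed TLV raises ValueError."""
    if len(attr) < 8:
        raise ValueError("attribute too short for a Vendor-Specific TLV")
    atype, alen = struct.unpack("!BB", attr[:2])
    if atype != RADIUS_VENDOR_SPECIFIC or alen != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    if struct.unpack("!I", attr[2:6])[0] != CISCO_VENDOR_ID:
        return []
    pairs, pos = [], 6
    while pos + 2 <= alen:
        vtype, vlen = struct.unpack("!BB", attr[pos:pos + 2])
        if vlen < 2 or pos + vlen > alen:
            raise ValueError("bad vendor sub-attribute length")
        if vtype == CISCO_AV_PAIR:
            pairs.append(attr[pos + 2:pos + vlen].decode())
        pos += vlen
    return pairs


# shell:roles, then '=' (mandatory) or '*' (optional), then quoted role list.
ROLES_RE = re.compile(r'^shell:roles([=*])"?([^"]*)"?$')


def roles_from_av_pairs(pairs: list) -> tuple:
    """Return (roles, mandatory). Roles are space separated inside the quotes;
    with no roles option the default role applies."""
    for pair in pairs:
        match = ROLES_RE.match(pair.strip())
        if match:
            return match.group(2).split(), match.group(1) == "="
    return [DEFAULT_ROLE], False
```

An optional (`*`) roles attribute still decodes here, which matches the Note: it is the other Cisco devices, not the parser, that ignore optional attributes.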
For more information on user roles, see Chapter 7, “Configuring User Accounts and RBAC.”
The Cisco CG-OS router maintains a local log for the AAA accounting activity.
You can display the contents of the log or clear the contents of the log by entering one of the commands below:
Note The AAA accounting log is local to the Cisco CG-OS router.
To display AAA configuration information, enter any or all of the following commands:
For detailed information about the fields in the output from these commands, see the Command Lookup Tool on Cisco.com.