Downloads |
Table Of Contents
Supported Standards, MIBs and RFCs
AAA Server Group
This document includes the following sections:
•
Supported Standards, MIBs and RFCs
Feature Overview
The AAA server-group feature introduces a way to group existing server hosts. The feature allows you to select a subset of the configured server hosts and use them for a particular service.
A server-group is a list of server hosts of a particular type. Currently supported server-host types are Remote Authentication Dial In User Service (RADIUS) server hosts and Terminal Access Controller Access Control System Plus (TACACS+) server hosts. A server-group is used in conjunction with a global server-host list. The server-group lists the IP addresses of the selected server hosts. Figure 1 shows a typical AAA network configuration: R1 and R2 are RADIUS server hosts, and T1 and T2 are TACACS+ server hosts.
Figure 1 Typical AAA Network Configuration
Benefits
The AAA server-group feature allows customers to define a distinct list of server hosts and apply this list to relevant applications. The AAA server-group feature is also backward compatible; this feature works on releases earlier than Cisco IOS Release 12.0(5)T.
Related Documents
•
•
Restrictions
The AAA server-group feature works only when the server hosts in a group are the same type: RADIUS or TACACS+.
Supported Platforms
AAA is part of the core IOS; therefore, the AAA server-group feature is supported on all platforms using Cisco IOS Release 12.0(5)T.
Supported Standards, MIBs and RFCs
Standards
None
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see the Cisco MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
None
Configuration Tasks
Perform the following tasks to configure AAA server-groups:
•
Configuring AAA Server Groups
Note
To define a server host with a server group with a group name, enter the following commands in global configuration mode. The listed server must exist in global configuration mode:
After you define the server group with a group name, enter the following commands to enable AAA authentication, AAA authorization, and AAA accounting:
Verifying AAA Server Groups
Embedded error messages guide you to configure the server-group feature correctly. Therefore, no verification steps are needed.
Configuration Examples
A server-group is uniquely identified by its name. It is important to select the correct server host type because the method-list definition identifies the server host types by name.
A configuration example for an AAA server group is as follows:
Router(config)# aaa group server {tacacs+ | radius} group-nameRouter(config-sg radius)# server 1.1.1.1Router(config-sg radius)# server 2.2.2.2Router(config-sg radius)# server 3.3.3.3Router(config)# endCommand Reference
This section documents new and modified commands. All other commands used with this feature are documented in the Cisco IOS Release 12.0 Security Command Reference.
New Commands
Modified Commands
aaa group server
To group different server hosts into distinct lists and distinct methods, enter the aaa group server global configuration command. To remove a server group from the configuration list, enter the no form of this command.
aaa group server {tacacs+ | radius} group-name
no aaa group server {tacacs+ | radius} group-name
Syntax Description
tacacs+
Use only the TACACS+ server hosts.
radius
Use only the RADIUS server hosts.
group-name
Character string used to name the group of servers.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
The AAA server-group feature introduces a way to group existing server hosts. The feature enables you to select a subset of the configured server hosts and use them for a particular service.
A server group is a list of server hosts of a particular type. Currently supported server host types are RADIUS server hosts and TACACS+ server hosts. A server group is used in conjunction with a global server host list. The server group lists the IP addresses of the selected server hosts.
Examples
The following example shows the configuration of an AAA server-group:
Router(config) aaa group server {tacacs+ | radius} group-nameRouter(config-sg radius) server 1.1.1.1Router(config-sg radius) server 2.2.2.2Router(config-sg radius) server 3.3.3.3Router(config) endRelated Commands
aaa accounting
To enable AAA accounting of requested services for billing or security purposes when you use RADIUS or TACACS+, enter the aaa accounting global configuration command. To disable accounting, enter the no form of this command.
aaa accounting {system | network | exec | connection | commands level} {default | list-name}
{start-stop | wait-start | stop-only | none} [group group-name]no aaa accounting {system | network | exec | commands level} [group group-name]
Syntax Description
Defaults
AAA accounting is disabled. If the aaa accounting command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter the aaa accounting command to enable accounting and to create named method lists defining specific accounting methods on a per-line or per-interface basis.
Table 1 AAA Accounting Method Keywords
group name radius
Uses RADIUS to provide accounting service.
group name tacacs+
Uses TACACS+ to provide accounting services.
Cisco IOS software supports the following two methods for accounting:
•
•
Method lists for accounting define the way accounting is performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. Create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding the names of methods, such as RADIUS or TACACS+) and method identifies the method(s) tried in the given sequence.
Named accounting method lists are specific to the indicated type of accounting. To create a method list to provide accounting information for ARA (network) sessions, enter the arap keyword. To create a method list to provide accounting records about user EXEC terminal sessions on the network access server, including username, date, and start and stop times, enter the exec keyword. To create a method list to provide accounting information about specific, individual EXEC commands associated with a specific privilege level, enter the commands keyword. To create a method list to provide accounting information about all outbound connections made from the network access server, enter the connection keyword.
Note
For minimal accounting, include the stop-only keyword to send a stop accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS or TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. For even more accounting control, you can include the wait-start keyword, which ensures that the start accounting notice is received by the RADIUS or TACACS+ server before granting the process request from the user. Accounting is only stored on the RADIUS or TACACS+ server. The none keyword disables accounting services for the specified line or interface.
When aaa accounting is activated, the network access server monitors either RADIUS accounting attributes or TACACS+ AV pairs pertinent to the connection, depending on the security method you have implemented. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server.
For a list of supported RADIUS accounting attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ accounting AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Security Configuration Guide.
Examples
The following example shows a default commands accounting method list defined, where command accounting services are provided by a TACACS+ security server, and are set for privilege level 15 commands with a stop-only restriction.
aaa accounting commands 15 default stop-only tacacs+Related Commands
aaa authentication login
To set AAA authentication at login, enter the aaa authentication login global configuration command. To disable AAA authentication, enter the no form of this command.
aaa authentication login {default | list-name} group group-name
no aaa authentication login {default | list-name} [group group-name | method1 method2]
Syntax Description
Defaults
If the default list is not set, only the local user database is checked, which has the same effect as the following command:
aaa authentication login default local
Note
Command Modes
Global configuration
Command History
Usage Guidelines
Enter the default and optional list names that you create with the aaa authentication login command with the login authentication command.
Create a list by entering the aaa authentication list-name method command for a particular protocol, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods that the authentication algorithm tries in the given sequence. Method keywords are described in .
To create a default list that is used if no list is assigned to a line, enter the login authentication command with the default argument followed by the methods you want to use in default situations.
Use the additional methods of authentication only if the previous method returns an error—not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.
If you do not set authentication specifically for a line, the default is to deny access and no authentication is performed. To display currently configured lists of authentication methods, enter the more system:running-config command.
Examples
The following example shows an AAA authentication list created called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication:
aaa authentication login MIS-access tacacs+ enable noneThe following example shows the same list created, but it is set as the default list that is used for all login authentications if no other list is specified:
aaa authentication login default tacacs+ enable noneThe following example shows the authentication set at login to use the Kerberos 5 Telnet authentication protocol when Telnet is used to connect to the router:
aaa authentication login default KRB5-TELNET krb5Related Commands
aaa authorization
To set parameters that restrict a network access to a user, enter the aaa authorization global configuration command. To disable authorization for a function, enter the no form of this command.
aaa authorization {network | exec | commands level | reverse-access} {default | list-name} group group-name
no aaa authorization {network | exec | commands level | reverse-access} [group group-name | method1 method2]Syntax Description
Defaults
Authorization is disabled for all actions (equivalent to the method keyword none). If the aaa authorization command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.
Command Modes
Global configuration
Command History
Usage Guidelines
Enter the aaa authorization command to enable authorization and to create named method lists that define authorization methods that can be used when a user accesses the specified function. Method lists for authorization define the ways authorization is performed and the sequence in which these methods will be performed. A method list is simply a named list describing the authorization methods to be queried (such as RADIUS or TACACS+) in sequence. Method lists enable you to designate one or more security protocol to be used for authorization; thus it ensures a backup system if the initial method fails. Cisco IOS software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.
Note
Enter the aaa authorization command to create a list by entering the list-name and the method, where list-name is any character string used to name this list (excluding all method names) and method identifies the list of authorization methods tried in the given sequence.
Method lists are specific to the type of authorization being requested. AAA supports four different types of authorization:
•
•
•
•
When you create a named method list, you are defining a particular list of authorization methods for the indicated authorization type.
Once defined, method lists must be applied to specific lines or interfaces before any of the defined methods are performed.
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS or TACACS+ daemon as part of the authorization process. The daemon can perform one of the following actions:
•
•
•
For a list of supported RADIUS attributes, refer to the "RADIUS Attributes" appendix in the Security Configuration Guide. For a list of supported TACACS+ AV pairs, refer to the "TACACS+ Attribute-Value Pairs" appendix in the Security Configuration Guide.
Note
Examples
The following example shows a network authorization method list defined and named scoobee, which specifies that RADIUS authorization is used on serial lines using PPP. If the RADIUS server fails to respond, then local network authorization is performed:
aaa authorization network scoobee radius localRelated Commands
server
To configure the IP address of the RADIUS server, enter the server AAA server-group command. To remove the IP address of the RADIUS server, enter the no form of this command.
server ip-address
no server ip-address
Syntax Description
Defaults
None
Command Modes
AAA server-group sub-mode.
Command History
Usage Guidelines
Enter the server command to specify the IP address of the RADIUS server. Also configure a matching radius-server host entry in the global list. If there is no response from the first host entry, the next host entry is tried.
Examples
The following example shows server host entries configured for the RADIUS server:
Router(config)# aaa new-modelRouter(config)# aaa authentication ppp default group g1Router(config)# aaa group server radius g1Router(config-sg radius)# server 1.0.0.1Router(config-sg radius)# server 2.0.0.1Router(config)# radius-server host 1.0.0.1 auth-port 1000 acct-port 1001...Router(config)# radius-server host 1.0.0.1 auth-port 1645 acct-port 1646...Router(config)# radius-server host 2.0.0.1 auth-port 1645 acct-port 1646...Related Commands
Glossary
AV pairs—attribute-value pairs.
NAS—network access server.
RADIUS—Remote Access Dial-In User Service.
TACACS+—Terminal Access Controller Access Control System Plus.
