AAA Double Authentication Secured
by Absolute Timeout
First Published: March 1, 2004
Last Updated: May 4, 2009
The AAA Double Authentication Secured by Absolute Timeout feature allows you to secure the double authentication mechanism by protecting it with a per-user session timeout. This feature optimizes the connection to the network by service providers to only connections that are authorized, and it increases the security of the overall access to the network by ensuring that no unwanted sessions are connected.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for AAA Double Authentication Secured by Absolute Timeout" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•Prerequisites for AAA Double Authentication Secured by Absolute Timeout
•Restrictions for AAA Double Authentication Secured by Absolute Timeout
•Information About AAA Double Authentication Secured by Absolute Timeout
•How to Apply AAA Double Authentication Secured by Absolute Timeout
•Examples for AAA Double Authentication Secured by Absolute Timeout
•Additional References
•Feature Information for AAA Double Authentication Secured by Absolute Timeout
Prerequisites for AAA Double Authentication Secured
by Absolute Timeout
•You need access to a Cisco RADIUS or TACACS+ server and should be familiar with configuring RADIUS or TACACS+.
•You should be familiar with configuring authentication, authorization, and accounting (AAA).
•You should be familiar with enabling AAA automated double authentication.
Restrictions for AAA Double Authentication Secured
by Absolute Timeout
•The AAA Double Authentication Secured by Absolute Timeout feature, like the existing double authentication feature, is for PPP connections only. Automated double authentication cannot be used with other protocols, such as X.25 or Serial Line Internet Protocol (SLIP).
•There may be a minimal impact on performance if a TACACS+ server is used. However, there is no performance impact if a RADIUS server is used.
Information About AAA Double Authentication Secured
by Absolute Timeout
To configure the AAA Double Authentication Secured by Absolute Timeout feature, you should understand the following concept:
•AAA Double Authentication
AAA Double Authentication
With the current AAA double authentication mechanism, a user must pass the first authentication using a host username and password. The second authentication, after Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP), uses a login username and password. In the first authentication, a PPP session timeout will be applied to the virtual access interface if it is configured locally or remotely. The AAA Double Authentication Secured by Absolute Timeout feature allows you to secure the double authentication mechanism by protecting it with a per-user session timeout. The per-user timeout, which can be customized, supersedes the generic absolute timeout value. This method works on the same principle as per-user access control lists (ACLs) in double authentication.
How to Apply AAA Double Authentication Secured
by Absolute Timeout
This section contains the following procedures:
•Applying AAA Double Authentication Secured by Absolute Timeout
•Verifying AAA Double Authentication Secured by Absolute Timeout
Applying AAA Double Authentication Secured by Absolute Timeout
To apply the absolute timeout, you need to configure "Session-Timeout" in the login user profile as a link control protocol (LCP) per-user attribute. There is no new or modified command-line interface (CLI) for this feature, but before you use the access-profile command when enabling AAA double authentication, you must first reauthorize LCP per-user attributes (for example, Session-Timeout) and then reauthorize Network Control Protocols (NCPs) to apply other necessary criteria, such as ACLs and routes. See the "Examples for AAA Double Authentication Secured by Absolute Timeout" section.
Note Timeout configuration in a TACACS+ user profile is a little different from the configuration in a RADIUS user profile. In a RADIUS profile, only one "Session-Timeout" is configured, along with the autocommand "access-profile." The timeout will be applied to the EXEC session and to the PPP session. In TACACS+, however, the timeout must be configured under the service types "exec" and "ppp" (LCP) to apply a timeout to the EXEC session and to the PPP session. If the timeout is configured only under the service type "ppp," the timeout value is not available while doing an EXEC authorization—and the timeout will not be applied to the EXEC session.
Verifying AAA Double Authentication Secured by Absolute Timeout
To verify that AAA double authentication has been secured by absolute timeout and to see information about various attributes associated with the authentication, perform the following steps. These show and debug commands can be used in any order.
Note When idle timeout is configured on a full virtual access interface and a subvirtual access interface, the show users command displays the idle time for both the interfaces. However, if the idle timeout is not configured on both interfaces, then the show users command will display the idle time for the full virtual access interface only.
SUMMARY STEPS
1. enable
2. show users
3. show interfaces virtual-access number [configuration]
4. debug aaa authentication
5. debug aaa authorization
6. debug aaa per-user
7. debug ppp authentication
8. debug radius
or
debug tacacs
DETAILED STEPS
|
|
|
Step 1 |
enable
Router> enable |
Enables privileged EXEC mode. •Enter your password if prompted. |
Step 2 |
show users enable
Router# show users |
Displays information about the active lines on the router. |
Step 3 |
show interfaces virtual-access number [configuration]
Router# show interfaces virtual-access 2 configuration |
Displays status, traffic data, and configuration information about a specified virtual access interface. |
Step 4 |
debug aaa authentication
Router# debug aaa authentication |
Displays information about AAA TACACS+ authentication. |
Step 5 |
debug aaa authorization
Router# debug aaa authorization |
Displays information about AAA TACACS+ authorization. |
Step 6 |
debug aaa per-user
Router# debug aaa per-user |
Displays the attributes that are applied to each user as the user authenticates. |
Step 7 |
debug ppp authentication
Router# debug ppp authentication |
Displays whether a user is passing authentication. |
Step 8 |
debug radius
Router# debug radius
or debug tacacs
Router# debug tacacs |
Displays information associated with the RADIUS server. or Displays information associated with the TACACS+ server. |
Examples
The following sample output is from the show users command:
Line User Host(s Idle Location
* 0 con 0 aaapbx2 idle 00:00:00 aaacon2 10
8 vty 0 broker_def idle 00:00:08 192.168.1.8
Interface User Mode Idle Peer Address
Vi2 broker_default VDP 00:00:01 192.168.1.8 <=========
Se0:22 aaapbx2 Sync PPP 00:00:23
The following sample output is from the show interfaces virtual-access command:
Router# show interfaces virtual-access 2 configuration
Virtual-Access2 is a Virtual Profile (sub)interface
Derived configuration: 150 bytes
interface Virtual-Access2
! The above line shows that the per-user session timeout has been applied.
! The above line shows that the absolute timeout has been applied.
Examples for AAA Double Authentication Secured by Absolute Timeout
This section includes the following examples:
•RADIUS User Profile: Example
•TACACS+ User Profile: Example
RADIUS User Profile: Example
The following sample output shows that a RADIUS user profile has been applied and that AAA double authentication has been secured by an absolute timeout:
aaapbx2 Password = "password1",
cisco-avpair = "ip:inacl#1=permit tcp any any eq telnet"
cisco-avpair = "ip:inacl#2=permit icmp any any"
broker_default Password = "password1",
Service-Type = Administrative,
cisco-avpair = "shell:autocmd=access-profile",
cisco-avpair = "ip:inacl#1=permit tcp any any"
cisco-avpair = "ip:inacl#2=permit icmp any any"
broker_merge Password = "password1",
Service-Type = Administrative,
cisco-avpair = "shell:autocmd=access-profile merge",
cisco-avpair = "ip:inacl#1=permit tcp any any"
cisco-avpair = "ip:inacl#2=permit icmp any any"
cisco-avpair = "ip:route#3=10.4.0.0 255.0.0.0"
cisco-avpair = "ip:route#4=10.5.0.0 255.0.0.0"
cisco-avpair = "ip:route#5=10.6.0.0 255.0.0.0"
broker_replace Password = "password1",
Service-Type = Administrative,
cisco-avpair = "shell:autocmd=access-profile replace",
cisco-avpair = "ip:inacl#1=permit tcp any any"
cisco-avpair = "ip:inacl#2=permit icmp any any"
cisco-avpair = "ip:route#3=10.4.0.0 255.0.0.0"
cisco-avpair = "ip:route#4=10.5.0.0 255.0.0.0"
cisco-avpair = "ip:route#5=10.6.0.0 255.0.0.0"
TACACS+ User Profile: Example
The following sample output shows that a TACACS+ user profile has been applied and that AAA double authentication has been secured by an absolute timeout.
Remote Host
The following allows the remote host to be authenticated by the local host during first-stage authentication and provides the remote host authorization profile.
service = ppp protocol = lcp
service = ppp protocol = ip
inacl#1="permit tcp any any eq telnet"
service = ppp protocol = ipx
access-profile Command Without Any Arguments
Using the access-profile command without any arguments causes the removal of any access lists that are found in the old configuration (both per-user and per-interface) and ensures that the new profile contains only access-list definitions.
autocmd = "access-profile"
! This is the autocommand that executes when broker_default logs in.
service = ppp protocol = lcp
service = ppp protocol = ip
! Put access lists, static routes, and other requirements that are
! needed here. Read the software specifications for details. If you leave
! this blank, the user will have no access lists (not even the ones that were
! installed prior to the creation of this user profile)!
inacl#1="permit tcp any any"
inacl#2="permit icmp host 10.0.0.0 any"
service = ppp protocol = ipx
! Put access lists, static routes, and other requirements that are
! needed here. Read the software specifications for details. If you leave
! this blank, the user will have no access lists (not even the ones that were
! installed prior to the creation of this user profile)!
access-profile Command with merge Keyword
With the "merge" option, all old access lists are removed (as before), but then almost any AV pair is allowed to be uploaded and installed. This merge will allow for the uploading of any custom static routes, Service Advertisement Protocol (SAP) filters, and other requirements that the user may need in his or her profile. This merge must be used with care because it leaves everything open in terms of conflicting configurations.
autocmd = "access-profile merge"
! This is the autocommand that executes when broker_merge logs in.
service = ppp protocol = lcp
service = ppp protocol = ip
! Put access lists, static routes, and other requirements that are
! needed here. Read the software specifications for details. If you leave
! this blank, the user will have no access lists (not even the ones that were
! installed prior to the creation of this user profile)!
route#1="10.4.0.0 255.0.0.0"
route#2="10.5.0.0 255.0.0.0"
route#3="10.6.0.0 255.0.0.0"
inacl#5="permit tcp any any"
inacl#6="permit icmp host 10.60.0.0 any"
service = ppp protocol = ipx
! Put access lists, static routes, and other requirements that are
! needed here. Read the software specifications for details. If you leave
! this blank, the user will have no access lists (not even the ones that were
! installed prior to the creation of this user profile)!
access-profile Command with the replace Keyword
If you use the access-profile command with the replace keyword, the command works as it does currently; that is, any old configuration is removed and any new configuration is installed.
Note When the access-profile command is configured, the new configuration is checked for address pools and address attribute-value (AV) pairs. Because addresses cannot be renegotiated at this point, the command will fail to work when it encounters such an address AV pair.
autocmd = "access-profile replace"
! This is the autocommand that executes when broker_replace logs in.
service = ppp protocol = lcp
service = ppp protocol = ip
! Put access lists, static routes, and other requirements that are
! needed here. Read the software specifications for details. If you leave
! this blank, the user will have no access lists (not even the ones that were
! installed prior to the creation of this user profile)!
route#1="10.7.0.0 255.0.0.0"
route#2="10.8.0.0 255.0.0.0"
route#3="10.9.0.0 255.0.0.0"
inacl#4="permit tcp any any"
service = ppp protocol = ipx
! Put access lists, static routes, and other requirements that are
! needed here. Read the software specifications for details. If you leave
! this blank, the user will have no access lists (not even the ones that were
! installed prior to the creation of this user profile)!
Note Timeout configuration in a TACACS+ user profile is a little different from the configuration in a RADIUS user profile. In a RADIUS profile, only one "Session-Timeout" is configured, along with the autocommand access-profile. The timeout will be applied to the EXEC session and to the PPP session. In TACACS+, however, the timeout must be configured under the service types "exec" and "ppp" (LCP) to apply a timeout to the EXEC session and to the PPP session. If the timeout is configured only under the service type "ppp," the timeout value is not available while doing an EXEC authorization—and the timeout will not be applied to the EXEC session.
Additional References
The following sections provide references related to AAA Double Authentication Secured by Absolute Timeout.
Related Documents
Standards
MIBs
|
|
None |
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs |
RFCs
Technical Assistance
|
|
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password. |
http://www.cisco.com/techsupport |
Feature Information for AAA Double Authentication Secured
by Absolute Timeout
Table 1 lists the release history for this feature.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 1 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.
Table 1 Feature Information for AAA Double Authentication Secured by Absolute Timeout
|
|
|
AAA Double Authentication Secured by Absolute Timeout |
12.3(7)T 12.2(28)SB Cisco IOS XE Release 2.3 |
The AAA Double Authentication Secured by Absolute Timeout feature allows you to secure the double authentication mechanism by protecting it with a per-user session timeout. This feature optimizes the connection to the network by service providers to only connections that are authorized, and it increases the security of the overall access to the network by ensuring that no unwanted sessions are connected. |
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2004-2009 Cisco Systems, Inc. All rights reserved.