Cisco AAA Implementation Case Study
Internetworking Solutions Guide
May 2000
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
Text Part Number: OL-0397-01
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT
NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE
PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR
APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION
PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO
LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of
UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED
“AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED,
INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL
DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR
INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Access Registrar, AccessPath, Any to Any, AtmDirector, Browse with Me, CCDA, CCDE, CCDP, CCIE, CCNA, CCNP, CCSI, CD-PAC, the Cisco logo,
Cisco Certified Internetwork Expert logo, CiscoLink, the Cisco Management Connection logo, the Cisco NetWorks logo, the Cisco Powered Network logo,
Cisco Systems Capital, the Cisco Systems Capital logo, Cisco Systems Networking Academy, the Cisco Systems Networking Academy logo, the Cisco
Technologies logo, ConnectWay, Fast Step, FireRunner, Follow Me Browsing, FormShare, GigaStack, IGX, Intelligence in the Optical Core, Internet
Quotient, IP/VC, Kernel Proxy, MGX, Natural Network Viewer, NetSonar, Network Registrar, the Networkers logo, Packet, PIX, Point and Click
Internetworking, Policy Builder, Precept, RateMUX, ScriptShare, Secure Script, ServiceWay, Shop with Me, SlideCast, SMARTnet, SVX, The Cell,
TrafficDirector, TransPath, ViewRunner, Virtual Loop Carrier System, Virtual Voice Line, VlanDirector, Voice LAN, Wavelength Router, Workgroup
Director, and Workgroup Stack are trademarks; Changing the Way We Work, Live, Play, and Learn, Empowering the Internet Generation, The Internet
Economy, and The New Internet Economy are service marks; and Aironet, ASIST, BPX, Catalyst, Cisco, Cisco IOS, the Cisco IOS logo, Cisco Systems,
the Cisco Systems logo, the Cisco Systems Cisco Press logo, Enterprise/Solver, EtherChannel, EtherSwitch, FastHub, FastLink, FastPAD, FastSwitch,
GeoTel, IOS, IP/TV, IPX, LightStream, LightSwitch, MICA, NetRanger, Post-Routing, Pre-Routing, Registrar, StrataView Plus, Stratm, TeleRouter, and
VCO are registered trademarks of Cisco Systems, Inc. or its affiliates in the U.S. and certain other countries. All other trademarks mentioned in this
document are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any of its
resellers. (0004R)
Cisco AAA Implementation Case Study
Copyright © 2000, Cisco Systems, Inc.
All rights reserved.
CONTENTS
Preface xi
Purpose xi
Audience xi
Scope xi
Related Documentation and Sites xii
Software Used in This Case Study xii
Hardware Used in This Case Study xii
Document Conventions xiii
Command Syntax Conventions xiii
Cisco Connection Online xiii
Documentation CD-ROM xiv
Providing Documentation Feedback xiv
Acknowledgements xv
CHAPTER 1 Cisco AAA Case Study Overview 1-1
1.1 AAA Technology Summary 1-1
1.1.1 AAA RFC References 1-2
1.2 TACACS+ Overview 1-2
1.3 RADIUS Overview 1-3
1.4 Comparison of TACACS+ and RADIUS 1-4
1.4.1 UDP and TCP 1-4
1.4.2 Packet Encryption 1-4
1.4.3 Authentication and Authorization 1-5
1.4.4 Multiprotocol Support 1-5
1.4.5 Router Management 1-5
1.4.6 Interoperability 1-6
1.4.7 Attribute-Value Pairs (AVPs) 1-6
1.5 Differences in Implementing Local and Server AAA 1-6
1.6 Scenario Description 1-8
1.7 Planning Your Network 1-9
1.8 Network Service Definitions 1-10
1.8.1 Authentication Policy 1-10
Cisco AAA Implementation Case Study
OL-0397-01
iii
1.8.2 Authorization Policy 1-11
1.8.3 Accounting Policy 1-11
1.9 Security Implementation Policy Considerations 1-12
1.10 Network Equipment Selection 1-13
1.11 Task Check List 1-14
CHAPTER 2 Implementing the Local AAA Subsystem 2-1
2.1 Implementing Local Dialup Authentication 2-2
2.2 Implementing Local Dialup Authorization 2-5
2.3 Implementing Local Router Authentication 2-8
2.4 Implementing Local Router Authorization 2-10
2.5 Implementing Local Router Accounting 2-12
CHAPTER 3 Implementing Cisco AAA Servers 3-1
3.1 Installing CiscoSecure for UNIX with Oracle 3-2
3.1.1 Creating Oracle Tablespace 3-2
3.1.2 Verifying the Oracle Database Instance 3-3
3.1.3 Installing CiscoSecure for UNIX 3-5
3.1.4 Creating and Verifying Basic User Profile 3-10
CHAPTER 4 Implementing the Server-Based AAA Subsystem 4-1
4.1 Implementing Server-Based TACACS+ Dialup Authentication 4-2
4.2 Implementing Server-Based TACACS+ Dialup Authorization 4-4
4.3 Implementing Server-Based RADIUS Dialup Authentication 4-6
4.4 Implementing Server-Based RADIUS Dialup Authorization 4-8
4.5 Implementing Server-Based TACACS+ Router Authentication 4-10
4.6 Implementing Server-Based TACACS+ Router Authorization 4-13
CHAPTER 5 Implementing Server-Based AAA Accounting 5-1
5.1 Implementing Server-Based TACACS+ Dial Accounting 5-1
5.2 Implementing Server-Based TACACS+ Router Accounting 5-4
5.3 AAA Disconnect Cause Code Descriptions 5-6
CHAPTER 6 Diagnosing and Troubleshooting AAA Operations 6-1
6.1 Overview of Authentication and Authorization Processes 6-2
6.2 Troubleshooting AAA Implementation 6-7
6.2.1 Troubleshooting Methodology Overview 6-7
6.2.2 Cisco IOS Debug Command Summary 6-7
6.3 AAA Troubleshooting Basics 6-8
6.3.1 Troubleshooting Dial-Based Local Authentication 6-9
6.3.2 Troubleshooting Dial-Based Server Authentication 6-10
6.3.3 Troubleshooting Dial-Based Local Authorization 6-13
6.3.4 Troubleshooting Dial-Based Server Authorization 6-15
6.3.5 Troubleshooting Router-Based Local Authentication 6-19
6.3.6 Troubleshooting Router-Based Server Authentication 6-21
6.3.7 Troubleshooting Router-Based Local Authorization 6-24
6.3.8 Troubleshooting Router-Based Server Authorization 6-26
6.4 Troubleshooting Scenarios 6-29
6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication) 6-29
6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication) 6-30
6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication) 6-31
6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization) 6-33
6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization) 6-34
6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization) 6-35
6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization) 6-36
APPENDIX A AAA Device Configuration Listings A-1
A.1 Sample Cisco IOS Configuration Listings A-1
A.1.1 Example Local-Based Router AAA Configuration A-2
A.1.2 Example Server-Based TACACS+ NAS Configuration A-5
A.1.3 Example Server-Based RADIUS NAS Configuration A-9
A.2 Router AAA Command Implementation Descriptions A-13
A.3 NAS AAA Command Implementation Descriptions A-13
A.4 CiscoSecure for UNIX Configuration Listings A-15
A.4.1 CSU.cfg Listing A-16
A.4.2 CSConfig.ini Listing A-19
A.4.3 Oracle User Environment Variable A-23
A.4.4 listener.ora Listing A-24
A.5 CiscoSecure Log Files A-25
APPENDIX B AAA Impact on Maintenance Tasks B-1
APPENDIX C Server-Based AAA Verification Diagnostic Output C1
C.1 Server-Based TACACS+ Dialup Authentication Diagnostics C1
C.2 Server-Based TACACS+ Dialup Authorization Diagnostics C2
C.3 Server-Based RADIUS Dialup Authentication Diagnostics C4
C.4 Server-Based RADIUS Dialup Authorization Diagnostics C5
C.5 Server-Based TACACS+ Router Authentication Diagnostics C7
C.6 Server-Based TACACS+ Router Authorization Diagnostics C9
C.6.1 Test Results for rtr_low Group C9
C.6.2 Test Results for rtr_tech Group C14
C.6.3 Test Results for rtr_super Group C20
INDEX
FIGURES
Figure 1-1 AAA-Based, Secure Network Access Scenario 1-2
Figure 1-2 Local-Based Access Options 1-7
Figure 1-3 Server-Based Access Options 1-8
Figure 2-1 Local-Based Dial Access Environment 2-2
Figure 2-2 Local-Based Router Environment 2-8
Figure 3-1 AAA-Based, Secure Network Access Scenario 3-1
Figure 4-1 Basic AAA Case Study Environment 4-2
Figure 4-2 Server-Based Dial Environment (TACACS+) 4-2
Figure 4-3 Server-Based Dial Environment (RADIUS) 4-6
Figure 4-4 Server-Based VTY Access (Telnet) 4-10
Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology 4-14
Figure 6-1 Basic AAA Case Study Environment 6-2
Figure 6-2 Dial Access Authentication and Authorization Flow Diagram 6-3
Figure 6-3 RADIUS Dial Access Authentication and Authorization Process 6-4
Figure 6-4 TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled) 6-5
Figure 6-5 TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled) 6-6
TABLES
Table 1-1 Comparison of RADIUS and TACACS+ 1-4
Table 1-2 Examples of RADIUS AVPs 1-6
Table 1-3 Examples of TACACS+ AVPs 1-6
Table 1-4 General Service Definition Checklist 1-9
Table 1-5 AAA Service Definition Checklist 1-10
Table 1-6 AAA Security Checklist 1-12
Table 1-7 AAA Task Checklist 1-14
Table 4-1 Group Profile Command Summary 4-13
Table 5-1 AAA Disconnect Cause Code Listings 5-6
Table 6-1 Single User Failure; Individual Dial-in User Connection Fails 6-9
Table 6-2 Multiple User Failure; All Dial-in Users Unable to Connect to NAS 6-9
Table 6-3 Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+) 6-10
Table 6-4 Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+) 6-12
Table 6-5 User Cannot Start PPP 6-13
Table 6-6 Network Authorization Fails 6-14
Table 6-7 Unable to Access Specific Host or Network Service 6-14
Table 6-8 Multilink Fails 6-14
Table 6-9 Multiple Users Cannot Start PPP (RADIUS and TACACS+) 6-16
Table 6-10 Network Authorization Fails (RADIUS and TACACS+) 6-17
Table 6-11 User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+) 6-17
Table 6-12 Multilink Fails (TACACS+) 6-18
Table 6-13 Multilink Fails (RADIUS) 6-18
Table 6-14 Session Fails to Disconnect After Expected Idle Timeout (TACACS+) 6-18
Table 6-15 Session Fails to Disconnect After Expected Idle Timeout (RADIUS) 6-18
Table 6-16 No EXEC Shell for TACACS+ 6-19
Table 6-17 No EXEC Shell for RADIUS 6-19
Table 6-18 Cannot Start Concurrent Sessions (TACACS+) 6-19
Table 6-19 Cannot Start Concurrent Sessions (RADIUS) 6-19
Table 6-20 Single User Failure; Individual Dial-in User Connection Fails 6-20
Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router 6-20
Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both 6-21
Table 6-23 Single User Failure; Individual User Unable to Make a Connection 6-22
Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router 6-23
Table 6-25 Users Pass Authentication on Console or VTY, but Not Both 6-24
Table 6-26 User Fails Router Command 6-25
Table 6-27 User Disconnected After Entering a Password 6-25
Table 6-28 Users Access Incorrect Privilege Level Commands 6-26
Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-26
Table 6-30 User Fails Router Command 6-27
Table 6-31 User Disconnected After Entering Password 6-27
Table 6-32 Users Access Incorrect Privilege Level Commands 6-28
Table 6-33 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected” 6-28
Table 6-34 Router User Unable to Initiate Shell Session with Router 6-28
Table 6-35 AVPs Not Working on Console Port 6-28
Table A-1 Cisco IOS Commands Required to Set AAA for a Router A-13
Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+) A-14
Preface
This case study describes various Cisco-based security and accounting capabilities for monitoring and
managing access within a large-scale dial environment.
Purpose
This Internetworking Solutions Guide (ISG) case study provides examples intended to be models for
building an effective, Cisco AAA-based security environment for dial-based and router environments.
In following the procedures and recommendations provided in this document, readers should be able to:
• Understand the working relationship among various Cisco AAA components, including NASs, AAA servers, and the AAA database.
• Configure and verify operation for these AAA components.
• Troubleshoot typical problems found in AAA environments.
Audience
The audience for this document consists of network engineers supporting large-scale dial networks. The
audience is expected to have a basic understanding of Cisco IOS software, and a working knowledge of
both the UNIX operating system and CiscoSecure for UNIX user interface.
Scope
This case study provides:
• Complete network device configurations and specific fragments to support implementation task descriptions.
• Example diagnostic output showing verification of correct configuration.
• Troubleshooting output supporting problem scenarios, showing problem configurations and other AAA environment failures.
• A foundation from which effective AAA-based security solutions can be tailored to specific network requirements.
The information provided here does not include advanced tuning tips—nor does it provide a primer for
the uninitiated novice. In addition, site planning and preparation are beyond the scope of this case study.
Related Documentation and Sites
The following URLs provide the essentials for preparing to install Cisco Secure for UNIX and NT:
• CiscoSecure ACS for UNIX: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx
• CiscoSecure ACS for NT: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/csnt23
• Oracle database implementation: http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csinstl.htm
Software Used in This Case Study
The features and capabilities described in this case require these software versions:
• Cisco IOS 12.0(7)T
• OS Solaris 2.5(1)
• CiscoSecure for UNIX 2.3(3)
• Oracle DB Server 7.3(4)
• Oracle DB Client 7.3(4)
• SQL*Plus: Release 3.3.4.0.1
To identify other software versions that might apply, please contact your Cisco customer service
representative.
Hardware Used in This Case Study
This case is built on a production environment consisting of a single authentication, authorization, and
accounting (AAA) server, an Oracle-based AAA database, a Cisco network access server (NAS), and a
router. The diagnostic captures and system configurations provided in this case study were derived from
the following systems:
• Cisco AS5300 or Cisco AS5800 network access server (NAS)
• Cisco 7206 VXR router
• Sun Microsystems server (UltraSPARC Enterprise 2 Model)
  – Two 200 MHz processors
  – One GB RAM
  – One internal 4.2 GB disk drive
  – CD-ROM drive
The system used as a platform for CiscoSecure ACS for UNIX 2.3 must meet with the minimum system
specifications described in the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/instl23.htm
Document Conventions
Convention
    Description
italic
    File names, paths to files, user names, and group names used in descriptions. Example: /var/log/csuslog
< >
    Angle brackets show nonprinting characters, such as passwords.
!
    An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ]
    Square brackets show default responses to system prompts.
Command Syntax Conventions
Convention
    Description
bold
    Command or keyword that you must enter. This format is used for commands, paths to files, and file names when used within an example illustrating required input.
italic
    Argument for which you supply a value.
[x]
    Optional keyword or argument that you enter.
{x | y | z}
    Required keyword or argument that you must enter.
[x {y | z}]
    Optional keyword or argument that you enter with a required keyword or argument.
string
    Set of characters that you enter. Do not use quotation marks around the character string, or the string will include the quotation marks.
screen
    Information that appears on the screen.
    Important line of text in an example.
^ or Ctrl
    Control key—for example, ^D means press the Control and the D keys simultaneously.
< >
    Nonprinting characters, such as passwords.
!
    Comment line at the beginning of a line of code.
Cisco Connection Online
Cisco Connection Online (CCO) is the primary, real-time support channel for Cisco Systems.
Maintenance customers and partners can self-register on CCO to obtain additional information and
services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services
to customers and business partners of Cisco Systems. CCO services include product information,
product documentation, software updates, release notes, technical tips, the Bug Navigator,
configuration notes, brochures, descriptions of service offerings, and download access to public and
authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced
simultaneously: a character-based version and a multimedia version that resides on the World Wide
Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet
e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version
of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as
hyperlinks to related information.
You can access CCO in the following ways:
• http://www.cisco.com
• http://www-europe.cisco.com
• http://www-china.cisco.com
• Telnet: cco.cisco.com
• Modem: From North America, 408 526-8070; from Europe, 33 1 64 46 40 82. Use the following terminal settings: VT100 emulation; databits: 8; parity: none; stop bits: 1; and connection rates up to 28.8 kbps.
For a copy of the CCO Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional
information, contact cco-team@cisco.com.
Note: If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact the Cisco Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.
Documentation CD-ROM
Cisco documentation and additional literature are available in a CD-ROM package, which ships with
your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated
monthly; therefore, it might be more current than printed documentation. To order additional copies of
the Documentation CD-ROM, contact your local sales representative or call customer service. The
CD-ROM package is available as a single package or as an annual subscription. You can also access
Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com,
or http://www-europe.cisco.com.
Providing Documentation Feedback
If you are reading Cisco product documentation on the World Wide Web, you can submit comments
electronically. Click Feedback in the toolbar and select Documentation. After you complete the form,
click Submit to send it to Cisco.
You can also submit feedback on Cisco documentation as follows:
• Mail in the Cisco Reader Comment Card located at the front of this book
• Send an e-mail to bug-doc@cisco.com
• Send a fax to 408 527-8089
We appreciate your comments.
Acknowledgements
This ISG case study was created as a collaborative effort. The following team members participated in
the creation of this document: Joellen Amato, Dave Anderson, Robert “Bob” Brown, Alan Dowling,
Dianne Dunlap, Paul Hafeman, Anthony Hall, Kim Lew, Robert Lewis, Dave Leyland, Brian Murphy,
Dang Nguyen, Nilesh Panicker, Anjali Puri, Robert Sargent, David Sims, Tim Stevenson, Kris
Thompson, Craig Tobias, and Syed Atif Ullah.
CHAPTER 1
Cisco AAA Case Study Overview
This chapter summarizes the technology behind AAA security solutions, outlines typical network
definitions and network assumptions adopted for this case study, and lists tasks associated with
implementing, verifying, and troubleshooting the AAA environment presented. Specific sections
provided here are:
• 1.1 AAA Technology Summary
• 1.2 TACACS+ Overview
• 1.3 RADIUS Overview
• 1.4 Comparison of TACACS+ and RADIUS
• 1.5 Differences in Implementing Local and Server AAA
• 1.6 Scenario Description
• 1.7 Planning Your Network
• 1.8 Network Service Definitions
• 1.9 Security Implementation Policy Considerations
• 1.10 Network Equipment Selection
• 1.11 Task Check List
1.1 AAA Technology Summary
Dial access presents a challenge to network managers entrusted with network security. This case study
illustrates essential steps in planning and implementing authentication, authorization, and accounting
(AAA) technologies based on Cisco product capabilities.
For the purposes of this case study, the following generic definitions apply:
• Authentication: The process of validating the claimed identity of an end user or a device, such as a host, server, switch, router, and so on.
• Authorization: The act of granting access rights to a user, groups of users, system, or a process.
• Accounting: The methods to establish who, or what, performed a certain action, such as tracking user connection and logging system users.
Figure 1-1 illustrates a generalized view of a Cisco-based AAA environment, featuring a network
access server (NAS) and AAA server. This basic arrangement forms the foundation for this case study.
Figure 1-1 AAA-Based, Secure Network Access Scenario
[Figure: clients dial over analog lines through the PSTN, and over PRI lines, into a Cisco AS5x00 NAS with integrated modems. The NAS sits on the IP intranet alongside the AAA server, the Oracle dB server, the DNS server, and the network element management server (NTP, Syslog, SNMP); a default gateway and Internet firewall connect the intranet to the Internet.]
In the context of the Cisco-based AAA environment addressed here, the key operational elements are
network access servers (NASs), routers, and CiscoSecure Access Control Server for UNIX servers
(referred to in this document as AAA servers). Depending on the conventions and requirements of your
particular design, you can select a security environment which utilizes Terminal Access Controller
Access Control System Plus (TACACS+) or Remote Authentication Dial-in User Service (RADIUS).
This case study addresses implementation of both environments.
1.1.1 AAA RFC References
Requests for Comments (RFCs) play a crucial role in defining the behavior of devices in complex
networking environments. The following RFCs are useful references for TACACS+ and RADIUS:
• TACACS+: http://www.cisco.com/warp/public/459/tac-rfc.1.76.txt
• TACACS: http://www.ietf.org/rfc/rfc1492.txt
• MD5: http://www.ietf.org/rfc/rfc1321.txt
• RADIUS: http://www.ietf.org/rfc/rfc2138.txt
1.2 TACACS+ Overview
Key TACACS+ features:
• TACACS+ separates AAA into three distinct functions (Authentication, Authorization and Accounting).
• TACACS+ supports router command authorization integration with advanced authentication mechanisms, such as Data Encryption Standard (DES) and One-Time Password (OTP) key.
• TACACS+ supports 16 different privilege levels (0-15).
• TACACS+ permits the control of services, such as Point-to-Point Protocol (PPP), shell, standard log in, enable, AppleTalk Remote Access (ARA) protocol, Novell Asynchronous Services Interface (NASI), remote command (RCMD), and firewall proxy.
• TACACS+ permits the blocking of services to a specific port, such as a TTY or VTY interface on a router.
The most common services supported by TACACS+ are PPP for IP and router EXEC shell access using
console or VTY ports. EXEC shell allows users to connect to router shells and select services, such as
PPP, Telnet, TN3270, or manage the router itself.
Many TACACS+ servers are available on the market today; however, the AAA server is designed
specifically to be scalable and compatible with Cisco's broad line of routers, access servers, and
switches. Hence, this case utilizes the Cisco AAA server as the TACACS+ server of choice.
When configured correctly, the AAA server validates AAA and responds to requests from routers and
access servers with a pass or fail signal. The AAA server contains an internal database sized to 5000
users; therefore, an external Oracle database is used in our case study for user account attributes and
billing information.
The AAA server acts as a proxy server by using TACACS+ to authenticate, authorize, and account for
access to Cisco routers and network access servers.
1.3 RADIUS Overview
The RADIUS protocol was developed by Livingston Enterprises, Inc., as an access server authentication
and accounting protocol. The RADIUS specification (RFC 2138) is a proposed standard protocol and
RADIUS accounting standard (RFC 2139) is informational.
Although TACACS+ is considered to be more versatile, RADIUS is the AAA protocol of choice for
enterprise ISPs because it uses fewer CPU cycles and is less memory intensive.
Communication between a network access server (NAS) and a RADIUS server is based on the User
Datagram Protocol (UDP). Generally, the RADIUS protocol is considered a connectionless service.
Issues related to server availability, retransmission, and timeouts are handled by the RADIUS-enabled
devices rather than the transmission protocol.
RADIUS is a client/server protocol. The RADIUS client is typically a NAS and the RADIUS server is
usually a daemon process running on a UNIX or Windows NT machine. The client passes user
information to designated RADIUS servers and acts on the response that is returned. RADIUS servers
receive user connection requests, authenticate the user, and then return the configuration information
necessary for the client to deliver services to the user. A RADIUS server can act as a proxy client to
other RADIUS servers or other kinds of authentication servers.
1.4 Comparison of TACACS+ and RADIUS
Table 1-1 summarizes the differences between RADIUS and TACACS+.
Table 1-1 Comparison of RADIUS and TACACS+
RADIUS | TACACS+
RADIUS uses UDP. | TACACS+ uses TCP.
RADIUS encrypts only the password in the access-request packet; less secure. | TACACS+ encrypts the entire body of the packet; more secure.
RADIUS combines authentication and authorization. | TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.
Industry standard (created by Livingston). | Cisco proprietary.
RADIUS does not support ARA access, NetBIOS Frame Protocol Control protocol, NASI, and X.25 PAD connections. | TACACS+ offers multiprotocol support.
RADIUS does not allow users to control which commands can be executed on a router. | TACACS+ provides two ways to control the authorization of router commands: on a per-user or per-group basis.
1.4.1 UDP and TCP
RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a
connection-oriented transport, while UDP offers best effort delivery. RADIUS requires additional
programmable variables, such as retransmit attempts and time-outs to compensate for best-effort
transport, and it lacks the level of built-in support that reliable transport offers:
• Using TCP provides a separate acknowledgment (the TCP ACK) that a request has been received, within approximately one network RTT, regardless of bandwidth.
• TCP provides immediate indication of a crashed (or not running) server (RST packets). You can determine when a server has crashed and come back up if you use long-lived TCP connections. UDP cannot tell the difference between a server that is out of service, slow, or non-existent.
• By using TCP keepalives, you can detect server crashes out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the servers that are known to be up and running.
• TCP is more scalable than UDP.
1.4.2 Packet Encryption
RADIUS encrypts only the password in the access-request packet from the client to the server. The
remainder of the packet is in the clear. Other information, such as username, authorized services, and
accounting, can be captured by a third party.
RADIUS can use encrypted passwords by using the UNIX /etc/passwd file; however, this process is
slow because it involves a linear search of the file.
TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the
header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful
to have the body of the packets in the clear. However, normal operation fully encrypts the body of the
packet for more secure communications.
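The packet-level difference this section and the encryption row of Table 1-1 describe, as an added Python example that is not part of the Cisco case study: it implements the RFC 2138 User-Password hiding and the TACACS+ MD5 pseudo-pad body obfuscation (with the header flag that marks an unencrypted body) on constructed packets, so that a defender can see which fields a passive observer still reads verbatim. The shared secrets, user name, port, remote address and session id are constructed sample values.

```python
"""Section 1.4.2 illustrated: RADIUS hides only User-Password (RFC 2138, 5.2),
TACACS+ obfuscates the whole body behind a 12-byte header whose flags field
says whether the body is encrypted.  Added example, not code from the Cisco
case study; every secret, name and session id here is a constructed sample."""
import hashlib
import os
import struct


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


# --- RADIUS: only the User-Password attribute is hidden ---------------------
def radius_hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """Pad to 16-byte blocks; block i is XORed with MD5(secret + c[i-1]),
    where c[-1] is the 16-byte Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], _md5(secret, prev))
        out += prev
    return out


def radius_reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of radius_hide_password, as the server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], _md5(secret, prev))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def radius_access_request(secret: bytes, user: bytes, password: bytes,
                          ident: int = 1, authenticator: bytes = b"") -> bytes:
    """Minimal Access-Request (Code 1) with User-Name (1) and User-Password (2)."""
    auth = authenticator or os.urandom(16)   # everything but the password is in clear
    hidden = radius_hide_password(secret, auth, password)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + auth + attrs


# --- TACACS+: the entire body is XORed with an MD5 pseudo-pad ---------------
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 1                # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in the clear


def tacacs_pseudo_pad(key: bytes, session_id: int, version: int, seq_no: int, n: int) -> bytes:
    """pad = MD5(sid|key|ver|seq) | MD5(sid|key|ver|seq|prev_hash) | ..., cut to n."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < n:
        prev = _md5(base, prev)
        pad += prev
    return pad[:n]


def tacacs_authen_start(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    service=LOGIN(1), four field lengths, then the variable-length fields."""
    fixed = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return fixed + user + port + rem_addr + data


def tacacs_packet(key: bytes, session_id: int, seq_no: int, body: bytes,
                  encrypt: bool = True) -> bytes:
    """12-byte header plus body; body obfuscated unless the debug-only flag is set."""
    flags = 0 if encrypt else TAC_PLUS_UNENCRYPTED_FLAG
    if encrypt:
        body = _xor(body, tacacs_pseudo_pad(key, session_id, TAC_PLUS_VERSION, seq_no, len(body)))
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                       session_id, len(body)) + body


def tacacs_body(key: bytes, packet: bytes) -> bytes:
    """Recover the body as the peer does, honouring the flags field."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return _xor(body, tacacs_pseudo_pad(key, session_id, version, seq_no, length))


def exposure(secret: bytes, user: bytes, password: bytes) -> dict:
    """Which credentials appear verbatim on the wire (fixed authenticator/session id)."""
    rad = radius_access_request(secret, user, password, authenticator=bytes(16))
    start = tacacs_authen_start(user, b"tty1", b"10.0.0.5", password)
    tac = tacacs_packet(secret, 0x01020304, 1, start)
    tac_debug = tacacs_packet(secret, 0x01020304, 1, start, encrypt=False)
    return {"radius_user_in_clear": user in rad,
            "radius_password_in_clear": password in rad,
            "tacacs_user_in_clear": user in tac,
            "tacacs_password_in_clear": password in tac,
            "tacacs_debug_flag_user_in_clear": user in tac_debug}


if __name__ == "__main__":
    for field, seen in exposure(b"s3cret", b"jdoe", b"pa55word").items():
        print(f"{field}: {seen}")
```

The RADIUS result is why the text says username, authorized services and accounting data can be captured by a third party; the TACACS+ debug-flag result is why the unencrypted mode is useful only for troubleshooting.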
1.4.3 Authentication and Authorization
RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS
server to the client contain authorization information, making it difficult to decouple authentication and
authorization.
TACACS+ uses the AAA architecture, which separates authentication, authorization, and accounting.
This architecture allows separate authentication solutions that can still use TACACS+ for authorization
and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and
TACACS+ authorization and accounting. After a NAS passes authentication on a Kerberos server, it
requests authorization information from a TACACS+ server without having to re-authenticate the NAS
by using the TACACS+ authentication mechanism. The NAS informs the TACACS+ server that it has
successfully passed authentication on a Kerberos server, and the server then provides authorization
information.
During a session, if additional authorization checking is needed, the access server checks with a
TACACS+ server to determine if the user is granted permission to use a particular command. This
provides greater control, compared to RADIUS, over the commands that can be executed on the access
server while decoupling the authorization process from the authentication mechanism.
1.4.4 Multiprotocol Support
RADIUS does not support the following protocols (which are supported by TACACS+):
• AppleTalk Remote Access (ARA) protocol
• NetBIOS Frame Protocol Control protocol
• Novell Asynchronous Services Interface (NASI)
• X.25 PAD connection
1.4.5 Router Management
RADIUS does not allow users to control which commands can be executed on a router and which
cannot; therefore, when compared with TACACS+, RADIUS is not as useful for router management and
is not as flexible for terminal services.
TACACS+ provides two ways to control the authorization of router commands on a per-user or
per-group basis. The first way is to assign privilege levels to commands and have the router verify with
the TACACS+ server whether or not the user is authorized at the specified privilege level. The second
way is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands
that are allowed.
1.4.6 Interoperability
The RADIUS standard does not guarantee interoperability. Although several vendors implement
RADIUS clients, this does not ensure that they are interoperable. There are approximately 45 standard
RADIUS attributes. Using standard attributes improves the likelihood of interoperability; using
proprietary extensions reduces it.
1.4.7 Attribute-Value Pairs (AVPs)
Throughout this case study, implementation tasks and diagnostic procedures refer to attribute-value
pairs (AVPs). Each AVP consists of a type identifier associated with one or more assignable values.
AVPs specified in user and group profiles define the authentication and authorization characteristics for
their respective users and groups. TACACS+ and RADIUS implement an array of AVPs, each with
separate type definitions and characteristics. Table 1-2 and Table 1-3 illustrate several typical AVPs.
Table 1-2  Examples of RADIUS AVPs

Attribute        Type of Value
User-Name        String
Password         String
CHAP-Password    String
Client-Id        IP address
Login-Host       IP address
Login-Service    Integer
Login-TCP-Port   Integer

Table 1-3  Examples of TACACS+ AVPs

Attribute        Type of Value
Inacl            Integer
Addr-pool        String
Addr             IP address
Idletime         Integer
protocol         Keyword
timeout          Integer
Outacl           Integer
1.5 Differences in Implementing Local and Server AAA
AAA requirements differ between local-based and server-based environments. Throughout this case
study, procedures and examples refer to scenarios based on this important distinction.
In local-based AAA access, users are permitted or denied access based on local AAA IOS account
configuration. For the purposes of this case study, local-based AAA access features these attributes:
• User accounts are stored in router or NAS configurations.
• AVPs are supported only from EXEC shell terminal access.
• A limited set of AVPs is supported.
• AAA negotiation is performed internally by the Cisco IOS and is not protocol specific.
Figure 1-2 illustrates three local-based connectivity situations to consider:
• Local-based console access
• Local-based virtual terminal type (VTY) connections
• Local-based dial access
Figure 1-2  Local-Based Access Options (figure: local-based console access; local-based VTY access (Telnet) over IP; local-based dial access over the PSTN and a modem into the IP network)
In server-based AAA access, users and groups are permitted or denied access based on AAA
negotiations between a router or NAS and the AAA server. For the purposes of this case study,
server-based AAA access features these attributes:
• User or group profiles and accounting records stored in an internal or external database
• AVPs supported on both standard and EXEC shell-initiated PPP sessions
• Wide array of AVPs supported, including vendor-specific (non-Cisco) AVPs
Figure 1-3 illustrates the three server-based connectivity situations:
• Server-based console access
• Server-based VTY connections
• Server-based dial access
Figure 1-3  Server-Based Access Options (figure: server-based console access, server-based VTY access (Telnet), and server-based dial access over the PSTN and a modem, each negotiating with an AAA server over IP)
Each connectivity scenario illustrated in Figure 1-2 and Figure 1-3 involves situation-specific
requirements. As a result, each scenario also contains situation-specific implementation and
troubleshooting considerations. The diagnostic chapters that follow present a series of implementation
steps (configuring, verifying, and testing), symptoms, problems, and suggested diagnostic processes that
reflect both these differences and similarities.
1.6 Scenario Description
The baseline network environment for a hypothetical access network scenario is used as a foundation
for assessing the application of various security and management features available from Cisco.
Figure 1-1 (presented in “1.1 AAA Technology Summary”) illustrates the underlying network
environment and relationship between AAA components. The high-level AAA objectives are:
• Enable secure dialup service to access an intranet and the Internet by using the public switched telephone network (PSTN).
• Build a manageable, redundant, and secure access strategy that supports large dialup access implementations.
• Provide versatile means of controlling administrative access to routers.
• Account for configuration changes in routers.
1.7 Planning Your Network
A network design engineer meets with each company to complete the following tasks:
• Complete a needs assessment dial questionnaire.
• Create a user-network service definition.
• Recommend a network implementation and operation strategy.
The following tables present two checklists that were completed for this case study. Table 1-4 focuses
on general networking issues. Table 1-5 focuses on AAA implementation issues. Both checklists apply
to a hypothetical network referred to in this case as Access Network.
Table 1-4  General Service Definition Checklist
(columns: General Access Network Checklist Questions / Access Network Policy)

What media do you want to use to provide dialup service?
    Plain old telephone service (POTS) analog modems
    ISDN
How many dial-in users does the new equipment need to support over the next 3 months, 1 year, and 5 years?
    3 months: 2000 users
    1 year: 5,000 users
    5 years: 10,000 users
What kind of remote nodes do you want to support?
    Modems, terminal adapters, ISDN modems
When users connect to modems, what will they be allowed to do?
    Support EXEC shell sessions (async terminal service)
    Support PPP sessions
Will you allow users to change their own passwords? If yes, how?
    Yes
What kind of dialup operating systems do you want to support?
    Windows, UNIX, Macintosh
Do you want to support remote routers?
    Asynch DDR or multiple B-channel access
Do you want to use an external authentication database such as Windows NT or Novell NDS?
    Yes, Oracle
Do you want to support per user protocol and attribute definitions?
    Yes
Do you want to support dial out?
    No
Do you want to support PPP timeouts?
    No
    EXEC shell (character-mode session)
Do you want to work with an existing accounting system?
    Yes
Do you have an existing network element server?
    Yes
Table 1-5  AAA Service Definition Checklist
(columns: Access Network AAA Checklist Questions / Access Network Policy)

What AAA protocols do you plan to deploy?
    RADIUS and TACACS+
Where do you want the users’ passwords to be stored?
    External Oracle database
Do you plan to support one-time passwords? If so, what tool do you plan to use to support this requirement?
    No
Do you intend to implement database replication?
    No
Do you require support for token caching?
    No
What type of accounts currently exist?
    UNIX, NT
Do you plan to implement an AAA server? If so, on which product?
    Yes, CiscoSecure for UNIX
What database do you plan to use?
    External, Oracle
1.8 Network Service Definitions
Based on the checklist information provided in Table 1-4 and Table 1-5, the following service
definitions (stated as policies) can be asserted for this environment.
Dialup and router shell access AAA requirements are characterized in the following sections:
• 1.8.1 Authentication Policy
• 1.8.2 Authorization Policy
• 1.8.3 Accounting Policy
1.8.1 Authentication Policy
Separate the authentication policy into two distinct sections: router administration and dialup PPP.
Policies relating to router administration involve creating support for the following two authentication
elements:
• DES passwords stored in external database
• Local user if connection to AAA server is down
Policies relating to dialup PPP involve creating support for the following two authentication elements:
• Password Authentication Protocol (PAP) for dialup PPP authentication
• Challenge Handshake Authentication Protocol (CHAP) for remote ISDN devices
1.8.2 Authorization Policy
Separate the authorization policy into two distinct sections: router administration and dialup PPP.
Policies relating to router administration involve creating support for the following authorization
elements:
• Privilege level 15 command authorization
• Three levels of router administration command control (low, medium, and high)
• Privilege level 15 assigned to local users, which is valid only if an AAA server is down
Policies relating to dialup PPP involve creating support for the following authorization elements:
• Apply autocommand ppp negotiate to all groups other than router administrators
• Access control list filtering as required
• AVP support for all dial access devices
1.8.3 Accounting Policy
Accounting records are exported from an Oracle database using SQL queries. Separate the accounting
policy into two distinct sections: router administration and dialup PPP.
Policies relating to router administration involve creating support for the following accounting
elements:
• Failed login attempts
• Privilege level 15 commands
• Failed command authorization
• Start, stop, and elapsed times of sessions
• Source IP address of routers
Policies relating to dialup PPP involve creating support for the following accounting elements:
• Failed login attempts
• Start, stop, and elapsed time of sessions
• Disconnect cause codes
• Caller ID if applicable
1.9 Security Implementation Policy Considerations
Table 1-6 presents a checklist summarizing the key security policy elements of this case.

Table 1-6  AAA Security Checklist
(columns: Access Network AAA Checklist Questions / Access Network Policy)

What is the current security policy for passwords?
    PAP for dial-in PPP users
    CHAP passwords for dialup routers
    DES passwords for router administrators
What services will be denied?
    Concurrent sessions for dial-in users
    EXEC shell access for dial-in PPP users
    Access to specific hosts within the corporate intranetwork
    Access to specific network services, such as Telnet, FTP, and rlogin
What type of mechanism will exist if AAA server is down?
    Local privilege level 15 account
    Authentication and authorization disabled on console port
Are local accounts allowed in routers and NASs?
    Yes
What accounting information is required?
    Username
    Privilege level of clients
    Session start and stop times
    Elapsed time
    Privilege level 15 command usage
    Configuration changes
    Failed login attempts
    Failed command authorizations
What type of accounting mechanism will be used?
    Customer-written SQL query to Oracle database
Who is responsible for reviewing daily logs?
    Network managers
Will users be allowed concurrent sessions?
    Dialup PPP = No
    Dialup router = Yes
    Router administrator = Yes
What type of administrative access will be assigned to router administrators?
    Full control assigned to senior router administrators
    Basic control assigned to junior router administrators
    Customized command control for mid-level router administrators
Support for Multilink?
    Yes
In addition to these considerations, security-related attributes addressed in this case include:
• Per-User Static IP Address Policy—Static IP addresses are assigned to required personnel to access specific areas within the internetwork.
• Password Authentication and Command Authorization Policy—DES password support is segregated into two elements: privilege level and command authorization. Within that context, three levels of privilege are supported in this case: low, medium, and high, with high having full control assigned. Command authorization at privilege level 15 is enforced. A local user with privilege level 15 is used in the event that the connection to the AAA server is down.
1.10 Network Equipment Selection
Figure 1-1 (presented in “1.1 AAA Technology Summary”) shows the specific devices used in the
dialup access environment. Based on the requirements detailed in Table 1-4, Table 1-5, and Table 1-6,
the following network entities were selected for this case study:
• Remote clients using modems to access the IP intranet and IP Internet through the public switched telephone network (PSTN).
• An AAA server.
• A password authentication server.
• An external Oracle database server that acts as the repository for all user profile information.
• An element management server that performs basic dial access system management by using the network time protocol (NTP), system logs (syslog), and simple network management protocol (SNMP).
• A remote AAA server that performs basic user authentication.
• A default gateway that forwards packets to the IP intranet and IP Internet.
1.11 Task Check List
Table 1-7 summarizes AAA management implementation and operation activities for the hypothetical
network in this case study. This case focuses on illustrating implementation of specific AAA-related
security and management options over an Access Path implementation. Refer to Cisco AS5x00 Case
Study for Basic IP Modem Service for specifics regarding commissioning Cisco access servers to
support modem services at the following URL:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/as5xipmo/index.htm
Table 1-7  AAA Task Checklist
(columns: Task / Topic)

Chapter 2, “Implementing the Local AAA Subsystem”
    2.1 Implementing Local Dialup Authentication
    2.2 Implementing Local Dialup Authorization
    2.3 Implementing Local Router Authentication
    2.4 Implementing Local Router Authorization
    2.5 Implementing Local Router Accounting
Chapter 3, “Implementing Cisco AAA Servers”
    3.1 Installing CiscoSecure for UNIX with Oracle
Chapter 4, “Implementing the Server-Based AAA Subsystem”
    4.1 Implementing Server-Based TACACS+ Dialup Authentication
    4.2 Implementing Server-Based TACACS+ Dialup Authorization
    4.3 Implementing Server-Based RADIUS Dialup Authentication
    4.4 Implementing Server-Based RADIUS Dialup Authorization
    4.5 Implementing Server-Based TACACS+ Router Authentication
    4.6 Implementing Server-Based TACACS+ Router Authorization
Chapter 5, “Implementing Server-Based AAA Accounting”
    5.1 Implementing Server-Based TACACS+ Dial Accounting
    5.2 Implementing Server-Based TACACS+ Router Accounting
Chapter 6, “Diagnosing and Troubleshooting AAA Operations”
    6.1 Overview of Authentication and Authorization Processes
    6.2 Troubleshooting AAA Implementation
        • 6.2.1 Troubleshooting Methodology Overview
        • 6.2.2 Cisco IOS Debug Command Summary
    6.3 AAA Troubleshooting Basics
    6.4 Troubleshooting Scenarios
Chapter 2  Implementing the Local AAA Subsystem
This chapter focuses on local AAA implementation and describes the following topics:
• 2.1 Implementing Local Dialup Authentication
• 2.2 Implementing Local Dialup Authorization
• 2.3 Implementing Local Router Authentication
• 2.4 Implementing Local Router Authorization
Note  See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication,
authorization, and accounting as they relate to AAA security implementation.
Server-based authentication, authorization, and accounting issues are described in the following
chapters:
• Chapter 3, “Implementing Cisco AAA Servers”
• Chapter 4, “Implementing the Server-Based AAA Subsystem”
• Chapter 5, “Implementing Server-Based AAA Accounting”
• Chapter 6, “Diagnosing and Troubleshooting AAA Operations”
Caution  The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.
2.1 Implementing Local Dialup Authentication
These steps help you to establish local-based dial authentication as illustrated in Figure 2-1:
1. Configure basic dial access.
2. Verify basic dial access.
Figure 2-1  Local-Based Dial Access Environment (figure: local-based dial access from a modem over the PSTN into the IP network)
Step 1  Configure basic dial access.
Include the following Cisco IOS configuration commands in your configuration to construct dial access
local authentication control:
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
username diallocal password xxxxxx
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 48
line 1 48
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
Note  See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
Step 2  Verify basic dial access.
a. To verify user access, initiate a login process as follows:
maui-nas-01#login
User Access Verification
Username:diallocal
Password: <password>
b. To determine that local dial access authentication is operating correctly, enter the debug aaa
authentication and debug ppp authentication commands.
The following debug output contains only pertinent information:
maui-nas-01#
Debugs in NAS then initiate dialup:
maui-nas-01#debug aaa authentication
AAA Authentication debugging is on
maui-nas-01#debug ppp authentication
PPP authentication debugging is on
maui-nas-01#show debug
General OS:
AAA Authentication debugging is on
PPP:
PPP authentication debugging is on
The following shell-initiated PPP session example shows the AAA debug output that confirms
correct configuration for local authentication:
Note  The method used is LOCAL.
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
113136: Feb 4 10:11:32.582 CST: As1 PPP: Treating connection as a callin
113137: Feb 4 10:11:32.582 CST: AAA/MEMORY: dup_user (0x61DF306C) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1
source='AAA dup lcp_reset'
113138: Feb 4 10:11:32.582 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication
needed. user='diallocal' port='tty1' rem_addr='async/81560'
113139: Feb 4 10:11:32.582 CST: AAA/MEMORY: free_user (0x619C4940) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113140: Feb 4 10:11:33.158 CST: AAA/MEMORY: dup_user (0x6193A788) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1
source='AAA dup lcp_reset'
113141: Feb 4 10:11:33.158 CST: AAA/MEMORY: free_user (0x61DF306C) user='dialuser'
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=PPP priv=1
113142: Feb 4 10:11:33.158 CST: As1 AAA/AUTHEN: Method=IF-NEEDED: no authentication
needed. user='diallocal' port='tty1' rem_addr='async/81560'
The following example of a non-shell-initiated PPP session shows AAA debug output that confirms
correct configuration for local authentication:
Note  The method used is LOCAL.
113151: Feb 4 10:13:27.670 CST: AAA/MEMORY: create_user (0x61DFE188) user=''
ruser='' port='tty2' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113152: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): port='tty2' list=''
action=LOGIN service=LOGIN
113153: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): using "default" list
113154: Feb 4 10:13:27.670 CST: AAA/AUTHEN/START (776784700): Method=LOCAL
113155: Feb 4 10:13:27.670 CST: AAA/AUTHEN (776784700): status = GETUSER
113156: Feb 4 10:13:27.710 CST: AAA/AUTHEN/ABORT: (776784700) because Autoselected.
113157: Feb 4 10:13:27.710 CST: AAA/MEMORY: free_user (0x61DFE188) user='' ruser=''
port='tty2' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113158: Feb 4 10:13:29.842 CST: As2 PPP: Treating connection as a callin
113159: Feb 4 10:13:34.834 CST: As2 PAP: I AUTH-REQ id 1 len 18 from "diallocal"
113160: Feb 4 10:13:34.834 CST: As2 PAP: Authenticating peer diallocal
113161: Feb 4 10:13:34.838 CST: AAA: parse name=Async2 idb type=10 tty=2
113162: Feb 4 10:13:34.838 CST: AAA: name=Async2 flags=0x11 type=4 shelf=0 slot=0
adapter=0 port=2 channel=0
113163: Feb 4 10:13:34.838 CST: AAA: parse name=Serial0:3 idb type=12 tty=-1
113164: Feb 4 10:13:34.838 CST: AAA: name=Serial0:3 flags=0x51 type=1 shelf=0 slot=0
adapter=0 port=0 channel=3
113165: Feb 4 10:13:34.838 CST: AAA/MEMORY: create_user (0x61ABBCE4) user='dialuser'
ruser='' port='Async2' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
113166: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): port='Async2' list=''
action=LOGIN service=PPP
113167: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): using "default" list
113168: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = UNKNOWN
113169: Feb 4 10:13:34.838 CST: AAA/AUTHEN/START (1001880850): Method=LOCAL
113170: Feb 4 10:13:34.838 CST: AAA/AUTHEN (1001880850): status = PASS
113171: Feb 4 10:13:34.838 CST: As2 PAP: O AUTH-ACK id 1 len 5
2.2 Implementing Local Dialup Authorization
These processes help you to accomplish the following tasks:
1. Configure dial access configuration for local authorization on the NAS.
2. Verify and troubleshoot local authorization from NAS.
3. Verify that access list 110 is assigned.
Note  Attribute-value pairs (AVPs) are supported only with EXEC shell initiated PPP
sessions for local accounts. Configure dial access clients to “Bring Up a Terminal
Window After Dial”.
Step 1  Configure dial access configuration for local authorization on the NAS.
Include the following Cisco IOS configuration commands in your configuration to construct dial access
local authorization:
aaa new-model
aaa authentication login default local
aaa authentication ppp default if-needed local
aaa authorization exec default local if-authenticated
aaa authorization network default local if-authenticated
username dialclient access-class 110 password ciscorocks
username dialclient autocommand ppp negotiate
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any
Note  See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
Step 2  Verify and troubleshoot local authorization from NAS.
To verify that local dial access authorization is operating correctly, enter the debug aaa authorization
command.
The following EXEC sequence illustrates that the appropriate command is enabled:
5800-NAS#show debug
General OS:
AAA Authorization debugging is on
The following example of a shell-initiated session shows the AAA debug output that confirms correct
configuration for local authorization. Some points to note about this debug output:
• Method used is LOCAL.
• Autocommand used is PPP negotiate.
• Access list used is 110.
• Authorization is successful.
The following tests illustrate operations described in “2.4 Implementing Local Router Authorization”
and include relevant router output:
1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).
2. EXEC Authorization in action; access-list 110 and autocommand=ppp negotiate AVPs processed.
3. User diallocal is authorized PPP Network Service.
4. User diallocal is authorized LCP.
5. User diallocal is authorized IPCP.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note  The debug command output can vary depending on Cisco IOS versions.
1. User diallocal is authorized EXEC Shell Service (Terminal Window After Dial enabled).
NAS debug output:
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC
07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal'
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV cmd*
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): found list "default"
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD
2. EXEC Authorization in action; access-list 110 and autocommand=ppp negotiate AVPs
processed.
NAS debug output:
07:10:52: AAA/AUTHOR/EXEC: Processing AV service=shell
07:10:52: AAA/AUTHOR/EXEC: Processing AV cmd*
07:10:52: AAA/AUTHOR/EXEC: Processing AV autocmd=ppp
07:10:52: AAA/AUTHOR/EXEC: Processing AV acl=110
07:10:52: AAA/AUTHOR/EXEC: Authorization successful
3. User diallocal is authorized PPP Network Service.
NAS debug output:
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Port='tty10' list='' service=NET
07:10:52: AAA/AUTHOR/PPP: As10 (2856468577) user='diallocal'
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV service=ppp
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV protocol=ip
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): send AV addr-pool*default
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): found list "default"
07:10:52: As10 AAA/AUTHOR/PPP (2856468577): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (2856468577): Post authorization status = PASS_REPL
4. User diallocal is authorized LCP.
NAS debug output:
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV service=ppp
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV protocol=ip
07:10:52: AAA/AUTHOR/Async10: PPP: Processing AV addr-pool*default
07:10:54: AAA/MEMORY: free_user (0x61851148) user='diallocal' ruser='' port='tty
10' rem_addr='65004/65301' authen_type=ASCII service=LOGIN priv=1
07:10:56: AAA/MEMORY: free_user (0x61532710) user='diallocal' ruser='' port='tty
10' rem_addr='65004/65301' authen_type=ASCII service=PPP priv=1
07:10:56: As10 AAA/AUTHOR/FSM: (0): LCP succeeds trivially
07:10:58: As10 AAA/AUTHOR/LCP: Authorize LCP
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Port='tty10' list='' service=NET
07:10:58: AAA/AUTHOR/LCP: As10 (3185006257) user='diallocal'
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV service=ppp
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): send AV protocol=lcp
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): found list "default"
07:10:58: As10 AAA/AUTHOR/LCP (3185006257): Method=LOCAL
07:10:58: As10 AAA/AUTHOR (3185006257): Post authorization status = PASS_REPL
5. User diallocal is authorized IPCP.
NAS debug output:
07:10:58: As10 AAA/AUTHOR/LCP: Processing AV service=ppp
07:10:58: As10 AAA/AUTHOR/LCP: Processing AV protocol=lcp
07:10:58: As10 AAA/AUTHOR/FSM: (0): Can we start IPCP?
07:10:58: As10 AAA/AUTHOR/FSM (321297806): Port='tty10' list='' service=NET
07:10:58: AAA/AUTHOR/FSM: As10 (321297806) user='diallocal'
07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV service=ppp
07:10:58: As10 AAA/AUTHOR/FSM (321297806): send AV protocol=ip
07:10:58: As10 AAA/AUTHOR/FSM (321297806): found list "default"
07:10:58: As10 AAA/AUTHOR/FSM (321297806): Method=LOCAL
07:10:58: As10 AAA/AUTHOR (321297806): Post authorization status = PASS_REPL
07:10:58: As10 AAA/AUTHOR/FSM: We can start IPCP
Step 3  Verify that access list 110 is assigned.
To verify that access list 110 is being used to control access, enter the show line command as follows:
maui-nas-03#show line 10
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
    10 TTY              - inout     -  110    -      1       0     0/0      -
Note  Access lists can be defined as either input or output access lists. As configured and applied
in this environment, access list 110 is an output access list assigned with the acl=110 AVP.
In the show line listing, AccO refers to output access list 110. In this case, AccI is not set
(indicated by a dash).
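The verification steps in 2.1 and 2.2 read the AAA/AUTHEN and AAA/AUTHOR debug output by eye. The following added example (not code from the case study) parses lines in that format, groups them by the transaction id shown in parentheses, and reports sessions that did not use Method=LOCAL, did not end in a PASS status, or did not apply the acl=110 AVP during EXEC authorization. The sample lines are constructed in the style of the output above; the audit thresholds (expected method and required AVP) are parameters you would set to match your own configuration.

```python
import re
from collections import OrderedDict

# Constructed lines in the style of 'debug aaa authentication' and
# 'debug aaa authorization' output; not captured from a real device.
SAMPLE_DEBUG = """\
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list='' action=LOGIN service=LOGIN
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='(undef)')
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login (user='diallocal')
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Port='tty10' list='' service=EXEC
07:10:52: AAA/AUTHOR/EXEC: As10 (693880654) user='diallocal'
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): send AV service=shell
07:10:52: As10 AAA/AUTHOR/EXEC (693880654): Method=LOCAL
07:10:52: As10 AAA/AUTHOR (693880654): Post authorization status = PASS_ADD
07:10:52: AAA/AUTHOR/EXEC: Processing AV autocmd=ppp negotiate
07:10:52: AAA/AUTHOR/EXEC: Processing AV acl=110
07:10:59: AAA/AUTHEN/START (4100000001): port='tty2' list='' action=LOGIN service=LOGIN
07:10:59: AAA/AUTHEN/START (4100000001): Method=LOCAL
07:11:01: AAA/AUTHEN/CONT (4100000001): continue_login (user='rtr_super')
07:11:02: AAA/AUTHEN (4100000001): status = FAIL
07:12:10: As11 AAA/AUTHOR/EXEC (55555): Port='tty11' list='' service=EXEC
07:12:10: AAA/AUTHOR/EXEC: As11 (55555) user='dialclient'
07:12:10: As11 AAA/AUTHOR/EXEC (55555): Method=LOCAL
07:12:10: As11 AAA/AUTHOR (55555): Post authorization status = PASS_ADD
07:12:10: AAA/AUTHOR/EXEC: Processing AV service=shell
"""

# The transaction id is the number in parentheses, whatever the sub-tag (START, CONT,
# EXEC, PPP, FSM ...). The '(0)' state marker on AAA/AUTHOR/FSM lines is not an id.
LINE_RE = re.compile(r"AAA/(AUTHEN|AUTHOR)(?:/[A-Za-z0-9]+)?:? ?(?:As\d+ )?\(([1-9]\d*)\):? ?(.*)")
AV_RE = re.compile(r"AAA/AUTHOR/.*?Processing AV (.*)")  # these lines carry no id
FIELDS = (  # (field, pattern, overwrite an earlier value?)
    ("user", r"user='([^']*)'", False),
    ("port", r"[Pp]ort='([^']*)'", False),
    ("service", r"service=(\S+)", False),
    ("method", r"Method=(\S+)", True),
    ("status", r"status = (\S+)", True),
)


def parse_aaa_debug(text):
    """Group debug lines into one record per transaction id, in first-seen order."""
    txns = OrderedDict()
    last_id = None
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            kind, tid, rest = m.groups()
            t = txns.setdefault(tid, {"kind": kind, "user": None, "port": None, "service": None,
                                      "method": None, "status": None, "sent": [], "processed": []})
            last_id = tid
            for field, pattern, overwrite in FIELDS:
                k = re.search(pattern, rest)
                if k and k.group(1) not in ("", "(undef)") and (overwrite or t[field] is None):
                    t[field] = k.group(1)
            sent = re.search(r"send AV (.*)", rest)
            if sent:
                t["sent"].append(sent.group(1))
            continue
        m = AV_RE.search(line)
        if m and last_id is not None:  # attach id-less 'Processing AV' lines to the current transaction
            txns[last_id]["processed"].append(m.group(1))
    return txns


def audit_local_aaa(txns, expected_method="LOCAL", required_exec_avs=("acl=110",)):
    """Return one finding per transaction that deviates from the local-AAA expectation."""
    findings = []
    for tid, t in txns.items():
        who = f"{t['kind']} {tid} user={t['user']} port={t['port']}"
        if t["method"] != expected_method:
            findings.append(f"{who}: Method={t['method']}, expected {expected_method}")
        elif t["status"] is None or not t["status"].startswith("PASS"):
            findings.append(f"{who}: final status {t['status']}")
        elif t["kind"] == "AUTHOR" and t["service"] == "EXEC":
            missing = [av for av in required_exec_avs if av not in t["processed"]]
            if missing:
                findings.append(f"{who}: EXEC authorization did not apply {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for finding in audit_local_aaa(parse_aaa_debug(SAMPLE_DEBUG)):
        print(finding)
```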
2.3 Implementing Local Router Authentication
These processes help you to establish local-based router authentication as illustrated in Figure 2-2:
1. Configure basic router access.
2. Verify local authentication operation.
Figure 2-2 Local-Based Router Environment (figure: local-based VTY access (Telnet) to the router over IP)
Step 1
Configure basic router access.
Include the following Cisco IOS configuration commands in your configuration to enforce local
authentication on all interfaces except the console port:
username rtr_super privilege 15 password ciscorules
!
aaa new-model
aaa authentication login default local
aaa authentication login NO_AUTHENT none
!
line con 0
login authentication NO_AUTHENT
Note
The NO_AUTHENT list disables authentication on the console port. See “A.2
Router AAA Command Implementation Descriptions” in Appendix A, “AAA
Device Configuration Listings” for notes regarding Cisco IOS AAA commands.
Step 2
Verify local authentication operation.
a. To verify user access, initiate a login process as follows:
maui-rtr-03#login
User Access Verification
Username: rtr_super
Password: <password>
maui-rtr-03#
b. To determine that local dial access authentication is operating correctly, enter the debug aaa
authentication command as follows:
maui-rtr-03#debug aaa authentication
AAA Authentication debugging is on
maui-rtr-03#show debug
General OS:
AAA Authentication debugging is on
maui-rtr-03#terminal monitor
Feb 17 15:34:47.147: AAA: parse name=tty3 idb type=-1 tty=-1
Feb 17 15:34:47.147: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3
channel=0
Feb 17 15:34:47.147: AAA/MEMORY: create_user (0x61F88D2C) user='' ruser=''
port='tty3' rem_addr='172.22.61.17' authen_type=ASCII service=LOGIN priv=1
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): port='tty3' list='' action=LOGIN
service=LOGIN
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): using "default" list
Feb 17 15:34:47.147: AAA/AUTHEN/START (3701879404): Method=LOCAL
Feb 17 15:34:47.147: AAA/AUTHEN (3701879404): status = GETUSER
Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): continue_login (user='(undef)')
Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETUSER
Feb 17 15:34:49.679: AAA/AUTHEN/CONT (3701879404): Method=LOCAL
Feb 17 15:34:49.679: AAA/AUTHEN (3701879404): status = GETPASS
Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): continue_login (user='rtr_super')
Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = GETPASS
Feb 17 15:34:51.467: AAA/AUTHEN/CONT (3701879404): Method=LOCAL
Feb 17 15:34:51.467: AAA/AUTHEN (3701879404): status = PASS
2.4 Implementing Local Router Authorization
Local router authorization is implemented through router command authorization configuration. The
following example:
• Shows how to create two privilege levels (1 and 15) with local access and how to control the access
to global configuration mode.
• Provides a method to gain access by using the enable password if the local login fails.
Follow a methodical approach when dealing with TACACS+ in routers to prevent the need to perform
password recovery.
Note
Some versions of boot ROMs do not recognize all AAA commands. Be sure to
disable AAA authentication and authorization before changing to boot ROM
mode. For configuration notes regarding disabling AAA to access boot ROM
mode, see Appendix B, “AAA Impact on Maintenance Tasks.”
These processes are intended to help you to accomplish the following tasks:
1. Configure local router authorization at privilege level 15.
2. Verify local router authorization is set to privilege level 15.
Step 1
Configure local router authorization at privilege level 15.
Include the following Cisco IOS configuration commands in your configuration to enforce local
authorization at privilege level 15 on all interfaces except the console port:
!
username rtr_super privilege 15 password ciscorules
!
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 15 default local if-authenticated
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHENT
Note
You must first log out, and then log back into the router following the inclusion of
the aaa authorization commands 15 default local if-authenticated command
(illustrated in the preceding configuration fragment). Doing this ensures that you
log in as the user rtr_super (in this case study example). The NO_AUTHENT list
disables authentication on the console port. The NO_AUTHOR list disables
EXEC and command authorization on the console port. See “A.2 Router AAA
Command Implementation Descriptions” in Appendix A, “AAA Device
Configuration Listings” for notes regarding key Cisco IOS AAA commands.
Step 2
Verify local router authorization is set to privilege level 15.
Enter the following commands to verify correct authorization:
maui-rtr-03#debug aaa authorization
AAA Authorization debugging is on
maui-rtr-03#show debug
General OS:
AAA Authorization debugging is on
maui-rtr-03#login
User Access Verification
Username: rtr_super
Password:
The following tests illustrate operations described in “2.4 Implementing Local Router Authorization”
and include relevant router output.
1. User rtr_super is authorized EXEC shell access.
2. User rtr_super is assigned the priv-lvl=15 AVP.
3. User rtr_super successfully performs a privilege level 15 command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note
The debug command output can vary depending on Cisco IOS versions.
1. User rtr_super is authorized EXEC shell access.
Router debug output:
Mar 13 14:08:54.871 CST: AAA/MEMORY: create_user (0x6188BD2C) user='' ruser=''
port='tty2' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=15
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Port='tty2' list=''
service=EXEC
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: tty2 (294199586) user='rtr_super'
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV service=shell
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV cmd*
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): found list "default"
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Method=LOCAL
Mar 13 14:09:00.511 CST: AAA/AUTHOR (294199586): Post authorization status = PASS_ADD
2. User rtr_super is assigned the priv-lvl=15 AVP.
Router debug output:
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV service=shell
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV cmd*
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Authorization successful
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Port='tty2' list='' service=CMD
3. User rtr_super successfully performs a privilege level 15 command.
Router debug output:
Mar 13 14:09:01.648 CST: AAA/AUTHOR/CMD: tty2 (2192867088) user='rtr_super'
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV service=shell
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd=configure
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=terminal
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=<cr>
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): found list "default"
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Method=LOCAL
Mar 13 14:09:01.648 CST: AAA/AUTHOR (2192867088): Post authorization status = PASS_ADD
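To make the authorization trace above easier to audit, here is an added Python example (not code from the case study) that groups AAA/AUTHOR debug lines by session ID, collects the AV pairs the NAS sent and the reply AVs it applied, and reports the method and final status of each session. The sample lines are constructed from the EXEC and CMD output above; the third session, user rtr_oper and a FAIL result, is constructed to show how a denied command shows up.

```python
import re
from collections import OrderedDict

# Line shapes are taken from the AAA/AUTHOR debug output in this chapter.
_SESSION = re.compile(r"AAA/AUTHOR(?:/(?P<kind>EXEC|CMD|LCP|FSM))?[^(]*\((?P<sid>\d+)\)")
_FIELDS = {"user": re.compile(r"user='(?P<user>[^']*)'"),
           "method": re.compile(r"Method=(?P<method>\S+)"),
           "status": re.compile(r"Post authorization status = (?P<status>\S+)")}
_SEND_AV = re.compile(r"send AV (?P<av>\S+)")
_PROCESS_AV = re.compile(r"AAA/AUTHOR/\w+: Processing AV (?P<av>\S+)")

# Constructed sample: the EXEC and CMD sessions shown above, plus a constructed
# third session for a hypothetical user rtr_oper whose command is refused.
SAMPLE = """\
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Port='tty2' list='' service=EXEC
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: tty2 (294199586) user='rtr_super'
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV service=shell
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): send AV cmd*
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): found list "default"
Mar 13 14:09:00.511 CST: tty2 AAA/AUTHOR/EXEC (294199586): Method=LOCAL
Mar 13 14:09:00.511 CST: AAA/AUTHOR (294199586): Post authorization status = PASS_ADD
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV service=shell
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV cmd*
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Processing AV priv-lvl=15
Mar 13 14:09:00.511 CST: AAA/AUTHOR/EXEC: Authorization successful
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Port='tty2' list='' service=CMD
Mar 13 14:09:01.648 CST: AAA/AUTHOR/CMD: tty2 (2192867088) user='rtr_super'
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV service=shell
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd=configure
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=terminal
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): send AV cmd-arg=<cr>
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): found list "default"
Mar 13 14:09:01.648 CST: tty2 AAA/AUTHOR/CMD (2192867088): Method=LOCAL
Mar 13 14:09:01.648 CST: AAA/AUTHOR (2192867088): Post authorization status = PASS_ADD
Mar 13 14:10:05.100 CST: tty3 AAA/AUTHOR/CMD (2192867099): Port='tty3' list='' service=CMD
Mar 13 14:10:05.100 CST: AAA/AUTHOR/CMD: tty3 (2192867099) user='rtr_oper'
Mar 13 14:10:05.100 CST: tty3 AAA/AUTHOR/CMD (2192867099): send AV cmd=configure
Mar 13 14:10:05.100 CST: tty3 AAA/AUTHOR/CMD (2192867099): send AV cmd-arg=terminal
Mar 13 14:10:05.100 CST: tty3 AAA/AUTHOR/CMD (2192867099): Method=LOCAL
Mar 13 14:10:05.100 CST: AAA/AUTHOR (2192867099): Post authorization status = FAIL
"""


def parse_author_debug(lines):
    """Group AAA/AUTHOR debug lines by session ID (the number in parentheses).

    Request AVs are the 'send AV' pairs the NAS submitted; reply AVs are the
    'Processing AV' pairs applied afterwards, attributed to the most recent
    session because those lines carry no ID in the debug stream.
    """
    sessions, last_sid = OrderedDict(), None
    for line in lines:
        m = _SESSION.search(line)
        if m:
            sid = m.group("sid")
            rec = sessions.setdefault(sid, {"kind": None, "user": None, "method": None,
                                            "status": None, "request_avs": [], "reply_avs": []})
            rec["kind"] = m.group("kind") or rec["kind"]
            for key, regex in _FIELDS.items():
                hit = regex.search(line)
                if hit:
                    rec[key] = hit.group(key)
            av = _SEND_AV.search(line)
            if av:
                rec["request_avs"].append(av.group("av"))
            last_sid = sid
        else:
            p = _PROCESS_AV.search(line)
            if p and last_sid is not None:
                sessions[last_sid]["reply_avs"].append(p.group("av"))
    return sessions


def command_of(rec):
    """Rebuild the CLI command from cmd= and cmd-arg= request AVs (<cr> ends it)."""
    words = [val for key, _, val in (av.partition("=") for av in rec["request_avs"])
             if key in ("cmd", "cmd-arg") and val and val != "<cr>"]
    return " ".join(words)


def priv_lvl_of(rec):
    """Privilege level granted through a priv-lvl=N reply AV, or None."""
    for av in rec["reply_avs"]:
        if av.startswith("priv-lvl="):
            return int(av.split("=", 1)[1])
    return None


def summarize(text):
    """One flat dict per authorization session, in debug order."""
    return [{"sid": sid, "kind": r["kind"], "user": r["user"], "method": r["method"],
             "status": r["status"], "command": command_of(r), "priv_lvl": priv_lvl_of(r)}
            for sid, r in parse_author_debug(text.splitlines()).items()]


def failed_sessions(text):
    """Sessions whose final status is not a PASS_* result."""
    return [s for s in summarize(text) if s["status"] and not s["status"].startswith("PASS")]
```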
2.5 Implementing Local Router Accounting
These processes help you to accomplish the following tasks:
1. Configure basic local accounting for router access.
2. Verify and troubleshoot local accounting from VTY (Telnet) based access to the router.
Step 1
Configure basic local accounting for router access.
Include the following Cisco IOS configuration commands in your configuration to construct local-based
router accounting for EXEC sessions and for privilege level 15 command authorization:
username rtr_super privilege 15 password ciscorules
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting exec NO_ACCOUNT none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NO_ACCOUNT none
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
accounting commands 1 NO_ACCOUNT
accounting commands 15 NO_ACCOUNT
accounting exec NO_ACCOUNT
login authentication NO_AUTHENT
Note
In the preceding configuration fragment, the start-stop option is entered for
EXEC shell sessions and the stop-only option is entered for privilege-level 15
commands. The router sends a start packet in the beginning of a shell service and
a stop packet when the session terminates. A stop packet is only sent upon
completion of a privilege level 15 command in the router. Additionally, note the
use of the NO_ACCOUNT list to disable AAA accounting on the console port.
Step 2
Verify and troubleshoot local accounting from VTY (Telnet) based access to the router.
Enter the debug aaa accounting command to verify local router accounting is operating as expected.
The following EXEC sequence illustrates that the appropriate commands are enabled:
maui-rtr-03#show debug
General OS:
AAA Accounting debugging is on
The following tests illustrate operations described in “2.5 Implementing Local Router Accounting” and
include relevant router output.
1. User rtr_super is authorized EXEC shell access.
2. User rtr_super successfully performs configure terminal, a privilege level 15 command.
The following diagnostic results are presented in the order in which they are generated during a typical
authorization and command request process. Specific output fragments are separated out with brief
explanatory notes to help you identify relevant information.
Note
The debug command output can vary depending on Cisco IOS versions.
1. User rtr_super is authorized EXEC shell access.
Router debug output:
Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, port tty3
Apr 11 16:48:32.483: AAA/ACCT/EXEC: Found list "default"
Apr 11 16:48:32.483: AAA/ACCT/EXEC/START User rtr_super, Port tty3, task_id=362
start_time=955471712 timezone=CST service=shell
Apr 11 16:48:32.483: AAA/ACCT: user rtr_super, acct type 0 (1526108857):
Method=tacacs+ (tacacs+)
Apr 11 16:48:33.487: TAC+: (1526108857): received acct response status = SUCCESS
2. User rtr_super successfully performs configure terminal, a privilege level 15 command.
Router debug output:
Apr 11 16:51:52.741: AAA/ACCT/CMD: User rtr_super, Port tty3, Priv 15: "configure
terminal <cr>"
Apr 11 16:51:52.741: AAA/ACCT/CMD: Found list "default"
Apr 11 16:51:52.741: AAA/ACCT: user rtr_super, acct type 3 (2701117300):
Method=tacacs+ (tacacs+)
Apr 11 16:51:53.545: TAC+: (2701117300): received acct response status = SUCCESS
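The configuration fragments in 2.4 and 2.5 rely on one convention: the `none` method lists (NO_AUTHENT, NO_AUTHOR, NO_ACCOUNT) exist only so the console can bypass AAA, and every list a line references must be defined globally. The following added Python example (not from the case study) parses such a fragment and reports any bypass list applied somewhere other than `line con 0`, any `default` list that includes `none`, and any line that references an undefined list. The embedded configuration is constructed from the 2.5 fragment above, with a constructed `line vty 0 4` block added to produce a finding.

```python
# Audit an IOS AAA fragment: where are "none" method lists applied, and are all lists defined?
AAA_TYPES = ("authentication", "authorization", "accounting")

# Constructed sample: the 2.5 fragment above, plus a hypothetical vty block that
# (wrongly) applies the console bypass list to Telnet sessions.
SAMPLE_CONFIG = """\
username rtr_super privilege 15 password ciscorules
!
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHENT none
aaa authorization exec default local if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting exec NO_ACCOUNT none
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting commands 15 NO_ACCOUNT none
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 accounting commands 1 NO_ACCOUNT
 accounting commands 15 NO_ACCOUNT
 accounting exec NO_ACCOUNT
 login authentication NO_AUTHENT
line vty 0 4
 login authentication NO_AUTHENT
"""


def parse_aaa_config(text):
    """Return (lists, lines).

    lists maps (scope, list-name) -> method tokens, for example
      ("authorization commands 15", "default") -> ["local", "if-authenticated"]
    lines maps a line name ("con 0", "vty 0 4") -> {scope: list-name} for the
    login authentication / authorization / accounting commands applied under it.
    """
    lists, lines, current = {}, {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        toks = s.split()
        if toks[0] == "line" and len(toks) >= 2:
            current = " ".join(toks[1:])
            lines.setdefault(current, {})
        elif toks[0] == "aaa":
            current = None  # back at global configuration level
            if len(toks) >= 4 and toks[1] in AAA_TYPES:
                scope, idx = f"{toks[1]} {toks[2]}", 3
                if toks[2] == "commands":  # level precedes the list name
                    scope, idx = f"{scope} {toks[3]}", 4
                if len(toks) > idx:
                    lists[(scope, toks[idx])] = toks[idx + 1:]
        elif current is not None:
            if toks[:2] == ["login", "authentication"] and len(toks) == 3:
                lines[current]["authentication login"] = toks[2]
            elif toks[0] in ("authorization", "accounting") and len(toks) >= 3:
                if toks[1] == "commands" and len(toks) >= 4:
                    lines[current][f"{toks[0]} commands {toks[2]}"] = toks[3]
                elif toks[1] != "commands":
                    lines[current][f"{toks[0]} {toks[1]}"] = toks[2]
    return lists, lines


def audit(text):
    """Findings a reviewer would raise about bypass lists and undefined references."""
    lists, lines = parse_aaa_config(text)
    findings = []
    for (scope, name), methods in lists.items():
        if name == "default" and "none" in methods:
            findings.append(f"default list for '{scope}' contains method none")
    for line, applied in lines.items():
        for scope, name in applied.items():
            methods = lists.get((scope, name))
            if methods is None:
                findings.append(f"{line}: {scope} references undefined list '{name}'")
            elif methods == ["none"] and line != "con 0":
                findings.append(f"{line}: {scope} applies bypass list '{name}' (none) outside the console")
    return findings
```

Run against the sample it reports the vty bypass and that `accounting commands 1 NO_ACCOUNT` on the console references a list the fragment never defines.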
Chapter 3
Implementing Cisco AAA Servers
This chapter describes the basic process of installing CiscoSecure for UNIX (CSU). See Chapter 1,
“Cisco AAA Case Study Overview” for this case study’s network requirements and environment
details. Figure 3-1 illustrates the general networking environment in which this CSU is implemented.
These sections focus on the following topics:
• 3.1 Installing CiscoSecure for UNIX with Oracle
• 3.1.4 Creating and Verifying Basic User Profile
Figure 3-1 AAA-Based, Secure Network Access Scenario (figure; elements shown: clients, analog lines, PSTN, PRI lines, modems, Cisco AS5x00 with integrated modems, IP intranet, AAA server, Oracle dB server, DNS server, network element management server (NTP, Syslog, SNMP), default gateway, Internet firewall, Internet)
3.1 Installing CiscoSecure for UNIX with Oracle
These processes help you to install CiscoSecure for UNIX:
• 3.1.1 Creating Oracle Tablespace
• 3.1.2 Verifying the Oracle Database Instance
• 3.1.3 Installing CiscoSecure for UNIX
• 3.1.4 Creating and Verifying Basic User Profile
3.1.1 Creating Oracle Tablespace
You must create an Oracle tablespace with a minimum size of 200 MB. The notes listed in this section
are for reference.
Note
Ensure that an experienced Oracle database administrator (DBA) tunes and configures the
database.
For detailed Oracle installation notes, go to the following location:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csbsdoc.htm
Example of creating an Oracle tablespace:
<CSUserver>$su - oracle
Sun Microsystems Inc.   SunOS 5.5.1       Generic May 1996
<CSUserver>$$ORACLE_HOME/bin/svrmgrl
Oracle Server Manager Release 2.3.4.0.0 - Production
Copyright (c) Oracle Corporation 1994, 1995. All rights reserved.
Oracle7 Server Release 7.3.4.0.1 - Production
With the distributed option
PL/SQL Release 2.3.4.0.0 - Production
SVRMGR>connect internal
Connected.
SVRMGR>create tablespace cstb datafile '/export/home/ORADATA/cs.dbf' size 200m;
Statement processed.
SVRMGR>create user csecure identified by csecure default tablespace cstb;
Statement processed.
SVRMGR>grant dba to csecure identified by csecure;
Statement processed.
SVRMGR>exit
Server Manager complete.
3.1.2 Verifying the Oracle Database Instance
Before you install CiscoSecure for UNIX, make sure the Oracle server is running and you have the
following five pieces of information:
• The Oracle user account for CiscoSecure (csecure)
• The password for the Oracle account (csecure)
• TNS service name for the Oracle server (ciscosj)
• The location of $ORACLE_HOME (/opt/oracle/product/7.3.4)
• The number of connections to use for the ORACLE RDBMS (50)
Step 1
To verify the software directory environment variable ($ORACLE_HOME) where Oracle is installed,
log in to the Oracle server and enter the following command:
<CSUserver>$env | grep ORACLE_HOME
ORACLE_HOME=/opt/oracle/product/7.3.4
Note
This environment variable should have been configured during Oracle installation
by the DBA.
Step 2
On the Oracle server, verify that SMON (a mandatory Oracle background process) is running by
entering the following command:
<CSUserver>$ps -ef |grep smon
  oracle   819     1  0   Feb 26 ?        0:00 ora_smon_ciscosj
The command returns the ora_smon_<SID> process if the server is running. Notice the database
instance specification of ciscosj. If the server is down, log in with the Oracle UNIX account (in this
case, with username of csecure and password of csecure) and start the database by using Server
Manager (svrmgrl) and Oracle listener (lsnrctl) as follows:
<CSUserver>$$ORACLE_HOME/bin/svrmgrl
SVRMGR>connect internal
SVRMGR>startup
ORACLE instance started.
Total System Global Area    4576056 bytes
Fixed Size                    39816 bytes
Variable Size               4118448 bytes
Database Buffers             409600 bytes
Redo Buffers                   8192 bytes
Database mounted.
Database opened.
<CSUserver>$$ORACLE_HOME/bin/lsnrctl start
LSNRCTL for Solaris:Version 2.3.4.0.0 - Production on 12-APR-00 09:40:46
Copyright (c) Oracle Corporation 1994.
All rights reserved.
Starting /opt/oracle/product/7.3.4/bin/tnslsnr:please wait...
TNSLSNR for Solaris:Version 2.3.4.0.0 - Production
System parameter file is /opt/oracle/product/7.3.4/network/admin/listener.ora
Log messages written to /opt/oracle/product/7.3.4/network/log/listener.log
Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=10)(KEY=ciscoaus))
Listening on:(ADDRESS=(PROTOCOL=ipc)(DEV=13)(KEY=PNPKEY))
Listening on:(ADDRESS=(PROTOCOL=tcp)(DEV=15)(HOST=172.22.53.204)(PORT=1521))
Connecting to (ADDRESS=(PROTOCOL=IPC)(KEY=ciscosj))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Solaris:Version 2.3.4.0.0 - Production
Start Date                12-APR-00 09:40:50
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  OFF
SNMP                      OFF
Listener Parameter File   /opt/oracle/product/7.3.4/network/admin/listener.ora
Listener Log File         /opt/oracle/product/7.3.4/network/log/listener.log
Services Summary...
  ciscoaus                has 1 service handler(s)
The command completed successfully
Step 3
To verify that the Oracle database account information is created for CiscoSecure by the DBA, enter
Security Manager using the sqlplus process:
<CSUserver>$sqlplus csecure/csecure@ciscosj
SQL>select * from user_sys_privs;
USERNAME                       PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CSECURE                        UNLIMITED TABLESPACE                     NO
Note
Ensure that the assigned resource role/privilege for the username and password is
as shown.
The command returns a table with a column listing the privileges granted to the Oracle database
account. The default tablespace assigned to the Oracle database account must be at least 200MB. The
size is verified by the installation script.
Step 4
To confirm tnsnames service is operating correctly, invoke the tnsping utility as follows:
<CSUserver>$$ORACLE_HOME/bin/tnsping ciscosj
TNS Ping Utility for Solaris: Version 2.3.4.0.0 - Production on 29-FEB-00 09:25:28
Copyright (c) Oracle Corporation 1995.
All rights reserved.
Attempting to contact (ADDRESS=(PROTOCOL=TCP)(Host=CSUserver)(Port=1521))
OK (80 msec)
Step 5
Ensure the number of Oracle RDBMS connections assigned to CiscoSecure is less than the
PROCESSES variable defined in the initciscosj.ora file. This parameter specifies the maximum number
of user processes that can simultaneously connect to an Oracle Server. If the value for PROCESSES is
set to 20, then only 13 or 14 concurrent connections can be assigned to CiscoSecure. For this case study,
at least four of the connections are reserved for mandatory background server processes. In addition,
the PROCESSES variable is set to 50 and the number of Oracle RDBMS connections is set to 50 during
the installation.
3.1.3 Installing CiscoSecure for UNIX
The general steps and output that follow apply to the installation dialog for CiscoSecure for UNIX
(CSU) on a Sun Solaris workstation. Installation consists of the following steps:
1. Start the CSU installation process by invoking the pkgadd program.
2. Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function.
3. Create the /var/log/csuslog file.
4. Configure the AAA server for maximum level debugging.
5. Restart the AAA server.
6. Restart the syslog daemon.
Step 1
Start the CSU installation process by invoking the pkgadd program.
The process that follows illustrates the general installation sequence. Extraneous output was omitted
where noted for brevity.
Note
The following installation process requires approximately 20 minutes.
<CSUserver>$pkgadd -d CiscoSecure-2.3.3.solaris
The following packages are available:
1 CSCEacs
CiscoSecure Access Control Software
(sun4) 2.3(3)
Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:1
Processing package instance <CSCEacs> from </opt/install/ciscosecure/CiscoSecure-2.3.3.solaris>
CiscoSecure Access Control Software
(sun4) 2.3(3)
Copyright(c) 1996-1999 Cisco Systems, Inc.
CiscoSecure Access Control Server
Version 2.3(3)
All Rights Reserved.
Copyright (c) 1994-1999 Netscape Communications Corporation
Copyright (c) 1988-1999 Sybase, Inc.
Trade Mark WebLogic, Inc.
Notice:
By using this product, you agree to be bound by the terms of
the license supplied with this product. If you do not agree
to these terms, promptly return the unused product, manuals,
related equipment, and hardware (with proof of purchase) to
the place of purchase for a full refund.
To install this product, you must agree to accept the terms
of the enclosed license [accept=y,exit=n,exit=q]: y
checking patches...
************************************************************************
* Notice:                                                              *
*                                                                      *
* This installation program saves your Database files from a previous  *
* CiscoSecure install. If you have not installed CiscoSecure before,   *
* you should answer YES to the next question. If you have performed    *
* a 'package remove' and are installing a new version of CiscoSecure   *
* and want to retain your previous Database files, you should answer   *
* NO to the next question.                                             *
*                                                                      *
************************************************************************
Is this a new install (y/n/q) (default: yes, q to quit)?y
Enter the directory name in which to install CiscoSecure [?,q]/opt/ciscosecure
IP Address to use for CiscoSecure (default: 172.23.25.41) [?,q]
If the hostname of this server is not the same as its fully qualified domain
name (FQDN), enter the FQDN, e.g., www.cisco.com. Otherwise, press enter
to use the default (default: CSUserver) [?,q]
Enter the AAA Server License key (default: <none>) [?,q]
Enter the TACACS+ NAS name to use (default: <none>) [?,q]
Enter the TACACS+ NAS Secret key (default: SECRET12345) [?,q]ciscorules
Select any or all Token Cards to use
  1  CryptoCard
  2  Secure-Computing   SafeWord
  3  SDI                SDI Token Card
Enter selection (default: none) [?,??,q]:
Choose Database
  1  SQLAnywhere        Sybase SQL Anywhere
  2  ORACLE             Oracle Enterprise
  3  SYBASE             Sybase Enterprise
Enter selection (default: SQLAnywhere) [?,??,q]:2
Enter the username for the ORACLE DB account [?,q]csecure
Enter the password for the ORACLE DB account [?,q]csecure
Enter the TNS service name for the Oracle Server [?,q]ciscosj
Enter the ORACLE_HOME directory [?,q]/opt/oracle/product/7.3.4
Enter an available TCP/IP Port to be reserved for the CiscoSecure DB Server
process (default: 9900) [0-65535,?,q]
Enter a unique name for the CiscoSecure DB Server Process (default:
CSdbServer) [?,q]
Enter the number of Connections to use for ORACLE RDBMS (default: 4) [?,q]50
Enter the directory Path to use for the AAA server profile caching
(default: /, q to quit)?
Modify any selections below?
  New CiscoSecure Install             YES
  CiscoSecure Directory               /opt/ciscosecure
  CiscoSecure IP Address              172.23.25.41
  CiscoSecure Web Server Name         CSUserver
  Profile Cache Directory             /
  AAA License Key                     <none>
  TACACS+ NAS Name                    <none>
  TACACS+ NAS Secret Key              SECRET12345
  Token Cards selected                none
  Data Base                           ORACLE
  DB User Account Name                csecure
  DB User Account Passwd              csecure
  Oracle TNS Name                     ciscosj
  Oracle Home                         /opt/oracle/product/7.3.4
  CiscoSecure DB Server IP Address    172.23.25.41
  CiscoSecure DB Server Port          9900
  CiscoSecure DB Server Proc Name     CSdbServer
  DB Server Connections               50
Modify any values [y,n,q]: n
cs_install.log being written to /tmp directory
Using </opt/ciscosecure> as the package base directory.
## Processing package information.
## Processing system information.
6 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.
This package contains scripts which will be executed with super-user
permission during the process of installing this package.
Do you want to continue with the installation of <CSCEacs> [y,n,?]y
Installing CiscoSecure Access Control Software as <CSCEacs>
## Executing preinstall script.
## Installing part 1 of 1.
Note
Process output is omitted at this point because it is not relevant to the installation
task presented in this chapter.
[ verifying class <TSERVER> ]
## Executing postinstall script.
Creating the initial database tables and views........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle
URL = jdbc:weblogic:oracle:ciscosj
username = csecure
password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver    Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version   2.5.4
sql = select tablespace_name, floor(sum(bytes)/(1024*1024)) from sys.dba_free_space
      where tablespace_name = (select default_tablespace from sys.dba_users where username = USER)
      group by tablespace_name
Total free space in CSTB tablespace is 199 MB.
Creating /opt/ciscosecure/utils/sql.scripts/ora_init.sql%
Executing SQL statements..
Note
Process output is omitted at this point because it is not relevant to the installation
task presented in this chapter.
Successfully done.
Initializing RADIUS data in the database........
Loading properties from /opt/ciscosecure/config/CSConfig.ini
Finished loading properties.
Data Source = ORACLE
Driver Type = JDBC-Weblogic-Oracle
URL = jdbc:weblogic:oracle:ciscosj
username = csecure
password = ********
Connected to jdbc:weblogic:oracle:ciscosj
Driver    Weblogic, Inc. Java-OCI JDBC Driver (weblogicoci26)
Version   2.5.4
Radius data version: 23
Adding SERVER_LIST
Adding DICTIONARY_LIST
Adding SERVER.172.23.25.41
Adding DICTIONARY.IETF
Adding DICTIONARY.Cisco
Adding DICTIONARY.Ascend
Adding DICTIONARY.Cisco11.1
Adding DICTIONARY.Cisco11.2
Adding DICTIONARY.Cisco11.3
Adding DICTIONARY.Ascend5
No update to dictionary list
Update radius version: INSERT INTO cs_id (id, type) VALUES (?, ?)
Successfully done.
Installation is complete. However, further configuration may be necessary.
For more information on the steps necessary to finish configuration, read
the /opt/ciscosecure/DOCS/README.txt file.
Results of this install are saved in the /tmp/cs_install.log file and in
/opt/ciscosecure/logfiles/cs_install.log.
NOTE: For AAA Server tuning, refer to
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/app_b.htm#xtocid192003
Installation of <CSCEacs> was successful.
Step 2
Configure CSU logging by editing /etc/syslog.conf to enable the AAA syslog function.
Add the following lines to /etc/syslog.conf:
#added by rbrown@cisco.com on 02/28/00
local0.debug	/var/log/csuslog
Note
Do not use whitespace to separate the above statements in /etc/syslog.conf. Use
only tabs.
Step 3
Create the /var/log/csuslog file.
Enter the touch command to create the csuslog file:
<CSUserver>$touch /var/log/csuslog;chmod 777 /var/log/csuslog
Step 4
Configure the AAA server for maximum level debugging.
Modify /opt/ciscosecure/config/CSU.cfg as follows:
NUMBER config_logging_configuration = 0x7fffffff
Step 5
Restart the AAA server.
Enter the following command to restart the AAA server:
<CSUserver>$/etc/rc0.d/K80CiscoSecure
Stopping CiscoSecure Processes:
CiscoSecure AutoRestart Stopped
Fast Track Server Stopped
Fast Track Admin Program Stopped
Acme Server Stopped
AAA Server Stopped
DBServer Stopped
<CSUserver>$/etc/rc2.d/S80CiscoSecure
Starting CiscoSecure Processes:
Fast Track Admin Started
FastTrack Server (Delayed Start)
DBServer Started
AAA Server starts in 15 Seconds:
AAA Server Started
Acme Server Started
Cisco AutoRestart started
Step 6
Restart the syslog daemon.
Enter the following commands to restart the syslog daemon:
<CSUserver>$ps -ef |grep syslog
    root   150     1  0   Feb 26 ?        0:00 /usr/sbin/syslogd
<CSUserver>$kill -HUP 150
3.1.4 Creating and Verifying Basic User Profile
These processes help you to accomplish basic user profile creation and verification:
1. Create user csu_test.
2. Verify user csu_test.
3. Configure the router for basic authentication.
4. Log in to the router and verify user access.
5. Review the AAA server log.
Step 1
Create user csu_test.
Enter the following command to add the user csu_test:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u csu_test -pw des,ciscorocks
Profile Successfully Added
Step 2
Verify user csu_test.
Enter the following command to verify settings for user csu_test:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u csu_test
User Profile Information
user = csu_test{
profile_id = 18
profile_cycle = 1
password = des "********"
}
Step 3
Configure the router for basic authentication.
Log in to the router and include the following commands:
aaa new-model
aaa authentication login default group tacacs+ local
tacacs-server host 172.22.53.201 key ciscorules
Step 4
Log in to the router and verify user access.
Enter the user name and password:
Username:csu_test
Password:<password>
Step 5
Review the AAA server log.
Enter the tail command to assess the csuslog file:
Note
This CSU log fragment illustrates user csu_test being authenticated and permitted
privilege level 15 access.
<CSUserver>$tail -f /var/log/csuslog
Feb 29 16:52:28 CSUserver last message repeated 20 times
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user:
csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - acct_token_cache_session_add_del: user:
csu_test
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG Feb 29 16:52:30 CSUserver User Access Verification
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:31 CSUserver CiscoSecure: WARNING - No swap files/partitions allocated
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS =
coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
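As an added example (not part of the case study), the Python below correlates CiscoSecure csuslog lines like those above by request ID and extracts the outcome of each authentication, so a reviewer can list which users were granted which privilege level from which NAS and port. The sample lines are constructed in the format shown above (the wrapped result line is joined); request 8f414e4a is a constructed login that never reaches a result line.

```python
import re

_REQUEST = re.compile(r"AUTHENTICATION (?P<step>START|CONTINUE) request \((?P<rid>[0-9a-f]+)\)")
_RESULT = re.compile(r"Authentication - LOGIN (?P<outcome>\w+);\[(?P<fields>[^\]]*)\]")

# Constructed sample in the format of the csuslog fragment above.
SAMPLE_LOG = """\
Feb 29 16:52:28 CSUserver last message repeated 20 times
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - ACCOUNTING request (55d45ae8)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e3e)
Feb 29 16:52:30 CSUserver CiscoSecure: DEBUG - Username:
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:33 CSUserver CiscoSecure: DEBUG - Password:
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e3e)
Feb 29 16:52:35 CSUserver CiscoSecure: DEBUG - Authentication - LOGIN successful;[NAS = coe-ccie-35.cisco.com, Port = tty2, User = csu_test, Priv = 15]
Feb 29 16:58:01 CSUserver CiscoSecure: DEBUG - AUTHENTICATION START request (8f414e4a)
Feb 29 16:58:04 CSUserver CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (8f414e4a)
"""


def parse_csu_log(text):
    """Correlate AUTHENTICATION START/CONTINUE lines by request ID.

    Returns [(rid, record)] in first-seen order. Each record counts the
    CONTINUE packets (one per prompt answered) and, when a result line
    follows, stores its outcome and the bracketed NAS/Port/User/Priv fields;
    the result line carries no ID, so it is attributed to the last request seen.
    """
    requests, order, last = {}, [], None
    for line in text.splitlines():
        m = _REQUEST.search(line)
        if m:
            rid = m.group("rid")
            if rid not in requests:
                requests[rid] = {"continues": 0, "outcome": None, "fields": {}}
                order.append(rid)
            if m.group("step") == "CONTINUE":
                requests[rid]["continues"] += 1
            last = rid
            continue
        r = _RESULT.search(line)
        if r and last is not None:
            fields = {}
            for part in r.group("fields").split(","):
                key, _, val = part.partition("=")
                fields[key.strip()] = val.strip()
            requests[last].update(outcome=r.group("outcome"), fields=fields)
    return [(rid, requests[rid]) for rid in order]


def privileged_logins(text, min_priv=15):
    """(user, nas, port, rid) for successful logins granted Priv >= min_priv."""
    hits = []
    for rid, rec in parse_csu_log(text):
        f = rec["fields"]
        if rec["outcome"] == "successful" and int(f.get("Priv", 0)) >= min_priv:
            hits.append((f["User"], f["NAS"], f["Port"], rid))
    return hits


def incomplete_requests(text):
    """Request IDs for which no LOGIN result line was logged."""
    return [rid for rid, rec in parse_csu_log(text) if rec["outcome"] is None]
```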
Chapter 4
Implementing the Server-Based AAA Subsystem
This chapter focuses on the following server-based AAA implementation topics:
• 4.1 Implementing Server-Based TACACS+ Dialup Authentication
• 4.2 Implementing Server-Based TACACS+ Dialup Authorization
• 4.3 Implementing Server-Based RADIUS Dialup Authentication
• 4.4 Implementing Server-Based RADIUS Dialup Authorization
• 4.5 Implementing Server-Based TACACS+ Router Authentication
• 4.6 Implementing Server-Based TACACS+ Router Authorization
Caution
The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.
Note
See Chapter 2, “Implementing the Local AAA Subsystem,” for specifics of local AAA
implementation. See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions
of authentication, authorization, and accounting as they relate to AAA security
implementation.
Figure 4-1 provides the general scenario this case study is built around and illustrates the server-based
AAA components, including a AAA server and its associated AAA database.
Figure 4-1 Basic AAA Case Study Environment
(Figure; components shown: clients on analog lines into the PSTN; PRI lines and modems into a Cisco AS5x00 with integrated modems; an IP intranet containing the AAA server, the Oracle dB server, the DNS server, and a network element management server (NTP, Syslog, SNMP); a default gateway and Internet firewall toward the Internet.)
4.1 Implementing Server-Based TACACS+ Dialup Authentication
The following section focuses on server-based dialup authentication configuration. In this context,
server-based refers to actions dependent upon an external AAA server. These actions are described in
a series of general steps along with related commands, server configurations, and diagnostic steps as
appropriate. Figure 4-2 illustrates a simplified TACACS+ server-based dial environment.
Figure 4-2 Server-Based Dial Environment (TACACS+)
(Figure; components shown: server-based dial access client, modem, PSTN, IP network, AAA server.)
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authentication on NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot authentication from the AAA server.
5. Verify and troubleshoot PPP authentication from the NAS.
Step 1
Configure TACACS+ server-based authentication on NAS.
Include the following Cisco IOS configuration commands in your configuration to enforce server-based
dial access authentication control with TACACS+:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default if-needed group tacacs+
!
tacacs-server host 172.22.53.101 key ciscorules
Note
See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
Step 2
Configure a user profile in the database.
Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u tac_dial -pw pap,ciscorules -a
'service=ppp{\n protocol=ip{\n set addr-pool=default \n set inacl=110 \n}\n protocol=lcp
{\n }\n }\n'
Caution
When entering AddProfile to create users or groups, it is possible to successfully create
users or groups that have invalid database parameters that result in profile errors viewable
in /var/log/csuslog.
Step 3
Verify the AAA server-based user configuration.
Enter this server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u tac_dial
user = tac_dial{
profile_id = 23
profile_cycle = 1
password = pap "********"
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}
}
Step 4
Verify and troubleshoot authentication from the AAA server.
Enter the tail command:
<CSUserver>$tail -f /var/log/csuslog
Note
See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for a
description of relevant diagnostic output.
Step 5
Verify and troubleshoot PPP authentication from the NAS.
Enter the debug aaa authentication and debug ppp authentication commands to confirm
authentication from the NAS perspective.
Note
See “C.1 Server-Based TACACS+ Dialup Authentication Diagnostics” for
relevant diagnostic output.
4.2 Implementing Server-Based TACACS+ Dialup Authorization
This section focuses on implementing server-based dialup authorization and presents applicable
configuration segments, server commands and file listings, and diagnostic steps.
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authorization on the NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.
5. Verify and troubleshoot shell-initiated PPP authorization on the NAS.
Step 1
Configure TACACS+ server-based authorization on the NAS.
Include the following Cisco IOS configuration commands in your configuration to enforce server-based
dial access authorization with TACACS+:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication ppp default if-needed group tacacs+
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization network default group tacacs+ if-authenticated
!
tacacs-server host x.x.x.x key ciscorules
Note
See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
Step 2
Configure a user profile in the database.
Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u dialtest -pw des,ciscorules -pw
pap,ciscorules -a 'service=shell{\ndefault cmd=permit\n}\nservice=ppp{\n protocol=ip{\n
set addr-pool=default \n set inacl=110 \n}\n protocol=lcp {\n }\n }\n'
Step 3
Verify the AAA server-based user configuration.
Enter this UNIX server command to view the AAA server-based user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dialtest
An example of a ViewProfile output of the user profile looks like this:
User Profile Information
user = dialtest{
profile_id = 25
profile_cycle = 1
password = pap "********"
service=shell {
default_cmd=permit
}
service=ppp {
protocol=ip {
set addr-pool=default
set inacl=110
}
protocol=lcp {
}
}
}
Step 4
Verify and troubleshoot a shell-initiated PPP session authorization from the AAA server.
Enter the following UNIX server command to confirm that the authorization is operating correctly:
<CSUServer>$tail -f /var/log/csuslog
Note
See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”
Step 5
Verify and troubleshoot shell-initiated PPP authorization on the NAS.
Enter the debug aaa authorization command to verify server-based authorization is operating correctly
for dial access.
Note
See “C.2 Server-Based TACACS+ Dialup Authorization Diagnostics.”
4.3 Implementing Server-Based RADIUS Dialup Authentication
This section focuses on configuring server-based RADIUS dialup authentication. In this context,
server-based refers to actions that depend on an external AAA server. Figure 4-3 illustrates a
simplified server-based dial environment.
These steps help you to accomplish the following tasks:
1. Configure RADIUS server-based authentication on access server.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Enter the debug aaa authentication and debug ppp authorization commands to confirm
authentication from NAS perspective.
Figure 4-3 Server-Based Dial Environment (RADIUS)
(Figure; components shown: server-based dial access client, modem, PSTN, IP network, AAA server.)
Step 1
Configure RADIUS server-based authentication on access server.
Include the following Cisco IOS configuration commands in your configuration to enforce server-based
dial access authentication control with RADIUS:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
ip tcp header-compression passive
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 48
!
line 1 48
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output lat pad telnet rlogin udptn v120 lapb-ta
radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
Note
See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
Step 2
Configure a user profile in the database.
a. Create a RADIUS NAS configuration by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u NAS.172.22.53.105 -a
'NASName="172.22.53.105"\nSharedSecret="ciscorules"\nRadiusVendor="Cisco"\nDictionary
="DICTIONARY.Cisco"\n }\n'
b. Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules
-a 'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n}\n}\n'
Description of attributes specified in AddProfile configuration:
– 6=2 (meaning Framed-Protocol=ppp)
– 7=1 [meaning User-Service-Type (Framed-User)]
Step 3
Verify the AAA server-based user configuration.
a. Enter this server command to view the AAA server-based NAS configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u NAS.172.22.53.105
User Profile Information
user = NAS.172.22.53.105{
profile_id = 76
profile_cycle = 1
NASName="172.22.53.105" {
SharedSecret="ciscorules"
RadiusVendor="Cisco"
Dictionary="DICTIONARY.Cisco"
}
}
b. Enter this command to verify the AAA server user configuration:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
}
}
}
Step 4
Enter the debug aaa authentication and debug ppp authorization commands to confirm
authentication from NAS perspective.
Note
See “C.3 Server-Based RADIUS Dialup Authentication Diagnostics.”
4.4 Implementing Server-Based RADIUS Dialup Authorization
These steps help you to accomplish the following tasks:
1. Configure RADIUS server-based authorization on the NAS.
2. Configure a user profile in the database.
3. Verify the AAA server-based user configuration.
4. Verify and troubleshoot RADIUS network authorization on the NAS.
5. Verify that access-list 110 is assigned to user rad_dial with the show caller user command.
Step 1
Configure RADIUS server-based authorization on the NAS.
Include the following Cisco IOS configuration commands in your configuration to enforce RADIUS
authorization assigning access-list 110 to the user, rad_dial:
aaa new-model
aaa authentication login default group radius
aaa authentication ppp default if-needed group radius
aaa authorization exec default group radius
aaa authorization network default group radius if-authenticated
!
radius-server host 172.22.53.201 auth-port 1645 acct-port 1646 key ciscorules
!
access-list 110 permit tcp any any eq telnet
access-list 110 permit tcp any any eq ftp
access-list 110 permit tcp any any eq ftp-data
access-list 110 deny tcp any any
Note
See “A.3 NAS AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
Step 2
Configure a user profile in the database.
Create a user in the AAA server by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rad_dial -pw pap,ciscorules -a
'radius=Cisco{\n reply_attributes={\n 6=2 \n 7=1 \n 9,1="ip:inacl=110"}\n}\n'
Step 3
Verify the AAA server-based user configuration.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 62
profile_cycle = 1
password = pap "********"
radius=Cisco {
reply_attributes= {
6=2
7=1
9,1="ip:inacl=110"
}
}
}
Note
The Cisco AVP inacl=110 is included to enable an input access-list.
Step 4
Verify and troubleshoot RADIUS network authorization on the NAS.
Enter the debug aaa authorization command to verify dial access server-based authorization is
operating correctly for dial access.
Note
See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”
Step 5
Verify that access-list 110 is assigned to user rad_dial with the show caller user command.
Note
See “C.4 Server-Based RADIUS Dialup Authorization Diagnostics.”
4.5 Implementing Server-Based TACACS+ Router Authentication
This section focuses on how to configure and verify TACACS+ Cisco IOS authentication by using a
router and a AAA server. Figure 4-4 illustrates a simplified server-based VTY-access environment for
a router.
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authentication on the router.
2. Configure and verify the group rtr_basic.
3. Create the member rtr_test and assign this user to group rtr_basic.
4. Verify user rtr_test.
5. Log in to the router and verify proper authentication.
Figure 4-4 Server-Based VTY Access (Telnet)
(Figure; components shown: server-based VTY access (Telnet) client, IP network, AAA server.)
Step 1
Configure TACACS+ server-based authentication on the router.
Include the following Cisco IOS configuration commands in your configuration to enforce AAA
server-based command authorization on a router (excluding the console port):
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
login authentication NO_AUTHENT
Note
See “A.2 Router AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
Step 2
Configure and verify the group rtr_basic:
a. Create the group rtr_basic by entering the following AddProfile command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_basic -a
'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added
b. Verify the group rtr_basic by entering the ViewProfile command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_basic
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}
}
Step 3
Create the member rtr_test and assign this user to group rtr_basic.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_test -pw des,ciscorules -pr
rtr_basic
Profile Successfully Added
Step 4
Verify user rtr_test.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_test
User Profile Information
user = rtr_test{
profile_id = 66
profile_cycle = 1
member = rtr_basic
password = des "********"
}
Step 5
Log in to the router and verify proper authentication.
Enter the login command to access the router command interface and monitor the output of debug aaa
authentication from a separate shell session. Monitor the output of the AAA server by consulting the
csuslog file using the tail command.
Note
See “C.5 Server-Based TACACS+ Router Authentication Diagnostics.”
4.6 Implementing Server-Based TACACS+ Router Authorization
The following examples, including authorization-related IOS command listings and AAA server
profiles, illustrate how to define administrative control over Cisco routers. Three administrative groups
are created with low (rtr_low), medium (rtr_tech), and high (rtr_super) access. The default_cmd AVP
(defined in the AAA server profile) is used to control access to privilege level 15 commands. In this
case, privilege level 15 is the highest level of command access privilege allowed and is reserved for
super users or network managers. Table 4-1 compares the Cisco IOS command permissions associated
with each of the administrative groups defined in this section.
Table 4-1 Group Profile Command Summary
Cisco IOS Command                                  rtr_super   rtr_tech    rtr_low
debug all                                          Denied      Denied      Denied
debug *                                            Permitted   Permitted   Denied
clear *                                            Permitted   Permitted   Denied
reload                                             Permitted   Denied      Denied
show running-config, write terminal                Permitted   Denied      Denied
copy running-config startup-config, write memory   Permitted   Permitted   Denied
configure terminal                                 Permitted   Denied      Denied
Figure 4-5 provides a flowchart that depicts AAA server-based authentication and authorization
between a router and an AAA server. Troubleshooting and verifying is divided into three stages:
authentication, EXEC authorization, and command authorization. Each stage is accompanied by
information particular to that stage:
• Cisco IOS configuration fragments (on left)
• Troubleshooting and verification methods for the router and AAA server (on right)
Figure 4-5 TACACS+ Authentication and Authorization Verification Methodology
(Flowchart; the text recovered from the figure is summarized here by stage. Each stage shows the Cisco IOS client decision flow, the Cisco IOS configuration fragment, and the troubleshoot/verify methods.)
Authentication
Decision flow: router user requests login to TACACS+ server; did authentication succeed? No: troubleshoot/verify. Yes: EXEC authorization.
Cisco IOS configuration fragment:
aaa new-model
aaa authentication login default group tacacs+
tacacs-server host ip-address key secret-key
Troubleshoot/verify from the Cisco IOS client: debug aaa authentication
Troubleshoot/verify from the AAA server: tail -f /var/log/csuslog; verify user (user=rtr_geek, password=des)
EXEC Authorization
Decision flow: AAA authorization begins (EXEC); did authorization succeed? No: troubleshoot/verify. Yes: command authorization.
Cisco IOS configuration fragment:
aaa authorization exec default group tacacs+ if-authenticated
Troubleshoot/verify from the Cisco IOS client: debug aaa authorization
Troubleshoot/verify from the AAA server: tail -f /var/log/csuslog; verify user or group (service=shell)
Command Authorization
Decision flow: AAA command authorization begins; did authorization succeed? No: troubleshoot/verify. Yes: AAA accounting begins.
Cisco IOS configuration fragment:
aaa authorization commands 15 default tacacs+ if-authenticated
Troubleshoot/verify from the Cisco IOS client: debug aaa authorization
Troubleshoot/verify from the AAA server: tail -f /var/log/csuslog; verify user or group (default_cmd=permit, or priv_lvl=15, or cmd=permit)
These steps help you to accomplish the following tasks:
1. Configure TACACS+ server-based authorization from the console port on the router.
2. Configure, verify, and test operation of the AAA server group rtr_low.
3. Configure, verify, and test operation of the AAA server group rtr_tech.
4. Configure, verify, and test operation of the AAA server group rtr_super.
Note
Some versions of boot ROMs do not recognize all AAA commands. Be sure to
disable AAA authentication and authorization before changing to boot ROM
mode. For configuration notes regarding disabling AAA to access boot ROM
mode, see Appendix B, “AAA Impact on Maintenance Tasks.”
Step 1
Configure TACACS+ server-based authorization from the console port on the router.
Include the following Cisco IOS configuration commands in your configuration to enforce router-based
security with TACACS+:
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization exec default group tacacs+
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHENT
Note
See “A.2 Router AAA Command Implementation Descriptions” in Appendix A,
“AAA Device Configuration Listings” for notes regarding key Cisco IOS AAA
commands.
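The fragment above mixes the default method lists (which bind to every line that has no explicit list) with the named lists NO_AUTHENT and NO_AUTHOR that are applied only to the console. Working out which list actually governs a given line is where mistakes happen, so the following Python is an added example, not part of the original case study, that parses a fragment of this shape and reports the effective methods per line. The grammar it accepts is an assumption limited to the statements used in this chapter (login authentication, exec and command authorization, and line bindings); the real IOS grammar is much larger. The sample input is the Step 1 fragment itself, and the check for "vty 0 4" assumes such a line block exists with no explicit binding, as in the fragment.

```python
from typing import Dict, List, Tuple

# Assumed, simplified grammar (a subset of IOS):
#   aaa authentication login <list> <method>...
#   aaa authorization exec <list> <method>...
#   aaa authorization commands <level> <list> <method>...
#   line <type> <range>, followed by "login authentication <list>",
#   "authorization exec <list>" or "authorization commands <level> <list>".
# A method is "group <name>", "local", "none", "enable", "line" or "if-authenticated".

MethodLists = Dict[str, Dict[str, List[str]]]   # kind -> list name -> methods
LineBindings = Dict[str, Dict[str, str]]        # line -> kind -> list name


def _methods(tokens: List[str]) -> List[str]:
    """Turn ['group', 'tacacs+', 'local'] into ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append(f"group {tokens[i + 1]}")
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa_config(config: str) -> Tuple[MethodLists, LineBindings]:
    lists: MethodLists = {}
    lines: LineBindings = {}
    current = None                      # name of the open "line ..." block, if any
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if parts[:3] == ["aaa", "authentication", "login"]:
            lists.setdefault("login", {})[parts[3]] = _methods(parts[4:])
        elif parts[:3] == ["aaa", "authorization", "exec"]:
            lists.setdefault("exec", {})[parts[3]] = _methods(parts[4:])
        elif parts[:3] == ["aaa", "authorization", "commands"]:
            lists.setdefault(f"commands {parts[3]}", {})[parts[4]] = _methods(parts[5:])
        elif parts[0] == "line":
            current = " ".join(parts[1:])
            lines[current] = {}
        elif current is not None and parts[:2] == ["login", "authentication"]:
            lines[current]["login"] = parts[2]
        elif current is not None and parts[:2] == ["authorization", "exec"]:
            lines[current]["exec"] = parts[2]
        elif current is not None and parts[:2] == ["authorization", "commands"]:
            lines[current][f"commands {parts[2]}"] = parts[3]
        else:
            current = None              # any other top-level statement closes the line block
    return lists, lines


def effective_methods(config: str, line: str, kind: str) -> List[str]:
    """Methods applied to `kind` ('login', 'exec', 'commands 15') on `line`.
    A line without an explicit binding uses the 'default' list; a list that is
    not configured is reported as [] (IOS's own behaviour in that case is
    outside this example)."""
    lists, lines = parse_aaa_config(config)
    name = lines.get(line, {}).get(kind, "default")
    return lists.get(kind, {}).get(name, [])


def server_only(methods: List[str]) -> bool:
    """True when every method is an external server group, i.e. nothing local,
    none or enable is left to fall back on if the AAA server is unreachable."""
    return bool(methods) and all(m.startswith("group ") for m in methods)


# Sample input: the Step 1 fragment above.
STEP1_CONFIG = """
aaa new-model
aaa authentication login default group tacacs+
aaa authentication login NO_AUTHENT none
aaa authorization commands 15 NO_AUTHOR none
aaa authorization exec default group tacacs+
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
!
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
tacacs-server host 172.22.53.201 key ciscorules
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
"""


def report(config: str, check_lines=("con 0", "vty 0 4")) -> Dict[str, Dict[str, List[str]]]:
    """Effective method lists per line and kind ("vty 0 4" is assumed to exist)."""
    return {ln: {k: effective_methods(config, ln, k) for k in ("login", "exec", "commands 15")}
            for ln in check_lines}


if __name__ == "__main__":
    for ln, kinds in report(STEP1_CONFIG).items():
        for kind, methods in kinds.items():
            flag = "  <- server only, no fallback" if server_only(methods) else ""
            print(f"line {ln:8} {kind:12} {methods}{flag}")
```

For the Step 1 fragment the report shows the console governed by the `none` lists and every other line by `group tacacs+` alone; the `server_only` flag is the point to look at, since Chapter 5's NAS fragment appends `local` to its RADIUS lists for exactly that reason.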
Step 2
Configure, verify, and test operation of the AAA server group rtr_low.
The following steps illustrate configuring, verifying, and testing group rtr_low for compliance with the
requirements specified in Table 4-1:
a. Create the group rtr_low.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_low -a
'service=shell{\ndefault cmd=deny\n}\n'
Profile Successfully Added
b. Verify the group rtr_low.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_low
Group Profile Information
group = rtr_low{
profile_id = 66
profile_cycle = 1
service=shell {
default cmd=deny
}
}
c. Create the member rtr_dweeb and assign this user to group rtr_low.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_dweeb -pr rtr_low -pw
des,ciscorules
Profile Successfully Added
d. Verify the user rtr_dweeb.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_dweeb
User Profile Information
user = rtr_dweeb{
profile_id = 66
profile_cycle = 1
member = rtr_low
password = des "********"
}
e. Test the Cisco IOS commands for the user rtr_dweeb (see Table 4-1), with these actions:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_dweeb account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog
Note
See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”
Step 3
Configure, verify, and test operation of the AAA server group rtr_tech.
The following tasks illustrate configuring, verifying, and testing group rtr_tech for compliance with the
requirements specified in Table 4-1:
a. Create the group rtr_tech.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_tech -a 'service=shell
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\ncmd=reload{\ndeny
all\n}\ncmd=configure{\ndeny .*}\n}\n'
b. Verify the group rtr_tech.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_tech
Group Profile Information
group = rtr_tech{
profile_id = 47
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
cmd=reload {
deny all
}
cmd=configure {
deny .*
}
}
}
c. Create the member rtr_techie and assign this user to group rtr_tech.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_techie -pr rtr_tech -pw
des,ciscorules
Profile Successfully Added
d. Verify the user rtr_techie.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_techie
User Profile Information
user = rtr_techie{
profile_id = 39
profile_cycle = 1
member = rtr_tech
password = des "********"
}
e. Test the Cisco IOS commands for the user rtr_techie (see Table 4-1) with these actions:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_techie account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog
Note
See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”
Step 4
Configure, verify, and test operation of the AAA server group rtr_super.
The following tasks illustrate configuring, verifying, and testing group rtr_super for compliance with
the requirements specified in Table 4-1:
a. Create the group rtr_super.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -g rtr_super -a 'service=shell
{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n'
Profile Successfully Added
b. Verify the group rtr_super.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g rtr_super
Group Profile Information
group = rtr_super{
profile_id = 40
profile_cycle = 1
service=shell {
default cmd=permit
cmd=debug {
deny all
permit .*
}
}
}
c. Create the member rtr_geek and assign this user to group rtr_super.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/AddProfile -p 9900 -u rtr_geek -pr rtr_super -pw
des,ciscorules
Profile Successfully Added
d. Verify the user rtr_geek.
Enter the following command:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rtr_geek
User Profile Information
user = rtr_geek{
profile_id = 45
profile_cycle = 1
member = rtr_super
password = des "********"
}
e. Test the Cisco IOS commands for the user rtr_geek (see Table 4-1) with these commands:
– Simultaneously monitor the output of debug aaa authorization from a console shell session
and the AAA server csuslog file.
– Log in to the router by using a new terminal window with the rtr_geek account and enter the
commands shown in Table 4-1.
– From the AAA server, enter the following command to obtain the matching csuslog content:
<CSUserver>$tail -f /var/log/csuslog
Note
See “C.6 Server-Based TACACS+ Router Authorization Diagnostics.”
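Steps 2 to 4 define the three groups whose command permissions Table 4-1 summarizes, and the only way the text offers to check the outcome is to log in and try each command. The following Python is an added example, not part of the original case study or of CiscoSecure, that parses the service=shell strings given to AddProfile in those steps and evaluates a command line against them, so that the expected rows of Table 4-1 can be computed before anyone logs in. The matching rule is an assumption, not documented server behaviour: a command with no cmd= block takes the default; otherwise the permit/deny patterns are tried in order as unanchored regular-expression searches over the argument string, and a block in which nothing matches denies. For the commands tested here the model reproduces the corresponding rows of Table 4-1.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ShellProfile:
    """The service=shell section of a CiscoSecure user or group profile."""
    default_permit: bool = False
    cmds: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)


def parse_shell_profile(text: str) -> ShellProfile:
    """Parse the service=shell{...} string passed to AddProfile -a. Accepts the
    literal backslash-n escapes exactly as typed on the command line."""
    text = text.replace("\\n", "\n").replace("{", "\n{\n").replace("}", "\n}\n")
    prof, current, depth = ShellProfile(), None, 0
    for tok in (ln.strip() for ln in text.splitlines()):
        if not tok:
            continue
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
            if depth <= 1:
                current = None          # leaving a cmd=... block
        elif tok == "service=shell":
            continue
        elif tok.startswith(("default cmd=", "default_cmd=")):
            prof.default_permit = tok.split("=", 1)[1].strip() == "permit"
        elif tok.startswith("cmd="):
            current = tok[4:].strip()
            prof.cmds.setdefault(current, [])
        elif current is not None and tok.split()[0] in ("permit", "deny"):
            action, pattern = tok.split(None, 1)
            prof.cmds[current].append((action, pattern))
        else:
            raise ValueError(f"unexpected profile token: {tok!r}")
    return prof


def authorize(prof: ShellProfile, command_line: str) -> bool:
    """Assumed rule (see lead-in): no cmd= block -> default; otherwise first
    matching unanchored regex search over the arguments decides; no match -> deny."""
    cmd, _, args = command_line.strip().partition(" ")
    rules = prof.cmds.get(cmd)
    if rules is None:
        return prof.default_permit
    for action, pattern in rules:
        if re.search(pattern, args):
            return action == "permit"
    return False


# Group profiles copied from the AddProfile commands in Steps 2 to 4 above.
PROFILES = {
    "rtr_super": r'service=shell{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n}\n',
    "rtr_tech": r'service=shell{\ndefault cmd=permit\ncmd=debug {\ndeny all\npermit .*\n}\n'
                r'cmd=reload{\ndeny all\n}\ncmd=configure{\ndeny .*}\n}\n',
    "rtr_low": r'service=shell{\ndefault cmd=deny\n}\n',
}


def permission_table(commands: List[str]) -> Dict[str, Dict[str, str]]:
    """Permitted/Denied per command and group, in the layout of Table 4-1."""
    groups = {name: parse_shell_profile(raw) for name, raw in PROFILES.items()}
    return {c: {g: ("Permitted" if authorize(p, c) else "Denied") for g, p in groups.items()}
            for c in commands}


if __name__ == "__main__":
    rows = permission_table(["debug all", "debug ip packet", "clear line 1",
                             "reload", "configure terminal", "write memory"])
    for cmd, row in rows.items():
        print(f"{cmd:20} " + "  ".join(f"{g}={v}" for g, v in row.items()))
```

One consequence of the assumed search semantics is worth checking against your own server: a pattern such as `deny all` also matches any argument string that merely contains "all" (the model denies `debug callback` to rtr_super for that reason), so if the server behaves the same way, anchored patterns such as `^all$` express the intent of Table 4-1 more precisely.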
Chapter 5
Implementing Server-Based AAA Accounting
This chapter focuses on the following two topics:
• 5.1 Implementing Server-Based TACACS+ Dial Accounting
• 5.2 Implementing Server-Based TACACS+ Router Accounting
Caution
The example configuration fragments used throughout this chapter include IP addresses,
passwords, authentication keys, and other variables that are specific to this case study. If
you use these fragments as foundations for your own configurations, be sure that your
specifications apply to your environment.
Note
See “1.1 AAA Technology Summary,” in Chapter 1 for brief definitions of authentication,
authorization, and accounting as they relate to AAA security implementation.
5.1 Implementing Server-Based TACACS+ Dial Accounting
The information compiled by the Cisco IOS client focuses on the performance of intermediate systems
in terms of AAA accounting packet output, disconnect cause codes, elapsed time, packets in/out, and
other useful information. This section addresses configuring server-based TACACS+ accounting on the
AAA server and the Cisco IOS client or network access server (NAS).
Note
TACACS+ is used for accounting, even though RADIUS is used to support the dialup
clients.
These steps help you to accomplish the following tasks:
1. Configure the server-based TACACS+ dial accounting on the AAA server.
2. Configure server-based TACACS+ dial accounting on the NAS.
3. Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to
Oracle dB instance.
4. Verify AAA accounting from the NAS.
Step 1
Configure the server-based TACACS+ dial accounting on the AAA server.
Include the following configuration line in /opt/ciscosecure/CLI/config/CSU.cfg to enable group
membership accounting:
config_acct_fn_enable = 1
For detailed information about accounting, go to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xtocid84517
Step 2
Configure server-based TACACS+ dial accounting on the NAS.
Include the following Cisco IOS commands in your configuration file to support dialup authentication,
authorization, and accounting.
aaa new-model
aaa authentication login default group radius local
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default stop-only group radius
aaa accounting network default stop-only group radius
Step 3
Verify and troubleshoot server-based accounting from the AAA server by using an SQL query to Oracle
dB instance.
The following examples illustrate the use of SQL queries to monitor user rad_dial being
disconnected because of the idle time configured with the line configuration session-timeout
command in the NAS:
<CSUServer>$/export/home/oracle> sqlplus
SQL*Plus: Release 3.3.4.0.1 - Production on Mon Apr 17 17:41:52 2000
Copyright (c) Oracle Corporation 1979, 1996. All rights reserved.
Enter user-name:csecure/csecure@ciscoaus
Connected to:
Oracle7 Server Release 7.3.4.0.1 - Production
PL/SQL Release 2.3.4.0.0 - Production
SQL> select * from cs_accounting_log where blob_data like '%rad_dial%';
LOG_ID BLOB_ORDINAL BLOB_DATA
-------------------------------------------------------------------------------
172.22.87.3
rad_dial
Async20 65004
stop
server=danvers time=17:36:33
date=04/17/2000
task_id=40
timezone=CST
service=ppp
protocol=ip
addr=172.22.83.12
disc-cause=4
disc-cause-ext=1021
pre-bytes-in=132
pre-bytes-out=139 pre-paks-in=5
pre-paks-out=7 bytes_i
Note
The disc-cause and disc-cause-ext output both reflect idle timeouts from
Table 5-1 listed in “5.3 AAA Disconnect Cause Code Descriptions” in this
chapter.
Step 4
Verify AAA accounting from the NAS.
Review and verify user rad_dial disconnecting session from the NAS by using the Cisco IOS
show caller user and debug aaa accounting commands.
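The SQL query above returns the accounting record as one blob_data string, which is fine for a one-off check but awkward when reviewing many sessions. The following Python is an added example, not part of the original case study or of CiscoSecure, that parses records laid out like that blob (NAS address, user, port, an unnamed fourth field, the record type, then attr=value pairs) and selects stop records whose disconnect cause is the idle-timeout code seen in this section. The two sample records are constructed: the stop record reproduces the fields visible in the query output and invents the counters from bytes_in onward (the page's listing is truncated there), the start record is invented entirely, and only the two cause codes that the NAS debug output in this section labels "Idle Timeout" are mapped.

```python
from typing import Dict, List

# Constructed sample records in the layout of the blob_data column above.
SAMPLE_RECORDS = [
    "172.22.87.3 rad_dial Async20 65004 stop server=danvers time=17:36:33 "
    "date=04/17/2000 task_id=40 timezone=CST service=ppp protocol=ip "
    "addr=172.22.83.12 disc-cause=4 disc-cause-ext=1021 pre-bytes-in=132 "
    "pre-bytes-out=139 pre-paks-in=5 pre-paks-out=7 bytes_in=2048 bytes_out=4096 "
    "paks_in=30 paks_out=35 elapsed_time=900",
    # Constructed start record for the same task: start records carry no disconnect cause.
    "172.22.87.3 rad_dial Async20 65004 start server=danvers time=17:21:31 "
    "date=04/17/2000 task_id=40 timezone=CST service=ppp",
]

# Only the codes confirmed by the NAS debug output in this section are mapped;
# anything else is reported as unmapped rather than guessed.
DISC_CAUSE = {4: "Idle Timeout"}
DISC_CAUSE_EXT = {1021: "Idle Timeout"}

# Positional fields before the attr=value run; the page does not name the fourth one.
FIXED_FIELDS = ["nas", "user", "port", "field4", "type"]


def parse_record(record: str) -> Dict[str, str]:
    """Split one accounting record into a dict of positional and attr=value fields."""
    tokens = record.split()
    rec = dict(zip(FIXED_FIELDS, tokens[:len(FIXED_FIELDS)]))
    for tok in tokens[len(FIXED_FIELDS):]:
        key, sep, value = tok.partition("=")
        if sep:
            rec[key] = value
    return rec


def describe_disconnect(rec: Dict[str, str]) -> str:
    """Readable disconnect reason for a stop record, 'n/a' for anything else."""
    if rec.get("type") != "stop" or "disc-cause" not in rec:
        return "n/a"
    cause = int(rec["disc-cause"])
    ext = int(rec.get("disc-cause-ext", -1))
    return (f"{cause}/{DISC_CAUSE.get(cause, 'unmapped')}"
            f" ext {ext}/{DISC_CAUSE_EXT.get(ext, 'unmapped')}")


def session_totals(rec: Dict[str, str]) -> Dict[str, int]:
    """Byte, packet and time counters from a stop record (0 when absent)."""
    keys = ("bytes_in", "bytes_out", "paks_in", "paks_out", "elapsed_time")
    return {k: int(rec.get(k, 0)) for k in keys}


def idle_timeout_stops(records: List[str]) -> List[Dict[str, str]]:
    """Stop records whose disconnect cause is the idle-timeout code (4)."""
    return [r for r in map(parse_record, records)
            if r.get("type") == "stop" and r.get("disc-cause") == "4"]


if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE_RECORDS):
        print(rec["type"], rec["user"], rec["port"], describe_disconnect(rec), session_totals(rec))
```

Feeding it the blob_data column from the query above (one record per row) gives a per-session view of who was disconnected for idling, which is the check Step 4 performs by hand on the NAS with show caller user.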
The following example illustrates local accounting diagnostic output in which user rad_dial is disconnected because of a line configuration session-timeout command configured in the NAS:
Note
User rad_dial dials into maui-nas-03. Note that the session-timeout was applied.
maui-nas-03#show caller user rad_dial detail
User: rad_dial, line tty 20, service Async
        Active time 00:00:47, Idle time 00:00:00
Timeouts:        Absolute  Idle      Idle      Session   Exec
  Limits:        04:00:00  00:15:00  00:48:00
  Disconnect in: 03:59:12  00:14:59
TTY: Line 20, running PPP on As20
Location: PPP: 172.22.83.12
DS0: (slot/unit/channel)=0/0/2
Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
Status: Ready, Active, No Exit Banner, Async Interface Active
  HW PPP Support Active, Modem Detected
Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
  Modem Callout, Modem RI is CD,
  Line usable as async interface, Modem Autoconfigure
  Integrated Modem
Modem State: Ready, Modem Configured
User: rad_dial, line As20, service PPP
        Active time 00:00:44, Idle time 00:00:08
Timeouts:        Absolute  Idle
  Limits:                  00:15:00
  Disconnect in:           00:14:50
User rad_dial is disconnected after 15 minutes of inactivity and an accounting packet is sent to the AAA
Server:
maui-nas-03#show debug
General OS:
  AAA Accounting debugging is on
*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout"
*Apr 17 17:36:35.262 CST: AAA/ACCT/ACCT_DISC: Found list "default"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC: 4/"Idle Timeout"
*Apr 17 17:36:35.262 CST: Async20 AAA/DISC/EXT: 1021/"Idle Timeout"
Note
The disc-cause and disc-cause-ext both reflect idle timeouts from Table 5-1 listed in “5.3 AAA Disconnect Cause Code Descriptions” in this chapter.
5.2 Implementing Server-Based TACACS+ Router Accounting
These steps help you to accomplish the following tasks:
1. Configure the server-based TACACS+ router accounting on the AAA server.
2. Configure server-based TACACS+ EXEC and command level accounting on the router.
3. Verify and troubleshoot server-based accounting from the AAA Server with an SQL query to the Oracle dB instance.
4. Verify and troubleshoot server-based accounting operation from the router.
Step 1
Configure the server-based TACACS+ router accounting on the AAA server.
config_acct_fn_enable = 1
For detailed accounting performance, go to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23ug/acctg.htm#xtocid84517
Step 2
Configure server-based TACACS+ EXEC and command level accounting on the router.
Include the following Cisco IOS commands in your configuration file to enable router EXEC and command AAA authentication, authorization, and accounting:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHEN
Note
Authentication and authorization are disabled on the console port with the use of the NO_AUTHEN and NO_AUTHOR named lists.
Step 3
Verify and troubleshoot server-based accounting from the AAA Server with an SQL query to the Oracle dB instance.
The following example illustrates the use of the SQL query select command to monitor user rtr_geek entering the configure terminal privilege level 15 command:
SQL> select * from cs_accounting_log where blob_data like '%rtr_geek%';
LOG_ID BLOB_ORDINAL BLOB_DATA
-------------------------------------------------------------------------------
Mon Apr 17 14:06:27 2000
Client-Id = 172.22.80.3
Client-Port-Id = 0
NAS-Port-Type = Async
User-Name = "rtr_geek"
Acct-Status-Type = Stop
LOG_ID BLOB_ORDINAL BLOB_DATA
-------------------------------------------------------------------------------
172.22.87.3 rtr_geek tty0 async stop server=danvers time=18:10:02
date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15
cmd=configure terminal <cr>
Step 4
Verify and troubleshoot server-based accounting operation from the router.
Enter the configure terminal command to test AAA accounting behavior as follows (be sure the debug aaa accounting command is enabled):
maui-nas-03#show debug
General OS:
  AAA Accounting debugging is on
maui-nas-03#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
maui-nas-03(config)#^Z
This debug command output results from entering the configure terminal command:
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: User rtr_geek, Port tty0, Priv 15:
  "configure terminal <cr>"
*Apr 17 18:14:45.722 CST: AAA/ACCT/CMD: Found list "default"
*Apr 17 18:14:45.726 CST: AAA/ACCT: user rtr_geek, acct type 3 (1057208544): Method=tacacs+ (tacacs+)
*Apr 17 18:14:45.930 CST: TAC+: (1057208544): received acct response status = SUCCESS
5.3 AAA Disconnect Cause Code Descriptions
Table 5-1 lists the disconnect codes reported by Cisco AAA accounting records. The disconnect cause
codes are referred to in “5.1 Implementing Server-Based TACACS+ Dial Accounting.”
Table 5-1    AAA Disconnect Cause Code Listings
Disconnect Cause Code    Description
1                        User Request
2                        Lost Carrier
3                        Lost Service
4                        Idle Timeout
5                        Session Timeout
6                        Admin Reset
7                        Admin Reboot
8                        Port Error
9                        NAS Error
10                       NAS Request
11                       NAS Reboot
12                       Port Unneeded
13                       Port Preempted
14                       Port Suspended
15                       Service Unavailable
16                       Callback
17                       User Error
18                       Host Request
1002                     Unknown
1004                     CLID Auth Fail
1010                     No Carrier
1011                     AAA_VAL_DISC_LOST_CARR
1012                     No Modem result codes
1020                     AAA_VAL_DISC_USER_REQ
1021                     AAA_VAL_DISC_IDL_TIMOUT
1022                     Exited Telnet
1023                     Peer has No IPADDR
1024                     AAA_VAL_DISC_LOST_SERV
1025                     Password failure
1026                     TCP Disabled
1027                     Control-C Detected
1028                     AAA_VAL_DISC_HOST_REQ
1040                     LCP Neg Timeout
1041                     LCP Neg Failed
1042                     PAP Auth Failed
1043                     CHAP Auth Failed
1044                     Remote Auth Failed
1045                     Received Terminate
1046                     Upper Layer Req Close
1100                     AAA_VAL_DISC_SES_TIMOUT
1101                     Fail Security
1102                     AAA_VAL_DISC_CALLBACK
1120                     AAA_VAL_DISC_SERV_UNAVAIL
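The following Python script is an added example, not part of this document or of CiscoSecure: it parses BLOB_DATA rows of the form returned by the cs_accounting_log queries in 5.1 Step 3 and 5.2 Step 3 and decodes disc-cause and disc-cause-ext with Table 5-1. The sample rows are constructed from the two records in this chapter, and the names given to the five positional fields (nas, user, port, rem_addr, status) are assumptions, since the page shows their values but not their names.

```python
"""Parse CSU cs_accounting_log BLOB_DATA rows and decode the disconnect
cause codes with Table 5-1.  Added example; not CiscoSecure code."""
import re
from typing import Dict, List, Optional, Tuple

# Table 5-1, AAA Disconnect Cause Code Listings, as one lookup table.
DISC_CODES = {
    1: "User Request", 2: "Lost Carrier", 3: "Lost Service", 4: "Idle Timeout",
    5: "Session Timeout", 6: "Admin Reset", 7: "Admin Reboot", 8: "Port Error",
    9: "NAS Error", 10: "NAS Request", 11: "NAS Reboot", 12: "Port Unneeded",
    13: "Port Preempted", 14: "Port Suspended", 15: "Service Unavailable",
    16: "Callback", 17: "User Error", 18: "Host Request", 1002: "Unknown",
    1004: "CLID Auth Fail", 1010: "No Carrier", 1011: "AAA_VAL_DISC_LOST_CARR",
    1012: "No Modem result codes", 1020: "AAA_VAL_DISC_USER_REQ",
    1021: "AAA_VAL_DISC_IDL_TIMOUT", 1022: "Exited Telnet",
    1023: "Peer has No IPADDR", 1024: "AAA_VAL_DISC_LOST_SERV",
    1025: "Password failure", 1026: "TCP Disabled", 1027: "Control-C Detected",
    1028: "AAA_VAL_DISC_HOST_REQ", 1040: "LCP Neg Timeout",
    1041: "LCP Neg Failed", 1042: "PAP Auth Failed", 1043: "CHAP Auth Failed",
    1044: "Remote Auth Failed", 1045: "Received Terminate",
    1046: "Upper Layer Req Close", 1100: "AAA_VAL_DISC_SES_TIMOUT",
    1101: "Fail Security", 1102: "AAA_VAL_DISC_CALLBACK",
    1120: "AAA_VAL_DISC_SERV_UNAVAIL",
}

# Constructed sample rows modelled on the two BLOB_DATA records in this
# chapter (rad_dial idle timeout, rtr_geek command accounting) plus one
# lost-carrier record; the truncated "bytes_i" tail is left out.
SAMPLE_BLOBS = [
    "172.22.87.3 rad_dial Async20 65004 stop server=danvers time=17:36:33 "
    "date=04/17/2000 task_id=40 timezone=CST service=ppp protocol=ip "
    "addr=172.22.83.12 disc-cause=4 disc-cause-ext=1021 pre-bytes-in=132 "
    "pre-bytes-out=139 pre-paks-in=5 pre-paks-out=7",
    "172.22.87.3 rtr_geek tty0 async stop server=danvers time=18:10:02 "
    "date=04/17/2000 task_id=52 timezone=CST service=shell priv-lvl=15 "
    "cmd=configure terminal <cr>",
    "172.22.87.3 rad_dial Async21 65004 stop server=danvers time=09:12:01 "
    "date=04/18/2000 task_id=77 timezone=CST service=ppp protocol=ip "
    "addr=172.22.83.13 disc-cause=2 disc-cause-ext=1011",
]

# key=value, where the value runs up to the next " key=" token so that
# values containing spaces ("cmd=configure terminal <cr>") stay whole.
AV_RE = re.compile(r"(\S+?)=(.*?)(?=\s+\S+=|$)")
# Assumed names for the positional fields that precede the first "=".
HEAD_FIELDS = ["nas", "user", "port", "rem_addr", "status"]


def parse_blob(blob: str) -> Dict[str, str]:
    """Split one BLOB_DATA row into positional fields plus AV pairs."""
    first_eq = blob.find("=")
    split_at = len(blob) if first_eq < 0 else max(blob.rfind(" ", 0, first_eq), 0)
    rec = dict(zip(HEAD_FIELDS, blob[:split_at].split()))
    rec.update(AV_RE.findall(blob[split_at:]))
    return rec


def describe_disconnect(rec: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """(disc-cause text, disc-cause-ext text) per Table 5-1, or None when
    the record carries no disc-cause (e.g. a command accounting record)."""
    if "disc-cause" not in rec:
        return None

    def look(key: str) -> str:
        raw = rec.get(key)
        if raw is None:
            return "n/a"
        return DISC_CODES.get(int(raw), f"unknown code {raw}")

    return look("disc-cause"), look("disc-cause-ext")


def records_for_user(blobs: List[str], username: str) -> List[Dict[str, str]]:
    """Like `where blob_data like '%username%'`, but matched on the parsed
    user field so that 'rad_dial' does not also hit 'rad_dial2'."""
    return [r for r in map(parse_blob, blobs) if r.get("user") == username]


def idle_timeout_stops(blobs: List[str]) -> List[str]:
    """user@port for every stop record whose disc-cause is 4 (Idle Timeout)."""
    return [f"{r['user']}@{r['port']}" for r in map(parse_blob, blobs)
            if r.get("status") == "stop" and r.get("disc-cause") == "4"]


if __name__ == "__main__":
    for rec in records_for_user(SAMPLE_BLOBS, "rad_dial"):
        print(rec["port"], rec["date"], describe_disconnect(rec))
```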
CHAPTER 6
Diagnosing and Troubleshooting AAA Operations
This chapter focuses on diagnosing and troubleshooting negotiations between AAA devices. This
section reviews the case study environment and outlines the protocol flows associated with AAA
negotiations in the context of this network environment. The subsequent sections focus on specific
troubleshooting techniques as follows:
• 6.1 Overview of Authentication and Authorization Processes
• 6.2 Troubleshooting AAA Implementation
• 6.3 AAA Troubleshooting Basics
• 6.4 Troubleshooting Scenarios
6.1 Overview of Authentication and Authorization Processes
Before jumping immediately into troubleshooting AAA problems, it is useful to review authentication
and authorization processes. Figure 6-1 provides the general scenario this case study is built around.
The primary elements of this environment are the AAA server, the AAA database, and the NAS.
Figure 6-1    Basic AAA Case Study Environment
[Figure: the network elements shown are the clients, analog lines, PSTN, PRI lines, modems, a Cisco AS5x00 with integrated modems, the AAA server, the Oracle dB server, a network element management server (NTP, Syslog, SNMP), a DNS server, the IP intranet, the default gateway, the Internet firewall, and the Internet.]
The negotiation suggested in Figure 6-1 is expanded in Figure 6-2 which presents the logical flow of
the authentication and authorization processes and illustrates the relationship between the elements
within the TACACS+ based AAA negotiation. While the network access server (NAS) communicates
directly with the AAA server, the AAA server in turn exchanges information with the Oracle database
server.
Figure 6-2    Dial Access Authentication and Authorization Flow Diagram
[Figure: the network access server sends a TACACS+ query to CiscoSecure ACS, which checks for a valid user, then for a valid password (Password = ?, resolved by an SQL lookup in the Oracle database), then authorization; each stage ends in Pass or Fail, and the result is returned to the network access server.]
The RADIUS dial-access authentication and authorization illustrated in Figure 6-3 describes RADIUS
negotiation between the NAS and the AAA server. User rad_dial is permitted PPP access through
EXEC shell (character mode) or autoselect PPP (packet mode).
Figure 6-3    RADIUS Dial Access Authentication and Authorization Process
[Figure: over network time, the NAS sends an Access request (Send username, password) to the AAA server, which performs authentication and authorization together and returns an Access accept carrying User-Service-Type (Shell-User) or User-Service-Type (Framed-User) with Framed-Protocol = PPP. The AAA server user configuration shown in the figure:]
user=rad_dial{
  password=PAP "****"
  radius=Cisco{
    reply_attributes={
      6=6
      6=2
      7=1
    }
  }
}
Note
Unlike TACACS+, the authentication and authorization processes are not handled as
separate stages in RADIUS-based AAA access control.
Figure 6-4 and Figure 6-5 expand on the basic negotiation flow depicted in Figure 6-2 by illustrating the specific TACACS+ negotiation process associated with particular users, as defined in their respective CSU profiles.
Figure 6-4    TACACS+ Dial Access Authentication and Authorization Session (EXEC Enabled)
[Figure: over network time, between the access server and the AAA server (backed by the Oracle DB). Authentication: Send start, Get user, Send user (user = x), Get pass, Send password, Pass. Authorization for user = x: Send AV service = shell with AV cmd*, Pass; Send AV service = ppp protocol = lcp, Pass; Send AV service = ppp protocol = ip addr-pool = default, Pass. The CSU user configuration shown in the figure:]
user = x
password = PAP
service = shell {
  default_cmd = permit
}
service = shell {
  protocol = ip {
    set addr-pool = default
  }
  protocol = lcp {
  }
}
The difference in authorization behavior stems from the use of two commands in the AAA server user
configurations. The default_cmd=permit command included in the example in Figure 6-4 enables
default privilege level 15 commands for user x.
As configured in Figure 6-4, the session for user x depicts a process that involves either a shell initiated
or a standard PPP session. The same negotiations are used in initiating shell access to a router.
Both figures depict the stages of dial access authentication and authorization sessions between an access
server and an AAA server. The key difference is defined in the CSU user configuration (profiles)
included in each illustration. In Figure 6-4, EXEC shell access authorization is permitted while it is not
permitted in the illustration depicted in Figure 6-5.
Figure 6-5    TACACS+ Dial Access Authentication and Authorization Session (EXEC Shell Disabled)
[Figure: over network time, between the access server and the AAA server (backed by the Oracle database). Authentication: Send start, Get user, Send Abort, Autoselect PPP (user = x), Authenticate peer, Send password, Pass. The LCP request (CONFREQ for options) is followed by network authorization for user = y, service = ppp, protocol = lcp, which returns Pass. The CSU user configuration shown in the figure:]
user = y
password = PAP
service = shell {
  set autocmd = ppp negotiate
}
service = ppp {
  protocol = ip {
    set addr pool = default
  }
  protocol = lcp {
  }
}
The example session illustrated in Figure 6-5 omits the default_cmd=permit AVP and instead includes
the autocmd=ppp negotiate AVP disabling EXEC shell access to IOS devices. User y fails any attempt
to access the router and receives the message PPP not allowed on this interface as a result of the
PPP configuration statement. This distinction provides an element of security, blocking access to
routers.
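As an added illustration of the distinction just described (not code from this document or from CiscoSecure), the following Python script parses CSU user profiles written in the brace syntax of Figures 6-4 and 6-5 and reports which users retain EXEC shell access. The two profiles are constructed after those figures, the password values are placeholders, and the parser accepts only the line-oriented subset of the syntax the figures show.

```python
"""Audit CSU-style TACACS+ user profiles: does 'service = shell' grant an
EXEC shell (default_cmd = permit) or force PPP (autocmd = ppp negotiate)?
Added example; not CiscoSecure code."""
import re
from typing import Dict, List, Tuple

# Constructed sample profiles modelled on Figure 6-4 (user x) and
# Figure 6-5 (user y); the passwords are placeholders.
SAMPLE_PROFILES = """
user = x {
  password = PAP "placeholder-x"
  service = shell {
    default_cmd = permit
  }
  service = ppp {
    protocol = ip {
      set addr-pool = default
    }
    protocol = lcp {
    }
  }
}
user = y {
  password = PAP "placeholder-y"
  service = shell {
    set autocmd = ppp negotiate
  }
  service = ppp {
    protocol = ip{
      set addr-pool = default
    }
    protocol = lcp {
    }
  }
}
"""

OPEN_RE = re.compile(r"^\s*(.+?)\s*\{\s*$")           # "header {"
ATTR_RE = re.compile(r"^\s*(?:set\s+)?([\w-]+)\s*=\s*(.*?)\s*$")  # "key = value"


def _parse_block(lines: List[str], pos: int) -> Tuple[Dict[str, object], int]:
    """Parse from pos to the matching '}' and return (block, next pos).
    Nested blocks are keyed by their normalised header ('service = shell');
    attributes by name, with any leading 'set' dropped."""
    block: Dict[str, object] = {}
    while pos < len(lines):
        line = lines[pos].strip()
        pos += 1
        if not line:
            continue
        if line == "}":
            return block, pos
        m = OPEN_RE.match(line)
        if m:
            header = re.sub(r"\s*=\s*", " = ", re.sub(r"\s+", " ", m.group(1)))
            block[header], pos = _parse_block(lines, pos)
            continue
        m = ATTR_RE.match(line)
        if m:
            block[m.group(1)] = m.group(2)
    return block, pos


def parse_profiles(text: str) -> Dict[str, Dict[str, object]]:
    """Return {username: profile} for every 'user = NAME {' block."""
    top, _ = _parse_block(text.splitlines(), 0)
    profiles: Dict[str, Dict[str, object]] = {}
    for header, body in top.items():
        m = re.match(r"user = (\S+)$", header)
        if m and isinstance(body, dict):
            profiles[m.group(1)] = body
    return profiles


def exec_shell_allowed(profile: Dict[str, object]) -> bool:
    """True only when 'service = shell' carries default_cmd = permit and no
    autocmd that pushes the session straight into PPP."""
    shell = profile.get("service = shell")
    if not isinstance(shell, dict):
        return False
    if str(shell.get("autocmd", "")).startswith("ppp"):
        return False
    return shell.get("default_cmd") == "permit"


def audit(text: str) -> Dict[str, bool]:
    """Map each username to whether its profile opens an EXEC shell."""
    return {u: exec_shell_allowed(p) for u, p in parse_profiles(text).items()}


if __name__ == "__main__":
    for user, allowed in audit(SAMPLE_PROFILES).items():
        print(f"{user}: EXEC shell {'ALLOWED' if allowed else 'blocked'}")
```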
6.2 Troubleshooting AAA Implementation
These sections help you to accomplish the following tasks:
• 6.2.1 Troubleshooting Methodology Overview
• 6.2.2 Cisco IOS Debug Command Summary
6.2.1 Troubleshooting Methodology Overview
The troubleshooting methodology adopted in this chapter follows these general steps:
1. Isolating the problem.
   – Gathering detailed information about the trouble.
   – Determining the starting point and fault isolation procedures.
2. Correcting the problem.
   – Making appropriate hardware, software, or configuration changes to correct the problem.
3. Verifying that the trouble is corrected.
   – Performing operational tests to verify that the trouble is corrected.
The troubleshooting tables presented in “6.3 AAA Troubleshooting Basics” and the example scenarios presented in “6.4 Troubleshooting Scenarios” generally follow this methodology in listing typical symptoms, and provide associated problems and diagnostic measures.
6.2.2 Cisco IOS Debug Command Summary
Output from Cisco IOS debug commands provides a valuable source of information and feedback concerning state transitions and functions within the AAA subsystem environment.
Use the debug commands that follow for capturing AAA-related transitions and functions:
• debug condition user username
  Enabling this debug command sets conditional debugging for a specific user and generates debug output related to that user. This command is helpful in an enterprise environment for troubleshooting.
• debug aaa authentication
  Enabling this debug command displays authentication information with TACACS+ and RADIUS client/server interaction.
• debug aaa authorization
  Enabling this debug command displays authorization information with TACACS+ and RADIUS client/server interaction.
• debug aaa accounting
  Enabling this debug command displays accounting information with TACACS+ and RADIUS client/server interaction.
• debug tacacs
  Enabling this debug command displays TACACS+ interaction between the IOS client and the AAA server.
• debug radius
  Enabling this debug command displays RADIUS interaction between the IOS client and the AAA server.
In addition to debug command output gathered directly from devices running Cisco IOS, a Cisco AAA
server can be configured to collect important operational diagnostics.
Go to the following link for information regarding configuring and using CSU ACS logs:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx/csu23rg/troubles.htm
6.3 AAA Troubleshooting Basics
AAA operational diagnostic activity for access environments is divided into the following basic areas:
• Dial-based versus router-based access
• Local versus server access
• Authentication and authorization processes
These three areas can be associated with eight underlying diagnostic situations which are addressed in
the following subsections:
• 6.3.1 Troubleshooting Dial-Based Local Authentication
• 6.3.2 Troubleshooting Dial-Based Server Authentication
• 6.3.3 Troubleshooting Dial-Based Local Authorization
• 6.3.4 Troubleshooting Dial-Based Server Authorization
• 6.3.5 Troubleshooting Router-Based Local Authentication
• 6.3.6 Troubleshooting Router-Based Server Authentication
• 6.3.7 Troubleshooting Router-Based Local Authorization
• 6.3.8 Troubleshooting Router-Based Server Authorization
The following sections address each of the diagnostic topics separately. Detailed scenarios are provided
in “6.4 Troubleshooting Scenarios.”
The diagnostics summaries address the troubleshooting process using three basic stages:
1. Identifying symptoms
2. Isolating problems
3. Resolving problems
Each diagnostic table includes suggestions for identifying and isolating problems. Diagnostic
information is provided in “6.4 Troubleshooting Scenarios.” Specific diagnostic output is included to
illustrate how network entities react to failures and how to discern specific failures.
Note
Some of the symptoms described in the following tables can be caused by a variety of
problems other than AAA issues. Because this case study focuses on AAA-based security
topics, the problems and diagnostics provided here focus on AAA issues.
6.3.1 Troubleshooting Dial-Based Local Authentication
The following symptoms are addressed in separate tables in this section:
• Single User Failure; Individual Dial-in User Connection Fails
• Multiple User Failure; All Dial-in Users Unable to Connect to NAS
Table 6-1    Single User Failure; Individual Dial-in User Connection Fails
Problem: User entered invalid username or password.
Suggested Diagnostic Steps:
  1. To verify local account, enter:
     <NAS>#debug aaa authentication
     Test login with username/password. Look for “user not found” or “password validation” failure.
  2. If user is not found, add the user. If password validation failure, reenter login with username and password combination.
Table 6-2    Multiple User Failure; All Dial-in Users Unable to Connect to NAS
Problem: AAA behavior configured incorrectly in NAS.
Suggested Diagnostic Steps:
  1. Enter this diagnostic command in NAS:
     <NAS>#debug aaa authentication
  2. To verify local authentication is configured correctly, enter:
     <router>#show running-config
  3. Verify inclusion of one of these commands:
     aaa authentication login default local
     or
     aaa authentication login ppp default local
Problem: Shell initiated PPP session passes, but is torn down.
Suggested Diagnostic Steps:
  1. Enter this diagnostic command in NAS:
     <NAS>#debug aaa authentication
  2. To verify AAA is configured correctly in NAS, enter:
     <NAS>#show running-config
  3. Verify inclusion of this command:
     aaa authentication ppp default if-needed local
6.3.2 Troubleshooting Dial-Based Server Authentication
The following symptoms are addressed in separate tables in this section:
• Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)
• Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)
Table 6-3    Single User Failure; Individual User Unable to Make Connection (RADIUS and TACACS+)
Problem: User name not in server database.
Suggested Diagnostic Steps:
  1. To verify user is in database, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
Problem: User entered password incorrectly.
Suggested Diagnostic Steps:
  1. Verify password case-sensitivity.
  2. Monitor user activity in AAA server:
     <CSUserver>$tail -f /var/log/csuslog|grep username
  3. Review csuslog file for errors (for example, if user is configured for OTP, verify PASSCODE is accepted from OTP server).
  4. Reset user password or synchronize PASSCODE if needed.
Problem: User profile configured incorrectly. The error message “bad method for user” reported in csuslog file.
Suggested Diagnostic Steps:
  1. To verify user profile is programmed with correct password type, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
  2. Verify user profile privilege is sufficient to perform task.
  3. Verify profile is configured for correct password type. For example, PAP for OTP.
Problem: User account disabled due to too many failed logins.
Suggested Diagnostic Steps:
  1. To view user profile, enter:
     <CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
  2. Verify that the profile is not disabled. If it is disabled, compare set server current-failed-login counters to max failed login setting in CSU.cfg file.
  3. If these attributes are the same, reset user profile status to enabled and reset the set server current-failed-login counter by using the web-based administration utility.
Problem: User account password or profile expired.
Suggested Diagnostic Steps:
  1. To view profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
  2. For TACACS+: Look for expiration in profile, such as:
     expires = "24 Jan 2000"
  3. For RADIUS: Look for expiration in profile, such as:
     Password-Expiration = "24 Jan 2000"
Problem: User workstation configured incorrectly.
Suggested Diagnostic Steps:
  1. Review user dialup networking setup.
  2. To review user profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
  3. Check for setup for parameter such as “Requires encrypted password.”
Problem: User exceeded the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
  To review user profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
  For TACACS+, look for this AVP:
     max-sessions
  For RADIUS, look for this AVP:
     Maximum-Channels
Table 6-4    Multiple User Failure; All Dial-in Users Unable to Connect to NAS (RADIUS and TACACS+)
Problem: Connection between NAS and AAA server is down.
Suggested Diagnostic Steps:
  Verify network connectivity between NAS and AAA server. Enter these diagnostic commands in NAS:
     <NAS>#show tacacs
     <NAS>#debug tacacs
     <NAS>#debug radius
     <NAS>#ping CSU-server-name
Problem: TACACS+ or RADIUS key incorrect in NAS or AAA server.
Suggested Diagnostic Steps:
  Review NAS and CSU configurations for shared secret.
  In NAS, enter:
     <NAS>#show running-config
  In AAA server, enter:
     <CSUserver>$grep NAS-IP-Address /opt/ciscosecure/config/CSU.cfg
     <CSUserver>$tail -f /var/log/csuslog
Problem: Maximum number of users exceeded.
Suggested Diagnostic Steps:
  1. Verify license key is entered correctly in AAA server. Enter the following command at the CSUserver:
     <CSUserver>$grep license-key /opt/ciscosecure/config/CSU.cfg
  2. To review expiration date of license key, enter:
     <CSUserver>$grep license-key /var/log/csuslog
Problem: Group profile password type does not match type specified in NAS group-async or dialer interface configuration (for example, PPP authentication PAP).
Suggested Diagnostic Steps:
  1. To review NAS configuration, enter:
     <NAS>#show running-config
  2. Verify group-async or dialer interface is configured with correct password type. For example, for OTP, PAP must be specified.
  3. Verify group profile matches group-async or dialer interface configuration in NAS.
Problem: Shell initiated PPP session passes, but is torn down.
Suggested Diagnostic Steps:
  1. Enter this diagnostic command in NAS:
     <NAS>#debug aaa authentication
  2. To verify correct AAA configuration is configured in NAS, enter:
     <NAS>#show running-config
  3. Verify these commands are included in the NAS configuration:
     aaa authentication ppp default if-needed tacacs+
     or
     aaa authentication ppp default if-needed radius
6.3.3 Troubleshooting Dial-Based Local Authorization
The following symptoms are addressed in separate tables in this section:
• User Cannot Start PPP
• Network Authorization Fails
• Unable to Access Specific Host or Network Service
• Multilink Fails
Table 6-5    User Cannot Start PPP
Problem: User client configuration error.
Suggested Diagnostic Steps:
  Refer to MS troubleshooting chapter:
  http://support.microsoft.com/support/kb/articles/Q130/0/79.asp?LNG=ENG&SA=ALLKB
Table 6-6    Network Authorization Fails
Problem: Attribute-value pairs (AVPs) not assigned. [1]
Suggested Diagnostic Steps:
  1. Enter this diagnostic command in NAS:
     <NAS>#debug aaa authorization
  2. To verify AAA is configured correctly in NAS, enter:
     <NAS>#show running-config
  3. Verify inclusion of this command:
     aaa authorization exec default local
[1] AAA authorization only supported on shell sessions with local accounts.
Table 6-7    Unable to Access Specific Host or Network Service
Problem: Access list assigned to user.
Suggested Diagnostic Steps:
  1. Verify local account not restricted with access-class AVP:
     <NAS>#show running-config
  2. Enter these NAS commands to determine whether access list is assigned to user:
     <NAS>#show caller user userid detail
     <NAS>#show line
  3. To review access list with this NAS command, enter:
     <NAS>#show access-list ACL-number
Table 6-8    Multilink Fails
Problem: User profile restricted.
Suggested Diagnostic Steps:
  To verify user account is not restricted by inclusion of max-links AVP, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
6.3.4 Troubleshooting Dial-Based Server Authorization
The following symptoms are addressed in separate tables in this section:
• Multiple Users Cannot Start PPP (RADIUS and TACACS+)
• Network Authorization Fails (RADIUS and TACACS+)
• User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+)
• Multilink Fails (TACACS+)
• Multilink Fails (RADIUS)
• Session Fails to Disconnect After Expected Idle Timeout (TACACS+)
• Session Fails to Disconnect After Expected Idle Timeout (RADIUS)
• No EXEC Shell for TACACS+
• No EXEC Shell for RADIUS
• Cannot Start Concurrent Sessions (TACACS+)
• Cannot Start Concurrent Sessions (RADIUS)
Table 6-9    Multiple Users Cannot Start PPP (RADIUS and TACACS+)
Problem: AAA authorization configured incorrectly in NAS.
Suggested Diagnostic Steps:
  1. Enter this diagnostic command in NAS:
     <NAS>#debug aaa authorization
  2. To verify AAA is configured correctly in NAS, enter:
     <NAS>#show running-config
  3. Verify inclusion of this command:
     aaa authorization network default group tacacs+
     or
     aaa authorization network default group radius
Problem: Does not have PPP service assigned.
Suggested Diagnostic Steps:
  1. To view group profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
  2. For TACACS+, verify the following commands are assigned to group:
     service=ppp
     protocol=lcp
     protocol=ip
  3. For RADIUS, verify the following commands are assigned to group:
     Service-Type=Framed
     Framed-Protocol=ppp
Problem: Group lacks shell service assigned (EXEC shell-initiated PPP session only).
Suggested Diagnostic Steps:
  1. To view group profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
  2. For TACACS+, verify the following command is assigned to group:
     service=shell
  3. For RADIUS, verify the following command is assigned to group:
     User-Service-Type (Shell-User)
Table 6-10   Network Authorization Fails (RADIUS and TACACS+)
Problem: AVPs not assigned.
Suggested Diagnostic Steps:
  1. Enter this diagnostic command in NAS:
     <NAS>#debug aaa authorization
  2. To verify AAA is configured correctly in NAS, enter:
     <NAS>#show running-config
  3. Verify inclusion of this command:
     aaa authorization network default group tacacs+
     or
     aaa authorization network default group radius
Table 6-11   User or Group Members Unable to Access Specific Host or Network Service (RADIUS and TACACS+)
Problem: Access list assigned to user.
Suggested Diagnostic Steps:
  1. To view group profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
     Verify group account not restricted with inacl AVP.
  2. Enter these NAS commands to determine whether access list is assigned to user:
     <NAS>#show caller user userid detail
     <NAS>#show line
  3. Review access list with this NAS command:
     <NAS>#show access-list ACL-number
Table 6-12   Multilink Fails (TACACS+)
Problem: User or group profile lacks proper AVP.
Suggested Diagnostic Steps:
  1. To verify group account includes protocol=multilink AVP assigned, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
  2. Review profile for load-threshold AVP and whether it is configured properly.
Problem: User or group profile restricted.
Suggested Diagnostic Steps:
  To verify group account not restricted with max-links AVP, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
Table 6-13   Multilink Fails (RADIUS)
Problem: User or group profile lacks proper AVP.
Suggested Diagnostic Steps:
  To verify group account includes framed-protocol=multilink AVP assigned, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
Problem: User or group profile restricted.
Suggested Diagnostic Steps:
  To verify group account not restricted with max-links AVP, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
Table 6-14   Session Fails to Disconnect After Expected Idle Timeout (TACACS+)
Problem: The idletime AVP not configured on group profile.
Suggested Diagnostic Steps:
  To verify group account includes idletime AVP assigned, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
Table 6-15   Session Fails to Disconnect After Expected Idle Timeout (RADIUS)
Problem: The Idle-Timeout AVP not configured on group profile.
Suggested Diagnostic Steps:
  To verify group account includes Idle-Timeout AVP assigned, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
Table 6-16   No EXEC Shell for TACACS+
Problem: User or group lacks service=shell AVP assigned.
Suggested Diagnostic Steps:
  To verify service=shell is assigned to user or group, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
Table 6-17   No EXEC Shell for RADIUS
Problem: User or group does not have User-Service-Type AVP assigned.
Suggested Diagnostic Steps:
  To verify User-Service-Type (Shell-User) is assigned to user or group, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g groupname
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
Table 6-18   Cannot Start Concurrent Sessions (TACACS+)
Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
  1. To review the user profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
  2. Look for the following AVP:
     server max sessions
Table 6-19   Cannot Start Concurrent Sessions (RADIUS)
Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
  1. To review the user profile, enter:
     <CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
  2. Look for the following AVP:
     Maximum-Channels
6.3.5 Troubleshooting Router-Based Local Authentication
The following symptoms are addressed in separate tables in this section:
• Single User Failure; Individual Dial-in User Connection Fails
• Multiple User Failure; All Dial-in Users Unable to Connect to Router
• Users Can Access Router by Using Console or VTY, but Not Both
Table 6-20 Single User Failure; Individual Dial-in User Connection Fails
Problem: User entered an invalid username or password.
Suggested Diagnostic Steps:
1. To verify the local account, enter:
<router>#debug aaa authentication
2. Test the login with the username and password.
3. Look for a user-not-found or password validation failure.
Table 6-21 Multiple User Failure; All Dial-in Users Unable to Connect to Router
Problem: AAA behavior configured incorrectly in the router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in the router:
<router>#debug aaa authentication
2. To verify that local authentication is configured correctly, enter:
<router>#show running-config
3. Verify inclusion of this command:
aaa authentication login/ppp default local
Table 6-22 Users Can Access Router by Using Console or VTY, but Not Both
Problem: Incorrect AAA configuration in the router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in the router:
<router>#debug aaa authentication
2. To verify that AAA is configured correctly in the router, enter:
<router>#show running-config
3. Verify that the method used for console authentication matches the VTY method. For example:
• AAA configuration:
aaa authentication login listname group tacacs+
• Console line configuration:
line con 0
login authentication listname
• VTY line configuration:
line vty 0 4
login authentication listname
6.3.6 Troubleshooting Router-Based Server Authentication
The following symptoms are addressed in separate tables in this section:
• Single User Failure; Individual User Unable to Make a Connection
• Multiple User Failure; All Dial-In Users Unable to Connect to the Router
• Users Pass Authentication on Console or VTY, but Not Both
Table 6-23 Single User Failure; Individual User Unable to Make a Connection
Problem: User name not in the server database.
Suggested Diagnostic Steps:
1. To verify that the user is in the database, enter:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
Problem: User entered the password incorrectly.
Suggested Diagnostic Steps:
1. Verify password case sensitivity.
2. To monitor user activity in the AAA server, enter:
<CSUserver>$tail -f /var/log/csuslog|grep username
3. Review the csuslog file for errors.
Problem: User profile configured incorrectly. The error message “bad method for user” is reported in the csuslog file.
Suggested Diagnostic Steps:
1. To verify that the user profile is programmed with the correct password type, enter:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Verify that the user profile privilege is sufficient to perform the task.
3. Verify that the profile is configured for the correct password type, for example DES or clear text.
Problem: User account disabled due to too many failed logins.
Suggested Diagnostic Steps:
1. To view the user profile, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
2. Verify that the profile is not disabled. If it is disabled, compare the set server current-failed-login counter to the maximum failed login setting in the CSU.cfg file.
3. If these attributes are the same, reset the user profile status to enabled and reset the set server current-failed-login counter by using the web-based administration utility.
Problem: User account password or profile expired.
Suggested Diagnostic Steps:
1. To view the profile, enter:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for an expiration in the profile, such as:
expires = "24 Jan 2000"
Problem: User exceeds the maximum number of concurrent sessions.
Suggested Diagnostic Steps:
1. To review the user profile, enter:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u username
2. Look for the following AVP:
server max sessions
Table 6-24 Multiple User Failure; All Dial-In Users Unable to Connect to the Router
Problem: Connection between the router and the AAA server is down.
Suggested Diagnostic Steps: Verify network connectivity between the router and the AAA server. Enter these diagnostic commands in the router:
<router>#show tacacs
<router>#debug tacacs
<router>#debug radius
<router>#ping CSU-IP-address
Problem: TACACS+ key incorrect in the router or the AAA server.
Suggested Diagnostic Steps: Review the router and CSU configurations for the shared secret.
In the router, enter:
<router>#show running-config
In the AAA server, enter:
<CSUserver>$grep router-IP-address /opt/ciscosecure/config/CSU.cfg
Problem: Maximum number of users exceeded.
Suggested Diagnostic Steps:
1. Verify that the license key is entered correctly in the AAA server. Enter the following command at the CSUserver:
<CSUserver>$grep license-key /opt/ciscosecure/config/CSU.cfg
2. To review the expiration date of the license key, enter:
<CSUserver>$grep license-key /var/log/csuslog
Table 6-25 Users Pass Authentication on Console or VTY, but Not Both
Problem: Incorrect AAA configuration in the router.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in the router:
<router>#debug aaa authentication
2. To verify that AAA is configured correctly in the router, enter:
<router>#show running-config
3. Verify that the method used for console authentication matches the VTY method. For example:
• AAA configuration:
aaa authentication login listname group tacacs+
• Console line configuration:
line con 0
login authentication listname
• VTY line configuration:
line vty 0 4
login authentication listname
6.3.7 Troubleshooting Router-Based Local Authorization
The following symptoms are addressed in separate tables in this section:
• User Fails Router Command
• User Disconnected After Entering a Password
• Users Access Incorrect Privilege Level Commands
• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”
Table 6-26 User Fails Router Command
Problem: AAA configuration error.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in the router to determine the method of authorization and the failure:
<router>#debug aaa authorization
2. To verify that AAA is configured correctly in the router, enter:
<router>#show running-config
Example: If aaa authorization commands is used, ensure that the method specified is local.
Problem: User profile lacks the appropriate privilege level to perform the command.
Suggested Diagnostic Steps: To review the privilege configuration in the router, enter:
<router>#show running-config
Example: The Cisco IOS command aaa authorization commands 15 default local is used, but the user does not have a corresponding privilege level assigned.
Problem: User profile lacks the appropriate enable level to perform the command.
Suggested Diagnostic Steps: To review the enable privilege level configuration in the router, enter:
<router>#show running-config
Example of relevant Cisco IOS commands:
aaa authentication enable default local
enable 15 secret
enable 10 secret2
In this example, users at enable level 10 cannot perform privilege level 15 commands.
Table 6-27 User Disconnected After Entering a Password
Problem: Authorization failed service. This looks like an authentication problem, but it is an authorization failure.
Suggested Diagnostic Steps: To review the AAA configuration, enter:
<router>#show running-config
If the aaa authorization exec command specifies a method other than local, the user fails shell access. For example, aaa authorization exec default tacacs+ results in a local user failing authorization.
Table 6-28 Users Access Incorrect Privilege Level Commands
Problem: AAA behavior incorrectly configured.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in the router to determine the level of command authorization:
<router>#debug aaa authorization
2. To review the AAA configuration in the router, enter:
<router>#show running-config
3. Verify that AAA is configured properly in the router. For example:
aaa authorization commands 15 default local
Table 6-29 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”
Problem: The autocommand ppp negotiate command is assigned to the user.
Suggested Diagnostic Steps:
1. To review whether the correct configuration is present in the router, enter:
<router>#show running-config
Look for the autocommand ppp negotiate command assigned to the user.
2. Delete autocommand ppp negotiate if appropriate.
6.3.8 Troubleshooting Router-Based Server Authorization
The following symptoms are addressed in separate tables in this section:
• User Fails Router Command
• User Disconnected After Entering Password
• Users Access Incorrect Privilege Level Commands
• Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”
• Router User Unable to Initiate Shell Session with Router
• AVPs Not Working on Console Port
Table 6-30 User Fails Router Command
Problem: AAA configuration error.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in the router to determine the method of authorization and the failure:
<router>#debug aaa authorization
2. To review the AAA configuration in the router, enter:
<router>#show running-config
Example: If aaa authorization commands is used, ensure that the method specified is tacacs+.
Problem: User profile lacks the appropriate privilege level to perform the command.
Suggested Diagnostic Steps: To view the user profile for the appropriate priv-lvl=x AVP, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
Problem: User profile lacks the appropriate enable privilege level to perform the command.
Suggested Diagnostic Steps: To view the user profile for the appropriate enable privilege level, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
For example:
privilege = des "********" 15
Table 6-31 User Disconnected After Entering Password
Problem: Authorization failed service.
Suggested Diagnostic Steps: To review the AAA configuration, enter:
<router>#show running-config
If the aaa authorization exec command specifies a method other than TACACS+, the user fails shell access. For example, aaa authorization exec default local results in a TACACS+ user failing authorization.
Table 6-32 Users Access Incorrect Privilege Level Commands
Problem: AAA behavior incorrectly configured.
Suggested Diagnostic Steps:
1. Enter this diagnostic command in the router to determine the level of command authorization:
<router>#debug aaa authorization
2. To verify that AAA is configured correctly in the router, enter:
<router>#show running-config
Example of relevant Cisco IOS command:
aaa authorization commands 15 default group tacacs+
Problem: User profile configured incorrectly.
Suggested Diagnostic Steps: To view the user profile for the appropriate priv-lvl=x AVP, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
Table 6-33 Router User Receives Error Message Stating “This Line Not Allowed to Run PPP and is Disconnected”
Problem: The autocommand ppp negotiate AVP is assigned to the user.
Suggested Diagnostic Steps:
1. To view the user profile for inclusion of the autocommand ppp negotiate AVP, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
2. Delete autocommand ppp negotiate if appropriate.
Table 6-34 Router User Unable to Initiate Shell Session with Router
Problem: Lack of the service=shell AVP; the user sees the “Authorization failed service” error message.
Suggested Diagnostic Steps: To view the user profile for inclusion of the service=shell AVP, enter:
<CSUserver>$/opt/ciscosecure/utils/bin/ViewProfile -p 9900 -u username
Table 6-35 AVPs Not Working on Console Port
Problem: Feature is not supported on console ports.
Suggested Diagnostic Steps: None. Feature not supported.
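As an added example (not from the case study), the following Python script reads an IOS running-config excerpt and reports the router-side inconsistencies that Tables 6-21, 6-22/6-25 and 6-27/6-31 describe: a missing default login list, a line bound to an undefined list, a console line and VTY lines that resolve to different authentication methods, and an exec authorization method whose source does not match the login method. The configuration text is constructed, and treating any method list that names local as a local method is this example's simplification.

```python
"""Audit an IOS running-config for the AAA inconsistencies described in
Tables 6-21, 6-22, 6-25, 6-27 and 6-31. Added example; the config is constructed."""
import re
from typing import Dict, List

LINE_RE = re.compile(r"line (con \d+|vty \d+(?: \d+)?|aux \d+)")


def parse_config(text: str) -> Dict[str, Dict[str, str]]:
    """Collect login method lists, exec authorization lists and per-line list bindings."""
    login_lists: Dict[str, str] = {}   # 'aaa authentication login <name> <methods>'
    exec_authz: Dict[str, str] = {}    # 'aaa authorization exec <name> <methods>'
    line_auth: Dict[str, str] = {}     # 'con 0' / 'vty 0 4' -> list name ('default' if unset)
    current_line = None
    for raw in text.splitlines():
        if not raw.startswith(" "):
            current_line = None        # back at global configuration level
        stripped = raw.strip()
        m = re.match(r"aaa authentication login (\S+) (.+)", stripped)
        if m:
            login_lists[m.group(1)] = m.group(2)
            continue
        m = re.match(r"aaa authorization exec (\S+) (.+)", stripped)
        if m:
            exec_authz[m.group(1)] = m.group(2)
            continue
        m = LINE_RE.match(stripped)
        if m:
            current_line = m.group(1)
            line_auth[current_line] = "default"   # IOS uses the default list unless told otherwise
            continue
        m = re.match(r"login authentication (\S+)", stripped)
        if m and current_line:
            line_auth[current_line] = m.group(1)
    return {"login_lists": login_lists, "exec_authz": exec_authz, "line_auth": line_auth}


def _is_local(methods: str) -> bool:
    # Simplification for this example: any list naming 'local' counts as a local method.
    return "local" in methods.split()


def audit(text: str) -> List[str]:
    """Return one finding per inconsistency, each tagged with the table it corresponds to."""
    cfg = parse_config(text)
    login, authz, lines = cfg["login_lists"], cfg["exec_authz"], cfg["line_auth"]
    findings: List[str] = []
    if "default" not in login:
        findings.append("no 'aaa authentication login default ...' list (Table 6-21)")
    # Tables 6-22 and 6-25: each line must bind a defined list, and console must match VTY
    methods: Dict[str, str] = {}
    for line_name, list_name in lines.items():
        if list_name in login:
            methods[line_name] = login[list_name]
        else:
            findings.append(f"line {line_name} uses undefined login list '{list_name}' (Table 6-22)")
    con = sorted({m for n, m in methods.items() if n.startswith("con")})
    vty = sorted({m for n, m in methods.items() if n.startswith("vty")})
    if con and vty and con != vty:
        findings.append(f"console method {con} differs from VTY method {vty} (Tables 6-22, 6-25)")
    # Tables 6-27 and 6-31: exec authorization must use the same source as authentication
    for list_name, method in authz.items():
        auth_method = login.get(list_name)
        if auth_method is not None and _is_local(auth_method) != _is_local(method):
            findings.append(f"list '{list_name}': login uses '{auth_method}' but "
                            f"exec authorization uses '{method}' (Tables 6-27, 6-31)")
    return findings


# Constructed configs, not from the case-study NAS.
BAD_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login listname group tacacs+
aaa authorization exec default group tacacs+
line con 0
 login authentication listname
line vty 0 4
line aux 0
 login authentication nosuchlist
"""
GOOD_CONFIG = """\
aaa new-model
aaa authentication login listname group tacacs+
aaa authentication login default local
aaa authorization exec default local
line con 0
 login authentication listname
line vty 0 4
 login authentication listname
"""

if __name__ == "__main__":
    for finding in audit(BAD_CONFIG) or ["no findings"]:
        print(finding)
```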
6.4 Troubleshooting Scenarios
The following example troubleshooting scenarios elaborate the process of diagnosing, correcting, and
testing several problems addressed in “6.3 AAA Troubleshooting Basics”:
• 6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)
• 6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)
• 6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication)
• 6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)
• 6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)
• 6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)
• 6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)
6.4.1 Isolating Incorrect TACACS+ Key in NAS or AAA Server (TACACS+ Dial-Based Server Authentication)
This scenario focuses on a server-authentication failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-4 for
additional related problems.
Symptom Multiple user failure; all dial-in users unable to connect to NAS. See Table 6-4.
Possible Cause TACACS+ key incorrect in NAS or AAA server. See Table 6-4.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1
Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The last line of this debug output shows the failure
expressed for user dial_tac.
088189: Jan 27 18:37:22.972 CST: AAA/MEMORY: create_user (0x61D7A2E0) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
088190: Jan 27 18:37:22.976 CST: AAA/AUTHEN/START (953379418): port='tty51' list= =3035625154
088203: Jan 27 18:37:26.216 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = GETPASS
088204: Jan 27 18:37:26.216 CST: AAA/AUTHEN (3035625154): status = GETPASS
088205: Jan 27 18:37:30.337 CST: AAA/AUTHEN/CONT (3035625154): continue_login (user='dial_tac')
088206: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): status = GETPASS
088207: Jan 27 18:37:30.337 CST: AAA/AUTHEN (3035625154): Method=ADMIN (tacacs+)
088208: Jan 27 18:37:30.337 CST: TAC+: send AUTHEN/CONT packet id=3035625154
088209: Jan 27 18:37:30.637 CST: TAC+: ver=192 id=3035625154 received AUTHEN status = FAIL
Step 2
Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
The AAA server log file reports the following warning when no key is specified (indicating that there
is no encryption key):
Jan 27 18:35:17 coachella CiscoSecure: WARNING - Insecure configuration: No encryption key for NAS <default>
Step 3
Review NAS configurations for shared secret configuration. To obtain the NAS configuration, enter:
<NAS>#show running-config
The following configuration fragment specifies the TACACS+ server and key. In this case, the key is
bobbit.
tacacs-server host 172.22.53.201 key bobbit
Review the AAA server configuration for the corresponding server shared secret configuration. View
the CSU.cfg file with vi (or a similar tool):
<CSUserver>$vi /opt/ciscosecure/config/CSU.cfg
Find the key configuration in the CSU.cfg AAA server configuration file and review it for the NAS
specification. In this example, this configuration is missing.
NAS config_nas_config =
{
{
"172.22.53.201",
"",
If the key is properly configured, it appears between the quotation marks following the IP address
specification. In this case, the key is missing. Because it is not specified in the AAA server
configuration file, users’ access is blocked.
Step 4
Update key specifications and restart the AAA server. Verify successful dialup operation.
6.4.2 Isolating Invalid User Password (TACACS+ Dial-Based Server Authentication)
This scenario focuses on a server-authentication failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-3 for
additional related problems.
Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.
Possible Cause User enters invalid password. See Table 6-3.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1
Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. This command results in a stream of diagnostic output.
The last line in the following output shows the AAA authentication request sent to AAA server for user
dial_tac:
092852: Jan 27 22:19:06.713 CST: AAA/AUTHEN (543609479): status = GETPASS
092853: Jan 27 22:19:07.985 CST: AAA/AUTHEN/CONT (543609479): continue_login (user='dial_tac')
The NAS receives FAIL from AAA server for user:
092854: Jan 27 22:19:07.985 CST: AAA/AUTHEN (543609479): status = GETPASS
092855: Jan 27 22:19:07.985 CST: AAA/AUTHEN (543609479): Method=ADMIN (tacacs+)
092856: Jan 27 22:19:07.985 CST: TAC+: send AUTHEN/CONT packet id=543609479
092857: Jan 27 22:19:08.185 CST: TAC+: ver=192 id=543609479 received AUTHEN status = FAIL
092858: Jan 27 22:19:08.185 CST: AAA/AUTHEN (543609479): status = FAIL
The user session is torn down and AAA process is freed:
092859: Jan 27 22:19:10.185 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_tac' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
Step 2
Enter the tail command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
In this case, the AAA server log reports an incorrect password for user dial_tac:
Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS = 172.22.63.1, Port = tty51, User = dial_tac, Service = 1, Priv = 1]
Jan 27 22:19:08 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Jan 27 22:19:08 coachella set server current-failed-logins = 1
Note
Following the failure, the current-failed-login counter increments. This counter is described in Table 6-3.
Step 3
If the user does not exist in the database (but should), create a new user, or provide feedback if the password
or login was entered incorrectly by the user.
6.4.3 Isolating Non-Existent User (TACACS+ Dial-Based Server Authentication)
This scenario focuses on a server-authentication failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-3 for
additional related problems.
Symptom Single user failure; individual dial-in user unable to connect to NAS. See Table 6-3.
Possible Cause User does not exist in the database. See Table 6-3.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1
Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS.
The following output fragment shows the AAA process starting on NAS.
092794: Jan 27 22:15:39.132 CST: AAA/MEMORY: create_user (0x61D87A70) user='' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
092795: Jan 27 22:15:39.132 CST: AAA/AUTHEN/START (3576082779): port='tty51' list='INSIDE' action=LOGIN service=LOGIN
GETPASS is sent to AAA server for verification for user dial_test:
092806: Jan 27 22:15:41.132 CST: AAA/AUTHEN/START (3285027777): Method=ADMIN (tacacs+)
092807: Jan 27 22:15:41.132 CST: TAC+: send AUTHEN/START packet ver=192 id=3285027777
092808: Jan 27 22:15:41.936 CST: TAC+: ver=192 id=3285027777 received AUTHEN status = GETPASS
092809: Jan 27 22:15:41.936 CST: AAA/AUTHEN (3285027777): status = GETPASS
092810: Jan 27 22:15:43.340 CST: AAA/AUTHEN/CONT (3285027777): continue_login (user='dial_test')
092811: Jan 27 22:15:43.340 CST: AAA/AUTHEN (3285027777): status = GETPASS
092812: Jan 27 22:15:43.340 CST: AAA/AUTHEN (3285027777): Method=ADMIN (tacacs+)
The NAS then receives the authentication FAIL message from the AAA server:
092813: Jan 27 22:15:43.340 CST: TAC+: send AUTHEN/CONT packet id=3285027777
092814: Jan 27 22:15:43.540 CST: TAC+: ver=192 id=3285027777 received AUTHEN status = FAIL
092815: Jan 27 22:15:43.540 CST: AAA/AUTHEN (3285027777): status = FAIL
The session is torn down and the AAA process is freed:
092816: Jan 27 22:15:45.540 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_test' ruser='' port='tty51' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
092817: Jan 27 22:15:45.540 CST: AAA: parse name=tty51 idb type=-1 tty=-1
092818: Jan 27 22:15:45.540 CST: AAA: name=tty51 flags=0x11 type=5 shelf=0 slot
Step 2
Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
The AAA server log file shows that the AAA server did not find user dial_test in the cache (profile caching is
enabled):
Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Profile USER = dial_test not found in cache.
The AAA server log file also shows that the AAA server did not find the user in the database; next, the AAA
server conducts a search for the unknown_user account:
Jan 27 22:15:41 coachella CiscoSecure: WARNING - User dial_test not found, using unknown_user
AAA server finally again reports user not found after exhausting its search:
Jan 27 22:15:41 coachella CiscoSecure: DEBUG - Password:
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - AUTHENTICATION CONTINUE request (c3cd8bc1)
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - Authentication - User not found; [NAS = 172.22.63.1, Port = tty51, User = dial_test, Service = 1]
Step 3
Enter the following command to view a user profile in the database:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_test
Error: Unable to find profile
RC = 3
Step 4
If the user does not exist in the database (but should), create a new user, or provide feedback if the password
or login was entered incorrectly by the user.
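As an added example that is not part of the case study, the following Python script classifies csuslog lines into the causes that scenarios 6.4.1 through 6.4.3 isolate (missing shared secret, incorrect password, non-existent user) together with the authorization “Failed service” entry used in the scenarios that follow, and tracks the current-failed-logins counter per user. The log lines it contains are constructed to match the message shapes shown in these scenarios, and the cause labels and recommended actions are this example's own mapping onto the chapter's tables.

```python
"""Classify CiscoSecure csuslog entries into the failure causes this chapter's
tables describe. Added example; the log lines below are constructed to match
the message shapes shown in scenarios 6.4.1 through 6.4.6."""
import re
from collections import Counter
from typing import Dict, List, Optional

# (cause label, message pattern, the table row a practitioner should jump to)
CAUSE_PATTERNS = [
    ("missing-shared-secret",
     re.compile(r"WARNING - Insecure configuration: No encryption key for NAS <(?P<nas>[^>]*)>"),
     "compare the NAS entry in CSU.cfg with 'tacacs-server host ... key' (Table 6-24)"),
    ("incorrect-password",
     re.compile(r"NOTICE - Authentication - Incorrect password; \[(?P<fields>[^\]]*)\]"),
     "verify password case and the current-failed-logins counter (Table 6-23)"),
    ("user-not-found",
     re.compile(r"DEBUG - Authentication - User not found; \[(?P<fields>[^\]]*)\]"),
     "run ViewProfile -p 9900 -u <user>; create the user if it should exist (Table 6-23)"),
    ("authorization-failed-service",
     re.compile(r"DEBUG - Authorization - Failed service; \[(?P<fields>[^\]]*)\]"),
     "check the user or group profile for the service AVP named in 'input:' (Tables 6-16, 6-34)"),
]
# The profile dump after a failed login carries the counter on a line with no user
# name, so the user must be remembered from the 'Profile: user = ... {' line before it.
PROFILE_OPEN = re.compile(r"INFO - Profile: user = (?P<user>\S+) \{")
FAILED_LOGINS = re.compile(r"set server current-failed-logins = (?P<n>\d+)")
# 'NAS = 172.22.63.1, Port = tty51, User = dial_tac' -> key/value pairs
FIELD = re.compile(r"(\w+) = ([^,\]]+)")
AUTHZ_INPUT = re.compile(r"input: (.*?) output:")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a normalised event for a recognised failure line, else None."""
    for cause, pattern, action in CAUSE_PATTERNS:
        m = pattern.search(line)
        if not m:
            continue
        event = {"cause": cause, "action": action}
        if "nas" in m.groupdict():
            event["nas"] = m.group("nas")
        else:
            fields = m.group("fields")
            # Authentication lines use 'User', authorization lines use 'user': normalise.
            for key, value in FIELD.findall(fields):
                event[key.lower()] = value.strip()
            inp = AUTHZ_INPUT.search(fields)
            if inp:
                event["input"] = inp.group(1).strip()
        return event
    return None


def analyze(lines: List[str]) -> Dict[str, object]:
    """Walk a csuslog excerpt; summarise causes and per-user failed-login counters."""
    events: List[Dict[str, str]] = []
    failed_logins: Dict[str, int] = {}
    by_cause: Counter = Counter()
    current_user: Optional[str] = None
    for line in lines:
        event = parse_line(line)
        if event:
            events.append(event)
            by_cause[event["cause"]] += 1
            continue
        opened = PROFILE_OPEN.search(line)
        if opened:
            current_user = opened.group("user")
            continue
        counter = FAILED_LOGINS.search(line)
        if counter and current_user:
            failed_logins[current_user] = int(counter.group("n"))
    return {"events": events, "failed_logins": failed_logins, "by_cause": by_cause}


# Constructed sample modelled on the csuslog fragments in 6.4.1 through 6.4.6.
SAMPLE_LOG = """\
Jan 27 18:35:17 coachella CiscoSecure: WARNING - Insecure configuration: No encryption key for NAS <default>
Jan 27 22:19:08 coachella CiscoSecure: NOTICE - Authentication - Incorrect password; [NAS = 172.22.63.1, Port = tty51, User = dial_tac, Service = 1, Priv = 1]
Jan 27 22:19:08 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Jan 27 22:19:08 coachella set server current-failed-logins = 1
Jan 27 22:15:43 coachella CiscoSecure: DEBUG - Authentication - User not found; [NAS = 172.22.63.1, Port = tty51, User = dial_test, Service = 1]
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    for ev in report["events"]:
        print(f"{ev['cause']:30} user={ev.get('user', '-'):10} -> {ev['action']}")
    print("failed-login counters:", report["failed_logins"])
```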
6.4.4 Isolating Missing PPP Service Definition (TACACS+ Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-9 for
additional related problems.
Symptom Multiple users cannot start PPP. See Table 6-9.
Possible Cause Group does not have service=ppp AVP assigned. See Table 6-9.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1
Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows the PPP service
authorization request being initiated for user dial_tac and then denied by the AAA server:
111802: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV service=ppp
111803: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): send AV protocol=lcp
111804: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): found list "default"
111805: Feb 3 20:48:53.015 CST: As2 AAA/AUTHOR/LCP (153050196): Method=tacacs+(tacacs+)
111806: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): user=dial_tac
111807: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV service=ppp
111808: Feb 3 20:48:53.015 CST: AAA/AUTHOR/TAC+: (153050196): send AV protocol=lcp
111809: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR (153050196): Post authorization status = FAIL
111810: Feb 3 20:48:53.219 CST: As2 AAA/AUTHOR/LCP: Denied
Step 2
Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
The AAA server log file shows that the AAA server successfully authenticated the user, but that the PPP
service request was denied due to an authorization failure:
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async2, User = dial_tac, Priv = 1]
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - AUTHORIZATION request (468d69de)
Feb 3 20:48:58 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = Async2, input: service=ppp protocol=lcp output: ]
Step 3
Add service=ppp and related AVPs protocol=ip and protocol=lcp.
6.4.5 Isolating Defined AVPs not Being Assigned (TACACS+ Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-10 for
additional related problems.
Symptom Network authorization fails. See Table 6-10.
Possible Cause AVPs not assigned. See Table 6-10.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1
Review the group profile. In this case, the group profile shows inacl=110 is assigned to the
aaa_test_group profile:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -g aaa_test_group
Group Profile Information
group = aaa_test_group{
profile_id = 64
profile_cycle = 7
service=ppp {
protocol=ip {
inacl=110
}
protocol=lcp {
}
}
}
Step 2
Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows that no AAA
authorization for service=net is taking place:
112037: Feb 3 21:18:04.994 CST: AAA/MEMORY: create_user (0x61DF0AE8) user='dial_tac' ruser='' port='Async5' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
Step 3
Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
The following log file fragment confirms that access is permitted with no AAA authentication.
Feb 3 21:18:05 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async5, User = dial_tac, Priv = 1]
Feb 3 21:18:05 coachella CiscoSecure: INFO - Profile: user = dial_tac {
Feb 3 21:18:05 coachella set server current-failed-logins = 0
Feb 3 21:18:05 coachella profile_cycle = 12
Feb 3 21:18:05 coachella }
Step 4
Add aaa authorization network default group tacacs+ global command to the NAS configuration.
6.4.6 Isolating Missing Shell Service Definition (TACACS+ Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection and provides a
statement of a symptom, suggests a specific problem, and summarizes diagnostic steps. Diagnostics
include output from relevant debug commands and other troubleshooting tools. See Table 6-16 for
additional related problems.
Symptom No EXEC shell (terminal window after dial). See Table 6-16.
Possible Cause User or group does not have service=shell AVP assigned. See Table 6-16.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1
Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following output fragment shows the request sent to
AAA server to start service=shell:
092730: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Port='tty52' list='INSIDE' service=EXEC
092738: Jan 27 21:57:41.355 CST: tty52 AAA/AUTHOR/EXEC (3818889333): Method=ADMIN (tacacs+)
092739: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): user=dial_tac
092740: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV service=shell
The following output fragments illustrate notification of the failure from AAA server for service=shell:
092741: Jan 27 21:57:41.355 CST: AAA/AUTHOR/TAC+: (3818889333): send AV cmd*
092742: Jan 27 21:57:41.559 CST: AAA/AUTHOR (3818889333): Post authorization status = FAIL
The following fragment illustrates the Authorization FAILED message being detected by the debug aaa
authorization process:
092743: Jan 27 21:57:41.559 CST: AAA/AUTHOR/EXEC: Authorization FAILED
092744: Jan 27 21:57:43.559 CST: AAA/MEMORY: free_user (0x61D87A70) user='dial_tac' ruser='' port='tty52' rem_addr='172.22.2.3' authen_type=ASCII service=LOGIN priv=1
Step 2
Enter the following command to assess warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
In this case, the authentication succeeds for user dial_tac, as illustrated in the following csuslog file
fragment:
Jan 27 21:57:40 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = tty52, User = dial_tac, Priv = 1]
However, the csuslog file also shows that the authorization failed service for user dial_tac because the
service=shell AVP is not assigned:
Jan 27 21:57:40 coachella CiscoSecure: DEBUG
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]
Step 3
Enter the following command to review the user profile. This profile shows that the AVP service=shell
is not assigned to user dial_tac:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u dial_tac
User Profile Information
user = dial_tac{
profile_id = 63
profile_cycle = 4
member = aaa_test_group
password = des "********"
password = pap "********"
}
Step 4
Assign the service=shell AVP.
6.4.7 Isolating Incorrect PPP Reply Attributes (RADIUS Dial-Based Server Authorization)
This scenario focuses on a server-authorization failure for a dial-based connection using the RADIUS
protocol and provides a statement of a symptom, suggests a specific problem, and summarizes
diagnostic steps. Diagnostics include output from relevant debug commands and other troubleshooting
tools. See Table 6-9 for additional related problems.
Symptom PPP session is not established. See Table 6-9.
Possible Cause User or group does not have correct PPP reply attributes. See Table 6-9.
Action Complete troubleshooting steps to isolate and resolve this possible cause.
Step 1
Gather general debug command information from the NAS. The following output is from a debug aaa
authentication command executed on a NAS. The following fragment illustrates the Authorization
FAILED message being detected by the debug aaa authorization process:
*Apr 5 23:12:28.228: AAA/AUTHOR/EXEC: Authorization FAILED
*Apr 5 23:12:30.228: AAA/MEMORY: free_user (0x612311BC) user='rad_dial' ruser='' port='tty4' rem_addr='408/3241933' authen_type=ASCII service=LOGIN priv=1
*Apr 5 23:12:30.936: %ISDN-6-DISCONNECT: Interface Serial0:0 disconnected from unknown , call lasted 61 seconds
*Apr 5 23:12:30.980: %LINK-3-UPDOWN: Interface Serial0:0, changed state to down
Step 2
Enter the tail command to review the warnings and errors reported in the AAA server log file:
<CSUserver>$tail -f /var/log/csuslog
In this case the authorization fails for user rad_dial. The csuslog fragment below shows the server servicing the request from the NAS:
Apr 6 15:14:03 sleddog CiscoSecure: INFO - RADIUS: Servicing requests from NAS (172.23.84.35), sending host <172.23.84.35>
The same csuslog file also records a TACACS+ failed-service authorization for user dial_tac, whose profile lacks the service=shell AVP (the case covered in the preceding scenario):
Jan 27 21:57:40 coachella CiscoSecure: DEBUG
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]
Step 3
Enter the following command to view the rad_dial user profile in the database:
<CSUserver>$/opt/ciscosecure/CLI/ViewProfile -p 9900 -u rad_dial
User Profile Information
user = rad_dial{
profile_id = 23
set server current-failed-logins = 0
profile_cycle = 4
password = pap "********"
radius=Cisco {
reply_attributes= {
7=1
9,1="ip:inacl=110"
}
}
}
Note
In this profile the missing reply attribute is 6=2 (Service-Type=Framed). The profile already carries 7=1 (Framed-Protocol=PPP), but without Service-Type=Framed the NAS is never told to treat the call as a framed PPP session.
Step 4
Add the RADIUS AVP Service-Type=Framed (entered as 6=2 in AddProfile command input).
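The two checks the steps in this and the preceding scenario make by hand (spotting the failed-service line in csuslog, then reading the ViewProfile output for the attribute that is not there) can be scripted. The following Python is an added example and is not part of the Cisco guide or of CiscoSecure. The log lines and the two profile texts are constructed from the fragments shown above; the REQUIRED table encodes only the two cases these scenarios cover (service=shell for TACACS+ EXEC access, 6=2 and 7=1 for RADIUS PPP access); the function names are mine.

```python
"""Added example (not part of the Cisco guide): correlate CiscoSecure csuslog
authorization failures with the user's profile and report which AVPs or
RADIUS reply attributes are missing.  CSUSLOG, DIAL_TAC and RAD_DIAL are
constructed from the fragments shown in the scenarios above."""
import re

# Failed-service line as written by CiscoSecure for UNIX to csuslog.
FAIL_RE = re.compile(
    r"Authorization - Failed service; \[NAS = (?P<nas>[\d.]+), "
    r"user = (?P<user>\S+), port = (?P<port>\S+), "
    r"input: (?P<input>.*?) output: (?P<output>.*?)\]"
)

# What a profile must carry before the NAS gets a positive answer:
#   TACACS+ EXEC access needs the service=shell AVP;
#   RADIUS PPP access needs Service-Type=Framed (6=2) and Framed-Protocol=PPP (7=1).
REQUIRED = {
    "tacacs_shell": {"service=shell"},
    "radius_ppp": {"6=2", "7=1"},
}

CSUSLOG = """\
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e39fa075)
Jan 27 21:57:41 coachella CiscoSecure: DEBUG - Authorization - Failed service; [NAS = 172.22.63.1, user = dial_tac, port = tty52, input: service=shell cmd* output: ]
"""

DIAL_TAC = """\
user = dial_tac{
profile_id = 63
profile_cycle = 4
member = aaa_test_group
password = des "********"
password = pap "********"
}
"""

RAD_DIAL = """\
user = rad_dial{
profile_id = 23
set server current-failed-logins = 0
profile_cycle = 4
password = pap "********"
radius=Cisco {
reply_attributes= {
7=1
9,1="ip:inacl=110"
}
}
}
"""


def parse_failures(log_text):
    """One dict (nas, user, port, input) per failed-service line in the log."""
    found = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            found.append({k: m.group(k).strip() for k in ("nas", "user", "port", "input")})
    return found


def parse_profile(profile_text):
    """Set of 'name=value' attributes in ViewProfile output, at any nesting level.

    Covers TACACS+ AVPs (service=shell) and RADIUS reply attributes written
    as n=v or n,v="..."; password lines and the user header are skipped."""
    attrs = set()
    for raw in profile_text.splitlines():
        line = raw.strip().rstrip("{").strip()
        if not line or line.startswith("password") or line.startswith("user ="):
            continue
        m = re.match(r'^([\w:,\-]+)\s*=\s*"?([^"{}]*)"?$', line)
        if m and m.group(2).strip():
            attrs.add("%s=%s" % (m.group(1), m.group(2).strip()))
    return attrs


def missing_for(profile_text, access_type):
    """Required attributes for access_type that the profile does not carry."""
    return sorted(REQUIRED[access_type] - parse_profile(profile_text))


def diagnose(log_text, profiles):
    """For each failed service=shell authorization, look the user up in
    `profiles` (username -> ViewProfile text) and list the missing AVPs."""
    findings = []
    for f in parse_failures(log_text):
        if "service=shell" not in f["input"]:
            continue                      # only the EXEC-shell case is handled here
        prof = profiles.get(f["user"])
        miss = missing_for(prof, "tacacs_shell") if prof is not None else ["<no profile>"]
        findings.append((f["user"], f["nas"], f["port"], miss))
    return findings


if __name__ == "__main__":
    for user, nas, port, miss in diagnose(CSUSLOG, {"dial_tac": DIAL_TAC}):
        print("%s from NAS %s on %s: missing %s" % (user, nas, port, ", ".join(miss)))
    print("rad_dial for PPP: missing %s" % ", ".join(missing_for(RAD_DIAL, "radius_ppp")))
```

Run against the real files by replacing the constructed strings with the output of tail on csuslog and of ViewProfile for the user named in the failure; the profile parser ignores password lines, so the output can be pasted without redaction.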
Appendix A
AAA Device Configuration Listings
This appendix provides the following configuration listings:
• A.1.1 Example Local-Based Router AAA Configuration
• A.1.2 Example Server-Based TACACS+ NAS Configuration
• A.1.3 Example Server-Based RADIUS NAS Configuration
• A.4.1 CSU.cfg Listing
• A.4.2 CSConfig.ini Listing
• A.4.3 Oracle User Environment Variable
• A.4.4 listener.ora Listing
A.1 Sample Cisco IOS Configuration Listings
The following listings are the complete running configurations of the router and the NAS used to illustrate AAA implementation in this solution guide. Listings are included for TACACS+ and RADIUS configurations.
A.1.1 Example Local-Based Router AAA Configuration
The following example of a local-based router configuration includes both dial-in and EXEC shell
access configurations.
maui-rtr-03#show running-config
Building configuration...
Current configuration:
!
! Last configuration change at 09:19:35 CST Thu Apr 13 2000 by brownr
! NVRAM config last updated at 09:14:55 CST Thu Apr 13 2000 by brownr
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-rtr-03
!
no logging console
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
enable secret 5 xxxxxxxxxxxxxxxxx
!
username admin privilege 15 password 7 xxxxxxxxxxxx
!
!
!
clock timezone cst -6
clock summer-time CST recurring
ip subnet-zero
ip domain-name maui-onions.com
ip name-server x.x.x.x
ip name-server x.x.x.x
!
!
!
!
!
!
!
interface Loopback0
ip address 172.22.255.3 255.255.255.255
no ip directed-broadcast
!
interface ATM1/0
no ip address
no ip directed-broadcast
shutdown
no atm ilmi-keepalive
!
interface Serial2/0
ip address 10.10.10.1 255.255.255.0
no ip directed-broadcast
!
interface Serial2/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/2
no ip address
no ip directed-broadcast
shutdown
!
interface Serial2/3
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/0
ip address 172.22.241.3 255.255.255.0
no ip directed-broadcast
ip summary-address eigrp 69 172.22.80.0 255.255.240.0 5
!
interface Ethernet3/1
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/2
no ip address
no ip directed-broadcast
shutdown
!
interface Ethernet3/3
no ip address
no ip directed-broadcast
shutdown
!
interface FastEthernet4/0
ip address 172.22.80.1 255.255.255.0
no ip directed-broadcast
ip summary-address eigrp 69 172.22.240.0 255.255.240.0 5
half-duplex
!
router eigrp 69
network 172.22.0.0
!
ip default-gateway 172.22.53.1
ip classless
ip http server
ip http authentication aaa
ip tacacs source-interface Loopback0
!
snmp-server engineID local 00000009020000D0BB7F5054
snmp-server community cisco xx
snmp-server community rules xx
snmp-server trap-source Loopback0
snmp-server contact
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps config
snmp-server enable traps envmon
tacacs-server host 172.22.53.201 key biteme
tacacs-server key ciscorules
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
accounting commands 15 NO_ACCOUNT
login authentication NO_AUTHEN
transport input none
line aux 0
line vty 0 4
!
ntp clock-period 17179912
ntp source Loopback0
ntp update-calendar
ntp server 172.22.255.1
end
A.1.2 Example Server-Based TACACS+ NAS Configuration
The following example of a server-based NAS configuration includes both dial-in and EXEC shell
access configurations for TACACS+ implementations:
maui-nas-03#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
aaa accounting network default start-stop group tacacs+
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
clock source line secondary 2
!
controller T1 3
clock source line secondary 3
!
controller T1 4
clock source line secondary 4
!
controller T1 5
clock source line secondary 5
!
controller T1 6
clock source line secondary 6
!
controller T1 7
clock source line secondary 7
!
!
interface Loopback0
ip address 172.22.87.3 255.255.255.255
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback1
ip address 172.22.83.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:23
description "PRI D channel"
ip unnumbered Dialer1
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no logging event link-status
timeout absolute 240 0
dialer rotary-group 1
dialer-group 5
no snmp trap link-status
isdn switch-type primary-5ess
isdn incoming-voice modem
no fair-queue
compress stac
no cdp enable
!
interface FastEthernet0
ip address 172.22.80.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 192
!
interface Dialer1
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
no logging event link-status
timeout absolute 240 0
dialer in-band
dialer idle-timeout 300 either
dialer-group 5
no snmp trap link-status
peer default ip address pool default
no fair-queue
compress stac
no cdp enable
ppp max-bad-auth 3
ppp multilink
!
router eigrp 69
network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab
Learning Rack ISG
^C
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 192
session-timeout 15
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end
A.1.3 Example Server-Based RADIUS NAS Configuration
The following example of a server-based NAS configuration includes both dial-in and EXEC shell
access configurations for RADIUS implementations:
maui-nas-03#show running-config
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname maui-nas-03
!
aaa new-model
aaa authentication login default group radius local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default if-needed group radius local
aaa authorization exec default group radius if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default stop-only group radius
aaa accounting network default start-stop group radius
!
username admin privilege 15 password 7 xxxxxxxxxxxxx
username diallocal access-class 110 password 7 xxxxxxxxxxx
username diallocal autocommand ppp
spe 1/0 1/7
firmware location system:/ucode/mica_port_firmware
spe 2/0 2/7
firmware location system:/ucode/mica_port_firmware
!
!
resource-pool disable
!
!
!
!
!
clock timezone CST -6
clock summer-time CST recurring
ip subnet-zero
no ip domain-lookup
ip domain-name maui-onions.com
ip name-server 172.22.53.210
!
isdn switch-type primary-ni
isdn voice-call-failure 0
partition flash 2 24 8
!
!
!
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24
!
controller T1 1
clock source line secondary 1
!
controller T1 2
clock source line secondary 2
!
controller T1 3
clock source line secondary 3
!
controller T1 4
clock source line secondary 4
!
controller T1 5
clock source line secondary 5
!
controller T1 6
clock source line secondary 6
!
controller T1 7
clock source line secondary 7
!
!
interface Loopback0
ip address 172.22.87.3 255.255.255.255
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Loopback1
ip address 172.22.83.1 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
!
interface Ethernet0
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
!
interface Serial0
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial1
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial2
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial3
no ip address
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
shutdown
no fair-queue
clockrate 2015232
!
interface Serial0:23
description "PRI D channel"
ip unnumbered Dialer1
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no logging event link-status
timeout absolute 240 0
dialer rotary-group 1
dialer-group 5
no snmp trap link-status
isdn switch-type primary-5ess
isdn incoming-voice modem
no fair-queue
compress stac
no cdp enable
!
interface FastEthernet0
ip address 172.22.80.3 255.255.255.0
no ip directed-broadcast
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface Group-Async1
ip unnumbered Loopback0
no ip directed-broadcast
encapsulation ppp
no ip route-cache
ip tcp header-compression passive
no ip mroute-cache
no logging event link-status
dialer in-band
dialer idle-timeout 900
async mode interactive
no snmp trap link-status
peer default ip address pool default
no fair-queue
no cdp enable
ppp max-bad-auth 3
ppp authentication pap chap
group-range 1 192
!
interface Dialer1
no ip address
no ip directed-broadcast
encapsulation ppp
no ip route-cache
no ip mroute-cache
no logging event link-status
timeout absolute 240 0
dialer in-band
dialer idle-timeout 300 either
dialer-group 5
no snmp trap link-status
peer default ip address pool default
no fair-queue
compress stac
no cdp enable
ppp max-bad-auth 3
ppp multilink
!
router eigrp 69
network 172.22.0.0
!
ip local pool default 172.22.83.2 172.22.83.254
ip default-gateway 172.22.80.1
ip classless
ip tacacs source-interface Loopback0
ip http server
!
access-list 110 deny tcp any any eq telnet
access-list 110 permit tcp any any
tacacs-server host 172.22.53.204
tacacs-server key ciscorules
snmp-server engineID local 0000000902000050546B87BC
snmp-server community xxxxxxxxx RO
snmp-server community xxxxxxxxx RW
radius-server host 172.22.53.204 auth-port 1645 acct-port 1646 key ciscorules
banner login ^CC
Welcome to maui-nas-03
Maui-onions Lab
Learning Rack ISG
^C
!
line con 0
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
transport input none
line 1 192
session-timeout 15
exec-timeout 48 0
autoselect during-login
autoselect ppp
absolute-timeout 240
script dialer cisco_default
refuse-message ^CCCCCCCC!!! All lines are busy, try again later ###^C
modem InOut
modem autoconfigure type mica
transport preferred telnet
transport input all
transport output pad telnet rlogin udptn
line aux 0
line vty 0 4
!
end
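The three listings above are the kind of text a reviewer reads by eye for AAA mistakes. The following Python audit is an added example, not from the Cisco guide, that makes three of those reads mechanical: every method list a line references must be defined globally (the A.1.1 console applies accounting list NO_ACCOUNT, which no aaa accounting command defines); a none method list such as NO_AUTHEN is flagged only on lines that accept remote input (the listings apply it to the console, which has transport input none); and a per-host tacacs-server key that differs from the global tacacs-server key is reported (the A.1.1 router has both). SAMPLE_CONFIG is constructed from an abridged A.1.1 with the leading-space indentation of show running-config restored and one hypothetical vty stanza added so that the second check fires; the function names are mine.

```python
"""Added example (not from the Cisco guide): audit the AAA lines of an IOS
running-config.  SAMPLE_CONFIG is an abridged A.1.1 listing with the
indentation of show running-config restored and one hypothetical vty stanza."""

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default local enable
aaa authentication login NO_AUTHEN none
aaa authorization exec default local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default local
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+
tacacs-server host 172.22.53.201 key biteme
tacacs-server key ciscorules
!
line con 0
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 accounting commands 15 NO_ACCOUNT
 login authentication NO_AUTHEN
 transport input none
line vty 0 4
 login authentication NO_AUTHEN
 transport input telnet
end
"""

AAA_FUNCS = ("authentication", "authorization", "accounting")


def parse_config(text):
    """Return (defined, lines, keys).
    defined: {(function, subfunction): {list_name: method string}}
    lines:   [{'name', 'refs': [((function, subfunction), list_name)], 'transport'}]
    keys:    {'global': tacacs-server key, 'hosts': {ip: per-host key}}"""
    defined, lines, keys = {}, [], {"global": None, "hosts": {}}
    cur = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        toks = raw.split()
        if not raw.startswith(" "):                 # global configuration mode
            cur = None
            if toks[0] == "aaa" and len(toks) > 4 and toks[1] in AAA_FUNCS:
                func, sub, rest = toks[1], toks[2], toks[3:]
                if sub == "commands":               # privilege level precedes the list name
                    sub = "commands " + rest.pop(0)
                defined.setdefault((func, sub), {})[rest[0]] = " ".join(rest[1:])
            elif toks[:2] == ["tacacs-server", "key"]:
                keys["global"] = toks[2]
            elif toks[:2] == ["tacacs-server", "host"] and "key" in toks:
                keys["hosts"][toks[2]] = toks[toks.index("key") + 1]
            elif toks[0] == "line":
                cur = {"name": " ".join(toks[1:]), "refs": [], "transport": None}
                lines.append(cur)
        elif cur is not None:                       # line configuration mode
            if toks[:2] == ["login", "authentication"]:
                cur["refs"].append((("authentication", "login"), toks[2]))
            elif toks[0] in ("authorization", "accounting"):
                sub = "commands " + toks[2] if toks[1] == "commands" else toks[1]
                cur["refs"].append(((toks[0], sub), toks[-1]))
            elif toks[:2] == ["transport", "input"]:
                cur["transport"] = " ".join(toks[2:])
    return defined, lines, keys


def audit(text):
    """Sorted list of findings for the three checks described above."""
    defined, lines, keys = parse_config(text)
    findings = []
    for ln in lines:
        remote = ln["transport"] != "none"          # console with 'transport input none' is exempt
        for (func, sub), name in ln["refs"]:
            methods = defined.get((func, sub), {}).get(name)
            if methods is None:
                findings.append("line %s: %s %s references undefined list %s"
                                % (ln["name"], func, sub, name))
            elif remote and methods.split()[0] == "none":
                findings.append("line %s: %s %s uses list %s (none) on a remote-capable line"
                                % (ln["name"], func, sub, name))
    for host, key in keys["hosts"].items():
        if keys["global"] is not None and key != keys["global"]:
            findings.append("tacacs-server host %s: per-host key overrides global key" % host)
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The parser relies on the single leading space that show running-config puts in front of line-mode commands; the listings as printed in this appendix lost that indentation, so paste from the device rather than from the page.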
A.2 Router AAA Command Implementation Descriptions
Configurations addressed in this section focus on router administration. Router administration configurations cause functions to run within the router shell: commands executed from the router console, commands executed over a VTY connection, and a shell session started over a modem are all examples of EXEC functions. Table A-1 lists the commands relevant for a router in a Cisco IOS AAA environment.
Table A-1 Cisco IOS Commands Required to Set AAA for a Router
(each entry gives the Cisco IOS Command, followed by its Description/Application Comment)

tacacs-server key secret-key
    Specifies the shared encryption key; it must be the same as the key configured on the AAA server.
aaa new-model
    Enables AAA. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all PPP interfaces.
aaa authentication login default group tacacs+
    Causes the router to forward all login requests to the AAA server.
aaa authorization exec default group tacacs+ if-authenticated
    Uses the default list for EXEC authorization: verifies that the service=shell attribute is assigned to the user and downloads the shell attributes assigned in the AAA server.
aaa authorization commands 15 default group tacacs+ if-authenticated
    Uses command authorization for privilege level 15 commands; those commands must be assigned to the router users in the AAA server for them to run.
aaa accounting exec default start-stop group tacacs+
    Logs EXEC shell information for the user in start-stop TACACS+ format.
aaa accounting commands 15 default stop-only group tacacs+
    Sends a TACACS+ accounting stop record at the end of each privilege level 15 command.
aaa accounting system default stop-only group tacacs+
    Performs accounting for system-level events not associated with users, such as reloads, in stop-only TACACS+ format.
ip tacacs source-interface FastEthernet0/0/0
    Sources TACACS+ packets from this interface's IP address; this is the NAS address that must be configured in the AAA server.
ip http server
    Enables HTTP server access.
ip http authentication aaa
    Forces AAA authentication and authorization (at privilege level 15) for HTTP access.
tacacs-server host IP-address
    Specifies the AAA server.
A.3 NAS AAA Command Implementation Descriptions
Configurations addressed in this section focus on AAA with PPP. They differ from router administration configurations: PPP is a network-level function and is separate from the router shell. PPP can be started automatically at connect time, or from a terminal window after dialing in to the NAS. Table A-2 lists the commands relevant for a NAS providing PPP access in a Cisco IOS AAA environment.
Note
The following table lists Cisco IOS configuration commands required to support both TACACS+ and RADIUS AAA implementations.
Table A-2 Cisco IOS Commands Used to Set AAA with PPP for NAS (RADIUS and TACACS+)
(each entry gives the IOS Command, followed by its Description/Application Comment)

aaa new-model
    Enables authentication, authorization, and accounting. Forces an implicit login authentication default against all lines/console interfaces and an implicit ppp authentication pap default against all PPP interfaces.
aaa authentication login default group tacacs+
    Causes the router to forward all login requests to a TACACS+ server.
aaa authentication login default group radius
    Causes the router to forward all login requests to a RADIUS server.
aaa authentication ppp default if-needed group radius
    Uses the default list for PPP authentication. The if-needed keyword lets clients using the "Terminal Window after Dial" option authenticate to the RADIUS server once and then negotiate PPP without supplying the Windows dialup networking username and password a second time.
aaa authentication ppp default if-needed group tacacs+
    As above, against a TACACS+ server.
aaa authorization exec default group radius if-authenticated
    Uses the default list for EXEC authorization against the RADIUS server and downloads the shell-related attributes assigned there.
aaa authorization exec default group tacacs+ if-authenticated
    Uses the default list for EXEC authorization: verifies that the service=shell attribute is assigned to the user and downloads the shell attributes assigned in the AAA server.
aaa authorization network default group tacacs+ if-authenticated
    Uses the default list for network authorization: verifies that the service=ppp attribute is assigned to the user or group and downloads the PPP attributes assigned in the AAA server. The if-authenticated method, consulted only if the TACACS+ server does not answer, lets a user who has already authenticated through.
aaa authorization network default group radius if-authenticated
    Uses the default list for network authorization: verifies that the Service-Type=Framed attribute is assigned to the user or group and downloads the PPP attributes assigned in the AAA server. The if-authenticated method, consulted only if the RADIUS server does not answer, lets a user who has already authenticated through.
aaa accounting exec default start-stop group tacacs+
    Logs EXEC shell information for the user in start-stop TACACS+ format.
aaa accounting network default start-stop group tacacs+
    Logs all network-related service requests, such as PPP, in start-stop TACACS+ format.
aaa accounting exec default start-stop group radius
    Logs EXEC shell information for the user in start-stop RADIUS format.
aaa accounting network default start-stop group radius
    Logs all network-related service requests, such as PPP, in start-stop RADIUS format.
tacacs-server host IP-address key secret-key
    Specifies the AAA server and its shared encryption key; the key must be the same in the AAA server.
radius-server host IP-address auth-port 1645 acct-port 1646 key secret-key
    Specifies the RADIUS AAA server IP address and shared key, using the default UDP port 1645 for authentication and authorization and UDP port 1646 for accounting.
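The method lists in Tables A-1 and A-2 are walked in order, and the rule that decides what a list such as group tacacs+ local actually does is easy to get wrong: IOS moves on to the next method only when the previous one returns an error (server unreachable or silent), never when the server returns a reject, so the local database is a fallback for an outage and not a second chance for a rejected password. The if-authenticated and if-needed keywords from the tables fit the same walk. The following Python model is an added example, not Cisco code; server outcomes are supplied by the caller so that it runs offline, and the function names are mine.

```python
"""Added example (not from the Cisco guide): a small model of how IOS walks an
AAA method list.  A method that answers PASS or FAIL ends the list; only an
ERROR (server unreachable, no reply) moves on to the next method.  If every
method errors, the request is denied."""


def parse_methods(spec):
    """'group tacacs+ local' -> ['group tacacs+', 'local']."""
    toks, out = spec.split(), []
    while toks:
        t = toks.pop(0)
        out.append("group " + toks.pop(0) if t == "group" else t)
    return out


def evaluate(spec, server_results, ctx):
    """Walk the method list and return (decision, deciding_method).

    server_results maps 'group <name>' to 'PASS', 'FAIL' or 'ERROR'; a server
    with no entry is treated as unreachable (ERROR).
    ctx supplies what the box knows locally:
      ctx['local_ok']      user and password present in the local database
      ctx['enable_ok']     enable password matched
      ctx['authenticated'] user already passed authentication (for if-authenticated)
    """
    for method in parse_methods(spec):
        if method.startswith("group "):
            result = server_results.get(method, "ERROR")
        elif method == "local":
            result = "PASS" if ctx.get("local_ok") else "FAIL"
        elif method == "enable":
            result = "PASS" if ctx.get("enable_ok") else "FAIL"
        elif method == "if-authenticated":
            result = "PASS" if ctx.get("authenticated") else "FAIL"
        elif method == "none":
            result = "PASS"
        else:
            raise ValueError("unsupported method %r" % method)
        if result != "ERROR":          # PASS or FAIL is final; only ERROR falls through
            return result, method
    return "FAIL", None                # every method errored: request denied


def ppp_authentication(spec, server_results, ctx, if_needed):
    """'aaa authentication ppp default if-needed ...': with if-needed, a user who
    already authenticated on the line (terminal window after dial) is not
    challenged again; otherwise the list is evaluated normally."""
    if if_needed and ctx.get("authenticated"):
        return "PASS", "if-needed"
    return evaluate(spec, server_results, ctx)


if __name__ == "__main__":
    # Server rejects the user: local is never consulted, even though the user exists locally.
    print(evaluate("group tacacs+ local", {"group tacacs+": "FAIL"}, {"local_ok": True}))
    # Server unreachable: local takes over.
    print(evaluate("group tacacs+ local", {}, {"local_ok": True}))
    # EXEC authorization with the server down: if-authenticated lets an authenticated user in.
    print(evaluate("group tacacs+ if-authenticated", {}, {"authenticated": True}))
```

The practical consequence for the listings in A.1: a stale or wrong shared key makes the server answer with a reject, not an error, so group tacacs+ local will lock administrators out rather than fall back to the local admin account until the key is fixed on the console.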
A.4 CiscoSecure for UNIX Configuration Listings
This section provides the following listings:
• A.4.1 CSU.cfg Listing
• A.4.2 CSConfig.ini Listing
• A.4.3 Oracle User Environment Variable
• A.4.4 listener.ora Listing
For a complete description of AAA server files, go to:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/cs_unx
A.4.1 CSU.cfg Listing
# cd /opt/ciscosecure/config
# ls
CSConfig.ini CSU.cfg
CSU.cfg.sav
# cat CSU.cfg
LIST config_license_key = {"a73dc113d300a5ba3459"};
STRING config_update_log_filename = "/opt/ciscosecure/logfiles/passwd_chg.log";
/* store accounting records here when database fails */
/* default = /var/log/CSAccountingLog */
STRING config_acct_filename = "/var/log/CSAccountingLog";
/* AAA Server Metrics */
/* default = 0 (disable) */
NUMBER config_metrics_enable = 0; /* 1 to enable, 0 to disable */
/* default = 8 seconds */
NUMBER config_metrics_log_interval = 8; /* in seconds */
/* Callerid as Username */
/* default = 1 (enable) */
NUMBER config_callerid_enable = 1; /* 1 to enable, 0 to disable */
/* Use default user profile when user/callerid can't be found */
/* default = 1 (enable) */
NUMBER config_defaultuser_enable = 1; /* 1 to enable, 0 to disable */
/* AAA Server MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_maxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 24 hours */
NUMBER config_maxsessions_session_timeout = 1440; /* in minutes */
/* default = 60 minutes */
NUMBER config_maxsessions_purge_interval = 60; /* in minutes */
/* AAA Server Distributed MaxSessions Configuration */
/* default = 0 (disable) */
NUMBER config_distmaxsessions_enable = 0; /* 1 to enable, 0 to disable */
/* default = 0 (disabled) */
NUMBER config_dms_periodic_stats_interval = 0; /* 0 to disable, otherwise interval in seconds */
/* Cryptocard challenge lookahead */
/* default = 0, which is same as 1, do only 1 challenge, don't look ahead */
/* the maximum number of challenge look ahead is 20 */
NUMBER config_cryptocard_challenge_lookahead = 0;
/* Group Profile Cache Timeout; 0 == no timeout */
/* default = 5 seconds */
NUMBER config_cache_group_timeout = 5; /* in seconds */
/* Per-user accounting function */
/* default = 1 (enable) */
NUMBER config_acct_fn_enable = 1; /* 1 to enable, 0 to disable */
/* Extended Radius support */
NUMBER config_hex_string_support_enable = 0; /* 1 to enable, 0 to disable */
STRING config_server_ip_address = "172.23.25.41";
NUMBER config_token_cache_absolute_timeout = 86400;
NUMBER config_system_logging_level = 0x80;
NUMBER config_logging_configuration = 0xffffffff;
NUMBER config_warning_period = 20;
NUMBER config_expiry_period = 60;
NUMBER config_local_timezone = -8;             /* set this for your timezone */
NUMBER config_use_host_timezone = 0;           /* set value to 1 to always use system time */
NUMBER config_record_write_frequency = 5;      /* update frequency in seconds */
NUMBER config_max_failed_authentication = 10;  /* nmbr of authen fails accepted before account is disabled. */
NAS config_nas_config = {
  {
    "",            /* NAS name can go here */
    "ciscorules",  /* NAS/CiscoSecure secret key */
    "",            /* message_catalogue_filename */
    1,             /* username retries */
    2,             /* password retries */
    1              /* trusted NAS for SENDPASS */
  }
};
AUTHEN config_external_authen_symbols = {
{
"./libskey.so",
"skey"
}
,
{
"./libpap.so",
"pap"
}
,
{
"./libchap.so",
"chap"
}
,
{
"./libarap.so",
"arap"
}
};
AUTHOR config_external_author_symbols = {
{
"./libargs.so",
"process_input_arguments",
"process_input_arguments_ok",
"process_input_arguments_fail",
"process_output_arguments",
"process_output_arguments_ok",
"process_output_arguments_fail"
}
};
/*
* Sample of pre/post process configuration.
*
AUTHOR config_external_author_symbols = {
{
"./libcustomerprovided.so",
"customer_function"
}
};
*
* end sample
*/
ACCT config_external_acct_symbols = {
{
"./libacctmember.so",
"acct_member_fn"
}
};
ADMIN config_external_admin_symbols = {
"./libadmin.so"
};
DB config_external_database_symbols = {
{
"./libdb.so",
"",
""
}
};
PARSER config_external_parser_symbols = {
"./libt+.so"
};
EVENT config_external_event_symbols = {
{
"./libdb.so",
"",
""
}
};
DMS config_external_dms_symbols = {
"./libCiscoDMS.so"
};
#
#
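The config_nas_config table above is where the shared secret and the per-NAS trust settings live, so it is the part of CSU.cfg worth checking mechanically. The following Python reader is an added example, not from the Cisco guide or CiscoSecure. Field order follows the comments printed beside the table (NAS name, NAS/CiscoSecure secret key, message catalogue filename, username retries, password retries, trusted NAS for SENDPASS; SENDPASS is the TACACS+ authentication action by which a NAS asks the server to send it a user's password for outbound authentication, so trusting every NAS for it is rarely intended). Two things are assumptions made here rather than statements of the page: that an empty NAS name is a catch-all entry matching any NAS, and the second, hypothetical entry for maui-nas-03 with an empty key, added so the check has something to find. Function names are mine.

```python
"""Added example (not from the Cisco guide): read the NAS table in a CiscoSecure
for UNIX CSU.cfg and flag settings a reviewer would question.  SAMPLE_CSU_CFG
reproduces the entry from the listing above plus one hypothetical entry."""
import re

SAMPLE_CSU_CFG = """\
NAS config_nas_config = {
  {
    "",            /* NAS name can go here */
    "ciscorules",  /* NAS/CiscoSecure secret key */
    "",            /* message_catalogue_filename */
    1,             /* username retries */
    2,             /* password retries */
    1              /* trusted NAS for SENDPASS */
  }
  ,
  {
    "maui-nas-03", /* hypothetical second NAS, added for the example */
    "",
    "",
    1,
    2,
    0
  }
};
NUMBER config_max_failed_authentication = 10; /* authen fails before account is disabled */
"""

# Field order as documented by the comments beside config_nas_config.
FIELDS = ("name", "key", "catalogue", "user_retries", "pass_retries", "trusted_sendpass")


def strip_comments(text):
    """Remove the C-style comments CSU.cfg uses freely."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def parse_nas_entries(text):
    """List of dicts, one per inner { ... } block of config_nas_config."""
    clean = strip_comments(text)
    table = re.search(r"config_nas_config\s*=\s*\{(.*)\}\s*;", clean, re.S).group(1)
    entries = []
    for inner in re.findall(r"\{([^{}]*)\}", table):
        values = [v.strip().strip('"') for v in inner.split(",")]
        entries.append(dict(zip(FIELDS, values)))
    return entries


def max_failed_authentication(text):
    """Value of config_max_failed_authentication, or None if absent."""
    m = re.search(r"config_max_failed_authentication\s*=\s*(\d+)", strip_comments(text))
    return int(m.group(1)) if m else None


def review(text):
    """Findings in table order, followed by the lockout check."""
    findings = []
    for e in parse_nas_entries(text):
        label = e["name"] or "<any NAS>"       # empty name treated as catch-all (assumption)
        if not e["key"]:
            findings.append("%s: empty shared secret" % label)
        if not e["name"] and e["trusted_sendpass"] == "1":
            findings.append("%s: catch-all entry is trusted for SENDPASS" % label)
    if not max_failed_authentication(text):
        findings.append("config_max_failed_authentication missing or 0: accounts are never disabled")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_CSU_CFG):
        print(finding)
```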
A.4.2 CSConfig.ini Listing
#
#cat CSConfig.ini
############################################################
#
# $Archive: $
#
# (C) Copyright 1996 Cisco Systems. All rights reserved.
#
# This is CiscoSecure DBServer main initialization file.
#
# $Log: $
#
# $NoKeyWords: $
#
############################################################
;<--------------------- Ruler Line -------------------------------------------->
;        1         2         3         4         5         6         7         8
;2345678901234567890123456789012345678901234567890123456789012345678901234567890
;
;------------------------------------------------------------------------------[System]
; Location where the system is installed
RootDir=/opt/ciscosecure
; Location of the default profile (default= $RootDir/config/DefaultProfile)
DefaultProfile=/opt/ciscosecure/config/DefaultProfile
;------------------------------------------------------------------------------[System Error]
SysErrorFileDir = /opt/ciscosecure/logfiles
; DBServer gets the default path for System error handler here
; if it was not specified at command line with option
; [-LOGPATH path] when starting the DBServer daemon.
; DBServer must have sufficient access privilege to create this
; path and the log file if it does not already exist.
; log levels are 1 thru 10 where Minor=1, Moderate=5, Severe=8, Catastrophic=10
; (note: Catastrophic errors will shutdown the daemon)
MinLogLevel = 8
;------------------------------------------------------------------------------[SessionMgr]
; Session Manager configurables, purge interval is in minutes
MaxSessions=1000
PurgeInterval=60
;------------------------------------------------------------------------------[AccountingMgr]
;If this parameter=enable then log acct packets into cs_accounting_log database table
LogRawAccountingPacketToDB = enable
;If we are logging accounting records then this parameter decides whether to buffer the records
; in memory and then save them to the database using a background process. Enabling this will
; increase burst authentication performance.
;If enabled the DBServer will create enough buffers to match the value of 2 less than
; the number of database connections available.
; NOTE: There is a risk of losing records that are in memory in the event of the
;       DBServer going down ungracefully.
BufferAccountingPackets = enable
;This parameter decides the size of each accounting packet buffer. Legal values are from 5 to 1000
AccountingBufferSize = 500
; if parameter=enable then dbserver will process user max session info and save in memory,
; if disabled then ArchiveMaxSessionInfoToDB will also be disabled.
ProcessInMemoryMaxSessionInfo = enable
; If this parameter=enable then log user max session info into cs_user_accounting database table
; Note that if the BufferAccountingPackets parameter is enabled AND ProcessInMemoryMaxSessionInfo
; is enabled then max session info records will be buffered as well.
ArchiveMaxSessionInfoToDB = enable
; This is how often (in minutes) the system checks for accounting sessions to
; purge.
; NOTE: The purge interval is actually dependent upon a system background task
;       that is not guaranteed to run more frequently than 60 minutes. This
;       value is therefore not accurate to the minute and should not be set to
;       less than 60.
AcctPurgeInterval=60
; This is how long (in minutes) a session can be considered
; active before it is purged.
; NOTE: This value is dependent on the AcctPurgeInterval setting and is not
;       accurate to the minute. It is not intended to be set to less than 60.
AcctPurgeTimeOut=1440
;------------------------------------------------------------------------------
[DBServer]
DBServerName = CSdbServer
Protocol=TCP
MaxPacketSize = 4096
; Each DBServer process should have its own unique name.
; Do not put the hostname here in case more than one instance
; of the DBServer is running on the same machine
;The following is for internal use only by the DBServer
;Date format expected from the client application such as the GUI,
;to be used for parsing date/time string. The dbserver will reject
;inputs that contain other date/time formats. This format will also
;be used to return date/time strings.
;Examples, "d MMM yyyy" => "12 Feb 1997", "EEE MMM d hh:mm:ss z yyyy" => "Tue Apr 1 09:26:55 PST 1997"
DateFormat = "d MMM yyyy"
DateTimeFormat = "EEE MMM d hh:mm:ss z yyyy"
;------------------------------------------------------------------------------
[ValidClients]
100 = sleddog
; Add list of trusted clients above ^^^^ in the format:
;       ClientID = Client's Host Name
;       CGI stub's clientID=100, and its host name
;       For example 100 = localhost or 100 = 192.92.182.2
;       101 = 192.92.190.5
;
;if ValidateClients=true, then we only allow the clients with ids listed
;above to connect to the dbserver
ValidateClients = false
;if FastAdminValidateClients = true, then we only allow the clients with ids
;listed below to connect to the FastAdmin
FastAdminValidateClients = false
;------------------------------------------------------------------------------
[Protocol TCP]
HostName = sleddog      ; Name of host server
Port = 9900             ; Daemon port number
;Port=5001
;------------------------------------------------------------------------------
[Workers Pool]
; Maximum numbers of connection workers in pool, beyond which
; newly added workers will be ignored (or deleted).
MaxInPool=50
;------------------------------------------------------------------------------
[Database]
DataSource = ORACLE
DriverType = JDBC-Weblogic-Oracle
; Specify the rdbms installed and the driver type
; (ODBC or JDBC) that interfaces with the rdbms.
; Driver=ODBC or Driver=JDBC, then go to the [ODBC]
; or [JDBC] section to fill in the URL info.
# Oracle with ODBC
;DataSource = ORACLE
;DriverType = ODBC-Visigenic-Oracle
# Oracle with JDBC
;DataSource = ORACLE
;DriverType = JDBC-Weblogic-Oracle
# SQLAnywhere with ODBC
;DataSource = SQLAnywhere
;DriverType = ODBC-SQLAnywhere
# Sybase with ODBC
;DataSource = SYBASE
;DriverType = ODBC-Visigenic-Sybase
# Sybase with JDBC
;DataSource = SYBASE
;DriverType = JDBC-Weblogic-Sybase
# Test with some other DB that we did not qualify
;DataSource = OtherDB
;DriverType = ODBC-Visigenic
# names of data dictionary
ProfileAttr = cs_profile_attr_dict
ProfileCol = cs_profile_col_dict
UserAcct = cs_user_account_attr_dict
;------------------------------------------------------------------------------
[SQLAnywhere]
;this is the bundle database
ConnectionLicense = 12
Username = DBA
Password = SQL
;------------------------------------------------------------------------------
[OtherDB]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 1
Username = csecure
Password = csecure
;------------------------------------------------------------------------------
[ORACLE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense=4
Username = csecure
Password = csecure
;------------------------------------------------------------------------------
[SYBASE]
;number of open connections allowed to the data source(based on db license)
ConnectionLicense = 8
Username = csecure
Password = csecure
;------------------------------------------------------------------------------
[ODBC-SQLAnywhere]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SQLAnywhere;ENG=csecure;DBF=<database_file>;Start="dbeng50 -ud"
;Property below is required for internal use only: connection usage property
PrepareStatement = 0
;------------------------------------------------------------------------------
[ODBC-Visigenic-Oracle]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:Oracle
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;------------------------------------------------------------------------------
[ODBC-Visigenic-Sybase]
;ODBC driver information
Manager = sun.jdbc.odbc.JdbcOdbcDriver
Driver = jdbc:odbc:SybaseDBLib
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;------------------------------------------------------------------------------
[JDBC-Weblogic-Oracle]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicOciDriverManager
Driver=jdbc:weblogic:oracle:ciscosj
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;------------------------------------------------------------------------------
[JDBC-Weblogic-Sybase]
;JDBC driver information
Manager=cisco.ciscosecure.dbserver.jdbc.WeblogicDBLibDriverManager
Driver=jdbc:weblogic:sybase
;Property below is required for internal use only: connection usage property
PrepareStatement = 1
;------------------------------------------------------------------------------
[ProfileCaching]
EnableProfileCaching = OFF
;Polling period in minutes for cs_trans_log table
; Interval in seconds can be specified by fraction.
; For example, '5/60' denotes 5 seconds and '1 1/2' denotes 90 seconds.
; Setting to 0 disables polling.
DBPollInterval = 30
;-------------------------------------------------------------------------------
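The settings in this listing that matter most operationally are the ones its own comments describe: ValidateClients decides whether the DBServer accepts a connection from any host or only from the ClientIDs in [ValidClients], BufferAccountingPackets trades accounting records for burst performance, and every database section carries a plaintext Username and Password (DBA/SQL and csecure/csecure as shipped). The following Python script is an added example, not part of the case study or of CiscoSecure: it parses this semicolon-commented INI dialect, whether a section header sits on its own line or is fused to the end of the dashed separator as the extracted listing shows it, and reports the weak settings. The text it checks is a constructed sample built from the fragments above; the severity labels, and the rule that treats the two credential pairs printed in the listing as documented defaults, are the example's own choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the CSU.cfg fragments above (not the site's real
# file): the shipped settings, reduced to the sections the checks below look at.
# Headers are deliberately written fused to the separator, as the listing shows them.
SAMPLE_CFG = """\
;------------------------------------------------------------------------------[AccountingMgr]
;If this parameter=enable then log acct packets into cs_accounting_log database table
LogRawAccountingPacketToDB = enable
BufferAccountingPackets = enable
AccountingBufferSize = 500
;------------------------------------------------------------------------------[ValidClients]
100 = sleddog
; ClientID = Client's Host Name
ValidateClients = false
FastAdminValidateClients = false
;------------------------------------------------------------------------------[SQLAnywhere]
ConnectionLicense = 12
Username = DBA
Password = SQL
;------------------------------------------------------------------------------[ORACLE]
ConnectionLicense=4
Username = csecure
Password = csecure
"""

# A header may stand alone ("[ORACLE]") or end a dashed comment line (";----[ORACLE]").
_SECTION = re.compile(r"\[([^\[\]]+)\]\s*$")
_KV = re.compile(r"^([^;#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_csu_cfg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse CSU.cfg's ';'/'#'-commented INI dialect into {section: {lower-cased key: value}}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = _SECTION.search(line)
        if header and (line.startswith("[") or line[0] in ";#"):
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line[0] in ";#":
            continue
        kv = _KV.match(line)
        if kv and current is not None:
            sections[current][kv.group(1).lower()] = kv.group(2)
    return sections


# Credential pairs that appear verbatim in the shipped listing. Treating them as
# defaults is this example's rule: finding them on a production server means the
# profile database is reachable with a password printed in the documentation.
DEFAULT_DB_CREDS = {("dba", "sql"), ("csecure", "csecure")}
DB_SECTIONS = ("SQLAnywhere", "OtherDB", "ORACLE", "SYBASE")


def audit(sections: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (severity, finding) pairs for the weak settings the file's own comments warn about."""
    findings: List[Tuple[str, str]] = []
    clients = sections.get("ValidClients", {})
    # Only ValidateClients=true restricts DBServer connections to the listed ClientIDs.
    if clients.get("validateclients", "false").lower() != "true":
        findings.append(("HIGH", "ValidateClients is not true: any host may connect to the DBServer port"))
    if clients.get("fastadminvalidateclients", "false").lower() != "true":
        findings.append(("HIGH", "FastAdminValidateClients is not true: any host may connect to FastAdmin"))
    for name in DB_SECTIONS:
        creds = sections.get(name, {})
        pair = (creds.get("username", "").lower(), creds.get("password", "").lower())
        if pair in DEFAULT_DB_CREDS:
            findings.append(("HIGH", f"[{name}] still uses the documented credentials {pair[0]}/{pair[1]}"))
    acct = sections.get("AccountingMgr", {})
    # The listing's own NOTE: buffered records are lost if the DBServer dies ungracefully.
    if acct.get("bufferaccountingpackets", "").lower() == "enable":
        findings.append(("MEDIUM", "BufferAccountingPackets=enable: in-memory accounting records are "
                                   "lost on an ungraceful DBServer exit"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_csu_cfg(SAMPLE_CFG)):
        print(f"{severity:6} {message}")
```

To run it against a real server, pass the file contents to parse_csu_cfg instead of SAMPLE_CFG. The two client-validation checks are the ones to act on first: with ValidateClients left at false, the TCP listener named in [Protocol TCP] (HostName sleddog, port 9900 in this case study) takes a connection from any client that can reach it.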
A.4.3 Oracle User Environment Variable
#su - oracle
Sun Microsystems Inc.
SunOS 5.5.1
Generic May 1996
$env
HOME=/export/home/oracle
HZ=100
LD_LIBRARY_PATH=/opt/oracle/product/7.3.4/lib:/usr/openwin/lib:/usr/dt/lib:/usr/lib
LOGNAME=oracle
ORACLE_DOC=/doc
ORACLE_HOME=/opt/oracle/product/7.3.4
ORACLE_SID=ciscosj
ORACLE_TERM=xsun5
ORAENV_ASK=NO
PATH=/usr/bin::/opt/oracle/product/7.3.4:/opt/oracle/product/7.3.4/bin:/usr/ccs/bin:
SHELL=/bin/sh
TERM=ansi
TMPDIR=/var/tmp
TNS_ADMIN=/opt/oracle/product/7.3.4/network/admin
TZ=GMT-8
A.4.4 listener.ora Listing
$cd $ORACLE_HOME/
$ls
bin      jdbc     nlsrtl3   orainst  precomp  sqlplus
book22   lib      ocommon   otrace   rdbms    svrmgr
dbs      network  oracore3  plsql    slax
$cd network/admin
$ls
csmgen.tcl   listener.ora  tcl7.4  tnsnames.ora
csmman.man   sqlnet.fdf    tk4.0
$cat listener.ora
#
# Installation Generated Net V2 Configuration
# Version Date: Sep-16-97
# Filename: Listener.ora
#
LISTENER =
(ADDRESS_LIST =
(ADDRESS= (PROTOCOL= IPC)(KEY= ciscosj))
(ADDRESS= (PROTOCOL= IPC)(KEY= PNPKEY))
(ADDRESS= (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
)
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(GLOBAL_DBNAME= sleddog.)
(ORACLE_HOME= /opt/oracle/product/7.3.4)
(SID_NAME = ciscosj)
)
)
STARTUP_WAIT_TIME_LISTENER = 0
CONNECT_TIMEOUT_LISTENER = 10
TRACE_LEVEL_LISTENER = OFF
$ls
csmgen.tcl   listener.ora  tcl7.4  tnsnames.ora
csmman.man   sqlnet.fdf    tk4.0
$cat tnsnames.ora
#
# Installation Generated NetV2 Configuration
# Version Date: Sep-30-97
# Filename: Tnsnames.ora
#
ciscosj =
(DESCRIPTION =
(ADDRESS = (PROTOCOL= TCP)(Host= sleddog)(Port= 1521))
(CONNECT_DATA = (SID = ciscosj))
)
A.5 CiscoSecure Log Files
$CSUBASE/logfiles/cs_install.log
$CSUBASE/logfiles/cs_shutdown.log
$CSUBASE/logfiles/cs_startup.log
$CSUBASE/logfiles/csdblog_<date>
$CSUBASE/logfiles/passwd_chg.log
$CSUBASE/ns-home/CSUServer/logs/access
$CSUBASE/ns-home/CSUServer/logs/errors
$CSUBASE/ns-home/admserver/errors
$CSUBASE/ns-home/admserver/access
$CSUBASE/ns-home-httpd-csuserver/logs
Appendix B  AAA Impact on Maintenance Tasks
Most BootFlash images do not recognize all Cisco IOS aaa commands. As a result, booting a BootFlash
image on a NAS whose console and VTY access depend on those commands can lock you out and force a
password recovery, unless the Cisco IOS fragment listed in this appendix is used to disable AAA on those
lines first. One example of a situation requiring this configuration is a software image upgrade for a
Cisco AS5200 access server.
Include the following Cisco IOS commands to disable AAA authentication and authorization on the
console and VTY ports of a NAS. Because every method list below uses the single method none, these
lines perform no authentication and no authorization while they are in effect; apply them only for the
maintenance window and restore the production method lists once the upgrade is complete:
aaa authentication login NO_AUTHENT none
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 NO_AUTHOR none
line con 0
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
 authorization commands 15 NO_AUTHOR
line vty 0 4
 authorization commands 15 NO_AUTHOR
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
Note   Refer to “4.6 Implementing Server-Based TACACS+ Router Authorization” for related
implementation information.
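Once the upgrade is done the fragment above has to come back out, and the thing to look for afterwards is any console or VTY line that still resolves to a method list containing none. The following Python script is an added example, not Cisco code: it reads an IOS running configuration, resolves each line stanza's login authentication, authorization exec and authorization commands references (falling back to the default list, as IOS does, when the stanza names none explicitly) and reports every line whose effective list contains the method none. The configuration it reads is a constructed sample that combines the maintenance fragment with an assumed production TACACS+ setup; NO_AUTHENT and NO_AUTHOR are the list names from this appendix, everything else in it is illustrative.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt: the Appendix B maintenance fragment left in
# place beside an assumed production TACACS+ setup. NO_AUTHENT and NO_AUTHOR are
# the list names from this appendix; the rest is illustrative.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHENT none
aaa authorization exec default group tacacs+ local
aaa authorization exec NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ local
aaa authorization commands 15 NO_AUTHOR none
!
line con 0
 authorization exec NO_AUTHOR
 login authentication NO_AUTHENT
 authorization commands 15 NO_AUTHOR
line aux 0
line vty 0 4
 login authentication NO_AUTHENT
 authorization exec default
 transport input telnet ssh
line vty 5 15
 transport input ssh
!
end
"""

_AUTHEN = re.compile(r"^aaa authentication login (\S+) (.+)$")
_AUTHOR = re.compile(r"^aaa authorization (exec|commands \d+) (\S+) (.+)$")


def parse_method_lists(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each AAA function ('login', 'exec', 'commands 15', ...) to its named
    method lists and the ordered methods each list tries."""
    lists: Dict[str, Dict[str, List[str]]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = _AUTHEN.match(line)
        if m:
            lists.setdefault("login", {})[m.group(1)] = m.group(2).split()
            continue
        m = _AUTHOR.match(line)
        if m:
            lists.setdefault(m.group(1), {})[m.group(2)] = m.group(3).split()
    return lists


def parse_line_stanzas(config: str) -> Dict[str, Dict[str, str]]:
    """Map each 'line ...' stanza to the method-list names it references,
    keyed by the same function names parse_method_lists uses."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = {}
            continue
        if current is None or not raw.startswith(" "):
            current = None          # '!', 'end' or a top-level command closes the stanza
            continue
        parts = raw.split()
        if parts[:2] == ["login", "authentication"] and len(parts) > 2:
            stanzas[current]["login"] = parts[2]
        elif parts[:2] == ["authorization", "exec"] and len(parts) > 2:
            stanzas[current]["exec"] = parts[2]
        elif parts[:2] == ["authorization", "commands"] and len(parts) > 3:
            stanzas[current][f"commands {parts[2]}"] = parts[3]
    return stanzas


def audit_none_lists(config: str) -> List[Tuple[str, str, str]]:
    """Return (stanza, function, list name) for every line whose effective method
    list contains 'none'. A function the stanza does not mention resolves to the
    'default' list, which is how IOS applies it."""
    lists = parse_method_lists(config)
    findings: List[Tuple[str, str, str]] = []
    for stanza, refs in parse_line_stanzas(config).items():
        for func, named in lists.items():
            name = refs.get(func, "default")
            if "none" in named.get(name, []):
                findings.append((stanza, func, name))
    return findings


if __name__ == "__main__":
    for stanza, func, name in audit_none_lists(SAMPLE_CONFIG):
        print(f"{stanza}: {func} uses list {name!r}, which contains 'none'")
```

The check deliberately flags a list such as group tacacs+ none as well, since that fallback also opens the line whenever the server is unreachable; decide per line whether that is intended. Note that IOS applies EXEC and command authorization to the console only when aaa authorization console is configured, so a console authorization finding matters only on a NAS that has that command.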
Appendix C  Server-Based AAA Verification Diagnostic Output
This appendix is organized into the following sections:
• C.1 Server-Based TACACS+ Dialup Authentication Diagnostics
• C.2 Server-Based TACACS+ Dialup Authorization Diagnostics
• C.3 Server-Based RADIUS Dialup Authentication Diagnostics
• C.4 Server-Based RADIUS Dialup Authorization Diagnostics
• C.5 Server-Based TACACS+ Router Authentication Diagnostics
• C.6 Server-Based TACACS+ Router Authorization Diagnostics
Diagnostic examples present captured output from debug command (router) and tail command (AAA
server) listings.
Note   Output fragments provided here are excerpted from the applicable debug command output
or AAA server csuslog file—unless otherwise noted. Diagnostic content is gathered from
the AAA server by using the tail -f /var/log/csuslog command. Pertinent portions of
output are included as fragments of complete listings.
C.1 Server-Based TACACS+ Dialup Authentication Diagnostics
The following test results for “4.1 Implementing Server-Based TACACS+ Dialup Authentication”
provide relevant NAS and AAA server log output:
1. Authentication login is successful for user tac_dial.
2. PAP authentication request for user tac_dial.
3. Creation of user tac_dial, service=ppp.
4. Authentication PASS received from AAA server.
Note   Use these debug commands: debug aaa authentication and debug ppp authentication.
The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note   The debug command output can vary depending on Cisco IOS versions.
1. Authentication login is successful for user tac_dial.
AAA server csuslog output:
Feb 4 10:40:13 coachella CiscoSecure: DEBUG - AUTHENTICATION START request (8d2d325f)
Feb 4 10:40:13 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async3, User = tac_dial, Priv = 1]
2. PAP authentication request for user tac_dial.
NAS debug output:
113288: Feb 4 10:40:13.696 CST: As3 PAP: I AUTH-REQ id 1 len 23 from "tac_dial"
113289: Feb 4 10:40:13.696 CST: As3 PAP: Authenticating peer tac_dial
3. Creation of user tac_dial, service=ppp.
NAS debug output:
113290: Feb 4 10:40:13.696 CST: AAA: parse name=Async3 idb type=10 tty=3
113291: Feb 4 10:40:13.696 CST: AAA: name=Async3 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=3 channel=0
113292: Feb 4 10:40:13.696 CST: AAA: parse name=Serial0:4 idb type=12 tty=-1
113293: Feb 4 10:40:13.696 CST: AAA: name=Serial0:4 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=4
113294: Feb 4 10:40:13.696 CST: AAA/MEMORY: create_user (0x61E09254) user='tac_dial' ruser='' port='Async3' rem_addr='async/81560' authen_type=PAP service=PPP priv=1
113295: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): port='Async3' list='' action=LOGIN service=PPP
4. Authentication PASS received from AAA server.
NAS debug output:
113296: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): using "default" list
113297: Feb 4 10:40:13.696 CST: AAA/AUTHEN (2368549471): status = UNKNOWN
113298: Feb 4 10:40:13.696 CST: AAA/AUTHEN/START (2368549471): Method=tacacs+ (tacacs+)
113299: Feb 4 10:40:13.696 CST: TAC+: send AUTHEN/START packet ver=193 id=2368549471
113300: Feb 4 10:40:13.900 CST: TAC+: ver=193 id=2368549471 received AUTHEN status = PASS
C.2 Server-Based TACACS+ Dialup Authorization Diagnostics
The following test results for “4.2 Implementing Server-Based TACACS+ Dialup Authorization”
provide relevant NAS and AAA server log output:
1. User dialtest is authorized EXEC shell access to the NAS.
2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs.
3. User dialtest is authorized EXEC shell access to NAS.
4. User dialtest is assigned the addr-pool=default AVP through network authorization.
5. User dialtest is assigned the inacl=110 AVP through network authorization.
6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs.
Note   Use this debug command: debug aaa authorization.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note   The debug command output can vary depending on Cisco IOS versions.
1. User dialtest is authorized EXEC shell access to the NAS.
AAA server csuslog output:
Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (365f23d3)
Apr 6 15:48:06 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=shell cmd* output: ]
2. User dialtest starts PPP from the shell and is assigned the addr-pool=default and inacl=110 AVPs.
AAA server csuslog output:
Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (74e5f744)
Apr 6 15:48:07 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip addr-pool*default output: inacl=110]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (78655fcd)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=lcp output: ]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - AUTHORIZATION request (cae30c69)
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip output: addr-pool=default inacl=110]
3. User dialtest is authorized EXEC shell access to NAS.
NAS debug output:
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Port='tty8' list='' service=EXEC
*Apr 6 00:12:29.932: AAA/AUTHOR/EXEC: As8 (912204755) user='dialtest'
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV service=shell
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): send AV cmd*
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): found list "default"
*Apr 6 00:12:29.932: As8 AAA/AUTHOR/EXEC (912204755): Method=tacacs+ (tacacs+)
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): user=dialtest
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV service=shell
*Apr 6 00:12:29.932: AAA/AUTHOR/TAC+: (912204755): send AV cmd*
*Apr 6 00:12:30.136: As8 AAA/AUTHOR (912204755): Post authorization status = PASS_ADD
4. User dialtest is assigned the addr-pool=default AVP through network authorization.
NAS debug output:
*Apr 6 00:12:31.480: AAA/AUTHOR/PPP: As8 (1961228100) user='dialtest'
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV service=ppp
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV protocol=ip
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): send AV addr-pool*default
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): found list "default"
*Apr 6 00:12:31.480: As8 AAA/AUTHOR/PPP (1961228100): Method=tacacs+ (tacacs+)
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): user=dialtest
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV service=ppp
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV protocol=ip
*Apr 6 00:12:31.480: AAA/AUTHOR/TAC+: (1961228100): send AV addr-pool*default
*Apr 6 00:12:31.684: As8 AAA/AUTHOR (1961228100): Post authorization status = PASS_ADD
5. User dialtest is assigned the inacl=110 AVP through network authorization.
NAS debug output:
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV service=ppp
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV protocol=ip
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV addr-pool*default
*Apr 6 00:12:31.684: AAA/AUTHOR/Async8: PPP: Processing AV inacl=110
6. User dialtest starts PPP and is assigned the addr-pool=default and inacl=110 AVPs.
NAS debug output:
*Apr 6 00:33:05.860: As9 AAA/AUTHOR/IPCP: Says use pool default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Pool returned 172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV service=ppp
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV protocol=ip
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr-pool=default
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV inacl=110
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Processing AV addr*172.23.25.37
*Apr 6 00:33:05.864: As9 AAA/AUTHOR/IPCP: Authorization succeeded
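The csuslog lines in C.1 and C.2 share one shape: a syslog prefix, "CiscoSecure: DEBUG - <phase> - <result>;" and a bracketed body naming the NAS, user and port, with authorization bodies also carrying the input AV pairs the NAS sent and the output AV pairs the server returned (attr=value is mandatory, attr*value optional, the same convention the NAS debug lines use). The following Python script is an added example, not part of the case study or of CiscoSecure: it parses those lines into events and runs two checks over them, one that groups denied commands per user and NAS (using the Failed command result that appears under C.6), and one that flags PPP/IP authorizations whose reply carried no inacl, since such a session came up without the per-user access list the test cases above rely on. The first three sample lines and the first Failed command line are copied from this appendix; the ppptest line and the second rtr_dweeb line are constructed so that each check has something to find.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Sample csuslog lines. The first three and the first "Failed command" line are
# copied from this appendix (C.1, C.2, C.6); the ppptest line and the second
# rtr_dweeb line are constructed for the checks below.
SAMPLE_CSUSLOG = """\
Feb 4 10:40:13 coachella CiscoSecure: DEBUG - AUTHENTICATION START request (8d2d325f)
Feb 4 10:40:13 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.63.1, Port = Async3, User = tac_dial, Priv = 1]
Apr 6 15:48:13 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = dialtest, port = tty8, input: service=ppp protocol=ip output: addr-pool=default inacl=110]
Apr 6 15:49:02 sleddog CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.23.84.35, user = ppptest, port = tty9, input: service=ppp protocol=ip output: addr-pool=default]
Feb 18 11:44:49 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug cmd-arg=all cmd-arg=<cr> output: ]
Feb 18 11:44:55 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]
"""

_EVENT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) CiscoSecure: (?P<level>\w+) - "
    r"(?P<phase>Authentication|Authorization) - (?P<result>[^;]+); \[(?P<body>.*)\]\s*$"
)
_AUTHOR_BODY = re.compile(
    r"NAS = (?P<nas>[^,]+), user = (?P<user>[^,]+), port = (?P<port>[^,]+), "
    r"input: (?P<input>.*?) output: ?(?P<output>.*)$"
)
_AUTHEN_BODY = re.compile(
    r"NAS = (?P<nas>[^,]+), Port = (?P<port>[^,]+), User = (?P<user>[^,]+), Priv = (?P<priv>\d+)$"
)
_AV = re.compile(r"^([^=*]+)([=*])(.*)$")

AV = Tuple[str, str, bool]   # (attribute, value, mandatory)


def parse_avs(text: str) -> List[AV]:
    """Split 'a=b c*d' into AV triples: '=' marks a mandatory pair, '*' an optional one."""
    avs: List[AV] = []
    for token in text.split():
        m = _AV.match(token)
        if m:
            avs.append((m.group(1), m.group(3), m.group(2) == "="))
    return avs


def parse_event(line: str) -> Optional[Dict[str, Any]]:
    """Parse one csuslog line into an event dict, or return None for lines without
    a bracketed body (request markers, profile dumps, unrelated syslog)."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    ev: Dict[str, Any] = dict(m.groupdict())
    body = m.group("body")
    if ev["phase"] == "Authorization":
        b = _AUTHOR_BODY.match(body)
        if not b:
            return None
        ev.update(nas=b.group("nas"), user=b.group("user"), port=b.group("port"),
                  input=parse_avs(b.group("input")), output=parse_avs(b.group("output")))
    else:
        b = _AUTHEN_BODY.match(body)
        if not b:
            return None
        ev.update(nas=b.group("nas"), user=b.group("user"), port=b.group("port"),
                  priv=int(b.group("priv")), input=[], output=[])
    return ev


def command_from_avs(avs: List[AV]) -> str:
    """Rebuild the typed command from the cmd / cmd-arg pairs, dropping the <cr>."""
    return " ".join(v for a, v, _ in avs if a in ("cmd", "cmd-arg") and v and v != "<cr>")


def failed_commands(lines: List[str]) -> Dict[Tuple[str, str], List[str]]:
    """Denied commands grouped by (user, NAS): a burst against one account is the
    signature of someone probing what their authorization profile allows."""
    denied: Dict[Tuple[str, str], List[str]] = {}
    for ev in filter(None, map(parse_event, lines)):
        if ev["phase"] == "Authorization" and ev["result"] == "Failed command":
            denied.setdefault((ev["user"], ev["nas"]), []).append(command_from_avs(ev["input"]))
    return denied


def ppp_ip_without_inacl(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(user, NAS, port) of authorized PPP/IP requests whose reply carried no inacl,
    i.e. sessions that came up without a per-user access list."""
    hits: List[Tuple[str, str, str]] = []
    for ev in filter(None, map(parse_event, lines)):
        if ev["phase"] != "Authorization" or ev["result"] != "Request authorized":
            continue
        sent = {a: v for a, v, _ in ev["input"]}
        if sent.get("service") == "ppp" and sent.get("protocol") == "ip":
            if not any(a == "inacl" for a, _, _ in ev["output"]):
                hits.append((ev["user"], ev["nas"], ev["port"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_CSUSLOG.splitlines()
    for (user, nas), cmds in failed_commands(lines).items():
        print(f"{user}@{nas}: {len(cmds)} denied command(s): {', '.join(cmds)}")
    for user, nas, port in ppp_ip_without_inacl(lines):
        print(f"{user}@{nas} {port}: PPP/IP authorized with no inacl")
```

The protocol=lcp authorization in C.2 is deliberately ignored by the inacl check: the access list is returned on the protocol=ip request, so only that exchange says whether the session got one. Feed the checks the output of tail -f /var/log/csuslog, as the note at the start of this appendix describes, rather than the NAS debug output; the NAS lines carry the same AV pairs but per-request rather than per-decision.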
C.3 Server-Based RADIUS Dialup Authentication Diagnostics
The following test results for “4.3 Implementing Server-Based RADIUS Dialup Authentication”
provide relevant NAS and AAA server output:
1. User rad_dial successfully passes authentication on port Async5.
2. User rad_dial successfully passes authentication.
Note   Use these debug commands: debug aaa authentication and debug ppp authentication.
The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note   The debug command output can vary depending on Cisco IOS versions.
1. User rad_dial successfully passes authentication on port Async5.
NAS debug output:
00:38:42: AAA/MEMORY: create_user (0x61619F48) user='rad_dial' ruser='' port='Async5' rem_addr='65004/65301' authen_type=PAP service=PPP priv=1
00:38:42: AAA/AUTHEN/START (3896270890): port='Async5' list='' action=LOGIN service=PPP
00:38:42: AAA/AUTHEN/START (3896270890): using "default" list
00:38:42: AAA/AUTHEN (3896270890): status = UNKNOWN
00:38:42: AAA/AUTHEN/START (3896270890): Method=radius (radius)
00:38:42: AAA/AUTHEN (3896270890): status = PASS
2. User rad_dial successfully passes authentication.
AAA server csuslog output:
Apr 6 16:18:19 danvers CiscoSecure: INFO - Profile: user = rad_dial {
Apr 6 16:18:19 danvers    set server current-failed-logins = 0
Apr 6 16:18:19 danvers    profile_cycle = 9
C.4 Server-Based RADIUS Dialup Authorization Diagnostics
The following test results for “4.4 Implementing Server-Based RADIUS Dialup Authorization” provide
relevant NAS output:
1. User rad_dial is authorized for protocol=lcp.
2. User rad_dial is authorized for IPCP.
3. Input access-list is verified as 110 while the output access-list is shown as not set.
Note   Use these commands: debug aaa authorization and show caller user rad_dial detail.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note   The debug command output can vary depending on Cisco IOS versions.
1. User rad_dial is authorized for protocol=lcp.
NAS debug output:
01:02:17: AAA/MEMORY: create_user (0x61504AC4) user='rad_dial' ruser='' port='Async6' rem_addr='65004/65301' authen_type=PAP service=PPP priv=1
01:02:17: As6 AAA/AUTHOR/LCP: Authorize LCP
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Port='Async6' list='' service=NET
01:02:17: AAA/AUTHOR/LCP: As6 (3341570658) user='rad_dial'
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV service=ppp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): send AV protocol=lcp
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): found list "default"
01:02:17: As6 AAA/AUTHOR/LCP (3341570658): Method=radius (radius)
01:02:17: As6 AAA/AUTHOR (3341570658): Post authorization status = PASS_REPL
2. User rad_dial is authorized for IPCP.
NAS debug output:
01:02:17: As6 AAA/AUTHOR/LCP: Processing AV service=ppp
01:02:17: As6 AAA/AUTHOR/FSM: (0): Can we start IPCP?
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Port='Async6' list='' service=NET
01:02:17: AAA/AUTHOR/FSM: As6 (2347737596) user='rad_dial'
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV service=ppp
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): send AV protocol=ip
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): found list "default"
01:02:17: As6 AAA/AUTHOR/FSM (2347737596): Method=radius (radius)
01:02:17: As6 AAA/AUTHOR (2347737596): Post authorization status = PASS_REPL
01:02:17: As6 AAA/AUTHOR/FSM: We can start IPCP
01:02:17: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5
01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp
01:02:17: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110
01:02:17: As6 AAA/AUTHOR/IPCP: Authorization succeeded
01:02:17: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV service=ppp
01:02:18: As6 AAA/AUTHOR/IPCP: Processing AV inacl=110
01:02:18: As6 AAA/AUTHOR/IPCP: Authorization succeeded
01:02:18: As6 AAA/AUTHOR/IPCP: Done. Her address 0.0.0.0, we want 172.22.83.5
01:02:18: As6 AAA/AUTHOR/IPCP: Start. Her address 172.22.83.5, we want 172.22.83.5
3. Input access-list is verified as 110 while the output access-list is shown as not set.
Output from show caller user rad_dial detail from NAS:
User: rad_dial, line tty 116, service Async
      Active time 00:01:29, Idle time 00:00:40
  Timeouts:        Absolute  Idle  Idle  Session  Exec
    Limits:        04:00:00  00:48:00
    Disconnect in: 03:58:30
  TTY: Line 116, running PPP on As116
  Location: PPP: 172.22.83.37
  DS0: (slot/unit/channel)=0/0/20
  Line: Baud rate (TX/RX) is 115200/115200, no parity, 1 stopbits, 8 databits
  Status: Ready, Active, No Exit Banner, Async Interface Active
          HW PPP Support Active, Modem Detected
  Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out
                Modem Callout, Modem RI is CD,
                Line usable as async interface, Modem Autoconfigure
                Integrated Modem
  Modem State: Ready, Modem Configured
User: rad_dial, line As116, service PPP
      Active time 00:01:23, Idle time 00:00:35
  Timeouts:        Absolute  Idle
    Limits:
    Disconnect in:
  PPP: LCP Open, PAP (<- AAA), IPCP, CDPCP
  LCP: -> peer, ACCM, AuthProto, MagicNumber, PCompression, ACCompression
       <- peer, ACCM, MagicNumber, PCompression, ACCompression
  NCP: Open IPCP, CDPCP
  IPCP: <- peer, Address
        -> peer, Address
  IP: Local 172.22.83.1, remote 172.22.83.37
  Access list (I/O) is 110/not set, default (I/O) not set/not set
  Counts: 14 packets input, 1399 bytes, 0 no buffer
          1 input errors, 1 CRC, 0 frame, 0 overrun
          15 packets output, 1448 bytes, 0 underruns
          0 output errors, 0 collisions, 0 interface resets
C.5 Server-Based TACACS+ Router Authentication Diagnostics
The following test results for “4.5 Implementing Server-Based TACACS+ Router Authentication”
provide relevant router output:
1. Get user and password interaction between router and AAA server.
2. User rtr_test successfully logs in.
Note   Use this debug command: debug aaa authentication.
The following diagnostic results are presented in the order in which they are generated during the
authentication process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note   The debug command output can vary depending on Cisco IOS versions.
1. Get user and password interaction between router and AAA server.
Router debug output:
Feb 24 11:10:27.101 CST: AAA/MEMORY: create_user (0x61F74900) user='' ruser='' port='tty2' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): port='tty2' list='' action=LOGIN service=LOGIN
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): using "default" list
Feb 24 11:10:27.101 CST: AAA/AUTHEN/START (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:27.105 CST: TAC+: send AUTHEN/START packet ver=192 id=2925282821
Feb 24 11:10:27.305 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETUSER
Feb 24 11:10:27.305 CST: AAA/AUTHEN (2925282821): status = GETUSER
Feb 24 11:10:30.549 CST: AAA/AUTHEN/CONT (2925282821): continue_login (user='(undef)')
Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): status = GETUSER
Feb 24 11:10:30.549 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:30.549 CST: TAC+: send AUTHEN/CONT packet id=2925282821
Feb 24 11:10:30.749 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = GETPASS
Feb 24 11:10:30.749 CST: AAA/AUTHEN (2925282821): status = GETPASS
Feb 24 11:10:33.981 CST: AAA/AUTHEN/CONT (2925282821): continue_login (user='rtr_test')
Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): status = GETPASS
Feb 24 11:10:33.981 CST: AAA/AUTHEN (2925282821): Method=tacacs+ (tacacs+)
Feb 24 11:10:33.981 CST: TAC+: send AUTHEN/CONT packet id=2925282821
Feb 24 11:10:34.181 CST: TAC+: ver=192 id=2925282821 received AUTHEN status = PASS
Feb 24 11:10:34.181 CST: AAA/AUTHEN (2925282821): status = PASS
Feb 24 11:10:34.381 CST: TAC+: (2248458861): received author response status = PASS_ADD
2. User rtr_test successfully logs in.
AAA server csuslog output:
Feb 24 11:10:34 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.255.3, Port = tty2, User = rtr_test, Priv = 1]
C.6 Server-Based TACACS+ Router Authorization Diagnostics
The following test results illustrate three separate user types as described in “4.6 Implementing
Server-Based TACACS+ Router Authorization”, belonging to three separate user groups: rtr_low,
rtr_tech, and rtr_super. The example output is provided in the following sections:
• C.6.1 Test Results for rtr_low Group
• C.6.2 Test Results for rtr_tech Group
• C.6.3 Test Results for rtr_super Group
Note   Use this debug command: debug aaa authorization.
C.6.1 Test Results for rtr_low Group
Test results follow for each Cisco IOS command summarized in Table 4-1, including relevant router
output and AAA server log output:
1. User rtr_dweeb is authorized EXEC shell access.
2. User rtr_dweeb enters enable mode.
3. User rtr_dweeb fails debug all command.
4. User rtr_dweeb fails debug ip packet command.
5. User rtr_dweeb fails clear ip cache command.
6. User rtr_dweeb fails reload command.
7. User rtr_dweeb fails show running-config command.
8. User rtr_dweeb fails write terminal command.
9. User rtr_dweeb fails copy running-config startup-config command.
10. User rtr_dweeb fails write memory command.
11. User rtr_dweeb fails configure terminal command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note   The debug command output can vary depending on Cisco IOS versions.
1. User rtr_dweeb is authorized EXEC shell access.
Router debug output:
Feb 18 11:44:36.115 CST: AAA/MEMORY: create_user (0x61F883B4) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Port='tty3' list='' service=EXEC
Feb 18 11:44:42.135 CST: AAA/AUTHOR/EXEC: tty3 (1279405337) user='rtr_dweeb'
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV service=shell
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): send AV cmd*
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): found list "default"
Feb 18 11:44:42.135 CST: tty3 AAA/AUTHOR/EXEC (1279405337): Method=tacacs+ (tacacs+)
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): user=rtr_dweeb
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV service=shell
Feb 18 11:44:42.135 CST: AAA/AUTHOR/TAC+: (1279405337): send AV cmd*
Feb 18 11:44:42.335 CST: AAA/AUTHOR (1279405337): Post authorization status = PASS_ADD
Feb 18 11:44:42.335 CST: AAA/AUTHOR/EXEC: Authorization successful
AAA server csuslog output:
Feb 18 11:44:41 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful; [NAS = 172.22.255.3, Port = tty3, User = rtr_dweeb, Priv = 1]
Feb 18 11:44:41 coachella CiscoSecure: DEBUG
Feb 18 11:44:42 coachella CiscoSecure: DEBUG - AUTHORIZATION request (4c422d19)
Feb 18 11:44:42 coachella CiscoSecure: DEBUG - Authorization - Request authorized; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd* output: ]
2. User rtr_dweeb enters enable mode.
Router debug output:
Feb 18 11:44:45.651 CST: AAA/MEMORY: free_user (0x61CC44D4) user='' ruser='' port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15
3. User rtr_dweeb fails debug all command.
Router debug output:
Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): Port='tty3' list='' service=CMD
Feb 18 11:44:49.875 CST: AAA/AUTHOR/CMD: tty3 (2800178490) user='rtr_dweeb'
Feb 18 11:44:49.875 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV service=shell
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd=debug
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg=all
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): send AV cmd-arg=<cr>
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): found list "default"
Feb 18 11:44:49.879 CST: tty3 AAA/AUTHOR/CMD (2800178490): Method=tacacs+ (tacacs+)
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): user=rtr_dweeb
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV service=shell
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd=debug
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg=all
Feb 18 11:44:49.879 CST: AAA/AUTHOR/TAC+: (2800178490): send AV cmd-arg=<cr>
Feb 18 11:44:50.079 CST: AAA/AUTHOR (2800178490): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:44:49 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a6e7553a)
Feb 18 11:44:49 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS = 172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug cmd-arg=all cmd-arg=<cr> output: ]
4. User rtr_dweeb fails debug ip packet command.
Router debug output:
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): Port='tty3' list='' service=CMD
Feb 18 11:44:55.447 CST: AAA/AUTHOR/CMD: tty3 (4087104408) user='rtr_dweeb'
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV service=shell
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd=debug
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=ip
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=packet
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): send AV cmd-arg=<cr>
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): found list "default"
Feb 18 11:44:55.447 CST: tty3 AAA/AUTHOR/CMD (4087104408): Method=tacacs+ (tacacs+)
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): user=rtr_dweeb
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV service=shell
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd=debug
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=ip
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=packet
Feb 18 11:44:55.447 CST: AAA/AUTHOR/TAC+: (4087104408): send AV cmd-arg=<cr>
Feb 18 11:44:55.647 CST: AAA/AUTHOR (4087104408): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:44:55 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f39c4398)
Feb 18 11:44:55 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]
5. User rtr_dweeb fails clear ip cache command.
Router debug output:
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): Port='tty3' list='' service=CMD
Feb 18 11:45:00.483 CST: AAA/AUTHOR/CMD: tty3 (3223867754) user='rtr_dweeb'
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV service=shell
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd=clear
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=ip
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=cache
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): send AV cmd-arg=<cr>
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): found list "default"
Feb 18 11:45:00.483 CST: tty3 AAA/AUTHOR/CMD (3223867754): Method=tacacs+ (tacacs+)
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): user=rtr_dweeb
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV service=shell
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd=clear
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=ip
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=cache
Feb 18 11:45:00.483 CST: AAA/AUTHOR/TAC+: (3223867754): send AV cmd-arg=<cr>
Feb 18 11:45:00.687 CST: AAA/AUTHOR (3223867754): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:45:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (c028516a)
Feb 18 11:45:00 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=clear
cmd-arg=ip cmd-arg=cache cmd-arg=<cr> output: ]
6. User rtr_dweeb fails reload command.
Router debug output:
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): Port='tty3' list='' service=CMD
Feb 18 11:45:03.911 CST: AAA/AUTHOR/CMD: tty3 (410330894) user='rtr_dweeb'
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV service=shell
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV cmd=reload
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): send AV cmd-arg=<cr>
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): found list "default"
Feb 18 11:45:03.911 CST: tty3 AAA/AUTHOR/CMD (410330894): Method=tacacs+ (tacacs+)
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): user=rtr_dweeb
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV service=shell
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV cmd=reload
Feb 18 11:45:03.911 CST: AAA/AUTHOR/TAC+: (410330894): send AV cmd-arg=<cr>
Feb 18 11:45:04.115 CST: AAA/AUTHOR (410330894): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:45:03 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1875270e)
Feb 18 11:45:03 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=reload
cmd-arg=<cr> output: ]
7. User rtr_dweeb fails show running-config command.
Router debug output:
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): Port='tty3' list='' service=CMD
Feb 18 11:45:08.891 CST: AAA/AUTHOR/CMD: tty3 (2227741892) user='rtr_dweeb'
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV service=shell
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd=show
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd-arg=running-config
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): send AV cmd-arg=<cr>
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): found list "default"
Feb 18 11:45:08.891 CST: tty3 AAA/AUTHOR/CMD (2227741892): Method=tacacs+ (tacacs+)
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): user=rtr_dweeb
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV service=shell
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd=show
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd-arg=running-config
Feb 18 11:45:08.891 CST: AAA/AUTHOR/TAC+: (2227741892): send AV cmd-arg=<cr>
Feb 18 11:45:09.095 CST: AAA/AUTHOR (2227741892): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:45:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (84c8a4c4)
Feb 18 11:45:08 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell
cmd=show cmd-arg=running-config cmd-arg=<cr> output: ]
8. User rtr_dweeb fails write terminal command.
Router debug output:
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): Port='tty3' list='' service=CMD
Feb 18 11:45:12.079 CST: AAA/AUTHOR/CMD: tty3 (2744233862) user='rtr_dweeb'
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV service=shell
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd=write
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd-arg=terminal
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): send AV cmd-arg=<cr>
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): found list "default"
Feb 18 11:45:12.079 CST: tty3 AAA/AUTHOR/CMD (2744233862): Method=tacacs+ (tacacs+)
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): user=rtr_dweeb
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV service=shell
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd=write
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd-arg=terminal
Feb 18 11:45:12.079 CST: AAA/AUTHOR/TAC+: (2744233862): send AV cmd-arg=<cr>
Feb 18 11:45:12.279 CST: AAA/AUTHOR (2744233862): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:45:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (a391af86)
Feb 18 11:45:11 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=write
cmd-arg=terminal cmd-arg=<cr> output: ]
9. User rtr_dweeb fails copy running-config startup-config command.
Router debug output:
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): Port='tty3' list='' service=CMD
Feb 18 11:45:17.631 CST: AAA/AUTHOR/CMD: tty3 (1138992853) user='rtr_dweeb'
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV service=shell
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd=copy
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd-arg=running-config
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd-arg=startup-config
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): send AV cmd-arg=<cr>
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): found list "default"
Feb 18 11:45:17.631 CST: tty3 AAA/AUTHOR/CMD (1138992853): Method=tacacs+ (tacacs+)
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): user=rtr_dweeb
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV service=shell
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd=copy
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd-arg=running-config
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd-arg=startup-config
Feb 18 11:45:17.631 CST: AAA/AUTHOR/TAC+: (1138992853): send AV cmd-arg=<cr>
Feb 18 11:45:17.835 CST: AAA/AUTHOR (1138992853): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:45:17 coachella CiscoSecure: DEBUG - AUTHORIZATION request (43e3a6d5)
Feb 18 11:45:17 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell
cmd=copy cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]
10. User rtr_dweeb fails write memory command.
Router debug output:
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): Port='tty3' list='' service=CMD
Feb 18 11:45:20.915 CST: AAA/AUTHOR/CMD: tty3 (1068431717) user='rtr_dweeb'
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV service=shell
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd=write
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd-arg=memory
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): send AV cmd-arg=<cr>
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): found list "default"
Feb 18 11:45:20.915 CST: tty3 AAA/AUTHOR/CMD (1068431717): Method=tacacs+ (tacacs+)
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): user=rtr_dweeb
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV service=shell
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd=write
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd-arg=memory
Feb 18 11:45:20.915 CST: AAA/AUTHOR/TAC+: (1068431717): send AV cmd-arg=<cr>
Feb 18 11:45:21.119 CST: AAA/AUTHOR (1068431717): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:45:20 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3faef965)
Feb 18 11:45:20 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell
cmd=write cmd-arg=memory cmd-arg=<cr> output: ]
11. User rtr_dweeb fails configure terminal command.
Router debug output:
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): Port='tty3' list='' service=CMD
Feb 18 11:45:32.399 CST: AAA/AUTHOR/CMD: tty3 (530570549) user='rtr_dweeb'
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV service=shell
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd=configure
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd-arg=terminal
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): send AV cmd-arg=<cr>
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): found list "default"
Feb 18 11:45:32.399 CST: tty3 AAA/AUTHOR/CMD (530570549): Method=tacacs+ (tacacs+)
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): user=rtr_dweeb
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV service=shell
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd=configure
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd-arg=terminal
Feb 18 11:45:32.399 CST: AAA/AUTHOR/TAC+: (530570549): send AV cmd-arg=<cr>
Feb 18 11:45:32.603 CST: AAA/AUTHOR (530570549): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 11:45:32 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1f9fdd35)
Feb 18 11:45:32 coachella CiscoSecure: DEBUG - Authorization - Failed command; [NAS =
172.22.255.3, user = rtr_dweeb, port = tty3, input: service=shell cmd=configure
cmd-arg=terminal cmd-arg=<cr> output: ]
C.6.2 Test Results for rtr_tech Group
Test results follow for each of the Cisco IOS commands summarized in Table 4-1, including relevant
router output and AAA server log output:
1. User rtr_techie is authorized EXEC shell access.
2. User rtr_techie enters enable mode.
3. User rtr_techie is denied the debug all command.
4. User rtr_techie is permitted debug ip packet command.
5. User rtr_techie is permitted clear ip cache command.
6. User rtr_techie is denied reload command.
7. User rtr_techie is permitted show running-config command.
8. User rtr_techie is permitted write terminal command.
9. User rtr_techie is permitted copy running-config startup-config command.
10. User rtr_techie is permitted write memory command.
11. User rtr_techie is denied configure terminal command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Note
The debug command output can vary depending on Cisco IOS versions.
1. User rtr_techie is authorized EXEC shell access.
Router debug output:
Feb 18 14:27:32.388 CST: AAA/MEMORY: create_user (0x61CC44D8) user='' ruser=''
port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=LOGIN priv=1
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Port='tty3'
list=''service=EXEC
Feb 18 14:27:36.984 CST: AAA/AUTHOR/EXEC: tty3 (3820424789) user='rtr_techie'
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV service=shell
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): send AV cmd*
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): found list "default"
Feb 18 14:27:36.984 CST: tty3 AAA/AUTHOR/EXEC (3820424789): Method=tacacs+ (tacacs+)
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): user=rtr_techie
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): send AV service=shell
Feb 18 14:27:36.984 CST: AAA/AUTHOR/TAC+: (3820424789): send AV cmd*
Feb 18 14:27:37.184 CST: AAA/AUTHOR (3820424789): Post authorization status =
PASS_ADD
Feb 18 14:27:37.184 CST: AAA/AUTHOR/EXEC: Authorization successful
AAA server csuslog output:
Feb 18 14:27:36 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful;
[NAS = 172.22.255.3, Port = tty3, User = rtr_techie, Priv = 1]
Feb 18 14:27:36 coachella CiscoSecure: DEBUG
Feb 18 14:27:36 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e3b70e55)
Feb 18 14:27:36 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd*
output: ]
2. User rtr_techie enters enable mode.
Router debug output:
Feb 18 14:27:39.776 CST: AAA/MEMORY: free_user (0x61F5DEC0) user='' ruser=''
port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15
3. User rtr_techie is denied the debug all command.
Router debug output:
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): Port='tty3' list='' service=CMD
Feb 18 14:27:43.976 CST: AAA/AUTHOR/CMD: tty3 (438698848) user='rtr_techie'
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV service=shell
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd=debug
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=all
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): found list "default"
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): Method=tacacs+ (tacacs+)
Feb 18 14:27:43.976 CST: AAA/AUTHOR/TAC+: (438698848): user=rtr_techie
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV service=shell
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd=debug
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd-arg=all
Feb 18 14:27:43.980 CST: AAA/AUTHOR/TAC+: (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:44.180 CST: AAA/AUTHOR (438698848): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 14:27:43 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1a260360)
Feb 18 14:27:43 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug
cmd-arg=all cmd-arg=<cr> output: ]
4. User rtr_techie is permitted debug ip packet command.
Router debug output:
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): Port='tty3' list='' service=CMD
Feb 18 14:27:47.668 CST: AAA/AUTHOR/CMD: tty3 (3962222355) user='rtr_techie'
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV service=shell
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): found list "default"
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): Method=tacacs+ (tacacs+)
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): user=rtr_techie
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV service=shell
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: AAA/AUTHOR/TAC+: (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.872 CST: AAA/AUTHOR (3962222355): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 18 14:27:47 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ec2ab713)
Feb 18 14:27:47 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]
5. User rtr_techie is permitted clear ip cache command.
Router debug output:
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): Port='tty3' list='' service=CMD
Feb 18 14:27:51.760 CST: AAA/AUTHOR/CMD: tty3 (1013999614) user='rtr_techie'
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV service=shell
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd=clear
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=ip
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=cache
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): send AV cmd-arg=<cr>
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): found list "default"
Feb 18 14:27:51.760 CST: tty3 AAA/AUTHOR/CMD (1013999614): Method=tacacs+ (tacacs+)
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): user=rtr_techie
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV service=shell
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd=clear
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=ip
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=cache
Feb 18 14:27:51.760 CST: AAA/AUTHOR/TAC+: (1013999614): send AV cmd-arg=<cr>
Feb 18 14:27:51.964 CST: AAA/AUTHOR (1013999614): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 18 14:27:51 coachella CiscoSecure: DEBUG - AUTHORIZATION request (3c7067fe)
Feb 18 14:27:51 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=clear
cmd-arg=ip cmd-arg=cache cmd-arg=<cr> output: ]
6. User rtr_techie is denied reload command.
Router debug output:
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): Port='tty3' list='' service=CMD
Feb 18 14:27:54.548 CST: AAA/AUTHOR/CMD: tty3 (2672654626) user='rtr_techie'
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV service=shell
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV cmd=reload
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): send AV cmd-arg=<cr>
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): found list "default"
Feb 18 14:27:54.548 CST: tty3 AAA/AUTHOR/CMD (2672654626): Method=tacacs+ (tacacs+)
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): user=rtr_techie
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV service=shell
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV cmd=reload
Feb 18 14:27:54.548 CST: AAA/AUTHOR/TAC+: (2672654626): send AV cmd-arg=<cr>
Feb 18 14:27:54.752 CST: AAA/AUTHOR (2672654626): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 14:27:54 coachella CiscoSecure: DEBUG - AUTHORIZATION request (9f4d7922)
Feb 18 14:27:54 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=reload
cmd-arg=<cr> output: ]
7. User rtr_techie is permitted show running-config command.
Router debug output:
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): Port='tty3' list='' service=CMD
Feb 18 14:27:57.576 CST: AAA/AUTHOR/CMD: tty3 (3919120170) user='rtr_techie'
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV service=shell
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd=show
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd-arg=running-config
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): send AV cmd-arg=<cr>
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): found list "default"
Feb 18 14:27:57.576 CST: tty3 AAA/AUTHOR/CMD (3919120170): Method=tacacs+ (tacacs+)
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): user=rtr_techie
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV service=shell
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd=show
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd-arg=running-config
Feb 18 14:27:57.576 CST: AAA/AUTHOR/TAC+: (3919120170): send AV cmd-arg=<cr>
Feb 18 14:27:57.780 CST: AAA/AUTHOR (3919120170): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 18 14:27:57 coachella CiscoSecure: DEBUG - AUTHORIZATION request (e999072a)
Feb 18 14:27:57 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=show
cmd-arg=running-config cmd-arg=<cr> output: ]
8. User rtr_techie is permitted write terminal command.
Router debug output:
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): Port='tty3' list='' service=CMD
Feb 18 14:28:00.825 CST: AAA/AUTHOR/CMD: tty3 (1409504713) user='rtr_techie'
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV service=shell
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd=write
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd-arg=terminal
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): send AV cmd-arg=<cr>
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): found list "default"
Feb 18 14:28:00.825 CST: tty3 AAA/AUTHOR/CMD (1409504713): Method=tacacs+ (tacacs+)
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): user=rtr_techie
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV service=shell
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd=write
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd-arg=terminal
Feb 18 14:28:00.825 CST: AAA/AUTHOR/TAC+: (1409504713): send AV cmd-arg=<cr>
Feb 18 14:28:01.025 CST: AAA/AUTHOR (1409504713): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 18 14:28:00 coachella CiscoSecure: DEBUG - AUTHORIZATION request (540355c9)
Feb 18 14:28:00 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write
cmd-arg=terminal cmd-arg=<cr> output: ]
9. User rtr_techie is permitted copy running-config startup-config command.
Router debug output:
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): Port='tty3' list='' service=CMD
Feb 18 14:28:05.269 CST: AAA/AUTHOR/CMD: tty3 (4281070087) user='rtr_techie'
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV service=shell
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd=copy
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd-arg=running-config
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd-arg=startup-config
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): send AV cmd-arg=<cr>
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): found list "default"
Feb 18 14:28:05.269 CST: tty3 AAA/AUTHOR/CMD (4281070087): Method=tacacs+ (tacacs+)
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): user=rtr_techie
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV service=shell
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd=copy
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd-arg=running-config
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd-arg=startup-config
Feb 18 14:28:05.269 CST: AAA/AUTHOR/TAC+: (4281070087): send AV cmd-arg=<cr>
Feb 18 14:28:05.473 CST: AAA/AUTHOR (4281070087): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 18 14:28:05 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ff2bf207)
Feb 18 14:28:05 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=copy
cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]
10. User rtr_techie is permitted write memory command.
Router debug output:
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): Port='tty3' list='' service=CMD
Feb 18 14:28:08.121 CST: AAA/AUTHOR/CMD: tty3 (192752980) user='rtr_techie'
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV service=shell
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd=write
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=memory
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): send AV cmd-arg=<cr>
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): found list "default"
Feb 18 14:28:08.121 CST: tty3 AAA/AUTHOR/CMD (192752980): Method=tacacs+ (tacacs+)
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): user=rtr_techie
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV service=shell
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd=write
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd-arg=memory
Feb 18 14:28:08.121 CST: AAA/AUTHOR/TAC+: (192752980): send AV cmd-arg=<cr>
Feb 18 14:28:08.325 CST: AAA/AUTHOR (192752980): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 18 14:28:08 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b7d2d54)
Feb 18 14:28:08 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=write
cmd-arg=memory cmd-arg=<cr> output: ]
11. User rtr_techie is denied configure terminal command.
Router debug output:
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): Port='tty3' list='' service=CMD
Feb 18 14:28:11.621 CST: AAA/AUTHOR/CMD: tty3 (3042655042) user='rtr_techie'
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV service=shell
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd=configure
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd-arg=terminal
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): send AV cmd-arg=<cr>
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): found list "default"
Feb 18 14:28:11.621 CST: tty3 AAA/AUTHOR/CMD (3042655042): Method=tacacs+ (tacacs+)
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): user=rtr_techie
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV service=shell
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd=configure
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd-arg=terminal
Feb 18 14:28:11.621 CST: AAA/AUTHOR/TAC+: (3042655042): send AV cmd-arg=<cr>
Feb 18 14:28:11.825 CST: AAA/AUTHOR (3042655042): Post authorization status = FAIL
AAA server csuslog output:
Feb 18 14:28:11 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b55b3b42)
Feb 18 14:28:11 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell
cmd=configure cmd-arg=terminal cmd-arg=<cr> output: ]
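The router and server logs above carry the same facts twice: the router's AAA/AUTHOR/CMD lines show the AV pairs (service=shell, cmd=..., cmd-arg=...) sent for one request id and the PASS_ADD or FAIL that came back, and the csuslog record echoes those AV pairs with the server's own decision. The script below is an added example, not part of the original case study and not CiscoSecure or Cisco IOS code: it stitches the router-side exchange back together by request id, parses the server-side authorization records, and checks both against the expected decision for each (user, command) pair from the test matrix, for any of the three groups in this section. The regular expressions are written against the line formats shown in this appendix; the sample log lines are constructed to match that format and the EXPECTED table covers only three rtr_tech decisions, with one deliberately left unexercised.

```python
"""Correlate Cisco IOS 'debug aaa authorization' output with CiscoSecure
csuslog records and check each TACACS+ command-authorization decision
against the expected per-group policy.  Added example; sample lines are
constructed in the appendix's format, not copied from it."""
import re
from collections import defaultdict

# Router side: the user line, the AV pairs and the final status all carry
# the same numeric request id, which is what lets us rebuild one command.
_RTR_USER = re.compile(r"AAA/AUTHOR/CMD: \S+ \((\d+)\) user='([^']*)'")
_RTR_AV = re.compile(r"AAA/AUTHOR/CMD \((\d+)\): send AV (cmd|cmd-arg)=(\S+)")
_RTR_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\w+)")
# Server side: one record per request, usually wrapped over several lines.
_SRV = re.compile(
    r"Authorization - (Request authorized|Failed command(?: line)?);\s*"
    r"\[NAS = (\S+), user = (\S+), port = (\S+), input: (.*?) output:")


def argv_from_avs(avs):
    """['service=shell', 'cmd=debug', 'cmd-arg=all', 'cmd-arg=<cr>'] -> 'debug all'."""
    words = []
    for av in avs:
        if av == "cmd*":                      # EXEC shell start, no command
            return "<exec>"
        key, _, val = av.partition("=")
        if key in ("cmd", "cmd-arg") and val != "<cr>":
            words.append(val)
    return " ".join(words)


def parse_router(lines):
    """Return {(user, command): 'PASS' | 'FAIL'} from router debug output."""
    reqs = defaultdict(lambda: {"user": None, "avs": [], "status": None})
    for line in lines:
        if m := _RTR_USER.search(line):
            reqs[m.group(1)]["user"] = m.group(2)
        elif m := _RTR_AV.search(line):
            reqs[m.group(1)]["avs"].append(m.group(2) + "=" + m.group(3))
        elif m := _RTR_STATUS.search(line):
            reqs[m.group(1)]["status"] = m.group(2)
    out = {}
    for r in reqs.values():
        if r["user"] and r["status"]:
            # PASS_ADD and PASS_REPL both mean the server accepted the command.
            ok = r["status"].startswith("PASS")
            out[(r["user"], argv_from_avs(r["avs"]))] = "PASS" if ok else "FAIL"
    return out


def parse_server(lines):
    """Return {(user, command): 'PASS' | 'FAIL'} from csuslog output."""
    text = " ".join(l.strip() for l in lines)   # rejoin wrapped records
    out = {}
    for m in _SRV.finditer(text):
        ok = m.group(1) == "Request authorized"
        out[(m.group(3), argv_from_avs(m.group(5).split()))] = "PASS" if ok else "FAIL"
    return out


def check_policy(observed, expected):
    """List (user, cmd, expected, observed) for every decision that differs
    from policy; a command expected but never exercised shows observed=None."""
    return [(u, c, want, observed.get((u, c)))
            for (u, c), want in expected.items() if observed.get((u, c)) != want]


def cross_check(router, server):
    """(user, cmd) keys where the router's result and the server's log disagree."""
    return sorted(k for k in router.keys() & server.keys() if router[k] != server[k])


# Constructed sample in the appendix's format: two rtr_techie commands.
ROUTER_DEBUG = """\
Feb 18 14:27:43.976 CST: AAA/AUTHOR/CMD: tty3 (438698848) user='rtr_techie'
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd=debug
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=all
Feb 18 14:27:43.976 CST: tty3 AAA/AUTHOR/CMD (438698848): send AV cmd-arg=<cr>
Feb 18 14:27:44.180 CST: AAA/AUTHOR (438698848): Post authorization status = FAIL
Feb 18 14:27:47.668 CST: AAA/AUTHOR/CMD: tty3 (3962222355) user='rtr_techie'
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd=debug
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=ip
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=packet
Feb 18 14:27:47.668 CST: tty3 AAA/AUTHOR/CMD (3962222355): send AV cmd-arg=<cr>
Feb 18 14:27:47.872 CST: AAA/AUTHOR (3962222355): Post authorization status = PASS_ADD
""".splitlines()

SERVER_LOG = """\
Feb 18 14:27:43 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug
cmd-arg=all cmd-arg=<cr> output: ]
Feb 18 14:27:47 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_techie, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]
""".splitlines()

# Expected rtr_tech decisions; the third is absent from the sample on purpose.
EXPECTED = {
    ("rtr_techie", "debug all"): "FAIL",
    ("rtr_techie", "debug ip packet"): "PASS",
    ("rtr_techie", "configure terminal"): "FAIL",
}
```

Run check_policy(parse_router(ROUTER_DEBUG), EXPECTED) to get the list of decisions that differ from policy or were never exercised, and cross_check on the two parsed dictionaries to find requests where the router recorded a result the server never logged or logged differently; a router-side PASS with no matching "Request authorized" record is the case to chase first, because it means the decision did not come from the server being tested.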
C.6.3 Test Results for rtr_super Group
Test results follow for each of the Cisco IOS commands summarized in Table 4-1, including relevant
router output and AAA server log output:
1. User rtr_geek is authorized EXEC shell access.
2. User rtr_geek enters enable mode.
3. User rtr_geek is denied debug all command.
4. User rtr_geek is permitted debug ip packet command.
5. User rtr_geek is permitted reload command.
6. User rtr_geek is permitted show running-config command.
7. User rtr_geek is permitted write terminal command.
8. User rtr_geek is permitted copy running-config startup-config command.
9. User rtr_geek is permitted write memory command.
10. User rtr_geek is permitted configure terminal command.
The following diagnostic results are presented in the order in which they are generated during the
authorization process. Specific output fragments are differentiated with brief explanatory notes to help
you identify relevant information.
Cisco AAA Implementation Case Study
C-20
Appendix C
Server-Based AAA Verification Diagnostic Output
C.6 Server-Based TACACS+ Router Authorization Diagnostics
Note
The debug command output can vary depending on Cisco IOS versions.
1. User rtr_geek is authorized EXEC shell access.
Router debug output:
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): user=rtr_geek
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): send AV service=shell
Feb 22 15:26:16.322 CST: AAA/AUTHOR/TAC+: (424410682): send AV cmd*
Feb 22 15:26:16.822 CST: AAA/AUTHOR (424410682): Post authorization status = PASS_ADD
Feb 22 15:26:16.822 CST: AAA/AUTHOR/EXEC: Authorization successful
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, port tty3
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC: Found list "default"
Feb 22 15:26:16.822 CST: AAA/ACCT/EXEC/START User rtr_geek, Port tty3,
task_id=310 start_time=951254776 timezone=CST service=shell
Feb 22 15:26:16.822 CST: AAA/ACCT: user rtr_geek, acct type 0 (2751112696):
Method=tacacs+ (tacacs+)
Feb 22 15:26:17.022 CST: TAC+: (2751112696): received acct response status = SUCCESS
AAA server csuslog output:
Feb 22 15:26:16 coachella CiscoSecure: DEBUG - Authentication - LOGIN successful;
[NAS = 172.22.255.3, Port = tty3, User = rtr_geek, Priv = 1]
Feb 22 15:26:16 coachella CiscoSecure: DEBUG
Feb 22 15:26:16 coachella CiscoSecure: INFO - Profile: user = rtr_geek {
Feb 22 15:26:16 coachella set server current-failed-logins = 0
Feb 22 15:26:16 coachella profile_cycle = 2
Feb 22 15:26:16 coachella }
Feb 22 15:26:16 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd*output: ]
2. User rtr_geek enters enable mode.
Router debug output:
Feb 22 15:26:22.562 CST: AAA/MEMORY: free_user (0x61F55834) user='' ruser=''
port='tty3' rem_addr='172.22.53.201' authen_type=ASCII service=ENABLE priv=15
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Port='tty3' list=''
service=CMD
3. User rtr_geek is denied debug all command.
Router debug output:
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Port='tty3' list='' service=CMD
Feb 22 15:26:46.502 CST: AAA/AUTHOR/CMD: tty3 (32101230) user='rtr_geek'
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV service=shell
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): found list "default"
Feb 22 15:26:46.502 CST: tty3 AAA/AUTHOR/CMD (32101230): Method=tacacs+ (tacacs+)
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): user=rtr_geek
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV service=shell
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.702 CST: AAA/AUTHOR (32101230): Post authorization status = FAIL
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Port='tty3' list='' service=CMD
AAA server csuslog output:
Feb 22 15:26:46 coachella CiscoSecure: DEBUG - AUTHORIZATION request (1e9d36e)
Feb 22 15:26:46 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug
cmd-arg=all cmd-arg=<cr> output: ]
4. User rtr_geek is permitted debug ip packet command.
Router debug output:
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Port='tty3' list='' service=CMD
Feb 22 15:26:53.378 CST: AAA/AUTHOR/CMD: tty3 (1642620731) user='rtr_geek'
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV service=shell
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd=debug
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=ip
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=packet
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): send AV cmd-arg=<cr>
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): found list "default"
Feb 22 15:26:53.378 CST: tty3 AAA/AUTHOR/CMD (1642620731): Method=tacacs+ (tacacs+)
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): user=rtr_geek
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV service=shell
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd=debug
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=ip
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=packet
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=<cr>
Feb 22 15:26:53.578 CST: AAA/AUTHOR (1642620731): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 22 15:26:53 coachella CiscoSecure: DEBUG - AUTHORIZATION request (61e8673b)
Feb 22 15:26:53 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]
5. User rtr_geek is permitted reload command.
Note
Be sure to save your running configuration by using the appropriate write or copy
running-config command before using the reload command.
Router debug output:
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): Port='tty3' list='' service=CMD
Feb 22 15:27:16.667 CST: AAA/AUTHOR/CMD: tty3 (3461622395) user='rtr_geek'
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV service=shell
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV cmd=reload
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): send AV cmd-arg=<cr>
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): found list "default"
Feb 22 15:27:16.667 CST: tty3 AAA/AUTHOR/CMD (3461622395): Method=tacacs+ (tacacs+)
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): user=rtr_geek
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV service=shell
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd=reload
Feb 22 15:27:16.667 CST: AAA/AUTHOR/TAC+: (3461622395): send AV cmd-arg=<cr>
Feb 22 15:27:16.867 CST: AAA/AUTHOR (3461622395): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 22 15:27:16 coachella CiscoSecure: DEBUG - AUTHORIZATION request (ce542a7b)
Feb 22 15:27:16 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=reload
cmd-arg=<cr> output: ]
6. User rtr_geek is permitted show running-config command.
Router debug output:
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): Port='tty3' list='' service=CMD
Feb 22 15:27:34.455 CST: AAA/AUTHOR/CMD: tty3 (150984379) user='rtr_geek'
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV service=shell
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd=show
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd-arg=running-config
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): send AV cmd-arg=<cr>
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): found list "default"
Feb 22 15:27:34.455 CST: tty3 AAA/AUTHOR/CMD (150984379): Method=tacacs+ (tacacs+)
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): user=rtr_geek
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV service=shell
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd=show
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd-arg=running-config
Feb 22 15:27:34.455 CST: AAA/AUTHOR/TAC+: (150984379): send AV cmd-arg=<cr>
Feb 22 15:27:34.655 CST: AAA/AUTHOR (150984379): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 22 15:27:34 coachella CiscoSecure: DEBUG - AUTHORIZATION request (8ffd6bb)
Feb 22 15:27:34 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=show
cmd-arg=running-config cmd-arg=<cr> output: ]
7. User rtr_geek is permitted write terminal command.
Router debug output:
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): Port='tty3' list='' service=CMD
Feb 22 15:27:39.871 CST: AAA/AUTHOR/CMD: tty3 (3013136481) user='rtr_geek'
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV service=shell
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd=write
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd-arg=terminal
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): send AV cmd-arg=<cr>
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): found list "default"
Feb 22 15:27:39.871 CST: tty3 AAA/AUTHOR/CMD (3013136481): Method=tacacs+ (tacacs+)
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): user=rtr_geek
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV service=shell
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd=write
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd-arg=terminal
Feb 22 15:27:39.871 CST: AAA/AUTHOR/TAC+: (3013136481): send AV cmd-arg=<cr>
Feb 22 15:27:40.075 CST: AAA/AUTHOR (3013136481): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 22 15:27:39 coachella CiscoSecure: DEBUG - AUTHORIZATION request (b398d061)
Feb 22 15:27:39 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write
cmd-arg=terminal cmd-arg=<cr> output: ]
8. User rtr_geek is permitted copy running-config startup-config command.
Router debug output:
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): Port='tty3' list='' service=CMD
Feb 22 15:27:44.755 CST: AAA/AUTHOR/CMD: tty3 (2463024765) user='rtr_geek'
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV service=shell
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd=copy
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd-arg=running-config
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd-arg=startup-config
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): send AV cmd-arg=<cr>
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): found list "default"
Feb 22 15:27:44.755 CST: tty3 AAA/AUTHOR/CMD (2463024765): Method=tacacs+ (tacacs+)
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): user=rtr_geek
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV service=shell
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd=copy
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd-arg=running-config
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd-arg=startup-config
Feb 22 15:27:44.755 CST: AAA/AUTHOR/TAC+: (2463024765): send AV cmd-arg=<cr>
Feb 22 15:27:44.959 CST: AAA/AUTHOR (2463024765): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 22 15:27:44 coachella CiscoSecure: DEBUG - AUTHORIZATION request (92cec67d)
Feb 22 15:27:44 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=copy
cmd-arg=running-config cmd-arg=startup-config cmd-arg=<cr> output: ]
9. User rtr_geek is permitted write memory command.
Router debug output:
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): Port='tty3' list='' service=CMD
Feb 22 15:27:52.351 CST: AAA/AUTHOR/CMD: tty3 (3171189379) user='rtr_geek'
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV service=shell
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd=write
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd-arg=memory
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): send AV cmd-arg=<cr>
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): found list "default"
Feb 22 15:27:52.351 CST: tty3 AAA/AUTHOR/CMD (3171189379): Method=tacacs+ (tacacs+)
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): user=rtr_geek
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV service=shell
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd=write
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd-arg=memory
Feb 22 15:27:52.351 CST: AAA/AUTHOR/TAC+: (3171189379): send AV cmd-arg=<cr>
Feb 22 15:27:52.555 CST: AAA/AUTHOR (3171189379): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 22 15:27:52 coachella CiscoSecure: DEBUG - AUTHORIZATION request (bd048283)
Feb 22 15:27:52 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=write
cmd-arg=memory cmd-arg=<cr> output: ]
10. User rtr_geek is permitted configure terminal command.
Router debug output:
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): Port='tty3' list='' service=CMD
Feb 22 15:27:56.039 CST: AAA/AUTHOR/CMD: tty3 (4076778320) user='rtr_geek'
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV service=shell
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd=configure
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd-arg=terminal
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): send AV cmd-arg=<cr>
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): found list "default"
Feb 22 15:27:56.039 CST: tty3 AAA/AUTHOR/CMD (4076778320): Method=tacacs+ (tacacs+)
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): user=rtr_geek
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV service=shell
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd=configure
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd-arg=terminal
Feb 22 15:27:56.039 CST: AAA/AUTHOR/TAC+: (4076778320): send AV cmd-arg=<cr>
Feb 22 15:27:56.239 CST: AAA/AUTHOR (4076778320): Post authorization status = PASS_ADD
AAA server csuslog output:
Feb 22 15:27:56 coachella CiscoSecure: DEBUG - AUTHORIZATION request (f2feb350)
Feb 22 15:27:56 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=configure
cmd-arg=terminal cmd-arg=<cr> output: ]
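The following Python script is an added example, not part of the case study, that applies what the two outputs above show: it parses the router debug lines by request id and the csuslog verdict plus its wrapped [NAS = ...] detail block into per-command records, then flags any command whose router decision, server verdict and intended group policy disagree. The function names, the policy table and the sample lines are constructed for this example.

```python
"""Added example (not from the case study): audit the two output formats shown
above.  Router side, one numeric request id ties together the user, the
cmd/cmd-arg AV pairs and the 'Post authorization status' line.  Server side,
csuslog prints a verdict line and then a '[NAS = ...]' block that may wrap."""
import re

RE_USER = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): user=(\S+)")
RE_AV = re.compile(r"AAA/AUTHOR/TAC\+: \((\d+)\): send AV (cmd\*|cmd=\S+|cmd-arg=\S+)")
RE_STATUS = re.compile(r"AAA/AUTHOR \((\d+)\): Post authorization status = (\S+)")
RE_VERDICT = re.compile(r"Authorization - (Failed command line|Request authorized);")
RE_DETAIL = re.compile(r"user = (\S+), port = (\S+), input: (.*?)\s*output:")
PASSING = {"PASS_ADD", "PASS_REPL"}  # router statuses under which the command runs


def _command(av_tokens):
    """Rebuild the CLI line from cmd/cmd-arg tokens; 'cmd*' is the EXEC-shell
    authorization sent at login (returned as '*'), <cr> is only an end marker."""
    words = []
    for tok in av_tokens:
        if tok == "cmd*":
            return "*"
        value = tok.split("=", 1)[1]
        if value != "<cr>":
            words.append(value)
    return " ".join(words)


def parse_router_debug(lines):
    """One {'user','command','status'} record per request id, in first-seen order.
    Only AAA/AUTHOR/TAC+ lines are read, so the mirrored AAA/AUTHOR/CMD lines in
    the same output are not counted twice."""
    reqs = {}
    for line in lines:
        m = RE_USER.search(line) or RE_AV.search(line)
        if m:
            req = reqs.setdefault(m.group(1), {"user": None, "av": [], "status": None})
            if m.re is RE_USER:
                req["user"] = m.group(2)
            else:
                req["av"].append(m.group(2))
            continue
        m = RE_STATUS.search(line)
        if m and m.group(1) in reqs:
            reqs[m.group(1)]["status"] = m.group(2)
    return [{"user": r["user"], "command": _command(r["av"]), "status": r["status"]}
            for r in reqs.values()]


def parse_csuslog(lines):
    """Records from csuslog: a verdict line, then its detail block joined until
    the closing ']' (the block is wrapped over two lines in the output above)."""
    records, verdict, detail = [], None, None
    for line in lines:
        if detail is not None:
            detail += " " + line.strip()
            if line.rstrip().endswith("]"):
                m = RE_DETAIL.search(detail)
                if m:
                    av = [t for t in m.group(3).split() if t.startswith("cmd")]
                    records.append({"user": m.group(1), "port": m.group(2),
                                    "command": _command(av), "status": verdict})
                detail = None
        elif RE_VERDICT.search(line):
            verdict = "FAIL" if "Failed" in line else "PASS"
            detail = ""  # the '[NAS = ...' detail starts on the next line
    return records


def audit(router_lines, server_lines, policy):
    """Pair router decisions with server verdicts in capture order and check
    both against the intended group policy; returns (reason, command) tuples."""
    problems, server = [], parse_csuslog(server_lines)
    for i, r in enumerate(parse_router_debug(router_lines)):
        permitted = r["status"] in PASSING
        if i < len(server) and (server[i]["command"] != r["command"]
                                or (server[i]["status"] == "PASS") != permitted):
            problems.append(("router/server disagree", r["command"]))
        want = policy.get(r["command"])
        if want is not None and (want == "permit") != permitted:
            problems.append(("policy mismatch", r["command"]))
    return problems


# Constructed sample in the formats above: rtr_geek denied 'debug all', then
# permitted 'debug ip packet', as the router and the server each report them.
ROUTER_DEBUG = """\
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): user=rtr_geek
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd=debug
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=all
Feb 22 15:26:46.502 CST: AAA/AUTHOR/TAC+: (32101230): send AV cmd-arg=<cr>
Feb 22 15:26:46.702 CST: AAA/AUTHOR (32101230): Post authorization status = FAIL
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): user=rtr_geek
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd=debug
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=ip
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=packet
Feb 22 15:26:53.378 CST: AAA/AUTHOR/TAC+: (1642620731): send AV cmd-arg=<cr>
Feb 22 15:26:53.578 CST: AAA/AUTHOR (1642620731): Post authorization status = PASS_ADD
""".splitlines()
CSUSLOG = """\
Feb 22 15:26:46 coachella CiscoSecure: DEBUG - Authorization - Failed command line;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug
cmd-arg=all cmd-arg=<cr> output: ]
Feb 22 15:26:53 coachella CiscoSecure: DEBUG - Authorization - Request authorized;
[NAS = 172.22.255.3, user = rtr_geek, port = tty3, input: service=shell cmd=debug
cmd-arg=ip cmd-arg=packet cmd-arg=<cr> output: ]
""".splitlines()
# Intended outcome for the rtr_geek group, taken from the test list above.
RTR_GEEK_POLICY = {"debug all": "deny", "debug ip packet": "permit", "reload": "permit"}
```

Calling audit(ROUTER_DEBUG, CSUSLOG, RTR_GEEK_POLICY) returns an empty list when router, server and policy agree; feed it the full debug and csuslog captures from a test run to check every command in one pass.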
INDEX
dialup PPP filtering
A
1-11
troubleshooting problems
AAA
BootFlash considerations
verification, show caller user command
(server-based) 4-10, C6
B-1
case study overview (figure)
verification, show line command (local-based)
1-2
Cisco IOS 12.0(7)T command descriptions
defined
configuring EXEC and command level
(TACACS+) 5-4
B-1
configuring NAS (TACACS+)
example configuration (NAS)
A-5, A-9
example configuration (router)
overview
task checklist (table)
defined
monitored dialup PPP events
aaa authorization command
aaa new-model key command
5-1, 5-4
1-11
monitored router administration events
A-13, A-14
aaa authentication command
5-4
1-1
dial-based accounting (server)
1-12
1-14
aaa accounting command
5-2
configuring router (TACACS+)
A-2
1-1
security checklist (table)
records policies
A-13, A-14
session timeout output example
SQL query
creating a user profile (RADIUS authentication)
creating a user profile (RADIUS authorization)
4-7
4-9
creating a user profile (TACACS+ authentication)
creating a user profile (TACACS+ authorization)
negotiation process (flow diagram)
6-3
3-10
software version used in case study
5-1
server-based router implementation
A-13, A-14
verifying user configuration (RADIUS
authentication) 4-8, 4-9
5-4
5-3
5-2, 5-5
TACACS+ dial implementation
5-1
TACACS+ implementation (local-based)
4-3
4-5
TACACS+ router implementation
2-12
5-4
TACACS+ verification tests (local-based)
2-13
TACACS+ verification tests (server-based)
verifying from AAA server
xii
1-11
1-11
server-based dial implementation
A-13, A-14
AAA server
restarting
2-8
accounting
A-13
1-1
disabling
6-14, 6-17
acknowledgements
5-2
5-2, 5-5
xv
AddProfile command
verifying user configuration (TACACS+
authentication) 4-3
adding basic user profile
verifying user configuration (TACACS+
authorization) 4-5
adding group profiles (TACACS+ authorization)
AAA servers
in network context
access list
3-11
adding group profiles (TACACS+ authentication)
4-17,
4-18
adding user profiles (RADIUS authentication)
1-2
4-11
adding user profiles (RADIUS authorization)
4-7
4-9
adding user profiles (TACACS+ authentication)
4-3
adding user profiles (TACACS+ authorization) 4-5
TACACS+ router, verifying by using csuslog
administrative control
authorization policy
1-11
creating, router example
privilege level 15
4-13
TACACS+ verification tests (local-based)
2-6, 2-11
TACACS+ verification tests (server-based)
C2, C9
verifying access list
1-11
attribute-value pair
See AVPs
4-10
verifying PPP user authorization
4-5
verifying RADIUS authorization
4-9
autocommand ppp negotiate command
audience
defined
adding group profiles (TACACS+ authentication)
authentication
configuring NAS (RADIUS)
adding group profiles (TACACS+ authorization)
4-7
4-3
general process (flow diagram)
6-3
RADIUS implementation
defined
1-11
EXEC disabled implementation
C4
EXEC shell enabled (TACACS+)
1-5
4-2, 4-6, 4-10
RADIUS, user profile
TACACS+ dialup, verifying by using csuslog
TACACS+ implementation (local-based)
4-4
4-2, 4-10
TACACS+ verification tests (local-based)
2-3, 2-9
TACACS+ verification tests (server-based)
verifying PPP user authentication
TACACS+, user profile
TACACS+ examples (table)
4-4
B
See AAA
authorization
BootFlash images
4-9
configuring NAS (TACACS+)
AAA considerations
4-4
4-13
C
1-1
general process (flow diagram)
6-3
case study
4-8
RADIUS verification tests (server-based)
RADIUS vs. TACACS+
C5
1-5
server-based implementation
4-4, 4-8, 4-13
TACACS+ dialup, verifying by using csuslog
TACACS+ implementation (local-based)
TACACS+ implementation (server-based)
4-5
2-5, 2-10
4-4, 4-13
4-3, 4-5
TACACS+ authorization, group profile
C1, C7
hardware
xii
objectives
xi
overview
1-1
purpose
software
xi
xii
CCO
accessing
xiii
6-5
1-6
TACACS+ authentication, group profile
authentication, authorization, and accounting
RADIUS implementation
6-5
4-7, 4-9
RADIUS examples (table)
2-2, 2-8
TACACS+ implementation (server-based)
configuring NAS (RADIUS)
6-6
privilege level 15 enabled (TACACS+)
server-based implementation
4-16,
1-6
dial access devices
4-6
RADIUS verification tests (server-based)
RADIUS vs. TACACS+
4-11
4-17, 4-18
configuring NAS (TACACS+)
defined
1-11
AVPs
xi
configuring routers
4-16,
4-18, 4-19
B-1
1-6
4-11
4-16, 4-17, 4-18
definition
Cisco IOS 12.0(7)T (AAA)
xiii
CD-ROM
configurations
documentation
Cisco IOS 12.0(7)T, NAS example
xiv
Challenge Handshake Authentication Protocol
See CHAP
example CSU.cfg listing
1-10
checklists
AAA security (table)
RADIUS
A-16
Cisco 7206 VXR
Cisco AS5300
xii
Cisco AS5800
xii
A-9
A-5
conventions
1-9
command syntax
1-9
document
xii
xiii
xiii
CSConfig.ini
example file listing
Cisco Connection Online
A-19
CSU
See CCO
configuring CSU logging
Cisco IOS 12.0(7)T
creating csuslog file
A-13, A-14
aaa authentication command
aaa authorization command
aaa new-model command
A-13
A-13
installation process
1-11
A-15
A-19
A-16
3-2
3-5
log files listed
A-25
minimum system specifications
B-1
example configurations
pkgadd command
A-1
local-based router example
3-10
restarting syslog daemon
A-13
A-2
radius-server host command
A-15
server-based NAS example
A-5, A-9
tacacs-server host command
A-13, A-15
tacacs-server key command
A-13
version used in case study xii
xii
3-6
restarting AAA server
A-13
CiscoSecure for UNIX
example CSU.cfg listing
installing
A-13, A-14
autocommand ppp negotiate command
ip tacacs command
3-9
example CSConfig.ini listing
A-13, A-14
AAA command descriptions (router)
3-10
example configuration listings
A-13, A-14
AAA command descriptions (NAS)
ip http command
3-9
configuring debugging level
xii
aaa accounting command
disabling AAA
A-1
A-2
TACACS+
1-10
general service definition (table)
network services
local router
1-14
1-12
AAA service definition (table)
commands
A-19
examples, Cisco IOS 12.0(7)T
AAA implementation tasks (table)
A-2
A-15
example CSConfig.ini listing
ISDN authentication
A-5, A-9
Cisco IOS 12.0(7)T, router example
CSU example
CHAP
See CSU
A-13
3-10
software version used in case study
xii
verifying Oracle account information
version 2.3(3)
3-4
xii
CSU.cfg
example file listing
A-16
csuslog
configuring logging
creating file
3-9
3-9
TACACS+ dialup authentication
4-4
TACACS+ dialup authorization
4-5
TACACS+ router authorization
4-16, 4-18, 4-19
E
encryption
using tail command (TACACS+ dialup
authentication) 4-4
RADIUS
using tail command (TACACS+ PPP
authorization) 4-5
TACACS+
using tail command (TACACS+ router
authorization) 4-16, 4-18, 4-19
using the tail command
1-4
1-5
F
C1
flow diagram
general authentication and authorization
D
6-3
TACACS+, authentication and authorization
database
verifying instance
3-3
G
Data Encryption Standard
groups
See DES
defining administrative control
debug command
summary of relevant commands
6-7
using to troubleshoot AAA problems
6-7
H
debug output
accounting (server-based)
hardware
5-3, 5-5
accounting, TACACS+ (local-based)
case study
2-13
authentication, RADIUS (server-based)
xii
Cisco 7206 VXR
C4
xii
authentication, TACACS+ (local-based)
2-3, 2-10
Cisco AS5300
xii
authentication, TACACS+ (server-based)
C1, C7
Cisco AS5800
xii
authorization, RADIUS (server-based)
authorization, TACACS+ (local-based)
2-6, 2-11
authorization, TACACS+ (server-based)
C3, C9
DES
password support policy
router policy
1-13
1-10
diagnostics
xii
I
implementation
AAA task checklist (table)
directory environment variable
3-3
RADIUS attribute support
IP addresses
static address policy
disconnect cause codes
ip http command
idle timeouts
5-2, 5-3
ip tacacs command
listed (table)
5-6
ISDN
1-13
A-13
A-13
CHAP authentication
1-14
interoperability
using debug command output C1
verifying
Sun UltraSPARC
C5
1-10
1-6
4-13
4-14
authorization policy
L
checklist
listener.ora
A-24
local-based access
compared with server-based access
1-10
dialup/shell AAA policy
1-10
general checklist (table)
1-9
1-6
1-6
O
local-based configuration
implementation overview
TACACS+, accounting
2-1
objectives
2-12
case study
TACACS+, authentication
2-2, 2-8
TACACS+, authorization
2-5, 2-10
See CCO
2-13
Oracle
verification test results (TACACS+
authentication) 2-3, 2-9
accounting records policy
verification test results (TACACS+ authorization)
creating tablespace
M
DB Client 7.3(4)
xii
DB Server 7.3(4)
xii
listener (lsnrctl)
management policy
3-2
3-3
listener.ora listing
1-5
A-24
Server Manager (svrmgrl)
MD5
3-4
3-2
installation reference
TACACS+ vs. RADIUS comparison
1-11
confirming tnsnames service
2-6,
2-11
RFC link
xi
online documentation
verification test results (TACACS+ accounting)
3-3
software version used in case study
1-2
user environment variable
multiprotocol support
TACACS+ vs. RADIUS comparison
xii
A-23
verifying account information
1-5
N
verifying database instance
3-3
verifying SMON operation
3-3
3-4
verifying software directory environment variable
3-3
OS Solaris 2.5(1) xii
NAS
versions used in case study
xii
overview
AAA case study
NAS profile
RADIUS
1-9
definitions and policies
configuration listing
defined
1-11
1-1
4-7
network environment
P
equipment summary
1-13
PAP
network services
AAA checklist (table)
accounting policy
1-10
1-11
authentication policy
1-10
PPP authentication
1-10
Password Authentication Protocol
See PAP
passwords
connection between NAS and AAA server down
authentication policies
1-10
authorization policies
1-13
local access policy
connection between router and AAA server
down 6-23
1-13
authentication policy
group profile password type does not match type in
NAS 6-13
1-10
incorrect AAA configuration in router
planning
maximum number of users exceeded
pre-deployment summary
site preparation
1-9
shell initiated PPP session fails
xi
See PPP
6-12, 6-23
6-9, 6-13
TACACS+ or RADIUS key incorrect in NAS or AAA
server 6-12
policies
accounting
user account disabled due to too many failed
logins 6-10, 6-22
1-11
accounting, PPP
1-11
accounting, router administration
authentication
authorization
1-11
1-10
privilege level 15 authorization
router, administrative control
1-13
6-10, 6-22
6-10, 6-22
6-10, 6-22
user workstation configured incorrectly
1-12
6-11
authorization
AAA authorization configured incorrectly in
NAS 6-16
1-10
verifying TACACS+ authorization
AAA behavior incorrectly configured
4-5
verifying TACACS+ user authentication
AAA configuration error
4-4
privilege level
1-2
6-26, 6-28
6-25, 6-27
access list assigned to user
6-14, 6-17
authorization failed service
6-25, 6-27
autocommand ppp negotiate assigned to user
privilege level 15
6-26,
6-28
1-11, 1-12
command authorization policy
local administration
6-9, 6-20
user profile configured incorrectly
PPP
TACACS+ support
user enters invalid username or password
user name not in server database
1-11
1-5
security considerations
PAP authentication
6-11, 6-22
user exceeds the maximum number of concurrent
sessions 6-11, 6-22
1-10
router management
user account password or profile expired
user enters password incorrectly
1-11
dialup/shell AAA
AVPs not assigned
1-13
configuring accounting
group lacks shell service assigned
A-13
5-4
Lack of service=shell AVP
authentication
6-16
idletime TACACS+ AVP not configured on group
profile 6-18
problems
AAA behavior configured incorrectly in router
6-28
Idle-Timeout RADIUS AVP not configured on group
profile 6-18
4-13
AAA behavior configured incorrectly in NAS
6-16
feature is not supported on console ports
1-11
router command authorization
privilege level 15 commands
6-14, 6-17
does not have PPP service assigned
1-12
router authorization policy
6-21, 6-24
TACACS+ key incorrect in router or AAA
server 6-23
Point-to-Point Protocol
accounting
6-12
6-9
6-20
6-28
user client configuration error
6-13
user exceeds the maximum number of concurrent
sessions 6-19
R
user or group does not have User-Service-Type AVP
assigned 6-19
RADIUS
user or group profile lacks proper AVP 6-18
user or group profile restricted
user profile configured incorrectly
C4
authorization tests (server-based)
6-18
user or lacks service=shell AVP assigned
authentication tests (server-based)
6-19
6-28
user profile lacks appropriate enable level to perform
command 6-25
AVP examples (table)
C5
1-6
compared with TACACS+
1-4
compared with TACACS+ (table)
1-4
configuring authentication (server-based)
4-6
user profile lacks appropriate enable privilege level to
perform command 6-27
configuring authorization (server-based)
user profile lacks appropriate privilege level to
perform command 6-25, 6-27
debug output, server-based authentication
user profile restricted
6-14
creating user profiles (authentication) 4-7
debug output, server-based authorization
encryption
profiles
interoperability
NAS profile, creating
creating basic user
RFC link
group, configuring router access
4-7
6-4
1-2
See also AVPs
group, verifying (TACACS+ authentication)
4-11
group, verifying (TACACS+ authorization)
4-16, 4-17,
4-18
See also troubleshooting
technology overview
1-3
troubleshooting scenario, authorization
group configuration, TACACS+
group permissions (table)
user, RADIUS
user, TACACS+
4-14
troubleshooting symptom list, authorization
6-5
verifying access list assignment
4-7, 4-9
radius-server host command
4-3, 4-5
user, verifying (TACACS+ authorization)
4-12
4-10
A-15
user configuration (RADIUS authorization)
4-7
RFCs
reference links
4-9
user configuration (TACACS+ authentication)
user configuration (TACACS+ authorization)
Requests for Comments
See RFCs
3-11
user configuration (RADIUS authentication)
4-3
4-5
1-2
router
administration, command and control policy
administrative control, creating
xi
6-15
See RADIUS
4-16, 4-17,
4-18
purpose
6-10
Remote Authentication Dial-in User Service
user, verifying (TACACS+ authentication)
user, verifying basic
6-36
troubleshooting symptom list, authentication
4-13
user, defining access privileges
case study
A-9
negotiation process (flow diagram)
4-13
C5
1-6
assigning user to group profile (TACACS+
authorization) 4-16, 4-17, 4-18
3-11
C4
1-4
example configuration (NAS)
assigning user to group profile (TACACS+
authentication) 4-11
4-8
authorization, controlling
1-11
4-13
4-13
management, RADIUS vs. TACACS+
1-5
SQL*Plus
S
Release 3.3.4.0.1
scenario
xii
sqlplus
case study description
1-8
verifying account information
case study overview (figure)
1-2
symptom list, troubleshooting AAA
scenarios
troubleshooting examples
3-4
6-29
security
dial-based local authentication
6-9
dial-based local authorization
6-13
dial-based server authentication
policy considerations
1-12
dial-based server authorization
server-based access
6-15
router-based local authentication
compared with local-based access
defined
6-10
1-7
router-based local authorization
6-24
1-7
router-based server authentication
server-based configuration
router-based server authorization
implementation overview (authentication and
authorization) 4-1
6-19
6-21
6-26
syslog daemon
restarting
verification test results (RADIUS authentication)
verification test results (RADIUS authorization)
verification test results (TACACS+ authentication)
3-10
C4
C5
C1,
T
C2,
tablespace
C7
verification test results (TACACS+ authorization)
C9
installing (Oracle)
verifying user (RADIUS authentication)
4-8, 4-9
verifying user (TACACS+ authentication)
verifying user (TACACS+ authorization)
4-3
4-5
3-2
TAC
contacting
show caller user command
xiv
TACACS
access list verification output (server-based)
session timeout disconnect example
5-3
show line command
4-10, C6
RFC link
1-2
TACACS+
accounting tests (local-based)
verification output (local-based)
site preparation
size requirements
3-2
2-8
assigning user to group profile (authentication)
xi
assigning user to group profile (authorization)
4-17, 4-18
SMON
verifying operation on Oracle server
3-3
authentication and authorization (figure)
authentication tests (local-based)
software
case study listing
authentication tests (server-based)
xii
software components
Cisco IOS 12.0(7)T
xii
authorization tests (server-based)
C2, C9
AVP examples (table)
Oracle DB Server 7.3(4)
xii
compared with RADIUS
SQL*Plus Release 3.3.4.0.1
1-6
1-4
compared with RADIUS (table)
xii
xii
C1, C7
2-6, 2-11
xii
OS Solaris 2.5(1)
2-3, 2-9
authorization tests (local-based)
Oracle DB Client 7.3(4)
8
2-13
1-4
configuring accounting (local-based)
2-12
4-14
4-11
4-16,
Index
configuring authentication (local-based)
configuring authentication (server-based)
configuring authorization (local-based)
tnsnames service
4-4, 4-13
verifying with tnsping utility
5-1, 5-2
configuring router accounting (server-based)
using to verify tnsnames service
diagnostic overview
C3, C9
example scenarios
1-5
example configuration (NAS)
multiprotocol support
6-29
6-7
RADIUS authorization scenario
negotiation process, EXEC disabled (flow
diagram) 6-6
6-36
See also problems
See also RADIUS
negotiation process, EXEC enabled (flow diagram)
RFC link
6-1
methodology overview
A-5
1-5
privilege level support
3-4
troubleshooting
C1, C7
debug output, server-based authorization
3-4
tnsping
5-4
4-3
debug output, server-based authentication
encryption
See TACACS+
2-5, 2-10
configuring dial accounting (server-based)
1-1
Terminal Access Controller Access Control System Plus
4-2, 4-10
configuring authorization (server-based)
creating user profiles (authentication)
AAA overview
2-2, 2-8
6-5
1-2
See also symptom list, troubleshooting AAA
See also TACACS+
1-2
TACACS+ authentication scenario
router management
1-5
TACACS+ authorization scenario
6-29, 6-30, 6-31
6-33, 6-34, 6-35
See also AVPs
See also troubleshooting
service control
U
1-3
technology overview
1-2
UNIX
troubleshooting scenario, authentication
troubleshooting scenario, authorization
6-29, 6-30, 6-31
6-33, 6-34, 6-35
troubleshooting symptom list, authentication
troubleshooting symptom list, authorization
6-26
tacacs-server host command
A-13, A-15
tacacs-server key command
A-13
C1
verifying dialup authentication with csuslog
(TACACS+) 4-4
verifying PPP authorization with csuslog
(TACACS+) 4-5
verifying router authorization with csuslog
(TACACS+) 4-16, 4-18, 4-19
Technical Assistance Center
See TAC
technology
6-15, 6-24,
xii
user
creating profiles (RADIUS authentication) 4-7
creating profiles (RADIUS authorization)
4-9
creating profiles (TACACS+ authentication) 4-3
creating profiles (TACACS+ authorization) 4-5
user environment variable
tail command
reading the csuslog file
6-10, 6-21
version used in case study
Oracle, listed
A-23
V
verification
accounting, TACACS+ (local-based)
2-13
accounting, TACACS+ (server-based)
authentication, RADIUS (server-based)
5-2
C4
authentication, TACACS+ (local-based)
2-3, 2-9
authentication, TACACS+ (server-based)
authorization, RADIUS (server-based)
C1, C7
C5
authorization, TACACS+ (local-based)
2-6, 2-11
authorization, TACACS+ (server-based)
C2, C9
verification tests
debug output, RADIUS authentication
(server-based) C4
debug output, RADIUS authorization
(server-based) C5
debug output, TACACS+ (local-based)
debug output, TACACS+ (server-based
accounting) 5-3, 5-5
debug output, TACACS+ authentication
(server-based) C1, C7
debug output, TACACS+ authorization
(server-based) C3, C9
SQL query (accounting)
5-2, 5-5
ViewProfile command
verifying basic user configuration
3-11
verifying user configuration (RADIUS
authentication) 4-8, 4-9
verifying user configuration (TACACS+
authentication) 4-3
verifying user configuration (TACACS+
authorization) 4-5
2-6, 2-11, 2-13