Implementing Secure Converged Wide Area Networks (ISCW)
ISCW-Mod5_L11
© 2007 Cisco Systems, Inc. All rights reserved.
1
Configuring AAA on Cisco Routers
Lesson 11 – Module 5 – ‘Cisco Device Hardening’
Module Introduction
• The open nature of the Internet makes it increasingly important for businesses to pay attention to the security of their networks. As organisations move more of their business functions to the public network, they need to take precautions to ensure that attackers do not compromise their data, and that the data is not accessed by the wrong people.
• Unauthorised network access by an outside hacker or disgruntled employee can wreak havoc with proprietary data, negatively affect company productivity, and stunt the ability to compete.
• Unauthorised network access can also harm relationships with customers and business partners who may question the ability of companies to protect their confidential information, as well as lead to potentially damaging and expensive legal actions.
Objectives
• At the completion of this eleventh lesson, you will be able to:
Describe what is meant by the term ‘triple A’
Explain how and why AAA should be used to secure router and switch access
Configure AAA using the IOS CLI and SDM
Describe the use of external AAA servers, including a brief overview of CSACS
Authentication, Authorisation & Accounting
It is strongly recommended that network and administrative access security in the Cisco environment is based on a modular architecture that has three functional components:
1. authentication,
2. authorisation, and
3. accounting
also known as AAA.
• These AAA services provide a higher degree of scalability than line-level and privileged-EXEC authentication to networking components
• Unauthorised access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment, services and data
• Using a Cisco AAA architecture enables consistent, systematic and scalable access security
The Three Components of AAA
• Authentication
Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol selected, encryption
• Authorisation
Provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
• Accounting
Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes
Authentication
• Authentication is the way a user is identified prior to being allowed access to the network and network services
• AAA authentication is configured by defining a named list of authentication methods, and then applying that list to various interfaces
• The method list defines the types of authentication to be performed and the sequence in which they will be performed; it MUST be applied to a specific interface before any of the defined authentication methods will be performed
The only exception is the default method list (“default”). The default method list is automatically applied to all interfaces if no other method list is defined. A defined method list overrides the default method list.
• All authentication methods, except for local, line password, and enable authentication, MUST be defined through AAA
Authorisation
• Authorisation provides the method for remote access control, including one-time authorisation or authorisation for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet
• AAA authorisation works by assembling a set of attributes that describe what the user is authorised to perform
• These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions
The database can be located locally on the access server or router, or it can be hosted remotely on a RADIUS or TACACS+ security server
• As with authentication, AAA authorisation is configured by defining a named list of authorisation methods, and then applying that list to various interfaces
Accounting
• Accounting provides the method for collecting and sending security server information used for billing, auditing, and reporting - user identities, start and stop times, executed commands, number of packets, and number of bytes
• Accounting enables tracking of the services users are accessing as well as the amount of network resources they are consuming
• With AAA accounting activated, the NAS reports user activity to the RADIUS or TACACS+ security server in the form of accounting records
• Each accounting record is comprised of accounting AV pairs and is stored on the access control server. This data can then be analysed for network management, client billing, and/or auditing
• All accounting methods must be defined through AAA. Accounting is configured by defining a named list of accounting methods, and then applying that list to various interfaces
Access Control
• In many circumstances, AAA uses protocols such as RADIUS, TACACS+, or Kerberos to administer security functions
• If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS, TACACS+, or Kerberos security server
• Although AAA is the primary (and recommended) method for access control, Cisco IOS software provides additional features for simple access control that are outside the scope of AAA, such as local username authentication, line password authentication, and enable password authentication. However, these features do not provide the same degree of access control that is possible by using AAA
Implementing AAA
Cisco provides three ways of implementing AAA services for Cisco routers, network access servers (NAS), and switch equipment:
1. Self-contained AAA: AAA services can be self-contained in the router or NAS itself (also known as local authentication)
2. Cisco Secure ACS for Windows Server: AAA services on the router or NAS contact an external Cisco Secure Access Control Server (ACS) for Windows system for user and administrator authentication
3. Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication
There are also open source AAA servers available that work in conjunction with Cisco IOS devices
Implementing AAA
Administrative access: Console, Telnet, and AUX access
Remote user network access: Dialup or VPN access
Router Access Modes
• All of the AAA commands (except aaa accounting system) apply to either character mode or packet mode. (The mode refers to the format of the packets that request AAA)
If the query is presented as Service-Type = Exec-User, the query is presented in character mode
If the request is presented as Service-Type = Framed-User and Framed-Type = PPP, the request is presented in packet mode.
• Character mode allows a network administrator with a large number of routers in a network to authenticate one time as the user, and then access all routers that are configured in this method
• Primary applications for the Cisco Secure ACS include securing dialup access to a network and securing the management of routers within a network. Both applications have unique AAA requirements.
• With CSACS, a variety of authentication methods can be chosen, each providing a set of authorisation privileges. Router ports must be secured using the Cisco IOS software and a CSACS server
Router Access Modes
AAA Protocols: RADIUS and TACACS+
AAA Protocols: RADIUS and TACACS+
• The best-known and most widely used AAA protocols are TACACS+ and RADIUS
• TACACS+ and RADIUS have different features that make them suitable for different situations
• RADIUS is maintained by a standard that was created by the IETF
• TACACS+ is a proprietary Cisco Systems technology that encrypts data
TACACS+ runs over TCP - RADIUS runs over UDP
• TACACS+ provides many benefits for configuring Cisco devices to use AAA for management and terminal services. TACACS+ can control the authorisation level of users; RADIUS cannot
Because TACACS+ separates authentication and authorisation, it is possible to use TACACS+ for authorisation and accounting, while using a different method for authentication, such as Kerberos
RADIUS Features
• RADIUS is an IETF standard protocol - RFC 2865
• Standard attributes can be augmented by proprietary attributes: Vendor-specific attribute 26 allows any TACACS+ attribute to be used over RADIUS
• Uses UDP on standard port numbers (1812 and 1813; CSACS uses 1645 and 1646 by default)
• It includes only two security features:
1. Encryption of passwords (MD5 encryption)
2. Authentication of packets (MD5 fingerprinting)
• Authorisation is only possible as part of authentication
RADIUS Authentication and Authorisation
The example shows how the RADIUS exchange starts once the NAS is in possession of the username and password
The ACS can reply with an Access-Accept message, or Access-Reject if authentication is not successful
RADIUS Messages
There are four types of messages involved in a RADIUS authentication exchange:
1. Access-Request: Contains AV pairs for the username, password (this is the only information that is encrypted by RADIUS), and additional information such as the NAS port
2. Access-Challenge: Necessary for challenge-based authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Microsoft CHAP (MS-CHAP), and Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)
3. Access-Accept: The positive answer if the user information is valid
4. Access-Reject: Sent as a negative reply if the user information is invalid
RADIUS AV Pairs
• RADIUS messages contain zero or more AV-pairs, for example:
1. User-Name
2. User-Password (this is the only encrypted entity in RADIUS)
3. CHAP-Password
4. Service-Type
5. Framed-IP-Address
• There are approximately 50 standards-based attributes (RFC 2865)
RADIUS allows proprietary attributes
Basic attributes are used for authentication purposes
Most other attributes are used in the authorisation process
• Cisco has added several vendor-specific attributes on the server side. Cisco IOS devices will, by default, always use Cisco AV pairs, but Cisco devices can be configured to use only IETF attributes for standard compatibility
• Accounting information is sent within special RADIUS accounting messages
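The three RADIUS slides above (the two security features, the four message types and the AV pairs) can be tied together in one worked exchange. The following is an added example, not code from the Cisco courseware: it builds an Access-Request per RFC 2865 with the User-Name, User-Password, NAS-IP-Address, NAS-Port and Service-Type attributes, hides the password with the MD5-based scheme the slides call "MD5 encryption", and checks the Response Authenticator on the server's reply, which is what "authentication of packets (MD5 fingerprinting)" refers to. The shared secret, identifier, addresses and the fixed Request Authenticator are constructed sample values.

```python
"""Added example (not Cisco courseware code): a RADIUS Access-Request per RFC 2865,
with the MD5-based User-Password hiding that the slides call "MD5 encryption" and
the Response Authenticator check that the slides call "authentication of packets".
All secrets, addresses and identifiers are constructed sample values."""
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT, SERVICE_TYPE = 1, 2, 4, 5, 6
SERVICE_TYPE_LOGIN = 1  # character-mode (EXEC) access


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: null-pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same keystream, chained on the received ciphertext blocks."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length includes the two header octets."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    """Walk the TLV list; a bad Length field is the classic RADIUS parser bug, so check it."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def build_access_request(ident: int, secret: bytes, username: str, password: str,
                         nas_ip: str, nas_port: int, request_auth: bytes = b"") -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes. A real NAS draws
    the Request Authenticator from a CSPRNG; a fixed one is accepted here for testing."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attribute(NAS_PORT, struct.pack("!I", nas_port))
             + attribute(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """NAS side: a reply whose authenticator does not verify was not produced with the
    shared secret (or was altered in transit) and must be dropped, whatever its code."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo() -> dict:
    """Round trip with constructed values: NAS sends the request, the server recovers the
    password, answers Accept or Reject, and the NAS verifies the answer."""
    secret = b"secretradius"  # constructed; must equal 'radius-server key' on the NAS
    req = build_access_request(7, secret, "joe", "s3cret!", "10.1.1.1", 2, bytes(range(16)))
    attrs = parse_attributes(req[20:])
    recovered = reveal_password(attrs[USER_PASSWORD], secret, req[4:20])
    code = ACCESS_ACCEPT if recovered == b"s3cret!" else ACCESS_REJECT
    reply = build_response(code, req, secret)
    return {"user": attrs[USER_NAME].decode(), "recovered": recovered,
            "code": reply[0], "reply_ok": verify_response(reply, req, secret)}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: only the User-Password attribute is hidden, so the User-Name, NAS address and port travel in clear text over UDP; and the whole security of both mechanisms rests on the shared secret, so a weak `radius-server key` undermines password hiding and reply authentication at once.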
TACACS+ Attributes and Features
• The TACACS+ protocol is much more flexible than the RADIUS communication. The TACACS+ protocol permits the TACACS+ server to use virtually arbitrary dialogs to collect enough information until a user is authenticated
• TACACS+ messages contain AV-pairs, such as:
1. ACL
2. ADDR
3. CMD
4. Interface-Config
5. Priv-Lvl
6. Route
• TACACS+ uses TCP on well-known port number 49
• TACACS+ establishes a dedicated TCP session for every AAA action
Cisco Secure ACS can use one persistent TCP session for all actions
• Protocol security includes authentication and encryption of all TACACS+ datagrams
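The last three bullets (TCP port 49, one session per action versus one persistent session, and encryption of every datagram) describe the TACACS+ packet header and body protection. The following is an added example, not Cisco or TACACS+ server code: it packs the 12-octet header, derives the keyed-MD5 pad that hides each body (the slides call this encryption; RFC 8907, which documents the protocol, calls it obfuscation), and sets the single-connect flag that the IOS `single-connection` keyword negotiates. The session ID, user data and the `SeCrEtKeY` value are constructed sample values.

```python
"""Added example (not Cisco or TACACS+ server code): the TACACS+ 12-octet header and
the keyed-MD5 pad that hides every packet body, plus the single-connect flag behind
the IOS 'single-connection' keyword. Session IDs, keys and user data are constructed."""
import hashlib
import struct

VERSION = 0xC0                        # major version 0xc, default minor version 0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 1, 2, 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01      # body in the clear: a misconfiguration worth alerting on
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04   # client asks to reuse one TCP session for many actions
HEADER = struct.Struct("!BBBBII")     # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no); pad_n = MD5(same, pad_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Body XOR pad; XOR is its own inverse, so this call also de-obfuscates."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_packet(ptype: int, seq_no: int, session_id: int, key: bytes, body: bytes,
                 single_connect: bool = False) -> bytes:
    flags = TAC_PLUS_SINGLE_CONNECT_FLAG if single_connect else 0
    header = HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_packet(packet: bytes, key: bytes) -> dict:
    """Server side: validate the header, then strip the pad unless the packet says it is clear."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version >> 4 != 0xC:
        raise ValueError("unsupported TACACS+ major version")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no)
    return {"type": ptype, "seq_no": seq_no, "session_id": session_id, "body": body,
            "single_connect": bool(flags & TAC_PLUS_SINGLE_CONNECT_FLAG),
            "cleartext": bool(flags & TAC_PLUS_UNENCRYPTED_FLAG)}


def authen_start_body(user: str, port: str, rem_addr: str, priv_lvl: int = 1) -> bytes:
    """Authentication START for an ASCII login (RFC 8907 5.1): eight fixed octets, then
    the variable-length user, port, rem_addr and (empty) data fields."""
    LOGIN, TYPE_ASCII, SVC_LOGIN = 1, 1, 1
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!8B", LOGIN, priv_lvl, TYPE_ASCII, SVC_LOGIN, len(u), len(p), len(r), 0)
    return fixed + u + p + r


def demo() -> dict:
    """Client sends seq 1 START on a single-connect session; the server parses it with the
    right key and with a wrong key. A key mismatch yields garbage, not an error, which is
    why it shows up as unexplained authentication failures rather than a clear message."""
    key, session_id = b"SeCrEtKeY", 0x1A2B3C4D   # constructed; key must match 'tacacs-server key'
    body = authen_start_body("joe", "tty10", "172.31.3.78")
    pkt = build_packet(TAC_PLUS_AUTHEN, 1, session_id, key, body, single_connect=True)
    good, bad = parse_packet(pkt, key), parse_packet(pkt, b"wrong-key")
    return {"roundtrip": good["body"] == body, "wrong_key_roundtrip": bad["body"] == body,
            "single_connect": good["single_connect"], "wire_hides_user": b"joe" not in pkt}
```

Unlike RADIUS, the username and every other field of the body are covered by the pad, but the header (including the session ID and sequence number that seed the pad) is always in the clear, and there is no per-packet integrity check beyond the shared key itself. Monitoring for the unencrypted flag on port 49 traffic is a cheap way to catch a server or device that has been left without a key.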
TACACS+ Authentication
The example shows how the TACACS+ exchange starts before the user is prompted for username and password.
The prompt text can be supplied by the TACACS+ server.
TACACS+ Network Authorisation
The example shows the process of network authorisation that
starts after successful authentication.
TACACS+ Command Authorisation
The example illustrates the command authorisation process that
repeatedly starts for every command that requires authorisation
(based on command privilege level).
Configuring the AAA Server
• These are the first steps in configuring the network access server:
1. Globally enable AAA to allow the use of all AAA elements. This step is a prerequisite for all other AAA commands.
2. Specify the Cisco Secure ACS (if being used, or other server if not) that will provide AAA services for the network access server.
3. Configure the encryption key that will be used to encrypt the data transfer between the network access server and the Cisco Secure ACS.
Configuring the AAA Server
TACACS+
RADIUS
AAA Configuration Commands
Command
Description
aaa new-model
Enables AAA on the router. Prerequisite for all other AAA
commands.
tacacs-server host ipaddress single-connection
Indicates the address of the Cisco Secure ACS server
and specifies use of the TCP single-connection feature
of Cisco Secure ACS. This feature improves
performance by maintaining a single TCP connection for
the life of the session between the network access
server and the Cisco Secure ACS server, rather than
opening and closing TCP connections for each session
(the default).
tacacs-server key key
Establishes the shared secret encryption key between
the network access server and the Cisco Secure ACS
server.
radius-server host ipaddress
Specifies a RADIUS AAA server.
radius-server key key
Specifies an encryption key to be used with the RADIUS
AAA server.
AAA Authentication Commands
Router(config)#
aaa authentication login {default | list_name} group {group_name | tacacs+ | radius} [method2 [method3 [method4]]]
• Use this command to configure the authentication process
Router(config)#aaa authentication login default group tacacs+ local line
aaa authentication login Parameters
Parameter
Description
default
This command creates a default that is automatically
applied to all lines and interfaces, specifying the method
or sequence of methods for authentication.
list-name
This command creates a list, with a name of your
choosing, that is applied explicitly to a line or interface
using the method or methods specified. This defined list
overrides the default when you apply the defined list to a
specific line or interface.
group group-name
group radius
group tacacs+
These methods specify the use of an AAA server. The
group radius and group tacacs+ methods refer to
previously defined RADIUS or TACACS+ servers. The
group-name string allows the use of a predefined group of
RADIUS or TACACS+ servers for authentication (created
with the aaa group server radius or aaa group server
tacacs+ command).
aaa authentication login Parameters (Cont.)
Parameter
Description
method2
method3
method4
This command executes authentication methods in the order that the methods are listed. If an authentication method returns an error, such as a timeout, the Cisco IOS software attempts to execute the next method. If the authentication fails, access is denied. You can configure up to four methods for each operation. The method must be supported by the authentication operation that you specify. A general list of methods includes:
- enable: Uses the enable password for authentication
- krb5: Uses Kerberos Version 5 for authentication
- line: Uses the line password for authentication
- local: Uses the local username and password database for authentication
- local-case: Uses case-sensitive local username authentication
- none: Uses no authentication
- group: Uses server-group
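The description above carries the rule that decides whether a method list is a safe fallback or an accidental bypass: an error (timeout, unreachable server) moves to the next method, but a failed authentication stops the list and denies access. The following is an added example, not Cisco IOS code, that models that walk for the methods listed (group, local, local-case, line, enable, none) and runs the slide deck's own `default` and `my_list` lists against a reachable and an unreachable TACACS+ server. The `Router` class, its usernames, passwords and server contents are constructed sample data.

```python
"""Added example (not Cisco IOS code): a model of how a login method list is walked.
The security-relevant rule is ERROR versus FAIL: a method that cannot answer (server
timeout) hands over to the next method, but a method that answers "reject" ends the
attempt, so 'group tacacs+ local' does not let a local account bypass a reachable
server. Usernames, passwords and server contents are constructed sample data."""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    PASS = 1    # the method authenticated the user
    FAIL = 2    # the method answered and rejected the user: stop, deny
    ERROR = 3   # the method could not answer (unreachable/timeout): try the next one


@dataclass
class Router:
    enable_secret: str = "en4ble-pw"
    line_password: str = "l1ne-pw"
    local_users: dict = field(default_factory=dict)      # username -> password
    server_groups: dict = field(default_factory=dict)    # group name -> {user: pw}, or None if down

    def run_method(self, method: str, username: str, password: str) -> Result:
        def check(expected) -> Result:
            return Result.PASS if expected == password else Result.FAIL

        if method.startswith("group "):
            db = self.server_groups.get(method[6:])
            return Result.ERROR if db is None else check(db.get(username))
        if method == "local":           # IOS 'local' matches the username case-insensitively
            users = {u.lower(): p for u, p in self.local_users.items()}
            return check(users.get(username.lower()))
        if method == "local-case":      # 'local-case' requires an exact-case username
            return check(self.local_users.get(username))
        if method == "line":
            return check(self.line_password)
        if method == "enable":
            return check(self.enable_secret)
        if method == "none":
            return Result.PASS
        raise ValueError(f"unknown method {method!r}")

    def authenticate(self, methods: list, username: str, password: str) -> tuple:
        """Returns (allowed, trace). Only ERROR moves on to the next method; if every
        method errors, no method has vouched for the user and access is denied."""
        trace = []
        for method in methods:
            result = self.run_method(method, username, password)
            trace.append((method, result.name))
            if result is not Result.ERROR:
                return result is Result.PASS, trace
        return False, trace


def parse_method_list(cmd: str) -> list:
    """'aaa authentication login default group tacacs+ local' -> ['group tacacs+', 'local']."""
    words = cmd.split()
    if words[:3] != ["aaa", "authentication", "login"] or len(words) < 5:
        raise ValueError("expected: aaa authentication login {default|list-name} method...")
    tokens, methods = words[4:], []
    while tokens:
        take = 2 if tokens[0] == "group" else 1
        methods.append(" ".join(tokens[:take]))
        tokens = tokens[take:]
    if not 1 <= len(methods) <= 4:
        raise ValueError("a method list holds one to four methods")
    return methods


def demo() -> dict:
    """The slides' two lists against a reachable and an unreachable TACACS+ server."""
    default = parse_method_list("aaa authentication login default group tacacs+ local")
    my_list = parse_method_list("aaa authentication login my_list group tacacs+")
    up = Router(local_users={"Admin": "local-pw"}, server_groups={"tacacs+": {"joe": "tac-pw"}})
    down = Router(local_users={"Admin": "local-pw"}, server_groups={"tacacs+": None})
    return {
        # True: TACACS+ answers PASS
        "server_up_joe": up.authenticate(default, "joe", "tac-pw")[0],
        # False: TACACS+ answers FAIL, so the local database is never consulted
        "server_up_local_only": up.authenticate(default, "Admin", "local-pw")[0],
        # True: ERROR falls through to 'local', which matches 'admin' case-insensitively
        "server_down_local": down.authenticate(default, "admin", "local-pw")[0],
        # False: my_list has no fallback, so the lines using it are locked out
        "server_down_my_list": down.authenticate(my_list, "joe", "tac-pw")[0],
    }
```

The last case is why the console line in the examples that follow deserves a list with `local` after the server group: a list that names only `group tacacs+` locks every administrator out while the server is down, and a list ending in `none` does the opposite and admits everyone once the server stops answering.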
Configuring AAA Authentication Using TACACS+
Command
Description
aaa authentication login default group tacacs+ local
The default login is TACACS+ server. If there is no response from the server, then use the local username and password database.
aaa authentication login my_list group tacacs+
Used for character mode username and password challenge. A new list name, my_list, is defined, and the only method is TACACS+.
line con 0
Enters console configuration mode.
login authentication my_list
Configures the console line to use the AAA list name my_list, which has been previously defined to use only TACACS+.
line 1 48
login authentication my_list
Configures lines 1 through 48 to use the AAA list name my_list, which has been previously defined to use only TACACS+.
line vty 0 4
On lines vty 0 through 4, the default list is used, which in this case specifies the aaa authentication login default group tacacs+ local command.
Character Mode Login Example
Router#show running-config
...
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication login my_list group tacacs+
...
line con 0
line aux 0
line vty 0 4
login authentication my_list
• Because the authentication has not been specified for line
con 0 and aux 0, the default option is used
Enabling AAA in SDM
Confirming the AAA Activation
Defining RADIUS Servers
Defining TACACS+ Servers
Creating a Login Authentication Policy
Configuring a Login Authentication Policy
Creating an EXEC Authorisation Policy
Configuring an EXEC Authorisation Policy
Creating Local User Accounts
Configuring VTY Line Parameters
Applying Authentication Policy to VTY Lines
Applying Authorisation Policy to VTY Lines
Verifying AAA Login Authentication Commands
aaa new-model
!
aaa authentication login default local
aaa authentication login radius_local group radius local
aaa authorization exec default local
!
username joe secret 5 $1$SlZh$Io83V..6/8WEQYTis2SEW1
!
tacacs-server host 10.1.1.10 single-connection key secrettacacs
radius-server host 10.1.1.10 auth-port 1645 acct-port 1646 key secretradius
!
line vty 0 4
login authentication radius_local
Troubleshoot AAA Login Authentication on Cisco Routers
• Use the debug aaa authentication command on routers to trace AAA packets and monitor authentication
• The command displays debugging messages on authentication functions
router#
debug aaa authentication
‘AAA Authorization’ Commands
• The access server can be configured to restrict the user to perform certain functions only after successful authentication
• Use the aaa authorization command in global configuration mode to select the function authorised and the method of authorisation
• Troubleshooting Authorization
To display information on AAA authorisation, use the debug aaa authorization command in privileged-EXEC mode.
Use the no debug aaa authorization form of the command to disable this debug mode.
‘AAA Authorization’ Commands
router(config)#
aaa authorization {network | exec | commands level | config-commands
| reverse-access} {default|list-name} method1 [method2...]
Example:
router(config)#aaa authorization exec default group radius local none
AAA Accounting Commands
• Use the aaa accounting command in global configuration mode for auditing and billing purposes.
• Accounting of user EXEC sessions requires that aaa new-model is enabled and that the authentication and authorisation configuration is in place.
• The Cisco Secure ACS serves as a central repository for accounting information by completing the access control functionality. Accounting tracks events that occur on the network.
• Each session that is established through the Cisco Secure ACS can be fully accounted for and stored on the server. This stored information can be very helpful for management, security audits, capacity planning, and network usage billing.
AAA Accounting Commands
router(config)#
aaa accounting {commands level | connection | exec | network | system} {default | list-name} {start-stop | stop-only | wait-start} group {tacacs+ | radius}
Example:
R2(config)#aaa accounting exec default start-stop group tacacs+
AAA Accounting Example
R2#show running-config | begin aaa
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
...
tacacs-server host 10.1.1.3
tacacs-server key SeCrEtKeY
...
The Cisco Secure ACS serves as a central repository for accounting
information by completing the access control functionality. Accounting
tracks events that occur on the network. The next slide shows a
TACACS+ report from Windows ACS
TACACS+ Reports and Activity
Troubleshooting Accounting
• Use this command to help troubleshoot AAA accounting
problems.
router#
debug aaa accounting
R2#debug aaa accounting
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54
elapsed_time=14
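The debug output above is the same session data that the accounting server stores as AV pairs, so it is worth being able to read it by machine when reconciling router-side and server-side records. The following is an added example, not from the courseware: a small parser for this output that turns each `AAA/ACCT` event into a record, attaches the `key=value` continuation lines to the stop event, and flattens stop records into the fields an audit needs. The sample text is the slide's output; the assumed line shape (`HH:MM:SS: AAA/ACCT: <event>` followed by `key=value` lines) is drawn from that sample and is not a documented Cisco format.

```python
"""Added example (not from the courseware): parse the 'debug aaa accounting' output
into structured records. The 'HH:MM:SS: AAA/ACCT: <event>' prefix and 'key=value'
continuation lines are an assumption drawn from the slide's sample, not a Cisco spec."""
import re

# Constructed from the slide's sample output, verbatim.
SAMPLE_DEBUG = """\
16:49:21: AAA/ACCT: EXEC acct start, line 10
16:49:32: AAA/ACCT: Connect start, line 10, glare
16:49:47: AAA/ACCT: Connection acct stop:
task_id=70 service=exec port=10 protocol=telnet address=172.31.3.78
cmd=glare bytes_in=308 bytes_out=76 paks_in=45 paks_out=54
elapsed_time=14
"""

EVENT_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}): AAA/ACCT: (.*?):?$")
AV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = {"task_id", "port", "bytes_in", "bytes_out", "paks_in", "paks_out", "elapsed_time"}


def parse_acct_debug(text: str) -> list:
    """One dict per AAA/ACCT event; key=value lines attach to the preceding event."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            records.append({"time": m.group(1), "event": m.group(2), "av": {}})
        elif not records:
            raise ValueError(f"AV pairs before any event: {line!r}")
        else:
            for key, value in AV_RE.findall(line):
                records[-1]["av"][key] = int(value) if key in INT_FIELDS else value
    return records


def stop_summaries(records: list) -> list:
    """Flatten each '... acct stop' record into the fields an audit trail needs:
    who/where (remote address, port), what (service, protocol, cmd) and how much."""
    out = []
    for rec in records:
        if not rec["event"].endswith("acct stop"):
            continue
        av = rec["av"]
        out.append({"time": rec["time"], "task_id": av.get("task_id"),
                    "service": av.get("service"), "protocol": av.get("protocol"),
                    "remote": av.get("address"), "port": av.get("port"), "cmd": av.get("cmd"),
                    "bytes": av.get("bytes_in", 0) + av.get("bytes_out", 0),
                    "packets": av.get("paks_in", 0) + av.get("paks_out", 0),
                    "elapsed_time": av.get("elapsed_time")})
    return out


if __name__ == "__main__":
    for summary in stop_summaries(parse_acct_debug(SAMPLE_DEBUG)):
        print(summary)
```

A stop record with no matching start on the server, or a start on the router with no stop on the server, is the kind of gap this reconciliation is meant to surface; the `start-stop` keyword in the `aaa accounting` command is what makes both halves available.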