Cisco Switch AAA Setup

Set Up a Cisco Switch with an AAA Server
CS580 Winter 2005
Presented by:
Chris Orona
Kevork Tamamian
Xuong Tsan
What is an AAA Server?
• AAA (Authentication, Authorization, Accounting)
For example:
RADIUS (Remote Authentication Dial-In User Service)
TACACS (Terminal Access Controller Access Control System)
TACACS
• Specified in RFC 1492
• Uses port 49 (TCP or UDP)
• XTACACS – TACACS extensions created by Cisco
TACACS server on a switch
switch(config)# login tacacs
switch(config)# tacacs-server host 192.20.22.7
switch(config)# tacacs-server key "I am cool"
switch(config)# tacacs-server attempts 3
TACACS server (cont.)
switch(config)# tacacs-server timeout 5
TACACS Verification
switch# show tacacs
Enable use-tacacs:Enabled
Login tacacs:Enabled
tacacs-server last-resort:password
tacacs-server hosts:192.20.27.7
tacacs-server key:I am cool
tacacs-server login attempts:3
tacacs-server timeout:5 seconds
tacacs-server directed-request:Disabled
TACACS+
• A newer protocol derived from TACACS, but not compatible with the original
• Uses a separate server for AAA
TACACS+ packet header
Field            Size
Major version    4 bits
Minor version    4 bits
Packet type      8 bits
Sequence No.     8 bits
Flags            8 bits
Session ID       4 bytes
Length           4 bytes
• Major/Minor version
• Packet Type
• Authentication, Authorization, or Accounting
• Flags
• Whether encryption is set
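The header layout above as an added example (not code from the slides): a small Python parser for the fixed 12-byte TACACS+ header that also reports whether the flags field announces a cleartext body. The field widths follow the table; the constant values (major version 0xC, packet types 1/2/3, unencrypted flag bit 0x01) are taken from the TACACS+ specification (RFC 8907), and the sample header bytes are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Constants from the TACACS+ specification (RFC 8907), not from the slides
HEADER_LEN = 12
MAJOR_VERSION = 0xC
PACKET_TYPES = {0x01: "authentication", 0x02: "authorization", 0x03: "accounting"}
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is cleartext, not obfuscated with the shared key

@dataclass
class TacacsPlusHeader:
    major_version: int
    minor_version: int
    packet_type: str
    seq_no: int       # odd from the client, even from the server
    flags: int
    session_id: int
    length: int       # length of the body that follows the 12-byte header

    @property
    def body_encrypted(self) -> bool:
        return not (self.flags & TAC_PLUS_UNENCRYPTED_FLAG)

def parse_header(data: bytes) -> TacacsPlusHeader:
    """Decode the fixed header: version, type, seq_no, flags, session_id, length."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} header bytes, got {len(data)}")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", data[:HEADER_LEN])
    major, minor = version >> 4, version & 0x0F  # one byte holds both 4-bit version fields
    if major != MAJOR_VERSION:
        raise ValueError(f"unexpected major version {major:#x}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype:#x}")
    return TacacsPlusHeader(major, minor, PACKET_TYPES[ptype], seq_no, flags, session_id, length)

def cleartext_session(data: bytes) -> bool:
    """True when a well-formed header announces an unencrypted body, else False."""
    try:
        return not parse_header(data).body_encrypted
    except ValueError:
        return False

# Constructed sample: client authentication START, seq 1, unencrypted flag set, 23-byte body
SAMPLE_HEADER = bytes.fromhex("c0010101" "deadbeef" "00000017")
print(parse_header(SAMPLE_HEADER), "cleartext" if cleartext_session(SAMPLE_HEADER) else "obfuscated")
```

A monitoring point that sees the unencrypted flag set on production TACACS+ traffic has found a device or server configured without the shared key.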
TACACS+ Traffic
Authentication
• Enables the switch/router to verify passwords against a remote server
• Set up passwords for login and enable access
• Fall back to the local enable password in case the server is down
aaa new-model
aaa authentication login default tacacs+ enable
aaa authentication enable default tacacs+ enable
Authorization
• Request authorization for events such as obtaining a shell, entering configuration mode, or running certain commands
• Again, have a backup method in case the server is down.
aaa authorization exec default tacacs+ if-authenticated
Accounting
• Log access and attempted access to a remote server
• Can log inbound and/or outbound connections
• Types of accounting
  • start-stop: sends start and stop records without waiting for the server to acknowledge
  • stop-only: only records when the action is completed
  • wait-start: waits for the start record to be sent before allowing the action
aaa accounting exec default start-stop tacacs+
aaa accounting connection default start-stop tacacs+
ClearBox RADIUS and TACACS+ Server 2.4.5
• Available for Windows
• Can authenticate against a Windows domain or SQL database (Access, SQL Server, ODBC, etc.)
• $399, or free trial version with limited password functionality.
Reference Links
• http://www.cisco.com/en/US/products/hw/switches/ps637/products_configuration_guide_chapter09186a008007da46.html#15411
• http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080093c7c.shtml
• http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
• http://www.informit.com/articles/article.asp?p=170744&seqNum=2
• http://www.cisco.com/pcgibin/search/search.pl?searchPhrase=cisco+router+1601+support+tacacs&x=0&y=0&nv=Search+All+Cisco.com%23%23cisco.com&nv=Technical+Support%26Documentation%23%23cisco.com%23TSD&language=en&country=US&accessLevel=Guest&siteToSearch=cisco.com
• http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7a7.html#16099
• Clearbox server: http://www.xperiencetech.com/