Introduction to Cisco router AAA configuration

The "3A" concept: Authentication, Authorization and Accounting.

Cisco offers several ways of providing AAA services for routers and switches:
1. Self-contained AAA: the router/NAS (Network Access Server) provides the AAA service itself.
2. Cisco Secure ACS: the router/NAS contacts an external Cisco Secure ACS system for the AAA service.
3. Cisco Secure ACS Solution Engine: the router/NAS contacts an external Cisco Secure ACS Solution Engine.
4. Third-party ACS: the router/NAS communicates with an external, Cisco-recognized third-party ACS system over RADIUS or TACACS+.

The Cisco Secure ACS series is a comprehensive and flexible platform for secure network access. It is mainly used for:
- access to the console and VTY ports of routers and switches;
- dial-up and administrator access through Cisco NAS devices and routers;
- access to Cisco PIX firewalls;
- VPN 3000 series concentrators (RADIUS only);
- wireless LANs using Cisco LEAP and PEAP;
- 802.1X authentication on switches.

AAA configuration process on the border router

1. Secure access to the VTY, asynchronous, AUX and TTY ports:

  config t
   enable password ***
   service password-encryption
   enable secret ***

  The enable secret protects privileged EXEC mode and configuration mode on the border router.

2. Enable AAA with the aaa new-model command:

  config t
   aaa new-model
   username *** password ***
   aaa authentication login default local

  Note: when you configure aaa new-model you must provide a local login method, otherwise the router can be locked out because management sessions are rejected.

3. Configure the AAA authentication lists

aaa authentication login defines the authentication procedure used when a user logs on to the router.
aaa authentication ppp defines the authentication steps used for user sessions on serial interfaces that run PPP.
aaa authentication enable default defines the method list used, once AAA is enabled globally on the access server, when someone tries to enter privileged EXEC mode with the enable command. The lists are then applied to lines and interfaces.

An authentication method list names a service (PPP, ARAP, NASI, LOGIN) and one or more authentication methods (local, TACACS+, RADIUS, line or enable). It is recommended to use local authentication as the final method.

Defining an authentication method list:
1. Specify the service (PPP, ARAP, NASI) or login authentication.
2. Give the list a name, or use the default list.
3. Specify the methods in order, which also determines how the router responds when one of them is unavailable.
4. Apply the list to a line or interface: the tty, vty, console, aux and async lines (the console port is used for login; asynchronous lines carry ARA, PPP and SLIP), or the virtual interfaces configured for NASI or ARAP.
5. Enter the aaa authentication command in global configuration mode to enable the AAA authentication process.

(1) The aaa authentication login command

  config t
   aaa authentication login default enable
   aaa authentication login console-in local
   aaa authentication login tty-in line

console-in and tty-in are list names chosen by the administrator.

Syntax: aaa authentication login {default | list-name} method1 [method2 ...]

default: the methods listed after this keyword form the default method list used when a user logs on.
list-name: a string naming the authentication method list used when the user logs on.

Methods:
  enable            use the enable password to authenticate
  krb5              use Kerberos 5 to authenticate
  krb5-telnet       use the Kerberos 5 Telnet authentication protocol when the user connects to the router with Telnet
  line              use the line password to authenticate
  local             use the local username database to authenticate
  none              no authentication
  group radius      use the list of all RADIUS servers to authenticate
  group tacacs+     use the list of all TACACS+ servers to authenticate
  group group-name  use a subset of RADIUS or TACACS+ servers to authenticate; these servers are defined with the aaa group server radius or aaa group server tacacs+ command

(2) The aaa authentication ppp command

Syntax: aaa authentication ppp {default | list-name} method1 [method2 ...]

default: the methods listed after this keyword form the default method list used when a user logs on.
list-name: a string naming the authentication method list used when the user logs on.

Methods:
  if-needed         if the user has already authenticated on the TTY line, no further authentication is required
  krb5              use Kerberos 5 to authenticate
  local             use the local username database to authenticate
  local-case        use the local username database, case-sensitive
  none              no authentication
  group group-name  use a subset of RADIUS or TACACS+ servers to authenticate; these servers are defined with the aaa group server radius or aaa group server tacacs+ command

(3) The aaa authentication enable default command

Syntax: aaa authentication enable default method1 [method2 ...]

Methods:
  enable            use the enable password to authenticate
  line              use the line password to authenticate
  none              no authentication
  group radius      use the list of all RADIUS servers to authenticate
  group tacacs+     use the list of all TACACS+ servers to authenticate
  group group-name  use a subset of RADIUS or TACACS+ servers to authenticate; these servers are defined with the aaa group server radius or aaa group server tacacs+ command

(4) Applying the authentication lists to lines and interfaces

  config t
   aaa new-model                                            ! enable AAA
   aaa authentication login default enable                  ! use the enable password as the default login method
   aaa authentication login console-in group tacacs+ local  ! console-in: authenticate with TACACS+; if TACACS+ fails, use the local username and password
   aaa authentication login dial-in group tacacs+           ! dial-in: authenticate with TACACS+
   username *** password ***                                ! create a local username and password, most likely used together with the console-in list
   line console 0                                           ! enter line configuration mode for console port 0
    login authentication console-in                         ! use the console-in list for login authentication on console port 0
   interface s3/0
    ppp authentication chap dial-in                         ! use the dial-in list for PPP CHAP authentication on interface S3/0

4. Configure AAA authorization

After a user has authenticated, the aaa authorization command controls what the user is allowed to do.

Syntax: aaa authorization {network | exec | commands level | reverse-access | configuration} {default | list-name} method1 [method2 ...]

  network         authorizes all network-related service requests, including SLIP, PPP, PPP NCP and ARA
  exec            determines whether the user may run an EXEC shell
  commands level  authorizes all commands at the specified privilege level; valid levels are 0-15
  reverse-access  authorizes reverse access connections, for example reverse Telnet
  configuration   downloads the configuration from the AAA server
  default         the methods listed after this keyword form the default method list
  list-name       a string naming the authorization method list
Methods (at least one of the following keywords):
  group group-name  authorize with a subset of RADIUS or TACACS+ servers; these servers are defined with the aaa group server radius or aaa group server tacacs+ command
  if-authenticated  allow the user to access the requested function if the user has been authenticated
  krb5-instance     use the instance defined by the kerberos instance map command
  local             use the local username database to authorize
  none              no authorization

Example:

   enable secret level 1 ***                                ! enable secret password for level 1 users
   enable secret level 15 ***                               ! enable secret password for level 15 users
   aaa new-model                                            ! enable AAA
   aaa authentication login default enable                  ! use the enable password as the default login method
   aaa authentication login console-in group tacacs+ local  ! console-in: authenticate with TACACS+; if TACACS+ fails, use the local username and password
   aaa authentication login dial-in group tacacs+           ! dial-in: authenticate with TACACS+
   username *** password ***                                ! create a local username and password, most likely used together with the console-in list
   aaa authorization commands 1 alpha local                 ! alpha: authorize all level 1 commands with the local username database
   aaa authorization commands 15 bravo if-authenticated group tacplus local
                                                            ! bravo: if the user has been authenticated, allow level 15 commands; otherwise the user must
                                                            ! authenticate against the TACACS+ servers in group tacplus before level 15 commands are allowed
   aaa authorization network charlie local none             ! charlie: authorize all network services with the local database;
                                                            ! if the local database is unavailable no authorization is performed and the user may use all network services
   aaa authorization exec delta if-authenticated group tacplus
                                                            ! delta: if the user has been authenticated, allow the EXEC process; otherwise the user must
                                                            ! authenticate against the TACACS+ servers in group tacplus before EXEC is allowed
   privilege exec level 1 ping                              ! make ping available at privilege level 1
   line console 0
    login authentication console-in                         ! use the console-in list for login authentication on console port 0
   interface s3/0
    ppp authentication chap dial-in                         ! use the dial-in list for PPP CHAP authentication on interface S3/0

5. Configure AAA accounting

The aaa accounting command specifies how accounting records are written.

Syntax: aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] [start-stop | stop-only | none] [broadcast] method1 [method2 ...]

  auth-proxy      accounts for all authentication proxy user events
  system          accounts for all non-user-related system-level events
  network         accounts for all network-related service requests
  exec            accounts for EXEC shell sessions
  connection      accounts for all outbound connections made from the NAS
  commands level  accounts for all commands at the specified privilege level; valid levels are 0-15
  default         the methods listed after this keyword form the default accounting method list
  list-name       a string naming the accounting method list
  vrf-name        the VRF in which accounting is configured
  start-stop      send a start accounting notice when the process begins and a stop accounting notice when it ends
  stop-only       send a stop accounting notice when the requested user process ends
  none            disables accounting on this line or interface
  broadcast       send accounting records to multiple AAA servers; the record is sent to the first server in each group at the same time
  method          at least one of the following keywords:
    group radius      use the list of all RADIUS servers for accounting
    group tacacs+     use the list of all TACACS+ servers for accounting
    group group-name  use a subset of RADIUS or TACACS+ servers for accounting

Enable the following commands on the router to turn on several kinds of accounting:

   aaa accounting system wait-start local       ! audit system events with the accounting method
   aaa accounting network stop-only local       ! send a stop record when a network service ends
   aaa accounting exec start-stop local         ! send a start record when an EXEC process starts and a stop record when it ends
   aaa accounting commands 15 wait-start local  ! before any level 15 command starts, send a start record and wait for acknowledgement; when the command ends, send a stop record

6. Verify the configuration

   debug aaa authentication   ! display debugging information about the authentication function
   debug aaa authorization    ! display debugging information about the authorization function
   debug aaa accounting       ! display debugging information about the accounting function
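Complementing the debug commands above, the following Python script is an added example (not from the original article): it parses the aaa authentication lines of a saved running-config and flags method lists that would lock administrators out when the TACACS+/RADIUS servers are unreachable (no local fallback, the risk the note under aaa new-model warns about), lists that use none, and line configurations that reference a list that is never defined. The sample configuration is constructed; console-in and dial-in mirror the article, while lab-in and vty-in are made-up names added to trigger the checks.

```python
import re

# Constructed sample running-config (not from a real device): console-in and
# dial-in mirror the article; lab-in and the undefined vty-in show what is caught.
SAMPLE_CONFIG = """\
aaa authentication login default enable
aaa authentication login console-in group tacacs+ local
aaa authentication login dial-in group tacacs+
aaa authentication login lab-in none
line con 0
 login authentication console-in
line vty 0 4
 login authentication vty-in
"""
LOCAL_FALLBACKS = {"local", "local-case", "enable", "line"}  # still work with AAA servers down
AUTH_RE = re.compile(r"^aaa authentication (\S+) (\S+) (.+)$")
APPLY_RE = re.compile(r"^[ \t]+login authentication (\S+)[ \t]*$", re.MULTILINE)

def parse_method_lists(config):
    """Map (service, list-name) -> ordered methods; 'group X' is kept as one token."""
    lists = {}
    for line in config.splitlines():
        m = AUTH_RE.match(line.rstrip())
        if not m:
            continue
        service, name, rest = m.groups()
        tokens, methods = rest.split(), []
        while tokens:
            tok = tokens.pop(0)
            if tok == "group" and tokens:  # 'group radius', 'group tacacs+', 'group tacplus'
                tok = "group " + tokens.pop(0)
            methods.append(tok)
        lists[(service, name)] = methods
    return lists

def audit(config):
    """Return findings: unauthenticated lists, lockout risk, dangling line references."""
    lists = parse_method_lists(config)
    findings = []
    for (service, name), methods in lists.items():
        if "none" in methods:
            findings.append(f"{service} list {name!r} allows unauthenticated access (none)")
        elif not LOCAL_FALLBACKS & set(methods):  # only server groups: lockout if all are down
            findings.append(f"{service} list {name!r} has no local fallback (lockout risk)")
    defined_login = {name for service, name in lists if service == "login"}
    for name in APPLY_RE.findall(config):
        if name not in defined_login:
            findings.append(f"a line applies login list {name!r} that is not defined")
    return findings
```

Run audit() over the output of show running-config; a clean configuration returns an empty list.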