AAA Router Configuration

The following eight tasks are required to enable AAA authentication proxy services. These tasks must be configured in Global Configuration mode before authentication proxy can be configured. Fortunately, the first four tasks should be familiar from Chapter 3.

  • Enable AAA.

  • Define the security server (TACACS+ or RADIUS).

  • Define a server key (TACACS+ or RADIUS).

  • Define the list of login authentication methods.

  • Enable authentication proxy for AAA.

  • Activate authentication proxy accounting.

  • Create an ACL entry to allow return traffic from the AAA server to the firewall.

  • Enable the HTTP server feature to work with AAA.

Enable AAA

To enable the AAA Access Control model on the router or NAS, in Global Configuration mode, type the aaa new-model command. Use the no form of the command to disable the AAA. The syntax is

Rtr1(config)#aaa new-model
Rtr1(config)#no aaa new-model

No variables exist. The words simply turn the feature on and off. Once entered, the CON, VTY, AUX, and TTY lines require a user name and a password for access. Any previous password configuration for those lines is automatically removed.

Note

Technically, the aaa new-model command not only implements AAA, but also prohibits any of the earlier TACACS and extended TACACS commands.

Define the Security Server

Defining one or more security servers that provide the authentication services is necessary. The server or servers can be TACACS+, RADIUS, or both. The method lists specified in the authentication, authorization, and accounting commands determine which type of server should be used for each service and, if both are specified, in which order. If multiple servers of either type are specified, the Cisco IOS software searches for hosts in the order in which they’re specified.

Both protocols support Timeout Timer options for defining how long the device will wait for a reply from the specified host before moving on to any remaining server. Both also support Key options, which, if configured on both the server and the firewall router, provide a level of device authentication. The key, if defined, travels in the request packet and is treated as a password or authentication token by the server. If the key doesn’t match the one configured on the server, the request is denied.

The protocol-server host command is used to define the security server. While they’re quite similar, the RADIUS version has more options.

Define the Security Server—TACACS+

If a TACACS+ server host is used for authentication, use the tacacs-server host global configuration command. Use the no form of this command to delete the specified name or address. The syntax is

Rtr1(config)#tacacs-server host {hostname | ip-address} [single-connection] [port port#]
 [timeout seconds] [key string]
Rtr1(config)#no tacacs-server host {hostname | ip-address}

hostname

Name of the TACACS+ server.

ip-address

IP address of the TACACS+ server.

single-connection

(Optional) Specify that the router maintain a single open connection for confirmation from the AAA/TACACS+ server. This command contains no autodetect feature and fails if the host isn’t running a Cisco Secure daemon.

port port#

(Optional) Overrides the default port number (49) with any number from 1 to 65535.

timeout seconds

(Optional) Overrides the global timeout value set with the global tacacs-server timeout command for this server only.

key string

(Optional) Specifies an authentication and encryption key. This must match the key used by the TACACS+ daemon. Overrides the key set by the global command tacacs-server key for this server only.

Because some of the parameters of the tacacs-server host command override global settings made by the tacacs-server timeout and tacacs-server key commands, this command can be used to enhance security on a network by uniquely configuring individual TACACS+ connections.

Define TACACS+ Server Key Option

The global authentication encryption key is set with the global configuration command tacacs-server key. This key value must match the key value configured on the TACACS+ server, if one is used. Use the no form of this command to disable the key. The syntax is

Rtr1(config)#tacacs-server key string
Rtr1(config)#no tacacs-server key [string]

string

Any leading spaces are ignored, but spaces within and at the end of the key are not. Don’t enclose the key in quotation marks unless they’re part of the key.

The following example specifies a global timeout of seven seconds, a global key of cisco-key, and then three TACACS+ servers. The first one—tac-serv1—is the one all requests are sent to first. If those requests aren’t answered before the timeout timer expires (seven seconds), the next two servers are tried in order. The global timeout and key settings only apply to the first two servers because the third one has overriding options defined.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host tac-serv1
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9

Define the Security Server—RADIUS

To specify a RADIUS server host, use the radius-server host global configuration command. Use the no form of this command to delete the specified RADIUS host. The syntax is

Rtr1(config)#radius-server host {hostname | ip-address} [auth-port port-num]
 [acct-port port-num] [timeout seconds] [retransmit retries] [key string]
 [alias {hostname | ip-address}]
Rtr1(config)#no radius-server host {hostname | ip-address} [auth-port port-num]
 [acct-port port-num] [timeout seconds] [retransmit retries] [key string]

hostname

DNS name of the RADIUS server.

ip-address

IP address of the RADIUS server.

auth-port port-num

(Optional) Specifies the UDP destination port for authentication requests. If set to 0, the host isn’t used for authentication.

acct-port port-num

(Optional) Specifies the UDP destination port for accounting requests. If set to 0, the host isn’t used for accounting.

The following example defines port 12 as the destination port for authentication requests and port 16 as the destination port for accounting requests on a RADIUS host named 192.168.1.4. Because entering a line resets all the port numbers, you must specify a host and configure both the accounting and authentication ports on a single line.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 12 acct-port 16

To use separate servers for accounting and authentication, set the appropriate port to zero. The following example specifies that RADIUS server 192.168.1.4 be used for accounting but not for authentication, and that RADIUS server host1 be used for authentication but not for accounting:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server host 192.168.1.4 auth-port 0
Rtr1(config)#radius-server host host1.domain.com acct-port 0

Define RADIUS Server Key Option

The global authentication encryption key is set with the global configuration command radius-server key. This key value must match the key value configured on the RADIUS server, if one is used. Use the no form of this command to disable the key. The syntax is

Rtr1(config)#radius-server key string
Rtr1(config)#no radius-server key [string]

string

Any leading spaces are ignored; but spaces within and at the end of the key are not. Don’t enclose the key in quotation marks unless they’re part of the key.

The following example specifies a global timeout of seven seconds, a global key of cisco-key, and then three RADIUS servers. The first—rad-serv1—is the one all requests are sent to first. If those requests aren’t answered before the timeout timer expires (seven seconds), the next two servers are tried in order. The global timeout and key settings only apply to the first two servers because the third one has overriding options defined.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server timeout 7
Rtr1(config)#radius-server key cisco-key
Rtr1(config)#radius-server host rad-serv1
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#radius-server host 192.168.6.4 timeout 3 key cisco9

Define AAA Group Server (Optional)

The global configuration mode command aaa group server groups previously defined server hosts. Once a group is defined, its name can be used with other AAA commands to select that subset of server hosts for a particular service. A server group consists of server hosts of a single type; currently, the IOS supports RADIUS and TACACS+ server hosts. The aaa group server command lists the IP addresses of the selected server hosts from the global protocol-server host list. To remove a server group from the configuration, enter the no form of this command. The syntax is

Rtr1(config)#aaa group server {tacacs+ | radius} group-name
Rtr1(config)#no aaa group server {tacacs+ | radius} group-name

group-name

Character string used to name the group of servers

The command was introduced in IOS version 12.0(5)T. There are no default values.

The command can only be entered after the aaa new-model command turns on the AAA features. The entry is followed by one or more server server-name statements identifying the servers to be included in the group. The next two sample outputs demonstrate this; be sure to note the prompt for the server entries.

The following example uses the three TACACS+ servers created in the earlier example and selects only two of them to be included in the server group.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host tac-serv1
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9
Rtr1(config)#aaa group server tacacs+ tac-1
Rtr1(config-sg-tacacs+)#server tac-serv1
Rtr1(config-sg-tacacs+)#server 192.168.6.4

The following RADIUS example shows the configuration of an AAA group server named rad-1, which includes two of the three defined servers:

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server timeout 7
Rtr1(config)#radius-server key cisco-key
Rtr1(config)#radius-server host rad-serv1
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#radius-server host 192.168.6.4 timeout 3 key cisco9
Rtr1(config)#aaa group server radius rad-1
Rtr1(config-sg-radius)#server rad-serv1 auth-port 1800 acct-port 1801
Rtr1(config-sg-radius)#server 192.168.6.4 auth-port 1802 acct-port 1803

The server statement allows the auth-port and acct-port to be defined. If they aren’t specified, auth-port defaults to 1645 and acct-port to 1646. The output in the next paragraph demonstrates this.

With either protocol, if you attempt to create the server group without first defining the servers with protocol-server host commands, you’ll get the following error messages because the IOS attempts to verify the server presence. Notice the entry with

Rtr1(config)#aaa new-model
Rtr1(config)#aaa group server radius rad-1
Rtr1(config-sg-radius)#server rad-serv1
Translating "rad-serv1"...domain server (255.255.255.255)
                              ^
% Invalid input detected at '^' marker.

Rtr1(config-sg-radius)#server 192.168.6.4
Rtr1(config-sg-radius)#
00:02:11: %RADIUS-4-NOSERV: Warning: Server 192.168.6.4:1645,1646 is not defined.
Rtr1(config-sg-radius)#^Z
Rtr1#show run
Building configuration...
!
hostname Rtr1
!
aaa new-model
aaa group server radius rad-1
 server 192.168.6.4 auth-port 1645 acct-port 1646
!

Notice that the entry with a named server—rad-serv1—returned an invalid input error and the command was rejected. The entry that used the server IP address—192.168.6.4—returned a system warning message indicating that the specified address can’t be found, but the entry was accepted. The show run command in the same output confirms this. The result is identical for TACACS+. So, if you’re going to define servers by name, it’s critical for your ip host table to be created or your ip name-server command(s) to be issued before creating your server groups.
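The two points this section makes (per-host options override the global tacacs-server timeout and tacacs-server key values, and a server group must reference hosts that already exist, by address or by a resolvable name) are easy to check before a configuration is committed. The following Python script is an added example, not code from the chapter or from Cisco: it parses the server-host, server-group, ip host and ip name-server commands described above, resolves each host's effective port, timeout and key, and flags any group member that would draw the errors shown in the preceding output. The sample configuration is constructed from the examples above with one extra, undefined member; the 5-second default timeout is an assumption about the IOS default, while the default ports (49 for TACACS+, 1645 for RADIUS authentication) are the values the chapter states.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three TACACS+ hosts from the examples above, an ip host entry
# for the named server, and a group whose last member has no tacacs-server host entry.
SAMPLE_CONFIG = """\
aaa new-model
ip host tac-serv1 192.168.1.9
tacacs-server timeout 7
tacacs-server key cisco-key
tacacs-server host tac-serv1
tacacs-server host 192.168.1.4
tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9
aaa group server tacacs+ tac-1
 server tac-serv1
 server 192.168.6.4
 server 10.9.9.9
"""

DEFAULT_TIMEOUT = 5   # assumed IOS default for tacacs-server/radius-server timeout (seconds)
DEFAULT_PORT = {"tacacs": 49, "radius": 1645}   # default ports as stated in the chapter
VALUE_OPTIONS = {"port", "auth-port", "acct-port", "timeout", "retransmit", "key", "alias"}


@dataclass
class ServerHost:
    proto: str               # "tacacs" or "radius"
    name: str                # hostname or IP address as typed
    port: Optional[int]      # per-host port / auth-port override, if given
    timeout: Optional[int]   # per-host timeout override, if given
    key: Optional[str]       # per-host key override, if given


def parse_config(text: str) -> dict:
    """Collect global settings, host entries, server groups and name-resolution hints."""
    cfg = {"aaa_new_model": False, "hosts": [], "groups": {}, "ip_hosts": set(),
           "name_server": False,
           "global": {p: {"timeout": DEFAULT_TIMEOUT, "key": None} for p in ("tacacs", "radius")}}
    current_group = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^\s*server (\S+)", line)
        if m and current_group:        # member line inside an aaa group server block
            cfg["groups"][current_group]["members"].append(m.group(1))
            continue
        current_group = None           # any other command ends the group block
        if line == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif line.startswith("ip host "):
            cfg["ip_hosts"].add(line.split()[2])
        elif line.startswith("ip name-server "):
            cfg["name_server"] = True
        elif m := re.match(r"^(tacacs|radius)-server (timeout|key) (\S+)$", line):
            proto, what, val = m.groups()
            cfg["global"][proto][what] = int(val) if what == "timeout" else val
        elif m := re.match(r"^(tacacs|radius)-server host (\S+)(.*)$", line):
            proto, name, rest = m.groups()
            opts, tokens, i = {}, rest.split(), 0
            while i < len(tokens):     # options are keyword [value] pairs
                if tokens[i] in VALUE_OPTIONS:
                    opts[tokens[i]] = tokens[i + 1]
                    i += 2
                else:                  # e.g. single-connection: a flag with no value
                    i += 1
            port = opts.get("port", opts.get("auth-port"))
            cfg["hosts"].append(ServerHost(
                proto, name, int(port) if port is not None else None,
                int(opts["timeout"]) if "timeout" in opts else None, opts.get("key")))
        elif m := re.match(r"^aaa group server (tacacs\+|radius) (\S+)$", line):
            current_group = m.group(2)
            proto = "tacacs" if m.group(1) == "tacacs+" else "radius"
            cfg["groups"][current_group] = {"proto": proto, "members": []}
    return cfg


def effective_settings(cfg: dict) -> Dict[str, dict]:
    """Per host: an option on its own line wins; otherwise the global value applies."""
    out = {}
    for h in cfg["hosts"]:
        g = cfg["global"][h.proto]
        out[h.name] = {"proto": h.proto,
                       "port": h.port if h.port is not None else DEFAULT_PORT[h.proto],
                       "timeout": h.timeout if h.timeout is not None else g["timeout"],
                       "key": h.key if h.key is not None else g["key"]}
    return out


def check_groups(cfg: dict) -> List[str]:
    """One finding per group member the router would reject or warn about."""
    findings = []
    if not cfg["aaa_new_model"]:
        findings.append("aaa new-model is missing; AAA commands will be rejected")
    defined = {(h.proto, h.name) for h in cfg["hosts"]}
    for gname, grp in cfg["groups"].items():
        for member in grp["members"]:
            if (grp["proto"], member) not in defined:
                findings.append(f"group {gname}: server {member} has no {grp['proto']}-server host entry")
            if not re.fullmatch(r"[\d.]+", member) and member not in cfg["ip_hosts"] and not cfg["name_server"]:
                findings.append(f"group {gname}: server {member} is a name with no ip host entry and no ip name-server")
    return findings
```

Run parse_config on the text of show running-config (or a file of the commands to be entered), then effective_settings to confirm that only the third host carries its own port, timeout and key, and check_groups to catch the undefined member before the router does.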

Define Login Authentication Methods List

To use AAA authentication for device login, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication. The syntax is

Rtr1(config)#aaa authentication login {default | list-name} method1 [method2. . .]
Rtr1(config)#no aaa authentication login {default | list-name} method1 [method2. . .]

default

Uses the listed authentication methods as the default list when a user logs in.

list-name

Character string used to name the list of authentication methods that can be specified to use when a user logs in.

method

At least one of the keywords described in the next table.

The method# arguments identify the list of methods the authentication algorithm tries, in the stated sequence. Method keywords are described in the following table.

Keyword

Description

group tacacs+

Use the list of all TACACS+ servers to authenticate services.

group radius

Use the list of all RADIUS servers to authenticate services.

group group-name

Use a subset of RADIUS or TACACS+ servers for authentication, as defined by the server group group-name in the preceding section.

local

Use the local user name database for authentication.

local-case

Use case-sensitive local user name database for authentication.

enable

Use the enable password for authentication.

line

Use the line password for authentication.

krb5

Use Kerberos 5 for authentication.

krb5-telnet

Use Kerberos 5 Telnet authentication protocol when using Telnet to connect to the router.

none

Use no authentication—no security.

Subsequent methods in the list are tried only when the previous method returns an error (for example, the server is unreachable), not when it fails (the credentials are rejected). To ensure that authentication succeeds even if all methods return an error, specify none as the final method on the command line.
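The error-versus-fail rule decides whether a fallback method is ever consulted, so it is worth seeing it run. The following Python model is an added example, not code from the chapter or from Cisco IOS: each stand-in method returns pass, fail or error, and run_method_list walks a list exactly as described above, with fail ending the search and only error moving on. The server stand-ins, user and passwords are constructed.

```python
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Result(Enum):
    PASS = "pass"    # the method accepted the credentials
    FAIL = "fail"    # the method answered and rejected the credentials
    ERROR = "error"  # the method could not answer (server down, timeout)


Method = Callable[[str, str], Result]


def make_server(users: Dict[str, str], reachable: bool) -> Method:
    """Constructed stand-in for group tacacs+, group radius or local: a user
    database that answers when reachable and returns ERROR when it isn't."""
    def method(user: str, password: str) -> Result:
        if not reachable:
            return Result.ERROR
        return Result.PASS if users.get(user) == password else Result.FAIL
    return method


def method_none(user: str, password: str) -> Result:
    """The none keyword: no authentication, always passes."""
    return Result.PASS


def run_method_list(methods: List[Tuple[str, Method]], user: str, password: str) -> Tuple[bool, str]:
    """Walk the list in order. PASS or FAIL is a final answer; only ERROR moves on
    to the next method. If every method errors out, the login is denied."""
    for name, method in methods:
        result = method(user, password)
        if result is Result.PASS:
            return True, f"accepted by {name}"
        if result is Result.FAIL:
            return False, f"rejected by {name}"
    return False, "all methods returned an error"


# Constructed scenarios: one user known to the TACACS+ server with one password
# and to the local database with a different one.
TACACS_UP = make_server({"admin": "tac-pw"}, reachable=True)
TACACS_DOWN = make_server({"admin": "tac-pw"}, reachable=False)
RADIUS_DOWN = make_server({"admin": "tac-pw"}, reachable=False)
LOCAL = make_server({"admin": "local-pw"}, reachable=True)


def scenarios() -> Dict[str, Tuple[bool, str]]:
    return {
        # Server up, local password offered: the server's FAIL is final, local is never tried.
        "server rejects, local not consulted":
            run_method_list([("group tacacs+", TACACS_UP), ("local", LOCAL)], "admin", "local-pw"),
        # Server down: ERROR falls through and the local database decides.
        "server down, local accepts":
            run_method_list([("group tacacs+", TACACS_DOWN), ("local", LOCAL)], "admin", "local-pw"),
        # Every method errors and the list is exhausted: denied.
        "all servers down, no fallback":
            run_method_list([("group tacacs+", TACACS_DOWN), ("group radius", RADIUS_DOWN)], "admin", "local-pw"),
        # Same situation with none appended: the login succeeds with no authentication at all.
        "all servers down, none as last method":
            run_method_list([("group tacacs+", TACACS_DOWN), ("none", method_none)], "admin", "local-pw"),
    }


if __name__ == "__main__":
    for label, (ok, why) in scenarios().items():
        print(f"{label:40s} -> {'ALLOW' if ok else 'DENY'} ({why})")
```

The first scenario is the one that surprises people: a reachable server that rejects the password ends the search, so a local fallback only helps when the server cannot be reached. The last scenario shows why none as a final method needs to be a deliberate choice rather than a default.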

Examples of this command are included in the next section.

Enable Authorization Proxy (auth-proxy) for AAA

To configure AAA authorization for all proxy authentications, use the global configuration mode command aaa authorization. It enables authorization and creates a method list that defines the authorization methods to be used when a user accesses the specified function.

In Chapter 3, you learned a method list is simply a list describing the authorization methods to be queried (such as RADIUS or TACACS+), in sequence. Method lists enable one or more security protocols to be used for authorization, thus ensuring a backup system if the initial method fails.

Use the auth-proxy option of the global configuration command aaa authorization to set parameters for proxy authentications. Use the no form of this command to disable AAA authentication proxy. The general syntax of the command is

Rtr1(config)#aaa authorization {authorization-type} {default | list-name} method1 [method2. . .]
Rtr1(config)#no aaa authorization {authorization-type}

The AAA authorization types include the following:

Rtr1(config)#aaa authorization {network | exec | commands level | reverse-access
 | configuration | config-commands | auth-proxy | ipmobile}
 {default | list-name} method1 [method2. . .]

The authentication proxy feature uses the auth-proxy keyword. Unlike other AAA authorization options, this one requires the keyword default and doesn’t allow a named list to be created. The actual syntax is

Rtr1(config)#aaa authorization auth-proxy default method1 [method2. . .]

The proxy authentication feature only allows three method options: group tacacs+, group radius, and group group-name.

group tacacs+

Uses the list of all TACACS+ servers defined with the tacacs-server host command to provide authorization services. The servers are tried in sequential order from the top, first entered.

group radius

Uses the list of all RADIUS servers defined with the radius-server host command to provide authorization services. The servers are tried in sequential order from the top, first entered.

group group-name

Uses the list of specified TACACS+ or RADIUS servers defined with the aaa group server command to provide authorization services. The servers are tried in sequential order within the group from the top, first entered.

The following example uses TACACS+ servers for both login authentication and proxy authorization.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#aaa authentication login default group tacacs+ local secret
Rtr1(config)#aaa authorization auth-proxy default group tacacs+

The following example uses RADIUS servers for both login authentication and proxy authorization.

Rtr1(config)#aaa new-model 
Rtr1(config)#radius-server timeout 7
Rtr1(config)#radius-server key cisco-key
Rtr1(config)#radius-server host 192.168.1.4
Rtr1(config)#aaa authentication login default group radius local secret
Rtr1(config)#aaa authorization auth-proxy default group radius

The following example uses the three TACACS+ servers used earlier and selects only two of them to be included in the server group.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host tac-serv1
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#tacacs-server host 192.168.6.4 port 1500 timeout 3 key cisco9
Rtr1(config)#aaa group server tacacs+ tac-1
Rtr1(config-sg-tacacs+)#server tac-serv1
Rtr1(config-sg-tacacs+)#server 192.168.6.4
Rtr1(config)#aaa authentication login default group tac-1 local secret
Rtr1(config)#aaa authorization auth-proxy default group tac-1

Activate Authentication Proxy Accounting

The aaa accounting command enables accounting and creates named method lists that define specific accounting methods on a per-line or per-interface basis. Use the global configuration mode command aaa accounting auth-proxy to specify the security server that collects the accounting information. The router reports these attributes as accounting records, which are stored in an accounting log on the security server. Use the no form of this command to disable accounting. The basic syntax is

Rtr1(config)#aaa accounting auth-proxy default {accounting-method} method1 [method2. . .]

The accounting methods include the following four choices:

start-stop

Sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether the start accounting notice was received by the accounting server.

wait-start

Sends both a start and a stop accounting notice to the accounting server. But, if the wait-start keyword is used, the requested user service does not begin until the start accounting notice is acknowledged.

stop-only

Sends a stop accounting notice at the end of the requested user process.

None

Disables accounting services on this line or interface.

For minimal accounting, use the stop-only keyword. For more detailed accounting, include the start-stop keyword. For even more accounting control, include the wait-start keyword, which ensures the start notice is received by the RADIUS or TACACS+ server before granting the user’s process request.

Unlike other AAA accounting options, this one requires the keyword default, not allowing the creation of a named list. Also, this feature only allows three method options: group tacacs+, group radius, and group group-name.

group tacacs+

Uses the list of all TACACS+ servers defined with the tacacs-server host command to provide accounting services. The servers are tried in sequential order from the top, first entered.

group radius

Uses the list of all RADIUS servers defined with the radius-server host command to provide accounting services. The servers are tried in sequential order from the top, first entered.

group group-name

Uses the list of specified TACACS+ or RADIUS servers defined with the aaa group server command to provide accounting services. The servers are tried in sequential order within the group from the top, first entered.

The following example uses TACACS+ servers for login authentication, proxy authorization, and proxy accounting.

Rtr1(config)#aaa new-model 
Rtr1(config)#tacacs-server timeout 7
Rtr1(config)#tacacs-server key cisco-key
Rtr1(config)#tacacs-server host 192.168.1.4
Rtr1(config)#aaa authentication login default group tacacs+ local secret
Rtr1(config)#aaa authorization auth-proxy default group tacacs+
Rtr1(config)#aaa accounting auth-proxy default start-stop group tacacs+

ACL Entry for Return Traffic from the AAA Server

Typically, it’s necessary to create an ACL entry to allow the TACACS+ or RADIUS return traffic from the AAA server to reach the firewall. If CBAC has already been configured, an inbound ACL should already be applied to an interface. Because two ACLs can’t be applied to the same interface in the same direction, the appropriate entries must be added to that existing ACL.

If there’s no existing ACL, consider the following:

  • The source address is the IP address of the AAA server.

  • The destination is the IP address of the router interface nearest to the AAA server.

  • Do you want to permit ICMP traffic?

  • Block all other traffic.

  • Apply the ACL inbound on the interface connected to the AAA server.

The syntax of the specific entry required for the return traffic looks like the following:

Rtr1(config)#access-list acl# permit tcp host source eq tacacs host dest 

In the following example, ACL 105 blocks all inbound TCP and UDP traffic on interface Ethernet0/0 except the TACACS+ return traffic from the AAA server, assuming that traffic from the AAA server comes in through Ethernet0/0. Because the deny tcp and deny udp entries come first, the final permit ip any any statement lets ICMP (and any other non-TCP/UDP) traffic through.

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group 105 in
!
access-list 105 permit tcp host 192.168.1.20 eq tacacs host 192.168.1.1
access-list 105 deny   tcp any any
access-list 105 deny   udp any any
access-list 105 permit ip any any
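Before applying an ACL like this one inbound on the AAA-facing interface, it helps to confirm what it will actually pass. The following Python script is an added example, not code from the chapter or from Cisco: it parses the four ACL 105 entries above (only the any and host address forms and the eq port matches the chapter uses are supported) and evaluates constructed sample packets the way the router does, first match wins and anything unmatched falls to the implicit deny at the end of every ACL. The results show the TACACS+ reply permitted, other TCP and all UDP denied, and ICMP reaching the final permit ip any any; they also show that a RADIUS reply, which is UDP, would be dropped by deny udp any any, so a RADIUS deployment needs its own udp entry for the configured ports. The packet values are constructed; the name tacacs for port 49 is the IOS keyword used in the entry above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Port keyword from the chapter's entry (eq tacacs). Other IOS names are not needed here.
NAMED_PORTS = {"tacacs": 49}

# Constructed copy of the chapter's ACL 105.
ACL_LINES = [
    "access-list 105 permit tcp host 192.168.1.20 eq tacacs host 192.168.1.1",
    "access-list 105 deny   tcp any any",
    "access-list 105 deny   udp any any",
    "access-list 105 permit ip any any",
]

ENTRY_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+"
    r"(any|host\s+\S+)(?:\s+eq\s+(\S+))?\s+(any|host\s+\S+)(?:\s+eq\s+(\S+))?\s*$"
)


@dataclass
class Entry:
    number: int
    action: str
    proto: str
    src: Optional[str]     # None means any
    sport: Optional[int]   # None means no eq match on the source port
    dst: Optional[str]
    dport: Optional[int]


def _addr(tok: str) -> Optional[str]:
    return None if tok == "any" else tok.split()[1]


def _port(tok: Optional[str]) -> Optional[int]:
    if tok is None:
        return None
    return NAMED_PORTS[tok] if tok in NAMED_PORTS else int(tok)


def parse_acl(lines: List[str]) -> List[Entry]:
    """Parse the any/host entry forms used in the chapter; anything else is rejected."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL syntax: {line}")
        num, action, proto, src, sport, dst, dport = m.groups()
        entries.append(Entry(int(num), action, proto, _addr(src), _port(sport), _addr(dst), _port(dport)))
    return entries


def matches(e: Entry, pkt: dict) -> bool:
    """An entry matches when every field it specifies agrees with the packet; ip covers all protocols."""
    if e.proto != "ip" and e.proto != pkt["proto"]:
        return False
    if e.src is not None and e.src != pkt["src"]:
        return False
    if e.dst is not None and e.dst != pkt["dst"]:
        return False
    if e.sport is not None and e.sport != pkt.get("sport"):
        return False
    if e.dport is not None and e.dport != pkt.get("dport"):
        return False
    return True


def evaluate(entries: List[Entry], pkt: dict) -> str:
    """First matching entry decides; no match means the implicit deny at the end of the ACL."""
    for e in entries:
        if matches(e, pkt):
            return e.action
    return "deny"


# Constructed inbound packets on Ethernet0/0 (192.168.1.1 is the router interface,
# 192.168.1.20 the AAA server). Ports other than 49 and 1645 are arbitrary.
SAMPLE_PACKETS = {
    "tacacs+ reply": {"proto": "tcp", "src": "192.168.1.20", "sport": 49, "dst": "192.168.1.1", "dport": 40001},
    "other tcp from aaa server": {"proto": "tcp", "src": "192.168.1.20", "sport": 40002, "dst": "192.168.1.1", "dport": 80},
    "radius reply": {"proto": "udp", "src": "192.168.1.20", "sport": 1645, "dst": "192.168.1.1", "dport": 40003},
    "icmp echo reply": {"proto": "icmp", "src": "192.168.1.20", "dst": "192.168.1.1"},
    "tcp from elsewhere": {"proto": "tcp", "src": "192.168.1.77", "sport": 49, "dst": "192.168.1.1", "dport": 40004},
}


def classify_samples() -> Dict[str, str]:
    entries = parse_acl(ACL_LINES)
    return {name: evaluate(entries, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28s} {verdict}")
```

The "tcp from elsewhere" packet carries source port 49 but a different source address, so it misses the first entry and is caught by deny tcp any any, which is the reason the return-traffic entry names the AAA server with host rather than any.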


