
AAA (Authentication, Authorization & Accounting) can be enabled locally on a Cisco device or centralised on a TACACS+/RADIUS server. TACACS+ is a Cisco proprietary protocol (later documented in RFC 8907) and RADIUS is an IETF standard (RFC 2865/2866). TACACS+ uses TCP port 49 as its transport; RADIUS uses UDP 1645/1646 (legacy) or 1812/1813 for authentication and accounting respectively. One difference worth keeping in mind: TACACS+ obfuscates the whole packet body with the shared key, whereas RADIUS only hides the User-Password attribute and sends the rest of the packet (username, NAS address, attributes) in the clear.

Authorization and Accounting each have two sub-categories, "exec" and "command". Exec authorization controls access to the shell prompt (and the privilege level the user lands at); command authorization controls which individual commands a user is allowed to run. Similarly, exec accounting records when a user starts and ends a shell session, and command accounting keeps track of the commands users execute on the device. Of the two protocols only TACACS+ supports command authorization and command accounting, because TACACS+ carries authorization as a separate exchange per command, whereas RADIUS combines authentication and authorization into a single Access-Request/Access-Accept.

Configuring TACACS+ or RADIUS on a Cisco device takes three steps:

1. Define the server (address, shared key, source interface)
2. Define the AAA method lists (for Authentication/Authorization/Accounting)
3. Apply the AAA lists to the lines

Before configuring AAA commands on the Cisco device we have to create users on the ACS server. In this example we will create two users belonging to two separate identity groups (named Admin-Group & Non-Admin-Group). You can do this in ACS 5.x under "Users & Identity Stores > Identity Groups".

[Screenshot: AAA-Basics-01]

Then create two individual users and assign them to the identity groups just created. In ACS 5.x a user is created under "Users and Identity Stores > Internal Identity Stores > Users".

[Screenshot: AAA-Basics-02]

Next, add the router to the ACS server as an AAA client. I have used the router's loopback address as its IP in ACS; this is the source IP ACS expects TACACS+ packets to arrive from, so it has to match the source interface configured on the router later on. If you have pre-defined Location & Device Type groups you can associate the device with them as well.

[Screenshot: AAA-Basics-11]

Then configure AAA on the Cisco router. The following CLI commands define the TACACS+ server on the router (the server address was not preserved in the original post and is shown as a placeholder). This is the legacy "tacacs-server" syntax; newer IOS releases also accept a named "tacacs server <name>" block with "address ipv4" and "key" sub-commands. The key must be identical to the one entered for the AAA client in ACS, and a dictionary word such as "cisco" is only acceptable in a lab.

aaa new-model
! ACS server address (omitted in the original post)
tacacs-server host <ACS-server-IP>
! shared key; must match the key configured for this AAA client in ACS
tacacs-server key cisco
! source TACACS+ packets from the address ACS knows the router by
ip tacacs source-interface Loopback0 
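The reason the router key and the ACS key must match is that every TACACS+ packet body is XORed with a pad derived from that key and the packet header (RFC 8907 section 4.5). The block below is an added example, not code from the original post or from Cisco/ACS: it builds and parses a TACACS+ authentication START packet with the obfuscation applied, so you can see that a mismatched key yields garbage rather than an error, and that without a key the username travels in the clear. The session id, sequence number and sample body are constructed for the example.

```python
"""TACACS+ body obfuscation (RFC 8907 sec. 4.5), added example.

Shows why `tacacs-server key` must match on router and ACS: the body is XORed
with MD5-derived pad material keyed by the shared secret. The session id,
sequence number and START body below are constructed for this example.
"""
import hashlib
import struct
from typing import Optional

TAC_PLUS_MAJOR_VER = 0xC          # high nibble of the version byte
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in the clear


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = b""
    prev = b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int, version: int = 0xC0) -> bytes:
    """XOR body with the pad. Symmetric: the same call de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, session_id: int, key: Optional[bytes], seq_no: int,
                 ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """12-byte TACACS+ header + body. key=None sets TAC_PLUS_UNENCRYPTED_FLAG
    and sends the body in the clear (what having no key amounts to)."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    flags = TAC_PLUS_UNENCRYPTED_FLAG if key is None else 0
    payload = body if key is None else obfuscate(body, session_id, key, seq_no, version)
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(payload))
    return header + payload


def parse_packet(packet: bytes, key: Optional[bytes]) -> dict:
    """Split header/body and recover the body with `key` (no integrity check
    exists in TACACS+, so a wrong key silently produces garbage)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    payload = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG or key is None:
        body = payload
    else:
        body = obfuscate(payload, session_id, key, seq_no, version)
    return {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


# Constructed START body: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN,
# user_len=8, port_len=5, rem_addr_len=8, data_len=0, then user/port/rem_addr.
SAMPLE_BODY = b"\x01\x01\x01\x01\x08\x05\x08\x00" + b"mrnadmin" + b"tty66" + b"10.1.1.1"
SESSION_ID = 0x1A2B3C4D  # constructed


def demo():
    """Round trip with the right key, garbage with the wrong one, username hidden."""
    pkt = build_packet(SAMPLE_BODY, SESSION_ID, b"cisco", seq_no=1)
    right = parse_packet(pkt, b"cisco")["body"]
    wrong = parse_packet(pkt, b"Cisco123")["body"]  # no error is raised
    return right == SAMPLE_BODY, wrong != SAMPLE_BODY, b"mrnadmin" in pkt


if __name__ == "__main__":
    print(demo())
```

Note that the pad is only as strong as the shared key and MD5: anyone who captures the TCP 49 session and guesses the key can decode every body, which is why the key should be long and random, and why management traffic to ACS should still be on an isolated network.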

You can test connectivity between the AAA client and the AAA server with the "test aaa group tacacs+ <username> <password> legacy" CLI command. As shown below it reports that the user was successfully authenticated by the ACS server, which means client-to-server connectivity is working (no ACL or firewall is blocking TCP 49). If you do not see something like this, use "debug aaa authentication" and "debug tacacs authentication" to troubleshoot. Note that a successful test only proves the key and reachability; it says nothing yet about the authorization policy.

[Screenshot: AAA-Basics-12]

The next step is to define the AAA method lists. We will first see how to do this for Authentication, and later in the post for Authorization & Accounting. In my example I have named the list "TACACS-AUTH" for TACACS+ authentication. It is always recommended to configure "aaa authentication login default local" as well, so that any line (vty, con, aux) you leave on the default method list still authenticates against the local database. That way you can always get in through such a line with a local username/password and will not lock yourself out, as long as a local user is configured on the router.

Once the TACACS-AUTH list is applied under a line, authentication will NOT fall back to the local database as long as a TACACS+ server is reachable. The trailing "local" method is consulted only when every server in the group fails to respond (an error), not when ACS rejects the credentials (a failure). Therefore you cannot use local username/password credentials on the lines configured for TACACS-AUTH while ACS is up. The related configuration is shown below.

! local fallback account; "secret" would store a hash instead of a reversible password
username cisco privilege 15 password Cisco
aaa authentication login default local
aaa authentication login TACACS-AUTH group tacacs+ local
Now apply the AAA list to the lines (console, vty, aux, etc.) through which you access this device. Here we apply it to the vty lines (this router has vty lines 0 to 903):

line vty 0 903
 login authentication TACACS-AUTH

Now we will look at how Authorization works in the AAA configuration. In this example the "mrnadmin" user will get full (privilege 15) access, whereas "mrnguest" will get privilege level 1 and can execute only show commands. I have defined the "TACACS-EXEC-AUTHOR" list for this and applied it under the vty lines. Note that exec authorization only lets ACS set the privilege level of the session; for ACS to check each command a user types against a command set, command authorization ("aaa authorization commands <level> <list> group tacacs+", applied to the line with "authorization commands <level> <list>") has to be configured as well.

aaa authorization exec TACACS-EXEC-AUTHOR group tacacs+
line vty 0 903
 authorization exec TACACS-EXEC-AUTHOR
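The three router-side steps (server, method lists, lines) are easy to get half right, and the usual outcome is either a lockout or a line that silently skips TACACS+. The checker below is an added example, not part of the original post or any Cisco tool: it reads a "show running-config" text and reports the problems discussed above (no local fallback on the default list, a TACACS+ list without a "local" tail, a weak shared key, vty lines without exec authorization or still accepting telnet, a local account using "password" instead of "secret"). Both sample configs are constructed for the example; SAMPLE_CONFIG deliberately contains the mistakes and HARDENED_CONFIG is the corrected form using the newer "tacacs server" syntax.

```python
"""Audit a Cisco IOS running-config for the AAA pitfalls described above.

Added example; the two configs are constructed, SAMPLE_CONFIG on purpose with
the mistakes this post warns about and HARDENED_CONFIG as the corrected form.
"""
import re
from typing import Dict, List, Optional

WEAK_KEYS = {"cisco", "cisco123", "password", "secret", "tacacs"}

SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login TACACS-AUTH group tacacs+ local
aaa authorization exec TACACS-EXEC-AUTHOR group tacacs+
username cisco privilege 15 password Cisco
tacacs-server host 192.0.2.10
tacacs-server key cisco
ip tacacs source-interface Loopback0
line con 0
 login authentication TACACS-AUTH
line vty 0 4
 login authentication TACACS-AUTH
 authorization exec TACACS-EXEC-AUTHOR
line vty 5 903
 login authentication TACACS-AUTH
"""

HARDENED_CONFIG = """\
aaa new-model
aaa authentication login default local
aaa authentication login TACACS-AUTH group tacacs+ local
aaa authorization exec TACACS-EXEC-AUTHOR group tacacs+
username cisco privilege 15 secret StrongLocalPassw0rd!
tacacs server ACS1
 address ipv4 192.0.2.10
 key Lab-Only-Sh4red-Key-2024
aaa group server tacacs+ ACS
 server name ACS1
ip tacacs source-interface Loopback0
line con 0
 login authentication default
line vty 0 903
 login authentication TACACS-AUTH
 authorization exec TACACS-EXEC-AUTHOR
 transport input ssh
"""


def parse_lines(config: str) -> Dict[str, List[str]]:
    """Collect `line ...` stanzas: {"vty 0 903": ["login authentication ...", ...]}."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # some other stanza (tacacs server, interface, ...)
    return stanzas


def audit_aaa(config: str) -> List[str]:
    findings: List[str] = []
    if "aaa new-model" not in config.splitlines():
        findings.append("aaa new-model missing: AAA method lists are not in effect")

    # Step 1: shared key present and not guessable (legacy and named-server syntax).
    keys = re.findall(r"^(?:tacacs-server key|[ \t]+key)[ \t]+(?:[07][ \t]+)?(\S+)", config, re.M)
    if not keys:
        findings.append("no TACACS+ key configured: packet bodies would be sent unencrypted")
    for k in keys:
        if k.lower() in WEAK_KEYS or len(k) < 12:
            findings.append(f"weak TACACS+ shared key '{k}'")

    # Step 2: method lists. The default list must stay local; TACACS+ lists need a local tail.
    login_lists = dict(re.findall(r"^aaa authentication login (\S+) (.+)$", config, re.M))
    exec_lists = dict(re.findall(r"^aaa authorization exec (\S+) (.+)$", config, re.M))
    if "local" not in login_lists.get("default", "").split():
        findings.append("aaa authentication login default does not use 'local': lockout risk on lines left on default")
    for name, methods in login_lists.items():
        if "tacacs+" in methods and methods.split()[-1] != "local":
            findings.append(f"login list {name} has no 'local' fallback after tacacs+ (server outage = lockout)")

    # Step 3: every line references a defined login list; vty lines get exec authorization and SSH only.
    for line, cmds in parse_lines(config).items():
        login = next((c.split()[-1] for c in cmds if c.startswith("login authentication")), "default")
        if login not in login_lists:
            findings.append(f"line {line}: login authentication list '{login}' is not explicitly defined")
        if line.startswith("vty"):
            exec_name = next((c.split()[-1] for c in cmds if c.startswith("authorization exec")), None)
            if exec_name is None:
                findings.append(f"line {line}: no exec authorization applied (ACS shell profile / privilege level ignored)")
            elif exec_name not in exec_lists:
                findings.append(f"line {line}: exec authorization list '{exec_name}' is not defined")
            if not any(c.startswith("transport input ssh") for c in cmds):
                findings.append(f"line {line}: telnet still permitted (transport input should be ssh)")

    # Local fallback account hygiene.
    for user in re.findall(r"^username (\S+) .*\bpassword\b", config, re.M):
        findings.append(f"username {user}: uses 'password' (reversible) rather than 'secret'")
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print("-", f)
    print("hardened:", audit_aaa(HARDENED_CONFIG))
```

Run it against a saved "show running-config" to get the list of findings; an empty list for HARDENED_CONFIG shows what a config that follows this post, with the key and transport tightened, looks like.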

Now on the ACS 5.2 server define two shell profiles under "Policy Elements > Device Administration > Shell Profiles". In my example I named these two profiles Priv15 & Priv1, for the admin user and the guest user respectively. Below are the Priv15 profile settings.

[Screenshot: AAA-Basics-04]

The screenshot below shows the "Priv1" profile settings.

[Screenshot: AAA-Basics-05]

You also need to define which command set each group can execute. I have created two command sets, "AllowAll" & "ShowOnly", for this (they are enforced only when the router also sends command authorization requests).

[Screenshot: AAA-Basics-06]

Then define a service selection rule under "Access Policies > Service Selection Rules" that matches the TACACS+ protocol and points to "Default Device Admin".

[Screenshot: AAA-Basics-07]

Then, in the "Default Device Admin" section, select "Internal Users" as the Identity source. This way device admin users are authenticated against the ACS internal user database.

[Screenshot: AAA-Basics-08]

Then, under the Authorization section, define the authorization policy for these two user groups (identity group as the condition, shell profile and command set as the result). You can customise the conditions if the ones you need are not available under the default selection.

[Screenshot: AAA-Basics-09]

Below are the details of each policy rule.

[Screenshot: AAA-Basics-10]

To verify the final configuration, telnet into the router with each of the two credentials. With "mrnadmin" you can enter privileged mode and run any command; with "mrnguest" you cannot enter privileged mode and only show commands can be run. (Telnet is used here for the lab only; it carries the TACACS+ credentials in cleartext on the management path, so on a production device restrict the vty lines to "transport input ssh".)

[Screenshot: AAA-Basics-13]

In the next post we will see AAA Accounting commands related to this.
