AAA (Authentication, Authorization & Accounting) can be enabled either locally on a Cisco device or remotely through a TACACS/RADIUS server. TACACS is a Cisco proprietary protocol, while RADIUS is an IETF standard protocol. TACACS uses TCP port 49 as its transport; RADIUS uses UDP ports 1645-1646 (legacy) or 1812-1813 for authentication and accounting respectively.
There are two sub-categories of Authorization and Accounting, called “exec” and “command” mode. “Exec authorization” controls access to the shell prompt, and “command authorization” controls which specific commands a user is allowed to run. Similarly, “exec accounting” captures details about users accessing the shell prompt, and “command accounting” keeps track of which commands users execute on the Cisco device. Of TACACS and RADIUS, only TACACS supports the “command authorization” and “command accounting” configurations.
When configuring TACACS or RADIUS on a Cisco device there are three steps:
1. Define the server credentials (address, key, source interface)
2. Define the AAA method lists (for Authentication/Authorization/Accounting)
3. Apply the AAA lists to the lines
Before configuring AAA commands on the Cisco device we have to create users on the ACS server. In this example we will create two users who belong to two separate Identity Groups (named Admin-Group & Non-Admin-Group). In ACS 5.x you can do this under the “Users & Identity Stores > Identity Groups” section.
Then you can create the two individual users and assign them to the identity groups just created. In ACS 5.x you can create a user under the “Users and Identity Stores > Internal Identity Stores > Users” section.
The next step is to add the router to the ACS server as an AAA client. I have used the router’s loopback address 10.10.205.20 (this is the IP from which ACS expects the TACACS packets from the router to arrive) as the IP of this router in ACS. If you have pre-defined Location and Device Type groups you can associate this device with them as well.
Then you need to configure AAA on this Cisco router. The following CLI commands define the TACACS server credentials on the router.
tacacs-server host 192.168.100.2
tacacs-server key cisco
ip tacacs source-interface Loopback0
You can test the connectivity between the AAA client and the AAA server by issuing the “test aaa group tacacs+ <username> <password> legacy” CLI command. As shown below, it reports that the user was successfully authenticated by the ACS server, which means client-to-server connectivity is working (no ports/ACLs are blocking TACACS traffic). If you do not see something like this, you can use the “debug aaa authentication” and “debug tacacs authentication” commands to troubleshoot.
The next step is to define the AAA method lists. We will first see how to do this for Authentication, and later in the section for Authorization and Accounting. In my example I have named this list “TACACS-AUTH” for TACACS authentication. It is always recommended to configure “aaa authentication login default local” in case you leave certain lines (vty, con, aux) using the default authentication. That way you can still access the device through those lines using a local username/password, and you will not lock yourself out as long as a local username/password is configured on this router.
Once you apply the TACACS-AUTH list under a line, that line will NOT fall back to the local database as long as the TACACS server is reachable. Therefore you cannot use local username/password credentials on the lines configured with the TACACS-AUTH list. The config related to this is shown below.
username cisco privilege 15 password Cisco
aaa authentication login default local
aaa authentication login TACACS-AUTH group tacacs+ local
Now you need to apply the AAA list to the lines (console, vty, aux, etc.) through which you access this device. We will apply it to the vty lines (on my router it says 903 vty lines).
line vty 0 903
login authentication TACACS-AUTH
Now we will look at how Authorization works in the AAA configuration. In this example we will configure the “mrnadmin” user to get full privileges, whereas the “mrnguest” user will get privilege level 1, where it can execute only show commands. I have defined the “TACACS-EXEC-AUTHOR” list for this and then applied it under the vty lines.
aaa authorization exec TACACS-EXEC-AUTHOR group tacacs+
line vty 0 903
authorization exec TACACS-EXEC-AUTHOR
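The safeguards described above (a local default login list, the trailing “local” method on TACACS-AUTH, and a local privilege-15 user) are easy to lose when a configuration is edited later, and a line that references a list name that was never defined is another common way to lose access. The following Python script is an added example, not part of the original post and not a Cisco or ACS tool: it parses a running-config excerpt, collects the AAA lists each line references, and reports any missing definition or missing local fallback. Both configuration strings are constructed for the example; the first combines the post’s own commands (with “aaa new-model”, which named method lists require), and the second is a deliberately weakened variant for contrast.

```python
"""Audit a Cisco IOS AAA configuration for lockout risk.

Added example (not from the original post, not a Cisco/ACS tool). Checks:
  1. every AAA list a line references is actually defined, and
  2. a local fallback exists: the default login list is 'local', each
     TACACS+ login list ends with 'local', and a local privilege-15 user exists.
Note that with 'group tacacs+ local' the local database is consulted only when
no TACACS+ server answers, not when the server rejects the credentials.
"""
import re

# Constructed sample: the post's commands combined into one excerpt.
SAMPLE_CONFIG = """\
aaa new-model
username cisco privilege 15 password Cisco
tacacs-server host 192.168.100.2
tacacs-server key cisco
ip tacacs source-interface Loopback0
aaa authentication login default local
aaa authentication login TACACS-AUTH group tacacs+ local
aaa authorization exec TACACS-EXEC-AUTHOR group tacacs+
line vty 0 903
 login authentication TACACS-AUTH
 authorization exec TACACS-EXEC-AUTHOR
"""

# Constructed contrast: the same device with the safeguards left out.
RISKY_CONFIG = """\
aaa new-model
tacacs-server host 192.168.100.2
tacacs-server key cisco
aaa authentication login TACACS-AUTH group tacacs+
line vty 0 903
 login authentication TACACS-AUTH
 authorization exec TACACS-EXEC-AUTHOR
"""


def parse_aaa(config):
    """Return (login_lists, exec_lists, line_refs, local_users).

    login_lists / exec_lists: list name -> method keywords,
        e.g. {'TACACS-AUTH': ['group', 'tacacs+', 'local']}
    line_refs: [(line spec, 'login' | 'exec', list name), ...]
    local_users: username -> privilege level (IOS default is 1)
    """
    login_lists, exec_lists, line_refs, local_users = {}, {}, [], {}
    current_line = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):
            current_line = None      # any unindented command leaves line mode
        if line.startswith("line "):
            current_line = line[5:]  # e.g. 'vty 0 903'
            continue
        m = re.match(r"aaa authentication login (\S+) (.+)", line)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization exec (\S+) (.+)", line)
        if m:
            exec_lists[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"username (\S+)(?: privilege (\d+))?", line)
        if m:
            local_users[m.group(1)] = int(m.group(2) or 1)
            continue
        if current_line is None:
            continue                 # remaining patterns are line sub-commands
        m = re.match(r"login authentication (\S+)", line)
        if m:
            line_refs.append((current_line, "login", m.group(1)))
            continue
        m = re.match(r"authorization exec (\S+)", line)
        if m:
            line_refs.append((current_line, "exec", m.group(1)))
    return login_lists, exec_lists, line_refs, local_users


def audit(config):
    """Return sorted finding strings; an empty list means no lockout risk found."""
    login_lists, exec_lists, line_refs, local_users = parse_aaa(config)
    findings = []
    for spec, kind, name in line_refs:
        defined = login_lists if kind == "login" else exec_lists
        if name not in defined:
            findings.append(f"line {spec}: {kind} list {name} is not defined")
    if login_lists.get("default") != ["local"]:
        findings.append("default login list is not 'local'")
    for name, methods in login_lists.items():
        if "tacacs+" in methods and methods[-1] != "local":
            findings.append(f"login list {name} has no local fallback")
    if 15 not in local_users.values():
        findings.append("no local privilege-15 user configured")
    return sorted(findings)


if __name__ == "__main__":
    for label, cfg in (("post config", SAMPLE_CONFIG), ("weakened config", RISKY_CONFIG)):
        print(f"{label}: {audit(cfg) or 'no findings'}")
```

Run it against the output of “show running-config | section aaa|line|username|tacacs” and an empty result means the three safeguards the post describes are all in place; each finding names the line or list that needs attention.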
Now on the ACS 5.2 server you have to define two shell profiles under the “Policy Elements > Device Administration” section. In my example I named those two profiles Priv15 and Priv1 for the admin user and the guest user respectively. Below shows the Priv15 profile settings.
To verify the final configuration, you can telnet into this router (10.10.205.20) using the two sets of credentials. Once you log in as “mrnadmin” you can enter privileged mode and run any command. But if you log in as “mrnguest” you cannot enter privileged mode, and only show commands can be run.
In the next post we will see AAA Accounting commands related to this.