In this post, we will look at the AAA configuration for 9800 device administration. Even though most of this configuration is common across many Cisco IOS devices, we use a 9800 WLC as the example here.
Here are some background details about the TACACS+ (Terminal Access Controller Access-Control System Plus) protocol. TACACS+ was originally defined as an IETF draft in 1997 and then updated by RFC8907 in 2020; it provides AAA (Authentication, Authorization & Accounting) functionality and is mainly used for device administration.
A TACACS+ packet has a 12-byte header, and its “type” field defines 3 types of TACACS+ packets.
TAC_PLUS_AUTHEN (0x00) – Authentication
TAC_PLUS_AUTHOR (0x02) – Authorization
TAC_PLUS_ACCT (0x03) – Accounting
The sequence number starts at 1 on the client and increments by 1 for each packet in the session, so the TACACS+ server uses even sequence numbers starting with 2. The “Session ID” uniquely identifies a session (Authentication, Authorization, or Accounting) and is derived using a strong random number generation method.
The body of the TACACS+ packets may be obfuscated using a shared secret that is configured on both the client and the TACACS+ server. Once you capture TACACS+ traffic, you can see the cleartext body by configuring that shared secret in Wireshark under the TACACS+ protocol preferences.
Let’s look at the basic AAA commands you require on a 9800 (or any IOS device). First, you have to enable AAA services using the “aaa new-model” command. Once you add that command, you will see that it removes any local logins configured under the VTY lines.
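The following Python is an added example, not code from the original post, that implements the 12-byte header layout and the RFC 8907 body obfuscation described above, so a captured frame can be decoded offline with the shared secret in the same way Wireshark does once you enter the key. It also applies two checks an analyst wants when reading a capture: the odd/even sequence-number rule for telling client from server frames, and the TAC_PLUS_UNENCRYPTED_FLAG, which marks a body sent in cleartext (a misconfiguration worth alerting on). The session ID and the sample Authentication START body are constructed for this example (they reuse the post’s mrn-staff, tty2, 192.168.129.102 and Vipassana123 values); type codes follow RFC 8907, which numbers the authentication type 0x01.

```python
"""Decode TACACS+ (RFC 8907) headers and body obfuscation from a capture."""
import hashlib
import struct
from dataclasses import dataclass

# Header field values from RFC 8907 section 4.1.
TAC_PLUS_VERSION = 0xC0          # major version 0xC, default minor version 0x0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
PACKET_TYPES = {TAC_PLUS_AUTHEN: "Authentication",
                TAC_PLUS_AUTHOR: "Authorization",
                TAC_PLUS_ACCT: "Accounting"}
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body carried in cleartext: a misconfiguration

HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes


@dataclass
class Header:
    version: int
    type: int
    seq_no: int
    flags: int
    session_id: int
    length: int

    def pack(self) -> bytes:
        return struct.pack(HEADER_FMT, self.version, self.type, self.seq_no,
                           self.flags, self.session_id, self.length)


def parse_header(raw: bytes) -> Header:
    if len(raw) < HEADER_LEN:
        raise ValueError("short TACACS+ header")
    return Header(*struct.unpack(HEADER_FMT, raw[:HEADER_LEN]))


def sender_of(seq_no: int) -> str:
    """Clients use odd sequence numbers (1, 3, ...), servers even ones (2, 4, ...)."""
    return "client" if seq_no % 2 else "server"


def pseudo_pad(hdr: Header, key: bytes, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no) and
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated."""
    seed = struct.pack("!I", hdr.session_id) + key + bytes([hdr.version, hdr.seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(hdr: Header, key: bytes, body: bytes) -> bytes:
    """XOR the body with the pseudo pad; symmetric, so the same call de-obfuscates."""
    if hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(hdr, key, len(body))))


def build_packet(ptype: int, seq_no: int, session_id: int, body: bytes,
                 key: bytes, flags: int = 0) -> bytes:
    hdr = Header(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body))
    return hdr.pack() + obfuscate(hdr, key, body)


def decode_packet(raw: bytes, key: bytes):
    """Return (header, cleartext body); reject frames whose length field disagrees."""
    hdr = parse_header(raw)
    body = raw[HEADER_LEN:]
    if len(body) != hdr.length:
        raise ValueError(f"length field {hdr.length} != body length {len(body)}")
    return hdr, obfuscate(hdr, key, body)


# Authentication START body, RFC 8907 section 5.1 (action LOGIN, type ASCII, service LOGIN).
TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01


def encode_authen_start(priv_lvl: int, user: str, port: str, rem_addr: str,
                        data: bytes = b"") -> bytes:
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    return fixed + u + p + r + data


def decode_authen_start(body: bytes) -> dict:
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("authen START length mismatch")
    off = 8
    user, off = body[off:off + ul].decode(), off + ul
    port, off = body[off:off + pl].decode(), off + pl
    rem_addr, off = body[off:off + rl].decode(), off + rl
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr, "data": body[off:off + dl]}


# Constructed sample: the START the post describes (mrn-staff on tty2 from
# 192.168.129.102 at privilege 1), obfuscated with the post's shared secret.
KEY = b"Vipassana123"
SESSION_ID = 0x1A2B3C4D   # constructed for this example; real ones come from a strong RNG
SAMPLE_START = build_packet(TAC_PLUS_AUTHEN, 1, SESSION_ID,
                            encode_authen_start(1, "mrn-staff", "tty2", "192.168.129.102"), KEY)


def inspect_frame(raw: bytes, key: bytes) -> dict:
    """Summarise one frame: AAA phase, who sent it, cleartext flag, decoded START if present."""
    hdr, body = decode_packet(raw, key)
    info = {"type": PACKET_TYPES.get(hdr.type, "unknown"), "seq_no": hdr.seq_no,
            "sender": sender_of(hdr.seq_no), "session_id": f"{hdr.session_id:08x}",
            "cleartext_flag": bool(hdr.flags & TAC_PLUS_UNENCRYPTED_FLAG)}
    if hdr.type == TAC_PLUS_AUTHEN and hdr.seq_no == 1:
        info["start"] = decode_authen_start(body)
    return info


if __name__ == "__main__":
    print(inspect_frame(SAMPLE_START, KEY))
```

Decoding with the wrong key does not fail loudly; it just produces garbage, exactly as Wireshark shows “encrypted request” until the right secret is entered, so the length and START consistency checks above are what tell you the key was right.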
aaa new-model
+aaa session-id common
line vty 0 4
-login local
line vty 5 15
-login local
Then you can define a TACACS+ server with its IP address and shared secret.
tacacs server ISE-TAC
 address ipv4 192.168.100.12
 key Vipassana123
Then you can create a TACACS+ group and add the previously defined server to it.
C9800-2(config)#aaa group server ?
  ldap     Ldap server-group definition
  radius   Radius server-group definition
  tacacs+  Tacacs+ server-group definition

aaa group server tacacs+ TAC-GRP
 server name ISE-TAC
Then you can define an authentication method list (TAC-AUTH) that uses the TAC-GRP you created and, in case the AAA server is not reachable, falls back to “local” authentication. If you want to use it for SSH, apply it under the VTY lines.
aaa authentication login TAC-AUTH group TAC-GRP local
!
line vty 0 15
 login authentication TAC-AUTH
You can define an authorization method list (TAC-AUTHOR) that uses TAC-GRP and then “local” in case the AAA server is not reachable. EXEC authorization is a special form of command authorization that verifies the user’s privileges immediately after login authentication.
aaa authorization exec TAC-AUTHOR group TAC-GRP local if-authenticated
!
line vty 0 15
 authorization exec TAC-AUTHOR
If you want TACACS+ to be used for per-command CLI authorization, you can reuse your authorization method list for that. Keep in mind that this requires the AAA server to evaluate each CLI command you enter on the device.
aaa authorization config-commands
aaa authorization commands 1 TAC-AUTHOR local if-authenticated
aaa authorization commands 15 TAC-AUTHOR local if-authenticated
!
line vty 0 15
 authorization commands 1 TAC-AUTHOR
 authorization commands 15 TAC-AUTHOR
You can define an accounting method list that uses the defined TAC-GRP. In this case we use the “default” method list, as we do not want different accounting based on connection type.
aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 1 default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP
For GUI access to use AAA, apply the same lists under HTTP authentication.
ip http authentication aaa login-authentication TAC-AUTH
ip http authentication aaa exec-authorization TAC-AUTHOR
Here is a summary of the CLI config described above (for simplicity).
aaa new-model
!
tacacs server ISE-TAC
 address ipv4 192.168.100.12
 key Vipassana123
!
aaa group server tacacs+ TAC-GRP
 server name ISE-TAC
!
aaa authentication login TAC-AUTH group TAC-GRP local
!
aaa authorization exec TAC-AUTHOR group TAC-GRP local if-authenticated
!
aaa accounting exec default start-stop group TAC-GRP
aaa accounting commands 1 default start-stop group TAC-GRP
aaa accounting commands 15 default start-stop group TAC-GRP
!
line vty 0 15
 login authentication TAC-AUTH
 authorization exec TAC-AUTHOR
!
ip http authentication aaa login-authentication TAC-AUTH
ip http authentication aaa exec-authorization TAC-AUTHOR
!
***** If you need Command Authorization *****
aaa authorization config-commands
aaa authorization commands 1 TAC-AUTHOR local if-authenticated
aaa authorization commands 15 TAC-AUTHOR local if-authenticated
!
line vty 0 15
 authorization commands 1 TAC-AUTHOR
 authorization commands 15 TAC-AUTHOR
If you want the console session to be authenticated and authorized against the AAA server as well, apply the same lists under line console 0. You also need to add the “aaa authorization console” command in global config.
aaa authorization console
!
line con 0
 login authentication TAC-AUTH
 authorization exec TAC-AUTHOR
In case you want to use a local username for console authentication, you can do something similar to the below. You should have a local user defined with the required privileges (privilege 15 users go directly to the exec prompt, whereas users at other privilege levels have to enter the enable password).
username mrn-local privilege 15 secret xxxx
!
aaa authentication login CON-AUTH local
aaa authorization console
aaa authorization exec CON-AUTHOR local
!
line con 0
 login authentication CON-AUTH
 authorization exec CON-AUTHOR
I have used Cisco ISE as the TACACS+ server, and you can refer to this detailed guide (worth keeping a copy of that document) on how to design ISE for TACACS+ and configure the policy on ISE. The diagram below (taken from the above document) shows the Authentication, Authorization & Accounting packet flow you should expect.
I have configured “cpi” as an admin user with privilege 15 and “mrn-staff” as a general user, locally defined on ISE, which will get privilege level 5 shell access. Let’s test our configuration while capturing packets on the 9800 to see what’s happening with AAA. Below is the TACACS+ Authorization Policy with the configured TACACS+ profile.
Here is the 9800 Packet Capture setting (9800 GUI -> Troubleshooting > Packet Capture) that you can use to filter TACACS+ communication when accessing the 9800 WLC via SSH. The given ACL has been defined on the 9800 to filter that traffic when taking the PCAP.
With that setting, I captured TACACS+ traffic while the “cpi” and “mrn-staff” users were accessing the 9800 via SSH. Here is the PCAP file (tacacs-9800.pcap) for your reference. You can enter the shared secret key (Vipassana123) that I used in order to see the details of the TACACS+ frame body.
Without decryption, you will see an “encrypted request” for frame number 253.
Once decrypted, you will see the details below: the “mrn-staff” user on 192.168.129.102 trying to access TTY line 2. Privilege Level 1 indicates the user’s current privilege level.
The Authentication Start (seq#1), Authentication Reply (seq#2 or #4) and Authentication Continue (seq#3) frame bodies include the following info (refer to RFC8907 for details).
Here are those frame details in the Wireshark capture. You can filter all related packets using the Session ID (right-click and “Apply As Filter”, or drag and drop it into the display-filter area). As you can see, Auth seq 1 and 3 are sent by the client, and seq 2 and 4 by the ISE server. In sequence 2, the server asks for a password for authentication (which the client sends in seq 3), and in sequence 4 it confirms that authentication has passed.
Then you will see two Authorization (Request/Reply) frames. In the request message, you can see “privilege level 1” which was the user’s current privilege. In the Reply message user has been given “priv-lvl=5” shell access. Status “PASS_ADD” in the reply message indicates the request has been authorized.
Accounting messages follow the authorization exchange, and you will see those accounting messages regularly (Note: I kept the WLC GUI open using “rasika” as the username, and you can see certain accounting messages related to that session as well).
Here is the second authentication, for the “cpi” user, where you can see the “authorization” reply (frame#681) granting privilege level 15 shell access.
You can see the “cpi” user issue “configure terminal” successfully as well (refer to frames #789 and #791).
Here are a few things I have come across when it comes to 9800 AAA. There can be many more 🙂; if you know of particular things to be aware of, please provide that info as a comment.
1. Managing 9800 with DNAC
In order for DNAC to properly manage the 9800 with the appropriate NETCONF access, we had to add the following two lines (CSCvy00489) to the AAA config. It is described in this deployment guide as well. If you are using an AAA group as the default method, you may need to modify your 9800 configs.
aaa authentication login default local
aaa authorization exec default local
2. 9800 AAA fallback (refer 9800 best practice guide)
If you have multiple AAA servers, it is important to configure the dead-criteria and deadtime timers on the 9800 (CSCtl06706). With these commands the Catalyst 9800 marks a non-responsive server as “dead” and moves to the backup server. To configure these timers, use the following CLI commands:
radius-server dead-criteria time 5 tries 3
radius-server deadtime 5
If you want to test AAA fallback in a controlled manner, you can apply an ACL that blocks traffic to a particular AAA server (and permits all other traffic). On the 9800 WLC you can apply an ACL like the one below to the management SVI interface. With our configuration, you can then verify that “local” authentication/authorization is used when the ISE server is not reachable.
ip access-list extended BLOCK-ISE
 10 deny ip host 192.168.100.12 any
 20 permit ip any any
!
interface Vlan100
 ip address 192.168.100.20 255.255.255.0
 ip access-group BLOCK-ISE in
Here is a really good post about TACACS+ on IOS devices by Daniel Dib.
The 9800 is like a switch, but I enable TACACS+ authorization and authentication; the weird part is that on the rest of the Shell SW I log in with privilege 15 by default, and on the 9800 I need to provide the enable password. Do you have any clue?
If you don’t mind, please share your “show run | sec aaa” output from the 9800. Then I can have a look and give some insight.
I just compared the config and have some extras that may not be needed:
– remove the authorization command 0 from vty
– add the accounting commands
– add the authorization config-commands
Thanks for all the amazing blog work you do. I don’t think you realise how many people you reach and what a value you give our community 🙏🏻
I recently had some 9800s deployed and for TACACS and the engineer hit an issue where the read only privilege level doesn’t allow for config to be viewed. So basically our current situation is that if we want to check configs via the GUI we need to be elevated to priv 15. Is that how you have it setup or are we missing something here?
Jim Young said:
I wanted to take a moment to thank you for all of your posts. I use something from your posts on many projects I work on. It sort of feels like we work together. What you are doing matters; I wanted you to know that. I really appreciate you and your efforts.
Hey Jim, that is a really kind remark about my work. I am really happy to know you found these posts useful and that they help you. Thank you very much for your note.
Hey Jim, thank you for the note. I have seen it randomly; once I SSH into the WLC and then try to access the GUI, it has always worked. I did not have the opportunity to test it to find the root cause.
I want to log in via local credentials as well as ISE. Please share the config.
Thank you for good Work.