Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Character (line or EXEC TTY, vty, auxiliary, and Login, exec, and enable
mode)
console
commands
aaa authentication
banner
aaa authentication
enable default
aaa authentication
fail-message
This command creates a message that is displayed when a user login fails.
aaa authentication
local-override
This command is used to configure the Cisco IOS software to check the local
user database for authentication before attempting another form of
authentication. The no form of this command may be used to disable the
override
aaa authentication
login
Use the aaa authentication login global configuration command to set AAA
authentication at login. The no form of this command is used to disable AAA
authentication
aaa authentication
nasi
aaa authentication
password-prompt
aaa authentication
ppp
Use the aaa authentication ppp global configuration command to specify one
or more AAA authentication methods for use on Serial interfaces running PPP.
The no form of this command is used to disable authentication
aaa authentication
username-prompt
2. Syntax example
1. aaa authentication login {default | list-name} method1 [method2...]
aaa authentication login Command Elements
Command Element
Description
Default
Specifies the default list of methods to be used when a user logs in based on
the methods that follow this argument
list-name
Used to name the list of authentication methods activated when a user logs
in
Method
One keyword must be specified. To use the local user database, use the
local keyword
enable: The enable password is used for authentication
krb5: Kerberos 5 is used for authentication
krb5-telnet: Kerberos 5 Telnet authentication protocol is used when using
Telnet to connect to the router.
Line: The line password is used for authentication
local: The local username database is used for authentication
local-case: Provides case-sensitive local username authentication
none: No authentication is used
group radius: The list of all RADIUS servers is used for authentication
group tacacs+: The list of all TACACS+ servers is used for authentication.
Group group-name: Uses either a subnet of RADIUS or TACACS+ servers
for authentication as defined by the aaa group server radius or aaa group
server tacacs+ command.
4. Configuring AAA Authentication on Serial Interfaces Running PPP
1. various authentication methods for serial interfaces running PPP.
1. aaa authentication ppp default local This command is used to specify a
default PPP authentication method list using the local username-password
database on the router.
2. aaa authentication ppp dial-in local none This command is used to specify a
PPP authentication method list named dial-in. It should be used on the initial
login attempt, using the local username-password database on the router. If the
local username is not defined, no authentication is used.
Exec
Commands
Used to implement authorization for all commands for a specific privilege level
Level
Used to specify the command level that should be authorized. Values may range
from 0 to 15.
reverse-access
Configuration
Default
Used to list the authentication methods, list-name and method, as the default list of
methods for authorization
List-name
Method
Specifies the method to be used for authentication using one of the following
keywords:
group group-name: Specifies a subset of RADIUS or TACACS+ servers to be used
for authentication. These are defined with the aaa group server RADIUS or aaa
group server tacacs+ commands.
If-authenticated: The user is permitted to access the requested function if he or she
has been validly authenticated
krb5-instance: Used in conjunction with the Kerberos instance map command to
specify the instance to be used
local: Specifies the use of the local user database for authorization
none: Authorization is not performed.
system
Performs accounting for all system-level events that are not associated with users
network
Runs accounting for all network-related service requests, including SLIP, PPP, PPP
NCP, and ARAP
exec
connection
Provides information about all outbound connections made from the NAS
commands
level
Runs accounting for all commands at the specified privilege level. Privilege level
entries are integers and may range from 0 to 15
default
Sets the default list of methods for accounting services based on the listed
accounting methods specified by list-name.
list-name
vrf vrf-name
This optional command element, used only with system accounting, may be used to
specify a VPN routing and forwarding (VRF) configuration.
start-stop
Sends "start" accounting notice at the beginning of a process and "stop" accounting
notice at the end of a process. The start accounting record is sent in the background.
Regardless of whether the start accounting notice was received by the accounting
server, the requested user process begins.
stop-only
Sends a stop accounting notice at the end of the requested user process.
none
broadcast
group groupname
Defines the character string used to name the group of accounting methods.
2. Examples
1. router(config)# aaa accounting commands 15 default stop-only group tacacs+
2. router(config)# aaa accounting auth-proxy default start-stop group tacacs+
2.
3.
4.
5.
6.
7.
Secure ACS 4.0 for Windows makes it possible for these hosts to be audited by
third-party vendors before granting network access. External policy servers also
make it possible to extend Cisco Secure ACS policies.
Improvements to scalability - The 4.0 version of Cisco Secure ACS for Windows
supports an industry-standard relational database management system (RDBMS),
increasing the number of devices (AAA clients) ten times while increasing the
number of users by three times the previous number. Improvements have also been
made in performance, including significant performance increases in the number of
transactions per second across the full protocol portfolio supported by Cisco Secure
ACS.
Network Access Profiles (NAP) - One new feature providing by Cisco Secure ACS
4.0 for Windows is Network Access profiles. Using these, administrators may
classify access requests based on network location, membership in a network device
group (NDG), protocol type, or other RADIUS attribute values sent by the NAD
used by the user to connect. AAA policies may be mapped to specific profiles.
Using this feature allows you as an administrator to apply a different access policy
based on, for instance, wireless access.
Extended replication components - Through the improved replication provided by
Cisco Secure ACS 4.0 for Windows, administrators may now replicate NAPs and all
related configurations, including
1. Posture validation settings
2. AAA clients and hosts
3. External database configuration
4. Global authentication configuration
5. NDGs
6. Dictionaries
7. Shared-profile components
8. Additional logging attributes
EAP-FAST enhanced support - Cisco has developed EAP-FAST as a publicly
accessible IEEE 802.1x EAP type to support customers who cannot enforce a strong
password policy. EAP-FAST is also for those who want to deploy an 802.1x EAP
type that has the following characteristics:
1. No digital certificate is required
2. Versatile supports for user and password database types
3. Support for password expiration and change
4. Flexible and easy to deploy and manage
Machine access restrictions (MARs): MARs is offered as an enhancement of
Microsoft Windows machine authentication. Administrators can use MARs to
control authorization of EAP-TLS, EAP-FASTv1a, and Microsoft PEAP users who
authenticate with a Microsoft Windows external user database when Microsoft
Windows machine authentication is enabled. With this feature, users who access the
network with a computer that has not passed machine authentication within a
configurable length of time are given the authorizations of a user group that you
specify. You can configure this to limit authorization as needed, or you may choose
to deny network access.
NAFs - Network access filters (NAF), a new type of shared profile component, give
administrators a flexible way to apply network access restrictions and downloadable
ACLs on network device names, NDGs, or their IP address. When NAFs are
applied by IP addresses, you may use IP address ranges and wildcards. This new
feature allows for granular application of network access restrictions (NAR) and
downloadable ACLs. Previously, these supported only the use of the same access
restrictions or ACLs to all devices.
8. Downloadable IP ACLs - Per-user ACL support is extended to any Layer 3 network
device that supports downloadable IP ACLS, such as Cisco ASA, Cisco PIX
Firewalls, Cisco VPN solutions, and Cisco IOS routers. Sets of ACLs may be
defined that can be applied per user or per group. This works hand in hand with
NAC by enforcing the correct ACL policy. Further, these may be used along with
NAFs to apply downloadable ACLs differently on a per-device basis, tailoring ACLs
uniquely per user, per access device.
9. Certificate revocation list (CRL) comparison - An X.509 CRL profile is used to
support certificate revocation in this version of Cisco Secure ACS for Windows.
2. Cisco Secure ACS 4.0 for Windows Installation
Ports Used by Cisco Secure ACS for Client Communication
Feature
Protocol
Port(s)
RADIUS authentication
authorization
UDP
1645, 1812
RADIUS accounting
UDP
1646, 1813
TACACS+
TCP
49
TCP
2000
RDBMS synchronization
TCP
2000
TCP
2000
Logging
TCP
2001
TCP
2002
Configurable
1. TACACS+ daemon provides the NAS with one of the following responses
1. ACCEPT - The user is authenticated, and authorization begins at this point if the
NAS has been configured to require it.
2. REJECT - Authentication has failed for the user. The user either is prompted to
retry the login sequence or is denied further access, depending on the TACACS+
daemon.
3. ERROR - At some point during the authentication process, an error occurred.
This may have occurred at either the daemon or in the network connection
between the daemon and the NAS. If an ERROR response is received, the NAS
usually attempts to use an alternative method to authenticate the user.
4. CONTINUE - The user is prompted for further authentication information
before acceptance or rejection
5. Authorization if required - TACACS+ daemon is contacted again and it returns
either ACCEPT or REJECT. If accepted, the response contains attributes that
direct the EXEC or NETWORK session for that user which determines which
services the user can access.
1. Services may include
1. PPP, Telnet, rlogin, SLIP, or EXEC services
2. Connection parameters, such as the host or client IP address, ACL, and
user timeouts
Authorization process with TACACS+ after the user has successfully authenticated
1. TACACS+ can be used to upload a per-user ACL and static route to the NAS, as
well as for a variety of other parameters. The steps involved in this process are as
follows:
1. NAC submits an authorization request for the network access to the TACACS+
server.
2. The request is either accepted or denied by TACACS+. Authorization
parameters are sent to the NAC if the access is permitted and are applied to the
user connection.
2. Command Authorization with TACACS+
1. Figure below shows what happens when an admin enters the configure terminal
command. During this process, TACACS+ establishes a new TCP session. By
default, a new TCP session is established for each authorization request; this may
lead to delays when users enter commands. To improve performance, Cisco Secure
ACS supports persistent TCP sessions. To realize this benefit, both the Cisco Secure
ACS and the router have to be configured for this functionality.
3. TACACS+ Attributes
1. TACACS+ frequently uses a number of attributes for authentication and
authorization:
1. ACL (EXEC authorization) - Lists an access class number that will be applied
to a line
2. ADDR (SLIP, PPP/IP authorization) - When using a SLIP or PPP/IP
connection, this is used to specify the IP address of the remote host that should
be assigned.
3. CMD (EXEC) - The attribute-value (AV) pair is used to start an authorization
request for an EXEC command
4. Priv-lvl (EXEC authorization) - This may be an integer between 0 and 15. It is
used to specify the current privilege level for command authorization.
5. Route (PPP/IP, SLIP authorization) - Used to specify a route to be applied to
an interface.
6. InACL (PPP/IP, SLIP authorization) - Used with SLIP or PPP/IP connections
to list an inbound IP ACL.
7. OutACL - Used with SLIP or PPP/IP connections to list an outbound IP ACL.
8. Addr-pool - Used to specify the name of a local address pool from which to
obtain the address of the remote host.
9. Autocmd - Used to specify a command to be automatically executed at EXEC
startup.
2. TACACS+ is proprietary and uses TCP port 49. Supports routers, switches, PIX.
Primary protocol for Cisco AAA implementations. Typically each AAA transaction
uses a dedicated TCP connection. By using a single connection there is less server
load and better detection of a break in communication. This single session persists
as long as the server or network device is operational.
7. Features of RADIUS
1. Radius is RFC 2865
2. Cisco's RADIUS is RFC 2865 plus IETF attribute 26, the vendor-specific attribute
(VSA) for Cisco. Via this VSA any authorization request specified in the TACACS+
specification can be sent to an access device through RADIUS.
3. Limitations
1. Limited security
2. The combination of authentication and authorization on one function
Comparison of RADIUS and TACACS+
Topic
TACACS+
RADIUS
Packet delivery
TCP
UDP
AAA support
Multiprotocol
support
None
Router
management
Responses
4. Configuring TACACS+
1. CLI Steps
1. Enable AAA globally to allow the use of all AAA elements. This is a
prerequisite for all other AAA commands.
2. Specify which Cisco Secure ACS will provide AAA services for the network
access server. (NAS)
3. Configure an encryption key to be used to encrypt the data transfer between the
network access server and the Cisco Secure ACS.
2. Configuring the Network Access Server with TACACS+
1. router(config)# aaa new model
2. router(config)# tacacs-server host 192.168.10.75 single connection
3. router(config)# tacacs-server key shared1
Commonly Used AAA Configuration Commands
Command
Description
aaa new-model
Used to enable AAA on the router. This is a prerequisite for all other AAA
commands
tacacs-server host Used to indicate the address of the Cisco Secure ACS server and to specify the
ip-address single- use of the TCP single-connection feature of Cisco Secure ACS. Performance is
connection
improved by maintaining a single TCP connection for the life of the session
between the NAS and the Cisco Secure ACS server, rather than opening and
closing TCP connections for each session, which is the default
tacacs-server key Used to establish a shared secret encryption key between the network access
key
server and the Cisco Secure ACS server.
Used to create a default that is automatically applied to all lines and interfaces to
specify the method or sequence of methods used for authentication
list-name
Used to create a list (you may choose the name) that is applied explicitly to a line or
interface using the method or methods specified. This list overrides the default when
applied to a specific line or interface.
group group- Used to specify the use of an AAA server. The group radius and group tacacs+
name
methods refer to previously defined RADIUS or TACACS+ servers. The group-name
string is used to specify a predefined group of RADIUS or TACACS+ servers for
group radius authentication (created with the aaa group server radius or aaa group server tacacs+
command).
group
tacacs+
method2
method3
method4