Configure AAA Switch Cisco IOS


AAA – Authentication, Authorization, Accounting

Authentication: Who is the user?
Authorization: What can the user do?
Accounting: What did the user do?

Cisco switches use two protocols to communicate with AAA servers:

  • TACACS+: Cisco's proprietary protocol, which keeps the three AAA functions separate. It runs over TCP port 49 and encrypts its traffic. For each command entered on the device, the switch asks the server whether that command is permitted before executing it.
  • RADIUS: an open protocol that combines authentication and authorization in a single exchange. It uses UDP ports 1812 and 1813 (accounting), and its traffic is not fully encrypted.

Configuration:

Step 1. Enable AAA on the switch.

Switch(config)# aaa new-model

Step 2. Define at least one local user.

Locally configured usernames and passwords serve as the login method of last resort when no AAA server can be reached:

Switch(config)# username username password password

Step 3. Define the authentication source.

First, define each server together with the shared secret used to protect traffic to it:

Switch(config)# radius-server host { hostname | ip-address } [ key string ]
Switch(config)# tacacs-server host { hostname | ip-address } [ key string ]

Then define a group name that will contain a list of servers:

Switch(config)# aaa group server { radius | tacacs+ } group-name
Switch(config-sg)# server ip-address

Step 4. Define a list of authentication methods to try.

A method list tells the switch which login authentication methods to use and in what order. Give the list a descriptive name, or use the unnamed "default" list. The methods are tried in the order listed: if none of the servers in the first method respond, the switch moves on to the next method in the list.

Use the following global configuration command to define a list of methods:

Switch(config)# aaa authentication login { default | list-name } method1 [ method2 ... ]

Here the methods refer to the following keywords:

  • tacacs+: each TACACS+ server configured on the switch is tried in the order it was configured.
  • radius: each RADIUS server configured on the switch is tried in the order it was configured.
  • local: the user's credentials are checked against the username commands configured on the local switch.
  • line: the line password authenticates any user logging in on that line; usernames cannot be used.

Step 5. Apply a method list to the console or vty lines.

Switch(config)# line { console | vty } line-number
Switch(config-line)# login authentication { default | list-name }

Step 6. Define user permissions (authorization).

Define a list of authorization methods to be tried in sequence, using the following global configuration command:

Switch(config)# aaa authorization { commands | config-commands | configuration | exec | network | reverse-access } { default | list-name } method1 [ method2 ... ]

Then apply an authorization method list to a vty or console line. Users accessing the switch through that line will be subject to authorization. Use the following line configuration command:

Switch(config-line)# authorization { commands level | exec | reverse-access } { default | list-name }

If you do not use this command, the default group is used for all lines. To configure a switch to use AAA authorization for all lines, enter the following:

Switch(config)# aaa authorization exec default group group-name none

Step 7. Define a method list that provides a sequence of accounting methods, using the following global configuration command:

Switch(config)# aaa accounting { system | exec | commands level } { default | list-name } { start-stop | stop-only | wait-start | none } method1 [ method2 ... ]

Apply the accounting methods list to a specific line (console or vty):

Switch(config-line)# accounting { commands level | connection | exec } { default | list-name }

Example:

Switch(config)# aaa new-model
Switch(config)# username jcristobal password MyPassword

Switch(config)# tacacs-server host 10.1.1.1 key MyKey
Switch(config)# tacacs-server host 10.1.1.2 key MyKey
Switch(config)# aaa group server tacacs+ MyAuthServers
Switch(config-sg)# server 10.1.1.1
Switch(config-sg)# server 10.1.1.2


Switch(config)# aaa authentication login MyMethodAuth group MyAuthServers local
Switch(config)# aaa authorization exec MyMethodAuth if-authenticated
Switch(config)# aaa authorization commands 15 MyMethodAuth if-authenticated
Switch(config)# aaa accounting exec MyMethodAuth start-stop group MyAuthServers
Switch(config)# aaa accounting commands 15 MyMethodAuth start-stop group MyAuthServers


Switch(config)# line vty 0 15
Switch(config-line)# login authentication MyMethodAuth
Switch(config-line)# authorization commands 15 MyMethodAuth
Switch(config-line)# authorization exec MyMethodAuth
Switch(config-line)# accounting commands 15 MyMethodAuth
Switch(config-line)# accounting exec MyMethodAuth
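As an added example (not part of the original post), the following Python script audits a saved running-config against Steps 1 to 7 above, flagging the two mistakes that most often cause trouble: a login method list with no local/line fallback (which locks administrators out when the TACACS+ servers are unreachable) and missing command accounting. The config excerpt is constructed, and the list name "NoFallback" is invented for the demonstration.

```python
import re
from typing import Dict, List

# Constructed running-config excerpt (assumed, not taken from a real device).
SAMPLE_CONFIG = """
aaa new-model
username jcristobal password MyPassword
tacacs-server host 10.1.1.1 key MyKey
aaa group server tacacs+ MyAuthServers
 server 10.1.1.1
aaa authentication login MyMethodAuth group MyAuthServers local
aaa authentication login NoFallback group MyAuthServers
aaa authorization exec MyMethodAuth if-authenticated
aaa accounting exec MyMethodAuth start-stop group MyAuthServers
line con 0
 login authentication NoFallback
line vty 0 15
 login authentication MyMethodAuth
 authorization exec MyMethodAuth
 accounting exec MyMethodAuth
"""

def audit_aaa(config: str) -> List[str]:
    """Return findings keyed to the configuration steps; an empty list means all checks passed."""
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    findings: List[str] = []
    if "aaa new-model" not in lines:
        findings.append("Step 1: 'aaa new-model' missing; AAA is not enabled")
    if not any(l.startswith("username ") for l in lines):
        findings.append("Step 2: no local username for last-resort login")
    # Step 4: collect each login method list and its ordered methods.
    login_lists: Dict[str, List[str]] = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    if not login_lists:
        findings.append("Step 4: no 'aaa authentication login' method list defined")
    for name, methods in login_lists.items():
        if methods[-1] not in ("local", "line"):
            findings.append(f"Step 4: list '{name}' ends without local/line fallback; unreachable servers lock you out")
    # Step 5: every line block must reference a list that actually exists.
    current = None
    for l in lines:
        if l.startswith("line "):
            current = l
        elif current and l.startswith(" login authentication "):
            ref = l.split()[-1]
            if ref != "default" and ref not in login_lists:
                findings.append(f"Step 5: '{current}' references undefined list '{ref}'")
    if not any(l.startswith("aaa accounting commands ") for l in lines):
        findings.append("Step 7: no command accounting; entered commands are not recorded")
    return findings
```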
