Understanding AAA Configuration
AAA in networking terminology is an abbreviation for Authentication, Authorization and Accounting.

AAA keeps the network secure by making sure that only legitimate users are authenticated, that those users can reach only the network resources they are entitled to, and that what they do is logged as they go about their business.

Authentication: Identifies users, for example by login name and password.

Authorization: After authentication succeeds, authorization determines what that authenticated user is allowed to do.

Accounting: Records what users do once they are authenticated and authorized. For example, accounting can give you a log of when users logged in and when they logged out.

In this post we will configure AAA on a Cisco IOS router with two requirements in mind:

  • All users logging into the router must authenticate with a username and password against one of two redundant TACACS+ servers.
  • Users must be able to log in with a backup local user account stored on the router only if neither TACACS+ server is reachable.

Configuring AAA in steps:

Step 1: Create a backup user account

R1(config)#username ipwithease privilege 15 secret cisco

Step 2: Enable AAA

R1(config)#aaa new-model

Step 3: Configure the TACACS+ servers

R1(config)#tacacs-server host 192.168.1.3 key Cisco1       (primary TACACS+ server)

R1(config)#tacacs-server host 192.168.2.3 key Cisco2       (secondary TACACS+ server)


Step 4: Define the AAA method list

We need to define a method list which instructs the router to use AAA authentication for terminal logins.

R1(config)#aaa authentication login default group tacacs+ local

Now let us understand the above command in parts:

aaa authentication login: specifies that the parameters which follow apply to user login authentication. The keyword default is used in place of a custom list name (only one default list can be defined for each AAA function).

group tacacs+: means "use all configured TACACS+ servers".

local: defines a secondary authentication mechanism; it instructs the router to fall back to locally defined user accounts only if none of the servers in the first method is reachable (a server that answers and rejects the credentials does not trigger the fallback).

The above method list handles only the authentication aspect of AAA. By itself it only lets a user authenticate at privilege level 1 (user EXEC mode).

To have the TACACS+ server grant a heightened privilege level (e.g. privilege level 15, or "enable mode"), we also need to define an authorization method list.

R1(config)#aaa authorization exec default group tacacs+ local

Step 5: Enforce AAA authentication on the terminal lines

R1(config)#line console 0

R1(config-line)#login authentication default

R1(config-line)#line vty 0 15

R1(config-line)#login authentication default
Note: The login authentication default commands will not be visible in the running-configuration, because once aaa new-model is enabled the default list is what IOS applies to every line anyway.
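As an added example (not part of the original post), the following Python script audits a saved running-config against the requirements of the five steps above: TACACS+ must be tried before the local fallback, and the backup account must use a hashed secret. The sample config and the password hash in it are constructed, not taken from a real device.

```python
import re

# Constructed running-config fragment mirroring the steps above.
# The secret hash is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
username ipwithease privilege 15 secret 5 $1$abcd$PLACEHOLDERHASH
aaa new-model
tacacs-server host 192.168.1.3 key Cisco1
tacacs-server host 192.168.2.3 key Cisco2
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
line vty 0 15
"""

# Expected method order: TACACS+ first, local only as the fallback.
EXPECTED_METHODS = ["group", "tacacs+", "local"]


def _first(lines, prefix):
    """Return the first config line starting with prefix, or None."""
    return next((l for l in lines if l.startswith(prefix)), None)


def audit_aaa(config: str) -> dict:
    """Check a running-config against the AAA design described above.
    Returns a mapping of check name -> True (pass) / False (fail)."""
    lines = [l.strip() for l in config.splitlines()]
    findings = {}
    findings["aaa_new_model"] = "aaa new-model" in lines
    tacacs = [l for l in lines if l.startswith("tacacs-server host")]
    findings["two_tacacs_servers"] = len(tacacs) >= 2
    # Method order matters: "local group tacacs+" would bypass the servers.
    login = _first(lines, "aaa authentication login default")
    findings["login_tacacs_then_local"] = (
        login is not None and login.split()[4:] == EXPECTED_METHODS)
    authz = _first(lines, "aaa authorization exec default")
    findings["exec_authz_tacacs_then_local"] = (
        authz is not None and authz.split()[4:] == EXPECTED_METHODS)
    # Backup account must exist, be privilege 15, and use a hashed 'secret'.
    users = [l for l in lines if l.startswith("username ")]
    findings["backup_user_with_secret"] = any(
        re.match(r"username \S+ privilege 15 secret ", u) for u in users)
    # A reversible 'password' keyword on any user is a weak setting.
    findings["no_user_password_keyword"] = not any(" password " in u for u in users)
    return findings


def aaa_ok(config: str) -> bool:
    """True only if every check passes."""
    return all(audit_aaa(config).values())
```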
