June 04, 2010

- Cisco Networking: Introduction to AAA Implementation


AAA stands for Authentication, Authorization and Accounting. To enable this more advanced and granular control in an IOS Router, we must first use the "aaa new-model" command.
c1841(config)#aaa new-model
After the "aaa new-model" command has been enabled, we can optionally configure AAA servers. This is optional because we still have the option of using local authentication, or even continuing to use the "line" password and "enable" password as authentication methods. To configure an AAA server, we start with either the "radius-server" or the "tacacs-server" command.

c1841(config)#radius-server host 1.1.1.1 key cisco
c1841(config)#tacacs-server host 2.2.2.2 key cisco
The next step in enabling AAA on IOS routers is to start building methods. Methods are constructs that allow us to attach items that require authentication, authorization and/or accounting to one or more methods that address this need. For example, a login may require authentication and we could assign this to "local" for local router authentication. The exec process can be assigned authorization from various sources, like TACACS+, RADIUS or local. In this case, a privilege level ranging from 0 to 15 would be assigned to the exec process. Method lists are configured using the following format. Some options are omitted for brevity.
aaa { authentication | authorization | accounting } { list-name | default } { local | group { radius | tacacs+ } }
When we start building these method lists, we can see that there are different processes and options depending on whether we are configuring an authentication, authorization or accounting method. The other thing that I should mention is that "default" applies to all processes of the type specified, unless the process itself is configured otherwise. For example, if we configure an authentication method for "login" and use the keyword "default", it applies to all login processes unless we configure the individual login processes. For example:
c1841(config)#username cisco password cisco
//this method is attached by default
c1841(config)#aaa authentication login default local
//this method is not attached
c1841(config)#aaa authentication login RAD group radius

c1841(config)#line vty 0 4
c1841(config-line)#login
With the above five lines of configuration, telnet authentication would use a local user database. However, if we wanted to use the radius server for login authentication, we would modify the configuration as follows.
//local user isn't used with this configuration
c1841(config)#username cisco password cisco
//this method is attached by default
c1841(config)#aaa authentication login default local
//but this method is explicitly attached
c1841(config)#aaa authentication login RAD group radius
c1841(config)#line vty 0 4
c1841(config-line)#login authentication RAD
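Because a line silently inherits the "default" list when no named list is attached, it is easy to lose track of which list each line actually uses in a long running-config. The following Python script is an added example, not part of the original post: it parses a constructed config excerpt modelled on the examples above and resolves, for every line, the login method list that will really be applied, flagging lines bound to a list that was never defined.

```python
import re
from typing import Dict, Optional

# Constructed sample running-config excerpt (not from a real device),
# modelled on the post's examples. 'aux 0' has no explicit binding and
# 'vty 5 15' points at a list that does not exist.
SAMPLE_CONFIG = """\
aaa new-model
username cisco password cisco
aaa authentication login default local
aaa authentication login RAD group radius
aaa authentication login TAC group tacacs+
line con 0
 login authentication TAC
line aux 0
line vty 0 4
 login authentication RAD
line vty 5 15
 login authentication MISSING
"""

def parse_aaa(config: str) -> dict:
    """Collect the login method lists and each line's 'login authentication' binding."""
    lists: Dict[str, str] = {}
    lines: Dict[str, Optional[str]] = {}
    current: Optional[str] = None
    new_model = False
    for raw in config.splitlines():
        text = raw.strip()
        if text == "aaa new-model":
            new_model = True
        m = re.match(r"aaa authentication login (\S+) (.+)", text)
        if m:
            lists[m.group(1)] = m.group(2)
            continue
        if text.startswith("line "):
            current = text[5:]
            lines[current] = None   # no explicit binding seen yet
            continue
        m = re.match(r"login authentication (\S+)", text)
        if m and current:
            lines[current] = m.group(1)
    return {"new_model": new_model, "lists": lists, "lines": lines}

def resolve_login_methods(config: str) -> Dict[str, str]:
    """Map each line to the list (and methods) that login authentication will use.
    Unbound lines inherit 'default'; a binding to an undefined list is reported as an error."""
    parsed = parse_aaa(config)
    result: Dict[str, str] = {}
    for line, bound in parsed["lines"].items():
        name = bound or "default"
        methods = parsed["lists"].get(name)
        result[line] = f"{name} -> {methods}" if methods else f"ERROR: list '{name}' not defined"
    return result

if __name__ == "__main__":
    for line, outcome in resolve_login_methods(SAMPLE_CONFIG).items():
        print(f"line {line}: {outcome}")
```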
Here is a similar configuration that uses TACACS+.
c1841(config)#aaa authentication login TAC group tacacs+
c1841(config)#line vty 0 4
c1841(config-line)#login authentication TAC
Now we can expand on this and use exec authorization. This places the user directly into the privilege level assigned by the AAA server upon logging in. Notice that we use "TAC" as the method name for authorization. This is technically a separate method list and could have another name, "TACAUTHOR" for example. Additionally, we could have used "default" and not configured anything under the line.
c1841(config)#aaa authentication login TAC group tacacs+
c1841(config)#aaa authorization exec TAC group tacacs+
c1841(config)#line vty 0 4
c1841(config-line)#login authentication TAC
c1841(config-line)#authorization exec TAC
We might also decide to attach these methods to the http server, possibly for SDM control.
c1841(config)#aaa authentication login TAC group tacacs+
c1841(config)#aaa authorization exec TAC group tacacs+
c1841(config)#ip http authentication aaa
c1841(config)#ip http authentication aaa login-authentication TAC
c1841(config)#ip http authentication aaa exec-authorization TAC
Authentication and Authorization are the first two "A's" in the AAA triad. The third item is accounting. Enabling this is very similar. We can log the start and stop of the exec process by configuring the following. We will use the "default" list so we don't have to assign it to each process that we wish to do accounting for.
c1841(config)#aaa accounting exec default start-stop group tacacs+
This is a good example of just logging the beginning and end of the exec process, but it might be more useful to log the commands that are entered at level 15.
c1841(config)#aaa accounting commands 15 TAC15 group tacacs+
c1841(config)#line vty 0 4
c1841(config-line)#accounting commands 15 TAC15
TACACS+ also has the ability to authorize commands. When this is configured, each command is sent to the TACACS+ server to verify that the user should be able to execute the command. When a user attempts to enter a command in a router, the user's current privilege level is compared against the level that the command is configured at. By default, Cisco routers have commands configured at level 0, 1 and 15. Assuming that the user is logged on at an equal or higher privilege level, the command passes the privilege level check. If command authorization is configured, the command is then sent to the AAA server for command authorization. This is a TACACS+ only configuration. The example below combines TACACS+ authentication, accounting, exec authorization and command authorization (along with config-commands). In this example I have applied these methods to the console port.
c1841(config)#aaa authentication login TAC group tacacs+
c1841(config)#aaa accounting commands 15 TAC group tacacs+
//assign the exec a privilege level from tacacs+
c1841(config)#aaa authorization exec TAC group tacacs+
//check the individual commands against tacacs+
c1841(config)#aaa authorization commands 15 TAC group tacacs+
c1841(config)#aaa authorization commands 1 TAC group tacacs+
c1841(config)#aaa authorization commands 0 TAC group tacacs+
//authorize the config commands too
c1841(config)#aaa authorization config-commands
//attach these methods to the console port
c1841(config)#line con 0
c1841(config-line)#login authentication TAC
c1841(config-line)#accounting commands 15 TAC
c1841(config-line)#authorization exec TAC
c1841(config-line)#authorization commands 15 TAC
c1841(config-line)#authorization commands 1 TAC
c1841(config-line)#authorization commands 0 TAC