AAA


How many times have you locked yourself out of a device? Well, I have done it quite a few times, and then all you can do is a password recovery, which I guess is OK when your project deadline is way ahead and you have time to experiment, but what if you're in a lab environment, or your manager is calling you every hour asking for a project update, and you're sitting there on your own in some data centre and you've just locked yourself out of the device?

Well, I hope that the following AAA configuration examples will help you take a strategic approach when configuring AAA, because we all know it can be tricky.

METHODS OF AUTHENTICATION
"LOCAL" - use local user database credentials
"LOCAL-CASE" - same as LOCAL but makes password case sensitive
"LINE" - use the password configured under the line to access the router; this includes VTY lines
"ENABLE" - use the globally configured enable passwords with their privilege levels
"GROUP TACACS+" or "GROUP RADIUS" - use a remote AAA server for authentication

LOCAL DATABASE
R1(config)#username CISCO privilege 15 password CISCO123    (sets username and password with privilege level 15 in the LOCAL database)
R1(config)#username ADMIN privilege 7 password ADMIN123     (sets username and password with privilege level 7 in the LOCAL database)
R1(config)#enable password CISCO123                         (sets the unencrypted enable password in the LOCAL database)
R1(config)#enable secret CISCO123                           (sets the encrypted enable secret in the LOCAL database; if both are set, the secret is the one used)

ENABLE AAA
R1(config)#aaa new-model                 (enables aaa new model)

AAA TACACS+/RADIUS CONFIG
R1(config)#tacacs-server host 150.100.220.20          (use the TACACS+ server at IP address 150.100.220.20)
R1(config)#radius-server host 150.100.220.21          (use the RADIUS server at IP address 150.100.220.21)
R1(config)#tacacs-server key CISCO                    (encrypts communication between R1 and the TACACS+ server with the shared key CISCO)
R1(config)#radius-server key CISCO                    (encrypts communication between R1 and the RADIUS server with the shared key CISCO)
R1(config)#ip tacacs source-interface loopback 0      (sources TACACS+ packets from the Loopback 0 interface)
R1(config)#ip radius source-interface loopback 0      (sources RADIUS packets from the Loopback 0 interface)

AAA CUSTOMIZATION
R1(config)#aaa authentication password-prompt "Password Required"    (creates a custom password prompt)
R1(config)#aaa authentication username-prompt "Username Required"    (creates a custom username prompt)

R1(config)#aaa authentication banner #                (creates a custom banner message)
Enter TEXT message.  End with the character '#'.
This system requires authentication#

R1(config)#aaa authentication fail-message #          (creates a custom authentication-failed message)
Enter TEXT message.  End with the character '#'.
Authentication Failed , try again#

AAA AUTHENTICATION
R1(config)#aaa authentication login CONSOLE local                            (configures the router to use LOCAL database authentication for the CONSOLE list)
R1(config)#aaa authentication login VTY group tacacs+ local                  (configures the router to first use TACACS+ and then the local database)
R1(config)#aaa authentication login VTY group tacacs+ local-case             (alternative VTY list: first TACACS+ then the local database, same as local but makes password case sensitive)
R1(config)#aaa authentication login VTY group tacacs+ line                   (alternative VTY list: first TACACS+ then the line password; make sure a password is set under line vty)
R1(config)#aaa authentication enable default group tacacs+ none              (privilege mode is authenticated first against TACACS+, then falls back to no authentication)
R1(config)#aaa authentication attempts login 3                               (specifies the number of login attempts allowed)
R1(config)#aaa authentication ppp default group tacacs+ group radius local none  (for all PPP authentication requests use TACACS+, then RADIUS, then LOCAL, then NONE)

LINE PORTS
R1(config)#line con 0
R1(config-line)#login authentication CONSOLE     (login to the console as specified under the aaa CONSOLE list above)

R1(config)#line vty 0 15
R1(config-line)#login authentication VTY         (login to the VTY lines as specified under the aaa VTY list above)
R1(config-line)#password CISCO                   (line password used by the "line" method of the aaa VTY list above)

AAA AUTHORIZATION
R1(config)#aaa authorization console                                       (enables authorization on the console line)
R1(config)#aaa authorization exec CONSOLE group tacacs+ local              (the console line authorizes users with TACACS+ and then the LOCAL database)
R1(config)#aaa authorization exec VTY group tacacs+ if-authenticated       (authorizes any already-authenticated user if the TACACS+ server fails)

DIFFERENCE BETWEEN NONE AND IF-AUTHENTICATED METHODS:

EXAMPLE 1

R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default none
R1(config)#line con 0
R1(config-line)#privilege level 15

If the TACACS+ server is not available, the router will allow incoming connections.

EXAMPLE 2

R1(config)#aaa authentication login default group tacacs+ none
R1(config)#aaa authorization exec default if-authenticated
R1(config)#line con 0
R1(config-line)#privilege level 15

If the TACACS+ server is not available, the router grants the login but fails authorization.
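To make the rule behind these two examples (and the AAA AUTHENTICATION lists above) concrete, here is an added Python model of how IOS walks a method list; it is not code from the original post and not IOS itself. A method is skipped only when it returns an error (server unreachable), a rejection stops the list, and "if-authenticated" refuses a session that got in through "none"; the Router class, the login helper and the tacacs_up reachability flag are constructed for this model.

```python
from dataclasses import dataclass, field

# Each AAA method returns PASS, FAIL or ERROR. IOS moves to the next method in
# a list only on ERROR (server unreachable); FAIL (bad credentials) ends the attempt.
PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
@dataclass
class Router:
    local_users: dict = field(default_factory=dict)   # username -> password
    tacacs_users: dict = field(default_factory=dict)  # what the TACACS+ server knows
    tacacs_up: bool = True                            # constructed: is the server reachable?

    def run_method(self, method, user, password):
        if method == "none":
            return PASS                      # no check at all
        if method == "group tacacs+":
            if not self.tacacs_up:
                return ERROR                 # unreachable: fall through to next method
            return PASS if self.tacacs_users.get(user) == password else FAIL
        if method == "local":
            return PASS if self.local_users.get(user) == password else FAIL
        raise ValueError("unknown method: " + method)

    def authenticate(self, methods, user, password):
        """Model of 'aaa authentication login'. Returns (granted, deciding method)."""
        for method in methods:
            result = self.run_method(method, user, password)
            if result != ERROR:
                return result == PASS, method
        return False, None                   # every method errored: deny

    def authorize_exec(self, methods, user, auth_method):
        """Model of 'aaa authorization exec' for a user who already logged in."""
        for method in methods:
            if method == "none":
                return True
            if method == "if-authenticated":
                # a login that got in via 'none' was never actually authenticated
                return auth_method not in (None, "none")
            if method == "group tacacs+" and self.tacacs_up:
                return user in self.tacacs_users
            if method == "local":
                return user in self.local_users
        return False                         # all methods errored: deny

def login(router, authn, authz, user, password):
    ok, by = router.authenticate(authn, user, password)
    if not ok:
        return "login denied"
    return "exec granted" if router.authorize_exec(authz, user, by) else "exec denied"
```

The model also shows the lockout case the post warns about: with the server reachable, a rejected password is a FAIL, so "group tacacs+ local" never consults the local database.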

LINE PORTS
R1(config)#line con 0
R1(config-line)#authorization exec CONSOLE       (applies the aaa CONSOLE authorization list above to the console line)

Enjoy !

Tom
