AAA Authentication Setup with TACACS+ and RADIUS
To authenticate large numbers of users, you need to have a database that stores the usernames and passwords. This is where either TACACS+ or RADIUS servers come into play.
On the router configuration, TACACS+ and RADIUS are not difficult to configure. They also allow for multiple forms of authentication, including:
Digital certificates
One-time passwords
Changeable passwords
Static passwords
UNIX authentication using the /etc/password file
NT database authentication
Three steps are required to make a router use AAA:
Step 1. |
Initial configuration |
Step 2. |
Building a method list |
Step 3. |
Linking the list to interfaces |
Each of these will be discussed in turn.
Initial Configuration
You need to know a few new commands before using TACACS+ or RADIUS. These commands are used in global configuration mode. For TACACS+, the commands are as follows:
aaa new-model tacacs-server host host-ip-address tacacs-server key serverkey
The first command, aaa new-model, tells the router that you are using either TACACS+ or RADIUS for authentication. The next line tells the router the IP address of the TACACS+ server, where host-ip-address is the IP address of that server. The third line tells the router what password key is shared between the router and the server. Unlike passwords, which can be made to appear encrypted within configuration files, this password key always appears in plain text.
It is important that the key is used on both the router and within the configuration file on the server. This ensures that the key is encrypted before being sent to the server. Unless both the TACACS+ server and one of the Ethernet ports on the router are located on an extremely secure network, it is possible for someone to gather keys through the use of a packet analyzer. Therefore, the authors recommend that the key is always entered in both places. There is little sense in not encrypting the key after going through the effort of configuring TACACS+ or RADIUS authentication.
RADIUS authentication also relies on three initial commands. The first command, aaa new-model, is the same as on a TACACS+ system. The next two commands differ only in the replacement of radius for tacacs:
aaa new-model radius-server host host-ip-address radius-server key serverkey
Building a Method List
Now that the initial configuration of authentication is completed, you need to determine in what order the authentication methods will be accomplished. You have some flexibility in the order chosen. For example, you can make the router check the TACACS+ server first and then the local entry on the router, or check the local first and then the TACACS+ server.
A number of different authentication services also can be used. Table 10-1 contains a list of the available services and a description of each.
| Service | Description |
|---|---|
| arap | Uses AppleTalk Remote Access Protocol list |
| enable | Uses the enable mode list |
| login | Used for character mode connections |
| nasi | Uses NetWare Asynchronous Services Interface |
| ppp | Uses Point-to-Point Protocol |
In addition to the service used, the order in which authentication is checked is also chosen. Up to four different authentication methods can be chosen. Multiple authentication methods are usually employed in case the authentication server is unreachable, but it can also be used to allow some individuals, such as the administrator, to completely bypass the server authentication process. Table 10-2 contains a list of valid authentication methods.
| Method | Description |
|---|---|
| auth-guest | Allows a guest logon only if the user has already logged into the EXEC mode. |
| enable | Uses the enable password for authentication. |
| guest | Allows a guest logon. |
| if-needed | Authenticates only if the user has not already been authenticated. |
| krb5 | Uses Kerberos 5 for authentication. |
| krb5-telnet | Uses Kerberos 5 for authentication on Telnet sessions. Note: This must be the first in the list. |
| line | Uses the line password for authentication. |
| local | Uses the local database for authentication. |
| none | No authentication is used. |
| radius | Uses RADIUS for authentication. |
| tacacs+ | Uses TACACS+ for authentication. |
Not all of the services can use all of the methods listed in Table 10-2. For example, the local method cannot use the enable service, and RADIUS cannot be used with NASI. A complete list of compatibilities can be found in Table 10-3.
| Method | arap | enable | login | nasi | ppp |
|---|---|---|---|---|---|
| auth-guest | Yes | No | No | No | No |
| enable | No | Yes | Yes | Yes | No |
| guest | Yes | No | No | No | No |
| if-needed | No | No | No | No | Yes |
| krb5 | No | No | Yes | No | No |
| krb5-telnet | No | No | Yes | No | No |
| line | Yes | Yes | Yes | Yes | No |
| local | Yes | No | Yes | Yes | Yes |
| none | No | Yes | Yes | Yes | Yes |
| radius | Yes | Yes | Yes | No | Yes |
| tacacs+ | Yes | Yes | Yes | Yes | Yes |
The aaa authentication command is used to start authentication on the router. The general syntax of this command is
aaa authentication service-type {default | list-name} method1 [method2] [method3] [method4]
With this command, service-type is one of the services previously listed in Table 10-1, such as arap, line, if-needed, and so on. The next parameter is either the keyword default or a list name. The list name can be virtually any word except the word default, and it is used to name the following list of authentication methods. The parameters method1, method2, method3, and method4 are used to specify the order in which authentication takes place. Use any of the methods listed in Table 10-2. At least one method must be used, with a maximum total of four methods specified.
There are three exceptions to the syntax described above. These exceptions are:
aaa authentication local-override aaa authentication password-prompt text-string aaa authentication username-prompt text-string
The aaa authentication local-override command is used on an individual interface to force the IOS to check the local database before attempting any other form of authentication. The aaa authentication password-prompt text-string command is used to change the text that is displayed when a user is prompted for a password. The parameter text-string is the text that is displayed. The aaa authentication username-prompt text-string changes the text that is displayed when a user is prompted for a username.
Now look at how these commands work. Assume that you want to make TACACS+ the default authentication method for PPP access. You would use the following command:
aaa authentication ppp default tacacs+
If you want to use TACACS+ as the default and also allow the local database to be used if the TACACS+ server does not respond, you would use the following command:
aaa authentication ppp branch-office-users tacacs+ login
Notice in this scenario that you have dropped the use of the word default and are now using branch-office-users instead. The parameter branch-office-users is an arbitrary name made up for this list. It is critical that the administrator understands that the local database is not used if any response is received from the TACACS+ server. In other words, the local database is only used if the TACACS+ server is not available. The local database is not consulted if the TACACS+ server rejects the request to log in.
To review, the following shows the new commands used in this configuration. For this example you will use TACACS+ to authenticate users logging into the router. If the TACACS+ server is not available, you will use the local database to authenticate. The set of global commands required follows:
aaa new-model !Get ready to use AAA tacacs-server host 172.30.1.50 !Set the server to look for the TACACS+ server at the IP address of 172.30.1.50 tacacs-server key mysecretkey !Using the server key "mysecretkey" on both the router and !within the configuration of the TACACS+ server forces !encryption when the key is sent to the server aaa authentication ppp branch-office-users tacacs+ login !Set authentication for PPP to first use the TACACS+ server and !then use the local database. !The name of this list is "branch-office-users."
Now that the method list is built, you still need to link the list to an interface before authentication can take place.
Linking the List to Interfaces
Because the initial and method list configurations are done, you merely need to add the proper commands to the individual interfaces.
In this example, you are going to use AAA authentication on S2, which is connected to the branch office.
interface serial 2 !This interface is connected via ISDN to the branch office ppp authentication chap !You have set the PPP authentication to use CHAP
Although this configuration works to authenticate the users with CHAP, it might not be the best configuration for your purposes. Instead, you could use the TACACS+ server for the initial authentication. You would then use CHAP if the user is not already authenticated. To do this, you change the last interface configuration line to read:
ppp authentication chap if-needed branch-office-users !You have set the PPP authentication to use CHAP if the user has !not already been authenticated by the TACACS+ server.
This gives a little more protection. To refine this a little more, in the following configuration the router first expects a CHAP password. If the received password fails, the router then accepts another password attempt, this time expecting a PAP password. Because PAP sends the password itself in clear text, the administrator should ensure that the chap keyword is used before the pap keyword. This causes the first connection attempt password hash to be encrypted with a clear text password being sent only if the CHAP connection attempt fails. Using the pap keyword first would cause the first attempt to be accomplished with a clear-text password, which is a less secure method.
ppp authentication chap pap if-needed branch-office-users !You have set the PPP authentication to use CHAP if the user has !not already been authenticated by the TACACS+ server. !If CHAP is not available, you use PAP.
Finally, because you only need to verify users from the remote office coming into the main branch, you can specify that only those calling in are authenticated. As the router is now configured, both incoming and outgoing users are authenticated. Adding the keyword callin to the previous command authenticates only incoming calls:
ppp authentication chap pap if-needed branch-office-users callin !You have set the PPP authentication to use CHAP if the user has !not already been authenticated by the TACACS+ server. !If CHAP is not available, you use PAP. !This only applies to connections initiated from the outside of this interface.
The final configuration looks like this:
aaa new-model tacacs-server host 172.30.1.50 tacacs-server key mysecretkey aaa authentication ppp branch-office-users tacacs+ login interface serial 2 ppp authentication chap pap if-needed branch-office-users callin
Fine-Tuning the Configuration
You now have a configuration where the remote PPP user authenticates through the TACACS+ server. However, there is a configuration issue here that is sure to become a problem sometime in the future. You have not really secured how you log into the router for administrative purposes. You need to be extremely careful when authenticating users to the console. If you rely solely on a TACACS+ or RADIUS server, you will be unable to log onto the router if there are problems in communication between the two. Therefore, you need to enable another method of accessing the console.
This is very simple to do, but very important for troubleshooting purposes. First, set the default authentication for the login through the console and TTY to use TACACS+ or RADIUS. Then create a list that requires no authentication. Finally, associate this list with an interface. An example follows:
aaa authentication login default tacacs+ aaa authentication login administrative none line con 0 login authentication administrative
The only security issue related to this configuration is that anyone who has physical access to the router can plug into the console and log in, bypassing the TACACS+ authentication. However, anyone with physical access to the router also has the ability to reset the router and bypass the current configuration anyway. As always, physical security is necessary on all equipment critical to your network.