Chapter 5. AAA Access Control

AAA stands for authentication, authorization, accounting. This chapter will cover the authentication and authorization aspects of AAA, leaving the accounting details for Chapter 11. AAA access control provides much greater scalability and functionality than the basic access control methods discussed in Chapter 3. AAA can use local router configuration, TACACS+, RADIUS, and Kerberos for authentication and can utilize TACACS+ or RADIUS for authorization.

TACACS+ and RADIUS can be used both for authentication and authorization, while Kerberos can be used only for authentication. Cisco-only networks usually choose TACACS+ because of its enhanced features. TACACS+, however, is proprietary to Cisco. Networks using equipment from multiple vendors usually choose RADIUS for its interoperability. Finally, organizations with existing Kerberos access servers can configure their routers to use those servers to control access to Cisco routers.

Enabling AAA

To use any of these authentication and authorization methods, you must first enable AAA on the router. The general steps for enabling AAA are:

  1. Turn on AAA with the aaa new-model command.

  2. Configure security protocol information if using an access control server (ACS).

  3. Define methods that specify the type and order of authentication with the aaa authentication command.

  4. Apply the authentication methods to each line and/or enable access.

  5. Configure AAA authorization, if needed, with the aaa authorization command.

Local Authentication

Assume that the router configuration has the following users:

username jdoe password 7 09464A061C480713181F13253920
username rsmith password 7 095E5D0410111F5F1B0D17393C2B3A37

To take advantage of the AAA accounting features, you can enable AAA but use these locally defined usernames for access. To do so:

  1. Enable AAA with aaa new-model.

  2. Make the default AAA authentication method local using the aaa authentication command.

  3. Apply the default AAA authentication method to each line:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#aaa new-model
    Router(config)#aaa authentication login default local 
    Router(config)#line vty 0 4
    Router(config-line)#login authentication default 
    Router(config-line)#exit
    Router(config)#line aux 0
    Router(config-line)#login authentication default 
    Router(config-line)#exit
    Router(config)#line con 0
    Router(config-line)#login authentication default 
    Router(config-line)#^Z
    Router#

While AAA and local authentication provide greater accountability than non-AAA methods, local AAA authentication is not scalable, and all local passwords are stored in the configuration file using the weak, reversible Vigenère-style type 7 encoding.

TACACS+ Authentication

TACACS+ is Cisco’s proprietary and recommended access control protocol. TACACS+ has the benefits of running over TCP, encrypting the entire contents of packets between the ACS and the router, supporting multiple protocols, and providing authentication and authorization support. TACACS+, however, is proprietary, and if your ACS server needs to serve non-Cisco equipment, you may have difficulty. If you are going to implement an ACS server for your Cisco routers only, TACACS+ is definitely the choice to make. Configuring TACACS+ on a router is fairly straightforward, but since the packets are encrypted, both the router and the server must be preconfigured with an encryption key.

To configure a router to use a TACACS+ server, assuming that the server is configured with the key MyTACACSkey, you must:

  1. Enable AAA with the aaa new-model command.

  2. Tell the router what TACACS+ server to use with the tacacs-server host command.

  3. Tell the router what the TACACS+ server key is with the tacacs-server key command.

  4. Define the default AAA authentication method to be TACACS+ with the locally configured users as a backup in case the TACACS+ server isn’t available.

  5. Configure each line to use the default AAA authentication method.

Here is an example of setting the AUX and VTY ports to use the TACACS+ server 130.218.12.10:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#tacacs-server host 130.218.12.10
Router(config)#tacacs-server key MyTACACSkey
Router(config)#aaa authentication login default group tacacs+ local
Router(config)#line aux 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#^Z
Router#

Warning

IOS Versions 12.0.5(T) and later use the aaa authentication login default group tacacs+ enable command. Earlier versions leave out the keyword group and use the aaa authentication login default tacacs+ enable command.

The router is now set up to use the TACACS+ server 130.218.12.10 for authentication. There is an important item to note when using the aaa authentication login command. The command tells the router to attempt to authenticate a user through TACACS+ first, and to use the locally configured enable password only if it fails to reach the server. If the TACACS+ server is unreachable for some reason, the router uses the local enable password. If the TACACS+ server is reachable, but rejects users because they didn’t authenticate themselves correctly, the router does not fall back to the enable password, but denies the users access.

TACACS+ Enable Password

You can also use TACACS+ for the enable password. If TACACS+ is already configured on your router, this can be done with the command:

aaa authentication enable default group tacacs+ enable

Otherwise, you need to:

  1. Enable AAA, if not already enabled, with the aaa new-model command.

  2. Tell the router what TACACS+ server to use with the tacacs-server host command.

  3. Tell the router what the TACACS+ server key is.

  4. Configure the enable password to use the TACACS+ server first and then the locally configured enable password in case the TACACS+ server is unavailable:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#aaa new-model
    Router(config)#tacacs-server host 130.218.12.10
    Router(config)#tacacs-server key MyTACACSkey
    Router(config)#aaa authentication enable default group tacacs+ enable
    Router(config)#^Z
    Router#

    Warning

    Cisco provides a free Unix-based TACACS+ server that you can download from ftp://ftp-eng.cisco.com/pub/tacacs. This free server hasn’t been updated since 1998, and if you are not comfortable using a free solution, you may want to look at Cisco’s commercial access control servers.

HTTP Authentication with TACACS+

If you are running the HTTP service on your router (not recommended), you can use TACACS+ for HTTP authentication. Assuming that TACACS+ is already set up on your router, you can enable HTTP authentication through TACACS+ by:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip http authentication aaa
Router(config)#^Z

TACACS+ Authorization

In addition to authentication, TACACS+ provides very granular control over user authorization. Most configuration is done on the TACACS+ server. Using TACACS+, you can specify what a user can and cannot do. Once this information is configured on the server, you then tell the router to use the TACACS+ server to authorize every command at a specific level.

EXEC authorization

EXEC is what Cisco calls the command-line shell on its routers. You can use TACACS+ to configure which users are authorized to use the EXEC prompt to execute commands. Without access to an EXEC prompt, even users who are successfully authenticated will be unable to start a shell and will be disconnected. Most TACACS+ daemons have a default deny stance, so before you enable EXEC authorization, make sure your TACACS+ server is set up to allow at least one user EXEC access.

To use TACACS+ for EXEC authorization, enter the command:

Router(config)#aaa authorization exec default group tacacs+ if-authenticated

The final if-authenticated is a fail-safe that allows successfully authenticated users to start an EXEC shell if the TACACS+ server is unavailable. This keeps you from being locked out of the router if the network or TACACS+ server is down.

Command authorization

In addition to using TACACS+ to authorize EXEC (shell) access, you can use it to specify what commands a user can and cannot run. This is done on a per-privilege-level basis, and again, most TACACS+ servers default to no authorization. Therefore, before you turn it on, make sure that the TACACS+ server is set up to allow at least one user authorization to necessary commands such as enable and configure. Command authorization is set using aaa authorization commands:

Router(config)#aaa authorization commands 1 default group tacacs+ if-authenticated

This line configures the router to use the TACACS+ server to authorize all commands that are run at level 1. To configure the router to use the TACACS+ server to authorize all level 15 commands, you would use:

Router(config)#aaa authorization commands 15 default group tacacs+ if-authenticated

The final if-authenticated is a fail-safe that tells the router, if the TACACS+ server is unavailable, to allow authenticated users to successfully run any command at their current run level. This prevents you from being locked out of the router if the TACACS+ server is unreachable.
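The two fallback rules described in this section (local or enable as a backup when the server is unreachable, and if-authenticated as a backup for authorization) both follow from one rule of IOS method-list evaluation: the next method is consulted only when the current one cannot reach a decision, never when it rejects the user. The following Python model is an added example written for this edit; it is not code from the book or from Cisco, and the users, secrets, permitted commands and the server_up flag are constructed stand-ins for a real TACACS+ server and local database.

```python
"""Model of IOS AAA method-list evaluation (added example, not from the book).

A method returns PASS, FAIL or ERROR. IOS moves to the next method in the list
only on ERROR (server unreachable); PASS or FAIL ends the evaluation. This is
why 'group tacacs+ local' falls back to local users when the server is down
but not when the server rejects the user, and why 'if-authenticated' helps
only when the authorization server cannot be reached.
"""
from dataclasses import dataclass
from enum import Enum


class Result(Enum):
    PASS = "pass"
    FAIL = "fail"
    ERROR = "error"


@dataclass
class Request:
    user: str
    password: str = ""
    command: str = ""
    server_up: bool = True        # constructed flag standing in for server reachability
    authenticated: bool = False   # set once login has succeeded


# Constructed user databases (hypothetical users, secrets and permitted commands).
LOCAL_USERS = {"jdoe": "local-secret", "rsmith": "local-secret-2"}
TACACS_USERS = {"jdoe": "tacacs-secret"}
TACACS_ALLOWED = {"jdoe": {"show running-config", "configure terminal"}}


def tacacs_login(req):
    if not req.server_up:
        return Result.ERROR          # no answer: the method cannot decide
    return Result.PASS if TACACS_USERS.get(req.user) == req.password else Result.FAIL


def local_login(req):
    # The local database is always reachable, so it never returns ERROR.
    return Result.PASS if LOCAL_USERS.get(req.user) == req.password else Result.FAIL


def tacacs_authz(req):
    if not req.server_up:
        return Result.ERROR
    return Result.PASS if req.command in TACACS_ALLOWED.get(req.user, ()) else Result.FAIL


def if_authenticated(req):
    return Result.PASS if req.authenticated else Result.FAIL


def none_method(req):
    return Result.PASS               # 'none' grants unconditionally


LOGIN_METHODS = {"group tacacs+": tacacs_login, "local": local_login, "none": none_method}
AUTHZ_METHODS = {"group tacacs+": tacacs_authz, "if-authenticated": if_authenticated,
                 "none": none_method}


def evaluate(table, method_list, req):
    """Walk the method list in order. Returns (granted, [(method, Result), ...])."""
    trace = []
    for name in method_list:
        result = table[name](req)
        trace.append((name, result))
        if result is Result.PASS:
            return True, trace
        if result is Result.FAIL:
            return False, trace      # a rejection is final; later methods are not tried
        # ERROR: the method could not decide, so try the next one
    return False, trace              # every method errored: IOS denies


def login(method_list, user, password, server_up=True):
    return evaluate(LOGIN_METHODS, method_list,
                    Request(user, password=password, server_up=server_up))


def authorize(method_list, user, command, server_up=True, authenticated=True):
    req = Request(user, command=command, server_up=server_up, authenticated=authenticated)
    return evaluate(AUTHZ_METHODS, method_list, req)


if __name__ == "__main__":
    # Server reachable and rejects the local-only password: denied, local never consulted.
    print(login(["group tacacs+", "local"], "jdoe", "local-secret"))
    # Server unreachable: the local database is consulted and grants access.
    print(login(["group tacacs+", "local"], "jdoe", "local-secret", server_up=False))
    # Server unreachable: if-authenticated lets the logged-in user run the command.
    print(authorize(["group tacacs+", "if-authenticated"], "jdoe", "reload", server_up=False))
```

The trace returned by evaluate shows which methods were consulted, which is the point the text makes: with `group tacacs+ local`, a server rejection ends at the first method, while a server outage steps to the second. The same walk explains the checklist's warning against `none` as a backup: once the server is down, `none` grants anyone access.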

RADIUS Authentication

RADIUS is an access control server protocol developed by Livingston Enterprises and is documented in RFC 2865. While there are proprietary extensions to RADIUS, it is much more interoperable between different vendors than Cisco’s TACACS+. However, Cisco still recommends the use of TACACS+ instead of RADIUS for the following reasons:

  • RADIUS uses UDP, while TACACS+ uses TCP.

  • RADIUS encrypts only the password inside access request packets, while TACACS+ encrypts the entire payload.

  • RADIUS combines the authentication and authorization features, while TACACS+ provides methods to separate these two functions.

  • TACACS+ has multiprotocol support built in.

However, the multivendor interoperability issue can be very compelling, and many organizations already run RADIUS authentication servers. This section details how to configure a Cisco router to authenticate to an external RADIUS server if your organization already has or chooses to use RADIUS.

To configure a router to use RADIUS authentication, perform the following steps:

  1. Enable AAA with the command aaa new-model.

  2. Tell the router what RADIUS server to use with the radius-server host command.

  3. Tell the router what the RADIUS server key is with the radius-server key command.

  4. Define the default AAA authentication method to be RADIUS (using the locally configured users as a backup in case the RADIUS server isn’t available).

  5. Configure each line to use the default AAA authentication method.

Here is an example of setting the console and VTY ports to use the RADIUS server 130.218.50.5 for authentication:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#radius-server host 130.218.50.5
Router(config)#radius-server key MyRADIUSkey
Router(config)#aaa authentication login default group radius local
Router(config)#line con 0
Router(config-line)#login authentication default
Router(config-line)#exit 
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#^Z
Router#

Warning

IOS Versions 12.0.5(T) and later use the aaa authentication login default group radius enable command. Earlier versions leave out the group keyword and use the aaa authentication login default radius enable command.

RADIUS Enable Password

With the preceding RADIUS configuration, to set the enable password to use RADIUS for authentication, use the command:

aaa authentication enable default group radius enable

A complete configuration for only the enable password would include the following steps:

  1. Enable AAA with the aaa new-model command.

  2. Tell the router which RADIUS server to use with the radius-server host command.

  3. Tell the router what the RADIUS server key is with radius-server key.

  4. Configure the enable password to use the RADIUS server first and then the locally configured enable password in case the server is unavailable:

    Router#config terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    Router(config)#aaa new-model
    Router(config)#radius-server host 130.218.50.5
    Router(config)#radius-server key MyRADIUSkey
    Router(config)#aaa authentication enable default group radius enable
    Router(config)#^Z
    Router#

    Note

    RADIUS server software is very prevalent on the Internet. See the following sites for open source RADIUS software:

    Numerous vendors, including Cisco, also offer commercial RADIUS servers.

HTTP Authentication with RADIUS

If you are running the HTTP service on your router, you can use RADIUS to provide HTTP authentication. Assuming that RADIUS is already set up on your router to perform line or other authentication, the following commands will set up HTTP to use RADIUS authentication:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip http authentication aaa
Router(config)#^Z
Router#

RADIUS Authorization

Configuring RADIUS for EXEC or command authorization is very similar to the TACACS+ configuration. The only change is the keyword radius in place of tacacs+. The following commands set RADIUS authorization for the EXEC shell, level 1 commands, and level 15 commands, respectively:

aaa authorization exec default group radius if-authenticated
aaa authorization commands 1 default group radius if-authenticated
aaa authorization commands 15 default group radius if-authenticated

Kerberos Authentication

Kerberos is a network authentication protocol developed by MIT. Kerberos can provide authentication only. It doesn’t have the capability to perform authorization. Some sites with existing Kerberos servers use Kerberos for authentication, while using TACACS+ or RADIUS for authorization. A tutorial on Kerberos is out of the scope of this book, but see web.mit.edu/kerberos/www for the latest Kerberos information.

If your network uses Kerberos for authentication, the following example shows how to configure your router to use the Kerberos server for authentication. This example assumes that you are already familiar with Kerberos and have a functional Kerberos authentication server set up.

To use a Kerberos server for authentication, you must:

  1. Enable AAA authentication with the aaa new-model command.

  2. Configure Kerberos protocol support:

    1. Define the default Kerberos realm with the kerberos local-realm command.

    2. Specify which Kerberos server to use with the kerberos server command.

    3. Copy the SRVTAB from the server with the kerberos srvtab remote command.

    4. Enable credential forwarding with the kerberos credentials forward command.

  3. Configure the router to use Kerberos for default login authentication with locally configured usernames as a backup in case the Kerberos server isn’t available.

  4. Configure each line to use the default login authentication.

This example uses the realm CISCO.COM and the Kerberos server 130.218.56.5 to configure the VTY and AUX ports to use Kerberos authentication:

Router#config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#aaa new-model
Router(config)#kerberos local-realm CISCO.COM
Router(config)#kerberos server CISCO.COM 130.218.56.5
Router(config)#kerberos srvtab remote 130.218.56.5 srvtab-filename
Router(config)#kerberos credentials forward
Router(config)#aaa authentication login default krb5 local
Router(config)#line aux 0
Router(config-line)#login authentication default
Router(config-line)#exit
Router(config)#line vty 0 4
Router(config-line)#login authentication default
Router(config-line)#^Z
Router#

Token-Based Access Control

An authentication method that offers additional security is token-based access control. With this method, each user has a smart card or token that either displays a constantly changing password or buttons that calculate a new password based on a challenge phrase. Without this card, it is impossible to authenticate yourself to the system. This two-factor authentication provides additional security by requiring an attacker to both guess the user’s password and steal the smart card or token that is used to access the system.

Cisco routers don’t support token-based access control directly, but there is still a way to use this authentication method. The router must be configured to use a TACACS+ or RADIUS ACS for authentication. The ACS is then configured to use smart cards or token-based access control. A word of warning, however: due to the way that HTTP performs authentication, token-based access control cannot be used.

AAA Security Checklist

This checklist summarizes the important security information presented in this chapter. A complete security checklist is provided in Appendix A. If your organization chooses to use AAA, the following checklist will help you do so securely:

  • If AAA is used, when possible, use TACACS+ instead of other methods.

  • If TACACS+ or RADIUS is used, then keep the configuration files secure, since TACACS+ and RADIUS keys are not obscured by the service password-encryption command.

  • If AAA authentication is used, always set the backup method for authentication to locally configured usernames or the default privileged password and never to none.

  • If AAA authorization is used and your security needs are low to medium, make sure the backup method for authorization is if-authenticated (to avoid being locked out of the router).

  • If AAA authorization is used and you need a higher level of security, make sure there is no backup method for authorization.

  • Disable HTTP access. If it must be used, make sure it uses TACACS+ or RADIUS, and not the default privileged-mode password, for authentication.

  • In larger organizations that need dual-factor access control, configure the router’s TACACS+ or RADIUS servers to use token-based access control.
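Most of the checklist items above can be verified mechanically from the router's configuration text. The following Python script is an added example written for this edit, not code from the book or from Cisco; both configurations it audits are constructed for illustration, and its line matching is a simplification of IOS syntax that covers only the commands used in this chapter.

```python
"""Audit a Cisco IOS configuration against the AAA checklist above.

Added example (not from the book). The two configurations below are constructed
for illustration; the matching is a simplification of IOS syntax.
"""
import re

# Constructed config with several checklist violations.
BAD_CONFIG = """\
aaa new-model
username jdoe password 7 09464A061C480713181F13253920
tacacs-server host 130.218.12.10
tacacs-server key MyTACACSkey
aaa authentication login default group tacacs+ local
aaa authentication login REMOTE group tacacs+ none
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ none
ip http server
ip http authentication enable
line con 0
 login authentication default
line aux 0
line vty 0 4
 login authentication REMOTE
!
"""

# Constructed config that follows the checklist. The tacacs-server key is still in
# the clear, which the checklist addresses by protecting the config file itself.
GOOD_CONFIG = """\
aaa new-model
username jdoe password 7 09464A061C480713181F13253920
tacacs-server host 130.218.12.10
tacacs-server key MyTACACSkey
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
no ip http server
line con 0
 login authentication default
line aux 0
 login authentication default
line vty 0 4
 login authentication default
!
"""


def audit(config_text):
    """Return a list of (severity, code, detail) findings."""
    lines = [l.rstrip() for l in config_text.splitlines()]
    findings = []

    if "aaa new-model" not in lines:
        findings.append(("HIGH", "NO_AAA", "aaa new-model is not configured"))

    for l in lines:
        # Checklist: authentication backup must never be 'none'.
        m = re.match(r"aaa authentication (login|enable) (\S+) (.+)$", l)
        if m and m.group(3).split()[-1] == "none":
            findings.append(("HIGH", "AUTH_BACKUP_NONE",
                             f"{m.group(1)} list {m.group(2)} ends with 'none'"))
        # Checklist: authorization backup is if-authenticated (or nothing), not 'none'.
        m = re.match(r"aaa authorization (exec|commands \d+) (\S+) (.+)$", l)
        if m and m.group(3).split()[-1] == "none":
            findings.append(("HIGH", "AUTHZ_BACKUP_NONE",
                             f"{m.group(1)} list {m.group(2)} ends with 'none'"))
        # Checklist: server keys are not obscured; the config file must be protected.
        if re.match(r"(tacacs|radius)-server key ", l):
            findings.append(("INFO", "SERVER_KEY_CLEARTEXT",
                             "server key is stored in the clear; protect the config file"))
        if re.search(r"\bpassword 7 ", l):
            findings.append(("INFO", "TYPE7_PASSWORD",
                             "type 7 password is reversibly encoded"))

    # Checklist: disable HTTP; if it must stay, it must authenticate through AAA.
    if "ip http server" in lines:
        findings.append(("HIGH", "HTTP_ENABLED", "HTTP service is enabled"))
        if "ip http authentication aaa" not in lines:
            findings.append(("HIGH", "HTTP_NOT_AAA",
                             "HTTP does not authenticate through AAA"))

    # Each 'line con/aux/vty' block should carry a login authentication command.
    current, has_login = None, {}
    for l in lines:
        if re.match(r"line (con|aux|vty) ", l):
            current = l
            has_login[current] = False
        elif current is not None and l.startswith(" "):
            if l.strip().startswith("login authentication"):
                has_login[current] = True
        else:
            current = None
    for name, ok in has_login.items():
        if not ok:
            findings.append(("HIGH", "LINE_NO_LOGIN_AUTH",
                             f"'{name}' has no login authentication applied"))
    return findings


def high_codes(config_text):
    """Codes of HIGH findings, in config order."""
    return [code for sev, code, _ in audit(config_text) if sev == "HIGH"]


if __name__ == "__main__":
    for sev, code, detail in audit(BAD_CONFIG):
        print(f"{sev:4} {code:22} {detail}")
```

Running the script against BAD_CONFIG reports the `none` backups on the REMOTE login list and the level 15 command list, the enabled HTTP service that still uses the privileged-mode password, and the AUX line with no login authentication applied; GOOD_CONFIG produces only the two informational findings about the cleartext server key and the type 7 user password.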
