AAA Technologies

Today, we live in a world in which almost everything must be protected from misuse and nothing is free. It does not matter whether you are a system administrator, manager, student, or a network engineer. If you access services via a network, you always need three things:

Authentication

Authorization

Accounting

These components are collectively known as AAA (commonly referred to as Triple A). As discussed in the following sections, each of these components plays an important role.

Authentication

Authentication ensures that the network’s users are who they claim to be. This is important because you do not want these people accessing the network if they are not supposed to. Usually a shared secret or a trusted third-party software application provides authentication.

Authentication enables network administrators to identify who can connect to a network device or to the Internet by requiring the user’s username and password. Normally, when a user connects to a router remotely via Telnet, the user must supply only a password to gain access to the router. This is functional but not secure because, if the router is connected to the Internet, an attacker could keep trying to connect, and you might never know that this was occurring. All the attacker would need to do is guess a single password to access your router. How hard could that be when he has all the time in the world?

When someone logs on to one of your network devices and makes a change, how do you know who the person is and what she has done? With AAA authentication, whenever a user logs on, the user must enter a username and password pair (which the network administrator assigned). The following code snippet shows an example of a remote user accessing a Cisco router with AAA configured to request a username:

User Access Verification
Username: tom_thomas
Password: xxxxxxxx
MyNetworkDevice>

As shown in the preceding example, the user must enter a valid username and password to gain access to the router. Typically, a database that contains the valid usernames resides locally on the device or on a remote security server such as Cisco Access Control Server (ACS).

Authorization

After the user is authenticated, there must be a way to ensure that the user is authorized to do the things he requests. For example, if you are a normal user, you do not have the permissions to access all the files in a file system.

Authorization enables administrators to control the level of access users have after they successfully gain access to the router. Cisco IOS Software defines access levels (called privilege levels) that control which IOS commands the user can issue. For example, a user with privilege level 0 cannot issue any IOS commands, whereas a user with privilege level 15 can issue all valid IOS commands. The local or remote security server can grant access levels.

You can display your current privilege level on a Cisco router with the show privilege command, as shown in the following command line:

MyNetworkDevice# show privilege
Current privilege level is 15
MyNetworkDevice#

Authorization can also dictate the types of protocol activity in which the user can engage, such as allowing a user to invoke only FTP, Telnet, SSH, or HTTP traffic. The higher the privilege, the more capabilities a user has with the IOS command set.

Accounting

Accounting occurs after the authentication and authorization steps have been completed. Accounting enables administrators to collect information about users and the actions that they take when connected to network devices. The information gathered through accounting can provide network forensic evidence of tampering or hacking because you have a road map of the user’s times/dates and activities. Specifically, administrators can track which user logged in to which router or switch, which IOS commands a user issued, and how many bytes were transferred during a user’s session. For example, accounting enables administrators to monitor the routers that have had their configurations changed. A router or a remote security server can collect accounting information.


Note

If you use wireless in an airport, for example, to access the Internet, you use a form of AAA when you authenticate and receive authorization into the service provider’s network. Accounting is the process in which the network service provider collects network usage information for billing relating to how long you were connected, capacity planning, and other purposes. This is important for the service provider—there is no such thing as a free lunch.


After AAA is configured, you can use external security servers to run external security protocols—such as RADIUS or TACACS—that will stop unauthorized access to your network. Both RADIUS and TACACS can be implemented on Cisco network devices and are reviewed in the upcoming sections.


Note

You must use AAA if you intend to use RADIUS or TACACS security server protocols. As AAA collects the information, it sends it to the security servers to determine each of the characteristics associated with AAA.


Remote Authentication Dial-In User Service (RADIUS)

RADIUS is a client/server-based system that secures a Cisco network against intruders. RADIUS is a protocol implemented in Cisco IOS Software that sends authentication requests to a RADIUS server. A RADIUS server is a device that has the RADIUS daemon or application installed. RADIUS must be used with AAA to enable the authentication, authorization, and accounting of remote users. When a RADIUS server authenticates a user, the following events occur:

1. The remote user is prompted for a username and password.

2. The username and password are encrypted and sent across the data network.

3. The RADIUS server accepts or rejects a username and password pair. In some instances, a user might be asked to enter more information. (This is called a challenge response.) For example, if a user’s password has expired, a RADIUS server prompts the user for a new password.


Note

Traffic between the Network Access Server (NAS) and RADIUS is not encrypted—as opposed to TACACS, which does encrypt authentication message traffic.
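The three RADIUS events above, and the note that only the password is hidden on the wire, as an added example that is not from the book: a minimal RADIUS Access-Request/Access-Accept exchange in Python following RFC 2865 (User-Password hiding with the shared secret and Request Authenticator, and the Response Authenticator the client checks). The shared secret, the username database and the fixed packet identifier are constructed for the example.

```python
import hashlib, os, struct

# Constructed shared secret and user database for this example (not from the page).
SHARED_SECRET = b"example-shared-secret"
USER_DB = {"tom_thomas": "correct-horse-battery"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2              # RADIUS attribute types

def hide_password(password, secret, req_auth):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher
    # block); the first block is keyed by the 16-byte Request Authenticator.
    padded = password.ljust(16 * max(1, (len(password) + 15) // 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(user, password, secret, req_auth=None):
    req_auth = req_auth or os.urandom(16)  # fresh Request Authenticator per request
    hidden = hide_password(password.encode(), secret, req_auth)
    attrs = b""
    for atype, value in ((ATTR_USER_NAME, user.encode()), (ATTR_USER_PASSWORD, hidden)):
        attrs += struct.pack("!BB", atype, len(value) + 2) + value  # User-Name is cleartext
    return struct.pack("!BBH", ACCESS_REQUEST, 1, 20 + len(attrs)) + req_auth + attrs

def server_handle(pkt, secret):
    # Accept or reject the pair; the reply is bound to the request by the Response
    # Authenticator = MD5(reply header + Request Authenticator + attributes + secret).
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    req_auth, attrs, pos = pkt[4:20], {}, 20
    while pos < length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    user = attrs.get(ATTR_USER_NAME, b"").decode()
    pw = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = user in USER_DB and USER_DB[user].encode() == pw
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(resp, req_auth, secret):
    # Return the reply code only if the Response Authenticator checks out.
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return resp[0] if resp[4:20] == expected else None
```

A captured Access-Request therefore exposes the username, and anyone who learns the shared secret can recover the password, which is why the secret and the path between NAS and server both need protecting.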



Note

A RADIUS server is usually software that runs on various platforms, including Microsoft NT servers or a UNIX host. RADIUS can authenticate router users, authenticate vendors, and even validate IP routes.


The following steps are required to enable RADIUS on a Cisco router:

Step 1. Use the aaa new-model command. AAA must be used with RADIUS.

Step 2. Specify the RADIUS server with the radius-server host command, as shown in Example 5-3.

Step 3. Specify the password used between the router and the RADIUS server.


Note

Of course, you must also ensure that you have entered users and passwords into the RADIUS server before activating RADIUS.


Example 5-3 displays the required configuration for a Cisco router to authenticate users from the RADIUS server with the host address 10.99.34.50.

Example 5-3 RADIUS Configuration

radius-server host 10.99.34.50
radius-server key <password>


Let’s move on to TACACS, which is an alternative protocol to RADIUS that also works with AAA.

Terminal Access Controller Access Control System (TACACS)

Cisco IOS supports three versions of TACACS: TACACS, extended TACACS, and TACACS+. All three methods authenticate users and deny access to users who do not have a valid username and password.

The first version of TACACS provides simple password verification and authentication. Accounting is limited in that only requests and denials are listed. Next, extended TACACS replaced the first version of TACACS. TACACS+, also referred to as TACACS plus, provides detailed accounting and must be used with AAA (in other words, the aaa new-model command must be enabled). TACACS+ (yes, the plus sign is important) supersedes the earlier releases of TACACS. In general, TACACS provides a centralized security system that validates users from any remote location. Typically, TACACS runs on a Windows Server or UNIX operating system. When a TACACS server authenticates a user, the following events occur:

1. The remote user is prompted for a username and password.

2. The username and password are sent across the data network and authenticated.

3. The TACACS server accepts or rejects the username and password pair. The user might be asked to enter additional information (called a challenge response).

For example, a challenge response might appear when an error occurs during authentication. TACACS+ requires AAA, but TACACS and extended TACACS do not use AAA.

The configuration tasks required to enable TACACS+ on a Cisco router are as follows:

Step 1. Use the aaa new-model command. AAA must be used with TACACS+.

Step 2. Specify the TACACS+ server with the tacacs-server host command.

Step 3. Specify the authentication key used between the router and the TACACS+ server.

Step 4. Because TACACS+ must be used with AAA, you must specify TACACS+ authentication, authorization, and accounting.

Example 5-4 displays the required configuration for a Cisco router to authenticate users from the TACACS+ server with the host address 10.99.34.50.

Example 5-4 TACACS+ Configuration

aaa new-model
aaa authentication enable default tacacs+
! Sets router to use the TACACS+ server to authenticate the enable
! password
aaa authorization exec tacacs+
! Sets TACACS+ to authorize exec commands on the local router
aaa accounting exec start-stop tacacs+
! Accounting information is gathered for exec commands
tacacs-server host 10.99.34.50
tacacs-server key <password>


Example 5-4 is a basic TACACS+ configuration; you can set other configuration options to enable more complex AAA commands.


Caution

If you enable AAA on a router, you could get locked out if you are not careful. If you fat-finger any commands and exit your configuration, you might not be able to re-enter; make sure you are certain of your work before disconnecting.


TACACS+ Versus RADIUS

Comparing the two server protocols, RADIUS and TACACS+, shows that both require AAA to be enabled on a Cisco router (unless you use the older versions of TACACS+, namely TACACS and extended TACACS). RADIUS and TACACS+ both require a username and password pair to obtain access. The difference between the two protocols is in the protocol itself and the fact that TACACS+ is a centralized validation service, whereas RADIUS is based on client/server technologies.
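The encryption difference between the two protocols (noted earlier and summarized above), as an added example that is not from the book: TACACS+ hides the entire packet body, including the username, with the MD5 pseudo-pad that RFC 8907 section 4.5 calls obfuscation, keyed by the session ID, the shared key, the version byte and the sequence number. The user, port, remote address and session ID below are constructed values.

```python
import hashlib, struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag; left clear here so the body is obfuscated

def tacacs_pad(session_id, key, version, seq_no, length):
    # RFC 8907 4.5: pad_1 = MD5(session_id + key + version + seq_no),
    # pad_n = MD5(session_id + key + version + seq_no + pad_{n-1}); body XOR pad.
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_authen_start(user, port, rem_addr, priv_lvl=1):
    # Authentication START body for an ASCII login: action LOGIN=1, authen_type ASCII=1,
    # service LOGIN=1; the password arrives in a later CONTINUE packet, so data is empty.
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    return struct.pack("!BBBBBBBB", 1, priv_lvl, 1, 1, len(u), len(p), len(r), 0) + u + p + r

def encode_packet(body, session_id, key, seq_no):
    # 12-byte cleartext header followed by the obfuscated body.
    pad = tacacs_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + bytes(b ^ m for b, m in zip(body, pad))

def decode_packet(pkt, key):
    # The receiver rebuilds the same pad from the header fields and its copy of the key;
    # XOR is its own inverse, so the same operation recovers the body.
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return bytes(b ^ m for b, m in zip(body, tacacs_pad(session_id, key, version, seq_no, length)))
```

Only the header (version, type, sequence number, flags, session ID, length) is readable on the wire; the body, and the username in it, is not, which is the practical difference from the RADIUS Access-Request.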
