Configuring Local Database AAA on a Cisco Router
There are many instances where simple password-based authentication will not be adequate. Certainly many security policies will dictate that both username and password will be required if for no other reason than that the person who logs in to the router needs to be identified (authenticated) and his activities need to be tracked (accounted). What users are allowed to do (authorization) is something else we can control if we know who they are in the first place. You can’t do all these things if the system simply uses passwords. Let’s first define AAA, and then quickly itemize Cisco’s four solutions. Then we’ll get back to configuring local database AAA on a Cisco router.
The next section contains a more formal definition of authentication, authorization, and accounting (AAA)—the functions that AAA servers perform.
Authentication, Authorization, and Accounting (AAA)
The following list represents a simple definition of the three A’s in AAA.
- Authentication. Establishes who you are.
- Authorization. Now that we know who you are, we can establish what you can do and what you can access.
- Accounting. Also, now that we know who you are, we can establish what you did, how long you did it, and how often you did it.
Note the heavy emphasis on you. (This isn’t a comment on society, by the way!) Clearly it all starts with authentication, because authorization and accounting would not be possible without establishing an individual’s identity first.
Memorize the meaning of the three A’s in AAA.
Two Reasons for Implementing AAA on Cisco Routers
Cisco specifies two main reasons for implementing AAA on Cisco routers. These are outlined in the following list:
- Remote User Network Access. AAA is performed in support of IPsec and SSL VPN users and dial-up users before they are permitted access to an organization’s network.
- Administrative Access. AAA is performed before a user is permitted administrative access to a router (console, Telnet/SSH/HTTP, auxiliary).
Cisco’s Implementation of AAA for Cisco Routers
Let’s now look at how Cisco implements AAA for Cisco routers. There are two main categories of AAA implementations: local AAA (or “self-contained” AAA) and external AAA. These are outlined next:
- Self-Contained AAA. Local authentication on the router or other network access server (NAS) using a local username/password database. Essentially, the device is acting both as AAA client and server.
The terms “Network Access Server (NAS)” and “AAA client” mean the same thing. Cisco favors the term “AAA client” mostly, but you will still see the term NAS here and there in Cisco literature.
- External Authentication. Authentication using an external Cisco Secure Access Control Server (ACS). There are three separate Cisco Secure ACS external AAA solutions:
- Cisco Secure Access Control Server for Microsoft Windows Server.
- Cisco Secure ACS Express: An entry-level RADIUS and TACACS+ AAA 1U server appliance. Supports up to 50 AAA clients, as well as 350 unique user logons in a 24-hour period.
- Cisco Secure ACS Solution Engine: An appliance that supports many more AAA clients and unique user logons than Cisco Secure ACS Express.
Readers who are familiar with AAA will note the heavy emphasis on Cisco solutions for external AAA. In reality, Cisco is one of many vendors of external AAA solutions. The market abounds with choices, including Microsoft IAS (Internet Authentication Service), FreeRadius (Open Source), and Livingston’s Steel-Belted Radius.
Recall from the “Two Reasons for Implementing AAA on Cisco Routers” section in this chapter that there are two types of access. Access to the router is called “remote administrative access”. Access through the router to networks beyond the router is called “remote network access.” Figure 3.10 illustrates this difference, as does Table 3.2, which defines how Cisco further categorizes these two main types of access.
FIGURE 3.10 Types of access and AAA placement.
Tasks to Configure Local Database AAA on a Cisco Router
There are four basic tasks to configuring local AAA (whether character or packet mode) on a router:
Task 1: Configure user accounts by creating a username/password database on the router.
Task 2: Enable AAA on the router.
Task 3: Configure AAA on the router, defining what type of remote access (administrative or network) AAA is to be performed and tying it to the username/password database.
Task 4: Verify and possibly troubleshoot the AAA configuration.
These tasks are the same whether you are using the Cisco SDM or the CLI. The following sections show the detailed steps in each task. Let’s perform the first three tasks using the SDM. The equivalent CLI command appears as a separate note with each task. Judge for yourself whether you prefer to use the GUI or the CLI.
Task 1: Configuring User Accounts
Figure 3.11 illustrates the Add an Account dialog that you use to add a local user account on the router.
FIGURE 3.11 Configuring user accounts using Cisco SDM.
The separate steps to add a user per the dialog illustrated in Figure 3.11 are detailed next. The labels on Figure 3.11 correspond to the steps in the list:
- Choose Configure->Additional Tasks->Router Access->User Accounts/View in the SDM.
- Click Add to create a new user.
- In the resulting window, enter the username and password.
- If you haven’t created views or lesser privilege levels, change this user’s Privilege Level to 15.
- (Optional) If views have been defined, you can check the Associate a View with the user check box and select a view from the drop-down list.
- Click OK and you’re done.
The SDM generates the following CLI command:
username ispuser privilege 15 view root secret 5 $1$Q0Kr$YNRAK9n/9Y1SqprgqpmYC/
Task 2: Enabling and Disabling AAA
As we saw in the previous subsection, “Configuring Role-Based Access to the CLI,” we must enable AAA even for local AAA on the router. Figure 3.12 illustrates the SDM dialog that is used to enable or disable AAA.
FIGURE 3.12 Enabling and disabling AAA using Cisco SDM.
Choose Configure->Additional Tasks->AAA-> Enable (or Disable).
Note the status of AAA. The GUI will tell you if it is enabled or disabled. If it is enabled, the button will be labeled Disable. If it is disabled, the button will be labeled Enable. If you click the Disable button, you will be warned that all AAA will be disabled. Recall that enabling AAA was a prerequisite for creating privilege levels and for views.
The SDM generates the aaa new-model CLI command when you click Enable. The CLI command no aaa new-model disables AAA.
Task 3: Configuring AAA on the Router
Figure 3.13 illustrates the basic steps required to configure AAA on the router.
FIGURE 3.13 Configuring AAA on the router.
What follows are the basic steps required to configure AAA on the router. The labels on Figure 3.13 correspond with the numbers of the following steps:
- Choose Configure->Additional Tasks->AAA->Authentication Policies->Login and click Add.
- In the resulting “Add a Method List for Authentication Login” window, verify that Default is selected in the Name drop-down list.
- Click Add.
- From the “Select Method List(s) for Authentication Login” window, choose local.
- Click the OK button on the Select Method List(s) for Authentication Login window.
- Click the OK button on the Add a Method List for Authentication Login window to complete the task.
The SDM generates the aaa authentication login default local CLI command.
Task 4: Verifying the AAA Configuration
The debug aaa authentication CLI command helps you verify that AAA authentication is functioning. Note that in the following example, the terminal monitor command was necessary because this capture was made during a telnet session with the router. The output represents a successful login using the “default” AAA method:
CiscoISR#debug aaa authentication
AAA Authentication debugging is on
CiscoISR#terminal monitor
Apr 21 14:24:56.511: AAA/BIND(00000032): Bind i/f
Apr 21 14:24:56.511: AAA/AUTHEN/LOGIN (00000032): Pick method list ‘default’
Additional Local Database AAA CLI Commands
Let’s examine some additional CLI commands that help secure and verify an AAA configuration that uses the local database for authentication.
If you want to lock out any user after 10 failed login attempts for local AAA, you can issue this command:
aaa local authentication attempts max-fail 10
To identify local AAA users whose accounts have been locked out, you type in this command:
show aaa local user lockout
Here’s an example. It appears that the ISP user has been locked out. What were they doing working on the weekend anyway?
CiscoISR#show aaa local user lockout
Local-user Lock time
ispuser 14:28:49 UTC Sun Apr 20 2008
To clear (re-instate) all local AAA users who have been locked out, type in this command (the all keyword is required):
clear aaa local user lockout all
If you want to clear a single local AAA user, you can use this form of the command, where ispuser is the locked-out user:
clear aaa local user lockout username ispuser
To display detailed statistics of all logged-in users, you type in this command:
show aaa user all
The following command displays current sessions of users who have been authenticated, authorized, or accounted by the AAA module. It shows AAA sessions with their unique IDs:
show aaa sessions
Here’s an example of its output:
CiscoISR#show aaa sessions
Total sessions since last reload: 48
Session Id: 45
Unique Id: 50
User Name: admin
IP Address: 192.168.0.114
Idle Time: 0
CT Call Handle: 0
CiscoISR#
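The following configuration fragment is an added example, not taken from the chapter or from Cisco SDM output. It pulls together the four tasks above and the lockout policy from this section as they would appear in a running configuration, and shows the explicit per-line binding of the default method list that the SDM does not generate. The usernames and passwords are constructed placeholders.

```cisco
! Added example: local database AAA end to end (constructed, not SDM output).
!
! Task 1: local username/password database. Create the accounts BEFORE
! enabling AAA: once aaa new-model is on, vty logins are checked against
! this database by default, and an empty database locks out remote access.
! "secret" stores a type 5 (MD5) hash in the config instead of a plaintext
! or reversible password.
username ispuser privilege 15 secret Placeholder-ISP-Pass
username netops privilege 1 secret Placeholder-Ops-Pass
!
! Task 2: enable AAA. The aaa commands that follow are rejected until this
! is present; "no aaa new-model" disables AAA again.
aaa new-model
!
! Task 3: login method list. "default" applies to every line (console, vty,
! aux) unless a line names a different list. Only one method is listed, so
! a local lookup is the sole decision point.
aaa authentication login default local
!
! Lockout policy from this section: lock an account after 10 consecutive
! failed local logins. Administrators clear it with
! "clear aaa local user lockout username <name>" or "... lockout all".
aaa local authentication attempts max-fail 10
!
! Binding the list explicitly on each line documents intent; it is also what
! the line uses implicitly when no "login authentication" command exists.
line con 0
 login authentication default
line vty 0 4
 login authentication default
!
! Task 4 (privileged EXEC, not configuration mode):
!   debug aaa authentication      ! watch "Pick method list 'default'"
!   terminal monitor              ! needed when connected via Telnet/SSH
!   show aaa local user lockout   ! who has hit max-fail
!   show aaa sessions             ! who is currently authenticated
```

Verify with show running-config | include aaa|username|login authentication before disconnecting, and keep the console session open until a second login from a vty line succeeds.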