Chapter 3- Authentication, Authorization,

and Accounting

CCNA Security
Objectives

• Explain the funtion and operation of the

authentication, authorization, and accounting
(AAA) protocol.
• Configure a Cisco router to perform AAA
authentication with a local database.
• Describe how to configure Cisco ACS to
support AAA for Cisco IOS routers.
• Configure server-base AAA

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
AAA Overview

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
AAA Overview

• The local database method has some limitations.

– The user accounts must be configured
locally on each device.
– The local database configuration provides
no fallback authentication method.

Password recovery becomes the only option.

AAA Overview

AAA = Authentication + Authorization + Accounting

Refer to 3.1.1.2

AAA provides a higher degree of scalability than

the con, aux, vty and privileged EXEC
authentication commands alone.
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Authentication – Password-Only

• Uses a login and password combination on access lines

• Easiest to implement, but most unsecure method
• Vulnerable to brute-force attacks
• Provides no accountability

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Authentication – Local Database

• Creates individual user account/password on each device

• Provides accountability
• User accounts must be configured locally on each device
• Provides no fallback authentication method

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
 Local Versus Remote Access

Local Access Remote Access

LAN 2

R1 R1 Firewall R2
LAN 1 Internet Internet

LAN 3
Console Port
Administrator

Management
Requires a direct connection to a console LAN
port using a computer running terminal
emulation software
Administration Logging
Host Host

Uses Telnet, SSH HTTP or SNMP connections

to the router from a computer

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
AAA Authentication

• Character mode - A user sends a request to establish an

EXEC mode process with the router for administrative
purposes.
• Packet mode - A user sends a request to establish a
connection through the router with a device on the network.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Local AAA Authentication

• Used for small networks

• Stores usernames and passwords locally in the Cisco
router

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Server – Based AAA Authentication

• Server-based method uses an external database server resource that

leverages RADIUS or TACACS+ protocols.
– Cisco Secure Access Control Server (ACS) for Windows Server
– Cisco Secure ACS Solution Engine or Cisco Secure ACS Express
• More appropriate if there are multiple routers

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
AAA Authorization

• Typically implemented using an AAA server-based solution

• Uses a set of attributes that describes user access to the
network

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
AAA Accounting

• Implemented using an AAA server-based solution

• Keeps a detailed log of what an authenticated user does
on a device

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
AAA Accounting Functions

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Local AAA Authentication with CLI

• R1# conf t
• R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
• R1(config)# username ADMIN secret Str0ng5rPa55w0rd
• R1(config)# aaa new-model
• R1(config)# aaa authentication login default local-case
• R1(config)# aaa local authentication attempts max-fail 10

To authenticate administrator access (character

mode access)
1. Add usernames and passwords to the local
router database
2. Enable AAA globally
3. Configure AAA parameters on the router
4. Confirm and troubleshoot the AAA
configuration

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Authentication Configuration
• router(config)#

aaa authentication login {default | list-name}

method1…[method4]

Command Description

Uses the listed authentication methods that follow this

default
keyword as the default list of methods when a user logs in

list-name Character string used to name the list of authentication

methods activated when a user logs in
method1 Identifies the list of methods that the authentication
[method2... algorithm tries in the given sequence. You must enter at
] least one method; you may enter up to four methods.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Login Method Types

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Additional Security
• router(config)#
aaa local authentication attempts max-fail [number-of-
unsuccessful-attempts]

R1# show aaa local user lockout

Local-user Lock time

JR-ADMIN 04:28:49 UTC Sat Dec 27 2008

R1# show aaa sessions

Total sessions since last reload: 4
Session Id: 1
Unique Id: 175
User Name: ADMIN
IP Address: 192.168.1.10
Idle Time: 0
CT Call Handle: 0

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Sample Configuration

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default local-case
enable
R1(config)# aaa authentication login TELNET-LOGIN local-case
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
R1

• Enable secret cisco

• aaa new-model
• aaa authentication login CONSOLE local none
• aaa authentication login TELNET local

• Username admin privilege 15 secret admin123

• line con 0
• login authentication CONSOLE
• line vty 0 4
• login authentication TELNET
R1

• Enable secret cisco

• aaa new-model
• aaa authentication login CONSOLE local none
• aaa authentication login TELNET local none

• Username admin privilege 15 secret admin123

• line con 0
• login authentication CONSOLE
• line vty 0 4
• login authentication TELNET
• Enable secret cisco
• aaa new-model
• aaa authentication login CONSOLE enable
• aaa authentication login TELNET local none

• Username admin secret admin

• line con 0
• login authentication CONSOLE
• line vty 0 4
• login authentication TELNET
• Enable secret cisco
• aaa new-model
• aaa authentication login default local enable

• Username admin secret admin

• line con 0
• line vty 0 4
Configuring Local AAA Authentication with CCP

• To verify the AAA configuration and to enable or disable AAA, choose

Configure > Router > AAA > AAA Summary.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Local AAA Authentication with CCP

• The first task when using CCP to configure AAA services for local authentication is to
create users:
• Step 1. Choose Configure > Router > Router Access > User Accounts/View.

• Step 2. Click Add to add a new user.

• Step 3. In the Add an Account window, enter the username and password in the
appropriate fields to define the user account.

• Step 4. From the Privilege Level drop-down list, choose 15, unless there are lesser
privilege levels defined.

• Step 5. If views have been defined, check the Associate a View with the user check
box and choose a view from the View Name list that is associated with a user.

• Step 6. Click OK.

The CLI command that CCP generates is

username AAAadmin privilege 15 view roor secret 5 $1$f16u$uKOO6J/UnojZ0bCEzgnQi1

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configure Login Authentication

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configure Login Authentication
• Configure the default method list for login authentication using the local
database:

• Step 1. Choose Configure > Router > AAA > Authentication Policies >
Login. Any defined method lists will be displayed.

• Step 2. To view the options for a method list, select the list name and click Edit.

• Step 3. From the Edit a Method List for Authentication Login window, click Add.

• Step 4. From the Select Method List(s) for Authentication Login window,
choose local from the method list if it is not already selected.

• Step 5. Click OK.

The CLI command that CCP generates is

aaa authentication login default local.
Configure Login Authentication

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Local AAA Authentication

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Local AAA Authentication

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Server-Based AAA Characteristics

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
TACACS+ and RADIUS protocols

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
TACACS+/RADIUS Comparison

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
TACACS+ Authentication Process

Connect Username prompt?

Username? Use “Username”

JR-ADMIN JR-ADMIN

Password prompt?

Password? Use “Password”

“Str0ngPa55w0rd” “Str0ngPa55w0rd”

Accept/Reject

• Refer to 3.3.2.2
• Provides separate AAA services
• Utilizes TCP port 49

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
RADIUS Authentication Process

Access-Request
Username? (JR_ADMIN, “Str0ngPa55w0rd”)

JR-ADMIN Access-Accept
Password?

Str0ngPa55w0rd

• Refer to 3.3.2.3
• Works in both local and roaming situations
• RADIUS combines authentication and authorization as one
process.
• Uses UDP ports 1645 or 1812 for authentication
• and UDP ports 1646 or 1813 for accounting
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Cisco Secure ACS Benefits

• Extends access security by combining authentication, user

access, and administrator access with policy control
• Allows greater flexibility and mobility, increased security,
and user-productivity gains
• Enforces a uniform security policy for all users
• Reduces the administrative and management efforts

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Advanced Features

• Automatic service monitoring

• Database synchronization and importing of tools for large-scale
deployments
• Lightweight Directory Access Protocol (LDAP) user authentication
support
• User and administrative access reporting
• Restrictions to network access based on criteria
• User and device group profiles

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Scalability features

• Ease of use
• Scalability
• Extensibility
• Management
• Administration
• Product flexibility
• Integration
• Third-party support
• Control

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Installation Options

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Cisco Secure ACS

• Consider Third-Party Software Requirements

• Verify Network and Port Prerequisites
– AAA clients must run Cisco IOS Release 11.2 or later.
– Cisco devices that are not Cisco IOS AAA clients must be configured with
TACACS+, RADIUS, or both.
– Dial-in, VPN, or wireless clients must be able to connect to AAA clients.
– The computer running ACS must be able to reach all AAA clients using
ping.
– Gateway devices must permit communication over the ports that are needed
to support the applicable feature or protocol.
– A supported web browser must be installed on the computer running ACS.
– All NICs in the computer running Cisco Secure ACS must be enabled.
• Configure Secure ACS via the HTML interface
– http://127.0.0.1:2002
– http://ip_address[hostname]:2002

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Cisco Secure ACS Homepage

add, delete, modify settings for AAA clients (routers)

set menu display options for TACACS and RADIUS

configure database settings

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
 Network Configuration

• 1. Click Network Configuration on the navigation bar

2. Click Add Entry

3. Enter the hostname

4. Enter the IP address

5. Enter the secret key

6. Choose the appropriate

protocols
7. Make any other necessary
selections and click Submit
and Apply
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Interface Configuration

• The selection made in the Interface Configuration window

controls the display of options in the user interface

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
External User Database

• 1. Click the External User Databases button on the navigation bar

2. Click Database Configuration

3. Click Windows Database

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Windows User Database Configuration

4. Click configure

5. Configure options

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring the Unknown User Policy

• 1. Click External User Databases on the navigation bar

2. Click Unknown User Policy

3. Place a check in the box

4. Choose the database in from the list and click

the right arrow to move it to the Selected list
5. Manipulate the databases to reflect the order 6. Click Submit
in which each will be checked
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Group Setup

• Database group mappings - Control authorizations for

users authenticated by the Windows server in one group
and those authenticated by the LDAP server in another

1. Click Group Setup on the navigation bar

2. Choose the 3. Click Permit in the Unmatched

group to edit Cisco IOS commands option
and click
4. Check the Command check box
Edit Settings
and select an argument

5. For the Unlisted Arguments option,

click Permit

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
User Setup

• 1. Click User Setup on the navigation bar

2. Enter a username and click Add/Edit

3. Enter the data to define the user account

4. Click Submit
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Server-Based AAA Authentication with CLI

1. Globally enable AAA to allow the user of all AAA

elements (a prerequisite)
2. Specify the Cisco Secure ACS that will provide AAA
services for the network access server
3. Configure the encryption key that will be used to
encrypt the data transfer between the network access
server and the Cisco Secure ACS
4. Configure the AAA authentication method list

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Group Method List
• R1(config)# aaa authentication type { default | list-name } method1 …
[method4]

R1(config)# aaa authentication login default ?

enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via
Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging
support

R1(config)# aaa authentication login default group ?

WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

R1(config)# aaa authentication login default group

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
http://www.cisco.com/en/US/docs/ios/sec_user_services/configuration/guide/sec_cfg_authentifcn.html#wp1076055

• It is important to remember that a FAIL response is significantly different

from an ERROR.
• A FAIL means that the user has not met the criteria contained in the applicable
authentication database to be successfully authenticated. Authentication ends
with a FAIL response.
• An ERROR means that the security server has not responded to an
authentication query. Because of this, no authentication has been attempted.
Only when an ERROR is detected will AAA select the next authentication
method defined in the authentication method list.
Sample Configuration

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
• aaa new-model
• !
• aaa authentication login default group tacacs+ local
• !
• tacacs-server host 192.168.1.3 key cisco123

• !
• Username admin privilege 15 secret admin123
Configuring Server-Based AAA Authentication with SDM

• 1. Choose Configure > Additional Tasks > AAA > AAA Servers and
Groups > AAA Servers

2. Click Add

3. Choose TACACS+
4. Enter the IP address
(or hostname) of the
AAA server
5. Check the Single
Connection check box to
maintain a single
connection

6. Check the Configure Key

7. Click OK to encrypt traffic
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Create AAA Login Method List
• 1. Choose Configure>Additional Tasks>AAA>Authentication Policies>Login

2. Click Add
3. Choose User Defined

4. Enter the name

5. Click Add

6. Choose group tacacs+ from the list

7. Click OK

8. Click Add to add a backup method 9. Choose enable from the list
Click OK twice
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Apply Authentication Policy

• 1. Choose Configure>Additional Tasks>Router Access>VTY

2. Click Edit

3. Choose the authentication

policy to apply

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Troubleshooting Server-Based AAA Authentication

R1# debug aaa authentication

AAA Authentication debugging is on
R1#
14:01:17: AAA/AUTHEN (567936829): Method=TACACS+
14:01:17: TAC+: send AUTHEN/CONT packet
14:01:17: TAC+ (567936829): received authen response status = PASS
14:01:17: AAA/AUTHEN (567936829): status = PASS

• The debug aaa authentication command provides a view of

login activity
• For successful TACACS+ login attempts, a status message
of PASS results

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Debug RADIUS, TACACS
• R1# debug radius ?
• accounting RADIUS accounting packets only
• authentication RADIUS authentication packets only
• brief Only I/O transactions are recorded
• elog RADIUS event logging
• failover Packets sent upon fail-over
• local-server Local RADIUS server
• retransmit Retransmission of packets
• verbose Include non essential RADIUS debugs
• <cr>

• R1# debug radius

R1# debug tacacs ?

accounting TACACS+ protocol accounting
authentication TACACS+ protocol authentication
authorization TACACS+ protocol authorization
events TACACS+ protocol events
packet TACACS+ packets
<cr>

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Debug RADIUS, TACACS

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Server-Based AAA Authorization

Command authorization for user

show version JR-ADMIN, command “show version”?

Display “show
version” output Accept

Command authorization for user

configure terminal JR-ADMIN, command “config terminal”?
Do not permit
Reject
“configure terminal”

Refer: 3.5.1.1
.The TACACS+ protocol allows the separation of authentication from
authorization.
.Can be configured to restrict the user to performing only certain functions
after successful authentication.
.Authorization can be configured for
- character mode (exec authorization)
- packet mode (network authorization)
.RADIUS does not separate the authentication from the authorization
process

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Server-Based AAA Authorization

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group
tacacs+
R1(config)# aaa authentication login TELNET-LOGIN
local-case
R1(config)# aaa authorization exec default group
tacacs+
R1(config)# aaa authorization network default group
tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z

• To configure command authorization, use:

aaa authorization service-type {default | list-name} method1 [method2] [method3]
[method4]
• Service types of interest include:
– commands level For exec (shell) commands
– exec For starting an exec (shell)
– network For network services. (PPP, SLIP, ARAP)

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Using SDM to Configure Authorization Character Mode

• 1. Choose Configure>Additional Tasks>AAA>Authorization Policies>Exec

2. Click Add

3. Choose Default

4. Click Add

5. Choose group tacacs+ from the list

6. Click OK

7. Click OK to return to the Exec Authorization window

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
 Using SDM to Configure Authorization Packet Mode

• 1. Choose Configure>Additional Tasks>AAA>Authorization Policies>Network

2. Click Add

3. Choose Default

4. Click Add

7. Click OK to return to 5. Choose group tacacs+ from the list

the Exec Authorization
pane 6. Click OK
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Example: Configure Authorization

• Requirement:
– Assign the privilege level=5 for remote users, using the
Telnet service
– The users can use the show, router and interface with
all sub-option commands
– Do not authenticate for console access
Example: Configure Authorization

• Router#show run | section aaa

aaa new-model
aaa authentication login AUTHEN group tacacs+ local
aaa authentication login NO-AUTHEN none
aaa authorization exec EXEC-AUTHO group tacacs+
aaa authorization commands 5 COM-AUTHO group tacacs+
• Router#show run | section tacacs-server
tacacs-server host 192.168.220.133 key cisco123
• Router#show run | section privilege
username student privilege 15 password 0 cisco
privilege configure all level 5 router
privilege configure all level 5 interface
privilege exec level 5 configure terminal
privilege exec level 5 configure
Example: Configure Authorization

• Router#show run | begin line con 0

line con 0
logging synchronous
login authentication NO-AUTHEN
line aux 0
line vty 0 4
authorization commands 5 COM-AUTHO
authorization exec EXEC-AUTHO
login authentication AUTHEN
Example: Configure Authorization
Example: Configure Authorization
Example: Configure Authorization
Example: Configure Authorization
Example: Configure Authorization
Configuring Server-Based AAA Accounting

• Provides the ability to track usage, such as dial-in access; the ability to
log the data gathered to a database; and the ability to produce reports
on the data gathered
• To configure AAA accounting using named method lists:
aaa accounting {system | network | exec | connection | commands
level} {default | list-name} {start-stop | wait-start | stop-only | none}
[method1 [method2]]
• Supports 6 different types of accounting: network, connection, exec,
system, commands level, and resource.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Configuring Server-Based AAA Accounting

R1# conf t
R1(config)# username JR-ADMIN secret Str0ngPa55w0rd
R1(config)# username ADMIN secret Str0ng5rPa55w0rd
R1(config)# aaa new-model
R1(config)# aaa authentication login default group tacacs+
R1(config)# aaa authentication login TELNET-LOGIN local-
case
R1(config)# aaa authorization exec group tacacs+
R1(config)# aaa authorization network group tacacs+
R1(config)# aaa accounting exec start-stop group tacacs+
R1(config)# aaa accounting network start-stop group tacacs+
R1(config)# line vty 0 4
R1(config-line)# login authentication TELNET-LOGIN
R1(config-line)# ^Z

• aaa accounting exec default start-stop group tacacs+

Defines a AAA accounting policy that uses TACACS+ for logging both
start and stop records for user EXEC terminal sessions.
• aaa accounting network default start-stop group tacacs+
Defines a AAA accounting policy that uses TACACS+ for logging both
start and stop records for all network-related service requests.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Example: Configure Accounting

• aaa accounting exec default start-stop group tacacs+

• aaa accounting commands 5 default start-stop group
tacacs+
Example: Configure Accounting
Chapter Summary

• The Authencation, Authorization, and Accounting (AAA) protocol

provides a scalable framework for enabling access security.
• AAA controls who is allowed to connect to the network, what they are
allowed to do, and keeps records of what was done.
• In small or simple networks, AAA authentication can be implemented
using a local database.
• Local AAA can be configured using CLI and SDM.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Chapter Summary

• In large or complex networks, AAA authentication can be

implemented using server-based AAA.
• AAA servers can use RADIUS or TACACS+ protocols to
communicate with client routers.
• The Cisco Access Control Server (ACS) can be used to
provide AAA server services.
• Server-based AAA authentication can be configured using
CLI or SDM.
• Server-based AAA authorization and accounting can be
configured using CLI or SDM.

Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com
Học viện công nghệ thông tin Bach Khoa - Website: www.bkacad.com