Authentication, Authorization, and Accounting

The document discusses the importance of securing access to Cisco routers and switches using AAA (Authentication, Authorization, and Accounting) for centralized security management. It highlights the differences between RADIUS and TACACS+ protocols, emphasizing that TACACS+ offers more comprehensive control over user commands. Additionally, it provides a lab configuration guide for setting up an AAA server and configuring routers for AAA support.

Uploaded by kaqureshi8

AAA

Securing access to Cisco routers and switches is a critical concern. Often, access is secured using enable
and vty/console passwords, configured locally on the device. For large networks with many devices, this
can become unmanageable, especially when passwords need to be changed. A centralized form of access
security is required.

AAA is a security system based on Authentication, Authorization, and Accounting.

• Authentication grants or denies access based on a user account and password.
• Authorization determines what level of access an authenticated user has on the router.
• Accounting keeps track of who logged into which device, and for how long.

AAA Protocols:

The two most widely used protocols for implementing Authentication, Authorization, and Accounting
in the network are RADIUS and TACACS+. There are several key differences between RADIUS and
TACACS+ servers:

• RADIUS is an industry standard protocol, while TACACS+ is Cisco proprietary.
• RADIUS utilizes UDP, while TACACS+ utilizes TCP.
• RADIUS encrypts only the password during the authentication process, while TACACS+
encrypts the entire packet.

There is one additional key difference: TACACS+ allows for the authorization of a user, in addition to the
authentication of a user. Thus, TACACS+ allows us to control what commands a particular user can input.
RADIUS provides only authentication services.
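The third bullet above is easy to state and hard to picture. The following added example (not part of the original document) builds one Access-Request as RADIUS sends it, using the User-Password hiding from RFC 2865 section 5.2, and one authentication START packet as TACACS+ sends it, using the body obfuscation from RFC 8907 section 4.5, then checks which credential fields a passive observer on the management network could read directly. The shared key, username, password, port and remote address are constructed sample values, reusing the lab's key "gns3" for continuity; the packet layouts follow the two RFCs, and the example goes slightly beyond the text by also showing that the RADIUS hiding is an MD5-keyed XOR rather than encryption in the modern sense.

```python
import hashlib
import os
import struct

# Constructed sample values for this example (not taken from the lab document).
SHARED_SECRET = b"gns3"      # the key configured on both the router and the server
USERNAME = b"khan"
PASSWORD = b"cisco123"


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each 16-byte block with MD5(secret + previous block); the first block
    is keyed by the 16-byte Request Authenticator from the packet header."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the RADIUS server does). Trailing NUL
    padding is stripped, so passwords ending in NUL bytes are not representable."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def radius_access_request(username, password, secret, authenticator, identifier=1):
    """Minimal Access-Request (Code 1) carrying User-Name (type 1) and
    User-Password (type 2). Only the User-Password value is hidden; the header,
    the User-Name and any other attributes travel in cleartext."""
    attrs = bytes([1, 2 + len(username)]) + username
    hidden = radius_hide_password(password, secret, authenticator)
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no) and
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}), concatenated and
    truncated to the body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version, seq_no):
    """XOR the whole packet body with the pseudo-pad. Applying it twice restores
    the body, so the same function serves both ends of the TCP connection."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def tacacs_authen_start(username, password, key, session_id,
                        port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START packet (PAP): a 12-byte cleartext header followed by
    an obfuscated body of action=LOGIN(1), priv_lvl=1, authen_type=PAP(2),
    authen_service=LOGIN(1), four length bytes, then user, port, rem_addr, data."""
    version, ptype, seq_no, flags = 0xC0, 0x01, 1, 0x00
    body = struct.pack("!8B", 1, 1, 2, 1,
                       len(username), len(port), len(rem_addr), len(password))
    body += username + port + rem_addr + password
    header = struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def on_the_wire_exposure(authenticator=None, session_id=None):
    """Build one packet of each protocol and report which credential fields a
    passive observer could read without knowing the shared key."""
    authenticator = authenticator or os.urandom(16)
    session_id = session_id if session_id is not None else int.from_bytes(os.urandom(4), "big")
    radius_pkt = radius_access_request(USERNAME, PASSWORD, SHARED_SECRET, authenticator)
    tacacs_pkt = tacacs_authen_start(USERNAME, PASSWORD, SHARED_SECRET, session_id)
    return {
        "radius_username_visible": USERNAME in radius_pkt,
        "radius_password_visible": PASSWORD in radius_pkt,
        "tacacs_username_visible": USERNAME in tacacs_pkt[12:],
        "tacacs_password_visible": PASSWORD in tacacs_pkt[12:],
    }


if __name__ == "__main__":
    for field, visible in on_the_wire_exposure().items():
        print(f"{field}: {visible}")
```

Running the script reports the username visible in the RADIUS packet and nothing visible in the TACACS+ body. Two practical consequences follow for the lab network: usernames and any other RADIUS attributes are readable by anyone who can capture traffic between the device and the server, and both schemes rest entirely on the shared key, so a weak or widely reused key (the lab's "gns3" is fine for a lab, not for production) undermines either protocol equally.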

AAA Server Lab:

Lab Topology:

1. Configuration of the AAA Server (it is Linux based)


root@AAA-1:# ifconfig (to check the IP address on the interfaces)
root@AAA-1:# nano /etc/network/interfaces (to edit/assign the IP address, subnet mask, etc.)
Note: un-comment auto eth0, iface eth0, address, netmask, gateway and upcho.
root@AAA-1:# cat /etc/network/interfaces (to verify the IP address, subnet mask, etc.)
Assign an IP address on router R-1 and check connectivity between R-1 and the AAA server.

2. Configuration on Router R-1


2.1 Configure a username and password for local authentication.
R-1(config)#username khan privilege 15 secret cisco123
R-1(config)#line vty 0 4
R-1(config-line)#transport input all
R-1(config-line)#login local
Note: verify this by accessing R-1 from a client via telnet or SSH.

Now we want to authenticate against the AAA server. This requires some configuration on the
devices (Router-1).

2.2. Configuration of AAA on devices.

R-1(config)#aaa new-model (to enable AAA support on this device)
R-1(config)#aaa group server tacacs+ gns3group (syntax: aaa group server {radius | tacacs+} {group-name})
R-1(config-sg-tacacs+)#server 192.168.1.100
R-1(config-sg-tacacs+)#exit
R-1(config)#tacacs-server host 192.168.1.100 key gns3
R-1(config)#tacacs-server key gns3
R-1(config)#aaa authentication login default group gns3group local

Note: To check the usernames and passwords on the TACACS+ server, use the following commands on the AAA Server.

root@AAA-1:# cd /etc/tacacs+/
root@AAA-1:/etc/tacacs+# ls
tac_plus.conf
root@AAA-1:/etc/tacacs+# nano tac_plus.conf
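The lab opens tac_plus.conf but does not show what it needs to contain. The following is an added example (not from the lab document) of a minimal tac_plus.conf in the syntax of the Shrubbery tac_plus daemon, which is what the Debian tacacs+ package installs under /etc/tacacs+/; the "operator" user, its password and the per-command stanzas are constructed here to illustrate the command control that the RADIUS vs. TACACS+ section describes, while the key and the "khan" account match the router configuration above.

```conf
# Shared key; must match "tacacs-server key gns3" on R-1.
key = gns3

# Full-privilege administrator used in the lab (same credentials as the
# local "username khan" fallback, so behaviour is identical either way).
user = khan {
    default service = permit
    login = cleartext "cisco123"
    service = exec {
        priv-lvl = 15
    }
}

# Constructed read-only operator: lands in privilege 15 but is only allowed
# to run "show ..." commands; every other command is denied by the server.
user = operator {
    login = cleartext "operator123"
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
    cmd = configure {
        deny .*
    }
}
```

Two points to note. First, the cmd stanzas are only consulted once R-1 asks the server for authorization; with the lab configuration as shown (authentication only) both users would get the same unrestricted access, so command control requires, in addition, `aaa authorization exec default group gns3group local` and `aaa authorization commands 15 default group gns3group local` on the router (keeping the `local` fallback so an unreachable server does not lock administrators out). Second, `login = cleartext` keeps the lab simple; the daemon also accepts hashed passwords (`login = des "..."`), which is what a production file should use, and the file should stay readable by root only since it holds the shared key.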
