2.2 AAA concepts
2.2.b Configure administrative access on a Cisco router using TACACS+ and Radius (Accounting)
R1(config)# aaa accounting exec ACCEXEC start-stop group tacacs+ group radius R1(config)# aaa accounting commands 15 ACCCMDS stop-only group tacacs+ groups radius R1(config)# line vty 0 4 R1(config-line)# accounting exec ACCEXEC R1(config-line)# accounting commands 15 ACCCMDS
On the debug aaa auth command what shows that the authentication was successful or not
*Pass*on the output *Fail* on the output
2.2.c Verify connectivity on a Cisco router to a TACACS+ server
*debug aaa authentication* command is a useful AAA troubleshooting command because it provides a high-level view of login activity.
2.2.b Configure administrative access on a Cisco router using TACACS+ and Radius (authorization)
R1(config)# aaa authorization exec SRVEXEC group tacacs+ group radius local R1(config)# aaa authorization commands 15 SRVCMD group tacacs+ group radius local R1(config)# aaa authorization config-commands R1(config)# line vty 0 4R1(config-line)# authorization exec SRVEXEC R1(config-line)# authorization commands 15 SRVCMD
2.2.d Explain the integration of Active Directory with AAA
See above with radius and t+
2.2.a Describe RADIUS and TACACS+ technologies
See next cards
TACACS+
TACACS+ is a Cisco enhancement to the original TACACS protocol. Despite its name, TACACS+ is an entirely new protocol that is incompatible with any previous version of TACACS. TACACS+ is supported by the Cisco family of routers and access servers.TACACS+ is Cisco proprietary. Under normal operations, it encrypts the entire body of the packet for more secure communications and utilizes TCP port 49. It also allows for greater modularity, by the total separation of all three AAA functions: authentication, authorization, and accounting.
How do you avoid locking out the administrator configuring AAA
To avoid accidentally locking out the administrator, *authorization is not implemented on line con 0 by default*. To enable authorization for the console, use the *aaa authorization console* global-configuration command.
What shows TACACS+ and Radius login attempts
debug tacacs debug radius
2.2.e Describe authentication and authorization using ACS and ISE (ISE)
Cisco ISE is a next-generation identity management system that combines ACS with Network Admission Control (NAC) but also includes features such as Profiling: Determines the type of device from which the user is accessing the network Posture assessment: Determines the "health" of the device accessing the network Centralized web authentication: Simplifies the provisioning of guest access AAA: Offers identity-based network access, logging, compliance, and reporting Cisco ISE is the main policy component for Cisco TrustSec and is a Cisco technology that protects assets such as data, applications, and mobile devices from unauthorized access. Cisco ISE not only can quickly isolate and contain threats and limit the impact of data breaches, but can also simplify and accelerate safe bring your own device (BYOD) deployments.The switched, wireless, and routing infrastructure provides the policy enforcement building block. These network devices are instructed by ISE to ensure that only the expected communications is permitted through the network.ISE utilizes standards-based RADIUS for authentication and authorization functions. User credentials are passed from the NAS to Cisco ISE via a RADIUS Access-Request message. Cisco ISE generally consults an external identity source, such as Microsoft Active Directory or LDAP, for credential verification and for user and group attributes. After the user identity is verified and its account attributes are processed, an appropriate authorization profile can be applied to its session. *Cisco ISE conveys the associated authorization policy to the NAS in a RADIUS Access-Accept reply*. Both posturing (OS version, patches, antivirus) and profiling (device type) can then be applied and used to determine what resources the user can access.
2.2.e Describe authentication and authorization using ACS and ISE (ACS)
Cisco Secure ACS is a robust AAA server offering both TACACS+ and RADIUS services in one system. With ACS, an organization can centralize both user network access policies and network device administrative access policies in one server. Most network devices rely on the TACACS+ and RADIUS protocols to communicate with AAA servers. Some network devices have the ability to interact directly with Active Directory (AD) or LDAP for authentication purposes. Although Cisco Secure ACS can be integrated to use the AD service, Microsoft Windows Server can also be configured as an AAA server. 1. The client establishes a connection with the router in an attempt to access a protected resource. 2. The router passes the username and password to the ACS server. 3. The ACS server consults the LDAP or AD server. 4. Based on information that is found in the LDAP or AD server database, the ACS server informs the router that the user is or is not authenticated. 5. The router passes the authentication results on to the client.
Info on config (authorization)
Example 25-3 continues to build on Examples 25-1 and 25-2 by adding authorization for access to the EXEC shell (in other words, the CLI) and authorization for access to privilege level 15 and global configuration commands. Both authorization lists are then applied to the vty lines.
Info on config (accounting)
Example 25-4 continues to build on Example 25-3 by adding the command that will cause an accounting record to be sent at the start of an administrative access session to the device's EXEC process, and another accounting record to be sent at the end of the session. Also, a second command is added that causes an accounting record to be sent for every privilege level 15 command and every configuration mode command that is entered by the user. Both accounting lists are then applied to the vty lines.
Info on config (authentication)
In Example 25-1, we are enabling AAA globally and then configuring the parameters for two AAA servers: a TACACS+ server at address 172.16.255.100 and a RADIUS server at address 172.16.255.101. Since TACACS+ uses TCP, we are using the single-connection command to maintain a single TCP connection for the duration of the session. The RADIUS server is using the standard UDP port numbers instead of the legacy Cisco values. Finally, we have defined a shared secret key to use for each protocol.When the AAA security servers have been identified, the servers must be included in the method list of the aaa authentication login command.
Info on config (server authentication)
In Example 25-2, we define three authentication lists: default, NOAUTH, and SRVAUTH. Each list uses specific authentication methods. For redundancy, a local user has been configured on R1 in case both the TACACS+ and RADIUS servers are unavailable. The default list is then applied to HTTP authentication attempts, while the NOAUTH list is applied to the console line, and the SRVAUTH list is applied to the vty lines. Notice that only SSH connections are permitted on the vty lines.
AAA - Authorization
Now that authentication has been enabled, we need to look at controlling what actions and commands a user is allowed to perform. When AAA authorization is not enabled, all users are allowed full access. After authorization is started, the default changes to allow no access. This means that the administrator must create a user with full access rights before authorization is enabled. Failure to do so immediately locks the administrator out of the system the moment the aaa authorization command is entered.
2.2.b Configure administrative access on a Cisco router using TACACS+ and Radius (Authentication config)
R1(config)# aaa new-model R1(config)# tacacs server TACSRV R1(config-server-tacacs)# address ipv4 172.16.255.100 R1(config-server-tacacs)# single-connection R1(config-server-tacacs)# key SecretTACACS R1(config-server-tacacs)# exit R1(config)# radius server RADSRV R1(config-radius-server)# address ipv4 172.16.255.101 auth-port 1812 acct-port 1813 R1(config-radius-server)# key SecretRADIUS R1(config-radius-server)# exit
2.2.b Configure administrative access on a Cisco router using TACACS+ and Radius (Authentication server based)
R1(config)# username ADMIN privilege 15 algorithm-type scrypt secret ADMINPass R1(config)# aaa authentication login default group tacacs+ group radius local-case R1(config)# aaa authentication login NOAUTH none R1(config)# aaa authentication login SRVAUTH group tacacs+ group radius local-case R1(config)# ip http authentication aaa login-authentication default R1(config)# line con 0 R1(config)# login authentication NOAUTH R1(config)# exitR1(config)# line vty 0 4 R1(config)# transport input ssh R1(config)# login authentication SRVAUTH
Radius
RADIUS is a general-purpose AAA protocol that is used across many technologies, including network access via wireless access points, wired switches, VPN, and administrative access to network devices. It is a fully open standard protocol developed by Livingston Enterprises and is described in RFC 2865 and RDF 2866.RADIUS is a distributed client/server system that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco devices and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.A RADIUS server listens on either UDP 1645 (legacy) or 1812 for authentication and authorization and either UDP 1646 (legacy) or 1813 for accounting. Communication between the NAS and RADIUS server is not completely secure; only the password portion of the RADIUS packet header is encrypted.As illustrated in Figure 26-2, the RADIUS authentication process between the NAS and RADIUS server starts when a client attempts to connect to the network. The NAS prompts the user, requesting a username and password. The user sends his or her credentials to the NAS. The NAS then sends the authentication request (Access-Request) to the RADIUS server. The RADIUS server responds with an Access-Accept message (if the user is successfully authenticated) or an Access-Reject (if the user is not successfully authenticated).
TACACS+ and radius comparison
https://learning.oreilly.com/library/view/31-days-before/9780134423821/graphics/26tab02.jpg
What command quickly verifies if the AAA clients and the AAA server are authenticated
test aaa group (enable command)