Suppose you manage hundreds of Cisco devices; how can you control access to them and secure them against unauthorized access? You can use local usernames, but that approach is neither scalable nor granular; the alternative is an AAA server. In fact, the benefits of AAA are:
- Increased flexibility and control of access configuration.
- Scalability.
- Standardized authentication methods.
- Multiple backup systems.
Additionally, AAA provides a modular way of performing the following services:
Authentication is the way a user is identified prior to being allowed access to the network and network services.
Authorization works by assembling a set of attributes that describe what the user is authorized to perform. These attributes are compared to the information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions.
Accounting enables you to track the services users are accessing as well as the amount of network resources they are consuming.
A typical AAA server is Radius (Remote Authentication Dial-In User Service): it is an open protocol, distributed client/server system that provides Authentication, Authorization and Accounting (AAA) management.
Remember: In Radius, authentication and authorization are coupled together. If the username is found and the password is correct, the RADIUS server returns an Access-Accept response, including a list of attribute-value pairs that describe the parameters to be used for this session.
RADIUS server configuration on Cisco IOS is performed in a few steps:
Enable the AAA feature:
aaa new-model
Define the RADIUS server and its shared key:
radius server radius-ise
 address ipv4 192.168.245.123
 key c1sc0ziN3
Define a RADIUS server group:
aaa group server radius radius-ise-group
 server name radius-ise
Remember: The RADIUS group can contain more than one server for redundancy/load balancing.
Note: If the “radius server” command is not supported, you need to use the legacy commands:
radius-server host 192.168.245.123 key c1sc0ziN3
aaa group server radius radius-ise-group
 server 192.168.245.123
After that, it is possible to define the method lists:
aaa authentication login VTY_authen group radius-ise-group local
aaa authorization exec VTY_author group radius-ise-group local
aaa accounting exec default start-stop group radius-ise-group
These lines define the AAA behaviour: if the RADIUS server is alive, use the group “radius-ise-group”; otherwise fall back to the local usernames defined with the command:
username "username" privilege 15 secret "password"
Now it is possible to link the “VTY_authen” and “VTY_author” templates to the vty lines:
line vty 0 4
 authorization exec VTY_author
 login authentication VTY_authen
Tip: add these lines
aaa authentication login default none
aaa authorization exec default none
so that default authentication/authorization is not permitted.
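As an added defender-side check that is not part of the original post: a small Python audit that cross-references the method lists, server group and vty bindings in a running-config fragment assembled from the commands above. The fragment (including a second vty range with no login list bound) is constructed for illustration; the audit also reports the `none` method, because a line that falls back to a `default none` list is not authenticated at all.

```python
import re

# Constructed sample: the post's commands as a running-config fragment, plus the
# 'default none' tip and a second vty range that binds no login list.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius radius-ise-group
 server name radius-ise
aaa authentication login VTY_authen group radius-ise-group local
aaa authorization exec VTY_author group radius-ise-group local
aaa authentication login default none
line vty 0 4
 authorization exec VTY_author
 login authentication VTY_authen
line vty 5 15
 authorization exec VTY_author
"""

def audit_aaa(config: str) -> list[str]:
    lines = config.splitlines()
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: named method lists are never consulted")
    groups = {m.group(1) for l in lines
              if (m := re.match(r"aaa group server radius (\S+)", l))}
    lists = {"login": {}, "exec": {}}  # kind -> {list name: [methods]}
    for l in lines:
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", l)
        if m:
            lists["login" if "login" in m.group(1) else "exec"][m.group(2)] = m.group(3).split()
    for kind, defs in lists.items():
        for name, methods in defs.items():
            for prev, tok in zip(methods, methods[1:]):  # every 'group X' needs a defined group
                if prev == "group" and tok not in groups:
                    findings.append(f"{kind} list {name}: server group {tok} is not defined")
            if methods == ["none"]:  # 'none' = lines using this list are not checked at all
                findings.append(f"{kind} list {name}: method 'none' skips {kind} entirely")
    sections, cur = {}, None  # 'line ...' stanza -> its sub-commands
    for l in lines:
        cur = l if l.startswith("line ") else (cur if l.startswith(" ") else None)
        if cur:
            sections.setdefault(cur, []).append(l.strip())
    for sec, cmds in sections.items():
        for kind, prefix in (("login", "login authentication "), ("exec", "authorization exec ")):
            ref = next((c[len(prefix):] for c in cmds if c.startswith(prefix)), None)
            if ref is not None and ref not in lists[kind]:
                findings.append(f"{sec}: {kind} list {ref} is not defined")
            elif ref is None and kind == "login":  # unbound lines fall back to the default list
                findings.append(f"{sec}: no login list bound, uses default "
                                f"{' '.join(lists['login'].get('default', ['<not configured>']))}")
    return findings
```

Run it against the output of `show running-config | section aaa|line` saved to a file to get the same findings for a real device.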
Once the RADIUS server configuration is done, you can log in to the devices with the username/password defined on the server!
Other tips
In the previous commands, the AAA template is applied to the vty lines. What about the console? If you want to access the console using only the enable password, use this template:
aaa authentication login CONSOLE enable
line con 0
 privilege level 15
 login authentication CONSOLE
Note: The command “privilege level 15” gives direct access to privileged EXEC mode.
And what about the HTTP server, if enabled? To authenticate via RADIUS, add these lines:
ip http authentication aaa login-authentication VTY_authen
ip http authentication aaa exec-authorization VTY_author
Troubleshooting
To validate that the Cisco device can access and securely communicate with the RADIUS server:
test aaa group radius-ise-group "username" "password" new-code
Two results can occur.
Authentication success:
Ciscozine#test aaa group radius-ise-group fabio myp4ssw0rD new-code
User successfully authenticated

USER ATTRIBUTES
username             "fabio"
service-type         1 [Login]
priv-lvl             15 (0xF)
Ciscozine#
Failed authentication:
Ciscozine#test aaa group radius-ise-group fabio wr0ngpwd new-code
User rejected
Ciscozine#
Some useful show commands are “show radius server-group all” and “show aaa servers”, while “debug radius”, “debug aaa authentication” and “debug aaa authorization” are helpful during troubleshooting.
Watch out for chatty NMS systems that connect to the devices at a relatively high (n/sec) rate; it will look like a DDoS attack on your RADIUS server coming from every network device.