Cisco - Managing Switch Users¶
AAA Overview¶
- Used to manage user activity by controlling and reporting on their actions
- AAA Functions
- Authentication - Who is the user?
- Authorization - What is the user allowed to do?
- Accounting - What did the user do?
- After successfull login, users are given “User Exec” level privileges
- An “Enable” secret is entered which grants additional privileges
- Local usernames can be configured on the switch, not scaleable
- Centralised authentication can be done through TACAC+ or RADIUS
Centralised Authentication¶
- Client/Server model
- Switches as clients known as “Network Access Device” (NAD) or “Network Access Server” (NAS)
- Cisco provides AAA services through two products
- Identity Service Engine (ISE)
- Secure Access Control Server (ACS)
Terminal Access Controller Access Control System (TACACS+)¶
- Cisco Proprietary
- Uses TCP Port 49 for secure/encrypted communication
Remote Access Dial-In User Service (RADIUS)¶
- Standards Based
- Uses UDP Ports 1812 (Authentication) and 1813 (Accounting)
- Not all traffic is encrypted
Method Lists¶
- Used to group vvarius authentication/authorisation methods for easier reuse
- Authentication methods
- TACACS+ - Try each server defined until success or positive denial
- RADIUS - Try each server defined until success or positive denial
- LOCAL - Check the entered details against configured users on the local switch
- LINE - Authenticate against password defined on VTP/console, does not use a username
- Authorization Methods
- Commands - Server must give permit for any command at any privilege level
- Config-Commands - Server must give permission for config commands
- Configuration - Server must vie permisson to enter config mode
- Exec - Server must give permission to run exec session
- Network - Server must return permission to use network related sessions
- Reverse-Access - Server must give permission for reverse telnet sessions
- Only TACACS+ supports per-command authorisation, RADIUS is all or nothing
Accounting¶
- Records activities performed by a user
- Supported by RADIUS and TACACS+
- Accounting Levels
- System - Major swich events (E.g. reload)
- Exec - User authenticated into an Exec session (IP, Time and duration are recorded)
- Commands - Info on commands running at the specified level
- Accounting Times
- Start-Stop - Events recorded at both beginning and end
- Stop-Only - Events recorded at end of action
- none - No events recorded
Configuring Authentication¶
Enable AAA on the Switch
aaa new-model
Create Local Users
username <username> password <password>
Define RADIUS server
radius-server host {<hostname>|<ip>} [key <string>]
Define TACACS+ server
tacacs-server host {<hostname>|<ip>} [key <string>]
Define Server Groups and Included Servers
aaa group server {radius|tacacs+} <group-name>
server <ip>
Define Method List For Authentiation
aaa authentiation login {default | <list-name>} <method-1> [<method-x> ...]
Apply the method list to a switch line
line {vty|con}<number>
login authentication {default|<list-name>}
Configure Authorisation¶
Define Authorization Method List
aaa authorization {commands|config-commands|configuration|exec|network|reverse-access}
{default|<list-name>} <method-1> [<method-x> ...]
Apply method list too specific line
line {vty|con}<number>
login authorization {default|<list-name>}
Configure Accounting¶
Define Accounting Method List
aaa accounting {system|exec|commands <level>} {default|<list-name>}
{start-stop|stop-only|wait-start|none} <method> [<method-x> ...]
Apply method list to required lines
line {vty|con}<number>
login accounting {default|<list-name>}