***************************** Cisco - Managing Switch Users ***************************** AAA Overview ============ - Used to manage user activity by controlling and reporting on their actions - AAA Functions * Authentication - Who is the user? * Authorization - What is the user allowed to do? * Accounting - What did the user do? - After successfull login, users are given "User Exec" level privileges - An "Enable" secret is entered which grants additional privileges - Local usernames can be configured on the switch, not scaleable - Centralised authentication can be done through TACAC+ or RADIUS Centralised Authentication -------------------------- - Client/Server model - Switches as clients known as "Network Access Device" (NAD) or "Network Access Server" (NAS) - Cisco provides AAA services through two products * Identity Service Engine (ISE) * Secure Access Control Server (ACS) Terminal Access Controller Access Control System (TACACS+) ---------------------------------------------------------- - Cisco Proprietary - Uses TCP Port 49 for secure/encrypted communication Remote Access Dial-In User Service (RADIUS) ------------------------------------------- - Standards Based - Uses UDP Ports 1812 (Authentication) and 1813 (Accounting) - Not all traffic is encrypted Method Lists ============ - Used to group vvarius authentication/authorisation methods for easier reuse - Authentication methods * TACACS+ - Try each server defined until success or positive denial * RADIUS - Try each server defined until success or positive denial * LOCAL - Check the entered details against configured users on the local switch * LINE - Authenticate against password defined on VTP/console, does not use a username - Authorization Methods * Commands - Server must give permit for any command at any privilege level * Config-Commands - Server must give permission for config commands * Configuration - Server must vie permisson to enter config mode * Exec - Server must give permission to run exec session * Network - Server must return permission to use network related sessions * Reverse-Access - Server must give permission for reverse telnet sessions - Only TACACS+ supports per-command authorisation, RADIUS is all or nothing Accounting ========== - Records activities performed by a user - Supported by RADIUS and TACACS+ - Accounting Levels * System - Major swich events (E.g. reload) * Exec - User authenticated into an Exec session (IP, Time and duration are recorded) * Commands - Info on commands running at the specified level - Accounting Times * Start-Stop - Events recorded at both beginning and end * Stop-Only - Events recorded at end of action * none - No events recorded Configuring Authentication ========================== **Enable AAA on the Switch** :: aaa new-model **Create Local Users** :: username password **Define RADIUS server** :: radius-server host {|} [key ] **Define TACACS+ server** :: tacacs-server host {|} [key ] **Define Server Groups and Included Servers** :: aaa group server {radius|tacacs+} server **Define Method List For Authentiation** :: aaa authentiation login {default | } [ ...] **Apply the method list to a switch line** :: line {vty|con} login authentication {default|} Configure Authorisation ======================= **Define Authorization Method List** :: aaa authorization {commands|config-commands|configuration|exec|network|reverse-access} {default|} [ ...] **Apply method list too specific line** :: line {vty|con} login authorization {default|} Configure Accounting ==================== **Define Accounting Method List** :: aaa accounting {system|exec|commands } {default|} {start-stop|stop-only|wait-start|none} [ ...] **Apply method list to required lines** :: line {vty|con} login accounting {default|}