Cisco IOS supports minimal password authentication at the console/VTY line and privilege exec boundaries, through the use of static, locally defined passwords. For example:
enable secret 5 $1$J19J$Q2jB2AM64H0U001nHStLW1
!
no aaa new-model
!
line con 0
 password 7 0532091A0C595D1D3B00351D190900
 login
line vty 0 15
 password 7 152B0419293F38300A36172D010212
 login
While easily implemented, this approach is far from ideal for a production network. For much more robust and easily managed authentication schemes, IOS supports the Authentication, Authorization, and Accounting (AAA) model, using the RADIUS or TACACS+ protocols to centralize these functions on dedicated AAA servers.
This article will look at deploying a typical IOS router AAA configuration which must meet two requirements:
- All users logging into the router must authenticate with a username and password to one of two redundant TACACS+ servers.
- Users must be able to log in using a backup local user account stored on the router only if neither TACACS+ server is reachable.
This article assumes that all back-end AAA server configuration has been completed and is working.
Configuring AAA on IOS for general administrative access entails four basic steps:
- Enable the "new model" of AAA.
- Configure the server(s) to be used for AAA (e.g. TACACS+ servers).
- Define authentication and authorization method lists.
- Enforce AAA authentication on the relevant lines (e.g. console and VTY lines).
Step 0: Create a backup user account
Although not technically a part of AAA configuration, we want to ensure a backup user account exists in the event the AAA servers become unreachable, so that we can still log in to the router.
Router(config)# username BackupAdmin privilege 15 secret MySecretPassword
Step 1: Enabling AAA
The new AAA model of authentication is enabled with a single command, which unlocks all other aaa commands on the command line interface. Note that this command will break non-AAA line and enable passwords.
Router(config)# aaa new-model
Step 2: Configuring the TACACS+ servers
Next we need to configure the addresses of the AAA servers we want to use. This example shows the configuration of TACACS+ servers, but the concept applies to RADIUS servers as well.
There are two approaches to configuring TACACS+ servers. In the first, servers are specified in global configuration mode using the command tacacs-server to specify an IP address and shared secret key for each server:
Router(config)# tacacs-server host 192.168.1.3 key MySecretKey1
Router(config)# tacacs-server host 192.168.2.3 key MySecretKey2
This approach is sufficient for many deployments, but is problematic if you want to reference only a subset of the defined servers for a certain AAA function. For example, suppose you want to use one TACACS+ server for control plane authentication on the router itself, and the second server for authenticating PPP connections. In this case, you would assign the servers to named AAA server groups:
Router(config)# aaa group server tacacs+ LoginAuth
Router(config-sg-tacacs+)# server 192.168.1.3
Router(config)# aaa group server tacacs+ PPPAuth
Router(config-sg-tacacs+)# server 192.168.2.3
Note that if using server groups, the servers are still defined with tacacs-server in global configuration mode. (Servers can optionally be defined only within a group by using the command private-server under group configuration.)
Step 3: Define the AAA method lists
Next we need to define a method list which instructs the router to use AAA authentication for terminal logins.
Router(config)# aaa authentication login default group tacacs+ local
This is a rather lengthy command, so let's work through it one bit at a time.
aaa authentication login specifies that the following parameters are to be used for user login authentication. The word default is used in lieu of a custom name for the list (you can only define one default list for each AAA function).
The rest of the line specifies authentication methods.
group tacacs+ means "use all configured TACACS+ servers." If you defined a named server group in step two, use the name of that group in place of the word tacacs+.
local defines a secondary authentication mechanism; it instructs the router to fail over to locally defined user accounts if none of the authentication servers in the first method are reachable. (Note that this only happens if the servers are unreachable; a response from a server denying authentication will not trigger a fail-over to local authentication.)
The above method list handles only the authentication aspect of AAA. By itself, this list only allows us to authenticate as a user with privilege level 1 (user exec mode). To communicate a heightened privilege level (e.g. privilege level 15, or "enable mode") from the TACACS+ server, we also need to define an authorization method list for IOS shell creation.
Router(config)# aaa authorization exec default group tacacs+ local
You can see that the authorization method list follows the same logic as our first list, the only difference being that this list is used for exec (shell) authorization rather than login authentication.
Step 4: Enforcing AAA authentication on terminal lines
This last step has actually been done for us already by enabling AAA in step one. However, if we were to create a custom authentication method list for these lines, we would use the commands below, substituting the method list name for the word default:
Router(config)# line console 0
Router(config-line)# login authentication default
Router(config)# line vty 0 15
Router(config-line)# login authentication default
These commands will not appear in the running configuration if the default method list is specified.
At this point, we should have a fully functional AAA configuration for console authentication and authorization.
stretch@Sandbox ~ $ telnet 192.168.1.132
Trying 192.168.1.132...
Connected to 192.168.1.132.
Escape character is '^]'.
Username: jstretch
Password:
Router#
Notice that upon logging in I was immediately placed into privileged exec mode without having to use the command enable. This is our authorization method list at work. And remember, if the TACACS+ servers become unreachable, we can log into the router using the local user account we created in step zero.
The completed AAA configuration is included below.
aaa new-model
!
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
username BackupAdmin privilege 15 secret 5 $1$qLGb$VQ6BdqCEpzGZqPeC779Uh1
!
tacacs-server host 192.168.1.3 key 7 062B1612494D1B1C113C17125D
tacacs-server host 192.168.2.3 key 7 143A0B380907382E3003362C70
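As an added example (my own code, not part of the original article), here is a small Python check that parses a configuration like the one above, audits it against the two requirements set out at the start, and models the fail-over rule from step 3 (local accounts are consulted only when the servers are unreachable, not when they deny). The sample config is a constructed copy of the completed configuration with placeholder hash and keys.

```python
import re
# Constructed test input: the article's completed config (hash/keys are placeholders).
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
username BackupAdmin privilege 15 secret 5 $1$xxxx$PLACEHOLDERHASH
tacacs-server host 192.168.1.3 key 7 PLACEHOLDERKEY1
tacacs-server host 192.168.2.3 key 7 PLACEHOLDERKEY2
"""

def method_list(config, function, name="default"):
    """Ordered methods of 'aaa <function> <name> ...', e.g. ['group tacacs+', 'local']."""
    m = re.search(rf"^aaa {function} {name} (.+)$", config, re.M)
    toks = m.group(1).split() if m else []
    out, i = [], 0
    while i < len(toks):
        step = 2 if toks[i] == "group" else 1  # 'group <name>' is one method
        out.append(" ".join(toks[i:i + step]))
        i += step
    return out

def audit(config):
    """Findings against the article's two requirements; empty means compliant."""
    findings = []
    if not re.search(r"^aaa new-model$", config, re.M):
        findings.append("aaa new-model not enabled")
    for fn in ("authentication login", "authorization exec"):
        methods = method_list(config, fn)
        if not any(m.startswith("group ") for m in methods):
            findings.append(f"{fn}: default list does not use an AAA server group")
        if not methods or methods[-1] != "local":
            findings.append(f"{fn}: default list does not end with local fallback")
    if len(re.findall(r"^tacacs-server host \S+", config, re.M)) < 2:
        findings.append("fewer than two TACACS+ servers defined")
    if not re.search(r"^username \S+ privilege 15 secret ", config, re.M):
        findings.append("no privilege-15 local backup account")
    return findings

def login_outcome(methods, servers_reachable, server_accepts, local_accepts):
    """Model IOS fail-over: next method only when servers are unreachable, never on deny."""
    for m in methods:
        if m.startswith("group "):
            if servers_reachable:
                return "accept" if server_accepts else "deny"
            continue  # unreachable: fall through to the next method
        if m == "local":
            return "accept" if local_accepts else "deny"
    return "deny"  # every method exhausted without an answer
```

Run `audit()` over a saved running-config to confirm the fallback ordering before relying on it; `login_outcome()` makes the point from step 3 explicit: a reachable server that denies the user is final, and only an unreachable server pool lets the local account in.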
UPDATE: I've added a packet capture of the TACACS+ authentication and authorization requests made by the router during a user login.