CCNP ISCW Notes

1 Apr 2008

Chapter 20: Using AAA to Scale Access Control

AAA

Authentication, Authorization, and Accounting (AAA) has two access modes:

  • Character Mode - Used on VTY, auxiliary, and console lines to access the CLI
  • Packet Mode - Used on physical interfaces and dialer profiles for inter-device authentication (PPP, ARAP, or NASI)

TACACS+

Developed by Cisco, defined in RFC 1492.

TACACS+ uses TCP.

TACACS+ allows for encryption of the entire packet body.

TACACS+ separates authentication and authorization, allowing a different backend to be used for each.

TACACS+ has better multiprotocol support than RADIUS.

Only TACACS+ provides command-specific authorization.

Configuration example:

aaa new-model
tacacs-server host 10.18.0.27
tacacs-server key SharedSecret
username Steve secret <hash>
! Methods are tried left to right: TACACS+ server group first, then the local user database
aaa authentication ppp dial-list group tacacs+ local
aaa authorization commands 15 default group tacacs+ if-authenticated none
aaa accounting network default start-stop group tacacs+

RADIUS

Defined in RFC 2865

RADIUS uses UDP.

RADIUS only encrypts passwords within an access-request packet.

RADIUS combines authentication and authorization.

Configuration example:

aaa new-model
radius-server host 10.18.0.27
radius-server key SharedSecret
username Steve secret <hash>
aaa authentication ppp dial-list group radius local
aaa authorization network default group radius local
! A named list such as mynetwork only takes effect once applied to an interface (ppp accounting mynetwork)
aaa accounting network mynetwork start-stop group radius
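The two encryption statements above (TACACS+ hides the whole packet body, RADIUS hides only the password inside an Access-Request) are easier to weigh when you see the actual transforms. The following is an added example, not part of the original notes and not IOS code: the RADIUS User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5, written in Python. The shared secret is the SharedSecret from the configs; the username, password, Request Authenticator, session ID and the simplified attribute layout are constructed values chosen for reproducibility.

```python
"""Added example: how RADIUS (RFC 2865) and TACACS+ (RFC 8907) hide
credentials on the wire. Constructed values throughout; not IOS code."""
import hashlib
import struct


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: hide the User-Password attribute only.

    The password is NUL-padded to a multiple of 16 octets; each chunk is XORed
    with MD5(secret + previous ciphertext chunk), the first chunk using the
    16-octet Request Authenticator. Nothing else in the Access-Request is
    hidden, so User-Name, NAS-IP-Address and the rest travel in the clear.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password is limited to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        chunk = _xor(padded[i:i + 16], _md5(secret, prev))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password (what the server does). Trailing NUL
    padding is stripped, so a password that genuinely ends in NUL is ambiguous."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        clear += _xor(chunk, _md5(secret, prev))
        prev = chunk
    return bytes(clear).rstrip(b"\x00")


def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pseudo-pad:
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    concatenated and truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = _md5(prefix, prev)
        pad += prev
    return pad[:length]


def tacacs_plus_obfuscate(body: bytes, session_id: int, key: bytes,
                          version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the entire packet body (everything after the 12-octet header) with
    the pseudo-pad. XOR is its own inverse, so the same call de-obfuscates."""
    return _xor(body, tacacs_plus_pad(session_id, key, version, seq_no, len(body)))


def wire_exposure(secret: bytes = b"SharedSecret") -> dict:
    """Constructed login via each protocol; report what a passive observer
    between router and AAA server could still read directly off the wire."""
    username, password = b"Steve", b"s3cret-pa55"
    authenticator = bytes(range(16))     # constructed; real ones are random per request
    session_id = 0x1234ABCD              # constructed; real ones are random per session
    hidden = radius_hide_password(password, secret, authenticator)
    # Simplified attribute layout: only the User-Password value is transformed.
    radius_wire = b"User-Name=" + username + b"|User-Password=" + hidden
    tacacs_body = b"user=" + username + b"\x00pass=" + password
    tacacs_wire = tacacs_plus_obfuscate(tacacs_body, session_id, secret)
    return {
        "radius_username_visible": username in radius_wire,
        "radius_password_visible": password in radius_wire,
        "tacacs_username_visible": username in tacacs_wire,
        "tacacs_password_visible": password in tacacs_wire,
        "radius_roundtrip": radius_reveal_password(hidden, secret, authenticator) == password,
        "tacacs_roundtrip": tacacs_plus_obfuscate(tacacs_wire, session_id, secret) == tacacs_body,
    }


if __name__ == "__main__":
    for name, value in wire_exposure().items():
        print(f"{name}: {value}")
```

Running it shows the RADIUS username in the clear next to the hidden password, while the TACACS+ body hides both. Note that both schemes are MD5-keyed XOR pads, not modern authenticated encryption, and RFC 8907 itself says the TACACS+ obfuscation should not be relied on in place of a protected transport such as IPsec; in practice that means keeping the path between the router and the AAA server on a management network or tunnel regardless of which protocol you pick.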

Debugging

  • debug aaa authentication
  • debug aaa authorization
  • debug aaa accounting
  • debug radius
  • debug tacacs

Gerard Metoho-Eke commented on 11 Sep 2008 at 7:24 a.m.

One of the best summaries I have seen. It makes life easier and time well spent. Good job. Gerard

sam commented on 15 Sep 2008 at 3:18 a.m.

nice work
