
Configuring AAA on a Cisco Router Using the Local Database

AAA is widely supported in Cisco IOS Software as an additional security service for securing access to network devices and networks. One of the options you have when configuring your network to work with AAA is to use a local username and password database, which provides stronger security than a simple line password. Smaller organizations are likely to configure AAA to operate locally.

Authentication, Authorization, and Accounting

Access control is the way you control who is allowed access to the access server or router and which services they are allowed to use once they have access. AAA network security services provide the primary framework through which you set up access control on your router. AAA services provide a higher degree of scalability than the line-level and privileged EXEC authentication commands alone.

Unauthorized access in campus, dialup, and Internet environments creates the potential for network intruders to gain access to sensitive network equipment and services. The Cisco AAA architecture enables systematic and scalable access security.

Network and administrative access security in the Cisco environment, whether it involves campus, dialup, or IPsec VPN access, is based on a modular architecture that has three functional components:

  • Authentication: Authentication requires users and administrators to prove that they really are who they say they are. Authentication is established using a username and password, challenge and response, token cards, and other methods, such as “I am user student and my password validateme proves it.”

  • Authorization: After authenticating the user or administrator, authorization services decide which resources that user or administrator is allowed to access and which operations they are allowed to perform, such as “User student can access host serverXYZ using Telnet.”

  • Accounting and auditing: Accounting records what the users and administrators actually did, what they accessed, and for how long they accessed it. Accounting keeps track of how network resources are used, such as “User student accessed host serverXYZ using Telnet for 15 minutes.”

Introduction to AAA for Cisco Routers

Two examples of AAA implementation include authenticating remote users that are accessing the corporate LAN through dialup or Internet (IPsec VPN) connections, as shown in Figure 2-9, and authenticating administrator access to the router console port, auxiliary port, and vty ports.

Figure 2-9: Implementing Cisco AAA

Cisco networking products support AAA access control using a local username and password database or remote security server databases. A local security database is configured in the router for a small group of network users with the username xyz password strongpassword command or, preferably, the username xyz secret strongsecretpassword command. A remote security database is a separate server that provides AAA services for multiple network devices and a large number of network users by running the RADIUS or TACACS+ protocol.

Cisco provides four ways to implement AAA services for Cisco routers:

  • Self-contained AAA: AAA services can be self-contained in the router or network access server (NAS) itself. This form of authentication is also known as local authentication.


    Note

    The official Cisco definition of NAS is “network access server. Cisco platform (or collection of platforms, such as an AccessPath system) that interfaces between the packet world (for example, the Internet) and the circuit world (for example, the PSTN).”

    Source: Internetworking Terms and Acronyms, http://www.cisco.com/en/US/docs/internetworking/terms_acronyms/N12.html.

  • Cisco Secure Access Control Server (ACS) for Microsoft Windows Server: AAA services on the router or NAS contact an external Cisco Secure ACS for Microsoft Windows system for user and administrator authentication.

  • Cisco Secure ACS Express: This is an entry-level RADIUS and TACACS+ AAA server appliance. AAA services on the router or NAS contact an external Cisco Secure ACS Express device for user and administrator authentication. Cisco ACS Express is available as a one rack unit (RU), security-hardened appliance with a preinstalled Cisco Secure ACS Express license. Cisco ACS Express supports a maximum of 50 AAA clients and 350 unique user logons in a 24-hour period.

  • Cisco Secure ACS Solution Engine: AAA services on the router or NAS contact an external Cisco Secure ACS Solution Engine for user and administrator authentication.

Using Local Services to Authenticate Router Access

If you have one or two NAS devices or routers that provide access to your network for a limited number of users, you can store username and password security information locally on the Cisco NAS devices or routers. This is referred to as local authentication on a local security database. Local authentication has the following characteristics:

  • Used for small networks

  • Stores usernames and passwords in the Cisco router or Cisco NAS

  • Users authenticate against the local security database in the Cisco router or Cisco NAS

  • Does not require an external database

The system administrator must populate the local security database by specifying username and password profiles for each user that might log in.

Figure 2-10 shows how local authentication typically works.

Figure 2-10: Implementing Authentication Using Local Services

  1. The client establishes a connection with the router.

  2. The router prompts the user for a username and password.

  3. The router authenticates the username and password against the local database. The user is authorized to access the network based on information in the local database.

Authenticating Router Access

You can use AAA to secure two different types of router access mode. The mode refers to the format of the packets that are requesting AAA services:

  • Character mode: A user is sending a request to establish an EXEC mode process with the router, for administrative purposes.

  • Packet mode: A user is sending a request to establish a connection through the router with a device on the network.

With the exception of accounting commands, all the AAA commands apply to both character mode and packet mode.

For a truly secure network, you must configure the router to secure both administrative access and remote LAN network access using AAA services.

Table 2-10 compares the router access modes, port types, and AAA command elements.

Table 2-10: Router Access

Access Type                  | Modes                         | NAS Ports                        | Specifications
-----------------------------|-------------------------------|----------------------------------|--------------------
Remote administrative access | Character (line or EXEC mode) | tty, vty, auxiliary, and console | login, exec, enable
Remote network access        | Packet (interface mode)       | async, group-async, BRI, and PRI | ppp, network

Configuring Local Database Authentication Using AAA

To configure AAA services to authenticate administrator access (character mode access) or network access (packet mode), follow these general steps:

  • Add usernames and passwords to the local router database for users who need administrative access to the router.

  • Enable AAA globally on the router, or confirm that it is already enabled.

  • Configure the AAA parameters on the router.

  • Confirm and troubleshoot the AAA configuration.

Configuring User Accounts Using Cisco SDM

The first step to configure AAA services for local authentication is to create users. Figure 2-11 shows the steps to use with Cisco SDM to create a user account in the local router database:

Figure 2-11: Implementing Authentication Using Local Services

Step 1

Choose Configure > Additional Tasks > Router Access > User Accounts/View.

Step 2

Click Add to add a new user.

Step 3

In the Add an Account window, enter the username and password in the appropriate fields to define the user account.

Step 4

From the Privilege Level drop-down list, choose 15 unless you have defined lesser privilege levels.

Step 5

If you have defined views, you can check the Associate a View with the User check box and choose from the View Name list the view that you want to associate with this user.

Step 6

Click OK.

Cisco SDM will generate the following CLI command:

username AAAadmin privilege 15 secret 5 $1$f16u$uKOO6J/UnojZ0bCEzgnQi1 view root

Enabling and Disabling AAA Using Cisco SDM

The next step in configuring AAA is to make sure AAA is enabled. To verify the AAA configuration and to enable or disable AAA, choose Configure > Additional Tasks > AAA, as shown in Figure 2-12. AAA is enabled by default in Cisco SDM. If you click Disable, Cisco SDM displays a message telling you that it will make configuration changes to ensure that the router can still be accessed after AAA is disabled. Disabling AAA prevents you from configuring your router as an Easy VPN server and from associating user accounts with CLI views.

Figure 2-12: Enabling and Disabling AAA Using Cisco SDM

In the CLI, use the global configuration command aaa new-model to enable AAA. Use the no form of this command to disable AAA.

Configuring AAA Authentication Using Cisco SDM

A method list is a sequential list of authentication methods to query to authenticate a user. Method lists enable you to designate one or more security protocols to be used for authentication, thus ensuring a backup system for authentication in case the initial method fails.

When you first enable AAA, there is a default method list named default, which is automatically applied to all interfaces and lines, but which has no authentication methods defined. To configure AAA authentication, you must first either define a list of authentication methods for the default method list, or configure your own named method lists and apply them to interfaces or lines. For flexibility, you can apply different method lists to different interfaces and lines. If an interface or line has a nondefault method list applied to it, that method list overrides the default method list.

Cisco IOS Software uses the first method listed to authenticate users. If that method fails to respond, the Cisco IOS Software selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method or until all methods defined in the method list have been exhausted.

It is important to note that the Cisco IOS Software attempts authentication with the next listed authentication method only when there is no response from the previous method. If authentication fails at any point in this cycle (meaning that the security server or local username database responds by denying the user access), the authentication process stops and no other authentication methods are attempted.

Follow these steps, shown in Figure 2-13, to configure the default method list for login authentication using the local database:

Figure 2-13: Configuring AAA Authentication Using Cisco SDM

Step 1

Choose Configure > Additional Tasks > AAA > Authentication Policies > Login and click Add.

Step 2

In the Add a Method List for Authentication Login window, verify that Default is selected in the Name drop-down list.

Step 3

Click Add.

Step 4

From the Select Method List(s) for Authentication Login window, choose Local from the method list.

Step 5

Click OK.

Step 6

Click OK.

Cisco SDM will generate the following CLI command:

aaa authentication login default local

Note

Remember to save your work by clicking the Save button in the toolbar across the top.

Additional AAA CLI Commands

To further secure administrative access to the router, you can specify the maximum number of failed AAA login attempts that can occur before an account is locked out. Currently, you can configure this option only from the CLI.

To specify the maximum number of unsuccessful authentication attempts before a user is locked out, use the aaa local authentication attempts max-fail command in global configuration mode. To remove the limit, use the no form of this command. The complete syntax for this command is as follows:

aaa local authentication attempts max-fail number-of-unsuccessful-attempts

To display a list of all locked-out users, use the show aaa local user lockout command in privileged EXEC mode.

Example 2-23 shows that user1 is locked out.

Example 2-23: show aaa local user lockout Command Output

R1# show aaa local user lockout
Local-user   Lock time
user1        04:28:49 UTC Sat Dec 15 2007

Use the clear aaa local user lockout command in privileged EXEC mode to unlock a locked-out user. The complete syntax is clear aaa local user lockout {username username | all}: specify a single user with the username parameter, or use the all keyword to unlock every locked-out user. When a user's configuration has changed and you need to discard the unsuccessful attempts already logged against the account, use the clear aaa local user fail-attempts username username or clear aaa local user fail-attempts all command.


Note

The aaa local authentication attempts max-fail command differs from the login delay command in how it handles failed attempts. The aaa local authentication attempts max-fail command locks the user account if the authentication fails. This account stays locked until it is cleared by an administrator. The login delay command introduces a delay between failed login attempts without locking the account.
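The method-list rules described under "Configuring AAA Authentication Using Cisco SDM" and the max-fail lockout described in this section can be put together in one small model. The following Python is an added illustration, not Cisco IOS code: LocalUserDatabase, authenticate_with_method_list, demo and the user admin1 with its password are hypothetical stand-ins, the hashing is PBKDF2 rather than the router's secret 5 format, and the model assumes that clearing a lockout also resets the failure count and that a list exhausted with no answer denies access.

```python
"""Model of how Cisco IOS walks an AAA login method list over a local user
database that enforces "aaa local authentication attempts max-fail".
Added illustration, not Cisco IOS code: every class, function and user name
here is hypothetical.  A method that gives no response hands off to the next
one, an explicit deny ends the walk, and a locked account stays locked until
an administrator clears it."""
import hashlib
import os
from enum import Enum
from typing import Callable, Dict, List, Optional, Set, Tuple


class Result(Enum):
    PASS = "PASS"    # the method authenticated the user
    FAIL = "FAIL"    # the method answered and denied the user
    ERROR = "ERROR"  # the method gave no answer (for example, server unreachable)


Method = Callable[[str, str], Result]


class LocalUserDatabase:
    """Stands in for the router's username/secret entries plus the failure
    counters behind the max-fail lockout."""

    def __init__(self, max_fail: int) -> None:
        self.max_fail = max_fail
        self._users: Dict[str, Tuple[bytes, bytes]] = {}  # name -> (salt, digest)
        self.fail_attempts: Dict[str, int] = {}
        self.locked: Set[str] = set()

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        # Salted, iterated hash standing in for the router's "secret 5" format.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, self._digest(salt, password))

    def authenticate(self, name: str, password: str) -> Result:
        """The LOCAL method: it always answers, so it never returns ERROR."""
        if name in self.locked:
            return Result.FAIL
        entry = self._users.get(name)
        if entry is None:
            return Result.FAIL
        salt, digest = entry
        if self._digest(salt, password) == digest:
            self.fail_attempts.pop(name, None)
            return Result.PASS
        self.fail_attempts[name] = self.fail_attempts.get(name, 0) + 1
        if self.fail_attempts[name] >= self.max_fail:
            self.locked.add(name)  # locked until cleared by an administrator
        return Result.FAIL

    def clear_lockout(self, name: Optional[str] = None) -> None:
        """Mirrors clear aaa local user lockout {username NAME | all}.  This
        model assumes that unlocking also resets the failure count."""
        for user in ([name] if name else list(self.locked)):
            self.locked.discard(user)
            self.fail_attempts.pop(user, None)

    def clear_fail_attempts(self, name: Optional[str] = None) -> None:
        """Mirrors clear aaa local user fail-attempts {username NAME | all}."""
        if name:
            self.fail_attempts.pop(name, None)
        else:
            self.fail_attempts.clear()


def authenticate_with_method_list(methods: List[Method], name: str, password: str) -> Result:
    """Walk the list in order.  Only ERROR (no response) moves on to the next
    method; PASS or FAIL from any method ends the walk.  If every method is
    exhausted without an answer, this model denies access (fails closed)."""
    for method in methods:
        outcome = method(name, password)
        if outcome is not Result.ERROR:
            return outcome
    return Result.FAIL


def demo() -> Dict[str, object]:
    db = LocalUserDatabase(max_fail=3)
    db.add_user("admin1", "correct-horse-battery")  # constructed credentials
    unreachable_server: Method = lambda name, password: Result.ERROR  # never replies
    denying_server: Method = lambda name, password: Result.FAIL      # replies, rejects
    results: Dict[str, object] = {}
    results["fallback_to_local"] = authenticate_with_method_list(
        [unreachable_server, db.authenticate], "admin1", "correct-horse-battery")
    results["deny_stops_list"] = authenticate_with_method_list(
        [denying_server, db.authenticate], "admin1", "correct-horse-battery")
    for _ in range(3):  # three bad passwords reach max-fail and lock the account
        authenticate_with_method_list([db.authenticate], "admin1", "wrong-password")
    results["locked_after_max_fail"] = "admin1" in db.locked
    results["locked_user_good_password"] = db.authenticate("admin1", "correct-horse-battery")
    db.clear_lockout("admin1")
    results["after_clear_lockout"] = db.authenticate("admin1", "correct-horse-battery")
    return results
```

The two stand-in servers make the distinction in the text concrete: an unreachable first method falls through to local and the login succeeds, whereas a server that replies with a denial stops the walk and local is never consulted. The lockout part shows why a locked account rejects even the correct password until the lockout is cleared.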

When a user logs in to a Cisco router and uses AAA, a unique ID is assigned to the session. Throughout the life of the session, various attributes that are related to the session are collected and stored internally within the AAA database. These attributes can include the IP address of the user, the protocol that is used to access the router (such as PPP or SLIP), the speed of the connection, and the number of packets or bytes that are received or transmitted.

To display the attributes that are collected for an AAA session, use the show aaa user {all | unique id} command in privileged EXEC mode.


Note

This command does not provide information for all of the users who are logged in to a device, but only for those who have been authenticated or authorized using AAA, or for those whose sessions are being accounted for by the AAA module.

As shown in Example 2-24, you can use the show aaa sessions command to display the unique ID of a session.

Example 2-24: show aaa sessions Command Output

R1# show aaa sessions
Total sessions since last reload: 4
Session Id: 1
Unique Id: 175
User Name: tecteam
IP Address: 10.30.30.2
Idle Time: 0
CT Call Handle: 0

Confirming and Troubleshooting the AAA Configuration

To configure AAA services to authenticate administrator access (character mode access) or network access (packet mode), follow these general steps:

  • Add usernames and passwords to the local router database for users who need administrative access to the router.

  • Enable AAA globally on the router, or confirm that it is already enabled.

  • Configure the AAA parameters on the router.

  • Confirm and troubleshoot the AAA configuration.

Example 2-25 shows what the running configuration looks like after configuring AAA for local authentication using Cisco SDM and the CLI.

Example 2-25: AAA Configuration

aaa new-model
aaa local authentication attempts max-fail 10
!
!
aaa authentication login default local

enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3.
enable password 7 15141905172924
!
username admin1 password 7 14161606050A7B7974786B
username admin2 secret 5 $1$ErWl$b5rDNK7Y5RHkxX/Ks7Hr00
username AAAadmin privilege 15 view root secret 5 $1$0GGC$1Y.WBhh7UQso8cJSkvv2N0
!
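Confirming the configuration can be partly automated. The following Python is an added example, not Cisco or SDM code: audit_aaa_config and parse_username_line are hypothetical names, and the configuration it reads is the text of Example 2-25. It checks that aaa new-model is present, that the default login list has at least one method, that a max-fail lockout is set, and flags every username or enable line that still uses password rather than secret (type 0 is plaintext and type 7 is a reversible encoding, so both are recoverable by anyone holding a copy of the configuration).

```python
"""Audit a Cisco IOS running-config excerpt for the AAA and credential
settings covered in this section.  Added example, not Cisco or SDM code;
the function and finding names are hypothetical.  SAMPLE_CONFIG is the
text of Example 2-25 above."""
import re
from typing import Dict, List, Optional

SAMPLE_CONFIG = """\
aaa new-model
aaa local authentication attempts max-fail 10
!
!
aaa authentication login default local
enable secret 5 $1$x1EE$33AXd2VTVvhbWL0A37tQ3.
enable password 7 15141905172924
!
username admin1 password 7 14161606050A7B7974786B
username admin2 secret 5 $1$ErWl$b5rDNK7Y5RHkxX/Ks7Hr00
username AAAadmin privilege 15 view root secret 5 $1$0GGC$1Y.WBhh7UQso8cJSkvv2N0
!
"""


def parse_username_line(line: str) -> Optional[Dict[str, object]]:
    """Pull name, privilege, view and credential kind/type out of a username
    line.  Handles both keyword orders seen in this section (view before or
    after the secret keyword)."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "username":
        return None
    entry: Dict[str, object] = {"name": tokens[1], "privilege": 1, "view": None,
                                "cred_kind": None, "cred_type": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "privilege" and i + 1 < len(tokens):
            entry["privilege"] = int(tokens[i + 1])
            i += 2
        elif tok == "view" and i + 1 < len(tokens):
            entry["view"] = tokens[i + 1]
            i += 2
        elif tok in ("password", "secret") and i + 1 < len(tokens):
            entry["cred_kind"] = tok
            if tokens[i + 1].isdigit() and i + 2 < len(tokens):
                entry["cred_type"] = int(tokens[i + 1])  # explicit encoding type
                i += 3
            else:
                entry["cred_type"] = 0  # no type keyword: stored in the clear
                i += 2
        else:
            i += 1
    return entry


def audit_aaa_config(config: str) -> Dict[str, object]:
    """Return the AAA facts found plus a list of findings a reviewer would raise."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    findings: List[str] = []
    aaa_enabled = "aaa new-model" in lines
    if not aaa_enabled:
        findings.append("aaa new-model is missing: AAA is not enabled")
    login_default: List[str] = []
    max_fail: Optional[int] = None
    for ln in lines:
        if ln.startswith("aaa authentication login default "):
            login_default = ln.split()[4:]  # the method keywords after "default"
        m = re.fullmatch(r"aaa local authentication attempts max-fail (\d+)", ln)
        if m:
            max_fail = int(m.group(1))
    if aaa_enabled and not login_default:
        findings.append("no methods on the default login method list")
    if max_fail is None:
        findings.append("no aaa local authentication attempts max-fail lockout configured")
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append("enable password present: remove it and rely on enable secret")
    weak_users: List[str] = []
    for ln in lines:
        entry = parse_username_line(ln)
        if entry and entry["cred_kind"] == "password":
            weak_users.append(str(entry["name"]))
            findings.append(f"username {entry['name']} uses a type {entry['cred_type']} "
                            "password (plaintext or reversible): reconfigure with secret")
    return {"aaa_enabled": aaa_enabled, "login_default_methods": login_default,
            "max_fail": max_fail, "weak_users": weak_users, "findings": findings}
```

Run against Example 2-25 the audit reports AAA enabled, the default login list set to local and a lockout after 10 failures, and raises two findings: the enable password line and the admin1 account, which is the one user still defined with password 7 instead of secret 5.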

To display information on AAA authentication, use the debug aaa authentication command in privileged EXEC mode. Use the no debug aaa authentication form of the command to disable this debug mode. Example 2-26 shows the debug output for a successful AAA authentication using the local database.

Example 2-26: Displaying AAA Authentication Information

R1# debug aaa authentication
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
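To read this output programmatically, for instance when checking a troubleshooting capture for which logins actually completed, the following Python is an added example, not Cisco code: summarize_authen and join_wrapped_lines are hypothetical names, and DEBUG_OUTPUT is the text of Example 2-26 including the lines wrapped by the terminal. It groups the AAA/AUTHEN records by transaction id, records the list, method, port, username and status sequence, and derives a verdict from the final status (PASS is authenticated, FAIL is denied, anything else is incomplete).

```python
"""Parse `debug aaa authentication` output into a per-transaction summary.
Added example, not Cisco code; the names are hypothetical.  DEBUG_OUTPUT is
the text of Example 2-26 above, including its wrapped continuation lines."""
import re
from typing import Dict, List

DEBUG_OUTPUT = """\
113123: Feb 4 10:11:19.305 CST: AAA/MEMORY: create_user (0x619C4940) user=''
ruser='' port='tty1' rem_addr='async/81560' authen_type=ASCII service=LOGIN priv=1
113124: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): port='tty1' list=''
action=LOGIN service=LOGIN
113125: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): using "default" list
113126: Feb 4 10:11:19.305 CST: AAA/AUTHEN/START (2784097690): Method=LOCAL
113127: Feb 4 10:11:19.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113128: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='(undef)')
113129: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETUSER
113130: Feb 4 10:11:26.305 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113131: Feb 4 10:11:26.305 CST: AAA/AUTHEN (2784097690): status = GETPASS
113132: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): continue_login
(user='diallocal')
113133: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = GETPASS
113134: Feb 4 10:11:28.145 CST: AAA/AUTHEN/CONT (2784097690): Method=LOCAL
113135: Feb 4 10:11:28.145 CST: AAA/AUTHEN (2784097690): status = PASS
"""

SEQ_RE = re.compile(r"^\d+: ")
# sequence number, timestamp, facility, optional (transaction id), message
RECORD_RE = re.compile(r"^(\d+): (.+?): (AAA/[A-Z/]+)(?: \((\d+)\))?: (.*)$")


def join_wrapped_lines(text: str) -> List[str]:
    """Re-attach lines the terminal wrapped (they lack a leading sequence number)."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if SEQ_RE.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += " " + line.strip()
    return records


def summarize_authen(text: str) -> Dict[str, Dict[str, object]]:
    """Group AAA/AUTHEN* records by transaction id and extract what each shows."""
    sessions: Dict[str, Dict[str, object]] = {}
    for record in join_wrapped_lines(text):
        m = RECORD_RE.match(record)
        if not m or m.group(4) is None:
            continue  # AAA/MEMORY lines carry no transaction id; skip them
        rest = m.group(5)
        s = sessions.setdefault(m.group(4), {
            "list": None, "method": None, "user": None, "port": None,
            "statuses": [], "verdict": "incomplete"})
        lm = re.search(r'using "(\w+)" list', rest)
        if lm:
            s["list"] = lm.group(1)
        mm = re.search(r"Method=(\w+)", rest)
        if mm:
            s["method"] = mm.group(1)
        pm = re.search(r"port='([^']+)'", rest)
        if pm:
            s["port"] = pm.group(1)
        um = re.search(r"user='([^']*)'", rest)
        if um and um.group(1) and um.group(1) != "(undef)":
            s["user"] = um.group(1)  # the name once the user has typed it
        sm = re.search(r"status = (\w+)", rest)
        if sm:
            s["statuses"].append(sm.group(1))
    for s in sessions.values():
        statuses = s["statuses"]
        last = statuses[-1] if statuses else None
        s["verdict"] = {"PASS": "authenticated", "FAIL": "denied"}.get(last, "incomplete")
    return sessions
```

The status sequence GETUSER, GETUSER, GETPASS, GETPASS, PASS is the pattern of a normal interactive login: the router asks for the username, then the password, then the LOCAL method answers. A transaction whose last status is FAIL is a denied login, and one that never reaches a final status is a prompt that was abandoned or is still open.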


