RETIRED! Exam
By default, a Cisco IOS device authenticates users with a line password and authorizes them with the level 15 enable password. This is a problem for any organization that needs granular access control or the ability to trace activity back to one of several users. The solution is AAA (authentication, authorization and accounting), which lets an administrator configure granular access to, and auditing of, an IOS device. To enable this more advanced and granular control in IOS, the first step is the "aaa new-model" command.
Authentication is the process of identifying an individual, usually based on a username and password. Authentication is based on the idea that each individual user will have unique information that sets him or her apart from other users.
Authorization is the process of granting or denying a user access to network resources once the user has been authenticated through the username and password. The amount of information and the amount of services the user has access to depend on the user's authorization level.
Accounting is the process of keeping track of a user's activity while accessing the network resources, including the amount of time spent in the network, the services accessed while there and the amount of data transferred during the session. Accounting data is used for trend analysis, capacity planning, billing, auditing and cost allocation.
The configuration steps to enable AAA are as follows:
R1>enable
R1#configure terminal
R1(config)#aaa new-model
The given command is: aaa authentication login console line
In the above command:
i) The named list is console
ii) There is only one authentication method (line).
Once a named list (console in this example) is created, it must be applied to a line or interface to take effect. This is done with the login authentication <list-name> command:
line con 0
exec-timeout 0 0
password cisco
login authentication console
In the example above, the password "cisco" configured on line con 0 must be entered to get console access. The default list, if defined, is used on the tty, vty and aux lines that have no list of their own.
The syntax for a method list is as follows:
aaa type { default | list-name} method-1 [ method-2 method-3 method-4]
Given the AAA command:
aaa authentication login default group radius local
In the above command:
1. AAA type is authentication login
2. The named list is the default one (default).
3. There are two authentication methods (group radius and local).
All users are authenticated against the RADIUS server (the first method). Only if the RADIUS server does not respond is the router's local database (the second method) consulted; a reject from RADIUS is final and does not fall through to the local database. For local authentication, define a username and password:
username xxx password yyy
Because the list in the aaa authentication login command is named default, login authentication is automatically applied to all login connections (tty, vty, console and aux).
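To make the fall-through rule concrete, here is an added Python simulation (not Cisco code and not part of the original page) of how a list such as group radius local is evaluated. The RADIUS server, its reachability flag and every username and password are constructed for the example; the verdict names PASS, FAIL and ERROR are this example's own labels for "accepted", "rejected" and "method unavailable".

```python
"""Simulated IOS-style method-list evaluation for
'aaa authentication login default group radius local'.

Added example, not Cisco code: the server objects, credentials and
outcomes are constructed for illustration.
"""
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Verdict(Enum):
    PASS = "pass"      # method accepted the credentials
    FAIL = "fail"      # method reached a decision: reject
    ERROR = "error"    # method could not be consulted (timeout, unreachable)


# A method is a callable (username, password) -> Verdict.
Method = Callable[[str, str], Verdict]


def radius_group(servers: List[Dict[str, object]]) -> Method:
    """Build a 'group radius' method from a constructed list of servers.
    Each server dict has 'reachable' and 'users' (username -> password).
    Servers are tried in order; only if none of them answers does the
    group return ERROR, which lets the next method in the list run."""
    def method(user: str, password: str) -> Verdict:
        for srv in servers:
            if not srv["reachable"]:
                continue            # dead server: try the next one
            users = srv["users"]
            if users.get(user) == password:
                return Verdict.PASS
            return Verdict.FAIL     # server answered: a reject is final
        return Verdict.ERROR        # no server answered
    return method


def local_database(users: Dict[str, str]) -> Method:
    """Build the 'local' method from username/password entries."""
    def method(user: str, password: str) -> Verdict:
        return Verdict.PASS if users.get(user) == password else Verdict.FAIL
    return method


def authenticate(methods: List[Tuple[str, Method]], user: str, password: str) -> Tuple[bool, str]:
    """Walk the method list in order. PASS or FAIL ends the search;
    only ERROR (method unavailable) falls through to the next method.
    Returns (allowed, name of the method that decided)."""
    for name, method in methods:
        verdict = method(user, password)
        if verdict is Verdict.PASS:
            return True, name
        if verdict is Verdict.FAIL:
            return False, name
        # Verdict.ERROR: fall through to the next method
    return False, "none"   # every method errored: login is denied


def build_methods(radius_reachable: bool) -> List[Tuple[str, Method]]:
    """Constructed scenario: 'group radius local' with one RADIUS server."""
    radius_servers = [{"reachable": radius_reachable, "users": {"alice": "r4dius-pw"}}]
    local_users = {"alice": "local-pw", "bob": "local-pw"}
    return [("group radius", radius_group(radius_servers)),
            ("local", local_database(local_users))]


if __name__ == "__main__":
    for reachable in (True, False):
        methods = build_methods(reachable)
        print("RADIUS reachable:", reachable)
        for user, pw in (("alice", "r4dius-pw"), ("alice", "local-pw"), ("bob", "local-pw")):
            print(f"  {user}/{pw}: {authenticate(methods, user, pw)}")
```

With the server reachable, alice's local-only password and bob's local account are both rejected by RADIUS and the local database is never consulted; only when the server is down does the local database decide. This is why a local fallback account is an availability safeguard, not a second way in while the server is healthy.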
The steps for configuring AAA are summarized below.
On the client side:
1. Enable AAA: aaa new-model
2. Specify the AAA server the client will contact:
tacacs-server host 192.168.1.2 key cisco@123
3. Create a named authentication method list. MYAUTHLIST is used here as an example; any name can be used.
aaa authentication login MYAUTHLIST group tacacs+ local
4. Create an authorization method list to apply to users who have been authenticated.
aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local
5. Apply the method lists to a line (here the vty lines):
line vty 0 4
login authentication MYAUTHLIST
authorization exec MYAUTHORIZATIONLIST
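The steps above, together with the method-list syntax from the earlier section, can be checked mechanically before a change is pushed. The following added Python script (not Cisco code, and not from the original page) parses the AAA parts of a running-config and reports the mistakes that most often leave a line weaker than intended: a list referenced on a line but never defined (a one-letter typo in the list name is enough), a list containing the none method, a line with no list applied when no default list exists, and exec-timeout 0 0. The sample configuration is constructed for the example; the server address and key are placeholders, and the misspelled authorization reference is deliberate.

```python
"""Audit an IOS running-config for AAA method-list problems.

Added example, not Cisco code. The config text below is constructed
for illustration (the list names follow the page; the misspelled
reference, the server address and the key are made up).
"""
import re
from typing import Any, Dict, List

# Constructed sample: aaa new-model is present, one authorization-list
# reference is misspelled, con 0 never times out, and vty 5-15 has no list.
SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
aaa authentication login MYAUTHLIST group tacacs+ local
aaa authorization exec MYAUTHORIZATIONLIST group tacacs+ local
aaa authentication login console line
line con 0
 exec-timeout 0 0
 password cisco
 login authentication console
line vty 0 4
 login authentication MYAUTHLIST
 authorization exec MYUAUTHORIZATIONLIST
line vty 5 15
 transport input ssh
"""


def parse_config(text: str) -> Dict[str, Any]:
    """Pull out the AAA pieces: the global flag, the method lists by
    type, and each 'line' block with the commands under it."""
    cfg: Dict[str, Any] = {"aaa_new_model": False, "lists": {}, "lines": []}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "aaa new-model":
            cfg["aaa_new_model"] = True
        elif m := re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", line):
            kind, name, methods = m.groups()
            cfg["lists"].setdefault(kind, {})[name] = methods.split()
        elif line.startswith("line "):
            current = {"name": line[5:], "commands": []}
            cfg["lines"].append(current)
        elif line.startswith(" ") and current is not None:
            current["commands"].append(line.strip())
        else:
            current = None          # any other global command ends the block
    return cfg


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_config(text)
    findings: List[str] = []
    if not cfg["aaa_new_model"]:
        findings.append("aaa new-model is not configured; AAA method lists are inactive")
    auth_lists = cfg["lists"].get("authentication login", {})
    authz_lists = cfg["lists"].get("authorization exec", {})
    for kind, lists in cfg["lists"].items():
        for name, methods in lists.items():
            if "none" in methods:
                findings.append(f"{kind} list {name} contains 'none': no check when earlier methods are unavailable")
    for block in cfg["lines"]:
        name = block["name"]
        applied: Dict[str, str] = {}
        for cmd in block["commands"]:
            if m := re.match(r"(login authentication|authorization exec) (\S+)", cmd):
                applied[m.group(1)] = m.group(2)
            if cmd == "exec-timeout 0 0":
                findings.append(f"line {name}: exec-timeout 0 0 disables the idle timeout")
        ref = applied.get("login authentication")
        if ref is not None and ref not in auth_lists:
            findings.append(f"line {name}: login authentication references undefined list {ref}")
        ref = applied.get("authorization exec")
        if ref is not None and ref not in authz_lists:
            findings.append(f"line {name}: authorization exec references undefined list {ref}")
        if "login authentication" not in applied and "default" not in auth_lists:
            findings.append(f"line {name}: no login authentication list applied and no default list defined")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the script reports three findings: the never-expiring console session, the vty 0 4 authorization list that does not exist, and vty 5 15 relying on a default list that was never defined. The parser only understands the commands the page uses, so extend the two regular expressions if your configs carry other AAA list types (for example aaa accounting lists).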