2.1.a AAA with TACACS+ and RADIUS
Cisco switches can use the following two protocols to communicate with AAA servers:
TACACS+: A Cisco-proprietary protocol that separates the three AAA functions (authentication, authorization and accounting). Communication with the server runs over TCP port 49 and the entire packet body is encrypted. TACACS+ is the only one of the two that can authorize users to run specific switch commands; RADIUS does not provide this per-command granularity.
RADIUS: A standards-based protocol that combines authentication and authorization into a single exchange. Communication uses UDP ports 1812 (authentication) and 1813 (accounting) and is not completely encrypted: only the password in the packet is protected, the rest is sent in clear text. For 802.1X, the RADIUS server authenticates each workstation (supplicant) connected to a switch port before the switch makes any requested services available; if authentication succeeds, normal traffic can pass through the port. A RADIUS server with Extensible Authentication Protocol (EAP) extensions is the only authentication server supported for 802.1X port-based authentication.
The global configuration command that enables authentication, authorization, and accounting on a switch is:
aaa new-model
By default, AAA is disabled on a switch. To control who may log in to the switch itself, you configure authentication. To control what an authenticated user may do once logged in, you use authorization. To record switch events (for example logins and the commands a user enters), you use accounting.
There are broadly four steps in configuring authentication on a Catalyst switch:
1. Enable AAA on the switch with the command:
Switch(config)# aaa new-model
2. Define the source(s) of authentication using one or more of these commands:
A locally configured username and password (stored in the local switch database):
Switch(config)# username <username> password <password>
An external authentication server, for example RADIUS:
Switch(config)# radius-server host {hostname | ip-address} [key string]
where [key string] is the shared secret known to both the switch and the RADIUS server.
3. Define the authentication method list with the command:
Switch(config)# aaa authentication login {default | list-name} method1 [method2...]
Example: Switch(config)# aaa authentication login default radius
enables RADIUS authentication as the default method for all logins.
Methods are tried in the order listed; the next method is consulted only when the current one does not respond (for example, the RADIUS server is unreachable), not when it rejects the credentials. When local is listed last, local authentication is therefore used only after the preceding methods have failed to respond.
4. Finally, apply the method list defined in step 3 to a line (console or vty) by entering line configuration mode and using the command:
Switch(config-line)# login authentication {default | list-name}
This triggers user authentication on that line using the named AAA method list.
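As an added example, not taken from the original notes, the four steps above combined into one configuration that authenticates against a RADIUS server and falls back to a local account only when no server answers. The server address 192.0.2.10, the shared key, the username and the CONSOLE_ONLY list name are made-up values; `group radius` is the method keyword current IOS uses where the notes show the bare `radius`, and `secret` is used instead of `password` so the local credential is stored hashed.

```cisco
! Step 1: enable the AAA subsystem (it is disabled by default)
Switch(config)# aaa new-model
!
! Step 2: authentication sources
! Local fallback account (illustrative values). "secret" stores a hashed
! password; "password" as shown in the notes stores it reversibly.
Switch(config)# username admin secret S3cureLocalPw!
! External RADIUS server; the key is the shared secret known to both sides.
Switch(config)# radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedKey
!
! Step 3: method lists. Methods are tried in order; "local" is reached only
! when the RADIUS group returns an error (no server reachable), not on a reject.
Switch(config)# aaa authentication login default group radius local
! A separate local-only list for the console, so a RADIUS outage combined
! with a misconfigured server key cannot lock you out of the box.
Switch(config)# aaa authentication login CONSOLE_ONLY local
!
! Step 4: attach the lists to lines
Switch(config)# line vty 0 15
Switch(config-line)# login authentication default
Switch(config-line)# exit
Switch(config)# line console 0
Switch(config-line)# login authentication CONSOLE_ONLY
Switch(config-line)# end
```

Keep the session that entered this configuration open and verify a fresh login on a second vty before saving; once `aaa new-model` is active, every line uses the default list, so a wrong server key or an unreachable server with no `local` fallback is the most common way to lose remote access.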
The command syntax for applying an authorization method list to a specific line on a switch is given below:
Switch(config-line)# authorization {commands <level> | exec | reverse-access} {default | <list-name>}
To define a method list for authorization on a Catalyst switch, use the command:
Switch(config)# aaa authorization {commands <level> | config-commands | configuration | exec | network | reverse-access} {default | list-name} [method1 [method2...]]
Syntax Description
network: Runs authorization for all network-related service requests, including SLIP and PPP.
exec: Runs authorization to determine whether the user is allowed to run an EXEC shell.
commands: Runs authorization for all commands at the specified privilege level.
configuration: The server returns permission to enter the switch configuration mode.
config-commands: The server returns permission to use any switch configuration command.
level: Specific command level that should be authorized. Valid entries are 0 through 15.
reverse-access: Runs authorization for reverse access connections, such as reverse Telnet.
default: Uses the authorization methods that follow this argument as the default method list for authorization.
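An added example (not from the original notes) of the authorization commands just described, using TACACS+ because, as noted above, only TACACS+ can authorize individual commands. The server address 192.0.2.20 and the key are illustrative; `group tacacs+` and `if-authenticated` are standard IOS method keywords, and the snippet assumes `aaa new-model` and a login method list are already in place as in step 1 and step 3 above.

```cisco
! TACACS+ server used for authorization decisions (illustrative address and key)
Switch(config)# tacacs-server host 192.0.2.20 key TacacsSharedKey
!
! exec: may this authenticated user get an EXEC shell at all?
! "if-authenticated" grants the shell when no server responds but the user
! has already passed authentication, so a server outage is not a lockout.
Switch(config)# aaa authorization exec default group tacacs+ if-authenticated
!
! commands 15: ask the server before running any privilege-level-15 command;
! fall back to the local database only if the server does not respond.
Switch(config)# aaa authorization commands 15 default group tacacs+ local
!
! config-commands: also send each configuration-mode command for authorization
Switch(config)# aaa authorization config-commands
!
! Apply the method lists to the vty lines with the line-mode "authorization"
! command. The console is exempt from authorization unless
! "aaa authorization console" is configured, which keeps local recovery possible.
Switch(config)# line vty 0 15
Switch(config-line)# authorization exec default
Switch(config-line)# authorization commands 15 default
Switch(config-line)# end
```

Per-command authorization adds a round trip to the server for every command entered, so the server's command-set policy for the user should be tested on a lab vty before being applied to production lines.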
To record switch events, you also need to configure and enable the accounting component of AAA.