Securing access to routers with AAA commands
Cisco Forum FAQ

Introduction

When no AAA commands are implemented on a router, there must be a password set under the vty line, in addition to the login command, for the router to be remotely accessible via (let's say) telnet or ssh. With a proper AAA command set in place, the router no longer needs a password under the vty line to be reachable by telnet or ssh. With a proper AAA command set, every login attempt, whether by telnet, ssh, http, https, SNMP, or console access through either the Console or AUX port, is authenticated against the same credential. In addition, the AAA command set is the more secure approach, especially when the router has to authenticate against an external TACACS+ or RADIUS server.

The following AAA commands apply not only to routers but to any Cisco gear running an IOS image (IOS-based gear), such as switches and wireless AP devices. These AAA command sets have been tested in various situations, including automatic failover from the TACACS+ server to local credentials or the local enable password when the TACACS+ server is unreachable because the server or the network is down.

As mentioned, there is no need for passwords under line console, aux, and vty once these AAA command sets are in place; all login attempts are controlled by the AAA command set. If the router happens to have passwords under line console, aux, and vty, they should be removed, since the AAA command set takes over all login authentication anyway. In other words, those passwords are no longer in effect once the AAA command set is in place.

First, an AAA command set that authenticates using local credentials only is introduced to provide a preliminary understanding. Then the use of an external TACACS+ server is introduced to provide a stronger security perimeter.
AAA command set using local credential

Sample #1:

    username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
    enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
    aaa new-model

Note: To log in, enter the local username and password. To enter privilege mode, enter the enable password.

Sample #2:

    username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
    enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
    aaa new-model
    aaa authentication login default local enable
    aaa authentication enable default enable
    aaa authorization console
    aaa authorization exec default local if-authenticated
    aaa authorization commands 15 default local if-authenticated

Note: The password to log in and the password to enter enable (privilege) mode are the same. Therefore you do not enter the enable password to enter privilege mode. (The login method list uses the keyword local directly; the group keyword is only used with a server group such as tacacs+ or radius.)

AAA command set with external TACACS+ server

Sample #3:

    username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
    enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
    tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE]
    tacacs-server key 0 [ENTER THE SECRET KEY HERE]
    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

Note: When the TACACS+ server fails, the router authenticates using the local credential.
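The samples above differ mainly in what each method list falls back to when the TACACS+ server does not answer, and the introduction points out that passwords left under line console, aux, or vty stop having any effect once aaa new-model is in place. The following Python script is an added example, not part of the original FAQ: it parses the aaa authentication and aaa authorization method lists out of a configuration dump, reports the fallback method of each list (IOS moves to the next method only when the previous one returns no response, not when the server rejects the user), and flags stale line passwords. The sample configuration, the 192.0.2.10 server address, and the usernames are constructed for the example.

```python
"""Added example (not from the FAQ): audit the AAA method lists of an IOS config."""


def parse_methods(tokens):
    """['group', 'tacacs+', 'local'] -> ['group tacacs+', 'local']."""
    methods, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_aaa(config):
    """Return (new_model, method_lists, lines_with_password).

    method_lists maps e.g. 'authentication login' or 'authorization commands 15'
    to its ordered default method list. Only 'default' lists are collected;
    'aaa authorization console' carries no method list and is skipped.
    """
    new_model = False
    method_lists = {}
    line_passwords = []
    current_line = None  # name of the 'line ...' sub-mode we are inside, if any
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("!"):
            continue
        if not raw.startswith(" "):
            current_line = None  # an unindented line leaves the sub-mode
        tokens = stripped.split()
        if stripped == "aaa new-model":
            new_model = True
        elif (len(tokens) > 3 and tokens[0] == "aaa"
              and tokens[1] in ("authentication", "authorization")
              and "default" in tokens):
            idx = tokens.index("default")
            method_lists[" ".join(tokens[1:idx])] = parse_methods(tokens[idx + 1:])
        elif tokens[0] == "line" and len(tokens) > 1:
            current_line = " ".join(tokens[1:])
        elif current_line is not None and tokens[0] == "password":
            line_passwords.append(current_line)
    return new_model, method_lists, line_passwords


def fallback(methods):
    """Method used once every server group in the list is unreachable.

    Returns None when the list contains only server groups: there is no
    fallback and access fails while the servers are down.
    """
    for m in methods:
        if not m.startswith("group "):
            return m
    return None


def audit(config):
    """Return a list of human-readable findings about the AAA configuration."""
    new_model, lists, line_passwords = parse_aaa(config)
    findings = []
    if not new_model:
        findings.append("aaa new-model is absent: aaa method lists are ignored and "
                        "the line passwords still govern access")
        return findings
    if "authentication login" not in lists:
        findings.append("authentication login: no default list; the local username "
                        "database is used (Sample #1 behaviour)")
    for name, methods in sorted(lists.items()):
        fb = fallback(methods)
        if fb is None:
            findings.append(f"{name}: no fallback; access fails while "
                            f"{', '.join(methods)} is unreachable")
        elif fb == "none":
            findings.append(f"{name}: falls back to 'none' (no authentication) "
                            "when the servers are down")
        else:
            findings.append(f"{name}: falls back to '{fb}' when the servers are down")
    for ln in line_passwords:
        findings.append(f"line {ln}: password no longer in effect under aaa new-model; remove it")
    return findings


# Constructed sample: the FAQ's Sample #3 plus a stale vty password.
SAMPLE_CONFIG = """\
username admin secret 0 adminpass
enable secret 0 enablepass
tacacs-server host 192.0.2.10
tacacs-server key 0 sharedkey
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
line vty 0 4
 password oldvtypass
 transport input ssh
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Running it against the constructed sample reports that login, exec and command authorization fall back to local, enable authentication falls back to the enable secret, and the vty password is dead weight that should be removed. Feeding it a list with only `group tacacs+` shows the case the FAQ warns about implicitly: no fallback at all, so a server or network outage locks administrators out.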
Sample #4:

    username [ENTER USERNAME HERE] secret 0 [ENTER YOUR PASSWORD HERE]
    enable secret 0 [ENTER ENABLE MODE PASSWORD HERE]
    tacacs-server host [ENTER TACACS SERVER IP ADDRESS HERE]
    tacacs-server key 0 [ENTER THE SECRET KEY HERE]
    aaa new-model
    aaa authentication login default group tacacs+ enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ if-authenticated
    aaa authorization commands 15 default group tacacs+ if-authenticated
    aaa accounting exec default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+

Note: When the TACACS+ server fails, the router authenticates using the enable password.

Setting local account privilege level and authorized command list

The FAQ "Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level" (Cisco Forum FAQ) discusses making certain Privilege Level 15 commands available to Privilege Level 0 users. Let's say the following commands are authorized for those Privilege Level 0 users, in addition to the default Privilege Level 0 command list:

    traceroute
    traceroute ip (extended traceroute)
    ping
    ping ip (extended ping)
    show (i.e. show version, show ip route, etc.)
    show configuration

As discussed in that FAQ, a centralized TACACS+ server should regulate the commands on this list. However, when the network is down or the TACACS+ server is unreachable, those Privilege Level 0 users should still be able to issue those commands. When the TACACS+ server is unreachable from the router's perspective, one way to keep those Privilege Level 0 users able to issue those commands is to define the commands locally as additional authorized commands for Privilege Level 0. To make that happen, the following should be in the router configuration in addition to the AAA command set of your choice from above.
    username [ENTER Privilege Level 0 USERNAME HERE] privilege 0 secret 0 [ENTER YOUR PASSWORD HERE]
    privilege exec level 0 traceroute ip
    privilege exec level 0 traceroute
    privilege exec level 0 ping ip
    privilege exec level 0 ping
    privilege exec level 0 show configuration
    privilege exec level 0 show

and either one of the following AAA command sets:

Option 1 (suitable when you implement Sample Configuration #2)

    aaa authorization commands 0 default local if-authenticated

Option 2 (suitable when you implement Sample Configuration #3)

    aaa authorization commands 0 default group tacacs+ local
    aaa accounting commands 0 default start-stop group tacacs+

Option 3 (suitable when you implement Sample Configuration #4)

    aaa authorization commands 0 default group tacacs+ if-authenticated
    aaa accounting commands 0 default start-stop group tacacs+

Some discussion on the Cisco website: How to Assign Privilege Levels with TACACS+ and RADIUS

How the router behaves with a specific AAA command set

The FAQ "Secure and Monitor Network Access with AAA (TACACS/RADIUS) and Privilege Level" (Cisco Forum FAQ) also discusses how to specify which commands Privilege Level 0 users can issue even though on the TACACS+ server these users are set as Privilege Level 15 users. Let's say such Privilege Level 0 users are in place. When the router is configured with the if-authenticated parameter, that parameter overrides the TACACS+ server command setting: with if-authenticated, Privilege Level 0 users can issue unauthorized commands such as configure terminal. Therefore, when Privilege Level 0 users need to be able to issue only certain Privilege Level 15 commands, you might want to implement the AAA command set without the if-authenticated parameter, so that the TACACS+ server has total control.

by Covenant, edited by aryoba
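The privilege exec level statements above define what a local Privilege Level 0 account can still do during a TACACS+ outage, when the Option 1, 2 or 3 lists fall back to the local side. The following Python script is an added example, not part of the FAQ: it reads the username and privilege exec level lines from a configuration dump and answers whether a given local user may issue a given EXEC command. It assumes a simplified IOS precedence rule (the most specific matching prefix wins, with configured entries beating built-in defaults at the same length, so lowering show to level 0 does not also lower show running-config) and a small built-in table of IOS default command levels (level 0: disable, enable, exit, help, logout; configuration and reload at 15; everything else at 1). The usernames and passwords in the sample are constructed.

```python
"""Added example (not from the FAQ): which EXEC commands can a local
privilege-level user issue, given the 'privilege exec level' statements?"""

# Assumed subset of IOS default command levels; commands not listed are level 1.
DEFAULT_LEVELS = {
    "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
    "configure": 15, "reload": 15, "debug": 15,
    "show running-config": 15, "show startup-config": 15, "show configuration": 15,
}


def parse_privileges(config):
    """Return (users, commands).

    users maps username -> privilege level from 'username X privilege N ...'
    (default 1 when no privilege keyword is given); commands maps the command
    prefix of each 'privilege exec level N <cmd>' line to N.
    """
    users, commands = {}, {}
    for raw in config.splitlines():
        t = raw.strip().split()
        if not t:
            continue
        if t[0] == "username" and len(t) > 1:
            level = 1
            if "privilege" in t and t.index("privilege") + 1 < len(t):
                level = int(t[t.index("privilege") + 1])
            users[t[1]] = level
        elif t[:3] == ["privilege", "exec", "level"] and len(t) > 4:
            commands[" ".join(t[4:])] = int(t[3])
    return users, commands


def command_level(command, commands):
    """Level required to issue `command`.

    Assumed precedence: walk from the full command down to its first keyword
    and take the first prefix found, checking configured entries before the
    built-in defaults at each length. Unknown commands default to level 1.
    """
    words = command.split()
    for n in range(len(words), 0, -1):
        prefix = " ".join(words[:n])
        if prefix in commands:
            return commands[prefix]
        if prefix in DEFAULT_LEVELS:
            return DEFAULT_LEVELS[prefix]
    return 1


def can_issue(user, command, users, commands):
    """True when the user's local privilege level reaches the command's level."""
    return users.get(user, 1) >= command_level(command, commands)


def report(user, commands_to_check, users, commands):
    """Map each command to whether `user` may issue it with local authorization."""
    return {c: can_issue(user, c, users, commands) for c in commands_to_check}


# Constructed sample: the FAQ's level-0 account and privilege statements,
# plus a level-15 administrator for contrast.
SAMPLE_CONFIG = """\
username helpdesk privilege 0 secret 0 helpdeskpass
username admin privilege 15 secret 0 adminpass
privilege exec level 0 traceroute ip
privilege exec level 0 traceroute
privilege exec level 0 ping ip
privilege exec level 0 ping
privilege exec level 0 show configuration
privilege exec level 0 show
"""

if __name__ == "__main__":
    users, commands = parse_privileges(SAMPLE_CONFIG)
    checks = ["show ip route", "ping 192.0.2.1", "traceroute 192.0.2.1",
              "show configuration", "show running-config", "configure terminal"]
    for cmd, allowed in report("helpdesk", checks, users, commands).items():
        print(f"{'allow' if allowed else 'deny ':5} helpdesk: {cmd}")
```

For the helpdesk account the report allows the ping, traceroute and show commands the FAQ lists, including show configuration, and denies configure terminal and show running-config. This is the locally enforced picture; whether the TACACS+ server's own per-command decision applies when it is reachable, and whether if-authenticated permits everything once it is not, is governed by the Option 1, 2 or 3 list chosen above, not by these privilege statements.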