Configuring Authentication

17 Mar

After you enable TACACS+ or RADIUS globally on the network device, you must define the authentication methods used to verify users before they are allowed access to the network and network services. To configure AAA authentication, first define a named list of authentication methods and then apply that list to the appropriate lines or interfaces. The method list defines the types of authentication to be performed and the order in which they are tried; a named list has no effect until it is applied to a specific line or interface. The default method list is the exception: it is applied automatically to every line and interface that does not have a named method list explicitly assigned. A named method list applied to a line or interface overrides the default list there.

A method list is a sequential list that describes the authentication methods to be used to authenticate a user. Cisco IOS software uses the first configured method listed to authenticate users. If that method fails to respond or returns an error, it selects the next authentication method listed in the method list. This process continues until there is successful communication with a listed authentication method or until all methods defined in the method list are exhausted.

Note: The Cisco IOS software attempts the next configured authentication method only when the preceding method does not respond or returns an error. An explicit FAIL (for example, the TACACS+ server rejects the username or password) ends the list; it does not fall through to the next method. A method of none at the end of a list therefore grants access only when every earlier method returned an error, such as when the security server is unreachable. That is a fail-open condition, not a backup for rejected credentials.

To configure AAA authentication, perform the following steps:

1. Enable AAA with the aaa new-model global configuration command and configure the security protocol parameters, such as the server address and key. This step was outlined earlier in the sections on configuring TACACS+ and RADIUS.

2. Define the method lists for authentication with the following command:

aaa authentication {arap | login | enable | ppp | nasi} {default | list-name} method1 [method2 ...]

Methods are tried in the order written. The methods used in this section are group tacacs+ (the TACACS+ servers configured earlier), local (the local username database), enable (the enable password), line (the line password), and none (no authentication); group radius selects the RADIUS servers configured earlier.

3. Apply the method list to a particular line (or, for PPP, to an interface with ppp authentication) with the following line configuration command:

login authentication {default | list-name}

The aaa authentication command authenticates arap, login, enable, ppp, and nasi connections. As an example, router Seminole in Figure 2.8 is configured to authenticate user James for Telnet access against the security server at IP address 192.168.10.4; all other lines use the default list. Listing 2.2 shows the configuration commands that let Seminole authenticate James for Telnet access via the TACACS+ server.

Listing 2.2: Router Seminole authentication configuration.

#aaa new-model
#tacacs-server host 192.168.10.4
#tacacs-server key 1Cisco9
#aaa authentication login TELNET group tacacs+ local enable none
#aaa authentication login ADMIN none
#line con 0
#login authentication ADMIN
#line vty 0 4
#login authentication TELNET
#end

The configuration in Listing 2.2 creates a list named TELNET with four methods, tried in order, for the virtual terminal lines that reference it: the TACACS+ server group, the local user database, the enable password, and finally none. The console port uses the list named ADMIN, which specifies that no authentication takes place at all; anyone with physical access to the console gets a prompt without credentials. Likewise, the trailing none in TELNET means that if the TACACS+ server is unreachable and neither a local username nor an enable password is configured, a Telnet user is let in without authenticating. Listing 2.3 is part of the output of the command debug aaa authentication, used to verify whether the login attempt from user James succeeded; the output also shows that TACACS+ was the method that authenticated him.

Listing 2.3: Successful login authentication output.

Seminole#debug aaa authen
AAA Authentication debugging is on
Seminole#
AAA: parse name=tty2 idb type=-1 tty=-1
AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
AAA/MEMORY: create_user (0x62527B28) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
AAA/AUTHEN/START (3898654566): port='tty2' list='TELNET' action=LOGIN service=LOGIN
AAA/AUTHEN/START (3898654566): found list TELNET
AAA/AUTHEN/START (3898654566): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=3898654566
TAC+: ver=192 id=3898654566 received AUTHEN status = GETUSER
AAA/AUTHEN (3898654566): status = GETUSER
AAA/AUTHEN/CONT (3898654566): continue_login (user='(undef)')
AAA/AUTHEN (3898654566): status = GETUSER
AAA/AUTHEN (3898654566): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/CONT packet id=3898654566
TAC+: ver=192 id=3898654566 received AUTHEN status = GETPASS
AAA/AUTHEN (3898654566): status = GETPASS
AAA/AUTHEN/CONT (3898654566): continue_login (user='James')
AAA/AUTHEN (3898654566): status = GETPASS
AAA/AUTHEN (3898654566): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/CONT packet id=3898654566
TAC+: ver=192 id=3898654566 received AUTHEN status = PASS
AAA/AUTHEN (3898654566): status = PASS
TAC+: (4047621580): received author response status = PASS_ADD

Notice that the first few lines of the output show that a connection was requested on port tty2 and that the list named TELNET is applied to that line for the LOGIN service. The router searches its configured lists for TELNET and, on finding it, selects the first method in the list, TACACS+. The security server then asks the router for the username (GETUSER) and, once it has that, for the password (GETPASS); the router prompts the user for each value and forwards it to the server. After verifying the supplied credentials, the security server responds with a PASS status and the user is authenticated. The final PASS_ADD line is the authorization response that follows a successful authentication.

If user James fails authentication, the debug output generated by the router resembles Listing 2.4.

Listing 2.4: Failed login authentication output.

AAA: parse name=tty2 idb type=-1 tty=-1
AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
AAA/MEMORY: create_user (0x6257E6A8) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
AAA/AUTHEN/START (2841923342): port='tty2' list='TELNET' action=LOGIN service=LOGIN
AAA/AUTHEN/START (2841923342): found list TELNET
AAA/AUTHEN/START (2841923342): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=2841923342
TAC+: ver=192 id=2841923342 received AUTHEN status = GETUSER
AAA/AUTHEN (2841923342): status = GETUSER
AAA/AUTHEN/CONT (2841923342): continue_login (user='(undef)')
AAA/AUTHEN (2841923342): status = GETUSER
AAA/AUTHEN (2841923342): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/CONT packet id=2841923342
TAC+: ver=192 id=2841923342 received AUTHEN status = GETPASS
AAA/AUTHEN (2841923342): status = GETPASS
AAA/AUTHEN/CONT (2841923342): continue_login (user='James')
AAA/AUTHEN (2841923342): status = GETPASS
AAA/AUTHEN (2841923342): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/CONT packet id=2841923342
TAC+: ver=192 id=2841923342 received AUTHEN status = FAIL
AAA/AUTHEN (2841923342): status = FAIL
AAA/MEMORY: free_user (0x6257E6A8) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1

As explained in Chapter 1, Cisco routers have different modes of operation. These modes are generally protected with passwords so that certain users cannot just walk up and gain access to the router. The enable password and enable secret password are frequently configured to secure privileged mode access into a Cisco router. Although it’s a good start, there are some limitations to using this method alone. This method of security is burdensome to administer in enterprises that contain hundreds of routers. For instance, if the password needs to be changed for any reason, someone either has to physically go to each router and plug into it to change the password or has to telnet to each router. The point is that this could become an administrative nightmare. Another drawback to using this method is that the password must be known by all users who need access into the router. Fortunately, Cisco routers can be configured to authenticate a user via a security server for privileged mode access. This allows administrators to change the password in one place, giving them centralized control. In environments that use an external Windows NT/2000 database for authentication, each user has control of his or her own enable password.

Continuing with the authentication example, the router Seminole should be configured to authenticate users via the security server for privileged mode access. This can be accomplished using the following configuration commands:

#config t
#aaa authentication enable default group tacacs+ enable none
#end
#

The configuration commands above make the router authenticate privileged-mode access with the TACACS+ method; if the security server returns an error, the configured enable password is used instead, and if no enable password is configured either, the trailing none grants privileged mode without any check. After initiating a Telnet session to the router, James now enters enable mode. Listing 2.5 shows the debug output when James accesses privileged mode.

Listing 2.5: Authentication debug output.

Seminole>en
Password:
Seminole#
AAA/MEMORY: dup_user (0x6255EA00) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
AAA/AUTHEN/START (757557072): port='tty2' list='' action=LOGIN service=ENABLE
AAA/AUTHEN/START (757557072): using "default" list
AAA/AUTHEN/START (757557072): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/START packet ver=192 id=757557072
TAC+: ver=192 id=757557072 received AUTHEN status = GETPASS
AAA/AUTHEN (757557072): status = GETPASS
AAA/AUTHEN/CONT (757557072): continue_login (user='James')
AAA/AUTHEN (757557072): status = GETPASS
AAA/AUTHEN (757557072): Method=tacacs+ (tacacs+)
TAC+: send AUTHEN/CONT packet id=757557072
TAC+: ver=192 id=757557072 received AUTHEN status = PASS
AAA/AUTHEN (757557072): status = PASS
AAA/MEMORY: free_user (0x6255EA00) user='James' ruser='' port='tty2' rem_addr='10.191.150.45' authen_type=ASCII service=ENABLE priv=15

In the first line, the router recognizes the user requesting enable mode as a duplicate user: after a successful login the router caches the supplied username, so the enable request reuses it (dup_user) and only the password has to be collected. The START line shows an empty list name because enable authentication has no named lists; the default enable list is always used. On receiving GETPASS from the security server, the router prompts James for his enable password and forwards it to the server, which returns a PASS or FAIL status.
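Reading these listings by eye works for one user; at scale you want them as records. The parser below is an added example, not code from this page or from Cisco. It turns debug aaa authentication output into one record per AAA session, keyed by the id that the AAA/AUTHEN lines carry, ties the rem_addr and service from the create_user or dup_user line to that session, and counts failed logins per source address. SAMPLE_DEBUG is a constructed condensation of Listings 2.3 to 2.5 with the timestamps removed and wrapped lines rejoined; the record field names are chosen here and are not IOS terminology.

```python
"""Parse 'debug aaa authentication' output into one record per AAA session.

Added example, not from the page or from Cisco. SAMPLE_DEBUG is a constructed
condensation of Listings 2.3 to 2.5 (timestamps stripped, wrapped lines
rejoined); field names in the records are chosen here.
"""
import re
from collections import Counter
from typing import Any, Dict

SAMPLE_DEBUG = """\
AAA/MEMORY: create_user (0x62527B28) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
AAA/AUTHEN/START (3898654566): port='tty2' list='TELNET' action=LOGIN service=LOGIN
AAA/AUTHEN/START (3898654566): found list TELNET
AAA/AUTHEN/START (3898654566): Method=tacacs+ (tacacs+)
TAC+: ver=192 id=3898654566 received AUTHEN status = GETUSER
AAA/AUTHEN/CONT (3898654566): continue_login (user='(undef)')
AAA/AUTHEN (3898654566): Method=tacacs+ (tacacs+)
TAC+: ver=192 id=3898654566 received AUTHEN status = GETPASS
AAA/AUTHEN/CONT (3898654566): continue_login (user='James')
TAC+: ver=192 id=3898654566 received AUTHEN status = PASS
AAA/MEMORY: create_user (0x6257E6A8) user='' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
AAA/AUTHEN/START (2841923342): port='tty2' list='TELNET' action=LOGIN service=LOGIN
AAA/AUTHEN/START (2841923342): Method=tacacs+ (tacacs+)
TAC+: ver=192 id=2841923342 received AUTHEN status = GETUSER
AAA/AUTHEN/CONT (2841923342): continue_login (user='James')
TAC+: ver=192 id=2841923342 received AUTHEN status = GETPASS
TAC+: ver=192 id=2841923342 received AUTHEN status = FAIL
AAA/MEMORY: free_user (0x6257E6A8) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=LOGIN priv=1
AAA/MEMORY: dup_user (0x6255EA00) user='James' ruser='' port='tty2' rem_addr='192.168.11.45' authen_type=ASCII service=ENABLE priv=15 source='AAA dup enable'
AAA/AUTHEN/START (757557072): port='tty2' list='' action=LOGIN service=ENABLE
AAA/AUTHEN/START (757557072): using "default" list
AAA/AUTHEN/START (757557072): Method=tacacs+ (tacacs+)
TAC+: ver=192 id=757557072 received AUTHEN status = GETPASS
AAA/AUTHEN/CONT (757557072): continue_login (user='James')
TAC+: ver=192 id=757557072 received AUTHEN status = PASS
"""

# create_user/dup_user lines carry the peer address and service but no session id;
# the id appears on the AUTHEN/START line that follows for the same port.
CREATE = re.compile(r"AAA/MEMORY: (?:create|dup)_user \(\w+\) user='([^']*)'.*?port='([^']*)' "
                    r"rem_addr='([^']*)'.*?service=(\w+)")
START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']*)' list='([^']*)'")
DEFAULT = re.compile(r'AAA/AUTHEN/START \((\d+)\): using "default" list')
METHOD = re.compile(r"AAA/AUTHEN(?:/START)? \((\d+)\): Method=(\S+)")
CONT = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']*)'\)")
FINAL = re.compile(r"id=(\d+) received AUTHEN status = (PASS|FAIL|ERROR)")   # GETUSER/GETPASS are prompts, not verdicts


def parse_aaa_debug(text: str) -> Dict[str, Dict[str, Any]]:
    """One record per AAA session id, in the order the START lines appear."""
    records: Dict[str, Dict[str, Any]] = {}
    pending: Dict[str, Dict[str, Any]] = {}   # port -> create/dup_user fields awaiting a START
    for raw in text.splitlines():
        line = raw.strip().lstrip(":").strip()  # a leading ': ' is what remains of a stripped timestamp
        m = CREATE.search(line)
        if m:
            user, port, rem_addr, service = m.groups()
            pending[port] = {"user": user or None, "rem_addr": rem_addr, "service": service}
            continue
        m = START.search(line)
        if m:
            sid, port, name = m.groups()
            rec: Dict[str, Any] = {"id": sid, "port": port, "list": name or None, "user": None,
                                   "rem_addr": None, "service": None, "methods": [], "status": None}
            rec.update(pending.pop(port, {}))
            records[sid] = rec
            continue
        for pattern, key in ((DEFAULT, "list"), (METHOD, "method"), (CONT, "user"), (FINAL, "status")):
            m = pattern.search(line)
            if not m:
                continue
            rec = records.get(m.group(1))
            if rec is None:                    # START not captured (truncated log): ignore the line
                break
            if key == "list":
                rec["list"] = "default"
            elif key == "method":
                if not rec["methods"] or rec["methods"][-1] != m.group(2):
                    rec["methods"].append(m.group(2))   # logged once per server round trip
            elif key == "user":
                if m.group(2) != "(undef)":
                    rec["user"] = m.group(2)
            else:
                rec["status"] = m.group(2)
            break
    return records


def failed_logins_by_source(records: Dict[str, Dict[str, Any]]) -> Counter:
    """Count FAIL verdicts for the LOGIN service per remote address."""
    return Counter(r["rem_addr"] for r in records.values()
                   if r["service"] == "LOGIN" and r["status"] == "FAIL")


if __name__ == "__main__":
    for rec in parse_aaa_debug(SAMPLE_DEBUG).values():
        print(rec)
    print(failed_logins_by_source(parse_aaa_debug(SAMPLE_DEBUG)))
```

Fed a longer capture, the counter is the basis for a simple brute-force check on the vty lines; the per-session methods field also shows whether a login was decided by the security server or by a fallback method further down the list.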

Prior to Cisco IOS 12.0, an administrator could lock himself out of a network access server with an incorrect AAA configuration. To remedy this, Cisco provided the aaa authentication local-override command. It was useful when you wanted certain personnel, such as system administrators, to bypass the normal method-list processing on the network access server. With the override configured, the user was always prompted for a username, and the system then checked whether that username matched a local account configured with the following command:

username name [privilege level] password password

If the username does not correspond to one in the local database, login proceeds with the methods configured with other aaa commands (such as aaa authentication login). An example of configuring the local−override feature is shown here:

Seminole#config t
Enter configuration commands, one per line. End with CNTL/Z.
Seminole(config)#aaa authentication local-override
Seminole(config)#end
Seminole#

The result of configuring the local-override command can be viewed with the show running-config command:

Seminole#show running-config
Building configuration...
!
Current configuration:
!
version 11.2
aaa new-model
aaa authentication local-override
!

With 12.0 and later code, however, aaa authentication local-override is no longer a configuration option. This can be verified from the command's context-sensitive help:

Seminole#config t
Enter configuration commands, one per line. End with CNTL/Z.
Seminole(config)#aaa authentication ?
  arap             Set authentication lists for arap.
  banner           Message to use when starting login.
  enable           Set authentication list for enable.
  fail-message     Message to use for failed authentication.
  login            Set authentication lists for logins.
  nasi             Set authentication lists for NASI.
  password-prompt  Text to use when prompting for a password.
  ppp              Set authentication lists for ppp.
  username-prompt  Text to use when prompting for a username.

With 12.0+ code, when access to the network access devices is critical at all times and administrators need the same functionality they get when they use the local−override command, you can configure a default method of access into the network access device. This can be accomplished using the following command:

#config t
#aaa authentication login default local group tacacs+ enable line
Seminole#

This list provides what the aaa authentication local-override command used to provide. For login authentication, the network access server first tries the local database. If the username is not found there, the local method returns an error and the server moves to the next method, TACACS+. If the username does exist locally but the password is wrong, the result is FAIL and the list stops, so a local account shadows the security server for that username; keep the local accounts to a small, well-protected set of rescue logins. If the TACACS+ server returns an error, the enable password is tried next, and then the line password. Because the list does not end in none, a user is rejected when every method returns an error, so this default list does not fail open the way the TELNET list in Listing 2.2 does.
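The ordering rules discussed in this section are easy to check mechanically against a saved configuration. The audit script below is an added example, not code from this page or from Cisco. It parses the aaa authentication lists and the login authentication statements under each line and reports lists that end in none (fail open when every earlier method errors), lists that are only none, local placed before a server group (a local username shadows the server), named login lists that are never applied, and lines that reference undefined or missing lists. SAMPLE_CONFIG is a constructed rendering of Listing 2.2 plus the enable list from this section as they would appear in show running-config; HARDENED_CONFIG is a constructed variant built around the local group tacacs+ enable line default list shown above, with a made-up rescue username.

```python
"""Static audit of 'aaa authentication' method lists in an IOS configuration.

Added example, not code from the page or from Cisco. SAMPLE_CONFIG is a
constructed rendering of Listing 2.2 plus the enable list from this section;
HARDENED_CONFIG is a constructed variant using the default list shown at the
end of the section (the 'rescue' username and its secret are invented).
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
aaa new-model
tacacs-server host 192.168.10.4
tacacs-server key 1Cisco9
aaa authentication login TELNET group tacacs+ local enable none
aaa authentication login ADMIN none
aaa authentication enable default group tacacs+ enable none
line con 0
 login authentication ADMIN
line vty 0 4
 login authentication TELNET
"""

HARDENED_CONFIG = """\
aaa new-model
tacacs-server host 192.168.10.4
tacacs-server key 1Cisco9
username rescue privilege 15 secret ConstructedExampleOnly
aaa authentication login default local group tacacs+ enable line
aaa authentication enable default group tacacs+ enable
line con 0
 login authentication default
line vty 0 4
 login authentication default
"""

AUTH_RE = re.compile(r"^aaa authentication (login|enable) (\S+) (.+)$")
LINE_RE = re.compile(r"^line ((?:con|aux|tty|vty) \d+(?: \d+)?)$")

Finding = Tuple[str, str, str]   # (severity, config object, message)


def parse_methods(spec: str) -> List[str]:
    """'group tacacs+ local enable none' -> ['group tacacs+', 'local', 'enable', 'none']"""
    tokens = spec.split()
    methods: List[str] = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            methods.append("group " + tokens[i + 1])   # 'group' takes the server group name
            i += 2
        else:
            methods.append(tokens[i])
            i += 1
    return methods


def parse_config(config: str):
    lists: Dict[Tuple[str, str], List[str]] = {}   # (service, list name) -> methods
    applied: Dict[str, Optional[str]] = {}         # 'vty 0 4' -> login list name, or None
    current: Optional[str] = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if not raw.startswith(" "):                # a top-level command ends any line sub-mode
            current = None
        m = AUTH_RE.match(stripped)
        if m:
            lists[(m.group(1), m.group(2))] = parse_methods(m.group(3))
            continue
        m = LINE_RE.match(stripped)
        if m:
            current = m.group(1)
            applied[current] = None                # no explicit list yet: default applies
            continue
        if current and stripped.startswith("login authentication "):
            applied[current] = stripped.split()[2]
    return lists, applied


def audit(config: str) -> List[Finding]:
    lists, applied = parse_config(config)
    findings: List[Finding] = []
    for (service, name), methods in lists.items():
        obj = f"aaa authentication {service} {name}"
        if methods == ["none"]:
            findings.append(("HIGH", obj, "no authentication at all"))
        elif methods[-1] == "none":
            findings.append(("HIGH", obj, "fails open: none is reached when every earlier method returns an error"))
        groups = [i for i, m in enumerate(methods) if m.startswith("group ")]
        if "local" in methods and groups and methods.index("local") < groups[0]:
            findings.append(("INFO", obj, "local precedes the server group: a local username shadows the server for that user"))
    login_lists = {name for (svc, name) in lists if svc == "login"}
    for name in sorted(login_lists - set(applied.values()) - {"default"}):
        findings.append(("LOW", f"aaa authentication login {name}", "defined but applied to no line"))
    for line, name in applied.items():
        if name is None and "default" not in login_lists:
            findings.append(("MEDIUM", f"line {line}", "no login list applied and no default login list defined"))
        elif name is not None and ("login", name) not in lists:
            findings.append(("HIGH", f"line {line}", f"references undefined list {name}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("Listing 2.2", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label}")
        for severity, obj, message in audit(cfg):
            print(f"{severity:6} {obj}: {message}")
```

Run against Listing 2.2 the audit reports three HIGH findings: the ADMIN list on the console performs no authentication, and both the TELNET list and the enable list end in none. The hardened variant produces only the INFO note that local precedes group tacacs+, which is the intended trade-off for keeping a rescue login when the security server is unreachable.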

