Authentication, authorization and accounting is commonly called AAA. If you have more than a few network devices, using local user accounts is not a scalable solution. The solution is to centralize authentication on either a TACACS+ or a RADIUS server. For device administration TACACS+ is the more common choice, since it separates authorization from authentication and can authorize individual commands. Cisco has its own TACACS+ server, called Cisco ACS. To set up authentication we need to do some configuration. Many of us have pasted the commands in from some template, but do we really know what every command does? I will show a way to set up AAA and explain what the different commands do.

enable secret myenablepassword

We need an enable secret configured. We will see why later in the configuration: it is the last fallback for the enable method list.

username fallback privilege 15 secret fallbackpassword

This account is used for local authentication if we lose contact with the TACACS+ server. It is created before aaa new-model on purpose: as soon as AAA is enabled the lines start using the default login list, and you want a working local account in place before that happens.

aaa new-model

This enables AAA; without it the other AAA commands have no effect. It takes effect immediately, so keep your current session open and test a fresh login before you log out.

tacacs-server host 1.2.3.4 key tacacskey

This configures which server will be used for TACACS+ and the shared key, which must match the key configured on the server. Add a second tacacs-server host line for a redundant server; the device tries them in the order they are configured.

aaa authentication login default group tacacs+ local

When a user logs in, check with TACACS+ first; if the server does not respond, fall back to the local user database. A later method in the list is only tried when the earlier one is unreachable, so a reject from TACACS+ is final and is not retried against local accounts. The word default in this command is the name of the method list and is applied to all lines automatically. You can use a different list name and apply it to specific lines if you need several lists, but default works fine otherwise.

aaa authentication enable default group tacacs+ enable

When a user runs enable, check with TACACS+ first and, if that is not available, use the local enable secret. This is why the enable secret was configured at the start.

aaa authorization exec default group tacacs+ local if-authenticated

Check whether the user is allowed an exec shell, and at which privilege level. TACACS+ is asked first, the local database is used if TACACS+ is unreachable, and if-authenticated is the last resort: it grants authorization to any user who has already authenticated. The fallback methods matter because without them authorization fails as soon as the TACACS+ server goes down, which locks everyone out of the shell even though they could still authenticate locally. As with authentication, a later method is only tried when the earlier one is unavailable; an explicit deny from TACACS+ is final.

aaa authorization config-commands

Also authorize commands entered in global configuration mode, not only exec-mode commands. This is the default once command authorization is configured, but stating it explicitly makes sure it has not been turned off with no aaa authorization config-commands.

aaa authorization commands 1 default group tacacs+ local if-authenticated

Authorize commands that have a privilege level of 1.

aaa authorization commands 15 default group tacacs+ local if-authenticated

Authorize privilege level 15 commands.

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting connection default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

These commands set up accounting. Accounting logs what users do while logged in; because it is sent to the TACACS+ server it is the audit trail you will reach for during an incident. We turn on accounting for when a user gets an exec shell and for privilege level 1 and 15 commands. We also want to log the connections the user makes and system events such as reloads. Note that there is no local fallback for accounting: if the server is unreachable the records are lost, so make sure a redundant server is configured.
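Here is an added example (my own, not from the original post or from Cisco): a small Python audit script that reads an IOS-style running-config dump and reports where the fallback posture described above is missing, so that a TACACS+ outage cannot lock you out of your own devices. The two config snippets inside it are constructed for the example, the type-9 hashes and the type-7 string are placeholders, and the list of required lines is my reading of the configuration in this post.

```python
import re

# Constructed sample config for this example (not from a real device);
# the type-9 hashes are placeholders, not real secrets.
GOOD_CONFIG = """\
enable secret 9 $9$placeholderhash
username fallback privilege 15 secret 9 $9$placeholderhash
aaa new-model
tacacs-server host 1.2.3.4 key tacacskey
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ local if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# Constructed "template pasted without the fallback methods" config: it
# works fine until the TACACS+ server is unreachable, then nobody gets in.
LOCKOUT_CONFIG = """\
enable password 7 0822455D0A16
aaa new-model
tacacs-server host 1.2.3.4 key tacacskey
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
"""


def config_lines(text):
    """Drop blank lines and '!' comment lines from an IOS-style config dump."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.strip().startswith("!")]


def method_list(lines, prefix):
    """Tokens after a method-list header such as 'aaa authentication login default',
    or None if no such line exists."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].split()
    return None


def methods(tokens):
    """Fold 'group NAME' into one method so the list reads like IOS tries it."""
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group" and i + 1 < len(tokens):
            out.append("group " + tokens[i + 1])
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    return out


def audit_aaa(text):
    """Return a list of findings; an empty list means the fallback posture is in place."""
    lines = config_lines(text)
    findings = []

    def present(pattern):
        return any(re.match(pattern, line) for line in lines)

    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: the other aaa commands have no effect")
    if not (present(r"tacacs-server host \S+ key \S+") or present(r"tacacs server \S+")):
        findings.append("no TACACS+ server defined")
    if not present(r"enable secret "):
        findings.append("no enable secret: the 'enable' fallback method has nothing to check")
    if present(r"enable password "):
        findings.append("'enable password' present (type 0/7 is reversible); use enable secret")
    if not present(r"username \S+ privilege 15 secret "):
        findings.append("no local privilege-15 user with a secret: local fallback cannot log in")

    # (method-list header, fallback that must follow tacacs+, needs if-authenticated)
    checks = [
        ("aaa authentication login default", "local", False),
        ("aaa authentication enable default", "enable", False),
        ("aaa authorization exec default", "local", True),
        ("aaa authorization commands 15 default", "local", True),
    ]
    for prefix, fallback, needs_if_auth in checks:
        tokens = method_list(lines, prefix)
        if tokens is None:
            findings.append(f"{prefix}: not configured")
            continue
        m = methods(tokens)
        if not m or m[0] != "group tacacs+":
            findings.append(f"{prefix}: first method should be 'group tacacs+'")
        if fallback not in m:
            findings.append(f"{prefix}: no '{fallback}' fallback, a TACACS+ outage locks you out")
        if needs_if_auth and "if-authenticated" not in m:
            findings.append(f"{prefix}: no 'if-authenticated' last-resort method")

    if not present(r"aaa accounting commands 15 default start-stop group tacacs\+"):
        findings.append("no start-stop accounting of privilege-15 commands")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("lockout", LOCKOUT_CONFIG)):
        print(name, audit_aaa(cfg) or "OK")
```

Run it against the output of show running-config on each device (for example from a nightly config backup) and treat any finding on the fallback lines as urgent: those are the devices you cannot reach once the TACACS+ server is down.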

Authentication, authorization and accounting