Authentication, authorization and acounting is commonly called AAA. If you have more than a few network devices using local user accounts is not a scalable solution. The solution is to centralize the authentication either via a TACACS+ or a RADIUS server. It is more common to use a TACACS server. Cisco has their own TACACS server which is called Cisco ACS. To setup authentication we need to do some configuration. Many of us might have pasted the commands in from some template but do we really know what every command does? I will show a way to setup AAA and what the different commands do.
enable secret myenablepassword
We need an enable password configured. We will see why later in the configuration.
username fallback privilege 15 secret fallbackpassword
We need this account for local authentication if we loose contact with the TACACS server.
This enables AAA, without this the other AAA commands have no effect.
tacacs-server host 188.8.131.52 key tacacskey
This is to configure what servers will be used for TACACS and the key needed.
aaa authentication login default group tacacs+ local
When the user logs in check with TACACS first and if that is not available use a local user account. The word default in this command is a listname. You can use a different listname if you want but default works fine unless you need several lists.
aaa authentication enable default group tacacs+ enable
When using enable check with TACACS first and if that is not available use the local enable secret password.
aaa authorization exec default group tacacs+ local if-authenticated
Check if user has the right to an exec shell. Check with TACACS first and then local if TACACS is unavailable. If-authenticated means that if an user has authenticated and later the TACACS server goes down the user can still do configuration. If we don’t use a backup option to TACACS, authorization will fail if the TACACS server goes down, that is why we use the local database as a fallback. If-authenticated means the user can continue to configure if there is no source available to do authorization.
aaa authorization config-commands
Authorize commands from global config mode.
aaa authorization commands 1 default group tacacs+ local if-authenticated
Authorize commands that have a privilege level of 1.
aaa authorization commands 15 default group tacacs+ local if-authenticated
Authorize privilege level 15 commands.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
These commands are used to setup accounting. Accounting is used to log what users do when logged in. We turn on accounting for when an user gets an exec shell and for privilege level 1 and 15 commands. We also want to log connections that the user does and system events.
4 thoughts on “Authentication, authorization and accounting”
Just wanted to say thanks for putting this up. I scoured the Cisco website only to find convoluted information. Rock on!
Pingback:2010 in review « Daniels quest for CCIE
proper boss ! great article mate 🙂
Pingback:AAA – JD's Notepad