Authentication, authorization, and accounting (AAA, pronounced "triple A") provides security to Cisco IOS routers and network devices.
AAA provides a method for identifying users who are logged in to a router and have access to servers or concentrators. AAA also identifies the level of access that has been granted to each user and monitors user activity to produce accounting information.
As discussed in the previous chapters, access to network data is available via a variety of methods, including the following:
Dialup connections
Integrated services digital networks (ISDNs)
Broadband cable and asymmetric digital subscriber lines (ADSLs)
Access through the Internet via virtual private networks (VPNs)
The AAA model was designed in such a way that all these access methods can benefit from the AAA security features.
The three phases (authentication, authorization, and accounting) ensure that only legitimate users are permitted access, as explained in the following list:
Authentication: Verification of who you are. Remote users must be authenticated before being permitted access to network resources by confirming their identities.
Authorization: Control of what you can do. Once the user is identified, the accessible resources are defined by the authorization mechanism.
Accounting: Tracking what you have done. Timestamps, command history, and type of resources are just a few examples of information collected by the accounting mechanism.
Let's now examine each of the three in a little more detail. Authentication allows users to submit their usernames and passwords through a series of challenges and responses. Once users are authenticated, authorization defines which services in the network the users are permitted to access. The permitted operations may include specific Cisco Internet Operating System (IOS) privileged executive commands. For example, a user may be allowed to type commands, but only those show and debug commands that have been authorized. This is demonstrated later in the chapter through examples.
Accounting allows the network administrator to log and view which actions were performed, such as whether a Cisco router was reloaded or its configuration was changed. The accounting function provides an audit trail from which network administrators can see which actions were performed and at what time. The AAA server handles all three functions: authentication, authorization, and accounting.
Figure 11-1 displays a typical network setup with a AAA server securing the network.
The remote users may be using dialup connections and running Async (PSTN) or using ISDN with Point-to-Point Protocol (PPP). Broadband access users could be using cable or ADSL connections. The Network Access Server (NAS) ensures that only authenticated users have access to the secure network. NAS also maintains resources and accounting information. The NAS depends on the AAA server to get the user-specific information.
Authorization controls which resources (FTP servers, web servers, and so on) are accessible. The NAS is configured with the AAA protocols and interacts with the AAA server to collect data on the network resources accessed.
The following sections describe AAA in more detail and provide examples of common AAA configurations on a Cisco IOS router.
Authentication allows administrators to identify who can connect to a router by comparing the usernames and passwords of those seeking access with the usernames and passwords in an authorized list or database. Normally, when a user connects to a router remotely via Telnet, the user needs to supply only a password, and the administrator has no way of knowing the user's username. With AAA authentication, whenever a user logs on, the user must enter a username and a password, which have been assigned by the administrator.
NOTE
The AAA model can be enabled on a Cisco router using the
Example 11-1 displays two types of remote access: a remote user accessing a router via Telnet without AAA and a remote user accessing a AAA-configured Cisco router.
Brussels#telnet nonAAA_router
User Access Verification
Password: xxxxxxxx
nonAAA_router>
Brussels#telnet AAA_router
Trying AAA_router (10.1.1.1)... Open
User Access Verification
Username: Gert
Password: xxxxxxxx
AAA_router>
As you can see in Example 11-1, the user must enter a valid username and password to access a AAA-configured Cisco router. Both the username and the password are set to "Gert" in this case. Typically, the valid usernames reside in a database on a remote AAA server. Cisco IOS can also keep a local database on the router, but this is not a scalable solution. Example 11-2 shows the configuration required to create a local database entry for user Gert.
AAA_router#configure terminal
AAA_router(config)#username Gert password Gert
AAA_router(config)#
AAA_router#
AAA_router#show running
Building configuration...
Current configuration : 1391 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AAA_router
!
logging queue-limit 100
enable password cisco
!
username Gert password 0 Gert
memory-size iomem 15
aaa new-model
!
AAA_router#show user all
    Line       User       Host(s)              Idle       Location
*   0 con 0    Gert       idle                 00:00:00
    1 tty 1                                    00:00:00
    2 tty 2                                    00:00:00
   97 aux 0                                    00:00:00
   98 vty 0                                    00:00:00
   99 vty 1                                    00:00:00
  100 vty 2                                    00:00:00
  101 vty 3                                    00:00:00
  102 vty 4                                    00:00:00

  Interface    User               Mode         Idle     Peer Address
AAA_router#
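The running configuration in Example 11-2 stores both the enable password and Gert's password in cleartext (type 0) with password encryption switched off. As an added example (not from the book or from Cisco), the following Python script audits a saved running-config for exactly those weaknesses; the two sample configs are constructed from Example 11-2, and the hash values in the hardened variant are placeholders, not real digests.

```python
import re

# Constructed sample: the AAA-relevant lines of the Example 11-2
# running configuration (not the page's full listing).
WEAK_CONFIG = """\
version 12.2
no service password-encryption
hostname AAA_router
enable password cisco
username Gert password 0 Gert
aaa new-model
"""

# Constructed sample of the same router using one-way hashed secrets.
# The $1$... values are placeholders, not real hashes.
HARDENED_CONFIG = """\
version 12.2
service password-encryption
hostname AAA_router
enable secret 5 $1$PLACEHOLDER_HASH
username Gert privilege 15 secret 5 $1$PLACEHOLDER_HASH
aaa new-model
"""

# Matches 'username NAME [privilege N] password [TYPE] VALUE'; 'secret' lines do not match.
USERNAME_RE = re.compile(r"username (\S+)(?: privilege \d+)? password(?: (\d))? (\S+)$")

def audit_aaa_config(config: str) -> list[str]:
    """Return findings for weak credential handling in an IOS running-config."""
    lines = [ln.strip() for ln in config.splitlines()]
    findings = []
    if "aaa new-model" not in lines:
        findings.append("aaa new-model absent: AAA method lists are not in effect")
    if "no service password-encryption" in lines:
        findings.append("password encryption off: type-0 passwords remain cleartext")
    if any(ln.startswith("enable password ") for ln in lines):
        findings.append("enable password set: use 'enable secret' (one-way hash)")
    for ln in lines:
        m = USERNAME_RE.match(ln)
        if not m:
            continue  # 'username ... secret' lines are hashed and pass
        user, ptype, pw = m.groups()
        if ptype in (None, "0"):
            findings.append(f"user {user}: cleartext (type 0) password; use 'secret'")
        elif ptype == "7":
            findings.append(f"user {user}: type 7 password is reversible; use 'secret'")
        if pw.lower() == user.lower():
            findings.append(f"user {user}: password equals username")
    return findings
```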
Authorization is the second step in the AAA process. Authorization allows administrators to control the level of access users have after they have successfully gained access to a device. For the sake of simplicity, this section focuses on accessing a router. Cisco IOS allows certain access levels (also called privilege levels) that control which Cisco IOS commands the user can issue. These levels range from 0 to 15. For example, a user with a privilege level of 0 cannot issue any Cisco IOS commands. A user with a privilege level of 15 can perform all valid Cisco IOS commands. The local database or remote security server (AAA server) can grant the required privilege levels.
Remote security servers, such as RADIUS and TACACS+ (which are discussed later in the chapter), authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works by assembling a set of attributes that describe the tasks the user is authorized to perform. These attributes are compared with the information contained in a database for a given user, and the result is returned to the AAA software to determine the user's actual capabilities and restrictions.
You can display your privilege level on a Cisco router with the show privilege command. Example 11-3 displays the privilege level when the user has already been authenticated on the AAA_router.
show privilege Command Output
AAA_router#show privilege
Current privilege level is 15
The higher the privilege, the more capabilities a user has with the Cisco IOS command set.
Accounting occurs after the authentication and authorization steps have been completed. Accounting allows administrators to collect information about users. More specifically, administrators can track which user logged in to which router, which Cisco IOS commands a user issued, and how many bytes were transferred during a user's session. Accounting information can be collected by a router or by a remote security server. For simplicity's sake, only the output of the router command is displayed here. The case study at the end of the chapter supplies more details on the AAA server output.
To display local accounting information on a Cisco router that is collecting accounting information, issue the show aaa user all Cisco IOS command. Example 11-4 displays a sample output when the command is issued on a router named AAA_router.
NOTE
The show accounting command is replaced by the show aaa user all command in Cisco IOS Release 12.2 and later.
show aaa user all Command Output
AAA_router#show aaa user all
--------------------------------------------------
Unique id 3 is currently in use.
  Accounting:
    log=0x18001
    Events recorded :
      CALL START
      INTERIM START
      INTERIM STOP
    update method(s) :
      NONE
    update interval = 0
    Outstanding Stop Records : 0
    Dynamic attribute list:
      63517944 0 00000001 connect-progress(30) 4 0
      63517958 0 00000001 pre-session-time(237) 4 21(15)
      6351796C 0 00000001 elapsed_time(294) 4 0(0)
      63517980 0 00000001 pre-bytes-in(233) 4 0(0)
      63517994 0 00000001 pre-bytes-out(234) 4 0(0)
      635179A8 0 00000001 pre-paks-in(235) 4 0(0)
      635179BC 0 00000001 pre-paks-out(236) 4 0(0)
    No data for type EXEC
    No data for type CONN
    NET: Username=(n/a)
      Session Id=00000001 Unique Id=00000003
      Start Sent=0 Stop Only=N
      stop_has_been_sent=N
      Method List=0
      Attribute list:
        63517944 0 00000001 session-id(291) 4 1(1)
    No data for type CMD
    No data for type SYSTEM
    No data for type RM CALL
    No data for type RM VPDN
    No data for type AUTH PROXY
    No data for type IPSEC-TUNNEL
    No data for type RESOURCE
    No data for type 10
    No data for type CALL
  Debg: No data available
  Radi: No data available
  Interface:
    TTY Num = 0
    Stop Received = 0
    Byte/Packet Counts till Call Start:
      Start Bytes In = 0    Start Bytes Out = 0
      Start Paks In = 0     Start Paks Out = 0
    Byte/Packet Counts till Service Up:
      Pre Bytes In = 0      Pre Bytes Out = 0
      Pre Paks In = 0       Pre Paks Out = 0
    Cumulatvie Byte/Packet Counts :
      Bytes In = 0          Bytes Out = 0
      Paks In = 0           Paks Out = 0
    StartTime = 23:24:22 UTC Mar 4 1993
    Component = EXEC
  Authen: service=LOGIN type=ASCII method=LOCAL
  Kerb: No data available
  Meth: No data available
  Preauth: No Preauth data.
  General:
    Unique Id = 00000003
    Session Id = 00000001
    Attribute List:
      63517944 0 00000009 interface(150) 4 tty0
      63517958 0 00000001 port-type(154) 4 4
      6351796C 0 00000009 clid(25) 5 async
  PerU: No data available
AAA_router#
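As an added example (not from the book or from Cisco), this Python snippet parses the fields of the show aaa user all output that matter when reviewing a session: the recorded accounting events, the attribute lists, and the Authen line whose method field shows which database authenticated the user. The sample output is a constructed excerpt of Example 11-4; on a router that is meant to authenticate against a central AAA server, a session showing method=LOCAL is the fallback case an operator would want flagged.

```python
import re

# Constructed excerpt of the Example 11-4 output, reduced to the lines
# this parser consumes (indentation follows the router's layout).
SAMPLE_OUTPUT = """\
  Accounting:
    Events recorded :
      CALL START
      INTERIM START
      INTERIM STOP
    Dynamic attribute list:
      63517958 0 00000001 pre-session-time(237) 4 21(15)
      6351796C 0 00000001 elapsed_time(294) 4 0(0)
    No data for type EXEC
  Authen: service=LOGIN type=ASCII method=LOCAL
  General:
    Attribute List:
      63517944 0 00000009 interface(150) 4 tty0
      6351796C 0 00000009 clid(25) 5 async
"""

# One attribute line: address, flags, session id, name(id), length, value
ATTR_RE = re.compile(r"^([0-9A-F]{8}) (\d+) ([0-9A-F]{8}) ([\w-]+)\((\d+)\) (\d+) (\S+)$")
KV_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs on the Authen line

def parse_aaa_user(output: str) -> dict:
    """Extract events, attributes and the authentication method from the output."""
    rec = {"events": [], "attributes": {}, "authen": {}}
    section = None
    for raw in output.splitlines():
        ln = raw.strip()
        m = ATTR_RE.match(ln)
        if ln.startswith("Events recorded"):
            section = "events"
        elif ln.lower().endswith("attribute list:"):
            section = "attrs"
        elif ln.startswith("Authen:"):
            rec["authen"] = dict(KV_RE.findall(ln))
        elif section == "events" and ln.isupper():
            rec["events"].append(ln)
        elif section == "attrs" and m:
            name, attr_id, value = m.group(4), int(m.group(5)), m.group(7)
            rec["attributes"][name] = {"id": attr_id, "value": value}
        else:
            section = None  # any other line ends the current list
    return rec

def authenticated_locally(rec: dict) -> bool:
    """True when the Authen line reports the router's local database (method=LOCAL)."""
    return rec["authen"].get("method", "").upper() == "LOCAL"
```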
In Example 11-4, the different functions for which the accounting code records data are highlighted. The most important accounting function records are
Network
EXEC
Connect
Command
The Network accounting function monitors dialup and PPP authentication. The EXEC function, as displayed in