This remote-access case study covers the configuration of the AAA server (CiscoSecure ACS) in a realistic scenario. The setup and configuration of a corporate router are walked through with screenshots from the AAA server. Figure 11-9 illustrates the network diagram of Company XYZ for this scenario.
The IT manager has decided to configure all internal network devices with AAA authentication. All internal devices authenticate (via TACACS+) with the ACS located on the management VLAN (10.100.1.0/24). When IT engineers need to log in to any network device (routers, switches, firewalls, or concentrators), they are required to authenticate first with a username/password combination, which is maintained centrally on the AAA server.
Figure 11-10 zooms in on an aspect of Figure 11-9 so that only the relevant devices for this case study are shown. The remote IT engineer must log in to router COMMSROOM1 for some maintenance work. For this case study, it is assumed that a secure VPN has been set up for the IT engineer to connect across the Internet to the corporate network.
Before delving into the specific configurations for this case study, examine the TACACS+ configuration tasks required when enabling TACACS+ on a Cisco IOS router.
To configure your router to support TACACS+, you must perform the following tasks:
Use the aaa new-model global configuration command to enable AAA. AAA must be configured if you plan to use TACACS+.
Use the tacacs-server host command to specify the IP address of one or more TACACS+ servers. Use the tacacs-server key command to specify an encryption key that is used to encrypt all exchanges between the NAS and the TACACS+ server. This same key must also be configured on the TACACS+ server.
Use the aaa authentication global configuration command to define method lists that use TACACS+ for authentication.
Use line and interface commands to apply the defined method lists to various interfaces.
After enabling AAA, complete the following tasks:
Step 1. Identify the TACACS+ server host (required): tacacs-server host hostname [single-connection] [port integer] [timeout integer] [key string]
Step 2. Specify a TACACS+ key: the command tacacs-server key key sets the encryption key to match that used on the TACACS+ daemon.
Optional configuration tasks:
Step 3. Configure AAA server groups (optional).
Step 4. Configure AAA server group selection based on DNIS (optional).
Step 5. Specify TACACS+ authentication (required).
Step 6. Specify TACACS+ authorization (optional).
Step 7. Specify TACACS+ accounting (optional).
Example 11-5 displays the configuration of router COMMSROOM1 with TACACS+ authentication for login services.
COMMSROOM1#show running-config
... <snip> ...
aaa new-model
aaa authentication login SecFundamentals group tacacs+ local
... <snip> ...
tacacs-server host 10.100.1.246
tacacs-server key Cisco
... <snip> ...
line vty 0 4
 exec-timeout 0 0
 password cisco
 logging synchronous
 login authentication SecFundamentals
The lines in the preceding sample configuration are defined as follows:
The aaa new-model command enables the AAA security services.
The aaa authentication command defines a method list, "SecFundamentals," to be used on all vty connections. The keyword group tacacs+ means that authentication is accomplished through TACACS+. If TACACS+ returns an error of some sort during authentication, the keyword local indicates that authentication is attempted using the local database on the NAS.
The tacacs-server host command identifies the TACACS+ daemon as having an IP address of 10.100.1.246. The tacacs-server key command defines the shared encryption key to be "Cisco."
The line vty 0 4 command selects the vty lines, and the login authentication command applies the method list SecFundamentals to those lines.
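As an added check that is not part of the book, the following Python script audits a running-config against the points just explained: AAA enabled, a TACACS+ host and key present, the login method list trying TACACS+ first with a local fallback, and every vty line applying a defined method list. The sample configuration is a constructed copy of Example 11-5, not a capture from a real device.

```python
import re

# Constructed sample modelled on Example 11-5 on this page; not a real device dump.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login SecFundamentals group tacacs+ local
tacacs-server host 10.100.1.246
tacacs-server key Cisco
line vty 0 4
 password cisco
 login authentication SecFundamentals
"""

def parse_config(text):
    """Return (top-level commands, {'line ...' command: [its indented sub-commands]})."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            blocks[current].append(raw.strip())  # sub-command of the open 'line' block
        elif raw.strip():
            current = raw.strip() if raw.startswith("line ") else None
            top.append(raw.strip())
            if current:
                blocks[current] = []
    return top, blocks

def audit_tacacs_login(text):
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_config(text)
    findings = []
    if "aaa new-model" not in top:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    for prefix in ("tacacs-server host ", "tacacs-server key "):
        if not any(c.startswith(prefix) for c in top):
            findings.append(f"no {prefix.strip()} command configured")
    lists = {m.group(1): m.group(2).split() for c in top
             if (m := re.match(r"aaa authentication login (\S+) (.+)", c))}
    for name, methods in lists.items():
        if methods[:2] != ["group", "tacacs+"]:
            findings.append(f"method list {name} does not try TACACS+ first")
        if "local" not in methods:  # no fallback: an unreachable ACS locks admins out
            findings.append(f"method list {name} has no local fallback")
    for line_cmd, subs in blocks.items():
        applied = [s.split()[-1] for s in subs if s.startswith("login authentication ")]
        if line_cmd.startswith("line vty") and not applied:
            findings.append(f"{line_cmd} applies no login method list")
        elif applied and applied[0] not in lists:
            findings.append(f"{line_cmd} references undefined method list {applied[0]}")
    return findings
```

Run it against the output of show running-config from any IOS device; the sample passes cleanly, and removing the local keyword or the login authentication line produces one finding each.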
To keep this setup simple, assume that the AAA server is already installed. Figure 11-11 shows the front page of the ACS when logging in to the server.
On the AAA server or ACS, you need to define router COMMSROOM1 as a NAS. Figure 11-12 illustrates the configuration of COMMSROOM1 in the server.
The NAS IP address is defined as 10.100.1.252, as shown in Figure 11-10, and the AAA client host name is set to COMMSROOM1. TACACS+ is the authentication method configured for the COMMSROOM1 client, as displayed in Figure 11-12.
Once the NAS is defined, the network administrator needs to define the users. Figure 11-13 illustrates the LocalIT user configuration on the ACS.
This completes the configuration segment for this scenario. Now the remote engineer can try to log in to the COMMSROOM1 router, and AAA authentication using TACACS+ should occur.
To test and visualize this configuration, debug aaa authentication is enabled on the router. Example 11-6 shows the debug output on COMMSROOM1 after the remote engineer attempts to authenticate.
COMMSROOM1#
5d21h: AAA: name=tty66 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=66 channel=0
5d21h: AAA/MEMORY: create_user (0x82782F8C) user='NULL' ruser='NULL' ds0=0 port='tty66' rem_addr='160.100.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
5d21h: AAA/AUTHEN/START (234160424): port='tty66' list='SecFundamentals' action=LOGIN service=LOGIN
5d21h: AAA/AUTHEN/START (234160424): found list SecFundamentals
5d21h: AAA/AUTHEN/START (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/START packet ver=192 id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETUSER
5d21h: AAA/AUTHEN (234160424): status = GETUSER
COMMSROOM1#
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='(undef)')
5d21h: AAA/AUTHEN (234160424): status = GETUSER
5d21h: AAA/AUTHEN (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/CONT packet id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETPASS
5d21h: AAA/AUTHEN (234160424): status = GETPASS
COMMSROOM1#
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='localIT')
5d21h: AAA/AUTHEN (234160424): status = GETPASS
5d21h: AAA/AUTHEN (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/CONT packet id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = PASS
5d21h: AAA/AUTHEN (234160424): status = PASS
COMMSROOM1#
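As an added example that is not part of the book, this Python script parses the Example 11-6 debug records into one AAA session, collecting the GETUSER, GETPASS and PASS replies from the ACS along with the user name and originating address, which is the same check an engineer does by eye when reading the output. The embedded records are copied from Example 11-6 above (the tty/flags line is omitted).

```python
import re

# The Example 11-6 debug lines from this page, one record per line (tty/flags line omitted).
DEBUG_OUTPUT = """\
5d21h: AAA/MEMORY: create_user (0x82782F8C) user='NULL' ruser='NULL' ds0=0 port='tty66' rem_addr='160.100.1.1' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0'
5d21h: AAA/AUTHEN/START (234160424): port='tty66' list='SecFundamentals' action=LOGIN service=LOGIN
5d21h: AAA/AUTHEN/START (234160424): found list SecFundamentals
5d21h: AAA/AUTHEN/START (234160424): Method=tacacs+ (tacacs+)
5d21h: TAC+: send AUTHEN/START packet ver=192 id=234160424
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETUSER
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='(undef)')
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = GETPASS
5d21h: AAA/AUTHEN/CONT (234160424): continue_login (user='localIT')
5d21h: TAC+: ver=192 id=234160424 received AUTHEN status = PASS
"""

RE_CREATE = re.compile(r"create_user .* port='([^']+)' rem_addr='([^']+)'")
RE_START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='([^']+)' list='([^']+)'")
RE_CONT = re.compile(r"AAA/AUTHEN/CONT \((\d+)\): continue_login \(user='([^']+)'\)")
RE_STATUS = re.compile(r"TAC\+: ver=\d+ id=(\d+) received AUTHEN status = (\w+)")

def parse_debug(text):
    """Group the debug records by AAA session id and collect the TACACS+ reply statuses."""
    sessions, rem_by_port = {}, {}  # create_user carries no id, so key rem_addr by port
    for line in text.splitlines():
        if m := RE_CREATE.search(line):
            rem_by_port[m.group(1)] = m.group(2)
        elif m := RE_START.search(line):
            sid, port, lst = m.groups()
            sessions[sid] = {"port": port, "list": lst, "rem_addr": rem_by_port.get(port),
                             "user": None, "statuses": []}
        elif (m := RE_CONT.search(line)) and m.group(1) in sessions:
            if m.group(2) != "(undef)":  # the first CONT is the empty reply to the prompt
                sessions[m.group(1)]["user"] = m.group(2)
        elif (m := RE_STATUS.search(line)) and m.group(1) in sessions:
            sessions[m.group(1)]["statuses"].append(m.group(2))
    return sessions

def outcome(session):
    """Final verdict of one session. Only ERROR (for example, no reply from the server)
    makes IOS fall through to the next method in the list; FAIL is a definitive rejection."""
    last = session["statuses"][-1] if session["statuses"] else None
    return last if last in ("PASS", "FAIL", "ERROR") else "INCOMPLETE"
```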
If authentication does not work, the ACS also keeps log files that help find out why. Figure 11-14 shows the main Reports and Activity page. Examine the TACACS+ log, as displayed in Figure 11-15.
In the passed-authentications log file, notice the successful authentication of user "localIT" with IP address 160.100.1.1 for NAS 10.100.1.252.