Last Updated on November 10, 2017 by Valerio Plessi
Authentication, Authorization, and Accounting… Otherwise Known as AAA (triple A). Most people who have had to implement AAA on a router or switch probably know very little about the commands they copy to the router config. Most simply grab the AAA configs from another working router or switch and be done with. But have you ever wondered what these commands do? Have you asked yourself – “Do I even need this? What’s the best way to implement AAA?” Today we’re gonna get our [ROUTER]FREAK on and check out some best practices with AAA.
If your working in an environment that uses AAA then you no doubt have a TACACS+ or ACS server running somewhere that is used for management of logins to your devices. AAA works in conjuction with TACACS+ to provide management of your login security. Who can login (Authentication), What can that user do (Athorization), and track the commands that are used (Accounting).
I’ve recently worked directly with Cisco to bang out what exactly is the best practices for configuring AAA on a router. what we came up with is the following:
aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ local if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
Some router configurations look more intimidating than others and AAA is always one them. Don’t worry, we’ll break this down and you will see its not so bad after all.
So lets take a look at it one line at a time…
aaa new-model
This basically turns on aaa on the router.
aaa authentication login default group tacacs+ local
Here we are saying that to authenticate to this router for logins use the default group which is tacacs+. If tacacs+ fails then use the local user account configured on the router. (This is why you always want to make sure you have a local user configured on your router)
aaa authentication enable default group tacacs+ enable
Here we are saying that for enable mode we want to use the default group tacacs+ (notice the local keyword is not used. This is because that a locally defined user will have specified the authorization level they require. . for example leve 15 will get enable mode)
aaa authorization config-commands
This says we want to check with TACACS+ to authorize going into config mode.
aaa authorization exec default group tacacs+ local if-authenticated
Notice the “if-authenticated” keyword at the end of this line. This is saying that if we are authenticated we will immediately be dropped into exec (enable) mode.
aaa authorization commands 1 default group tacacs+ if-authenticated
For best practices Cisco recommends that authorization be configured to each level of user access to network devices. In this command we are authorizing level 1 user. This would also be the same as non-enable mode. A fallback method should be configured such as a local user. This also requires the use of tacacs+.
aaa authorization commands 15 default group tacacs+ local if-authenticated
Here we are providing authorization for level 15 users against tacacs+. If tacacs+ is not available then the local user account is used. If authenticated the user will immediately be dropped into exec/enable mode.
aaa accounting exec default start-stop group tacacs+
AAA Accounting for each level of commands ensures there is accountability for use of privileged commands on the router. Privilege levels range from 1 to 15, with 15 being the highest level. Some organizations may want to implement additional levels of commands where 1 might be a help desk and 15 are network administrators.
aaa accounting commands 1 default start-stop group tacacs+
This is an optional command as far as best practices go… but this provides accountability or tracking of user activity even they thay have only logged in (not exec/enable)
aaa accounting commands 15 default start-stop group tacacs+
This command will provide for accounting of adminsitrators or priveledge level 15
… And that’s it! See? Oonce you go over each line its not quite so bad. The biggest hurdle is understanding the freaky Cisco command structure.
I hope this break down has helped clear things up a bit.
Until next time — FREAK!
11 Responses
Hi,
“aaa authorization commands 15 default group tacacs+ local if-authenticated”
1)Does above command authorize only level 15 users?
2)Or does it authorize all level users 1-15(inclusive)?
3)Or does it authorize only 2-15 levels (inclusive)?
Im a bit confused with this command becase in one post on cisco forum , it is mentioned that this command “aaa authorization commands 15 default group tacacs+ local if-authenticated” covers all level users , but this a bit condratics your config which has dedicated authorization for level 1 users “aaa authorization commands 1 default group tacacs+ if-authenticated”.
This makes me think that may be command “aaa authorization commands 15 default group tacacs+ local if-authenticated” auhtorizes ONLY 2-15 level users.
Please shed a light on this.
Thanks
Very good explanation!
Be aware however that the account name you sign up with is not the name
you will appear under in the game. If you have any questions, use the League of Legends forums.
We would have done a lot better though if Arsene had listened to me and hired
me as a Transfer Market consultant at the Emirates;
comon.
Take a look at my site: free rp generator no survey
Thanks for this aricle, It really helped me to understand the command line by line… Am been looking for the document to understand AAA from over a week….
We failback to enable password if tacacs fails rather than a local user. Do you have local usernames configured too for local failback? Will it actually allow you to specify local before tacacs? I wouldn’t have thought it would because it would never lose access to local in order to fail to tacacs if setup that way.
I wonder if would be a proper configuration and what benefits if any of using the local authentication BEFORE the group radius/tacacs+ ones?
Like: aaa authentication login default local group tacacs+
The routers I’ve being working with are failing in authenticating locally whenever the tacacs server is not available, it times out all the time…
Thanks.
aaa authorization config-commands
This says we want to check with TACACS+ to authorize going into config mode.
The description is absolutely wrong. This is not a very well documented command and it doesn't check TACACS+ to authorize going into config mode.
This command checks whether you are authorized to execute commands in the Global Exec mode provided you have enabled command authorization for level 15 commands. If you don't type in this command, the device makes no check to authorize level 15 commands even if an authorization list for level 15 commands has been applied under the vty or console terminal.
I just want to say thanks for breaking down to the T the AAA commands. I had struggled with them. I have always wante to understand what the command means not just cut and paste and see it it working. It's hard to find any material where this is broken down the way you did. The same with Multicast…I am still struggling with it but your 2 articles have begun to steer my mind around it.
Here is a sample configuration that I have; if you could brek them down, I would certainly appreciate that.
ip pim autorp listener
ip pim send-rp-announce Loopback1 scope 10 group-list Local-Range
ip pim send-rp-discovery Loopback0 scope 10 interval 30
ip pim rp-announce-filter rp-list RP-Lo299 group-list Local-Range
ip pim register-rate-limit 10
ip pim accept-register list MoH-Source-Group
ip msdp peer 10.255.255.224 connect-source Loopback0
ip msdp description 10.255.255.224
ip msdp sa-limit 10.255.255.224 2000
ip msdp cache-sa-state
ip msdp redistribute list msdp-Local-in
ip msdp originator-id Loopback0
ip msdp timer 1
ip tacacs source-interface Loopback0
!
ip access-list standard Local-Range
permit 239.250.0.0 0.0.15.255
permit 239.250.8.0 0.0.15.255
ip access-list standard RP-Lo299
permit 10.255.0.1 (this is same IP address configured on the 2 cores)
disregard the 299; just changed it so it's not familiar to some people that may recognize it.
Thanks!
I don't like local user authentication. A lot of engineers would argue using "enable" versus "local" This assumes you are using "enable secret" which enables hashed passwords using the MD5 algorithm. It is impossible to recover and a password recovery must be performed requiring physical access.
local user accounts use a weaker encryption which can be easily defeated.
Using "enable secret" is also the preferred method as outlined in the "Cisco Guide to Harden Cisco IOS Devices" guide here: http://www.cisco.com/en/US/tech/tk648/tk361/techn…
ChrisM
Isn't that only if you don't specify 'username cisco priv 15 secret cisco123' and instead use 'username cisco priv 15 password cisco123'? I'm with you though I prefer just using the enable secret.
Yup you are correct using “username cisco secret cisco” encrypts the password as a type 5, just like the “enable secret”. There is nothing wrong using local accounts in this regard…